Hi, I’m in the process of making a fast, (extremely) secure, and modern laptop. Currently I have Arch Linux with encrypted root partition (unlocked with Nitrokey or long password), secure boot, linux-hardened, firewalld, etc.

I’m running linux-hardened with a custom config. I enabled AMD SME, kernel lockdown, added some xanmod patch for more specific CPUs, and disabled some unneeded drivers (only those that I’m 100% sure I don’t need - Intel, NVidia, Microsoft, Google, Amazon, Virtio). Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials on which drivers to disable to speed up this process? After doing that I will try to compile it with -O3 and LTO. Do you know any patches for performance?

I’m planning to enable encrypted swap, install ClamAV and install flatpak versions for every non-open-source app I have.

I also want to have SELinux. Does anyone know where I can learn it? I had it on Fedora and it was not fun using it.

What are other ways I can make my laptop more secure?

  • vatson112@lemm.ee
    9 months ago

    I will describe settings that are not so easy to google and a few new thoughts.

    kptr restrict:

    https://wiki.archlinux.org/title/security

    https://lwn.net/Articles/420403/

    Kexec:

    You may google about mechanics, but basically, it is just a mechanism to ‘reexec’ your kernel to something different, usually another kernel, but you can boot netboot.xyz, for example.

    But now imagine that it will boot a kernel that will dump the output of all your traffic, or will dump all your keyboard keypresses (keylogger).

    These are unlikely scenarios. But I prefer to disable this feature since I don’t use it anyway.

    Also, about keyloggers. Any program inside your X session may grab all your keyboard events. Literally last week I wrote a keylogger in rust in 70 lines of code. Therefore, use Wayland.

    Ebpf JIT:

    There I misled you.

    There is some new information about JIT and security. See https://youtu.be/kvt4wdXEuRU?si=3imn8PAEbvgjWTU3

    According to the update, you need to set bpf_jit_harden=2 and unprivileged_bpf_disabled=1. (Even unprivileged ebpf may crash your kernel. For some unknown reason, this is not recognized as a problem.)

    Randomize virtual memory address:

    https://www.techtarget.com/searchsecurity/definition/address-space-layout-randomization-ASLR#:~:text=Address space layout randomization (ASLR) is a memory-protection,executables are loaded into memory.

    systemd

    If you use systemd you can use the systemd-analyze tool to harden your units’ settings.

    Also, I remember the tool you can use.

    There are some security certifications - most used are pcidss or stig. There are guidelines to improve security.

    You can use openscap with a profile (pcidss or stig or both) and it will check if your system satisfies these guidelines.

    This may give you some thoughts.

    • chevy9294OP
      9 months ago

      Thank you very much for this detailed explanation! Looks like kptr and kexec are already disabled and enabled randomized virtual memory address in the hardened kernel. I will check for ebpf. Security certs seem interesting, I will definitely look into them.
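
The kernel settings discussed in this thread can be checked in one pass. The script below is an added example, not code from either poster: it reads the five sysctls from `/proc/sys` and reports each as OK, WEAK or UNKNOWN. The `bpf_jit_harden=2` and `unprivileged_bpf_disabled=1` values are the ones given in the comment; the accepted values for the other three keys, and the names `audit_sysctl` and `write_sample`, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Accepted values per sysctl:
# bpf_jit_harden=2 and unprivileged_bpf_disabled=1 are the values given in the
# comment; the values for the other three keys are assumptions of this example.
POLICY='kernel.kptr_restrict 1,2
kernel.kexec_load_disabled 1
net.core.bpf_jit_harden 2
kernel.unprivileged_bpf_disabled 1
kernel.randomize_va_space 2'

# audit_sysctl [ROOT]: check every key in POLICY under ROOT (default
# /proc/sys). Prints one line per key; the return status is the number of
# keys that are weak or could not be read.
audit_sysctl() {
    root=${1:-/proc/sys}
    failures=0
    while read -r key accepted; do
        path="$root/$(printf '%s' "$key" | tr . /)"
        # A key may be readable by root only, or absent when the feature is
        # compiled out, so an unreadable key is reported, never passed.
        if ! value=$(cat "$path" 2>/dev/null); then
            echo "UNKNOWN $key (cannot read $path)"
            failures=$((failures + 1))
            continue
        fi
        case ",$accepted," in
            *",$value,"*) echo "OK      $key = $value" ;;
            *)            echo "WEAK    $key = $value (want $accepted)"
                          failures=$((failures + 1)) ;;
        esac
    done <<EOF
$POLICY
EOF
    return "$failures"
}

# write_sample DIR: build a constructed /proc/sys-like tree for a dry run.
# The values are made up: kexec is left enabled and BPF JIT hardening is 1.
write_sample() {
    mkdir -p "$1/kernel" "$1/net/core"
    echo 2 > "$1/kernel/kptr_restrict"
    echo 0 > "$1/kernel/kexec_load_disabled"
    echo 1 > "$1/net/core/bpf_jit_harden"
    echo 1 > "$1/kernel/unprivileged_bpf_disabled"
    echo 2 > "$1/kernel/randomize_va_space"
}
```

Run `audit_sysctl` with no argument (as root, so that restricted keys are readable) to check the running kernel, or point it at a directory filled by `write_sample` for a dry run.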