this post was submitted on 11 Feb 2024
13 points (93.3% liked)

Fedora Linux

1757 readers
1 users here now

All about Fedora Linux

founded 5 years ago
MODERATORS
CAP_NAME_NOW_UPVOTE@lemmy.ml
13
Questions about Silverblue (lemmy.blahaj.zone)
submitted 8 months ago by subsonic_bubble@lemmy.blahaj.zone to c/fedora@lemmy.ml
10 comments fedilink hide all child comments
 

  1. Does Silverblue being immutable has an effect on security, or is it more about stability and reliability?

  2. Is it possible to have Nvidia drivers with Secure Boot on Silverblue, and how?

Thanks a lot!

all 12 comments
sorted by: hot top controversial new old
[–] Guenther_Amanita@feddit.de 6 points 8 months ago* (last edited 8 months ago) (1 children)
  1. Does Silverblue being immutable has an effect on security, or is it more about stability and reliability?

It should also be more secure. The fact that your install is the same as thousands of others, including the devs', and that updates get patched as a whole, makes it more secure due to the reproducibility you mentioned. If the devs notice a flaw, it will also be on every other install and fixed immediately.
In theory, malicious actors also can't modify the (live) system, but I can't make a statement about that.

You can also take a look at SecureBlue if security is very important to you.

Updates get installed automatically and staged, so you can just boot into a fresh and updated image every day when shutting off the PC before bed without even noticing :)

  1. Is it possible to have Nvidia drivers with Secure Boot on Silverblue, and how?

Go to universal-blue.org and select your wanted image there. They have a Nvidia-image for every variant, where the drivers are already baked into the base image.

They support Secure Boot, and if the driver breaks, which it shouldn't, because then thousands others would do that too, you can just select yesterday's image and don't have to worry about fixing something. Your OS will always boot and be usable!

Take a look at my post for further information: https://feddit.de/post/8234416

[–] subsonic_bubble@lemmy.blahaj.zone 1 points 8 months ago (1 children)

I read about universal-blue but I am not confident about using it, as it is not official and not made by the Fedora developers, but I am also not sure if that matters much.

The security from reproducibility does make sense to me, although what I had in mind was more about the malicious actors not being able to modify the system part.

Thanks a lot for the detailed reply! Lemmy seems to be a lot less judgmental and a lot more helpful than Reddit!

[–] Guenther_Amanita@feddit.de 3 points 8 months ago* (last edited 8 months ago) (1 children)

I read about universal-blue but I am not confident about using it, as it is not official and not made by the Fedora developers, but I am also not sure if that matters much.

That isn't an issue at all. You can understand uBlue only as a framework, not distro.
It's just a "factory" to create custom downstream images automatically.
It's even mentioned (but not endorsed) by the Fedora team officially.

It's fully open source and you can view/ modify the changes easily yourself.
One of the main plus points is that the official Fedora Devs aren't allowed to ship certain things, like codecs, due to licensing. uBlue isn't official and thus is allowed to do that.

uBlue isn't some obscure fork that gets forgotten after a few months. It builds itself. For example, I know shit about anything and can't even code. BUT, I've made my own uBlue spin, so I'm a distro maintainer so to say, but I never have to do anything.

Just use that instead, there aren't any disadvantages (besides some nice to have optional apps, like calculator app, missing). That doesn't mean vanilla Silverblue isn't usable by any means of course.

The security from reproducibility does make sense to me, although what I had in mind was more about the malicious actors not being able to modify the system part.

You, and malicious actors, can still modify the system a bit and it isn't bullet proof. No software is.
You can still execute some scripts/ commands (e.g. rpm-ostree install teamviewer && reboot), give them sudo, and let someone steal your banking data.

It's just harder and there are more stepping stones for hackers and co. to archive what they want.
For example, every deep change in the OS requires a reboot. You can chronologically list what has been changed the last times (just like on git) and revert those changes. And needing to reboot when you installed a free game somewhere is a bit sus.

You just can't modify the live system.
But yeah, it still should be somewhat more secure. As long as you don't run random shit from the internet (e.g. scripts) without looking first or practice other insecure things, you don't have to worry much.

Thanks a lot for the detailed reply! Lemmy seems to be a lot less judgmental and a lot more helpful than Reddit!

Glad to hear! Did Reddit really go downhill so fast? Oof

[–] subsonic_bubble@lemmy.blahaj.zone 3 points 8 months ago (2 children)

That clears up my concerns and questions about both Silverblue and uBlue. Though it sounded convenient for my use case, I avoided uBlue as I thought it was a random fork that might not be reliable in the long term. I will be testing it to see if it works for me or if I can adapt to it. Thanks a lot!

[–] ebits21@lemmy.ca 2 points 8 months ago

I use uBlue and have never had an issue.

The great thing is that you can just rebase back to stock Silverblue at any time if you want to go back.

[–] Guenther_Amanita@feddit.de 1 points 8 months ago

As I said, you can't view the uBlue images as forks per se.
It's more the result of a building script saying "Use the original Silverblue image, add this package, remove this package, rebuild" every day.
So the uBlue images aren't much older (less then a few hours normally, less then a day on major releases) then the upstream original versions.

[–] Pantherina@feddit.de 2 points 8 months ago* (last edited 8 months ago) (1 children)

Fedora Atomic is not secure. In fact if you would somehow install malicious RPMs, or a program would do so, only on Atomic they can do so without a password.

This is crazy and you can change the polkit file manually, I have no idea when this will be implemented.

https://gitlab.com/fedora/ostree/sig/-/issues/7

Apart from that, SELinux does not affect the user programs, Desktop and home filesystem. You and any program can execute any script it wants, place an autostart file in your home directory etc.

As long as the home directory allows arbitrary scripts, it is very vulnerable to exploits.

Also, your ~/.bashrc (or the other Shell configs) is writable, so any program can alias what sudo does and thus catch your password.

Or your ~/.local/bin, ~/.local/share/applications/ etc. all being writable, this also means any program can pretend to be Firefox for example but catch your passwords (tbh by default any program can read your Firefox passwords, use a masterpassword people)

This me Same with your ~/.ssh and ~/.gnupg keys being readable.

I second on Secureblue, it works well. Firefox is removed, even though its insecurity is debateable. You can use the Flatpak or build it yourself:

https://github.com/trytomakeyouprivate/Firefox-hardened

Keep an eye on that repo, I will update it when I found out how to build release versions lol.

Also note that you will want to use userns images of Secureblue to have Podman/Docker working.

[–] boredsquirrel@slrpnk.net 1 points 6 months ago

Edit (new account)

I will not use Secureblue anymore in the future, but it is a very useful project. Also note that only the permissionless RPM package installations make it less secure than traditional desktops, and I opened PRs for that. Will need a change request poorly, and I was too late for 40, so this may end up in 41... pretty bad