Hi, I’m in a process of making fast, (extrenely) secure, and modern laptop. Currently I have Arch Linux with encrypted root partition (unlocked with Nitrokey or long password), secure boot, linux-hardened, firewalld, etc.
I’m running linux-hardened with custom config. I enabled AMD SME, kernel lockdown, added some xanmod patch for more specific cpus, and disabled some unnedded drivers (only those that I’m 100% sure I don’t need - Intel, NVidia, Microsoft, Google, Amazon, Virtio). Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process? After doing that I will try to compile it with -O3 and LTO. Do you know any patches for performance?
I’m planning to enable encrypted swap, install ClaimAV and install flatpak versions for every non open-source app I have.
I also want to have SELinux. Does anyone know where can I learn it? I had it on Fedora and it was not fun using it.
What are other ways I can make my laptop more secure?
Thank you for the list! Do you maybe know where can I find explanations what does each option do? I know only half of them and I already use some of them.
I will describe settings that are not so easy to google and a few new thoughts.
kptr restrict:
https://wiki.archlinux.org/title/security
https://lwn.net/Articles/420403/
Kexec:
You may google about mechanics, but basically, it is just a mechanism to ‘reexec’ your kernel to something different, usually another kernel, but you can boot netboot.xyz, for example.
But now imagine that it will boot a kernel that will dump the output of all your traffic, or will dump all your keyboard keypresses (keylogger).
These are unlikely scenarios. But I prefer to disable this feature since I don’t use it anyway.
Also, about keyloggers. Any program inside your X session may grab all your keyboard events. Literally last week I wrote a keylogger in rust in 70 lines of code. Therefore, use Wayland.
Ebpf JIT:
There I misleaded you.
There is some new information about JIT and security. See https://youtu.be/kvt4wdXEuRU?si=3imn8PAEbvgjWTU3
According to the update, you need to set bpf_jit_harden=2 and unprivileged_bpf_disabled=1. (Even unprivileged ebpf may crash your kernel. For some unknown reason, this is not recognized as a problem.)
Randomize virtual memory address:
https://www.techtarget.com/searchsecurity/definition/address-space-layout-randomization-ASLR#:~:text=Address space layout randomization (ASLR) is a memory-protection,executables are loaded into memory.
systemd
If you use systemd your can use systemd-analyze tool to harden your units settings.
Also, I remember the tool you can use.
There are some security certifications - most used are pcidss or stig. There are guidelines to improve security.
You can use openscap with a profile (pcidss or stig or both) and it will check if your system satisfies these guidelines.
This may give you some thoughts.