mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2025-02-20 18:31:35 -05:00
Discussed using sbctl with Arch Linux
This commit is contained in:
parent
5fdf4526eb
commit
9633fdad06
@ -265,7 +265,7 @@ In this section we succinctly present the parameters used by Kicksecure as those
spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full, mds=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt
```
[SMT](https://en.wikipedia.org/wiki/Simultaneous_multithreading) is disabled due to it being the cause of various security vulnerabilities. Also, on rpm-ostree based distributions, you should set the kernel parameters using `rpm-ostree kargs` rather than messing with `GRUB` configurations directly. As an aside, one should keep in mind that despite the clear security benefits of disabling SMT, the very popular `linux-hardened` kernel for Arch linux does not disable it by default given the [large potential performance costs](https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365). You should determine your own desired level of risk mitigation and if you choose to keep SMT enabled, simply remove all occurrences of `nosmt` and `nosmt=force` from the above parameters.
[SMT](https://en.wikipedia.org/wiki/Simultaneous_multithreading) is disabled due to it being the cause of various security vulnerabilities. Also, on rpm-ostree based distributions, you should set the kernel parameters using `rpm-ostree kargs` rather than messing with `GRUB` configurations directly. As an aside, one should keep in mind that despite the clear security benefits of disabling SMT, the very popular `linux-hardened` kernel for Arch Linux does not disable it by default given the [large potential performance costs](https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365). You should determine your own desired level of risk mitigation and if you choose to keep SMT enabled, simply remove all occurrences of `nosmt` and `nosmt=force` from the above parameters.
- Kernel
```
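Review bot: the unchanged parameter line at the top of this hunk still carries a trailing comma in `tsx_async_abort=full,` and lists `mds=full,nosmt` twice; since the paragraph edited here tells readers to strip every occurrence of `nosmt` and `nosmt=force` from those parameters, the duplicate and the stray comma are worth cleaning up in the same change so the instruction maps onto one clean parameter list.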
@ -428,7 +428,7 @@ For a Fedora Workstation specific guide, you can follow this [blog post](https:/
For Arch Linux is very similar, though `sbctl` is already included in the official Arch Linux repository, and you will need to switch from `mkinitpcio` to `dracut`.
In my opinion, this is most straight forward setup possible with a lot of potential such as integration with [systemd-measure](https://www.freedesktop.org/software/systemd/man/systemd-measure.html) in the future for better verification of the unified kernel image. sWith that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with `ZSYS`, and I need to do more testing to see if I can get them working.
In my opinion, this is most straight forward setup possible with a lot of potential such as integration with [systemd-measure](https://www.freedesktop.org/software/systemd/man/systemd-measure.html) in the future for better verification of the unified kernel image. With that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with `ZSYS`, and I need to do more testing to see if I can get them working. Currently Arch Linux with the hardened kernel works well using `sbctl` but some level of tedious `pacman` hooks are required for appropriately timing the resigning of all relevant files every time the kernel or bootloader are updated, which on rolling release distributions can be quite often. Again, [it's hard to achieve a respectable verified boot implementation on traditional Linux](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot).
### Encrypted `/boot`
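Review bot: the added sentence says `pacman` hooks are needed to re-sign "all relevant files" after kernel or bootloader updates but does not say which files those are or where such a hook lives, so a reader following the guide cannot act on it; suggest either listing the artifacts that must be re-signed or linking the documentation that covers the hook. Two pre-existing issues in this hunk's lines are worth fixing while here: the context line above spells `mkinitpcio` (the Arch tool is `mkinitcpio`), and both the old and the new line read "this is most straight forward setup", which wants "the" and "straightforward".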