From c5abc498f64b7c329f5166d59319b1e890a50f2b Mon Sep 17 00:00:00 2001 From: Tommy Date: Mon, 3 Feb 2025 10:46:32 -0700 Subject: [PATCH] Update Fedora Atomic/SecureBlue caveats --- .../linux/Choosing Your Desktop Linux Distribution/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md b/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md index b42430d..8341de4 100644 --- a/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md +++ b/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md 
@@ -67,11 +67,11 @@ Fedora's package manager, `dnf`, has a great rollback and undo feature that is g {{< youtube id="-hpV5l-gJnQ">}} -One caveat with Fedora Atomic Desktops is that `rpm-ostree` currently have a hard dependency on `grub` and does not support Unified Kernel Images at the moment. +One caveat with Fedora Atomic Desktops is that `rpm-ostree` currently has a hard dependency on `grub` and does not support Unified Kernel Images. The consequence of this is that unlike Fedora Workstation, it is not possible to set up a Fedora Atomic with meaningful Secure Boot to resist physical tampering. ### SecureBlue -[SecureBlue](https://github.com/secureblue/secureblue) provides hardened operating system images based on Fedora Atomic Desktops. While they do add another party of trust, their images are substantially hardened and not easily replicated by hand. There are several very interesting packages maintained by SecureBlue as well: +[SecureBlue](https://github.com/secureblue/secureblue) provides hardened operating system images based on Fedora Atomic Desktops. While they do additional parties of trust (SecureBlue, GitHub infrastructure, BlueBuild, Negativo, etc), their images are substantially hardened and not easily replicated by hand. There are several very interesting packages maintained by SecureBlue as well: - [Trivalent](https://github.com/secureblue/Trivalent), a hardened chromium desktop build with patches from GrapheneOS's [Vanadium](https://github.com/GrapheneOS/Vanadium). - [Hardened Malloc](https://github.com/secureblue/fedora-extras/tree/live/hardened_malloc). SecureBlue packages GrapheneOS's memory allocator and enforce it system wide, including for Flatpak applications.
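Review bot: the rewritten SecureBlue line drops its verb; "While they do additional parties of trust (SecureBlue, GitHub infrastructure, BlueBuild, Negativo, etc)" should read "While they do add additional parties of trust (SecureBlue, GitHub infrastructure, BlueBuild, Negativo, etc.)". The same hunk also adds the sentence "it is not possible to set up a Fedora Atomic with meaningful Secure Boot to resist physical tampering"; since the preceding sentence frames the `grub` dependency and the missing UKI support as a current limitation of `rpm-ostree`, consider wording this consequence as a current limitation as well (for example "it is currently not possible") so the two sentences stay consistent, and consider linking the upstream issue that tracks UKI support so readers can check whether the caveat still holds.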