After rebasing to secureblue, the following steps are recommended.
If you are using an nvidia image, run this after installation:
rpm-ostree kargs \
--append-if-missing=rd.driver.blacklist=nouveau \
--append-if-missing=modprobe.blacklist=nouveau \
--append-if-missing=nvidia-drm.modeset=1
If you are using an nvidia image on an optimus laptop, run this after installation:
ujust configure-nvidia-optimus
ujust enroll-secure-boot-key
Documentation is available here for the kargs set by the commands below.
ujust set-kargs-hardening
Can cause issues on some hardware, but stable on other hardware
ujust set-kargs-hardening-unstable
This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard
ujust setup-usbguard
Setting a GRUB password helps protect the device from physical tampering and mitigates various attack vectors, such as booting from malicious media devices and changing boot or kernel parameters.
To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries.
sudo grub2-setpassword
GRUB will prompt for a username and password. The default username is root.
If you wish to password-protect booting existing entries, you can add the grub_users root entry in the specific configuration file located in the /boot/loader/entries directory.
Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors, like:
- https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#LD_PRELOAD
- https://www.kicksecure.com/wiki/Root#Prevent_Malware_from_Sniffing_the_Root_Password
Caution
If you do these steps out of order, it is possible to end up without the ability to administrate your system. You will not be able to use the traditional GRUB-based method of fixing mistakes like this, either, as this will leave your system in a broken state. However, simply rolling back to an older snapshot of your system, should resolve the problem.
adduser adminusermod -aG wheel adminpasswd adminreboot
Note
We log in as admin to do the final step of removing the user account's wheel privileges in order to make the operation of removing those privileges depend on having access to your admin account, and the admin account functioning correctly first.
- Log in as
admin gpasswd -d {your username here} wheelreboot
When not in the wheel group, a user can be added to a dedicated group, otherwise certain actions are blocked:
- use virtual machines:
libvirt - use
adbandfastboot:plugdev - use systemwide flatpaks:
flatpak
Some actions don't have an associated group yet, you can create your own rules and groups to fix this.
Example: To allow a non-wheel user to use LUKS encrypted external drives:
sudo groupadd diskadminsudo usermod -aG diskadmin {your username here}- execute this command (explanation below)
cat >> /etc/polkit-1/rules.d/80-udisks2.rules <<EOF
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.udisks2.encrypted-unlock-system" || action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&
subject.active == true && subject.local == true &&
subject.isInGroup("diskadmin"))
{
return polkit.Result.YES;
}
});
EOF
The custom rule allows the groupdiskadmin to do the actions for unlocking and mounting these drives. Note the requirement on active and local, and the exactly specified actions.
- Go to uBlock Origin Lite (Why Lite?)
- Install it
- In the extension's settings, make sure all of the lists under Default and Miscellaneous are checked (and at your preference, lists in the Annoyances section or country-specific lists)
Please see the description for release v2.2.0