Hi, I’m in a process of making fast, (extrenely) secure, and modern laptop. Currently I have Arch Linux with encrypted root partition (unlocked with Nitrokey or long password), secure boot, linux-hardened, firewalld, etc.
I’m running linux-hardened with custom config. I enabled AMD SME, kernel lockdown, added some xanmod patch for more specific cpus, and disabled some unnedded drivers (only those that I’m 100% sure I don’t need - Intel, NVidia, Microsoft, Google, Amazon, Virtio). Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process? After doing that I will try to compile it with -O3 and LTO. Do you know any patches for performance?
I’m planning to enable encrypted swap, install ClaimAV and install flatpak versions for every non open-source app I have.
I also want to have SELinux. Does anyone know where can I learn it? I had it on Fedora and it was not fun using it.
What are other ways I can make my laptop more secure?
Look into installing AppArmor instead of SELinux. AppArmor is easier to configure, and SELinux is not officially supported on Arch.
Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process?
Step 1: Buy a faster CPU.
The only thing you could do is ccache but that’s just a cache and can get invalidated whenever.
After doing that I will try to compile it with -O3 and LTO.
Don’t use
-O3, especially when your goal is to harden. It has no measurable benefit beyond measurement bias due to memory layout changes and some of its optimisations may produce wrong code which is a big no-no if your goal is to harden.install ClaimAV
Are you planning to host a file share for Windows system or what are you trying to achieve using ClamAV?
install flatpak versions for every non open-source app
You’re going to such lengths and even consider snake oil in order to “harden” your system and then you’re telling me you want to run proprietary (often known malicious) software on it?
What are you trying to achieve here? What do you want to protect against whom? Create a proper threat model before you wildly apply “hardening” that is likely ineffective at protecting against the threats that actually matter to you.
I also want to have SELinux.
Good luck with that. Distros with proper SELinux setups (i.e. Android, Redhat) employ teams of people to write SELinux rules for them.
I won’t discourage you from learning SELinux but know that setting up SELinux for your entire system when the distro does not support it already is not something you can realistically achieve on your own.
There are also some kernel settings that you may find useful. Currently I am on the mobile and cannot remember the names. Text me if you need help
Network:
Enable rp and arp filter
Disable IP forwarding if you don’t use docker
Disable tcp timestamp
Disable icmp broadcast
Enable syncookies
Enable source route checking
Other:
Enable hard and soft link protection (it is may broke your system, use carefully)
Enable kptr restrict
Disable kexec
Disable sysrq
Enable randomize virtual memory address
Disable JIT for ebpf programms
Disable loading drivers via modprobe in live kernel.
Also check which hardware mitigations is disabled in your kernel. (Spectre, meltdawn) You may enable KASL
Also use selinux or apparmor. I prefer Selinux.
Enable auditd and configure it for auditing actions that your find useful.
(arch still use systemd)
and linux still not have base system software sandboxed (you can’t enforce)
Currently it takes ~50 minutes to recompile the kernel
try make with -j
I have
-j12who cares how much money do you have, perhaps you have smt enabled?
