99
Opinions on immutable distros
(lemmy.zip)
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
Why do all these immutable distros not support use of secure boot and/or TPM. If there was one that made it a breeze to configure this and made using my AURs easy as well I probably could give immutable a chance. But ATM it all looks like I'll have to wait until a major corp like Ubuntu made & supported an immutable version so we can get these quirks hashed out.
I'm not sure what you mean exactly but I use Silverblue with secureboot on and a LUKS encrypted drive using a fido2 key. To my knowledge I also could configure the use of TPM to store my key but find that setup not to my liking.
This summary should cover my main concerns with current secure boot implementations on the major distros. Ignore everything else other the linked part. I also would not want to be forced to use grub as the bootloader.
Curious. What did you not like about using TPM to store keys in your setup? I use TPM for secure state validation & automatic decryption of my LUKS drive, it's great and also acts as a tripwire for secureboot state.
I could build a custom version of Silverblue (u-Blue) to replicate what I already have setup, but none of this would be supported configuration. All this is not entirely to blame on on immutable distros (traditional distros don't give a damn about secure boot either way), just that to mess around within /etc is a no-no in such a model so to get multiple pre-configured options for secureboot configs/keys that work seamlessly would be a great experience for me.
My (maybe flawed?) thoughts: Why bother with full disk encryption if one could just boot the notebook to undo the encryption?
Using my yubico fido 2 key in combination with a small PIN I can easily decrypt my LUKS drive and know nobody else can decrypt it as long as I have my yubico with me.
What do you think of this?
If it were that easy to do, we wouldn't have even bothered with doing disk encryption in the first place. And it's not like cracking TPMs is a walk in the park.
This definitely could help in a scenario where an attacker has only your notebook but for it to make a difference your attacker must not be able to access your Yubikey and/or compel you to hand it over.
As long as your LUKS drive is encrypted (TPM or not, Yubikey or not), you are relatively safe from an unauthorized party trying to access your data. Either of these attestation tools add a layer of defense for your encrypted drive.