Hey! I’m currently on Fedora Workstation and I’m getting bored. Nothing in particular. I’ve heard about immutable distros and I’m thinking about Fedora Kinoite. The idea is interesting but idk if it’s worth it. CPU and GPU are AMD. Mostly used for gaming.

  • hottari@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    Why do all these immutable distros not support use of secure boot and/or TPM. If there was one that made it a breeze to configure this and made using my AURs easy as well I probably could give immutable a chance. But ATM it all looks like I’ll have to wait until a major corp like Ubuntu made & supported an immutable version so we can get these quirks hashed out.

    • russjr08@outpost.zeuslink.net
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      I believe Universal Blue supports Secure Boot, since they specifically went to make it work for even Nvidia users - I’m assuming it works similarly for the non Nvidia variants or maybe just uses Fedora’s default keys? I’m not too well versed in how SB works.

      Then it also comes with Distrobox so you can just spin up an Arch container and use AUR apps through there.

      • hottari@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        RedHat & Debian family desktop distros use a key that is signed by Microsoft for supporting secure boot. For compatibility reasons mostly as some hardware will brick when the MS signed keys are not found. But I prefer to sign my own keys and enroll them as I currently do with sbctl. I have no need for extra kernel modules/drivers as Nvidia users would (seems like a hacky workaround if the kernel can’t ship the drivers and signing your own kernel makes the situation even more complicated).

        However I have been meaning to try Distrobox, if I get around to trying out immutable I will give it a good run.

        • russjr08@outpost.zeuslink.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Ah gotcha, I appreciate the info! I hope that someday a better solution for managing secure boot will work with immutable distros in the future then, so that you have a chance to give it a try (if you want to, of course).

          • hottari@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Am already sold on immutable distros as the future of desktop Linux. 8/10 applications that I use today are flatpaks or dockers. That remaining 20% of the work to be done on immutable is what am anxious about.

      • hottari@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Yeah. Came across it when it was released. It’s still considered experimental.

        And am sure NixOS is great but it definitely is a weird operating system.

    • ndonkersloot@feddit.nl
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I’m not sure what you mean exactly but I use Silverblue with secureboot on and a LUKS encrypted drive using a fido2 key. To my knowledge I also could configure the use of TPM to store my key but find that setup not to my liking.

      • hottari@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        This summary should cover my main concerns with current secure boot implementations on the major distros. Ignore everything else other the linked part. I also would not want to be forced to use grub as the bootloader.

        Curious. What did you not like about using TPM to store keys in your setup? I use TPM for secure state validation & automatic decryption of my LUKS drive, it’s great and also acts as a tripwire for secureboot state.

        I could build a custom version of Silverblue (u-Blue) to replicate what I already have setup, but none of this would be supported configuration. All this is not entirely to blame on on immutable distros (traditional distros don’t give a damn about secure boot either way), just that to mess around within /etc is a no-no in such a model so to get multiple pre-configured options for secureboot configs/keys that work seamlessly would be a great experience for me.

        • ndonkersloot@feddit.nl
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          My (maybe flawed?) thoughts: Why bother with full disk encryption if one could just boot the notebook to undo the encryption?

          Using my yubico fido 2 key in combination with a small PIN I can easily decrypt my LUKS drive and know nobody else can decrypt it as long as I have my yubico with me.

          What do you think of this?

          • hottari@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            My (maybe flawed?) thoughts: Why bother with full disk encryption if one could just boot the notebook to undo the encryption?

            If it were that easy to do, we wouldn’t have even bothered with doing disk encryption in the first place. And it’s not like cracking TPMs is a walk in the park.

            Using my yubico fido 2 key in combination with a small PIN I can easily decrypt my LUKS drive and know nobody else can decrypt it as long as I have my yubico with me.

            This definitely could help in a scenario where an attacker has only your notebook but for it to make a difference your attacker must not be able to access your Yubikey and/or compel you to hand it over.

            As long as your LUKS drive is encrypted (TPM or not, Yubikey or not), you are relatively safe from an unauthorized party trying to access your data. Either of these attestation tools add a layer of defense for your encrypted drive.