Secureblue for Default TemplateVM and Dom0?

Nothing.
I believe SELinux Fedora may be a better choice, but I don’t have time to look into this, so I am continuing with the setup I use.

1 Like

Could you explain how secureblue is more hardened than Kicksecure?

Wayland is a display server protocol designed to replace the X11 (X Window System) protocol.

What is the status of Wayland support in QubesOS?

1 Like

I find that the Kicksecure template install and distromorphing are buggy at present.

Anybody have issues?

1 Like

Just wait until they release an official KickSecure template. They are working on it.

1 Like

have you tried secureblue?

Where can I install secureblue? Their .iso is not present on their site or GitHub.

1 Like

To install secureblue, you will use a Fedora Atomic (or CoreOS, for securecore) ISO to install Fedora Atomic, then rebase to a secureblue image using the installer. Unless specified otherwise, secureblue is used to refer to both the secureblue set of images and the securecore set of images, for the sake of brevity. The install script presented in a later step lets you choose between them. You must start from a Fedora Atomic ISO for secureblue desktop images, and must start from a Fedora CoreOS ISO for securecore images.

They don’t offer an ISO. You have to install the ISO image you want from the Fedora website and then rebase to secureblue.

2 Likes

Since secureblue relies on Wayland it’s not clear to me that this will work as a template, and certainly not as a dom0 replacement. Or have you tried this and have it working?

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

It might be a better idea to integrate the Nix programming language and package manager into Fedora.

1 Like

“I would rather use Kicksecure:”
Why?
“I use and trust Whonix (based on Kicksecure), therefore I trust adrelanos as well.”

This means you place more trust in Whonix, over secureblue?
“Yes.”

This is due to more trust in the lead developers of Whonix?
“Yes”

Hilarious. Someone with a lot of post history managed to drive this thread into the ground before it even began by advertising their garbage preference and basically admitting they have nothing behind their reasoning for it other than vibes and “I trust these guys more, bro”.

To quote the GrapheneOS developer account on the GOS forum (likely logged into by Daniel Micay for this post):

"Kicksecure has very poor security and is not a hardened OS at all. It inherits the poor security of Debian and has almost no actual hardening included. They used to have more hardening than they do now but dropped nearly all of it. The person who was working on most of it stopped contributing and what’s left is a project claiming to be hardened while being significantly worse than many mainstream Linux distributions like Fedora. Kicksecure is even trying to interfere with actual hardening efforts and spreading misinformation about projects like hardened_malloc to discourage people from using them. Kicksecure doesn’t do useful work and is harming people. Neither Kicksecure or Whonix is trustworthy and the fact that Whonix gets so frequently naively promoted is problematic. Whonix should be completely replaced by a serious project with developers who understand and care about security.

The secureblue project is doing actual hardening work while Kicksecure largely does the complete opposite."

If you actually read the documentation for the different projects you will notice a stark difference in attitude. KickSecure reads like the developer is confident in what he is offering, while the project itself is devoid of meaningful security improvements; its Debian base is shaky ground to build on, and not all that much has been built. To quote the Kicksecure Features page: “Linux is highly reliable and secure. It is Open Source and freedom paradigm sets it apart from other OS. That’s why Kicksecure is based on Linux.” What is this, 2012? We know Linux has nothing going for it EXCEPT that it’s open source. This is just a fact, and for Kicksecure to have such outdated propaganda on their website should be an obvious red flag for anyone who knows anything about operating system security.

secureblue, on the other hand, bases itself on Fedora Atomic and CoreOS for sane updates and a better starting point. The devs make no effort to hype the project above its virtues; they say outright how poor Linux security is (it’s lagging decades behind macOS and Windows at this point) and tell you “if you already intend to use Linux, our goal is to give the most secure option available”, and they deliver on this with Fedora Atomic, Hardened Malloc, Trivalent (their own hardened browser) and more REAL security features, listed in an easy to read format here: Features | secureblue

Conversely, Kicksecure’s feature page is bloated with unnecessary graphics and side scrolling, making it a chore to read even without the fluff “features” (example: being based on Linux is a feature…??). The vast majority of Kicksecure’s improvements are simple configuration choices, the same of which have been made by the secureblue devs.

TLDR
secureblue is based on Fedora and includes meaningful security improvements like Hardened Malloc and a security-focused browser. The devs don’t promise more than they can provide.

KickSecure promises a lot and delivers little; the website is filled with jargon and the dev makes what I would call poor decisions, like abandoning Hardened Malloc (Hardened Malloc).

4 Likes

Interesting point. I would like to see some discussion on it. I never understood why these security-focused OSes don’t base themselves on Atomic/Immutable desktops, which have been proven to offer superior security & stability.

1 Like

Some good points raised here, some of which I personally agree with. Though I probably wouldn’t have called out other people’s opinions as garbage as my opening post on the forum; please ensure to keep messaging less personal. We are all free to disagree with each other, and we are all free to have our opinions that others disagree with, but please do it politely.

3 Likes

Apologies about that, I joined in a bit of a huff. I will make sure my future posts are held to a stricter standard.

2 Likes

The thing with immutability of the base operating system image is that it in and of itself does not provide any additional security at all. In fact, SecureBlue does not use immutability to provide any security today. Immutability is however an absolutely necessary stepping stone to get boot security, which can help prevent malware persistence, but the immutable image must also be protected by a signed hash tree, verified by a chain of trust starting in the BIOS, preferably Secure Boot with custom keys. This is what Android and iOS do, for example.

Still, it is very true that KickSecure offers little to no security or privacy improvements on top of Debian. Little enough, that switching is hardly warranted. SecureBlue on the other hand offers many tangible security and privacy improvements, including:

  • An app sandbox (FlatPak) to prevent a compromised app from accessing your data, other apps, or privacy sensitive hardware such as web cameras. I have not audited the security of FlatPak, but it is clearly a step in the right direction towards what Android and iOS have, and a strong improvement in security and privacy in the same spirit QubesOS tries to achieve with separate qubes. KickSecure offers nothing for user-installed apps; they are all granted full permissions to everything, including reading and destroying all your files and accessing all your hardware.

  • Trivalent, a Chromium fork with secure default settings and privacy by default, and all telemetry patched out. Such a web browser seems like a very basic requirement for any distribution that calls itself security and privacy focused, to at the very least not call home. Yet, KickSecure ships Firefox. They talk at length on their wiki about how bad of a choice that is, but haven’t done anything about it.

  • Hardening features for code written in unsafe languages such as C/C++. Let’s face the fact: most hardware drivers, operating system components and apps we use are old, and written in a time where C/C++ were seen as acceptable languages to use. Porting a mature app to a new language is an unfeasible undertaking for most projects. So we are stuck with all this code. What we at the very least can do is try to harden the code as much as possible. QubesOS’s idea of that is to put network and USB drivers in separate qubes, so they are isolated, and the same for groups of apps. SecureBlue instead takes the GrapheneOS approach, and patches the malloc implementation with one that can detect more attack patterns, so that attacks exploiting memory safety issues aren’t just contained, but stopped. KickSecure is… not doing anything. No, removing sudo isn’t doing something; all your sensitive data is still accessible, as is privacy sensitive hardware like web cams, without any root rights.

KickSecure is highly criticized among those that know security and privacy. Yeah, Debian is an extremely poor choice of a base OS by today’s standards. They haven’t improved security at all in 15 years, and show no interest to. Debian was a great choice, but that was a long time ago. Yet, Tails and Whonix, both based on Debian too, offer something. Tails offers strong and reliable anti-forensics features and pretty good isolation of Tor Browser, and Whonix offers strong security boundaries and thus prevents exposure of your real identity in case of compromise due to its division into two separate virtual machines. KickSecure… offers nothing.

2 Likes
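What a canary-checking allocator actually catches, as an added illustration that is not hardened_malloc’s code and not from secureblue, Kicksecure or the post above: each buffer gets a secret value stored right behind it, and free() verifies that value, so a linear overflow from a missing bounds check is reported when the buffer is released rather than silently trashing the next allocation. hardened_malloc performs this check (among several others) on its slab allocations; the secret derivation, the 16-byte demo buffer and the DEMO_SLACK padding are assumptions of this illustration.

```c
/* Added illustration, not hardened_malloc's code: an allocator wrapper that
 * stores a random canary immediately after each buffer and checks it on
 * free. hardened_malloc does this (among other checks) for its slab
 * allocations, so a linear heap overflow is caught at free() instead of
 * silently corrupting the next allocation. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metadata kept in front of the user buffer. */
typedef struct { size_t size; uint64_t canary; } hdr_t;

/* Slack after the canary so this demo's deliberate overrun stays inside the
 * memory we really own; a real allocator has neighbouring allocations there. */
#define DEMO_SLACK 64

/* One secret per process. A real allocator seeds this from the kernel's
 * CSPRNG; here the address of a static is mixed in only so the value is not
 * a compile-time constant. The low byte is zeroed so a string read that runs
 * into the canary stops at a NUL instead of leaking the rest of it. */
static uint64_t canary_secret(void) {
    static uint64_t secret;
    if (secret == 0) {
        uint64_t x = 0x9e3779b97f4a7c15ULL ^ (uint64_t)(uintptr_t)&secret;
        x *= 0xbf58476d1ce4e5b9ULL;
        secret = (x ^ (x >> 31)) & ~(uint64_t)0xff;
        if (secret == 0) secret = 0x5a5a5a5a5a5a5a00ULL; /* never an all-zero canary */
    }
    return secret;
}

void *canary_malloc(size_t n) {
    size_t padded = (n + 7) & ~(size_t)7;          /* keep the canary 8-byte aligned */
    unsigned char *raw = malloc(sizeof(hdr_t) + padded + sizeof(uint64_t) + DEMO_SLACK);
    if (!raw) return NULL;
    hdr_t *h = (hdr_t *)raw;
    h->size = padded;
    h->canary = canary_secret();
    unsigned char *user = raw + sizeof(hdr_t);
    memcpy(user + padded, &h->canary, sizeof(uint64_t)); /* canary sits right after the buffer */
    return user;
}

/* Returns 0 when the canary is intact, -1 when it has been overwritten.
 * hardened_malloc treats the latter as fatal and aborts the process. */
int canary_free(void *p) {
    if (!p) return 0;
    unsigned char *user = p;
    hdr_t *h = (hdr_t *)(user - sizeof(hdr_t));
    uint64_t found;
    memcpy(&found, user + h->size, sizeof found);
    int intact = (found == h->canary);
    free(h);
    return intact ? 0 : -1;
}

/* Copy `src` into a 16-byte allocation with no length check (the bug), then
 * release it; the return value tells whether the allocator noticed. */
int copy_and_release(const char *src) {
    size_t len = strlen(src);
    if (len + 1 > 16 + sizeof(uint64_t) + DEMO_SLACK) return -2; /* keep the demo itself in bounds */
    char *buf = canary_malloc(16);
    if (!buf) return -2;
    memcpy(buf, src, len + 1);
    return canary_free(buf);
}

int main(void) {
    printf("in-bounds copy:   %d\n", copy_and_release("fits in 16"));
    printf("overflowing copy: %d\n", copy_and_release("this string is much longer than 16 bytes"));
    return 0;
}
```

Two properties of the scheme are worth seeing on purpose: an overrun that writes only the terminating NUL one byte past the end is not detected, because the canary’s low byte is already zero (a deliberate trade that stops the canary leaking through string functions), while anything longer is. Real hardened allocators layer guard pages, out-of-line metadata and randomized slot placement on top of this, which is why the wrapper above is an illustration of one check and not a substitute for one of them.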

To quote the GrapheneOS developer account on the GOS forum (likely logged into by Daniel Micay for this post)

I cannot reply there, nor can anyone else with an opposing viewpoint, because I am presumably unwelcome due to disagreements on highly technical issues, primarily, I guess, the following disagreements:

The person who was working on most of it stopped contributing

That might suggest there was some kind of fallout with the contributor; however, this was not the case.

Since no references are omitted, I guess this is referring to madaidan. However, unfortunately madaidan is MIA (missing in action).

misinformation

All disagreements are being mis-characterized as “misinformation”.

trying to interfere with actual hardening efforts and spreading misinformation about projects like hardened_malloc

to discourage people from using them.

For context, wiki page Hardened Malloc uses wiki keyword __NOINDEX__. Quote Wikipedia:

The noindex value of an HTML robots meta tag requests that automated Internet bots avoid indexing a web page.

This is done deliberately to prevent the page from appearing in Google and other search engine results. The intention is to minimize drama. Discussion about hardened malloc is not a core activity of the project. Those interested in Kicksecure’s development and integration perspective can find the details; otherwise, the topic is considered sufficiently addressed.

Since the topic was raised again, it seems important to clarify the following.

The term “misinformation” appears to reference, though not directly cited, the wiki chapter Deprecation in Kicksecure (from the noindexed page).

Here is what may be the relevant controversial statement:

Unclear Benefit: See chapter Tickets and Discussions. Whenever it has been suggested to other projects to port to Hardened Malloc (HM), it did not get favorable reviews from other developers.

What is written there:

This material consists primarily of public links and documented developer feedback. If there are any factual inaccuracies, clarification would be welcome.

Only two distributions, to the best of current knowledge, use Hardened Malloc by default: GrapheneOS and secureblue. As such, Kicksecure has not adopted it yet. That position could change with broader adoption, more positive reviews from independent experts, and availability in Debian.

Neither Kicksecure or Whonix is trustworthy

This is a subjective judgment.

Related: Placing Trust in Kicksecure

Kicksecure doesn’t do useful work and is harming people.

“harming people”: Such a serious accusation should be supported with clear, objective evidence. Disagreement on complex technical matters alone does not constitute harm.

“no useful work:” As for the claim of “no useful work”, such a conclusion appears dismissive. A single example security-misc by Kicksecure demonstrates active technical contributions. A broader and more constructive critique would be more helpful to the community.

If you actually read the documentation for the different projects you will notice a stark difference in attitude, KickSecure reads like the developer is confident in what he is offering

Confidence is a subjective judgment.

Is confidence inherently negative? Some users value confidence; others may prefer more tentative language. Across the Kicksecure documentation, phrases such as “might”, “could be”, and “probably” are used frequently. This could be interpreted as cautious (a positive trait) or uncertain (a negative one), depending on perspective.

Security researchers often refer to themselves as such rather than as “security experts,” due to the high scrutiny in the field. Labels like “expert” can be seen as presumptuous or as justified, again depending on interpretation.

Throughout the Kicksecure documentation a high frequency of words such as “might”, “could be”, “probably” can be observed. This could be labeled “unconfident” (negative label) or “cautious” (positive label).

An example of a write-up being very unconfident in computer security: About Computer (In)Security

to quote the Kicksecure Features page “Linux is highly reliable and secure. It is Open Source and freedom paradigm sets it apart from other OS. That’s why Kicksecure is based on Linux.” what is this 2012? we know Linux has nothing going for it EXCEPT it’s opensource. This is just a fact, and for Kicksecure to have such outdated propaganda on their website should be an obvious red flag for anyone who knows anything about Operating System security.

Conversely, Kicksecure’s feature page is bloated with unnecessary graphics and side scrolling,

Compared to what? Got any alternative? Qubes, Xen? OK, but that’s not an “either/or”; it can be “and”.

The homepage is primarily targeted at visitors who’ve never heard (much) of Linux, i.e. Windows users. How the homepage should look can be a highly opinionated matter. For example, the original poster in Is graphene os a little to intimidating? - GrapheneOS Discussion Forum was arguing for making the GrapheneOS homepage look more like the Whonix homepage.

Much more technical write-ups can be found in the wiki.

secureblue on the other hand bases itself on Fedora Atomic and Core for Sane updates and a better beginning point.

Immutable has advantages and disadvantages.

(its lagging decades behind MacOS and Windows at this point)

Windows and macOS are not even in the same category:

listed in easy to read format here Features | secureblue

A less graphical, more textual, more summarized security feature overview is available here:

the vast majority of Kicksecure’s improvements are simple configuration choices

It is unclear how that could be objectively quantified.

the vast majority of Kicksecure’s improvements are simple configuration choices the same of which have been made by the secureblue Devs.

Some of the configuration choices have been copied over from Kicksecure to secureblue. Quote Comparison of secureblue with Kicksecure and Development Notes

secureblue /etc/sysctl.d/hardening.conf file as of commit a6b58f042b0e9e9036a6d68a5b202eed96a1a892 was inspired by, more or less copied and pasted from Kicksecure as can be seen from the following comment found in that file.

## Prevent kernel info leaks in console during boot.
## https://phabricator.whonix.org/T950
kernel.printk = 3 3 3 3

verified by a chain of trust starting in the BIOS, preferably Secure Boot with custom keys.

You might like the upcoming Sovereign Boot.

A vendor-neutral mechanism to allow operating systems and users to adopt UEFI Secure Boot without relying on Microsoft’s Secure Boot key.

(Based on this idea of mine.)

Sovereign Boot Provisioning Wizard is an UEFI application designed to guide end users through the provisioning of UEFI Secure Boot. The objective is to offer a user-controllable mechanism for managing platform trust relationships and establishing UEFI Secure Boot infrastructure, with a primary focus on transparency, informed consent, and usability.

Unlike traditional firmware interfaces, which expose UEFI Secure Boot as a collection of loosely connected toggleable settings and unmanaged certificate stores, this application presents a coherent, wizard-like experience. Its purpose is to make the process of reviewing and enrolling platform keys intuitive for users who are not security experts.

References:

  • An app sandbox (FlatPak)

Flatpak / Flathub has many issues:

Such a web browser seems like a very basic requirement for any distribution that calls itself security and privacy focused, to at the very least not call home. Yet, KickSecure ships Firefox. They talk at lengths on their wiki about how bad of a choice that is, but hasn’t done anything about it.

No, removing sudo isn’t doing something, all your sensitive data is still accessible, as is privacy sensitive hardware like web cams, without any root rights.

The security of non-root enforcement generally

It’s futile to argue that non-root enforcement cannot improve the security of the system (in case of Qubes, of an App Qube).

Non-root enforcement is the industry standard for Android [1], iOS and any locked down Linux based operating system.

4 Likes

Is this needed though? How hard can it be for a user to follow instructions to put Secure Boot into Setup Mode, after which the installation program can just enroll its own custom keys (PK+KEK+db)?

Still interesting. Thanks for mentioning.

True. Flatpak has some well-known issues, some of which are partially mitigated by SecureBlue. But running apps without any sandboxing at all is hardly an option IMO.

Which browsers would be offered? Would Trivalent or LibreWolf be offered? Will browsers with telemetry be clearly marked as such? Will the browser choice work in QubesOS, or what will be done there? Just curious.

1 Like
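For the “chain of trust starting in the BIOS, preferably Secure Boot with custom keys” point and the PK+KEK+db enrollment discussed just above, here is what the enrollment data actually looks like, as an added example that is not code from secureblue, Kicksecure or the Sovereign Boot project. Whatever enrolls keys from Setup Mode (a firmware wizard, an installer, or efitools’ cert-to-efi-sig-list) serialises each certificate as an EFI_SIGNATURE_LIST, and anything that later reads db back has to validate the length fields before walking the entries. The sample certificate bytes and the owner GUID below are constructed placeholders; the PKCS#7 authentication wrapper required to write the variable is out of scope.

```c
/* Added example, not code from secureblue, Kicksecure or the Sovereign Boot
 * project: serialising and validating the EFI_SIGNATURE_LIST structure that
 * custom PK/KEK/db enrollment writes into the UEFI variables. Layout per the
 * UEFI specification (Image Authentication -> Signature Database). The
 * EFI_VARIABLE_AUTHENTICATION_2 (PKCS#7) wrapper needed to actually write
 * the variable is out of scope here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } efi_guid_t;

/* EFI_CERT_X509_GUID = a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
static const efi_guid_t EFI_CERT_X509_GUID = {
    0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72}};
/* SignatureOwner: any GUID chosen by whoever enrolls the key (constructed placeholder). */
static const efi_guid_t OWNER_GUID = {
    0x11111111, 0x2222, 0x3333, {0x44, 0x44, 0x55, 0x55, 0x66, 0x66, 0x77, 0x77}};

enum { ESL_HDR = 28, ESD_HDR = 16 };  /* list header size; per-entry owner GUID size */

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* GUIDs are stored with the first three fields little-endian and d4 verbatim. */
static void put_guid(uint8_t *p, const efi_guid_t *g) {
    put_le32(p, g->d1); put_le16(p + 4, g->d2); put_le16(p + 6, g->d3); memcpy(p + 8, g->d4, 8);
}
static int guid_eq(const uint8_t *p, const efi_guid_t *g) {
    uint8_t tmp[16]; put_guid(tmp, g); return memcmp(p, tmp, 16) == 0;
}

/* Encode one DER certificate as an EFI_SIGNATURE_LIST holding a single
 * EFI_SIGNATURE_DATA entry. Returns bytes written, 0 if out is too small. */
size_t esl_from_x509(const uint8_t *der, size_t der_len, const efi_guid_t *owner,
                     uint8_t *out, size_t out_cap) {
    size_t sig_size = ESD_HDR + der_len, total = ESL_HDR + sig_size;
    if (der_len == 0 || total > out_cap || total > UINT32_MAX) return 0;
    put_guid(out, &EFI_CERT_X509_GUID);          /* SignatureType */
    put_le32(out + 16, (uint32_t)total);         /* SignatureListSize */
    put_le32(out + 20, 0);                       /* SignatureHeaderSize (0 for X.509) */
    put_le32(out + 24, (uint32_t)sig_size);      /* SignatureSize = owner GUID + DER */
    put_guid(out + ESL_HDR, owner);              /* SignatureOwner */
    memcpy(out + ESL_HDR + ESD_HDR, der, der_len);
    return total;
}

/* Walk a variable's contents (db is normally several concatenated lists).
 * Returns the number of X.509 entries equal to `der` (all X.509 entries if
 * der is NULL), or -1 if any length field is inconsistent: a reader that
 * trusts SignatureListSize/SignatureSize blindly walks out of bounds. */
int esl_scan(const uint8_t *buf, size_t len, const uint8_t *der, size_t der_len) {
    int hits = 0;
    for (size_t off = 0; off < len;) {
        if (len - off < ESL_HDR) return -1;
        const uint8_t *hdr = buf + off;
        uint32_t list_size = get_le32(hdr + 16), hdr_size = get_le32(hdr + 20),
                 sig_size = get_le32(hdr + 24);
        if (list_size < ESL_HDR || list_size > len - off || sig_size <= ESD_HDR ||
            hdr_size > list_size - ESL_HDR ||
            (list_size - ESL_HDR - hdr_size) % sig_size != 0)
            return -1;                           /* entries must tile the list exactly */
        if (guid_eq(hdr, &EFI_CERT_X509_GUID))
            for (size_t e = ESL_HDR + hdr_size; e < list_size; e += sig_size) {
                const uint8_t *body = hdr + e + ESD_HDR;
                size_t body_len = sig_size - ESD_HDR;
                if (!der || (der_len == body_len && memcmp(body, der, body_len) == 0)) hits++;
            }
        off += list_size;
    }
    return hits;
}

/* Constructed stand-ins for DER certificates (real ones are around 1 KiB). */
static const uint8_t SAMPLE_CERT_A[7] = {0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03};
static const uint8_t SAMPLE_CERT_B[9] = {0x30, 0x07, 0x02, 0x05, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e};

/* Build a db holding both sample certs (51 + 53 bytes), optionally truncate
 * it, then scan it for `der` (NULL = count every X.509 entry). */
int sample_db_scan(const uint8_t *der, size_t der_len, size_t truncate_by) {
    uint8_t db[256];
    size_t n = esl_from_x509(SAMPLE_CERT_A, sizeof SAMPLE_CERT_A, &OWNER_GUID, db, sizeof db);
    n += esl_from_x509(SAMPLE_CERT_B, sizeof SAMPLE_CERT_B, &OWNER_GUID, db + n, sizeof db - n);
    return truncate_by > n ? -1 : esl_scan(db, n - truncate_by, der, der_len);
}

int main(void) {
    static const uint8_t unknown[4] = {0x30, 0x02, 0x05, 0x00};
    printf("entries in db:         %d\n", sample_db_scan(NULL, 0, 0));
    printf("cert A enrolled:       %d\n", sample_db_scan(SAMPLE_CERT_A, sizeof SAMPLE_CERT_A, 0));
    printf("unknown cert enrolled: %d\n", sample_db_scan(unknown, sizeof unknown, 0));
    printf("truncated db parses:   %d\n", sample_db_scan(NULL, 0, 1));
    return 0;
}
```

The same scan is how a provisioning wizard can show a user what is already trusted before enrolling anything, and the rejection of a truncated or internally inconsistent list is the check a reader needs so that a malformed variable cannot push it past the end of the buffer.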