Secureblue?

I have recently been reading about secureblue. A hardened linux based on fedora. For my hardened qube I have normally used kicksecure (by merging it from a debian template). However apparently secureblue is supposed to be more secure than kicksecure due to having hardened malloc etc which is used on GrapheneOS.

The main resources I have been reading from concerning this are from GrapheneOS. They say kicksecure is actually not very secure and may even be less secure than debian. Now I am in no way a security expert by any measure. I do know how to use linux adequately as a user but know nothing of deep kernel modifications or complex configurations so have no way of verifying this information myself.

The main source that I trust when it comes to security is the Qubes team, and I was wondering if anyone could tell me first of all if secureblue actually is more secure than kicksecure, and secondly if there are any plans for qubes to have secureblue templates.

The strange thing is that the GrapheneOS people also said Whonix was quite insecure, which I find strange - but as I said, I am no security expert by any means so could be true for all I know, so wanted to just check what the general opinion of this is here.

There have also been some concerns about debian. That it may be inherently an insecure OS due to its conservative application updates, often leaving out security updates on applications (in its repositories) until the next major release.

I am reading lots of conflicting views concerning these two systems (kicksecure vs secureblue), and as I don’t have the knowledge to really know for myself, it has really been bothering me.

Luckily with QubesOS, the actual template isn’t super important because if it gets breached it can’t breach the rest of the system but I would still like some clarity on this issue!

Whonix and kicksecure are very similar and IIRC maintained by the same people. To make it simple at the expense of some (but not many) details, Whonix is kicksecure with TOR.

Yes I have seen some of the…interesting…things Daniel Micay has said in his usual style. However, a person's personality in and of itself is not a guarantee that their core points are wrong. Of course, I would much prefer him to speak in a more matter of fact way with less emotion and rage as for someone like me, who doesn’t understand computer security at the very deep levels, it just makes it all more complicated. I have used kicksecure myself and have never had a problem with it, and I have never come across any group that claims whonix is insecure other than the GrapheneOS crowd.

What makes you think Secureblue is highly shady? I know hardly anything of it and I don’t use any social media, even matrix rooms for open source projects, so I am obviously very out of the loop on such issues!

Yes that is right. Kicksecure has all the security implementations of whonix, just without TOR. Although it by default does do updates by TOR. I personally disabled this feature as my security model doesn’t require TOR but I see how overall it is beneficial. I guess one of the worrying things about IF kicksecure was actually not secure is obviously that whonix would also not be secure which would be very sad for internet freedom. While I don’t personally use whonix I do understand how important it is for global internet freedom.

This is interesting. That would make secureblue practically useless. I know secureblue uses a modified chromium browser by default, supposedly inspired by GrapheneOS's Vanadium browser. But if firefox and most other flatpaks wouldn’t work on secureblue then yeah, that is quite useless. But technically, is that a problem with secureblue or is it a problem with flatpak/programs?

1 Like

SecureBlue is currently the most secure and privacy respecting Linux based desktop operating system out there. Yes, SecureBlue is significantly more secure than KickSecure. I will cover in what ways.

I believe QubesOS to be more secure on pretty much all fronts, but QubesOS is not a Linux based desktop operating system. I also believe Whonix, which is based on KickSecure, has better security and privacy properties than SecureBlue, but it is a special purpose operating system, and not a regular Linux desktop operating system.

I doubt that to be true. It is hard to do worse than Debian, and KickSecure’s goal is very expressively to do better than Debian on all fronts. I also doubt GrapheneOS developers have said this, since they never speak without having merits to what they say. A reference to where this was stated would be welcome.

Yes, and yes.

Relevant ticket filed by one of the QubesOS developers:

The whole Fedora vs Debian debate pretty much comes down to Fedora being far better at getting security updates out fast while Debian is notably slower, but that Debian offers reproducible builds to verify trust which Fedora does not.

Some security focused operating systems prefer quick security updates, and pick Fedora. Others prefer the perceived increased trust that Debian offers. Ideally though, Fedora would have reproducible builds too, or Debian would improve their security posture.

What makes you say that? What of everything they are doing appears shady to you? The developers are very active in the privacy community, and they have resolved many security and privacy issues that KickSecure hasn’t, so appears very competent too. Nothing with SecureBlue appears shady to me.

This is actually not true. The whole thing with Whonix is the gateway-workstation separation using virtual machines. That is what the security in Whonix relies on, and that is a very strong isolation that provides very tangible security and privacy guarantees. KickSecure itself is a very modest improvement over Debian, and it lacks that separation.

One big security and privacy improvement of SecureBlue over KickSecure is that SecureBlue has the Trivalent web browser, which is a Chromium based fork with the GrapheneOS patch series. This means SecureBlue comes with a security and privacy hardened web browser with all telemetry patched out by default. This is significant. KickSecure in the meantime comes with Firefox, without any specific hardenings applied, and with all the very privacy invasive telemetry still enabled.

Here is a ticket about KickSecure’s failure to deal with the web browser situation as of yet:

There are also many tickets and forum posts talking about it on KickSecure’s ticket tracker and forum.

Another big security and privacy improvement in SecureBlue over KickSecure is that SecureBlue comes with an app sandbox, Flatpak. This allows containing each app by default, so it cannot access your files or other apps’ data even if compromised. This is significant. KickSecure in the meantime has no such app sandboxing, and if a single app is compromised, that app gets read-write access to everything. Now, this security and privacy improvement is not super meaningful in the context of QubesOS, since QubesOS already offers a much stronger isolation between qubes, but running as a standalone desktop operating system, this is a huge security and privacy advantage of SecureBlue.

SecureBlue also contains all the same kinds of hardenings KickSecure has, such as no-suid, hardened kernel parameters, and so on, but also contains some additional security improvements, like the hardened_malloc project from GrapheneOS, which increases likelihood of stopping exploits in most apps. SecureBlue will also benefit from all the security work Fedora is doing right now in a few years, while KickSecure will miss out on that as Debian lack similar initiatives.

It is still worthwhile to mention that even if SecureBlue is the most secure and privacy respecting Linux desktop operating system out there right now, it is not anywhere near the level GrapheneOS is. It is also worth mentioning that the security improvements in SecureBlue does not matter as much in the context of QubesOS as it does when being run standalone, even if it still offers some additional hardening against exploits.

2 Likes

I don’t think it was a GrapheneOS dev that said that, just someone in the GrapheneOS community (on the forum I think).

I can see there has been a ticket there, but no replies to it? Is secureblue really being considered seriously as a future template? I can imagine that the wayland only policy of secureblue is a big obstacle (although I really do want to see wayland come to qubesos)

Yes I understand that, but the base install is the same isn’t it?

I do like the sound of this, but kicksecure says that hardened_malloc hardly works with anything, such as many programs (firefox and probably many others) not working. It also says flatpaks don’t work with it, although this is confusing as secureblues main method of installing programs is via flatpak? Are many programs incompatible with secureblue, for example, KiCad?

I haven’t given secureblue a try yet but do plan to so I can try an see for myself how program compatibility is.

Okay.

Yes.

Yes, that is a blocker, and not the only one. We won’t have a SecureBlue template before we have Wayland in QubesOS, and that is probably still at least one year into the future.

Yes, both of the two Whonix virtual machines are based on KickSecure.

I believe SecureBlue disagrees with the “hardly works with anything” part, since they have it enabled for everything by default, and don’t have exceptions, yet it works mostly fine. Though, third-party web browsers do not start, only Trivalent works.

Yeah, it is enabled for Flatpaks. That should work. I haven’t heard anything else.

Likely many, yes. They aim for high app compatibility, but security improvements are almost always at odds with app compatibility. You have to try out yourself whether the apps you want to use work or not.

Me neither :slight_smile:

One day when I have some time I will try it out for myself, and do some audits of it myself.

You can find a lot more posts where they mislead people into thinking whonix is insecure.
The whonix lead developer answered here: Secureblue for Default TemplateVM and Dom0? - #34 by adrelanos

If you read the whonix dev’s answer, you will see the non-surprising reason why GrapheneOS is saying such things: he had a different opinion on a highly technical non-whonix related topic (if you search the whonix forum you will find their discussion, it is a technically interesting read).

GrapheneOs often criticizes other projects for good reasons. But it is always a good idea to fact-check what they are saying, research the other side’s opinion / statements and to draw your own conclusion then.

2 Likes

@tealelse

Graphene is known for being UNTRUSTY, simply due to the simple fact who owns it.

This is the first time I read anything like that. A link to some solid evidence would be very welcome.

The creator of it is a mentally unstable person, very manipulative, highly insecure and often uses fear tactics against those who even question how things are and why, let alone his own actions.

How can a mentally unstable person create an OS?

Snowden once said on Twitter “I use GrapheneOS every day”. Would you say he has mental problems for trusting GrapheneOS? I am quite confused.

You can find plenty of it in the net, some things are in the archive for anyone who’s interested. Google is your friend.

Google is not my friend.

:joy:

Not sure, but Terry Davis and Stallman managed it!

lol

But seriously, as far as Micay goes, I think people these days pathologise people who are extremely passionate about their craft. Personally I like a lot of Micay's work, and while I can understand that some people might not get along well with him - that is irrelevant to whether his work is good or not. Sadly it seems that a curated “professional” image and relatable personality is more important than factual correctness.

Now I am not saying that I would agree with everything he says because to be honest at the very deep levels of system security I am not knowledgeable enough to make that judgement, hence why I ask about it here. But personality is not a reason for why someone is right or wrong.

Yeah, I am very well aware of the GrapheneOS team's hostility towards other security and privacy projects. I do believe that attitude is harmful, and not very trust inspiring. It is true Whonix does not really contain any significant security hardening beyond the workstation and gateway isolation, and none of those posts claimed Whonix or KickSecure is less secure than Debian, so nothing they said there is wrong. But it would have been possible to say that, while still encouraging and supporting other security and privacy projects. I do believe Whonix has a very important role, and the workstation-gateway isolation is very significant. I also believe GrapheneOS has a very important role, being the only security and privacy focused Android fork left now after both DivestOS and CalyxOS are no more.

I have personally audited GrapheneOS for security issues multiple times. I judge the GrapheneOS team to be very competent, the security and privacy posture of GrapheneOS is very good, and they handle reported security issues seriously.

I am not going to speculate about whether Daniel Micay has any mental health issues, I have not heard anything credible about that, just slander. I have also heard no speculations about mental health issues among other GrapheneOS developers, including the lead developer.

But I want to say one thing: Do not underestimate what a person can accomplish despite serious mental health issues.

1 Like

But I want to say one thing: Do not underestimate what a person can accomplish despite serious mental health issues.

“We are counting cards” :slight_smile:

It is not hard to deal with, and you can always just maintain a container image based on SecureBlue and layer additional X11 packages. If a template were to be made, Qubes would need to maintain their own images and bundle in Qubes specific tools anyways.

Also, while this does not matter in a Qubes environment, it matters significantly if you are going to run these guests with KVM or something else. Using X11 like Whonix essentially makes the isolation between apps useless.

I have used kicksecure myself and have never had a problem with it, and I have never come across any group that claim whonix is insecure other than the GrapheneOS crowd.

Like others have said, Debian is a very bad base to be building on. Packages go outdated and miss vulnerability fixes, and the maintainers will happily bastardize the packages for no apparent reason other than their own personal preferences. See this for example: Debian No-Feature KeePassXC Package · Issue #10725 · keepassxreboot/keepassxc · GitHub

If you ever try to do in-depth configuration of Debian, you will notice that their software behaves differently from upstream documentation, and a lot of times they invent really weird stuff instead of using standard tooling and just end up producing a far worse product. Sometimes, it is even worse than the upstream that they are basing their stuff on. An example would be how they handle initramfs generation.

The additional hardening that KickSecure provides cannot make up for the downsides of the Debian base, and it doesn’t have nearly as much hardening as SecureBlue to begin with.

Comparison of secureblue with Kicksecure and Development Notes

The page is highly misleading and misses a lot of hardening that SecureBlue actually does.

@ryrona already covered some of this, but I will expand on this a little more:

Debian offers reproducible builds to verify trust which Fedora does not

Reproducible builds mean nothing if the thing you can reliably reproduce is garbage (outdated packages with terrible downstream patching that doesn’t make any sense).

Others prefer the perceived increased trust that Debian offers.

IMHO Debian decreases trust significantly because you cannot even trust that packages will behave the same way upstream documentation says.

Kicksecure’s Wiki also says a lot of ridiculous stuff, including:

At this point, Kicksecure (and Whonix) runs primarily inside VMs. GNOME and KDE are unsuitable for Kicksecure.

This makes absolutely 0 sense. GNOME runs just fine inside of VMs and it is what I personally use outside of the Qubes environment. That cannot possibly be a justification to stick to XFCE.

but kicksecure says that hardened_malloc hardly works with anything, such as many programs (firefox and probably many others) not working.

Kicksecure’s claim here is objectively false, considering that I use hardened_malloc on almost all of my stuff, including:

  • Fedora workstations
  • Virtual Machines
  • Fedora and RHEL servers
  • Flatpak containers
  • OCI containers (yes, I port upstream containers to Alpine Linux and include hardened_malloc in there)

There are incompatibilities, but they are very few and far between.

  • Architecture support: Limited. (HM supports AMD64 architecture only, which makes Kicksecure progress towards multiple architecture support such as ARM64 and PPC harder.)

I also have 0 idea what they are trying to say here. hardened_malloc works fine on both my aarch64 Linux systems and aarch64 containers. If anything, they seem to have forgotten that hardened_malloc is written for GOS, which runs on ARM devices.

Potential future deprecation by upstream

Not happening anytime soon, especially with projects like SecureBlue using it.

Kicksecure Wiki spreads a fair bit of terrible and misleading information regarding other non-competing projects/products too, including:

1 Like

Secureblue has been my main OS this last year. Reading and carefully checking info, it seems clear that Kicksecure is less hardened and safe in comparison.

| Secureblue | Kicksecure |
| --- | --- |
| Fedora: modern, fast updates | Debian: more conservative with updates |
| Sandboxed apps + Flatseal | Apt (optional Flatpak) |
| hardened_malloc | Basic glibc malloc |
| SELinux | AppArmor, more basic |
| Wayland forced | X11 still supported despite known safety vulns |
| New kernels | Older, more stable ones |
| Modern Clang/LLVM hardening | Classic mitigations (fortify_source, pie, relro…) |
| Immutable | Mutable |

Speaking of Secureblue stability:
Being an immutable/atomic OS, I always have a previous version. This dramatically reduces any possibility of having my OS broken without the possibility to do anything.
The rebase command is amazing to easily switch to another version or Fedora immutable OS and also window manager. A lot of fun with this.
I never had any broken OS installation in this last year, but some devs that are trying new Fedora betas exponentially raise this risk (mitigated by the immutable nature).

Speaking of Secureblue usability:
Some apps will not work if downloaded from Flatpak! 90% of the time because they are not compatible with Wayland (so using unsafe X11, Xwayland) or because of hardened_malloc.
Having said this, it takes zero seconds to check if this app works on Wayland, so we prefer an alternative one (ex. Onlyoffice vs LibreOffice) or enable Xwayland with one command (check the Secureblue FAQ). And it takes zero seconds to remove hardened_malloc in Flatseal for this app.