This repository has been archived on 2024-01-13. You can view files and clone it, but cannot push or open issues or pull requests.
privacytools.io/_includes/sections/operating-systems.html
2019-11-24 19:47:55 -05:00


<h1 id="os" class="anchor"><a href="#os"><i class="fas fa-link anchor-icon"></i></a> {% t PC Operating Systems %}</h1>
<div class="alert alert-warning" role="alert">
<strong>{% t If you are currently using an operating system like Windows 10, you should pick an alternative here. %}</strong>
</div>
{% include cardv2.html
title="Qubes OS"
image="/assets/img/tools/Qubes-OS.png"
description='Qubes is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.'
badges="info:Xen"
labels="warning:contrib:This software may depend on or recommend non-free software."
website="https://www.qubes-os.org/"
github="https://github.com/QubesOS"
tor="http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/"
%}
{% include cardv2.html
title="Fedora Workstation"
image="/assets/img/tools/Fedora.png"
description='Fedora is a Linux distribution developed by the Fedora Project and sponsored by Red Hat. Fedora Workstation is a secure, reliable, and user-friendly edition developed for desktops and laptops, using GNOME as the default desktop environment.'
badges="info:GNU/Linux"
labels="warning:contrib:This software may depend on or recommend non-free software."
website="https://getfedora.org/"
git="https://src.fedoraproject.org/"
%}
{% include cardv2.html
title="Debian"
image="/assets/img/tools/Debian.png"
description='Debian is a Unix-like computer operating system and a Linux distribution that is composed entirely of free and open-source software, most of which is under the GNU General Public License, and packaged by a group of individuals known as the Debian project.'
badges="info:GNU/Linux"
website="https://www.debian.org/"
tor="http://sejnfjrq6szgca7v.onion"
gitlab="https://salsa.debian.org/qa/debsources"
%}
<h3>{% t Worth Mentioning %}</h3>
<ul>
<li><a href="{% t https://www.openbsd.org/ %}">{% t OpenBSD %}</a> <span class="badge badge-info">{% t BSD %}</span> - {% t A project that produces a free, multi-platform 4.4BSD-based UNIX-like operating system. Emphasizes portability, standardization, correctness, proactive security and integrated cryptography. %}</li>
<li><a href="{% t https://www.archlinux.org/ %}">{% t Arch Linux %}</a> <span class="badge badge-info">{% t GNU/Linux %}</span> <span class="badge badge-warning" data-toggle="tooltip" title="{% t This software may depend on or recommend non-free software.%}">{% t contrib %} <i class="far fa-question-circle"></i></span> - {% t A simple, lightweight Linux distribution. It is composed predominantly of free and open-source software, and supports community involvement.%} {% t <a href="https://www.parabola.nu/">Parabola</a> is a
completely open source version of Arch Linux.%}</li>
<li><a href="{% t https://trisquel.info/ %}">{% t Trisquel %}</a> <span class="badge badge-info">{% t GNU/Linux %}</span> - {% t Derived from Ubuntu, this project aims for a fully free software system without proprietary software or firmware and uses Linux-libre, a version of the Linux kernel with the non-free code (binary blobs) removed. %}</li>
<li><a href="{% t https://www.whonix.org/ %}">{% t Whonix %}</a> <span class="badge badge-info">{% t GNU/Linux %}</span> - {% t A Debian-based security-focused Linux distribution. It aims to provide privacy, security and anonymity on the internet. The operating system consists of two virtual machines, a "Workstation" and a Tor "Gateway". All communications are forced through the Tor network to accomplish this. %}</li>
</ul>
<h3>{% t Warning %}</h3>
<ul>
<li><a href="#win10"><i class="fas fa-link"></i> {% t Don't use Windows 10 - It's a privacy nightmare %}</a></li>
</ul>
<h4 id="cpuvulns">{% t Remember to check CPU vulnerability mitigations %}</h4>
<p><em>{% t <a href="https://support.microsoft.com/en-us/help/4073757/protect-windows-devices-from-speculative-execution-side-channel-attack">This also affects Windows 10</a>, but it doesn't expose this information or mitigation instructions as easily. macOS users should check <a href="https://support.apple.com/en-us/HT210108">How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities on Apple Support</a>.%}</em></p>
<p>{% t When running a recent enough Linux kernel, you can check the CPU vulnerabilities it detects by running <code>tail -n +1 /sys/devices/system/cpu/vulnerabilities/*</code>. By using <code>tail -n +1</code> instead of <code>cat</code>, the file names are also visible. %}</p>
<p>
{% t If you have an Intel CPU, you may notice "SMT vulnerable" displayed after running the <code>tail</code> command. To mitigate this, disable <a href="https://en.wikipedia.org/wiki/Hyper-threading">hyper-threading</a> from the UEFI/BIOS.%} {% t You can also take the following mitigation steps if your system/distribution uses GRUB and supports <code>/etc/default/grub.d/</code>:%}
</p>
<ol>
<li><code>sudo mkdir -p /etc/default/grub.d/</code> {% t to create a directory for additional GRUB configuration (if it does not already exist) %}</li>
<li><code>echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force"' | sudo tee /etc/default/grub.d/mitigations.cfg</code> {% t to create a new GRUB config file containing the echoed content; the single quotes keep your shell from expanding the variable and stripping the double quotes before the line is written %}</li>
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> {% t to generate a new grub config file including these new kernel boot flags %}</li>
<li><code>sudo reboot</code> {% t to reboot %}</li>
<li>{% t after the reboot, check <code>tail -n +1 /sys/devices/system/cpu/vulnerabilities/*</code> again to see that everything referring to SMT now says "SMT disabled." %}</li>
</ol>
<h5>{% t Further reading %}</h5>
<ul>
<li><a href="{% t https://cpu.fail/ %}">{% t CPU.fail %}</a></li>
<li><a href="{% t https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/ %}">{% t Hardware vulnerabilities index on The Linux kernel user's and administrator's guide %}</a></li>
<li><a href="{% t https://www.cyberciti.biz/faq/install-update-intel-microcode-firmware-linux/ %}">{% t How to install/update CPU microcode firmware on Linux %}</a> - {% t Regardless of your CPU manufacturer, you should always install the latest microcode packages available to be protected from CPU vulnerabilities, especially if the command above reports <strong>no microcode</strong> in its output. %}</li>
<li><a href="{% t https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html %}">{% t MDS - Microarchitectural Data Sampling on The Linux kernel user's and administrator's guide %}</a></li>
<li><a href="{% t https://mdsattacks.com/ %}">{% t RIDL and Fallout: MDS attacks on mdsattacks.com %}</a></li>
<li><a href="{% t https://en.wikipedia.org/wiki/Simultaneous_multithreading %}">{% t Simultaneous multithreading on Wikipedia %}</a></li>
</ul>
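
The check described above (reading `/sys/devices/system/cpu/vulnerabilities/*` and looking for "SMT vulnerable" or "no microcode") can be scripted. The following is an added example, not part of the original page; the function names, the reason labels and the sample status strings are constructed for illustration, with the samples modelled on the kernel's output format.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Flags entries under the sysfs vulnerabilities directory that still need action.

# audit_cpu_vulns [DIR]: print "<name>: <reasons>" for each flagged entry.
# Returns 0 if nothing is flagged, 1 otherwise.
audit_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    flagged=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue        # also skips an unmatched glob
        status=$(cat "$f")
        reasons=
        # One status line can match several conditions, so test each separately.
        case $status in Vulnerable*) reasons="$reasons unmitigated" ;; esac
        case $status in *"no microcode"*) reasons="$reasons no-microcode" ;; esac
        case $status in *"SMT vulnerable"*) reasons="$reasons smt-enabled" ;; esac
        [ -n "$reasons" ] || continue
        printf '%s:%s\n' "${f##*/}" "$reasons"
        flagged=1
    done
    return "$flagged"
}

# make_sample: write constructed status files into a temporary directory
# and print its path, so the audit can be tried without touching /sys.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' > "$d/l1tf"
    printf '%s\n' 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable' > "$d/mds"
    printf '%s\n' 'Mitigation: PTI' > "$d/meltdown"
    printf '%s\n' "$d"
}

# Demo on the constructed sample: l1tf and mds are flagged, meltdown is not.
sample=$(make_sample)
audit_cpu_vulns "$sample" || echo "action needed: see flagged entries above"
rm -rf "$sample"
```

Call `audit_cpu_vulns` with no argument to inspect the running system, before and after the reboot in the steps above.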