privacytools.io/_includes/sections/operating-systems.html

<h1 id="os" class="anchor"><a href="#os"><i class="fas fa-link anchor-icon"></i></a> {% t pc_os.pc_operating_systems %}</h1>

<div class="alert alert-warning" role="alert">
  <strong>{% t pc_os.ms_warning %}</strong>
</div>

{%- capture pc_os_contrib_labels -%}warning:contrib:{% t global.contrib %}{%- endcapture -%}
{%- capture pc_os_qubesos_descr -%}{% t pc_os.qubesos_descr %}{%- endcapture -%}
{%- capture pc_os_debian_descr -%}{% t pc_os.debian_descr %}{%- endcapture -%}
{%- capture pc_os_fedora_descr -%}{% t pc_os.fedora_descr %}{%- endcapture -%}

{% include cardv2.html
title="Qubes OS"
image="/assets/img/tools/Qubes-OS.png"
description=pc_os_qubesos_descr
badges="info:Xen"
labels=pc_os_contrib_labels
website="https://www.qubes-os.org/"
github="https://github.com/QubesOS"
tor="http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/"
%}

{% include cardv2.html
title="Fedora Workstation"
image="/assets/img/tools/Fedora.png"
description=pc_os_fedora_descr
badges="info:GNU/Linux"
labels=pc_os_contrib_labels
website="https://getfedora.org/"
git="https://src.fedoraproject.org/"
%}

{% include cardv2.html
title="Debian"
image="/assets/img/tools/Debian.png"
description=pc_os_debian_descr
badges="info:GNU/Linux"
website="https://www.debian.org/"
tor="http://sejnfjrq6szgca7v.onion"
gitlab="https://salsa.debian.org/qa/debsources"
%}

<h3>{% t pc_os.worth_mentioning %}</h3>

<ul>
  <li><a href="https://www.openbsd.org/">OpenBSD</a> <span class="badge badge-info">BSD</span> - {% t pc_os.openbsd_descr %}</li>
  <li><a href="https://www.archlinux.org/">Arch Linux</a> <span class="badge badge-info">GNU/Linux</span> <span class="badge badge-warning" data-toggle="tooltip" title="{% t global.contrib %}">contrib <i class="far fa-question-circle"></i></span> - {% t pc_os.arch_descr %} <a href="https://www.parabola.nu/">Parabola</a> {% t pc_os.parabola_descr %}</li>
  <li><a href="https://trisquel.info/">Trisquel</a> <span class="badge badge-info">GNU/Linux</span> - {% t pc_os.trisquel_descr %}</li>
  <li><a href="https://www.whonix.org/">Whonix</a> <span class="badge badge-info">GNU/Linux</span> - {% t pc_os.whonix_descr %}</li>
</ul>

<h3>{% t pc_os.warning %}</h3>

<ul>
  <li><a href="#win10"><i class="fas fa-link"></i> {% t pc_os.win10_nightmare %}</a></li>
</ul>

<h4 id="cpuvulns">Remember to check CPU vulnerability mitigations</h4>

<p><em><a href="https://support.microsoft.com/en-us/help/4073757/protect-windows-devices-from-speculative-execution-side-channel-attack">This also affects Windows 10</a>, but it doesn't expose this information or mitigation instructions as easily. MacOS users check <a href="https://support.apple.com/en-us/HT210108">How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities on Apple Support</a>.</em></p>

<p>When running a enough recent Linux kernel, you can check the CPU vulnerabilities it detects by <code>tail -n +1 /sys/devices/system/cpu/vulnerabilities/*</code>. By using <code>tail -n +1</code> instead of <code>cat</code>, the file names are also visible.</p>

<p>
    In case you have an Intel CPU, you may notice "SMT vulnerable" display after running the <code>tail</code> command. To mitigate this, disable <a href="https://en.wikipedia.org/wiki/Hyper-threading">hyper-threading</a> from the UEFI/BIOS. You can also take the following mitigation steps below if your system/distribution uses GRUB and supports <code>/etc/default/grub.d/</code>:
</p>

<ol>
  <li><code>sudo mkdir /etc/default/grub.d/</code> to create a directory for additional grub configuration</li>
  <li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>
  <li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including these new kernel boot flags</li>
  <li><code>sudo reboot</code> to reboot</li>
  <li>after the reboot, check <code>tail -n +1 /sys/devices/system/cpu/vulnerabilities/*</code> again to see that everything referring to SMT now says "SMT disabled."</li>
</ol>

<h5>Further reading</h5>

<ul>
  <li><a href="https://cpu.fail/">CPU.fail</a></li>
  <li><a href="https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/">Hardware vulnerabilities index on The Linux kernel user's and administrator's guide</a></li>
  <li><a href="https://www.cyberciti.biz/faq/install-update-intel-microcode-firmware-linux/">How to install/update CPU microcode firmware on Linux</a> - Regardless of your CPU manufacturer, you should always install the latest microcode packages available to be protected from CPU vulnerabilities, especially if the command above reports <strong>no microcode</strong> in its output.</li>
  <li><a href="https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html">MDS - Microarchitectural Data Sampling on The Linux kernel user's and administrator's guide</a></li>
  <li><a href="https://mdsattacks.com/">RIDL and Fallout: MDS attacks on mdsattacks.com</a></li>
  <li><a href="https://en.wikipedia.org/wiki/Simultaneous_multithreading">Simultaneous multithreading on Wikipedia</a></li>
</ul>