What to use for a workstation/gaming desktop?

archbtw

Hello. I am trying to secure my laptop and my desktop but I'm unsure what is going to be the best idea.
Should I switch to windows for better security like people tend to tell me? I would probably trade privacy for security, plus windows is kind of pain in the ass.

I was thinking a hardened fedora or secureblue for the laptop (qubes would be too much to the hw and couldn't even play a video properly)

And more importantly for the desktop, I'm not sure if I want to switch from arch to fedora just for the selinux. I feel way too comfortable with arch on my main pc.
I have set up every security option I could in the gigabyte uefi, and I want to do a setup with luks2 fde, dm-verify, secure-boot, tpm2 with totp and pin, uki.
I would use a vm or a separate machine to provide update images, as the root partition will be read only. I will use linux-hardened, which is I think based on the graphene os kernel, setup kernel lockdown and the apparmor security module with profiles I have found on github, and install all apps as a user flatpak. I will also change things like sudo for doas so reduce attack surface slightly more.

This is a high end gaming pc that I use for programming, entertainment, gaming, comms, basically everything.
I won't be installing anything proprietary apart from steam and wine (both in flatpak)
I will setup the flatpak permissions for each app so they have the least access.

Am I missing anything else that's important?
Or am I better off dealing with m$ spyware?
What do people here actually use for security?

Curious

archbtw
I mean... is there any point to use anything at this point?
Like you have a high-end rig but you are about to nerf it or not use to the extend for gaming due to there are simply not optimalizations or enough support for gaming in linux world (wine will not save you), sorry to say that but Win is still the king at this. (Or at least developers of games make it like that)
About security... you have some issue on one system, others on another, nothing is bullet proof. And argument that your system is not so popular so there is less virues, malwares etc. is not an argument.
Not proprietary SW? What about games? :)

secrec

archbtw Should I switch to windows for better security like people tend to tell me? I would probably trade privacy for security, plus windows is kind of pain in the ass.

I've never seen anything that supports the theory that windoze is in any way secure.

Delaney

archbtw I wouldn't bother. I'd consider it to be insecure and just enjoy gaming on it with access to bare metal resources. Anything else I want to do, I'd do on another computer that's actually secured

GrouchyGrape

archbtw you're not going to find a perfect solution. This is why honest threat modeling is so important.

The highest risk to my health and life is driving on the highway, yet I commute on it everyday to and from work.

Don't create non-probabilistic threats only to endlessly attempt to mitigate them. It's unhealthy at best. If it's purely for research and/or a hobby, then knock yourself out. But that's not what I'm sensing.

There are many ways to skin this cat, try them all. All you have to lose is time, but you'll gain a lot of knowledge and experience along the way. I settled on having a dedicated windows gaming machine and VM's for everything else. I ran the windows machine headless for a while, using moonlight/sunshine to stream to a fedora machine. Worked a treat.

archbtw

Curious

What do you mean by nerf? I've been using it with arch for some time and haven't had a problem even with the largest games.
The security hardenings might slow down cpu, storage and memory slightly, but in games the GPU is always the bottleneck anyways.

I have never made the argument about popularity.

Yes games are proprietary, that's why I said it's going to be all foss apart from steam and wine stuff (by that I meant games).

Curious

archbtw Then why are you asking for Win option?

archbtw

Curious
I have only mentioned windows because I have seen many people say it's more secure, but I don't actually want to use windows if I can help it (in regards to security). I have been wondering if my planned setup is secure enough compared to windows, and other options, and if not, then what options are left?

Sigismund

What you're missing is the bigger picture and how everything connects. What the other person said, you want to "harden" the PC like it would be a server, with things that won't increase your overall security posture but instead will make your "high end rig" a potato.

People really think they're going to get popped on every single visit to some weirdo site and go over so many weird things not figuring out the basics..

archbtw

Sigismund
Okay, so if this isn't realistically going to increase the security, then what is? What is there left?
What can I do to have my pc as secure at least as windows or mac users?

Sigismund

archbtw What can I do to have my pc as secure at least as windows or mac users?

You get the wrong idea, and perceive certain features (as per your next comment) as some kind of a "must-have" for "fully secured" system. What's left out of your equation is common sense, and not overthinking this. You also should better understand what certain features can and cannot protect you against, and if this is falling into your threat model and is it worth the hassle.

WestQuester

Out of curiosity, what do you perceive to be insecure (or less secure) about Arch?

archbtw

WestQuester
Well it's not the arch itself, but I keep hearing that linux is less secure than windows.
Arch is quite barebones so it's obviously only as secure as the user makes it out to be, but apparently even regular distros are insecure compared to windows or mac.

The arguments I hear are mostly about no sandbox (though I had better experience with flatpak sandbox compared to the windows sandbox) and the lack of verified boot.

That's why I want to secure the boot process as much as I can, even with the security issues of the proprietary firmware. I also want to do integrity scans before each update to verify the whole root partition integrity (though dm-verity should also take care of that afaik)

WestQuester

archbtw Well it's not the arch itself, but I keep hearing that linux is less secure than windows.

Not sure who is saying this but I'm a bit skeptical as to how true it is. I'm sure in some ways Windows can be more secure, but it's no doubt less secure in other ways. There is no question it is less private.

I don't think you can go wrong with most of the major Linux distributions. Fedora might be more secure than Mint, Debian, Arch, etc. but all would be pretty good I would think. Plenty of security researchers and experts use Linux.

Personally, I wouldn't worry about your setup too much.

Dumdum

WestQuester Not sure who is saying this but I'm a bit skeptical as to how true it is

Certain individuals have said such things.

Plenty of security researchers and experts use Linux.

There's also security researchers who have pointed out its insecurities.

archbtw

Sigismund
I try to keep my threat model as broad as possible. To protect myself from anything from a hacker to state actors as much as I can, to an extent.

I think I understand what those features do. Having more secure boot process protects me mainly from physical cyber attacks but can also help if I get malware. Now, sure, if I get a malware, then I'm screwed, and I want to protect against it mostly with the use of KVM and sandboxing.
I don't install random crap on my pc, but I do have some games which are proprietary, and they will at least be sandboxed (with flatpak's bubblewrap and wine itself).

I get that security is not simple nor binary. But with the broad threat model, I try to cover everything.

WestQuester

Dumdum Certain individuals have said such things.

Only that's not what they said. Pointing out ways in which an OS could be more secure does not imply a comparative advantage of another OS that wasn't even mentioned.

As the OP said, solutions would be nice rather than simply pointing out problems.

archbtw

Also, I do think it's a "must-have" to have at least somewhat secured boot. We are on a GrapheneOS forum and I hear a lot about how important the verified boot is, and why we shouldn't use stuff like LineageOS (even though I did many times).

Sigismund

archbtw it's easier to tamper with a phone than desktop. But I'll leave it at that. You have quite high expectations, yet your approach is (imho) incorrect in regards to what your threat model is .

archbtw

Sigismund
Why is it incorrect?

I do not know who could attack me, so I cannot simply focus on a specific group, and therefore I have to try to defend from anything from a malicious friend, to a state actor.

Sigismund

archbtw I do not know who could attack me, so I cannot simply focus on a specific group,

Sure you do. That's what threat model is for.

archbtw defend from anything from a malicious friend, to a state actor.

Good luck with that.

n3t_admin

archbtw try to cover the basics.

archbtw a state actor

Pick one. You really should read up on threat modeling first. It's a complicated topic, but what you are doing right now is pointless. It's like saying "I'm trying to protect my house". From what? An earthquake? A fire? Burglars? A nuclear strike? That will pretty much determine what you need to do. The same applies for cybersecurity. Determine a clear path, then move forward. You can't really protect yourself from "everyone", unless you want to live a very uncomfortable life.

archbtw

It's a complicated task sure, but anyone could attack really. Especially with the governments now using malware for surveillance of people.