What to use for a workstation/gaming desktop?

Sigismund

What you're missing is the bigger picture and how everything connects. What the other person said, you want to "harden" the PC like it would be a server, with things that won't increase your overall security posture but instead will make your "high end rig" a potato.

People really think they're going to get popped on every single visit to some weirdo site and go over so many weird things not figuring out the basics..

archbtw

Sigismund
Okay, so if this isn't realistically going to increase the security, then what is? What is there left?
What can I do to have my pc as secure at least as windows or mac users?

Sigismund

archbtw What can I do to have my pc as secure at least as windows or mac users?

You get the wrong idea, and perceive certain features (as per your next comment) as some kind of a "must-have" for "fully secured" system. What's left out of your equation is common sense, and not overthinking this. You also should better understand what certain features can and cannot protect you against, and if this is falling into your threat model and is it worth the hassle.

WestQuester

Out of curiosity, what do you perceive to be insecure (or less secure) about Arch?

archbtw

WestQuester
Well it's not the arch itself, but I keep hearing that linux is less secure than windows.
Arch is quite barebones so it's obviously only as secure as the user makes it out to be, but apparently even regular distros are insecure compared to windows or mac.

The arguments I hear are mostly about no sandbox (though I had better experience with flatpak sandbox compared to the windows sandbox) and the lack of verified boot.

That's why I want to secure the boot process as much as I can, even with the security issues of the proprietary firmware. I also want to do integrity scans before each update to verify the whole root partition integrity (though dm-verity should also take care of that afaik)

WestQuester

archbtw Well it's not the arch itself, but I keep hearing that linux is less secure than windows.

Not sure who is saying this but I'm a bit skeptical as to how true it is. I'm sure in some ways Windows can be more secure, but it's no doubt less secure in other ways. There is no question it is less private.

I don't think you can go wrong with most of the major Linux distributions. Fedora might be more secure than Mint, Debian, Arch, etc. but all would be pretty good I would think. Plenty of security researchers and experts use Linux.

Personally, I wouldn't worry about your setup too much.

Dumdum

WestQuester Not sure who is saying this but I'm a bit skeptical as to how true it is

Certain individuals have said such things.

Plenty of security researchers and experts use Linux.

There's also security researchers who have pointed out its insecurities.

archbtw

Sigismund
I try to keep my threat model as broad as possible. To protect myself from anything from a hacker to state actors as much as I can, to an extent.

I think I understand what those features do. Having more secure boot process protects me mainly from physical cyber attacks but can also help if I get malware. Now, sure, if I get a malware, then I'm screwed, and I want to protect against it mostly with the use of KVM and sandboxing.
I don't install random crap on my pc, but I do have some games which are proprietary, and they will at least be sandboxed (with flatpak's bubblewrap and wine itself).

I get that security is not simple nor binary. But with the broad threat model, I try to cover everything.

WestQuester

Dumdum Certain individuals have said such things.

Only that's not what they said. Pointing out ways in which an OS could be more secure does not imply a comparative advantage of another OS that wasn't even mentioned.

As the OP said, solutions would be nice rather than simply pointing out problems.

archbtw

Also, I do think it's a "must-have" to have at least somewhat secured boot. We are on a GrapheneOS forum and I hear a lot about how important the verified boot is, and why we shouldn't use stuff like LineageOS (even though I did many times).

Sigismund

archbtw it's easier to tamper with a phone than desktop. But I'll leave it at that. You have quite high expectations, yet your approach is (imho) incorrect in regards to what your threat model is .

archbtw

Sigismund
Why is it incorrect?

I do not know who could attack me, so I cannot simply focus on a specific group, and therefore I have to try to defend from anything from a malicious friend, to a state actor.

secrec

archbtw Should I switch to windows for better security like people tend to tell me? I would probably trade privacy for security, plus windows is kind of pain in the ass.

I've never seen anything that supports the theory that windoze is in any way secure.

Sigismund

archbtw I do not know who could attack me, so I cannot simply focus on a specific group,

Sure you do. That's what threat model is for.

archbtw defend from anything from a malicious friend, to a state actor.

Good luck with that.

n3t_admin

archbtw try to cover the basics.

archbtw a state actor

Pick one. You really should read up on threat modeling first. It's a complicated topic, but what you are doing right now is pointless. It's like saying "I'm trying to protect my house". From what? An earthquake? A fire? Burglars? A nuclear strike? That will pretty much determine what you need to do. The same applies for cybersecurity. Determine a clear path, then move forward. You can't really protect yourself from "everyone", unless you want to live a very uncomfortable life.

archbtw

It's a complicated task sure, but anyone could attack really. Especially with the governments now using malware for surveillance of people.

Delaney

archbtw I wouldn't bother. I'd consider it to be insecure and just enjoy gaming on it with access to bare metal resources. Anything else I want to do, I'd do on another computer that's actually secured

archbtw

Delaney
I mean, apart from having 2 powerful computers being quite costly, I don't really have space for it.
The sandbox doesn't really reduce runtime performance anyways, and the hardening isn't really going to reduce gpu performance, which is always the bottleneck at 4k.

Delaney

archbtw I mean, apart from having 2 powerful computers being quite costly, I don't really have space for it.

I'm not sure what you're talking about. I only said I'd use a secure computer for non-gaming purposes. That would be your laptop in this case.

archbtw The sandbox doesn't really reduce runtime performance anyways, and the hardening isn't really going to reduce gpu performance, which is always the bottleneck at 4k.

Sure, but that assumes that the games will respond well to your security hardening efforts, which is uncertain at best considering most games will only run under wine on Linux.

archbtw

Delaney
We will see... It might have some problems with the hardening.

Anyways, I cannot have this computer just for gaming, as I often don't even game every day. Sometimes I don't launch a game for weeks. I really don't wanna have an expensive computer doing nothing, while I do stuff on an old 13" laptop.

RockHyrax

if you want a secure device, keep things separate. use your other fancy high-end computer for sensitive stuff. if you truly cared about security and privacy, you would make the space for it and use them separately.

by hardening a flatpak app, lets say Steam for example, you run the risks of certain games no longer running properly due to limiting permissions (ptrace, ipc, shared memory, etc).

i have been gaming on fedora close to 6 years now. the reason why i chose fedora is because it has SELinux configured out the box. i have never had an issue gaming on fedora aside from the standard kernel level anti cheat games no longer working on it. for sensitive stuff, i have a laptop running secureblue.

archbtw

RockHyrax
I think in the future I will get a better laptop for sensitive things.

Right now I have only one high end computer and the laptop is kind of trash. All my other computers are decade old, being used as servers.

The laptop (now also running secureblue) also has a security issue with it's management engine being set to manufacturing mode for some reason, and I cannot turn that off.