Could use some advice on a desktop security setup

District41

This is the only security sensuous forum that I am part of so I hope you guys can answer my question.
I'm using a Windows 11 Enterprise install on a Lenovo Z13 gen1 laptop locking down as much as I can with a separate user profile that I do my browsing on, have my backups and do some occasional gaming on.
I've locked down my BIOS, enabled all the security features that have toggles in the settings menu and added extra hardening via gpedit releated to secure boot, only good and known drivers enabled etc.

All of my serious files and backups are either in peergos or in my pixel with grapheneos.
Currently I'm wondering what exactly I'd be losing out on by switching to a linux distro like fedora or secureblue. Does anything like verified boot exist on linux? I've seen that u-boot has some kind of measured boot solution but nothing that secureblue or fedora have implemented yet and it seems like everyone in the linux community treats security like some kind of a joke.

My current threat model is that I'd like to stop having my data harvested by microsoft but I hope I am mitigating it by having a mullvad vpn always on.
I'd hope you guys could give me some serious pros and cons about leaving windows behind. I am currently running fedora and secureblue using hyper-v and I had experience running couple of distros earlier in my life.

Also my future threat model might include some light whistleblowing and contact with journalists to fight corrupt local government so once again I'd hope to be prepared on what to avoid doing when using an x86-64 device.
I know most of you will focus on reading this paragraph and just keep hammering that I should use qubesos or tails or other specialized solutions but I am really hoping to use my laptop in the spirit of what the secureblue project is trying to accomplish. If I'd really have to be that super secure I'd rather trust a pixel grapheneos device than my laptop with my life.

Thanks in advance.

Johnnyloans

District41 Currently I'm wondering what exactly I'd be losing out on by switching to a linux distro like fedora or secureblue.

Many proprietary tools from adobe, autodesk, etc probably won't work. You could have a windows VM with a gpu or dual boot. Dual booting with only 1 hard drive is risky--windows messing up the Linux partition.

secure boot

sbctl makes secure boot easy
TPM PCR is available on systemd-boot and grub

gaming

List of working steam games
https://www.protondb.com/

Most? All? anti cheats don't work on Linux.

District41 light whistleblowing and contact with journalists

Signal or similar is good.

Find out what DE (desktop environment) you like. Kdeconnect on the phone is nice.
There's several ways to do anything on Linux and the guide youre following in the future could be needlessly complex.

NoahRaketic

District41 If privacy is your main concern, switching to Linux may be helpful, but it's important to distinguish between that and security. A properly-configured Windows installation will likely be more secure than even on secureblue, especially if you're using a Windows Secured-core device.

The maintainers of the project do not claim that their OS is more secure than Windows; they will tell you the same as I have.

District41 Does anything like verified boot exist on linux?

Not yet, but work is being done in upstream distros like Silverblue to implement UKIs and fs-verity, which will bring desktop Linux much closer. It will likely be a long time, however, before this is properly integrated.

Johnnyloans

Also, very few people require disk encryption. Utilize backups and test them before you need it.

https://xkcd.com/538/

District41

I do find it quite sad that after the last time I ran linux not much has changed.
Well it seems I am stuck with windows and if I wish to play with linux I'll have to do so inside of a VM.

Johnnyloans
NoahRaketic

So if I were to run a linux distro on bare metal compromising my system would be trivial with physical access to the device. What I'm mostly worried about it being planted with illegal content from a state sponsored actor to discredit me so I'd actually say that encryption is really important.

Should I just ditch the idea of a x86x64 device all together and just get a macbook? But I feel I've just swapped one set of disadvantages for another.
Also how come chromeos managed to lock itself down by building from a gentoo build? Is it just that all the great security based software engineers decline to release anything that they're not being paid for and so everything that gets released on linux is just a second rate mimicry of the real thing?
Sorry if it just feels that I'm spreading doom and gloom

NoahRaketic

District41 So if I were to run a linux distro on bare metal compromising my system would be trivial with physical access to the device.

It would be trivial without disk encryption, and straightforward with disk encryption, even with Secure Boot. The situation isn't great on Windows either; there are many side channels available on the desktop, including firmware attacks and hardware keyloggers. On Linux, you can at least fully secure the bootloader if you have a Unified Kernel Image with Secure Boot and measured boot; that would make your bootloader tamper evident and likely stronger than Windows for boot security.

District41 Should I just ditch the idea of a x86x64 device all together and just get a macbook?

This is certainly an option. MacBooks have integration between the hardware and the OS, allowing the more aggressive implementation of modern security features, and your apps will be sandboxed by default, unless you install unsandboxed ones. They have a Secure Boot implementation that is stronger than Microsoft's (in Full Security Mode) because it doesn't rely on having an excessively broad range of signed third-party firmware and OSes.

District41 Also how come chromeos managed to lock itself down by building from a gentoo build?

Chrome OS improves the security of Linux in a few ways. For starters, it does not have a GNU userland, but instead uses Chrome as its interface. This allows several advantages, including the broad application of PartitionAlloc, a more secure memory allocator reminiscent of hardened_malloc on GrapheneOS. Similar to mobile devices, Chrome OS has a full hardware-backed Verified Boot implementation, so a compromise of any system component is detected, and the Chromebook will revert to a known-good state if that occurs. The system doesn't allow unsigned native code to be loaded, so there are very few attack vectors for malware persistence. The most common attack vectors on Chrome OS that remain are phishing and the user installing malicious extensions.

District41 Is it just that all the great security based software engineers decline to release anything that they're not being paid for and so everything that gets released on linux is just a second rate mimicry of the real thing?

Actually, Chromium OS is fully open source. Any other distro that wants to copy security features from Chrome OS can do so (with the exception of proprietary features like ARCVM, their Android emulator). The issue is that most Linux distributions rely on a GNU userland, most users expect to be able to modify their system (antithetical to Verified Boot), and they need to be able to support native and legacy applications. Note that progress is being made with UKIs and fs-verity on Silverblue, as well as work on Flatpak to increase the usage of sandboxed apps, but there is still much work to be done.

taiyi

Use ChromeOS/MacOS/VM in VeraCrypt

District41

I have concluded that since my laptop is equipped with a microsoft pluton security chip it doesn't make any sense to install any other OS on my laptop as I would be significantly degrading my security.
I also carry a QubesOS install on a USB stick or some other amnesiac OS just in case
I'll try to see if I can get an Apple device and I'll be following what the Secureblue project does.
Thank you for your time.