PC Operating Systems

{% include cardv2.html title="Qubes OS" image="/assets/img/tools/Qubes-OS.png" description='Qubes is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.' badges="info:Xen" labels="warning:contrib:This software may depend on or recommend non-free software." website="https://www.qubes-os.org/" github="https://github.com/QubesOS" tor="http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/" %} {% include cardv2.html title="Fedora Workstation" image="/assets/img/tools/Fedora.png" description='Fedora is a Linux distribution developed by the Fedora Project and sponsored by Red Hat. Fedora Workstation is a secure, reliable, and user-friendly edition developed for desktops and laptops, using GNOME as the default desktop environment.' badges="info:GNU/Linux" labels="warning:contrib:This software may depend on or recommend non-free software." website="https://getfedora.org/" git="https://src.fedoraproject.org/" %} {% include cardv2.html title="Debian" image="/assets/img/tools/Debian.png" description='Debian is a Unix-like computer operating system and a Linux distribution that is composed entirely of free and open-source software, most of which is under the GNU General Public License, and packaged by a group of individuals known as the Debian project.' badges="info:GNU/Linux" website="https://www.debian.org/" tor="http://sejnfjrq6szgca7v.onion" gitlab="https://salsa.debian.org/qa/debsources" %}

Warning

Remember to check CPU vulnerability mitigations

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily. MacOS users check How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities on Apple Support.

When running a enough recent kernel, you can check the CPU vulnerabilities it detects by tail -n +1 /sys/devices/system/cpu/vulnerabilities/*. By using tail -n +1 instead of cat, the file names are also visible.

In case you have an Intel CPU, you may notice "SMT vulnerable" display after running the tail command. To mitigate this, disable hyper-threading from the UEFI/BIOS. You can also take the following mitigation steps below if your system/distribution uses GRUB and supports /etc/default/grub.d/:

  1. sudo mkdir /etc/default/grub.d/ to create a directory for additional grub configuration
  2. echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf to create a new grub config file source with the echoed content
  3. sudo grub-mkconfig -o /boot/grub/grub.cfg to generate a new grub config file including this new kernel boot flag
  4. sudo reboot to reboot
  5. after the reboot, check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says "SMT disabled."
Further reading

Worth Mentioning