Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Gentoo hardened stage3 on desktop?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
whiteman808
n00b
n00b


Joined: 07 Jul 2024
Posts: 5

PostPosted: Thu Oct 17, 2024 1:07 pm    Post subject: Gentoo hardened stage3 on desktop? Reply with quote

I had installed gentoo and using desktop profile now. I tried different distros like Debian, Slackware, Arch, and finally, end distrohopping on Gentoo. I love Gentoo for great flexibility it offers, portability, and well-written documentation. USE flags are nice feature.

On the virtual machines gentoo hardened works fine.

I want to know your experiences with using Gentoo hardened profiles on the desktop daily-driver. I want to try use hardened stage3 on ThinkPad X220 because Gentoo hardened profile's default USE flag set is more minimal than default desktop's, so I have less stuff to globally disable and I can enable support for stuff I'm sure I'll need it. Another nice features are hardened toolchain and hardened USE flag.

I'm just curious if there are any issues with hardened profiles on desktop. I'm going to run some window manager + emacs + nyxt on desktop. Does minimalistic desktop configuration like mine vs full-blown GNOME/KDE + Firefox + Thunderbird make difference when I use stage3 hardened?

Please share your experience with using hardened stage3 as daily-driver on desktop computer.
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3940
Location: Hamburg

PostPosted: Thu Oct 17, 2024 4:23 pm    Post subject: Reply with quote

https://wiki.gentoo.org/wiki/Hardened_Desktop_Profiles#hardened-desktop

I do run hardened Desktop (KDE) since 10 yrs at Lenove ThinkPads without any bigger problems.
Back to top
View user's profile Send private message
NeglectedRudderPug
n00b
n00b


Joined: 04 Oct 2023
Posts: 29

PostPosted: Sat Oct 19, 2024 3:02 pm    Post subject: Reply with quote

Much like above, I also run a hardened KDE desktop. In my case it's a custom profile with a mix of:

Quote:

gentoo:default/linux/amd64/23.0/hardened
gentoo:targets/desktop/plasma
gentoo:targets/systemd


I've not experienced any issues. Though, I should note that my original install was not hardened and was profile version 17. I moved over to a hardened profile shortly after installing, which went smoothly and I've also since upgraded the profile to 23 without issues. The only area I did have issues with was SELinux, though I since switched to apparmor with custom profiles instead. :oops:

In any case, a full desktop versus a minimal install (hopefully) shouldn't cause issues. But it is worth remembering you can switch profiles even after installing, so if you do get issues you can move back to a different profile (carefully).
Back to top
View user's profile Send private message
whiteman808
n00b
n00b


Joined: 07 Jul 2024
Posts: 5

PostPosted: Sun Oct 20, 2024 3:44 pm    Post subject: Reply with quote

NeglectedRudderPug wrote:
it is worth remembering you can switch profiles even after installing, so if you do get issues you can move back to a different profile (carefully).

Can I even switch from nomultilib profile to its multilib version or from non-hardened to hardened profile and vice-versa? What about switching from multilib system to nomultilib? Can I switch easily between regular systemd profile and llvm? How easy is in general switching between different profiles, and what are the limits of eselect profile set x && rebuild world using emerge?
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22756

PostPosted: Sun Oct 20, 2024 3:53 pm    Post subject: Reply with quote

Moving from multilib to no-multilib is possible. Moving back is more difficult, since you need multilib in order to build multilib. Generally, it's easy to tell Portage to switch profiles. Whether you can readily build anything in your new profile depends on the capabilities of the profile you are leaving.
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3940
Location: Hamburg

PostPosted: Sun Oct 20, 2024 5:11 pm    Post subject: Reply with quote

whiteman808 wrote:

Can I even switch from nomultilib profile to its multilib version or from non-hardened to hardened profile and vice-versa?

No:
Code:
    # [11:06:37 pm] <@toralf> Would changing the profile and re-emerging @world with --emptytree do it?
    # [11:27:13 pm] <@dilfridge> switching from/to hardened, and switching from multilib to non-multilib, yes
    # [11:27:31 pm] <@dilfridge> switching from non-multilib to multilib, NO
Back to top
View user's profile Send private message
whiteman808
n00b
n00b


Joined: 07 Jul 2024
Posts: 5

PostPosted: Mon Oct 21, 2024 3:25 pm    Post subject: Reply with quote

toralf wrote:
https://wiki.gentoo.org/wiki/Hardened_Desktop_Profiles#hardened-desktop

I do run hardened Desktop (KDE) since 10 yrs at Lenove ThinkPads without any bigger problems.

NeglectedRudderPug wrote:
Much like above, I also run a hardened KDE desktop

Just curious, why do you run gentoo hardened profile instead of regular desktop kde? Does your threat model require that or other reasons?
Back to top
View user's profile Send private message
NeglectedRudderPug
n00b
n00b


Joined: 04 Oct 2023
Posts: 29

PostPosted: Mon Oct 21, 2024 10:45 pm    Post subject: Reply with quote

whiteman808 wrote:
toralf wrote:
https://wiki.gentoo.org/wiki/Hardened_Desktop_Profiles#hardened-desktop

I do run hardened Desktop (KDE) since 10 yrs at Lenove ThinkPads without any bigger problems.

NeglectedRudderPug wrote:
Much like above, I also run a hardened KDE desktop

Just curious, why do you run gentoo hardened profile instead of regular desktop kde? Does your threat model require that or other reasons?

In my case there's a few reasons:

  • I'm a bit paranoid :oops:
  • My computer often holds sensitive customer data, and in some instances backups of systems that also hold it - I must keep it safe.
  • My computer holds SSH keys that can access many, many, many servers. It's best I don't lose them. :oops:


But, it works well enough. :)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum