Images
Table of Contents
Security recommendation
GNOME, KDE Plasma, Sway, and COSMIC (Silverblue, Kinoite, Sericea, and COSMIC images, respectively) secure privileged Wayland protocols like screencopy. This means that on environments outside of GNOME, KDE Plasma, Sway, and COSMIC, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It's primarily for this reason that Silverblue, Kinoite, and Sericea images are recommended.
In addition, GNOME also provides weak thumbnailer sandboxing in Gnome Files, and Thunar/Tumblerd on secureblue Sway images provide weak thumbnailer sandboxing via Glycin. These are both efforts to mitigate attacks via thumbnailers. COSMIC is planning to add thumbnailer sandboxing for the release of Epoch 2. It’s not known whether KDE plans to add this to Dolphin.
It should also be noted that our Sericea images disable the wlroots desktop portal, despite it being commonly used alongside Sway. This is because the portal reintroduces the screencopy vulnerability described above, which would undermine the security improvements in Sway for sandboxed applications. The downside of this is that by default on our Sericea images, flatpaks and applications that haven’t implemented protocol support (like chromium-based browsers) are entirely prevented from screenshotting and screensharing. If necessary, Sway users can configure this using their own portals.conf.
This section is a relative recommendation between the desktop environments available on secureblue. This should not be misconstrued as saying that any one solves any of the fundamental issues with desktop Linux security. For more details, consult the table below. Note: this table assumes no extensions are installed. Extensions are a significant source of attack surface in and of themselves and they can reduce the effectiveness of, or completely negate, the security advantages described above.
| DE/WM | Secures privileged Wayland protocols? | Thumbnailer sandboxing? | Stability | Recommendation |
|---|---|---|---|---|
| GNOME | Yes | Weak | Stable | Recommended |
| KDE Plasma | Yes | None | Stable | Recommended |
| Sway | Yes | Weak | Stable | Recommended for tiling WM users |
| COSMIC | Yes | None | Beta | Not currently recommended |
Note
nvidia-open images are recommended for systems with NVIDIA GPUs Turing or newer (GTX 16XX+, RTX 20XX+). These include NVIDIA's proprietary drivers with their new open source kernel modules, not to be confused with the reverse engineered open source Nouveau drivers (available in the main images). nvidia images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed source kernel modules from NVIDIA. Consult this page if you're not sure what family your GPU belongs to.
Desktop
Stable
Silverblue (GNOME)
| Name | Base | NVIDIA Support | ARM64 Support |
|---|---|---|---|
silverblue-main-hardened |
Silverblue | Reverse engineered Nouveau open source driver (not recommended) | Beta |
silverblue-nvidia-hardened |
Silverblue | Proprietary NVIDIA driver with closed source kernel modules (recommended for pre-Turing) | No |
silverblue-nvidia-open-hardened |
Silverblue | Proprietary NVIDIA driver with open source kernel modules (recommended for Turing and later) | No |
Kinoite (KDE Plasma)
| Name | Base | NVIDIA Support | ARM64 Support |
|---|---|---|---|
kinoite-main-hardened |
Kinoite | Reverse engineered Nouveau open source driver (not recommended) | Beta |
kinoite-nvidia-hardened |
Kinoite | Proprietary NVIDIA driver with closed source kernel modules (recommended for pre-Turing) | No |
kinoite-nvidia-open-hardened |
Kinoite | Proprietary NVIDIA driver with open source kernel modules (recommended for Turing and later) | No |
Sericea (Sway)
| Name | Base | NVIDIA Support | ARM64 Support |
|---|---|---|---|
sericea-main-hardened |
Sericea | Reverse engineered Nouveau open source driver (not recommended) | Beta |
sericea-nvidia-hardened |
Sericea | Proprietary NVIDIA driver with closed source kernel modules (recommended for pre-Turing) | No |
sericea-nvidia-open-hardened |
Sericea | Proprietary NVIDIA driver with open source kernel modules (recommended for Turing and later) | No |
Experimental
Note that there are no ISOs available for experimental images. If you want to try out an experimental image, you can use ujust rebase-secureblue on an existing secureblue installation.
COSMIC
| Name | Base | NVIDIA Support | ARM64 Support |
|---|---|---|---|
cosmic-main-hardened |
COSMIC | Reverse engineered Nouveau open source driver (not recommended) | Beta |
cosmic-nvidia-hardened |
COSMIC | Proprietary NVIDIA driver with closed source kernel modules (recommended for pre-Turing) | No |
cosmic-nvidia-open-hardened |
COSMIC | Proprietary NVIDIA driver with open source kernel modules (recommended for Turing and later) | No |
Server
CoreOS
Note
After you finish setting up your Fedora CoreOS installation, you will need to disable zincati.service before rebasing to securecore.
| Name | Base | NVIDIA Support | ZFS Support | ARM64 Support |
|---|---|---|---|---|
securecore-main-hardened |
CoreOS | Reverse engineered Nouveau open source driver (not recommended) | No | Beta |
securecore-nvidia-hardened |
CoreOS | Proprietary NVIDIA driver with closed source kernel modules (recommended for pre-Turing) | No | No |
securecore-nvidia-open-hardened |
CoreOS | Proprietary NVIDIA driver with open source kernel modules (recommended for Turing and later) | No | No |
securecore-zfs-main-hardened |
CoreOS | Reverse engineered Nouveau open source driver (not recommended) | Yes | No |
securecore-zfs-nvidia-hardened |
CoreOS | Proprietary NVIDIA driver with closed source kernel modules (recommended for pre-Turing) | Yes | No |
securecore-zfs-nvidia-open-hardened |
CoreOS | Proprietary NVIDIA driver with open source kernel modules (recommended for Turing and later) | Yes | No |
IoT
| Name | Base | NVIDIA Support | ZFS Support | ARM64 Support |
|---|---|---|---|---|
iot-main-hardened |
IoT | Reverse engineered Nouveau open source driver (not recommended) | No | Beta |
iot-nvidia-hardened |
IoT | Proprietary NVIDIA driver with closed source kernel modules (recommended for pre-Turing) | No | No |
iot-nvidia-open-hardened |
IoT | Proprietary NVIDIA driver with open source kernel modules (recommended for Turing and later) | No | No |
iot-zfs-main-hardened |
IoT | Reverse engineered Nouveau open source driver (not recommended) | Yes | No |
iot-zfs-nvidia-hardened |
IoT | Proprietary NVIDIA driver with closed source kernel modules (recommended for pre-Turing) | Yes | No |
iot-zfs-nvidia-open-hardened |
IoT | Proprietary NVIDIA driver with open source kernel modules (recommended for Turing and later) | Yes | No |