Images

Table of Contents

Security recommendation

GNOME, KDE Plasma, and Sway (Silverblue, Kinoite, and Sericea images, respectively) secure privileged Wayland protocols like screencopy. This means that on environments outside of GNOME, KDE Plasma, and Sway, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It's primarily for this reason that Silverblue, Kinoite, and Sericea images are recommended. COSMIC has plans to fix this.

In addition, GNOME also provides weak thumbnailer sandboxing in Gnome Files, which is an effort to mitigate attacks via thumbnailers. No environment aside from GNOME provides any thumbnailer sandboxing.

It should also be noted that our Sericea images disable the wlroots desktop portal, despite it being commonly used alongside Sway. This is because the portal reintroduces the screencopy vulnerability described above, which would undermine the security improvements in Sway for sandboxed applications. The downside of this is that by default on our Sericea images, flatpaks and applications that haven’t implemented protocol support (like chromium-based browsers) are entirely prevented from screenshotting and screensharing. If necessary, Sway users can configure this using their own portals.conf.

This section is a relative recommendation between the desktop environments available on secureblue. GNOME, KDE Plasma, and Sway have some extra security niceties like the ones listed above. However, this should not be misconstrued as saying that either one solves any of the fundamental issues with desktop Linux security. For more details, consult the table below.

DE/WM Secures privileged Wayland protocols? Thumbnailer sandboxing? Stability Recommendation
GNOME Yes Weak Stable Recommended
KDE Plasma Yes None Stable Recommended
Sway Yes None Stable Recommended for tiling WM users
COSMIC No None Experimental Not currently recommended

Desktop

nvidia-open images are recommended for systems with NVIDIA GPUs Turing or newer (GTX 16XX+, RTX 20XX+). These include the new open kernel modules from NVIDIA, not Nouveau. nvidia images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.

Stable

Silverblue (GNOME)

Name Base NVIDIA Support
silverblue-main-hardened Silverblue No
silverblue-nvidia-hardened Silverblue Yes, closed drivers
silverblue-nvidia-open-hardened Silverblue Yes, open drivers

Kinoite (KDE Plasma)

Name Base NVIDIA Support
kinoite-main-hardened Kinoite No
kinoite-nvidia-hardened Kinoite Yes, closed drivers
kinoite-nvidia-open-hardened Kinoite Yes, open drivers

Sericea (Sway)

Name Base NVIDIA Support
sericea-main-hardened Sericea No
sericea-nvidia-hardened Sericea Yes, closed drivers
sericea-nvidia-open-hardened Sericea Yes, open drivers

Experimental

Note that there are no ISOs available for experimental images. If you want to try out an experimental image, you can use ujust rebase-secureblue on an existing secureblue installation.

COSMIC

Name Base NVIDIA Support
cosmic-main-hardened COSMIC No
cosmic-nvidia-hardened COSMIC Yes, closed drivers
cosmic-nvidia-open-hardened COSMIC Yes, open drivers

Server

Note

After you finish setting up your Fedora CoreOS installation, you will need to disable zincati.service before rebasing to securecore.

Name Base NVIDIA Support ZFS Support
securecore-main-hardened CoreOS No No
securecore-nvidia-hardened CoreOS Yes, closed drivers No
securecore-nvidia-open-hardened CoreOS Yes, open drivers No
securecore-zfs-main-hardened CoreOS No Yes
securecore-zfs-nvidia-hardened CoreOS Yes, closed drivers Yes
securecore-zfs-nvidia-open-hardened CoreOS Yes, open drivers Yes