v2.2.0 - Please read: instruction set optimizations for hardened_malloc

The latest build includes instruction set optimizations for hardened_malloc, thanks to pieces from divestedcg's spec that were added. For system packages, you don't need to do anything to benefit from the performance optimizations, since the linker will automatically choose the right binary based on your CPU's supported instruction set. However, for flatpaks this is not the case, since we explicitly tell flatpak which binary to LD_PRELOAD in the override.

The default for this won't be changing, since the existing default in yafti maintains support for all instruction set levels. So if you want to benefit from the performance improvements for flatpaks as well, you will need to update the global override. For example, if your CPU supports x86_64-v3, then you would update the override to: LD_PRELOAD=/var/run/host/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so

Full Changelog: v2.1.0...v2.2.0

v2.1.0 - Container signing by default, and other changes

What's Changed

• Improve post install instructions by @alexispurslane in #272
• add a FAQ about NTS DoT deadlock by @czhang03 in #274
• feat: replace image name in checksum file by @Tracker3223 in #275
• fix: use separate signing module for shared cosign pubkey across secu… by @qoijjj in #279
• feat: set distrobox/toolbox to default to signed images by @qoijjj in #280
• feat: opt out of homebrew analytics by default by @qoijjj in 9d6b7c6
• feat: add back container policy hardening by @qoijjj in c4b73ca

New Contributors

• @alexispurslane made their first contribution in #272
• @Tracker3223 made their first contribution in #275

Full Changelog: v2.0.0...v2.1.0

v2.0.0 - F40 release

What's Changed

• fix: nvidia karg command by @qoijjj in #259
• feat: just commands to override modprobe blacklist by @czhang03 in #260
• feat: add additional chromium hardening based on vanadium by @qoijjj in a86a3b7
• feat: disable chromium internal pdf viewer by @qoijjj in 656bf9b
• remove chkrootkit from README.md by @spaceoden in #261
• feat: upgrade to f40 by @qoijjj in #264

New Contributors

• @spaceoden made their first contribution in #261

Full Changelog: v1.1.0...2.0.0

v1.1.0 - Recent security news and additional SELinux tooling

v1.1.0 (04-10-2024)

Security news

• There is a CVE affecting all systems built with rpm-ostree starting with v2023.6:
  • GHSA-2m76-cwhg-7wv6
  • https://discussion.fedoraproject.org/t/security-issue-cve-2024-2905-world-readable-etc-shadow-etc-gshadow-on-fedora-coreos-iot-atomic-desktops-including-silverblue-kinoite/112438
  • https://access.redhat.com/security/cve/CVE-2024-2905
• This has already been fixed upstream here: coreos/fedora-coreos-tracker#1705, but only for F39.
• Secureblue has already been rebuilt to include the fix. Please upgrade immediately, and rebase to latest if you are on any other tag.
• As a precaution, it is also recommended that you rotate all user credentials stored in those files.

What's Changed

• fix: remove Firefox from aurora images by @Rubiginosa in #256
• Change Aurora images according to upstream suggestions by @MkKvcs in #257
• Fix Aurora images not building by @MkKvcs in #258
• feat: add necessary init script, then add additional selinux tooling with alerts disabled by default by @qoijjj in f3ec42e

Full Changelog: v1.0.2...v1.1.0

v1.0.2 - Aurora images now available

v1.0.2 (04-06-2024)

What's Changed

• Replace hardcoded Fedora version in Copr repos by @cig0 in #247
• feat: add additional chromium policy hardening and drop chkrootkit by @qoijjj in e1f6b5b
• Add Aurora images to secureblue by @MkKvcs in #249
• feat: add just command to remove all hardening kargs by @qoijjj in 9f6aa64
• Add aurora-asus and aurora-dx-asus images by @Rubiginosa in #254

New Contributors

• @cig0 made their first contribution in #247
• @MkKvcs made their first contribution in #249
• @Rubiginosa made their first contribution in #254

Full Changelog: v1.0.1...v1.0.2

v1.0.1 - Recent security news and secureblue ISO generation now available

v1.0.1 (03-30-2024)

Security news

• A kernel privilege escalation exploit requiring both unprivileged user namespaces enabled and init_on_alloc disabled doesn't affect secureblue due to secureblue setting init_on_alloc=1 in kargs. Images with userns disabled are doubly unaffected.
• A backdoor was found in xz/liblzma. Secureblue was unaffected due to Fedora 39 being unaffected.
• A malicious KDE theme was found to have deleted at least one user's entire drive. This is indicative of both a lack of quality control in KDE themes, and more importantly a fundamental design flaw, since themes shouldn't have permission to do anything remotely like this in the first place. In response to this, KDE GHNS (the mechanism showing the "Get new themes" button and others) is now disabled by default on secureblue.

What's Changed

• Disable KDE GHNS by @qoijjj in cb67ab8
• Set sudo timeout to 1min by @qoijjj in 67e114c
• New ISO generation by @qoijjj in 6d4a2a8
• Disable compression for sshd by @qoijjj in 55a5474

Full Changelog: v1.0.0...v1.0.1

v1.0.0 - Initial release notes

v1.0.0 (03-21-2024)

Summary

• Initial stable release
• -laptop images have been deprecated and a NOTICE has gone out via MOTD. Consult this document for rebase instructions.

What's Changed

• Rebase secureblue with a new clean commit history by @qoijjj in #46
• Replace email for CoC contact by @qoijjj in #47
• Rename sudoers timeout file by @qoijjj in #50
• Require sudo for rpm-ostree by @qoijjj in #51
• Update readme to include most recent additions by @qoijjj in #52
• feat: reenable flatpak by @34N0 in #53
• changes and removals based on the new flatpak avilability by @qoijjj in #61
• refactor: 🚚 rm fonts module mv other modules into common-* files by @34N0 in #68
• Add CONTRIBUTORS by @qoijjj in #71
• Remove podman and all dependent packages by @qoijjj in #83
• Add bubblejail by @qoijjj in #84
• feat: ✨ mac address randomization by @34N0 in #77
• added kate and dolphin files to .gitignore by @trytomakeyouprivate in #95
• Fix wireplumber issue with hardened malloc #92 by @qoijjj in #97
• Add warning about removing userns setting by @qoijjj in #99
• Switch to non-koji chromium by @qoijjj in #100
• Add chrony config to enable NTS. by @qoijjj in #103
• Remove out of date note about steam by @qoijjj in #104
• Add server versions by @qoijjj in #105
• Add sericea images, add separate laptop images for tlp, and refactor by @qoijjj in #111
• Fix typo in image names by @qoijjj in #113
• feat: 🔒 enable and harden pam faillock, password encryption & pa… by @34N0 in #112
• Add cups back to the image and disable it by default. Include a just … by @qoijjj in #117
• Update ld.so.preload according to #119 by @qoijjj in #120
• Add kargs password prompt for yafti by @qoijjj in #121
• set suid on bubblewrap from fedora instead of using copr for non-userns variants by @qoijjj in #126
• Add bluefin images by @qoijjj in #130
• chromium: Disable VAAPI and enable wayland by @Sadoon-AlBader in #143
• Add staging builds by @qoijjj in #144
• Remove lazurite images that were added prematurely before full wayland support by @qoijjj in #147
• add ucore-based server images by @qoijjj in #157
• SDDM wayland and usbguard by @qoijjj in #158
• docs: set grub password in postinstall readme by @34N0 in #159
• docs: added boot from usb, changed formatting by @trytomakeyouprivate in #167
• docs: added group permissions details by @trytomakeyouprivate in #166
• docs: fix formatting for chromium readme by @trytomakeyouprivate in #178
• Provide Link to Implimentation Details by @czhang03 in #191
• Docs: add password for admin user by @trytomakeyouprivate in #198
• hardening: changed "debugfs" to experimental/breaking by @trytomakeyouprivate in #206
• chore: document secureblue counterpart for vanadium patches and add a… by @qoijjj in #210
• chore: migrate to BlueBuild 🎉 by @qoijjj in #212
• [doc] add documentation for laptop variant by @czhang03 in #220
• [doc] add recommendation against laptop image for latest AMD laptop by @czhang03 in #221
• doc: remove redundant contributors file by @34N0 in #223
• merge live into staging by @qoijjj in #234
• chore: deprecate images that are no longer needed by @qoijjj in #238
• fix: Assure that "disabling CoreDump tweak" is applied correctly by @fiftydinar in #241

New Contributors

• @trytomakeyouprivate made their first contribution in #95
• @Sadoon-AlBader made their first contribution in #143
• @czhang03 made their first contribution in #191
• @fiftydinar made their first contribution in #241

Full Changelog: https://github.com/secureblue/secureblue/commits/v1.0.0