4.2 KiB
4.2 KiB
About this operating system
MiasmaOS aims at being a security hardened, immutable Linux distribution built on top of Arch Linux. Whilst this distribution takes inspiration from GrapheneOS, Secureblue, DivestOS, and many others hardened systems, the goal here is to make a hardened distribution that is also modern and easy to use without much configuration. It is an attempt to break the privacy/security paradox where the common belief is that if it is secure and private, it is not user friendly.
Security features
- Custom kernel that adds additional security to the hardened-linux kernel
- Applications run with hardened_malloc by GrapheneOS
- Flatpak app store for installing GUI applications
- Immutable base, so root files cannot be tampered with
- Firejail and Apparmor for additional containerization for non Flatpak applications
- XWayland-Satellite for rather than XWayland for X11 apps (this uses a fake root so X11 can't break containment)
- Cosmic desktop. Whilst I can acknowledge the Cosmic desktop is still in beta, it is written in Rust (memory safety) and does not contain the amount of unsafe X11 code that other desktop environments like Gnome and KDE Plasma have. Its both a logical choice and good futureproofing.
- Opendoas to replace sudo. This distro doesn't completely remove elevated privileges (by default) but it does replace sudo with doas. doas was ported from OpenBSD and has a smaller codebase so it has a smaller attack surface and is easier to maintain.
- doas has also been limited. If you must run higher privilege commands that are out of scope for doas, please use run0. The distribution does attempt to treat you like an adult, and you can use elevated permissions, but this is made somewhat inconvenient purposely to discourage/minimize it.
- Blacklisted module - copied from Secureblue
- Brace scripts by DivestOS to add hardened policies to certain applications.
- Boot & System Integrity: MiasmaOS boots through systemd‑boot with Secure Boot enabled on UEFI firmware. The boot chain is measured with the TPM 2.0, guaranteeing that every component—from the bootloader to the kernel and initramfs—is cryptographically verified before execution.
- Btrfs root with a dedicated @snapshots subvolume for rollback.
- Optional LUKS2 encryption (AES‑XTS, 512‑bit key) on install.
Other features
- The default browser is a slightly modified version of Ungoogled-Chromium. Ungoogled-Chromium needs certain flags switched on for full Wayland support, and since avoiding anything X11 is a top priority of this distribution, that needs to be on by default. Additionally the Chromium-Web-Store extension by NeverDecaf comes preinstalled, so users can access their favorite browser extensions. Note that browser extensions can be a big security risk and by default, only a handful of extensions are approved in the modified Brace policy (located at /etc/chromium/policies).
Additional note on this: Ungoogled-Chromium is not simply "Chromium without Google". There are many privacy and security features that have been added to the browser that allow it to stand on its on amongst other browsers like Brave, Librewolf, Mullvad etc.
- Neovim is the default text editor and Vim is not installed. Additionally this is preconfigured with LazyVim. This is what I use and I don't really see a purpose for Vim in a modern desktop environment.
- Kanagawa Dragon theme everywhere.
- Alacritty is the default terminal. I prefer Ghostty but with memory safety in mind, I went with as many Rust apps as I could. Why not Wezterm? For now, Alacritty feels like more of a stable longterm project to me. I may be wrong but that is the vibe I get.
- Zsh is the default shell. Bash is still included as it is required for root processes, but Zsh is the default shell here as we are attempting to build a modern and convenient distribution that also happens to be extremely secure.
- The 'MiasmaAUR' user repository is also available for additional packages. All these packages have been signed, and are available for auditing. Keeping this repository small makes it easier to vet the packages rather than using yay or paru and downloading from the entire AUR catelog. Please audit these packages yourself and send any requests for packages you would like to be added to the repository.