Author Topic: Linux on a W11 or W10 PC  (Read 838 times)


Offline LindleyTopic starter

  • Regular Contributor
  • *
  • Posts: 195
  • Country: gb
Linux on a W11 or W10 PC
« on: February 16, 2023, 03:03:30 pm »
Hi,

Have two PCs, the laptop being W11 and the old desktop just W10, not W11 compatible.

If using Linux on the W11 laptop would it make any use of the extra hardware, e.g. TPM, to give more security, and if so is any particular distro better than any other in this respect?

While asking, is Mint still as good as any for the home / office user, keynotes safe but simple.
 

Offline coromonadalix

  • Super Contributor
  • ***
  • Posts: 5906
  • Country: ca
Re: Linux on a W11 or W10 PC
« Reply #1 on: February 16, 2023, 06:15:36 pm »
Use Rufus and a Win 11 ISO, you'll see some magic happening with some settings and you will be able to use W11 on old stuff.


W11 worked well on an old Athlon FX .... loll
 
The following users thanked this post: Lindley

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14482
  • Country: fr
Re: Linux on a W11 or W10 PC
« Reply #2 on: February 16, 2023, 08:38:09 pm »
That's an unusual question - usually people are asking for the opposite, how to install Windows 11 without TPM. But you are asking to use TPM with Linux. ;D

If so, you'll need to look that up specifically for the distribution you are going to use.
For Arch that I personally use, they have a wiki page: https://wiki.archlinux.org/title/Trusted_Platform_Module
 
The following users thanked this post: Lindley

Offline Whales

  • Super Contributor
  • ***
  • Posts: 1899
  • Country: au
    • Halestrom
Re: Linux on a W11 or W10 PC
« Reply #3 on: February 16, 2023, 09:22:00 pm »
I wouldn't worry about the TPM.  The halo-effect of the word "security" around it is misleading.

Yes a TPM implementation can improve user security, for example the convenience of bitlocker on Windows at protecting against casual thieves.  But that's not the main goal, TPM exists (opinion) to improve the business security of Microsoft by giving it the ability to sell co-processing and storage that the user can't control to its partners.  "Trusted Platform Module" refers to the ability of companies being able to trust the user can't tamper with it.

I really recommend reading the wikipedia article:
Quote
TPM is used for digital rights management (DRM), Windows Defender, Windows Domain logon, protection and enforcement of software licenses,[1] and prevention of cheating in online games.[2]

One of Windows 11's system requirements is TPM 2.0. Microsoft has stated that this is to help increase security against firmware and ransomware attacks.[3]

(I'm sorry, that "and ransomware attacks" bit is bullshit.  Only the most minor corner cases could possibly be protected.  EDIT: it looks like the reference is misquoted, Microsoft did not state it there)

By default I don't know of any Linux distros that will store keys in a TPM (they probably don't want to expose the users to the risk of it breaking or misbehaving, locking users out of their own computer).  Most of them will probably auto-load kernel modules that might use it as an RNG source, but it will be one RNG source among many (so having it or not will not make a big impact to the entropy pool).

Quote
While asking, is Mint still as good as any for the home / office user, keynotes safe but simple.

Yes Mint is a good first choice for new Linux users.  It's mostly as well tested & popular as Ubuntu, but doesn't have Ubuntu's annoying commercially motivated features.

It's easy to get stuck on old releases after a year or so if you don't pay attention to the update manager.  Updating to a new major version is a different process in the update manager compared to normal updates.
« Last Edit: February 16, 2023, 09:30:50 pm by Whales »
 
The following users thanked this post: SiliconWizard, Lindley
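
Added example (not part of any post in this thread): a shell check of what the running kernel exposes about a TPM, including whether it is registered as a hardware RNG source as the reply above describes. The sysfs paths are the standard kernel ones; the optional root-prefix argument is a hypothetical hook for pointing the functions at a test tree.

```sh
#!/bin/sh
# Added example: report what the running kernel exposes about a TPM and
# about the hardware RNG it has selected. The optional first argument
# (a root prefix) is a hypothetical hook for testing against a fake tree;
# leave it empty to read the real /sys.

tpm_version() {
    # Prints the TPM major version (1 or 2), "unknown" on kernels that
    # register the device without the version file, or "none".
    root="${1:-}"
    if [ -r "$root/sys/class/tpm/tpm0/tpm_version_major" ]; then
        cat "$root/sys/class/tpm/tpm0/tpm_version_major"
    elif [ -d "$root/sys/class/tpm/tpm0" ]; then
        echo unknown
    else
        echo none
    fi
}

hwrng_current() {
    # Name of the hardware RNG the kernel currently reads from, or "none".
    root="${1:-}"
    f="$root/sys/class/misc/hw_random/rng_current"
    { [ -r "$f" ] && cat "$f" 2>/dev/null; } || echo none
}

tpm_rng_available() {
    # Succeeds if the TPM driver registered itself as a hardware RNG
    # (it appears as tpm-rng-<n> in rng_available).
    root="${1:-}"
    f="$root/sys/class/misc/hw_random/rng_available"
    [ -r "$f" ] && grep -q 'tpm-rng-' "$f"
}

tpm_report() {
    root="${1:-}"
    ver=$(tpm_version "$root")
    cur=$(hwrng_current "$root")
    if tpm_rng_available "$root"; then avail=yes; else avail=no; fi
    echo "tpm_version=$ver hwrng_current=$cur tpm_rng_available=$avail"
}

tpm_report "${1:-}"
```

A result of `tpm_version=none` on hardware that has a TPM usually means the module is disabled in the firmware setup rather than missing.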

Offline LindleyTopic starter

  • Regular Contributor
  • *
  • Posts: 195
  • Country: gb
Re: Linux on a W11 or W10 PC
« Reply #4 on: February 17, 2023, 11:09:08 am »
Thanks all, it's often so hard to find the real facts about such things.

One last simple (?) question if we may, as the web is littered with so many opposing comments: apart from ensuring the Firewall is turned on in Mint, should we be running any other form of AV / scanners like ClamAV?
 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 6264
  • Country: fi
    • My home page and email address
Re: Linux on a W11 or W10 PC
« Reply #5 on: February 17, 2023, 11:39:53 am »
Quote
should we be running any other form of AV / scanners like ClamAV?

I've used exclusively Linux on my internet-facing desktops and laptops since 2004 or so, and Linux in general since 1995 or so.
I have never run an AV in Linux on a personal machine (as opposed to a server).

I run AV scanners only on mail and file servers, and only to protect Windows clients.

I do run fail2ban to add temporary (24h typical in my case) firewall blocks to IP addresses that try to intrude my machine (mostly SSH and HTTP/HTTPS protocols, since I don't usually have other services open to internet).  Whenever I have an SSH server running (thus catching intrusion attempts on that), I typically have 5 to 50 IP addresses blocked at any given time, because this machine has an externally visible, relatively stable IP address.  I also run various intrusion detection systems (tripwires and such) if the machine contains any sensitive information.

I don't let my email program download images automatically, nor automatically report deliveries, nor will I trust email attachments are safe to open.  I don't load binaries off web pages, I use standard software repositories (and some personal package archives I consider reliable enough).

I make my choices regarding security and backups assuming I will get breached, and try to minimise the effects.  For example, if my machine gets compromised, I'll just reinstall it from scratch, and recover my own data from backups.  (Of course, I'd have to carefully check if my own data contains the breach or exploit then; that might require some kind of scanner.)

I have not been breached thus far on my desktop machines.  One of my servers was compromised due to an OpenSSH security flaw just before the turn of the century, but it was done through an automated script that failed to contact its CNC server due to outgoing firewall rules, and wasn't exploited.  (Many people do find the idea of outgoing firewall rules odd, though.)

All those "Your machine is compromised ... got embarrassing video of you" emails I have a filter deleting automatically, because I have a hardware cover over my laptop camera when not in use.

Software does not protect you, your own behaviour protects you best.  Do not assume you won't be breached, just make sure you can react effectively when (okay, if) that happens.  Back up your data often enough, so that just reinstalling your machine from scratch doesn't feel scary.  Keep your important data on multiple different media, in case one of them gets destroyed.
« Last Edit: February 17, 2023, 11:43:23 am by Nominal Animal »
 
The following users thanked this post: MK14, Lindley
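
Added example (not part of any post in this thread): replaying Ban/Unban events from a fail2ban log to see which addresses are still blocked, the figure the reply above gives as 5 to 50 at any time. The log lines are constructed, using documentation address ranges; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: work out which addresses are still banned by replaying
# Ban/Unban events from fail2ban.log. All log lines below are constructed.

sample_log() {
cat <<'EOF'
2023-02-16 09:01:12,101 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2023-02-16 09:01:12
2023-02-16 09:01:15,440 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2023-02-17 08:00:03,250 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 198.51.100.23
2023-02-17 09:01:15,733 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2023-02-17 10:30:41,120 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 192.0.2.44
2023-02-17 11:20:19,562 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.99
EOF
}

active_bans() {
    # Reads fail2ban.log on stdin, prints "[jail] address" per live ban.
    # "Restore Ban" is what fail2ban logs when it re-applies bans on restart.
    awk '
        $5 != "NOTICE" { next }
        $7 == "Ban"                    { banned[$6 " " $8] = 1 }
        $7 == "Restore" && $8 == "Ban" { banned[$6 " " $9] = 1 }
        $7 == "Unban"                  { delete banned[$6 " " $8] }
        END { for (k in banned) print k }
    ' | LC_ALL=C sort
}

ban_count() {
    # $1 = jail name without brackets; log on stdin. Prints the live count.
    active_bans | grep -c -F "[$1] " || true
}

sample_log | active_bans
```

The replay only sees bans recorded in the file it is given, so rotated logs hide older ones; `fail2ban-client status sshd` reports the live list for a jail.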

Offline LindleyTopic starter

  • Regular Contributor
  • *
  • Posts: 195
  • Country: gb
Re: Linux on a W11 or W10 PC
« Reply #6 on: February 17, 2023, 02:50:38 pm »
Thanks @Nominal Animal for the detailed reply.

Do practice a lot of what you say already on Windows and yes the regular backups have saved us a lot of work on a few occasions, mainly due to Microsoft's updates!
Had a spare SSD so have been loading Mint up as a dual drive, dual boot system, think that eases some of the problems you can get with two OS on one drive.

Just need to find the right equivalent programs for Linux, had been starting to learn a bit with Fusion360 for 3D printing but seems we might have to move over to FreeCAD who do a proper Linux version.
 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 6264
  • Country: fi
    • My home page and email address
Re: Linux on a W11 or W10 PC
« Reply #7 on: February 17, 2023, 03:06:43 pm »
As a general rule, I recommend not looking for equivalent applications, but for all solutions for the underlying problem you're solving using a specific Windows application.

For example, I happen to use OpenSCAD for my 3D printed designs.

(Even though I'm old enough to be a granddad, I also like Lego Technics, and sometimes play with LeoCAD.  The third CAD program on my machine is indeed FreeCAD.)

There can be cases where you really want or need a Windows application, in which case Wine might be able to help.  Otherwise, you may need to rethink your past workflows, and consider alternative approaches.

The one way to make sure you'll be unhappy with Linux is to think of it as simply a replacement for Windows.  It isn't that.

Based on my experience, Linux can be used to do the kind of work one might do in Windows (at least when specific applications are not required, or the required applications are available for Linux also).  I happen to prefer Linux, simply because that way I can modify the OS and applications to conform to my own workflow, instead of me having to conform to the workflow my tools require.  I'm much more effective in Linux; the only limitations I feel are my own imagination (and for heavy computation, how long I'm willing to wait for the results to complete).
 
The following users thanked this post: MK14, Lindley

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14482
  • Country: fr
Re: Linux on a W11 or W10 PC
« Reply #8 on: February 17, 2023, 09:40:54 pm »
I do use ClamAV, both on Windows and Linux, and only to manually scan "external" files. Nothing automated at all.
Haven't had a single security issue on any of my machines in over 20 years.
 
The following users thanked this post: Lindley

Online Infraviolet

  • Super Contributor
  • ***
  • Posts: 1023
  • Country: gb
Re: Linux on a W11 or W10 PC
« Reply #9 on: March 01, 2023, 06:49:11 pm »
I can recommend the Wine compatibility layer which can make some (not all) Windows exe file programs run happily on Linux. The Winetricks and PlayOnLinux packages can also assist in this. If your Windows program will work this way great, if it won't your best option might be putting Windows in a Virtual Machine and using the Windows VM solely for using programs you can't run on Linux, doing all your Linux-compatible stuff on the Linux OS.

I can recommend Mint, I am on it right now. I'd suggest going for the MATE or XFCE versions with lighter weight graphics so you can dedicate more computer power to running your actual programs.

I'd suggest when installing to try ideally with UEFI in use, reserve the legacy BIOS mode only for if UEFI installation fails, but ensure junk like secureboot and fancy fast booting modes are turned off.

I keep meaning to learn FreeCAD, but would certainly recommend it over Fusion 360, I'd never want to put the time in to learning a cloud based remotely controlled proprietary software package which could be snatched away from me at any moment.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: fi
Re: Linux on a W11 or W10 PC
« Reply #10 on: March 01, 2023, 07:14:32 pm »
Yes, TPM is supported in Linux including LUKS encryption, but it depends on the distro how well and conveniently this is supported. Also not all platforms are probably supported by Linux, but most common laptops are.

Here is an article on how to set up TPM2 with disk encryption in Fedora: https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/

Disclaimer.
I have personally no experience of using TPM2 myself.
 

