security-misc/etc/default/grub.d/40_only_allow_signed_modules.cfg

## Requires every module to be signed before being loaded.
## Any module that is unsigned or signed with an invalid key cannot be loaded.
## This makes it harder to load a malicious module.
##
## Not enabled by default yet due to issues:
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
## https://github.com/dell/dkms/issues/359
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
Revert "allow loading unsigned modules due to issues" This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. 2023-11-03 12:17:00 -04:00			`## Requires every module to be signed before being loaded.`
			`## Any module that is unsigned or signed with an invalid key cannot be loaded.`
			`## This makes it harder to load a malicious module.`
revert enabling kernel module signature enforcement due to issues https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 https://github.com/dell/dkms/issues/359 2023-11-03 15:55:17 -04:00			`##`
			`## Not enabled by default yet due to issues:`
			`## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61`
			`## https://github.com/dell/dkms/issues/359`
			`#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"`