From 9a49b8ecbb863a995862a4d380c6a03f6c0991ac Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 13 Aug 2019 13:33:07 +0000
Subject: [PATCH] Create 40_only_allow_signed_modules.cfg

Require all loaded kernel modules to be signed with a valid key.
---
 etc/default/grub.d/40_only_allow_signed_modules.cfg | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 etc/default/grub.d/40_only_allow_signed_modules.cfg

diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg
new file mode 100644
index 0000000..a38c6d2
--- /dev/null
+++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg
@@ -0,0 +1,3 @@
+# Requires every module to be signed before being loaded. Any module that is unsigned or signed with an invalid key cannot be loaded.
+# This makes it harder to load a malicious module.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
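Review bot: The comment above the `GRUB_CMDLINE_LINUX` line does not say what the setting depends on or what it will break. `module.sig_enforce=1` only has an effect on kernels built with module signature support (CONFIG_MODULE_SIG), and locally built modules (DKMS packages, hypervisor guest additions, other out-of-tree drivers) will be refused unless they are signed with a key the kernel trusts. I would add a line such as `# Needs a kernel built with CONFIG_MODULE_SIG; DKMS/out-of-tree modules must be signed with a trusted key or they will fail to load.` The comment could also say that the parameter only applies after the GRUB configuration is regenerated and the system rebooted. Anyone who can edit the boot configuration can remove it again, so it complements a protected boot chain rather than replacing one.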