Updated descriptions of disabled modules

etc/modprobe.d/30_security-misc.conf

@@ -1,17 +1,20 @@
 ## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## https://phabricator.whonix.org/T486
+# See the following links for a community discussion and overview regarding the selections
+# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+# Blacklist automatic conntrack helper assignment
+# https://phabricator.whonix.org/T486
 options nf_conntrack nf_conntrack_helper=0
 
-# Blacklists bluetooth to reduce attack surface.
-# Bluetooth also has a history of security vulnerabilities:
-#
+# Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities
 # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 install bluetooth /bin/false
 install btusb /bin/false
 
-# Blacklist thunderbolt and firewire to prevent some DMA attacks.
+# Blacklist thunderbolt and firewire modules to prevent some DMA attacks
 install thunderbolt /bin/false
 install firewire-core /bin/false
 install firewire_core /bin/false
@@ -24,11 +27,10 @@ install raw1394 /bin/false
 install video1394 /bin/false
 install firewire-sbp2 /bin/false
 
-# Blacklist CPU MSRs as they can be abused to write to
-# arbitrary memory.
+# Blacklist CPU MSRs as they can be abused to write to arbitrary memory.
 install msr /bin/false
 
-# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
+# Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
 #
 # Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
 #
@@ -56,7 +58,7 @@ install p8022 /bin/false
 install can /bin/false
 install atm /bin/false
 
-# Disable uncommon file systems to reduce attack surface
+# Blacklist uncommon file systems to reduce attack surface
 install cramfs /bin/false
 install freevxfs /bin/false
 install jffs2 /bin/false
@@ -64,7 +66,7 @@ install hfs /bin/false
 install hfsplus /bin/false
 install udf /bin/false
 
-# Disable uncommon network filesystems to reduce attack surface
+# Blacklist uncommon network file systems to reduce attack surface
 install cifs /bin/false
 install nfs /bin/false
 install nfsv3 /bin/false
@@ -72,18 +74,18 @@ install nfsv4 /bin/false
 install ksmbd /bin/false
 install gfs2 /bin/false
 
-## Blacklists the vivid kernel module as it's only required for
-## testing and has been the cause of multiple vulnerabilities.
-##
-## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
-## https://www.openwall.com/lists/oss-security/2019/11/02/1
-## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+# Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
+# https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+# https://www.openwall.com/lists/oss-security/2019/11/02/1
+# https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 install vivid /bin/false
 
-# Disable CD-ROM
+# Blacklist CD-ROM devices
+# https://nvd.nist.gov/vuln/detail/CVE-2018-11506
 install cdrom /bin/false
 install sr_mod /bin/false
 
-# Disable Intel Management Engine (ME) interface with OS
+# Blacklist Intel Management Engine (ME) interface with the OS
+# https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 install mei /bin/false
 install mei-me /bin/false