diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg
new file mode 100644
index 0000000..a38c6d2
--- /dev/null
+++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg
@@ -0,0 +1,3 @@
+# Requires every module to be signed before being loaded. Any module that is unsigned or signed with an invalid key cannot be loaded.
+# This makes it harder to load a malicious module.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"