## Requires every module to be signed before being loaded.
## Any module that is unsigned or signed with an invalid key cannot be loaded.
## This makes it harder to load a malicious module.
##
## Not enabled by default yet due to issues:
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
## https://github.com/dell/dkms/issues/359
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"