## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Require every kernel module to be signed before being loaded.
## Any module that is unsigned or signed with an invalid key cannot be loaded.
## This prevents all out-of-tree kernel modules unless signed.
## This makes it harder to load a malicious module.
##
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
## https://github.com/dell/dkms/issues/359
##
## Not enabled by default yet due to several issues.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"

## Enable kernel lockdown to enforce security boundary between user and kernel space.
## Confidentiality mode enforces module signature verification.
##
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
##
## ## Not enabled by default yet due to several issues.
##
#if dpkg --compare-versions "${kver}" ge "5.4"; then
#  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
#fi