mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
26 lines
1.2 KiB
INI
26 lines
1.2 KiB
INI
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## Require every kernel module to be signed before being loaded.
|
|
## Any module that is unsigned or signed with an invalid key cannot be loaded.
|
|
## This prevents all out-of-tree kernel modules unless signed.
|
|
## This makes it harder to load a malicious module.
|
|
##
|
|
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
|
|
## https://github.com/dell/dkms/issues/359
|
|
##
|
|
## Not enabled by default yet due to several issues.
|
|
##
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
|
|
|
|
## Enable kernel lockdown to enforce security boundary between user and kernel space.
|
|
## Confidentiality mode enforces module signature verification.
|
|
##
|
|
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
|
|
##
|
|
## ## Not enabled by default yet due to several issues.
|
|
##
|
|
#if dpkg --compare-versions "${kver}" ge "5.4"; then
|
|
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
|
|
#fi
|