revert enabling kernel module signature enforcement

due to issues https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 https://github.com/dell/dkms/issues/359
2025-01-24 10:06:25 +07:00 · 2023-11-03 15:55:17 -04:00 · 2023-11-03 15:55:17 -04:00 · 97054b2b10
commit 97054b2b10
parent 978e3e4abd
2 changed files with 8 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -94,7 +94,9 @@ TLB invalidation so devices will never be able to access stale data contents.
 #### Kernel Module Signature Verification

 Not yet due to issues:
-https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
+
+* https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
+* https://github.com/dell/dkms/issues/359

 See:

--- a/etc/default/grub.d/40_only_allow_signed_modules.cfg
+++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg
@ -1,4 +1,8 @@
 ## Requires every module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
 ## This makes it harder to load a malicious module.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
+##
+## Not enabled by default yet due to issues:
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
+## https://github.com/dell/dkms/issues/359
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"