From 97054b2b1076d6d428996967304b29620923eff4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 15:55:17 -0400 Subject: [PATCH] revert enabling kernel module signature enforcement due to issues https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 https://github.com/dell/dkms/issues/359 --- README.md | 4 +++- etc/default/grub.d/40_only_allow_signed_modules.cfg | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 96cab41..21ea2fe 100644 --- a/README.md +++ b/README.md @@ -94,7 +94,9 @@ TLB invalidation so devices will never be able to access stale data contents. #### Kernel Module Signature Verification Not yet due to issues: -https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 + +* https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 +* https://github.com/dell/dkms/issues/359 See: diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg index 5441292..5d1a357 100644 --- a/etc/default/grub.d/40_only_allow_signed_modules.cfg +++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg @@ -1,4 +1,8 @@ ## Requires every module to be signed before being loaded. ## Any module that is unsigned or signed with an invalid key cannot be loaded. ## This makes it harder to load a malicious module. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" +## +## Not enabled by default yet due to issues: +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 +## https://github.com/dell/dkms/issues/359 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
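Review bot: In the README.md hunk, the forum link added under "Not yet due to issues:" points at post /64, while the commit message cites /63 and the comment added to 40_only_allow_signed_modules.cfg cites /61 of the same thread. If these are meant to reference the same report, use one post number in all three places. If they are distinct reports, a short phrase beside each link saying what broke would save readers from opening each one. The section also gives no indication of what condition would allow enforcement to be turned back on. Since the second link is a DKMS issue, one sentence stating that re-enabling depends on that issue being resolved would make the "Not yet" actionable.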
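Review bot: In the etc/default/grub.d/40_only_allow_signed_modules.cfg hunk, the three unchanged header comment lines still read as a description of active behaviour ("Requires every module to be signed before being loaded."), but after this change the only assignment in the file is commented out, so the file sets nothing. Someone auditing the configuration could read the header and the file name and conclude that module.sig_enforce=1 is in effect. Suggest rewording the header to say that the setting would require signed modules if enabled, and adding a line telling users who do want enforcement to uncomment the `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"` line. The forum link here (/61) also differs from the ones in the README (/64) and the commit message (/63).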