revert enabling kernel module signature enforcement

due to issues https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 https://github.com/dell/dkms/issues/359
2025-01-25 02:25:33 +07:00 · 2023-11-03 15:55:17 -04:00 · 2023-11-03 15:55:17 -04:00 · 97054b2b10
commit 97054b2b10
parent 978e3e4abd
2 changed files with 8 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -94,7 +94,9 @@ TLB invalidation so devices will never be able to access stale data contents.
 #### Kernel Module Signature Verification
 Not yet due to issues:
-https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
+
 * https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
 * https://github.com/dell/dkms/issues/359
 See:
--- a/etc/default/grub.d/40_only_allow_signed_modules.cfg
+++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg
@ -1,4 +1,8 @@
 ## Requires every module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
 ## This makes it harder to load a malicious module.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
+##
 ## Not enabled by default yet due to issues:
 ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
 ## https://github.com/dell/dkms/issues/359
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"