From b6d53f698d0ad21a31da6bf74a44577a0c8869fc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:17:00 -0400 Subject: [PATCH] Revert "allow loading unsigned modules due to issues" This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. --- debian/security-misc.maintscript | 3 --- etc/default/grub.d/40_only_allow_signed_modules.cfg | 4 ++++ 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 etc/default/grub.d/40_only_allow_signed_modules.cfg diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f1664ee..1c4ea5e 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -3,9 +3,6 @@ rm_conffile /etc/sudoers.d/umask-security-misc -## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23 -rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg - ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 rm_conffile /etc/sysctl.d/sysrq.conf diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg new file mode 100644 index 0000000..5441292 --- /dev/null +++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg @@ -0,0 +1,4 @@ +## Requires every module to be signed before being loaded. +## Any module that is unsigned or signed with an invalid key cannot be loaded. +## This makes it harder to load a malicious module. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"