## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

## Require every kernel module to be signed before being loaded.
## Any module that is unsigned or signed with an invalid key cannot be loaded.
## This prevents all out-of-tree kernel modules unless signed.
## This makes it harder to load a malicious module.
##
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
## https://github.com/dell/dkms/issues/359
##
## KSPP=yes
## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y.
##
## Not enabled by default yet due to several issues.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"

## Enable kernel lockdown to enforce security boundary between user and kernel space.
## Confidentiality mode enforces module signature verification.
##
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
##
## KSPP=yes
## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y.
##
## Not enabled by default yet due to several issues.
##
#if dpkg --compare-versions "${kver}" ge "5.4"; then
#  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
#fi