# Requires every module to be signed before being loaded. Any module that is unsigned or signed with an invalid key cannot be loaded.
# This makes it harder to load a malicious module.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"