mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-05 13:08:04 +07:00
38 lines
1.7 KiB
INI
38 lines
1.7 KiB
INI
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## Definitions:
|
|
## KSPP=yes: compliant with recommendations by the KSPP
|
|
## KSPP=partial: partially compliant with recommendations by the KSPP
|
|
## KSPP=no: not (currently) compliant with recommendations by the KSPP
|
|
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
|
|
|
|
## Require every kernel module to be signed before being loaded.
|
|
## Any module that is unsigned or signed with an invalid key cannot be loaded.
|
|
## This prevents all out-of-tree kernel modules unless signed.
|
|
## This makes it harder to load a malicious module.
|
|
##
|
|
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
|
|
## https://github.com/dell/dkms/issues/359
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y.
|
|
##
|
|
## Not enabled by default yet due to several issues.
|
|
##
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
|
|
|
|
## Enable kernel lockdown to enforce security boundary between user and kernel space.
|
|
## Confidentiality mode enforces module signature verification.
|
|
##
|
|
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y.
|
|
##
|
|
## Not enabled by default yet due to several issues.
|
|
##
|
|
#if dpkg --compare-versions "${kver}" ge "5.4"; then
|
|
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
|
|
#fi
|