11 Oct 2019, 7:32 p.m.
Since the kernel now separates verification of signed modules from the enforcement policy of whether to allow unverified modules to be loaded or not, I thought it's time to explore. The enforcement policy can be compiled in or turned on at run time via a boot option to the kernel. I now have it working to sign all the in-tree modules as well as the out-of-tree modules. In my case I'm signing virtualbox and wireguard.

In case it's helpful, I created a wiki page outlining what I did to get this working. Hope it's useful.

https://wiki.archlinux.org/index.php/Signed_kernel_modules

gene
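The split between verification and enforcement described in the post, as an added example that is not part of the original message or the linked wiki page: it classifies the effective policy from a kernel config and command line, then lists modules that carry no signature trailer. It assumes the kernel's `CONFIG_MODULE_SIG`, `CONFIG_MODULE_SIG_FORCE` and `module.sig_enforce` names and the trailer layout from `module_signature.h`; module names and bytes are constructed samples, and the check covers trailer presence only, not cryptographic validity.

```python
import struct

MAGIC = b"~Module signature appended~\n"  # marker the kernel's sign-file appends
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature: 5 u8, 3 pad, be32 sig_len
PKEY_ID_PKCS7 = 2                          # id_type value for PKCS#7 signatures

def signature_info(blob):
    """Return trailer fields for a signed module image, or None if unsigned/malformed."""
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        return None
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    payload_end = end - TRAILER.size
    if sig_len == 0 or sig_len > payload_end:
        return None  # length field points outside the file
    return {"id_type": id_type, "sig_len": sig_len,
            "module_len": payload_end - sig_len}

def enforcement(config_text, cmdline):
    """Classify policy: 'compiled-in', 'boot-option', 'verify-only' or 'off'."""
    opts = set(line.strip() for line in config_text.splitlines())
    if "CONFIG_MODULE_SIG=y" not in opts:
        return "off"
    if "CONFIG_MODULE_SIG_FORCE=y" in opts:
        return "compiled-in"
    for arg in cmdline.split():
        key, _, val = arg.partition("=")
        # Assumption: only a bare flag or 1/y/Y is treated as "enabled" here.
        if key == "module.sig_enforce" and val in ("", "1", "y", "Y"):
            return "boot-option"
    return "verify-only"

def audit(config_text, cmdline, modules):
    """Names of modules lacking a signature trailer while enforcement is active."""
    if enforcement(config_text, cmdline) in ("off", "verify-only"):
        return []
    return sorted(n for n, b in modules.items() if signature_info(b) is None)

# Constructed sample data, not taken from a real system.
_sig = b"\x30" * 16
SIGNED = b"\x7fELF-body" + _sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(_sig)) + MAGIC
UNSIGNED = b"\x7fELF-body"
SAMPLE = {"wireguard.ko": SIGNED, "vboxdrv.ko": UNSIGNED}

if __name__ == "__main__":
    cfg = "CONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n"
    print(audit(cfg, "root=/dev/sda2 rw module.sig_enforce=1", SAMPLE))
```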