Closed madaidan closed 5 years ago
This will require all out-of-tree modules, like NVIDIA drivers or WireGuard, to be signed with the same key that was used for building the kernel, which isn't feasible except for private use; therefore this option shouldn't be the default. I recommend using a boot param instead.
I forgot about those. This isn't a good idea then. Thanks.
This makes it harder to load a malicious kernel module by requiring modules to be signed with a valid key. Any module that is unsigned or signed with an invalid key won't be loaded.
https://www.kernel.org/doc/html/v5.2/admin-guide/module-signing.html
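An added example, not part of the original thread or the project's code: a pre-flight check for the concern raised above, listing modules on disk that carry no appended signature and would therefore be refused once signatures are enforced. It parses the appended-signature trailer described in the kernel's module-signing documentation, looks only at uncompressed `.ko` files, and does not check whether a signature chains to a key the kernel trusts; the function names are hypothetical.

```python
import struct
import sys
from pathlib import Path

MAGIC = b"~Module signature appended~\n"   # marker the kernel looks for at end of file
TRAILER = struct.Struct(">5B3xI")           # struct module_signature: 12 bytes, big-endian
PKEY_ID_PKCS7 = 2                           # id_type value used for PKCS#7 signatures


def signature_info(blob: bytes):
    """Return None for an unsigned module, else a dict describing the trailer.

    Raises ValueError when the marker is present but the trailer is malformed.
    """
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("marker present but trailer truncated")
    # Fields: algo, hash, id_type, signer_len, key_id_len, (3 pad bytes), sig_len
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    if sig_len == 0 or sig_len > len(body) - TRAILER.size:
        raise ValueError(f"sig_len {sig_len} does not fit in the file")
    return {"id_type": id_type, "sig_len": sig_len, "pkcs7": id_type == PKEY_ID_PKCS7}


def audit(root):
    """Map each uncompressed *.ko under root to 'signed', 'unsigned' or 'malformed'."""
    report = {}
    for path in sorted(Path(root).rglob("*.ko")):
        try:
            info = signature_info(path.read_bytes())
        except ValueError:
            report[str(path)] = "malformed"
            continue
        report[str(path)] = "signed" if info else "unsigned"
    return report


if __name__ == "__main__":
    # Assumed usage: python3 modsig_audit.py /lib/modules/$(uname -r)
    root = sys.argv[1] if len(sys.argv) > 1 else "/lib/modules"
    for name, state in audit(root).items():
        if state != "signed":
            print(f"{state:9} {name}")
```

Compressed modules (`.ko.xz`, `.ko.zst`) are signed before compression, so they have to be decompressed before this check applies.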