Zack’s Kernel News

Kernel News

Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.

make MODSIG=1

Mimi Zohar introduced a patch to support ephemeral module signing. The idea is that if you use a private key to sign modules, the kernel can use a public key to ensure that it only loads modules signed by you. Anyone trying to crack into your system by loading a hostile module would find the way blocked.

The problem is that if they do get a certain level of access to your system, they might locate your private key, sign their hostile module with it, and thus crack deeper into your system anyway.