On Wed, 6 Mar 2019, Matthew Garrett wrote:

> From: David Howells <dhowe...@redhat.com>
>
> If the kernel is locked down, require that all modules have valid
> signatures that we can verify.

Perhaps note that this won't cover the case where folk are using DM-Verity
with a signed root hash for verifying kernel modules.

--
James Morris
<jmor...@namei.org>