On Wed, 6 Mar 2019, Matthew Garrett wrote: > From: David Howells <[email protected]> > > If the kernel is locked down, require that all modules have valid > signatures that we can verify.
Perhaps note that this won't cover the case where folk are using DM-Verity with a signed root hash for verifying kernel modules. -- James Morris <[email protected]>
