fix: support disabling module signature verification

frezbo · frezbo · commit 6ea49c7264ba · 2026-04-15T09:01:25.000+05:30
Even though siderolabs/talos#11989 got completed, it missed a critical step to disable `CONFIG_MODULE_SIG_FORCE` as the issues states. This got missed and released, fixing the errata. Signed-off-by: Noel Georgi <git@frezbo.dev>
diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
@@ -1008,7 +1008,7 @@ CONFIG_ASM_MODVERSIONS=y
 CONFIG_BASIC_MODVERSIONS=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_FORCE=y
+# CONFIG_MODULE_SIG_FORCE is not set
 CONFIG_MODULE_SIG_ALL=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 # CONFIG_MODULE_SIG_SHA256 is not set
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
@@ -949,7 +949,7 @@ CONFIG_ASM_MODVERSIONS=y
 CONFIG_BASIC_MODVERSIONS=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_FORCE=y
+# CONFIG_MODULE_SIG_FORCE is not set
 CONFIG_MODULE_SIG_ALL=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 # CONFIG_MODULE_SIG_SHA256 is not set
diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py
@@ -36,6 +36,7 @@
     'CONFIG_IOMMU_DEFAULT_DMA_STRICT', # performance impact https://github.com/siderolabs/talos/issues/9531
     'CONFIG_PROC_MEM_NO_FORCE', # might break some applications, so instead we will enforce in the kernel arg 'proc_mem.force_override=never' (https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201)
     'CONFIG_GCC_PLUGIN_LATENT_ENTROPY', # doesn't seem very relevant, entropy is low quality, and not available in Clang, https://github.com/torvalds/linux/blob/37a93dd5c49b5fda807fd204edf2547c3493319c/scripts/gcc-plugins/Kconfig#L25-L33
+    'CONFIG_MODULE_SIG_FORCE', # see https://github.com/siderolabs/talos/issues/11989
 }
 
 """

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@`
`36`	`36`	`'CONFIG_IOMMU_DEFAULT_DMA_STRICT', # performance impact https://github.com/siderolabs/talos/issues/9531`
`37`	`37`	`'CONFIG_PROC_MEM_NO_FORCE', # might break some applications, so instead we will enforce in the kernel arg 'proc_mem.force_override=never' (https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201)`
`38`	`38`	`'CONFIG_GCC_PLUGIN_LATENT_ENTROPY', # doesn't seem very relevant, entropy is low quality, and not available in Clang, https://github.com/torvalds/linux/blob/37a93dd5c49b5fda807fd204edf2547c3493319c/scripts/gcc-plugins/Kconfig#L25-L33`
	`39`	`+ 'CONFIG_MODULE_SIG_FORCE', # see https://github.com/siderolabs/talos/issues/11989`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`"""`