We can restrict kernel modules to only be loaded if they’re signed by a valid key. This increases security by making it harder to load a malicious module. We can do this by adding module.sig_enforce=1 as a kernel parameter.
We can also prevent kernel modules from being loaded or unloaded after boot by setting kernel.modules_disabled=1 with sysctl. I don’t really see a point in this though, as module loading requires root, and if an attacker has root already, there’s no point in attempting to load a module. Even if the attacker did need to load a module, they could just set kernel.modules_disabled=0 with sysctl as they have root anyway. For some reason, the lockdown patch sets this, but I don’t see any real security advantage and only potential breakages.
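As an added audit helper (example code, not part of the original post), the POSIX shell script below reports the state of the two settings discussed above. It assumes three Linux files: /proc/cmdline (the boot parameters), /sys/module/module/parameters/sig_enforce (reports Y when signature enforcement is active, whether from module.sig_enforce=1 or a kernel built with enforcement on) and /proc/sys/kernel/modules_disabled (the sysctl value). Each function takes the file contents as an argument, so the checks can be exercised with constructed input and without root; when run on a Linux host it reads the live values.

```shell
#!/bin/sh
# Added example, not from the original post: audit kernel module hardening.
# Functions take file contents as arguments so they run on constructed input.

# 1 if module.sig_enforce=1 appears as a whole token on the kernel command line.
sig_enforce_on_cmdline() {
    case " $1 " in
        *" module.sig_enforce=1 "*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# /sys/module/module/parameters/sig_enforce reads "Y" when enforcement is active.
sig_enforce_active() {
    case "$1" in
        Y*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# /proc/sys/kernel/modules_disabled holds 0 or 1.
modules_disabled() {
    case "$1" in
        1*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Summarise as "sig_enforce=<0|1> modules_disabled=<0|1>"; enforcement counts as
# on if either the command line requests it or sysfs reports it active.
module_hardening_summary() {
    cmdline="$1"; sysfs_sig="$2"; moddis="$3"
    sig=0
    [ "$(sig_enforce_on_cmdline "$cmdline")" = 1 ] && sig=1
    [ "$(sig_enforce_active "$sysfs_sig")" = 1 ] && sig=1
    echo "sig_enforce=$sig modules_disabled=$(modules_disabled "$moddis")"
}

# Read a file if present, otherwise use a constructed fallback value so the
# script still runs on systems without these files.
read_or_default() {
    if [ -r "$1" ]; then cat "$1"; else printf '%s' "$2"; fi
}

live_cmdline=$(read_or_default /proc/cmdline 'root=/dev/sda1 quiet')
live_sig=$(read_or_default /sys/module/module/parameters/sig_enforce 'N')
live_moddis=$(read_or_default /proc/sys/kernel/modules_disabled '0')
module_hardening_summary "$live_cmdline" "$live_sig" "$live_moddis"
```

On a system booted with module.sig_enforce=1 and with the sysctl applied, the last line prints sig_enforce=1 modules_disabled=1; on a stock system it typically prints sig_enforce=0 modules_disabled=0 unless the distribution kernel was built with enforcement compiled in.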