Instead of creating a bunch of different threads for different kernel modules, we can just use this one.
We can blacklist more kernel modules to reduce attack surface further. This can include a bunch of uncommon modules or things unlikely to be used.
We can blacklist a bunch of uncommon filesystems by creating a file in /etc/modprobe.d with
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
This blacklists cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs and udf.
We can blacklist the CD-ROM kernel modules with
install cdrom /bin/true
install sr_mod /bin/true
I doubt CD-ROMs would be used within Whonix and the CD-ROM kernel driver has had some vulnerabilities before such as CVE-2018-11506.
We can blacklist the PC speaker module with
install pcspkr /bin/true
This will mostly be helpful for discretion purposes. The module can cause the computer to make various beeps or other noises.
Tails also blacklists this.
The MEI is the interface between the Intel ME and the OS. The Intel ME is dangerous as it has access to basically everything and the MEI may have some vulnerability that allows exploitation of the ME.
It can be disabled with
install mei /bin/true
install mei-me /bin/true
"allow loading signed kernel modules by default" / "disallow kernel module loading by default" won't make this pointless as many of these can be loaded at boot, before kernel.modules_disabled=1 is set, and some users may revert that (if it is ever implemented).
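As an added example (not from the post or from Whonix), a small POSIX shell script that generates the modprobe.d drop-in from the module list above and audits it against a /proc/modules-style listing, so you can see which blacklisted modules are still loaded (an install rule only blocks future loads; it does not unload anything). The conf filename, the listing path and the sample listing are assumptions constructed for offline use.

```shell
#!/bin/sh
# Added example: build the modprobe.d blacklist the post describes and check it
# against a /proc/modules-style file. Paths and the sample listing are constructed.

# Emit one "install <module> /bin/true" line per module name given.
gen_blacklist() {
  for m in "$@"; do
    printf 'install %s /bin/true\n' "$m"
  done
}

# All modules blacklisted in the post, in one place.
BLACKLIST="cramfs freevxfs jffs2 hfs hfsplus squashfs udf cdrom sr_mod pcspkr mei mei-me"

# Print the names of blacklisted modules that appear in a /proc/modules-style
# listing (first field is the module name). modprobe treats '-' and '_' as the
# same, but /proc/modules always reports the '_' form (mei-me shows as mei_me),
# so the conf names are normalised before comparing.
loaded_blacklisted() {
  conf="$1"; modlist="$2"
  awk 'FILENAME == ARGV[1] {
         if ($1 == "install" && $3 == "/bin/true") { n = $2; gsub(/-/, "_", n); bad[n] = 1 }
         next
       }
       ($1 in bad) { print $1 }' "$conf" "$modlist"
}

# Write the drop-in to a scratch directory (assumed filename, not a Whonix path).
TMP=$(mktemp -d)
gen_blacklist $BLACKLIST > "$TMP/30-blacklist.conf"

# Constructed sample of /proc/modules: name size refcount deps state address.
cat > "$TMP/modules" <<'EOF'
ext4 720896 1 - Live 0x0000000000000000
squashfs 49152 0 - Live 0x0000000000000000
mei_me 40960 0 - Live 0x0000000000000000
e1000 147456 0 - Live 0x0000000000000000
EOF

# Lists squashfs and mei_me: blacklisted for next boot, but still loaded now.
loaded_blacklisted "$TMP/30-blacklist.conf" "$TMP/modules"
```

On a real system, run `loaded_blacklisted /etc/modprobe.d/<your-file>.conf /proc/modules` after installing the drop-in; anything it prints needs an rmmod or a reboot before the blacklist is fully in effect.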