Instead of creating a bunch of different threads for different kernel modules, we can just use this one.
We can blacklist more kernel modules to reduce attack surface further. This can include a bunch of uncommon modules or things unlikely to be used.
We can blacklist a bunch of uncommon filesystems by creating a file in /etc/modprobe.d with:

```
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
```
This blacklists cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs and udf.
We can blacklist the CD-ROM kernel modules with:

```
install cdrom /bin/true
install sr_mod /bin/true
```
I doubt CD-ROMs would be used within Whonix and the CD-ROM kernel driver has had some vulnerabilities before such as CVE-2018-11506.
We can blacklist the PC speaker module with:

```
install pcspkr /bin/true
```

This will mostly be helpful for discretion purposes, as this module can cause the computer to make various beeps or other noises.
Tails also blacklists this.
See the Tails issue "disable beep" (#5724) on the Tails GitLab.
The MEI is the interface between the Intel ME and the OS. The Intel ME is dangerous as it has access to basically everything and the MEI may have some vulnerability that allows exploitation of the ME.
It can be disabled with:

```
install mei /bin/true
install mei-me /bin/true
```
Tails also blacklists this although it seems to be because of a bug that messed up shutdown.
The proposal in "enforce kernel module software signature verification [module signing] / disallow kernel module loading by default" won't make this pointless: many of these modules can be loaded at boot, before kernel.modules_disabled=1 is set, and some users may revert that setting (if it is ever implemented).
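As an added example (not from the post or from Whonix's own configuration), the script below generates a modprobe.d fragment of the form used above, audits an existing fragment to report which requested modules are still not neutralised, and dry-runs the live modprobe configuration to confirm a module would hit /bin/true instead of loading. The function names and the sample fragment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helpers for the "install <module> /bin/true" technique.
# Function names and the sample fragment used in testing are constructed here;
# nothing below is taken from Whonix or Tails.

# Print one "install <module> /bin/true" line per module given as argument.
gen_blacklist() {
    for mod in "$@"; do
        printf 'install %s /bin/true\n' "$mod"
    done
}

# Read modprobe.d text on stdin and print the modules neutralised by an
# "install <mod> /bin/true" line, one per line. Comments, blank lines and
# plain "blacklist <mod>" lines are ignored: "blacklist" only stops
# alias-based autoloading, whereas "install ... /bin/true" also defeats an
# explicit "modprobe <mod>", which is why the post uses the latter.
covered_modules() {
    grep -E '^[[:space:]]*install[[:space:]]+[^[:space:]]+[[:space:]]+/bin/true' \
        | awk '{ print $2 }'
}

# Print the requested modules that the fragment in $1 does not yet cover.
missing_modules() {
    frag=$1; shift
    have=$(covered_modules < "$frag")
    for mod in "$@"; do
        printf '%s\n' "$have" | grep -qx "$mod" || printf '%s\n' "$mod"
    done
}

# Dry-run check against the live modprobe configuration (no root needed).
# "modprobe -n -v" prints the install command it would execute instead of
# actually loading the module, so a neutralised module shows "install /bin/true".
check_live() {
    command -v modprobe >/dev/null 2>&1 || { echo "modprobe not available"; return 2; }
    if modprobe -n -v "$1" 2>/dev/null | grep -q '^install /bin/true'; then
        echo "$1: neutralised"
    else
        echo "$1: would load (or is unknown / built into the kernel)"
    fi
}

# Example usage (writes to a constructed path; adjust the file name as desired):
#   gen_blacklist cramfs freevxfs jffs2 hfs hfsplus squashfs udf \
#       > /etc/modprobe.d/example-disable-filesystems.conf
#   missing_modules /etc/modprobe.d/example-disable-filesystems.conf cramfs udf
#   check_live cramfs
```

Two caveats worth keeping in mind when using this: a module built into the kernel (not a loadable .ko) cannot be neutralised by modprobe.d at all, and on Debian-based systems the initramfs carries its own copy of /etc/modprobe.d, so after adding a fragment for a module that is loaded early at boot the initramfs has to be regenerated (update-initramfs -u) for the directive to take effect before kernel.modules_disabled=1 is set.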