enforce kernel module software signature verification [module signing] / disallow kernel module loading by default

Allow only loading signed modules has to be reverted yet again.

Yes, kernel modules are signed by DKMS nowadays with the DKMS key. But that is only “half” of the solution. On

  • A) EFI systems, one would use mokutil to import the key.
  • B) non-EFI systems (such as Whonix for VirtualBox), there is no way to enroll these keys into the kernel.

Hence, the kernel does not know that key and refuses it. As a result, kloak fails to load.

There are no other places to enroll the key. Reference:

See: Table 3.3. Sources for system keyrings

Kernel recompilation would be possible, but that’s quite an involved process:

https://wiki.archlinux.org/title/Signed_kernel_modules