In doubt lets start simple, see how things go and more hardening later? Otherwise, if someone experiences instability, it may be hard to pinpoint what the cause is.
That might actually be less secure then.
This will probably be contested.
Understood. Makes sense. Package name: hardened-vm-kernel or something like that? (“hardened vm kernel” might have some search results, hopefully we’re not reinventing here. I remember Ubuntu years ago had a VM specialized kernel.)
Yes.
Module loading requires root. “trusted” root. But root could as well as modify the kernel on the disk so next reboot something else will be booted? This would be far more useful if at reboot there was an integrity check which would refuse to boot any tampered kernel images. Related to verified boot:
- Verified Boot - Kicksecure
- enable Linux kernel gpg verification in grub and/or enable Secure Boot by default
As an alternative to make all modules built-in rather than dynamically load… What about loading all modules at early boot time and then disabling module loading? Would that be as good as disabling module loading at kernel compile time?