Thanks to "GitHub - Kicksecure/apparmor-profile-everything: AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening.", untrusted root comes closer. And thanks to untrusted root, we could generate signing keys on the user's machine which untrusted root has no access to. These could then be used for various good things:
- Verified Boot - Kicksecure (sign kernel images, perhaps initrd), and
- enforce kernel module software signature verification [module signing] / disallow kernel module loading by default