# turn off kernel loading modules

## farmer.ro

If one decides to turn off kernel module loading, to enhance security against any type of rootkit, will the kernel still be able to load modules like nvidia and virtualbox that are modprobed before kernel module loading is turned off?

----------

## Buffoon

Hold your horses, you want to disable loading modules and then you want to load modules? What kind of security would that be if it was possible?

----------

## fedeliallalinea

And try to sign module?

----------

## farmer.ro

I would like the modules that are running now to be loaded, but I would like to prevent any new modules that might be inserted into the kernel to be loaded.

----------

## farmer.ro

*fedeliallalinea wrote:*

> And try to sign module?

so when building the kernel with:

Enable module signature verification

```
--- Enable loadable module support
[*]   Module signature verification
[*]     Require modules to be validly signed
[*]     Automatically sign all modules
      Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
```

is enough to stop potential rootkits from being loaded into the kernel, or does the kernel need to be built with proper keys also?

----------

## Logicien

I think that module signatures prevent the loading of any module not signed with the key. I have not seen any option to sign the kernel image itself. It may be the job of a bootloader to prevent any unsigned kernel image from loading into memory.

The only options in the Enable load module support section of the Linux kernel configuration related to module loading are Force module loading and Module versioning support. They allow trying to load a module without version information and from another version than the running kernel itself, which is said to be a bad idea.

A way to prevent a module from being loaded is to not compile it or to blacklist it. The kernel loads the modules as they are needed; the administrator can load some too. You have the Security options and the Kernel hacking sections that can be of help for security.

----------

## Ant P.

*farmer.ro wrote:*

> I would like the modules that are running now to be loaded, but I would like to prevent any new modules that might be inserted into the kernel to be loaded.

```
printf 1 >| /proc/sys/kernel/modules_disabled
```

Cannot be reverted until next reboot.

----------
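The order of operations discussed in this thread, as an added example that is not part of any post: modules already loaded stay loaded after the switch, so the script checks that everything you depend on is listed in `/proc/modules` and only then writes `1` to `modules_disabled`. The function names, the overridable `PROC_MODULES` and `MODULES_DISABLED` variables, and the module names `nvidia` and `vboxdrv` in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: disable module loading only once required modules are in.
# Both paths can be overridden so the logic can be tried on sample files.
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
MODULES_DISABLED="${MODULES_DISABLED:-/proc/sys/kernel/modules_disabled}"

# is_loaded NAME: true if NAME is the first field of a /proc/modules line.
# modprobe accepts '-' and '_' interchangeably; the kernel lists '_'.
is_loaded() {
    name=$(printf '%s' "$1" | sed 's/-/_/g')
    awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$PROC_MODULES"
}

# missing_modules NAME...: print each required module that is not loaded.
missing_modules() {
    for mod in "$@"; do
        is_loaded "$mod" || printf '%s\n' "$mod"
    done
}

# lock_modules NAME...: refuse to flip the switch while a required module
# is missing, because it could not be loaded again until the next reboot.
lock_modules() {
    if [ "$(cat "$MODULES_DISABLED")" = 1 ]; then
        echo "module loading is already disabled"
        return 0
    fi
    missing=$(missing_modules "$@")
    if [ -n "$missing" ]; then
        echo "not locking, still missing:" $missing >&2
        return 1
    fi
    # Same write as in the post above; '>|' overrides the noclobber option.
    printf 1 >| "$MODULES_DISABLED"
}

# Usage (as root, late in boot, module names are examples):
#   lock_modules nvidia vboxdrv
```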

