From 2ecb5662fce0a9b38c5409539b851632016958ba Mon Sep 17 00:00:00 2001
From: Tommy
Date: Tue, 5 Mar 2024 14:52:54 -0700
Subject: [PATCH] Enable module sig enforce and lockdown=confidentiality

Signed-off-by: Tommy
---
 UTM-Chrony.ign | 2 ++
 UTM-Chrony.yml | 2 ++
 x86-QEMU-Docker.ign | 2 ++
 x86-QEMU-Docker.yml | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/UTM-Chrony.ign b/UTM-Chrony.ign
index e07f09f..395b3ac 100644
--- a/UTM-Chrony.ign
+++ b/UTM-Chrony.ign
@@ -12,6 +12,8 @@
 "nosmt=force",
 "l1d_flush=on",
 "spec_rstack_overflow=safe-ret",
+ "module.sig_enforce=1",
+ "lockdown=confidentiality",
 "random.trust_bootloader=off",
 "random.trust_cpu=off",
 "intel_iommu=on",
diff --git a/UTM-Chrony.yml b/UTM-Chrony.yml
index 326cca3..ff919eb 100644
--- a/UTM-Chrony.yml
+++ b/UTM-Chrony.yml
@@ -192,6 +192,8 @@ kernel_arguments:
 - nosmt=force
 - l1d_flush=on
 - spec_rstack_overflow=safe-ret
+ - module.sig_enforce=1
+ - lockdown=confidentiality
 - random.trust_bootloader=off
 - random.trust_cpu=off
 - intel_iommu=on
diff --git a/x86-QEMU-Docker.ign b/x86-QEMU-Docker.ign
index 673c5fc..1ce54fd 100644
--- a/x86-QEMU-Docker.ign
+++ b/x86-QEMU-Docker.ign
@@ -12,6 +12,8 @@
 "nosmt=force",
 "l1d_flush=on",
 "spec_rstack_overflow=safe-ret",
+ "module.sig_enforce=1",
+ "lockdown=confidentiality",
 "random.trust_bootloader=off",
 "random.trust_cpu=off",
 "intel_iommu=on",
diff --git a/x86-QEMU-Docker.yml b/x86-QEMU-Docker.yml
index 286ba13..3fe65ff 100644
--- a/x86-QEMU-Docker.yml
+++ b/x86-QEMU-Docker.yml
@@ -256,6 +256,8 @@ kernel_arguments:
 - nosmt=force
 - l1d_flush=on
 - spec_rstack_overflow=safe-ret
+ - module.sig_enforce=1
+ - lockdown=confidentiality
 - random.trust_bootloader=off
 - random.trust_cpu=off
 - intel_iommu=on
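Review bot: `lockdown=confidentiality`, the second line added in this hunk, goes well beyond the integrity level: besides refusing unsigned modules, raw /dev/mem, kexec and MSR writes it also blocks kernel-memory reads through /proc/kcore, kprobes, perf, tracefs and the BPF kernel-read helpers, so eBPF-based observability or runtime-security tooling and perf profiling on the x86-QEMU-Docker host will fail closed unless `lockdown=integrity` is what is actually wanted. Lockdown at either level already refuses unsigned module loading, which makes `module.sig_enforce=1` defence in depth rather than a new control; a comment in the Butane source such as `# module.sig_enforce keeps signature enforcement even if the lockdown LSM is not active` would record that, since the generated .ign cannot carry one. If the running kernel was built without CONFIG_SECURITY_LOCKDOWN_LSM or without lockdown in its active LSM list the `lockdown=` argument has no effect, so confirm it after the first boot with `cat /sys/kernel/security/lockdown` (expect `[confidentiality]`) and watch dmesg for `Lockdown:` denials that indicate something on the host relied on a now-blocked interface. The same applies to the three later hunks, which add the identical two lines.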