On 5/9/26 5:03 AM, Martin Steigerwald wrote:
> Greetings.
>
> Arnt Karlsen - 08.05.26, 23:30:11 CEST:
>>> Thanks. That is an important distinction, I did not know yet.
>>>
>>> For preventing certain drivers to load the modprobe.d approach worked
>>> for me, but indeed I have four modules mentioned. With the fake
>>> install method I would probably just have needed one.
>>>
>>> So for this security issue I'd recommend the fake install method.
>> ..the classic classy way is build your own kernel packages, tossing
>> out all the systemd etc crap we do not want, and keeping only the
>> modules we do want, "if it's not there, it cannot be loaded",
>> effectively creating the module whitelist effect we want. ;o)
>> https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#s-common-official
> For my main machine I build my own kernel from vanilla. Like this
> meanwhile:
>
> % time eatmydata make LLVM=1 -j16 bindeb-pkg LOCALVERSION=-t14g5
>
> LLVM=1 for Rust support, will be needed for BCacheFS in the future.
>
> I am not using BCacheFS for anything critical yet, but I have encrypted
> BCacheFS on an external SSD I store more rarely used data on. I had hoped
> for its proper inclusion in vanilla, however it did not work out.
>
> Now I am using DKMS. It works. But I am not entirely happy with BCacheFS
> not in mainline. However it was not enough to justify moving more than 3,5
> TB of data around. And BTRFS on LUKS, basically anything on LUKS, for
> removable media can be quite a pain. Cause sometimes "cryptsetup
> luksClose" says it is busy and I never found a way to find out the process
> that is keeping it busy.
>
> However compiling my own kernel is challenging. I find it very difficult
> to determine what kernel options I need and what options I do not need.
> Often enough it is clear, but there are options I have not even a bit of a
> clue about. I have a markdown file where I document my process for thinning
> out the kernel to what I need and I am still far from complete with that
> work.
>
> There is a gazillion of options. And quite some are described in a way
> that is not at all helpful. That is part of the reason I do this work only
> for my main desktop laptop.
>
> I am not sure I can recommend building your own kernel to anyone. It
> really got quite complex, if you ask me.
>
> Best,

I have a few systems that unfortunately use systemd (Debian 12) and are
running Plesk. Plesk sent us notification about this. It also explained
the systems that use these modules. esp4 and esp6 are used by ipsec and
rxrpc is used by AFS (Andrew File System) clients. I ran this on all 5
systems and I ran the mitigation that involved the printf and none of
the modules were loaded. Just saying. Sounds like special cases that
load these modules. I also ran it on several Devuan systems; they didn't
have them loaded either. I just tested on a system with openvpn running
and the modules weren't loaded.
--Curtis
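The "fake install" stanzas discussed in the quoted exchange, together with a check of a /proc/modules listing for the three modules Curtis names, as an added example that is not part of any message in this thread. The conf file path is assumed and the module listing is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits modprobe.d "install"
# stanzas for the modules named in the thread and checks a /proc/modules
# style listing for them. MODULES_CONF is an assumed path.
MODULES="esp4 esp6 rxrpc"
MODULES_CONF=/etc/modprobe.d/disable-esp-rxrpc.conf   # assumed path

# One "install <mod> /bin/false" line per module. modprobe then runs
# /bin/false instead of loading the module, so alias-triggered autoload,
# an explicit "modprobe esp4" and dependency pulls all fail. A plain
# "blacklist <mod>" line only stops alias-based autoload, which is why
# the thread prefers this form. Built-in modules are unaffected.
fake_install_conf() {
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Read a /proc/modules-format listing on stdin (first field is the module
# name) and print the names from MODULES that are currently loaded.
loaded_from() {
    while read -r name _rest; do
        for m in $MODULES; do
            if [ "$name" = "$m" ]; then
                printf '%s\n' "$m"
            fi
        done
    done
    return 0
}

# Constructed sample listing standing in for /proc/modules: esp4 is
# loaded, esp6 and rxrpc are not.
SAMPLE_MODULES='xfrm_user 53248 1 - Live 0x0000000000000000
esp4 24576 0 - Live 0x0000000000000000
btrfs 1900544 2 - Live 0x0000000000000000'

echo "# stanzas that would be written to $MODULES_CONF:"
fake_install_conf
echo "# modules from the watch list loaded in the sample listing:"
printf '%s\n' "$SAMPLE_MODULES" | loaded_from
# On a real host: loaded_from < /proc/modules. After installing the
# config, "modprobe -n -v esp4" (dry run) shows the /bin/false stanza
# being applied instead of a module load.
```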