From 9320115be4b700533abe071d90de4e35559923dc Mon Sep 17 00:00:00 2001 From: Nate Graham Date: Tue, 19 May 2026 10:40:36 -0600 Subject: [PATCH] Stop including out-of-tree kernel modules This presents some practical problems: - We'll almost certainly fail shim review and therefore won't be able to have secure boot - Pre-installing these modules taints our kernel, which will be problematic for engagement with upstream - These modules can be fragile (see for example https://invent.kde.org/kde-linux/kde-linux/-/work_items/618) - Including these modules broadens the attack surface, worsening security. As nice as it is to have an "everything and the kitchen sink" approach to hardware support via these out-of-tree kernel modules, I think the drawbacks to the project as a whole and all of its users outweigh the benefits to the specific people who benefit here. Fixes #618 --- mkosi.conf.d/00-packages-core.conf | 4 ---- mkosi.conf.d/80-packages-cli.conf | 1 - 2 files changed, 5 deletions(-) diff --git a/mkosi.conf.d/00-packages-core.conf b/mkosi.conf.d/00-packages-core.conf index deb7d90..f96d53f 100644 --- a/mkosi.conf.d/00-packages-core.conf +++ b/mkosi.conf.d/00-packages-core.conf @@ -59,10 +59,8 @@ Packages= ccid # Generic USB CCID/ICCD card readers fprintd # Fingerprint authentication iio-sensor-proxy # Auto-rotation - linux-apfs-rw-dkms # Experimental APFS kernel module with Write support linux-firmware-marvell # Firmware files for marvell products lvm2 # Logical Volume Manager 2 support - openrazer-daemon # Drivers etc. for Razer hardware pam-u2f # 2nd factor PAM support for Yubikey hardware authenticators powertop # Energy monitoring; also used in our energy tuning scripts sane # scanner udev rules - everything else in the package is deleted later 
@@ -75,7 +73,6 @@ Packages= udisks2-btrfs # support for Btrfs in udisks usb_modeswitch # WiFi dongles that have a flash storage mode preventing use OOTB usbmuxd # Apple iOS devices via USB - v4l2loopback-utils # v4l2loopback dkms and tools for virtual Camera functionality in certain applications wireless-regdb # Gets us the wireless-regdom file that we can modify as needed yubikey-full-disk-encryption # Support for unlocking a FDE LUKS partition with Yubikey hardware authenticators @@ -102,7 +99,6 @@ Packages= flatpak # Flatpak apps fuse2 # Some AppImage apps fuse3 # The rest of the AppImage apps (also loads of other things as a required dependency) - vhba-module # Kernel module needed for cdemu-client # Virtualization/VM integration dnsmasq # Hotspot creation and networking in VMs diff --git a/mkosi.conf.d/80-packages-cli.conf b/mkosi.conf.d/80-packages-cli.conf index 4949377..d6d2dff 100644 --- a/mkosi.conf.d/80-packages-cli.conf +++ b/mkosi.conf.d/80-packages-cli.conf @@ -38,7 +38,6 @@ Packages= bash-completion # Completions for Bash bat # Opinionated fancy cat bluez-utils # useful Bluetooth CLI tools - cdemu-client # Virtual optical drive support for CDEmu disc image mounting cpupower # For more granular tuning of CPU limits; needs to touch the kernel drm-info # for debugging KWin and other graphics issues duf # Opinionated fancy df
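Review bot: In the first hunk of mkosi.conf.d/00-packages-core.conf (@@ -59,10 +59,8), only `linux-apfs-rw-dkms` is recognisable from its name as an out-of-tree module. `openrazer-daemon` is commented as "Drivers etc. for Razer hardware", and nothing on the removed line says it brings a kernel module. Since the commit message rests on shim review and kernel taint, a check on the built image (for example, failing the build if any module from outside the kernel package's own tree is installed) would hold this line better than reviewing names in `Packages=`, because a later entry could pull a module back in as a dependency. It would also help to name in the commit message which module each removed package carried.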
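Review bot: The removal of `v4l2loopback-utils` in the second hunk of mkosi.conf.d/00-packages-core.conf (@@ -75,7 +73,6) drops a user-visible feature that the commit message does not mention. The removed comment says the package provided "virtual Camera functionality in certain applications". Suggest stating in the commit message or the release notes that virtual camera support goes away with this change, so that users who hit the regression can trace it to this commit.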
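Review bot: `cdemu-client`, removed in mkosi.conf.d/80-packages-cli.conf (@@ -38,7 +38,6), is not described as a kernel module, and the commit message never explains why it goes. The reason can only be inferred from the removed line in the third hunk of 00-packages-core.conf, `vhba-module # Kernel module needed for cdemu-client`. Suggest one sentence in the commit message saying that cdemu-client is dropped because it depends on vhba-module, and a check that no other CDEmu packages remain in mkosi.conf.d, since the visible hunks do not show that.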