Starting with linux-next 5.4 the option to sign kernel modules is added. For now it is not strictly needed, all modules can still be loaded even if not signed.
First set of out-of-kernel-tree modules that has the signing implemented is virtualbox (virtualbox-modules-next package). All in-tree modules are now signed.
After updating to the latest linux-next, you can verify if you have any unsigned modules:
for mod in $(lsmod | tail -n +2 | cut -d' ' -f1); do modinfo ${mod} | grep -q "signature" || echo "no signature for module: ${mod}" ; done
Most probably, the output will be empty, but NVidia non-free and tp_smapi users are encouraged to check.
If you have no unsigned modules, you can now enforce kernel loading with signed modules only. Add module.sig_enforce=1
to your kernel boot line, or edit /boot/loader/entries/KaOS_<version>-next.conf
and add module.sig_enforce=1
to the last (options) line.
Once this is all tested well, the signature enforce will be build into the kernel and no extra boot line will be needed.