Curiously, the only reason this works is because kernel modules don't need signing to be loaded? You simply need a SHA1 hash of the module injected into the loading whitelist?