[elrepo-devel] How to avoid the "tainting kernel" message?

Sang, Oliver oliver.sang at intel.com
Tue Feb 23 02:43:48 EST 2016


Thanks Akemi!

I just used GPL. I think the reason my kmod is tainting the kernel is that I haven’t signed the kmod.
Ideally, if I could use the key which CentOS used when they built their kernel for CentOS 7.2, the kmod wouldn’t taint the kernel any longer. But it seems CentOS won’t give me that key ☺

As I said, after checking several kmod packages from http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/ , I found these kmods are signed with a key which seems to be for Secure Boot.
Does anyone know how to do this signing?

I found some stuff related to signing in the spec file -
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# Sign the modules(s)
%if %{?_with_modsign:1}%{!?_with_modsign:0}
# If the module signing keys are not defined, define them here.
%{!?privkey: %define privkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.priv}
%{!?pubkey: %define pubkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.der}
for module in $(find %{buildroot} -type f -name \*.ko);
do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
sha256 %{privkey} %{pubkey} $module;
done
%endif
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

But I don’t know how to get these Secure Boot keys. Can anyone help? Thanks a lot!

BR
Oliver

From: elrepo-devel-bounces at lists.elrepo.org [mailto:elrepo-devel-bounces at lists.elrepo.org] On Behalf Of Akemi Yagi
Sent: Thursday, February 18, 2016 2:08 AM
To: EL Repo Developer Mailing List
Subject: Re: [elrepo-devel] How to avoid the "tainting kernel" message?

On Wed, Feb 17, 2016 at 12:32 AM, Sang, Oliver <oliver.sang at intel.com> wrote:
Hello,

I built a local kmod for CentOS 7.2. After installation, dmesg says -
module verification failed: signature and/or required key missing - tainting kernel

I checked several kmod packages from http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/
It seems the kmods within them are signed -
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The ELRepo Project (http://elrepo.org): ELRepo.org Secure Boot Key
*&c[
H#A,
vrPR
OCv+bU
P#Rmwf
)ZJ#U
~Module signature appended~
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
But this key seems to be for Secure Boot, so the kmod itself should still taint the kernel, am I right?

Is there a way to avoid the dmesg complaint? Thanks

BR
Oliver

If your kmod taints the kernel, then there can be several possible causes. The most likely reason is a license. If you use a non-GPL license, that will taint the kernel. Please check your package with:

rpm -qip <your.rpm>

Another way to get more clues is to run this command:

grep "(" /proc/modules

It will show a letter that tells you the reason for the taint. For example, on a system running ELRepo's Nvidia driver, I see:

nvidia 8356269 32 - Live 0x0000000000000000 (P)

The letter P indicates "a module with a non-GPL license has been loaded".

Akemi
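
An added example (not part of the original thread and not ELRepo's code): a shell function that decodes the taint letters in /proc/modules-style lines, following the grep "(" /proc/modules tip above. The meanings of letters other than P come from the Linux kernel's per-module taint flags; the function names and the mykmod and ext4 sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode per-module taint letters from /proc/modules-format text.

# Map one taint letter to its meaning (Linux kernel per-module taint flags).
taint_meaning() {
    case "$1" in
        P) echo "proprietary (non-GPL) license" ;;
        O) echo "out-of-tree module" ;;
        E) echo "unsigned module (signature or key missing)" ;;
        F) echo "module was force-loaded" ;;
        C) echo "staging driver" ;;
        *) echo "unknown flag" ;;
    esac
}

# Read /proc/modules-format lines on stdin; print one line per tainting module.
decode_module_taints() {
    while read -r name _size _refs _deps _state _addr flags; do
        case "$flags" in
            "("*")") ;;      # seventh field is a parenthesised flag list
            *) continue ;;   # module carries no taint flags
        esac
        letters=${flags#"("}
        letters=${letters%")"}
        out=""
        while [ -n "$letters" ]; do
            rest=${letters#?}
            letter=${letters%"$rest"}
            letters=$rest
            case "$letter" in "+"|"-") continue ;; esac  # load/unload markers
            out="$out${out:+; }$letter=$(taint_meaning "$letter")"
        done
        [ -n "$out" ] && echo "$name: $out"
    done
    return 0
}

# Sample input: the nvidia line is from the thread, the other two are constructed.
sample_modules() {
    cat <<'EOF'
nvidia 8356269 32 - Live 0x0000000000000000 (P)
mykmod 16384 0 - Live 0x0000000000000000 (OE)
ext4 578819 2 mbcache,jbd2, Live 0x0000000000000000
EOF
}

sample_modules | decode_module_taints
```

On a live system, feed it the real file: decode_module_taints < /proc/modules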