[elrepo-devel] How to avoid the "tainting kernel" message?

Akemi Yagi amyagi at gmail.com
Tue Feb 23 13:25:15 EST 2016


Hi Oliver,

Could you run the following command and let me know the number it returns?
It should give us some info as to what is tainting your kernel.

cat /proc/sys/kernel/tainted

Akemi

On Mon, Feb 22, 2016 at 11:43 PM, Sang, Oliver <oliver.sang at intel.com>
wrote:

> Thanks Akemi!
>
> I just used GPL. I think the reason my kmod tainting kernel is that I
> haven’t signed the kmd.
>
> Ideally, if I could use the key which centos used when they build their
> kernel for centos7.2, the kmd wouldn’t taint kernel any longer. But it
> seems centos won’t give me that key :)
>
> As I said, after checking several kmod packages from
> http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/ , I found these kmod are
> signed with the key which seems for Secure Boot.
>
> Anyone know about how to do this sign?
>
> I found some stuff related with sign in spec file -
>
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> # Sign the modules(s)
> %if %{?_with_modsign:1}%{!?_with_modsign:0}
> # If the module signing keys are not defined, define them here.
> %{!?privkey: %define privkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.priv}
> %{!?pubkey: %define pubkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.der}
> for module in $(find %{buildroot} -type f -name \*.ko);
>     do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
>     sha256 %{privkey} %{pubkey} $module;
> done
> %endif
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> But I don’t know how to get these secure-boot key. Anyone can help? Thanks
> a lot!
>
> BR
>
> Oliver
>
> *From:* elrepo-devel-bounces at lists.elrepo.org [mailto:
> elrepo-devel-bounces at lists.elrepo.org] *On Behalf Of *Akemi Yagi
> *Sent:* Thursday, February 18, 2016 2:08 AM
> *To:* EL Repo Developer Mailing List
> *Subject:* Re: [elrepo-devel] How to avoid the "tainting kernel" message?
>
> On Wed, Feb 17, 2016 at 12:32 AM, Sang, Oliver <oliver.sang at intel.com>
> wrote:
>
> Hello,
>
> I build local kmod for centos7.2. After installation, dmesg says -
>
> module verification failed: signature and/or required key missing -
> tainting kernel
>
> I checked several kmod packages from
> http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/
>
> It seems the kmd within them are signed -
>
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> The ELRepo Project (http://elrepo.org): ELRepo.org Secure Boot Key
> *&c[
> H#A,
> vrPR
> OCv+bU
> P#Rmwf
> )ZJ#U
> ~Module signature appended~
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> But this key seems to be for Secure Boot, so the kmd itself should still
> taint the kernel, am I right?
>
> Is there a way to avoid the dmesg complaint? Thanks
>
> BR
>
> Oliver
>
> If your kmod taints the kernel, then there can be several possible causes.
> The most likely reason is a license. If you use a non-GPL license, that
> will taint the kernel. Please check your package with :
>
> rpm -qip <your.rpm>
>
> Another way to get more clue is to run this command:
>
> grep "(" /proc/modules
>
> It will show a letter that tells you the reason for the taint. For
> example, on a system running ELRepo's Nvidia driver, I see:
>
> nvidia 8356269 32 - Live 0x0000000000000000 (P)
>
> The letter P indicates "a module with a non-GPL license has been loaded".
>
> Akemi
>
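
Added example (not part of the original thread, and not ELRepo's code): the number returned by "cat /proc/sys/kernel/tainted" is a bitmask, and this POSIX shell script decodes it into taint letters and their meanings. The bit table is an assumption taken from the upstream kernel's tainted-kernels documentation (bits 0-15); a distribution kernel may assign further bits, which are reported as unknown. The function names and sample values are made up for the example.

```shell
#!/bin/sh
# Added example: decode the bitmask in /proc/sys/kernel/tainted.
# Assumption: bits 0-15 as listed in the upstream kernel documentation
# (tainted-kernels); a distribution kernel may define further bits.

# taint_meaning BIT -> "<letter> <meaning>"
taint_meaning() {
  case $1 in
    0) echo "P proprietary (non-GPL) module loaded" ;;
    1) echo "F module was force loaded" ;;
    2) echo "S kernel running on an out-of-specification system" ;;
    3) echo "R module was force unloaded" ;;
    4) echo "M machine check exception occurred" ;;
    5) echo "B bad page referenced" ;;
    6) echo "U taint requested by userspace" ;;
    7) echo "D kernel died recently (OOPS or BUG)" ;;
    8) echo "A ACPI table overridden by user" ;;
    9) echo "W kernel issued a warning" ;;
    10) echo "C staging driver loaded" ;;
    11) echo "I workaround for platform firmware bug applied" ;;
    12) echo "O externally built (out-of-tree) module loaded" ;;
    13) echo "E unsigned module loaded" ;;
    14) echo "L soft lockup occurred" ;;
    15) echo "K kernel has been live patched" ;;
    *) echo "? bit not in this table" ;;
  esac
}

# decode_taint VALUE -> one line per set bit: "<bit> <letter> <meaning>"
decode_taint() {
  case $1 in ''|*[!0-9]*) echo "not a taint value: $1" >&2; return 2 ;; esac
  value=$1 bit=0
  while [ "$value" -gt 0 ]; do
    [ $((value & 1)) -eq 0 ] || echo "$bit $(taint_meaning "$bit")"
    value=$((value >> 1)) bit=$((bit + 1))
  done
}

# taint_letters VALUE -> only the letters, e.g. 12288 (bits 12 and 13) -> OE
taint_letters() {
  decode_taint "$1" | { while read -r _bit letter _rest; do printf '%s' "$letter"; done; echo; }
}

# Constructed sample values first, then the running kernel's own value.
for sample in 1 12288; do
  echo "tainted=$sample letters=$(taint_letters "$sample")"
done
[ ! -r /proc/sys/kernel/tainted ] || decode_taint "$(cat /proc/sys/kernel/tainted)"
```

A value of 0 decodes to no letters, which means the kernel is not tainted.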