[elrepo-devel] How to avoid the "tainting kernel" message?
Akemi Yagi
amyagi at gmail.com
Tue Feb 23 14:14:19 EST 2016
Hi Oliver,
Also, I still would like to see the output from:
grep "(" /proc/modules
Akemi
On Tue, Feb 23, 2016 at 10:25 AM, Akemi Yagi <amyagi at gmail.com> wrote:
> Hi Oliver,
>
> Could you run the following command and let me know the number it returns?
> It should give us some info as to what is tainting your kernel.
>
> cat /proc/sys/kernel/tainted
>
> Akemi
>
> On Mon, Feb 22, 2016 at 11:43 PM, Sang, Oliver <oliver.sang at intel.com>
> wrote:
>
>> Thanks Akemi!
>>
>>
>>
>> I just used GPL. I think the reason my kmod is tainting the kernel is that I
>> haven’t signed the kmd.
>>
>> Ideally, if I could use the key which centos used when they built their
>> kernel for centos7.2, the kmd wouldn’t taint the kernel any longer. But it
>> seems centos won’t give me that key :)
>>
>>
>>
>> As I said, after checking several kmod packages from
>> http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/ , I found these kmods are
>> signed with a key which seems to be for Secure Boot.
>>
>> Does anyone know how to do this signing?
>>
>>
>>
>> I found some stuff related to signing in the spec file -
>>
>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>> # Sign the modules(s)
>> %if %{?_with_modsign:1}%{!?_with_modsign:0}
>> # If the module signing keys are not defined, define them here.
>> %{!?privkey: %define privkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.priv}
>> %{!?pubkey: %define pubkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.der}
>> for module in $(find %{buildroot} -type f -name \*.ko);
>> do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
>> sha256 %{privkey} %{pubkey} $module;
>> done
>> %endif
>> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>>
>>
>>
>> But I don’t know how to get these Secure Boot keys. Can anyone help?
>> Thanks a lot!
>>
>>
>>
>> BR
>>
>> Oliver
>>
>>
>>
>> *From:* elrepo-devel-bounces at lists.elrepo.org [mailto:
>> elrepo-devel-bounces at lists.elrepo.org] *On Behalf Of *Akemi Yagi
>> *Sent:* Thursday, February 18, 2016 2:08 AM
>> *To:* EL Repo Developer Mailing List
>> *Subject:* Re: [elrepo-devel] How to avoid the "tainting kernel" message?
>>
>>
>>
>> On Wed, Feb 17, 2016 at 12:32 AM, Sang, Oliver <oliver.sang at intel.com>
>> wrote:
>>
>> Hello,
>>
>>
>>
>> I built a local kmod for centos7.2. After installation, dmesg says -
>>
>> module verification failed: signature and/or required key missing -
>> tainting kernel
>>
>>
>>
>> I checked several kmod packages from
>> http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/
>>
>> It seems the kmd within them are signed -
>>
>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>> The ELRepo Project (http://elrepo.org): ELRepo.org Secure Boot Key
>>
>> *&c[
>>
>> H#A,
>>
>> vrPR
>>
>> OCv+bU
>>
>> P#Rmwf
>>
>> )ZJ#U
>>
>> ~Module signature appended~
>>
>> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>>
>> But this key seems to be for Secure Boot, so the kmd itself should still
>> taint the kernel, am I right?
>>
>>
>>
>> Is there a way to avoid the dmesg complaint? Thanks
>>
>>
>>
>> BR
>>
>> Oliver
>>
>>
>>
>> If your kmod taints the kernel, then there can be several possible
>> causes. The most likely reason is a license. If you use a non-GPL license,
>> that will taint the kernel. Please check your package with:
>>
>> rpm -qip <your.rpm>
>>
>> Another way to get more clues is to run this command:
>>
>> grep "(" /proc/modules
>>
>> It will show a letter that tells you the reason for the taint. For
>> example, on a system running ELRepo's Nvidia driver, I see:
>>
>> nvidia 8356269 32 - Live 0x0000000000000000 (P)
>>
>> The letter P indicates "a module with a non-GPL license has been loaded".
>>
>> Akemi
>>
>
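The two checks requested in this thread (the number in /proc/sys/kernel/tainted and the flag letters in /proc/modules) can be decoded as follows. This is an added example, not part of the original messages or of ELRepo's tooling; the function names are hypothetical, the bit-to-letter table is assumed to match the upstream kernel's taint table, and the sample taint value is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Letters follow the upstream kernel's
# taint table (bit 0 = P ... bit 17 = T); distro kernels may define more bits.
TAINT_LETTERS="PFSRMBUDAWCIOELKXT"

# decode_taint N: print the letter of every bit set in N (12288 -> OE).
decode_taint() {
    val=$1; bit=0; out=""
    while [ "$val" -gt 0 ]; do
        if [ $((val & 1)) -eq 1 ]; then
            letter=$(printf '%s\n' "$TAINT_LETTERS" | cut -c "$((bit + 1))")
            # Bits beyond the table are reported by number, not guessed.
            [ -n "$letter" ] || letter="[bit$bit]"
            out="$out$letter"
        fi
        val=$((val >> 1)); bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# taint_reason LETTER: meaning of the flags a module itself can carry.
taint_reason() {
    case "$1" in
        P) echo "proprietary (non-GPL) module" ;;
        F) echo "module was force-loaded" ;;
        C) echo "staging driver" ;;
        O) echo "out-of-tree module" ;;
        E) echo "unsigned module" ;;
        *) echo "see the kernel's tainted-kernels documentation" ;;
    esac
}

# module_taints FILE: print "name flags" for each tainting module.
# FILE defaults to /proc/modules; "-" reads standard input.
module_taints() {
    awk 'match($0, /\([A-Z]+\)/) {
        print $1, substr($0, RSTART + 1, RLENGTH - 2)
    }' "${1:-/proc/modules}"
}

# Constructed samples: a taint value with bits 12 and 13 set, and the
# /proc/modules line quoted in the thread.
decode_taint 12288
printf '%s\n' 'nvidia 8356269 32 - Live 0x0000000000000000 (P)' | module_taints -
taint_reason E
```

On a live system, `decode_taint "$(cat /proc/sys/kernel/tainted)"` and `module_taints` with no argument read the real values.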