[elrepo-devel] How to avoid the "tainting kernel" message?

Sang, Oliver oliver.sang at intel.com
Thu Feb 25 21:29:46 EST 2016 

Thanks Akemi,

Then how I sign my modules? I found kmod(s) from http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/ are normally signed. And also in kmod rpm spec file -
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# Sign the modules(s)
%if %{?_with_modsign:1}%{!?_with_modsign:0}
# If the module signing keys are not defined, define them here.
%{!?privkey: %define privkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.priv}
%{!?pubkey: %define pubkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.der}
for module in $(find %{buildroot} -type f -name \*.ko);
do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
sha256 %{privkey} %{pubkey} $module;
done
%endif
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
But I don’t know how to get these secure-boot key for my local build. Any help doc? Thanks!

BR
Oliver

From: elrepo-devel-bounces at lists.elrepo.org [mailto:elrepo-devel-bounces at lists.elrepo.org] On Behalf Of Akemi Yagi
Sent: Friday, February 26, 2016 1:19 AM
To: EL Repo Developer Mailing List
Subject: Re: [elrepo-devel] How to avoid the "tainting kernel" message?

Hi Oliver,

On Wed, Feb 24, 2016 at 11:35 PM, Sang, Oliver <oliver.sang at intel.com<mailto:oliver.sang at intel.com>> wrote:
Hi Akemi,

This is my results -
$ grep "(" /proc/modules
i915 1344032 4 - Live 0xffffffffa01c9000 (OE)
drm_ukmd_kms_helper 141060 1 i915, Live 0xffffffffa016f000 (OE)
drm_ukmd 369649 3 i915,drm_ukmd_kms_helper, Live 0xffffffffa00b7000 (OE)
drm_ukmd_compat 109279 1 i915, Live 0xffffffffa0019000 (OE)
drm 354356 3 drm_ukmd, Live 0xffffffffa0036000 (OE)

So it seems only because of sign problem, am I right?
In panic.c
*  'O' - Out-of-tree module has been loaded.
*  'E' - Unsigned module has been loaded.

And -
$ cat /proc/sys/kernel/tainted
12288

I don’t know what this number means.

That number, 12288, seems to agree with your other output.
According to :

https://www.kernel.org/doc/Documentation/sysctl/kernel.txt

4096 - An out-of-tree module has been loaded.
8192 - An unsigned module has been loaded in a kernel supporting module signature.

4096+8192=12288
Akemi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.elrepo.org/pipermail/elrepo-devel/attachments/20160226/e1999137/attachment-0001.html>

More information about the elrepo-devel mailing list