<div dir="ltr"><div><div>Hi Oliver,<br><br></div>Could you run the following command and let me know the number it returns? It should give us some info as to what is tainting your kernel.<br><pre><code>cat /proc/sys/kernel/tainted</code></pre>Akemi<br></div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 22, 2016 at 11:43 PM, Sang, Oliver <span dir="ltr">&lt;<a href="mailto:oliver.sang@intel.com" target="_blank">oliver.sang@intel.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">Thanks Akemi!</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">&nbsp;</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">I just used GPL. I think the reason my kmod is tainting the kernel is that I haven’t signed the kmd.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">Ideally, if I could use the key which centos used when they built their kernel for centos7.2, the kmd wouldn’t taint the kernel any longer. But it seems centos
won’t give me that key :)</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">&nbsp;</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">As I said, after checking several kmod packages from
<a href="http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/" target="_blank">http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/</a> , I found these kmods are signed with the key which seems to be for Secure Boot.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">Does anyone know how to do this signing?</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">&nbsp;</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">I found some stuff related to signing in the spec file -</span></p>
<pre><code># Sign the module(s)
%if %{?_with_modsign:1}%{!?_with_modsign:0}
# If the module signing keys are not defined, define them here.
%{!?privkey: %define privkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.priv}
%{!?pubkey: %define pubkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.der}
for module in $(find %{buildroot} -type f -name \*.ko);
do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
sha256 %{privkey} %{pubkey} $module;
done
%endif</code></pre>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">&nbsp;</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">But I don’t know how to get these secure-boot keys. Can anyone help? Thanks a lot!</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">&nbsp;</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">BR</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">Oliver</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">&nbsp;</span></p>
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10pt;font-family:"Tahoma","sans-serif""> <a href="mailto:elrepo-devel-bounces@lists.elrepo.org" target="_blank">elrepo-devel-bounces@lists.elrepo.org</a> [mailto:<a href="mailto:elrepo-devel-bounces@lists.elrepo.org" target="_blank">elrepo-devel-bounces@lists.elrepo.org</a>]
<b>On Behalf Of </b>Akemi Yagi<br>
<b>Sent:</b> Thursday, February 18, 2016 2:08 AM<br>
<b>To:</b> EL Repo Developer Mailing List<br>
<b>Subject:</b> Re: [elrepo-devel] How to avoid the "tainting kernel" message?</span></p><div><div class="h5">
<p class="MsoNormal">&nbsp;</p>
<div>
<div>
<div>
<p class="MsoNormal">On Wed, Feb 17, 2016 at 12:32 AM, Sang, Oliver &lt;<a href="mailto:oliver.sang@intel.com" target="_blank">oliver.sang@intel.com</a>&gt; wrote:</p>
<div>
<div>
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">I built a local kmod for centos7.2. After installation, dmesg says -</p>
<p class="MsoNormal"><code>module verification failed: signature and/or required key missing - tainting kernel</code></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">I checked several kmod packages from
<a href="http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/" target="_blank">http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/</a></p>
<p class="MsoNormal">It seems the kmd within them are signed -</p>
<pre><code>The ELRepo Project (<a href="http://elrepo.org" target="_blank">http://elrepo.org</a>): ELRepo.org Secure Boot Key
*&amp;c[
H#A,
vrPR
OCv+bU
P#Rmwf
)ZJ#U
~Module signature appended~</code></pre>
<p class="MsoNormal">But this key seems to be for Secure Boot, so the kmd itself should still taint the kernel, am I right?</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Is there a way to avoid the dmesg complaint? Thanks</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">BR</p>
<p class="MsoNormal"><span style="color:rgb(136,136,136)">Oliver</span></p>
</div>
</div>
</div>
<p class="MsoNormal">&nbsp;</p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt">If your kmod taints the kernel, then there can be several possible causes. The most likely reason is a license. If you use a non-GPL license, that will taint the kernel. Please check your package with:<br>
<br>
<code>rpm -qip &lt;your.rpm&gt;</code></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt">Another way to get more clues is to run this command:<br>
<br>
<code>grep "(" /proc/modules</code></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt">It will show a letter that tells you the reason for the taint. For example, on a system running ELRepo's Nvidia driver, I see:<br>
<br>
<code>nvidia 8356269 32 - Live 0x0000000000000000 (P)</code></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt">The letter P indicates "a module with a non-GPL license has been loaded".</p>
</div>
<div>
<p class="MsoNormal">Akemi</p>
</div>
</div>
</div></div></div>
</div>
<br></blockquote></div><br></div></div></div></div></div>
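<p>An added example, not part of the original thread: a shell helper that decodes the number read from <code>/proc/sys/kernel/tainted</code> into the taint letters shown in <code>/proc/modules</code> and the reason for each. The bit layout is the upstream kernel's (an assumption for a distribution kernel, which may define extra bits), and the names <code>decode_taint</code> and <code>taint_letters</code> are hypothetical.</p>

```shell
# Added example: decode the bitmask from /proc/sys/kernel/tainted.
# Assumption: upstream bit layout (Documentation/admin-guide/tainted-kernels.rst);
# bits a distribution kernel adds on top are reported as unknown.
TAINT_BITS='0 P proprietary (non-GPL) module loaded
1 F module was force-loaded
2 S kernel running on an out-of-specification system
3 R module was force-unloaded
4 M machine check exception occurred
5 B bad page referenced
6 U taint requested by userspace
7 D kernel oops or BUG occurred
8 A ACPI table overridden
9 W kernel issued a warning
10 C staging driver loaded
11 I workaround for platform firmware bug applied
12 O out-of-tree module loaded
13 E unsigned module loaded
14 L soft lockup occurred
15 K kernel live-patched
16 X auxiliary taint, defined by the distribution
17 T kernel built with struct randomization'
KNOWN_MASK=262143   # (1 << 18) - 1, covers bits 0..17

# Print one line per set bit: "<letter> bit <n>: <reason>".
decode_taint() {
    case $1 in ''|*[!0-9]*) echo "not a decimal number: $1" >&2; return 2 ;; esac
    if [ "$1" -eq 0 ]; then echo "not tainted"; return 0; fi
    while read -r bit letter reason; do
        if [ $(( ($1 >> bit) & 1 )) -eq 1 ]; then
            printf '%s bit %s: %s\n' "$letter" "$bit" "$reason"
        fi
    done <<EOF
$TAINT_BITS
EOF
    extra=$(( $1 & ~$KNOWN_MASK ))
    if [ "$extra" -ne 0 ]; then printf '? unknown bits: %s\n' "$extra"; fi
}

# Print only the letters of the set bits, in bit order (e.g. OE).
taint_letters() {
    decode_taint "$1" | while read -r letter word rest; do
        if [ "$word" = bit ]; then printf '%s' "$letter"; fi
    done
    echo
}

# Decode the running kernel's value when the file is readable.
if [ -r /proc/sys/kernel/tainted ]; then decode_taint "$(cat /proc/sys/kernel/tainted)"; fi
```

<p>A value with bit 13 set (E) points at module signing, and bit 0 (P) at the module license, which are the two causes discussed in the thread.</p>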