[elrepo] dm_mod: module verification failed: signature and/or required key missing - tainting kernel
Akemi Yagi
amyagi at gmail.com
Sat Jan 15 12:58:18 EST 2022
On Sat, Jan 15, 2022 at 4:30 AM Phil Perry <phil at elrepo.org> wrote:
> On 14/01/2022 20:45, Orion Poplawski wrote:
> > I'm seeing this message on an EL7 system running 5.4.171-1.el7.elrepo.x86_64:
> >
> > kernel: dm_mod: module verification failed: signature and/or required key
> > missing - tainting kernel
> >
> > that's rather odd, isn't it?
> >
> > I didn't see it with 5.4.142-1.el7.elrepo.x86_64, started with
> > 5.4.148-1.el7.elrepo.x86_64.
>
> It's related to Secure Boot (SB).
>
> Elrepo does not sign the kernel modules in kernel-lt and kernel-ml
> kernels for Secure Boot. The kernel code performs checks when a module
> is loaded to see if it is signed with a SB key, and whether SB is
> enabled in the UEFI/BIOS. If SB is enabled, the kernel will enforce SB
> policy and refuse to load the module.
>
> The warning you see is the kernel checking if the module is signed and
> letting you know it isn't. If you had SB enabled, you would not be able
> to run the kernel.
>
> I suspect a config change at some point in the past has caused the
> observed change in behaviour, but it's informational only and shouldn't
> cause any issues or concerns AFAIK.
>
Actually the said config change occurred in kernel-lt-5.4.144.
CONFIG_MODULE_SIG=y was added there.
Akemi
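
Added example, not part of the original thread and not ELRepo tooling: a shell sketch that classifies a kernel's module-signature policy from its build config and decodes the unsigned-module taint bit (bit 13, flag `E`) that the message in this thread refers to. The function names and the two sample configs are constructed for illustration; the `/boot/config-$(uname -r)` path in the comments is an assumption about where the distribution installs the config.

```shell
#!/bin/sh
# Sample configs constructed for this example (not copied from any ELRepo build).
SAMPLE_NO_SIG='CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set'
SAMPLE_SIG='CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set'
SAMPLE_FORCE='CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y'

# modsig_mode: read a kernel config on stdin and print one of
#   off     - CONFIG_MODULE_SIG not set: no signature check, no log message
#   taint   - CONFIG_MODULE_SIG=y only: unsigned modules load, kernel logs and taints
#   enforce - CONFIG_MODULE_SIG_FORCE=y too: unsigned modules are rejected
# This reads the build config only; the module.sig_enforce boot parameter
# can also turn enforcement on at runtime and is not examined here.
modsig_mode() {
    awk -F= '
        $1 == "CONFIG_MODULE_SIG"       && $2 == "y" { sig = 1 }
        $1 == "CONFIG_MODULE_SIG_FORCE" && $2 == "y" { force = 1 }
        END {
            if (!sig)       print "off"
            else if (force) print "enforce"
            else            print "taint"
        }'
}

# unsigned_taint: given the integer from /proc/sys/kernel/tainted, print
# "yes" if bit 13 (unsigned module loaded, flag E) is set, else "no".
unsigned_taint() {
    if [ $(( ($1 >> 13) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# Demonstration on the constructed samples.
for cfg in "$SAMPLE_NO_SIG" "$SAMPLE_SIG" "$SAMPLE_FORCE"; do
    printf '%s\n' "$cfg" | modsig_mode
done
unsigned_taint 8192

# On a live system (assumed paths):
#   modsig_mode < "/boot/config-$(uname -r)"
#   unsigned_taint "$(cat /proc/sys/kernel/tainted)"
```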