* How to disable "module verification failed: signature and/or required key missing - tainting kernel" message?
@ 2015-11-02 5:57 Nan Xiao
2015-11-02 6:13 ` Anupam Kapoor
2015-11-02 7:16 ` Valdis.Kletnieks at vt.edu
0 siblings, 2 replies; 7+ messages in thread
From: Nan Xiao @ 2015-11-02 5:57 UTC (permalink / raw)
To: kernelnewbies
Hi all,
When the vendor Linux system enable "kernel module signature
verification" mechanism,
if install your own built module, the kernel will complain:
module verification failed: signature and/or required key missing
- tainting kernel
After referring this post on
SO(http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
I add "CONFIG_MODULE_SIG=n" at the beginning of Makefile, and rebuild
the module.
But I find this configuration option doesn't take effect, and "module
verification failed: signature
and/or required key missing - tainting kernel" message still occurs
when first loading the module.
Per my understanding, this message shouldn't occur anytime.
Could anyone give some clues on this issue? Thanks in advance!
Best Regards
Nan Xiao
^ permalink raw reply [flat|nested] 7+ messages in thread* How to disable "module verification failed: signature and/or required key missing - tainting kernel" message?
2015-11-02 5:57 How to disable "module verification failed: signature and/or required key missing - tainting kernel" message? Nan Xiao
@ 2015-11-02 6:13 ` Anupam Kapoor
2015-11-02 7:16 ` Valdis.Kletnieks at vt.edu
1 sibling, 0 replies; 7+ messages in thread
From: Anupam Kapoor @ 2015-11-02 6:13 UTC (permalink / raw)
To: kernelnewbies
>>>>> [2015-11-02T11:27:10+0530]: "Nan Xiao" (nan-xiao):
,----[ nan-xiao ]
| When the vendor Linux system enable "kernel module signature
| verification" mechanism,
| if install your own built module, the kernel will complain:
|
| module verification failed: signature and/or required key missing
| - tainting kernel
`----
disable 'CONFIG_MODULE_SIG' in your kernel. more info available in
Documentation/module-signing.txt
--
kind regards
anupam
^ permalink raw reply [flat|nested] 7+ messages in thread
* How to disable "module verification failed: signature and/or required key missing - tainting kernel" message?
2015-11-02 5:57 How to disable "module verification failed: signature and/or required key missing - tainting kernel" message? Nan Xiao
2015-11-02 6:13 ` Anupam Kapoor
@ 2015-11-02 7:16 ` Valdis.Kletnieks at vt.edu
2015-11-02 7:29 ` Nan Xiao
1 sibling, 1 reply; 7+ messages in thread
From: Valdis.Kletnieks at vt.edu @ 2015-11-02 7:16 UTC (permalink / raw)
To: kernelnewbies
On Mon, 02 Nov 2015 13:57:10 +0800, Nan Xiao said:
> I add "CONFIG_MODULE_SIG=n" at the beginning of Makefile, and rebuild
> the module.
> Could anyone give some clues on this issue? Thanks in advance!
Did you *also* both rebuild and reboot into the new kernel that has
MODULE_SIG=n?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 848 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20151102/7bfa63ee/attachment.bin
^ permalink raw reply [flat|nested] 7+ messages in thread
* How to disable "module verification failed: signature and/or required key missing - tainting kernel" message?
2015-11-02 7:16 ` Valdis.Kletnieks at vt.edu
@ 2015-11-02 7:29 ` Nan Xiao
2015-11-02 8:43 ` Anupam Kapoor
0 siblings, 1 reply; 7+ messages in thread
From: Nan Xiao @ 2015-11-02 7:29 UTC (permalink / raw)
To: kernelnewbies
Hi Anupam & Valdis,
I don't disable CONFIG_MODULE_SIG configuration in kernel. Since from this
post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
the answer said only disable this option in module's Makefile is enough.
So Is this answer wrong? That is what I am confused.
Thanks!
Best Regards
Nan Xiao
On Mon, Nov 2, 2015 at 3:16 PM, <Valdis.Kletnieks@vt.edu> wrote:
> On Mon, 02 Nov 2015 13:57:10 +0800, Nan Xiao said:
>
>> I add "CONFIG_MODULE_SIG=n" at the beginning of Makefile, and rebuild
>> the module.
>
>> Could anyone give some clues on this issue? Thanks in advance!
>
> Did you *also* both rebuild and reboot into the new kernel that has
> MODULE_SIG=n?
^ permalink raw reply [flat|nested] 7+ messages in thread
* How to disable "module verification failed: signature and/or required key missing - tainting kernel" message?
2015-11-02 7:29 ` Nan Xiao
@ 2015-11-02 8:43 ` Anupam Kapoor
2015-11-02 9:06 ` Nan Xiao
0 siblings, 1 reply; 7+ messages in thread
From: Anupam Kapoor @ 2015-11-02 8:43 UTC (permalink / raw)
To: kernelnewbies
>>>>> [2015-11-02T12:59:30+0530]: "Nan Xiao" (nan-xiao):
,----[ nan-xiao ]
| I don't disable CONFIG_MODULE_SIG configuration in kernel. Since from this
| post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
| the answer said only disable this option in module's Makefile is enough.
`----
following config options are available (under 'enable loadable module support')
CONFIG_MODULE_SIG : checks modules for valid signature on load.
CONFIG_MODULE_SIG_FORCE : rejects unsigned modules or modules for which
key is not available.
thus, if, this is set to 'n' then loading a module with bad signature,
would taint the kernel. however, if, this is set to 'y' then loading a
module with bad signature will be rejected.
so, my guess is that in your case, this is most likely set to 'y'.
--
kind regards
anupam
^ permalink raw reply [flat|nested] 7+ messages in thread
* How to disable "module verification failed: signature and/or required key missing - tainting kernel" message?
2015-11-02 8:43 ` Anupam Kapoor
@ 2015-11-02 9:06 ` Nan Xiao
2015-11-02 9:29 ` Anupam Kapoor
0 siblings, 1 reply; 7+ messages in thread
From: Nan Xiao @ 2015-11-02 9:06 UTC (permalink / raw)
To: kernelnewbies
Hi Anupam,
Sorry, I am a little confused about your explanation.
In my kernel, only CONFIG_MODULE_SIG is set to yes. But from the 2nd answer of
this post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
it says "no need to disable this option in kernel". So my question is
this answer is wrong?
If no disable "CONFIG_MODULE_SIG" in kernel, "module verification
failed: signature and/or required key missing"
always be printed?
Thanks!
Best Regards
Nan Xiao
On Mon, Nov 2, 2015 at 4:43 PM, Anupam Kapoor <anupam.kapoor@gmail.com> wrote:
>
>>>>>> [2015-11-02T12:59:30+0530]: "Nan Xiao" (nan-xiao):
> ,----[ nan-xiao ]
> | I don't disable CONFIG_MODULE_SIG configuration in kernel. Since from this
> | post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
> | the answer said only disable this option in module's Makefile is enough.
> `----
> following config options are available (under 'enable loadable module support')
>
> CONFIG_MODULE_SIG : checks modules for valid signature on load.
>
> CONFIG_MODULE_SIG_FORCE : rejects unsigned modules or modules for which
> key is not available.
>
> thus, if, this is set to 'n' then loading a module with bad signature,
> would taint the kernel. however, if, this is set to 'y' then loading a
> module with bad signature will be rejected.
>
> so, my guess is that in your case, this is most likely set to 'y'.
>
> --
> kind regards
> anupam
^ permalink raw reply [flat|nested] 7+ messages in thread
* How to disable "module verification failed: signature and/or required key missing - tainting kernel" message?
2015-11-02 9:06 ` Nan Xiao
@ 2015-11-02 9:29 ` Anupam Kapoor
0 siblings, 0 replies; 7+ messages in thread
From: Anupam Kapoor @ 2015-11-02 9:29 UTC (permalink / raw)
To: kernelnewbies
>>>>> [2015-11-02T14:36:52+0530]: "Nan Xiao" (nan-xiao):
,----[ nan-xiao ]
| Sorry, I am a little confused about your explanation.
`----
ah sorry about that. i just re-read your original post, and realized
that you _are_ able to load the unsigned/badly-signed module. the only
point of concern is that you see a "taint" message. this is expected.
from Documentation/module-signing.txt
,----
| (1) "Require modules to be validly signed" (CONFIG_MODULE_SIG_FORCE)
|
| This specifies how the kernel should deal with a module that has a
| signature for which the key is not known or a module that is unsigned.
|
| If this is off (ie. "permissive"), then modules for which the key is not
| available and modules that are unsigned are permitted, but the kernel will
| be marked as being tainted, and the concerned modules will be marked as
| tainted, shown with the character 'E'.
|
| If this is on (ie. "restrictive"), only modules that have a valid
| signature that can be verified by a public key in the kernel's possession
| will be loaded. All other modules will generate an error.
|
| Irrespective of the setting here, if the module has a signature block that
| cannot be parsed, it will be rejected out of hand.
`----
if you don't want module signing at all, then set CONFIG_MODULE_SIG to
'n' and recompile your kernel. boot it, and then load modules without
signing....
--
kind regards
anupam
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-11-02 9:29 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-11-02 5:57 How to disable "module verification failed: signature and/or required key missing - tainting kernel" message? Nan Xiao
2015-11-02 6:13 ` Anupam Kapoor
2015-11-02 7:16 ` Valdis.Kletnieks at vt.edu
2015-11-02 7:29 ` Nan Xiao
2015-11-02 8:43 ` Anupam Kapoor
2015-11-02 9:06 ` Nan Xiao
2015-11-02 9:29 ` Anupam Kapoor
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.