From mboxrd@z Thu Jan 1 00:00:00 1970 From: anupam.kapoor@gmail.com (Anupam Kapoor) Date: Mon, 02 Nov 2015 14:59:13 +0530 Subject: How to disable "module verification failed: signature and/or required key missing - tainting kernel" message? In-Reply-To: References: <34180.1446448563@turing-police.cc.vt.edu> <87h9l4rdti.fsf@fatcat.parallelwireless> Message-ID: <87d1vsrbpy.fsf@fatcat.parallelwireless> To: kernelnewbies@lists.kernelnewbies.org List-Id: kernelnewbies.lists.kernelnewbies.org >>>>> [2015-11-02T14:36:52+0530]: "Nan Xiao" (nan-xiao): ,----[ nan-xiao ] | Sorry, I am a little confused about your explanation. `---- ah sorry about that. i just re-read your original post, and realized that you _are_ able to load the unsigned/badly-signed module. the only point of concern is that you see a "taint" message. this is expected. from Documentation/module-signing.txt ,---- | (1) "Require modules to be validly signed" (CONFIG_MODULE_SIG_FORCE) | | This specifies how the kernel should deal with a module that has a | signature for which the key is not known or a module that is unsigned. | | If this is off (ie. "permissive"), then modules for which the key is not | available and modules that are unsigned are permitted, but the kernel will | be marked as being tainted, and the concerned modules will be marked as | tainted, shown with the character 'E'. | | If this is on (ie. "restrictive"), only modules that have a valid | signature that can be verified by a public key in the kernel's possession | will be loaded. All other modules will generate an error. | | Irrespective of the setting here, if the module has a signature block that | cannot be parsed, it will be rejected out of hand. `---- if you don't want module signing at all, then set CONFIG_MODULE_SIG to 'n' and recompile your kernel. boot it, and then load modules without signing.... -- kind regards anupam