Discussion:
How to disable "module verification failed: signature and/or required key missing - tainting kernel" message?
Nan Xiao
2015-11-02 05:57:10 UTC
Hi all,

When the vendor's Linux system enables the "kernel module signature
verification" mechanism,
and you install your own built module, the kernel will complain:

module verification failed: signature and/or required key missing
- tainting kernel

After referring to this post on
SO (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
I added "CONFIG_MODULE_SIG=n" at the beginning of the Makefile, and rebuilt
the module.

But I find this configuration option doesn't take effect, and the "module
verification failed: signature
and/or required key missing - tainting kernel" message still occurs
when first loading the module.
Per my understanding, this message shouldn't occur at any time.

Could anyone give some clues on this issue? Thanks in advance!

Best Regards
Nan Xiao
Anupam Kapoor
2015-11-02 06:13:06 UTC
,----[ nan-xiao ]
| When the vendor's Linux system enables the "kernel module signature
| verification" mechanism,
| and you install your own built module, the kernel will complain:
|
| module verification failed: signature and/or required key missing
| - tainting kernel
`----
disable 'CONFIG_MODULE_SIG' in your kernel. more info is available in
Documentation/module-signing.txt
--
kind regards
anupam
V***@vt.edu
2015-11-02 07:16:03 UTC
Post by Nan Xiao
I added "CONFIG_MODULE_SIG=n" at the beginning of the Makefile, and rebuilt
the module.
Could anyone give some clues on this issue? Thanks in advance!
Did you *also* both rebuild and reboot into the new kernel that has
MODULE_SIG=n?
Nan Xiao
2015-11-02 07:29:30 UTC
Hi Anupam & Valdis,

I didn't disable the CONFIG_MODULE_SIG configuration in the kernel, since in this
post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
the answer said that disabling this option only in the module's Makefile is enough.

So is this answer wrong? That is what I am confused about.

Thanks!
Best Regards
Nan Xiao
Post by V***@vt.edu
Post by Nan Xiao
I added "CONFIG_MODULE_SIG=n" at the beginning of the Makefile, and rebuilt
the module.
Could anyone give some clues on this issue? Thanks in advance!
Did you *also* both rebuild and reboot into the new kernel that has
MODULE_SIG=n?
Anupam Kapoor
2015-11-02 08:43:53 UTC
,----[ nan-xiao ]
| I didn't disable the CONFIG_MODULE_SIG configuration in the kernel, since in this
| post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
| the answer said that disabling this option only in the module's Makefile is enough.
`----
the following config options are available (under 'enable loadable module support'):

CONFIG_MODULE_SIG : checks modules for a valid signature on load.

CONFIG_MODULE_SIG_FORCE : rejects unsigned modules or modules for which the
key is not available.

thus, if this is set to 'n', then loading a module with a bad signature
would taint the kernel. however, if this is set to 'y', then loading a
module with a bad signature will be rejected.

so, my guess is that in your case, this is most likely set to 'y'.
--
kind regards
anupam
Nan Xiao
2015-11-02 09:06:52 UTC
Hi Anupam,

Sorry, I am a little confused about your explanation.

In my kernel, only CONFIG_MODULE_SIG is set to yes. But the 2nd answer of
this post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin)
says "no need to disable this option in kernel". So my question is:
is this answer wrong?
If I don't disable "CONFIG_MODULE_SIG" in the kernel, will "module verification
failed: signature and/or required key missing"
always be printed?

Thanks!
Best Regards
Nan Xiao
Post by Anupam Kapoor
,----[ nan-xiao ]
| I didn't disable the CONFIG_MODULE_SIG configuration in the kernel, since in this
| post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
| the answer said that disabling this option only in the module's Makefile is enough.
`----
the following config options are available (under 'enable loadable module support'):
CONFIG_MODULE_SIG : checks modules for a valid signature on load.
CONFIG_MODULE_SIG_FORCE : rejects unsigned modules or modules for which the
key is not available.
thus, if this is set to 'n', then loading a module with a bad signature
would taint the kernel. however, if this is set to 'y', then loading a
module with a bad signature will be rejected.
so, my guess is that in your case, this is most likely set to 'y'.
--
kind regards
anupam
Anupam Kapoor
2015-11-02 09:29:13 UTC
,----[ nan-xiao ]
| Sorry, I am a little confused about your explanation.
`----
ah sorry about that. i just re-read your original post, and realized
that you _are_ able to load the unsigned/badly-signed module. the only
point of concern is that you see a "taint" message. this is expected.

from Documentation/module-signing.txt

,----
| (1) "Require modules to be validly signed" (CONFIG_MODULE_SIG_FORCE)
|
| This specifies how the kernel should deal with a module that has a
| signature for which the key is not known or a module that is unsigned.
|
| If this is off (ie. "permissive"), then modules for which the key is not
| available and modules that are unsigned are permitted, but the kernel will
| be marked as being tainted, and the concerned modules will be marked as
| tainted, shown with the character 'E'.
|
| If this is on (ie. "restrictive"), only modules that have a valid
| signature that can be verified by a public key in the kernel's possession
| will be loaded. All other modules will generate an error.
|
| Irrespective of the setting here, if the module has a signature block that
| cannot be parsed, it will be rejected out of hand.
`----

if you don't want module signing at all, then set CONFIG_MODULE_SIG to
'n' and recompile your kernel. boot it, and then load modules without
signing.

--
kind regards
anupam
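The thread boils down to two things a practitioner wants to check on a box: which signing policy the running kernel was built with (permissive vs. restrictive, in the words of module-signing.txt quoted above) and whether the 'E' taint flag has already been set because an unsigned module was loaded. The POSIX shell script below is an added example, not code from this thread or from the kernel tree; it reads the kernel config format and the /proc/sys/kernel/tainted bitmask. The taint letter table and the bit position of 'E' (bit 13, TAINT_UNSIGNED_MODULE) are taken from the kernel's tainted-kernels documentation; the sample config file is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: inspect module-signing policy and the unsigned-module taint.
# Not part of the mailing-list thread; the sample config below is constructed.

# Taint letters by bit position, per Documentation/admin-guide/tainted-kernels.rst.
# Bit 0 = 'P' ... bit 12 = 'O' (out-of-tree), bit 13 = 'E' (unsigned module).
TAINT_LETTERS="PFSRMBUDAWCIOELKXT"
UNSIGNED_MODULE_BIT=13

# Print the taint letters present in a /proc/sys/kernel/tainted bitmask.
decode_taint() {
    mask=$1
    out=""
    i=0
    while [ "$i" -lt 18 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="$out$(printf '%s' "$TAINT_LETTERS" | cut -c $((i + 1)))"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Exit 0 if the unsigned-module taint bit ('E') is set in the given mask.
unsigned_module_taint_set() {
    [ $(( ($1 >> UNSIGNED_MODULE_BIT) & 1 )) -eq 1 ]
}

# Classify a kernel .config (or /boot/config-*) file:
#   disabled    - CONFIG_MODULE_SIG not set: no verification, no 'E' taint
#   permissive  - CONFIG_MODULE_SIG=y only: unsigned modules load but taint
#   restrictive - CONFIG_MODULE_SIG_FORCE=y too: unsigned modules are rejected
sig_policy() {
    cfg=$1
    if grep -qx 'CONFIG_MODULE_SIG=y' "$cfg"; then
        if grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$cfg"; then
            echo restrictive
        else
            echo permissive
        fi
    else
        echo disabled
    fi
}

# Constructed sample config matching the situation in the thread:
# signing enabled, enforcement off.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
EOF

# Report on the live system when run directly (values differ per machine).
report_live() {
    live_cfg="/boot/config-$(uname -r)"
    [ -r "$live_cfg" ] && echo "policy: $(sig_policy "$live_cfg")"
    if [ -r /proc/sys/kernel/tainted ]; then
        mask=$(cat /proc/sys/kernel/tainted)
        echo "taint flags: $(decode_taint "$mask")"
        unsigned_module_taint_set "$mask" && echo "an unsigned module has been loaded ('E')"
    fi
}

echo "sample config policy: $(sig_policy "$SAMPLE_CFG")"
report_live
```

With the sample config the policy comes out "permissive", which is exactly the case the thread describes: the module loads, the kernel logs the "tainting kernel" message and sets 'E'. A mask of 12288 (bits 12 and 13) decodes to "OE", the usual pair for an out-of-tree, unsigned module.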