Tainted Kernel - Module Verification failed

  • 7017442
  • 01-Apr-2016
  • 07-Apr-2016

Environment
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)

Situation

Starting with SUSE Linux Enterprise 11 SP3, the kernel tries to verify the signature of every kernel module it loads. If a module is unsigned, or is signed with a key the kernel does not know, the kernel is marked as tainted.
In kernel back traces, this taint is reported with the flag "E".

Resolution

This taint has no effect on system functionality or supportability. It should be considered informational only. For more details, including the possibility to remove the taint by using the UEFI key db, see the additional information below. On legacy (non-UEFI) boot systems there is no way around the taint message when using kernel modules that are not delivered with the SUSE products.

Additional Information

Kernel Taint Message

Starting with SUSE Linux Enterprise 12 a message will be logged indicating the signature verification failure taint.

If the kernel module is unsigned or signed with an unknown key, the following message is logged, where MODULENAME is the name of the kernel module in question:

MODULENAME: module verification failed: signature and/or required key missing - tainting kernel

The above message is only seen once, regardless of the number of module signature verification failures. Once the kernel is tainted, it is not tainted again.

Unknown Module Key Message

If a kernel module signed with an unknown key is loaded, the following message is logged by the kernel:

Request for unknown module key 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' err -11

The name and fingerprint of the key vary depending on the key used to sign the module. Unlike the taint message, this message is logged on every attempt to load a module signed with an unknown key.

System Known Keys

The kernel queries its own "system keyring" for known keys. With SUSE Linux Enterprise Server this keyring only contains the SUSE key used when building the in-product kernel and kernel modules. At this time, there is no supported way for a user to add keys to this keyring directly.

UEFI Key Database

Starting with SUSE Linux Enterprise 12 Service Pack 1 kernel update version 3.12.44-52.10.3 the kernel will merge keys from the UEFI key database (db) into the system keyring at boot. This allows keys in the UEFI db to be "known" by the kernel.

Contact your system manufacturer for options to add keys to the UEFI key db.
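The following script is an added example for this TID, not part of the SUSE documentation. It shows how an administrator can confirm whether the "E" taint described above is set, which module triggered the one-time "module verification failed" message, and which unknown key descriptions were reported by the "Request for unknown module key" messages, and then list the loaded modules whose signer is not the in-product SUSE key. The taint letters follow the upstream Linux bit assignment (bit 13, value 8192, is "E" for an unsigned or unknown-key module); it is an assumption that the SUSE kernels named in this TID use the same numbering. The embedded log excerpt is constructed, "example_mod" is a placeholder module name, and the live checks assume that lsmod, modinfo and mokutil are installed.

```shell
#!/bin/sh
# Added example (not SUSE code): inspect the module signature taint on a SLES host.

# Letters for taint bits 0..15 as assigned upstream (bit 13 = 'E', unsigned/unknown-key module).
# Assumption: the SUSE kernels in the TID use the same bit numbering.
decode_taint() {
    mask=$1
    letters="P F S R M B U D A W C I O E L K"
    bit=0
    out=""
    for l in $letters; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out$l"
        fi
        bit=$((bit + 1))
    done
    if [ -z "$out" ]; then
        out="(not tainted)"
    fi
    printf '%s\n' "$out"
}

# Reads kernel log text on stdin and prints MODULENAME from the one-time taint message.
tainting_module() {
    awk '/module verification failed/ {
            if (match($0, /[^ ]+: module verification failed/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/: module verification failed$/, "", s)
                print s
            }
        }'
}

# Reads kernel log text on stdin and prints each distinct unknown key description.
unknown_keys() {
    sed -n "s/^.*Request for unknown module key '\([^']*\)' err .*$/\1/p" | sort -u
}

# Constructed sample log: the two messages quoted in the TID, with a placeholder module name.
SAMPLE_LOG="[   12.000000] example_mod: module verification failed: signature and/or required key missing - tainting kernel
[   12.000100] Request for unknown module key 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' err -11
[   12.000200] Request for unknown module key 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' err -11"

# Live checks against the running system; only run when invoked with --live.
audit_live() {
    printf 'taint flags: %s\n' "$(decode_taint "$(cat /proc/sys/kernel/tainted)")"
    printf 'module that tainted the kernel: %s\n' "$(dmesg | tainting_module)"
    printf 'unknown module keys reported:\n'
    dmesg | unknown_keys
    printf 'loaded modules and their signer (empty = unsigned):\n'
    for m in $(lsmod | awk 'NR > 1 { print $1 }'); do
        printf '  %-24s %s\n' "$m" "$(modinfo -F signer "$m" 2>/dev/null)"
    done
    # Keys merged from the UEFI db (SLES 12 SP1 kernel 3.12.44-52.10.3 and later).
    if command -v mokutil >/dev/null 2>&1; then
        printf 'UEFI db contents:\n'
        mokutil --db
    fi
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    printf 'sample log decoded: module=%s\n' "$(printf '%s\n' "$SAMPLE_LOG" | tainting_module)"
    printf '%s\n' "$SAMPLE_LOG" | unknown_keys
    printf 'taint mask 8192 decodes to: %s\n' "$(decode_taint 8192)"
fi
```

Run it without arguments to see the functions applied to the constructed log, or with --live (as root, on a SLES host) to report the real taint mask, the log messages and the signer of every loaded module; a module whose signer is empty or is not the SUSE key is the one that produced the taint.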