
Re: Bug#825141: dasd_mod: module verification failed: signature and/or required key missing - tainting kernel



On Mon, May 23, 2016, at 22:16, Ben Hutchings wrote:
> On Mon, 2016-05-23 at 21:06 -0400, Stephen Powell wrote:
>> 
>> The following message is received at boot time when booting the stock Debian kernel
>> version 4.5.3-2 on the s390x architecture:
>> 
>> dasd_mod: module verification failed: signature and/or required key missing - tainting kernel
> 
> This is expected until we sort out support for loading signed modules
> in unstable.
> 

I've done a little research on this.  I haven't checked other architectures,
but the stock s390x kernel for 4.5.3-2 (and today I also tried 4.5.4-1) has

   CONFIG_MODULE_SIG=y
   # CONFIG_MODULE_SIG_ALL is not set

This seems to be the problem.  From what I've read, if CONFIG_MODULE_SIG=y, but
CONFIG_MODULE_SIG_ALL is not set, then the modules need to be manually signed
via

   scripts/sign-file

between the "make modules" and "make modules_install" phases of the build
process.  But automated tools for building Debian kernel packages, such as
make-kpkg from kernel-package, "make deb-pkg", and I presume the tools you
use for building stock kernels as well, do not allow this manual signing step
to take place.

I have been able to build a successful kernel using make-kpkg with both of the
above options not set, as well as with both of them set to y.  But the
combination of options currently used in the stock kernel is problematic
for these tools.

-- 
  .''`.     Stephen Powell    <zlinuxman@fastmail.com>
 : :'  :
 `. `'`
   `-
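
Added example, not part of the original message: a shell check that classifies a kernel config by the two options discussed above and tests whether a module file ends with the kernel's appended-signature trailer. The function names are hypothetical and the config and module files are constructed samples; the trailer string is the kernel's MODULE_SIG_STRING.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample files are constructed.

# Trailer the kernel expects at the very end of a signed module
# (MODULE_SIG_STRING, followed by a newline: 28 bytes in total).
SIG_MARKER='~Module signature appended~'

# config_on FILE OPTION: succeed if FILE contains OPTION=y.
config_on() {
    grep -q "^$2=y\$" "$1"
}

# sig_config_state FILE: print how modules get signed under this config.
sig_config_state() {
    if ! config_on "$1" CONFIG_MODULE_SIG; then
        echo "unsigned-ok"       # signatures are not checked at all
    elif config_on "$1" CONFIG_MODULE_SIG_ALL; then
        echo "auto-signed"       # "make modules_install" signs each module
    else
        echo "manual-signing"    # scripts/sign-file has to be run by hand
    fi
}

# module_is_signed FILE: succeed if FILE ends with the signature trailer.
module_is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\000\n')" = "$SIG_MARKER" ]
}

# Constructed sample: the option pair quoted in the message, plus two fake modules.
demo_dir=$(mktemp -d)
printf 'CONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_ALL is not set\n' > "$demo_dir/config"
printf 'fake-module-body' > "$demo_dir/unsigned.ko"
printf 'fake-module-body<sig>%s\n' "$SIG_MARKER" > "$demo_dir/signed.ko"

echo "config: $(sig_config_state "$demo_dir/config")"
for m in unsigned.ko signed.ko; do
    if module_is_signed "$demo_dir/$m"; then
        echo "$m: signature trailer present"
    else
        echo "$m: no signature trailer (would taint a CONFIG_MODULE_SIG=y kernel)"
    fi
done
rm -rf "$demo_dir"
```

The trailer only shows that a signature was appended; whether it verifies against a key the kernel trusts is decided at module load time.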

