kvm: module verification failed: signature and/or required key missing - tainting kernel

86,507

Solution 1

It seems like the vendor of your system has enabled kernel module signature verification on your kernel which means it won't load any module that the vendor hasn't signed. In other words, your patched module isn't signed (properly) and the kernel will refuse to load it.

The point of this is supposed to prevent malware and rootkits from loading malicious kernel modules.

I suggest you contact your vendor. There may be an option somewhere on your platform to disable signature checking. Otherwise, your vendor may be able to sign the module for you. You might even have the key and the details of the signature verification algorithm and can sign it yourself.

Without knowing what platform you're running on, it's hard to give more specific suggestions.

Solution 2

Instead of re-configuring the kernel, this error (module verification failed) could be resolved by just adding one line CONFIG_MODULE_SIG=n to the top of the Makefile for the module itself:

CONFIG_MODULE_SIG=n

# If KERNELRELEASE is defined, we've been invoked from the
# kernel build system and can use its language.
ifneq ($(KERNELRELEASE),)
    obj-m := hello.o

# Otherwise we were called directly from the command
# line; invoke the kernel build system.
else
    KERNELDIR ?= /lib/modules/$(shell uname -r)/build
    PWD := $(shell pwd)

default:
	$(MAKE) -C $(KERNELDIR) M=$(PWD) modules
endif

Solution 3

Go to the kernel source directory and do (e.g.):

./scripts/sign-file sha512 ./signing_key.priv ./signing_key.x509 /lib/modules/3.10.1/kernel/drivers/char/my_module.ko

For kernel 4.4.*, the key locations should be as follows:

./scripts/sign-file sha512 ./certs/signing_key.pem ./certs/signing_key.x509 path/to/your/kernel/module.ko 

Check which digest algorithm your kernel is using by opening .config and reading the CONFIG_MODULE_SIG config values.

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
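
To confirm that sign-file actually attached a signature, the appended trailer can be parsed directly. This is an added example, not part of the answer above; the function names are illustrative, the layout follows the kernel's struct module_signature, and the sample bytes are constructed rather than taken from a real module.

```python
import struct

# Appended-signature layout per the kernel's struct module_signature:
# [module ELF][signer][key id][signature][12-byte info block][magic]
MAGIC = b"~Module signature appended~\n"
# Fields: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len
INFO = struct.Struct(">BBBBB3xI")
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}


def parse_module_signature(blob):
    """Return signature metadata for a .ko image, or None if unsigned."""
    if not blob.endswith(MAGIC):
        return None  # no trailer: the module carries no signature
    info_end = len(blob) - len(MAGIC)
    if info_end < INFO.size:
        raise ValueError("truncated signature info block")
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = INFO.unpack(
        blob[info_end - INFO.size:info_end])
    # Everything before the signer/key id/signature is the module itself.
    elf_len = info_end - INFO.size - sig_len - signer_len - key_id_len
    if elf_len <= 0:
        raise ValueError("signature lengths exceed file size")
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "sig_len": sig_len,
        "elf_len": elf_len,
    }


def sign_like(elf, sig):
    """Constructed helper: wrap fake bytes in a PKCS#7-style trailer."""
    return elf + sig + INFO.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    # Constructed sample data, not a real module or a real signature.
    elf = b"\x7fELF" + b"\x00" * 60
    print(parse_module_signature(elf))
    print(parse_module_signature(sign_like(elf, b"\x30" * 256)))
```

A trailer only shows that a signature is attached; whether the kernel accepts it still depends on the signing key being in the kernel's trusted keyring.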

Solution 4

In general, if you are building a custom kernel and using make oldconfig, this copies the existing config-* file from /boot. Nowadays most of the kernel modules are required to be signed by the Linux vendor. So edit the .config and disable CONFIG_MODULE_SIG_ALL and CONFIG_MODULE_SIG before compiling the kernel.

CONFIG_MODULE_SIG=n
CONFIG_MODULE_SIG_ALL=n
# CONFIG_MODULE_SIG_FORCE is not set 
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
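
The .config fragments in Solutions 3 and 4 correspond to different signing policies, and only CONFIG_MODULE_SIG_FORCE (or module.sig_enforce=1 on the kernel command line) makes the kernel reject unsigned modules instead of loading them with the taint warning. The classifier below is an added example, not part of any answer; the function name and policy labels are illustrative, and the sample fragments are retyped from the answers.

```python
import re

# Matches "CONFIG_MODULE_SIG...=value" and "# CONFIG_MODULE_SIG... is not set".
OPT = re.compile(r'^\s*(CONFIG_MODULE_SIG\w*)=("[^"]*"|\S+)|'
                 r'^\s*#\s*(CONFIG_MODULE_SIG\w*) is not set', re.M)


def module_sig_policy(config_text, cmdline=""):
    """Return (policy, hash) for the text of a kernel .config."""
    opts = {}
    for name, value, unset in OPT.findall(config_text):
        if unset:
            opts[unset] = "n"
        else:
            opts[name] = value.strip('"')
    if opts.get("CONFIG_MODULE_SIG") != "y":
        return ("off", None)  # signatures are never checked
    enforced = (opts.get("CONFIG_MODULE_SIG_FORCE") == "y"
                or "module.sig_enforce=1" in cmdline.split())
    # permissive: unsigned modules still load, with the taint warning
    # enforcing:  unsigned or wrongly signed modules are rejected
    policy = "enforcing" if enforced else "permissive"
    return (policy, opts.get("CONFIG_MODULE_SIG_HASH"))


# Fragments as shown in Solution 3 and Solution 4 (retyped, one option per line).
SOLUTION_3 = ('CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_ALL=y\n'
              'CONFIG_MODULE_SIG_SHA512=y\nCONFIG_MODULE_SIG_HASH="sha512"\n')
SOLUTION_4 = ('CONFIG_MODULE_SIG=n\nCONFIG_MODULE_SIG_ALL=n\n'
              '# CONFIG_MODULE_SIG_FORCE is not set\n')

if __name__ == "__main__":
    print(module_sig_policy(SOLUTION_3))
    print(module_sig_policy(SOLUTION_4))
    print(module_sig_policy(SOLUTION_3, "ro quiet module.sig_enforce=1"))
```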
Author by

user2743

Updated on October 17, 2020

Comments

  • user2743 over 3 years

    I'm using Ubuntu 14.04 LTS and kernel version 3.13.11.4.
    I'm trying to load patched KVM modules kvm and kvm-intel and I'm getting the following errors

    kvm: module verification failed: signature and/or required key missing - tainting kernel
    and kvm: module has bad taint, not creating trace events.

    The source used is the same source that created the image that I am currently running.
    I've checked the symbols and made sure the error isn't caused by not including EXPORT_SYMBOL_GPL() in the patched files where I exported functions.

    I've also seen some stuff about different kernel versions causing this error but I built the kernel that I'm booted in with the same source that I used to create the patched kvm modules.
    Everything compiled without a warning. Any help is appreciated!

  • user2743 almost 10 years
    used this page to sign my modules wiki.gentoo.org/wiki/Signed_kernel_module_support
  • Nan Xiao over 8 years
    Have you tried it? I find adding "CONFIG_MODULE_SIG=n" still prints the "module verification failed: signature and/or required key missing - tainting kernel" message.
  • Nan Xiao over 8 years
    I use both Suse (3.12) and RHEL 7 (3.10.0), and the results are the same. I also discussed this issue on kernelnewbies.org, but there seems to be no satisfactory answer yet. Could you help to check this mail thread? Thanks very much!
  • Nan Xiao over 8 years
    I did a test on Ubuntu (uname -a outputs: "Linux ubuntu 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux"), and found the same phenomenon as on Suse or RHEL: CONFIG_MODULE_SIG=n is of no use in the module's Makefile, no matter whether you add this configuration or not. The first module load will print "module verification failed: signature and/or required key missing - tainting kernel", then this message won't print when loading it. Please try it, thx!
  • Nan Xiao over 8 years
    I have 2 questions: a) Why can adding "CONFIG_MODULE_SIG=n" in the module Makefile take effect in the kernel? b) On my Ubuntu server, there are 2 directories: /usr/src/linux-headers-3.19.0-25 and /usr/src/linux-headers-3.19.0-25-generic; how do you know which header directory is used?
  • artm over 8 years
    Run uname -r (which is part of the Makefile)
  • Nan Xiao over 8 years
    Yes, uname -r displays the running kernel info. But for question a), I still don't know why adding "CONFIG_MODULE_SIG=n" in the module Makefile can take effect in the kernel.
  • Irfan over 8 years
    This works for me! Ubuntu 14.04 with 3.17.0-031700rc1-generic kernel.
  • JohnAllen about 8 years
    This definitely worked for me for a different module: rtl8188 and Ubuntu 15.1
  • Ilya Matveychikov over 7 years
    What a bad answer! Defining CONFIG_MODULE_SIG=n leads to incorrect module.h parsing while the module is being compiled. You'll have divergence of the kernel's and the module's structure layout. Why so many upvotes here?
  • rank1 over 7 years
    So the kernel needs to be recompiled here? Sorry for the lame question perhaps, but I am a beginner in Linux and recompiling the kernel turns on a red light for me. Just trying to get ethernet connections working. Looks like I would need extra packages which I don't have to do that (and I won't have since wifi is also not working).
  • artm over 7 years
    @IlyaMatveychikov I remember trying to solve this issue when some sample module in Linux Device Driver failed to build on Ubuntu 14.04. I found it worked for me without making any changes to the Ubuntu default kernel. I guess you know a better way to do it - do you mind posting an answer to fix this issue? My guess is that other people are having this problem too (although it may not apply to newer kernels - not sure).
  • TerrenceSun about 6 years
    This should be the answer, it signed the custom build module.