Tainted Kernel - Module Verification failed

This document (7017442) is provided subject to the disclaimer at the end of this document.

Environment


SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)

Situation

Starting with  SUSE Linux Enterprise 11 SP3 and later releases, the kernel will try to verify the signature of any kernel module loaded. If the module is unsigned, or is signed with an unknown key, the kernel will receive a taint flag.
In Kernel back traces, the taint will be reported as "E".

Resolution

This taint has no effect on system functionality or supportability. It should be considered informational only. For more details including the possibility to remove the taint using the UEFI key db see the additional information below. For legacy boot systems, there is no option around the taint message when using kernel modules not delivered with the SUSE products.

Cause


Additional Information

Kernel Taint Message

Starting with SUSE Linux Enterprise 12 a message will be logged indicating the signature verification failure taint.

If the kernel module is unsigned or signed with an unknown key, the following message will be seen with MODULENAME containing the name of the kernel module in question:

MODULENAME: module verification failed: signature and/or required key missing - tainting kernel

The above message will only be seen once regardless of the number of module signature verification failure. Once the kernel is tainted, it will not be tainted again.

Unknown Module Key Message

If the kernel module signed with an unknown key is loaded, the following message will be logged by the kernel:

Request for unknown module key 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' err -11

The name and fingerprint of the key will vary depending on the key used. The message will be logged for every attempt to load a module with an unknown signature.

System Known Keys

The kernel queries it's own "system keyring" for known keys. With SUSE Linux Enterprise Server this keyring only contains the SUSE key used when building the in product kernel and kernel modules. At this time, there is no supported way for a user to add keys to this keyring directly.

UEFI Key Database

Starting with SUSE Linux Enterprise 12 Service Pack 1 kernel update version 3.12.44-52.10.3 the kernel will merge keys from the UEFI key database (db) into the system keyring at boot. This allows keys in the UEFI db to be "known" by the kernel.

Contact your system manufacture for user options to add keys to the UEFI key db.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7017442
  • Creation Date: 01-Apr-2016
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center