Tainted Kernel - Module Verification failed
This document (7017442) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
In Kernel back traces, the taint will be reported as "E".
Kernel Taint MessageStarting with SUSE Linux Enterprise 12 a message will be logged indicating the signature verification failure taint.
If the kernel module is unsigned or signed with an unknown key, the following message will be seen with MODULENAME containing the name of the kernel module in question:
MODULENAME: module verification failed: signature and/or required key missing - tainting kernel
The above message will only be seen once regardless of the number of module signature verification failure. Once the kernel is tainted, it will not be tainted again.
Unknown Module Key MessageIf the kernel module signed with an unknown key is loaded, the following message will be logged by the kernel:
Request for unknown module key 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' err -11
The name and fingerprint of the key will vary depending on the key used. The message will be logged for every attempt to load a module with an unknown signature.
System Known KeysThe kernel queries it's own "system keyring" for known keys. With SUSE Linux Enterprise Server this keyring only contains the SUSE key used when building the in product kernel and kernel modules. At this time, there is no supported way for a user to add keys to this keyring directly.
UEFI Key DatabaseStarting with SUSE Linux Enterprise 12 Service Pack 1 kernel update version 3.12.44-52.10.3 the kernel will merge keys from the UEFI key database (db) into the system keyring at boot. This allows keys in the UEFI db to be "known" by the kernel.
Contact your system manufacture for user options to add keys to the UEFI key db.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7017442
- Creation Date: 01-Apr-2016
- Modified Date:03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com