Bug#825141: dasd_mod: module verification failed: signature and/or required key missing - tainting kernel
On Wed, 2016-05-25 at 20:56 -0400, Stephen Powell wrote: > On Mon, May 23, 2016, at 22:16, Ben Hutchings wrote: > > On Mon, 2016-05-23 at 21:06 -0400, Stephen Powell wrote: > > > > > > The following message is received at boot time when booting the stock > > > Debian kernel > > > version 4.5.3-2 on the s390x architecture: > > > > > > dasd_mod: module verification failed: signature and/or required key > > > missing - tainting kernel > > > > This is expected until we sort out support for loading signed modules > > in unstable. > > > > I've done a little research on this. I haven't checked other architectures, > but the stock s390x kernel for 4.5.3-2 (and today I also tried 4.5.4-1) has > > CONFIG_MODULE_SIG=y > # CONFIG_MODULE_SIG_ALL is not set > > This seems to be the problem. But is exactly what's needed for official linux and linux-signed packages. [...] > I have been able to build a successful kernel using make-kpkg with both of the > above options not set, as well as with both of them set to y. But the > combination of options currently used in the stock kernel is problematic > for these tools. That's why the config files included in linux-source packages are now slightly different from those used in official packages. Ben. -- Ben Hutchings Usenet is essentially a HUGE group of people passing notes in class. - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette' signature.asc Description: This is a digitally signed message part
Bug#825141: dasd_mod: module verification failed: signature and/or required key missing - tainting kernel
On Mon, May 23, 2016, at 22:16, Ben Hutchings wrote: > On Mon, 2016-05-23 at 21:06 -0400, Stephen Powell wrote: >> >> The following message is received at boot time when booting the stock Debian >> kernel >> version 4.5.3-2 on the s390x architecture: >> >> dasd_mod: module verification failed: signature and/or required key missing >> - tainting kernel > > This is expected until we sort out support for loading signed modules > in unstable. > I've done a little research on this. I haven't checked other architectures, but the stock s390x kernel for 4.5.3-2 (and today I also tried 4.5.4-1) has CONFIG_MODULE_SIG=y # CONFIG_MODULE_SIG_ALL is not set This seems to be the problem. From what I've read, If CONFIG_MODULE_SIG=y, but CONFIG_MODULE_SIG_ALL is not set, then the modules need to be manually signed via scripts/sign-file between the "make modules" and "make modules_install" phases of the build process. But automated tools for building debian kernel packages, such as make-kpkg from kernel-package, "make deb-pkg", and I presume the tools you use for building stock kernels as well, do not allow this manual signing step to take place. I have been able to build a successful kernel using make-kpkg with both of the above options not set, as well as with both of them set to y. But the combination of options currently used in the stock kernel is problematic for these tools. -- .''`. Stephen Powell: :' : `. `'` `-
Bug#825141: dasd_mod: module verification failed: signature and/or required key missing - tainting kernel
On Mon, 2016-05-23 at 21:06 -0400, Stephen Powell wrote: > Package: linux > Version: 4.5.3-2 > Severity: minor > X-Debbugs-CC: debian-s...@lists.debian.org > > The following message is received at boot time when booting the stock Debian > kernel > version 4.5.3-2 on the s390x architecture: > > dasd_mod: module verification failed: signature and/or required key missing - > tainting kernel This is expected until we sort out support for loading signed modules in unstable. > The kernel does boot; but the kernel gets tainted, which disables lock > debugging. Lock debugging is not enabled to start with. Ben. -- Ben Hutchings Time is nature's way of making sure that everything doesn't happen at once. signature.asc Description: This is a digitally signed message part
Bug#825141: dasd_mod: module verification failed: signature and/or required key missing - tainting kernel
Package: linux Version: 4.5.3-2 Severity: minor X-Debbugs-CC: debian-s...@lists.debian.org The following message is received at boot time when booting the stock Debian kernel version 4.5.3-2 on the s390x architecture: dasd_mod: module verification failed: signature and/or required key missing - tainting kernel The kernel does boot; but the kernel gets tainted, which disables lock debugging. -- .''`. Stephen Powell: :' : `. `'` `-