I'm using Ubuntu 14.04 LTS
and kernel version 3.13.11.4
.
I'm trying to load patched KVM modules kvm
and kvm-intel
and I'm getting the following errors
我正在使用Ubuntu 14.04 LTS和内核3.13.11.4版本。我正在尝试加载patched KVM模块KVM和KVM -intel,我得到了以下错误。
kvm: module verification failed: signature and/or required key missing - tainting kernel
andkvm: module has bad taint, not creating trace events
.kvm:模块验证失败:签名和/或所需的密钥缺失——玷污内核和kvm:模块有坏的污点,没有创建跟踪事件。
The source used is the same source that created the image that I am currently running.
I've check the symbols and made sure to the error isn't cause by not including EXPORT_SYMBOL_GPL()
in the patched files where I exported functions.
所使用的源是创建我正在运行的图像的同一源。我检查了符号,并确保错误不是由于在我导出函数的补丁文件中没有包含EXPORT_SYMBOL_GPL()造成的。
I've also seen some stuff about different kernel versions causing this error but I built the kernel that I'm booted in with the same source that I used to create the patched kvm modules.
Everything compile without an warning. Any help is appreciated!我还看到了一些关于不同内核版本导致这个错误的内容,但是我构建了内核,我使用了与创建补丁kvm模块相同的源启动了内核。一切都在没有任何警告的情况下编译。任何帮助都是赞赏!
4 个解决方案
#1
10
It seems like the vendor of your system has enabled kernel module signature verification on your kernel which means it won't load any module that the vendor hasn't signed. In other words, your patched module isn't signed (properly) and the kernel will refuse to load it.
看起来您的系统供应商已经在您的内核上启用了内核模块签名验证,这意味着它不会加载供应商没有签名的任何模块。换句话说,您修补过的模块没有(正确地)签名,内核将拒绝加载它。
The point of this is supposed to prevent malware and rootkits from loading malicious kernel modules.
这样做的目的是防止恶意软件和rootkit加载恶意内核模块。
I suggest you contact your vendor. There may be an option somewhere on your platform to disable signature checking. Otherwise, your vendor may be able to sign the module for you. You might even have the key and the details of the signature verification algorithm and can sign it yourself.
我建议你和你的供应商联系。您的平台上可能有禁用签名检查的选项。否则,您的供应商可能会为您签署这个模块。您甚至可能拥有签名验证算法的密钥和细节,并可以自己签名。
Without knowing what platform you're running on, it's hard to give more specific suggestions.
如果不知道自己在哪个平台上运行,就很难给出更具体的建议。
#2
16
Instead of re-configuring the kernel, this error (module verification failed
) could be resolved by just adding one line CONFIG_MODULE_SIG=n
to the top of the Makefile
for the module itself:
不需要重新配置内核,这个错误(模块验证失败)可以通过为模块本身在Makefile的顶部添加一行CONFIG_MODULE_SIG=n来解决:
CONFIG_MODULE_SIG=n
# If KERNELRELEASE is defined, we've been invoked from the
# kernel build system and can use its language.
ifneq ($(KERNELRELEASE),)
obj-m := hello.o
# Otherwise we were called directly from the command
# line; invoke the kernel build system.
else
KERNELDIR ?= /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KERNELDIR) M=$(PWD) modules
endif
#3
9
In general, if you are building a custom kernel and using make oldconfig
. This copies the exiting config-* file from /boot. Now a days most of the kernel modules required to be signed by the linux vendor. So edit the .config and disable CONFIG_MODULE_SIG_ALL and CONFIG_MODULE_SIG, before compiling the kernel.
通常,如果您正在构建一个自定义内核并使用make oldconfig。这将从/boot复制现有的配置-*文件。现在,大多数内核模块都需要linux供应商签名。因此在编译内核之前,编辑.config并禁用CONFIG_MODULE_SIG_ALL和CONFIG_MODULE_SIG。
CONFIG_MODULE_SIG=n
CONFIG_MODULE_SIG_ALL=n
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
#4
9
Go to the kernel source directory and do (for e.g):
转到内核源目录并执行(例如):
./scripts/sign-file sha512 ./signing_key.priv ./signing_key.x509 /lib/modules/3.10.1/kernel/drivers/char/my_module.ko
for kernel 4.4.*, keys location should be as follows:
4.4内核。*、钥匙位置应如下:
./scripts/sign-file sha512 ./certs/signing_key.pem ./certs/signing_key.x509 path/to/your/kernel/module.ko
Check what is the digest algorithm your kernel is using by opening .config
and reading it in CONFIG_MODULE_SIG
config values.
通过打开.config并在CONFIG_MODULE_SIG配置值中读取它,检查内核使用的摘要算法是什么。
CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512"
#1
10
It seems like the vendor of your system has enabled kernel module signature verification on your kernel which means it won't load any module that the vendor hasn't signed. In other words, your patched module isn't signed (properly) and the kernel will refuse to load it.
看起来您的系统供应商已经在您的内核上启用了内核模块签名验证,这意味着它不会加载供应商没有签名的任何模块。换句话说,您修补过的模块没有(正确地)签名,内核将拒绝加载它。
The point of this is supposed to prevent malware and rootkits from loading malicious kernel modules.
这样做的目的是防止恶意软件和rootkit加载恶意内核模块。
I suggest you contact your vendor. There may be an option somewhere on your platform to disable signature checking. Otherwise, your vendor may be able to sign the module for you. You might even have the key and the details of the signature verification algorithm and can sign it yourself.
我建议你和你的供应商联系。您的平台上可能有禁用签名检查的选项。否则,您的供应商可能会为您签署这个模块。您甚至可能拥有签名验证算法的密钥和细节,并可以自己签名。
Without knowing what platform you're running on, it's hard to give more specific suggestions.
如果不知道自己在哪个平台上运行,就很难给出更具体的建议。
#2
16
Instead of re-configuring the kernel, this error (module verification failed
) could be resolved by just adding one line CONFIG_MODULE_SIG=n
to the top of the Makefile
for the module itself:
不需要重新配置内核,这个错误(模块验证失败)可以通过为模块本身在Makefile的顶部添加一行CONFIG_MODULE_SIG=n来解决:
CONFIG_MODULE_SIG=n
# If KERNELRELEASE is defined, we've been invoked from the
# kernel build system and can use its language.
ifneq ($(KERNELRELEASE),)
obj-m := hello.o
# Otherwise we were called directly from the command
# line; invoke the kernel build system.
else
KERNELDIR ?= /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KERNELDIR) M=$(PWD) modules
endif
#3
9
In general, if you are building a custom kernel and using make oldconfig
. This copies the exiting config-* file from /boot. Now a days most of the kernel modules required to be signed by the linux vendor. So edit the .config and disable CONFIG_MODULE_SIG_ALL and CONFIG_MODULE_SIG, before compiling the kernel.
通常,如果您正在构建一个自定义内核并使用make oldconfig。这将从/boot复制现有的配置-*文件。现在,大多数内核模块都需要linux供应商签名。因此在编译内核之前,编辑.config并禁用CONFIG_MODULE_SIG_ALL和CONFIG_MODULE_SIG。
CONFIG_MODULE_SIG=n
CONFIG_MODULE_SIG_ALL=n
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
#4
9
Go to the kernel source directory and do (for e.g):
转到内核源目录并执行(例如):
./scripts/sign-file sha512 ./signing_key.priv ./signing_key.x509 /lib/modules/3.10.1/kernel/drivers/char/my_module.ko
for kernel 4.4.*, keys location should be as follows:
4.4内核。*、钥匙位置应如下:
./scripts/sign-file sha512 ./certs/signing_key.pem ./certs/signing_key.x509 path/to/your/kernel/module.ko
Check what is the digest algorithm your kernel is using by opening .config
and reading it in CONFIG_MODULE_SIG
config values.
通过打开.config并在CONFIG_MODULE_SIG配置值中读取它,检查内核使用的摘要算法是什么。
CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512"