Hi Anupam,

Sorry, I am a little confused about your explanation.

In my kernel, only CONFIG_MODULE_SIG is set to yes. But from the 2nd answer of
this post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
it says "no need to disable this option in kernel". So my question is
this answer is wrong?
If no disable "CONFIG_MODULE_SIG" in kernel, "module verification
failed: signature and/or required key missing"
always be printed?

Thanks!
Best Regards
Nan Xiao


On Mon, Nov 2, 2015 at 4:43 PM, Anupam Kapoor [off-list ref] wrote:

quoted

quoted

quoted

quoted

quoted

[2015-11-02T12:59:30+0530]: "Nan Xiao" (nan-xiao):

,----[ nan-xiao ]
| I don't disable CONFIG_MODULE_SIG configuration in kernel. Since from this
| post (http://stackoverflow.com/questions/24975377/kvm-module-verification-failed-signature-and-or-required-key-missing-taintin),
| the answer said only disable this option in module's Makefile is enough.
`----
following config options are available (under 'enable loadable module support')

CONFIG_MODULE_SIG : checks modules for valid signature on load.

CONFIG_MODULE_SIG_FORCE : rejects unsigned modules or modules for which
key is not available.

thus, if, this is set to 'n' then loading a module with bad signature,
would taint the kernel. however, if, this is set to 'y' then loading a
module with bad signature will be rejected.

so, my guess is that in your case, this is most likely set to 'y'.

--
kind regards
anupam