I'm using Ubuntu 14.04 LTS
and kernel version 3.13.11.4
.
I'm trying to load patched KVM modules kvm
and kvm-intel
and I'm getting the following errors
kvm: module verification failed: signature and/or required key missing - tainting kernel
andkvm: module has bad taint, not creating trace events
.
The source used is the same source that created the image that I am currently running.
I've check the symbols and made sure to the error isn't cause by not including EXPORT_SYMBOL_GPL()
in the patched files where I exported functions.
I've also seen some stuff about different kernel versions causing this error but I built the kernel that I'm booted in with the same source that I used to create the patched kvm modules.
Everything compile without an warning. Any help is appreciated!
Instead of re-configuring the kernel, this error (
module verification failed
) could be resolved by just adding one lineCONFIG_MODULE_SIG=n
to the top of theMakefile
for the module itself:In general, if you are building a custom kernel and using
make oldconfig
. This copies the exiting config-* file from /boot. Now a days most of the kernel modules required to be signed by the linux vendor. So edit the .config and disable CONFIG_MODULE_SIG_ALL and CONFIG_MODULE_SIG, before compiling the kernel.Go to the kernel source directory and do (for e.g):
for kernel 4.4.*, keys location should be as follows:
Check what is the digest algorithm your kernel is using by opening
.config
and reading it inCONFIG_MODULE_SIG
config values.It seems like the vendor of your system has enabled kernel module signature verification on your kernel which means it won't load any module that the vendor hasn't signed. In other words, your patched module isn't signed (properly) and the kernel will refuse to load it.
The point of this is supposed to prevent malware and rootkits from loading malicious kernel modules.
I suggest you contact your vendor. There may be an option somewhere on your platform to disable signature checking. Otherwise, your vendor may be able to sign the module for you. You might even have the key and the details of the signature verification algorithm and can sign it yourself.
Without knowing what platform you're running on, it's hard to give more specific suggestions.