Bug#825141: dasd_mod: module verification failed: signature and/or required key missing

Stephen Powell

2016-05-26 01:10:01 UTC

Post by Stephen Powell
The following message is received at boot time when booting the stock Debian kernel
dasd_mod: module verification failed: signature and/or required key missing - tainting kernel

This is expected until we sort out support for loading signed modules
in unstable.

I've done a little research on this. I haven't checked other architectures,
but the stock s390x kernel for 4.5.3-2 (and today I also tried 4.5.4-1) has

CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_ALL is not set

This seems to be the problem. From what I've read, If CONFIG_MODULE_SIG=y, but
CONFIG_MODULE_SIG_ALL is not set, then the modules need to be manually signed
via

scripts/sign-file

between the "make modules" and "make modules_install" phases of the build
process. But automated tools for building debian kernel packages, such as
make-kpkg from kernel-package, "make deb-pkg", and I presume the tools you
use for building stock kernels as well, do not allow this manual signing step
to take place.

I have been able to build a successful kernel using make-kpkg with both of the
above options not set, as well as with both of them set to y. But the
combination of options currently used in the stock kernel is problematic
for these tools.

--
.''`. Stephen Powell <***@fastmail.com>
: :' :
`. `'`
`-