Ben, hello! Can you please tell, why do we have in kernel config file:
CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_KEY="" so loading any kernel module (checked with sid/unstable with kernels linux-image-4.5.0-2-amd64 and linux-image-4.5.0-2-sparc64-smp ) taints kernel : on x86_64: mator@windrunner:~$ dmesg | grep -i taint [ 1.056795] fjes: module verification failed: signature and/or required key missing - tainting kernel root@windrunner:/home/mator# modinfo fjes filename: /lib/modules/4.5.0-2-amd64/kernel/drivers/net/fjes/fjes.ko version: 1.0 license: GPL description: FUJITSU Extended Socket Network Device Driver author: Taku Izumi <izumi.t...@jp.fujitsu.com> srcversion: C09FB90B0DA9890395D27B8 alias: acpi*:PNP0C02:* depends: intree: Y vermagic: 4.5.0-2-amd64 SMP mod_unload modversions mator@windrunner:~$ cat /proc/sys/kernel/tainted 8192 [1] states that 8192 code is for "An unsigned module has been loaded in a kernel supporting module signature." on sparc64: mator@nvg5120:~$ dmesg | grep taint [1800486.552168] aes_sparc64: module verification failed: signature and/or required key missing - tainting kernel root@nvg5120:~# modinfo aes_sparc64 filename: /lib/modules/4.5.0-2-sparc64-smp/kernel/arch/sparc/crypto/aes-sparc64.ko alias: crypto-aes alias: aes description: Rijndael (AES) Cipher Algorithm, sparc64 aes opcode accelerated license: GPL alias: of:NcpuT*Csun4vC* alias: of:NcpuT*Csun4v depends: intree: Y vermagic: 4.5.0-2-sparc64-smp SMP mod_unload modversions Looking at the output of modinfo, there's no lines like this (as example of signed module): user$ modinfo usbcore | grep '^sig' signer: Modules sig_key: B0:3B:5E:DB:57:00:F9:D5:D7:85:EB:2D:6F:3E:19:D3:4A:20:20:5B sig_hashalgo: sha512 If module signing only for Secure Boot on EFI [2], why do we have it on sparc64? Thanks. [1] https://www.kernel.org/doc/Documentation/sysctl/kernel.txt [2] https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html