Hi, I believe I am using akmod to build the nvidia kernel module when the kernel version changes and that built module is tainting the kernel because of missing signature or keys, which I am assuming are secure boot keys, but I also followed some instructions I found on the net to get nvidia keys into secure boot when I first installed the nvidia modules. I don't know whether I was getting the following messages at that time or not, as I found these when I was looking for something else. Is the issue with the following messages that the secure boot keys have to be rebuilt every time the nvidia modules are updated? Just as a follow on from this, I've read that nvidia have open sourced their linux drivers, how long will it take for those to be incorporated into the distribution to remove the requirement for the Rpm Fusion versions?
[ 13.973631] nvidia: loading out-of-tree module taints kernel. [ 13.973636] nvidia: module license 'NVIDIA' taints kernel. [ 13.978637] nvidia: module verification failed: signature and/or required key missing - tainting kernel [ 13.988926] nvidia-nvlink: Nvlink Core is being initialized, major device number 511 [ 13.989619] nvidia0000:09:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=none:owns=io+mem [ 14.040430] NVRM: loading NVIDIAUNIX x86_64 Kernel Module 510.68.02 Wed Apr 20 21:10:34 UTC 2022 [ 14.677665] caller _nv000651rm+0x1ad/0x200 [nvidia] mapping multiple BARs [ 14.928567] nvidia_uvm: module uses symbols from proprietary module nvidia, inheriting taint.
regards, Steve
On 7/5/22 16:54, Stephen Morris wrote:
I believe I am using akmod to build the nvidia kernel module when the kernel version changes and that built module is tainting the kernel because of missing signature or keys, which I am assuming are secure boot keys, but I also followed some instructions I found on the net to get nvidia keys into secure boot when I first installed the nvidia modules. I don't know whether I was getting the following messages at that time or not, as I found these when I was looking for something else.
No. Any use of the binary blob nVidia drivers, including either knod or akmod, taints the kernel because the maintainers don't have access to the source code.
On Tue, Jul 5, 2022 at 7:55 PM Stephen Morris samorris@netspace.net.au wrote:
Hi, I believe I am using akmod to build the nvidia kernel module when the kernel version changes and that built module is tainting the kernel because of missing signature or keys, which I am assuming are secure boot keys, but I also followed some instructions I found on the net to get nvidia keys into secure boot when I first installed the nvidia modules. I don't know whether I was getting the following messages at that time or not, as I found these when I was looking for something else. Is the issue with the following messages that the secure boot keys have to be rebuilt every time the nvidia modules are updated?
It is the nvidia proprietary code that kernel developers can't examine -- nothing to do with the secure boot keys: https://ask.fedoraproject.org/t/nvidia-taints-kernel/12753
Just as a follow on from this, I've read that nvidia have open sourcedtheir linux drivers, how long will it take for those to be incorporated into the distribution to remove the requirement for the Rpm Fusion versions?
[ 13.973631] nvidia: loading out-of-tree module taints kernel. [ 13.973636] nvidia: module license 'NVIDIA' taints kernel. [ 13.978637] nvidia: module verification failed: signature and/or required key missing - tainting kernel [ 13.988926] nvidia-nvlink: Nvlink Core is being initialized, major device number 511 [ 13.989619] nvidia 0000:09:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=none:owns=io+mem [ 14.040430] NVRM: loading NVIDIA UNIX x86_64 Kernel Module 510.68.02 Wed Apr 20 21:10:34 UTC 2022 [ 14.677665] caller _nv000651rm+0x1ad/0x200 [nvidia] mapping multiple BARs [ 14.928567] nvidia_uvm: module uses symbols from proprietary module nvidia, inheriting taint.
On Jul 5, 2022, at 18:55, Stephen Morris samorris@netspace.net.au wrote:
[ 13.973636] nvidia: module license 'NVIDIA' taints kernel.
It’s this line where the kernel notes why it is tainted. Somewhere in the nvidia kmod C code, there is a line that looks like this:
MODULE_LICENSE("NVIDIA");
The kernel will print out the aforementioned kernel message if it isn’t one of the open licenses defined in the kernel. There’s more about tainted kernels here:
https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
There are a variety of reasons why the kernel would be tainted, but in this case it is because a proprietary kernel module was loaded. It doesn’t have anything to do with signed kernel modules or secure boot.
On 6/7/22 10:41, Jonathan Billings wrote:
On Jul 5, 2022, at 18:55, Stephen Morrissamorris@netspace.net.au wrote:
[ 13.973636] nvidia: module license 'NVIDIA' taints kernel.
It’s this line where the kernel notes why it is tainted. Somewhere in the nvidia kmod C code, there is a line that looks like this:
MODULE_LICENSE("NVIDIA");
The kernel will print out the aforementioned kernel message if it isn’t one of the open licenses defined in the kernel. There’s more about tainted kernels here:
https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
There are a variety of reasons why the kernel would be tainted, but in this case it is because a proprietary kernel module was loaded. It doesn’t have anything to do with signed kernel modules or secure boot.
I thought the akmod version of the nvidia driver was the version that was compiled every time the kernel version was changed, is that not the case?
regards, Steve
-- Jonathan Billings
users mailing list --users@lists.fedoraproject.org To unsubscribe send an email tousers-leave@lists.fedoraproject.org Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it:https://pagure.io/fedora-infrastructure
On Wed, 2022-07-06 at 19:07 +1000, Stephen Morris wrote:
On 6/7/22 10:41, Jonathan Billings wrote:
On Jul 5, 2022, at 18:55, Stephen Morrissamorris@netspace.net.au wrote:
[ 13.973636] nvidia: module license 'NVIDIA' taints kernel.
It’s this line where the kernel notes why it is tainted. Somewhere in the nvidia kmod C code, there is a line that looks like this:
MODULE_LICENSE("NVIDIA");
The kernel will print out the aforementioned kernel message if it isn’t one of the open licenses defined in the kernel. There’s more about tainted kernels here:
https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
There are a variety of reasons why the kernel would be tainted, but in this case it is because a proprietary kernel module was loaded. It doesn’t have anything to do with signed kernel modules or secure boot.
I thought the akmod version of the nvidia driver was the version that was compiled every time the kernel version was changed, is that not the case?
It's compiled as a module, but uses the Nvidia blob. It's not free software.
poc
On 7/6/2022 12:39 PM, Patrick O'Callaghan wrote:
On Wed, 2022-07-06 at 19:07 +1000, Stephen Morris wrote:
On 6/7/22 10:41, Jonathan Billings wrote:
On Jul 5, 2022, at 18:55, Stephen Morrissamorris@netspace.net.au wrote:
[ 13.973636] nvidia: module license 'NVIDIA' taints kernel.
It’s this line where the kernel notes why it is tainted. Somewhere in the nvidia kmod C code, there is a line that looks like this:
MODULE_LICENSE("NVIDIA");
The kernel will print out the aforementioned kernel message if it isn’t one of the open licenses defined in the kernel. There’s more about tainted kernels here:
https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
There are a variety of reasons why the kernel would be tainted, but in this case it is because a proprietary kernel module was loaded. It doesn’t have anything to do with signed kernel modules or secure boot.
I thought the akmod version of the nvidia driver was the version that was compiled every time the kernel version was changed, is that not the case?
It's compiled as a module, but uses the Nvidia blob. It's not free software.
poc
If I remember your original email, you have successfully created and installed a key to sign the modules with (and maybe even signed the original module). If you have kept the key, you will not have to generate and install another one, but every time you install a new kernel, a new set of nvidia modules will need to be created and then signed. When I install a new kernel, the nvidia modules are created automatically, but after they are created, I have to manually sign them. I hope this is relevant to your original question.
On Wed, 2022-07-06 at 15:46 -0400, Lester Petrie wrote:
On 7/6/2022 12:39 PM, Patrick O'Callaghan wrote:
On Wed, 2022-07-06 at 19:07 +1000, Stephen Morris wrote:
On 6/7/22 10:41, Jonathan Billings wrote:
On Jul 5, 2022, at 18:55, Stephen Morrissamorris@netspace.net.au wrote:
[ 13.973636] nvidia: module license 'NVIDIA' taints kernel.
It’s this line where the kernel notes why it is tainted. Somewhere in the nvidia kmod C code, there is a line that looks like this:
MODULE_LICENSE("NVIDIA");
The kernel will print out the aforementioned kernel message if it isn’t one of the open licenses defined in the kernel. There’s more about tainted kernels here:
https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
There are a variety of reasons why the kernel would be tainted, but in this case it is because a proprietary kernel module was loaded. It doesn’t have anything to do with signed kernel modules or secure boot.
I thought the akmod version of the nvidia driver was the version that was compiled every time the kernel version was changed, is that not the case?
It's compiled as a module, but uses the Nvidia blob. It's not free software.
poc
If I remember your original email, you have successfully created and installed a key to sign the modules with (and maybe even signed the original module). If you have kept the key, you will not have to generate and install another one, but every time you install a new kernel, a new set of nvidia modules will need to be created and then signed. When I install a new kernel, the nvidia modules are created automatically, but after they are created, I have to manually sign them. I hope this is relevant to your original question.
This should have been a reply to the OP, not to me.
poc
On Jul 6, 2022, at 15:47, Lester Petrie lmpetrie@bellsouth.net wrote:
If I remember your original email, you have successfully created and installed a key to sign the modules with (and maybe even signed the original module). If you have kept the key, you will not have to generate and install another one, but every time you install a new kernel, a new set of nvidia modules will need to be created and then signed. When I install a new kernel, the nvidia modules are created automatically, but after they are created, I have to manually sign them. I hope this is relevant to your original question.
The kernel taint has nothing to do with signed kmods. The original question was about some messages in the kernel log which mention the kernel being tainted.
This is because:
1.) an out of tree module was loaded 2.) the module is proprietary 3.) the Fedora kernel has kmod signing turned on and the nvidia module isn’t signed with the Fedora signature
#1 is because it isn’t a kernel module that’s part of the Linux kernel. #2 is because the license in the code isn’t one of the open licenses permitted by the kernel. #3 is unrelated to secure boot directly, the Fedora kernel has module signing enabled and they’re signed by a private key when Fedora builds their kernels.
Each of these taint the kernel, which will be noted in kernel backtraces and crash dumps. -- Jonathan Billings
-
George N. White III -
Joe Zeff -
Jonathan Billings -
Lester Petrie -
Patrick O'Callaghan -
Stephen Morris