kvmfr: module verification failed: signature and/or required key missing - tainting kernel

I have compiled Looking Glass successfully, but I get this error message with dmesg | grep kvmfr

[ 4.701587] EXT4-fs (nvme1n1p2): re-mounted 615f2b9b-2e81-408c-9883-4beea75b2062 r/w. Quota mode: none.
[ 4.701954] kvmfr: loading out-of-tree module taints kernel.
[ 4.702390] kvmfr: module verification failed: signature and/or required key missing - tainting kernel
[ 4.702814] kvmfr: creating 1 static devices
[ 4.705097] kvmfr: kvmfr_module_init: module loaded
[ 4.716044] systemd[1]: Starting systemd-tmpfiles-setup-dev-early.service - Create Static Device Nodes in /dev gracefully…

Any pointers on how to fix the out-of-tree module?

Kubuntu Linux version 6.14.0-22-generic.

Regards.

Debian supply a PEM with signing keys to build your own modules. See here: Debian Handbook, under Kernel Compilation, under "TIP Missing debian/certs/debian-uefi-certs.pem". There’s more detail about what’s going on in the handbook.

K3n.

Wonder if it’d be easier to build kvmfr into one’s own custom kernels as opposed to hoping dkms won’t have some debian-ism.

Like k3ninho said, it has something to do with UEFI and Secure Boot:

“On UEFI systems with Secure Boot enabled, modules require signing before they can be loaded. The modules shipped with the kernel packages are signed. But external modules are not.”

Perhaps it is worth trying the whole thing with secure boot switched off. If everything is running and you still have enough power and desire, then you can experiment with secure boot switched on.
If you absolutely have to. :see_no_evil: :hear_no_evil: :speak_no_evil:
I personally feel that the immature secure boot is an invention of a personality with strong sadistic tendencies without offending anyone. :sweat_smile:

Thank you - not looking forward to reinstalling :frowning:
Does Secure boot cause so many issues?

Is there any documentation for complete removal, including the modules? Then I can have another go at reinstalling Looking Glass.

Regards

Why reinstall?

I think that the guide there supplies cryptographic credentials you can add to your current kernel build setup to get signed modules. Let us know how it goes.

K3n.

It’s not Secure Boot in itself but how the Linux kernel reacts when started in Secure Boot mode.

Secure boot is a feature that allows only booting “trusted” operating systems with the right keys/signatures.

The Linux kernel extends this to its kernel modules too, because if you allow loading of unsigned kernel modules you would just easily sidestep the security measure.

So in this case you can disable it or sign the kernel module so it passes the verification.

Ah, come on, it is a security system, it is doing its job. The issue is enabling it on everything even when it is not necessary.

Your home probably does not need a bank vault, for example; you can get a smaller safe and still be fine with your valuables even if it’s less safe than the bank vault.

"Summary (of c’t 07/2024)
All of this adds up to a shocking picture. Secure Boot is supposed to protect against known insecure boot loaders via DBX; but which boot loaders are exactly affected, is not available. Microsoft has published a list on uefi.org, but has only a limited connection with reality. The DBX also suffers from a lack of space. To summarize: Secure Boot cannot fulfill its task in its current form.

Microsoft’s supposed solution to the problem leads to even more chaos: Here too it is unclear exactly which boot loaders are blocked. Even worse: activating this function did not work on most of our test computers, and without any indication of any problems. In addition, unlike with the DBX ignores external drives. If you try to fix this on your own, in the worst case scenario you will put the computer in a state that looks like a total loss even though only one file is missing. There is no documentation that would deserve its name, and Microsoft does not even provide a clear schedule. In short: The attempt to solve the secure boot problems with the Code Integrity Boot policy is currently going completely down the drain.

If you are now asking what you should do, the simplest answer is simply “Disable Secure Boot completely” (if you use BitLocker, please refer to the box on p. 54). However, there are also other approaches. More on this in the following practical articles."
This is an abstract of the c’t magazine 07/2024.
I would say the idea of secure boot was good but the outcome was problematic.

The oldest Secure Boot certificates expire in June and October 2026.
We will see what problems it leads to if no new certificates are available or the old ones are not replaced, and this is not just a Windows problem. macOS and Linux can also be affected.

My approach was too driven by the many hours I’ve already spent solving secure boot problems and I’m a bit allergic at the moment.
starshipeleven represents a more feasible and less disappointing solution with his approach here: “that the guide there supplies cryptographic credentials you can add to your current kernel build setup to get signed modules.”

You can turn Secure Boot off. The Debian guide tells you how to do that and to turn sign verification off. I use Secure Boot on my mobile devices, also Debian shill.

I couldn’t get it working, so I decided to reinstall Kubuntu with no Secure Boot. I recompiled Looking Glass. It compiles without error. Here’s what I get with dmesg looking for KVM.

[ 5.415587] systemd[1]: Mounted sys-kernel-config.mount - Kernel Configuration File System.
[ 5.416911] kvmfr: loading out-of-tree module taints kernel.
[ 5.416986] kvmfr: module verification failed: signature and/or required key missing - tainting kernel
[ 5.417278] kvmfr: creating 1 static devices
[ 5.419221] kvmfr: kvmfr_module_init: module loaded
[ 5.420044] systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules.

[ 5.608692] nvidia 0000:01:00.0: vgaarb: VGA decodes changed: olddecodes=io+mem,decodes=none:owns=io+mem
[ 5.612059] kvm_amd: TSC scaling supported
[ 5.612062] kvm_amd: Nested Virtualization enabled
[ 5.612063] kvm_amd: Nested Paging enabled
[ 5.612064] kvm_amd: LBR virtualization supported
[ 5.612072] kvm_amd: Virtual VMLOAD VMSAVE supported
[ 5.612073] kvm_amd: Virtual GIF supported
[ 5.612073] kvm_amd: Virtual NMI enabled

The tainted kernel error happens after I perform

dkms install "."

From that point on, I get the tainted kernel message in dmesg.

Regards,

Terry

That’s not an error, just a warning.

[ 5.417278] kvmfr: creating 1 static devices
[ 5.419221] kvmfr: kvmfr_module_init: module loaded

The module is loaded. That’s the important part.

Cheers.
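
An added example (not from any poster in this thread or from the Looking Glass project): a shell function that reads dmesg text and separates the taint notice quoted above, where the module still loads, from the messages the kernel prints when it actually refuses an unsigned module. The rejection strings and the `enforced_log` sample are assumptions written from the upstream kernel's messages, not taken from this thread; the function and sample names are made up for the example.

```shell
#!/bin/sh
# Usage: dmesg | kmod_load_verdict kvmfr
# Prints: loaded-unsigned | loaded | rejected | unknown
kmod_load_verdict() {
    _mod=$1
    _log=$(cat)
    # Messages printed by the module itself ("] kvmfr: ..."), excluding the two
    # taint notices that the module loader prints under the module's name.
    _own=$(printf '%s\n' "$_log" | grep -F "] ${_mod}: " |
        grep -cvE 'taints kernel|tainting kernel' || true)
    # Notice printed when an unsigned module is let in (signatures not enforced).
    _unsigned=0
    if printf '%s\n' "$_log" |
        grep -qF "${_mod}: module verification failed: signature and/or required key missing"
    then _unsigned=1; fi
    # Printed instead when signatures are enforced (module.sig_enforce=1 or
    # kernel lockdown). These lines do not name the module, so they count
    # against it only when it never printed anything itself.
    _enforced=0
    if printf '%s\n' "$_log" | grep -qE \
        'Loading of (unsigned module|module with .*) is rejected|unsigned module loading is restricted'
    then _enforced=1; fi

    # "loaded" only means no taint notice was seen for this module; it does not
    # prove a signature. Check that with: modinfo -F signer <module>
    if [ "$_own" -gt 0 ] && [ "$_unsigned" -eq 1 ]; then echo loaded-unsigned
    elif [ "$_own" -gt 0 ]; then echo loaded
    elif [ "$_enforced" -eq 1 ]; then echo rejected
    else echo unknown
    fi
}

# The kvmfr lines quoted in the thread.
thread_log() {
    cat <<'EOF'
[ 5.416911] kvmfr: loading out-of-tree module taints kernel.
[ 5.416986] kvmfr: module verification failed: signature and/or required key missing - tainting kernel
[ 5.417278] kvmfr: creating 1 static devices
[ 5.419221] kvmfr: kvmfr_module_init: module loaded
EOF
}

# Constructed sample (assumption): a refused load under kernel lockdown.
enforced_log() {
    cat <<'EOF'
[ 5.416911] Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
EOF
}

if [ "${1:-}" = "--demo" ]; then
    thread_log | kmod_load_verdict kvmfr      # loaded-unsigned
    enforced_log | kmod_load_verdict kvmfr    # rejected
fi
```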