On Mon, May 23, 2016, at 22:16, Ben Hutchings wrote: > On Mon, 2016-05-23 at 21:06 -0400, Stephen Powell wrote: >> >> The following message is received at boot time when booting the stock Debian >> kernel >> version 4.5.3-2 on the s390x architecture: >> >> dasd_mod: module verification failed: signature and/or required key missing >> - tainting kernel > > This is expected until we sort out support for loading signed modules > in unstable. >
I've done a little research on this. I haven't checked other architectures, but the stock s390x kernel for 4.5.3-2 (and today I also tried 4.5.4-1) has CONFIG_MODULE_SIG=y # CONFIG_MODULE_SIG_ALL is not set This seems to be the problem. From what I've read, If CONFIG_MODULE_SIG=y, but CONFIG_MODULE_SIG_ALL is not set, then the modules need to be manually signed via scripts/sign-file between the "make modules" and "make modules_install" phases of the build process. But automated tools for building debian kernel packages, such as make-kpkg from kernel-package, "make deb-pkg", and I presume the tools you use for building stock kernels as well, do not allow this manual signing step to take place. I have been able to build a successful kernel using make-kpkg with both of the above options not set, as well as with both of them set to y. But the combination of options currently used in the stock kernel is problematic for these tools. -- .''`. Stephen Powell <zlinux...@fastmail.com> : :' : `. `'` `-
