Tainted Kernel

dmesg | grep -i taint
[ 11.642005] 8812au: loading out-of-tree module taints kernel.
[ 11.642887] 8812au: module verification failed: signature and/or required key missing - tainting kernel
[ 14.944939] CPU: 2 PID: 987 Comm: NetworkManager Tainted: G OE 6.3.8-200.fc38.x86_64 #1
[ 15.567846] CPU: 0 PID: 987 Comm: NetworkManager Tainted: G W OE 6.3.8-200.fc38.x86_64 #1

Please help me to reolve the problem.

I follow the thread tio install 8812au driver

git clone https://github.com/gnab/rtl8812au.git /usr/src/8812au-4.2.2/
cd /usr/src/8812au-4.2.2/
cp 8812au.ko /lib/modules/5.3.7-301.fc31.x86_64/kernel/drivers/net/wireless
sudo insmod 8812au.ko
sudo depmod -a
sudo modprobe 8812au

The installation is complete but it is an unsigned module which fail the signed module verification
Please help me how to sign the 8812au moudle

If that driver is installed from an rpm then it should already be signed. If it is compiled locally as is apparent from what you posted then when using secure boot one must create a signature key and load it into the bios so the kernel recognizes it. When not using secure boot the signature is not required.

Note that taint and not-signed are 2 totally different factors. An unsigned module cannot be loaded if secure boot is enabled. A module that taints the kernel but is signed may be loaded with or without secure boot enabled.

A locally compiled (out-of-tree) module is not part of the fedora ecosystem and will likely always taint the kernel when loaded whether it is signed or not.

According to what you posted it seems you have secure boot disabled and the module loaded but you are concerned about the taint. That is not something that can be changed so ignore it.

When you say something like

it would be nice if one were to post the link to the actual thread so we may read what instructions were followed.

Thank you for posting the actual steps used.

Thanks the immediate response. I will try with secure boot enabled and recompile 8812au driver locally. I hope this will create a signature key and load it into bios so that the kernel recognizes it.

I will provide the exact feedback at a later date.

Thanks for the assistance.

In addition, i follow this link to install the 8812au driver https://discussion.fedoraproject.org/t/wifi-rtl8812au-downgrade-kernel/78090/1

Please be informed I have the secure boot enabled. I reinstall the fedora cinnamon system. I reinstall the 8812au driver using the following link GitHub - morrownr/8812au-20210629: Linux Driver for USB WiFi Adapters that are based on the RTL8812AU Chipset - v5.13.6.
With secure-boot enabled, there is no wireless icon and the nmcli show wifi enabled but one cannot connect(with no wifi scan list). With secure-boot disabled, wireless icon shows up but it is having a tainted kernel. One will experience possible lockup cases. Hope you understand my concerns on this matter.

Did you enroll the machine owner key in the secure boot database? Signing it without enrolling the signature won’t cut it.

You need to:

  • Install openssl: sudo dnf install openssl
  • Remove the dkms module completely.
  • Reinstall the dkms module (dkms will generate a signing key).
  • Enroll the key in your secure boot database:
    sudo mokutil --import /var/lib/dkms/mok.pub (enter the password that will be used to enroll the key in the next boot).

As for the tainted kernel: It is normal when you load an out of tree module. My kernel is tainted due to rtl8821ce dkms driver and no issues in the last 2 years. For reference about tainted kernels: Tainted kernels — The Linux Kernel documentation

Thanks for the assistance. It worked as expected. I deeply thank you for the assistance.

Glad it worked!
Could you update the thread title to better reflect your issue? And mark the reply that solved the issue as solution for future reference.

Thanks for the guidance from A.Ismil td211.

With secure-boot enabled,

  • Reinstall the dkms module (dkms will generate a signing key).
  • Enroll the key in your secure boot database:
    sudo mokutil --import /var/lib/dkms/mok.pub (enter the password that will be used to enroll the key in the next boot).

Just follow the tips and tricks from Ismil, the lockup problems now disappear. Please note the
case is now fully resolved.

Lastly, thank you for your assistance. Wish you the very best !!!

I’m interested in understanding what the effects of a tainted kernel are. For example, I didn’t understand if this could lead to problems with secure boot enabled or if it could cause issues in other situations. Specifically I would like to enable GuC/HuC functions for hardware video acceleration (this operation taints the kernel).
I would be grateful if you could help me.

Any module that is from an out-of-tree source usually is considered to ‘taint’ the kernel. This is because it is not built by and certified by the kernel developers: Thus problems in the kernel “might” be caused by that module and the developers are not responsible for what that particular module may do or cause.

There may or may not be any negative effects, but the kernel is still tainted since the developers did not provide that particular module.

Thank you for the clarification.
Then I guess I’ll have to think about it.