These messages are harmless. The Alibaba Cloud Linux 2 kernel has the CONFIG_IMA_LOAD_X509 and CONFIG_EVM_LOAD_X509 features enabled, which cause the Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) subsystems to look for X.509 certificate files at startup. On instances that are not trusted systems, those files are absent, so the kernel logs the error and continues. No functionality is affected.
Affected versions
ECS image:
aliyun_2_1903_x64_20G_alibase_20200529.vhdand laterKernel:
kernel-4.19.91-19.1.al7and later (rununame -rto check your kernel version)
Error details
When you run dmesg, you may see:
[ 2.960294] integrity: Unable to open file: /etc/keys/x509_ima.der (-2)
[ 2.960295] integrity: Unable to open file: /etc/keys/x509_evm.der (-2)The kernel integrity subsystem is configured to load X.509 certificates from these paths:
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"On non-trusted systems, those certificate files are absent. The issue is only related to configurations and does not affect the operating system.
Solution
No action is required. You can ignore the error messages.
To determine whether your instance is a trusted system, run:
ll /dev/tpm*| Output | Meaning |
|---|---|
/dev/tpm0 or /dev/tpmrm0 is listed | The instance is a trusted system. Certificate files are present and no errors appear at boot. |
| Neither device is listed | The instance is not a trusted system. The error messages appear at boot but do not affect the operating system. |