Alibaba Cloud Linux: What do I do if the "integrity: Unable to open file" error messages appear in the kernel logs of an Alibaba Cloud Linux 2 instance?

Last Updated: Dec 08, 2023

This topic describes the cause of the following issue and how to resolve the issue: The "integrity: Unable to open file" error messages appear in the kernel logs of an Elastic Compute Service (ECS) instance that runs Alibaba Cloud Linux 2.

Problem description

When you run the dmesg command on an Alibaba Cloud Linux 2 instance that meets the following conditions, the kernel logs contain error messages similar to the ones shown after the conditions:

  • Image version: aliyun_2_1903_x64_20G_alibase_20200529.vhd or later

  • Kernel version: kernel-4.19.91-19.1.al7 or later

[    2.960294] integrity: Unable to open file: /etc/keys/x509_ima.der (-2)
[    2.960295] integrity: Unable to open file: /etc/keys/x509_evm.der (-2)

Cause

The issue is not a kernel error. The CONFIG_IMA_LOAD_X509 and CONFIG_EVM_LOAD_X509 features are enabled in the Alibaba Cloud Linux 2 kernel, and the following configurations specify the certificate paths that the kernel integrity subsystem requires. However, the operating system of the instance is not a trusted system.

In this case, the certificate files named in the following configurations have not been configured and cannot be opened, so the "integrity: Unable to open file" error messages appear:

CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
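
The cause described above can be confirmed by comparing the kernel build configuration with the paths that appear in the log. The following script is an added example, not part of the original Alibaba Cloud documentation; the function names cert_status, classify_dmesg and demo are hypothetical, and the sample configuration and log lines in demo are constructed from the values shown on this page.

```shell
# Added example: relate "integrity: Unable to open file" kernel messages
# to the kernel build configuration. Function names are hypothetical.
# cert_status <kernel-config> <IMA|EVM> [root-dir]
# Prints "disabled", "present <path>" or "missing <path>".
cert_status() {
    cfg=$1 sub=$2 root=${3:-}
    # CONFIG_<sub>_LOAD_X509=y makes the kernel load the certificate at boot.
    if ! grep -q "^CONFIG_${sub}_LOAD_X509=y\$" "$cfg"; then
        echo "disabled"; return 0
    fi
    path=$(sed -n "s|^CONFIG_${sub}_X509_PATH=\"\(.*\)\"\$|\1|p" "$cfg")
    if [ -n "$path" ] && [ -f "$root$path" ]; then
        echo "present $path"
    else
        echo "missing $path"
    fi
}

# classify_dmesg <kernel-config> [root-dir]   (dmesg text on stdin)
# "expected <path>": a configured certificate is absent and the code is -2
# (ENOENT). Anything else is reported as "investigate <path> (<code>)".
classify_dmesg() {
    cfg=$1 root=${2:-}
    ima=$(cert_status "$cfg" IMA "$root")
    evm=$(cert_status "$cfg" EVM "$root")
    sed -n 's|.*integrity: Unable to open file: \(.*\) (\(-[0-9]*\))$|\1 \2|p' |
    while read -r path code; do
        if [ "$code" = "-2" ] &&
           { [ "$ima" = "missing $path" ] || [ "$evm" = "missing $path" ]; }; then
            echo "expected $path"
        else
            echo "investigate $path ($code)"
        fi
    done
}

# Demo on constructed input: both options enabled, no certificates installed.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'CONFIG_IMA_LOAD_X509=y' 'CONFIG_EVM_LOAD_X509=y' \
        'CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"' \
        'CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"' > "$tmp/config"
    printf '%s\n' \
        '[    2.960294] integrity: Unable to open file: /etc/keys/x509_ima.der (-2)' \
        '[    2.960295] integrity: Unable to open file: /etc/keys/x509_evm.der (-2)' |
        classify_dmesg "$tmp/config" "$tmp"
    rm -rf "$tmp"
}
demo
```

On a running instance, the same check applies to live logs by piping dmesg into classify_dmesg with the running kernel's build configuration as the argument; the location /boot/config-$(uname -r) is an assumption about the image layout.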

Solutions

  • Run the make menuconfig command to remove the following configurations, and then compile and install the kernel again.

    Go to the directory where the kernel source code resides, run the make menuconfig command to disable the following options, and then compile and install the kernel again:

    # Load X509 certificate onto the '.ima' trusted keyring
    # CONFIG_IMA_LOAD_X509 is not set
    # Load an X509 certificate onto the '.evm' trusted keyring
    # CONFIG_EVM_LOAD_X509 is not set
  • Ignore the messages.

    The messages result only from these kernel configurations and do not affect the system. You can ignore the error messages.