This topic describes the cause of the following issue and how to resolve the issue: The "integrity: Unable to open file" error messages appear in the kernel logs of an Elastic Compute Service (ECS) instance that runs Alibaba Cloud Linux 2.
Problem description
After you run the dmesg command to view the kernel logs of an Elastic Compute Service (ECS) instance that runs the following Alibaba Cloud Linux 2 image version and kernel version, the following error messages appear.
Image version: aliyun_2_1903_x64_20G_alibase_20200529.vhd or later
Kernel version: kernel-4.19.91-19.1.al7 or later
[ 2.960294] integrity: Unable to open file: /etc/keys/x509_ima.der (-2)
[ 2.960295] integrity: Unable to open file: /etc/keys/x509_evm.der (-2)
Cause
If the CONFIG_IMA_LOAD_X509 and CONFIG_EVM_LOAD_X509 features are enabled in the kernel of Alibaba Cloud Linux 2, the following configurations must be specified to provide the required certificate paths for the kernel integrity subsystem:
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
If the operating system of the ECS instance is not a trusted system, the preceding path configurations are not specified and the corresponding files cannot be opened. As a result, the "integrity: Unable to open file" error messages appear.
If the operating system of the ECS instance is a trusted system, the preceding path configurations are specified. In this case, no error messages appear when the files are opened.
If an operating system is a trusted system, the command output of the ll /dev/tpm* command contains /dev/tpm0 or /dev/tpmrm0 for the operating system.
Solution
The preceding issue is only about the configurations and does not affect the operating system. You can ignore the error messages.
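The check described in this topic can be scripted. The following is an added example, not Alibaba Cloud tooling: it reads kernel log text, extracts the certificate paths that failed to open with error -2 (ENOENT, no such file), and uses the TPM device nodes named above to decide whether the message is expected. The function names, the verdict words, and the device-directory parameter are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud tooling. Usage: dmesg | triage_integrity

# Sample input: the two kernel log lines quoted in this topic.
SAMPLE_LOG='[ 2.960294] integrity: Unable to open file: /etc/keys/x509_ima.der (-2)
[ 2.960295] integrity: Unable to open file: /etc/keys/x509_evm.der (-2)'

# Print each certificate path the integrity subsystem failed to open with
# error -2 (ENOENT, no such file). Reads kernel log text on stdin.
missing_integrity_certs() {
    sed -n 's/.*integrity: Unable to open file: \([^ ]*\) (-2).*/\1/p' | sort -u
}

# True if the directory holds one of the TPM device nodes named in this topic.
has_tpm() {
    [ -e "$1/tpm0" ] || [ -e "$1/tpmrm0" ]
}

# Reads kernel log text on stdin and prints one verdict word.
# $1 = device directory, default /dev (parameter is an assumption, for testing).
triage_integrity() {
    devdir=${1:-/dev}
    certs=$(missing_integrity_certs)
    if [ -z "$certs" ]; then
        echo "clean"          # message not present in this log
    elif has_tpm "$devdir"; then
        echo "unexpected"     # trusted system: the topic says no error should appear
    else
        echo "expected"       # not a trusted system: the topic says to ignore it
    fi
}
```

A verdict of "unexpected" means the instance exposes a TPM device but still logs the message, which differs from the behavior this topic describes for trusted systems and is worth a closer look.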