I am contacting you regarding a “tainted kernel” warning observed on our RHEL/Rocky/EL-based servers after installing and loading the DRBD kernel module.
**Background:**
- OS: RHEL/Rocky/EL (version: Linux host1.cloud.com 5.14.0-503.14.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 15 12:04:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux)
- Action: Manually built and installed DRBD module (modprobe drbd, /etc/modules-load.d/drbd.conf configuration)
**Observation:**
When running a custom system check/rootkit scan script (syscheck.sh, rootkit_detect), the following message is reported:
[!!][Suspicious] out-of-tree unsigned module loaded
drbd: loading out-of-tree module taints kernel.
drbd: module verification failed: signature and/or required key missing - tainting kernel
**My understanding is that this warning occurs because the DRBD module is not built into the official kernel and is unsigned.**
Please confirm:
1. Is this “tainted kernel” state and warning considered normal and safe if the DRBD module is intentionally installed and managed by the system administrator?
2. Are there any recommended procedures to avoid or suppress this warning if the module is trusted?
3. Would this trigger any negative effects on system stability, support eligibility, or system security evaluation tools provided by Red Hat?
**Attached:**
- Relevant logs (System_Report.log output)
=====================================================
SYSTEM CHECK TIME
- Start - Wed Nov 5 10:05:15 KST 2025
Finish - Wed Nov 5 10:05:17 KST 2025
============================
SYSTEM CHECK LIST
[Version 3.0]
z01. Kernel Rootkit
- Kernel Version
Check> Kernel Version
uname -a
Linux host1.cloud.com 5.14.0-503.14.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 15 12:04:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
======================================================================
Kernel RootKit
##########################
======================================================================
Kernel RootKit
Check> Hidden Kernel Modudle, Systemcall Table Modification, Detour
sudo ./rootkit_detect
===============================================================================================================
[*] Collecting
- List of loaded kernel modules
- List of system call functions
- ist of monitored kernel functions
[*] Kernel Memory Addresses
Kernel Symbols : sys_call_table=0xffffffffafa016c0, _stext=0xffffffffaea00000, _etext=0xffffffffafa00000, module_kset=0xffffffffb16e6460
===============================================================================================================
[1] List of loaded kernel modules
[i][Loaded kernel modules (via BPF Program)] (count=92)
dm_mod, dm_log, dm_region_hash, dm_mirror, serio_raw, vmw_pvscsi, ghash_clmulni_intel, vmxnet3, crc32c_intel, libata
crc32_pclmul, sg, ata_piix, crct10dif_pclmul, t10_pi, libahci, drm, ata_generic, ahci, sd_mod
drm_kms_helper, ttm, drm_ttm_helper, cdrom, sr_mod, vmwgfx, libcrc32c, xfs, fuse, joydev
pcspkr, vmw_vmci, i2c_piix4, rapl, vmw_balloon, kvm, kvm_intel, intel_uncore_frequency_common, intel_rapl_common, intel_rapl_msr
fat, vfat, sunrpc, nfnetlink, nf_tables, ip_set, rfkill, nf_defrag_ipv4, nf_defrag_ipv6, nf_conntrack
nf_nat, nft_chain_nat, nft_ct, nft_reject, nf_reject_ipv6, nf_reject_ipv4, nft_reject_inet, nft_fib, nft_fib_ipv6, nft_fib_ipv4
nft_fib_inet, drbd, drbd_transport_tcp, tls, bonding, llc, stp, bridge, mrp, garp
8021q, iommufd, vfio, vfio_iommu_type1, vfio_pci_core, vfio_pci, ib_core, psample, nf_conncount, openvswitch
nft_counter, nf_conntrack_tftp, nft_objref, nf_nat_tftp, nft_compat, ipt_REJECT, xt_conntrack, xt_MASQUERADE, xt_CHECKSUM, dm_multipath
softdog, scsi_transport_iscsi
[i][Loaded kernel modules (/proc/modules - lsmod)] (count=92)
scsi_transport_iscsi, softdog, dm_multipath, xt_CHECKSUM, xt_MASQUERADE, xt_conntrack, ipt_REJECT, nft_compat, nf_nat_tftp, nft_objref
nf_conntrack_tftp, nft_counter, openvswitch, nf_conncount, psample, ib_core, vfio_pci, vfio_pci_core, vfio_iommu_type1, vfio
iommufd, 8021q, garp, mrp, bridge, stp, llc, bonding, tls, drbd_transport_tcp
drbd, nft_fib_inet, nft_fib_ipv4, nft_fib_ipv6, nft_fib, nft_reject_inet, nf_reject_ipv4, nf_reject_ipv6, nft_reject, nft_ct
nft_chain_nat, nf_nat, nf_conntrack, nf_defrag_ipv6, nf_defrag_ipv4, rfkill, ip_set, nf_tables, nfnetlink, sunrpc
vfat, fat, intel_rapl_msr, intel_rapl_common, intel_uncore_frequency_common, kvm_intel, kvm, vmw_balloon, rapl, i2c_piix4
pcspkr, vmw_vmci, joydev, fuse, xfs, libcrc32c, vmwgfx, sr_mod, cdrom, drm_ttm_helper
ttm, drm_kms_helper, sd_mod, ahci, ata_generic, t10_pi, libahci, crct10dif_pclmul, ata_piix, sg
drm, crc32_pclmul, crc32c_intel, libata, vmxnet3, ghash_clmulni_intel, vmw_pvscsi, serio_raw, dm_mirror, dm_region_hash
dm_log, dm_mod
[i][/sys/module] (count=92)
vmwgfx, mrp, ata_piix, xt_conntrack, nf_conntrack, vfio, libahci, nfnetlink, drbd_transport_tcp, nf_nat
drm_kms_helper, vmw_vmci, bridge, nf_conntrack_tftp, nft_ct, nft_compat, cdrom, vfio_pci_core, softdog, nf_defrag_ipv6
ahci, vmw_pvscsi, dm_region_hash, sd_mod, dm_multipath, xt_CHECKSUM, nf_defrag_ipv4, intel_rapl_msr, ata_generic, libcrc32c
vmw_balloon, 8021q, scsi_transport_iscsi, nf_nat_tftp, intel_uncore_frequency_common, nft_reject_inet, nf_reject_ipv6, dm_log, serio_raw, nft_fib_ipv6
nft_objref, iommufd, ghash_clmulni_intel, rfkill, joydev, nf_reject_ipv4, openvswitch, nft_fib_ipv4, vfio_iommu_type1, t10_pi
sunrpc, fuse, vfio_pci, nf_tables, vmxnet3, psample, ipt_REJECT, xfs, drm_ttm_helper, ip_set
nft_counter, kvm, llc, tls, crct10dif_pclmul, nft_chain_nat, drbd, rapl, nf_conncount, dm_mod
crc32c_intel, libata, sg, kvm_intel, ttm, intel_rapl_common, dm_mirror, i2c_piix4, xt_MASQUERADE, bonding
stp, crc32_pclmul, pcspkr, ib_core, vfat, nft_reject, sr_mod, fat, nft_fib, drm
nft_fib_inet, garp
[i][Present in List (via BPF Program) but NOT in List (/proc/modules - lsmod)] (count=0) (none)
[i][Present in module_kset but NOT in /sys/module] (count=0) (none)
===============================================================================================================
===============================================================================================================
[3] List of monitored kernel functions
i] filldir = 0xffffffffaee65790, [First 8Bytes : 0F1F440000415745
i] filldir64 = 0xffffffffaee655f0, [First 8Bytes : 0F1F440000415745
i] tcp4_seq_show = 0xffffffffaf51eb50, [First 8Bytes : 0F1F440000415741
i] proc_root_readdir = 0xffffffffaeee76e0, [First 8Bytes : 0F1F440000415449
===============================================================================================================
##########################
Event Check
##########################
======================================================================
Kernel Tainted Check
Check> /proc/sys/kernel/tainted Value Check
dmesg | grep taint
[ 227.902907] drbd: loading out-of-tree module taints kernel.
[ 227.902926] drbd: module verification failed: signature and/or required key missing - tainting kernel
[!!][Suspicious] out-of-tree unsigned module loaded
If you need further information or the exact output, please let me know.
Thank you for your assistance.
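
The two dmesg lines in the report correspond to the kernel's `O` (out-of-tree module, bit 12) and `E` (unsigned module, bit 13) taint flags. The shell functions below are an added example, not part of the original message or of syscheck.sh/rootkit_detect; they decode `/proc/sys/kernel/tainted` and attribute taint to individual modules through `/sys/module/*/taint`. The sample mask 12288 is constructed from those two flags, and the letter table covers the upstream kernel's documented bits 0-17 only.

```shell
#!/bin/sh
# Added example: decode a kernel taint mask and attribute taint per module.
# Letters follow the upstream kernel taint table for bits 0-17; higher bits
# (including distribution-specific ones) are reported as "bitN".
TAINT_LETTERS=PFSRMBUDAWCIOELKXT
MODULE_ORIGIN_MASK=$(( (1 << 12) | (1 << 13) ))   # O = out-of-tree, E = unsigned

# decode_taint MASK -> space-separated flags for a non-negative mask, e.g. "O E"
decode_taint() {
    mask=$1 bit=0 out=
    while [ "$mask" -ne 0 ]; do
        if [ $(( mask & 1 )) -eq 1 ]; then
            if [ "$bit" -lt ${#TAINT_LETTERS} ]; then
                flag=$(printf '%s' "$TAINT_LETTERS" | cut -c$(( bit + 1 )))
            else
                flag="bit$bit"
            fi
            out="${out:+$out }$flag"
        fi
        mask=$(( mask >> 1 )); bit=$(( bit + 1 ))
    done
    printf '%s\n' "$out"
}

# only_module_origin MASK -> true when the kernel is tainted and every set bit
# is O or E. Any other flag (for example F, a force-loaded module, or D, an
# earlier oops) is not explained by loading an unsigned out-of-tree module.
only_module_origin() {
    [ "$1" -ne 0 ] && [ $(( $1 & ~MODULE_ORIGIN_MASK )) -eq 0 ]
}

# tainting_modules [DIR] -> "name:FLAGS" for each module with a non-empty taint
tainting_modules() {
    for f in "${1:-/sys/module}"/*/taint; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        [ -n "$flags" ] || continue
        name=${f%/taint}; name=${name##*/}
        printf '%s:%s\n' "$name" "$flags"
    done
}

sample=12288   # constructed: bit 12 + bit 13, matching the two dmesg lines
echo "sample $sample -> $(decode_taint "$sample")"
if [ -r /proc/sys/kernel/tainted ]; then
    live=$(cat /proc/sys/kernel/tainted)
    echo "live $live -> $(decode_taint "$live")"
    tainting_modules /sys/module
fi
```

A check built this way can allowlist a known module such as drbd by name and flag set while still raising on any other tainting module or any flag outside `O`/`E`.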