Linux Kernel Support - Policy on Third Party Kernel Modules
(Doc ID 284823.1)
Last updated on DECEMBER 23, 2022
Applies to: Linux OS - Version Enterprise Linux 4.0 and later
Oracle Cloud Infrastructure Linux aarch64
The purpose of this document is to describe the limitations on Oracle Linux support when third-party kernel modules or unpermitted kernel modifications are present.
SCOPE & APPLICATION
The guidance in this article applies to all Oracle Linux systems running either the Unbreakable Enterprise Kernel (UEK) or the Red Hat Compatible Kernel (RHCK).
LIMITED SUPPORT FOR MODIFIED AND TAINTED KERNELS
Oracle Linux environments in which customers recompile the kernel, insert third-party provided kernel modules, or recompile glibc are not eligible for Linux kernel support. The only exceptions are listed in this document. In the exception cases here, Oracle will support the Linux kernel, but will not offer support for the added functionality provided by the third-party modules.
For the purpose of support, Oracle does not differentiate between open source (GPL) and closed source (non-GPL) third-party drivers loaded into the kernel; use of unapproved third-party modules will limit support subject to the limitations and exceptions described here.
The Linux kernel includes a self-protection mechanism that indicates when code is loaded which was not cryptographically signed by the distribution vendor, or if the loaded module does not have a GPL compatible license. This warning is referred to as a taint and is reported in all crash dumps and panic stacks on the operating system. When a non-approved kernel module is loaded, it is said to taint the whole kernel (not just the module) because the loaded module has full read and write access to the running kernel's address space. A kernel becomes tainted when a kernel module is loaded which did not originate from Oracle or Red Hat.
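To see which of the taint conditions described above are set and which loaded modules carry them, the following added example (not part of Oracle's document) decodes the taint mask and the per-module flags in the format used by /proc/sys/kernel/tainted and /proc/modules. The bit positions and flag letters are taken from the upstream kernel's tainted-kernels documentation, and the sample values and the module name `examplevendor_drv` are constructed.

```shell
#!/bin/sh
# Added example: decode the module-related kernel taint bits and list the
# loaded modules that carry taint flags. Sample data below is constructed.

# decode_taint MASK
# Prints the module-related taint flags set in the numeric taint mask.
#   bit 0  (P) proprietary (non-GPL-compatible) module loaded
#   bit 12 (O) out-of-tree module loaded
#   bit 13 (E) unsigned module loaded
decode_taint() {
    mask=$1
    out=""
    [ $(( (mask >> 0)  & 1 )) -eq 1 ] && out="${out}P:proprietary-module "
    [ $(( (mask >> 12) & 1 )) -eq 1 ] && out="${out}O:out-of-tree-module "
    [ $(( (mask >> 13) & 1 )) -eq 1 ] && out="${out}E:unsigned-module "
    printf '%s\n' "${out% }"
}

# tainting_modules
# Reads /proc/modules-format lines on stdin and prints "name flags" for every
# module whose line ends with a parenthesised taint-flag field, e.g. "(POE)".
tainting_modules() {
    awk 'NF >= 7 && $7 ~ /^\(.*\)$/ { gsub(/[()]/, "", $7); print $1, $7 }'
}

# Constructed sample: mask 12289 = bit 0 + bit 12 + bit 13.
SAMPLE_TAINT=12289
SAMPLE_MODULES='xfs 1556480 2 - Live 0x0000000000000000
examplevendor_drv 40960 0 - Live 0x0000000000000000 (POE)
ext4 774144 1 - Live 0x0000000000000000'

echo "taint flags: $(decode_taint "$SAMPLE_TAINT")"
echo "tainting modules:"
printf '%s\n' "$SAMPLE_MODULES" | tainting_modules

# On a live system, replace the sample inputs with:
#   decode_taint "$(cat /proc/sys/kernel/tainted)"
#   tainting_modules < /proc/modules
```

The output identifies what tainted the kernel; whether a listed module falls under one of the exceptions in this document still has to be checked against the lists below.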
KERNEL MODULES DISTRIBUTED BY ORACLE
Kernel modules distributed by Oracle are always permitted when used along with Oracle products and do not limit Oracle Linux support, even if the kernel reports that it is tainted.
PERMITTED KERNEL MODIFICATIONS
Oracle does not restrict customer use of sysctl and /proc to modify the running kernel. Oracle does not restrict the use of kernel command line options to modify kernel behavior.
- Exceptions for Oracle provided kernel modules
- Exceptions for GPL third-party modules
- Exceptions for non-GPL third-party modules
Exceptions for Oracle provided kernel modules
Use of Oracle provided kernel modules is always supported and does not limit Oracle’s ability to provide support for the system. Whether the kernel module is provided by Oracle Linux as part of diagnostics, or if the kernel module is provided as part of an Oracle product, Oracle Linux will not limit support when the modules are provided by Oracle products or by Oracle Linux support. In some cases, these kernel modules may cause the kernel to display a tainted warning, especially when those kernel modules are released under a proprietary license.
Exceptions for GPL third-party kernel modules
In some cases, Oracle will offer support for kernels with GPL modules recommended by third-party vendors which are not part of the kernel distributed by Oracle or Red Hat. Support for these exceptions should be confirmed on a case-by-case basis before the modules are deployed.
Exceptions include: Driver packages from Cisco, Broadcom, LSI, Marvell, QLogic, Emulex, and Microchip, and Ethernet driver packages from Intel and Nvidia (Mellanox).
Exceptions for non-GPL third-party kernel modules
Non-GPL modules are proprietary closed source modules. Oracle does not have the source code necessary for fixing problems in these modules. Only systems with kernels tainted by modules/vendors on the exception list are eligible for support by Oracle; use of modules not on the exception list will render the system out of support. The third-party driver vendor is responsible for any fixes to their module.
Oracle Linux maintains a kABI to allow approved third-party vendors to register their use of APIs within the kernel, and Oracle makes a best effort to ensure that those symbols are not changed during regular updates to the Oracle Linux kernels (UEK or RHCK). However, it is always possible that the user of a third-party kernel module will have to request an updated version of a third-party kernel module should a kABI or other kernel change render the module incompatible with the kernel.
- EMC PowerPath
- Symantec Critical System Protection (CSP)
- IBM Security Guardium Data Activity Monitor