“Canonical Kernel Team” team

We're using a list to store those modules which will taint the kernel.
However we didn't check why the module is tainted but just ignore them
if they're in the loaded module list.

It will cause a false impression that a module is tainting the kernel
with different issues simply because they're loaded. This was found
while investigating Kinetic RPI boot test result (with database added
in the same logic). Within which only the rpivid_hevc module was
unsigned, but every other modules in the list were printed out for the
unsigned taint as well.

Test output:
  Taint bit value: 13 (unsigned module was loaded)
  Exception made in test script: bcm2835_codec
  Exception made in test script: bcm2835_isp
  Exception made in test script: bcm2835_v4l2
  Exception made in test script: bcm2835_mmal_vchiq
  Exception made in test script: rpivid_hevc
  Exception made in test script: snd_bcm2835
  Exception made in test script: vc_sm_cma
  * Unsigned modules found, but they are expected and OK

Acutal module taint flag:
  snd_bcm2835 - C
  rpivid_hevc - CE
  bcm2835_codec -C
  bcm2835_v4l2 - C
  bcm2835_isp - C
  bcm2835_mmal_vchiq - C
  vc_sm_cma C

Reconstruct kernel_tainted check, use a taint flag dictionary to
filter out known issues for different modules. Ignore them only if the
issue is explicitly recorded in the database.

Also remove the process_GPL_incompatible_modules(), I don't think we
really care if a certain module is using GPL or MIT license. We care
if it's tainting the kernel.

Update the DGX / RPI modules based on actual test result.

Description of the change

Patch tested with DGX B/F and RPI B/F/J, including testing them with entries removed from the database to make sure they will fail as expected.

Example output for F-DGX:
Running 'python3 /home/ubuntu/autotest/client/tests/ubuntu_boot/kernel_taint_test.py'
Kernel taint value is 12289
Taint bit value: 0 (proprietary module was loaded)
Exception made in test script for: nvidia_drm
Exception made in test script for: nvidia_modeset
Exception made in test script for: nvidia
* Proprietary modules found, but they are expected and OK
Taint bit value: 12 (externally-built ('out-of-tree') module was loaded)
Exception made in test script for: nvidia_uvm
Exception made in test script for: nvidia_drm
Exception made in test script for: nvidia_modeset
Exception made in test script for: mlx5_ib
Exception made in test script for: ib_uverbs
Exception made in test script for: nvidia
Exception made in test script for: ib_core
Exception made in test script for: mlx5_core
Exception made in test script for: mlxdevm
Exception made in test script for: auxiliary
Exception made in test script for: mlxfw
Exception made in test script for: mlx_compat
* Out of Tree modules found, but they are expected and OK
Taint bit value: 13 (unsigned module was loaded)
Exception made in test script for: mlx5_ib
Exception made in test script for: ib_uverbs
Exception made in test script for: ib_core
Exception made in test script for: mlx5_core
Exception made in test script for: mlxdevm
Exception made in test script for: auxiliary
Exception made in test script for: mlxfw
Exception made in test script for: mlx_compat
* Unsigned modules found, but they are expected and OK
Kernel tainted but in an expected way.
GOOD: Test Passed.

Revision history for this message

Francis Ginther (fginther) wrote on 2022-12-16:

review: Approve

Revision history for this message

Po-Hsu Lin (cypressyew) wrote on 2022-12-19:

Applied and pushed, thanks!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Kernel Team

 diff --git a/ubuntu_boot/kernel_taint_test.py b/ubuntu_boot/kernel_taint_test.py
 index 93cccdd..59a2cfb 100755
 --- a/ubuntu_boot/kernel_taint_test.py
 +++ b/ubuntu_boot/kernel_taint_test.py
@@ -61,92 +61,84 @@ def get_modules():
      return modules
--def process_GPL_incompatible_modules(modules):
--    mod_list = []
--    modules = remove_ignored_modules(modules)
--    for mod in modules:
--        cmd = 'modinfo -F license %s' % mod
--        license = check_output(shlex.split(cmd),
--                               universal_newlines=True).strip()
--        if "GPL" not in license and "MIT" not in license:
--            mod_list.append((mod, license))
--    return(mod_list)
--
--
  def process_known_issues(issue, modules):
--    mod_list = []
--    issue_flags = {"staging driver was loaded":                          "C",
++    '''Filter out known taint flags'''
++    issue_flags = {"proprietary module was loaded":                      "P",
++                   "staging driver was loaded":                          "C",
                     "externally-built ('out-of-tree') module was loaded": "O",
                     "unsigned module was loaded":                         "E"}
--    modules = remove_ignored_modules(modules)
--    for mod in modules:
--        fn = '/sys/module/{}/taint'.format(mod)
--        with open(fn, 'r') as f:
--            status = f.read()
--            if issue_flags[issue] in status:
--                mod_list.append(mod)
--    return(mod_list)
--
--
--def remove_ignored_modules(modules):
--    # Remove modules we know will fail, but accept
--    dgx_modules = {'focal': ['mlx5_ib',
--                             'ib_uverbs',
--                             'ib_core',
--                             'mlx5_core',
--                             'mlxdevm',
--                             'auxiliary',
--                             'mlxfw',
--                             'mlx_compat'],
--                   'bionic':['ib_iser',
--                             'rdma_cm',
--                             'iw_cm',
--                             'ib_cm',
--                             'mlx5_ib',
--                             'ib_uverbs',
--                             'ib_core',
--                             'mlx5_core',
--                             'mlxfw',
--                             'mdev',
--                             'mlx_compat']}
--    rpi_modules = {'jammy': ['bcm2835_codec',
--                             'bcm2835_isp',
--                             'bcm2835_v4l2',
--                             'bcm2835_mmal_vchiq',
--                             'snd_bcm2835',
--                             'vc_sm_cma'],
--                   'focal': ['bcm2835_codec',
--                             'bcm2835_isp',
--                             'bcm2835_v4l2',
--                             'bcm2835_mmal_vchiq',
--                             'snd_bcm2835',
--                             'vc_sm_cma']}
--    try:
--        series = platform.dist()[2]
--    except AttributeError:
--        import distro
--        series = distro.codename()
++    dgx_modules = {'focal':  {'nvidia_uvm':     'O',
++                              'nvidia_drm':     'PO',
++                              'nvidia_modeset': 'PO',
++                              'nvidia':         'PO',
++                              'mlx5_ib':        'OE',
++                              'ib_uverbs':      'OE',
++                              'ib_core':        'OE',
++                              'mlx5_core':      'OE',
++                              'mlxdevm':        'OE',
++                              'auxiliary':      'OE',
++                              'mlxfw':          'OE',
++                              'mlx_compat':     'OE'},
++                   'bionic': {'nvidia_uvm':     'O',
++                              'nvidia_drm':     'PO',
++                              'nvidia_modeset': 'PO',
++                              'nvidia':         'PO',
++                              'ib_iser':        'OE',
++                              'rdma_cm':        'OE',
++                              'iw_cm':          'OE',
++                              'ib_cm':          'OE',
++                              'mlx5_ib':        'OE',
++                              'ib_uverbs':      'OE',
++                              'ib_core':        'OE',
++                              'mlx5_core':      'OE',
++                              'mlxfw':          'OE',
++                              'mdev':           'OE',
++                              'mlx_compat':     'OE'}}
++    rpi_modules = {'jammy': {'bcm2835_codec':      'C',
++                             'bcm2835_isp':        'C',
++                             'bcm2835_v4l2':       'C',
++                             'bcm2835_mmal_vchiq': 'C',
++                             'snd_bcm2835':        'C',
++                             'vc_sm_cma':          'C'},
++                   'focal': {'bcm2835_codec':      'CE',
++                             'bcm2835_isp':        'CE',
++                             'bcm2835_v4l2':       'CE',
++                             'bcm2835_mmal_vchiq': 'CE',
++                             'snd_bcm2835':        'CE',
++                             'vc_sm_cma':          'CE'}}
      try:
          with open('/sys/class/dmi/id/product_name', 'r') as f:
              product_name = f.read().strip()
      except FileNotFoundError:
          product_name = ''
--    if series in ['focal', 'bionic'] and 'DGX' in product_name:
--        for ignore_mod in dgx_modules[series]:
--            try:
--                print('Exception made in test script: {}'.format(ignore_mod))
--                modules.remove(ignore_mod)
--            except ValueError:
--                pass
--    elif series in ['focal', 'jammy'] and 'raspi' in platform.release():
--        for ignore_mod in rpi_modules[series]:
--            try:
--                print('Exception made in test script: {}'.format(ignore_mod))
--                modules.remove(ignore_mod)
--            except ValueError:
--                pass
--    return(modules)
++    module_flags = {}
++    if 'DGX' in product_name:
++        module_flags = dgx_modules
++    elif 'raspi' in platform.release():
++        module_flags = rpi_modules
++
++    try:
++        series = platform.dist()[2]
++    except AttributeError:
++        import distro
++        series = distro.codename()
++
++    # Filter out modules flagged with corresponding taint flag
++    mod_list = []
++    for mod in modules:
++        fn = '/sys/module/{}/taint'.format(mod)
++        with open(fn, 'r') as f:
++            status = f.read()
++            if issue_flags[issue] in status:
++                # Check with the allow list
++                if series in module_flags:
++                    if mod in module_flags[series]:
++                        if issue_flags[issue] in module_flags[series][mod]:
++                            print('Exception made in test script for: ' + mod)
++                            continue
++                mod_list.append(mod)
++    return mod_list
  def main():
@@ -184,7 +176,7 @@ def main():
              modules = get_modules()
              print("Taint bit value: {} ({})".format(i, taint_meanings[i]))
              if i == 0:  # List GPL incompatible modules and licenses
--                proprietary_modules = process_GPL_incompatible_modules(modules)
++                proprietary_modules = process_known_issues(taint_meanings[i], modules)
                  if proprietary_modules:
                      print("*   Modules with GPL Incompatible Licenses:")
                      for mod in proprietary_modules:
@@ -230,8 +222,9 @@ def main():
      if count == 0:
--        # else case below contains expected issue in case 0 / 11 / 12 / 13
--        if not taints:
++        if taints:
++            print("Kernel tainted but in an expected way.")
++        else:
              print("No kernel taints detected.")
          return 0
      else:
 diff --git a/ubuntu_boot/ubuntu_boot.py b/ubuntu_boot/ubuntu_boot.py
 index 50cb8c3..44a0b9b 100644
 --- a/ubuntu_boot/ubuntu_boot.py
 +++ b/ubuntu_boot/ubuntu_boot.py
@@ -74,7 +74,7 @@ class ubuntu_boot(test.test):
              if self.kernel_tainted():
                  raise error.TestFail()
              else:
--                print('GOOD: Kernel not tainted.')
++                print('GOOD: Test Passed.')
              return
          elif test_name == 'kernel_revocation_list':
              if self.kernel_revocation_list():