From a4f1ad75ed26528c5ebed659d31ee82bde1bce9f Mon Sep 17 00:00:00 2001
From: Rod Smith <rod.smith@canonical.com>
Date: Wed, 16 Oct 2019 19:20:25 -0400
Subject: Added kernel taint test

---
 bin/kernel_taint_test           | 93 +++++++++++++++++++++++++++++++++++++++++
 units/miscellanea/jobs.pxu      | 10 +++++
 units/miscellanea/test-plan.pxu |  1 +
 3 files changed, 104 insertions(+)
 create mode 100755 bin/kernel_taint_test

diff --git a/bin/kernel_taint_test b/bin/kernel_taint_test
new file mode 100755
index 0000000..976ccb6
--- /dev/null
+++ b/bin/kernel_taint_test
@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+"""
+Test that the kernel is not "tainted" by out-of-tree drivers, etc.
+
+Copyright (C) 2019 Canonical Ltd.
+
+Authors:
+  Rod Smith <rod.smith@canonical.com>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3,
+as published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+This script examines the /proc/sys/kernel/tainted file (or a user-specified
+file, for debugging purposes) and parses the contents to determine if the
+kernel is tainted. If so, the script reports the nature of the taint and
+returns a value of 1. The script also returns a value of 1 if
+# /proc/sys/kernel/tainted cannot be found or opened. If the kernel is NOT
+# tainted, the script notes this fact and returns 0.
+"""
+
+
+import sys
+from argparse import ArgumentParser
+
+
+# Note: If max_taints is increased, add descriptions to taint_meanings in
+# report_failures()
+max_taints = 17
+
+
+def find_taints(taint_file):
+    """Read the kernel-taint file."""
+    try:
+        f = open(taint_file, "r")
+        taints = int(f.read())
+    except OSError:
+        taints = 2**(max_taints+1)  # Set so we have a non-0 value to return
+        print("Kernel taint file ({}) not found!".format(taint_file))
+    print("Kernel taint value is {}".format(taints))
+    return(taints)
+
+
+def report_failures(taints):
+    """Report the failure code and its meaning(s)."""
+    # Below meaning strings are taken from
+    # https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels_html
+    taint_meanings = ["proprietary module was loaded",
+                      "module was force loaded",
+                      "SMP kernel oops on an officially SMP incapable CPU",
+                      "module was force unloaded",
+                      "processor reported a Machine Check Exception (MCE)",
+                      "bad page referenced or some unexpected page flags",
+                      "taint requested by userspace application",
+                      "kernel died recently, i.e. there was an OOPS or BUG",
+                      "ACPI table overridden by user",
+                      "kernel issued warning",
+                      "staging driver was loaded",
+                      "workaround for bug in platform firmware applied",
+                      "externally-built ('out-of-tree') module was loaded",
+                      "unsigned module was loaded",
+                      "soft lockup occurred",
+                      "kernel has been live patched",
+                      "auxiliary taint, defined for and used by distros",
+                      "kernel was built with the struct randomization plugin"]
+    for i in range(max_taints+1):
+        if (taints & (2 ** i)):
+            print("Taint bit value: {} ({})".format(i, taint_meanings[i]))
+    if taints == 0:
+        print("No kernel taints detected.")
+
+
+def main():
+    parser = ArgumentParser()
+    parser.add_argument('--taint-file',
+                        default="/proc/sys/kernel/tainted",
+                        help='The file that holds the taint information')
+    args = parser.parse_args()
+    taints = find_taints(args.taint_file)
+    report_failures(taints)
+    return(taints > 0)
+
+
+if __name__ == '__main__':
+    sys.exit(main())
diff --git a/units/miscellanea/jobs.pxu b/units/miscellanea/jobs.pxu
index 41c9253..bbb28bf 100644
--- a/units/miscellanea/jobs.pxu
+++ b/units/miscellanea/jobs.pxu
@@ -188,6 +188,16 @@ _description:
  than pre-release, versions of the kernel and the OS.
 command: check-prerelease
 
+plugin: shell
+category_id: com.canonical.plainbox::miscellanea
+estimated_duration: 0.5
+id: miscellanea/kernel_taint_test
+_summary: Test that kernel is not tainted
+_description:
+ Test to verify that the kernel is not tainted by out-of-tree
+ drivers, live patches, proprietary modules, etc.
+command: kernel_taint_test
+
 plugin: shell
 category_id: com.canonical.plainbox::miscellanea
 id: miscellanea/bmc_info
diff --git a/units/miscellanea/test-plan.pxu b/units/miscellanea/test-plan.pxu
index 1b119f1..5f7258d 100644
--- a/units/miscellanea/test-plan.pxu
+++ b/units/miscellanea/test-plan.pxu
@@ -67,6 +67,7 @@ mandatory_include:
     miscellanea/secure_boot_mode
     miscellanea/efi_pxeboot
     miscellanea/check_prerelease
+    miscellanea/kernel_taint_test
     miscellanea/cpus_are_not_samples
     miscellanea/ipmi_test                      certification-status=blocker
     miscellanea/bmc_info
-- 
cgit v1.2.3