tests: Skip kmod tests when secure boot is enabled

Kernel lockdown blocks loading unsigned kernel modules, so these tests need to be disabled. Eventually the zfs sysext should ship a signed kernel modules, but falco is built on the running system and won't work the same way. Falco suggests running in eBPF mode instead.
flatcar · Sep 10, 2024 · d7b7a14 · d7b7a14
1 parent c1dbf61
commit d7b7a14
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 4 deletions.
diff --git a/kola/harness.go b/kola/harness.go
@@ -223,6 +223,13 @@ var (
 	}
 )
 
+func SkipSecureboot(_ semver.Version, channel, arch, platform string) bool {
+	if Options.EnableSecureboot {
+		return true
+	}
+	return false
+}
+
 // NativeRunner is a closure passed to all kola test functions and used
 // to run native go functions directly on kola machines. It is necessary
 // glue until kola does introspection.

diff --git a/kola/tests/misc/falco.go b/kola/tests/misc/falco.go
@@ -1,6 +1,7 @@
 package misc
 
 import (
+	"github.com/flatcar/mantle/kola"
 	"github.com/flatcar/mantle/kola/cluster"
 	"github.com/flatcar/mantle/kola/register"
 )
@@ -16,7 +17,8 @@ func init() {
 		// falco builder container can't handle our arm64 config (yet)
 		Architectures: []string{"amd64"},
 		// selinux blocks insmod from within container
-		Flags: []register.Flag{register.NoEnableSelinux},
+		Flags:    []register.Flag{register.NoEnableSelinux},
+		SkipFunc: kola.SkipSecureboot,
 	})
 }
 

diff --git a/kola/tests/sysext/zfs.go b/kola/tests/sysext/zfs.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 
 	"github.com/coreos/go-semver/semver"
+	"github.com/flatcar/mantle/kola"
 	"github.com/flatcar/mantle/kola/cluster"
 	"github.com/flatcar/mantle/kola/register"
 	"github.com/flatcar/mantle/platform"
@@ -133,7 +134,7 @@ func init() {
 		// This test is normally not related to the cloud environment
 		Platforms:  []string{"qemu", "qemu-unpriv"},
 		MinVersion: semver.Version{Major: 3902},
-		SkipFunc:   skipOnGha,
+		SkipFunc:   skipZfs,
 	})
 
 	register.Register(&register.Test{
@@ -144,7 +145,7 @@ func init() {
 		// This test is normally not related to the cloud environment
 		Platforms:  []string{"qemu", "qemu-unpriv"},
 		MinVersion: semver.Version{Major: 3902},
-		SkipFunc:   skipOnGha,
+		SkipFunc:   skipZfs,
 	})
 
 	register.Register(&register.Test{
@@ -155,10 +156,20 @@ func init() {
 		// This test is normally not related to the cloud environment
 		Platforms:  []string{"qemu", "qemu-unpriv"},
 		MinVersion: semver.Version{Major: 3902},
-		SkipFunc:   skipOnGha,
+		SkipFunc:   skipZfs,
 	})
 }
 
+func skipZfs(version semver.Version, channel, arch, platform string) bool {
+	if kola.SkipSecureboot(version, channel, arch, platform) {
+		return true
+	}
+	if skipOnGha(version, channel, arch, platform) {
+		return true
+	}
+	return false
+}
+
 func skipOnGha(version semver.Version, channel, arch, platform string) bool {
 	// Skip for release tests as we don't yet have a sysext signed with the
 	// prod key, nor is it on the release server.