Introduction to soliddriver-checks
The OS kernel is central and fundamental to system functionality and integrity. A user needs to be able to trust in the security and stability of the OS kernel at the heart of their mission-critical systems. This trustworthiness extends just the same to kernel modules delivered by third-party vendors. Such third-party modules (often device drivers) are necessary to exploit products and features that are not supported directly with the SUSE kernels.
Over a decade ago SUSE established the SolidDriver Program that sets standards around compatibility, supportability and integrity of kernel modules provided by third parties to be used with SUSE Linux Enterprise products.
In our experience as an operating system supplier, users face several major problems when dealing with kernel modules provided by third parties, such as deciding whether to install them. Are the modules compatible with the SUSE product? How can I audit installed systems to detect whether any third-party kernel modules are installed or in use? And how can I check whether those modules are provided by trusted vendors and are SolidDriver compliant? The SUSE soliddriver-checks tool has been developed to analyze both RPM packages before installation and installed and running kernel modules, to help ascertain the integrity of the kernel code being used.
soliddriver-checks is a command line tool for checking RPMs (Kernel Module Packages or KMPs) and installed modules on SUSE Linux Enterprise deployments. With this tool, users can get a detailed rundown of the KMPs and provided modules for auditing purposes. The details can help users to evaluate whether they match SUSE’s standard, and decide what to do next.
Vendors of kernel modules can use the soliddriver-checks tool to evaluate if their modules are being built in a SUSE SolidDriver Compliant manner for best end user acceptance.
Currently soliddriver-checks can audit RPMs that provide kernel modules without the need for installation, modules installed on the local system, and modules installed on remote systems. It can generate complete inspection results as JSON files, and can also generate reports optimized for readability in HTML, Excel or PDF format.
In the HTML, Excel and PDF report formats, both RPM and kernel module checks have two levels of warning:
- Critical: May cause installation, compatibility or support issues. For instance:
  - Module package does not provide kABI requirements and might not be compatible with SUSE kernels or kernel updates
  - Module not marked as supported
  - Module is not installed in a SUSE compatible manner
- Important: There are potential problems. For instance:
  - Package has no vendor set
  - Package is not signed
  - Module is not signed
  - License mismatch between module package and modules within the package
For both kinds of issues, we recommend that you contact your IHV, or whoever provides the RPM or kernel module to you, and ask them to build their RPMs according to the SUSE Kernel Module Packages Manual.
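To illustrate how two of the module-level warnings above map onto module metadata, here is an added example that is not soliddriver-checks code and does not describe how the tool is implemented. It classifies constructed `modinfo`-style output, assuming a supported module carries a `supported` field of `yes` or `external` and a signed module carries a `signer` field; all function names and sample data are hypothetical.

```python
# Added example, not soliddriver-checks code. All sample data is constructed.
LEVELS = {"Critical": 0, "Important": 1}

def parse_modinfo(text):
    """Parse 'key: value' lines in the style of `modinfo` output."""
    info = {}
    for line in text.splitlines():
        if not line or line[0].isspace():  # skip signature continuation lines
            continue
        key, sep, value = line.partition(":")
        if sep:
            info.setdefault(key.strip(), value.strip())
    return info

def check_module(modinfo_text):
    """Return (level, message) findings for one module."""
    info = parse_modinfo(modinfo_text)
    findings = []
    # Assumption: modinfo reports a 'supported' field with the value
    # "yes" or "external" for modules marked as supported.
    if info.get("supported") not in ("yes", "external"):
        findings.append(("Critical", "Module not marked as supported"))
    # Assumption: a signed module shows a non-empty 'signer' field.
    if not info.get("signer"):
        findings.append(("Important", "Module is not signed"))
    return findings

def audit(modules):
    """Map module name -> findings, most severely flagged modules first."""
    results = {name: check_module(text) for name, text in modules.items()}
    def worst(item):
        return min((LEVELS[lvl] for lvl, _ in item[1]), default=len(LEVELS))
    return dict(sorted(results.items(), key=lambda it: (worst(it), it[0])))

SAMPLE = {  # constructed modinfo-style output, not from a real system
    "vendor_ok.ko": "filename:  /lib/modules/constructed/updates/vendor_ok.ko\n"
                    "license:   GPL\nsupported: external\n"
                    "signer:    Example Vendor Signing Key\n"
                    "signature: 00:11:22:33:\n\t\t44:55:66:77\n",
    "vendor_unsigned.ko": "filename:  /lib/modules/constructed/updates/vendor_unsigned.ko\n"
                          "license:   GPL\nsupported: external\n",
    "vendor_unsupported.ko": "filename:  /lib/modules/constructed/extra/vendor_unsupported.ko\n"
                             "license:   Proprietary\n",
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "no findings")
```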
Additional information and guidelines are available at https://github.com/SUSE/soliddriver-checks
Bug report: https://github.com/SUSE/soliddriver-checks/issues