From 06e3d7c767399f025876449e3b3c8bbe925e0774 Mon Sep 17 00:00:00 2001
From: Shivanand Tendulker <stendulker@gmail.com>
Date: Fri, 10 Apr 2015 01:58:19 -0700
Subject: [PATCH] Add element ubuntu-signed to provide signed kernel

ubuntu-signed element would install 'linux-signed-image-generic' that
provides signed kernel that can be used for deploy in UEFI secure boot mode.

Package 'linux-signed-image-generic' ships signed kernel with extension
'.efi.signed' (Ex. '/boot/vmlinuz-3.13.0-49-generic.efi.signed').

The kernel modules directory for signed kernel and unsigned kernel is same.
It is without 'efi.signed' extension to its name. This is different from normal
practice of directory naming in '/lib/modules' (Ex. For signed kernel
'vmlinuz-3.13.0-49-generic.efi.signed', modules directory is
'/lib/modules/3.13.0-49-generic').
This needed some changes in '/lib/ramdisk-functions' and 'ramdisk' element to
copy kernel modules.

The signed kernel package contains both signed and unsigned kernel. The
unsiged kernel is without extension '.efi.signed' (Ex.
'/boot/vmlinuz-3.13.0-49-generic'). This required change into
'/lib/img-functions' and 'baremetal' element to pick up signed kernel version
when this element is used.

Closes-Bug: 1443076
Change-Id: I60061cbea847b47fa752b9463cfd387e8e7f0635
---
 .../cleanup.d/99-extract-kernel-and-ramdisk   |  5 +++
 .../ramdisk/post-install.d/99-build-ramdisk   | 20 +++++++++++
 elements/ubuntu-signed/element-deps           |  1 +
 elements/ubuntu-signed/package-installs.yaml  |  1 +
 .../post-install.d/90-get-signed-kernel       | 36 +++++++++++++++++++
 lib/img-functions                             |  9 +++++
 lib/ramdisk-functions                         | 10 ++++++
 7 files changed, 82 insertions(+)
 create mode 100644 elements/ubuntu-signed/element-deps
 create mode 100644 elements/ubuntu-signed/package-installs.yaml
 create mode 100755 elements/ubuntu-signed/post-install.d/90-get-signed-kernel

diff --git a/elements/baremetal/cleanup.d/99-extract-kernel-and-ramdisk b/elements/baremetal/cleanup.d/99-extract-kernel-and-ramdisk
index 9433feed..7c4a6857 100755
--- a/elements/baremetal/cleanup.d/99-extract-kernel-and-ramdisk
+++ b/elements/baremetal/cleanup.d/99-extract-kernel-and-ramdisk
@@ -30,3 +30,8 @@ sudo cp $BOOTDIR/$KERNEL ${IMAGE_NAME}.vmlinuz
 sudo cp $BOOTDIR/$RAMDISK ${IMAGE_NAME}.initrd
 sudo chmod a+r ${IMAGE_NAME}.vmlinuz
 sudo chmod a+r ${IMAGE_NAME}.initrd
+
+if [ -f $TARGET_ROOT/dib-signed-kernel-version ] ; then
+    echo "Removing $TARGET_ROOT/dib-signed-kernel-version"
+    sudo rm -f $TARGET_ROOT/dib-signed-kernel-version
+fi
diff --git a/elements/ramdisk/post-install.d/99-build-ramdisk b/elements/ramdisk/post-install.d/99-build-ramdisk
index 4fc187b3..44fbc812 100755
--- a/elements/ramdisk/post-install.d/99-build-ramdisk
+++ b/elements/ramdisk/post-install.d/99-build-ramdisk
@@ -17,7 +17,18 @@ source $_LIB/img-functions
 source $_LIB/ramdisk-functions
 
 KERNEL_VERSION=${DIB_KERNEL_VERSION:-$(find_kernel_version)}
+
 MODULE_DIR=$MODULE_ROOT/lib/modules/$KERNEL_VERSION
+if [ -f /dib-signed-kernel-version ] ; then
+    . /dib-signed-kernel-version
+fi
+if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
+    # Though kernel name is suffixed with efi.signed, modules directory is
+    # without that suffix
+    MOD_KERNEL_NAME=`echo "$DIB_SIGNED_KERNEL_VERSION" |sed "s/\.efi\.signed//g"`
+    MODULE_DIR=$MODULE_ROOT/lib/modules/$MOD_KERNEL_NAME
+fi
+
 FIRMWARE_DIR=$MODULE_ROOT/lib/firmware
 LIB_UDEV=$LIB_UDEV_ROOT/lib/udev
 INIT="$_LIB/scripts/init"
@@ -46,4 +57,13 @@ save_image /tmp/ramdisk
 # reset ramdisk image builds fail.
 trap EXIT
 cp /boot/vmlinu[zx]-${KERNEL_VERSION} /tmp/kernel
+if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
+    cp /boot/vmlinu[zx]-${DIB_SIGNED_KERNEL_VERSION} /tmp/kernel
+fi
+
 chmod o+r /tmp/kernel
+
+if [ -f /dib-signed-kernel-version ] ; then
+    echo "Removing /dib-signed-kernel-version"
+    rm -f /dib-signed-kernel-version
+fi
diff --git a/elements/ubuntu-signed/element-deps b/elements/ubuntu-signed/element-deps
new file mode 100644
index 00000000..e9e5f7ce
--- /dev/null
+++ b/elements/ubuntu-signed/element-deps
@@ -0,0 +1 @@
+ubuntu
diff --git a/elements/ubuntu-signed/package-installs.yaml b/elements/ubuntu-signed/package-installs.yaml
new file mode 100644
index 00000000..7ce59d73
--- /dev/null
+++ b/elements/ubuntu-signed/package-installs.yaml
@@ -0,0 +1 @@
+linux-signed-image-generic:
diff --git a/elements/ubuntu-signed/post-install.d/90-get-signed-kernel b/elements/ubuntu-signed/post-install.d/90-get-signed-kernel
new file mode 100755
index 00000000..86cd47cf
--- /dev/null
+++ b/elements/ubuntu-signed/post-install.d/90-get-signed-kernel
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Copyright 2015 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+# Get signed kernel version
+LATEST_SIGNED_KERNEL=$(ls /boot/vmlinu*.efi.signed | sort | tail -1)
+if [ "$LATEST_SIGNED_KERNEL" == "" ]; then
+    echo "Unable to find a suitable kernel" >>/dev/stderr
+    exit 1
+fi
+
+SIGNED_KERNEL_VERSION=${LATEST_SIGNED_KERNEL##/boot/vmlinu[zx]-}
+echo "Found signed ubuntu kernel version $SIGNED_KERNEL_VERSION"
+
+cat > /dib-signed-kernel-version << EOF
+DIB_SIGNED_KERNEL_VERSION=$SIGNED_KERNEL_VERSION
+EOF
+
diff --git a/lib/img-functions b/lib/img-functions
index 6e94423b..1cb860fb 100644
--- a/lib/img-functions
+++ b/lib/img-functions
@@ -165,6 +165,15 @@ function select_boot_kernel_initrd () {
     elif [ -f $TARGET_ROOT/etc/debian_version ]; then
         KERNEL=$(basename $(ls -1rv $BOOTDIR/vmlinu*generic 2>/dev/null || ls -1rv $BOOTDIR/vmlinu* | head -1))
         RAMDISK=$(basename $(ls -1rv $BOOTDIR/initrd*generic 2>/dev/null || ls -1rv $BOOTDIR/initrd* | head -1))
+
+        if [ -f $TARGET_ROOT/dib-signed-kernel-version ] ; then
+            . $TARGET_ROOT/dib-signed-kernel-version
+        fi
+
+        if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
+            echo "Using signed kernel $DIB_SIGNED_KERNEL_VERSION"
+            KERNEL=$(basename $(ls -1rv $BOOTDIR/vmlinu*generic.efi.signed 2>/dev/null))
+        fi
     elif [ -f $TARGET_ROOT/etc/SuSE-release ]; then
         KERNEL=$(basename $(readlink -e $BOOTDIR/vmlinuz))
         RAMDISK=$(basename $(readlink -e $BOOTDIR/initrd))
diff --git a/lib/ramdisk-functions b/lib/ramdisk-functions
index b472ceb8..3b43a1c3 100644
--- a/lib/ramdisk-functions
+++ b/lib/ramdisk-functions
@@ -155,6 +155,16 @@ function populate_lib () {
     copy_required_libs "$path"
   done
 
+  if [ -f /dib-signed-kernel-version ] ; then
+      . /dib-signed-kernel-version
+  fi
+  if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
+      # Secure kernel module directory does not have efi.signed suffix to
+      # kernel version.
+      if echo $KERNEL_VERSION | grep -q 'efi.signed'; then
+          KERNEL_VERSION=`echo "$KERNEL_VERSION" |sed "s/\.efi\.signed//g"`
+      fi
+  fi
   cp -a "$MODULE_DIR" "$TMP_MOUNT_PATH/lib/modules/$KERNEL_VERSION"
   echo "Removing kernel framebuffer drivers to enforce text mode consoles..."
   find $TMP_MOUNT_PATH/lib/modules/$KERNEL_VERSION/kernel/drivers/video -name '*fb.ko' -exec rm -v {} +