Add element ubuntu-signed to provide signed kernel

ubuntu-signed element would install 'linux-signed-image-generic' that
provides signed kernel that can be used for deploy in UEFI secure boot mode.

Package 'linux-signed-image-generic' ships signed kernel with extension
'.efi.signed' (Ex. '/boot/vmlinuz-3.13.0-49-generic.efi.signed').

The kernel modules directory for signed kernel and unsigned kernel is same.
It is without 'efi.signed' extension to its name. This is different from normal
practice of directory naming in '/lib/modules' (Ex. For signed kernel
'vmlinuz-3.13.0-49-generic.efi.signed', modules directory is
'/lib/modules/3.13.0-49-generic').
This needed some changes in '/lib/ramdisk-functions' and 'ramdisk' element to
copy kernel modules.

The signed kernel package contains both signed and unsigned kernel. The
unsiged kernel is without extension '.efi.signed' (Ex.
'/boot/vmlinuz-3.13.0-49-generic'). This required change into
'/lib/img-functions' and 'baremetal' element to pick up signed kernel version
when this element is used.

Closes-Bug: 1443076
Change-Id: I60061cbea847b47fa752b9463cfd387e8e7f0635

elements/baremetal/cleanup.d/99-extract-kernel-and-ramdisk

@@ -30,3 +30,8 @@ sudo cp $BOOTDIR/$KERNEL ${IMAGE_NAME}.vmlinuz
 sudo cp $BOOTDIR/$RAMDISK ${IMAGE_NAME}.initrd
 sudo chmod a+r ${IMAGE_NAME}.vmlinuz
 sudo chmod a+r ${IMAGE_NAME}.initrd
+
+if [ -f $TARGET_ROOT/dib-signed-kernel-version ] ; then
+    echo "Removing $TARGET_ROOT/dib-signed-kernel-version"
+    sudo rm -f $TARGET_ROOT/dib-signed-kernel-version
+fi

elements/ramdisk/post-install.d/99-build-ramdisk

@@ -17,7 +17,18 @@ source $_LIB/img-functions
 source $_LIB/ramdisk-functions
 
 KERNEL_VERSION=${DIB_KERNEL_VERSION:-$(find_kernel_version)}
+
 MODULE_DIR=$MODULE_ROOT/lib/modules/$KERNEL_VERSION
+if [ -f /dib-signed-kernel-version ] ; then
+    . /dib-signed-kernel-version
+fi
+if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
+    # Though kernel name is suffixed with efi.signed, modules directory is
+    # without that suffix
+    MOD_KERNEL_NAME=`echo "$DIB_SIGNED_KERNEL_VERSION" |sed "s/\.efi\.signed//g"`
+    MODULE_DIR=$MODULE_ROOT/lib/modules/$MOD_KERNEL_NAME
+fi
+
 FIRMWARE_DIR=$MODULE_ROOT/lib/firmware
 LIB_UDEV=$LIB_UDEV_ROOT/lib/udev
 INIT="$_LIB/scripts/init"
@@ -46,4 +57,13 @@ save_image /tmp/ramdisk
 # reset ramdisk image builds fail.
 trap EXIT
 cp /boot/vmlinu[zx]-${KERNEL_VERSION} /tmp/kernel
+if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
+    cp /boot/vmlinu[zx]-${DIB_SIGNED_KERNEL_VERSION} /tmp/kernel
+fi
+
 chmod o+r /tmp/kernel
+
+if [ -f /dib-signed-kernel-version ] ; then
+    echo "Removing /dib-signed-kernel-version"
+    rm -f /dib-signed-kernel-version
+fi

elements/ubuntu-signed/element-deps

@@ -0,0 +1 @@
+ubuntu

elements/ubuntu-signed/package-installs.yaml

@@ -0,0 +1 @@
+linux-signed-image-generic:

elements/ubuntu-signed/post-install.d/90-get-signed-kernel

@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Copyright 2015 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+# Get signed kernel version
+LATEST_SIGNED_KERNEL=$(ls /boot/vmlinu*.efi.signed | sort | tail -1)
+if [ "$LATEST_SIGNED_KERNEL" == "" ]; then
+    echo "Unable to find a suitable kernel" >>/dev/stderr
+    exit 1
+fi
+
+SIGNED_KERNEL_VERSION=${LATEST_SIGNED_KERNEL##/boot/vmlinu[zx]-}
+echo "Found signed ubuntu kernel version $SIGNED_KERNEL_VERSION"
+
+cat > /dib-signed-kernel-version << EOF
+DIB_SIGNED_KERNEL_VERSION=$SIGNED_KERNEL_VERSION
+EOF
+

lib/img-functions

@@ -165,6 +165,15 @@ function select_boot_kernel_initrd () {
     elif [ -f $TARGET_ROOT/etc/debian_version ]; then
         KERNEL=$(basename $(ls -1rv $BOOTDIR/vmlinu*generic 2>/dev/null || ls -1rv $BOOTDIR/vmlinu* | head -1))
         RAMDISK=$(basename $(ls -1rv $BOOTDIR/initrd*generic 2>/dev/null || ls -1rv $BOOTDIR/initrd* | head -1))
+
+        if [ -f $TARGET_ROOT/dib-signed-kernel-version ] ; then
+            . $TARGET_ROOT/dib-signed-kernel-version
+        fi
+
+        if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
+            echo "Using signed kernel $DIB_SIGNED_KERNEL_VERSION"
+            KERNEL=$(basename $(ls -1rv $BOOTDIR/vmlinu*generic.efi.signed 2>/dev/null))
+        fi
     elif [ -f $TARGET_ROOT/etc/SuSE-release ]; then
         KERNEL=$(basename $(readlink -e $BOOTDIR/vmlinuz))
         RAMDISK=$(basename $(readlink -e $BOOTDIR/initrd))

lib/ramdisk-functions

@@ -155,6 +155,16 @@ function populate_lib () {
     copy_required_libs "$path"
   done
 
+  if [ -f /dib-signed-kernel-version ] ; then
+      . /dib-signed-kernel-version
+  fi
+  if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
+      # Secure kernel module directory does not have efi.signed suffix to
+      # kernel version.
+      if echo $KERNEL_VERSION | grep -q 'efi.signed'; then
+          KERNEL_VERSION=`echo "$KERNEL_VERSION" |sed "s/\.efi\.signed//g"`
+      fi
+  fi
   cp -a "$MODULE_DIR" "$TMP_MOUNT_PATH/lib/modules/$KERNEL_VERSION"
   echo "Removing kernel framebuffer drivers to enforce text mode consoles..."
   find $TMP_MOUNT_PATH/lib/modules/$KERNEL_VERSION/kernel/drivers/video -name '*fb.ko' -exec rm -v {} +