Fix to load only signed kernel in UEFI secure boot

This fix prevents loading of an unsigned Ubuntu kernel in a UEFI secure
boot environment when the image is created using the 'iso' element.

The 'iso' element uses the 'linux' and 'initrd' modules of grub2 to load
the kernel and initrd respectively. The grub2 implementation of Ubuntu
can load an unsigned kernel when these modules are used.

Ubuntu has Grub2 modules 'linuxefi' and 'initrdefi' which exit the
boot process if an unsigned kernel is used in UEFI secure boot mode.
The 'iso' element should use these modules in grub.cfg to prevent
loading of an unsigned kernel when the node is booted in the UEFI
secure boot environment.

'linuxefi' and 'initrdefi' work seamlessly when the node is booted in
normal UEFI boot mode (non-secure).

Fedora does not have this issue. This fix has been tested in a Fedora
environment. It works fine.

Closes-Bug: 1443114
Change-Id: If256ba1f7d7c149482d0f37fabcdfa8ed22e3f91
Shivanand Tendulker 2015-04-12 08:10:57 -07:00
parent 06e3d7c767
commit f0315b4ed4

@ -60,16 +60,11 @@ function build_iso() {
SCRIPTNAME=$(basename $0)
SCRIPTDIR=$(dirname $0)
MKISOFS="/usr/bin/mkisofs"
if [ $DISTRO_NAME = "fedora" ]; then
EFI_BOOT_DIR="EFI/fedora"
GRUB_LINUX_TAG="linuxefi"
GRUB_INITRD_TAG="initrdefi"
EXTRA_KERNEL_PARAMS="usbcore.autosuspend=-1"
else
EFI_BOOT_DIR="EFI/ubuntu"
GRUB_LINUX_TAG="linux"
GRUB_INITRD_TAG="initrd"
EXTRA_KERNEL_PARAMS=""
fi
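Review bot: In build_iso(), the else branch sets EFI_BOOT_DIR="EFI/ubuntu" for every DISTRO_NAME that is not "fedora", so once the grub.cfg template stops reading GRUB_LINUX_TAG and GRUB_INITRD_TAG, any other distro that falls into this branch also gets linuxefi/initrdefi with no check that its grub2 ships those modules. Consider matching "ubuntu" explicitly and failing the build on an unrecognised DISTRO_NAME. Separately, the test [ $DISTRO_NAME = "fedora" ] leaves the variable unquoted, which makes [ error out when it is empty; write it as [ "$DISTRO_NAME" = "fedora" ].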
@ -117,8 +112,8 @@ set hidden_timeout_quiet=false
menuentry "install" {
search --set=root --label VMEDIA_BOOT_ISO
$GRUB_LINUX_TAG /vmlinuz $EXTRA_KERNEL_PARAMS $KERNEL_CMDLINE_ARGS --
$GRUB_INITRD_TAG /initrd
linuxefi /vmlinuz $EXTRA_KERNEL_PARAMS $KERNEL_CMDLINE_ARGS --
initrdefi /initrd
}
END_CONFIG
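Review bot: The "install" menuentry now hardcodes linuxefi and initrdefi, but nothing in the script or the generated grub.cfg says why, so a later cleanup could switch back to 'linux'/'initrd' and bring back the unsigned-kernel load under secure boot. Add a comment above the menuentry stating that these commands are required for kernel signature enforcement in UEFI secure boot, with a reference to bug 1443114. It would also help to document that /vmlinuz has to be a signed kernel, since with these commands an unsigned one stops the boot in secure boot mode.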