Merge "Add element ubuntu-signed to provide signed kernel"

Jenkins 2015-04-28 11:02:44 +00:00 committed by Gerrit Code Review
commit f8302171f5
7 changed files with 82 additions and 0 deletions


@ -30,3 +30,8 @@ sudo cp $BOOTDIR/$KERNEL ${IMAGE_NAME}.vmlinuz
sudo cp $BOOTDIR/$RAMDISK ${IMAGE_NAME}.initrd
sudo chmod a+r ${IMAGE_NAME}.vmlinuz
sudo chmod a+r ${IMAGE_NAME}.initrd
if [ -f $TARGET_ROOT/dib-signed-kernel-version ] ; then
echo "Removing $TARGET_ROOT/dib-signed-kernel-version"
sudo rm -f $TARGET_ROOT/dib-signed-kernel-version
fi


@ -17,7 +17,18 @@ source $_LIB/img-functions
source $_LIB/ramdisk-functions
KERNEL_VERSION=${DIB_KERNEL_VERSION:-$(find_kernel_version)}
MODULE_DIR=$MODULE_ROOT/lib/modules/$KERNEL_VERSION
if [ -f /dib-signed-kernel-version ] ; then
. /dib-signed-kernel-version
fi
if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
# Though kernel name is suffixed with efi.signed, modules directory is
# without that suffix
MOD_KERNEL_NAME=`echo "$DIB_SIGNED_KERNEL_VERSION" |sed "s/\.efi\.signed//g"`
MODULE_DIR=$MODULE_ROOT/lib/modules/$MOD_KERNEL_NAME
fi
FIRMWARE_DIR=$MODULE_ROOT/lib/firmware
LIB_UDEV=$LIB_UDEV_ROOT/lib/udev
INIT="$_LIB/scripts/init"
@ -46,4 +57,13 @@ save_image /tmp/ramdisk
# reset ramdisk image builds fail.
trap EXIT
cp /boot/vmlinu[zx]-${KERNEL_VERSION} /tmp/kernel
if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
cp /boot/vmlinu[zx]-${DIB_SIGNED_KERNEL_VERSION} /tmp/kernel
fi
chmod o+r /tmp/kernel
if [ -f /dib-signed-kernel-version ] ; then
echo "Removing /dib-signed-kernel-version"
rm -f /dib-signed-kernel-version
fi
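Review bot: Sourcing `/dib-signed-kernel-version` with `.` in the first hunk runs whatever that file contains as shell in the ramdisk build, when the build only needs one version string from it. Reading the single expected assignment and validating it would keep it as data, for example `DIB_SIGNED_KERNEL_VERSION=$(sed -n 's/^DIB_SIGNED_KERNEL_VERSION=//p' /dib-signed-kernel-version)` followed by a check that the value holds only version characters. The same pattern appears in the `select_boot_kernel_initrd` hunk, where the file is read from under `$TARGET_ROOT` (so content from the image root appears to be evaluated by the script working on it from outside), and in the `populate_lib` hunk. Because the variable is not cleared first, a `DIB_SIGNED_KERNEL_VERSION` already in the environment is also honoured when the file is absent; if that is not intended, unset it before the test.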


@ -0,0 +1 @@
ubuntu


@ -0,0 +1 @@
linux-signed-image-generic:


@ -0,0 +1,36 @@
#!/bin/bash
#
# Copyright 2015 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
# Get signed kernel version
LATEST_SIGNED_KERNEL=$(ls /boot/vmlinu*.efi.signed | sort | tail -1)
if [ "$LATEST_SIGNED_KERNEL" == "" ]; then
echo "Unable to find a suitable kernel" >>/dev/stderr
exit 1
fi
SIGNED_KERNEL_VERSION=${LATEST_SIGNED_KERNEL##/boot/vmlinu[zx]-}
echo "Found signed ubuntu kernel version $SIGNED_KERNEL_VERSION"
cat > /dib-signed-kernel-version << EOF
DIB_SIGNED_KERNEL_VERSION=$SIGNED_KERNEL_VERSION
EOF
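Review bot: The `ls /boot/vmlinu*.efi.signed | sort | tail -1` assignment cannot reach the "Unable to find a suitable kernel" branch below it: with `set -eu` and `set -o pipefail` in effect, a failing `ls` fails the pipeline and the script exits on the assignment, so the message is never printed. The plain `sort` is also lexical, so it can rank a `-9` build above a `-49` build (constructed example) and record an older kernel as the latest. Something like `LATEST_SIGNED_KERNEL=$(find /boot -maxdepth 1 -name 'vmlinu[zx]-*.efi.signed' | sort -V | tail -1)` keeps the empty check reachable and orders by version. The value is then written through an unquoted here-doc into a file that other scripts source, so it is worth rejecting anything beyond the expected version characters before writing it.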


@ -175,6 +175,15 @@ function select_boot_kernel_initrd () {
elif [ -f $TARGET_ROOT/etc/debian_version ]; then
KERNEL=$(basename $(ls -1rv $BOOTDIR/vmlinu*generic 2>/dev/null || ls -1rv $BOOTDIR/vmlinu* | head -1))
RAMDISK=$(basename $(ls -1rv $BOOTDIR/initrd*generic 2>/dev/null || ls -1rv $BOOTDIR/initrd* | head -1))
if [ -f $TARGET_ROOT/dib-signed-kernel-version ] ; then
. $TARGET_ROOT/dib-signed-kernel-version
fi
if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
echo "Using signed kernel $DIB_SIGNED_KERNEL_VERSION"
KERNEL=$(basename $(ls -1rv $BOOTDIR/vmlinu*generic.efi.signed 2>/dev/null))
fi
elif [ -f $TARGET_ROOT/etc/SuSE-release ]; then
KERNEL=$(basename $(readlink -e $BOOTDIR/vmlinuz))
RAMDISK=$(basename $(readlink -e $BOOTDIR/initrd))
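Review bot: The new `KERNEL=$(basename $(ls -1rv $BOOTDIR/vmlinu*generic.efi.signed 2>/dev/null))` line lacks the `| head -1` that the two lines above it use, and it selects by glob rather than by the version it has just loaded. With more than one signed kernel in `$BOOTDIR`, `basename` receives several operands and either errors or treats one as a suffix; with none it receives no operand, the `ls` error is hidden, and `KERNEL` may end up empty. Selecting by the recorded version, e.g. `KERNEL=$(basename "$(ls -1 $BOOTDIR/vmlinu[zx]-$DIB_SIGNED_KERNEL_VERSION)")`, and failing when the result is empty would keep the copied kernel consistent with the marker file. `select_boot_kernel_initrd` starts and ends outside this hunk.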


@ -166,6 +166,16 @@ function populate_lib () {
copy_required_libs "$path"
done
if [ -f /dib-signed-kernel-version ] ; then
. /dib-signed-kernel-version
fi
if [ -n "${DIB_SIGNED_KERNEL_VERSION:-}" ]; then
# Secure kernel module directory does not have efi.signed suffix to
# kernel version.
if echo $KERNEL_VERSION | grep -q 'efi.signed'; then
KERNEL_VERSION=`echo "$KERNEL_VERSION" |sed "s/\.efi\.signed//g"`
fi
fi
cp -a "$MODULE_DIR" "$TMP_MOUNT_PATH/lib/modules/$KERNEL_VERSION"
echo "Removing kernel framebuffer drivers to enforce text mode consoles..."
find $TMP_MOUNT_PATH/lib/modules/$KERNEL_VERSION/kernel/drivers/video -name '*fb.ko' -exec rm -v {} +
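Review bot: The `grep -q 'efi.signed'` guard in `populate_lib` is redundant and looser than the `sed` it protects: its dot is unescaped and `$KERNEL_VERSION` is unquoted, while `sed "s/\.efi\.signed//g"` is already a no-op when the suffix is absent. A single parameter expansion does the same job, `KERNEL_VERSION=${KERNEL_VERSION%.efi.signed}`, assuming the suffix only ever appears at the end. The assignment also rewrites the global `KERNEL_VERSION` from inside the function, so any later user of the variable sees the stripped name; if that is not intended, a `local` copy for the `cp` and `find` paths would avoid it. The function body begins and ends outside the hunk.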