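#!/bin/bash
# make settings
#
# Bundle kernel + microcode + ACPI override + initramfs into a single
# systemd-stub EFI image, sign it with the Secure Boot db key, verify the
# signature, and only then install it into the ESP (keeping a backup of the
# previous image).  Every step is fatal on failure so a half-built or
# unverified image is never left in place.
set -euo pipefail

# required stub file
EFISTUB="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"

# signing keys
PKI="/root/secureboot"
KEY="${PKI}/db.key"
CERT="${PKI}/db.crt"

# directories
BOOT="/boot"
ESP="${BOOT}/EFI"
OUT="${ESP}/Linux"

# what's needed for a single kernel
MICROCODE="${BOOT}/intel-ucode.img"
ACPI_OVERRIDE="${BOOT}/acpi_override"
# initrd pieces, concatenated in this order (microcode cpio first) — an array
# rather than a space-separated string so paths with spaces cannot break it
INITRAMFS=("${MICROCODE}" "${ACPI_OVERRIDE}" "${BOOT}/initramfs-linux.img")
SIGNED="${OUT}/vmlinuz-linux.efi"
#CMDLINE="/proc/cmdline"
CMDLINE="${PKI}/cmdline.txt"
OSREL="/etc/os-release"

# dynamic osrelease info
KERNEL="${BOOT}/vmlinuz-linux"
# shellcheck disable=SC2034  # not consumed below; kept for anything that sources these settings
KERNELVER="$(strings "${KERNEL}" | sed -n '/gcc version/s/^\([^ ]\+\).*/\1/p')"

# fail early, before anything in the ESP is touched, if an input is missing
for f in "${EFISTUB}" "${KEY}" "${CERT}" "${OSREL}" "${CMDLINE}" "${KERNEL}" "${INITRAMFS[@]}"; do
  [[ -r "${f}" ]] || { printf 'missing or unreadable input: %s\n' "${f}" >&2; exit 1; }
done

# scratch files live next to the target so the final mv is a same-filesystem rename
cd "${OUT}"
UNSIGNED="vmlinuz-linux.efi.new"
NEWSIGNED="vmlinuz-linux.efi.new-signed"
INITRD_TMP="$(mktemp -p "${OUT}" initrd.XXXXXX)"
# remove scratch files on every exit path, including failures mid-way
cleanup() { rm -f -- "${UNSIGNED}" "${NEWSIGNED}" "${INITRD_TMP}"; }
trap cleanup EXIT

# concatenate the initrd pieces into a regular file: objcopy sizes the new
# section from the input file, which a pipe / process substitution does not
# provide reliably across binutils versions
cat -- "${INITRAMFS[@]}" > "${INITRD_TMP}"

# bundle the kernel binary
objcopy "${EFISTUB}" "${UNSIGNED}" \
  --add-section .osrel="${OSREL}" \
  --change-section-vma .osrel=0x20000 \
  --add-section .cmdline="${CMDLINE}" \
  --change-section-vma .cmdline=0x30000 \
  --add-section .linux="${KERNEL}" \
  --change-section-vma .linux=0x40000 \
  --add-section .initrd="${INITRD_TMP}" \
  --change-section-vma .initrd=0x3000000

# sign it
sbsign --key "${KEY}" --cert "${CERT}" --output "${NEWSIGNED}" "${UNSIGNED}"

# verify BEFORE installing: a signature that does not check out must never
# replace the currently bootable image
sbverify --cert "${CERT}" "${NEWSIGNED}"

# -b keeps the previous image as vmlinuz-linux.efi~ for rollback
mv -b -- "${NEWSIGNED}" "${SIGNED}"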