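#!/bin/bash
# Build a unified kernel image (systemd EFI stub + os-release + kernel
# command line + kernel + initrd) and sign it for UEFI Secure Boot with
# the db key, then verify the signature before the image replaces the
# one in the ESP.
#
# Usage: run as root after a kernel or initramfs update. No arguments.
# Requires objcopy (binutils), sbsign/sbverify (sbsigntools), the
# systemd EFI stub and the signing key pair under ${PKI}.
#
# Fixes over the previous version: the script now aborts on the first
# failing step (a failed objcopy/sbsign no longer lets an unsigned or
# truncated image be moved into ${OUT}), the initrd parts are checked
# and concatenated explicitly instead of via a process substitution whose
# failure was invisible, and sbverify runs on the staged file *before*
# the mv rather than on the already-installed boot binary.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# make settings

# required stub file
readonly EFISTUB="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"

# signing keys -- KEY is the Secure Boot db private key; anything signed
# with it is trusted by this machine's firmware policy, so ${PKI} should
# stay readable by root only.
readonly PKI="/root/secureboot"
readonly KEY="${PKI}/db.key"
readonly CERT="${PKI}/db.crt"

# directories
readonly BOOT="/boot"
readonly ESP="${BOOT}/EFI"
readonly OUT="${ESP}/Linux"

# what's needed for a single kernel
readonly MICROCODE="${BOOT}/intel-ucode.img"
readonly ACPI_OVERRIDE="${BOOT}/acpi_override"
# concatenated in this order into the .initrd section
readonly INITRAMFS=("${MICROCODE}" "${ACPI_OVERRIDE}" "${BOOT}/initramfs-linux.img")
readonly SIGNED="${OUT}/vmlinuz-linux.efi"
# staging path: the image is only renamed to ${SIGNED} after it verifies
readonly STAGED="${SIGNED}.new"
# NOTE: /proc/cmdline embeds whatever the *running* kernel was booted
# with, including any one-off parameters typed at the boot menu; set a
# fixed string (see the commented example) for a reproducible image.
readonly CMDLINE="/proc/cmdline"
#CMDLINE="cryptdevice=/dev/disk/by-uuid/85dd7503-920c-44dc-a1a9-d0062752f7b5:main:allow-discards root=/dev/mapper/main-root resume=/dev/mapper/main-swap pcie_aspm=force pcie_aspm.policy=powersave rw audit=0 quiet"
readonly OSREL="/etc/os-release"

# dynamic osrelease info
readonly KERNEL="${BOOT}/vmlinuz-linux"

# temp file holding the concatenated initrd; removed by cleanup()
INITRD_TMP=""

#######################################
# Remove the staged image and the initrd temp file on any exit path.
# Globals:   INITRD_TMP (read), STAGED (read)
#######################################
cleanup() {
  rm -f -- "${INITRD_TMP}" "${STAGED}"
}

#######################################
# Bundle, sign and install the kernel image.
# Globals:   all settings above (read)
# Outputs:   writes ${SIGNED} (previous image kept as a -b backup)
# Returns:   exits non-zero on the first failing step
#######################################
main() {
  (( EUID == 0 )) || die "must run as root (writes to ${OUT} and reads ${KEY})"

  # fail early with a clear message instead of a partial objcopy run
  local f
  for f in "${EFISTUB}" "${KEY}" "${CERT}" "${KERNEL}" "${OSREL}" "${CMDLINE}" "${INITRAMFS[@]}"; do
    [[ -r "${f}" ]] || die "missing or unreadable input: ${f}"
  done
  [[ -d "${OUT}" ]] || die "output directory does not exist: ${OUT}"

  INITRD_TMP=$(mktemp) || die "mktemp failed"
  trap cleanup EXIT
  # explicit cat so a missing/unreadable part aborts under set -e
  cat -- "${INITRAMFS[@]}" > "${INITRD_TMP}"

  # bundle the pieces into a PE image on top of the stub
  # (section addresses kept as configured)
  objcopy "${EFISTUB}" "${STAGED}" \
    --add-section .osrel="${OSREL}" \
    --change-section-vma .osrel=0x0020000 \
    --add-section .cmdline="${CMDLINE}" \
    --change-section-vma .cmdline=0x0030000 \
    --add-section .linux="${KERNEL}" \
    --change-section-vma .linux=0x2000000 \
    --add-section .initrd="${INITRD_TMP}" \
    --change-section-vma .initrd=0x3000000

  # sign in place
  sbsign --key "${KEY}" --cert "${CERT}" --output "${STAGED}" "${STAGED}"

  # verify the staged image before it replaces the boot binary, so an
  # image that fails verification never ends up at ${SIGNED}
  sbverify --cert "${CERT}" "${STAGED}"
  mv -b -- "${STAGED}" "${SIGNED}"
}

main "$@"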