#!/bin/ash readonly HOOK_NAME=ukify # Defaults backup_name='alpine-{flavor}.bak.efi' cmdline="@/etc/kernel/cmdline" output_dir='/boot/EFI/Linux' output_name='alpine-{flavor}.efi' signing_cert='/etc/uefi-keys/db.crt' signing_disabled=no signing_key='/etc/uefi-keys/db.key' die() { printf "$HOOK_NAME: %s\n" "$2" >&2 exit "$1" } if [ $# -lt 2 ]; then echo "Usage: $0 " >&2 exit 1 fi readonly FLAVOR="$1" readonly NEW_VERSION="$2" readonly OLD_VERSION="${3:-}" # Hook triggered for the kernel removal, nothing to do here. [ "$NEW_VERSION" ] || exit 0 . /etc/kernel-hooks.d/ukify.conf [ "$cmdline" ] \ || die 0 "cmdline is not specified in /etc/kernel-hooks.d/$HOOK_NAME.conf, skipping hook!" if [ "$signing_disabled" != yes ]; then [ -r "$signing_cert" ] \ || die 2 "ERROR: signing cert '$signing_cert' does not exist or not readable!" [ -r "$signing_key" ] \ || die 2 "ERROR: signing key '$signing_key' does not exist or not readable!" else # Unset both if disabled. signing_cert="" signing_key="" fi output_name=$(echo "$output_name" \ | sed "s/{flavor}/$FLAVOR/; s/{version}/$NEW_VERSION/") output="$output_dir/$output_name" microcode="" for path in /boot/intel-ucode.img /boot/amd-ucode.img; do [ -f "$path" ] && microcode="$path" done if [ "$backup_name" != yes ] && [ -f "$output" ]; then backup_name=$(echo "$backup_name" | sed "s/{flavor}/$FLAVOR/") cp -a "$output" "$output_dir/$backup_name" fi tmpdir=$(mktemp -dt "$HOOK_NAME.XXXXXX") trap "rm -f '$tmpdir'/*; rmdir '$tmpdir'" EXIT HUP INT TERM echo "==> $HOOK_NAME: creating initramfs" mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR" echo "==> $HOOK_NAME: creating and signing UKI" ukify build \ --uname "$NEW_VERSION-$FLAVOR" \ --linux "/boot/vmlinuz-$FLAVOR" \ --initrd "$tmpdir/initramfs" \ ${signing_cert:+--secureboot-certificate $signing_cert} \ ${signing_key:+--secureboot-private-key $signing_key} \ ${microcode:+--microcode $microcode} \ --cmdline "$cmdline" \ --output "$output"