debian-uki/build-uki.sh


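#!/usr/bin/env bash
#
# Build a Unified Kernel Image (UKI) from the kernel and initrd that
# variables.conf points to, optionally build a Xen UKI, sign the result(s) for
# Secure Boot, and optionally install the UKI as the EFI default boot image.
#
# Settings read from variables.conf (located next to this script):
#   path_to_vmlinuz_link   directory holding vmlinuz and initrd.img (required)
#   path_to_uki            output path of the UKI (required)
#   xen_hypervisor         "yes" to also build a Xen UKI
#   path_to_xen_uki        output path of the Xen UKI (required with Xen)
#   secureboot_enabled     "yes" to sign the image(s) with the db key
#   set_efi_default_image  "yes" to copy the UKI to /efi/EFI/BOOT/BOOTX64.EFI
#
# SECURITY: variables.conf is executed as shell code and its values are passed
# to commands run through sudo, so the file (and this script's directory) must
# be writable only by root. The same applies to the signing key below: anyone
# who can read db.key can produce images that Secure Boot will accept.

# Fail fast: a failed build or signing step must never be followed by the
# copy to the default boot path, and must not be reported as success.
set -Eeo pipefail

die() {
  printf 'build-uki: %s\n' "$*" >&2
  exit 1
}

trap 'printf "build-uki: command failed at line %s\n" "$LINENO" >&2' ERR

readonly sb_key=/etc/secureboot/full/db.key
readonly sb_cert=/etc/secureboot/full/db.crt
readonly efi_default_image=/efi/EFI/BOOT/BOOTX64.EFI

run_directory=$(dirname -- "$(readlink -f -- "$0")")
config_file="$run_directory/variables.conf"
[[ -f "$config_file" ]] || die "missing configuration file: $config_file"
# shellcheck source=/dev/null
source "$config_file"

# An empty path_to_vmlinuz_link is allowed (it resolves to /vmlinuz), but the
# variable has to be defined; the output path must not be empty.
[[ -n "${path_to_vmlinuz_link+set}" ]] \
  || die "path_to_vmlinuz_link is not set in $config_file"
[[ -n "${path_to_uki:-}" ]] || die "path_to_uki is not set in $config_file"

kernel_image="$path_to_vmlinuz_link/vmlinuz"
initrd_image="$path_to_vmlinuz_link/initrd.img"

# Prefix privileged commands with sudo unless already running as root.
as_root=()
if (( EUID != 0 )); then
  as_root=(sudo)
fi

# Sign an EFI image in place with the Secure Boot db key.
sign_image() {
  local image=$1
  "${as_root[@]}" sbsign --key "$sb_key" --cert "$sb_cert" \
    --output "$image" "$image"
}

# Build UKI
if [ -x /usr/bin/ukify ]; then
  echo "Building UKI using systemd-ukify..."
  "${as_root[@]}" ukify build \
    --linux "$kernel_image" --initrd "$initrd_image" \
    --cmdline @/etc/kernel/cmdline --output "$path_to_uki"
else
  echo "Building UKI using objcopy..."
  # The section addresses are fixed. NOTE(review): .linux starts at 0x40000
  # and .initrd at 0x3000000, so a kernel image larger than that gap would
  # overlap the initrd section; confirm the kernel stays below it.
  "${as_root[@]}" objcopy \
    --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
    --add-section .cmdline="/etc/kernel/cmdline" --change-section-vma .cmdline=0x30000 \
    --add-section .linux="$kernel_image" --change-section-vma .linux=0x40000 \
    --add-section .initrd="$initrd_image" --change-section-vma .initrd=0x3000000 \
    /usr/lib/systemd/boot/efi/linuxx64.efi.stub "$path_to_uki"
fi

build_xen=no
if [[ "${xen_hypervisor:-}" == "yes" ]]; then
  build_xen=yes
  [[ -n "${path_to_xen_uki:-}" ]] \
    || die "xen_hypervisor is enabled but path_to_xen_uki is not set"
  echo "Building UKI for Xen..."
  "${as_root[@]}" objcopy \
    --add-section .config=/boot/xen.cfg --change-section-vma .config=0xffff82d041000000 \
    --add-section .kernel="$kernel_image" --change-section-vma .kernel=0xffff82d041100000 \
    --add-section .ramdisk="$initrd_image" --change-section-vma .ramdisk=0xffff82d042000000 \
    /boot/xen.efi "$path_to_xen_uki"
fi

# Sign UKI. The kernel, initrd and command line were embedded above, so the
# signature covers all of them.
if [[ "${secureboot_enabled:-}" == "yes" ]]; then
  sign_image "$path_to_uki"
  if [[ "$build_xen" == "yes" ]]; then
    sign_image "$path_to_xen_uki"
  fi
fi

# If needed, copy UKI to EFI default boot path. This runs only after every
# build and signing step above has succeeded.
if [[ "${set_efi_default_image:-}" == "yes" ]]; then
  "${as_root[@]}" cp -- "$path_to_uki" "$efi_default_image"
fi
exit 0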