Last active
November 25, 2018 19:08
-
-
Save garymacindoe/5a90f7152c758709fade to your computer and use it in GitHub Desktop.
Compiles and installs two versions of a new kernel source - one with an EFI stub loader and one without - using the running kernel's config as a template (requires /proc/config.gz)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Author: Gary Macindoe | |
| # Date: November 2014 | |
| set -eu | |
| EFI_KEYS="/root/efi" | |
| LINUX_SOURCE="/usr/src/linux" | |
| LINUX_CONFIG="${LINUX_SOURCE}/.config" | |
| MAKEOPTS="${MAKEOPTS:--j9}" | |
| V=${V:-0} | |
| if [ ! -e "${LINUX_CONFIG}" ] | |
| # If there is no existing .config, create one from the running kernel and 'make oldconfig' | |
| then | |
| make -C"${LINUX_SOURCE}" V=${V} distclean | |
| echo "zcat /proc/config.gz > ${LINUX_CONFIG}" | |
| zcat /proc/config.gz > "${LINUX_CONFIG}" | |
| make -C"${LINUX_SOURCE}" V=${V} oldconfig | |
| else | |
| # If there is an existing .config, move it out of the way while we clean the old binaries | |
| temp_config="$(mktemp)" | |
| cp -v "${LINUX_CONFIG}" "${temp_config}" | |
| make -C"${LINUX_SOURCE}" V=${V} distclean | |
| cp -v "${temp_config}" "${LINUX_CONFIG}" | |
| rm -v "${temp_config}" | |
| fi | |
| # Build the kernel, modules and install the modules | |
| make -C"${LINUX_SOURCE}" V=${V} ${MAKEOPTS} | |
| make -C"${LINUX_SOURCE}" V=${V} ${MAKEOPTS} modules | |
| make -C"${LINUX_SOURCE}" V=${V} ${MAKEOPTS} modules_install | |
| # Rebuild external modules | |
| emerge @module-rebuild | |
| SIGN="$(sed -ne 's/CONFIG_MODULE_SIG_FORCE=\(.\)$/\1/p' "${LINUX_CONFIG}")" | |
| if [[ "${SIGN}" == y ]] | |
| then | |
| SIG_HASH="$(sed -ne 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$/\1/p' "${LINUX_CONFIG}")" | |
| SIG_KEY="$(sed -ne 's/^CONFIG_MODULE_SIG_KEY="\(.*\)"$/\1/p' "${LINUX_CONFIG}")" | |
| SIG_CERT="${SIG_KEY%%.pem}.x509" | |
| fi | |
| COMPRESS="$(sed -ne 's/CONFIG_MODULE_COMPRESS=\(.\)$/\1/p' "${LINUX_CONFIG}")" | |
| if [[ "${COMPRESS}" == y ]] | |
| then | |
| case "$(sed -ne 's/^CONFIG_MODULE_COMPRESS_\(.*\)=y$/\L\1/p' "${LINUX_CONFIG}")" in | |
| gzip) | |
| COMPRESSOR="gzip -9" | |
| ;; | |
| xz) | |
| COMPRESSOR="${LINUX_SOURCE}/scripts/xz_wrap.sh" | |
| ;; | |
| *) | |
| echo "Unknown module compression!" | |
| exit 1 | |
| ;; | |
| esac | |
| fi | |
| # Sign and compress external modules, if needed | |
| if [[ "${SIGN}" == y ]] || [[ "${COMPRESS}" == y ]] | |
| then | |
| for module in $(equery files @module-rebuild | grep "^/lib/modules") | |
| do | |
| if [[ "${SIGN}" == "y" ]] | |
| then | |
| "${LINUX_SOURCE}/scripts/sign-file" ${SIG_HASH} "${LINUX_SOURCE}/${SIG_KEY}" "${LINUX_SOURCE}/${SIG_CERT}" "${module}" | |
| fi | |
| if [[ "${COMPRESS}" == "y" ]] | |
| then | |
| "${COMPRESSOR}" < "${module}" > "${module}.xz" && rm "${module}" | |
| fi | |
| done | |
| depmod -v | |
| fi | |
| # Sign the kernel | |
| sbsign --key="${EFI_KEYS}/db.key" --cert="${EFI_KEYS}/db.crt" "${LINUX_SOURCE}/arch/x86/boot/bzImage" | |
| # Mount /boot/efi | |
| if ! grep -qs /boot/efi /proc/mounts | |
| then | |
| mount -v /boot/efi | |
| fi | |
| # Copy the signed kernel into place | |
| cp -v "/boot/efi/EFI/Gentoo/bootx64.efi" "/boot/efi/EFI/Gentoo/bootx64.efi.old" | |
| cp -v "${LINUX_SOURCE}/arch/x86/boot/bzImage.signed" "/boot/efi/EFI/Gentoo/bootx64.efi" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment