From ed2cce93d712eca6dba0f3d0da1fb96a2fc1e8bf Mon Sep 17 00:00:00 2001
From: Dermot Bradley
Date: Mon, 30 Oct 2023 00:10:24 +0000
Subject: [PATCH] main/secureboot-hook: add support for specifying with EFISTUB file to use
In addition to Gummiboot as a EFISTUB to use there is now also Stubbyboot and in future there may be other alternatives. Add a secureboot.conf option to specify the path to a EFISTUB to use so this is configurable.
---
 main/secureboot-hook/APKBUILD | 6 +++---
 main/secureboot-hook/secureboot.conf | 5 +++++
 main/secureboot-hook/secureboot.hook | 10 ++++++++++
 3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/main/secureboot-hook/APKBUILD b/main/secureboot-hook/APKBUILD
index e3cc79b10a9..976f359888c 100644
--- a/main/secureboot-hook/APKBUILD
+++ b/main/secureboot-hook/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Jakub Jirutka
 pkgname=secureboot-hook
 pkgver=0.2
-pkgrel=0
+pkgrel=1
 pkgdesc="A kernel hook for generating signed UEFI Unified Kernel Image"
 url="https://gitlab.alpinelinux.org/alpine/aports"
 arch="noarch !armhf !s390x !ppc64le !mips !mips64" # limited by sbsigntool
@@ -23,6 +23,6 @@ package() {
 }
 
 sha512sums="
-139a3d5c77db2924872ccdd4a9bb538eaed354c7954f2627e4befacb1e42588ad9ba9b9e25028068c28d50fbea01a764c8be0ab3d1115c99dc937b38e5b20ce8 secureboot.hook
-0432a9f38fff08abcfab336c1fecd4e7e45bfda6906fd846fd0fdb2608008460327654b99f38a1ce806723da257dc57fbdf81398f0e038bc42b87e6f3064822a secureboot.conf
+8cf0ea83f32f7cc546f2235dcf0258ada36cf738c5738d6ac31b935b158ac40de51d53784c310810be0f8f6ce3947d9e09d781eab716f6cc303948d47384f6a8 secureboot.hook
+0777b1ec63d7d21a2144737fb913a52b8deedadbec69b7450799c228950adf9213d5d40e52617841dbae3bf4451f37a18f833e94860fab2c7779779b5fa9f66d secureboot.conf
 "
diff --git a/main/secureboot-hook/secureboot.conf b/main/secureboot-hook/secureboot.conf
index d25229b0f26..39118c9e5a1 100644
--- a/main/secureboot-hook/secureboot.conf
+++ b/main/secureboot-hook/secureboot.conf
@@ -44,3 +44,8 @@ cmdline=
 # Kernel flavors to skip this hook for (e.g. "edge virt"). If empty, it runs
 # for all installed flavors.
 #skip_flavors=
+
+# Absolute path to the EFI Stub file to use. It can contain placeholders:
+# '{march}' will be replaced with the machine's architecture (e.g. "aa64",
+# "x64").
+#efistub_file="/usr/lib/gummiboot/linux{march}.efi.stub"
diff --git a/main/secureboot-hook/secureboot.hook b/main/secureboot-hook/secureboot.hook
index 86acd8ee6f8..39b778d6663 100644
--- a/main/secureboot-hook/secureboot.hook
+++ b/main/secureboot-hook/secureboot.hook
@@ -16,6 +16,7 @@ output_dir='/boot/efi/Alpine'
 output_name='linux-{flavor}.efi'
 backup_old=yes
 skip_flavors=
+efistub_file='/usr/lib/gummiboot/linux{march}.efi.stub'
 
 die() {
 	printf "$HOOK_NAME: %s\n" "$2" >&2
@@ -31,6 +32,13 @@ fi
 readonly FLAVOR=$1
 readonly NEW_VERSION=$2
 readonly OLD_VERSION=${3:-}
+case "$(cat /etc/apk/arch)" in
+	aarch64) readonly MARCH="aa64";;
+	arm*) readonly MARCH="arm";;
+	riscv64) readonly MARCH="riscv64";;
+	x86) readonly MARCH="ia32";;
+	x86_64) readonly MARCH="x64";;
+esac
 
 # Hook triggered for the kernel removal, nothing to do here.
 [ "$NEW_VERSION" ] || exit 0
@@ -57,6 +65,7 @@ vmlinuz="/boot/vmlinuz-$FLAVOR"
 output_name=$(echo "$output_name" \
 	| sed "s/{flavor}/$FLAVOR/; s/{version}/$NEW_VERSION/")
 output="$output_dir/$output_name"
+efistub_file=$(echo "$efistub_file" | sed "s/{march}/$MARCH/")
 
 [ "$microcode" ] || for path in /boot/intel-ucode.img /boot/amd-ucode.img; do
 	[ -f "$path" ] && microcode="$path"
@@ -75,6 +84,7 @@ echo "==> $HOOK_NAME: creating UEFI Unified Kernel Image with $vmlinuz"
 /usr/bin/efi-mkuki \
 	-c "$cmdline" \
 	-s "$splash_image" \
+	-S "$efistub_file" \
 	-o "$tmpdir"/unsigned.efi \
 	"$vmlinuz" $microcode "$tmpdir"/initramfs
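Review bot: The new `case "$(cat /etc/apk/arch)" in` block in the `@@ -31,6 +32,13 @@` hunk has no default arm, so on any architecture not listed (or when /etc/apk/arch cannot be read, since the command substitution's failure is not checked) MARCH is never assigned; the later `sed "s/{march}/$MARCH/"` then substitutes an empty string and the hook fails much later with an unclear efi-mkuki error about a stub path that does not exist, or aborts with an unset-variable error if the script runs under `set -u` (the `set` line is outside the hunk). Add a terminating arm such as `*) die 1 "unsupported architecture: $(cat /etc/apk/arch)";;` before `esac` — the `die` body continues outside the hunk, but its visible `printf` line shows the message is taken as the second argument, so the first-argument status is inferred. As a point of style, assigning a plain value in each arm and issuing a single `readonly MARCH` after `esac` would avoid repeating `readonly` five times.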
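Review bot: In the `@@ -57,6 +65,7 @@` hunk the substituted `efistub_file` is never checked for existence before it is passed to efi-mkuki, and because the value now comes from the user-editable secureboot.conf a typo in the configured path only surfaces as a failure deep inside the UKI build on the temporary file. Add `[ -f "$efistub_file" ] || die 1 "EFI stub file not found: $efistub_file"` immediately after the assignment so the hook fails early with a message naming the configured path. The `echo | sed` form mirrors the existing `output_name` substitution above it, so keeping that idiom for consistency is reasonable.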