From 07e5220f601292c9982b2953592685a1dee8531c Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Thu, 16 Apr 2015 15:55:02 -0700
Subject: [PATCH] Add the kernels to the ESP

Once we're signing the root filesystem, we're not going to be able to boot the kernel from there. Copy the kernel out to the EFI System Partition and sign it.
---
 build_library/build_image_util.sh | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index 733eb209ae..ff03d929d7 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -258,6 +258,11 @@ finish_image() {
 local disk_img="${BUILD_DIR}/${image_name}"
+ sudo mkdir -p "${root_fs_dir}/boot/coreos"
+ sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \
+ "${root_fs_dir}/boot/coreos/vmlinuz-a"
+ sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \
+ "${root_fs_dir}/boot/coreos/vmlinuz-b"
 # Record directories installed to the state partition.
 # Explicitly ignore entries covered by existing configs.
 local tmp_ignore=$(awk '/^[dDfFL]/ {print "--ignore=" $2}' \
@@ -293,6 +298,19 @@ finish_image() {
 sudo fstrim "${root_fs_dir}/usr" || true
 fi
+ # Sign the kernels after /usr is in a consistent state
+ if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+ sudo sbsign --key /usr/share/sb_keys/DB.key \
+ --cert /usr/share/sb_keys/DB.crt \
+ "${root_fs_dir}/boot/coreos/vmlinuz-a"
+ sudo mv "${root_fs_dir}/boot/coreos/vmlinuz-a.signed" \
+ "${root_fs_dir}/boot/coreos/vmlinuz-a"
+ sudo sbsign --key /usr/share/sb_keys/DB.key \
+ --cert /usr/share/sb_keys/DB.crt \
+ "${root_fs_dir}/boot/coreos/vmlinuz-b"
+ sudo mv "${root_fs_dir}/boot/coreos/vmlinuz-b.signed" \
+ "${root_fs_dir}/boot/coreos/vmlinuz-b"
+ fi
 rm -rf "${BUILD_DIR}"/configroot
 cleanup_mounts "${root_fs_dir}"
 trap - EXIT
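Review bot: The added `mkdir`/`cp` commands in the first hunk carry no comment and sit directly above `# Record directories installed to the state partition.`, which now reads as if it described them as well. A short comment and a blank line after the block would separate the two, for example `# Stage the kernel under /boot/coreos as vmlinuz-a and vmlinuz-b (presumably the A and B slots); it is signed later in finish_image.` The copies are made well before the signing step in the second hunk, so it is worth stating that the files under `/boot/coreos` are unsigned until then. finish_image's body starts and ends outside the hunk.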
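Review bot: When `COREOS_OFFICIAL` is 1 the signing block in the second hunk is skipped, so `vmlinuz-a` and `vmlinuz-b` stay unsigned on the boot partition and nothing here says where official images get their signature. If that is the intent, a comment such as `# Official builds are signed separately; this path uses the development DB key only.` would make it explicit. The private key is read from `/usr/share/sb_keys/DB.key`, a location that is normally world-readable on the build host, so it should be documented and treated as a non-production key. Neither `sbsign` call is checked before its `mv`: unless the script runs under `set -e` (not visible here), a failed signature shows up only as an `mv` error and the build can continue with an unsigned kernel. Adding `sudo sbverify --cert /usr/share/sb_keys/DB.crt "${root_fs_dir}/boot/coreos/vmlinuz-a"` after each `mv` (and the same for `-b`) would confirm the result; finish_image's body starts and ends outside the hunk.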