From 20434d228245492c0d4b2cf5941dd0efb1e97334 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot <buildbot@flatcar-linux.org>
Date: Mon, 2 Mar 2026 07:29:10 +0000
Subject: [PATCH] sys-apps/kexec-tools: Sync with Gentoo

It's from Gentoo commit d7d60b7a56eafdcf5f03cf08c992309df7a212af.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
---
 .../sys-apps/kexec-tools/Manifest             |  1 -
 .../kexec-tools/files/kexec-auto-load         | 15 ++---
 ...ools-2.0.32-fix-uki-sig-verification.patch | 55 +++++++++++++++++++
 .../sys-apps/kexec-tools/files/kexec.service  | 16 ------
 ...31.ebuild => kexec-tools-2.0.32-r1.ebuild} |  5 +-
 5 files changed, 63 insertions(+), 29 deletions(-)
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec-tools-2.0.32-fix-uki-sig-verification.patch
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec.service
 rename sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/{kexec-tools-2.0.31.ebuild => kexec-tools-2.0.32-r1.ebuild} (94%)

diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/Manifest
index f04b250d20..c926a8ac5d 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/Manifest
@@ -1,2 +1 @@
-DIST kexec-tools-2.0.31.tar.xz 318468 BLAKE2B 075f1457dce9d4d6f0a3fa3cb9ed4cebfc51324fe0f3859b0cb009e1ebdb10d5df83c17d35ec55c479f1416f0836bf263d6ed814732037af6189565685f81afe SHA512 95cb7e7b33685497d72fab74fed2191e476c0574d6ad2333d9e22b95a94543b5fdafe0663282cfaebb8747cf696b7d34c308941ec1074b2b9f1ed440b32d7309
 DIST kexec-tools-2.0.32.tar.xz 325392 BLAKE2B 9cbd0ac706600ddaceabbffdde262d739394ede16572190ed467c8290495a6ba4921973ed332d26f776580191066f3361ce7c39d8e4af5184eec3f3b7b805be0 SHA512 60f120f8e46b9fb5dcf5a5b344ee8b303878ba9f71d58a3eefa1c9f044a6a2192b285154b738970263384c6e7281a854cd48a185334c08141aa4e6cf08230654
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec-auto-load b/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec-auto-load
index 62c828fd1c..7cb08c5a5b 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec-auto-load
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec-auto-load
@@ -20,17 +20,12 @@ if [[ -s ${instkern_state} ]]; then
 	fi
 fi
 
-if [[ ${LAYOUT} == uki ]]; then
-	echo "WARNING: kexec currently does not support UKIs"
-	KPARAM=
+if [[ -f /etc/kernel/cmdline ]]; then
+	KPARAM="$(tr -s "${IFS}" ' ' </etc/kernel/cmdline)"
+elif [[ -f /usr/lib/kernel/cmdline ]]; then
+	KPARAM="$(tr -s "${IFS}" ' ' </usr/lib/kernel/cmdline)"
 else
-	if [[ -f /etc/kernel/cmdline ]]; then
-		KPARAM="$(tr -s "${IFS}" ' ' </etc/kernel/cmdline)"
-	elif [[ -f /usr/lib/kernel/cmdline ]]; then
-		KPARAM="$(tr -s "${IFS}" ' ' </usr/lib/kernel/cmdline)"
-	else
-		KPARAM=
-	fi
+	KPARAM=
 fi
 
 
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec-tools-2.0.32-fix-uki-sig-verification.patch b/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec-tools-2.0.32-fix-uki-sig-verification.patch
new file mode 100644
index 0000000000..d7269c1f2c
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec-tools-2.0.32-fix-uki-sig-verification.patch
@@ -0,0 +1,55 @@
+From e18a71faae081d075c8d3ec559aa68a59295c739 Mon Sep 17 00:00:00 2001
+From: Pingfan Liu <piliu@redhat.com>
+Date: Fri, 5 Dec 2025 10:05:36 +0800
+Subject: [PATCH] UKI: Fix the size of real payload
+
+According to the PE file specification, each section's SizeOfRawData
+must be a multiple of FileAlignment (usually 512). So when ukify builds
+a UKI image, it pads the kernel image, initrd, etc. with zeros aligned
+to 512 bytes. The actual payload size is recorded in VirtualSize.
+
+Since the checksum includes the trailing zeros, this causes issues when
+loading a signed x86 bzImage, which is stored in the UKI's .linux
+section.
+
+Credit goes to Philipp, who analysed and pointed out this issue to me.
+
+Signed-off-by: Pingfan Liu <piliu@redhat.com>
+Cc: Philipp Rudo <prudo@redhat.com>
+Signed-off-by: Simon Horman <horms@kernel.org>
+---
+ include/pe.h      | 2 +-
+ kexec/kexec-uki.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/pe.h b/include/pe.h
+index 9ab3e79a..3fb923f1 100644
+--- a/include/pe.h
++++ b/include/pe.h
+@@ -116,7 +116,7 @@ struct section_header {
+ 	char name[8];			/* name or "/12\0" string tbl offset */
+ 	uint32_t virtual_size;		/* size of loaded section in ram */
+ 	uint32_t virtual_address;	/* relative virtual address */
+-	uint32_t raw_data_size;		/* size of the section */
++	uint32_t raw_data_size;		/* size of the section, padding to be multiple of FileAlignment */
+ 	uint32_t data_addr;		/* file pointer to first page of sec */
+ 	uint32_t relocs;		/* file pointer to relocation entries */
+ 	uint32_t line_numbers;		/* line numbers! */
+diff --git a/kexec/kexec-uki.c b/kexec/kexec-uki.c
+index 9888d7ea..fe86d613 100644
+--- a/kexec/kexec-uki.c
++++ b/kexec/kexec-uki.c
+@@ -71,11 +71,11 @@ int uki_image_probe(const char *file_buf, off_t buf_sz)
+ 		if (!strcmp(sect_hdr->name, UKI_LINUX_SECTION)) {
+ 			/* data_addr is relative to the whole file */
+ 			linux_src = (char *)file_buf + sect_hdr->data_addr;
+-			linux_sz = sect_hdr->raw_data_size;
++			linux_sz = sect_hdr->virtual_size;
+ 
+ 		} else if (!strcmp(sect_hdr->name, UKI_INITRD_SECTION)) {
+ 			create_tmpfd(FILENAME_UKI_INITRD, (char *)file_buf + sect_hdr->data_addr,
+-					sect_hdr->raw_data_size, &implicit_initrd_fd);
++					sect_hdr->virtual_size, &implicit_initrd_fd);
+ 		}
+ 		sect_hdr++;
+ 	}
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec.service b/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec.service
deleted file mode 100644
index 289aae0df0..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/files/kexec.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Gracefully restart the box
-Documentation=man:kexec(8)
-After=boot.mount
-Before=shutdown.target umount.target final.target
-ConditionPathExists=!/nokexec
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=/etc/kexec.conf
-ExecStart=/usr/sbin/kexec -l /boot/${KNAME} ${KEXEC_OPT_ARGS}
-ExecStop=/usr/sbin/kexec -l /boot/${KNAME} ${KEXEC_OPT_ARGS}
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/kexec-tools-2.0.31.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/kexec-tools-2.0.32-r1.ebuild
similarity index 94%
rename from sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/kexec-tools-2.0.31.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/kexec-tools-2.0.32-r1.ebuild
index 17dfc7b6df..bea3824cce 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/kexec-tools-2.0.31.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/kexec-tools/kexec-tools-2.0.32-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2025 Gentoo Authors
+# Copyright 1999-2026 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -11,7 +11,7 @@ if [[ ${PV} == "9999" ]] ; then
 else
 	SRC_URI="https://www.kernel.org/pub/linux/utils/kernel/kexec/${P/_/-}.tar.xz"
 	[[ "${PV}" == *_rc* ]] || \
-	KEYWORDS="amd64 arm64 ~ppc64 x86"
+	KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
 fi
 
 DESCRIPTION="Load another kernel from the currently executing Linux kernel"
@@ -40,6 +40,7 @@ CONFIG_CHECK="~KEXEC"
 PATCHES=(
 	"${FILESDIR}"/${PN}-2.0.4-disable-kexec-test.patch
 	"${FILESDIR}"/${PN}-2.0.4-out-of-source.patch
+	"${FILESDIR}"/${PN}-2.0.32-fix-uki-sig-verification.patch
 )
 
 src_prepare() {