Make UKIs using objcopy; a minimal subset of ukify.
Mildly a ripoff of efi-mkuki, and uses the Arch Linux wiki's method of calculating offsets for every section.
- An EFI stub from either systemd-boot or gummiboot (either installed or copied into the current working directory)
- objdump, objcopy (usually packaged as binutils): used to read off information about the EFI stub, then to append sections to the EFI stub
- Python 3.9
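The objdump/objcopy steps described above, as an added sketch that is not ukiki's own code: it takes the first free address past the stub's last section and starts every new section on a SectionAlignment boundary. All function names, the sample objdump text and the payload sizes are constructed for illustration.

```python
import re

# Constructed objdump output for a hypothetical stub; not taken from a real file.
SAMPLE_P = "ImageBase\t\t0000000000000000\nSectionAlignment\t00001000\n"
SAMPLE_H = """\
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         0000e2e0  0000000000001000  0000000000001000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rodata       00003a10  0000000000010000  0000000000010000  0000e800  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .reloc        0000000c  0000000000014000  0000000000014000  00012400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
"""

def section_alignment(objdump_p: str) -> int:
    """SectionAlignment from `objdump -p`, printed there as bare hex."""
    m = re.search(r"^SectionAlignment\s+([0-9a-fA-F]+)", objdump_p, re.M)
    if m is None:
        raise ValueError("no SectionAlignment field; is this a PE file?")
    return int(m.group(1), 16)

def stub_end(objdump_h: str) -> int:
    """Highest VMA + Size over the section rows of `objdump -h`."""
    end = 0
    for line in objdump_h.splitlines():
        f = line.split()
        if len(f) == 7 and f[0].isdigit():  # Idx Name Size VMA LMA Off Algn
            end = max(end, int(f[3], 16) + int(f[2], 16))
    if end == 0:
        raise ValueError("no section rows found")
    return end

def align_up(value: int, align: int) -> int:
    return (value + align - 1) // align * align

def plan(objdump_h: str, align: int, sizes: dict) -> dict:
    """Map each new section to a VMA past the stub, in dict order."""
    offs, layout = align_up(stub_end(objdump_h), align), {}
    for name, size in sizes.items():
        layout[name] = offs
        offs = align_up(offs + size, align)  # next section starts on a boundary
    return layout

def objcopy_args(layout: dict, paths: dict) -> list:
    args = []
    for name, vma in layout.items():
        args += ["--add-section", f"{name}={paths[name]}",
                 "--change-section-vma", f"{name}={vma:#x}"]
    return args
```

The list returned by `objcopy_args` is meant to sit between `objcopy` and the stub and output paths; overlapping VMAs are the usual reason a hand-built UKI fails to boot, which is why every section is placed from the running offset rather than a fixed address.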
usage: ukiki [-h] -l LINUX -i INITRD -r OSREL [-s SPLASH] [-c CMDLINE] [-e EFISTUB] [-A ARCH] output
ukiki.py: error: the following arguments are required: output, -l/--linux, -i/--initrd, -r/--osrel
While you don't strictly need an os-release (-r/--osrel)
to build a UKI, systemd-boot (and possibly rEFInd?)
won't accept a UKI without an .osrel section.
If you're in need of an os-release and /etc/os-release won't do,
the following should suffice as a template.
NAME=ook!
ID=ukiki
PRETTY_NAME=ook!
Refer to os-release(5) for more information.
./src/ukiki.py is a self-contained Python script
that only depends on the stdlib, so you can copy it to anywhere in PATH.
You can also use pipx to install.
Signing is out of scope because external tools do this better.
You can use sbsign to sign the generated UKI with
the same key/cert you use to sign your kernel normally.
$ sbsign --key /etc/mok.key --cert /etc/mok.crt uki.efi --output uki.signed.efi
As far as I've been told, bootsplash is a to-do feature and will have no effect right now (as of kernel 6.14).
To my knowledge, the initramfs generators Dracut, ugrd, and mkinitcpio will produce a microcode-attached initramfs.
If your initramfses were generated by these tools, it is not necessary to attach a microcode initramfs. In the event that your initramfs does not have microcode attached, you should attach your own.
Refer to the shell script in
https://www.kernel.org/doc/html/latest/arch/x86/microcode.html
for generating your own if /boot/*-ucode.img is absent from your
system.