redhat: Directly use 'ukify' for building the UKI

vittyvk · vittyvk · commit b4df57359c9b · 2025-08-27T10:36:15.000+03:00
Upstream Status: RHEL only JIRA: https://issues.redhat.com/browse/RHEL-109610 dracut-107 switched to calling 'ukify' directly and this causes several issues: 1) '--uname' is not passed to 'ukify' by dracut, this triggers version autodetection which breaks on -debug kernels with e.g. Kernel version not specified, starting autodetection 😖. Cannot parse version-host-release uname string: b'6.17.0-0.rc2.24.fc44.x86_64+debug (mockbuild@fb2dab7653d446e38a376a74fe4e22a2) #1 SMP PREEMPT_DYNAMIC Mon Aug 18 16:54:37 UTC 20' + readelf --notes /builddir/build/BUILD/kernel-6.17.0-build/kernel-6.17-rc2/linux-6.17.0-0.rc2.24.fc44.x86_64/arch/x86/boot/bzImage readelf: Error: Not an ELF file - it has the wrong magic bytes at the start Cannot find b'Linux version (?P<version>\\d\\.\\S+) \\(' in /builddir/build/BUILD/kernel-6.17.0-build/kernel-6.17-rc2/linux-6.17.0-0.rc2.24.fc44.x86_64/arch/x86/boot/bzImage 2) 'ukify' expects SBAT data to begin with the standard 'sbat,1,SBAT Version,sbat,1,...' line but for kernel-uki-virt we only pass the addon ('kernel-uki-virt.<suffix>,1,...') as the header comes through systemd-stub. This leads to /var/tmp/dracut.dzt9WSC/uefi/uki.sbat does not contain a valid SBAT section, skipping. While it is possible to solve 2) by altering our SBAT data, 1) requires a dracut fix (dracut-ng/dracut-ng#1594). As there's no real benefit in using the dracut wrapper, switch to calling 'ukify' explicitly. Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
diff --git a/redhat/Makefile b/redhat/Makefile
@@ -761,6 +761,8 @@ sources-rh: $(TARBALL) $(KABI_TARBALL) $(KABIDW_TARBALL) generate-testpatch-tmp
 		README.rst \
 		kernel-local \
 		dracut-virt.conf \
+		uki.sbat.template \
+		uki-addons.sbat.template \
 		$(SOURCES)/
 	@changelog_glob="$(SPECPACKAGE_NAME).changelog-*"; \
 	[[ -n "$(AUTOMOTIVE_BUILD)" ]] && changelog_glob="kernel.changelog-*"; \
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
@@ -108,6 +108,17 @@ Summary: The Linux kernel
 %global signkernel 0
 %endif
 
+# RHEL/CentOS/Fedora specific .SBAT entries
+%if 0%{?centos}
+%global sbat_suffix centos
+%else
+%if 0%{?fedora}
+%global sbat_suffix fedora
+%else
+%global sbat_suffix rhel
+%endif
+%endif
+
 # Sign modules on all arches
 %global signmodules 1
 
@@ -989,6 +1000,9 @@ Source77: partial-clang_lto-aarch64-debug-snip.config
 Source80: generate_all_configs.sh
 Source81: process_configs.sh
 
+Source83: uki.sbat.template
+Source84: uki-addons.sbat.template
+
 Source86: dracut-virt.conf
 
 Source87: flavors
@@ -1977,6 +1991,10 @@ rm -f localversion-next localversion-rt
 	Documentation \
 	scripts/clang-tools 2> /dev/null
 
+# SBAT data
+sed -e s,@KVER,%{KVERREL}, -e s,@SBAT_SUFFIX,%{sbat_suffix}, %{SOURCE83} > uki.sbat
+sed -e s,@KVER,%{KVERREL}, -e s,@SBAT_SUFFIX,%{sbat_suffix}, %{SOURCE84} > uki-addons.sbat
+
 # only deal with configs if we are going to build for the arch
 %ifnarch %nobuildarches
 
@@ -2736,19 +2754,9 @@ BuildKernel() {
         SBATsuffix="rhel"
 %endif
 %endif
-        SBAT=$(cat <<- EOF
-	kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com
-	EOF
-	)
-
-        ADDONS_SBAT=$(cat <<- EOF
-	sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-	kernel-uki-virt-addons.$SBATsuffix,1,Red Hat,kernel-uki-virt-addons,$KernelVer,mailto:secalert@redhat.com
-	EOF
-	)
-
 	KernelUnifiedImageDir="$RPM_BUILD_ROOT/lib/modules/$KernelVer"
     	KernelUnifiedImage="$KernelUnifiedImageDir/$InstallName-virt.efi"
+	KernelUnifiedInitrd="$KernelUnifiedImageDir/$InstallName-virt.img"
 
     	mkdir -p $KernelUnifiedImageDir
 
@@ -2758,15 +2766,17 @@ BuildKernel() {
            --kver "$KernelVer" \
            --kmoddir "$RPM_BUILD_ROOT/lib/modules/$KernelVer/" \
            --logfile=$(mktemp) \
-           --uefi \
-           --sbat "$SBAT" \
-           --kernel-image $(realpath $KernelImage) \
-           --kernel-cmdline 'console=tty0 console=ttyS0' \
-	   $KernelUnifiedImage
+           $KernelUnifiedInitrd
+
+       ukify build --linux $(realpath $KernelImage) --initrd $KernelUnifiedInitrd \
+          --sbat @uki.sbat --os-release @/etc/os-release --uname $KernelVer \
+          --cmdline 'console=tty0 console=ttyS0' --output $KernelUnifiedImage
+
+       rm -f $KernelUnifiedInitrd
 
   KernelAddonsDirOut="$KernelUnifiedImage.extra.d"
   mkdir -p $KernelAddonsDirOut
-  python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} "$ADDONS_SBAT"
+  python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} @uki-addons.sbat
 
 %if %{signkernel}
 	%{log_msg "Sign the EFI UKI kernel"}
diff --git a/redhat/uki-addons.sbat.template b/redhat/uki-addons.sbat.template
@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+kernel-uki-virt-addons.@SBAT_SUFFIX,1,Red Hat,kernel-uki-virt-addons,@KVER,mailto:secalert@redhat.com
diff --git a/redhat/uki.sbat.template b/redhat/uki.sbat.template
@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+kernel-uki-virt.@SBAT_SUFFIX,1,Red Hat,kernel-uki-virt,@KVER,mailto:secalert@redhat.com

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md`
	`2`	`+kernel-uki-virt-addons.@SBAT_SUFFIX,1,Red Hat,kernel-uki-virt-addons,@KVER,mailto:secalert@redhat.com`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md`
	`2`	`+kernel-uki-virt.@SBAT_SUFFIX,1,Red Hat,kernel-uki-virt,@KVER,mailto:secalert@redhat.com`