Make sure we output signed kernel instead of unsigned kernel

Fixes #1589

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 98e10e4d80634e4ba1c1af97e8e3367ef2f1e5a7..611c9ca717b0d7b7bd7e8dfc41e09ab6f5b58f80 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -773,6 +773,20 @@ def install_unified_kernel(state: MkosiState, roothash: Optional[str]) -> None:
             if not (state.staging / state.config.output_split_uki).exists():
                 shutil.copy(boot_binary, state.staging / state.config.output_split_uki)
 
+                # ukify will have signed the kernel image as well. Let's make sure we put the signed kernel
+                # image in the output directory instead of the unsigned one by reading it from the UKI.
+
+                import pefile  # type: ignore
+                pe = pefile.PE(boot_binary, fast_load=True)
+                linux = {s.Name.decode().strip("\0"): s for s in pe.sections}[".linux"]
+                run(["dd",
+                     f"if={boot_binary}",
+                     f"of={state.staging / state.config.output_split_kernel}",
+                     f"skip={linux.PointerToRawData}",
+                     # Get the actual size using Misc_VirtualSize instead of the aligned size from SizeOfRawData.
+                     f"count={linux.Misc_VirtualSize}",
+                     "iflag=skip_bytes,count_bytes"])
+
             print_output_size(boot_binary)
 
     if state.config.bootable == ConfigFeature.enabled and not (state.staging / state.config.output_split_uki).exists():