mkosi-obs: when building DDI + UKI, update ESP after signing

If a DDI with an ESP is built, update the UKI after signing it

diff --git a/mkosi/resources/mkosi-obs/mkosi.build b/mkosi/resources/mkosi-obs/mkosi.build
index f297962eefbdb8ff10ab807cd847fa624327400a..6031ee157875d25d2f48d13ce4a0e9e3908d1cf7 100755 (executable)
--- a/mkosi/resources/mkosi-obs/mkosi.build
+++ b/mkosi/resources/mkosi-obs/mkosi.build
@@ -58,6 +58,23 @@ while read -r SIG; do
     fi
 
     rm -f "$(basename "${infile}").sattrs" "$SIG" "$infile"
+
+    # If there is a DDI with an ESP, add the UKI to it
+    if [ -f "${DEST%efi}raw" ] || [ -f "${DEST%efi}raw.zst" ]; then
+        if [ -f "${DEST%efi}raw.zst" ]; then
+            unzstd "${DEST%efi}raw.zst"
+        fi
+        offset="$(systemd-repart --json=short "${DEST%efi}raw" | jq -r '.[] | select(.type == "esp") | .offset')"
+        if [ "$offset" = "null" ]; then
+            rm -f "${DEST%efi}raw"
+            continue
+        fi
+        mcopy -o -i "${DEST%efi}raw@@${offset}" "$DEST" "::EFI/Linux/$(basename "$DEST")"
+        if [ -f "${DEST%efi}raw.zst" ]; then
+            zstd --force "${DEST%efi}raw"
+            rm -f "${DEST%efi}raw"
+        fi
+    fi
 done < <(find hashes/ukis hashes/kernels -type f \( -name '*efi.sig' -o -name 'vmlinu*.sig' \) -printf '%P\n')
 rm -rf nss-db "$OUTPUTDIR"/*.sig hashes/ukis