From a5ad7aa16b692c4da738808787bdcb899f4419e9 Mon Sep 17 00:00:00 2001
From: Maximilian Luz <luzmaximilian@gmail.com>
Date: Mon, 20 Jan 2020 23:01:01 +0100
Subject: [PATCH] Set-up secure-boot signing for Arch Linux

---
 .github/workflows/release.yml | 12 +++++++++++-
 pkg/arch/kernel/PKGBUILD      | 12 +++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6e9139537..a5d0d7e22 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,7 +24,17 @@ jobs:
       - name: Install build dependencies
         run: |
           # Install makepkg deps
-          pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
+          pacman -Sy sudo binutils fakeroot grep base-devel git sbsigntools --noconfirm
+
+      - name: Setup secureboot certificate
+        env:
+          SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+        run: |
+          cd pkg
+
+          # Install the surface secureboot certificate
+          echo "$SB_KEY" | base64 -d > arch/kernel/MOK.key
+          cp keys/surface.crt arch/kernel/MOK.crt
 
       - name: Build
         run: |
diff --git a/pkg/arch/kernel/PKGBUILD b/pkg/arch/kernel/PKGBUILD
index 441f51e37..ea82d8474 100644
--- a/pkg/arch/kernel/PKGBUILD
+++ b/pkg/arch/kernel/PKGBUILD
@@ -87,14 +87,24 @@ _package() {
   optdepends=('crda: to set the correct wireless channels of your country'
               'linux-firmware: firmware images needed for some devices')
 
+  local mok_crt="$PWD/MOK.crt"
+  local mok_key="$PWD/MOK.key"
+
   cd $_srcname
   local kernver="$(<version)"
   local modulesdir="$pkgdir/usr/lib/modules/$kernver"
+  local image_name="$(make -s image_name)"
+
+  # sign boot image if the prequisites are available
+  if [[ -f "$mok_crt" ]] && [[ -f "$mok_key" ]] && [[ -x "$(command -v sbsign)" ]]; then
+    msg2 "Signing boot image..."
+    sbsign --key "$mok_key" --cert "$mok_crt" --output "$image_name" "$image_name"
+  fi
 
   msg2 "Installing boot image..."
   # systemd expects to find the kernel here to allow hibernation
   # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
-  install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"
+  install -Dm644 "$image_name" "$modulesdir/vmlinuz"
 
   # Used by mkinitcpio to name the kernel
   echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"