garymacindoe · November 25, 2018 19:08
diff --git a/upgrade-kernel b/upgrade-kernel
 #!/bin/bash
 #
 # Author: Gary Macindoe
 # Date: November 2014

 set -eu

 EFI_KEYS="/root/efi"

 LINUX_SOURCE="/usr/src/linux"
 LINUX_CONFIG="${LINUX_SOURCE}/.config"

 MAKEOPTS="${MAKEOPTS:--j9}"
 V=${V:-0}

 if [ ! -e "${LINUX_CONFIG}" ]
 # If there is no existing .config, create one from the running kernel and 'make oldconfig'
 then
 	make -C"${LINUX_SOURCE}" V=${V} distclean
 	echo "zcat /proc/config.gz > ${LINUX_CONFIG}"
 	zcat /proc/config.gz > "${LINUX_CONFIG}"
 	make -C"${LINUX_SOURCE}" V=${V} oldconfig
 else
 # If there is an existing .config, move it out of the way while we clean the old binaries
 	temp_config="$(mktemp)"
 	cp -v "${LINUX_CONFIG}" "${temp_config}"
 	make -C"${LINUX_SOURCE}" V=${V} distclean
 	cp -v "${temp_config}" "${LINUX_CONFIG}"
 	rm -v "${temp_config}"
 fi

 # Build the kernel, modules and install the modules
 make -C"${LINUX_SOURCE}" V=${V} ${MAKEOPTS}
 make -C"${LINUX_SOURCE}" V=${V} ${MAKEOPTS} modules
 make -C"${LINUX_SOURCE}" V=${V} ${MAKEOPTS} modules_install

 # Rebuild external modules
 emerge @module-rebuild

 SIGN="$(sed -ne 's/CONFIG_MODULE_SIG_FORCE=\(.\)$/\1/p' "${LINUX_CONFIG}")"
 if [[ "${SIGN}" == y ]]
 then
 	SIG_HASH="$(sed -ne 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$/\1/p' "${LINUX_CONFIG}")"
 	SIG_KEY="$(sed -ne 's/^CONFIG_MODULE_SIG_KEY="\(.*\)"$/\1/p' "${LINUX_CONFIG}")"
 	SIG_CERT="${SIG_KEY%%.pem}.x509"
 fi

 COMPRESS="$(sed -ne 's/CONFIG_MODULE_COMPRESS=\(.\)$/\1/p' "${LINUX_CONFIG}")"
 if [[ "${COMPRESS}" == y ]]
 then
 	case "$(sed -ne 's/^CONFIG_MODULE_COMPRESS_\(.*\)=y$/\L\1/p' "${LINUX_CONFIG}")" in
 	gzip)
 		COMPRESSOR="gzip -9"
 		;;
 	xz)
 		COMPRESSOR="${LINUX_SOURCE}/scripts/xz_wrap.sh"
 		;;
 	*)
 		echo "Unknown module compression!"
 		exit 1
 		;;
 	esac
 fi

 # Sign and compress external modules, if needed
 if [[ "${SIGN}" == y ]] || [[ "${COMPRESS}" == y ]]
 then
 	for module in $(equery files @module-rebuild | grep "^/lib/modules")
 	do
 		if [[ "${SIGN}" == "y" ]]
 		then
 			"${LINUX_SOURCE}/scripts/sign-file" ${SIG_HASH} "${LINUX_SOURCE}/${SIG_KEY}" "${LINUX_SOURCE}/${SIG_CERT}" "${module}"
 		fi

 		if [[ "${COMPRESS}" == "y" ]]
 		then
 			"${COMPRESSOR}" < "${module}" > "${module}.xz" && rm "${module}"
 		fi
 	done
 	depmod -v
 fi

 # Sign the kernel
 sbsign --key="${EFI_KEYS}/db.key" --cert="${EFI_KEYS}/db.crt" "${LINUX_SOURCE}/arch/x86/boot/bzImage"

 # Mount /boot/efi
 if ! grep -qs /boot/efi /proc/mounts
 then
 	mount -v /boot/efi
 fi

 # Copy the signed kernel into place
 cp -v "/boot/efi/EFI/Gentoo/bootx64.efi" "/boot/efi/EFI/Gentoo/bootx64.efi.old"
 cp -v "${LINUX_SOURCE}/arch/x86/boot/bzImage.signed" "/boot/efi/EFI/Gentoo/bootx64.efi"
	#!/bin/bash
	#
	# Author: Gary Macindoe
	# Date: November 2014

	set -eu

	EFI_KEYS="/root/efi"

	LINUX_SOURCE="/usr/src/linux"
	LINUX_CONFIG="${LINUX_SOURCE}/.config"

	MAKEOPTS="${MAKEOPTS:--j9}"
	V=${V:-0}

	if [ ! -e "${LINUX_CONFIG}" ]
	# If there is no existing .config, create one from the running kernel and 'make oldconfig'
	then
	make -C"${LINUX_SOURCE}" V=${V} distclean
	echo "zcat /proc/config.gz > ${LINUX_CONFIG}"
	zcat /proc/config.gz > "${LINUX_CONFIG}"
	make -C"${LINUX_SOURCE}" V=${V} oldconfig
	else
	# If there is an existing .config, move it out of the way while we clean the old binaries
	temp_config="$(mktemp)"
	cp -v "${LINUX_CONFIG}" "${temp_config}"
	make -C"${LINUX_SOURCE}" V=${V} distclean
	cp -v "${temp_config}" "${LINUX_CONFIG}"
	rm -v "${temp_config}"
	fi

	# Build the kernel, modules and install the modules
	make -C"${LINUX_SOURCE}" V=${V} ${MAKEOPTS}
	make -C"${LINUX_SOURCE}" V=${V} ${MAKEOPTS} modules
	make -C"${LINUX_SOURCE}" V=${V} ${MAKEOPTS} modules_install

	# Rebuild external modules
	emerge @module-rebuild

	SIGN="$(sed -ne 's/CONFIG_MODULE_SIG_FORCE=\(.\)$/\1/p' "${LINUX_CONFIG}")"
	if [[ "${SIGN}" == y ]]
	then
	SIG_HASH="$(sed -ne 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$/\1/p' "${LINUX_CONFIG}")"
	SIG_KEY="$(sed -ne 's/^CONFIG_MODULE_SIG_KEY="\(.*\)"$/\1/p' "${LINUX_CONFIG}")"
	SIG_CERT="${SIG_KEY%%.pem}.x509"
	fi

	COMPRESS="$(sed -ne 's/CONFIG_MODULE_COMPRESS=\(.\)$/\1/p' "${LINUX_CONFIG}")"
	if [[ "${COMPRESS}" == y ]]
	then
	case "$(sed -ne 's/^CONFIG_MODULE_COMPRESS_\(.*\)=y$/\L\1/p' "${LINUX_CONFIG}")" in
	gzip)
	COMPRESSOR="gzip -9"
	;;
	xz)
	COMPRESSOR="${LINUX_SOURCE}/scripts/xz_wrap.sh"
	;;
	*)
	echo "Unknown module compression!"
	exit 1
	;;
	esac
	fi

	# Sign and compress external modules, if needed
	if [[ "${SIGN}" == y ]] \|\| [[ "${COMPRESS}" == y ]]
	then
	for module in $(equery files @module-rebuild \| grep "^/lib/modules")
	do
	if [[ "${SIGN}" == "y" ]]
	then
	"${LINUX_SOURCE}/scripts/sign-file" ${SIG_HASH} "${LINUX_SOURCE}/${SIG_KEY}" "${LINUX_SOURCE}/${SIG_CERT}" "${module}"
	fi

	if [[ "${COMPRESS}" == "y" ]]
	then
	"${COMPRESSOR}" < "${module}" > "${module}.xz" && rm "${module}"
	fi
	done
	depmod -v
	fi

	# Sign the kernel
	sbsign --key="${EFI_KEYS}/db.key" --cert="${EFI_KEYS}/db.crt" "${LINUX_SOURCE}/arch/x86/boot/bzImage"

	# Mount /boot/efi
	if ! grep -qs /boot/efi /proc/mounts
	then
	mount -v /boot/efi
	fi

	# Copy the signed kernel into place
	cp -v "/boot/efi/EFI/Gentoo/bootx64.efi" "/boot/efi/EFI/Gentoo/bootx64.efi.old"
	cp -v "${LINUX_SOURCE}/arch/x86/boot/bzImage.signed" "/boot/efi/EFI/Gentoo/bootx64.efi"