Generate signed Unified Kernel Images
This tool was originally developed by Andrey Vihrov and has since been rewritten as a mkinitcpio post hook by YHNdnzj.
$ aur_helper -S sbupdate-mkinitcpio
Various ways of generating Secure Boot keys can be found on ArchWiki, the simplest of which is to use sbkeys:
# mkdir -m 0700 /etc/efi-keys
# cd /etc/efi-keys
# sbkeys
/etc/efi-keys is the default location used by sbupdate to search for Secure Boot keys. This can be changed in /etc/sbupdate.conf through the KEY_DIR setting.
sbupdate is a mkinitcpio post hook, so it automatically retrieves the kernel image and initramfs locations.
However, you need to configure which kernels to generate UKIs for, as well as the kernel parameters. All available settings are listed in /etc/sbupdate.conf with examples.
sbupdate uses bootctl --print-boot-path to acquire the mountpoint of the EFI System Partition or XBOOTLDR. This shouldn't need manual configuration.
This is an extra function provided by sbupdate besides generating UKIs.
A list of extra EFI binaries can be provided for sbupdate to sign using the configured Secure Boot keys.
A systemd.path(5) unit is also enabled to trigger re-signing when the binaries get modified.
# mkinitcpio -P
And confirm that the UKIs have been put in place as configured by UKI_DIR 😉
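A stricter version of that final check, as an added example that is not part of sbupdate: it runs sbverify (from sbsigntools) over every .efi file in a directory and fails if any of them does not verify against the given certificate. The certificate file name DB.crt in the usage comment and the SBVERIFY override variable are assumptions of this example.

```sh
#!/bin/sh
# Added example, not sbupdate's own code.
# Checks that each *.efi file in a directory carries a signature that
# verifies against one certificate, using sbverify from sbsigntools.

# Verifier command; overridable (assumption of this example) so the
# function can be exercised on a machine without sbsigntools.
SBVERIFY=${SBVERIFY:-sbverify}

# check_uki_signatures CERT DIR
#   prints "OK <file>" or "FAILED <file>" for every DIR/*.efi
#   exit status: 0 all verified, 1 at least one failed,
#                2 certificate unreadable, 3 no .efi files found
# The body is a subshell "( ... )" so its variables stay private and
# "exit" only ends the function, not the calling shell.
check_uki_signatures() (
    cert=$1
    dir=$2
    rc=0
    found=0

    [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; exit 2; }

    for f in "$dir"/*.efi; do
        [ -e "$f" ] || continue   # glob matched nothing
        found=1
        if "$SBVERIFY" --cert "$cert" "$f" >/dev/null 2>&1; then
            echo "OK      $f"
        else
            echo "FAILED  $f"
            rc=1
        fi
    done

    # An empty directory is reported as an error, not as success:
    # it usually means UKI_DIR points somewhere other than expected.
    [ "$found" -eq 1 ] || { echo "no .efi files in $dir" >&2; exit 3; }
    exit "$rc"
)

# Usage (DB.crt is an assumed file name; pass your own UKI_DIR value):
#   check_uki_signatures /etc/efi-keys/DB.crt "$UKI_DIR"
```

A FAILED line after `mkinitcpio -P` means the image was written but would be rejected by firmware enforcing Secure Boot with that certificate enrolled.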