Replace ukify with objcopy for UKI creation to fix overlapping PE sections

- Replace ukify with manual objcopy implementation to avoid overlapping PE
  sections that cause "Boot may fail due to image memory corruption!" errors
- Extract UKI build logic into separate bash script (hack/uki/build-uki.sh)
  for better maintainability
- Calculate section offsets dynamically to ensure proper alignment
- Remove ukify dependency from build container, add binutils for objcopy
- Update documentation to reflect the change from ukify to objcopy

This resolves boot failures caused by memory corruption from overlapping
PE sections in the generated UKI files.

Author: MalteJ

docs/boot-image/uki.md

@@ -2,7 +2,8 @@ Unified Kernel Images
 =====================
 
 Have a look at the [Arch Documentation - Unified Kernel Images](https://wiki.archlinux.org/title/Unified_kernel_image).
-It also describes how to build a UKI with `objcopy` instead of `ukify`.
+
+FeOS uses `objcopy` to build UKIs instead of `ukify` to avoid overlapping PE sections that can cause boot failures. The UKI creation process dynamically calculates section offsets to ensure proper alignment and prevent memory corruption.
 
 ## Boot from USB Stick
 Booting FeOS from USB is quite easy. You just need to prepare a USB stick with a bootable UEFI partition and insert the FeOS UKI.

hack/build-container/Dockerfile

@@ -7,15 +7,15 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
     ninja-build \
     protobuf-compiler \
     libprotobuf-dev \
-    sbsigntool python3-pefile systemd-boot \
+    sbsigntool systemd-boot \
     musl-tools \
-    ca-certificates
+    ca-certificates \
+    binutils
 
 RUN cargo new xyz; cd xyz; cargo fetch; cd ..; rm -rf xyz
 RUN rustup component add clippy
 RUN rustup component add rustfmt
 RUN rustup target add x86_64-unknown-linux-musl
 RUN mkdir /feos
 RUN mkdir /target
-RUN wget https://raw.githubusercontent.com/systemd/systemd/main/src/ukify/ukify.py -O /usr/bin/ukify && chmod +x /usr/bin/ukify
 WORKDIR /feos

hack/uki/build-uki.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+echo "Building UKI with objcopy..."
+
+# Calculate section alignment from systemd stub
+echo "Calculating section offsets..."
+align="$(objdump -p /usr/lib/systemd/boot/efi/linuxx64.efi.stub | awk '/SectionAlignment/ {print $2}')"
+align_dec=$((16#$align))
+echo "Section alignment: $align ($align_dec bytes)"
+
+# Calculate the end of the systemd stub to determine where our sections can start
+stub_size="$(objdump -h /usr/lib/systemd/boot/efi/linuxx64.efi.stub | tail -n +2 | awk '{if(NF==7) {size=$3; offset=$4; printf "%d\n", ("0x" size) + ("0x" offset)}}' | sort -n | tail -1)"
+
+# Calculate properly aligned offsets for each section
+osrel_offs=$((stub_size + align_dec - stub_size % align_dec))
+cmdline_offs=$((osrel_offs + $(stat -Lc%s "/usr/lib/os-release")))
+cmdline_offs=$((cmdline_offs + align_dec - cmdline_offs % align_dec))
+initrd_offs=$((cmdline_offs + $(stat -Lc%s "/feos/target/cmdline")))
+initrd_offs=$((initrd_offs + align_dec - initrd_offs % align_dec))
+linux_offs=$((initrd_offs + $(stat -Lc%s "/feos/target/initramfs.zst")))
+linux_offs=$((linux_offs + align_dec - linux_offs % align_dec))
+
+echo "Calculated offsets:"
+echo "  .osrel:   0x$(printf %x $osrel_offs)"
+echo "  .cmdline: 0x$(printf %x $cmdline_offs)"
+echo "  .initrd:  0x$(printf %x $initrd_offs)" 
+echo "  .linux:   0x$(printf %x $linux_offs)"
+
+# Create UKI using objcopy with calculated offsets
+echo "Creating UKI with objcopy..."
+objcopy \
+    --add-section .osrel=/feos/hack/uki/os-release.txt \
+    --change-section-vma .osrel=$(printf 0x%x $osrel_offs) \
+    --add-section .cmdline=/feos/target/cmdline \
+    --change-section-vma .cmdline=$(printf 0x%x $cmdline_offs) \
+    --add-section .initrd=/feos/target/initramfs.zst \
+    --change-section-vma .initrd=$(printf 0x%x $initrd_offs) \
+    --add-section .linux=/feos/target/kernel/vmlinuz \
+    --change-section-vma .linux=$(printf 0x%x $linux_offs) \
+    /usr/lib/systemd/boot/efi/linuxx64.efi.stub /feos/target/uki.efi
+
+# Sign the UKI with secureboot key
+echo "Signing UKI with secureboot key..."
+sbsign \
+    --key /feos/keys/secureboot.key \
+    --cert /feos/keys/secureboot.pem \
+    --output /feos/target/uki.efi \
+    /feos/target/uki.efi
+
+echo "UKI created successfully at target/uki.efi" 

hack/uki/make.mk

@@ -7,11 +7,4 @@ keys:
 	openssl x509 -in keys/secureboot.pem -out keys/secureboot.der -outform DER
 
 uki: keys
-	docker run --rm -u $${UID} -v "`pwd`:/feos" feos-builder ukify build \
-	  --os-release @/feos/hack/uki/os-release.txt \
-	  --linux /feos/target/kernel/vmlinuz \
-	  --initrd /feos/target/initramfs.zst \
-	  --cmdline @/feos/target/cmdline \
-	  --secureboot-private-key /feos/keys/secureboot.key \
-	  --secureboot-certificate /feos/keys/secureboot.pem \
-	  --output /feos/target/uki.efi
+	docker run --rm -u $${UID} -v "`pwd`:/feos" feos-builder /feos/hack/uki/build-uki.sh