ukify: use empty stub for addons

Instead of picking up sd-stub, which is runnable, add an empty
addon stub that just returns an error if executed

src/boot/efi/addon.c

@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "efi.h"
+
+/* Magic string for recognizing our own binaries */
+_used_ _section_(".sdmagic") static const char magic[] =
+        "#### LoaderInfo: systemd-addon " GIT_VERSION " ####";
+
+/* This is intended to carry data, not to be executed */
+
+EFIAPI EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *system_table);
+EFIAPI EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *system_table) {
+    return EFI_UNSUPPORTED;
+}

src/boot/efi/meson.build

@@ -259,6 +259,10 @@ stub_sources = files(
         'stub.c',
 )
 
+addon_sources = files(
+        'addon.c',
+)
+
 if get_option('b_sanitize') == 'undefined'
         libefi_sources += files('ubsan.c')
 endif
@@ -328,12 +332,27 @@ foreach archspec : efi_archspecs
                 override_options : efi_override_options,
                 name_suffix : 'elf.stub',
                 pie : true)
+
+        efi_elf_binaries += executable(
+                'addon' + archspec['arch'],
+                addon_sources,
+                include_directories : efi_includes,
+                c_args : archspec['c_args'],
+                link_args : archspec['link_args'],
+                link_depends : elf2efi_lds,
+                gnu_symbol_visibility : 'hidden',
+                override_options : efi_override_options,
+                name_suffix : 'elf.stub',
+                pie : true)
 endforeach
 
 foreach efi_elf_binary : efi_elf_binaries
         # FIXME: Use build_tgt.name() with meson >= 0.54.0
         name = fs.name(efi_elf_binary.full_path()).split('.')[0]
-        name += name.startswith('linux') ? '.efi.stub' : '.efi'
+        name += name.startswith('systemd-boot') ? '.efi' : '.efi.stub'
+        # For the addon, given it's empty, we need to explicitly reserve space in the header to account for
+        # the sections that ukify will add.
+        minimum_sections = name.startswith('addon') ? '7' : '0'
         exe = custom_target(
                 name,
                 output : name,
@@ -348,6 +367,7 @@ foreach efi_elf_binary : efi_elf_binaries
                         '--efi-major=1',
                         '--efi-minor=1',
                         '--subsystem=10',
+                        '--minimum-sections=' + minimum_sections,
                         '@INPUT@',
                         '@OUTPUT@',
                 ])

src/ukify/ukify.py

@@ -1141,7 +1141,10 @@ def finalize_options(opts):
         opts.efi_arch = guess_efi_arch()
 
     if opts.stub is None:
-        opts.stub = pathlib.Path(f'/usr/lib/systemd/boot/efi/linux{opts.efi_arch}.efi.stub')
+        if opts.linux is not None:
+            opts.stub = pathlib.Path(f'/usr/lib/systemd/boot/efi/linux{opts.efi_arch}.efi.stub')
+        else:
+            opts.stub = pathlib.Path(f'/usr/lib/systemd/boot/efi/addon{opts.efi_arch}.efi.stub')
 
     if opts.signing_engine is None:
         if opts.sb_key: