diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
new file mode 100644
index 00000000000..bc450dbc428
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+msg() {
+	echo "EFI sbsign hook: $1"
+}
+
+. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
+if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
+	exit 0
+fi
+
+if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+	msg "key and/or certificate is not available"
+	exit 1
+fi
+
+key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
+
+# check if go=00 owner=0
+if [ "${key_stat}" = "${key_stat%00 0}" ]; then
+	msg "Please  chown root:root '${EFI_KEY_FILE}'"
+	msg "and     chmod go-rwx '${EFI_KEY_FILE}'"
+	exit 1
+fi
+
+# this part is completely untested
+options=""
+if [ "x${EFI_SIGN_ENGINE}" != x ]; then
+	options="--engine=${EFI_SIGN_ENGINE}"
+fi
+
+if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
+	"/boot/vmlinuz-${VERSION}"; then
+	msg "failed to sign kernel"
+	exit 1
+fi
+
+if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
+	msg "failed to verify the signature"
+	exit 1
+fi
+
+if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+	mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
+fi
+mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
diff --git a/srcpkgs/sbsigntool/files/sbsigntool-kernel-hook.conf b/srcpkgs/sbsigntool/files/sbsigntool-kernel-hook.conf
new file mode 100644
index 00000000000..667661bb5ff
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/sbsigntool-kernel-hook.conf
@@ -0,0 +1,21 @@
+# Options for kernel hook script installed by the sbsigntool package
+
+# set this option to 1 to sign the kernel with default hook
+SBSIGN_EFI_KERNEL=0
+
+# The key and certificate to sign
+#
+# sbsigntool will only sign if `EFI_KEY_FILE':
+#  - owner: root
+#  - permission: 0*00
+EFI_KEY_FILE=/etc/efikeys/db.key
+EFI_CERT_FILE=/etc/efikeys/db.crt
+
+# set to 1 to keep the unsigned backup
+EFI_KEEP_UNSIGNED=0
+
+# OpenSSL/LibreSSL engine to load the key
+# Completely untested, but here is your option
+# See `efi-updatevar', `sbsign', and `sbvarsign'
+# Don't uncomment this option unless you know what you're doing
+# EFI_SIGN_ENGINE=
diff --git a/srcpkgs/sbsigntool/patches/Align-signature-data-to-8-bytes.patch b/srcpkgs/sbsigntool/patches/Align-signature-data-to-8-bytes.patch
new file mode 100644
index 00000000000..4cd5ec99168
--- /dev/null
+++ b/srcpkgs/sbsigntool/patches/Align-signature-data-to-8-bytes.patch
@@ -0,0 +1,26 @@
+From 8b6b7a9904881757254b92a928b95dfb8634605b Mon Sep 17 00:00:00 2001
+From: Steve Langasek <steve.langasek@canonical.com>
+Date: Fri, 12 Oct 2012 16:27:13 -0700
+Subject: [PATCH] Align signature data to 8 bytes
+
+Before appending the signature data to our binary, pad the file out to
+8-byte alignment.  This matches the Microsoft signing implementation, which
+enables us to use sbattach to verify the integrity of the binaries returned
+by the SysDev signing service.
+---
+ src/image.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: sbsigntool/src/image.c
+===================================================================
+--- sbsigntool.orig/src/image.c
++++ sbsigntool/src/image.c
+@@ -495,6 +495,8 @@ reparse:
+ 	 * we've calculated during the pecoff parsing, so we need to redo that
+ 	 * too.
+ 	 */
++	image->data_size = align_up(image->data_size, 8);
++
+ 	if (image->data_size > image->size) {
+ 		image->buf = talloc_realloc(image, image->buf, uint8_t,
+ 				image->data_size);
diff --git a/srcpkgs/sbsigntool/patches/libressl.patch b/srcpkgs/sbsigntool/patches/libressl.patch
new file mode 100644
index 00000000000..e64533d43cd
--- /dev/null
+++ b/srcpkgs/sbsigntool/patches/libressl.patch
@@ -0,0 +1,11 @@
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -56,7 +56,7 @@
+ #include <openssl/pem.h>
+ #include <openssl/x509v3.h>
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+ #define X509_OBJECT_get_type(obj) ((obj)->type)
+ #define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
diff --git a/srcpkgs/sbsigntool/patches/sbsign_check_write_return.patch b/srcpkgs/sbsigntool/patches/sbsign_check_write_return.patch
new file mode 100644
index 00000000000..efe9a06b6c2
--- /dev/null
+++ b/srcpkgs/sbsigntool/patches/sbsign_check_write_return.patch
@@ -0,0 +1,52 @@
+Index: sbsigntool/src/sbsign.c
+===================================================================
+--- sbsigntool.orig/src/sbsign.c
++++ sbsigntool/src/sbsign.c
+@@ -242,12 +242,12 @@ int main(int argc, char **argv)
+ 
+ 		for (i = 0; !image_get_signature(ctx->image, i, &buf, &len); i++)
+ 			;
+-		image_write_detached(ctx->image, i - 1, ctx->outfilename);
++		rc = image_write_detached(ctx->image, i - 1, ctx->outfilename);
+ 	} else
+-		image_write(ctx->image, ctx->outfilename);
++		rc = image_write(ctx->image, ctx->outfilename);
+ 
+ 	talloc_free(ctx);
+ 
+-	return EXIT_SUCCESS;
++	return (rc == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+ }
+ 
+Index: sbsigntool/src/fileio.c
+===================================================================
+--- sbsigntool.orig/src/fileio.c
++++ sbsigntool/src/fileio.c
+@@ -201,12 +201,12 @@ int fileio_write_file(const char *filena
+ 
+ 	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ 	if (fd < 0) {
+-		perror("open");
++		perror("fileio_write_file/open");
+ 		return -1;
+ 	}
+ 
+ 	if (!write_all(fd, buf, len)) {
+-		perror("write_all");
++		perror("fileio_write_file/write_all");
+ 		close(fd);
+ 		return -1;
+ 	}
+Index: sbsigntool/src/image.c
+===================================================================
+--- sbsigntool.orig/src/image.c
++++ sbsigntool/src/image.c
+@@ -658,7 +658,7 @@ int image_write(struct image *image, con
+ 
+ 	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ 	if (fd < 0) {
+-		perror("open");
++		perror("image_write/open");
+ 		return -1;
+ 	}
+ 
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
new file mode 100644
index 00000000000..30cf2414f0a
--- /dev/null
+++ b/srcpkgs/sbsigntool/template
@@ -0,0 +1,47 @@
+# Template file for 'sbsigntool'
+pkgname=sbsigntool
+version=0.9.2
+revision=1
+build_style=gnu-configure
+hostmakedepends="autoconf automake pkg-config"
+makedepends="binutils-devel libressl-devel libuuid-devel gnu-efi-libs"
+short_desc="Signing utility for UEFI secure boot"
+maintainer="Đoàn Trần Công Danh <congdanhqx@gmail.com>"
+license="GPL-3.0-or-later"
+homepage="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/"
+distfiles="${DEBIAN_SITE}/main/s/${pkgname}/${pkgname}_${version}.orig.tar.gz"
+checksum=1dc1e1de5f2dda50dbd2e6a83355fe7ae38ca0f79daeb404026421af70606653
+patch_args="-Np1"
+
+if [ ! "$CROSS_BUILD" ]; then
+	hostmakedepends+=" help2man"
+fi
+
+pre_patch() {
+	[ ! "$CROSS_BUILD" ] && return
+
+	case "${XBPS_TARGET_MACHINE}" in
+		arm*) _ARCH=arm ;;
+		i686*) _ARCH=ia32 ;;
+		*) _ARCH="${XBPS_TARGET_MACHINE%-musl}" ;;
+	esac
+	sed -i -e "/^EFI_ARCH=/s/=.*/=${_ARCH}/" \
+		-e "s,^\(for path in\).*;,\1 ${XBPS_CROSS_BASE}/usr/lib ;," \
+		-e "/^EFI_CPPFLAGS=/s,I\(/usr/include\),I${XBPS_CROSS_BASE}\1,g" \
+		configure.ac
+	sed -i -e "/^man/s/=.*/=/" docs/Makefile.am
+}
+
+pre_configure() {
+	autoreconf -i
+}
+
+post_install() {
+	vmkdir etc/
+	vinstall "${FILESDIR}/sbsigntool-kernel-hook.conf" 644 \
+		etc/default sbsigntool-kernel-hook
+	# grub is 50, I don't use grub
+	# and I'm not sure about their interaction
+	vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
+		etc/kernel.d/post-install 40-sbsigntool
+}