Force usage of newest revocations at build time
authorSteve McIntyre <steve@einval.com>
Fri, 3 May 2024 13:46:24 +0000 (14:46 +0100)
committerSteve McIntyre <steve@einval.com>
Fri, 3 May 2024 15:06:30 +0000 (16:06 +0100)
Force shim to use the latest revocations by default to block some
older grub / peimage issues. This is:

"shim,4\ngrub,4\ngrub.peimage,2\n"

This should work with the current released grub builds in all of
buster, bullseye, bookworm and trixie/unstable. Let's not leave known
security holes in the wild.

debian/changelog
debian/rules

index eaeec3703cd6d27e54a00ded78b07b2f1a572106..d3dd34227f948d369a53540707d6f406ff294a10 100644 (file)
@@ -14,6 +14,10 @@ shim (15.8-1) UNRELEASED; urgency=medium
     + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
     + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
   * Log if the build is nx-compatible or not
+  * Force shim to use the latest revocations by default to block some
+    older grub / peimage issues. This is:
+    "shim,4\ngrub,4\ngrub.peimage,2\n"
+
 
   [ Bastien Roucariès ]
   * Port autopkgtest from ubuntu
index 39d0357efcb63306d03ff1435c45d3358d7c3f75..5edabe1b618dd5e1114da51581c1129d17dc9530 100755 (executable)
@@ -48,6 +48,11 @@ COMMON_OPTIONS += \
        CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
        $(NULL)
 
+# Force shim to use the latest revocations by default to block some
+# older grub / peimage issues. This is:
+# "shim,4\ngrub,4\ngrub.peimage,2\n"
+COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900
+
 $(DBX_LIST): $(DBX_HASHES)
        ./debian/generate_dbx_list $(EFI_ARCH) $< $@
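Review bot: The comment above `COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900` states the resulting revocation list, but the only thing the rules file actually pins is a date key, and nothing in this hunk ties 2024010900 to `shim,4\ngrub,4\ngrub.peimage,2\n`; the mapping presumably lives in the patched shim sources (patches 0001/0002 listed in the changelog hunk), so a later bump of that date upstream or in the patch series would silently change what this line enforces. I would extend the comment to say that the date is a lookup key, not the policy itself, e.g. `# SBAT_AUTOMATIC_DATE is a key into shim's revocation table; keep it equal to the 'latest' date set by the 0002 patch, otherwise the automatic set silently differs from the list above.` Since this raises the default SbatLevel policy to grub generation 4, it is also worth stating in that comment that any grub on the same machine signed with a lower SBAT grub generation will stop booting once shim applies the update — the description covers Debian's own releases but not third-party or dual-boot media. The `$(DBX_LIST)` rule that follows continues outside the hunk.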