Block Debian grub binaries with sbat < 4 (see #1024617)

3 files changed, 22 insertions, 1 deletions

diff --git a/debian/changelog b/debian/changelog
index edc61f41..290bfe4c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,8 +7,9 @@ shim (15.7-1) UNRELEASED; urgency=medium
   * Update to Standards-Version 4.6.2 (no changes needed)
   * Enable NX support at build time, as required by policy for signing
     new shim binaries.
+  * Block Debian grub binaries with sbat < 4 (see #1024617)
 
- -- Steve McIntyre <93sam@debian.org>  Sun, 22 Jan 2023 13:12:14 +0000
+ -- Steve McIntyre <93sam@debian.org>  Sun, 29 Jan 2023 23:34:40 +0000
 
 shim (15.6-1) unstable; urgency=medium
 
diff --git a/debian/patches/block-grub-sbat3-debian.patch b/debian/patches/block-grub-sbat3-debian.patch
new file mode 100644
index 00000000..4b0aa39a
--- /dev/null
+++ b/debian/patches/block-grub-sbat3-debian.patch
@@ -0,0 +1,19 @@
+diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
+index 6b01573e..5b1a764f 100644
+--- a/include/sbat_var_defs.h
++++ b/include/sbat_var_defs.h
+@@ -35,8 +35,12 @@
+ 	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
+ 	SBAT_VAR_PREVIOUS_REVOCATIONS
+ 
+-#define SBAT_VAR_LATEST_DATE "2022111500"
+-#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\n"
++/*
++ * Debian's grub.3 update was broken - some binaries included the SBAT
++ * data update but not the security patches :-(
++ */
++#define SBAT_VAR_LATEST_DATE "2023012900"
++#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
+ #define SBAT_VAR_LATEST \
+ 	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+ 	SBAT_VAR_LATEST_REVOCATIONS
diff --git a/debian/patches/series b/debian/patches/series
index b3ddfc8f..683d1b90 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch
 Enable-NX.patch
+block-grub-sbat3-debian.patch