| author | Steve McIntyre <steve@einval.com> | 2024-05-03 14:46:24 +0100 |
|---|---|---|
| committer | Steve McIntyre <steve@einval.com> | 2024-05-03 14:46:24 +0100 |
| commit | fe02ccbe5315f099ba9d951c79f63c5e3683a707 (patch) | |
| tree | 9726351609bbc1b64fa7e640ee473856afcf6df0 | |
| parent | 852a82665b61635649b281a6006c8ceb14b9fa97 (diff) | |
Force usage of newest revocations at build time
Force shim to use the latest revocations by default to block some
older grub / peimage issues. This is:
"shim,4\ngrub,4\ngrub.peimage,2\n"
This should work with the current released grub builds in all of
buster, bullseye, bookworm and trixie/unstable. Let's not leave known
security holes in the wild.
| -rw-r--r-- | debian/changelog | 4 |
| -rwxr-xr-x | debian/rules | 5 |
2 files changed, 9 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 8f0d7025..d0f5fcf7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -17,6 +17,10 @@ shim (15.8-1) UNRELEASED; urgency=medium + Debian kernels are no longer signed for i386, it's time to stop supporting i386 SB. * Log if the build is nx-compatible or not + * Force shim to use the latest revocations by default to block some + older grub / peimage issues. This is: + "shim,4\ngrub,4\ngrub.peimage,2\n" + [ Bastien Roucariès ] * Port autopkgtest from ubuntu diff --git a/debian/rules b/debian/rules index 39d0357e..5edabe1b 100755 --- a/debian/rules +++ b/debian/rules @@ -48,6 +48,11 @@ COMMON_OPTIONS += \ CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \ $(NULL) +# Force shim to use the latest revocations by default to block some +# older grub / peimage issues. This is: +# "shim,4\ngrub,4\ngrub.peimage,2\n" +COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900 + $(DBX_LIST): $(DBX_HASHES) ./debian/generate_dbx_list $(EFI_ARCH) $< $@ |
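Review bot: in the debian/changelog hunk, the new entry quotes the revocation string but not the setting that produces it, and "latest" stops being accurate as soon as newer revocations are published. Suggest naming the option and value in the entry itself (SBAT_AUTOMATIC_DATE=2024010900, as set in debian/rules) and carrying over the commit message's statement about which grub builds (buster, bullseye, bookworm, trixie/unstable) are expected to keep booting, since that is the upgrade risk a changelog reader needs to see.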
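Review bot: in the debian/rules hunk, the comment promises the levels "shim,4\ngrub,4\ngrub.peimage,2\n", but the only thing the build receives is `COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900`, and nothing visible here ties that date to those three entries or checks the result. A mistyped date, or a change in what that date maps to, would leave the comment and the built binary disagreeing with no build failure. Suggest adding a build-time or autopkgtest check that the automatic SBAT level embedded in the built shim equals the quoted string, and rewording "latest" to say the level is pinned to 2024010900 and has to be bumped by hand when newer revocations appear.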
