Force usage of newest revocations at build time

Force shim to use the latest revocations by default to block some older grub / peimage issues. This is: "shim,4\ngrub,4\ngrub.peimage,2\n" This should work with the current released grub builds in all of buster, bullseye, bookwork and trixie/unstable. Let's not leave known security holes in the wild.
author: Steve McIntyre <steve@einval.com> 2024-05-03 14:46:24 +0100
committer: Steve McIntyre <steve@einval.com> 2024-05-03 14:46:24 +0100
commit: fe02ccbe5315f099ba9d951c79f63c5e3683a707 (patch)
tree: 9726351609bbc1b64fa7e640ee473856afcf6df0 /debian/rules
parent: 852a82665b61635649b281a6006c8ceb14b9fa97 (diff)
download: efi-boot-shim-fe02ccbe5315f099ba9d951c79f63c5e3683a707.tar.gz
efi-boot-shim-fe02ccbe5315f099ba9d951c79f63c5e3683a707.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/debian/rules b/debian/rules
index 39d0357e..5edabe1b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -48,6 +48,11 @@ COMMON_OPTIONS += \
 	CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
 	$(NULL)
 
+# Force shim to use the latest revocations by default to block some
+# older grub / peimage issues. This is:
+# "shim,4\ngrub,4\ngrub.peimage,2\n"
+COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900
+
 $(DBX_LIST): $(DBX_HASHES)
 	./debian/generate_dbx_list $(EFI_ARCH) $< $@
author	Steve McIntyre <steve@einval.com>	2024-05-03 14:46:24 +0100
committer	Steve McIntyre <steve@einval.com>	2024-05-03 14:46:24 +0100
commit	fe02ccbe5315f099ba9d951c79f63c5e3683a707 (patch)
tree	9726351609bbc1b64fa7e640ee473856afcf6df0 /debian/rules
parent	852a82665b61635649b281a6006c8ceb14b9fa97 (diff)
download	efi-boot-shim-fe02ccbe5315f099ba9d951c79f63c5e3683a707.tar.gz efi-boot-shim-fe02ccbe5315f099ba9d951c79f63c5e3683a707.zip