authorSteve McIntyre <steve@einval.com>2023-01-30 18:15:36 +0000
committerPeter Jones <pjones@redhat.com>2023-05-02 14:09:52 -0400
commitcca3933f48e3a52863322f358c2e8cb8ea80bd57 (patch)
treed1ab5f1b6e8ec3b8d88475de3caea85169520a4a /include
parentaae3df086a22aa1727889199f730b9d5dc9de78c (diff)
Block Debian grub binaries with SBAT < 4
(See https://bugs.debian.org/1024617) One of the Debian builds of grub bumped the SBAT to 3, but didn't include the patches needed. Add "grub.debian,4" to block those binaries. Signed-off-by: Steve McIntyre <steve@einval.com>
Diffstat (limited to 'include')
-rw-r--r--include/sbat_var_defs.h8
1 files changed, 6 insertions, 2 deletions
diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
index 6b01573e..5b1a764f 100644
--- a/include/sbat_var_defs.h
+++ b/include/sbat_var_defs.h
@@ -35,8 +35,12 @@
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
SBAT_VAR_PREVIOUS_REVOCATIONS
-#define SBAT_VAR_LATEST_DATE "2022111500"
-#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\n"
+/*
+ * Debian's grub.3 update was broken - some binaries included the SBAT
+ * data update but not the security patches :-(
+ */
+#define SBAT_VAR_LATEST_DATE "2023012900"
+#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
#define SBAT_VAR_LATEST \
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
SBAT_VAR_LATEST_REVOCATIONS
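Review bot: The comment added above `SBAT_VAR_LATEST_DATE` does not say what the new `grub.debian,4` entry enforces, and "grub.3" can be misread as a component name rather than generation 3 of `grub`. I would reword it along the lines of `/* Some Debian grub builds claimed grub,3 without the matching security patches (https://bugs.debian.org/1024617); grub.debian,4 rejects any binary whose grub.debian generation is below 4. */` so the revocation's scope and its bug reference live next to the data. Separately, only `SBAT_VAR_LATEST_REVOCATIONS` changes here; `SBAT_VAR_PREVIOUS_REVOCATIONS` is context whose value is defined outside the hunk, so systems that apply the previous revocation level presumably still accept the affected binaries. It is worth confirming that this is intended, and saying so in the comment. The bumped date `2023012900` is later than the old `2022111500`, which looks right if the variable is only replaced when the date is newer.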