-rw-r--r--Make.defaults3
-rw-r--r--include/sbat_var_defs.h33
2 files changed, 31 insertions, 5 deletions
diff --git a/Make.defaults b/Make.defaults
index 9af89f4e..e75cd3cd 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -188,6 +188,9 @@ endif
ifneq ($(origin VENDOR_DBX_FILE), undefined)
DEFINES += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
endif
+ifneq ($(origin SBAT_AUTOMATIC_DATE), undefined)
+DEFINES += -DSBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE)
+endif
LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
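Review bot: The new `ifneq ($(origin SBAT_AUTOMATIC_DATE), undefined)` test is also true when the variable comes from the environment, so an exported `SBAT_AUTOMATIC_DATE` left over in a build environment changes which revocations the resulting shim applies automatically, with nothing in the build output to show it. The knob is also undocumented here, although it controls a security-relevant default. I would add a comment above the block such as `# SBAT_AUTOMATIC_DATE: datestamp of the revocation set applied automatically; must be one of the values handled in include/sbat_var_defs.h`, and print the selection with `$(info SBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE))` inside the conditional. The value is also passed to `-D` unquoted, so it should stay a bare integer.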
diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
index bd54cf5d..f8cba029 100644
--- a/include/sbat_var_defs.h
+++ b/include/sbat_var_defs.h
@@ -3,6 +3,9 @@
#ifndef SBAT_VAR_DEFS_H_
#define SBAT_VAR_DEFS_H_
+#define QUOTEVAL(s) QUOTE(s)
+#define QUOTE(s) #s
+
/*
* This is the entry for the sbat data format
*/
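Review bot: `QUOTEVAL` and `QUOTE` are very generic names to define without a guard in a header that other translation units include, and nothing explains why there are two of them. A short comment would help, for example `/* two-level expansion so the argument is macro-expanded before it is stringified */`. Prefixing the names (`SBAT_QUOTEVAL`, `SBAT_QUOTE`) or wrapping them in `#ifndef` would avoid a redefinition clash if another header in the tree ever defines the same helpers.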
@@ -23,14 +26,34 @@
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
SBAT_VAR_LATEST_REVOCATIONS
#else /* !ENABLE_SHIM_DEVEL */
+
/*
- * At this point we do not want shim to automatically apply a
- * revocation unless it is delivered by a separately installed
- * signed revocations binary.
+ * Some distros may want to apply revocations from 2022052400
+ * or 2022111500 automatically. They can be selected by setting
+ * SBAT_AUTOMATIC_DATE=<datestamp> at build time. Otherwise the
+ * default is to apply the second to most recent revocations
+ * automatically. Distros that need to manage automatic updates
+ * externally from shim can choose the epoch 2021030218 emtpy
+ * revocations.
*/
-#define SBAT_VAR_AUTOMATIC_DATE "2021030218"
+#ifndef SBAT_AUTOMATIC_DATE
+#define SBAT_AUTOMATIC_DATE 2023012900
+#endif /* SBAT_AUTOMATIC_DATE */
+#if SBAT_AUTOMATIC_DATE == 2021030218
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS
+#elif SBAT_AUTOMATIC_DATE == 2022052400
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "grub,2\n"
+#elif SBAT_AUTOMATIC_DATE == 2022111500
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
+#elif SBAT_AUTOMATIC_DATE == 2023012900
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
+#else
+#error "Unknown SBAT_AUTOMATIC_DATE"
+#endif /* SBAT_AUTOMATIC_DATE == */
+#define SBAT_VAR_AUTOMATIC_DATE QUOTEVAL(SBAT_AUTOMATIC_DATE)
#define SBAT_VAR_AUTOMATIC \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE "\n"
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE "\n" \
+ SBAT_VAR_AUTOMATIC_REVOCATIONS
/*
* Revocations for January 2024 shim CVEs
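Review bot: The comment says the default is "the second to most recent revocations", but the fallback is the literal `#define SBAT_AUTOMATIC_DATE 2023012900` and nothing ties it to `SBAT_VAR_LATEST_DATE`. When a newer revocation set is added, the automatic level will therefore fall behind unless someone remembers to edit this line. I would say so next to the define, e.g. `/* bump together with SBAT_VAR_LATEST_DATE when a new revocation set is published */`. The comment should also state plainly that `2021030218` makes shim apply no revocations on its own. The `#elif` strings are hand-copied and presumably have to match the published list for each date exactly, so a note on where they come from would help the next reviewer check them. The comment has a typo ("emtpy"), and the comment block that opens at the end of this hunk continues outside it.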