Diffstat (limited to 'debian/patches')
4 files changed, 46 insertions, 91 deletions
diff --git a/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch b/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
deleted file mode 100644
index 25977c16..00000000
--- a/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 63edf92f8ae11b884bc7d24aecb8229cbc4ae014 Mon Sep 17 00:00:00 2001
-From: Julian Andres Klode <julian.klode@canonical.com>
-Date: Fri, 5 Apr 2024 21:57:07 +0200
-Subject: [PATCH 1/2] sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
-
-Add the previous latest level to the switch for automatic.
-
-Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
---
- include/sbat_var_defs.h | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
-index f8cba029..04d708f2 100644
---- a/include/sbat_var_defs.h
-+++ b/include/sbat_var_defs.h
-@@ -47,6 +47,8 @@
- #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
- #elif SBAT_AUTOMATIC_DATE == 2023012900
- #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
-+#elif SBAT_AUTOMATIC_DATE == 2024010900
-+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
- #else
- #error "Unknown SBAT_AUTOMATIC_DATE"
- #endif /* SBAT_AUTOMATIC_DATE == */
-@@ -56,10 +58,10 @@
- SBAT_VAR_AUTOMATIC_REVOCATIONS
-
- /*
-- * Revocations for January 2024 shim CVEs
-+ * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
- */
--#define SBAT_VAR_LATEST_DATE "2024010900"
--#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
-+#define SBAT_VAR_LATEST_DATE "2024040500"
-+#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
- #define SBAT_VAR_LATEST \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
- SBAT_VAR_LATEST_REVOCATIONS
---
-2.39.2
-
diff --git a/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch b/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
deleted file mode 100644
index f1c3028d..00000000
--- a/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 3e1394e8e6fd0071a69196230f991612a960c154 Mon Sep 17 00:00:00 2001
-From: Julian Andres Klode <julian.klode@canonical.com>
-Date: Tue, 9 Apr 2024 18:55:12 +0200
-Subject: [PATCH 2/2] sbat: Also bump latest for grub,4 (and to todays date)
-
-Back in January we decided to bump the SBAT level for the shim
-CVE without bumping the grub level for the previous NTFS issues
-- CVE-2023-4692 CVE-2023-4693 - as not every vendor was signing
-the ntfs module.
-
-Catch up on this revocation to ensure it doesn't get lost. Doing
-so also allows us to remove the grub.debian,4 revocation as this
-happened before grub,4 and hence is obsolete.
-
-Also bump the date of the sbat variable to today's. Don't copy
-the April 5 one to a previous selection, as it wasn't shipped
-to anyone.
-
-Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
---
- include/sbat_var_defs.h | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
-index 04d708f2..5c7115b9 100644
---- a/include/sbat_var_defs.h
-+++ b/include/sbat_var_defs.h
-@@ -58,10 +58,13 @@
- SBAT_VAR_AUTOMATIC_REVOCATIONS
-
- /*
-- * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
-+ * Revocations for:
-+ * - January 2024 shim CVEs
-+ * - October 2023 grub CVEs
-+ * - Debian/Ubuntu (peimage) CVE-2024-2312
- */
--#define SBAT_VAR_LATEST_DATE "2024040500"
--#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
-+#define SBAT_VAR_LATEST_DATE "2024040900"
-+#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,4\ngrub.peimage,2\n"
- #define SBAT_VAR_LATEST \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
- SBAT_VAR_LATEST_REVOCATIONS
---
-2.39.2
-
diff --git a/debian/patches/series b/debian/patches/series
index 01fd2987..439fbe12 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
-0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
-0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
+test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch
diff --git a/debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch b/debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch
new file mode 100644
index 00000000..3ca5b967
--- /dev/null
+++ b/debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch
@@ -0,0 +1,45 @@
+From: =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
+Date: Mon, 24 Mar 2025 12:58:56 +0100
+Subject: test-mock-variables: explicitly skip CONFIG_ONLY vars
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+otherwise we might pass invalid pointers to load_variables and cause
+segfaults in test cases.
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+Submitted upstream: https://github.com/rhboot/shim/pull/739/
+
+ test-mock-variables.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/test-mock-variables.c b/test-mock-variables.c
+index f869300..dd4a9eb 100644
+--- a/test-mock-variables.c
++++ b/test-mock-variables.c
+@@ -212,8 +212,10 @@ test_gnvn_helper(char *testvars)
+ * mok mirroring that aren't really from mok; right now
+ * this is a reasonable heuristic for that.
+ */
+- if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
++ if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY) {
++ mok_rt_vars[i] = "";
+ continue;
++ }
+ mok_rt_vars[i] = mok_state_variables[i].rtname8;
+ }
+
+@@ -313,8 +315,10 @@ test_get_variable_0(void)
+ * mok mirroring that aren't really from mok; right now
+ * this is a reasonable heuristic for that.
+ */
+- if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
++ if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY) {
++ mok_rt_vars[i] = "";
+ continue;
++ }
+ mok_rt_vars[i] = mok_state_variables[i].rtname8;
+ }
+
|
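Review bot: The new `mok_rt_vars[i] = "";` lines in both inner hunks (test_gnvn_helper at @@ -212 and test_get_variable_0 at @@ -313) give no hint why an empty string, rather than NULL or a skipped slot, is the value load_variables must see for a CONFIG_ONLY entry; the patch description only says that invalid pointers otherwise reach load_variables, which suggests the slot was presumably left uninitialised before. A one-line comment such as `/* CONFIG_ONLY vars have no runtime name; fill the slot so load_variables never reads garbage */` above the assignment would make the contract explicit, and whether load_variables treats "" as "no such variable" or attempts a lookup cannot be confirmed from the hunk, so that should be checked against its definition. The two loops are now byte-identical, so a small static helper that populates mok_rt_vars from mok_state_variables would keep the copies from drifting apart. Both enclosing for loops start outside the inner hunks.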