1 files changed, 42 insertions, 0 deletions

diff --git a/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch b/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
new file mode 100644
index 00000000..25977c16
--- /dev/null
+++ b/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
@@ -0,0 +1,42 @@
+From 63edf92f8ae11b884bc7d24aecb8229cbc4ae014 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Fri, 5 Apr 2024 21:57:07 +0200
+Subject: [PATCH 1/2] sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
+
+Add the previous latest level to the switch for automatic.
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+---
+ include/sbat_var_defs.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
+index f8cba029..04d708f2 100644
+--- a/include/sbat_var_defs.h
++++ b/include/sbat_var_defs.h
+@@ -47,6 +47,8 @@
+ #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
+ #elif SBAT_AUTOMATIC_DATE == 2023012900
+ #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
++#elif SBAT_AUTOMATIC_DATE == 2024010900
++#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
+ #else
+ #error "Unknown SBAT_AUTOMATIC_DATE"
+ #endif /* SBAT_AUTOMATIC_DATE == */
+@@ -56,10 +58,10 @@
+ 	SBAT_VAR_AUTOMATIC_REVOCATIONS
+ 
+ /*
+- * Revocations for January 2024 shim CVEs
++ * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
+  */
+-#define SBAT_VAR_LATEST_DATE "2024010900"
+-#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
++#define SBAT_VAR_LATEST_DATE "2024040500"
++#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
+ #define SBAT_VAR_LATEST \
+ 	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+ 	SBAT_VAR_LATEST_REVOCATIONS
+-- 
+2.39.2
+