2 files changed, 20 insertions, 0 deletions

diff --git a/debian/patches/block-grub-sbat3-debian.patch b/debian/patches/block-grub-sbat3-debian.patch
new file mode 100644
index 00000000..4b0aa39a
--- /dev/null
+++ b/debian/patches/block-grub-sbat3-debian.patch
@@ -0,0 +1,19 @@
+diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
+index 6b01573e..5b1a764f 100644
+--- a/include/sbat_var_defs.h
++++ b/include/sbat_var_defs.h
+@@ -35,8 +35,12 @@
+ 	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
+ 	SBAT_VAR_PREVIOUS_REVOCATIONS
+ 
+-#define SBAT_VAR_LATEST_DATE "2022111500"
+-#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\n"
++/*
++ * Debian's grub.3 update was broken - some binaries included the SBAT
++ * data update but not the security patches :-(
++ */
++#define SBAT_VAR_LATEST_DATE "2023012900"
++#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
+ #define SBAT_VAR_LATEST \
+ 	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+ 	SBAT_VAR_LATEST_REVOCATIONS
diff --git a/debian/patches/series b/debian/patches/series
index b3ddfc8f..683d1b90 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch
 Enable-NX.patch
+block-grub-sbat3-debian.patch