Diffstat (limited to 'include/sbat_var_defs.h')
-rw-r--r--include/sbat_var_defs.h52
1 files changed, 37 insertions, 15 deletions
diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
index 6b01573e..f8cba029 100644
--- a/include/sbat_var_defs.h
+++ b/include/sbat_var_defs.h
@@ -3,6 +3,9 @@
#ifndef SBAT_VAR_DEFS_H_
#define SBAT_VAR_DEFS_H_
+#define QUOTEVAL(s) QUOTE(s)
+#define QUOTE(s) #s
+
/*
* This is the entry for the sbat data format
*/
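Review bot: `QUOTE` and `QUOTEVAL` are very generic names to define unguarded in a shared header, and nothing here says why two levels are needed. Another header that defines `QUOTE` with a different body would trigger a redefinition diagnostic, so a prefixed pair such as `#define SBAT_QUOTEVAL(s) SBAT_QUOTE(s)` and `#define SBAT_QUOTE(s) #s` would be safer. A one-line comment would also help: `/* Two levels so the argument is macro-expanded before # stringifies it. */`.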
@@ -13,11 +16,9 @@
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_ORIGINAL_DATE "\n"
#if defined(ENABLE_SHIM_DEVEL)
-#define SBAT_VAR_PREVIOUS_DATE "2022020101"
-#define SBAT_VAR_PREVIOUS_REVOCATIONS "component,2\n"
-#define SBAT_VAR_PREVIOUS \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
- SBAT_VAR_PREVIOUS_REVOCATIONS
+#define SBAT_VAR_AUTOMATIC_DATE "2021030218"
+#define SBAT_VAR_AUTOMATIC \
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE "\n"
#define SBAT_VAR_LATEST_DATE "2022050100"
#define SBAT_VAR_LATEST_REVOCATIONS "component,2\nothercomponent,2\n"
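Review bot: The devel branch defines `SBAT_VAR_AUTOMATIC_DATE` and `SBAT_VAR_AUTOMATIC` but never `SBAT_VAR_AUTOMATIC_REVOCATIONS`, which the non-devel branch later in this file does define. Any code that names that macro directly would then build only without `ENABLE_SHIM_DEVEL`; whether such a user exists is not visible from this hunk. Adding an empty `#define SBAT_VAR_AUTOMATIC_REVOCATIONS` here and appending it to `SBAT_VAR_AUTOMATIC` would keep both branches parallel. Note also that the devel automatic payload now carries no revocation lines where `SBAT_VAR_PREVIOUS` had `"component,2\n"`, so devel builds no longer exercise a non-empty automatic list, if tests depended on that.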
@@ -25,21 +26,42 @@
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
SBAT_VAR_LATEST_REVOCATIONS
#else /* !ENABLE_SHIM_DEVEL */
+
/*
- * As of 2022-11-16, most folks (including Ubuntu, SUSE, openSUSE) don't have
- * a "shim,2" yet, so adding that here would end up unbootable.
+ * Some distros may want to apply revocations from 2022052400
+ * or 2022111500 automatically. They can be selected by setting
+ * SBAT_AUTOMATIC_DATE=<datestamp> at build time. Otherwise the
+ * default is to apply the second to most recent revocations
+ * automatically. Distros that need to manage automatic updates
+ * externally from shim can choose the epoch 2021030218 emtpy
+ * revocations.
*/
-#define SBAT_VAR_PREVIOUS_DATE "2022052400"
-#define SBAT_VAR_PREVIOUS_REVOCATIONS "grub,2\n"
-#define SBAT_VAR_PREVIOUS \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
- SBAT_VAR_PREVIOUS_REVOCATIONS
+#ifndef SBAT_AUTOMATIC_DATE
+#define SBAT_AUTOMATIC_DATE 2023012900
+#endif /* SBAT_AUTOMATIC_DATE */
+#if SBAT_AUTOMATIC_DATE == 2021030218
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS
+#elif SBAT_AUTOMATIC_DATE == 2022052400
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "grub,2\n"
+#elif SBAT_AUTOMATIC_DATE == 2022111500
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
+#elif SBAT_AUTOMATIC_DATE == 2023012900
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
+#else
+#error "Unknown SBAT_AUTOMATIC_DATE"
+#endif /* SBAT_AUTOMATIC_DATE == */
+#define SBAT_VAR_AUTOMATIC_DATE QUOTEVAL(SBAT_AUTOMATIC_DATE)
+#define SBAT_VAR_AUTOMATIC \
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE "\n" \
+ SBAT_VAR_AUTOMATIC_REVOCATIONS
-#define SBAT_VAR_LATEST_DATE "2022111500"
-#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\n"
+/*
+ * Revocations for January 2024 shim CVEs
+ */
+#define SBAT_VAR_LATEST_DATE "2024010900"
+#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
#define SBAT_VAR_LATEST \
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
SBAT_VAR_LATEST_REVOCATIONS
#endif /* ENABLE_SHIM_DEVEL */
-
#endif /* !SBAT_VAR_DEFS_H_ */
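Review bot: `SBAT_VAR_AUTOMATIC_DATE` is produced by stringifying whatever the builder passed, while the `#if` chain only checks its numeric value. A value such as `2022052400U` or `(2022052400)` therefore selects a branch but puts a different date string into `SBAT_VAR_AUTOMATIC`. How the consumer parses that field is not visible here, but a malformed datestamp in the revocation payload is worth ruling out at build time. Defining the string literally in each branch, e.g. `#define SBAT_VAR_AUTOMATIC_DATE "2022052400"` under the matching `#elif`, and dropping the `QUOTEVAL` line would close the gap. The comment could also state that the default automatic level (`shim,2`) leaves in place the shim generations that `SBAT_VAR_LATEST` (`shim,4`) revokes, and fix the typo "emtpy".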