Diffstat (limited to 'include')
-rw-r--r--include/sbat_var_defs.h33
1 files changed, 28 insertions, 5 deletions
diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
index bd54cf5d..f8cba029 100644
--- a/include/sbat_var_defs.h
+++ b/include/sbat_var_defs.h
@@ -3,6 +3,9 @@
#ifndef SBAT_VAR_DEFS_H_
#define SBAT_VAR_DEFS_H_
+#define QUOTEVAL(s) QUOTE(s)
+#define QUOTE(s) #s
+
/*
* This is the entry for the sbat data format
*/
@@ -23,14 +26,34 @@
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
SBAT_VAR_LATEST_REVOCATIONS
#else /* !ENABLE_SHIM_DEVEL */
+
/*
- * At this point we do not want shim to automatically apply a
- * revocation unless it is delivered by a separately installed
- * signed revocations binary.
+ * Some distros may want to apply revocations from 2022052400
+ * or 2022111500 automatically. They can be selected by setting
+ * SBAT_AUTOMATIC_DATE=<datestamp> at build time. Otherwise the
+ * default is to apply the second to most recent revocations
+ * automatically. Distros that need to manage automatic updates
+ * externally from shim can choose the epoch 2021030218 emtpy
+ * revocations.
*/
-#define SBAT_VAR_AUTOMATIC_DATE "2021030218"
+#ifndef SBAT_AUTOMATIC_DATE
+#define SBAT_AUTOMATIC_DATE 2023012900
+#endif /* SBAT_AUTOMATIC_DATE */
+#if SBAT_AUTOMATIC_DATE == 2021030218
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS
+#elif SBAT_AUTOMATIC_DATE == 2022052400
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "grub,2\n"
+#elif SBAT_AUTOMATIC_DATE == 2022111500
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
+#elif SBAT_AUTOMATIC_DATE == 2023012900
+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
+#else
+#error "Unknown SBAT_AUTOMATIC_DATE"
+#endif /* SBAT_AUTOMATIC_DATE == */
+#define SBAT_VAR_AUTOMATIC_DATE QUOTEVAL(SBAT_AUTOMATIC_DATE)
#define SBAT_VAR_AUTOMATIC \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE "\n"
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE "\n" \
+ SBAT_VAR_AUTOMATIC_REVOCATIONS
/*
* Revocations for January 2024 shim CVEs
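Review bot: The `#if SBAT_AUTOMATIC_DATE == ...` chain compares the build-time value numerically, but `SBAT_VAR_AUTOMATIC_DATE` is then built by stringifying whatever tokens the builder passed, so a spelling such as `2022052400U` or `(2022052400)` selects a branch yet embeds a non-canonical datestamp in `SBAT_VAR_AUTOMATIC`. Because that string presumably becomes the date field of the revocation data applied automatically, I would define the literal beside each payload instead, e.g. `#define SBAT_VAR_AUTOMATIC_DATE "2022052400"` inside the matching branch, and drop the `QUOTEVAL(SBAT_AUTOMATIC_DATE)` line; the `QUOTE`/`QUOTEVAL` helpers added in the first hunk would then be unnecessary. The comment should also name 2023012900 as the current default and as an accepted value, since "second to most recent" goes stale as soon as a newer list is added, and "emtpy" should read "empty". The enclosing `#else /* !ENABLE_SHIM_DEVEL */` branch starts and ends outside this hunk, so how the date string is parsed or compared is not visible here.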