From fe02ccbe5315f099ba9d951c79f63c5e3683a707 Mon Sep 17 00:00:00 2001 From: Steve McIntyre Date: Fri, 3 May 2024 14:46:24 +0100 Subject: Force usage of newest revocations at build time Force shim to use the latest revocations by default to block some older grub / peimage issues. This is: "shim,4\ngrub,4\ngrub.peimage,2\n" This should work with the current released grub builds in all of buster, bullseye, bookwork and trixie/unstable. Let's not leave known security holes in the wild. --- debian/changelog | 4 ++++ debian/rules | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index 8f0d7025..d0f5fcf7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -17,6 +17,10 @@ shim (15.8-1) UNRELEASED; urgency=medium + Debian kernels are no longer signed for i386, it's time to stop supporting i386 SB. * Log if the build is nx-compatible or not + * Force shim to use the latest revocations by default to block some + older grub / peimage issues. This is: + "shim,4\ngrub,4\ngrub.peimage,2\n" + [ Bastien Roucariès ] * Port autopkgtest from ubuntu diff --git a/debian/rules b/debian/rules index 39d0357e..5edabe1b 100755 --- a/debian/rules +++ b/debian/rules @@ -48,6 +48,11 @@ COMMON_OPTIONS += \ CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \ $(NULL) +# Force shim to use the latest revocations by default to block some +# older grub / peimage issues. This is: +# "shim,4\ngrub,4\ngrub.peimage,2\n" +COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900 + $(DBX_LIST): $(DBX_HASHES) ./debian/generate_dbx_list $(EFI_ARCH) $< $@ -- cgit v1.2.3
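Review bot: The comment added above `COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900` in debian/rules copies the revocation payload by hand, and nothing visible in the hunk ties that string to the date, so the two can silently drift the next time the date is bumped. The precondition that makes this safe, that every suite this package is uploaded to already ships grub at the listed generations, is stated only in the commit message; since the setting blocks older grub and peimage binaries, a suite that lags would presumably end up with a shim that refuses its own bootloader. I would record both next to the setting, e.g. `# Payload shown is what upstream shim defines for this date; re-check it when bumping.` and `# Requires grub SBAT generation >= 4 and grub.peimage >= 2 in every target suite.` If the build does not already fail on a date that the shim source does not define, a check for that in this file would be worth adding.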