From fe02ccbe5315f099ba9d951c79f63c5e3683a707 Mon Sep 17 00:00:00 2001
From: Steve McIntyre
Date: Fri, 3 May 2024 14:46:24 +0100
Subject: Force usage of newest revocations at build time
Force shim to use the latest revocations by default to block some older grub / peimage issues. This is: "shim,4\ngrub,4\ngrub.peimage,2\n" This should work with the current released grub builds in all of buster, bullseye, bookwork and trixie/unstable. Let's not leave known security holes in the wild.
---
 debian/rules | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'debian/rules')
diff --git a/debian/rules b/debian/rules
index 39d0357e..5edabe1b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -48,6 +48,11 @@ COMMON_OPTIONS += \
 CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
 $(NULL)
+# Force shim to use the latest revocations by default to block some
+# older grub / peimage issues. This is:
+# "shim,4\ngrub,4\ngrub.peimage,2\n"
+COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900
+
 $(DBX_LIST): $(DBX_HASHES)
 ./debian/generate_dbx_list $(EFI_ARCH) $< $@
--
cgit v1.2.3
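Review bot: The comment above `COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900` asserts the resulting payload (`shim,4\ngrub,4\ngrub.peimage,2\n`), but nothing in this hunk ties the date to that string, so the two can drift apart silently when the date or the upstream table changes. The mapping lives outside the hunk (presumably in shim's SBAT level definitions), so it is worth confirming that 2024010900 really selects this payload and not an entry with a lower grub level. I would also record the operational consequence next to the setting, e.g. `# Raising this makes shim refuse any grub whose SBAT generation is below the levels listed; check every supported suite and install media before bumping.` A post-build check that the automatic SBAT level embedded in the built shim equals the documented string would turn the comment into something the build enforces.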