From cca3933f48e3a52863322f358c2e8cb8ea80bd57 Mon Sep 17 00:00:00 2001
From: Steve McIntyre
Date: Mon, 30 Jan 2023 18:15:36 +0000
Subject: Block Debian grub binaries with SBAT < 4 (See https://bugs.debian.org/1024617) One of the Debian builds of grub bumped the SBAT to 3, but didn't include the patches needed. Add "grub.debian,4" to block those binaries.
Signed-off-by: Steve McIntyre
---
 include/sbat_var_defs.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'include')
diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
index 6b01573e..5b1a764f 100644
--- a/include/sbat_var_defs.h
+++ b/include/sbat_var_defs.h
@@ -35,8 +35,12 @@
 SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
 SBAT_VAR_PREVIOUS_REVOCATIONS
-#define SBAT_VAR_LATEST_DATE "2022111500"
-#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\n"
+/*
+ * Debian's grub.3 update was broken - some binaries included the SBAT
+ * data update but not the security patches :-(
+ */
+#define SBAT_VAR_LATEST_DATE "2023012900"
+#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
 #define SBAT_VAR_LATEST \
 SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
 SBAT_VAR_LATEST_REVOCATIONS
--
cgit v1.2.3
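Review bot: The new comment above `SBAT_VAR_LATEST_DATE` says "grub.3 update was broken" but never names the entry it justifies or where the details live, so a reader of the header alone cannot tell that `grub.debian,4` is what rejects those builds. I would word it as `/* Debian grub builds with grub.debian < 4 claim grub,3 without the security patches (https://bugs.debian.org/1024617); require grub.debian >= 4. */`. The entry is added only to `SBAT_VAR_LATEST_REVOCATIONS`; the `SBAT_VAR_PREVIOUS_*` definitions begin above the hunk and are not touched by it. Presumably a system that applies the previous revocation set still accepts the affected binaries, and that is worth stating in the comment so nobody assumes the block is universal.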