From dd8be98cf0fceddd9f156d2917565b18d38c4830 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Wed, 16 Nov 2022 13:25:11 -0500
Subject: Bump grub's sbat requirement to grub,3
Due to the issues addressed in the 2022-11-15 batch of grub CVEs[0], we need to bump the sbat version from grub. This patch changes it from 2 to 3.
[0] https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html
Signed-off-by: Peter Jones
---
 include/sbat_var_defs.h | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
(limited to 'include')
diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
index c656b56d..6b01573e 100644
--- a/include/sbat_var_defs.h
+++ b/include/sbat_var_defs.h
@@ -3,6 +3,9 @@
 #ifndef SBAT_VAR_DEFS_H_
 #define SBAT_VAR_DEFS_H_
+/*
+ * This is the entry for the sbat data format
+ */
 #define SBAT_VAR_SIG "sbat,"
 #define SBAT_VAR_VERSION "1,"
 #define SBAT_VAR_ORIGINAL_DATE "2021030218"
@@ -22,14 +25,18 @@
 SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
 SBAT_VAR_LATEST_REVOCATIONS
 #else /* !ENABLE_SHIM_DEVEL */
-#define SBAT_VAR_PREVIOUS_DATE SBAT_VAR_ORIGINAL_DATE
-#define SBAT_VAR_PREVIOUS_REVOCATIONS
+/*
+ * As of 2022-11-16, most folks (including Ubuntu, SUSE, openSUSE) don't have
+ * a "shim,2" yet, so adding that here would end up unbootable.
+ */
+#define SBAT_VAR_PREVIOUS_DATE "2022052400"
+#define SBAT_VAR_PREVIOUS_REVOCATIONS "grub,2\n"
 #define SBAT_VAR_PREVIOUS \
 SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
 SBAT_VAR_PREVIOUS_REVOCATIONS
-#define SBAT_VAR_LATEST_DATE "2022052400"
-#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,2\n"
+#define SBAT_VAR_LATEST_DATE "2022111500"
+#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\n"
 #define SBAT_VAR_LATEST \
 SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
 SBAT_VAR_LATEST_REVOCATIONS
-- 
cgit v1.2.3
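Review bot: In the second hunk, `SBAT_VAR_PREVIOUS_DATE` reuses `"2022052400"`, the datestamp the removed `SBAT_VAR_LATEST_DATE` carried together with `"shim,2\ngrub,2\n"`, while the new previous payload is only `"grub,2\n"`. Two different revocation lists now share one date, so if the SbatLevel update logic (not visible here) orders payloads by that date, a machine already holding the older 2022052400 data would keep its `shim,2` entry, and the date alone no longer tells an auditor which list is installed. Consider giving the previous entry its own datestamp, or at least say so in the new comment, e.g. `* PREVIOUS deliberately omits "shim,2" but keeps the 2022052400 date; LATEST carries the full list.` The comment also never names which macro it explains, although `SBAT_VAR_LATEST_REVOCATIONS` a few lines below does contain `shim,2`. The `#if` that opens this `#else` branch and its `#endif` lie outside the hunk.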