Force usage of newest revocations at build time

Force shim to use the latest revocations by default to block some older grub / peimage issues. This is: "shim,4\ngrub,4\ngrub.peimage,2\n" This should work with the current released grub builds in all of buster, bullseye, bookwork and trixie/unstable. Let's not leave known security holes in the wild.
2025-10-04 11:58:25 +00:00 · 2024-05-03 14:46:24 +01:00 · 2024-05-03 14:46:24 +01:00 · bd9f3bf331
commit bd9f3bf331
parent bb0763da91
2 changed files with 9 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -14,6 +14,10 @@ shim (15.8-1) UNRELEASED; urgency=medium
    + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
    + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
  * Log if the build is nx-compatible or not
+  * Force shim to use the latest revocations by default to block some
+    older grub / peimage issues. This is:
+    "shim,4\ngrub,4\ngrub.peimage,2\n"
+

  [ Bastien Roucariès ]
  * Port autopkgtest from ubuntu
--- a/debian/rules
+++ b/debian/rules
@ -48,6 +48,11 @@ COMMON_OPTIONS += \
 	CC=$(DEB_HOST_GNU_TYPE)-gcc-12 \
 	$(NULL)

+# Force shim to use the latest revocations by default to block some
+# older grub / peimage issues. This is:
+# "shim,4\ngrub,4\ngrub.peimage,2\n"
+COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900
+
 $(DBX_LIST): $(DBX_HASHES)
 	./debian/generate_dbx_list $(EFI_ARCH) $< $@