Add SBAT section

See https://github.com/rhboot/shim/blob/main/SBAT.md.  Thanks to Chris
Coulson for an initial version of this patch.

4 files changed, 22 insertions, 6 deletions

diff --git a/debian/build-efi-images b/debian/build-efi-images
index 3e5bfafad..bdf433401 100755
--- a/debian/build-efi-images
+++ b/debian/build-efi-images
@@ -20,8 +20,8 @@ set -e
 
 # Make EFI boot images for signing.
 
-if [ $# -lt 6 ]; then
-	echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME [EFI-VENDOR]"
+if [ $# -lt 7 ]; then
+	echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME SBAT-CSV [EFI-VENDOR]"
 fi
 
 grub_mkimage="$1"
@@ -30,7 +30,8 @@ outdir="$3"
 deb_arch="$4"
 platform="$5"
 efi_name="$6"
-efi_vendor="${7:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
+sbat_csv="$7"
+efi_vendor="${8:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
 
 # mkfs.msdos may not be on the default PATH.
 export PATH="$PATH:/sbin:/usr/sbin"
@@ -200,17 +201,22 @@ NET_MODULES="$CD_MODULES
 	-d "$grub_core" \
 	-c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
 	-p /boot/grub \
+	--sbat "$sbat_csv" \
 	$CD_MODULES
 
 # Normal disk boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
-	-d "$grub_core" -p "/EFI/$efi_vendor" $GRUB_MODULES
+	-d "$grub_core" -p "/EFI/$efi_vendor" \
+	--sbat "$sbat_csv" \
+	$GRUB_MODULES
 
 # Normal network boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
 	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
 	-m "$workdir/memdisk-netboot.fat" \
-	-p /grub $NET_MODULES
+	-p /grub \
+	--sbat "$sbat_csv" \
+	$NET_MODULES
 
 # Special network boot image for d-i to use. Just the same as the
 # normal network boot image, but with a different value baked in for
diff --git a/debian/changelog b/debian/changelog
index 038f80f85..d31dee3e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -134,6 +134,7 @@ grub2 (2.04-16) UNRELEASED; urgency=medium
     - gfxmenu/gui: Check printf() format in the gui_progress_bar and
       gui_label
     - kern/mm: Fix grub_debug_calloc() compilation error
+  * Add SBAT section (thanks, Chris Coulson).
 
  -- Colin Watson <cjwatson@debian.org>  Sun, 21 Feb 2021 00:01:18 +0000
 
diff --git a/debian/rules b/debian/rules
index 5a9bdda2a..be8f870c8 100755
--- a/debian/rules
+++ b/debian/rules
@@ -216,11 +216,17 @@ debian/stamps/build-grub-none debian/stamps/build-grub-efi-ia64 debian/stamps/bu
 
 debian/stamps/build-grub-efi-ia32 debian/stamps/build-grub-efi-amd64 debian/stamps/build-grub-efi-arm64: debian/stamps/build-%: debian/stamps/configure-% debian/stamps/build-grub-$(COMMON_PLATFORM)
 	dh_auto_build
+	grub_dir=`mktemp -d` ; \
+	sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
+		-e "s/@UPSTREAM_VERSION@/$(upstream_version)/g" \
+		<debian/sbat.$(SB_EFI_VENDOR).csv.in \
+		>$${grub_dir}/sbat.$(SB_EFI_VENDOR).csv; \
 	debian/build-efi-images \
 		obj/grub-$(COMMON_PLATFORM)/grub-mkimage \
 		obj/$(package)/grub-core \
 		obj/monolithic/$(package) \
-		$(DEB_HOST_ARCH) $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
+		$(DEB_HOST_ARCH) $(SB_PLATFORM) $(SB_EFI_NAME) \
+		$${grub_dir}/sbat.$(SB_EFI_VENDOR).csv $(SB_EFI_VENDOR)
 	touch $@
 
 debian/stamps/build-grub-xen-host-i386: PVBOOT_ARCH := i386
diff --git a/debian/sbat.debian.csv.in b/debian/sbat.debian.csv.in
new file mode 100644
index 000000000..f2b61adad
--- /dev/null
+++ b/debian/sbat.debian.csv.in
@@ -0,0 +1,3 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,1,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/
+grub.debian,1,Debian,grub2,@DEB_VERSION@,https://tracker.debian.org/pkg/grub2