From: Michael Prokop <mika@grml.org>
Date: Wed, 12 Aug 2020 15:24:08 +0000 (+0200)
Subject: Secure Boot: update grubx64.efi.signed to fix BootHole issue
X-Git-Tag: v0.37.1~3
X-Git-Url: https://git.grml.org/?p=grml-live.git;a=commitdiff_plain;h=0867199f57a3d59bbf1d6e03edc1e99d7e9446d6

Secure Boot: update grubx64.efi.signed to fix BootHole issue

Fixes the BootHole, see https://www.debian.org/security/2020/dsa-4735 +
https://www.openwall.com/lists/oss-security/2020/07/29/3 +
https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
---

diff --git a/templates/EFI/debian/BOOT/README b/templates/EFI/debian/BOOT/README
index ea5f86f..5334582 100644
--- a/templates/EFI/debian/BOOT/README
+++ b/templates/EFI/debian/BOOT/README
@@ -1,6 +1,6 @@
 # debian approach:
 shimx64.efi.signed = /usr/lib/shim/shimx64.efi.signed                  from http://ftp.de.debian.org/debian/pool/main/s/shim-signed/shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb
-grubx64.efi.signed = /usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed from http://ftp.de.debian.org/debian/pool/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1+2.02+dfsg1+20_amd64.deb
+grubx64.efi.signed = /usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed from http://ftp.de.debian.org/debian/pool/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1+2.02+dfsg1+20+deb10u2_amd64.deb
 # NOTE:
 # shimx64.efi.signed ends up as /EFI/BOOT/bootx64.efi inside [grml_cd]/boot/efi.img, and
 # grubx64.efi.signed ends up as /EFI/BOOT/grubx64.efi inside [grml_cd]/boot/efi.img, whereas
diff --git a/templates/EFI/debian/BOOT/grubx64.efi.signed b/templates/EFI/debian/BOOT/grubx64.efi.signed
index 01c10b4..0f82e38 100644
Binary files a/templates/EFI/debian/BOOT/grubx64.efi.signed and b/templates/EFI/debian/BOOT/grubx64.efi.signed differ