From 02c0bdaa28315b1b33919742da7b6eb5ea71f0ba Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Fri, 6 Sep 2024 19:43:25 +0530
Subject: [PATCH] sys-boot/shim: Include @@VERSION@@ in SBAT for version

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
 .../third_party/coreos-overlay/sys-boot/shim/files/sbat.csv  | 1 -
 .../coreos-overlay/sys-boot/shim/files/sbat.csv.in           | 3 +++
 .../coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild         | 5 ++++-
 3 files changed, 7 insertions(+), 2 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/sbat.csv
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/sbat.csv.in

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/sbat.csv b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/sbat.csv
deleted file mode 100644
index c0a2f34e88..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/sbat.csv
+++ /dev/null
@@ -1 +0,0 @@
-shim.flatcar,1,Flatcar Container Linux,shim,15.8,security@flatcar-linux.org
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/sbat.csv.in b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/sbat.csv.in
new file mode 100644
index 0000000000..43b9f68a7a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/sbat.csv.in
@@ -0,0 +1,3 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
+shim.flatcar,1,Flatcar Container Linux,shim,@@VERSION@@,security@flatcar-linux.org
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild
index f81676c173..a44719000d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild
@@ -31,6 +31,9 @@ src_compile() {
   local emake_args=(
     CROSS_COMPILE="${CHOST}-"
   )
+
+  sed -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${WORKDIR}/sbat.csv" || die
+
   # Apparently our environment already has the ARCH variable in
   # it, and Makefile picks it up instead of figuring it out
   # itself with the compiler -dumpmachine flag. But also it
@@ -42,7 +45,7 @@ src_compile() {
     emake_args+=( ARCH=aarch64 )
   fi
   emake_args+=( ENABLE_SBSIGN=1 )
-  emake_args+=( SBATPATH="${FILESDIR}/sbat.csv" )
+  emake_args+=( SBATPATH="${WORKDIR}/sbat.csv" )
 
   if use official; then
     if [ -z "${SHIM_SIGNING_CERTIFICATE}" ]; then