Rebase on 15.8

[dbnicholson]

Rebase on 15.8 to get the latest CVE fixes and for LoadOptions handling (needed for loading fwupd). Below is a review of our outstanding changes, but the actual kept commits come from the fallback-cleanup-duplicate-boot-entries branch.

• 822d07a Fix handling of ignore_db and user_insecure_mode
• a0f7015 shim-15.4 branch: update .gitmodules to point at shim-15.4 in gnu-efi
• 5b3ca0d Fix a broken file header on ia32
• 4068fd4 mok: allocate MOK config table as BootServicesData
• f428985 fallback: Print info on GetNextVariableName errors
• f5e1d7f fallback: Use a dynamic buffer when list var names

Upstream backports.

• 97f5741 Revert "fallback: work around the issue of boot option creation with AMI BIOS"
• ab30a4a fallback: Clean-up duplicate boot entries

I thought I might be able to drop these after upstream's 41319e1.
However, that only covers duplicate entries in the BootOrder variable.
These versions come from the fallback-cleanup-duplicate-boot-entries
branch, which @jprvita kindly rebased to handle merge conflicts.

• 87c9724 fallback: Add build flag to always try to chain-load the new boot entry

Dropped as discussed in https://phabricator.endlessm.com/T31604.

• d05bf29 sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
• 41cdaf0 sbat: Also bump latest for grub,4 (and to todays date)

These are backports added from upstream that are also included in
Debian. They provide 2 newer SBAT policies that can be selected but
aren't used by default.

The full set of downstream changes can be seen here.

https://phabricator.endlessm.com/T34488

[dbnicholson]

For the debian patches, I decided to change the way the branch is handled. Rather than importing 15.8-1~deb12u1 as a single commit, I based the branch on the debian/15.8-1_deb12u1 tag from the salsa repo. That's how I've handled ostree and other packages. The downside is that I can't make a PR for that since the branches don't share a common base. I can go back to single commit import if that's preferable.

The branch I created is in T34488-rebase-15.8-debian. The changes relative to 15.8-1~deb12u1 are here. Here's a list of the previous patches:

• a69f4be Create shim-efi-image package
• a0d815a Vendor customization for Endless OS
• 22ed0e4 Add vendor dbx file with revoked signing certificates

Downstream changes kept.

• a916e3d Set FALLBACK_NEVER_REBOOT

Dropped as discussed in https://phabricator.endlessm.com/T31604.

• 21e97e5 Renew Endless CA certificate

Kept and squashed into a0d815a Vendor customization for Endless OS.

• e261543 Switch to using gcc-12

Upstream backport.

• 3fca433 Remove debian patches

If we're based on Debian's git branch, then we need an actual git commit
to handle the patches.

[dbnicholson]

Of note is bd9f3bf on the debian branch. The comment is wrong there, but it means that the automatically applied SBAT policy is:

sbat,1,2024010900
shim,4
grub,3
grub.debian,4

Once shim sets that in the SbatLevelRT UEFI variable, you wouldn't be able to roll back to an earlier shim or grub.

[starnight]

Nice! Thank you!!!

[wjt]

This branch and debian/15.8-1_deb12u1...T34488-rebase-15.8-debian both LGTM