sys-boot/grub-lakitu: add SBAT revocation date to the EFI binary

Recent version of the EFI shim require GRUB binary to include
the .sbat section. This section is a CSV file that contains
information about the vendor, package, and version that can be used
by shim to decide whether the binary is trusted or not. More details:
  https://github.com/rhboot/shim/blob/main/SBAT.md

BUG=b/186856815
TEST=presubmit
RELEASE_NOTE=None

Change-Id: I4399f7460fa4a0efa6ddac0f0c37cffc2182b0d9
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/27581
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
Tested-by: Oleksandr Tymoshenko <ovt@google.com>
diff --git a/project-lakitu/sys-boot/grub-lakitu/files/sbat.csv.in b/project-lakitu/sys-boot/grub-lakitu/files/sbat.csv.in
new file mode 100644
index 0000000..0b2ab0b
--- /dev/null
+++ b/project-lakitu/sys-boot/grub-lakitu/files/sbat.csv.in
@@ -0,0 +1,4 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,1,Free Software Foundation,grub,@@GRUB_VERSION@@,https//www.gnu.org/software/grub/
+grub.fedora,1,The Fedora Project,grub2,@@FC_GRUB_VERSION@@,https://src.fedoraproject.org/rpms/grub2
+grub.cos,1,Container-Optimized OS,grub-lakitu,@@VERSION@@,https://cloud.google.com/container-optimized-os/docs
diff --git a/project-lakitu/sys-boot/grub-lakitu/grub-lakitu-2.06-r1.ebuild b/project-lakitu/sys-boot/grub-lakitu/grub-lakitu-2.06-r2.ebuild
similarity index 100%
rename from project-lakitu/sys-boot/grub-lakitu/grub-lakitu-2.06-r1.ebuild
rename to project-lakitu/sys-boot/grub-lakitu/grub-lakitu-2.06-r2.ebuild
diff --git a/project-lakitu/sys-boot/grub-lakitu/grub-lakitu-2.06.ebuild b/project-lakitu/sys-boot/grub-lakitu/grub-lakitu-2.06.ebuild
index 12bb22c..12ad3f2 100644
--- a/project-lakitu/sys-boot/grub-lakitu/grub-lakitu-2.06.ebuild
+++ b/project-lakitu/sys-boot/grub-lakitu/grub-lakitu-2.06.ebuild
@@ -2,7 +2,20 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
+
+# fedora-36 branch in rhboot/grub2
 GRUB2_COMMIT="89fe2f15e13d465aba68cdb727fadb35330c9265"
+
+# This information is required for .sbat section of the EFI binary
+# https://github.com/rhboot/shim/blob/main/SBAT.md
+# Should be kept up to date with every version update
+GRUB_VERSION="2.06"
+# whenever updating GRUB package it's better to synchronize with
+# Fedora Core releases and cross-reference git commits in rhboot/grub2
+# with the changelog in GRUB2 rpm file or with sources from the srpm
+#   rpm -q --changelog grub2-efi-x64-2.06-6.fc36.x86_64.rpm
+FC_GRUB_VERSION="2.06-6.fc36"
+
 # tip of the "fixes" branch
 GNULIB_COMMIT="6db02d3d2febe5e6e855d94722bb24f097c80a6f"
 SRC_URI="https://github.com/rhboot/grub2/archive/${GRUB2_COMMIT}.tar.gz -> rhboot-grub2-${GRUB2_COMMIT}.tar.gz
@@ -99,6 +112,10 @@
 		done
 	done
 	multijob_finish
+	cat "${FILESDIR}/sbat.csv.in" \
+		| sed "s/@@GRUB_VERSION@@/${GRUB_VERSION}/g" \
+		| sed "s/@@FC_GRUB_VERSION@@/${FC_GRUB_VERSION}/g" \
+		| sed "s/@@VERSION@@/${PVR}/g" > "${S}/sbat.csv"
 }
 
 src_compile() {
@@ -128,6 +145,7 @@
 		-c "${FILESDIR}/grub.cfg" \
 		-d "${D}/$(get_libdir)/grub/$(grub_output_dir)" \
 		-o "${S}/grub-lakitu.efi" \
+		--sbat "${S}/sbat.csv" \
 		part_gpt test fat ext2 normal boot \
 		efi_gop configfile search search_fs_uuid search_label \
 		terminal echo serial tpm gptpriority linux