From 0a6749b11288f0c58cd6fbeb3d3b20d48871ab58 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Tue, 8 Nov 2022 14:45:34 -0800 Subject: [PATCH 1/7] Create revocations.efi to deliver new sbat level requirements This covers delivering updates to SBAT_LEVEL without the need to create and sign a new shim Signed-off-by: Jan Setje-Eilers --- Makefile | 19 ++++++++++++++++++- data/sbat_level_latest.csv | 3 +++ data/sbat_level_previous.csv | 2 ++ 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 data/sbat_level_latest.csv create mode 100644 data/sbat_level_previous.csv diff --git a/Makefile b/Makefile index ecb7e49..9d6fbdc 100644 --- a/Makefile +++ b/Makefile @@ -55,6 +55,8 @@ $(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2) endef SBATPATH = $(TOPDIR)/data/sbat.csv +SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv +SBATLEVELPREVIOUSPATH = $(TOPDIR)/data/sbat_level_previous.csv VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x)))) OBJFLAGS = @@ -84,7 +86,7 @@ ifeq ($(ARCH),arm) BUILDFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) endif -all : certwrapper.efi +all : certwrapper.efi revocations.efi certwrapper.so : sbat_data.o certwrapper.o certwrapper.so : SOLIBS= @@ -94,6 +96,15 @@ certwrapper.efi : OBJFLAGS = --strip-unneeded $(call VENDOR_DB, $<) certwrapper.efi : SECTIONS=.text .reloc .db .sbat certwrapper.efi : VENDOR_DB_FILE?=db.esl +revocations.so : sbat_data.o revocations.o +revocations.so : SOLIBS= +revocations.so : SOFLAGS= +revocations.efi : OBJFLAGS = --strip-unneeded +revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbatp + +revocations.o : certwrapper.o + cp certwrapper.o revocations.o + %.efi : %.so ifneq ($(OBJCOPY_GTE224),1) $(error objcopy >= 2.24 is required) 
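Review bot: The new `revocations.o : certwrapper.o` rule copies an object whose compile flags depend on which target caused it to be built: `certwrapper.so : BUILDFLAGS+=-DVENDOR_DB` (visible as context in PATCH 2) is target-specific, so certwrapper.o is compiled with -DVENDOR_DB only when it is first reached through certwrapper.so, and `make revocations.efi` on its own, or a `make -j all` that reaches it through revocations.so first, copies an object built without the define. Whether that matters depends on what VENDOR_DB changes in the source, which the diff does not show; if revocations.o needs different flags, compile it from the same source with its own target-specific BUILDFLAGS instead of copying, and if identical flags are intended, say so in a comment on the rule. Independently, the recipe should read `cp $< $@` rather than naming both files, matching the `-o $@ $<` style of the sbat_data.o recipe below it. PATCH 7's hunk at -104,13 repeats the hard-coded copy for revocations_sbat.o and revocations_sku.o.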
@@ -109,6 +120,12 @@ sbat_data.o : /dev/null $(OBJCOPY) --add-section .sbat=$(SBATPATH) \ --set-section-flags .sbat=contents,alloc,load,readonly,data \ $@ + $(OBJCOPY) --add-section .sbatl=$(SBATLEVELLATESTPATH) \ + --set-section-flags .sbatl=contents,alloc,load,readonly,data \ + $@ + $(OBJCOPY) --add-section .sbatp=$(SBATLEVELPREVIOUSPATH) \ + --set-section-flags .sbatp=contents,alloc,load,readonly,data \ + $@ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@)) %.so : %.o diff --git a/data/sbat_level_latest.csv b/data/sbat_level_latest.csv new file mode 100644 index 0000000..cf56b2e --- /dev/null +++ b/data/sbat_level_latest.csv @@ -0,0 +1,3 @@ +sbat,1,2022111500 +shim,2 +grub,3 diff --git a/data/sbat_level_previous.csv b/data/sbat_level_previous.csv new file mode 100644 index 0000000..51fa1e9 --- /dev/null +++ b/data/sbat_level_previous.csv @@ -0,0 +1,2 @@ +sbat,1,2022052400 +grub,2 From cb08cf550fc208a4d26c21f0f0f558dec6bde5f2 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Fri, 9 Jun 2023 14:57:58 -0700 Subject: [PATCH 2/7] SkuSiPolicy payload - at the moment this is only for testing Signed-off-by: Jan Setje-Eilers --- Makefile | 31 +++++++++++++++++++++----- data/SkuSiPolicy_Version_latest.bin | Bin 0 -> 8 bytes data/SkuSiPolicy_Version_previous.bin | Bin 0 -> 8 bytes data/SkuSiPolicy_latest.bin | Bin 0 -> 131 bytes data/SkuSiPolicy_previous.bin | Bin 0 -> 131 bytes 5 files changed, 25 insertions(+), 6 deletions(-) create mode 100644 data/SkuSiPolicy_Version_latest.bin create mode 100644 data/SkuSiPolicy_Version_previous.bin create mode 100644 data/SkuSiPolicy_latest.bin create mode 100644 data/SkuSiPolicy_previous.bin diff --git a/Makefile b/Makefile index 9d6fbdc..b669c9f 100644 --- a/Makefile +++ b/Makefile 
@@ -51,12 +51,19 @@ endef define add-vendor-sbat $(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2) +endef +define add-skusi +$(OBJCOPY) --add-section ".$(patsubst %.bin,%,$(1))=$(1)" $(2) endef SBATPATH = $(TOPDIR)/data/sbat.csv SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv SBATLEVELPREVIOUSPATH = $(TOPDIR)/data/sbat_level_previous.csv +SSPVLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_Version_latest.bin +SSPSLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_latest.bin +SSPVPREVIOUSPATH = $(TOPDIR)/data/SkuSiPolicy_Version_previous.bin +SSPSPREVIOUSPATH = $(TOPDIR)/data/SkuSiPolicy_previous.bin VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x)))) OBJFLAGS = @@ -88,7 +95,7 @@ endif all : certwrapper.efi revocations.efi -certwrapper.so : sbat_data.o certwrapper.o +certwrapper.so : revocation_data.o certwrapper.o certwrapper.so : SOLIBS= certwrapper.so : SOFLAGS= certwrapper.so : BUILDFLAGS+=-DVENDOR_DB @@ -96,11 +103,11 @@ certwrapper.efi : OBJFLAGS = --strip-unneeded $(call VENDOR_DB, $<) certwrapper.efi : SECTIONS=.text .reloc .db .sbat certwrapper.efi : VENDOR_DB_FILE?=db.esl -revocations.so : sbat_data.o revocations.o +revocations.so : revocation_data.o revocations.o revocations.so : SOLIBS= revocations.so : SOFLAGS= -revocations.efi : OBJFLAGS = --strip-unneeded -revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbatp +revocations.efi : OBJFLAGS = --strip-unneeded +revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbatp .sspvp .sspsp .sspvl .sspsl revocations.o : certwrapper.o cp certwrapper.o revocations.o @@ -114,8 +121,8 @@ endif $(OBJFLAGS) \ $(FORMAT) $^ $@ -sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS) -sbat_data.o : /dev/null +revocation_data.o : | $(SBATPATH) $(VENDOR_SBATS) +revocation_data.o : /dev/null $(CC) $(BUILDFLAGS) -x c -c -o $@ $< $(OBJCOPY) --add-section .sbat=$(SBATPATH) \ --set-section-flags .sbat=contents,alloc,load,readonly,data \ 
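Review bot: `define add-skusi` is added but never called anywhere in this series; the SkuSiPolicy sections are attached with four explicit objcopy stanzas in the revocation_data.o recipe (hunk -126,6 +133,18). As written it could not replace them either: `$(patsubst %.bin,%,$(1))` would name the section after the file stem (`.SkuSiPolicy_latest`), not the `.sspsl`-style names the SECTIONS list expects, and it sets no section flags, unlike the inline stanzas. Drop the define, or rework it to take the section name as a second parameter and use it for all four calls.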
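Review bot: This hunk puts the SkuSiPolicy sections `.sspvp .sspsp .sspvl .sspsl` into the SECTIONS list of revocations.efi, which PATCH 1 made part of `all`, while the commit message says the SkuSiPolicy payload is only for testing; every default build, and any copy of it that gets signed, now embeds the checked-in SkuSiPolicy_*.bin blobs, whose origin the diff does not document. If they are not meant to ship yet, keep the names out of the default list until they are, for example `revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbatp $(SKUSI_SECTIONS)` with `SKUSI_SECTIONS ?=` empty by default, and add a comment above the SSP*PATH variables stating where the .bin files come from and how they are regenerated. The `OBJFLAGS` line is removed and re-added with no visible difference; if that is a whitespace change it is better dropped from the commit.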
@@ -126,6 +133,18 @@ sbat_data.o : /dev/null $(OBJCOPY) --add-section .sbatp=$(SBATLEVELPREVIOUSPATH) \ --set-section-flags .sbatp=contents,alloc,load,readonly,data \ $@ + $(OBJCOPY) --add-section .sspvl=$(SSPVLATESTPATH) \ + --set-section-flags .sspvl=contents,alloc,load,readonly,data \ + $@ + $(OBJCOPY) --add-section .sspsl=$(SSPSLATESTPATH) \ + --set-section-flags .sspsl=contents,alloc,load,readonly,data \ + $@ + $(OBJCOPY) --add-section .sspvp=$(SSPVPREVIOUSPATH) \ + --set-section-flags .sspvp=contents,alloc,load,readonly,data \ + $@ + $(OBJCOPY) --add-section .sspsp=$(SSPSPREVIOUSPATH) \ + --set-section-flags .sspsp=contents,alloc,load,readonly,data \ + $@ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@)) %.so : %.o diff --git a/data/SkuSiPolicy_Version_latest.bin b/data/SkuSiPolicy_Version_latest.bin new file mode 100644 index 0000000000000000000000000000000000000000..329e937b3fb9c867983245d50d0c408cc7dc59ea GIT binary patch literal 8 McmZQ#00CwO0015U1^@s6 literal 0 HcmV?d00001 diff --git a/data/SkuSiPolicy_Version_previous.bin b/data/SkuSiPolicy_Version_previous.bin new file mode 100644 index 0000000000000000000000000000000000000000..412ee8764ac5c75d4b1aa5692ebfb98c7130c7da GIT binary patch literal 8 McmZQ#00AZj000~S1poj5 literal 0 HcmV?d00001 diff --git a/data/SkuSiPolicy_latest.bin b/data/SkuSiPolicy_latest.bin new file mode 100644 index 0000000000000000000000000000000000000000..02968773e05f5b49940901d1943438bb8cc60051 GIT binary patch literal 131 zcmZQ%U|?VaVr+mBD98=O7bX@%rJ2BV$g&C)eheBv1mL!-E~*%(mL!-E~*%( Date: Thu, 21 Sep 2023 15:15:43 -0700 Subject: [PATCH 3/7] Update previous (automatic) SbatLevel to 2022111500 --- data/sbat_level_previous.csv | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/data/sbat_level_previous.csv b/data/sbat_level_previous.csv index 51fa1e9..e219305 100644 --- a/data/sbat_level_previous.csv +++ b/data/sbat_level_previous.csv 
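Review bot: The four SkuSiPolicy_*.bin files are read by these objcopy stanzas but never declared as prerequisites of revocation_data.o, so replacing one of them (to ship a newer policy, or after the rename in PATCH 5) does not rebuild the object and a stale payload ends up in revocations.efi; PATCH 6 later adds the two generated CSVs as normal prerequisites but still leaves the .bin files out. Add `revocation_data.o : $(SSPVLATESTPATH) $(SSPSLATESTPATH) $(SSPVPREVIOUSPATH) $(SSPSPREVIOUSPATH)` beside the existing prerequisite lines. A failure part-way through this chain of objcopy calls also leaves a partially populated `$@` that the next run treats as up to date unless `.DELETE_ON_ERROR:` is set somewhere outside the hunk; a comment on the rule noting that each call appends one section in place would make that fragility visible.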
@@ -1,2 +1,4 @@ -sbat,1,2022052400 -grub,2 +sbat,1,2022111500 +shim,2 +grub,3 +grub.debian,4 From 1109790191993a8df4f4458824b4e6b6892cfb36 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Thu, 21 Sep 2023 15:02:53 -0700 Subject: [PATCH 4/7] 2023 shim and GRUB revocations This is also included in shim builtin latest revocation, but it revokes shim binaries impacted by: * CVE-2023-40547 * CVE-2023-40546 * CVE-2023-40548 * CVE-2023-40549 * CVE-2023-40550 * CVE-2023-40551 And also revokes GRUB binaries impacted by: * CVE-2023-4692 * CVE-2023-4693 --- data/sbat_level_latest.csv | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data/sbat_level_latest.csv b/data/sbat_level_latest.csv index cf56b2e..de466ab 100644 --- a/data/sbat_level_latest.csv +++ b/data/sbat_level_latest.csv @@ -1,3 +1,3 @@ -sbat,1,2022111500 -shim,2 -grub,3 +sbat,1,2023100300 +shim,4 +grub,4 From dea75006c33256160fe0668790c95e4b2e150e87 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Fri, 15 Dec 2023 14:36:07 -0800 Subject: [PATCH 5/7] Rename "previous" revocations to "automatic" When the term previous was introduced for revocations to be automatically applied there was a hope that everytime a new revocation was built into shim, the previous revocation could be applied automatically. Further experience has shown the real world to be more complex than that. The automatic payload will realistically contain a set of revocations governed by both the cadence at which a distro's customer base updates as well as the severity of the issue being revoked. This is not a functional change. 
Signed-off-by: Jan Setje-Eilers --- Makefile | 20 +++++++++--------- ....bin => SkuSiPolicy_Version_automatic.bin} | Bin ...previous.bin => SkuSiPolicy_automatic.bin} | Bin ..._previous.csv => sbat_level_automatic.csv} | 0 4 files changed, 10 insertions(+), 10 deletions(-) rename data/{SkuSiPolicy_Version_previous.bin => SkuSiPolicy_Version_automatic.bin} (100%) rename data/{SkuSiPolicy_previous.bin => SkuSiPolicy_automatic.bin} (100%) rename data/{sbat_level_previous.csv => sbat_level_automatic.csv} (100%) diff --git a/Makefile b/Makefile index b669c9f..06145d7 100644 --- a/Makefile +++ b/Makefile @@ -59,11 +59,11 @@ endef SBATPATH = $(TOPDIR)/data/sbat.csv SBATLEVELLATESTPATH = $(TOPDIR)/data/sbat_level_latest.csv -SBATLEVELPREVIOUSPATH = $(TOPDIR)/data/sbat_level_previous.csv +SBATLEVELAUTOMATICPATH = $(TOPDIR)/data/sbat_level_automatic.csv SSPVLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_Version_latest.bin SSPSLATESTPATH = $(TOPDIR)/data/SkuSiPolicy_latest.bin -SSPVPREVIOUSPATH = $(TOPDIR)/data/SkuSiPolicy_Version_previous.bin -SSPSPREVIOUSPATH = $(TOPDIR)/data/SkuSiPolicy_previous.bin +SSPVAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_Version_automatic.bin +SSPSAUTOMATICPATH = $(TOPDIR)/data/SkuSiPolicy_automatic.bin VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x)))) OBJFLAGS = @@ -107,7 +107,7 @@ revocations.so : revocation_data.o revocations.o revocations.so : SOLIBS= revocations.so : SOFLAGS= revocations.efi : OBJFLAGS = --strip-unneeded -revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbatp .sspvp .sspsp .sspvl .sspsl +revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbata .sspva .sspsa .sspvl .sspsl revocations.o : certwrapper.o cp certwrapper.o revocations.o 
@@ -130,8 +130,8 @@ revocation_data.o : /dev/null $(OBJCOPY) --add-section .sbatl=$(SBATLEVELLATESTPATH) \ --set-section-flags .sbatl=contents,alloc,load,readonly,data \ $@ - $(OBJCOPY) --add-section .sbatp=$(SBATLEVELPREVIOUSPATH) \ - --set-section-flags .sbatp=contents,alloc,load,readonly,data \ + $(OBJCOPY) --add-section .sbata=$(SBATLEVELAUTOMATICPATH) \ + --set-section-flags .sbata=contents,alloc,load,readonly,data \ $@ $(OBJCOPY) --add-section .sspvl=$(SSPVLATESTPATH) \ --set-section-flags .sspvl=contents,alloc,load,readonly,data \ @@ -139,11 +139,11 @@ revocation_data.o : /dev/null $(OBJCOPY) --add-section .sspsl=$(SSPSLATESTPATH) \ --set-section-flags .sspsl=contents,alloc,load,readonly,data \ $@ - $(OBJCOPY) --add-section .sspvp=$(SSPVPREVIOUSPATH) \ - --set-section-flags .sspvp=contents,alloc,load,readonly,data \ + $(OBJCOPY) --add-section .sspva=$(SSPVAUTOMATICPATH) \ + --set-section-flags .sspva=contents,alloc,load,readonly,data \ $@ - $(OBJCOPY) --add-section .sspsp=$(SSPSPREVIOUSPATH) \ - --set-section-flags .sspsp=contents,alloc,load,readonly,data \ + $(OBJCOPY) --add-section .sspsa=$(SSPSAUTOMATICPATH) \ + --set-section-flags .sspsa=contents,alloc,load,readonly,data \ $@ $(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@)) diff --git a/data/SkuSiPolicy_Version_previous.bin b/data/SkuSiPolicy_Version_automatic.bin similarity index 100% rename from data/SkuSiPolicy_Version_previous.bin rename to data/SkuSiPolicy_Version_automatic.bin diff --git a/data/SkuSiPolicy_previous.bin b/data/SkuSiPolicy_automatic.bin similarity index 100% rename from data/SkuSiPolicy_previous.bin rename to data/SkuSiPolicy_automatic.bin diff --git a/data/sbat_level_previous.csv b/data/sbat_level_automatic.csv similarity index 100% rename from data/sbat_level_previous.csv rename to data/sbat_level_automatic.csv From a7546a7a245aca7c8d3adfc15b9e460b5e1f46ef Mon Sep 17 00:00:00 2001 
From: Jan Setje-Eilers Date: Mon, 23 Dec 2024 11:36:11 -0800 Subject: [PATCH 6/7] use SbatLevel_Variable.txt in shim repo as source for revocations With shim added as a git module this allows builds to specify revocations from SbatLevel_Variable.txt on the command line they currently default to: SBAT_LATEST_DATE=2023012950 SBAT_AUTOMATIC_DATE=2023012900 Signed-off-by: Jan Setje-Eilers --- .gitignore | 4 ++++ .gitmodules | 3 +++ Makefile | 16 +++++++++++++++- data/sbat_level_automatic.csv | 4 ---- data/sbat_level_latest.csv | 3 --- shim | 1 + 6 files changed, 23 insertions(+), 8 deletions(-) delete mode 100644 data/sbat_level_automatic.csv delete mode 100644 data/sbat_level_latest.csv create mode 160000 shim diff --git a/.gitignore b/.gitignore index 5a703bd..2a4ed69 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,7 @@ # editor backup/tmp files *~ *.sw? + +# generated revocation payload +data/sbat_level_automatic.csv +data/sbat_level_latest.csv diff --git a/.gitmodules b/.gitmodules index 4e5d47a..e228fa3 100644 --- a/.gitmodules +++ b/.gitmodules @@ -2,3 +2,6 @@ path = gnu-efi url = https://github.com/rhboot/gnu-efi branch = shim-15.6 +[submodule "shim"] + path = shim + url = https://github.com/rhboot/shim diff --git a/Makefile b/Makefile index 06145d7..02a36a7 100644 --- a/Makefile +++ b/Makefile @@ -112,6 +112,19 @@ revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbata .sspva .sspsa .sspvl revocations.o : certwrapper.o cp certwrapper.o revocations.o +SBAT_LATEST_DATE ?= 2023012950 +SBAT_AUTOMATIC_DATE ?= 2023012900 + +$(SBATLEVELLATESTPATH) : + awk '/^sbat,1,$(SBAT_LATEST_DATE)/ { print $$0 }' \ + FS=\"\n\" RS=\\n\\n shim/SbatLevel_Variable.txt \ + > $@ + +$(SBATLEVELAUTOMATICPATH) : + awk '/^sbat,1,$(SBAT_AUTOMATIC_DATE)/ { print $$0 }' \ + FS=\"\n\" RS=\\n\\n shim/SbatLevel_Variable.txt \ + > $@ + %.efi : %.so ifneq ($(OBJCOPY_GTE224),1) $(error objcopy >= 2.24 is required) 
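Review bot: The new `[submodule "shim"]` entry has no `branch =` line, unlike the gnu-efi entry directly above it, which pins `shim-15.6`. The gitlink added in this commit (`Subproject commit 314aecf…`) fixes the revision for ordinary checkouts, but `git submodule update --remote` would follow the remote's default branch, and nothing on the page records which shim release the SbatLevel_Variable.txt used for the revocation payload is taken from. Adding `branch = <intended shim release line>` and a comment in the Makefile next to `SBAT_LATEST_DATE ?=` naming that source would make the revocation input auditable.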
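Review bot: Both new `$(SBATLEVEL…PATH)` rules redirect awk straight into `$@`, so a date that matches no record in shim/SbatLevel_Variable.txt (a typo on a `make SBAT_LATEST_DATE=…` command line, or a date not present in the checked-out submodule) produces an empty CSV with exit status 0, and revocation_data.o then embeds an empty `.sbatl`/`.sbata` section without any error; if the submodule is not initialised, the shell creates an empty `$@` before awk fails, and unless `.DELETE_ON_ERROR:` is set outside this hunk that file counts as up to date on the next run. The rules also have no prerequisite, so updating the submodule to a newer SbatLevel_Variable.txt never regenerates the CSVs. Write to a temporary, refuse an empty result, and depend on the source file, as below; the `FS=\"\n\"` argument has no effect on `print $$0` and can be kept or dropped. The deleted data/sbat_level_latest.csv carried 2023100300 while the new default is 2023012950; if both name the same shim,4/grub,4 level under shim's numbering, a comment next to `SBAT_LATEST_DATE ?=` saying so would stop the next reader from taking it for a downgrade.
```make
$(SBATLEVELLATESTPATH) : shim/SbatLevel_Variable.txt
	awk '/^sbat,1,$(SBAT_LATEST_DATE)/ { print $$0 }' \
	  FS=\"\n\" RS=\\n\\n $< > $@.tmp
	test -s $@.tmp || { rm -f $@.tmp; echo "$@: no sbat,1,$(SBAT_LATEST_DATE) record in $<" >&2; exit 1; }
	mv -f $@.tmp $@
# … unchanged: $(SBATLEVELAUTOMATICPATH) rule, same shape with SBAT_AUTOMATIC_DATE …
```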
@@ -121,6 +134,7 @@ endif $(OBJFLAGS) \ $(FORMAT) $^ $@ +revocation_data.o : $(SBATLEVELLATESTPATH) $(SBATLEVELAUTOMATICPATH) revocation_data.o : | $(SBATPATH) $(VENDOR_SBATS) revocation_data.o : /dev/null $(CC) $(BUILDFLAGS) -x c -c -o $@ $< @@ -156,7 +170,7 @@ revocation_data.o : /dev/null $(CC) $(BUILDFLAGS) -c -o $@ $^ clean : - @rm -vf *.o *.so *.efi + @rm -vf *.o *.so *.efi $(SBATLEVELLATESTPATH) $(SBATLEVELAUTOMATICPATH) update : git submodule update --init --recursive diff --git a/data/sbat_level_automatic.csv b/data/sbat_level_automatic.csv deleted file mode 100644 index e219305..0000000 --- a/data/sbat_level_automatic.csv +++ /dev/null @@ -1,4 +0,0 @@ -sbat,1,2022111500 -shim,2 -grub,3 -grub.debian,4 diff --git a/data/sbat_level_latest.csv b/data/sbat_level_latest.csv deleted file mode 100644 index de466ab..0000000 --- a/data/sbat_level_latest.csv +++ /dev/null @@ -1,3 +0,0 @@ -sbat,1,2023100300 -shim,4 -grub,4 diff --git a/shim b/shim new file mode 160000 index 0000000..314aecf --- /dev/null +++ b/shim @@ -0,0 +1 @@ +Subproject commit 314aecf89318d31697a3fabf14cf49a0dc359331 From 3e016afab01a7b2b82ee0d9a27ad6860c7466569 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Wed, 5 Feb 2025 11:14:05 -0800 Subject: [PATCH 7/7] build individual revocations_sbat.efi revocations_sku.efi files Automatically build revocations_sbat.efi and revocations_sku.efi binaries that contain only sbat and SkuSi revocation payloads. Signed-off-by: Jan Setje-Eilers --- Makefile | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 02a36a7..0306049 100644 --- a/Makefile +++ b/Makefile @@ -93,7 +93,7 @@ ifeq ($(ARCH),arm) BUILDFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) endif -all : certwrapper.efi revocations.efi +all : certwrapper.efi revocations.efi revocations_sbat.efi revocations_sku.efi certwrapper.so : revocation_data.o certwrapper.o certwrapper.so : SOLIBS= 
@@ -104,13 +104,21 @@ certwrapper.efi : SECTIONS=.text .reloc .db .sbat certwrapper.efi : VENDOR_DB_FILE?=db.esl revocations.so : revocation_data.o revocations.o -revocations.so : SOLIBS= -revocations.so : SOFLAGS= -revocations.efi : OBJFLAGS = --strip-unneeded +revocations_sbat.so : revocation_data.o revocations_sbat.o +revocations_sku.so : revocation_data.o revocations_sku.o +revocations_sbat.so revocations_sku.so revocations.so : SOLIBS= +revocations_sbat.so revocations_sku.so revocations.so : SOFLAGS= +revocations_sbat.efi revocations_sku.efi revocations.efi : OBJFLAGS = --strip-unneeded revocations.efi : SECTIONS=.text .reloc .sbat .sbatl .sbata .sspva .sspsa .sspvl .sspsl +revocations_sbat.efi : SECTIONS=.text .reloc .sbat .sbatl .sbata +revocations_sku.efi : SECTIONS=.text .reloc .sbat .sspva .sspsa .sspvl .sspsl revocations.o : certwrapper.o cp certwrapper.o revocations.o +revocations_sbat.o : certwrapper.o + cp certwrapper.o revocations_sbat.o +revocations_sku.o : certwrapper.o + cp certwrapper.o revocations_sku.o SBAT_LATEST_DATE ?= 2023012950 SBAT_AUTOMATIC_DATE ?= 2023012900
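Review bot: The three copy rules for revocations.o, revocations_sbat.o and revocations_sku.o differ only in the target name, and each recipe repeats that name by hand; one multi-target rule `revocations.o revocations_sbat.o revocations_sku.o : certwrapper.o` with the recipe `cp $< $@` builds all three and cannot drift when a fourth variant is added. The two new `SECTIONS=` lines would also benefit from a short comment explaining why `.sbat` stays in every variant — presumably because it is the binary's own SBAT entry, distinct from the `.sbatl`/`.sbata` payload it delivers, though the page does not say so — since a reader of the sku-only list may otherwise take `.sbat` for a leftover.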