From 377ef4a83a6fccaa26985d86cb01ff1f322980d8 Mon Sep 17 00:00:00 2001
From: Manuel Thalmann
Date: Sat, 19 Nov 2022 00:59:19 +0100
Subject: [PATCH] Add an `.sbat` section to `systemd-boot`

---
 scripts/PopOS/secure-boot/install.sh | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/scripts/PopOS/secure-boot/install.sh b/scripts/PopOS/secure-boot/install.sh
index 10c820ae..8839741e 100755
--- a/scripts/PopOS/secure-boot/install.sh
+++ b/scripts/PopOS/secure-boot/install.sh
@@ -31,14 +31,24 @@ else
 systemdDirName=/EFI/systemd
 systemdFullName=$esp$systemdDirName
 systemdFile=$systemdFullName/systemd-bootx64.efi
+ bootFile=$defaultBootDir/grubx64.efi

 # Set up files
- cp $systemdFile $defaultBootDir/grubx64.efi
+ cp $systemdFile $bootFile
 cp "$src/shimx64.efi" $defaultBootDir/BOOTx64.efi
 cp "$src/mmx64.efi" $defaultBootDir
 cp /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi /boot/efi/EFI/systemd/
 wget https://github.com/tianocore/edk2-archive/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi -O "$systemdFullName/Shell.efi"

+ {
+ echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
+ echo "systemd-boot,1,systemd,systemd-boot,1,https://systemd.io"
+ } > sbat.csv
+
+ # No idea where the `10000000` comes from...
+ # Taken from https://github.com/rhboot/shim/issues/376#issuecomment-964137621
+ objcopy --set-section-alignment '.sbat=512' --add-section .sbat=sbat.csv --change-section-address .sbat+10000000 "$bootFile"
+
 # Add boot entries
 efibootmgr --unicode --disk /dev/nvme0n1 --part 0 --create --label "Shim" --loader /EFI/BOOT/BOOTx64.efi