SBAT Level update for February 2025 GRUB CVEs

[jsetje]

Moves the minimum GRUB SBAT Level to 5 in order to require fixes for the following GRUB CVEs:

CVE-2024-45774
CVE-2024-45775
CVE-2024-45776
CVE-2024-45777
CVE-2024-45778
CVE-2024-45779
CVE-2024-45780
CVE-2024-45781
CVE-2024-45782
CVE-2024-45783
CVE-2025-0622
CVE-2025-0624
CVE-2025-0677
CVE-2025-0678
CVE-2025-0684
CVE-2025-0685
CVE-2025-0686
CVE-2025-0689
CVE-2025-0690
CVE-2025-1118
CVE-2025-1125

[vathpela]

When I build this, in sbat_var.o I get:

sbat,1,2023012900
shim,2
grub,3
grub.debian,4

and

sbat,1,2025021800
shim,4
grub,5

i.e. in the intermediate the compiler sees it's:

  .Lsbat_var_automatic:
   .ascii "sbat," "1," "2023012900" "\n" "shim,2\ngrub,3\ngrub.debian,4\n"
   .byte 0
   .balign 1, 0
  .Lsbat_var_latest:
   .ascii "sbat," "1," "2025021800" "\n" "shim,4\ngrub,5\n"
   .byte 0
   .section .note.GNU-stack,"a"

Shouldn't we have grub,4 in sbat_var_automatic?

[jsetje]

I bumped the default SBAT_AUTOMATIC_DATE to 2024040900 and that looks right, it also includes the grub.peimage,2 revocation.

I should probably move the default SBAT_AUTOMATIC_DATE into SbatLevel_Variable.txt, but that will be a separate PR for the next release.

[vathpela]

I should probably move the default SBAT_AUTOMATIC_DATE into SbatLevel_Variable.txt, but that will be a separate PR for the next release.

So... after this release, we probably ought to look at making it so the automatic date is also something derived from the same place, rather than two different files.

[vathpela]

Looks good to me; for next time we probably want to think about how to unify these two bits of policy so they don't slip through halfway updated.