redhat: add downstream SBAT for UKI addons

JIRA: https://issues.redhat.com/browse/RHEL-92881

Upstream Status: RHEL-Only

Even though UKI addons are not binaries, it is always better to have a
SBAT version that tracks the downstream build, just in case we figure
there are bugs in the kernel command line.

Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>

Author: esposem

redhat/kernel.spec.template

@@ -2699,6 +2699,12 @@ BuildKernel() {
 	EOF
 	)
 
+        ADDONS_SBAT=$(cat <<- EOF
+	sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+	kernel-uki-virt-addons.$SBATsuffix,1,Red Hat,kernel-uki-virt-addons,$KernelVer,mailto:secalert@redhat.com
+	EOF
+	)
+
 	KernelUnifiedImageDir="$RPM_BUILD_ROOT/lib/modules/$KernelVer"
     	KernelUnifiedImage="$KernelUnifiedImageDir/$InstallName-virt.efi"
 
@@ -2720,7 +2726,7 @@ BuildKernel() {
 
   KernelAddonsDirOut="$KernelUnifiedImage.extra.d"
   mkdir -p $KernelAddonsDirOut
-  python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu}
+  python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} "$ADDONS_SBAT"
 
 %if %{signkernel}
 	%{log_msg "Sign the EFI UKI kernel"}