Details at URL. Note that: "Full mitigation against all CVEs will require updated shim with latest SBAT (Secure Boot Advanced Targeting) [2] data provided by distros and vendors. This time UEFI revocation list (dbx) will not be used and revocation of broken artifacts will be done with SBAT only. For information on how to apply the latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly permit known older boot artifacts to boot." So I suppose we need an update for sys-boot/shim, too?
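The generation comparison that SBAT revocation rests on, as an added shell example with constructed data (not code from this bug, from shim or from mokutil); the CSV records and the revocation list below are made up to mirror the pre- and post-fix grub builds:

```shell
#!/bin/sh
# Added example: the SBAT generation check behind shim's SBAT-only revocation.
# All SBAT records and the revocation list here are constructed, not extracted.

# A binary's SBAT lives in its .sbat PE section and can be dumped with, e.g.:
#   objcopy -O binary --only-section=.sbat -j .sbat grubx64.efi /dev/stdout
# Constructed: an unpatched GRUB 2.06 carrying generation 1 for "grub".
OLD_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.gentoo,1,Gentoo,grub,2.06-r1,https://bugs.gentoo.org/'

# Constructed: the rebuilt GRUB with the "grub" generation bumped to 2.
NEW_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.gentoo,1,Gentoo,grub,2.06-r2,https://bugs.gentoo.org/'

# Constructed revocation list ("component,generation" records, SbatLevel style).
# Rule: a binary is refused when it lists a component whose generation is LOWER
# than the revoked generation; equal or higher passes; absent components are ignored.
SBAT_LEVEL='sbat,1,2022052400
grub,2'

# sbat_check BINARY_SBAT_CSV REVOCATION_LIST
# Prints "allowed", or one "revoked: ..." line per failing component;
# returns 0 when the binary may boot and 1 when it is revoked.
sbat_check() {
  printf '%s\n' "$2" | awk -F, -v bin="$1" '
    BEGIN {                                 # index the binary: component -> generation
      n = split(bin, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, ",")
        if (f[1] != "") gen[f[1]] = f[2] + 0
      }
    }
    $1 == "" { next }                       # skip blank revocation lines
    ($1 in gen) && gen[$1] < $2 + 0 {       # binary generation below the revoked one
      printf "revoked: %s generation %d < required %d\n", $1, gen[$1], $2 + 0
      bad = 1
    }
    END { if (!bad) print "allowed"; exit bad + 0 }'
}

# Stand-alone demo: the unpatched build is refused, the rebuilt one is allowed.
for candidate in OLD_SBAT NEW_SBAT; do
  eval "csv=\$$candidate"
  printf '%s: ' "$candidate"
  sbat_check "$csv" "$SBAT_LEVEL" || :
done
```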
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bbb9e2ce52ffd701c05daa3752f1fe11ec72f27

commit 7bbb9e2ce52ffd701c05daa3752f1fe11ec72f27
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-06-08 01:02:45 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-06-08 01:02:45 +0000

    sys-boot/grub: backport many patches

    Bug: https://bugs.gentoo.org/850535
    Closes: https://github.com/gentoo/gentoo/pull/25629
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-boot/grub/Manifest            |   1 +
 sys-boot/grub/grub-2.06-r2.ebuild | 319 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 320 insertions(+)
Thank you! Please stabilize when ready.
(In reply to John Helmert III from comment #0)
> So I suppose we need an update for sys-boot/shim, too?

I doubt there are many (any?) Gentoo users that attempt to use "secure boot" via sys-boot/shim.