As outlined by https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021 we have a new wave of GRUB security vulnerabilities around SecureBoot.
There is no new upstream release so patching this appears to be some kind of sport. Debian has patched it in this commit: https://salsa.debian.org/grub-team/grub/-/commit/37c2a594625efba8b7f10d18a444393982d2e31f I see also there's a new concept of SBAT section to ease administrative efforts around certificate revocation when signed binaries such as some GRUB2 things become vulnerable (and we don't want them to verify successfully anymore). This looks like a sizeable upgrade to a sensitive part of GNU Guix, so we have to test carefully.
signature.asc
Description: This is a digitally signed message part
