grub: Secure Boot Advanced Targeting

 
 18.4 Embedded information for generation number based revocation
 ================================================================
 
 Secure Boot Advanced Targeting (SBAT) is a mechanism that allows the
 revocation of components in the boot path by using generation numbers
 embedded into the EFI binaries.  The SBAT metadata is located in a
 .sbat data section that holds a set of UTF-8 strings as comma-separated
 values (CSV).  See <https://github.com/rhboot/shim/blob/main/SBAT.md> for
 more details.
 
    To add a data section containing the SBAT information to the
 binary, use the '--sbat' option of the 'grub-mkimage' command.  The
 content of a CSV file, encoded as UTF-8, is copied as is to the
 .sbat data section of the generated EFI binary.  The CSV file can be
 stored anywhere on the file system.
 
      grub-mkimage -O x86_64-efi -o grubx64.efi -p '(tftp)/grub' --sbat sbat.csv efinet tftp
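
 Because the CSV file is copied as is, it is worth checking before it is
 passed to '--sbat'.  The following is an added example, not part of the
 GRUB manual or of GRUB itself; the six-field layout, the leading 'sbat'
 entry and positive-integer generation numbers are assumed from the SBAT.md
 document linked above, and 'check_sbat' is a hypothetical helper name.

```python
# Added example: pre-flight check for the CSV passed to `grub-mkimage --sbat`.
# Assumed from shim's SBAT.md (not stated on this page): six fields per entry,
# a leading self-describing "sbat" entry, positive-integer generation numbers.
FIELDS = ("component_name", "component_generation", "vendor_name",
          "vendor_package_name", "vendor_version", "vendor_url")


def check_sbat(data):
    """Return a list of problems found in the raw bytes of an sbat.csv file."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return ["not valid UTF-8: %s" % exc]
    problems = []
    if text.startswith("\ufeff"):
        problems.append("starts with a byte order mark, which would be embedded too")
        text = text[1:]
    # Plain comma split: no quoting or escaping is interpreted here.
    rows = [line.split(",") for line in text.splitlines() if line.strip()]
    if not rows:
        return problems + ["no entries"]
    if rows[0][0] != "sbat":
        problems.append("first entry is not the 'sbat' format entry")
    for n, row in enumerate(rows, 1):
        if len(row) != len(FIELDS):
            problems.append("entry %d: expected %d fields, got %d"
                            % (n, len(FIELDS), len(row)))
            continue
        gen = row[1]
        if not (gen.isascii() and gen.isdigit() and int(gen) >= 1):
            problems.append("entry %d: generation %r is not a positive integer"
                            % (n, gen))
    return problems


# Constructed sample input, not taken from any real distribution.
SAMPLE = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    b"grub.example,1,Example Vendor,grub2,2.06-1,https://example.invalid/grub2\n"
)

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    issues = check_sbat(raw)
    print("\n".join(issues) if issues else "sbat.csv looks well-formed")
    sys.exit(1 if issues else 0)
```

 Run with the path to sbat.csv as the only argument; a non-zero exit
 status means the file should be fixed before building the image.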