grub: Secure Boot Advanced Targeting
18.4 Embedded information for generation number based revocation
================================================================
The Secure Boot Advanced Targeting (SBAT) is a mechanism to allow the
revocation of components in the boot path by using generation numbers
embedded into the EFI binaries. The SBAT metadata is located in a
.sbat data section that holds a set of UTF-8 strings as comma-separated
values (CSV). See <https://github.com/rhboot/shim/blob/main/SBAT.md> for
more details.
To add a data section containing the SBAT information into the
binary, the '--sbat' option of the 'grub-mkimage' command should be used.
The content of a CSV file, encoded in UTF-8, is copied as is into the
.sbat data section of the generated EFI binary. The CSV file can be
stored anywhere on the file system.

     grub-mkimage -O x86_64-efi -o grubx64.efi -p '(tftp)/grub' --sbat sbat.csv efinet tftp
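As an added example (not GRUB's or shim's own code), the following parser decodes the UTF-8 CSV exactly as it sits in a .sbat section and applies generation-number revocation against a policy; the six field names follow the SBAT.md specification linked above, while the sample records and the revocation policy are constructed for illustration.

```python
# Added example: parse .sbat section contents and apply generation-number
# revocation. Field names are from SBAT.md; sample data below is constructed.
import csv
import io

FIELDS = ("component_name", "component_generation", "vendor_name",
          "vendor_package_name", "vendor_version", "vendor_url")


def parse_sbat(section_bytes):
    """Decode raw .sbat section bytes (UTF-8 CSV) into a list of records."""
    text = section_bytes.decode("utf-8").rstrip("\x00")  # tolerate padding
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # blank trailing line
        if len(row) != len(FIELDS):
            raise ValueError("malformed SBAT record: %r" % (row,))
        rec = dict(zip(FIELDS, row))
        rec["component_generation"] = int(rec["component_generation"])
        records.append(rec)
    # The first record must be the 'sbat' entry giving the format version.
    if not records or records[0]["component_name"] != "sbat":
        raise ValueError("first record must be the 'sbat' version entry")
    return records


def is_revoked(records, policy):
    """policy maps component_name -> minimum accepted generation.

    The binary is revoked when any component it declares carries a
    generation below the policy minimum; components the policy does not
    mention are not affected."""
    for rec in records:
        minimum = policy.get(rec["component_name"])
        if minimum is not None and rec["component_generation"] < minimum:
            return True
    return False


# Constructed .sbat contents, as grub-mkimage --sbat would copy them verbatim.
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.example,1,Example Distro,grub2,2.06-1,https://example.invalid/\n"
).encode("utf-8")

# Constructed revocation policies: before and after bumping the grub minimum.
POLICY_OLD = {"sbat": 1, "grub": 2}
POLICY_NEW = {"sbat": 1, "grub": 4}
```

With POLICY_NEW the sample image is rejected because its grub generation (3) is below the required minimum (4), which is the mechanism a generation bump in the revocation list relies on.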