Microsoft security update that blocks Black Lotus (and, incidentally, also blocks a *lot* of existing Windows boot media and recovery images - you do want to be careful in applying this, but I'm still kind of amazed this ended up being politically viable!) https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

@mjg59 Same. I'd have thought I'd have been told in advance about this, too (I wasn't). And there's got to be some boot applications they missed. I'll check later (not at home right now).
@Rairii The dbx revocation is purely of old bootloaders; for any that support policy management for boot apps, they've just added a policy that prohibits loading *all* old boot apps.

@mjg59 Yeah, I need to look at the CI policy later.

And double-check the hashes; I'm SURE there are some missing.

Thing is, there are a few boot environment quirks that may or may not have been considered too; I'll need to look further.

@Rairii @mjg59 I think this is intended to be the advance notice; it says that they're not planning to have Windows Update automatically apply the revocations until Q1 2024 (but are "looking for opportunities to accelerate this schedule").
@leo @mjg59 I missed that. The fact they're going to automatically apply a dbx update that will break some Windows install media EVEN WITH SECURE BOOT DISABLED (thanks to a bootmgr quirk) is hilarious.
@Rairii @mjg59 Wait, is the revocation list enforced even with Secure Boot disabled? Huh.
@leo @mjg59 Since Win10, yes (for dbx), and bootmgr sigchecks itself.
@mjg59 I'm still not sure when to push the LVFS updates. We do check all the stuff in the ESP to make sure that nothing's going to get bricked, but that doesn't count recovery images...
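An added example of the kind of ESP check described in the post above; it is not from this thread and not fwupd/LVFS code. It parses a dbx payload in EFI_SIGNATURE_LIST form, computes the SHA-256 Authenticode digest of each PE boot application (which is what dbx hash entries store, not a plain file hash), and reports which images on the ESP a pending dbx update would refuse to load. The PE images, the dbx payload and the ESP layout are constructed inline as stand-ins, and names such as `build_pe`, `build_dbx` and `would_be_blocked` are this example's own. It only looks at files handed to it, so recovery images stored outside the ESP, the gap the post points at, are not covered.

```python
import hashlib
import struct
import uuid

# Signature type of SHA-256 hash entries in db/dbx (EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 Authenticode digest of a PE image, the value dbx stores for a revoked
    binary: skip CheckSum, the Certificate Table directory entry and the attached
    certificate table; hash sections in file order, then any trailing data."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 data directories
    checksum_off = opt + 64
    certdir_off = dd_base + 4 * 8                    # IMAGE_DIRECTORY_ENTRY_SECURITY
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir_off)  # file offset, not an RVA

    h = hashlib.sha256()
    h.update(pe[:checksum_off])                      # headers up to CheckSum
    h.update(pe[checksum_off + 4:certdir_off])       # CheckSum skipped
    h.update(pe[certdir_off + 8:size_of_headers])    # cert table entry skipped
    hashed = size_of_headers

    sections = []
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):       # ordered by PointerToRawData
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    if len(pe) > hashed:                             # trailing data, minus the cert table
        tail = pe[hashed:]
        if cert_size and cert_off >= hashed:
            rel = cert_off - hashed
            tail = tail[:rel] + tail[rel + cert_size:]
        h.update(tail)
    return h.hexdigest()


def parse_dbx_sha256(payload: bytes) -> set:
    """Collect SHA-256 entries from concatenated EFI_SIGNATURE_LIST structures
    (the layout of the dbx variable and of the uefi.org dbx update files)."""
    hashes, off = set(), 0
    while off + 28 <= len(payload):
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 or off + list_size > len(payload):
            raise ValueError("truncated EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 48:
            entry = off + 28 + hdr_size
            while entry + sig_size <= off + list_size:
                hashes.add(payload[entry + 16:entry + 48].hex())  # skip SignatureOwner GUID
                entry += sig_size
        off += list_size
    return hashes


def would_be_blocked(esp_images: dict, dbx: bytes) -> list:
    """ESP paths whose Authenticode hash appears in the dbx payload."""
    revoked = parse_dbx_sha256(dbx)
    return sorted(p for p, img in esp_images.items() if authenticode_sha256(img) in revoked)


# Constructed inputs (stand-ins for real boot managers and the real dbx update).
def build_pe(payload: bytes, checksum: int = 0, cert_table: bytes = b"") -> bytes:
    """Minimal PE32+ EFI application with one section and an optional fake cert table."""
    size_of_headers = 512
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                              # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    cert_off, cert_size = (size_of_headers + len(payload), len(cert_table)) if cert_table else (0, 0)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 0, 0, len(payload), 0, 0, 0x1000, 0x1000, 0x10000,
                      0x1000, 0x200, 0, 0, 0, 0, 0, 0, 0, 0x2000, size_of_headers,
                      checksum, 10, 0, 0, 0, 0, 0, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, cert_off, cert_size)                     # security directory
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000, len(payload),
                                            size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + bytes(dirs) + section
    return headers + bytes(size_of_headers - len(headers)) + payload + cert_table


def build_dbx(hashes) -> bytes:
    """One EFI_SIGNATURE_LIST of EFI_CERT_SHA256_GUID entries with a zero owner GUID."""
    body = b"".join(bytes(16) + bytes.fromhex(h) for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body


OLD_BOOTMGR = build_pe(b"\x90" * 200 + b"old boot manager", checksum=0x1234, cert_table=bytes(64))
NEW_BOOTMGR = build_pe(b"\x90" * 200 + b"new boot manager")
DBX_UPDATE = build_dbx([authenticode_sha256(OLD_BOOTMGR)])   # revokes only the old image
ESP = {"EFI/Microsoft/Boot/bootmgfw.efi": OLD_BOOTMGR, "EFI/BOOT/BOOTX64.EFI": NEW_BOOTMGR}
```

Calling `would_be_blocked(ESP, DBX_UPDATE)` returns only `EFI/Microsoft/Boot/bootmgfw.efi`. The Authenticode digest is the important detail: hashing the file bytes with plain SHA-256 never matches a dbx entry, because a signed image's hash excludes its own signature blob and checksum, so a checker that compares `sha256sum` output against the dbx would report nothing and miss the bricking case. In a real pre-update check the dictionary would be filled from the mounted ESP and the payload from the dbx update about to be applied.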
@hughsie Honestly, I think lining up with the Microsoft schedule of 2024 makes sense, but doing something to enable manual updates for people who have this sort of thing as part of their threat model.

@mjg59 @hughsie

Right, but what happens if there are new revocations appended before 2024?

The list would need to be manually managed and not the one as-is from uefi.org?

@Foxboron @mjg59 I honestly can't see MS customers waiting that long.