by blibble 1505 days ago
> Secure boot with just the MS keys is quite silly and ever since that one version of Grub could be exploited it's basically useless

this isn't true: there's a hash blacklist which is (supposed) to be regularly updated by your OS update mechanism

windows update does it anyway


Is there a way to list this blacklist? I have several computers which haven't received updates in years and I strongly doubt that the internal blacklist has been updated.
mokutil --dbx

official list is here: https://uefi.org/revocationlistfile

(I have my own root configured for all of my machines so only stuff I've signed can boot)
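
An added example, not written by anyone in the thread: reading the revoked SHA-256 hashes straight from the dbx variable that Linux exposes under efivarfs, by parsing the UEFI EFI_SIGNATURE_LIST layout. The efivarfs path and the constructed sample list (used when no dbx variable is readable) are assumptions of the example.

```python
import hashlib
import struct
import uuid

# Signature type GUID from the UEFI specification (SHA-256 image hashes).
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# dbx variable as exposed by Linux efivarfs.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(blob):
    """Return (type_guid, owner_guid, data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        if (end - body) % sig_size:
            raise ValueError("list body is not a whole number of entries")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        off = end
    return entries

def revoked_sha256(blob):
    """Hex digests of every SHA-256 hash revoked in the given dbx contents."""
    return sorted(d.hex() for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256)

def read_dbx(path=DBX_EFIVAR):
    with open(path, "rb") as f:
        return f.read()[4:]  # efivarfs prepends 4 bytes of variable attributes

def build_sample():
    """Constructed dbx contents: one SHA-256 list holding two made-up hashes."""
    owner = uuid.UUID("00000000-0000-0000-0000-000000000001").bytes_le
    body = b"".join(owner + hashlib.sha256(n).digest() for n in (b"constructed-a", b"constructed-b"))
    return struct.pack("<16sIII", EFI_CERT_SHA256.bytes_le, 28 + len(body), 0, 48) + body

if __name__ == "__main__":
    try:
        blob, source = read_dbx(), DBX_EFIVAR
    except OSError:  # not a UEFI system, or variable not readable
        blob, source = build_sample(), "constructed sample"
    hashes = revoked_sha256(blob)
    print("%d revoked SHA-256 hashes in %s" % (len(hashes), source))
    for h in hashes:
        print(h)
```

Comparing the count and hashes across machines shows which ones have a stale dbx.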