The Secure Boot Advanced Targeting (SBAT) is a mechanism to allow the revocation of components in the boot path by using generation numbers embedded into the EFI binaries. The SBAT metadata is located in an .sbat data section that has set of UTF-8 strings as comma-separated values (CSV). See https://github.com/rhboot/shim/blob/main/SBAT.md for more details.
To add a data section containing the SBAT information into the binary, the
--sbat option of
grub-mkimage command should be used. The content
of a CSV file, encoded with UTF-8, is copied as is to the .sbat data section into
the generated EFI binary. The CSV file can be stored anywhere on the file system.
grub-mkimage -O x86_64-efi -o grubx64.efi -p '(tftp)/grub' --sbat sbat.csv efinet tftp