Comment 0 for bug 2015664

After installing the most recent point releases of Ubuntu (Ubuntu 20.04.6, 22.04.2, or 23.04 beta), if the user has SecureBoot enabled (which is definitely recommended on UEFI systems) they will subsequently be unable to boot older OS install media which has not bumped its SBAT level since December 2022.

While this is the correct default security policy as explained at https://discourse.ubuntu.com/t/sbat-revocations-boot-process/34996, users also need to be able to have control over their SBAT level so that they have the choice to downgrade the security level and boot other install media (up to and including older ESM-supported Ubuntu releases for which no updated media will be issued).

In order to clear the SBAT level recorded in firmware, we need an updated version of mokutil corresponding to the shim which has been backported in these releases.