Comment 9 for bug 2015664

Nick Rosbrook (enr0n) wrote:

I have verified this using mokutil 0.6.0-2~20.04.1 from focal-proposed:

Edit: I omitted this for brevity initially, but to avoid any confusion for SRU reviewers:

Boot 22.04.2 ISO and kill the VM after grub is reached:

nr@six:/t/test-lp2015664$ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+ OVMF_VARS_ORIG=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
++ basename /usr/share/OVMF/OVMF_VARS_4M.ms.fd
+ OVMF_VARS=OVMF_VARS_4M.ms.fd
+ '[' '!' -e test.img ']'
+ qemu-img create -f qcow2 test.img 20G
Formatting 'test.img', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=21474836480 lazy_refcounts=off refcount_bits=16
+ '[' '!' -e OVMF_VARS_4M.ms.fd ']'
+ cp /usr/share/OVMF/OVMF_VARS_4M.ms.fd OVMF_VARS_4M.ms.fd
+ qemu-system-x86_64 -enable-kvm -cpu host -smp cores=4,threads=1 -m 4096 -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 -name test -drive file=test.img,format=qcow2 -net nic,model=virtio -net user,hostfwd=tcp::5555-:22 -vga virtio -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS_4M.ms.fd -cdrom ubuntu-22.04.2-desktop-amd64.iso
^Cqemu: terminating on signal 2

Now boot the 20.04.5 ISO and disable secureboot before grub is loaded. After that, continue booting into the live Ubuntu environment:

nr@six:/t/test-lp2015664$ ./secureboot-vm -cdrom ubuntu-20.04.5-desktop-amd64.iso -boot menu=on
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+ OVMF_VARS_ORIG=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
++ basename /usr/share/OVMF/OVMF_VARS_4M.ms.fd
+ OVMF_VARS=OVMF_VARS_4M.ms.fd
+ '[' '!' -e test.img ']'
+ '[' '!' -e OVMF_VARS_4M.ms.fd ']'
+ qemu-system-x86_64 -enable-kvm -cpu host -smp cores=4,threads=1 -m 4096 -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 -name test -drive file=test.img,format=qcow2 -net nic,model=virtio -net user,hostfwd=tcp::5555-:22 -vga virtio -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS_4M.ms.fd -cdrom ubuntu-20.04.5-desktop-amd64.iso -boot menu=on

From inside the VM:

ubuntu@ubuntu:~$ apt-cache policy mokutil
mokutil:
  Installed: 0.6.0-2~20.04.1
  Candidate: 0.6.0-2~20.04.1
  Version table:
 *** 0.6.0-2~20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     0.3.0+1538710437.fb6250f-1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
ubuntu@ubuntu:~$ sudo mokutil --set-verbosity true
ubuntu@ubuntu:~$ sudo mokutil --set-sbat-policy delete

Booting to 22.04.2 grub again:

nr@six:/t/test-lp2015664$ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso -serial file:focal-boot.log
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+ OVMF_VARS_ORIG=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
++ basename /usr/share/OVMF/OVMF_VARS_4M.ms.fd
+ OVMF_VARS=OVMF_VARS_4M.ms.fd
+ '[' '!' -e test.img ']'
+ '[' '!' -e OVMF_VARS_4M.ms.fd ']'
+ qemu-system-x86_64 -enable-kvm -cpu host -smp cores=4,threads=1 -m 4096 -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 -name test -drive file=test.img,format=qcow2 -net nic,model=virtio -net user,hostfwd=tcp::5555-:22 -vga virtio -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS_4M.ms.fd -cdrom ubuntu-22.04.2-desktop-amd64.iso -serial file:focal-boot.log
^Cqemu: terminating on signal 2
nr@six:/t/test-lp2015664$ grep -I sbat.c focal-boot.log
sbat.c:477:set_sbat_uefi_variable() SbatLevel variable is 25 bytes, attributes are 0x00000003
sbat.c:479:set_sbat_uefi_variable() Deleting SbatLevel variable.
sbat.c:512:set_sbat_uefi_variable() SbatLevel variable initialization succeeded
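
An added example, not part of the original comment and not code from shim or mokutil: a shell check over the serial log that confirms the read, delete and re-initialise messages appear in that order, and decodes the reported attribute bits using the values from the UEFI specification. The function names and the temporary sample file are assumptions; the sample lines are the three sbat.c lines quoted in the comment.

```shell
#!/bin/sh
# Added example: verify shim's verbose sbat.c output in a serial boot log.

# Succeeds only if the log in $1 shows SbatLevel being read, then deleted,
# then re-initialised, in that order.
check_sbat_reset() {
    awk '
        /SbatLevel variable is [0-9]+ bytes/                    { s = 1; next }
        s == 1 && /Deleting SbatLevel variable/                 { s = 2; next }
        s == 2 && /SbatLevel variable initialization succeeded/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Print the attribute flags shim reported for SbatLevel (first match in $1).
# Bit values are from the UEFI specification.
sbat_level_attrs() {
    hex=$(sed -n 's/.*SbatLevel variable is [0-9]* bytes, attributes are \(0x[0-9A-Fa-f]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$hex" ] || return 1
    a=$(( $hex ))
    out=""
    if [ $(( a & 1 )) -ne 0 ]; then out="$out NON_VOLATILE"; fi
    if [ $(( a & 2 )) -ne 0 ]; then out="$out BOOTSERVICE_ACCESS"; fi
    # Without this bit the variable is not accessible after ExitBootServices.
    if [ $(( a & 4 )) -ne 0 ]; then out="$out RUNTIME_ACCESS"; fi
    echo "${out# }"
}

# Sample input: the three sbat.c lines quoted in the comment, written to a
# temporary file (the file itself is constructed for this example).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
sbat.c:477:set_sbat_uefi_variable() SbatLevel variable is 25 bytes, attributes are 0x00000003
sbat.c:479:set_sbat_uefi_variable() Deleting SbatLevel variable.
sbat.c:512:set_sbat_uefi_variable() SbatLevel variable initialization succeeded
EOF

if check_sbat_reset "$SAMPLE"; then
    echo "SbatLevel reset OK; previous attributes: $(sbat_level_attrs "$SAMPLE")"
else
    echo "SbatLevel reset sequence not found" >&2
fi
```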