There is only a single thing on my system unencrypted: the grubx64.efi binary. This binary is verified via secure boot. Unless an attacker can break luks2 encryption, they cannot get to anything else.
I don’t know enough about the subject of a secure grub to tell you how wrong you are.
Did you read your own post? The lts kernel was affected too. That’s why I used it as an example.
Yes I did. It was a terrible example. As all I would need to know was the last working version for TPM. Regression in LTS does not factor in this equation.
And most importantly, it would not stop me from booting.
You could also just nab the older kernel from the archive or something, if your system still boots. But I don’t want to have to do that. I have better things to spend my time on then going through the pain of disabling all my security features so I can chroot into an encrypted system.
You think you are saying something smart here but I assure you, you couldn’t be more conceited. You are maintaining a patch of grub for a bug that grub has no idea it exists. And you claim not to have time to fix your installation…