BootHole - Secure Boot Vulnerability - CVE-2020-10713

Nothing specific to Clear, might even be better off since it uses systemd/gummiboot boot loader and not GRUB2 (but, don’t take that as a statement of fact). In case people aren’t aware of it though, see links below.

One possible mitigation for the truly paranoid would be to write your ESP (/boot or /boot/efi etc) on to media that has a physical write lockout (think old SD cards), such that it becomes hardware read only. Similarly, if you secure the hypervisor, you can use immutable, read-only volumes for the ESP of VM’s. Haven’t tried it with Clear, but can be done with some other distro’s. Probably breaks automated swupd updates in a large way, at least when it comes to kernel updates.