Grub boothole fixes available for Mender?

In July an issue was discovered by Eclypsium with regards to Grub2 and secure boot.

See also: https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

At the time we ignored this issue because the proposed fixes to Grub2 were causing boot issues on several systems, and it seemed a better idea to wait until these issues were resolved before trying to update the Grub2 files used by our Menderized systems.

As far as we can tell, it seems that those issues have now been resolved, and we could attempt to update to a newer Grub2.

Since Mender uses its own builds of Grub2 for use with mender-convert, my question is: Is the version used by mender-convert up to date with these fixes, and if it is, can I download the newer Grub2 files that mender-convert uses for x64 somewhere so that we can create an update script to replace the old Grub2 boot files for the newer ones?

So, to be clear, we want to upgrade the Grub2 boot files (executables?) with the ones that fix the secure boot issues on our Menderized systems, without having to go through the entire mender-convert process (as that would mean having to recreate an entire bare Linux install, which would be more work than we are willing to commit to).

I do not actually think that this is up to date. The latest built binary we have is stored here:

https://mender.s3.amazonaws.com/mender-convert/grub-efi/2.04/x86-64/grub-efi-bootx64.efi

This was uploaded in April 2020. I also took note that mender-convert does not even use this one and is using an even older version.

We use the Yocto Project to build these binaries, and it seems that a fix for the mentioned security issue was added in October 2020.

http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-bsp/grub/grub2.inc?id=ec6a2258ca27d5709df4fe18d94841332395bcb2&h=dunfell

I am not sure what our process has been in the past to update these, @kacf or @lluiscampos probably know more. But it seems that they are due an update.

We have usually updated when Yocto updates. However, I think they only update to stable versions, and the Grub folks still have not released anything past 2.04, which is almost a year and a half old by now.

For now, I created MEN-4198 so we can update to a reasonable SHA at least. Thanks for the heads up on this.