Add info on DBX updates via the UEFI Revocation List

README.md

@@ -138,9 +138,12 @@ configuration file and significant hardening is applied to a myriad of component
 
 Mitigations for known CPU vulnerabilities are enabled in their strictest form
 and simultaneous multithreading (SMT) is disabled. See the
-`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve
+`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
-complete protection for known CPU vulnerabilities, the latest security microcode
+
-(BIOS/UEFI) updates must also be installed on the system.
+Note, to achieve complete protection for known CPU vulnerabilities, the latest
+security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
+if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept
+up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates.
 
 Boot parameters relating to kernel hardening, DMA mitigations, and entropy
 generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -26,6 +26,13 @@
 ## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
 ## The parameters below only provide (partial) protection at both the kernel and user space level.
 
+## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date.
+## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems.
+## If using compatible hardware, the database can be updated directly in user space using fwupd.
+## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues.
+## https://uefi.org/revocationlistfile
+## https://github.com/fwupd/fwupd
+
 ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
 ##
 ## KSPP=yes