(SBAT = UEFI Secure Boot Advanced Targeting)
We need to decide whether we want to have an upstream maintained generation number, or whether to leave that to every downstream to maintain, with upstream merely providing the necessary infrastructure.
See https://github.com/rhboot/shim/blob/main/SBAT.md and https://lists.xen.org/archives/html/xen-devel/2025-05/msg00481.html as well as discussions on earlier versions (hanging off of https://lists.xen.org/archives/html/xen-devel/2025-05/msg00313.html, https://lists.xen.org/archives/html/xen-devel/2025-05/msg00009.html, and https://lists.xen.org/archives/html/xen-devel/2025-05/msg00005.html) for some context.