With Fedora Live I could see the difference, using # mokutil --list-sbat-revocations. When the system is in one of these states: -new -reflashed -after old clonezilla (grub entries) load -after Fedora live load or Fedora install This list is sbat,1,202103218 After load of grub page of a new Clonezilla (or live Debian) the list becomes: sbat,1,2022052400 grub,2
In addition to firmware reflash, I found this way to restore previous condition:
-in bios settings, disable secure boot-load new clonezilla live (tried with the version that updated the blacklist) -open shell, and run "mokutil --set-sbat-policy delete" (with "mokutil --set-sbat-policy previous" nothing changes) -reboot with same clonezilla live (it's enough to reach boot grub entries, the "mokutil --set-sbat-policy delete" is run at this stage, just as blacklist update)
-shutdown -in bios settings, enable secure boot But I haven't find, so far, a way to prevent blacklist update.