The USA's National Security Agency (NSA) has released a UEFI Secure Boot customisation Technical Report that provides detailed recommendations for customising Secure Boot to better protect against firmware exploitation – a means attackers can use to gain persistent access to victim networks. This product follows the NSA’s 30 July advisory release on the GRUB BootHole vulnerability.
Secure Boot customisation enables administrators to realise the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. This product encourages system administrators to customise Secure Boot rather than disable it to work around compatibility issues.
The full product can be viewed here.