(In reply to Alberto Planas Dominguez from comment #18)
>
> Right, that is how fde works with grub2, but the comment was more about the
> grub2-shim interaction when loading the kernel.
>
> The pcr-oracle workaround works under the assumption that there is only one
> pcr4 extension of type boot services application that has this issue (the
> kernel). This can be invalidated if grub2 is following a different protocol.

Currently grub only uses shim to verify a file of type "kernel" or another EFI binary when chainloading it. So, in the normal case of shim -> grub -> kernel there should be only one such event for the kernel.