Sounds like cope to me. You don’t get to tell an attacker which component they can attack when you have misconfigured your security guards.
There is only a single thing on my system unencrypted: the grubx64.efi binary. This binary is verified via secure boot. Unless an attacker can break luks2 encryption, they cannot get to anything else.
I keep the LTS kernel around for that
Did you read your own post? The lts kernel was affected too. That’s why I used it as an example.
anyway, a simple chroot should allow me to fix any problems.
You could also just nab the older kernel from the archive or something, if your system still boots. But I don’t want to have to do that. I have better things to spend my time on then going through the pain of disabling all my security features so I can chroot into an encrypted system.