I was thinking of updating my shim and reading building I see:

- POST_PROCESS_PE_FLAGS
This allows you to add flags to the invocation of "post-process-pe", for
example to disable the NX compatibility flag.

But I thought I read that NX compatibility flag is NOT set by default?

What would be the way to set the NX flag?

Vendor SBAT data:
It will sometimes be requested by reviewers that a build includes extra
.sbat data. The mechanism to do so is to add a CSV file in data/ with the
name sbat.FOO.csv, where foo is your EFI subdirectory name. The build
system will automatically include any such files.

What is "your EFI subdirectory" ?

The NX compatibility flag being enabled by default got introduced with 7c76425. This got introduced after shim 15.7 got released, therefore once shim 15.7 is to be reviewed, there are several methods one can use:

• port the patch to a 15.7 release
• change the building process so that post-process-pe runs on the shimx64.efi binary with the -n option rather than -N (meaning it should enable NX rather than disable: https://github.com/rhboot/shim/blob/main/post-process-pe.c)

I think I'll wait for 15.8 and hopefully they will also have guides if you should update sbat versions, if grub needs updating, or if certificates should be changed.