On 02.06.2025 16:16, Marek Marczykowski-Górecki wrote: > On Mon, Jun 02, 2025 at 02:46:56PM +0100, Kevin Lampis wrote: >> --- a/xen/common/lockdown.c >> +++ b/xen/common/lockdown.c >> @@ -35,7 +35,7 @@ static int __init parse_lockdown_opt(const char *s) >> >> return 0; >> } >> -custom_param("lockdown", parse_lockdown_opt); >> +custom_secure_param("lockdown", parse_lockdown_opt); > > Is that really a good idea? It means `lockdown=yes lockdown=no` would > still disable it in the end. This may matter more if for example the > `lockdown=yes` part is in the built-in cmdline (possibly with other > integrity protection than UEFI SB).
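Review bot: The `custom_secure_param("lockdown", parse_lockdown_opt);` registration at the end of this hunk carries no comment on how repeated `lockdown=` options are resolved, and the visible context of parse_lockdown_opt() shows only its `return 0;`. If a later `lockdown=no` is meant to override an earlier `lockdown=yes`, say so in a comment next to the registration and in the command line documentation. If it is not, have parse_lockdown_opt() reject or ignore an attempt to turn lockdown off once an earlier occurrence has turned it on, so that a setting in the built-in command line cannot be undone by one appended later.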
But having a way to override an earlier "lockdown" by "lockdown=no" is intended? E.g. when your xen.cfg has the former, but you don't really want that (for, say, an experiment).

Jan