On 6/12/25 06:06, Jan Beulich wrote:
> On 12.06.2025 01:58, Andrew Cooper wrote:
>> 2) Pre-boot DMA Protection. Microsoft consider this a platform feature
>> requiring OEM enablement, and do not consider its absence to be a Secure Boot
>> vulnerability. But, it is less clear what the policy ought to be for Xen
>> booting on a capable system and failing to do a correct live-handover of the
>> IOMMU across ExitBootServices().
>
> Shouldn't this be another TODO item at the bottom? We don't support yet taking
> over when the IOMMUs are already enabled, do we?

Dasharo supports leaving the IOMMU enabled when transferring to the OS, and
this message was sent from a Qubes OS box booted in this configuration.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)