On Fri, Sep 22, 2017 at 02:25:46AM -0600, Jan Beulich wrote:
> >>> On 22.09.17 at 00:46, <ta...@tklengyel.com> wrote:
> > One piece that I see still missing is the Xen command line parameters
> > not being verified. It would be ideal to have the option to get that
> > set during compile time as well, similar to Linux's CONFIG_CMDLINE
> > option, to avoid for example getting iommu or XSM being turned off by
> > someone with physical access.
>
> We do have CMDLINE and CMDLINE_OVERRIDE. But for someone
> with physical access it would likely also be possible to avoid secure
> boot altogether?

Another solution is here:
http://lists.gnu.org/archive/html/grub-devel/2017-07/msg00003.html

It is TPM based and WIP. It requires the verifiers framework, which should be
posted on grub-devel soon. Or you can add your own method based on verifiers.
Patches are welcome...

Have a nice weekend,

Daniel