On Thu, Jun 12, 2025 at 12:58 AM Andrew Cooper <andrew.coop...@citrix.com> wrote: ... > +In Progress > +----------- > + > +.. warning:: > + > + The following work is still in progress. It is provisional, and not > + security supported yet. > + > + > +Secure Boot Advanced Targeting > +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > + > +SBAT is a recovation scheme for Secure Boot enabled components, using a > +generation based scheme. See `Shim SBAT.md > +<https://github.com/rhboot/shim/blob/main/SBAT.md>`_ for full details. > + > +Upstream Xen provides the infrastructure to embed SBAT metadata in > +``xen.efi``, but does not maintain a generation number itself. Downstreams > +are expected to maintain their own generation numbers. > + > + > +Lockdown Mode > +^^^^^^^^^^^^^ > + > +A mode which causes the enforcement of the properties necessary to conform to > +the Secure Boot specification. Lockdown Mode is forced active when Secure > +Boot is active in the platform, but may be activated independently too for > +development purposes with the ``lockdown`` command line option. > + > +TODO > +^^^^ > + > + * Command Line
These two are also in progress since they have had patch series posted:

> + * Livepatching
> + * Kexec

I think a section on PCI passthrough is also warranted, i.e. preventing misuse of a device to exploit Secure Boot.

Ross
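Review bot: "recovation" in the Secure Boot Advanced Targeting paragraph is a typo for "revocation", and the sentence is redundant as written ("a recovation scheme ... using a generation based scheme"); suggest "SBAT is a generation-based revocation scheme for Secure Boot enabled components." In the Lockdown Mode paragraph, the text says the mode enforces "the properties necessary to conform to the Secure Boot specification" without saying which properties those are; since the section is marked provisional and not security supported, a short list (or a pointer to where they will be documented) would let readers judge what the ``lockdown`` command line option actually changes. The ``lockdown`` option itself should also appear in the command line documentation, which fits the "Command Line" entry already under TODO.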