On Thu, 19 Jun 2025, Marek Marczykowski-Górecki wrote: > On Thu, Jun 19, 2025 at 03:16:51PM +0100, Ross Lagerwall wrote: > > I think a section on PCI passthrough is also warranted. i.e. preventing > > misuse > > of a device to exploit Secure Boot. > > While I agree it makes sense, I wonder if it's in scope for UEFI > Secure Boot as defined by Microsoft? It may have implication for example > on PCI passthrough to a PV domains.
If we bring DomUs into the discussion, then I think we need to make a distinction between predefined DomUs, which could have signatures verified by Secure Boot (such as Dom0 and hyperlaunch/dom0less guests), and other dynamically created DomUs which could be fetched from the network and potentially started without signature verification or prior knowledge.
