On Thu, 19 Jun 2025, Marek Marczykowski-Górecki wrote:
> On Thu, Jun 19, 2025 at 03:16:51PM +0100, Ross Lagerwall wrote:
> > I think a section on PCI passthrough is also warranted, i.e. preventing
> > misuse of a device to exploit Secure Boot.
> 
> While I agree it makes sense, I wonder if it's in scope for UEFI
> Secure Boot as defined by Microsoft? It may have implications, for example,
> on PCI passthrough to PV domains.

If we bring DomUs into the discussion, then I think we need to make a
distinction between predefined DomUs, which could have signatures
verified by Secure Boot (such as Dom0 and hyperlaunch/dom0less guests),
and other dynamically created DomUs which could be fetched from the
network and potentially started without signature verification or prior
knowledge.
