Xen host secure boot lockdown in general and privcmd in particular
Owner: yannsionneau

When Xen boots on a Secure Boot-enabled machine, it needs to enter “lockdown mode”, in which some features are reduced or hardened (or even removed?). The Linux kernel does the same.

Some of these feature modifications already have corresponding patchsets:

One big topic to discuss is the lockdown of the /dev/xen/privcmd Linux dom0 driver and its Xen counterpart. Let’s discuss what needs to be done for lockdown in general and privcmd in particular.