Integrating TrenchBoot into Xen-based platforms
Owner: shahs
Time: Wed 3:45 PM 17 Sep -0700 (America/Los_Angeles) Final
Location: Nitro Room

Considerable progress has been made in recent years on integrating and enabling TrenchBoot in Xen. TrenchBoot is a framework for performing a measured launch and establishing launch integrity; it supports a Dynamic Root of Trust for Measurement (DRTM) on both Intel TXT and AMD SKINIT, whereas Trusted Boot (tboot) is designed for TXT only and is not UEFI native. There is interest in using TrenchBoot to replace tboot in platforms such as OpenXT, whose boot process is more convoluted and less flexible because of tboot. As someone newer to the Xen space and to virtualization in general, it would be useful to hear from experts in the space about the current status of projects integrating TrenchBoot with Xen (especially QubesOS with AEM, which seemingly has already implemented full TrenchBoot support with TPM 2.0 for both Intel and AMD), about what challenges and pitfalls were or may be encountered with this approach, and so on.

RFC related to this topic with more background information: https://openxt.atlassian.net/wiki/spaces/CS/pages/3516039172/OpenXT+TrenchBoot+Integration+RFC
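To make the "launch integrity" part of the discussion concrete, the following is an added example (not TrenchBoot, Xen, OpenXT or QubesOS code) of what a verifier does after a DRTM launch: it reads the DRTM PCRs (17-22) from a TPM 2.0 and replays the launch event log against them. It relies on the TPM 2.0 PC Client convention that the DRTM PCRs read 0xFF..FF after TPM startup, are reset to zero by the dynamic launch (SENTER/SKINIT), and are then extended by the launch chain, so a PCR 17 still at 0xFF..FF means no dynamic launch happened at all. The `tpm2_pcrread`-style text format, the event digests and the PCR values below are all constructed for illustration.

```python
"""Replay a DRTM event log against TPM 2.0 PCR 17/18 values.

Added example, not project code. Assumes a TPM 2.0 PC Client platform:
DRTM PCRs 17-22 read 0xFF..FF after TPM startup, are reset to zero by
the dynamic launch and are then extended by the launch chain.
"""
import hashlib
import re

PCR_SIZE = 32                      # SHA-256 bank
DRTM_PCRS = tuple(range(17, 23))   # PCRs owned by the dynamic launch
NEVER_LAUNCHED = b"\xff" * PCR_SIZE  # startup value: no SENTER/SKINIT yet
RESET_VALUE = b"\x00" * PCR_SIZE     # value right after the DRTM reset


def pcr_extend(pcr, digest):
    """TPM2_PCR_Extend semantics for one SHA-256 bank: new = H(old || digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("SHA-256 PCR and digest must both be 32 bytes")
    return hashlib.sha256(pcr + digest).digest()


def replay_log(events):
    """Replay (pcr_index, digest) entries from the DRTM-reset state."""
    state = {i: RESET_VALUE for i in DRTM_PCRS}
    for index, digest in events:
        if index not in state:
            raise ValueError(f"PCR {index} is not a DRTM PCR (17-22)")
        state[index] = pcr_extend(state[index], digest)
    return state


def classify_drtm(pcr17):
    """Decide from PCR 17 alone whether a dynamic launch took place."""
    if pcr17 == NEVER_LAUNCHED:
        return "no-drtm-launch"        # platform booted without SENTER/SKINIT
    if pcr17 == RESET_VALUE:
        return "reset-but-unextended"  # launch started but nothing was measured
    return "launched"


_PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]{64})\s*$")


def parse_pcrread(text):
    """Parse the sha256 bank of tpm2_pcrread-style output (assumed format)."""
    values, in_bank = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":") and not stripped[0].isdigit():
            in_bank = stripped[:-1].lower() == "sha256"   # bank header
            continue
        m = _PCR_LINE.match(line)
        if in_bank and m:
            values[int(m.group(1))] = bytes.fromhex(m.group(2))
    return values


def verify_launch(pcr_values, events):
    """Return (verdict, mismatched PCR indices) for a TPM read plus event log."""
    if 17 not in pcr_values:
        raise ValueError("PCR 17 missing from TPM read")
    status = classify_drtm(pcr_values[17])
    if status != "launched":
        return status, []
    expected = replay_log(events)
    touched = {index for index, _ in events}
    mismatched = sorted(i for i in touched if pcr_values.get(i) != expected[i])
    return ("verified" if not mismatched else "mismatch"), mismatched


# Constructed sample log: digests stand in for the launch environment,
# its policy, and the hypervisor image; they are not real measurements.
SAMPLE_EVENTS = [
    (17, hashlib.sha256(b"constructed: dynamic launch environment").digest()),
    (17, hashlib.sha256(b"constructed: launch policy").digest()),
    (18, hashlib.sha256(b"constructed: xen.gz").digest()),
]


def render_pcrread(state):
    """Render PCR values in tpm2_pcrread style so the parser gets realistic input."""
    lines = ["sha256:"]
    for i in sorted(state):
        lines.append(f"  {i:<2}: 0x{state[i].hex().upper()}")
    return "\n".join(lines)


# Constructed TPM read: what the DRTM bank looks like after SAMPLE_EVENTS.
SAMPLE_PCRREAD = render_pcrread(replay_log(SAMPLE_EVENTS))
# Constructed TPM read of a platform that never performed a dynamic launch.
NO_LAUNCH_PCRREAD = render_pcrread({i: NEVER_LAUNCHED for i in DRTM_PCRS})

if __name__ == "__main__":
    print(verify_launch(parse_pcrread(SAMPLE_PCRREAD), SAMPLE_EVENTS))
    tampered = [SAMPLE_EVENTS[0],
                (17, hashlib.sha256(b"constructed: replaced policy").digest()),
                SAMPLE_EVENTS[2]]
    print(verify_launch(parse_pcrread(SAMPLE_PCRREAD), tampered))
    print(verify_launch(parse_pcrread(NO_LAUNCH_PCRREAD), SAMPLE_EVENTS))
```

The three verdicts a verifier needs to distinguish are a launch whose log replays to the PCRs, a launch whose log does not (a component was swapped or the log was edited), and no launch at all, where PCR 17 never left its startup value; the last case is the one an attestation policy that only checks "PCR 17 equals the golden value" silently gets wrong if the golden value was recorded without a launch.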