A short, informative conversation from Twitter: @tehjh If you don't have any kind of verified boot, an attacker can just replace the kernel and reboot. If you do, pass the flag in bootparm — Matthew Garrett (@mjg59@nondeterministic.computer) (@mjg59) October 7, 2015