Down the rabbit hole of tboot, E820 maps, and Xen PV PCI-passthrough domains

From an OpenXT bug report:

TL;DR: a minor adjustment had to be made in tboot so that it picks the right memory protection for itself in the E820 map. The bug only affected PV Linux guests with PCI-passthrough devices as correctly guessed above.[…]