STATUS: OPERATIONAL

1. Property P2 — Integrity of the boot chain

Objective
The Xen hypervisor binary, as loaded into memory by the bootloader, must have its integrity cryptographically verified against a known-good hash derived from a reproducible, open-source build.
Key-result
Publish the SHA-256 of the Xen ELF binary that is fetched by the bootloader; provide a reproducible build that yields the same hash from published Debian sources.

Test:

# Rebuild the hypervisor from the Debian source matching the running version (`xl dmesg` reports it; a deb-src line must be enabled) and hash the image the build produces.
xl dmesg | sed -n 's/.*Xen version \([0-9][0-9.]*\).*/\1/p' | head -n1
apt-get source xen-hypervisor-4.17-amd64 && cd xen-*/ && \
        dpkg-buildpackage -b -uc -us && sha256sum xen/xen.gz

Compare with the hash:

sha256sum /boot/xen-*

Expected output:

Match: the SHA-256 printed by the build is identical to the one computed over the image in /boot.

Tonight’s executable test:

apt-cache policy xen-hypervisor-4.17-amd64
apt-get download xen-hypervisor-4.17-amd64    # dpkg-sig verifies a .deb, not the file list under /var/lib/dpkg/info
dpkg-sig --verify xen-hypervisor-4.17-amd64_*.deb    # Debian does not sign individual .debs (expect NOSIG); archive trust comes from the apt Release signature
sha256sum /boot/xen-4.17-amd64.gz

Publish the hash; add a footnote: “Full reproducible build pending – see GitHub issue #3.” This keeps the claim falsifiable without equipment you do not own.
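The comparison step in both the Test section and tonight's test is a by-eye diff of two hash lines. The script below is an added example, not part of this page or of the Xen or Debian projects, that makes the P2 check mechanical: it takes the published SHA-256, hashes the image(s) the bootloader would load, and exits 0 only when exactly one image carries that hash. It tolerates an upper-case or whitespace-padded published value, rejects a truncated one, and handles the case where the /boot/xen-* glob matches more than one image (a stale hypervisor left behind by an upgrade). The script name verify-xen-p2.sh, the default /boot/xen-*.gz glob and every hash in the usage note are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example (not the project's own script): compare the hypervisor image the
# bootloader loads against a published SHA-256 and fail loudly on any mismatch,
# so the P2 check can run unattended. Paths and hashes are placeholders.

# normalize_hash HASH
#   Lower-cases a hex digest and strips surrounding whitespace. Prints nothing and
#   fails if the result is not 64 hex characters, so a truncated or mis-pasted
#   published hash is rejected instead of silently "not matching".
normalize_hash() {
    h=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$h" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ ${#h} -eq 64 ] || return 1
    printf '%s\n' "$h"
}

# verify_boot_image PUBLISHED_HASH IMAGE
#   Exit codes: 0 = image hash equals the published hash (the page's "Match"),
#               1 = hashes differ, 2 = image unreadable or published hash malformed.
verify_boot_image() {
    expected=$(normalize_hash "$1") || { echo "malformed published hash: $1" >&2; return 2; }
    image=$2
    [ -r "$image" ] || { echo "cannot read image: $image" >&2; return 2; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "Match: $image $actual"
        return 0
    fi
    echo "MISMATCH: $image" >&2
    echo "  published: $expected" >&2
    echo "  on disk:   $actual" >&2
    return 1
}

# verify_all_boot_images PUBLISHED_HASH [IMAGE...]
#   The page hashes /boot/xen-* with a glob. If several images match, one
#   published hash can describe only one of them, so check each and succeed
#   only when exactly one image carries the published hash.
#   Exit codes: 0 = exactly one match, 1 = zero or several matches, 2 = no image found.
verify_all_boot_images() {
    published=$1; shift
    matched=0; seen=0
    for img in "$@"; do
        [ -e "$img" ] || continue        # unexpanded glob: nothing to check
        seen=$((seen + 1))
        verify_boot_image "$published" "$img" && matched=$((matched + 1))
    done
    [ "$seen" -gt 0 ] || { echo "no image found" >&2; return 2; }
    [ "$matched" -eq 1 ]
}

# Usage: sh verify-xen-p2.sh <published-sha256> [/boot/xen-*.gz ...]
if [ $# -ge 1 ]; then
    published=$1; shift
    if [ $# -eq 0 ]; then set -- /boot/xen-*.gz; fi
    verify_all_boot_images "$published" "$@"
fi
```

Run it as `sh verify-xen-p2.sh <hash printed by the reproducible build>` after the build step; with no image arguments it checks every /boot/xen-*.gz. Exit status 0 is the page's "Match", 1 is a falsified claim, and 2 means the check could not be performed (treat that as a failure in any automated run, not as a pass).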