On 01/22/2016 01:56 PM, John R Pierce wrote: > Sure, if someone has penetrated my IPMI and/or virtualization > management, I'm already in a world of hurt Exactly. IPMI should be on a dedicated VLAN with a bastion host. No other systems should have access to it at all. The servers, especially, should not have access to their own IPMI network. Otherwise, you risk creating exactly that kind of hole, where tasks that are supposed to require console access don't. Having said that, I have no idea whether or not the virtual console is locked during the secure boot path. Anybody who uses IPMI and secure boot?