From b797e575d0a8d551e7167703bc57ae855c6be98f Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Thu, 9 Apr 2026 18:19:10 -0400
Subject: [PATCH] Add xen_privcmd.unrestricted to workstation kernel opts

---
 .../etc/default/grub.d/60-unrestrict-privcmd.cfg               | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 debian/securedrop-workstation-grsec/etc/default/grub.d/60-unrestrict-privcmd.cfg

diff --git a/debian/securedrop-workstation-grsec/etc/default/grub.d/60-unrestrict-privcmd.cfg b/debian/securedrop-workstation-grsec/etc/default/grub.d/60-unrestrict-privcmd.cfg
new file mode 100644
index 0000000..a9e7f03
--- /dev/null
+++ b/debian/securedrop-workstation-grsec/etc/default/grub.d/60-unrestrict-privcmd.cfg
@@ -0,0 +1,3 @@
+# set xen_privcmd to unrestricted to account for XSA-482 patch
+# see https://github.com/QubesOS/qubes-linux-kernel/pull/1256
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX xen_privcmd.unrestricted"