diff --git a/man/smbios-type-11.xml b/man/smbios-type-11.xml
index 93252274da..2fc215ecbd 100644
--- a/man/smbios-type-11.xml
+++ b/man/smbios-type-11.xml
@@ -64,6 +64,16 @@
+
+
+ io.systemd.boot.kernel-cmdline-extra=CMDLINE
+
+ This allows configuration of additional kernel command line options for Boot Loader
+ Specification Type 1 entries, and is read by systemd-boot. For details see
+ systemd-boot1.
+
+
+
diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml
index 74514fb5d0..a4d1c003e0 100644
--- a/man/systemd-boot.xml
+++ b/man/systemd-boot.xml
@@ -561,6 +561,27 @@
url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface.
+
+ SMBIOS Type 11 Strings
+
+ systemd-boot can be configured using SMBIOS Type 11 strings. Applicable strings
+ consist of a name, followed by =, followed by the value. Unless
+ systemd-boot detects it is running inside a confidential computing environment,
+ systemd-boot will search the table for a string with a specific name, and if found,
+ use its value. The following strings are read:
+
+
+
+ io.systemd.boot.kernel-cmdline-extra
+ If set, the value of this string is added to the list of kernel command line
+ arguments for Boot Loader Specification Type 1 entries that are measured in PCR12 and passed to the
+ kernel.
+
+
+
+
+
+
Boot Counting
diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index e489a138d6..756654854e 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -503,7 +503,8 @@
SMBIOS Type 11 Strings
systemd-stub can be configured using SMBIOS Type 11 strings. Applicable strings
- consist of a name, followed by =, followed by the value.
+ consist of a name, followed by =, followed by the value. Unless
+ systemd-stub detects it is running inside a confidential computing environment,
systemd-stub will search the table for a string with a specific name, and if found,
use its value. The following strings are read:
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index eba8b40e2f..d64e560a52 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -2374,7 +2374,16 @@ static EFI_STATUS image_start(
/* If we had to append an initrd= entry to the command line, we have to pass it, and measure it.
* Otherwise, only pass/measure it if it is not implicit anyway (i.e. embedded into the UKI or
* so). */
- char16_t *options = options_initrd ?: entry->options_implied ? NULL : entry->options;
+ _cleanup_free_ char16_t *options = xstrdup16(options_initrd ?: entry->options_implied ? NULL : entry->options);
+
+ if (!is_confidential_vm()) {
+ const char *extra = smbios_find_oem_string("io.systemd.boot.kernel-cmdline-extra");
+ if (extra) {
+ _cleanup_free_ char16_t *tmp = TAKE_PTR(options), *extra16 = xstr8_to_16(extra);
+ options = xasprintf("%ls %ls", tmp, extra16);
+ }
+ }
+
if (options) {
loaded_image->LoadOptions = options;
loaded_image->LoadOptionsSize = strsize16(options);
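Review bot: When the ternary inside `xstrdup16(...)` yields NULL (no `options_initrd` and `entry->options_implied` set, assuming `xstrdup16` passes NULL through), `tmp` is NULL at `xasprintf("%ls %ls", tmp, extra16)`, so the load options are formatted from a NULL `%ls` argument plus a stray space instead of being just the extra string. Handling that case explicitly avoids it, e.g. `options = tmp ? xasprintf("%ls %ls", tmp, extra16) : TAKE_PTR(extra16);`. The added block also shows no entry-type check, although the man page text in this commit limits the string to Boot Loader Specification Type 1 entries. Because the value comes from the SMBIOS table supplied by the firmware or hypervisor and ends up on the kernel command line, it is worth gating it on the entry type and confirming that the PCR12 measurement covers the combined string. `image_start` starts and ends outside the hunk, so the measurement code is not visible here.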
diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
index 6197f00a3c..967f701e05 100644
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -1570,6 +1570,10 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
r = strv_extendf(&cmdline, "type=11,value=io.systemd.stub.kernel-cmdline-extra=%s", escaped_kcl);
if (r < 0)
return log_oom();
+
+ r = strv_extendf(&cmdline, "type=11,value=io.systemd.boot.kernel-cmdline-extra=%s", escaped_kcl);
+ if (r < 0)
+ return log_oom();
} else
log_warning("Cannot append extra args to kernel cmdline, native architecture doesn't support SMBIOS, ignoring");
}
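Review bot: The second `strv_extendf` call passes the same `escaped_kcl` under a second SMBIOS name with nothing explaining why both are needed. A comment above the two calls would help, for example `/* systemd-stub reads the .stub. string (UKIs), systemd-boot reads the .boot. string (Type 1 entries); pass the extra arguments under both names */`. If a Type 1 entry ever chains into an image that also contains systemd-stub, both components might append the same arguments, so it is worth checking that duplicated options are harmless. `run_virtual_machine` starts and ends outside the hunk.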