--- /home/ianc/tmp/x/etc/grub.d/20_linux_xen	2013-07-03 04:39:20.000000000 +0100
+++ overlay/etc/grub.d/20_linux_xen	2015-04-21 11:09:57.777812773 +0100
@@ -81,10 +85,27 @@
   recovery="$4"
   args="$5"
   xen_args="$6"
-  if ${recovery} ; then
-    title="$(gettext_quoted "%s, with Xen %s and Linux %s (recovery mode)")"
+  xsm="$7"
+  # If user wants to enable XSM support, make sure there's
+  # corresponding policy file.
+  if ${xsm} ; then
+      xenpolicy=`echo xenpolicy-$xen_version`
+      if test ! -e "${xen_dirname}/${xenpolicy}" ; then
+	  return
+      fi
+      xen_args=`echo $xen_args flask=enforcing`
+      if ${recovery} ; then
+	  title="$(gettext_quoted "%s, with Xen %s (XSM enabled) and Linux %s (recovery mode)")"
+      else
+	  title="$(gettext_quoted "%s, with Xen %s (XSM enabled) and Linux %s")"
+      fi
   else
-    title="$(gettext_quoted "%s, with Xen %s and Linux %s")"
+      xenpolicy=""
+      if ${recovery} ; then
+	  title="$(gettext_quoted "%s, with Xen %s and Linux %s (recovery mode)")"
+      else
+	  title="$(gettext_quoted "%s, with Xen %s and Linux %s")"
+      fi
   fi
   printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${xen_version}" "${version}"
   if ! ${recovery} ; then
@@ -110,6 +131,13 @@
 	module	${rel_dirname}/${initrd}
 EOF
   fi
+  if test -n "${xenpolicy}" ; then
+    message="$(gettext_printf "Loading XSM policy ...")"
+    cat << EOF
+	echo	'$message'
+	module	${rel_dirname}/${xenpolicy}
+EOF
+  fi
   cat << EOF
 }
 EOF
@@ -133,7 +161,7 @@
 if [ "x${linux_list}" = "x" ] ; then
     exit 0
 fi
-xen_list=`for i in /boot/xen*; do
+xen_list=`for i in /boot/xen[-.]*; do
         if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
       done`
 prepare_boot_cache=
@@ -175,10 +203,14 @@
 	fi
 
 	linux_entry "${OS}" "${version}" "${xen_version}" false \
-	    "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
+	    "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}" false
+	linux_entry "${OS}" "${version}" "${xen_version}" false \
+	    "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}" true
 	if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then
 	    linux_entry "${OS}" "${version}" "${xen_version}" true \
-		"single ${GRUB_CMDLINE_LINUX}" "${GRUB_CMDLINE_XEN}"
+		"single ${GRUB_CMDLINE_LINUX}" "${GRUB_CMDLINE_XEN}" false
+	    linux_entry "${OS}" "${version}" "${xen_version}" true \
+		"single ${GRUB_CMDLINE_LINUX}" "${GRUB_CMDLINE_XEN}" true
 	fi
 
 	list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`