the best way i could think of is if our templates had some kinda HASH/signature that dom0 could compare at boot. this would ensure the templates are unmodified and trustworthy. what do you think @fsflover ?
I agree with you. i would like things to harden up. passwordless sudo never sat right with me.