Secure boot will ensure the bootloader binary itself is signed, but won't do anything for the config itself for obvious reasons. I was working on a high assurance scenario though, so I think my meaning of tamper resistance differed significantly from the above post.
I found the editor option, but the issue was that the config file could be edited offline to enable it again. Stripping the whole feature out of the binary solved the issue for what I needed. I guess it just goes to show there's a broad spectrum of interpretations of tamper resistance. If you're using dm-verity for example, you want to protect your cmdline parameters to at least the level of security offered by secure boot.
I found the editor option, but the issue was that the config file could be edited offline to enable it again. Stripping the whole feature out of the binary solved the issue for what I needed. I guess it just goes to show there's a broad spectrum of interpretations of tamper resistance. If you're using dm-verity for example, you want to protect your cmdline parameters to at least the level of security offered by secure boot.