Re: Some questions regarding firmware handling in the qemu driver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



  Hi,
 
> libvirt requires the firmware to support SMM to enable secure boot. But is
> SMM a strict requirement for secure boot? IIUC, lack of SMM makes the
> securely booted stack less secure since it is easier to tamper with it, but
> it does not prevent securely booting the components.

Well, 'less secure' is an *ahem* interesting way to frame it.  It's not
secure at all.  The guest OS can go ahead modify uefi variables in flash
directly, and the firmware can't stop it.

It's possible to use a build without SMM support for niche use cases,
for example for test setups verifying the secure boot certificate
checking, where broken security isn't much of a problem.

That actually was useful before x86 got SMM support, now there is little
reason to do that.

take care,
  Gerd




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux