On 6/14/22 07:35, Gerd Hoffmann wrote:
Hi,
libvirt requires the firmware to support SMM to enable secure boot. But is
SMM a strict requirement for secure boot? IIUC, lack of SMM makes the
securely booted stack less secure since it is easier to tamper with it, but
it does not prevent securely booting the components.
Well, 'less secure' is an *ahem* interesting way to frame it. It's not
secure at all. The guest OS can go ahead modify uefi variables in flash
directly, and the firmware can't stop it.
Understood. Thanks for the clarification and thanks for sharing your knowledge
throughout this thread!
Regards,
Jim
