Re: Some questions regarding firmware handling in the qemu driver

Hi, > libvirt requires the firmware to support SMM to enable secure boot. But is > SMM a strict requirement for secure boot? IIUC, lack of SMM makes the > securely booted stack less secure since it is easier to tamper with it, but > it does not prevent securely booting the components. Well, 'less secure' is an *ahem* interesting way to frame it. It's not secure at all. The guest OS can go ahead modify uefi variables in flash directly, and the firmware can't stop it.