
16 Jun 2022, 2:25 p.m.
On 6/14/22 07:35, Gerd Hoffmann wrote:
Hi,
libvirt requires the firmware to support SMM to enable secure boot. But is SMM a strict requirement for secure boot? IIUC, lack of SMM makes the securely booted stack less secure since it is easier to tamper with it, but it does not prevent securely booting the components.
Well, 'less secure' is an *ahem* interesting way to frame it. It's not secure at all. The guest OS can go ahead and modify UEFI variables in flash directly, and the firmware can't stop it.
Understood. Thanks for the clarification and thanks for sharing your knowledge throughout this thread! Regards, Jim
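As an added check, not part of this thread or of libvirt itself: a small script that inspects a libvirt domain definition and flags the configuration the thread warns about, secure boot requested without SMM. The domain XML is constructed for the example and the firmware paths are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from this thread); firmware paths are placeholders.
WEAK_DOMAIN_XML = """<domain type='kvm'>
  <name>sb-without-smm</name>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/PLACEHOLDER/OVMF_CODE.secboot.fd</loader>
    <nvram>/PLACEHOLDER/sb-without-smm_VARS.fd</nvram>
  </os>
  <features>
    <acpi/>
  </features>
</domain>"""

# Same domain with SMM enabled, which is what libvirt requires for secure='yes'.
HARDENED_DOMAIN_XML = WEAK_DOMAIN_XML.replace(
    "<acpi/>", "<acpi/>\n    <smm state='on'/>"
).replace("sb-without-smm", "sb-with-smm")


def secure_boot_findings(domain_xml: str) -> list[str]:
    """Return findings for a libvirt domain definition that requests secure boot.

    Secure boot only means something if the guest cannot rewrite the firmware
    variable store; with OVMF on x86 that protection comes from SMM.
    """
    root = ET.fromstring(domain_xml)
    findings = []
    loader = root.find("./os/loader")
    wants_secure_boot = loader is not None and loader.get("secure") == "yes"
    if not wants_secure_boot:
        return findings  # secure boot not requested, nothing to check
    if loader.get("readonly") != "yes":
        findings.append("pflash loader is not readonly='yes'; firmware code region is writable by the guest")
    smm = root.find("./features/smm")
    # Assumption: an <smm/> element without a state attribute counts as enabled.
    smm_enabled = smm is not None and smm.get("state", "on") != "off"
    if not smm_enabled:
        findings.append("secure='yes' without <smm state='on'/>: guest can rewrite UEFI variables in flash")
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_DOMAIN_XML), ("hardened", HARDENED_DOMAIN_XML)):
        print(label, secure_boot_findings(xml) or ["ok"])
```

Run it against `virsh dumpxml <domain>` output to audit existing guests.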