by aionescu 3892 days ago
Author here.

The problem I was trying to get to is that VSM allows itself to be activated without SB (which as you note, can also be done with malicious SB) and therefore there is no way to really 'trust' the VSM implementation.

Possible fixes to this would be to rely on SGX/TXT. But even that can be messed with -- but the attack surface is much harder than EDK-II.


You can never really trust a system's assertion about its Secure Boot state, so refusing to run when Secure Boot appears to be disabled would be more of a feel-good approach than anything else. You really need a measured boot process here, and if you have that then Secure Boot's not buying you a great deal in this case.

Don't you need SecureBoot to start the process of the measured boot?

No, Secure Boot only comes into play at the point where the firmware starts executing external code (option ROMs or bootloaders). You need to start measurement way before that.
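The distinction the thread draws, between a system asserting its Secure Boot state and a verifier replaying measurements, can be made concrete with a small PCR replay check. The code below is an added illustration, not code from the thread or from any of the projects it mentions. It assumes a simplified, constructed event log (tuples of PCR index, description and measured bytes; real TCG PC Client logs carry more structure), a single SHA-256 PCR bank, and the standard extend rule PCR' = SHA-256(PCR || SHA-256(event)). The function and constant names are this example's own.

```python
import hashlib
from typing import List, Sequence, Tuple

Event = Tuple[int, str, bytes]  # (pcr_index, description, measured bytes)

# Constructed sample log for a boot where the SecureBoot variable was 1.
# PCR 0 holds early firmware measurements, PCR 7 the Secure Boot policy
# variables, PCR 4 the bootloader image (layout as in the TCG PC Client spec).
SAMPLE_EVENT_LOG: List[Event] = [
    (0, "EV_S_CRTM_VERSION", b"core-root-of-trust-v1"),
    (0, "EV_POST_CODE firmware-volume", b"firmware-image-bytes"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG SecureBoot", b"\x01"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG PK", b"platform-key-cert"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION bootloader", b"bootloader-image"),
]


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || H(measurement)). One-way, so a
    value can only be appended to, never rewritten, once the TPM holds it."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(current + digest).digest()


def replay_event_log(events: Sequence[Event], num_pcrs: int = 24) -> List[bytes]:
    """Recompute every PCR from a log, starting from all-zero PCRs."""
    pcrs = [bytes(32)] * num_pcrs
    for idx, _desc, data in events:
        pcrs[idx] = pcr_extend(pcrs[idx], data)
    return pcrs


def verify_measured_boot(reported_pcrs: Sequence[bytes], events: Sequence[Event],
                         check_pcrs: Sequence[int] = (0, 4, 7)) -> bool:
    """A verifier trusts the (quoted) PCR values, not the log: the log is
    accepted only if replaying it reproduces the PCRs the TPM reports."""
    expected = replay_event_log(events)
    return all(reported_pcrs[i] == expected[i] for i in check_pcrs)


def claims_secure_boot_enabled(events: Sequence[Event]) -> bool:
    """The feel-good check: believe what the system says about SecureBoot."""
    return any(desc.endswith("SecureBoot") and data == b"\x01"
               for _i, desc, data in events)


def secure_boot_disabled_log() -> List[Event]:
    """Same boot, but the platform really ran with SecureBoot = 0."""
    return [(i, d, b"\x00" if d.endswith("SecureBoot") else data)
            for i, d, data in SAMPLE_EVENT_LOG]


def forged_log(events: Sequence[Event]) -> List[Event]:
    """An attacker rewrites the log (which lives in memory) to say SecureBoot
    was on. The TPM's PCRs, already extended with the real value, cannot be
    rewritten to match, so replay verification catches the forgery."""
    return [(i, d, b"\x01" if d.endswith("SecureBoot") else data)
            for i, d, data in events]


if __name__ == "__main__":
    honest_pcrs = replay_event_log(SAMPLE_EVENT_LOG)
    print("honest log verifies:", verify_measured_boot(honest_pcrs, SAMPLE_EVENT_LOG))

    real_pcrs = replay_event_log(secure_boot_disabled_log())   # what the TPM holds
    lie = forged_log(secure_boot_disabled_log())               # what the OS is told
    print("forged log claims Secure Boot:", claims_secure_boot_enabled(lie))
    print("forged log verifies against real PCRs:", verify_measured_boot(real_pcrs, lie))
```

The point of the two final lines is the one made in the thread: a check that reads the asserted state passes on the forged log, while a verifier that compares a replay against TPM-held PCR values does not, and that verifier needs measurements from the CRTM onward (PCR 0 here), not just the Secure Boot variables.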