If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!
Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.
Well, to be exact ovmf (open virtual machine firmware, part of tianocore) has support for the secure boot interfaces for a long time already. But it used to not provide any actual security, the guest os could easily tamper with the secure boot variable storage by simply writing to the (virtual) firmware flash.
This is no longer the case now.
Making secure boot actually secure was a bigger effort than we initially expected and it required changes in three software projects: kvm got smm emulation support. qemu got smm emulation support, and the q35 chipset emulation needed some fixes and improvements too. ovmf makes use of the smm lockbox now as tamper-resitant storage for secure boot variables (and some other bits).