Secure boot variable seems not consistent between varstored and VM #20

@gthvn1

Hello,

When I start a VM with secure boot enabled, it looks like the UEFI variable is not consistent between what is seen with varstore-get and the sysfs of the VM. From the host I see that the variable is equal to 0:

[17:39 xcp-ng-fwkum ~]# varstore-get 27d6e5cb-8c50-c34b-b094-43271bfcc0d2 8be4df61-93ca-11d2-aa0d-00e098032b8c SecureBoot |hexdump -C
00000000  00                                                |.|

While in the VM I see it set to 1:

root@ci-debian-12-uefi:~# dmesg |grep secure
[    0.000000] secureboot: Secure boot enabled
root@ci-debian-12-uefi:~# cat /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | hexdump -C
00000000  06 00 00 00 01                                    |.....|

Can we rely on varstore-get to know if secure boot is enabled in the VM?
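
Added example, not part of the original report or of the varstored project: a file in the guest's efivarfs begins with a 4-byte little-endian attributes word (the `06 00 00 00` above) ahead of the variable's data, so that header has to be stripped before comparing with the host-side value. The function names and sample files are constructed, and the script assumes varstore-get emits only the raw data, as the host hexdump above suggests.

```shell
#!/usr/bin/env bash
# efivarfs file layout: 4-byte little-endian attributes word, then the data.

# Print the attributes word of an efivarfs-format file, e.g. 0x00000006.
efivar_attrs() {
    [ "$(wc -c < "$1")" -ge 4 ] || { echo "short file: $1" >&2; return 1; }
    set -- $(head -c 4 "$1" | od -An -v -tx1)   # four hex bytes, LSB first
    echo "0x$4$3$2$1"
}

# Print the data bytes (attribute header stripped) as lowercase hex.
efivar_data() {
    [ "$(wc -c < "$1")" -ge 4 ] || { echo "short file: $1" >&2; return 1; }
    tail -c +5 "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Print a raw value (assumed: varstore-get output saved to a file) as hex.
raw_data() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# $1 = copy of the guest efivarfs file, $2 = raw host-side value.
# Returns 0 on match, 1 on mismatch, 2 if the guest file is malformed.
compare_var() {
    local guest host
    guest=$(efivar_data "$1") || return 2
    host=$(raw_data "$2")
    if [ "$guest" = "$host" ]; then
        echo "match data=$guest"
    else
        echo "MISMATCH guest=$guest host=$host"
        return 1
    fi
}

# Constructed sample files reproducing the two hexdumps in the report.
demo() {
    local dir rc=0
    dir=$(mktemp -d)
    printf '\006\000\000\000\001' > "$dir/guest.bin"   # sysfs view in the VM
    printf '\000' > "$dir/host.bin"                    # varstore-get view
    echo "guest attributes: $(efivar_attrs "$dir/guest.bin")"
    compare_var "$dir/guest.bin" "$dir/host.bin" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || true
```

Attributes `0x00000006` is `EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS`; with the header removed, the data bytes still differ (`01` in the guest, `00` on the host), which is the inconsistency reported here.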
