Hello,
 
thanks for your reply, my comments below:

> The intention of disabling VMX outside of SMX when TXT has been enabled
> is that by enabling TXT the user is signalling that they wish to use the
> platform in a secure mode.  And by disabling VMX outside of SMX, then
> once a launch control policy has been established, the system is
> protected from a blue-pill type of attack (or if a launch control policy
> is not present then at least blue-pill must perform a measured launch
> and will be detectable in the PCR state).
 
I don't see how disabling VMX outside SMX adds any security, since full virtualization is still possible in software; it just can't take advantage of VMX. VMware and others have offered "near native" virtualization performance even before VMX. So it would still be possible to do a full (in software) virtualization of the CPU, including SMX features, opening up for a "blue-pill" attack. Of course, it wouldn't be possible to "fake" the PCR registers on the true TPM, so it wouldn't be able to extract any secrets from here. If it attempts to software-emulate a TPM, a third party would be able to verify that it wasn't manufactured by a "well-known" TPM manufacturer. But these two limitations would also apply if the blue pill had used VMX.
 
Regarding this launch control policy, I've seen it mentioned here and there, but has it been documented yet? I haven't been able to find much information on it in Intel's manuals, but maybe it is in a different manual?
 
Best regards,
 
Martin Thiim