OVMF_CODE32_4M.fd
  UEFI firmware for a 32-bit QEMU guest that is intended to be read-only.

OVMF32_CODE_4M.secboot.fd
  Like OVMF32_CODE_4M.fd, but will abort if QEMU does not support SMM.
  Use this for guests for which you may enable Secure Boot. Be aware
  that the included JSON firmware descriptors associate this with
  OVMF32_VARS_4M.fd. Which means, if you specify this image in libvirt, you'll
  get a guest that is Secure Boot-*capable*, but has Secure Boot disabled.
  To enable it, you'll need to manually import PK/KEK/DB keys and activate
  Secure Boot from the UEFI setup menu.

OVMF32_CODE_4M.secboot.strictnx.fd
  This is the same as the OVMF32_CODE_4M.secboot.fd, except that it has
  the EFI_MEMORY_ATTRIBUTE_PROTOCOL enabled. This provides additional
  security, but will result in crashes with many old guest operating
  system versions that do not observe proper memory access semantics.
  This security feature will be enabled by default in the
  OVMF32_CODE_4M.secboot.fd image in a future release.

OVMF32_VARS_4M.fd
  A variable template image that is intended to be read-write, and therefore
  each guest should be given its own copy. This is an empty variable store
  template.

 -- dann frazier <dannf@debian.org>, Mon, 12 May 2025 18:34:58 -0600