diff --git a/doc/glossary.rst b/doc/glossary.rst
index 8921490a4..70fd85ca4 100644
--- a/doc/glossary.rst
+++ b/doc/glossary.rst
@@ -143,6 +143,12 @@ Glossary of Terms
developers can use to define a scenario configuration appropriate for
their own application.
+ Security VM
+ A special :term:`User VM` providing software-based security services
+ within a dynamic virtualized environment. Such security services are
+ application dependent and can include antivirus and malware detection,
+ virtualized firewalls, resource monitoring, and more.
+
Service VM
A special VM, directly launched by the hypervisor. The Service VM can
access hardware resources directly by running native drivers and provides
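Review bot: The new "Security VM" glossary entry defines it only as a special :term:`User VM` and does not say how it is launched, yet the config.xsd text in this same patch refers to "a pre-launched security VM". Either state in the glossary definition whether a Security VM is expected to be pre-launched, or explain in the option text why the qualifier applies only to the SMBIOS case. The trailing "and more" adds nothing to the definition and can be dropped, and "within a dynamic virtualized environment" would be clearer if it said which VMs consume the services.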
diff --git a/misc/config_tools/schema/config.xsd b/misc/config_tools/schema/config.xsd
index 040433dd3..1208f0da5 100644
--- a/misc/config_tools/schema/config.xsd
+++ b/misc/config_tools/schema/config.xsd
@@ -69,8 +69,19 @@
-
- Enable to do fixup for TPM2 and SMBIOS for Security VM. If no Security VM, setting this option to ``n``
+
+ This option enables hypervisor features potentially needed by a :term:`Security VM`:
+
+- The virtual Trusted Platform Module (vTPM) 2.0 ACPI table, likely
+ used by a security VM, is usually generated statically at build
+ time. Checking this option enables the ACRN hypervisor to update the
+ vTPM 2.0 ACPI table if the physical ACPI table was modified by the BIOS.
+- Data from the system management BIOS (SMBIOS) can replace probing
+ hardware directly to discover what devices are present. Checking
+ this option enables the hypervisor to pass through the physical
+ SMBIOS to a pre-launched security VM.
+
+If your VM is not a security VM, leave this option unchecked.
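Review bot: The closing line "If your VM is not a security VM, leave this option unchecked" reads as a per-VM setting, but the first sentence describes the option as enabling hypervisor features and the removed text was scoped to the whole scenario ("If no Security VM"). Reword it to match, for example "If your scenario has no Security VM, leave this option unchecked." The bullets also write "security VM" in lowercase while the first sentence uses :term:`Security VM`; use the glossary capitalization throughout so the term is consistent. In the first bullet, "likely used by a security VM" hedges without telling the reader when the vTPM table update is actually required; say what depends on it or drop the aside.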
@@ -448,7 +459,7 @@ This feature enables you to view the VM's GPU output in the Service VM.
Virtio console device for data input and output.
The virtio console BE driver copies data from the frontend's transmitting virtqueue when it receives a kick on virtqueue (implemented as a vmexit).
-The BE driver then writes the data to backend, and can be implemented as PTY, TTY, STDIO, and regular file.
+The BE driver then writes the data to backend, and can be implemented as a PTY, TTY, STDIO, or regular file.
For details, see :ref:`virtio-console`.
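Review bot: In the changed line the subject of "can be implemented as a PTY, TTY, STDIO, or regular file" is still "The BE driver", although it is the backend that takes those forms, and "to backend" is missing its article. Suggest "The BE driver then writes the data to the backend, which can be implemented as a PTY, TTY, STDIO, or regular file."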
@@ -462,7 +473,7 @@ is the virtio network driver, simulating the virtual NIC. The backend could be:
The virtio input device creates a virtual human interface device such as a keyboard,
-mouse, and tablet. It sends Linux input layer events over virtio.
+mouse, or tablet. The device sends Linux input layer events over virtio.