Hi Derek:

The patch is good to me.

Reviewed-by: Chao Zhang <chao.b.zh...@intel.com>
From: devel@edk2.groups.io On Behalf Of derek.l...@hpe.com
Sent: Tuesday, July 2, 2019 1:25 PM
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

Patch is attached from group.io.

Since ECR785, which was added in UEFI 2.3.1 errata A, enrolling a PK in setup mode doesn't need to verify the PK. Below is the sentence about it in the UEFI spec:

```
3. If the firmware is in setup mode and the variable is one of:
   - The global PK variable;
   - The global KEK variable;
   - The "db" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID; or
   - The "dbx" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID,
   then the firmware implementation shall consider the checks in the following steps 4 and 5 to have passed, and proceed with updating the variable value as outlined below.
```

Step 4 is to verify the signature and step 5 is to verify the cert. After this change, when the system is in Setup mode, setting a PK does not require an authenticated variable descriptor.

Signed-off-by: Derek Lin <derek.l...@hpe.com>
Signed-off-by: cinnamon shia <cinnamon.s...@hpe.com>
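The step-3 rule quoted in the mail, written out as an added example (my own illustration, not code from the patch or from edk2's AuthVariableLib): in setup mode a write to PK, KEK, db or dbx is let through with no descriptor at all, while any other time-based authenticated write must at least carry a well-formed EFI_VARIABLE_AUTHENTICATION_2 descriptor before the signature (step 4) and certificate (step 5) checks could run. The function names, the plain-char variable names and the SAMPLE_AUTH2 bytes are assumptions I constructed; the GUIDs and WIN_CERTIFICATE constants are the standard UEFI values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } efi_guid_t;
/* Well-known GUIDs and constants from the UEFI specification. */
static const efi_guid_t EFI_GLOBAL_VARIABLE = {0x8be4df61, 0x93ca, 0x11d2, {0xaa,0x0d,0x00,0xe0,0x98,0x03,0x2b,0x8c}};
static const efi_guid_t EFI_IMAGE_SECURITY_DATABASE_GUID = {0xd719b2cb, 0x3d3a, 0x4596, {0xa3,0xbc,0xda,0xd0,0x0e,0x67,0x65,0x6f}};
/* EFI_CERT_TYPE_PKCS7_GUID (4aafd29d-68df-49ee-8aa9-347d375665a7) in on-disk byte order. */
static const uint8_t PKCS7_GUID_BYTES[16] = {0x9d,0xd2,0xaf,0x4a,0xdf,0x68,0xee,0x49,0x8a,0xa9,0x34,0x7d,0x37,0x56,0x65,0xa7};
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
#define WIN_CERT_REVISION_2_0  0x0200
#define AUTH2_HDR_LEN 40 /* EFI_TIME (16) + WIN_CERTIFICATE (8) + CertType GUID (16) */

enum write_disposition { WRITE_SKIP_AUTH, WRITE_NEEDS_AUTH, WRITE_REJECT };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }

/* The four variables named in step 3 of the quoted spec text (plain char names for brevity; real UEFI names are CHAR16). */
static bool is_secure_boot_policy_var(const char *name, const efi_guid_t *guid)
{
    if (memcmp(guid, &EFI_GLOBAL_VARIABLE, 16) == 0)
        return strcmp(name, "PK") == 0 || strcmp(name, "KEK") == 0;
    if (memcmp(guid, &EFI_IMAGE_SECURITY_DATABASE_GUID, 16) == 0)
        return strcmp(name, "db") == 0 || strcmp(name, "dbx") == 0;
    return false;
}

/* Classify a time-based authenticated write: in setup mode the policy variables skip steps 4 and 5 (no descriptor
   needed); otherwise the data must begin with a well-formed EFI_VARIABLE_AUTHENTICATION_2 descriptor (PKCS#7 check not implemented here). */
enum write_disposition classify_var_write(bool setup_mode, const char *name, const efi_guid_t *guid,
                                          const uint8_t *data, size_t size)
{
    if (setup_mode && is_secure_boot_policy_var(name, guid))
        return WRITE_SKIP_AUTH;
    if (size < AUTH2_HDR_LEN)
        return WRITE_REJECT;
    uint32_t length = le32(data + 16);                 /* WIN_CERTIFICATE.dwLength */
    if (le16(data + 20) != WIN_CERT_REVISION_2_0 || le16(data + 22) != WIN_CERT_TYPE_EFI_GUID)
        return WRITE_REJECT;
    if (memcmp(data + 24, PKCS7_GUID_BYTES, 16) != 0)  /* WIN_CERTIFICATE_UEFI_GUID.CertType */
        return WRITE_REJECT;
    if (length < 24 || length > size - 16)             /* dwLength = 8 + 16 + CertData, must fit in data */
        return WRITE_REJECT;
    return WRITE_NEEDS_AUTH;
}
/* Constructed sample: zero EFI_TIME, then dwLength = 28 (8 + 16 + 4 bytes of dummy CertData). */
static const uint8_t SAMPLE_AUTH2[44] = { [16] = 0x1c, 0, 0, 0, 0x00, 0x02, 0xf1, 0x0e,
    0x9d,0xd2,0xaf,0x4a,0xdf,0x68,0xee,0x49,0x8a,0xa9,0x34,0x7d,0x37,0x56,0x65,0xa7, 0xde,0xad,0xbe,0xef };
```

The same spec text means the exemption depends on both the name and the vendor GUID, so a "db" written under EFI_GLOBAL_VARIABLE is not exempt even in setup mode.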