On Fri, Feb 03, 2023 at 11:49:07AM +0100, Ard Biesheuvel wrote: > On Fri, 20 Jan 2023 at 23:59, Jan Bobek <jbo...@nvidia.com> wrote: > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506 > > > > In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring > > self-signed PK when SECURE_BOOT_ENABLE is TRUE. > > > > Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org> > > Cc: Leif Lindholm <quic_llind...@quicinc.com> > > Cc: Sami Mujawar <sami.muja...@arm.com> > > Cc: Gerd Hoffmann <kra...@redhat.com> > > Signed-off-by: Jan Bobek <jbo...@nvidia.com> > > I have no problems with this patch, but I wonder if we need it. I > suppose this is intended to retain the previous behavior, but i don't > think that makes sense at all. Secure boot support in ArmVirtPkg is > not production quality in any case, and self-signed PKs are rather > pointless too, so I think we should just go with the new default > behavior of allowing unsigned PKs.
Hmm, reading this (and the bugzilla entry) I'm wondering what the point in requiring a self-signed PK is. I can't think of a case where this brings a benefit. Shouldn't we just relax the requirement everywhere, especially given that this is what the spec asks for? take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#99565): https://edk2.groups.io/g/devel/message/99565 Mute This Topic: https://groups.io/mt/96412384/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
