Hi Laszlo, Chao,
Sorry for late response in this thread.
I review Mantis#1983 and this discussion again. I agree with Laszlo.
1. UEFI spec 2.8 is not very clear about PK validation in Setup mode.
2. This patch only reduce the complexity of update PK process.
Having a FeaturePCD to control this kind of behavior in EDK2 is weird. That only make things more complicated to me.
To simplify and make things clear, updating PK shall always be signed in both Setup Mode and User Mode.
Anyway, I agree with Laszlo and I'm good with current implementation now.