Subject: Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode
To: Zhang, Chao B, devel@edk2.groups.io
From: "Lin, Derek (HPS SW)"
Date: Thu, 22 Aug 2019 20:20:53 -0700
Message-ID: <19963.1566530453572108137@groups.io>

Hi Laszlo, Chao,

Sorry for the late response in this thread.
I reviewed Mantis#1983 and this discussion again. I agree with Laszlo.

1. UEFI spec 2.8 is not very clear about PK validation in Setup mode.
2. This patch only reduces the complexity of the PK update process.

Having a FeaturePCD to control this kind of behavior in EDK2 is weird. That only makes things more complicated to me.
To simplify and make things clear, updating PK shall always be signed in both Setup Mode and User Mode.

Anyway, I agree with Laszlo and I'm good with the current implementation now.