Patch is attached from group.io.

Since ECR785, which is added UEFI 2.3.1 errata A, enrolling a PK in setup mode doesn't need to verify the PK.

Below is the sentence about it in UEFI spec

```

3. If the firmware is in setup mode and the variable is one of:

- The global PK variable;

- The global KEK variable;

- The "db" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID; or

- The "dbx" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID,

then the firmware implementation shall consider the checks in the following steps 4 and 5 to

have passed, and proceed with updating the variable value as outlined below.

```

The step 4 is to verify the signature and the step 5 is to verify the cert.

 

After this change, when system is in Setup mode, setting a PK does not require authenticated variable descriptor.

 

Signed-off-by: Derek Lin <derek.lin2@hpe.com>

Signed-off-by: cinnamon shia <cinnamon.shia@hpe.com>