Hi Derek,

Please file a Bugzilla for this issue. With it addressed,

    Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Thanks,

Jian

From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Zhang, Chao B
Sent: Tuesday, July 09, 2019 11:39 PM
To: devel@edk2.groups.io; derek.lin2@hpe.com
Subject: Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

Hi Derek:

   The patch is good to me.

   Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>

From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of derek.lin2@hpe.com
Sent: Tuesday, July 2, 2019 1:25 PM
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

Patch is attached from group.io.

Since ECR785, which was added in UEFI 2.3.1 errata A, enrolling a PK in setup mode doesn't need to verify the PK.

Below is the sentence about it in the UEFI spec:

```
3. If the firmware is in setup mode and the variable is one of:
- The global PK variable;
- The global KEK variable;
- The "db" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID; or
- The "dbx" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID,
then the firmware implementation shall consider the checks in the following steps 4 and 5 to
have passed, and proceed with updating the variable value as outlined below.
```

Step 4 is to verify the signature and step 5 is to verify the cert.

After this change, when the system is in Setup mode, setting a PK does not require an authenticated variable descriptor.

Signed-off-by: Derek Lin <derek.lin2@hpe.com>

Signed-off-by: cinnamon shia <cinnamon.shia@hpe.com>
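The spec rule quoted in the patch description, as an added C example that is not part of Derek's patch or of edk2's AuthVariableLib: the EfiGuid stand-in, the SecureBootMode enum, AuthChecksWaived and the simulated WritePk are assumptions for illustration; the two GUID values are those the UEFI spec defines.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for EFI_GUID, enough for byte-wise comparison (assumption). */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EfiGuid;

/* Vendor GUIDs as defined by the UEFI specification. */
static const EfiGuid EFI_GLOBAL_VARIABLE =
  {0x8BE4DF61, 0x93CA, 0x11d2, {0xAA, 0x0D, 0x00, 0xE0, 0x98, 0x03, 0x2B, 0x8C}};
static const EfiGuid EFI_IMAGE_SECURITY_DATABASE_GUID =
  {0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f}};

/* Hypothetical platform state: SETUP_MODE until a non-empty PK is enrolled. */
typedef enum { USER_MODE = 0, SETUP_MODE = 1 } SecureBootMode;

static bool GuidEq(const EfiGuid *a, const EfiGuid *b) {
  return memcmp(a, b, sizeof(EfiGuid)) == 0;
}

/* Step 3 of the spec's authenticated-write algorithm: in setup mode the
 * signature check (step 4) and certificate check (step 5) are deemed passed
 * for PK, KEK, db and dbx only; every other variable is still verified. */
bool AuthChecksWaived(SecureBootMode mode, const char *name, const EfiGuid *vendor) {
  if (mode != SETUP_MODE)
    return false;
  if (GuidEq(vendor, &EFI_GLOBAL_VARIABLE))
    return strcmp(name, "PK") == 0 || strcmp(name, "KEK") == 0;
  if (GuidEq(vendor, &EFI_IMAGE_SECURITY_DATABASE_GUID))
    return strcmp(name, "db") == 0 || strcmp(name, "dbx") == 0;
  return false;
}

/* Simulated PK enrollment (assumption). payloadVerified stands for the result
 * of steps 4/5 that a real implementation computes over the
 * EFI_VARIABLE_AUTHENTICATION_2 descriptor. Enrolling a non-empty PK moves the
 * platform to user mode, so the waiver covers the first PK write only. */
bool WritePk(SecureBootMode *mode, bool payloadVerified) {
  if (!AuthChecksWaived(*mode, "PK", &EFI_GLOBAL_VARIABLE) && !payloadVerified)
    return false;          /* user mode: an unverified PK update is rejected */
  *mode = USER_MODE;       /* non-empty PK set: leave setup mode */
  return true;
}
```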