Please file a Bugzilla for this issue. With it addressed,
Jian
Hi Derek:
The patch is good to me.
Reviewed-by : Chao Zhang <chao.b.zhang@intel.com>
From:
devel@edk2.groups.io [mailto:devel@edk2.groups.io]
On Behalf Of derek.lin2@hpe.com
Sent: Tuesday, July 2, 2019 1:25 PM
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode
Patch is attached from group.io.
Since ECR785, which is added UEFI 2.3.1 errata A, enrolling a PK in setup mode doesn't need to verify the PK.
Below is the sentence about it in UEFI spec
```
3. If the firmware is in setup mode and the variable is one of:
- The global PK variable;
- The global KEK variable;
- The "db" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID; or
- The "dbx" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID,
then the firmware implementation shall consider the checks in the following steps 4 and 5 to
have passed, and proceed with updating the variable value as outlined below.
```
The step 4 is to verify the signature and the step 5 is to verify the cert.
After this change, when system is in Setup mode, setting a PK does not require authenticated variable descriptor.
Signed-off-by: Derek Lin <derek.lin2@hpe.com>
Signed-off-by: cinnamon shia <cinnamon.shia@hpe.com>