The patch is attached from groups.io.
Since ECR785, which was added in UEFI 2.3.1 errata A, enrolling a PK in setup mode
doesn't need to verify the PK.
Below is the sentence about it in the UEFI spec:
```
3. If the firmware is in setup mode and the variable is one of:
- The global PK variable;
- The global KEK variable;
- The "db" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID; or
- The "dbx" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID,
then the firmware implementation shall consider the checks in the following
steps 4 and 5 to have passed, and proceed with updating the variable value as
outlined below.
```
Step 4 is to verify the signature and step 5 is to verify the cert.

After this change, when the system is in Setup mode, setting a PK does not require
an authenticated variable descriptor.

Signed-off-by: Derek Lin <derek.l...@hpe.com>
Signed-off-by: cinnamon shia <cinnamon.s...@hpe.com>

View/Reply Online (#43150): https://edk2.groups.io/g/devel/message/43150

Attachment: 0001-SecurityPkg-Don-t-Verify-the-enrolled-PK-in-setup-mo.patch
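Added example (not part of this message and not the attached SecurityPkg patch): a stand-alone C model of the step-3 rule quoted in the message, generalized to all four variables it names. In setup mode a write to PK, KEK, db or dbx is accepted without an EFI_VARIABLE_AUTHENTICATION_2 descriptor; any other variable, or any of the four outside setup mode, must carry a structurally valid descriptor before steps 4 and 5 would run. The GUIDs, attribute bit and structure layouts are the ones the UEFI specification defines; the function and enum names are invented here, variable names are char rather than CHAR16 for brevity, the requirement that EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS be set in both modes is this model's assumption (the quoted text covers only step 3), and PKCS#7 signature verification itself is not modeled. The sample descriptor is constructed and carries no real signature.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;

/* EFI_GLOBAL_VARIABLE: vendor GUID of PK and KEK */
static const EFI_GUID EFI_GLOBAL_VARIABLE_GUID =
  { 0x8BE4DF61, 0x93CA, 0x11d2, { 0xAA, 0x0D, 0x00, 0xE0, 0x98, 0x03, 0x2B, 0x8C } };
/* EFI_IMAGE_SECURITY_DATABASE_GUID: vendor GUID of db and dbx */
static const EFI_GUID EFI_IMAGE_SECURITY_DATABASE_GUID =
  { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f } };
/* EFI_CERT_TYPE_PKCS7_GUID: the only CertType allowed in an AUTHENTICATION_2 descriptor */
static const EFI_GUID EFI_CERT_TYPE_PKCS7_GUID =
  { 0x4aafd29d, 0x68df, 0x49ee, { 0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7 } };

#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020u
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1u

/* Spec layouts; 16 + 8 + 16 = 40 bytes with no padding on common ABIs. */
typedef struct { uint16_t Year; uint8_t Month, Day, Hour, Minute, Second, Pad1;
                 uint32_t Nanosecond; int16_t TimeZone; uint8_t Daylight, Pad2; } EFI_TIME;
typedef struct { uint32_t dwLength; uint16_t wRevision; uint16_t wCertificateType; } WIN_CERTIFICATE;
typedef struct { WIN_CERTIFICATE Hdr; EFI_GUID CertType; /* CertData[] follows */ } WIN_CERTIFICATE_UEFI_GUID;
typedef struct { EFI_TIME TimeStamp; WIN_CERTIFICATE_UEFI_GUID AuthInfo; } EFI_VARIABLE_AUTHENTICATION_2;

typedef enum {
  AUTHVAR_SETUP_MODE_BYPASS,        /* step 3: steps 4 and 5 are considered passed */
  AUTHVAR_NEEDS_SIGNATURE_CHECK,    /* descriptor is well-formed; steps 4 and 5 must run */
  AUTHVAR_REJECT_MISSING_ATTRIBUTE,
  AUTHVAR_REJECT_BAD_DESCRIPTOR
} AUTHVAR_VERDICT;

static bool GuidEqual(const EFI_GUID *A, const EFI_GUID *B) { return memcmp(A, B, sizeof *A) == 0; }

/* The four variables step 3 names: the name and the vendor GUID must both match. */
static bool IsSecureBootPolicyVariable(const char *Name, const EFI_GUID *Vendor) {
  if (GuidEqual(Vendor, &EFI_GLOBAL_VARIABLE_GUID))
    return strcmp(Name, "PK") == 0 || strcmp(Name, "KEK") == 0;
  if (GuidEqual(Vendor, &EFI_IMAGE_SECURITY_DATABASE_GUID))
    return strcmp(Name, "db") == 0 || strcmp(Name, "dbx") == 0;
  return false;
}

/* Decide whether a SetVariable() of a time-based authenticated variable has to go through
 * signature (step 4) and certificate (step 5) verification. Only descriptor shape is checked. */
AUTHVAR_VERDICT ClassifyAuthVarWrite(bool SetupMode, const char *Name, const EFI_GUID *Vendor,
                                     uint32_t Attributes, const uint8_t *Data, size_t DataSize) {
  /* Model assumption: the attribute is required in both modes (not part of the quoted step 3). */
  if (!(Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS))
    return AUTHVAR_REJECT_MISSING_ATTRIBUTE;

  /* Step 3: in setup mode PK/KEK/db/dbx are stored as-is, so Data need not carry a descriptor. */
  if (SetupMode && IsSecureBootPolicyVariable(Name, Vendor))
    return AUTHVAR_SETUP_MODE_BYPASS;

  /* Otherwise Data must begin with a complete EFI_VARIABLE_AUTHENTICATION_2 descriptor. */
  if (Data == NULL || DataSize < sizeof(EFI_VARIABLE_AUTHENTICATION_2))
    return AUTHVAR_REJECT_BAD_DESCRIPTOR;
  EFI_VARIABLE_AUTHENTICATION_2 Desc;
  memcpy(&Desc, Data, sizeof Desc);   /* copy out: caller's buffer may be unaligned */
  if (Desc.AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID ||
      !GuidEqual(&Desc.AuthInfo.CertType, &EFI_CERT_TYPE_PKCS7_GUID))
    return AUTHVAR_REJECT_BAD_DESCRIPTOR;
  /* dwLength covers the WIN_CERTIFICATE_UEFI_GUID header plus CertData and must fit in Data. */
  if (Desc.AuthInfo.Hdr.dwLength < sizeof(WIN_CERTIFICATE_UEFI_GUID) ||
      Desc.AuthInfo.Hdr.dwLength > DataSize - sizeof(EFI_TIME))
    return AUTHVAR_REJECT_BAD_DESCRIPTOR;
  return AUTHVAR_NEEDS_SIGNATURE_CHECK;
}

/* Constructed sample payload (not a real key). */
static const uint8_t SampleRawPayload[4] = { 0x01, 0x02, 0x03, 0x04 };

/* Builds a structurally valid descriptor followed by CertDataLen opaque bytes (constructed, unsigned). */
size_t BuildSampleDescriptor(uint8_t *Buf, size_t Cap, size_t CertDataLen) {
  size_t Total = sizeof(EFI_VARIABLE_AUTHENTICATION_2) + CertDataLen;
  if (Cap < Total) return 0;
  EFI_VARIABLE_AUTHENTICATION_2 Desc;
  memset(&Desc, 0, sizeof Desc);
  Desc.TimeStamp.Year = 2019; Desc.TimeStamp.Month = 7; Desc.TimeStamp.Day = 1;
  Desc.AuthInfo.Hdr.dwLength = (uint32_t)(sizeof(WIN_CERTIFICATE_UEFI_GUID) + CertDataLen);
  Desc.AuthInfo.Hdr.wRevision = 0x0200;
  Desc.AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
  Desc.AuthInfo.CertType = EFI_CERT_TYPE_PKCS7_GUID;
  memcpy(Buf, &Desc, sizeof Desc);
  memset(Buf + sizeof Desc, 0xAA, CertDataLen);
  return Total;
}

/* The same db write in user mode, once with a descriptor and once with the raw payload only. */
AUTHVAR_VERDICT ClassifySampleUserModeDbWrite(bool WithDescriptor) {
  uint8_t Buf[64];
  size_t Len = BuildSampleDescriptor(Buf, sizeof Buf, 3);
  const uint8_t *Data = WithDescriptor ? Buf : SampleRawPayload;
  size_t Size = WithDescriptor ? Len : sizeof SampleRawPayload;
  return ClassifyAuthVarWrite(false, "db", &EFI_IMAGE_SECURITY_DATABASE_GUID,
                              EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, Data, Size);
}
```

The point to take from the model is that the bypass is keyed on both the mode and the exact variable identity (name plus vendor GUID): a "PK" under the wrong GUID, or a vendor's own authenticated variable, still needs a descriptor even in setup mode, and once the system leaves setup mode a raw payload for PK is rejected before any signature is looked at.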
