Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

2019-08-22 Thread Lin, Derek (HPS SW)
Hi Laszlo, Chao, Sorry for the late response in this thread. I reviewed Mantis#1983 and this discussion again. I agree with Laszlo. 1. UEFI spec 2.8 is not very clear about PK validation in Setup mode. 2. This patch only reduces the complexity of the PK update process. Having a FeaturePCD to control this

Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

2019-07-11 Thread Laszlo Ersek
On 07/11/19 05:20, Zhang, Chao B wrote: > Hi Laszlo: > There is a discussion over this issue in UEFI Mantis > https://mantis.uefi.org/mantis/view.php?id=1983 > The justification lies here: > Spec perspective: > Section 8.2.2 : In SetupMode Secure Boot Policy variables shall consider >

Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

2019-07-10 Thread Zhang, Chao B
Presence Asserted. From: Laszlo Ersek [mailto:ler...@redhat.com] Sent: Thursday, July 11, 2019 1:04 AM To: devel@edk2.groups.io; Wang, Jian J ; Zhang, Chao B ; Derek Lin ; Cinnamon Shia Subject: Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode Hi, On 07/10/19

Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

2019-07-10 Thread Laszlo Ersek
ent: Tuesday, July 09, 2019 11:39 PM > To: devel@edk2.groups.io; derek.l...@hpe.com > Subject: Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK > in setup mode > > Hi Derek: >The patch is good to me. >Reviewed-by : Chao Zhang > mailto:chao.b.

Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

2019-07-10 Thread Wang, Jian J
devel@edk2.groups.io; derek.l...@hpe.com Subject: Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode Hi Derek: The patch is good to me. Reviewed-by : Chao Zhang mailto:chao.b.zh...@intel.com>> From: devel@edk2.groups.io<mailto:devel@edk2.groups.io&

Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

2019-07-09 Thread Zhang, Chao B
Hi Derek: The patch is good to me. Reviewed-by : Chao Zhang From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of derek.l...@hpe.com Sent: Tuesday, July 2, 2019 1:25 PM To: devel@edk2.groups.io Subject: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK

Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

2019-07-04 Thread Lin, Derek (HPS SW)
Add SecurityPkg maintainers. Thanks, Derek From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of derek.l...@hpe.com Sent: Tuesday, July 2, 2019 1:25 PM To: devel@edk2.groups.io Subject: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode Patch

[edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

2019-07-01 Thread derek . lin2
Patch is attached from groups.io. Since ECR785, which was added in UEFI 2.3.1 errata A, enrolling a PK in setup mode doesn't need to verify the PK. Below is the sentence about it in the UEFI spec ``` 3. If the firmware is in setup mode and the variable is one of: - The global PK variable; - The global KEK