Hi Laszlo, Chao,
Sorry for the late response in this thread.
I reviewed Mantis#1983 and this discussion again. I agree with Laszlo.
1. UEFI spec 2.8 is not very clear about PK validation in Setup mode.
2. This patch only reduces the complexity of the PK update process.
Having a FeaturePCD to control this
On 07/11/19 05:20, Zhang, Chao B wrote:
> Hi Laszlo:
> There is a discussion over this issue in UEFI Mantis
> https://mantis.uefi.org/mantis/view.php?id=1983
> The justification lies here:
> Spec perspective:
> Section 8.2.2 : In SetupMode Secure Boot Policy variables shall consider
> Presence Asserted.
From: Laszlo Ersek [mailto:ler...@redhat.com]
Sent: Thursday, July 11, 2019 1:04 AM
To: devel@edk2.groups.io; Wang, Jian J; Zhang, Chao B; Derek Lin; Cinnamon Shia
Subject: Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode
Hi,
On 07/10/19
> Sent: Tuesday, July 09, 2019 11:39 PM
> To: devel@edk2.groups.io; derek.l...@hpe.com
> Subject: Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode
>
> Hi Derek:
> The patch is good to me.
> Reviewed-by: Chao Zhang
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of
derek.l...@hpe.com
Sent: Tuesday, July 2, 2019 1:25 PM
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK
Add SecurityPkg maintainers.
Thanks,
Derek
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of
derek.l...@hpe.com
Sent: Tuesday, July 2, 2019 1:25 PM
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode
Patch is attached from group.io.
Since ECR785, which was added in UEFI 2.3.1 errata A, enrolling a PK in setup mode
doesn't need to verify the PK.
Below is the sentence about it in the UEFI spec:
```
3. If the firmware is in setup mode and the variable is one of:
- The global PK variable;
- The global KEK