[edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

Wang, Jian J jian.j.wang at intel.com
Wed Jul 10 08:50:24 UTC 2019


Hi Derek,

Please file a Bugzilla for this issue. With it addressed,

    Reviewed-by: Jian J Wang <jian.j.wang at intel.com>

Thanks,
Jian
From: devel at edk2.groups.io [mailto:devel at edk2.groups.io] On Behalf Of Zhang, Chao B
Sent: Tuesday, July 09, 2019 11:39 PM
To: devel at edk2.groups.io; derek.lin2 at hpe.com
Subject: Re: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

Hi Derek:
   The patch is good to me.
   Reviewed-by: Chao Zhang <chao.b.zhang at intel.com>

From: devel at edk2.groups.io [mailto:devel at edk2.groups.io] On Behalf Of derek.lin2 at hpe.com
Sent: Tuesday, July 2, 2019 1:25 PM
To: devel at edk2.groups.io
Subject: [edk2-devel] [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

Patch is attached from group.io.
Since ECR785, which was added in UEFI 2.3.1 errata A, enrolling a PK in setup mode doesn't need to verify the PK.
Below is the sentence about it in the UEFI spec:
```
3. If the firmware is in setup mode and the variable is one of:
- The global PK variable;
- The global KEK variable;
- The "db" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID; or
- The "dbx" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID,
then the firmware implementation shall consider the checks in the following steps 4 and 5 to
have passed, and proceed with updating the variable value as outlined below.
```
Step 4 is to verify the signature and step 5 is to verify the cert.

After this change, when the system is in Setup mode, setting a PK does not require an authenticated variable descriptor.

Signed-off-by: Derek Lin <derek.lin2 at hpe.com>
Signed-off-by: cinnamon shia <cinnamon.shia at hpe.com>
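As an added illustration (not the attached patch and not EDK2's own code), the decision that spec step 3 describes, plus the setup-mode/user-mode transition that a PK write or delete causes, modelled in C. The GUID values are the real ones from the UEFI spec; the struct, function and state names are simplified stand-ins for the EDK2 ones.

```c
/* Added example: models UEFI spec step 3 for authenticated-variable writes.
 * EFI_GUID and the function names are simplified stand-ins, not EDK2 code. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } EFI_GUID;

/* Real GUID values from the UEFI spec. */
static const EFI_GUID gEfiGlobalVariableGuid =
  { 0x8BE4DF61, 0x93CA, 0x11D2, { 0xAA, 0x0D, 0x00, 0xE0, 0x98, 0x03, 0x2B, 0x8C } };
static const EFI_GUID gEfiImageSecurityDatabaseGuid =
  { 0xD719B2CB, 0x3D3A, 0x4596, { 0xA3, 0xBC, 0xDA, 0xD0, 0x0E, 0x67, 0x65, 0x6F } };

#define SETUP_MODE 1
#define USER_MODE  0

static bool GuidEq(const EFI_GUID *a, const EFI_GUID *b) {
  return memcmp(a, b, sizeof(EFI_GUID)) == 0;   /* 16 bytes, no padding */
}

/* Step 3: in setup mode, writes to PK/KEK/db/dbx are treated as if the
 * signature (step 4) and certificate (step 5) checks had passed.
 * Returns true when those checks must actually be run. */
bool AuthCheckRequired(uint8_t SetupMode, const char *Name, const EFI_GUID *Guid) {
  bool SecureBootVar =
    (GuidEq(Guid, &gEfiGlobalVariableGuid) &&
     (strcmp(Name, "PK") == 0 || strcmp(Name, "KEK") == 0)) ||
    (GuidEq(Guid, &gEfiImageSecurityDatabaseGuid) &&
     (strcmp(Name, "db") == 0 || strcmp(Name, "dbx") == 0));
  if (SecureBootVar && SetupMode == SETUP_MODE) return false;  /* step 3 */
  return true;  /* any other authenticated variable: run steps 4 and 5 */
}

/* Minimal PK model: a non-empty PK write leaves setup mode, a zero-length
 * (delete) write re-enters it. `Verified` stands for the outcome of
 * steps 4 and 5 when they are run. */
typedef struct { uint8_t SetupMode; bool PkPresent; } PlatformState;

bool SetPk(PlatformState *S, size_t DataSize, bool Verified) {
  if (AuthCheckRequired(S->SetupMode, "PK", &gEfiGlobalVariableGuid) && !Verified)
    return false;                 /* rejected, i.e. EFI_SECURITY_VIOLATION */
  S->PkPresent = DataSize > 0;
  S->SetupMode = S->PkPresent ? USER_MODE : SETUP_MODE;
  return true;
}

/* Walks the enrol / reject / verified-delete sequence; true if all behave. */
bool PkEnrollmentScenario(void) {
  PlatformState S = { SETUP_MODE, false };
  if (!SetPk(&S, 1024, false) || S.SetupMode != USER_MODE) return false;
  if (SetPk(&S, 1024, false)) return false;   /* user mode: unsigned PK refused */
  if (!SetPk(&S, 0, true) || S.SetupMode != SETUP_MODE) return false;
  return true;
}
```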


