sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SecurityPkg: limit verification of enrolled PK in setup mode

Browse Source 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506

Per UEFI spec, enrolling a new PK in setup mode should not require a
self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk
to control this requirement. Default to TRUE in order to preserve the
legacy behavior.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Co-authored-by: Matthew Carlson <macarl@microsoft.com>
Signed-off-by: Jan Bobek <jbobek@nvidia.com>
Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
Acked-by: Jiewen Yao <jiewen.yao@intel.com>
This commit is contained in:
Jan Bobek
2023-01-21 06:58:32 +08:00
committed by mergify[bot]
parent 7c138e4008
commit 566cdfc675
3 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
View File

@@ -86,3 +86,6 @@
gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
[FeaturePcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk