sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SecurityPkg: limit verification of enrolled PK in setup mode

Browse Source 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506

Per UEFI spec, enrolling a new PK in setup mode should not require a
self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk
to control this requirement. Default to TRUE in order to preserve the
legacy behavior.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Co-authored-by: Matthew Carlson <macarl@microsoft.com>
Signed-off-by: Jan Bobek <jbobek@nvidia.com>
Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
Acked-by: Jiewen Yao <jiewen.yao@intel.com>
This commit is contained in:
Jan Bobek
2023-01-21 06:58:32 +08:00
committed by mergify[bot]
parent 7c138e4008
commit 566cdfc675
3 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
SecurityPkg/SecurityPkg.dec
View File

@@ -580,5 +580,12 @@
## This PCD records LASA field in CC EVENTLOG ACPI table.
gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026
[PcdsFeatureFlag]
## Indicates if the platform requires PK to be self-signed when setting the PK in setup mode.
# TRUE - Require PK to be self-signed.
# FALSE - Do not require PK to be self-signed.
# @Prompt Require PK to be self-signed
gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x00010027
[UserExtensions.TianoCore."ExtraFiles"]
SecurityPkgExtra.uni