From cc18c503e03e64860e3587f7aa54b6beccd41fb2 Mon Sep 17 00:00:00 2001 From: Jan Bobek Date: Sat, 21 Jan 2023 06:58:35 +0800 Subject: SecurityPkg: don't require PK to be self-signed by default REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506 Change the default value of PcdRequireSelfSignedPk to FALSE in accordance with UEFI spec, which states that PK need not be self-signed when enrolling in setup mode. Note that this relaxes the legacy behavior, which required the PK to be self-signed in this case. Cc: Jiewen Yao Cc: Jian J Wang Signed-off-by: Jan Bobek Reviewed-by: Sean Brogan Acked-by: Jiewen Yao --- SecurityPkg/SecurityPkg.dec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'SecurityPkg/SecurityPkg.dec') diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index d3b7ad7..0382090 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -585,7 +585,7 @@ # TRUE - Require PK to be self-signed. # FALSE - Do not require PK to be self-signed. # @Prompt Require PK to be self-signed - gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x00010027 + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|FALSE|BOOLEAN|0x00010027 [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni -- cgit v1.1
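Review bot: In the SecurityPkg.dec hunk at line 585, flipping PcdRequireSelfSignedPk from TRUE to FALSE changes the effective behaviour of every platform that inherits the DEC default without overriding it, yet the comment block above the declaration still only reads "TRUE - Require PK to be self-signed" and "FALSE - Do not require PK to be self-signed". It does not mention the setup-mode scope that the commit message describes, nor that the relaxed value is now the default. Suggest extending that comment to say the check applies to PK enrollment in setup mode and that platforms wanting the legacy behaviour must set the PCD to TRUE in their own platform description. Separately, the token is declared under gEfiMdeModulePkgTokenSpaceGuid inside SecurityPkg.dec, and this patch keeps it that way on both the removed and the added line; worth confirming that this token space is the intended one for a SecurityPkg PCD.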