SecurityPkg: limit verification of enrolled PK in setup mode

[mirror_edk2.git] / SecurityPkg / Library / AuthVariableLib / AuthService.c

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 9beeca09aebaf5dfa0afd1040a2b43b4ed5575f1..452ed491eaac90530e003ca6f67487b5fee5e0c1 100644 (file)
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -603,7 +603,10 @@ ProcessVarWithPk (
   // Init state of Del. State may change due to secure check\r
   //\r
   Del = FALSE;\r
-  if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode == SETUP_MODE) && !IsPk)) {\r
+  if (  (InCustomMode () && UserPhysicalPresent ())\r
+     || (  (mPlatformMode == SETUP_MODE)\r
+        && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)))\r
+  {\r
     Payload     = (UINT8 *)Data + AUTHINFO2_SIZE (Data);\r
     PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
     if (PayloadSize == 0) {\r
@@ -627,7 +630,9 @@ ProcessVarWithPk (
       return Status;\r
     }\r
 \r
-    if ((mPlatformMode != SETUP_MODE) || IsPk) {\r
+    if (  (mPlatformMode != SETUP_MODE)\r
+       || (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))\r
+    {\r
       Status = VendorKeyIsModified ();\r
     }\r
   } else if (mPlatformMode == USER_MODE) {\r