[Code First]: Allow KEK self-signed append operations #12159

@jyao1


Code First Item Overview

Current UEFI Spec

8.2.6. Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor (https://uefi.org/specs/UEFI/2.10/08_Services_Runtime_Services.html?highlight=efi_variable_authentication_2#using-the-efi-variable-authentication-2-descriptor)

If the variable is the global PK variable or the global KEK variable, verify that the signature has been made with the current Platform Key.

32.3. Firmware/OS Key Exchange: Creating Trust Relationship (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html?highlight=enrolling%20key%20exchange%20keys#firmware-os-key-exchange-creating-trust-relationships)

The platform is in setup mode, in which case the variable can be written without a signature validation, but the *SetVariable()* call needs to be formatted in accordance with the procedure for authenticated variables in :ref:`using-the-efi-variable-authentication-3-descriptor`.

Problem: Today, performing a KEK update requires the KEK authority to request PK-signed updates from every OEM (including those they do not have a business relationship with). This creates a complex update story that takes years to complete, with high cost to the ecosystem by every OEM.

[Proposal]: Allow for KEK self-signed KEK Append Operations

What specification(s) are directly related?

UEFI

Anything else?

No response
