man: update PCR and Secure Boot key names and paths

author: cvlc12 <cvlc12@outlook.fr> 2024-09-11 20:18:26 +0200
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2024-09-19 22:01:15 +0200
commit: dbf5b09de40a9d22b67611524bea12feae657462 (patch)
tree: cc202d714672e25d93518c3912322f0373154c8d /man/ukify.xml
parent: firstboot: Prompt for keymap (diff)
download: systemd-dbf5b09de40a9d22b67611524bea12feae657462.tar.xz
systemd-dbf5b09de40a9d22b67611524bea12feae657462.zip
1 files changed, 20 insertions, 20 deletions
diff --git a/man/ukify.xml b/man/ukify.xml
index 983e89c270..a11eb85c91 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -619,11 +619,11 @@
       --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
       --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
       uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
-      --pcr-private-key=pcr-private-initrd-key.pem \
-      --pcr-public-key=pcr-public-initrd-key.pem \
+      --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
+      --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
       --phases='enter-initrd' \
-      --pcr-private-key=pcr-private-system-key.pem \
-      --pcr-public-key=pcr-public-system-key.pem \
+      --pcr-private-key=tpm2-pcr-private-key-system.pem \
+      --pcr-public-key=tpm2-pcr-public-key-system.pem \
       --phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \
                 enter-initrd:leave-initrd:sysinit:ready' \
       --pcr-banks=sha384,sha512 \
@@ -638,9 +638,9 @@
       and <filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>.
       The policy embedded in the <literal>.pcrsig</literal> section will be signed for the initrd (the
       <constant>enter-initrd</constant> phase) with the key
-      <filename index='false'>pcr-private-initrd-key.pem</filename>, and for the main system (phases
+      <filename index='false'>tpm2-pcr-private-key-initrd.pem</filename>, and for the main system (phases
       <constant>leave-initrd</constant>, <constant>sysinit</constant>, <constant>ready</constant>) with the
-      key <filename index='false'>pcr-private-system-key.pem</filename>. The Linux binary and the resulting
+      key <filename index='false'>tpm2-pcr-private-key-system.pem</filename>. The Linux binary and the resulting
       combined image will be signed with the SecureBoot key <filename index='false'>sb.key</filename>.</para>
     </example>
 
@@ -655,19 +655,19 @@
 Initrd=early_cpio
 Cmdline=quiet rw rhgb
 
-SecureBootPrivateKey=sb.key
-SecureBootCertificate=sb.cert
+SecureBootPrivateKey=secure-boot-key.pem
+SecureBootCertificate=secure-boot-certificate.pem
 SignKernel=yes
 PCRBanks=sha384,sha512
 
 [PCRSignature:initrd]
-PCRPrivateKey=pcr-private-initrd-key.pem
-PCRPublicKey=pcr-public-initrd-key.pem
+PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
+PCRPublicKey=tpm2-pcr-public-key-initrd.pem
 Phases=enter-initrd
 
 [PCRSignature:system]
-PCRPrivateKey=pcr-private-system-key.pem
-PCRPublicKey=pcr-public-system-key.pem
+PCRPrivateKey=tpm2-pcr-private-key-system.pem
+PCRPublicKey=tpm2-pcr-public-key-system.pem
 Phases=enter-initrd:leave-initrd
        enter-initrd:leave-initrd:sysinit
        enter-initrd:leave-initrd:sysinit:ready
@@ -687,8 +687,8 @@ $ ukify -c ukify.conf build \
       <title>Kernel command line PE addon</title>
 
       <programlisting>ukify build \
-      --secureboot-private-key=sb.key \
-      --secureboot-certificate=sb.cert \
+      --secureboot-private-key=secure-boot-key.pem \
+      --secureboot-certificate=secure-boot-certificate.pem \
       --cmdline='debug' \
       --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
       uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
@@ -709,12 +709,12 @@ $ ukify -c ukify.conf build \
 
       <para>Next, we can generate the certificate and keys:</para>
       <programlisting># ukify genkey --config=/etc/kernel/uki.conf
-Writing SecureBoot private key to /etc/kernel/secure-boot.key.pem
-Writing SecureBoot certificate to /etc/kernel/secure-boot.cert.pem
-Writing private key for PCR signing to /etc/kernel/pcr-initrd.key.pem
-Writing public key for PCR signing to /etc/kernel/pcr-initrd.pub.pem
-Writing private key for PCR signing to /etc/kernel/pcr-system.key.pem
-Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
+Writing SecureBoot private key to /etc/kernel/secure-boot-key.pem
+Writing SecureBoot certificate to /etc/kernel/secure-boot-certificate.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
 </programlisting>
 
       <para>(Both operations need to be done as root to allow write access
author	cvlc12 <cvlc12@outlook.fr>	2024-09-11 20:18:26 +0200
committer	Yu Watanabe <watanabe.yu+github@gmail.com>	2024-09-19 22:01:15 +0200
commit	dbf5b09de40a9d22b67611524bea12feae657462 (patch)
tree	cc202d714672e25d93518c3912322f0373154c8d /man/ukify.xml
parent	firstboot: Prompt for keymap (diff)
download	systemd-dbf5b09de40a9d22b67611524bea12feae657462.tar.xz systemd-dbf5b09de40a9d22b67611524bea12feae657462.zip