diff --git a/man/uki.conf.example b/man/uki.conf.example
index 84a9f77b8d7..9fcae71e852 100644
--- a/man/uki.conf.example
+++ b/man/uki.conf.example
@@ -1,14 +1,14 @@
 [UKI]
-SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
-SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
+SecureBootPrivateKey=/etc/kernel/secure-boot-key.pem
+SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
 [PCRSignature:initrd]
 Phases=enter-initrd
-PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
-PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
+PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
+PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
 [PCRSignature:system]
 Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit enter-initrd:leave-initrd:sysinit:ready
-PCRPrivateKey=/etc/kernel/pcr-system.key.pem
-PCRPublicKey=/etc/kernel/pcr-system.pub.pem
+PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-system.pem
+PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-system.pem
diff --git a/man/ukify.xml b/man/ukify.xml
index 983e89c270e..a11eb85c917 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -619,11 +619,11 @@
 --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
 --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
- --pcr-private-key=pcr-private-initrd-key.pem \
- --pcr-public-key=pcr-public-initrd-key.pem \
+ --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
+ --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
 --phases='enter-initrd' \
- --pcr-private-key=pcr-private-system-key.pem \
- --pcr-public-key=pcr-public-system-key.pem \
+ --pcr-private-key=tpm2-pcr-private-key-system.pem \
+ --pcr-public-key=tpm2-pcr-public-key-system.pem \
 --phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \
 enter-initrd:leave-initrd:sysinit:ready' \
 --pcr-banks=sha384,sha512 \
@@ -638,9 +638,9 @@
 and initramfs-6.0.9-300.fc37.x86_64.img. The policy embedded in the .pcrsig section will be signed for the initrd (the enter-initrd phase) with the key
- pcr-private-initrd-key.pem, and for the main system (phases
+ tpm2-pcr-private-key-initrd.pem, and for the main system (phases
 leave-initrd, sysinit, ready) with the
- key pcr-private-system-key.pem. The Linux binary and the resulting
+ key tpm2-pcr-private-key-system.pem. The Linux binary and the resulting
 combined image will be signed with the SecureBoot key sb.key.
@@ -655,19 +655,19 @@ Initrd=early_cpio
 Cmdline=quiet rw rhgb
-SecureBootPrivateKey=sb.key
-SecureBootCertificate=sb.cert
+SecureBootPrivateKey=secure-boot-key.pem
+SecureBootCertificate=secure-boot-certificate.pem
 SignKernel=yes
 PCRBanks=sha384,sha512
 [PCRSignature:initrd]
-PCRPrivateKey=pcr-private-initrd-key.pem
-PCRPublicKey=pcr-public-initrd-key.pem
+PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
+PCRPublicKey=tpm2-pcr-public-key-initrd.pem
 Phases=enter-initrd
 [PCRSignature:system]
-PCRPrivateKey=pcr-private-system-key.pem
-PCRPublicKey=pcr-public-system-key.pem
+PCRPrivateKey=tpm2-pcr-private-key-system.pem
+PCRPublicKey=tpm2-pcr-public-key-system.pem
 Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit enter-initrd:leave-initrd:sysinit:ready
@@ -687,8 +687,8 @@ $ ukify -c ukify.conf build \
 Kernel command line PE addon
 ukify build \
- --secureboot-private-key=sb.key \
- --secureboot-certificate=sb.cert \
+ --secureboot-private-key=secure-boot-key.pem \
+ --secureboot-certificate=secure-boot-certificate.pem \
 --cmdline='debug' \
 --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
@@ -709,12 +709,12 @@ $ ukify -c ukify.conf build \
 Next, we can generate the certificate and keys:
 # ukify genkey --config=/etc/kernel/uki.conf
-Writing SecureBoot private key to /etc/kernel/secure-boot.key.pem
-Writing SecureBoot certificate to /etc/kernel/secure-boot.cert.pem
-Writing private key for PCR signing to /etc/kernel/pcr-initrd.key.pem
-Writing public key for PCR signing to /etc/kernel/pcr-initrd.pub.pem
-Writing private key for PCR signing to /etc/kernel/pcr-system.key.pem
-Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
+Writing SecureBoot private key to /etc/kernel/secure-boot-key.pem
+Writing SecureBoot certificate to /etc/kernel/secure-boot-certificate.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
 (Both operations need to be done as root to allow write access