man: update PCR and Secure Boot key names and paths
parent
939137abb4
commit
dbf5b09de4
@ -1,14 +1,14 @@
|
|||||||
[UKI]
|
[UKI]
|
||||||
SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
|
SecureBootPrivateKey=/etc/kernel/secure-boot-key.pem
|
||||||
SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
|
SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
|
||||||
|
|
||||||
[PCRSignature:initrd]
|
[PCRSignature:initrd]
|
||||||
Phases=enter-initrd
|
Phases=enter-initrd
|
||||||
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
|
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
|
||||||
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
|
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
|
||||||
|
|
||||||
[PCRSignature:system]
|
[PCRSignature:system]
|
||||||
Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
|
Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
|
||||||
enter-initrd:leave-initrd:sysinit:ready
|
enter-initrd:leave-initrd:sysinit:ready
|
||||||
PCRPrivateKey=/etc/kernel/pcr-system.key.pem
|
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-system.pem
|
||||||
PCRPublicKey=/etc/kernel/pcr-system.pub.pem
|
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-system.pem
|
||||||
|
@ -619,11 +619,11 @@
|
|||||||
--initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
|
--initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
|
||||||
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
|
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
|
||||||
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
|
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
|
||||||
--pcr-private-key=pcr-private-initrd-key.pem \
|
--pcr-private-key=tpm2-pcr-private-key-initrd.pem \
|
||||||
--pcr-public-key=pcr-public-initrd-key.pem \
|
--pcr-public-key=tpm2-pcr-public-key-initrd.pem \
|
||||||
--phases='enter-initrd' \
|
--phases='enter-initrd' \
|
||||||
--pcr-private-key=pcr-private-system-key.pem \
|
--pcr-private-key=tpm2-pcr-private-key-system.pem \
|
||||||
--pcr-public-key=pcr-public-system-key.pem \
|
--pcr-public-key=tpm2-pcr-public-key-system.pem \
|
||||||
--phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \
|
--phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \
|
||||||
enter-initrd:leave-initrd:sysinit:ready' \
|
enter-initrd:leave-initrd:sysinit:ready' \
|
||||||
--pcr-banks=sha384,sha512 \
|
--pcr-banks=sha384,sha512 \
|
||||||
@ -638,9 +638,9 @@
|
|||||||
and <filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>.
|
and <filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>.
|
||||||
The policy embedded in the <literal>.pcrsig</literal> section will be signed for the initrd (the
|
The policy embedded in the <literal>.pcrsig</literal> section will be signed for the initrd (the
|
||||||
<constant>enter-initrd</constant> phase) with the key
|
<constant>enter-initrd</constant> phase) with the key
|
||||||
<filename index='false'>pcr-private-initrd-key.pem</filename>, and for the main system (phases
|
<filename index='false'>tpm2-pcr-private-key-initrd.pem</filename>, and for the main system (phases
|
||||||
<constant>leave-initrd</constant>, <constant>sysinit</constant>, <constant>ready</constant>) with the
|
<constant>leave-initrd</constant>, <constant>sysinit</constant>, <constant>ready</constant>) with the
|
||||||
key <filename index='false'>pcr-private-system-key.pem</filename>. The Linux binary and the resulting
|
key <filename index='false'>tpm2-pcr-private-key-system.pem</filename>. The Linux binary and the resulting
|
||||||
combined image will be signed with the SecureBoot key <filename index='false'>sb.key</filename>.</para>
|
combined image will be signed with the SecureBoot key <filename index='false'>sb.key</filename>.</para>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
@ -655,19 +655,19 @@
|
|||||||
Initrd=early_cpio
|
Initrd=early_cpio
|
||||||
Cmdline=quiet rw rhgb
|
Cmdline=quiet rw rhgb
|
||||||
|
|
||||||
SecureBootPrivateKey=sb.key
|
SecureBootPrivateKey=secure-boot-key.pem
|
||||||
SecureBootCertificate=sb.cert
|
SecureBootCertificate=secure-boot-certificate.pem
|
||||||
SignKernel=yes
|
SignKernel=yes
|
||||||
PCRBanks=sha384,sha512
|
PCRBanks=sha384,sha512
|
||||||
|
|
||||||
[PCRSignature:initrd]
|
[PCRSignature:initrd]
|
||||||
PCRPrivateKey=pcr-private-initrd-key.pem
|
PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
|
||||||
PCRPublicKey=pcr-public-initrd-key.pem
|
PCRPublicKey=tpm2-pcr-public-key-initrd.pem
|
||||||
Phases=enter-initrd
|
Phases=enter-initrd
|
||||||
|
|
||||||
[PCRSignature:system]
|
[PCRSignature:system]
|
||||||
PCRPrivateKey=pcr-private-system-key.pem
|
PCRPrivateKey=tpm2-pcr-private-key-system.pem
|
||||||
PCRPublicKey=pcr-public-system-key.pem
|
PCRPublicKey=tpm2-pcr-public-key-system.pem
|
||||||
Phases=enter-initrd:leave-initrd
|
Phases=enter-initrd:leave-initrd
|
||||||
enter-initrd:leave-initrd:sysinit
|
enter-initrd:leave-initrd:sysinit
|
||||||
enter-initrd:leave-initrd:sysinit:ready
|
enter-initrd:leave-initrd:sysinit:ready
|
||||||
@ -687,8 +687,8 @@ $ ukify -c ukify.conf build \
|
|||||||
<title>Kernel command line PE addon</title>
|
<title>Kernel command line PE addon</title>
|
||||||
|
|
||||||
<programlisting>ukify build \
|
<programlisting>ukify build \
|
||||||
--secureboot-private-key=sb.key \
|
--secureboot-private-key=secure-boot-key.pem \
|
||||||
--secureboot-certificate=sb.cert \
|
--secureboot-certificate=secure-boot-certificate.pem \
|
||||||
--cmdline='debug' \
|
--cmdline='debug' \
|
||||||
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
|
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
|
||||||
uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
|
uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
|
||||||
@ -709,12 +709,12 @@ $ ukify -c ukify.conf build \
|
|||||||
|
|
||||||
<para>Next, we can generate the certificate and keys:</para>
|
<para>Next, we can generate the certificate and keys:</para>
|
||||||
<programlisting># ukify genkey --config=/etc/kernel/uki.conf
|
<programlisting># ukify genkey --config=/etc/kernel/uki.conf
|
||||||
Writing SecureBoot private key to /etc/kernel/secure-boot.key.pem
|
Writing SecureBoot private key to /etc/kernel/secure-boot-key.pem
|
||||||
Writing SecureBoot certificate to /etc/kernel/secure-boot.cert.pem
|
Writing SecureBoot certificate to /etc/kernel/secure-boot-certificate.pem
|
||||||
Writing private key for PCR signing to /etc/kernel/pcr-initrd.key.pem
|
Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
|
||||||
Writing public key for PCR signing to /etc/kernel/pcr-initrd.pub.pem
|
Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
|
||||||
Writing private key for PCR signing to /etc/kernel/pcr-system.key.pem
|
Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
|
||||||
Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
|
Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>(Both operations need to be done as root to allow write access
|
<para>(Both operations need to be done as root to allow write access
|
||||||
|