<listitem><para>An <literal>.initrd</literal> section with the initrd.</para></listitem>
+ <listitem><para>A <literal>.ucode</literal> section with an initrd containing microcode, to be handed
+ to the kernel before any other initrd. This initrd must not be compressed.</para></listitem>
+
<listitem><para>A <literal>.splash</literal> section with an image (in the Windows
<filename>.BMP</filename> format) to show on screen before invoking the kernel.</para></listitem>
specific key.</para></listitem>
<listitem><para>A <literal>.pcrpkey</literal> section with a public key in the PEM format matching the
- signature data in the the <literal>.pcrsig</literal> section.</para></listitem>
+ signature data in the <literal>.pcrsig</literal> section.</para></listitem>
</itemizedlist>
<para>If UEFI SecureBoot is enabled and the <literal>.cmdline</literal> section is present in the executed
core kernel, the embedded initrd and kernel command line (see above for a full list).</para>
<para>Also note that the Linux kernel will measure all initrds it receives into TPM PCR 9. This means
- every type of initrd will be measured two or three times: the initrd embedded in the kernel image will be
+ every type of initrd will be measured two or three times: the initrds embedded in the kernel image will be
measured to PCR 4, PCR 9 and PCR 11; the initrd synthesized from credentials (and the one synthesized
from configuration extensions) will be measured to both PCR 9 and PCR 12; the initrd synthesized from
system extensions will be measured to both PCR 4 and PCR 9. Let's summarize the OS resources and the PCRs
<entry>4 + 9 + 11</entry>
</row>
+ <row>
+ <entry>Microcode initrd (embedded in unified PE binary)</entry>
+ <entry>4 + 9 + 11</entry>
+ </row>
+
<row>
<entry>Default kernel command line (embedded in unified PE binary)</entry>
<entry>4 + 11</entry>