From: averdow Date: Tue, 5 Mar 2024 21:20:24 +0000 (-0600) Subject: clarify use of secure boot key for PCR signature X-Git-Tag: v21~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=061d697ffdcff48853185890c0d47bcd4270fd9e;p=thirdparty%2Fmkosi.git clarify use of secure boot key for PCR signature --- diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md index 52aba1b98..a550791e5 100644 --- a/mkosi/resources/mkosi.md +++ b/mkosi/resources/mkosi.md @@ -1336,8 +1336,9 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, `SecureBootKey=`, `--secure-boot-key=` : Path to the PEM file containing the secret key for signing the - UEFI kernel image, if `SecureBoot=` is used. When `SecureBootKeySource=` is specified, the input - type depends on the source. + UEFI kernel image if `SecureBoot=` is used and PCR signatures when + `SignExpectedPcr=` is also used. When `SecureBootKeySource=` is specified, + the input type depends on the source. `SecureBootKeySource=`, `--secure-boot-key-source=` @@ -1377,7 +1378,8 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, `systemd-measure` and embed the PCR signature into the unified kernel image. This option takes a boolean value or the special value `auto`, which is the default, which is equal to a true value if the - `systemd-measure` binary is in `PATH`. + `systemd-measure` binary is in `PATH`. Depends on `SecureBoot=` + being enabled and key from `SecureBootKey=`. `Passphrase=`, `--passphrase`
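Review bot: In the first hunk (`SecureBootKey=`, around line 1336), the new sentence does not say whether the PCR signature needs `SecureBoot=` enabled as well, and "and PCR signatures when `SignExpectedPcr=` is also used" has no verb of its own. Suggest wording along the lines of "for signing the UEFI kernel image if `SecureBoot=` is used, and for signing the expected PCR values if `SignExpectedPcr=` is also used". Since this text now documents that one secret key serves two purposes, it would also help to state whether the following sentence about `SecureBootKeySource=` applies to the PCR signing as well, because the hunk leaves that open.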
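Review bot: In the second hunk (`SignExpectedPcr=`, around line 1377), the added "Depends on `SecureBoot=` being enabled and key from `SecureBootKey=`." is a sentence fragment and leaves the behaviour of the default `auto` undefined. The preceding text says `auto` is equal to a true value if the `systemd-measure` binary is in `PATH`, so a reader cannot tell whether a build with `SecureBoot=` disabled or without a key skips PCR signing silently or fails. Suggest a full sentence such as "This option requires `SecureBoot=` to be enabled and uses the key from `SecureBootKey=`", plus one clause saying what happens under `auto` and under an explicit true value when that requirement is not met.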