From: Lennart Poettering
Date: Thu, 27 Feb 2025 09:07:36 +0000 (+0100)
Subject: man: follow our own naming rules more closely
X-Git-Tag: v258-rc1~1233^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f093d83644f496b5ebd25789ec132ccb753adf6;p=thirdparty%2Fsystemd.git

man: follow our own naming rules more closely

In some examples we inserted "-initrd" after the "public-key" instead of before when naming PEM files. Let's fix that, and stick to common suffixes.
---

diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 77a293ac2e1..014769f9217 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -369,9 +369,9 @@ $ ukify build \
 $ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
 .+........+.+........+.......+...+...+........+....+......+..+..........
 $ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
-$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key-initrd.pem
+$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private-key.pem
 ..+.......++........+........+......+........+....+.....+.+..+..........
-$ openssl rsa -pubout -in tpm2-pcr-private-key-initrd.pem -out tpm2-pcr-public-key-initrd.pem
+$ openssl rsa -pubout -in tpm2-pcr-initrd-private-key.pem -out tpm2-pcr-initrd-public-key.pem
 $ ukify build \
 --linux=vmlinux-1.2.3 \
 --initrd=initrd.cpio \
@@ -383,8 +383,8 @@ $ ukify build \
 --pcr-public-key=tpm2-pcr-public-key.pem \
 --phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \
 --pcr-banks=sha1,sha256 \
- --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
- --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+ --pcr-private-key=tpm2-pcr-initrd-private-key.pem \
+ --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
 --phases=enter-initrd \
 --uname=1.2.3 \
 --output=vmlinux-1.2.3.efi
@@ -398,8 +398,8 @@ $ ukify build \
 + /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
 --osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
 --splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
---private-key=tpm2-pcr-private-key-initrd.pem \
---public-key=tpm2-pcr-public-key-initrd.pem \
+--private-key=tpm2-pcr-initrd-private-key.pem \
+--public-key=tpm2-pcr-initrd-public-key.pem \
 --phase=enter-initrd
 Wrote unsigned vmlinux-1.2.3.efi
@@ -414,7 +414,7 @@ Wrote unsigned vmlinux-1.2.3.efi
 by the first option, covering all boot phases. The .pcrpkey section is used in the default policies of systemd-cryptenroll and systemd-creds. To use the stricter policy
- bound to tpm2-pcr-public-key-initrd.pem, specify
+ bound to tpm2-pcr-initrd-public-key.pem, specify
 on the command line of those tools.
diff --git a/man/uki.conf.example b/man/uki.conf.example
index f78c15fe785..59c54af4a72 100644
--- a/man/uki.conf.example
+++ b/man/uki.conf.example
@@ -4,8 +4,8 @@ SecureBootCertificate=/etc/kernel/secureboot-certificate.pem
 [PCRSignature:initrd]
 Phases=enter-initrd
-PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
-PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
+PCRPrivateKey=/etc/systemd/tpm2-pcr-initrd-private-key.pem
+PCRPublicKey=/etc/systemd/tpm2-pcr-initrd-public-key.pem
 [PCRSignature:system]
 Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
diff --git a/man/ukify.xml b/man/ukify.xml
index a0e58ab693b..987f9f7b0f1 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -719,8 +719,8 @@
 --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
 --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
- --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
- --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+ --pcr-private-key=tpm2-pcr-initrd-private-key.pem \
+ --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
 --phases='enter-initrd' \
 --pcr-private-key=tpm2-pcr-private-key-system.pem \
 --pcr-public-key=tpm2-pcr-public-key-system.pem \
@@ -738,7 +738,7 @@ and initramfs-6.0.9-300.fc37.x86_64.img. The policy embedded in the .pcrsig section will be signed for the initrd (the enter-initrd phase) with the key
- tpm2-pcr-private-key-initrd.pem, and for the main system (phases
+ tpm2-pcr-initrd-private-key.pem, and for the main system (phases
 leave-initrd, sysinit, ready) with the key tpm2-pcr-private-key-system.pem. The Linux binary and the resulting combined image will be signed with the SecureBoot key secureboot-private-key.pem.
@@ -761,8 +761,8 @@ SignKernel=yes
 PCRBanks=sha384,sha512
 [PCRSignature:initrd]
-PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
-PCRPublicKey=tpm2-pcr-public-key-initrd.pem
+PCRPrivateKey=tpm2-pcr-initrd-private-key.pem
+PCRPublicKey=tpm2-pcr-initrd-public-key.pem
 Phases=enter-initrd
 [PCRSignature:system]
@@ -811,8 +811,8 @@ $ ukify -c ukify.conf build \
 # ukify genkey --config=/etc/kernel/uki.conf
 Writing SecureBoot private key to /etc/kernel/secureboot-private-key.pem
 Writing SecureBoot certificate to /etc/kernel/secureboot-certificate.pem
-Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
-Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-initrd-private-key.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-initrd-public-key.pem
 Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
 Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
@@ -881,7 +881,7 @@ ID=factory-reset' \
 --linux=/lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \
 --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
 --cmdline='quiet rw' \
- --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+ --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
 --policy-digest \
 --json=short \
 --output=base.efi >base.pcrs