diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 77a293ac2e..014769f921 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -369,9 +369,9 @@ $ ukify build \
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
.+........+.+........+.......+...+...+........+....+......+..+..........
$ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
-$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key-initrd.pem
+$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private-key.pem
..+.......++........+........+......+........+....+.....+.+..+..........
-$ openssl rsa -pubout -in tpm2-pcr-private-key-initrd.pem -out tpm2-pcr-public-key-initrd.pem
+$ openssl rsa -pubout -in tpm2-pcr-initrd-private-key.pem -out tpm2-pcr-initrd-public-key.pem
$ ukify build \
--linux=vmlinux-1.2.3 \
--initrd=initrd.cpio \
@@ -383,8 +383,8 @@ $ ukify build \
--pcr-public-key=tpm2-pcr-public-key.pem \
--phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \
--pcr-banks=sha1,sha256 \
- --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
- --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+ --pcr-private-key=tpm2-pcr-initrd-private-key.pem \
+ --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
--phases=enter-initrd \
--uname=1.2.3 \
--output=vmlinux-1.2.3.efi
@@ -398,8 +398,8 @@ $ ukify build \
+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
--osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
--splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
---private-key=tpm2-pcr-private-key-initrd.pem \
---public-key=tpm2-pcr-public-key-initrd.pem \
+--private-key=tpm2-pcr-initrd-private-key.pem \
+--public-key=tpm2-pcr-initrd-public-key.pem \
--phase=enter-initrd
Wrote unsigned vmlinux-1.2.3.efi
@@ -414,7 +414,7 @@ Wrote unsigned vmlinux-1.2.3.efi
by the first option, covering all boot phases. The
.pcrpkey section is used in the default policies of
systemd-cryptenroll and systemd-creds. To use the stricter policy
- bound to tpm2-pcr-public-key-initrd.pem, specify
+ bound to tpm2-pcr-initrd-public-key.pem, specify
on the command line of those tools.
diff --git a/man/uki.conf.example b/man/uki.conf.example
index f78c15fe78..59c54af4a7 100644
--- a/man/uki.conf.example
+++ b/man/uki.conf.example
@@ -4,8 +4,8 @@ SecureBootCertificate=/etc/kernel/secureboot-certificate.pem
[PCRSignature:initrd]
Phases=enter-initrd
-PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
-PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
+PCRPrivateKey=/etc/systemd/tpm2-pcr-initrd-private-key.pem
+PCRPublicKey=/etc/systemd/tpm2-pcr-initrd-public-key.pem
[PCRSignature:system]
Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
diff --git a/man/ukify.xml b/man/ukify.xml
index a0e58ab693..987f9f7b0f 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -719,8 +719,8 @@
--initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
- --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
- --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+ --pcr-private-key=tpm2-pcr-initrd-private-key.pem \
+ --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
--phases='enter-initrd' \
--pcr-private-key=tpm2-pcr-private-key-system.pem \
--pcr-public-key=tpm2-pcr-public-key-system.pem \
@@ -738,7 +738,7 @@
and initramfs-6.0.9-300.fc37.x86_64.img.
The policy embedded in the .pcrsig section will be signed for the initrd (the
enter-initrd phase) with the key
- tpm2-pcr-private-key-initrd.pem, and for the main system (phases
+ tpm2-pcr-initrd-private-key.pem, and for the main system (phases
leave-initrd, sysinit, ready) with the
key tpm2-pcr-private-key-system.pem. The Linux binary and the resulting
combined image will be signed with the SecureBoot key secureboot-private-key.pem.
@@ -761,8 +761,8 @@ SignKernel=yes
PCRBanks=sha384,sha512
[PCRSignature:initrd]
-PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
-PCRPublicKey=tpm2-pcr-public-key-initrd.pem
+PCRPrivateKey=tpm2-pcr-initrd-private-key.pem
+PCRPublicKey=tpm2-pcr-initrd-public-key.pem
Phases=enter-initrd
[PCRSignature:system]
@@ -811,8 +811,8 @@ $ ukify -c ukify.conf build \
# ukify genkey --config=/etc/kernel/uki.conf
Writing SecureBoot private key to /etc/kernel/secureboot-private-key.pem
Writing SecureBoot certificate to /etc/kernel/secureboot-certificate.pem
-Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
-Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-initrd-private-key.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-initrd-public-key.pem
Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
@@ -881,7 +881,7 @@ ID=factory-reset' \
--linux=/lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \
--initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
--cmdline='quiet rw' \
- --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+ --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
--policy-digest \
--json=short \
--output=base.efi >base.pcrs