man: clean up how we name our PEM files in examples (#36541)

Kinda a follow-up for 2cc58b6c8a

man/systemd-measure.xml

@@ -369,9 +369,9 @@ $ ukify build \
       <programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
 .+........+.+........+.......+...+...+........+....+......+..+..........
 $ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
-$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key-initrd.pem
+$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private-key.pem
 ..+.......++........+........+......+........+....+.....+.+..+..........
-$ openssl rsa -pubout -in tpm2-pcr-private-key-initrd.pem -out tpm2-pcr-public-key-initrd.pem
+$ openssl rsa -pubout -in tpm2-pcr-initrd-private-key.pem -out tpm2-pcr-initrd-public-key.pem
 $ ukify build \
      --linux=vmlinux-1.2.3 \
      --initrd=initrd.cpio \
@@ -383,8 +383,8 @@ $ ukify build \
      --pcr-public-key=tpm2-pcr-public-key.pem \
      --phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \
      --pcr-banks=sha1,sha256 \
-     --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
-     --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+     --pcr-private-key=tpm2-pcr-initrd-private-key.pem \
+     --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
      --phases=enter-initrd \
      --uname=1.2.3 \
      --output=vmlinux-1.2.3.efi
@@ -398,8 +398,8 @@ $ ukify build \
 + /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
 --osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
 --splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
---private-key=tpm2-pcr-private-key-initrd.pem \
---public-key=tpm2-pcr-public-key-initrd.pem \
+--private-key=tpm2-pcr-initrd-private-key.pem \
+--public-key=tpm2-pcr-initrd-public-key.pem \
 --phase=enter-initrd
 Wrote unsigned vmlinux-1.2.3.efi
 </programlisting>
@@ -414,7 +414,7 @@ Wrote unsigned vmlinux-1.2.3.efi
       by the first <option>--pcr-private-key=</option> option, covering all boot phases. The
       <literal>.pcrpkey</literal> section is used in the default policies of
       <command>systemd-cryptenroll</command> and <command>systemd-creds</command>. To use the stricter policy
-      bound to <filename>tpm2-pcr-public-key-initrd.pem</filename>, specify
+      bound to <filename>tpm2-pcr-initrd-public-key.pem</filename>, specify
       <option>--tpm2-public-key=</option> on the command line of those tools.</para>
     </example>
   </refsect1>

man/systemd-repart.xml

@@ -684,8 +684,8 @@ IMAGE_ID=my-motd
 IMAGE_VERSION=7
 EOF
 systemd-repart -C \
-  --private-key=privkey.pem \
-  --certificate=cert.crt \
+  --private-key=verity-private-key.pem \
+  --certificate=verity-certificate.pem \
   -s tree/ \
   /var/lib/confexts/my-motd.confext.raw
 systemd-confext refresh</programlisting>
@@ -711,7 +711,7 @@ EOF
 systemd-repart --make-ddi=sysext \
   --private-key-source=engine:pkcs11 \
   --private-key="pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=0123456789abcdef;token=Some%20Cert" \
-  --certificate=cert.crt \
+  --certificate=verity-certificate.pem \
   -s tree/ \
   /var/lib/extensions/my-foo.sysext.raw
 systemd-sysext refresh</programlisting>
@@ -763,21 +763,21 @@ EOF
 
 systemd-repart --definitions repart.d \
   --defer-partitions=root-verity-sig \
-  --copy-source /tmp/tree/ \
-  --empty create --size 600M \
+  --copy-source=/tmp/tree/ \
+  --empty=create --size=600M \
   --json=short \
   /tmp/img.raw | | jq --raw-output0 .[-1].roothash &gt; /tmp/img.roothash
 
 openssl smime -sign -in /tmp/img.roothash \
-  -inkey privkey.pem \
-  -signer cert.crt \
+  -inkey verity-private-key.pem \
+  -signer verity-certificate.pem \
   -noattr -binary -outform der \
   -out /tmp/img.roothash.p7s
 
 systemd-repart --definitions repart.d \
-  --dry-run=no --root /tmp/tree/ \
-  --join-signature "$(cat /tmp/img.roothash):/tmp/img.roothash.p7s" \
-  --certificate cert.crt \
+  --dry-run=no --root=/tmp/tree/ \
+  --join-signature="$(cat /tmp/img.roothash):/tmp/img.roothash.p7s" \
+  --certificate=verity-certificate.pem \
   /tmp/img.raw</programlisting>
     </example>
 

man/uki.conf.example

@@ -4,8 +4,8 @@ SecureBootCertificate=/etc/kernel/secureboot-certificate.pem
 
 [PCRSignature:initrd]
 Phases=enter-initrd
-PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
-PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
+PCRPrivateKey=/etc/systemd/tpm2-pcr-initrd-private-key.pem
+PCRPublicKey=/etc/systemd/tpm2-pcr-initrd-public-key.pem
 
 [PCRSignature:system]
 Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit

man/ukify.xml

@@ -719,8 +719,8 @@
       --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
       --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
       uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
-      --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
-      --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+      --pcr-private-key=tpm2-pcr-initrd-private-key.pem \
+      --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
       --phases='enter-initrd' \
       --pcr-private-key=tpm2-pcr-private-key-system.pem \
       --pcr-public-key=tpm2-pcr-public-key-system.pem \
@@ -738,7 +738,7 @@
       and <filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>.
       The policy embedded in the <literal>.pcrsig</literal> section will be signed for the initrd (the
       <constant>enter-initrd</constant> phase) with the key
-      <filename index='false'>tpm2-pcr-private-key-initrd.pem</filename>, and for the main system (phases
+      <filename index='false'>tpm2-pcr-initrd-private-key.pem</filename>, and for the main system (phases
       <constant>leave-initrd</constant>, <constant>sysinit</constant>, <constant>ready</constant>) with the
       key <filename index='false'>tpm2-pcr-private-key-system.pem</filename>. The Linux binary and the resulting
       combined image will be signed with the SecureBoot key <filename index='false'>secureboot-private-key.pem</filename>.</para>
@@ -761,8 +761,8 @@ SignKernel=yes
 PCRBanks=sha384,sha512
 
 [PCRSignature:initrd]
-PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
-PCRPublicKey=tpm2-pcr-public-key-initrd.pem
+PCRPrivateKey=tpm2-pcr-initrd-private-key.pem
+PCRPublicKey=tpm2-pcr-initrd-public-key.pem
 Phases=enter-initrd
 
 [PCRSignature:system]
@@ -811,8 +811,8 @@ $ ukify -c ukify.conf build \
       <programlisting># ukify genkey --config=/etc/kernel/uki.conf
 Writing SecureBoot private key to /etc/kernel/secureboot-private-key.pem
 Writing SecureBoot certificate to /etc/kernel/secureboot-certificate.pem
-Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
-Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-initrd-private-key.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-initrd-public-key.pem
 Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
 Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
 </programlisting>
@@ -881,7 +881,7 @@ ID=factory-reset' \
       --linux=/lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \
       --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
       --cmdline='quiet rw' \
-      --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+      --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
       --policy-digest \
       --json=short \
       --output=base.efi >base.pcrs