From da468d61eea5381b45a462f04e2fb11cc50f0cf2 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 27 Feb 2025 10:02:09 +0100
Subject: [PATCH 1/2] man: follow our certificate/public-key/private-key PEM file naming rules

In 2cc58b6c8ad1826f22b120c4148d123018a7b92c and related we established rules on naming certs/public-keys/private-keys: *-public-key.pem *-private-key.pem *-certificate.pem Let's follow that naming in repart's man page too.
---
 man/systemd-repart.xml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/man/systemd-repart.xml b/man/systemd-repart.xml
index 2e11c45993..f4823cd0e2 100644
--- a/man/systemd-repart.xml
+++ b/man/systemd-repart.xml
@@ -684,8 +684,8 @@ IMAGE_ID=my-motd
 IMAGE_VERSION=7
 EOF
 systemd-repart -C \
- --private-key=privkey.pem \
- --certificate=cert.crt \
+ --private-key=verity-private-key.pem \
+ --certificate=verity-certificate.pem \
 -s tree/ \
 /var/lib/confexts/my-motd.confext.raw
 systemd-confext refresh
@@ -711,7 +711,7 @@ EOF
 systemd-repart --make-ddi=sysext \
 --private-key-source=engine:pkcs11 \
 --private-key="pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=0123456789abcdef;token=Some%20Cert" \
- --certificate=cert.crt \
+ --certificate=verity-certificate.pem \
 -s tree/ \
 /var/lib/extensions/my-foo.sysext.raw
 systemd-sysext refresh
@@ -763,21 +763,21 @@ EOF
 systemd-repart --definitions repart.d \
 --defer-partitions=root-verity-sig \
- --copy-source /tmp/tree/ \
- --empty create --size 600M \
+ --copy-source=/tmp/tree/ \
+ --empty=create --size=600M \
 --json=short \
 /tmp/img.raw | | jq --raw-output0 .[-1].roothash > /tmp/img.roothash
 openssl smime -sign -in /tmp/img.roothash \
- -inkey privkey.pem \
- -signer cert.crt \
+ -inkey verity-private-key.pem \
+ -signer verity-certificate.pem \
 -noattr -binary -outform der \
 -out /tmp/img.roothash.p7s
 systemd-repart --definitions repart.d \
- --dry-run=no --root /tmp/tree/ \
- --join-signature "$(cat /tmp/img.roothash):/tmp/img.roothash.p7s" \
- --certificate cert.crt \
+ --dry-run=no --root=/tmp/tree/ \
+ --join-signature="$(cat /tmp/img.roothash):/tmp/img.roothash.p7s" \
+ --certificate=verity-certificate.pem \
 /tmp/img.raw

From 2f093d83644f496b5ebd25789ec132ccb753adf6 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 27 Feb 2025 10:07:36 +0100
Subject: [PATCH 2/2] man: follow our own naming rules more closely

In some examples we inserted "-initrd" after the "public-key" instead of before when naming PEM files. Let's fix that, and stick to common suffixes.
---
 man/systemd-measure.xml | 14 +++++++-------
 man/uki.conf.example | 4 ++--
 man/ukify.xml | 16 ++++++++--------
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 77a293ac2e..014769f921 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -369,9 +369,9 @@ $ ukify build \
 $ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
 .+........+.+........+.......+...+...+........+....+......+..+..........
 $ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
-$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key-initrd.pem
+$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private-key.pem
 ..+.......++........+........+......+........+....+.....+.+..+..........
-$ openssl rsa -pubout -in tpm2-pcr-private-key-initrd.pem -out tpm2-pcr-public-key-initrd.pem
+$ openssl rsa -pubout -in tpm2-pcr-initrd-private-key.pem -out tpm2-pcr-initrd-public-key.pem
 $ ukify build \
 --linux=vmlinux-1.2.3 \
 --initrd=initrd.cpio \
@@ -383,8 +383,8 @@ $ ukify build \
 --pcr-public-key=tpm2-pcr-public-key.pem \
 --phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \
 --pcr-banks=sha1,sha256 \
- --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
- --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+ --pcr-private-key=tpm2-pcr-initrd-private-key.pem \
+ --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
 --phases=enter-initrd \
 --uname=1.2.3 \
 --output=vmlinux-1.2.3.efi
@@ -398,8 +398,8 @@ $ ukify build \
 + /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
 --osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
 --splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
---private-key=tpm2-pcr-private-key-initrd.pem \
---public-key=tpm2-pcr-public-key-initrd.pem \
+--private-key=tpm2-pcr-initrd-private-key.pem \
+--public-key=tpm2-pcr-initrd-public-key.pem \
 --phase=enter-initrd
 Wrote unsigned vmlinux-1.2.3.efi
@@ -414,7 +414,7 @@ Wrote unsigned vmlinux-1.2.3.efi by the first option, covering all boot phases. The .pcrpkey section is used in the default policies of systemd-cryptenroll and systemd-creds. To use the stricter policy - bound to tpm2-pcr-public-key-initrd.pem, specify + bound to tpm2-pcr-initrd-public-key.pem, specify on the command line of those tools.
diff --git a/man/uki.conf.example b/man/uki.conf.example
index f78c15fe78..59c54af4a7 100644
--- a/man/uki.conf.example
+++ b/man/uki.conf.example
@@ -4,8 +4,8 @@ SecureBootCertificate=/etc/kernel/secureboot-certificate.pem
 [PCRSignature:initrd]
 Phases=enter-initrd
-PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
-PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
+PCRPrivateKey=/etc/systemd/tpm2-pcr-initrd-private-key.pem
+PCRPublicKey=/etc/systemd/tpm2-pcr-initrd-public-key.pem
 [PCRSignature:system]
 Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
diff --git a/man/ukify.xml b/man/ukify.xml
index a0e58ab693..987f9f7b0f 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -719,8 +719,8 @@
 --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
 --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
- --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
- --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+ --pcr-private-key=tpm2-pcr-initrd-private-key.pem \
+ --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
 --phases='enter-initrd' \
 --pcr-private-key=tpm2-pcr-private-key-system.pem \
 --pcr-public-key=tpm2-pcr-public-key-system.pem \
@@ -738,7 +738,7 @@ and initramfs-6.0.9-300.fc37.x86_64.img. The policy embedded in the .pcrsig section will be signed for the initrd (the enter-initrd phase) with the key - tpm2-pcr-private-key-initrd.pem, and for the main system (phases + tpm2-pcr-initrd-private-key.pem, and for the main system (phases leave-initrd, sysinit, ready) with the key tpm2-pcr-private-key-system.pem. The Linux binary and the resulting combined image will be signed with the SecureBoot key secureboot-private-key.pem.
@@ -761,8 +761,8 @@ SignKernel=yes
 PCRBanks=sha384,sha512
 [PCRSignature:initrd]
-PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
-PCRPublicKey=tpm2-pcr-public-key-initrd.pem
+PCRPrivateKey=tpm2-pcr-initrd-private-key.pem
+PCRPublicKey=tpm2-pcr-initrd-public-key.pem
 Phases=enter-initrd
 [PCRSignature:system]
@@ -811,8 +811,8 @@ $ ukify -c ukify.conf build \
 # ukify genkey --config=/etc/kernel/uki.conf
 Writing SecureBoot private key to /etc/kernel/secureboot-private-key.pem
 Writing SecureBoot certificate to /etc/kernel/secureboot-certificate.pem
-Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
-Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-initrd-private-key.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-initrd-public-key.pem
 Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
 Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
@@ -881,7 +881,7 @@ ID=factory-reset' \
 --linux=/lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \
 --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
 --cmdline='quiet rw' \
- --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
+ --pcr-public-key=tpm2-pcr-initrd-public-key.pem \
 --policy-digest \
 --json=short \
 --output=base.efi >base.pcrs