diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 42871b0c771..14ce5337729 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -208,22 +208,13 @@
Generate a unified kernel image, and calculate the expected TPM PCR 11 value
- # objcopy \
- --add-section .linux=vmlinux --change-section-vma .linux=0x2000000 \
- --add-section .osrel=os-release.txt --change-section-vma .osrel=0x20000 \
- --add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
- --add-section .initrd=initrd.cpio --change-section-vma .initrd=0x3000000 \
- --add-section .splash=splash.bmp --change-section-vma .splash=0x100000 \
- --add-section .dtb=devicetree.dtb --change-section-vma .dtb=0x40000 \
- /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
- foo.efi
-# systemd-measure calculate \
- --linux=vmlinux \
- --osrel=os-release.txt \
- --cmdline=cmdline.txt \
- --initrd=initrd.cpio \
- --splash=splash.bmp \
- --dtb=devicetree.dtb
+ # ukify --output foo.efi \
+ --os-release @os-release.txt \
+ --cmdline @cmdline.txt \
+ --splash splash.bmp \
+ --devicetree devicetree.dtb \
+ --measure \
+ vmlinux initrd.cpio
11:sha1=d775a7b4482450ac77e03ee19bda90bd792d6ec7
11:sha256=bc6170f9ce28eb051ab465cd62be8cf63985276766cf9faf527ffefb66f45651
11:sha384=1cf67dff4757e61e5a73d2a21a6694d668629bbc3761747d493f7f49ad720be02fd07263e1f93061243aec599d1ee4b4
@@ -249,17 +240,15 @@
--bank=sha256 \
--private-key=tpm2-pcr-private.pem \
--public-key=tpm2-pcr-public.pem > tpm2-pcr-signature.json
-# objcopy \
- --add-section .linux=vmlinux --change-section-vma .linux=0x2000000 \
- --add-section .osrel=os-release.txt --change-section-vma .osrel=0x20000 \
- --add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
- --add-section .initrd=initrd.cpio --change-section-vma .initrd=0x3000000 \
- --add-section .splash=splash.bmp --change-section-vma .splash=0x100000 \
- --add-section .dtb=devicetree.dtb --change-section-vma .dtb=0x40000 \
- --add-section .pcrsig=tpm2-pcr-signature.json --change-section-vma .pcrsig=0x80000 \
- --add-section .pcrpkey=tpm2-pcr-public.pem --change-section-vma .pcrpkey=0x90000 \
- /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
- foo.efi
+# ukify --output foo.efi \
+ --os-release @os-release.txt \
+ --cmdline @cmdline.txt \
+ --splash splash.bmp \
+ --devicetree devicetree.dtb \
+ --pcr-private-key tpm2-pcr-private.pem \
+ --pcr-public-key tpm2-pcr-public.pem \
+ --pcr-banks sha1,sha256 \
+ vmlinux initrd.cpio
Later on, enroll the signed PCR policy on a LUKS volume:
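Review bot: The new ukify invocation passes `--pcr-private-key`, `--pcr-public-key` and `--pcr-banks sha1,sha256`, which presumably makes ukify produce the PCR signature itself. If so, the `tpm2-pcr-signature.json` written by the `systemd-measure sign` step just above is no longer embedded anywhere. The bank list also differs from that step's `--bank=sha256`, so a reader cannot tell which banks the signed policy ends up covering. Either drop the now-unused signing step or keep the banks consistent, e.g. `--pcr-banks sha256 \`; if SHA-1 is included on purpose, a sentence saying why would help, since these lines get copied into image-build scripts. The example begins before this hunk, so the full `systemd-measure sign` command is not visible here.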
@@ -314,17 +303,16 @@
--public-key=tpm2-pcr-initrd-public.pem \
--phase=enter-initrd \
--append=tpm2-pcr-signature.json.tmp >tpm2-pcr-signature.json
-# objcopy \
- --add-section .linux=vmlinux --change-section-vma .linux=0x2000000 \
- --add-section .osrel=os-release.txt --change-section-vma .osrel=0x20000 \
- --add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
- --add-section .initrd=initrd.cpio --change-section-vma .initrd=0x3000000 \
- --add-section .splash=splash.bmp --change-section-vma .splash=0x100000 \
- --add-section .dtb=devicetree.dtb --change-section-vma .dtb=0x40000 \
- --add-section .pcrsig=tpm2-pcr-signature.json --change-section-vma .pcrsig=0x80000 \
- --add-section .pcrpkey=tpm2-pcr-public.pem --change-section-vma .pcrpkey=0x90000 \
- /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
- foo.efi
+# ukify --output foo.efi \
+ --os-release @os-release.txt \
+ --cmdline @cmdline.txt \
+ --splash splash.bmp \
+ --devicetree devicetree.dtb \
+ --pcr-private-key tpm2-pcr-initrd-private.pem \
+ --pcr-public-key tpm2-pcr-initrd-public.pem \
+ --section .pcrsig=@tpm2-pcr-signature.json \
+ --section .pcrpkey=@tpm2-pcr-public.pem \
+ vmlinux initrd.cpio
Note that in this example the .pcrpkey PE section contains the key covering all
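Review bot: The ukify command at the end of this hunk supplies `.pcrsig` and `.pcrpkey` through `--section` and also passes `--pcr-private-key tpm2-pcr-initrd-private.pem` and `--pcr-public-key tpm2-pcr-initrd-public.pem`. If ukify signs and embeds its own `.pcrsig`/`.pcrpkey` whenever a PCR key is given (not visible here, so worth confirming), the image would get those sections twice or embed the initrd-only public key. That would contradict the following sentence, which says `.pcrpkey` holds the key covering all phases. The two-signature JSON is already produced by the `systemd-measure sign` calls above, so the example should probably keep only the two `--section` lines and drop the `--pcr-private-key`/`--pcr-public-key` lines. The initrd private key would then not need to be present at assembly time.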
@@ -345,7 +333,7 @@
systemd1,
systemd-stub7,
- objcopy1,
+ ukify1,
systemd-creds1,
systemd-cryptsetup@.service8,
systemd-pcrphase.service1
diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index fcb0c24ce80..c2301687806 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -382,45 +382,8 @@
Assembling Kernel Images
- In order to assemble an UEFI PE kernel image from various components as described above, use an
- objcopy1 command line
- like this:
-
- objcopy \
- --add-section .osrel=os-release --change-section-vma .osrel=0x20000 \
- --add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
- --add-section .dtb=devicetree.dtb --change-section-vma .dtb=0x40000 \
- --add-section .splash=splash.bmp --change-section-vma .splash=0x100000 \
- --add-section .linux=vmlinux --change-section-vma .linux=0x2000000 \
- --add-section .initrd=initrd.cpio --change-section-vma .initrd=0x3000000 \
- /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
- foo-unsigned.efi
-
- Note that these PE section offsets are example values and a properly assembled image must not
- contain any overlapping sections (this includes already existing sections inside the stub before
- assembly) or boot may fail.
-
- This generates one PE executable file foo-unsigned.efi from the six individual
- files for OS release information, kernel command line, boot splash image, kernel image, main initrd and
- UEFI boot stub.
-
- To then sign the resulting image for UEFI SecureBoot use an
- sbsign1 command like
- the following:
-
- sbsign \
- --key mykey.pem \
- --cert mykey.crt \
- --output foo.efi \
- foo-unsigned.efi
-
- This expects a pair of X.509 private key and certificate as parameters and then signs the UEFI PE
- executable we generated above for UEFI SecureBoot and generates a signed UEFI PE executable as
- result.
-
- See
- systemd-measure1 for
- an example involving the .pcrsig and .pcrpkey sections.
+ In order to assemble a bootable Unified Kernel Image from various components as described above, use
+ ukify1.
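Review bot: The replacement paragraph drops the section's only mention of signing the assembled image for UEFI SecureBoot; the removed text walked through `sbsign`, while the new text only names ukify. A reader following this section alone can end up with an unsigned image, and nothing here says that signing is a separate, required step on SecureBoot systems. I would add a sentence after the ukify reference, for example `To sign the resulting image for UEFI SecureBoot, pass --secureboot-private-key= and --secureboot-certificate= to ukify.`, so the signing step stays visible next to the assembly step.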
@@ -432,8 +395,7 @@
systemd-sysext8,
Boot Loader Specification,
Boot Loader Interface,
- objcopy1,
- sbsign1,
+ ukify1,
systemd-measure1