TODO

@@ -1633,6 +1633,13 @@ Features:
   work for ECDSA keys since their signatures contain a random component, but
   will work for RSA and Ed25519 keys.
 
+* add tiny service that decrypts encrypted user records passed via initrd
+  credential logic and drops them into /run where nss-systemd can pick them up,
+  similar to /run/host/userdb/. Use case: drop a root user JSON record there,
+  and use it in the initrd to log in as root with locally selected password,
+  for debugging purposes. Other use case: boot into qemu with regular user
+  mounted from host. maybe put this in systemd-user-sessions.service?
+
 * drop dependency on libcap, replace by direct syscalls based on
   CapabilityQuintet we already have. (This likely allows us to drop libcap
   dep in the base OS image)

man/ukify.xml

@@ -530,8 +530,7 @@
           <varname>SigningEngine=</varname>/<option>--signing-engine=</option> or
           <varname>SigningProvider=</varname>/<option>--signing-provider=</option> option is used, this may
           also be an engine or provider specific designation. This option is required by
-          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option> and
-          <varname>SecureBootSigningTool=systemd-sbsign</varname>/<option>--signtool=systemd-sbsign</option>. </para>
+          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>. </para>
 
           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
         </varlistentry>
@@ -544,8 +543,7 @@
           <varname>SigningEngine=</varname>/<option>--signing-engine=</option> or
           <varname>SigningProvider=</varname>/<option>--signing-provider=</option> option is used, this may
           also be an engine or provider specific designation. This option is required by
-          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option> and
-          <varname>SecureBootSigningTool=systemd-sbsign</varname>/<option>--signtool=systemd-sbsign</option>. </para>
+          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>. </para>
 
           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
         </varlistentry>