Fix bugs. Update READMEs. Add TODO.txt.

README.md

 
 # Read me
+Every command requires to be performed while logged as root unless explicitely indicated.
 
-The current version does not support signed initramfs image. (Work In Progress!)
+## UEFI Keys
+This stage is about enrolling Rapid.Space's keys in the UEFI firmware of the machine. It all happens in the `uefi-keys/` directory.
+`cd uefi-keys/`
 
-## Workflow
-### Install dependencies
-
-Run
+Refer to the `README.md` file in there and follow the instructions.
 
-sudo ./installation/dependencies.sh
+## Initramfs image
+This stage is about creating and signing an initramfs image with the Metadata Collect Agent (MCA) enabled in it.
 
-### Install the dracut module
+### Install dependencies
+Run `sudo ./installation/dependencies.sh`
 
-Run
+### Install the dracut module and signed initramfs image
+Run `sudo ./installation/install.sh`
 
-sudo ./installation/install.sh
+### Secure Boot
+Make sure Secure Boot is enabled. It should be in Custom Mode.

uefi-keys/README.md

+
 # UEFI keys enrollment
 
 To perform the following instructions, some packages are needed. They are installed by `dependencies.sh` of this directory. By default, the command listed below require to be logged as root. It will be pointed out otherwise.
 
+## Install the dependencies
+Run `./dependencies.sh`
+
 ## Create the keys
 WARNING: A set of keys is already created here. So the following instruction is probably NOT what you want to do. This section is simply for documentation and you should proceed to the next section.
 
@@ -13,21 +17,37 @@ mkdir -p generate_keys && cd generate_keys && cp ../mkkeys.sh . && ./mkkeys.sh
 ## Sign a UEFI application
 You have nothing special to do in this section. This is performed by dracut right after creating the (unsigned) image. Dracut is called in `installation/install.sh` with parameters according to `dracut.conf` and the command line. Tip: `dracut.conf` if generated by `installation/install.sh` from `dracut.conf.in`.
 
-## Add keys to the firmware
+## UEFI keys
 Run `efi-readvar` (no root access needed).
-If the field `PK`, `KEK` or `db` is not empty, then reboot. Enter the BIOS, disable Secure Boot (SB) and remove every keys.
 
-If it is empty or after the previous stage, add the keys to UEFI as follow. We assume the keys have the name `mkkeys.sh` gave them:
+If the fields `PK`, `KEK`, `db` or `dbx` are not all empty, then follow continue to [the next section](#remove-the-current-keys). Else you can bypass the next section and jump directly to [the section after](#add-the-keys-from-rapid-space).
+
+### Remove the current keys
+Reboot. Enter the BIOS, disable Secure Boot (SB) and remove every keys. The following instructions are based on the UEFI interface of a capri and may vary depending on the hardware and the UEFI firmware version.
+
+To do so, you have to:
+
+1. Disable Secure Boot
+
+2. Switch Secure Boot to Custom Mode
+
+3. Go in `Key Management` and delete the keys: `Platform Key (PK)`, `Key Exchange Keys (KEK)`, `Authorized Signatures (db)`, `Forbidden Signatures (dbx)`.
+
+### Add the keys from Rapid Space
+If it is empty or after the previous stage is done, add the keys to UEFI as follow. We assume the keys have the name `mkkeys.sh` gave them:
 * Add the Platform Key (the authority key for the machine):
-    `efi-updatevar -f PK.auth PK`
+`efi-updatevar -f PK.auth PK`
 
 * Add the Key Exchange Key (the authority key for the db and dbx certificates and hashes):
 `efi-updatevar -a -c KEK.crt -k PK.key KEK`
-    
-* Replace the current whitelist certificate:
-`efi-updatevar -f -c DB.crt -k KEK.key db`
-(replace -f with -a to append another whitelist certificate instead of replacing the old one)
 
+* Add the whitelist certificate:
+`efi-updatevar -a -c DB.crt -k KEK.key db`
+
+* Set the variables as immutable:
+TODO:
+
+* Run `efi-readvar` again to check that `PK`, `KEK` and `db` have at least one entry.
 
 ### Troubleshooting
 Some general informations:

uefi-keys/TODO.txt

+
+
++ Read the wording of the uefi-keys/README.md and figure out the details (about the -a or -f option and all the cases).
+
+
+[comment]: <> (TODO: Required to delete the keys? Only the PK?)
+1. Disable Secure Boot
+
+[comment]: <> (TODO: Required to modify the keys?)
+2. Switch Secure Boot to Custom Mode
+
+[comment]: <> (TODO: Add other things to the list?)
+3. Go in `Key Management` and delete the keys: `Platform Key (PK)`, `Key Exchange Keys (KEK)`, `Authorized Signatures (db)`, `Forbidden Signatures (dbx)`.
+
+* Replace the current whitelist certificate:
+`efi-updatevar -a -c DB.crt -k KEK.key db`
+[comment]: <> (TODO: what about "replace -f with -a to append another whitelist certificate instead of replacing the old one"??)

uefi-keys/depenencies.sh → uefi-keys/dependencies.sh

 # generate efi certificates
-apt -y install sbsigntool efitool python3
+apt -y install sbsigntool efitools python3