diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default
index 7f6bedce..afa9fb7a 100755
--- a/initrd/bin/kexec-save-default
+++ b/initrd/bin/kexec-save-default
@@ -132,7 +132,7 @@ fi
 # sign and auto-roll config counter
 extparam=
 if [ "$CONFIG_TPM" = "y" ]; then
-	extparam=-u
+	extparam=-r
 fi
 kexec-sign-config -p $paramsdir $extparam \
 || die "Failed to sign default config"
diff --git a/initrd/bin/kexec-save-key b/initrd/bin/kexec-save-key
index 2ea17f63..7a20fafa 100755
--- a/initrd/bin/kexec-save-key
+++ b/initrd/bin/kexec-save-key
@@ -62,7 +62,7 @@ kexec-seal-key $paramsdir \
 
 if [ "$skip_sign" != "y" ]; then
 	# sign and auto-roll config counter
-	kexec-sign-config -p $paramsdir -u \
+	kexec-sign-config -p $paramsdir -r \
 	|| die "Failed to sign updated config"
 fi
 
diff --git a/initrd/bin/kexec-sign-config b/initrd/bin/kexec-sign-config
index 23cdf28d..1f8a6d72 100755
--- a/initrd/bin/kexec-sign-config
+++ b/initrd/bin/kexec-sign-config
@@ -5,12 +5,13 @@ set -e -o pipefail
 . /etc/functions
 
 rollback="n"
-update_counter="n"
-while getopts "p:c:u" arg; do
+update="n"
+while getopts "p:c:u:r" arg; do
 	case $arg in
 		p) paramsdir="$OPTARG" ;;
 		c) counter="$OPTARG"; rollback="y" ;;
-		u) update_counter="y"; rollback="y" ;;
+		u) update="y" ;;
+		r) rollback="y" ;;
 	esac
 done
 
@@ -22,6 +23,22 @@ paramsdir="${paramsdir%%/}"
 
 confirm_gpg_card
 
+# update hashes in /boot before signing
+if [ "$update" = "y" ]; then
+	( 
+		cd /boot
+		find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
+		if [ -e /boot/kexec_default_hashes.txt ]; then
+			DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
+			echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
+		fi
+	)
+
+	# Remove any package trigger log files
+	# We don't need them after the user decides to sign
+	rm -f /boot/kexec_package_trigger*
+fi
+
 if [ "$rollback" = "y" ]; then
 	rollback_file="$paramsdir/kexec_rollback.txt"
 
diff --git a/initrd/etc/functions b/initrd/etc/functions
index 03559d5a..d7907e39 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -276,26 +276,16 @@ update_checksums()
 		mount -o ro /boot \
 		|| recovery "Unable to mount /boot"
 	fi
+
 	# remount RW
 	mount -o rw,remount /boot
-	(
-	  cd /boot
-	  find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
-	  if [ -e /boot/kexec_default_hashes.txt ]; then
-	    DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
-	    echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
-	  fi
-	)
-	# Remove any package trigger log files
-	# We don't need them after the user decides to sign
-	rm -f /boot/kexec_package_trigger*
 
 	# sign and auto-roll config counter
 	extparam=
 	if [ "$CONFIG_TPM" = "y" ]; then
-	extparam=-u
+		extparam=-r
 	fi
-	if ! kexec-sign-config -p /boot $extparam ; then
+	if ! kexec-sign-config -p /boot -u $extparam ; then
 	  echo "Failed to sign default config; press Enter to continue."
 	  read
 	fi