diff --git a/TODO b/TODO index c940cb69ad..0a06735c08 100644 --- a/TODO +++ b/TODO 
@@ -129,7 +129,43 @@ Deprecations and removals: Features: -* tmpfiles snippet that locks down /etc/credstore/ and friends, just in case. +* in order to make binding to PCR 4 realistic: + - generate one keypair "U" and store it in a tpm2 nvindex. + - Generate another keypair "P" and store it in a second tpm2 nvindex. + - allocate a persistent counter object "C" in the tpm2 + - Enroll all user objects (i.e. luks volumes, creds, …) to a tpm2 policy + signed by U. + - Lock both U and P down with a tpm2 policy signed by P (yes, P can only be + used if a signature by P itself can be provided) + - For regular reboots generate a signature for a restrictive PCR4 + counter C + based policy with key P. Place signature in EFI var, so it can be found on + next boot + - For reboots where a firmware update is expected generate a signature with a + more open policy against just counter C. Place signature in same EFI var. + - Increase C whenever switching between these two signature types. + - During early boot, use the signature from the EFI var to unlock U and P. + Use it to generate a signature for unlocking user objects given the current + PCR 4 value, store that away into /run somewhere, for user during the whole + later boot. + - When booting up automatically update the mentioned efi var so that it + contains the restrictive signature. But also generate a signature ahead of + time that could be used in case during the current boot we later detect we might + need to reboot for a firmware update. Store that in /run somewhere, so that + it can be placed in the EFI var, if needed. + +* repart/gpt-auto/DDIs: maybe introduce a concept of "extension" partitions, + that have a new type uuid and can "extend" earlier partitions, to work around + the fact that systemd-repart can only grow the last partition defined. During + activation we'd simply set up a dm-linear mapping to merge them again. 
A + partition that is to be extended would just set a bit in the partition flags + field to indicate that there's another extension partition to look for. The + identifiying UUID of the extension partition would be hashed in counter mode + from the uuid of the original partition it extends. Inspiration for this is + the "dynamic partitions" concept of new Android. This would be a minimalistic + concept of a volume manager, with the extents it manages being exposes as GPT + partitions. I a partition is extended multiple times they should probably + grow exponentially in size to ensure O(log(n)) time for finding them on + access. * split out execute.c into new "systemd-executor" binary. Then make PID 1 fork that off via vfork(), and then let that executor do the hard work. Ultimately @@ -198,7 +234,7 @@ Features: See discussion at https://github.com/authselect/authselect/pull/311 * sd-boot: make boot loader spec type #1 accept http urls in "linux" - lines. THen, do the uefi http dance to download kernels and boot them. This + lines. Then, do the uefi http dance to download kernels and boot them. This is then useful for network boot, by embdedding a cpio with type #1 snippets in sd-boot, which reference remote kernels. @@ -321,14 +357,6 @@ Features: be included as much as PCR 7 (as it contains shim's policy, which is certainly as relevant as PCR 7 on many systems) -* move discoverable partition spec and boot loader spec over to uapi group - -* maybe measure UUIDs of important mounted file systems (after mount, via the - new ioctls to query them) into PCR 15? Add "x-systemd.measure-pcr=" or so for - this that pulls in a per mount service? - -* measure /etc/machine-id during early boot into PCR 15? - * To mimic the new tpm2-measure-pcr= crypttab option add the same to veritytab (measuring the root hash) and integritytab (measuring the HMAC key if one is used) 
@@ -598,12 +626,6 @@ Features: * building on top of the above, the pub/priv key pair generated on the TPM2 should probably also one you can use to get a remote attestation quote. -* bootctl: add "gc" verb that loads all type #1 .conf files, and then removes - all files from the set of files from the ESP/XBOOTLDR matching the entry - token that are not referenced by any. Then, change kernel-install to use only - this to remove auxiliary files, and never remove them explicitly. Benefit: - resources such as initrds/kernels/dtb can be shared between entries. - * Process credentials in: • networkd/udevd: add a way to define additional .link, .network, .netdev files via the credentials logic. @@ -676,7 +698,7 @@ Features: * sd-event: add ability to "chain" event sources. Specifically, add a call sd_event_source_chain(x, y), which will automatically enable event source y - in oneshit mode once x is triggered. Use case: in src/core/mount.c implement + in oneshot mode once x is triggered. Use case: in src/core/mount.c implement the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is seen, trigger the rescan defer event source automatically, and allow it to be dispatched *before* the SIGCHLD is handled (based on priorities). Benefit: @@ -1091,12 +1113,7 @@ Features: * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the reception limit the kernel silently enforces. -* add an Open= setting to service unit files that can open arbitrary file - system paths at service startup time and pass them to the service process via - our usual socket activation protocol. If passed path refers to AF_UNIX - socket: connect() to it. - -* Similar, ConnectStream= which takes IP addresses and connects to them. +* Add service unit setting ConnectStream= which takes IP addresses and connects to them. * Similar, Load= which takes literal data in text or base64 format, and puts it into a memfd, and passes that. This enables some fun stuff, such as embedding
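Review bot: the PCR 4 binding design in the first hunk (@@ -129,7 +129,43 @@) leaves two authorization points unstated that the item should spell out: what authorizes incrementing the persistent counter C, since the freshness of every stored signature rests on C only advancing when the signature type is deliberately switched, and who may read the pre-generated open-policy signature kept under /run, since whoever holds it can satisfy the relaxed policy until C is next incremented. It also does not say how the first P signature is produced when P is only usable under a policy signed by P itself, which presumably means signing before the key is locked into its nvindex. While touching these lines: "for user during the whole later boot" should be "for use during the whole later boot", "identifiying" should be "identifying", "being exposes as GPT partitions" should be "being exposed as GPT partitions", and "I a partition is extended" should be "If a partition is extended".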
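Review bot: in the sd-boot hunk (@@ -198,7 +234,7 @@) the context line right after the corrected "Then" still reads "embdedding a cpio"; since this hunk is already a spelling fix, fold "embedding" into it rather than leaving a second typo in the same sentence.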
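Review bot: the hunk at @@ -321,14 +357,6 @@ drops three items (the uapi group move, measuring mounted file system UUIDs into PCR 15, and measuring /etc/machine-id into PCR 15) with nothing indicating whether they were implemented or abandoned; the commit message should say which, because the two PCR 15 items describe measurements a policy author might otherwise assume exist.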
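Review bot: in the hunk at @@ -598,12 +626,6 @@ the surviving context line "should probably also one you can use to get a remote attestation quote" is missing a verb and should read "should probably also be one you can use"; worth fixing while the adjacent bootctl "gc" item is being removed.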
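Review bot: in the last hunk (@@ -1091,12 +1113,7 @@) the new line "* Add service unit setting ConnectStream= which takes IP addresses and connects to them." exceeds the roughly 80-column wrap the rest of the file uses and should be broken like its neighbours; with the Open= item gone, the following "Similar, Load=" now refers back only to ConnectStream=, which still reads correctly but should be checked against the intended meaning.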