mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
update NEWS
This commit is contained in:
parent
d1d8786c5b
commit
29818c4e99
43
NEWS
43
NEWS
@ -44,36 +44,43 @@ CHANGES WITH 252 in spe:
|
||||
systemd-stub is booted. This is useful for implementing TPM2 policies
|
||||
for LUKS encrypted volumes and encrypted system/service credentials,
|
||||
that robustly bind to kernels carrying appropriate PCR signature
|
||||
information. The signed expected PCR information may be embedded
|
||||
inside UKI images for this purpose so that it is automatically
|
||||
available in userspace, once the UKI is booted.
|
||||
information. The signed expected PCR information, and the public key
|
||||
used for the signature may be embedded inside UKIs for this purpose,
|
||||
so that it is automatically available in userspace, once the UKI is
|
||||
booted.
|
||||
|
||||
systemd-cryptsetup, systemd-cryptenroll and systemd-creds have been
|
||||
updated to make use of this information if available in the booted
|
||||
kernel.
|
||||
|
||||
Net effect: if you boot a properly prepared kernel, TPM-bound disk
|
||||
encryption now defaults to be locked to kernels which carry PCR
|
||||
signatures from the same signature key pair. Example: if a
|
||||
hypothetical distro FooOS prepares its UKI kernels like this,
|
||||
TPM-based disk encryption is now – by default – bound to only FooOS
|
||||
kernels, and encrypted volumes bound to the TPM cannot be unlocked on
|
||||
other kernels from other sources. (But do note this behaviour
|
||||
requires preparation/enabling in the UKI, and of course users can
|
||||
always enroll non-TPM ways to unlock the volume.)
|
||||
kernel: when locking an encrypted volume/credential to the TPM
|
||||
systemd-cryptenroll/systemd-creds will use the public key embedded in
|
||||
the booted UKI to bind the volume/credential to the kernel (and
|
||||
future versions thereof, as long as it carries PCR information signed
|
||||
by the same key pair). When unlocking such an encrypted
|
||||
volume/credential systemd-cryptsetup/systemd-creds will use the
|
||||
signature embedded in the booted UKI to gain access.
|
||||
|
||||
Binding TPM-based disk encryption to public keys/signatures of PCR
|
||||
values — instead of literal PCR values — addresses the inherent
|
||||
"brittleness" of traditional PCR-bound TPM disk encryption schemes:
|
||||
disks remain accessible even if the UKI image is updated, without any
|
||||
prepartion during the update scheme — as long as each UKI carries the
|
||||
necessary PCR signature information.
|
||||
disks remain accessible even if the UKI is updated, without any TPM
|
||||
specific preparation during the OS update — as long as each UKI
|
||||
carries the necessary PCR signature information.
|
||||
|
||||
Net effect: if you boot a properly prepared kernel, TPM-bound disk
|
||||
encryption now defaults to be locked to kernels which carry PCR
|
||||
signatures from the same signature key pair. Example: if a
|
||||
hypothetical distro FooOS prepares its UKIs like this, TPM-based disk
|
||||
encryption is now – by default – bound to only FooOS kernels, and
|
||||
encrypted volumes bound to the TPM cannot be unlocked on other
|
||||
kernels from other sources. (But do note this behaviour requires
|
||||
preparation/enabling in the UKI, and of course users can always
|
||||
enroll non-TPM ways to unlock the volume.)
|
||||
|
||||
* systemd-pcrphase is a new tool that is invoked at 4 places during
|
||||
system runtime, and measures additional words into TPM2 PCR 11, to
|
||||
mark milestones of the boot process. This allows binding access to
|
||||
specific TPM2-encrypted secrets to specific phases of the boot
|
||||
process. (Think: LUKS2 disk encryption key only accessible in the
|
||||
process. (Example: LUKS2 disk encryption key only accessible in the
|
||||
initrd, but not later.)
|
||||
|
||||
Changes in systemd itself, i.e. the manager and units
|
||||
|
Loading…
Reference in New Issue
Block a user