mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
update TODO
This commit is contained in:
parent
6e50cf38a6
commit
6d040d84f5
17
TODO
@ -119,6 +119,17 @@ Deprecations and removals:
Features:
* sd-stub: add ".bootcfg" section for kernel bootconfig data (as per
* tpm2: add (optional) support for generating a local signing key from PCR 15
state. use private key part to sign PCR 7+14 policies. stash signatures for
expected PCR7+14 policies in EFI var. use public key part in disk encryption.
generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can
securely bind against SecureBoot/shim state, without having to renroll
everything on each update (but we still have to generate one sig on each
update, but that should be robust/idempotent). needs rollback protection, as
usual.
* Lennart: big blog story about DDIs
* Lennart: big blog story about building initrds
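Review bot: the tpm2 item says the local signing key is "generated from PCR 15 state" but does not say what keeps the private half out of reach once it has been derived; if the derivation is deterministic in PCR 15 state, any code that later finds the TPM in that same state could derive the same key and sign PCR 7+14 policies of its own, so the item should record the intended guard (for example extending PCR 15 after derivation, or sealing the key under a policy only the enrolling component can satisfy). The closing "needs rollback protection, as usual" would likewise be more useful if it named the mechanism the signatures in the EFI variable are meant to be protected by. Minor: "renroll" should read "re-enroll".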
@ -203,8 +214,10 @@ Features:
software updates. But that's wrong. Recent fwupd (rightfully) contains code
for updating the dbx denylist. This means even without any active policy
change PCR 7 might change. Hence, better idea might be in systemd-creds to
default to PCR 15 at least of sd-stub is used (i.e. bind to system identity),
and in cryptsetup simply the empty list?
default to PCR 15 at least if sd-stub is used (i.e. bind to system identity),
and in cryptsetup simply the empty list? Also, PCR 14 almost certainly should
be included as much as PCR 7 (as it contains shim's policy, which is
certainly as relevant as PCR 7 on many systems)
* move discoverable partition spec and boot loader spec over to uapi group
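Review bot: the added sentence argues that PCR 14 "should be included as much as PCR 7", but the paragraph's own objection to PCR 7 (fwupd updating dbx moves it without any active policy change) applies to PCR 14 just the same, since the mok/mokx updates listed in the tpm2 item above would move it too; the note should either say that PCR 14 is only a sensible default once the signed-policy scheme from that item exists, or otherwise reconcile the two statements. The "at least of sd-stub is used" to "if sd-stub is used" fix in the same hunk is correct.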