1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

update TODO

This commit is contained in:
Lennart Poettering 2023-02-06 11:53:05 +01:00
parent ecf4be2952
commit 1c904337a2

63
TODO
View File

@ -129,7 +129,43 @@ Deprecations and removals:
Features:
* tmpfiles snippet that locks down /etc/credstore/ and friends, just in case.
* in order to make binding to PCR 4 realistic:
- generate one keypair "U" and store it in a tpm2 nvindex.
- Generate another keypair "P" and store it in a second tpm2 nvindex.
- allocate a persistent counter object "C" in the tpm2
- Enroll all user objects (i.e. luks volumes, creds, …) to a tpm2 policy
signed by U.
- Lock both U and P down with a tpm2 policy signed by P (yes, P can only be
used if a signature by P itself can be provided)
- For regular reboots generate a signature for a restrictive PCR4 + counter C
based policy with key P. Place signature in EFI var, so it can be found on
next boot
- For reboots where a firmware update is expected generate a signature with a
more open policy against just counter C. Place signature in same EFI var.
- Increase C whenever switching between these two signature types.
- During early boot, use the signature from the EFI var to unlock U and P.
Use it to generate a signature for unlocking user objects given the current
PCR 4 value, store that away into /run somewhere, for user during the whole
later boot.
- When booting up automatically update the mentioned efi var so that it
contains the restrictive signature. But also generate a signature ahead of
time that could be used in case during the current boot we later detect we might
need to reboot for a firmware update. Store that in /run somewhere, so that
it can be placed in the EFI var, if needed.
* repart/gpt-auto/DDIs: maybe introduce a concept of "extension" partitions,
that have a new type uuid and can "extend" earlier partitions, to work around
the fact that systemd-repart can only grow the last partition defined. During
activation we'd simply set up a dm-linear mapping to merge them again. A
partition that is to be extended would just set a bit in the partition flags
field to indicate that there's another extension partition to look for. The
identifiying UUID of the extension partition would be hashed in counter mode
from the uuid of the original partition it extends. Inspiration for this is
the "dynamic partitions" concept of new Android. This would be a minimalistic
concept of a volume manager, with the extents it manages being exposes as GPT
partitions. I a partition is extended multiple times they should probably
grow exponentially in size to ensure O(log(n)) time for finding them on
access.
* split out execute.c into new "systemd-executor" binary. Then make PID 1 fork
that off via vfork(), and then let that executor do the hard work. Ultimately
@ -198,7 +234,7 @@ Features:
See discussion at https://github.com/authselect/authselect/pull/311
* sd-boot: make boot loader spec type #1 accept http urls in "linux"
lines. THen, do the uefi http dance to download kernels and boot them. This
lines. Then, do the uefi http dance to download kernels and boot them. This
is then useful for network boot, by embdedding a cpio with type #1 snippets
in sd-boot, which reference remote kernels.
@ -321,14 +357,6 @@ Features:
be included as much as PCR 7 (as it contains shim's policy, which is
certainly as relevant as PCR 7 on many systems)
* move discoverable partition spec and boot loader spec over to uapi group
* maybe measure UUIDs of important mounted file systems (after mount, via the
new ioctls to query them) into PCR 15? Add "x-systemd.measure-pcr=" or so for
this that pulls in a per mount service?
* measure /etc/machine-id during early boot into PCR 15?
* To mimic the new tpm2-measure-pcr= crypttab option add the same to veritytab
(measuring the root hash) and integritytab (measuring the HMAC key if one is
used)
@ -598,12 +626,6 @@ Features:
* building on top of the above, the pub/priv key pair generated on the TPM2
should probably also one you can use to get a remote attestation quote.
* bootctl: add "gc" verb that loads all type #1 .conf files, and then removes
all files from the set of files from the ESP/XBOOTLDR matching the entry
token that are not referenced by any. Then, change kernel-install to use only
this to remove auxiliary files, and never remove them explicitly. Benefit:
resources such as initrds/kernels/dtb can be shared between entries.
* Process credentials in:
• networkd/udevd: add a way to define additional .link, .network, .netdev files
via the credentials logic.
@ -676,7 +698,7 @@ Features:
* sd-event: add ability to "chain" event sources. Specifically, add a call
sd_event_source_chain(x, y), which will automatically enable event source y
in oneshit mode once x is triggered. Use case: in src/core/mount.c implement
in oneshot mode once x is triggered. Use case: in src/core/mount.c implement
the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is
seen, trigger the rescan defer event source automatically, and allow it to be
dispatched *before* the SIGCHLD is handled (based on priorities). Benefit:
@ -1091,12 +1113,7 @@ Features:
* whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
reception limit the kernel silently enforces.
* add an Open= setting to service unit files that can open arbitrary file
system paths at service startup time and pass them to the service process via
our usual socket activation protocol. If passed path refers to AF_UNIX
socket: connect() to it.
* Similar, ConnectStream= which takes IP addresses and connects to them.
* Add service unit setting ConnectStream= which takes IP addresses and connects to them.
* Similar, Load= which takes literal data in text or base64 format, and puts it
into a memfd, and passes that. This enables some fun stuff, such as embedding