1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

update TODO

This commit is contained in:
Lennart Poettering 2022-08-26 11:11:07 +02:00
parent 6d856e26a7
commit 1d5f14ef3d

65
TODO
View File

@ -117,6 +117,11 @@ Deprecations and removals:
Features:
* during the initrd → host transition measure a fixed value into TPM PCR 11
(where we already measure the UKI into), so that unlock policies for disk
enryption/credential encryption can be put together that only work in the
initrd or only on the host (or both).
* Add support for extra verity configuration options to systemd-reart (FEC, hash type, etc)
* chase_symlinks(): take inspiraton from path_extract_filename() and return
@ -160,11 +165,6 @@ Features:
* systemd-measure tool:
- pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11
- sign pre-calculated hashes in a way compatible with TPM2 PCR hash signature
policies, in a way they can be included in unified PE kernel images, and
made available to userspace. There, this should be consumed by
systemd-cryptsetup to implement PCR signature based TPM volume unlock
policies.
* in sd-boot: load EFI drivers from a new PE section. That way, one can have a
"supercharged" sd-boot binary, that could carry ext4 drivers built-in.
@ -249,8 +249,7 @@ Features:
* repart: allow defining additional partitions via credential
* tmpfiles: add snippet that provisions /etc/hosts, /etc/motd,
/root/.ssh/authorized_keys from credential
* tmpfiles: add snippet that provisions /root/.ssh/authorized_keys from credential
* timesyncd: pick NTP server info from credential
@ -343,50 +342,11 @@ Features:
* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
that hooks up userbdctl ssh-key stuff.
* allow embedding a signature blob for PCR hashes into separate section in
unified kernel binaries. This section should be picked up by sd-stub, and
passed in a file to the booted kernel (via initrd cpio, as usual). Usecase:
this way we can implement disk encryption policies that bind to specific
kernel PCR state, without breaking things on every kernel update. As long as
the kernel includes the PCR signature blob we should be good, as disk
encryption can then pass the signature to the TPM to unlock their secrets.
Why do this via a separate PE section? That's because the PCR state depends
on the measured kernel/initrd of course, thus we cannot put the signature
into the kernel/initrd itself, because that would require a time machine.
Hence we have to find a separate place. A simple solution is a PE section
of its own, because then it is next to the kernel and initrd which after all
are stored in PE sections of their own too. Building a unified kernel would
thus mean, calculating PCR values for the raw kernel image, and raw initrd
image, then signing those PCR values with a vendor key, and then combining
sd-stub, raw kernel image, raw initrd, and PCR signature into a unified
kernel image.
* a new tool "systemd-trust" or so, that can calculate PCR hashes offline, and
optionally sign them. for that we should extend our syntax for specifying pcr
policies (e.g. the string like "4+7+9") so that it can also include explicit
hash values, i.e.
4=sha256:0ef149998289474e4bb31813edda6ad7f3c991b2d8dec6e8fe4db7a1f039f2d1+7=sha256:87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7+9=sha256:0263829989b6fd954f72baaf2fc64bc2e2f01d692d4de72986ea808f6e99813f
and file names to calculate hashes from, i.e.
4=file:/boot/vmlinuz+7=file:/boot/initrd/+9=file:/etc/fstab"
The systemd-trust tool should then be able to resolve any "underspecifed"
form into the form with explicit hash values.
* maybe add support for binding and connecting AF_UNIX sockets in the file
system outside of the 108ch limit. When connecting, open O_PATH fd to socket
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
to target dir in /tmp, and bind through it.
* tmpfiles: for f/F/w lines, if the argument columns is left unspecified, look
for a service credential named after the file path to write to, and load
contents to write from there. Usecase: provision arbitrary files from
credentials. Example use: with a line like "f /root/.ssh/authorized-keys
0644 root root" in a tmpfiles.d/ snippet add
LoadCredential=root.ssh.authorized-keys via drop-in to
systemd-tmpfiles.service, and then provision an SSH access key through
nspawn's --load-credential=, through qemu's fw_cfg, or via systemd-stub's
credntial pick-up. The latter is particularly interesting to implement SSH
access to an initrd.
* systemd-homed: when initializing, look for a credential sysemd.homed.register
or so with JSON user records to automatically register if not registered yet.
Usecase: deploy a system, and add an account one can directly log into.
@ -406,14 +366,11 @@ Features:
set up the directory so that it can only be accessed if host and app are in
order.
* TPM2: add auth policy for signed PCR values to make updates easy. i.e. do
what tpm2_policyauthorize tool does. To be truly useful scheme needs to be a
bit more elaborate though: policy probably must take some nvram based
generation counter into account that can only monotonically increase and can
be used to invalidate old PCR signatures. Otherwise people could downgrade to
old signed PCR sets whenever they want. Usecase: encrypt the rootfs with LUKS
with a key that can only be unlocked via a pristine pre-built Fedora
kernel+initrd.
* TPM2: extend unlock policy to protect against version downgrades in signed
policies: policy probably must take some nvram based generation counter into
account that can only monotonically increase and can be used to invalidate
old PCR signatures. Otherwise people could downgrade to old signed PCR sets
whenever they want.
* update HACKING.md to suggest developing systemd with the ideas from:
https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html