mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
update TODO
This commit is contained in:
parent
6d856e26a7
commit
1d5f14ef3d
65
TODO
65
TODO
@ -117,6 +117,11 @@ Deprecations and removals:
|
|||||||
|
|
||||||
Features:
|
Features:
|
||||||
|
|
||||||
|
* during the initrd → host transition measure a fixed value into TPM PCR 11
|
||||||
|
(where we already measure the UKI into), so that unlock policies for disk
|
||||||
|
enryption/credential encryption can be put together that only work in the
|
||||||
|
initrd or only on the host (or both).
|
||||||
|
|
||||||
* Add support for extra verity configuration options to systemd-reart (FEC, hash type, etc)
|
* Add support for extra verity configuration options to systemd-reart (FEC, hash type, etc)
|
||||||
|
|
||||||
* chase_symlinks(): take inspiraton from path_extract_filename() and return
|
* chase_symlinks(): take inspiraton from path_extract_filename() and return
|
||||||
@ -160,11 +165,6 @@ Features:
|
|||||||
|
|
||||||
* systemd-measure tool:
|
* systemd-measure tool:
|
||||||
- pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11
|
- pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11
|
||||||
- sign pre-calculated hashes in a way compatible with TPM2 PCR hash signature
|
|
||||||
policies, in a way they can be included in unified PE kernel images, and
|
|
||||||
made available to userspace. There, this should be consumed by
|
|
||||||
systemd-cryptsetup to implement PCR signature based TPM volume unlock
|
|
||||||
policies.
|
|
||||||
|
|
||||||
* in sd-boot: load EFI drivers from a new PE section. That way, one can have a
|
* in sd-boot: load EFI drivers from a new PE section. That way, one can have a
|
||||||
"supercharged" sd-boot binary, that could carry ext4 drivers built-in.
|
"supercharged" sd-boot binary, that could carry ext4 drivers built-in.
|
||||||
@ -249,8 +249,7 @@ Features:
|
|||||||
|
|
||||||
* repart: allow defining additional partitions via credential
|
* repart: allow defining additional partitions via credential
|
||||||
|
|
||||||
* tmpfiles: add snippet that provisions /etc/hosts, /etc/motd,
|
* tmpfiles: add snippet that provisions /root/.ssh/authorized_keys from credential
|
||||||
/root/.ssh/authorized_keys from credential
|
|
||||||
|
|
||||||
* timesyncd: pick NTP server info from credential
|
* timesyncd: pick NTP server info from credential
|
||||||
|
|
||||||
@ -343,50 +342,11 @@ Features:
|
|||||||
* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
|
* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
|
||||||
that hooks up userbdctl ssh-key stuff.
|
that hooks up userbdctl ssh-key stuff.
|
||||||
|
|
||||||
* allow embedding a signature blob for PCR hashes into separate section in
|
|
||||||
unified kernel binaries. This section should be picked up by sd-stub, and
|
|
||||||
passed in a file to the booted kernel (via initrd cpio, as usual). Usecase:
|
|
||||||
this way we can implement disk encryption policies that bind to specific
|
|
||||||
kernel PCR state, without breaking things on every kernel update. As long as
|
|
||||||
the kernel includes the PCR signature blob we should be good, as disk
|
|
||||||
encryption can then pass the signature to the TPM to unlock their secrets.
|
|
||||||
Why do this via a separate PE section? That's because the PCR state depends
|
|
||||||
on the measured kernel/initrd of course, thus we cannot put the signature
|
|
||||||
into the kernel/initrd itself, because that would require a time machine.
|
|
||||||
Hence we have to find a separate place. A simple solution is a PE section
|
|
||||||
of its own, because then it is next to the kernel and initrd which after all
|
|
||||||
are stored in PE sections of their own too. Building a unified kernel would
|
|
||||||
thus mean, calculating PCR values for the raw kernel image, and raw initrd
|
|
||||||
image, then signing those PCR values with a vendor key, and then combining
|
|
||||||
sd-stub, raw kernel image, raw initrd, and PCR signature into a unified
|
|
||||||
kernel image.
|
|
||||||
|
|
||||||
* a new tool "systemd-trust" or so, that can calculate PCR hashes offline, and
|
|
||||||
optionally sign them. for that we should extend our syntax for specifying pcr
|
|
||||||
policies (e.g. the string like "4+7+9") so that it can also include explicit
|
|
||||||
hash values, i.e.
|
|
||||||
4=sha256:0ef149998289474e4bb31813edda6ad7f3c991b2d8dec6e8fe4db7a1f039f2d1+7=sha256:87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7+9=sha256:0263829989b6fd954f72baaf2fc64bc2e2f01d692d4de72986ea808f6e99813f
|
|
||||||
and file names to calculate hashes from, i.e.
|
|
||||||
4=file:/boot/vmlinuz+7=file:/boot/initrd/+9=file:/etc/fstab"
|
|
||||||
The systemd-trust tool should then be able to resolve any "underspecifed"
|
|
||||||
form into the form with explicit hash values.
|
|
||||||
|
|
||||||
* maybe add support for binding and connecting AF_UNIX sockets in the file
|
* maybe add support for binding and connecting AF_UNIX sockets in the file
|
||||||
system outside of the 108ch limit. When connecting, open O_PATH fd to socket
|
system outside of the 108ch limit. When connecting, open O_PATH fd to socket
|
||||||
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
|
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
|
||||||
to target dir in /tmp, and bind through it.
|
to target dir in /tmp, and bind through it.
|
||||||
|
|
||||||
* tmpfiles: for f/F/w lines, if the argument columns is left unspecified, look
|
|
||||||
for a service credential named after the file path to write to, and load
|
|
||||||
contents to write from there. Usecase: provision arbitrary files from
|
|
||||||
credentials. Example use: with a line like "f /root/.ssh/authorized-keys
|
|
||||||
0644 root root" in a tmpfiles.d/ snippet add
|
|
||||||
LoadCredential=root.ssh.authorized-keys via drop-in to
|
|
||||||
systemd-tmpfiles.service, and then provision an SSH access key through
|
|
||||||
nspawn's --load-credential=, through qemu's fw_cfg, or via systemd-stub's
|
|
||||||
credntial pick-up. The latter is particularly interesting to implement SSH
|
|
||||||
access to an initrd.
|
|
||||||
|
|
||||||
* systemd-homed: when initializing, look for a credential sysemd.homed.register
|
* systemd-homed: when initializing, look for a credential sysemd.homed.register
|
||||||
or so with JSON user records to automatically register if not registered yet.
|
or so with JSON user records to automatically register if not registered yet.
|
||||||
Usecase: deploy a system, and add an account one can directly log into.
|
Usecase: deploy a system, and add an account one can directly log into.
|
||||||
@ -406,14 +366,11 @@ Features:
|
|||||||
set up the directory so that it can only be accessed if host and app are in
|
set up the directory so that it can only be accessed if host and app are in
|
||||||
order.
|
order.
|
||||||
|
|
||||||
* TPM2: add auth policy for signed PCR values to make updates easy. i.e. do
|
* TPM2: extend unlock policy to protect against version downgrades in signed
|
||||||
what tpm2_policyauthorize tool does. To be truly useful scheme needs to be a
|
policies: policy probably must take some nvram based generation counter into
|
||||||
bit more elaborate though: policy probably must take some nvram based
|
account that can only monotonically increase and can be used to invalidate
|
||||||
generation counter into account that can only monotonically increase and can
|
old PCR signatures. Otherwise people could downgrade to old signed PCR sets
|
||||||
be used to invalidate old PCR signatures. Otherwise people could downgrade to
|
whenever they want.
|
||||||
old signed PCR sets whenever they want. Usecase: encrypt the rootfs with LUKS
|
|
||||||
with a key that can only be unlocked via a pristine pre-built Fedora
|
|
||||||
kernel+initrd.
|
|
||||||
|
|
||||||
* update HACKING.md to suggest developing systemd with the ideas from:
|
* update HACKING.md to suggest developing systemd with the ideas from:
|
||||||
https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html
|
https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html
|
||||||
|
Loading…
Reference in New Issue
Block a user