mirror of
https://github.com/systemd/systemd.git
synced 2025-01-10 05:18:17 +03:00
update TODO
This commit is contained in:
parent
6d856e26a7
commit
1d5f14ef3d
65
TODO
65
TODO
@ -117,6 +117,11 @@ Deprecations and removals:
|
||||
|
||||
Features:
|
||||
|
||||
* during the initrd → host transition measure a fixed value into TPM PCR 11
|
||||
(where we already measure the UKI into), so that unlock policies for disk
|
||||
enryption/credential encryption can be put together that only work in the
|
||||
initrd or only on the host (or both).
|
||||
|
||||
* Add support for extra verity configuration options to systemd-reart (FEC, hash type, etc)
|
||||
|
||||
* chase_symlinks(): take inspiraton from path_extract_filename() and return
|
||||
@ -160,11 +165,6 @@ Features:
|
||||
|
||||
* systemd-measure tool:
|
||||
- pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11
|
||||
- sign pre-calculated hashes in a way compatible with TPM2 PCR hash signature
|
||||
policies, in a way they can be included in unified PE kernel images, and
|
||||
made available to userspace. There, this should be consumed by
|
||||
systemd-cryptsetup to implement PCR signature based TPM volume unlock
|
||||
policies.
|
||||
|
||||
* in sd-boot: load EFI drivers from a new PE section. That way, one can have a
|
||||
"supercharged" sd-boot binary, that could carry ext4 drivers built-in.
|
||||
@ -249,8 +249,7 @@ Features:
|
||||
|
||||
* repart: allow defining additional partitions via credential
|
||||
|
||||
* tmpfiles: add snippet that provisions /etc/hosts, /etc/motd,
|
||||
/root/.ssh/authorized_keys from credential
|
||||
* tmpfiles: add snippet that provisions /root/.ssh/authorized_keys from credential
|
||||
|
||||
* timesyncd: pick NTP server info from credential
|
||||
|
||||
@ -343,50 +342,11 @@ Features:
|
||||
* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
|
||||
that hooks up userbdctl ssh-key stuff.
|
||||
|
||||
* allow embedding a signature blob for PCR hashes into separate section in
|
||||
unified kernel binaries. This section should be picked up by sd-stub, and
|
||||
passed in a file to the booted kernel (via initrd cpio, as usual). Usecase:
|
||||
this way we can implement disk encryption policies that bind to specific
|
||||
kernel PCR state, without breaking things on every kernel update. As long as
|
||||
the kernel includes the PCR signature blob we should be good, as disk
|
||||
encryption can then pass the signature to the TPM to unlock their secrets.
|
||||
Why do this via a separate PE section? That's because the PCR state depends
|
||||
on the measured kernel/initrd of course, thus we cannot put the signature
|
||||
into the kernel/initrd itself, because that would require a time machine.
|
||||
Hence we have to find a separate place. A simple solution is a PE section
|
||||
of its own, because then it is next to the kernel and initrd which after all
|
||||
are stored in PE sections of their own too. Building a unified kernel would
|
||||
thus mean, calculating PCR values for the raw kernel image, and raw initrd
|
||||
image, then signing those PCR values with a vendor key, and then combining
|
||||
sd-stub, raw kernel image, raw initrd, and PCR signature into a unified
|
||||
kernel image.
|
||||
|
||||
* a new tool "systemd-trust" or so, that can calculate PCR hashes offline, and
|
||||
optionally sign them. for that we should extend our syntax for specifying pcr
|
||||
policies (e.g. the string like "4+7+9") so that it can also include explicit
|
||||
hash values, i.e.
|
||||
4=sha256:0ef149998289474e4bb31813edda6ad7f3c991b2d8dec6e8fe4db7a1f039f2d1+7=sha256:87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7+9=sha256:0263829989b6fd954f72baaf2fc64bc2e2f01d692d4de72986ea808f6e99813f
|
||||
and file names to calculate hashes from, i.e.
|
||||
4=file:/boot/vmlinuz+7=file:/boot/initrd/+9=file:/etc/fstab"
|
||||
The systemd-trust tool should then be able to resolve any "underspecifed"
|
||||
form into the form with explicit hash values.
|
||||
|
||||
* maybe add support for binding and connecting AF_UNIX sockets in the file
|
||||
system outside of the 108ch limit. When connecting, open O_PATH fd to socket
|
||||
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
|
||||
to target dir in /tmp, and bind through it.
|
||||
|
||||
* tmpfiles: for f/F/w lines, if the argument columns is left unspecified, look
|
||||
for a service credential named after the file path to write to, and load
|
||||
contents to write from there. Usecase: provision arbitrary files from
|
||||
credentials. Example use: with a line like "f /root/.ssh/authorized-keys
|
||||
0644 root root" in a tmpfiles.d/ snippet add
|
||||
LoadCredential=root.ssh.authorized-keys via drop-in to
|
||||
systemd-tmpfiles.service, and then provision an SSH access key through
|
||||
nspawn's --load-credential=, through qemu's fw_cfg, or via systemd-stub's
|
||||
credntial pick-up. The latter is particularly interesting to implement SSH
|
||||
access to an initrd.
|
||||
|
||||
* systemd-homed: when initializing, look for a credential sysemd.homed.register
|
||||
or so with JSON user records to automatically register if not registered yet.
|
||||
Usecase: deploy a system, and add an account one can directly log into.
|
||||
@ -406,14 +366,11 @@ Features:
|
||||
set up the directory so that it can only be accessed if host and app are in
|
||||
order.
|
||||
|
||||
* TPM2: add auth policy for signed PCR values to make updates easy. i.e. do
|
||||
what tpm2_policyauthorize tool does. To be truly useful scheme needs to be a
|
||||
bit more elaborate though: policy probably must take some nvram based
|
||||
generation counter into account that can only monotonically increase and can
|
||||
be used to invalidate old PCR signatures. Otherwise people could downgrade to
|
||||
old signed PCR sets whenever they want. Usecase: encrypt the rootfs with LUKS
|
||||
with a key that can only be unlocked via a pristine pre-built Fedora
|
||||
kernel+initrd.
|
||||
* TPM2: extend unlock policy to protect against version downgrades in signed
|
||||
policies: policy probably must take some nvram based generation counter into
|
||||
account that can only monotonically increase and can be used to invalidate
|
||||
old PCR signatures. Otherwise people could downgrade to old signed PCR sets
|
||||
whenever they want.
|
||||
|
||||
* update HACKING.md to suggest developing systemd with the ideas from:
|
||||
https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html
|
||||
|
Loading…
Reference in New Issue
Block a user