mirror of
https://github.com/systemd/systemd.git
synced 2025-01-05 13:18:06 +03:00
update TODO
This commit is contained in:
parent
25dcd9a348
commit
2f92e5c327
30
TODO
30
TODO
@ -130,6 +130,36 @@ Deprecations and removals:
|
|||||||
|
|
||||||
Features:
|
Features:
|
||||||
|
|
||||||
|
* sd-json: before release figure out what to do about
|
||||||
|
SD_JSON_DEBUG+SD_JSON_WARNING. They are probably useless and should be hidden
|
||||||
|
in the public API since we don't expose log_json()
|
||||||
|
|
||||||
|
* rough proposed implementation design for remote attestation infra: add a tool
|
||||||
|
that generates a quote of local PCRs and NvPCRs, along with synchronous log
|
||||||
|
snapshot. use "audit session" logic for that, so that we get read-outs and
|
||||||
|
signature in one step. Then turn this into a JSON object. Use the "TCG TSS 2.0
|
||||||
|
JSON Data Types and Policy Language" format to encode the signature. And CEL
|
||||||
|
for the measurement log.
|
||||||
|
|
||||||
|
* creds: add a new cred format that reused the JSON structures we use in the
|
||||||
|
LUKS header, so that we get the various newer policies for free.
|
||||||
|
|
||||||
|
* drop PCR 7 from default PCR mask in credentials and LUKS2 enrollments
|
||||||
|
|
||||||
|
* systemd-analyze: port "pcrs" verb to talk directly to TPM device, instead of
|
||||||
|
using sysfs interface (well, or maybe not, as that would require privileges?)
|
||||||
|
|
||||||
|
* pcrextend/tpm2-util: add a concept of "rotation" to event log. i.e. allow
|
||||||
|
trailing parts of the logs if time or disk space limit is hit. Protect the
|
||||||
|
boot-time measurements however (i.e. up to some point where things are
|
||||||
|
settled), since we need those for pcrlock measurements and similar. When
|
||||||
|
deleting entries for rotation, place an event that declares how many items
|
||||||
|
have been dropped, and what the hash before and after that.
|
||||||
|
|
||||||
|
* measure information about all DDIs as we activate them to an NvPCR. We
|
||||||
|
probably should measure the dm-verity root hash from the kernel side, but
|
||||||
|
DDI meta info from userspace.
|
||||||
|
|
||||||
* consider reworking json_build() to imply a top-level JSON_BUILD_OBJECT(),
|
* consider reworking json_build() to imply a top-level JSON_BUILD_OBJECT(),
|
||||||
since that's what we want in 99% of cases. Then provide json_build_any() or
|
since that's what we want in 99% of cases. Then provide json_build_any() or
|
||||||
so that can build other variant types top-level too.
|
so that can build other variant types top-level too.
|
||||||
|
Loading…
Reference in New Issue
Block a user