mirror of https://github.com/systemd/systemd.git synced 2025-01-05 13:18:06 +03:00

update TODO

Lennart Poettering 2024-06-18 09:27:57 +02:00
parent 25dcd9a348
commit 2f92e5c327

30
TODO

@ -130,6 +130,36 @@ Deprecations and removals:
Features: Features:
* sd-json: before release figure out what to do about
SD_JSON_DEBUG+SD_JSON_WARNING. They are probably useless and should be hidden
in the public API since we don't expose log_json()
* rough proposed implementation design for remote attestation infra: add a tool
that generates a quote of local PCRs and NvPCRs, along with synchronous log
snapshot. use "audit session" logic for that, so that we get read-outs and
signature in one step. Then turn this into a JSON object. Use the "TCG TSS 2.0
JSON Data Types and Policy Language" format to encode the signature. And CEL
for the measurement log.
* creds: add a new cred format that reused the JSON structures we use in the
LUKS header, so that we get the various newer policies for free.
* drop PCR 7 from default PCR mask in credentials and LUKS2 enrollments
* systemd-analyze: port "pcrs" verb to talk directly to TPM device, instead of
using sysfs interface (well, or maybe not, as that would require privileges?)
* pcrextend/tpm2-util: add a concept of "rotation" to event log. i.e. allow
trailing parts of the logs if time or disk space limit is hit. Protect the
boot-time measurements however (i.e. up to some point where things are
settled), since we need those for pcrlock measurements and similar. When
deleting entries for rotation, place an event that declares how many items
have been dropped, and what the hash before and after that.
* measure information about all DDIs as we activate them to an NvPCR. We
probably should measure the dm-verity root hash from the kernel side, but
DDI meta info from userspace.
* consider reworking json_build() to imply a top-level JSON_BUILD_OBJECT(), * consider reworking json_build() to imply a top-level JSON_BUILD_OBJECT(),
since that's what we want in 99% of cases. Then provide json_build_any() or since that's what we want in 99% of cases. Then provide json_build_any() or
so that can build other variant types top-level too. so that can build other variant types top-level too.
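
Review bot: The new "pcrextend/tpm2-util" rotation entry is missing words in two places and leaves the marker event underspecified. "allow trailing parts of the logs if time or disk space limit is hit" has no verb for what happens to those parts (presumably "dropping"), and "what the hash before and after that" also lacks a verb. It would help to say which hash the marker records (the PCR value at that point, or a running digest over the log), because a verifier replaying a rotated log against a quote can only bridge the gap if that value is well defined. The same applies to the protected boot-time range: "up to some point where things are settled" should name the event or condition that ends it, since the entry says pcrlock depends on those measurements. Separately, "drop PCR 7 from default PCR mask in credentials and LUKS2 enrollments" states no reason and no replacement binding, so a short rationale would make the item actionable. In the creds entry, "that reused" should read "that reuses".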