update TODO

TODO

@@ -293,9 +293,6 @@ Features:
   userspace to allow ordering boots (for example in journalctl). The counter
   would be monotonically increased on every boot.
 
-* systemd-sysext: for sysext DDIs picked up via EFI stub, set much stricter
-  image policy by default
-
 * pam_systemd_home: add module parameter to control whether to only accept
   only password or only pcks11/fido2 auth, and then use this to hook nicely
   into two of the three PAM stacks gdm provides.
@@ -836,9 +833,6 @@ Features:
   virtio-fs.
 
 * for vendor-built signed initrds:
-  - make sysext run in the initrd
-  - sysext should pick up sysext images from /.extra/ in the initrd, and insist
-    on verification if in secureboot mode
   - kernel-install should be able to install pre-built unified kernel images in
     type #2 drop-in dir in the ESP.
   - kernel-install should be able install encrypted creds automatically for
@@ -1046,9 +1040,6 @@ Features:
   CapabilityQuintet we already have. (This likely allows us to drop libcap
   dep in the base OS image)
 
-* sysext: automatically activate sysext images dropped in via new sd-stub
-  sysext pickup logic. (must insist on verity + signature on those though)
-
 * add concept for "exitrd" as inverse of "initrd", that we can transition to at
   shutdown, and has similar security semantics. This should then take the place
   of dracut's shutdown logic. Should probably support sysexts too. Care needs
@@ -1078,22 +1069,6 @@ Features:
   keys of /etc/crypttab. That way people can store/provide the roothash
   externally and provide to us on demand only.
 
-* add high-level lockdown level for GPT dissection logic: e.g. an enum that can
-  be ANY (to mount anything), TRUSTED (to require that /usr is on signed
-  verity, but rest doesn't matter), LOCKEDDOWN (to require that everything is
-  on signed verity, except for ESP), SUPERLOCKDOWN (like LOCKEDDOWN but ESP not
-  allowed). And then maybe some flavours of that that declare what is expected
-  from home/srv/var… Then, add a new cmdline flag to all tools that parse such
-  images, to configure this. Also, add a kernel cmdline option for this, to be
-  honoured by the gpt auto generator.
-
-  Alternative idea: add "systemd.gpt_auto_policy=rhvs" to allow gpt-auto to
-  only mount root dir, /home/ dir, /var/ and /srv/, but nothing else. And then
-  minor extension to this, insisting on encryption, for example
-  "systemd.gpt_auto_policy=r+v+h" to require encryption for root and var but not
-  for /home/, and similar. Similar add --image-dissect-policy= to tools that
-  take --image= that take the same short string.
-
 * we probably should extend the root verity hash of the root fs into some PCR
   on boot. (i.e. maybe add a veritytab option tpm2-measure=12 or so to measure
   it into PCR 12); Similar: we probably should extend the LUKS volume key of
@@ -1106,10 +1081,6 @@ Features:
   (i.e. sysext, root verity) from those inherently local (i.e. encryption key),
   which is useful if they shall be signed separately.
 
-* add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount,
-  what must be read-only, what requires encryption, and what requires
-  authentication.
-
 * in uefi stub: query firmware regarding which PCR banks are being used, store
   that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify
   that the selected PCRs actually are used by firmware.