From 3bcf564530bfa7e001354dd94e653905523c418d Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 1 Dec 2022 22:21:45 +0100 Subject: [PATCH] update TODO --- TODO | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/TODO b/TODO index b0e4665ad86..e9d6c61108d 100644 --- a/TODO +++ b/TODO @@ -293,9 +293,6 @@ Features: userspace to allow ordering boots (for example in journalctl). The counter would be monotonically increased on every boot. -* systemd-sysext: for sysext DDIs picked up via EFI stub, set much stricter - image policy by default - * pam_systemd_home: add module parameter to control whether to only accept only password or only pcks11/fido2 auth, and then use this to hook nicely into two of the three PAM stacks gdm provides. @@ -836,9 +833,6 @@ Features: virtio-fs. * for vendor-built signed initrds: - - make sysext run in the initrd - - sysext should pick up sysext images from /.extra/ in the initrd, and insist - on verification if in secureboot mode - kernel-install should be able to install pre-built unified kernel images in type #2 drop-in dir in the ESP. - kernel-install should be able install encrypted creds automatically for @@ -1046,9 +1040,6 @@ Features: CapabilityQuintet we already have. (This likely allows us to drop libcap dep in the base OS image) -* sysext: automatically activate sysext images dropped in via new sd-stub - sysext pickup logic. (must insist on verity + signature on those though) - * add concept for "exitrd" as inverse of "initrd", that we can transition to at shutdown, and has similar security semantics. This should then take the place of dracut's shutdown logic. Should probably support sysexts too. Care needs 
@@ -1078,22 +1069,6 @@ Features: keys of /etc/crypttab. That way people can store/provide the roothash externally and provide to us on demand only. -* add high-level lockdown level for GPT dissection logic: e.g. an enum that can - be ANY (to mount anything), TRUSTED (to require that /usr is on signed - verity, but rest doesn't matter), LOCKEDDOWN (to require that everything is - on signed verity, except for ESP), SUPERLOCKDOWN (like LOCKEDDOWN but ESP not - allowed). And then maybe some flavours of that that declare what is expected - from home/srv/var… Then, add a new cmdline flag to all tools that parse such - images, to configure this. Also, add a kernel cmdline option for this, to be - honoured by the gpt auto generator. - - Alternative idea: add "systemd.gpt_auto_policy=rhvs" to allow gpt-auto to - only mount root dir, /home/ dir, /var/ and /srv/, but nothing else. And then - minor extension to this, insisting on encryption, for example - "systemd.gpt_auto_policy=r+v+h" to require encryption for root and var but not - for /home/, and similar. Similar add --image-dissect-policy= to tools that - take --image= that take the same short string. - * we probably should extend the root verity hash of the root fs into some PCR on boot. (i.e. maybe add a veritytab option tpm2-measure=12 or so to measure it into PCR 12); Similar: we probably should extend the LUKS volume key of @@ -1106,10 +1081,6 @@ Features: (i.e. sysext, root verity) from those inherently local (i.e. encryption key), which is useful if they shall be signed separately. -* add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount, - what must be read-only, what requires encryption, and what requires - authentication. - * in uefi stub: query firmware regarding which PCR banks are being used, store that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify that the selected PCRs actually are used by firmware.
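Review bot: for the `@@ -293,9 +293,6 @@` hunk, the commit message "update TODO" does not say whether the "systemd-sysext: for sysext DDIs picked up via EFI stub, set much stricter image policy by default" item is being removed because it was implemented or because it was abandoned; the message should state which, and, if it landed, point at the change that implements the stricter default policy so the TODO removal can be checked against it.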
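Review bot: in the `@@ -836,9 +833,6 @@` hunk, removing "sysext should pick up sysext images from /.extra/ in the initrd, and insist on verification if in secureboot mode" drops a stated security requirement without recording where it is now enforced; if the pickup logic exists, the commit message should name where the secure-boot verification requirement is implemented, since after this change the TODO no longer carries it and the remaining "for vendor-built signed initrds:" sub-items only cover kernel-install.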
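Review bot: the `@@ -1078,22 +1069,6 @@` hunk deletes the only written design notes for the GPT dissection lockdown levels (ANY / TRUSTED / LOCKEDDOWN / SUPERLOCKDOWN, the `systemd.gpt_auto_policy=rhvs` alternative, and `--image-dissect-policy=`); the commit message should say which of the two proposed syntaxes was chosen, or that neither was, so a reader of the history can reconcile the removed alternatives with whatever policy option the tools actually take.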
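Review bot: the item removed in the `@@ -1106,10 +1081,6 @@` hunk ("add a 'policy' to the dissection logic. i.e. a bit mask what is OK to mount, what must be read-only, what requires encryption, and what requires authentication") restates the lockdown-level item removed in the `@@ -1078` hunk; removing both together is right, but the commit message should mention that the two entries describe one feature so the deletion of two TODO items is not mistaken for two separate pieces of completed work.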