1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

update TODO

This commit is contained in:
Lennart Poettering 2024-01-15 15:03:09 +01:00
parent 7704c3474d
commit fd40e7da6e

36
TODO
View File

@ -142,6 +142,24 @@ Features:
* ditto: rewrite bpf-firewall in libbpf/C code
* credentials: if we ever acquire a secure way to derive cgroup id of socket
peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to
allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next
step use this to implement per-app/per-service encrypted directories, where
we set up fscrypt on the StateDirectory= with a randomized key which is
stored as xattr on the directory, encrypted as a credential.
* credentials: optionally include a per-user secret in scoped user-credential
encryption keys. should come from homed in some way, derived from the luks
volume key or fscrypt directory key.
* credentials: add a flag to the scoped credentials that if set require PK
reauthentication when unlocking a secret.
* teach systemd --user to properly load credentials off disk, with
/etc/credstore equivalent and similar. Mkae sure that $CREDENTIALS_DIRECTORY=
actually works too when run with user privs.
* extend the smbios11 logic for passing credentials so that instead of passing
the credential data literally it can also just reference an AF_VSOCK CID/port
to read them from. This way the data doesn't remain in the SMBIOS blob during
@ -169,23 +187,11 @@ Features:
* use udev rule networkd ownership property to take ownership of network
interfaces nspawn creates
* support encrypted credentials in user context too. This is complicated by the
fact that the user does not have access to the TPM nor the system
credential. Implementation idea: extend the systemd-creds Varlink interface
to allow this: user must supply some per-user secret, that we'll include in
the encryption key.
* add a kernel cmdline switch (and cred?) for marking a system to be
"headless", in which case we never open /dev/console for reading, only for
writing. This would then mean: systemd-firstboot would process creds but not
ask interactively, getty would not be started and so on.
* extend mime database with mime types for:
- journal files
- credential files
- hwdb files
- catalog files
* cryptsetup: new crypttab option to auto-grow a luks device to its backing
partition size. new crypttab option to reencrypt a luks device with a new
volume key.
@ -689,10 +695,6 @@ Features:
- If run on every boot, should it use the sysupdate config from the host on
subsequent boots?
* provide an API (probably IPC) to apps to encrypt/decrypt
credentials. use case: allow bluez bluetooth daemon to pass pairings to initrd
that way, without shelling out to our tools.
* revisit default PCR bindings in cryptenroll and systemd-creds. Currently they
use PCR 7 which should contain secureboot state db/dbx. Which sounded like a
safe bet, given that it should change only on policy changes, and not
@ -1323,8 +1325,6 @@ Features:
wireguard)
- make gatewayd/remote read key via creds logic
- add sd_notify() command for flushing out creds not needed anymore
- make user manager instances create and use a user-specific key (the one in
/var/lib is root-only) and add --user switch to systemd-creds to use it
* TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
and such