From fd40e7da6e005644445d2f6cb3363daf1e170b8c Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 15 Jan 2024 15:03:09 +0100 Subject: [PATCH] update TODO --- TODO | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/TODO b/TODO index e2e6162ce82..d0d11f238b1 100644 --- a/TODO +++ b/TODO @@ -142,6 +142,24 @@ Features: * ditto: rewrite bpf-firewall in libbpf/C code +* credentials: if we ever acquire a secure way to derive cgroup id of socket + peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to + allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next + step use this to implement per-app/per-service encrypted directories, where + we set up fscrypt on the StateDirectory= with a randomized key which is + stored as xattr on the directory, encrypted as a credential. + +* credentials: optionally include a per-user secret in scoped user-credential + encryption keys. should come from homed in some way, derived from the luks + volume key or fscrypt directory key. + +* credentials: add a flag to the scoped credentials that if set require PK + reauthentication when unlocking a secret. + +* teach systemd --user to properly load credentials off disk, with + /etc/credstore equivalent and similar. Mkae sure that $CREDENTIALS_DIRECTORY= + actually works too when run with user privs. + * extend the smbios11 logic for passing credentials so that instead of passing the credential data literally it can also just reference an AF_VSOCK CID/port to read them from. This way the data doesn't remain in the SMBIOS blob during @@ -169,23 +187,11 @@ Features: * use udev rule networkd ownership property to take ownership of network interfaces nspawn creates -* support encrypted credentials in user context too. This is complicated by the - fact that the user does not have access to the TPM nor the system - credential. Implementation idea: extend the systemd-creds Varlink interface - to allow this: user must supply some per-user secret, that we'll include in - the encryption key. - * add a kernel cmdline switch (and cred?) for marking a system to be "headless", in which case we never open /dev/console for reading, only for writing. This would then mean: systemd-firstboot would process creds but not ask interactively, getty would not be started and so on. -* extend mime database with mime types for: - - journal files - - credential files - - hwdb files - - catalog files - * cryptsetup: new crypttab option to auto-grow a luks device to its backing partition size. new crypttab option to reencrypt a luks device with a new volume key. @@ -689,10 +695,6 @@ Features: - If run on every boot, should it use the sysupdate config from the host on subsequent boots? -* provide an API (probably IPC) to apps to encrypt/decrypt - credentials. use case: allow bluez bluetooth daemon to pass pairings to initrd - that way, without shelling out to our tools. - * revisit default PCR bindings in cryptenroll and systemd-creds. Currently they use PCR 7 which should contain secureboot state db/dbx. Which sounded like a safe bet, given that it should change only on policy changes, and not @@ -1323,8 +1325,6 @@ Features: wireguard) - make gatewayd/remote read key via creds logic - add sd_notify() command for flushing out creds not needed anymore - - make user manager instances create and use a user-specific key (the one in - /var/lib is root-only) and add --user switch to systemd-creds to use it * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades and such