1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

update TODO

This commit is contained in:
Lennart Poettering 2024-01-15 15:03:09 +01:00
parent 7704c3474d
commit fd40e7da6e

36
TODO
View File

@ -142,6 +142,24 @@ Features:
* ditto: rewrite bpf-firewall in libbpf/C code * ditto: rewrite bpf-firewall in libbpf/C code
* credentials: if we ever acquire a secure way to derive cgroup id of socket
peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to
allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next
step use this to implement per-app/per-service encrypted directories, where
we set up fscrypt on the StateDirectory= with a randomized key which is
stored as xattr on the directory, encrypted as a credential.
* credentials: optionally include a per-user secret in scoped user-credential
encryption keys. should come from homed in some way, derived from the luks
volume key or fscrypt directory key.
* credentials: add a flag to the scoped credentials that if set require PK
reauthentication when unlocking a secret.
* teach systemd --user to properly load credentials off disk, with
/etc/credstore equivalent and similar. Mkae sure that $CREDENTIALS_DIRECTORY=
actually works too when run with user privs.
* extend the smbios11 logic for passing credentials so that instead of passing * extend the smbios11 logic for passing credentials so that instead of passing
the credential data literally it can also just reference an AF_VSOCK CID/port the credential data literally it can also just reference an AF_VSOCK CID/port
to read them from. This way the data doesn't remain in the SMBIOS blob during to read them from. This way the data doesn't remain in the SMBIOS blob during
@ -169,23 +187,11 @@ Features:
* use udev rule networkd ownership property to take ownership of network * use udev rule networkd ownership property to take ownership of network
interfaces nspawn creates interfaces nspawn creates
* support encrypted credentials in user context too. This is complicated by the
fact that the user does not have access to the TPM nor the system
credential. Implementation idea: extend the systemd-creds Varlink interface
to allow this: user must supply some per-user secret, that we'll include in
the encryption key.
* add a kernel cmdline switch (and cred?) for marking a system to be * add a kernel cmdline switch (and cred?) for marking a system to be
"headless", in which case we never open /dev/console for reading, only for "headless", in which case we never open /dev/console for reading, only for
writing. This would then mean: systemd-firstboot would process creds but not writing. This would then mean: systemd-firstboot would process creds but not
ask interactively, getty would not be started and so on. ask interactively, getty would not be started and so on.
* extend mime database with mime types for:
- journal files
- credential files
- hwdb files
- catalog files
* cryptsetup: new crypttab option to auto-grow a luks device to its backing * cryptsetup: new crypttab option to auto-grow a luks device to its backing
partition size. new crypttab option to reencrypt a luks device with a new partition size. new crypttab option to reencrypt a luks device with a new
volume key. volume key.
@ -689,10 +695,6 @@ Features:
- If run on every boot, should it use the sysupdate config from the host on - If run on every boot, should it use the sysupdate config from the host on
subsequent boots? subsequent boots?
* provide an API (probably IPC) to apps to encrypt/decrypt
credentials. use case: allow bluez bluetooth daemon to pass pairings to initrd
that way, without shelling out to our tools.
* revisit default PCR bindings in cryptenroll and systemd-creds. Currently they * revisit default PCR bindings in cryptenroll and systemd-creds. Currently they
use PCR 7 which should contain secureboot state db/dbx. Which sounded like a use PCR 7 which should contain secureboot state db/dbx. Which sounded like a
safe bet, given that it should change only on policy changes, and not safe bet, given that it should change only on policy changes, and not
@ -1323,8 +1325,6 @@ Features:
wireguard) wireguard)
- make gatewayd/remote read key via creds logic - make gatewayd/remote read key via creds logic
- add sd_notify() command for flushing out creds not needed anymore - add sd_notify() command for flushing out creds not needed anymore
- make user manager instances create and use a user-specific key (the one in
/var/lib is root-only) and add --user switch to systemd-creds to use it
* TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
and such and such