Features:
+* rework recursive read-only remount to use new mount API
+
+* PAM: pick auf one authentication token from credentials
+
+* tpm2: figure out if we need to do anything for TPM2 parameter encryption? And
+ if so, what precisely?
+
+* insert pkcs7 signature for verity gpt
+
+* when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release
+ data in the image, make sure the image filename actually matches this, so
+ that images cannot be misused.
+
* New udev block device symlink names:
/dev/disk/by-parttypelabel/<pttype>/<ptlabel>. Use case: if pt label is used
as partition image version string, this is a safe way to reference a specific
* expose MS_NOSYMFOLLOW in various places
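Review bot: the image-name check added at "+* when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release" should state the failure behaviour (refuse the mount outright rather than warn) and which of the two fields is mandatory for the comparison, otherwise an image that sets only one of them silently bypasses the check. The tpm2 parameter-encryption question at "+* tpm2: figure out if we need to do anything" would be easier to close if it named the threat it addresses, namely passive sniffing of the CPU-to-TPM bus during unseal, since that decides whether session encryption is needed at all. Minor: "pick auf one authentication token" should read "pick out".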
-* ability to insert trusted configuration and secrets into the boot parameters
- of a kernel booting in a VM or on baremetal some way, via TPM
- protection. idea:
- 1. pass via /proc/bootconfig
- 2. for secrets: put secrets in node of /proc/bootconfig, decrypt them via
- TPM early on in PID 1, put them in $CREDENTIAL_PATH logic
- 3. for config: put signed data in node /proc/booconfig, validate via TPM
- early on in PID 1, put data into /run/bootconfig/ as individual files
- 4. boot loader/stub should pick these up automatically from the boot loader
- file systems
+* allow passing creds into kernel when booting: in EFI stub, collect creds
+ files from ESP directory, generate CPIO archive on the fly from them, so that
+ they are dropped into /run/initramfs/creds/ and pass to kernel as additional
+ initrd. Then, use LoadCredentialEncrypted=foo:/run/initramfs/creds/foo to
+ load them.
+
+* make LoadCredential= automatically find credentials in /etc/creds,
+ /run/creds, … and so on, if path component is unqualified
+
+* teach LoadCredential=/LoadCredentialEncrypted= to load credentials from
+ kernel cmdline, maybe: LoadCredentialEncrypted=foobar:proc-cmdline:foobar
+
+* credentials system:
+ - acquire from kernel command line
+ - acquire from EFI variable?
+ - acquire via via ask-password?
+ - acquire creds via keyring?
+ - pass creds via keyring?
+ - pass creds via memfd?
+ - acquire + decrypt creds from pkcs11?
+ - make systemd-cryptsetup acquire pw via creds logic
+ - make PAMName= acquire pw via creds logic
+ - make macsec/wireguard code in networkd read key via creds logic
+ - make gatwayd/remote read key via creds logic
+ - add sd_notify() command for flushing out creds not needed anymore
+
+* teach LoadCredential= the ability to load all files from a specified dir as
+ individual creds
+
+* add tpm.target or so which is delayed until TPM2 device showed up in case
+ firmware indicates there is one.
* tpm2: support a PIN policy, i.e. allowing windows-style short authentication
passwords by using the TPM2 to enforce ratelimiting and such, use for
- cryptsetup-generator: allow specification of passwords in crypttab itself
- support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
-* credentials system:
- - maybe add AcquireCredential= for querying a cred via ask-password
- - maybe try to acquire creds via keyring?
- - maybe try to pass creds via keyring?
- - maybe optionally pass creds via memfd
- - maybe add support for decrypting creds via TPM
- - maybe add support for decrypting/importing creds via pkcs11
- - make systemd-cryptsetup acquire pw via creds logic
- - make PAMName= acquire pw via creds logic
- - make macsec/wireguard code in networkd read key via creds logic
- - make gatwayd/remote read key via creds logic
- - add sd_notify() command for flushing out creds not needed anymore
-
* when configuring loopback netif, and it fails due to EPERM, eat up error if
it happens to be set up alright already.
address as conduit for some minimal connection metainfo, and use it to
restore the "description" logic that kdbus used to have.
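Review bot: the kernel-cmdline source proposed at "+ kernel cmdline, maybe: LoadCredentialEncrypted=foobar:proc-cmdline:foobar" should say explicitly that only the encrypted form is acceptable from that source, because /proc/cmdline is readable by every unprivileged process; the same applies to the creds collected from the ESP into /run/initramfs/creds/, which come off an unauthenticated FAT volume and should be accepted only as encrypted blobs and dropped with root-only permissions. The removed "- - maybe add support for decrypting creds via TPM" has no counterpart in the new list; if it is considered done via the LoadCredentialEncrypted= path referenced above, drop it explicitly, otherwise carry it over. Minor: "acquire via via ask-password?" doubles "via", and "gatwayd/remote" should read "gatewayd/remote".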
-* teach LoadCredential= the ability to load all files from a specified dir as
- individual creds
-
* systemd-analyze netif that explains predictable interface (or networkctl)
* Add service setting to run a service within the specified VRF. i.e. do the
* pid1: support new clone3() fork-into-cgroup feature
+* pid1: support new cgroup.kill to terminate all processes in a cgroup
+
* pid1: also remove PID files of a service when the service starts, not just
when it exits
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby-wake-sources
at the end).
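Review bot: the new "+* pid1: support new cgroup.kill to terminate all processes in a cgroup" item should record that cgroup.kill delivers SIGKILL to every member (and descendant cgroups) unconditionally, so it can replace the final-kill phase of a stop job but not the SIGTERM/ExecStop= phase, and that it requires a cgroup v2 hierarchy on kernel 5.14 or newer, so the existing per-PID kill loop has to stay as the fallback.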
-* We should probably replace /var/log/README, /etc/rc.d/README with symlinks
- that are linked to these places instead of copied. After all they are
- constant vendor data.
+* We should probably replace /etc/rc.d/README with a symlink to doc
+ content. After all it is constant vendor data.
* maybe add kernel cmdline params: to force random seed crediting
* paranoia: whenever we process passwords, call mlock() on the memory
first. i.e. look for all places we use free_and_erasep() and
augment them with mlock(). Also use MADV_DONTDUMP.
+ Alternatively (preferably?) use memfd_secret().
* Move RestrictAddressFamily= to the new cgroup create socket
* bootctl,sd-boot: actually honour the "architecture" key
-* sd-boot: add service that automatically runs "bootctl update" on every boot,
- in a graceful way, so that updated /usr trees automatically propagate into
- updated boot loaders on reboot.
-
* bootctl:
- teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
- teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
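Review bot: the "+ Alternatively (preferably?) use memfd_secret()" suggestion should note that secretmem is disabled by default and has to be turned on with the secretmem.enable=1 kernel parameter (kernel 5.14+), that its pages are removed from the kernel direct map and never swapped but still count against RLIMIT_MEMLOCK, and that ENOSYS/EPERM is a normal outcome, so mlock()+MADV_DONTDUMP stays as the fallback path rather than being an alternative. The README rewording at "+* We should probably replace /etc/rc.d/README with a symlink to doc" is vaguer than the line it replaces; name the target path so the item is actionable.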
- introduce API for "making room", that grows/shrinks home directory
according to elastic parameters, discards blocks, and removes additional snapshots. Call it
either from UI when disk space gets low
-
-* homed: during login resize fs automatically towards size goal. Specifically,
- resize to diskSize if possible, but leave a certain amount (configured by a
- new value diskLeaveFreeSize) of space free on the backing fs.
-
-* homed: permit multiple user record signing keys to be used locally, and pick
- the right one for signing records automatically depending on a pre-existing
- signature
-
-* homed: add a way to "adopt" a home directory, i.e. strip foreign signatures
- and insert a local signature instead.
-
-* homed: as an extension to the directory+subvolume backend: if located on
- especially marked fs, then sync down password into LUKS header of that fs,
- and always verify passwords against it too. Bootstrapping is a problem
- though: if no one is logged in (or no other user even exists yet), how do you
- unlock the volume in order to create the first user and add the first pw.
-
-* homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
-
-* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
- easily?
-
-* homed: if kernel 5.12 uid mapping mounts exist, use that instead of recursive
- chowns.
-
-* add a switch to homectl (maybe called --first-boot) where it will check if
- any non-system users exist, and if not prompts interactively for basic user
- info, mimicking systemd-firstboot. Then, place this in a service that runs
- after systemd-homed, but before gdm and friends, as a simple, barebones
- fallback logic to get a regular user created on uninitialized systems.
-
-* homed: store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
- systemd-cryptsetup, so that it can unlock homed volumes
-
-* homed: try to unmount in regular intervals when home dir was busy when we
- tried because idle.
-
-* homed: keep an fd to the homedir open at all times, to keep the fs pinned
- (autofs and such) while user is logged in.
-
-* when we resize disks (homed?) always round up to 4K sectors, not 512K
+ - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE,
+ so that mounts propagate down but not up - eg, user A setting up a backup volume
+ doesn't mean user B sees it
+ - use credentials logic/TPM2 logic to store homed signing key
+ - during login resize fs automatically towards size goal. Specifically,
+ resize to diskSize if possible, but leave a certain amount (configured by a
+ new value diskLeaveFreeSize) of space free on the backing fs.
+ - permit multiple user record signing keys to be used locally, and pick
+ the right one for signing records automatically depending on a pre-existing
+ signature
+ - add a way to "adopt" a home directory, i.e. strip foreign signatures
+ and insert a local signature instead.
+ - as an extension to the directory+subvolume backend: if located on
+ especially marked fs, then sync down password into LUKS header of that fs,
+ and always verify passwords against it too. Bootstrapping is a problem
+ though: if no one is logged in (or no other user even exists yet), how do you
+ unlock the volume in order to create the first user and add the first pw.
+ - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
+ - maybe pre-create ~/.cache as subvol so that it can have separate quota
+ easily?
+ - if kernel 5.12 uid mapping mounts exist, use that instead of recursive
+ chowns.
+ - add a switch to homectl (maybe called --first-boot) where it will check if
+ any non-system users exist, and if not prompts interactively for basic user
+ info, mimicking systemd-firstboot. Then, place this in a service that runs
+ after systemd-homed, but before gdm and friends, as a simple, barebones
+ fallback logic to get a regular user created on uninitialized systems.
+ - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
+ systemd-cryptsetup, so that it can unlock homed volumes
+ - try to unmount in regular intervals when home dir was busy when we
+ tried because idle.
+ - keep an fd to the homedir open at all times, to keep the fs pinned
+ (autofs and such) while user is logged in.
* add a new switch --auto-definitions=yes/no or so to systemd-repart. If
specified, synthesize a definition automatically if we can: enlarge last
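Review bot: the removed "- * when we resize disks (homed?) always round up to 4K sectors, not 512K" item has no counterpart in the new homed sublist; if it is intentionally dropped say so in the message, otherwise carry it over. The MS_SLAVE propagation in "+ - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE," is the right direction for the stated goal (mounts from the parent namespace appear in the session, session mounts never propagate back), but the item should spell out that this is one namespace per user session manager, since a single shared slave namespace would still let user B see user A's backup volume.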