userspace to allow ordering boots (for example in journalctl). The counter
would be monotonically increased on every boot.
-* systemd-sysext: for sysext DDIs picked up via EFI stub, set much stricter
- image policy by default
-
* pam_systemd_home: add module parameter to control whether to only accept
only password or only pcks11/fido2 auth, and then use this to hook nicely
into two of the three PAM stacks gdm provides.
virtio-fs.
* for vendor-built signed initrds:
- - make sysext run in the initrd
- - sysext should pick up sysext images from /.extra/ in the initrd, and insist
- on verification if in secureboot mode
- kernel-install should be able to install pre-built unified kernel images in
type #2 drop-in dir in the ESP.
- kernel-install should be able install encrypted creds automatically for
CapabilityQuintet we already have. (This likely allows us to drop libcap
dep in the base OS image)
-* sysext: automatically activate sysext images dropped in via new sd-stub
- sysext pickup logic. (must insist on verity + signature on those though)
-
* add concept for "exitrd" as inverse of "initrd", that we can transition to at
shutdown, and has similar security semantics. This should then take the place
of dracut's shutdown logic. Should probably support sysexts too. Care needs
keys of /etc/crypttab. That way people can store/provide the roothash
externally and provide to us on demand only.
-* add high-level lockdown level for GPT dissection logic: e.g. an enum that can
- be ANY (to mount anything), TRUSTED (to require that /usr is on signed
- verity, but rest doesn't matter), LOCKEDDOWN (to require that everything is
- on signed verity, except for ESP), SUPERLOCKDOWN (like LOCKEDDOWN but ESP not
- allowed). And then maybe some flavours of that that declare what is expected
- from home/srv/var… Then, add a new cmdline flag to all tools that parse such
- images, to configure this. Also, add a kernel cmdline option for this, to be
- honoured by the gpt auto generator.
-
- Alternative idea: add "systemd.gpt_auto_policy=rhvs" to allow gpt-auto to
- only mount root dir, /home/ dir, /var/ and /srv/, but nothing else. And then
- minor extension to this, insisting on encryption, for example
- "systemd.gpt_auto_policy=r+v+h" to require encryption for root and var but not
- for /home/, and similar. Similar add --image-dissect-policy= to tools that
- take --image= that take the same short string.
-
* we probably should extend the root verity hash of the root fs into some PCR
on boot. (i.e. maybe add a veritytab option tpm2-measure=12 or so to measure
it into PCR 12); Similar: we probably should extend the LUKS volume key of
(i.e. sysext, root verity) from those inherently local (i.e. encryption key),
which is useful if they shall be signed separately.
-* add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount,
- what must be read-only, what requires encryption, and what requires
- authentication.
-
* in uefi stub: query firmware regarding which PCR banks are being used, store
that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify
that the selected PCRs actually are used by firmware.
projects / thirdparty / systemd.git / commitdiff
