Features:
+* use name_to_handle_at() with AT_HANDLE_FID instead of .st_ino (inode
+ number) for identifying inodes, for example in copy.c when finding hard
+ links, or loop-util.c for tracking backing files, and other places.
+
+* cryptenroll/cryptsetup/homed: add unlock mechanism that combines tpm2 and
+ fido2, as well as tpm2 + ssh-agent, inspired by ChromeOS' logic: encrypt the
+ volume key with the TPM, with a policy that insists that a nonce is signed by
+ the fido2 device's key or ssh-agent key. Thus, add unlock/login time the TPM
+ generates a nonce, which is sent as a challenge to the fido2/ssh-agent, which
+ returns a signature which is handed to the tpm, which then reveals the volume
+ key to the PC.
+
+* cryptenroll/cryptsetup/homed: similar to this, implement TOTP backed by TPM.
+
+* expose the handoff timestamp fully via the D-Bus properties that contain
+ ExecStatus information
+
+* properly serialize the ExecStatus data from all ExecCommand objects
+ associated with services, sockets, mounts and swaps. Currently, the data is
+ flushed out on reload, which is quite a limitation.
+
+* Clean up "reboot argument" handling, i.e. set it through some IPC service
+ instead of directly via /run/, so that it can be sensible set remotely.
+
+* userdb: add concept for user "aliases", to cover for cases where you can log
+ in under the name lennart@somenetworkfsserver, and it would automatically
+ generate a local user, and from the one both names can be used to allow
+ logins into the same account.
+
+* systemd-tpm2-support: add a some logic that detects if system is in DA
+ lockout mode, and queries the user for TPM recovery PIN then.
+
+* systemd-repart should probably enable btrfs' "temp_fsid" feature for all file
+ systems it creates, as we have no interest in RAID for repart, and it should
+ make sure that we can mount them trivially everywhere.
+
+* systemd-nspawn should get the same SSH key support that vmspawn now has.
+
+* insert the new pidfs inode number as a third field into PidRef, so that
+ PidRef are reasonably serializable without having to pass around fds.
+
+* systemd-analyze smbios11 to dump smbios type 11 vendor strings
+
+* move documentation about our common env vars (SYSTEMD_LOG_LEVEL,
+ SYSTEMD_PAGER, …) into a man page of its own, and just link it from our
+ various man pages that so far embed the whole list again and again, in an
+ attempt to reduce clutter and noise a bid.
+
* vmspawn switch default swtpm PCR bank to SHA384-only (away from SHA256), at
least on 64bit archs, simply because SHA384 is typically double the hashing
speed than SHA256 on 64bit archs (since based on 64bit words unlike SHA256
which uses 32bit words).
-* send out sd_notify() from PID 1 when we determined hostname and machine ID
-
-* send out sd_notify() from PID 1 whenever we reach a target unit. Then
- introduce ssh.target or so. And in vmspawn/nspawn wait for that as indication
- whether/when SSH is available. Similar for D-Bus (but just use sockets.target for that)
+* In vmspawn/nspawn/machined wait for X_SYSTEMD_UNIT_ACTIVE=ssh-active.target
+ and X_SYSTEMD_SIGNAL_LEVEL=2 as indication whether/when SSH and the POSIX
+ signals are available. Similar for D-Bus (but just use sockets.target for
+ that). Report as property for the machine.
* teach nspawn/machined a new bus call/verb that gets you a
shell in containers that have no sensible pid1, via joining the container,
SOURCE_DATE_EPOCH (maybe even under that name?). Would then be used to
initialize the timestamp logic of ConditionNeedsUpdate=.
-* ptyfwd: look for window title ANSI sequences and insert colored dot in front
- of it while passing it through, to indicate whether we are in privileged, VM,
- container terminal sessions.
-
* nspawn/vmspawn/pid1: add ability to easily insert fully booted VMs/FOSC into
shell pipelines, i.e. add easy to use switch that turns off console status
output, and generates the right credentials for systemd-run-generator so that
* add a new ExecStart= flag that inserts the configured user's shell as first
word in the command line. (maybe use character '.'). Usecase: tool such as
- uid0 can use that to spawn the target user's default shell.
+ run0 can use that to spawn the target user's default shell.
* varlink: figure out how to do docs for our varlink interfaces. Idea: install
interface files augmented with docs in /usr/share/ somewhere. And have
* use udev rule networkd ownership property to take ownership of network
interfaces nspawn creates
+* mountfsd/nsresourced
+ - userdb: maybe allow callers to map one uid to their own uid
+ - bpflsm: allow writes if resulting UID on disk would be userns' owner UID
+ - make encrypted DDIs work (password…)
+ - add API for creating a new file system from scratch (together with some
+ dm-integrity/HMAC key). Should probably work using systemd-repart (access
+ via varlink).
+ - add api to make an existing file "trusted" via dm-integry/HMAC key
+ - port: portabled
+ - port: tmpfiles, sysusers and similar
+ - lets see if we can make runtime bind mounts into unpriv nspawn work
+
* add a kernel cmdline switch (and cred?) for marking a system to be
"headless", in which case we never open /dev/console for reading, only for
writing. This would then mean: systemd-firstboot would process creds but not
PCRs.
* vmspawn:
- - enable hyperv extension by default (https://www.qemu.org/docs/master/system/i386/hyperv.html)
- - register with machined
- run in scope unit when invoked from command line, and machined registration is off
- - support --directory= via virtiofs
- sd_notify support
- --ephemeral support
- --read-only support
policy from currently booted kernel/event log, to close gap for first boot
for pre-built images
-* add a new systemd-project@.service that is very similar to user@.service but
- uses DynamicUser=1 and no PAMName= to invoke an unprivileged somewhat
- light-weight service manager. Use HOME=/var/lib/systemd/projects/%i as home
- dir. Similar for $XDG_RUNTIME_DIR. Start project@%i.target. Use LogField= to
- add a field identifying the project.
-
* in sd-boot and sd-stub measure the SMBIOS vendor strings to some PCR (at
least some subset of them that look like systemd stuff), because apparently
some firmware does not, but systemd honours it. avoid duplicate measurement
fd00:5353:5353:5353:5353:5353:5353:5353), and listen on port 53 on it for the
local stubs, so that we can make the stub available via ipv6 too.
-* introduce a .microcode PE section for sd-stub which we'll pass as first initrd
- to the kernel which will then upload it to the CPU. This should be distinct
- from .initrd to guarantee right ordering. also, and maybe more importantly
- support .microcode in PE add-ons, so that a microcode update can be shipped
- independently of any kernel.
-
* Maybe add SwitchRootEx() as new bus call that takes env vars to set for new
PID 1 as argument. When adding SwitchRootEx() we should maybe also add a
flags param that allows disabling and enabling whether serialization is
grow exponentially in size to ensure O(log(n)) time for finding them on
access.
-* Use CLONE_INTO_CGROUP to spawn systemd-executor, once glibc supports it in
- posix_spawn().
-
* Make nspawn to a frontend for systemd-executor, so that we have to ways into
the executor: via unit files/dbus/varlink through PID1 and via cmdline/OCI
through nspawn.
early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a
directory, and paths ending that way can be refused early in many contexts.
-* systemd-measure: allow operating with PEM certificates in addition to PEM
- public keys when signing PCR values. SecureBoot and our Verity signatures
- operate with certificates already, hence I guess we should also just deal for
- convenience with certificates for the PCR stuff too.
-
* systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it
would just use the same public key specified with --public-key= (or the one
automatically derived from --private-key=).
keyring, so that the kernel does this validation for us for verity and kernel
modules
-* for systemd-confext: add a tool that can generate suitable DDIs with verity +
- sig using squashfs-tools-ng's library. Maybe just systemd-repart called under
- a new name with a built-in config?
-
* lock down acceptable encrypted credentials at boot, via simple allowlist,
maybe on kernel command line:
systemd.import_encrypted_creds=foobar.waldo,tmpfiles.extra to protect locked
down kernels from credentials generated on the host with a weak kernel
+* Merge systemd-creds options --uid= (which accepts user names) and --user.
+
* Add support for extra verity configuration options to systemd-repart (FEC,
hash type, etc)
images as OS payloads. i.e. have a generic OS image you can point to any
payload you like, which is then downloaded, securely verified and run.
-* deprecate cgroupsv1 further (print log message at boot)
-
* systemd-dissect: add --cat switch for dumping files such as /etc/os-release
* per-service sandboxing option: ProtectIds=. If used, will overmount
- pass creds via keyring?
- pass creds via memfd?
- acquire + decrypt creds from pkcs11?
- - make systemd-cryptsetup acquire pw via creds logic
- make PAMName= acquire pw via creds logic
- make macsec code in networkd read key via creds logic (copy logic from
wireguard)
* systemd-analyze netif that explains predictable interface (or networkctl)
+* Figure out naming of verbs in systemd-analyze: we have (singular) capability,
+ exit-status, but (plural) filesystems, architectures.
+
* Add service setting to run a service within the specified VRF. i.e. do the
equivalent of "ip vrf exec".
* make us use dynamically fewer deps for containers in general purpose distros:
o turn into dlopen() deps:
- - kmod-libs (only when called from PID 1)
- libblkid (only in RootImage= handling in PID 1, but not elsewhere)
- libpam (only when called from PID 1)
- - bzip2 (always — gzip should probably stay static dep the way it is,
- since it's so basic and our defaults)
* seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
Apparently kernel performance is much better with fewer larger seccomp
filters than with more smaller seccomp filters.
-* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
- mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
+* systemd-path: Add "private" runtime/state/cache dir enum, mapping to
+ $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
* transient units:
- add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
-* when we detect low battery and no AC on boot, show pretty splash and refuse boot
-
* libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
* be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
that are not supported...
https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
- recreate systemd's D-Bus private socket file on SIGUSR2
- - move PAM code into its own binary
- when we automatically restart a service, ensure we restart its rdeps, too.
- hide PAM options in fragment parser when compile time disabled
- Support --test based on current system state
* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
-* add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
-
* add a pam module that on password changes updates any LUKS slot where the password matches
* test/:
- fingerprint authentication, pattern authentication, …
- make sure "classic" user records can also be managed by homed
- make size of $XDG_RUNTIME_DIR configurable in user record
- - query password from kernel keyring first
- - update even if record is "absent"
- move acct mgmt stuff from pam_systemd_home to pam_systemd?
- when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for
- make slice for users configurable (requires logind rework)
or two sockets.
- Support running nspawn as an unprivileged user.
-* machined: add API to acquire UID range. add API to mount/dissect loopback
- file. Both protected by PK. Then make nspawn use these APIs to run
- unprivileged containers. i.e. push the truly privileged bits into machined,
- so that the client side can remain entirely unprivileged, with SUID or
- anything like that.
-
* machined:
- add an API so that libvirt-lxc can inform us about network interfaces being
removed or added to an existing machine
projects / thirdparty / systemd.git / blobdiff