Features:
+* sd-boot: define a drop-in dir in the ESP that may contain X.509
+ certificates. If the firmware is detected to be in setup mode, automaticallly
+ enroll them as PK/KEK/db, turn off setup mode and proceed. Optionally,
+ instead of auto-enrolling them add them to the sd-boot menu, giving the user
+ the option to manually enroll them, after selecting the menu entry. This way,
+ installer images can just drop the certfiicates in the ESP, and on first boot
+ can easily enroll the keys without ever booting up.
+
+* efi stub: optionally, load initrd from disk as a separate file, HMAC check it
+ with key from TPM, bound to PCR, refusing if failing. This would then allow
+ traditional distros that generate initrds locally to secure them with TPM:
+ after generating the initrd, do the HMAC calculation, put result in initrd
+ filename, done. This would then bind the validity of the initrd to the local
+ host, and used kernel, and means people cannot change initrd or kernel
+ without booting the kernel + initrd.
+
* importd: add ability download images for portabled + sysext
* importd: support image signature verification with PKCS#7 + OpenBSD signify
projects / thirdparty / systemd.git / commitdiff
