From: Lennart Poettering Date: Mon, 18 Jan 2021 20:05:32 +0000 (+0100) Subject: update TODO X-Git-Tag: v248-rc1~309 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33295214facc8ec0e348b1fa0a06dac3aca24ede;p=thirdparty%2Fsystemd.git update TODO --- diff --git a/TODO b/TODO index 0d31bd189eb..b06bd7ba452 100644 --- a/TODO +++ b/TODO @@ -20,6 +20,22 @@ Janitorial Clean-ups: Features: +* sd-boot: define a drop-in dir in the ESP that may contain X.509 + certificates. If the firmware is detected to be in setup mode, automaticallly + enroll them as PK/KEK/db, turn off setup mode and proceed. Optionally, + instead of auto-enrolling them add them to the sd-boot menu, giving the user + the option to manually enroll them, after selecting the menu entry. This way, + installer images can just drop the certfiicates in the ESP, and on first boot + can easily enroll the keys without ever booting up. + +* efi stub: optionally, load initrd from disk as a separate file, HMAC check it + with key from TPM, bound to PCR, refusing if failing. This would then allow + traditional distros that generate initrds locally to secure them with TPM: + after generating the initrd, do the HMAC calculation, put result in initrd + filename, done. This would then bind the validity of the initrd to the local + host, and used kernel, and means people cannot change initrd or kernel + without booting the kernel + initrd. + * importd: add ability download images for portabled + sysext * importd: support image signature verification with PKCS#7 + OpenBSD signify
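Review bot: the two new TODO entries carry typos that should be fixed before merging: "automaticallly" in the sd-boot item and "certfiicates" in its last sentence. On the efi stub item, the closing threat-model sentence ("people cannot change initrd or kernel without booting the kernel + initrd") is ambiguous as written: since the TPM releases the HMAC key whenever the PCRs match, the check resists offline tampering with the initrd file on disk but not a recomputed tag produced from a booted system that reaches the same PCR state, and the "bound to the used kernel" claim only holds if the PCR policy includes the kernel's measurement; stating both points in the entry would make its scope precise. It would also help to record that the expected tag carried in the initrd filename is a lookup hint only, i.e. the stub must recompute the HMAC over the bytes it actually loaded and compare, rather than trusting the name, since the filename sits on the same unprotected storage as the initrd.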