From: Lennart Poettering Date: Thu, 23 Sep 2021 15:07:25 +0000 (+0200) Subject: update TODO X-Git-Tag: v250-rc1~631 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3fc0688d422c9f358881fb9093a3a02a6989de52;p=thirdparty%2Fsystemd.git update TODO --- diff --git a/TODO b/TODO index 8b966dc6253..31e9b866dae 100644 --- a/TODO +++ b/TODO @@ -83,6 +83,14 @@ Janitorial Clean-ups: Features: +* we probably should extend the root verity hash of the root fs into some PCR + on boot. (i.e. maybe add a crypttab option tpm2-measure=8 or so to measure it + into PCR 8) + +* add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount, + what must be read-only, what requires encryption, and what requires + authentication. + * in uefi stub: query firmware regarding which PCRs are being used, store that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify that the selected PCRs actually are used by firmware.
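Review bot: The first added entry, on extending the root verity hash into a PCR, proposes a crypttab option (tpm2-measure=8) for a verity-protected root fs. The entry should say whether the setting is meant to live in crypttab or with the verity setup for the root fs. Because "PCR 8" is given only as "or so", it would also help to tie the choice of PCR to the unchanged entry just below, which already asks which PCRs the firmware actually uses, so that the measured value does not end up in a register that enrolled policies do not cover. In the second added entry, "a bit mask what is OK to mount" should read "a bit mask of what is OK to mount". That entry would also be easier to act on if it stated what the dissection logic should do when an image does not satisfy the policy, for example refusing the mount outright rather than mounting with fewer guarantees.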