From: Lennart Poettering Date: Mon, 31 Oct 2022 11:13:15 +0000 (+0100) Subject: update TODO X-Git-Tag: v252~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d040d84f58f853ca1a2e0cbb8639a186154bc6a;p=thirdparty%2Fsystemd.git update TODO --- diff --git a/TODO b/TODO index d435651b623..560ec4bca49 100644 --- a/TODO +++ b/TODO @@ -119,6 +119,17 @@ Deprecations and removals: Features: +* sd-stub: add ".bootcfg" section for kernel bootconfig data (as per + +* tpm2: add (optional) support for generating a local signing key from PCR 15 + state. use private key part to sign PCR 7+14 policies. stash signatures for + expected PCR7+14 policies in EFI var. use public key part in disk encryption. + generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can + securely bind against SecureBoot/shim state, without having to renroll + everything on each update (but we still have to generate one sig on each + update, but that should be robust/idempotent). needs rollback protection, as + usual. + * Lennart: big blog story about DDIs * Lennart: big blog story about building initrds @@ -203,8 +214,10 @@ Features: software updates. But that's wrong. Recent fwupd (rightfully) contains code for updating the dbx denylist. This means even without any active policy change PCR 7 might change. Hence, better idea might be in systemd-creds to - default to PCR 15 at least of sd-stub is used (i.e. bind to system identity), - and in cryptsetup simply the empty list? + default to PCR 15 at least if sd-stub is used (i.e. bind to system identity), + and in cryptsetup simply the empty list? Also, PCR 14 almost certainly should + be included as much as PCR 7 (as it contains shim's policy, which is + certainly as relevant as PCR 7 on many systems) * move discoverable partition spec and boot loader spec over to uapi group
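Review bot: In the first hunk (TODO, Features), the new sd-stub ".bootcfg" entry stops at "(as per" with an unclosed parenthesis and no reference after it, so the item does not say which specification it follows. Either complete the reference or drop the parenthetical. In the tpm2 entry of the same hunk, "renroll" should read "re-enroll". The closing "needs rollback protection, as usual" also gives no hint what is being protected against rollback. From the text it could be the signatures stashed in the EFI variable or the locally generated key. Naming which one would make the item actionable.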
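Review bot: In the second hunk, the added sentence "Also, PCR 14 almost certainly should be included as much as PCR 7" is ambiguous in context. The preceding text argues against binding to PCR 7 by default, because dbx updates change it, and proposes PCR 15 or the empty list instead. "Included" can therefore be read either as "add PCR 14 to the default binding wherever PCR 7 is used" or as "treat PCR 14 as equally update-sensitive and exclude it too". Please state which default is meant for systemd-creds and for cryptsetup. The sentence also lacks a terminating period after the closing parenthesis.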