Features:
+* we probably should extend the root verity hash of the root fs into some PCR
+ on boot. (i.e. maybe add a crypttab option tpm2-measure=8 or so to measure it
+ into PCR 8)
+
+* add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount,
+ what must be read-only, what requires encryption, and what requires
+ authentication.
+
* in uefi stub: query firmware regarding which PCRs are being used, store that
in EFI var. then use this when enrolling TPM2 in cryptsetup to verify that
the selected PCRs actually are used by firmware.
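
Review bot: The first added item proposes a crypttab option ("tpm2-measure=8") for measuring the verity root hash of the root fs, but it does not say why crypttab is the right place for a verity-related setting or why PCR 8 is the index to use; with "probably", "maybe" and "or so" in one sentence the entry is hard to act on, so state the intended configuration location and either justify the PCR or leave the index open. It should also say at what point during boot the extend happens relative to mounting the root fs, since a measurement that can be skipped or reordered does not bind anything. In the second added item, "a bit mask what is OK to mount" is missing an "of", and the entry lists four properties (OK to mount, read-only, encryption, authentication) without saying what the dissection logic does when an image violates the policy; spell out whether it refuses the image or only the offending partition.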