* expose MS_NOSYMFOLLOW in various places
-* ability to insert trusted configuration and secrets into the boot parameters
- of a kernel booting in a VM or on baremetal some way, via TPM
- protection. idea:
- 1. pass via /proc/bootconfig
- 2. for secrets: put secrets in node of /proc/bootconfig, decrypt them via
- TPM early on in PID 1, put them in $CREDENTIAL_PATH logic
- 3. for config: put signed data in node /proc/booconfig, validate via TPM
- early on in PID 1, put data into /run/bootconfig/ as individual files
- 4. boot loader/stub should pick these up automatically from the boot loader
- file systems
+* allow passing creds into kernel when booting: in EFI stub, collect creds
+ files from ESP directory, generate CPIO archive on the fly from them, so that
+ they are dropped into /run/initramfs/creds/ and pass to kernel as additional
+ initrd. Then, use LoadCredentialEncrypted=foo:/run/initramfs/creds/foo to
+ load them.
+
+* make LoadCredential= automatically find credentials in /etc/creds,
+ /run/creds, … and so on, if path component is unqualified
+
+* teach LoadCredential=/LoadCredentialEncrypted= to load credentials from
+ kernel cmdline, maybe: LoadCredentialEncrypted=foobar:proc-cmdline:foobar
+
+* credentials system:
+ - acquire from kernel command line
+ - acquire from EFI variable?
+ - acquire via via ask-password?
+ - acquire creds via keyring?
+ - pass creds via keyring?
+ - pass creds via memfd?
+ - acquire + decrypt creds from pkcs11?
+ - make systemd-cryptsetup acquire pw via creds logic
+ - make PAMName= acquire pw via creds logic
+ - make macsec/wireguard code in networkd read key via creds logic
+ - make gatwayd/remote read key via creds logic
+ - add sd_notify() command for flushing out creds not needed anymore
+
+* teach LoadCredential= the ability to load all files from a specified dir as
+ individual creds
+
+* add tpm.target or so which is delayed until TPM2 device showed up in case
+ firmware indicates there is one.
* tpm2: support a PIN policy, i.e. allowing windows-style short authentication
passwords by using the TPM2 to enforce ratelimiting and such, use for
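Review bot: the added credentials item "acquire from kernel command line" (and the LoadCredential= cmdline variant proposed a few entries above it) should be qualified so that only the LoadCredentialEncrypted= form is meant there, since /proc/cmdline is readable by every process on the system and a plaintext credential placed in it is not a secret; suggest "acquire encrypted creds from kernel command line". Two typos in the added lines while here: "acquire via via ask-password?" doubles "via", and "gatwayd" should be "gatewayd" (the same typo is carried over from the removed block). The tpm.target entry would also benefit from saying what happens when firmware indicates a TPM2 but the device never shows up, i.e. whether the target times out or holds the boot.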
- cryptsetup-generator: allow specification of passwords in crypttab itself
- support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
-* credentials system:
- - maybe add AcquireCredential= for querying a cred via ask-password
- - maybe try to acquire creds via keyring?
- - maybe try to pass creds via keyring?
- - maybe optionally pass creds via memfd
- - maybe add support for decrypting creds via TPM
- - maybe add support for decrypting/importing creds via pkcs11
- - make systemd-cryptsetup acquire pw via creds logic
- - make PAMName= acquire pw via creds logic
- - make macsec/wireguard code in networkd read key via creds logic
- - make gatwayd/remote read key via creds logic
- - add sd_notify() command for flushing out creds not needed anymore
-
* when configuring loopback netif, and it fails due to EPERM, eat up error if
it happens to be set up alright already.
address as conduit for some minimal connection metainfo, and use it to
restore the "description" logic that kdbus used to have.
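Review bot: the removed credentials block carries "maybe add support for decrypting creds via TPM" plus the crypttab-password and rd.luks.allow-discards= items, none of which reappear in the block added at the top of the file; if those are considered done (the TPM case presumably by LoadCredentialEncrypted=, which the added text already references), the commit message should say so, otherwise they should be kept rather than silently dropped. The remaining items in this block (keyring, memfd, pkcs11, cryptsetup, PAMName=, networkd, gatewayd, sd_notify() flushing) are reproduced in the added list, so that part is a move, not a removal.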
-* teach LoadCredential= the ability to load all files from a specified dir as
- individual creds
-
* systemd-analyze netif that explains predictable interface (or networkctl)
* Add service setting to run a service within the specified VRF. i.e. do the
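Review bot: the two lines removed here are the same "load all files from a specified dir as individual creds" item that the added block near the top of the file re-introduces, so this is a move rather than a drop; wherever it ends up, the entry should state that the directory walk ignores symlinks and non-regular files, in the spirit of the MS_NOSYMFOLLOW item at the top of the file, and that the number and size of files picked up is bounded, so a directory that is accidentally writable by the wrong user cannot inject or inflate the credential set.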