From: Lennart Poettering Date: Fri, 10 Jul 2026 12:43:12 +0000 (+0200) Subject: credentials: add policy that can allow key=null creds from the ESP (#42555) X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5cead3f2695f8b3b9ff149482e2daea4f0021d33;p=thirdparty%2Fsystemd.git credentials: add policy that can allow key=null creds from the ESP (#42555) This PR only sets the default to "relaxed" - I can change the default to "tofu" if desired. But for that we will also need to update the NEWS file to ensure everyone is aware of this new default. --- This PR adds a new `systemd.credentials-boot=` kernel commandline that allows to control if credentials with a `null` key are accepted. The possible options are: * strict: always insist on tpm encryption * tofu: allow null encryption in firstboot mode and when no tpm is available * relaxed: allow null encryption when sb is off, or no tpm is available * off: allow null encryption always The default is `relaxed` which is exactly the behavior we had before. This replaces the initial idea of using plaintext credentials at firstboot (thanks to Lennart for this nicer and simpler design). --- With that we can drop `- firstboot: optionally accept credentials at firstboot without authentication` from TODO.md --- 5cead3f2695f8b3b9ff149482e2daea4f0021d33