From 5bc58da2bc19fa714d286a946e334d35660cd482 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 19 Oct 2022 16:21:51 +0200
Subject: [PATCH] update TODO

---
 TODO | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/TODO b/TODO
index 0de5f3d477b..f75f39749b2 100644
--- a/TODO
+++ b/TODO
@@ -119,6 +119,19 @@ Deprecations and removals:
 
 Features:
 
+* extend systemd-measure with an --append= mode when signing expected PCR
+  measurements. In this mode the tool should read an existing signature JSON
+  object (which primarily contains an array with the actual signature data),
+  and then append the new signature to it instead of writing out an entirely
+  JSON object. Usecase: it might make sense to to sign a UKI's expected PCRs
+  with different keys for different boot phases. i.e. use keypair X for signing
+  the expected PCR in the initrd boot phase and keypair Y for signing the
+  expected PCR in the main boot phase. Via the --append logic we could merge
+  these signatures into one object, and then include the result in the UKI.
+  Then, if you bind a LUKS volume to public key X it really only can be
+  unlocked during early boot, and you bind a LUKS volume to public key Y it
+  realy only can be unlocked during later boot, and so on.
+
 * dissection policy should enforce that unlocking can only take place by
   certain means, i.e. only via pw, only via tpm2, or only via fido, or a
   combination thereof.
-- 
2.47.3