- maybe: in PID1, when we detect we run in an initrd, make superblock read-only
early on, but provide opt-out via kernel cmdline.
- measure all log-in attempts into a new nvpcr
- measure GPT and LUKS headers somewhere when we use them (i.e. in
systemd-gpt-auto-generator/systemd-repart and in systemd-cryptsetup?)
  keyring, so that the kernel does this validation for us for verity and kernel
  modules
- on first login of a user, measure its identity to some nvpcr
- on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?)
- once swtpm's sd_notify() support has landed in the distributions, remove the