From 3fc0688d422c9f358881fb9093a3a02a6989de52 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 23 Sep 2021 17:07:25 +0200 Subject: [PATCH] update TODO --- TODO | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/TODO b/TODO index 8b966dc625..31e9b866da 100644 --- a/TODO +++ b/TODO @@ -83,6 +83,14 @@ Janitorial Clean-ups: Features: +* we probably should extend the root verity hash of the root fs into some PCR + on boot. (i.e. maybe add a crypttab option tpm2-measure=8 or so to measure it + into PCR 8) + +* add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount, + what must be read-only, what requires encryption, and what requires + authentication. + * in uefi stub: query firmware regarding which PCRs are being used, store that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify that the selected PCRs actually are used by firmware.
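Review bot: The first new TODO item hard-codes a tentative PCR ("tpm2-measure=8 or so") while the third item in the same hunk plans to query firmware for which PCRs are already in use; the note for the verity-hash measurement should say the PCR is to be chosen via that firmware query (or made configurable with a documented default) rather than fixing on PCR 8 up front, otherwise the two items can contradict each other once the second one lands. For the "policy" item, it would help to state what the bit mask is keyed on (partition type, mount point, or both) so that "what is OK to mount, what must be read-only, what requires encryption, and what requires authentication" can be expressed per designator rather than globally.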