update TODO

This commit is contained in:
Lennart Poettering 2022-09-12 00:13:44 +01:00
parent 03f48fc7c3
commit 4e0ceefeb6

TODO

@ -117,17 +117,27 @@ Deprecations and removals:
Features: Features:
* lock down acceptable encrypted credentials at boot, via simple allowlist,
maybe on kernel command line:
systemd.import_encrypted_creds=foobar.waldo,tmpfiles.extra to protect locked
down kernels from credentials generated on the host with a weak kernel
* tmpfiles: currently if we fail to create an inode, we stat it first, and only
then O_PATH open it. Reverse that.
* during the initrd → host transition measure a fixed value into TPM PCR 11 * during the initrd → host transition measure a fixed value into TPM PCR 11
(where we already measure the UKI into), so that unlock policies for disk (where we already measure the UKI into), so that unlock policies for disk
enryption/credential encryption can be put together that only work in the enryption/credential encryption can be put together that only work in the
initrd or only on the host (or both). initrd or only on the host (or both).
* Add support for extra verity configuration options to systemd-reart (FEC, hash type, etc) * Add support for extra verity configuration options to systemd-repart (FEC,
hash type, etc)
* chase_symlinks(): take inspiraton from path_extract_filename() and return * chase_symlinks(): take inspiraton from path_extract_filename() and return
O_DIRECTORY if input path contains trailing slash. O_DIRECTORY if input path contains trailing slash.
* chase_symlinks(): refuse resolution if trailing slash is specified on input, but final node is not a directory * chase_symlinks(): refuse resolution if trailing slash is specified on input,
but final node is not a directory
* chase_symlinks(): add new flag that simply refuses all symlink use in a path, * chase_symlinks(): add new flag that simply refuses all symlink use in a path,
then use that for accessing XBOOTLDR/ESP then use that for accessing XBOOTLDR/ESP
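Review bot: the new tmpfiles item ("we stat it first, and only then O_PATH open it. Reverse that.") should state why the order matters, since the reason is the security point: opening with O_PATH first and inspecting the resulting fd closes the window between a stat() on a path and a later open() of the same path, where the inode could be swapped. Suggest wording such as "Reverse that, so we inspect the inode we actually opened rather than one looked up by path." Also, the new allowlist item (systemd.import_encrypted_creds=...) does not say what happens to an encrypted credential that is not on the list; "silently ignored" versus "refused with an error" are different behaviours for the locked-down kernel case the item describes, so spelling that out here would help. While touching this region: the hunk fixes "systemd-reart" to "systemd-repart" but leaves "inspiraton" (chase_symlinks item) and "enryption" (PCR 11 item) in the unchanged context lines; worth fixing in the same pass.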
@ -689,6 +699,13 @@ Features:
images, to configure this. Also, add a kernel cmdline option for this, to be images, to configure this. Also, add a kernel cmdline option for this, to be
honoured by the gpt auto generator. honoured by the gpt auto generator.
Alternative idea: add "systemd.gpt_auto_policy=rhvs" to allow gpt-auto to
only mount root dir, /home/ dir, /var/ and /srv/, but nothing else. And then
minor extension to this, insisting on encryption, for example
"systemd.gpt_auto_policy=r+v+h" to requre encryption for root and var but not
for /home/, and similar. Similar add --image-dissect-policy= to tools that
take --image= that take the same short string.
* nspawn: maybe optionally insert .nspawn file as GPT partition into images, so * nspawn: maybe optionally insert .nspawn file as GPT partition into images, so
that such container images are entirely stand-alone and can be updated as that such container images are entirely stand-alone and can be updated as
one. one.
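Review bot: the two example policy strings in the added lines use different syntaxes without saying how they relate: "systemd.gpt_auto_policy=rhvs" lists partitions as bare letters, while "r+v+h" appears to use "+" as a per-partition encryption marker, which would read as "r and v encrypted, h not" only if the reader already knows that a trailing "+" binds to the preceding letter. Suggest one sentence defining the grammar (e.g. letter selects the partition, a following "+" requires it to be encrypted), since the same string is meant to be reused by --image-dissect-policy= on every tool taking --image=. Minor: "requre" should be "require", and "Similar add" should be "Similarly, add".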