From bb5464ad201bd598ef73ec319822609b51dc57a1 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 26 Oct 2021 15:40:25 +0200 Subject: [PATCH] update TODO --- TODO | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/TODO b/TODO index 8eb27496a8..d19808ec2f 100644 --- a/TODO +++ b/TODO @@ -81,6 +81,29 @@ Janitorial Clean-ups: Features: +* add tiny service that decrypts encrypted user records passed via initrd + credential logic and drops them into /run where nss-systemd can pick them up, + similar to /run/host/userdb/. Usecase: drop a root user JSON record there, + and use it in the initrd to log in as root with locally selected password, + for debugging purposes. + +* drop dependency on libcap, replace by direct syscalls based on + CapabilityQuintet we already have. (This likely allows us drop drop libcap + dep in the base OS image) + +* sysext: automatically activate sysext images dropped in via new sd-stub + sysext pickup logic. + +* add concept for "exitrd" as inverse of "initrd", that we can transition to at + shutdown, and has similar security semantics. This should then take the place + of dracut's shutdown logic. Should probably support sysexts too. Care needs + to be taken that the resulting logic ends up in RAM, i.e. is copied out of + on-disk storage. + +* sd-stub: automatically pick up microcode from ESP and synthesize initrd from + it, and measure it. Signing is not necessary, as microcode does that on its + own. Pass as first initrd to kernel. + * userdbd: implement an additional varlink service socket that provides the host user db in restricted form, then allow this to be bind mounted into sandboxed environments that want the host database in minimal form. All