update TODO

TODO

@@ -142,6 +142,24 @@ Features:
 
 * ditto: rewrite bpf-firewall in libbpf/C code
 
+* credentials: if we ever acquire a secure way to derive cgroup id of socket
+  peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to
+  allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next
+  step use this to implement per-app/per-service encrypted directories, where
+  we set up fscrypt on the StateDirectory= with a randomized key which is
+  stored as xattr on the directory, encrypted as a credential.
+
+* credentials: optionally include a per-user secret in scoped user-credential
+  encryption keys. should come from homed in some way, derived from the luks
+  volume key or fscrypt directory key.
+
+* credentials: add a flag to the scoped credentials that if set require PK
+  reauthentication when unlocking a secret.
+
+* teach systemd --user to properly load credentials off disk, with
+  /etc/credstore equivalent and similar. Mkae sure that $CREDENTIALS_DIRECTORY=
+  actually works too when run with user privs.
+
 * extend the smbios11 logic for passing credentials so that instead of passing
   the credential data literally it can also just reference an AF_VSOCK CID/port
   to read them from. This way the data doesn't remain in the SMBIOS blob during
@@ -169,23 +187,11 @@ Features:
 * use udev rule networkd ownership property to take ownership of network
   interfaces nspawn creates
 
-* support encrypted credentials in user context too. This is complicated by the
-  fact that the user does not have access to the TPM nor the system
-  credential. Implementation idea: extend the systemd-creds Varlink interface
-  to allow this: user must supply some per-user secret, that we'll include in
-  the encryption key.
-
 * add a kernel cmdline switch (and cred?) for marking a system to be
   "headless", in which case we never open /dev/console for reading, only for
   writing. This would then mean: systemd-firstboot would process creds but not
   ask interactively, getty would not be started and so on.
 
-* extend mime database with mime types for:
-  - journal files
-  - credential files
-  - hwdb files
-  - catalog files
-
 * cryptsetup: new crypttab option to auto-grow a luks device to its backing
   partition size. new crypttab option to reencrypt a luks device with a new
   volume key.
@@ -689,10 +695,6 @@ Features:
   - If run on every boot, should it use the sysupdate config from the host on
     subsequent boots?
 
-* provide an API (probably IPC) to apps to encrypt/decrypt
-  credentials. use case: allow bluez bluetooth daemon to pass pairings to initrd
-  that way, without shelling out to our tools.
-
 * revisit default PCR bindings in cryptenroll and systemd-creds. Currently they
   use PCR 7 which should contain secureboot state db/dbx. Which sounded like a
   safe bet, given that it should change only on policy changes, and not
@@ -1323,8 +1325,6 @@ Features:
     wireguard)
   - make gatewayd/remote read key via creds logic
   - add sd_notify() command for flushing out creds not needed anymore
-  - make user manager instances create and use a user-specific key (the one in
-    /var/lib is root-only) and add --user switch to systemd-creds to use it
 
 * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
   and such