mirror of
https://github.com/systemd/systemd
synced 2024-10-04 15:21:01 +00:00
update TODO
This commit is contained in:
parent
9cc48b8175
commit
feffee70d9
44
TODO
@ -119,6 +119,50 @@ Deprecations and removals:
Features:
* add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing
an encrypted image on some host given a public key belonging to a specific
other host, so that only hosts possessing the private key in the TPM2 chip
can decrypt the volume key and activate the volume. Usecase: systemd-syscfg
for a central orchestrator to generate syscfg images securely that can only
be activated on one specific host (which can be used for installing a bunch
of creds in /etc/credstore/ for example). Extending on this: allow binding
LUKS2 TPM based encryption also to the TPM2 internal clock. Net result:
prepare a syscfg image that can only be activated on a specific host that
runs a specific software in a specific time window. syscfg would be
automatically invalidated outside of it.
* maybe add a "systemd-report" tool, that generates a TPM2-backed "report" of
current system state, i.e. a combination of PCR information, local system
time and TPM clock, running services, recent high-priority log
messages/coredumps, system load/PSI, signed by the local TPM chip, to form an
enhanced remote attestation quote. Usecase: a simple orchestrator could use
this: have the report tool upload thes reports every 3min somewhere. Then
have the orchestrator collect these reports centrally over a 3min time
window, and use them to determine what which node should now start/stop what,
and generate a small syscfg for each node, that uses Uphold= to pin services
on each node. The syscfg would be encrypted using the asymmetric encryption
proposed above, so that it can only be activated on the specific host, if the
software is in a good state, and within a specific time frame. Then run a
loop on each node that sends report to orchestrator and then sysupdate to
update syscfg. Orchestrator would be stateless, i.e. operate on desired
config and collected reports in the last 3min time window only, and thus can
be trivially scaled up since all instances of the orchestrator should come to
the same conclusions given the same inputs of reports/desired workload info.
Could also be used to deliver Wireguard secrets and thus to clients, thus
permitting zero-trust networking: secrets are rolled over via syscfg updates,
and via the time window TPM logic invalidated if node doesn't keep itself
updated, or becomes corrupted in some way.
* Always measure the LUKS rootfs volume key into PCR 15, and derive the machine
ID from it securely. This would then allow us to bind secrets a specific
system securely.
* nspawn: maybe allow TPM passthrough, backed by swtpm, and measure --image=
hash into its PCR 11, so that nspawn instances can be TPM enabled, and
partake in measurements/remote attestation and such. swtpm would run outside
of control of container, and ideally would itself bind its encryption keys to
host TPM.
* tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead
of manually hooking into SIGINT/SIGTERM
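Review bot: The "systemd-report" item (from `* maybe add a "systemd-report" tool` through `signed by the local TPM chip`) should say how the non-PCR parts of the report are bound by the TPM signature: a TPM2 quote signs only the selected PCR digest plus a short caller-supplied qualifying-data field, so the service list, log messages, load/PSI and system time would have to be hashed into that qualifying data (or extended into a PCR) before the orchestrator can trust them, and the orchestrator should hand out a fresh nonce per 3min window so a report cannot be replayed within the window, using the TPM clock and reset counter carried in the quote rather than the node's local system time for ordering. The first item's plan to bind LUKS2 TPM encryption "to the TPM2 internal clock" for "a specific time window" likewise deserves a note that this clock counts powered-on milliseconds and is not calendar time, so a wall-clock window needs a separate trusted time source. Minor wording: "thes reports" should be "these reports", "what which node should now start/stop what" has a duplicated "what", and "bind secrets a specific system" is missing "to".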