diff options
author | Lennart Poettering <lennart@poettering.net> | 2022-05-13 16:20:18 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2022-05-13 17:29:15 +0200 |
commit | 027301b43422da63eafe04c17f725935a5a10502 (patch) | |
tree | 459b3017386b13e0ae0855c984003c38d75e688f | |
parent | 7eeedcfcb1c09e6c236c4ee61500f12a1c1d0186 (diff) | |
download | systemd-027301b43422da63eafe04c17f725935a5a10502.tar.gz |
update TODO
-rw-r--r-- | TODO | 45 |
1 files changed, 45 insertions, 0 deletions
@@ -79,6 +79,51 @@ Janitorial Clean-ups: Features: +* homed/userdb: maybe define a "companion" dir for home directories where apps + can safely put privileged stuff in. Would not be writable by the user, but + still conceptually belong to the user. Would be included in user's quota if + possible, even if files are not owned by UID of user. Usecase: container + images that owned by arbitrary UIDs, and are owned/managed by the users, but + are not directly belonging to the user's UID. Goal: we shouldn't place more + privileged dirs inside of unprivileged dirs, and thus containers really + should not be placed inside of traditional UNIX home dirs (which are owned by + users themselves) but somewher else, that is separate, but still close + by. Inform user code about path to this companion dir via env var, so that + container managers find it. the ~/.identity file is also a candidate for a + file to move there, since it is managed by privileged code (i.e. homed) and + not unprivileged code. + +* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that + that hooks up userbdctl ssh-key stuff. + +* allow embedding a signature blob for PCR hashes into separate section in + unified kernel binaries. This section should be picked up by sd-stub, and + passed in a file to the booted kernel (via initrd cpio, as usual). Usecase: + this way we can implement disk encryption policies that bind to specific + kernel PCR state, without breaking things on every kernel update. As long as + the kernel includes the PCR signature blob we should be good, as disk + encryption can then pass the signature to the TPM to unlock their secrets. + Why do this via a separate PE section? That's because the PCR state depends + on the measured kernel/initrd of course, thus we cannot put the signature + into the kernel/initrd itself, because that would require a time machine. + Hence we have to find a separate place. A simple solution is a PE section + of its own, because then it is next to the kernel and initrd which after all + are stored in PE sections of their own too. Building a unified kernel would + thus mean, calculating PCR values for the raw kernel image, and raw initrd + image, then signing those PCR values with a vendor key, and then combining + sd-stub, raw kernel image, raw initrd, and PCR signature into a unified + kernel image. + +* a new tool "systemd-trust" or so, that can calculate PCR hashes offline, and + optionally sign them. for that we should extend our syntax for specifying pcr + policies (e.g. the string like "4+7+9") so that it can also include explicit + hash values, i.e. + 4=sha256:0ef149998289474e4bb31813edda6ad7f3c991b2d8dec6e8fe4db7a1f039f2d1+7=sha256:87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7+9=sha256:0263829989b6fd954f72baaf2fc64bc2e2f01d692d4de72986ea808f6e99813f + and file names to calculate hashes from, i.e. + 4=file:/boot/vmlinuz+7=file:/boot/initrd/+9=file:/etc/fstab" + The systemd-trust tool should then be able to resolve any "underspecifed" + form into the form with explicit hash values. + * maybe add support for binding and connecting AF_UNIX sockets in the file system outside of the 108ch limit. When connecting, open O_PATH fd to socket inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink |