author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2022-10-12 17:05:27 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2022-10-14 15:56:55 +0200 |
commit | 8d3b7d2fd3ea3f6588150267ec7c07cd688d6b37 (patch) | |
tree | 2ee9c1c616e6e86fdd193ef25433719c16c22682 | |
parent | 7ff7eadf42e76c5f7f021d8887feec9a12f1e1a9 (diff) | |
download | systemd-8d3b7d2fd3ea3f6588150267ec7c07cd688d6b37.tar.gz |
NEWS: rework the description of systemd-measure a bit again
Try to separate the description so that changes are described first, and the
discussion follows separately. Remove some repeated verbose descriptions of the
subject: if one sentence describes that UKI contains a signature and describes
it in detail, the next sentence can just say "the signature" without
elaborating. Also, we don't do version-keying yet, so don't say "future"
kernels — older kernels will work too.
-rw-r--r-- | NEWS | 44 |
1 files changed, 20 insertions, 24 deletions
@@ -39,25 +39,22 @@ CHANGES WITH 252 in spe: New Features: - * systemd-measure is a new tool for precalculating and signing expected - TPM2 PCR values seen once a given unified kernel image (UKI) with - systemd-stub is booted. This is useful for implementing TPM2 policies - for LUKS encrypted volumes and encrypted system/service credentials, - that robustly bind to kernels carrying appropriate PCR signature - information. The signed expected PCR information, and the public key - used for the signature may be embedded inside UKIs for this purpose, - so that it is automatically available in userspace, once the UKI is - booted. - - systemd-cryptsetup, systemd-cryptenroll and systemd-creds have been + * systemd-measure is a new tool for calculating and signing expected + TPM2 PCR values for a given unified kernel image (UKI) booted via + sd-stub. The public key used for the signature and the signed + expected PCR information can be embedded inside the UKI. This + information can be extracted from the UKI by external tools and code + in the image itself and is made available to userspace in the booted + kernel. + + systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been updated to make use of this information if available in the booted kernel: when locking an encrypted volume/credential to the TPM - systemd-cryptenroll/systemd-creds will use the public key embedded in - the booted UKI to bind the volume/credential to the kernel (and - future versions thereof, as long as it carries PCR information signed - by the same key pair). When unlocking such an encrypted - volume/credential systemd-cryptsetup/systemd-creds will use the - signature embedded in the booted UKI to gain access. + systemd-cryptenroll/systemd-creds will use the public key to bind the + volume/credential to any kernel that carries PCR information signed + by the same key pair. 
When unlocking such volumes/credentials + systemd-cryptsetup/systemd-creds will use the signature embedded in + the booted UKI to gain access. Binding TPM-based disk encryption to public keys/signatures of PCR values — instead of literal PCR values — addresses the inherent @@ -68,13 +65,12 @@ CHANGES WITH 252 in spe: Net effect: if you boot a properly prepared kernel, TPM-bound disk encryption now defaults to be locked to kernels which carry PCR - signatures from the same signature key pair. Example: if a - hypothetical distro FooOS prepares its UKIs like this, TPM-based disk - encryption is now – by default – bound to only FooOS kernels, and - encrypted volumes bound to the TPM cannot be unlocked on other - kernels from other sources. (But do note this behaviour requires - preparation/enabling in the UKI, and of course users can always - enroll non-TPM ways to unlock the volume.) + signatures from the same key pair. Example: if a hypothetical distro + FooOS prepares its UKIs like this, TPM-based disk encryption is now – + by default – bound to only FooOS kernels, and encrypted volumes bound + to the TPM cannot be unlocked on kernels from other sources. (But do + note this behaviour requires preparation/enabling in the UKI, and of + course users can always enroll non-TPM ways to unlock the volume.) * systemd-pcrphase is a new tool that is invoked at 4 places during system runtime, and measures additional words into TPM2 PCR 11, to |
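Review bot: In the first hunk (@@ -39,25 +39,22 @@), the added sentence "This information can be extracted from the UKI by external tools and code in the image itself and is made available to userspace in the booted kernel" parses ambiguously. It is unclear whether "code in the image itself" is a second extractor alongside "external tools" or a second thing being extracted. Suggest "can be extracted from the UKI both by external tools and by code in the image itself". The rewrite also drops the removed statement of purpose ("useful for implementing TPM2 policies for LUKS encrypted volumes and encrypted system/service credentials"), so the first paragraph no longer says why the PCR values are signed; a short clause restoring that would help. The entry also switches from "systemd-stub" to "sd-stub" without introducing the short name; keeping the full name on first use would be clearer for NEWS readers.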
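Review bot: In the second hunk (@@ -68,13 +65,12 @@), the example keeps the phrase "bound to only FooOS kernels", while the sentence just before it defines the binding as "kernels which carry PCR signatures from the same key pair". The binding is to the signing key rather than to where the kernel came from, so the example would be more precise as "bound to only kernels carrying PCR signatures from FooOS's key pair", and "cannot be unlocked on kernels from other sources" could then read "cannot be unlocked on kernels without such a signature". Since these lines are being reflowed anyway, this is a cheap place to align the example with the definition.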