diff options
author | Lennart Poettering <lennart@poettering.net> | 2022-10-04 11:55:33 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2022-10-04 11:55:33 +0200 |
commit | feffee70d9fa6195dc3b6631b3aa75f0d796793f (patch) | |
tree | 491010b5cb1ee7009e1d20ed54d9319e3b082904 /TODO | |
parent | 9cc48b8175feda3296ebbb43fb9772777b18a0ca (diff) | |
download | systemd-feffee70d9fa6195dc3b6631b3aa75f0d796793f.tar.gz |
update TODO
Diffstat (limited to 'TODO')
-rw-r--r-- | TODO | 44 |
1 files changed, 44 insertions, 0 deletions
@@ -119,6 +119,50 @@ Deprecations and removals: Features: +* add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing + an encrypted image on some host given a public key belonging to a specific + other host, so that only hosts possessing the private key in the TPM2 chip + can decrypt the volume key and activate the volume. Usecase: systemd-syscfg + for a central orchestrator to generate syscfg images securely that can only + be activated on one specific host (which can be used for installing a bunch + of creds in /etc/credstore/ for example). Extending on this: allow binding + LUKS2 TPM based encryption also to the TPM2 internal clock. Net result: + prepare a syscfg image that can only be activated on a specific host that + runs a specific software in a specific time window. syscfg would be + automatically invalidated outside of it. + +* maybe add a "systemd-report" tool, that generates a TPM2-backed "report" of + current system state, i.e. a combination of PCR information, local system + time and TPM clock, running services, recent high-priority log + messages/coredumps, system load/PSI, signed by the local TPM chip, to form an + enhanced remote attestation quote. Usecase: a simple orchestrator could use + this: have the report tool upload thes reports every 3min somewhere. Then + have the orchestrator collect these reports centrally over a 3min time + window, and use them to determine what which node should now start/stop what, + and generate a small syscfg for each node, that uses Uphold= to pin services + on each node. The syscfg would be encrypted using the asymmetric encryption + proposed above, so that it can only be activated on the specific host, if the + software is in a good state, and within a specific time frame. Then run a + loop on each node that sends report to orchestrator and then sysupdate to + update syscfg. Orchestrator would be stateless, i.e. operate on desired + config and collected reports in the last 3min time window only, and thus can + be trivially scaled up since all instances of the orchestrator should come to + the same conclusions given the same inputs of reports/desired workload info. + Could also be used to deliver Wireguard secrets and thus to clients, thus + permitting zero-trust networking: secrets are rolled over via syscfg updates, + and via the time window TPM logic invalidated if node doesn't keep itself + updated, or becomes corrupted in some way. + +* Always measure the LUKS rootfs volume key into PCR 15, and derive the machine + ID from it securely. This would then allow us to bind secrets a specific + system securely. + +* nspawn: maybe allow TPM passthrough, backed by swtpm, and measure --image= + hash into its PCR 11, so that nspawn instances can be TPM enabled, and + partake in measurements/remote attestation and such. swtpm would run outside + of control of container, and ideally would itself bind its encryption keys to + host TPM. + * tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead of manually hooking into SIGINT/SIGTERM |