mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-27 12:13:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

update TODO

Browse Source
This commit is contained in:
Lennart Poettering 2022-11-01 15:10:47 +01:00
parent 6b41e0250f
commit c0e42509da
1 changed files with 0 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
TODO
View File

@ -251,19 +251,6 @@ Features:
kernel. So far we only did this for the various --image= switches, but not
for the root fs or /usr/.
* extend systemd-measure with an --append= mode when signing expected PCR
measurements. In this mode the tool should read an existing signature JSON
object (which primarily contains an array with the actual signature data),
and then append the new signature to it instead of writing out an entirely
JSON object. Usecase: it might make sense to to sign a UKI's expected PCRs
with different keys for different boot phases. i.e. use keypair X for signing
the expected PCR in the initrd boot phase and keypair Y for signing the
expected PCR in the main boot phase. Via the --append logic we could merge
these signatures into one object, and then include the result in the UKI.
Then, if you bind a LUKS volume to public key X it really only can be
unlocked during early boot, and you bind a LUKS volume to public key Y it
really only can be unlocked during later boot, and so on.
* dissection policy should enforce that unlocking can only take place by
certain means, i.e. only via pw, only via tpm2, or only via fido, or a
combination thereof.