From ee7561d014d073944779e155271d7042d7ea5572 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 20 Apr 2021 15:33:15 +0200 Subject: [PATCH] update TODO --- TODO | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/TODO b/TODO index b05e61552c3..19b044c648c 100644 --- a/TODO +++ b/TODO @@ -22,6 +22,17 @@ Janitorial Clean-ups: Features: +* ability to insert trusted configuration and secrets into the boot paramaters + of a kernel booting in a VM or on baremetal some way, via TPM + protection. idea: + 1. pass via /proc/bootconfig + 2. for secrets: put secrets in node of /proc/bootconfig, decrypt them via + TPM early on in PID 1, put them in $CREDENTIAL_PATH logic + 3. for config: put signed data in node /proc/booconfig, validate via TPM + early on in PID 1, put data into /run/bootconfig/ as individual files + 4. boot loader/stub should pick these up automatically from the boot loader + file systems + * journald: support RFC3164 fully for the incoming syslog transport, see https://github.com/systemd/systemd/issues/19251#issuecomment-816601955
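Review bot: Step 3 of the new TODO item spells the path "/proc/booconfig", while steps 1 and 2 use "/proc/bootconfig", and the first added line has "paramaters" for "parameters"; both should be corrected so the item greps cleanly. Step 3 also says "validate via TPM" for the signed config without saying which key the signature is checked against or how that key is bound to the TPM, whereas step 2 at least names the operation (decrypt via TPM). A short clause naming the trust anchor for the signed data would make the two cases comparable. Step 4 leaves open whether the boot loader/stub passes the data through as found or checks it before handing it over; as written, all validation happens later in PID 1, and saying so explicitly would help.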