summaryrefslogtreecommitdiffstats
path: root/TODO
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2020-11-26 14:42:23 +0100
committerLennart Poettering <lennart@poettering.net>2020-12-17 20:03:04 +0100
commit80670e748de8cc2980ad6b5a5e172cfbb61d777a (patch)
tree313861a8c97d8a1d588cab063360f311e5383cb2 /TODO
parentmkosi: add TPM2 packages to debian/ubuntu/fedora mkosi files (diff)
downloadsystemd-80670e748de8cc2980ad6b5a5e172cfbb61d777a.tar.xz
systemd-80670e748de8cc2980ad6b5a5e172cfbb61d777a.zip
update TODO
Diffstat (limited to '')
-rw-r--r--TODO35
1 files changed, 25 insertions, 10 deletions
diff --git a/TODO b/TODO
index a666303571..00467b15f7 100644
--- a/TODO
+++ b/TODO
@@ -22,8 +22,32 @@ Features:
* expose MS_NOSYMFOLLOW in various places
+* Add concept for upgrading TPM2 enrollments, maybe a new switch
+ --pcrs=4:<hash> or so, i.e. select a PCR to include in the hash, and then
+ override its hash
+
+* homed: store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
+ systemd-cryptsetup, so that it can unlock homed volumes
+
+* cryptenroll: politely refuse enrolling new keys to homed volumes, since we
+ we cannot update identity info
+
+* TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
+ and such
+
+* cryptsetup: if only recovery keys are registered and no regular passphrases,
+ ask user for "recovery key", not "passphrase"
+
+* cyptsetup: add option for automatically removing empty password slot on boot
+
* cryptsetup: optionally, when run during boot-up and password is never
- entered, and we are on AC power (or so), power off machine again
+ entered, and we are on battery power (or so), power off machine again
+
+* cryptsetup: when FIDO2/PKCS#11/TPM2 token/chip didn't show up after some
+ time, abort the attempt, fallback to asking for pw
+
+* cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
+ allow plymouth to abort the waiting and enter pw instead
* when configuring loopback netif, and it fails due to EPERM, eat up error if
it happens to be set up alright already.
@@ -200,9 +224,6 @@ Features:
thus allows defining OS images which can be A/B updated and we default to the
newest version automatically, both in nspawn and in sd-boot
-* cryptsetup: support FIDO2 tokens for deriving keys (i.e. do what homed can do
- also in plain cryptsetup)
-
* systemd-gpt-auto should probably set x-systemd.growfs on the mounts it
creates
@@ -241,12 +262,6 @@ Features:
* add growvol and makevol options for /etc/crypttab, similar to
x-systemd.growfs and x-systemd-makefs.
-* hook up the TPM to /etc/crypttab, with a new option that is similar to the
- new PKCS#11 option in crypttab, and allows unlocking a LUKS volume via a key
- unsealed from the TPM. Optionally, if TPM is not available fall back to
- TPM-less mode, and set up linear DM mapping instead (inspired by kpartx), so
- that the device paths stay the same, regardless if crypto is used or not.
-
* systemd-repart: by default generate minimized partition tables (i.e. tables
that only cover the space actually used, excluding any free space at the
end), in order to maximize dd'ability. Requires libfdisk work, see