summaryrefslogtreecommitdiffstats
path: root/TODO
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2020-07-23 08:46:43 +0200
committerLennart Poettering <lennart@poettering.net>2020-08-25 19:46:39 +0200
commitfabece9ccb77e773bd5e9ac91edfa841e2d78f38 (patch)
treeacd42d49a690ce47dc095a2e0b2404a6718c407c /TODO
parenttest: add test suite for new credentials logic (diff)
downloadsystemd-fabece9ccb77e773bd5e9ac91edfa841e2d78f38.tar.xz
systemd-fabece9ccb77e773bd5e9ac91edfa841e2d78f38.zip
update TODO
Diffstat (limited to 'TODO')
-rw-r--r--TODO20
1 files changed, 12 insertions, 8 deletions
diff --git a/TODO b/TODO
index b63b436e29..c4c20f71a5 100644
--- a/TODO
+++ b/TODO
@@ -119,14 +119,18 @@ Features:
* seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging.
-* per-service credential system. Specifically: add LoadCredential= (for loading
- cred from file), AcquireCredential= (for asking user for cred, via
- ask-password), PassCredential= (for passing on credential systemd itself
- got). Then, place credentials in a per-service, immutable ramfs instance (so
- that it cannot be swapped out), destroy after use. Also pass via keyring
- (with graceful fallback to cover for containers). Define CredentialPath= for
- defining subdir of /run/credentials/ where to place it. Set $CREDENTIAL_PATH
- env var for services to the result. Also pass via fd passing (optionally).
+* credentials system:
+ - maybe add AcquireCredential= for querying a cred via ask-password
+ - maybe try to acquire creds via keyring?
+ - maybe try to pass creds via keyring?
+ - maybe optionally pass creds via memfd
+ - maybe add support for decrypting creds via TPM
+ - maybe add support for decrypting/importing creds via pkcs11
+ - make systemd-cryptsetup acquire pw via creds logic
+ - make PAMName= acquire pw via creds logic
+ - make macsec/wireguard code in networkd read key via creds logic
+ - make gatwayd/remote read key via creds logic
+ - add sd_notify() command for flushing out creds not needed anymore
* homed: add native recovery key support. use 48 lowercase modhex characters
(192bit), show qr code of it, include pattern expression in user record.