@@ -142,16 +142,37 @@ Features:
142142
143143* expose MS_NOSYMFOLLOW in various places
144144
145- * ability to insert trusted configuration and secrets into the boot parameters
146- of a kernel booting in a VM or on baremetal some way, via TPM
147- protection. idea:
148- 1. pass via /proc/bootconfig
149- 2. for secrets: put secrets in node of /proc/bootconfig, decrypt them via
150- TPM early on in PID 1, put them in $CREDENTIAL_PATH logic
151- 3. for config: put signed data in node /proc/booconfig, validate via TPM
152- early on in PID 1, put data into /run/bootconfig/ as individual files
153- 4. boot loader/stub should pick these up automatically from the boot loader
154- file systems
145+ * allow passing creds into kernel when booting: in EFI stub, collect creds
146+ files from ESP directory, generate CPIO archive on the fly from them, so that
147+ they are dropped into /run/initramfs/creds/ and pass to kernel as additional
148+ initrd. Then, use LoadCredentialEncrypted=foo:/run/initramfs/creds/foo to
149+ load them.
150+
151+ * make LoadCredential= automatically find credentials in /etc/creds,
152+ /run/creds, … and so on, if path component is unqualified
153+
154+ * teach LoadCredential=/LoadCredentialEncrypted= to load credentials from
155+ kernel cmdline, maybe: LoadCredentialEncrypted=foobar:proc-cmdline:foobar
156+
157+ * credentials system:
158+ - acquire from kernel command line
159+ - acquire from EFI variable?
160+ - acquire via via ask-password?
161+ - acquire creds via keyring?
162+ - pass creds via keyring?
163+ - pass creds via memfd?
164+ - acquire + decrypt creds from pkcs11?
165+ - make systemd-cryptsetup acquire pw via creds logic
166+ - make PAMName= acquire pw via creds logic
167+ - make macsec/wireguard code in networkd read key via creds logic
168+ - make gatwayd/remote read key via creds logic
169+ - add sd_notify() command for flushing out creds not needed anymore
170+
171+ * teach LoadCredential= the ability to load all files from a specified dir as
172+ individual creds
173+
174+ * add tpm.target or so which is delayed until TPM2 device showed up in case
175+ firmware indicates there is one.
155176
156177* tpm2: support a PIN policy, i.e. allowing windows-style short authentication
157178 passwords by using the TPM2 to enforce ratelimiting and such, use for
@@ -195,19 +216,6 @@ Features:
195216 - cryptsetup-generator: allow specification of passwords in crypttab itself
196217 - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
197218
198- * credentials system:
199- - maybe add AcquireCredential= for querying a cred via ask-password
200- - maybe try to acquire creds via keyring?
201- - maybe try to pass creds via keyring?
202- - maybe optionally pass creds via memfd
203- - maybe add support for decrypting creds via TPM
204- - maybe add support for decrypting/importing creds via pkcs11
205- - make systemd-cryptsetup acquire pw via creds logic
206- - make PAMName= acquire pw via creds logic
207- - make macsec/wireguard code in networkd read key via creds logic
208- - make gatwayd/remote read key via creds logic
209- - add sd_notify() command for flushing out creds not needed anymore
210-
211219* when configuring loopback netif, and it fails due to EPERM, eat up error if
212220 it happens to be set up alright already.
213221
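Review bot: the removed "credentials system" block reappears at new lines 157-169 of this file, so the removal itself is consistent, but two of the old bullets have no counterpart there: "maybe add support for decrypting creds via TPM" and the AcquireCredential= wording for ask-password (the new list has only "acquire via via ask-password?"). If TPM-based decryption is now meant to be covered by LoadCredentialEncrypted=, it would help to say so in the relocated list rather than silently dropping it; otherwise the bullet should be carried over.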
@@ -223,9 +231,6 @@ Features:
223231 address as conduit for some minimal connection metainfo, and use it to
224232 restore the "description" logic that kdbus used to have.
225233
226- * teach LoadCredential= the ability to load all files from a specified dir as
227- individual creds
228-
229234* systemd-analyze netif that explains predictable interface (or networkctl)
230235
231236* Add service setting to run a service within the specified VRF. i.e. do the
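Review bot: this removal is a pure relocation, the same "load all files from a specified dir as individual creds" item now sits at new lines 171-172 of this file, so no content is lost; for consistency with the new line 154, which extends the kernel-cmdline feature to both LoadCredential= and LoadCredentialEncrypted=, the relocated copy could likewise name both directives, since loading a whole directory is at least as relevant for encrypted creds.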