forked from systemd/systemd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
TODO
2661 lines (2084 loc) · 133 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Bugfixes:
* Many manager configuration settings that are only applicable to user
manager or system manager can be always set. It would be better to reject
them when parsing config.
* Jun 01 09:43:02 krowka systemd[1]: Unit [email protected] has alias [email protected].
Jun 01 09:43:02 krowka systemd[1]: Unit [email protected] has alias [email protected].
Jun 01 09:43:02 krowka systemd[1]: Unit [email protected] has alias [email protected].
External:
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
* dbus:
- natively watch for dbus-*.service symlinks (PENDING)
- teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
* fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
* neither pkexec nor sudo initialize environ[] from the PAM environment?
* fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it
* register catalog database signature as file magic
* zsh shell completion:
- <command> <verb> -<TAB> should complete options, but currently does not
- systemctl add-wants,add-requires
- systemctl reboot --boot-loader-entry=
* systemctl status should know about 'systemd-analyze calendar ... --iterations='
* If timer has just OnInactiveSec=..., it should fire after a specified time
after being started.
* write blog stories about:
- hwdb: what belongs into it, lsusb
- enabling dbus services
- how to make changes to sysctl and sysfs attributes
- remote access
- how to pass throw-away units to systemd, or dynamically change properties of existing units
- testing with Harald's awesome test kit
- auto-restart
- how to develop against journal browsing APIs
- the journal HTTP iface
- non-cgroup resource management
- dynamic resource management with cgroups
- refreshed, longer missions statement
- calendar time events
- init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell
- how to create your own target
- instantiated apache, dovecot and so on
- hooking a script into various stages of shutdown/early boot
Regularly:
* look for close() vs. close_nointr() vs. close_nointr_nofail()
* check for strerror(r) instead of strerror(-r)
* pahole
* set_put(), hashmap_put() return values check. i.e. == 0 does not free()!
* use secure_getenv() instead of getenv() where appropriate
* link up selected blog stories from man pages and unit files Documentation= fields
Janitorial Clean-ups:
* rework mount.c and swap.c to follow proper state enumeration/deserialization
semantics, like we do for device.c now
* get rid of prefix_roota() and similar, only use chase() and related
calls instead.
* get rid of basename() and replace by path_extract_filename()
* Replace our fstype_is_network() with a call to libmount's mnt_fstype_is_netfs()?
Having two lists is not nice, but maybe it's now worth making a dependency on
libmount for something so trivial.
* drop set_free_free() and switch things over from string_hash_ops to
string_hash_ops_free everywhere, so that destruction is implicit rather than
explicit. Similar, for other special hashmap/set/ordered_hashmap destructors.
* generators sometimes apply C escaping and sometimes specifier escaping to
paths and similar strings they write out. Sometimes both. We should clean
this up, and should probably always apply both, i.e. introduce
unit_file_escape() or so, which applies both.
* xopenat() should pin the parent dir of the inode it creates before doing its
thing, so that it can create, open, label somewhat atomically.
Deprecations and removals:
* Remove any support for booting without /usr pre-mounted in the initrd entirely.
Update INITRD_INTERFACE.md accordingly.
* remove cgroups v1 support EOY 2023. As per
https://lists.freedesktop.org/archives/systemd-devel/2022-July/048120.html
and then rework cgroupsv2 support around fds, i.e. keep one fd per active
unit around, and always operate on that, instead of cgroup fs paths.
* drop support for kernels that lack ambient capabilities support (i.e. make
4.3 new baseline). Then drop support for "!!" modifier for ExecStart= which
is only supported for such old kernels.
* drop support for kernels lacking memfd_create() (i.e. make 3.17 new
baseline), then drop all pipe() based fallbacks.
* drop support for getrandom()-less kernels. (GRND_INSECURE means once kernel
5.6 becomes our baseline). See
https://github.com/systemd/systemd/pull/24101#issuecomment-1193966468 for
details. Maybe before that: at taint-flags/warn about kernels that lack
getrandom()/environments where it is blocked.
* drop support for LOOP_CONFIGURE-less loopback block devices, once kernel
baseline is 5.8.
* drop fd_is_mount_point() fallback mess once we can rely on
STATX_ATTR_MOUNT_ROOT to exist i.e. kernel baseline 5.8
* Remove /dev/mem ACPI FPDT parsing when /sys/firmware/acpi/fpdt is ubiquitous.
That requires distros to enable CONFIG_ACPI_FPDT, and have kernels v5.12 for
x86 and v6.2 for arm.
* Once baseline is 4.13, remove support for INTERFACE_OLD= checks in "udevadm
trigger"'s waiting logic, since we can then rely on uuid-tagged uevents
Features:
* look at nsresourced, mountfsd, homed, importd, and try to come up with a way
how the forked off worker processes can be moved into transient services with
sandboxing, without breaking notify socket stuff and so on.
* replace all \x1b, \x1B, \033 C string escape sequences in our codebase with a
more readable \e. It's a GNU extension, but a ton more readable than the
others, and most importantly it doesn't result in confusing errors if you
suffix the escape sequence with one more decimal digit, because compilers
think you might actually specify a value outside the 8bit range with that.
* homed: allow login via username + realm on getty/login prompt. Then rewrite
the user name in the PAM stack
* homed/userdb: add "aliases" field to user record, which can alternatively be
used for logging in. Rewrite user name in the PAM stack once acquired.
* confext/sysext: instead of mounting the overlayfs directly on /etc/ + /usr/,
insert an intermediary bind mount on itself there. This has the benefit that
services where mount propagation from the root fs is off, an still have
confext/sysext propagated in.
* marry pcrlock + signed pcr policies for FDE/credentials by letting each
unlock "half" of the volume key, so that the combination of both must be
XOR'ed to get the actual volume key
* support F_DUDFD_QUERY for comparing fds in same_fd (requires kernel 6.10)
* generic interface for varlink for setting log level and stuff that all our daemons can implement
* use pty ioctl to get peer wherever possible (TIOCGPTPEER)
* maybe teach repart.d/ dropins a new setting MakeMountNodes= or so, which is
just like MakeDirectories=, but uses an access mode of 0000 and sets the +i
chattr bit. This is useful as protection against early uses of /var/ or /tmp/
before their contents is mounted.
* go through all uses of table_new() in our codebase, and make sure we support
all three of:
1. --no-legend properly
2. --json= properly
3. --no-pager properly
* go through all --help texts in our codebases, and make sure:
1. the one sentence description of the tool is highlighted via ANSI how we
usually do it
2. If more than one or two commands are supported (as opposed to switches),
separate commands + switches from each other, using underlined --help sections.
3. If there are many switches, consider adding additional --help sections.
* go through our codebase, and convert "vertical tables" (i.e. things such as
"systemctl status") to use table_new_vertical() for output
* logind: when logging in use new tmpfs quota support to configure quota on
/tmp/ + /dev/shm/. But do so only in case of tmpfs, because otherwise quota
is persistent and any persistent settings mean we don#t have to reapply them.
* initrd: when transitioning from initrd to host, validate that
/lib/modules/`uname -r` exists, refuse otherwise
* tmpfiles: add "owning" flag for lines that limits effect of --purge
* signed bpf loading: to address need for signature verification for bpf
programs when they are loaded, and given the bpf folks don't think this is
realistic in kernel space, maybe add small daemon that facilitates this
loading on request of clients, validates signatures and then loads the
programs. This daemon should be the only daemon with privs to do load BPF on
the system. It might be a good idea to run this daemon already in the initrd,
and leave it around during the initrd transition, to continue serve requests.
Should then live in its own fs namespace that inherits from the initrd's
fs tree, not from the host, to isolate it properly. Should set
PR_SET_DUMPABLE so that it cannot be ptraced from the host. Should have
CAP_SYS_BPF as only service around.
* add a mechanism we can drop capabilities from pid1 *before* transitioning
from initrd to host. i.e. before we transition into the slightly lower trust
domain that is the host systems we might want to get rid of some caps.
Example: CAP_SYS_BPF in the signed bpf loading logic above. (We already have
CapabilityBoundingSet= in system.conf, but that is enforced when pid 1
initializes, rather then when it transitions to the next.)
* maybe add a new standard slice where process that are started in the initrd
and stick around for the whole system runtime (i.e. root fs storage daemons,
the bpf loader daemon discussed above, and such) are placed. maybe
protected.slice or so? Then write docs that suggest that services like this
set Slice=protected.sice, RefuseManualStart=yes, RefuseManualStop=yes and a
couple of other things.
* add feature to xopenat() that implements O_REGULAR in userspace: i.e. let's
open the inode via O_PATH first, then validate its type, and then convert to
proper fd via fd_reopen()
* rough proposed implementation design for remote attestation infra: add a tool
that generates a quote of local PCRs and NvPCRs, along with synchronous log
snapshot. use "audit session" logic for that, so that we get read-outs and
signature in one step. Then turn this into a JSON object. Use the "TCG TSS 2.0
JSON Data Types and Policy Language" format to encode the signature. And CEL
for the measurement log.
* creds: add a new cred format that reused the JSON structures we use in the
LUKS header, so that we get the various newer policies for free.
* drop PCR 7 from default PCR mask in credentials and LUKS2 enrollments
* systemd-analyze: port "pcrs" verb to talk directly to TPM device, instead of
using sysfs interface (well, or maybe not, as that would require privileges?)
* pcrextend/tpm2-util: add a concept of "rotation" to event log. i.e. allow
trailing parts of the logs if time or disk space limit is hit. Protect the
boot-time measurements however (i.e. up to some point where things are
settled), since we need those for pcrlock measurements and similar. When
deleting entries for rotation, place an event that declares how many items
have been dropped, and what the hash before and after that.
* measure information about all DDIs as we activate them to an NvPCR. We
probably should measure the dm-verity root hash from the kernel side, but
DDI meta info from userspace.
* rework tpm2_parse_pcr_argument_to_mask() to refuse literal hash value
specifications. They are currently parsed but ignored. We should refuse them
however, to not confuse people.
* use name_to_handle_at() with AT_HANDLE_FID instead of .st_ino (inode
number) for identifying inodes, for example in copy.c when finding hard
links, or loop-util.c for tracking backing files, and other places.
* cryptenroll/cryptsetup/homed: add unlock mechanism that combines tpm2 and
fido2, as well as tpm2 + ssh-agent, inspired by ChromeOS' logic: encrypt the
volume key with the TPM, with a policy that insists that a nonce is signed by
the fido2 device's key or ssh-agent key. Thus, add unlock/login time the TPM
generates a nonce, which is sent as a challenge to the fido2/ssh-agent, which
returns a signature which is handed to the tpm, which then reveals the volume
key to the PC.
* cryptenroll/cryptsetup/homed: similar to this, implement TOTP backed by TPM.
* expose the handoff timestamp fully via the D-Bus properties that contain
ExecStatus information
* properly serialize the ExecStatus data from all ExecCommand objects
associated with services, sockets, mounts and swaps. Currently, the data is
flushed out on reload, which is quite a limitation.
* Clean up "reboot argument" handling, i.e. set it through some IPC service
instead of directly via /run/, so that it can be sensible set remotely.
* userdb: add concept for user "aliases", to cover for cases where you can log
in under the name lennart@somenetworkfsserver, and it would automatically
generate a local user, and from the one both names can be used to allow
logins into the same account.
* systemd-tpm2-support: add a some logic that detects if system is in DA
lockout mode, and queries the user for TPM recovery PIN then.
* systemd-repart should probably enable btrfs' "temp_fsid" feature for all file
systems it creates, as we have no interest in RAID for repart, and it should
make sure that we can mount them trivially everywhere.
* systemd-nspawn should get the same SSH key support that vmspawn now has.
* move documentation about our common env vars (SYSTEMD_LOG_LEVEL,
SYSTEMD_PAGER, …) into a man page of its own, and just link it from our
various man pages that so far embed the whole list again and again, in an
attempt to reduce clutter and noise a bid.
* vmspawn switch default swtpm PCR bank to SHA384-only (away from SHA256), at
least on 64bit archs, simply because SHA384 is typically double the hashing
speed than SHA256 on 64bit archs (since based on 64bit words unlike SHA256
which uses 32bit words).
* In vmspawn/nspawn/machined wait for X_SYSTEMD_UNIT_ACTIVE=ssh-active.target
and X_SYSTEMD_SIGNAL_LEVEL=2 as indication whether/when SSH and the POSIX
signals are available. Similar for D-Bus (but just use sockets.target for
that). Report as property for the machine.
* teach nspawn/machined a new bus call/verb that gets you a
shell in containers that have no sensible pid1, via joining the container,
and invoking a shell directly. Then provide another new bus call/vern that is
somewhat automatic: if we detect that pid1 is running and fully booted up we
provide a proper login shell, otherwise just a joined shell. Then expose that
as primary way into the container.
* make vmspawn/nspawn/importd/machined a bit more usable in a WSL-like
fashion. i.e. teach unpriv systemd-vmspawn/systemd-nspawn a reasonable
--bind-user= behaviour that mounts the calling user through into the
machine. Then, ship importd with a small database of well known distro images
along with their pinned signature keys. Then add some minimal glue that binds
this together: downloads a suitable image if not done so yet, starts it in
the bg via vmspawn/nspawn if not done so yet and then requests a shell inside
it for the invoking user.
* importd/…: define per-user dirs for container/VM images too.
* add a new specifier to unit files that figures out the DDI the unit file is
from, tracing through overlayfs, DM, loopback block device.
* importd/importctl
- port tar handling to libarchive
- complete varlink interface
- download images into .v/ dirs
* in os-release define a field that can be initialized at build time from
SOURCE_DATE_EPOCH (maybe even under that name?). Would then be used to
initialize the timestamp logic of ConditionNeedsUpdate=.
* nspawn/vmspawn/pid1: add ability to easily insert fully booted VMs/FOSC into
shell pipelines, i.e. add easy to use switch that turns off console status
output, and generates the right credentials for systemd-run-generator so that
a program is invoked, and its output captured, with correct EOF handling and
exit code propagation
* new systemd-analyze "join" verb or so, for debugging services. Would be
nsenter on steroids, i.e invoke a shell or command line in an environment as
close as we can make it for the MainPID of a service. Should be built around
pidfd, so that we can reasonably robustly do this. Would only cover the
execution environment like namespaces, but not the privilege settings.
* Introduce a CGroupRef structure, inspired by PidRef. Should contain cgroup
path, cgroup id, and cgroup fd. Use it to continuously pin all v2 cgroups via
a cgroup_ref field in the CGroupRuntime structure. Eventually switch things
over to do all cgroupfs access only via that structure's fd.
* Get rid of the symlinks in /run/systemd/units/* and exclusively use cgroupfs
xattrs to convey info about invocation ids, logging settings and so on.
support for cgroupfs xattrs in the "trusted." namespace was added in linux
3.7, i.e. which we don't pretend to support anymore.
* rewrite bpf-devices in libbpf/C code, rather than home-grown BPF assembly, to
match bpf-restrict-fs, bpf-restrict-ifaces, bpf-socket-bind
* ditto: rewrite bpf-firewall in libbpf/C code
* credentials: if we ever acquire a secure way to derive cgroup id of socket
peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to
allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next
step use this to implement per-app/per-service encrypted directories, where
we set up fscrypt on the StateDirectory= with a randomized key which is
stored as xattr on the directory, encrypted as a credential.
* credentials: optionally include a per-user secret in scoped user-credential
encryption keys. should come from homed in some way, derived from the luks
volume key or fscrypt directory key.
* credentials: add a flag to the scoped credentials that if set require PK
reauthentication when unlocking a secret.
* teach systemd --user to properly load credentials off disk, with
/etc/credstore equivalent and similar. Make sure that $CREDENTIALS_DIRECTORY=
actually works too when run with user privs.
* extend the smbios11 logic for passing credentials so that instead of passing
the credential data literally it can also just reference an AF_VSOCK CID/port
to read them from. This way the data doesn't remain in the SMBIOS blob during
runtime, but only in the credentials fs.
* machined: optionally track nspawn unix-export/ runtime for each machined, and
then update systemd-ssh-proxy so that it can connect to that.
* add a new ExecStart= flag that inserts the configured user's shell as first
word in the command line. (maybe use character '.'). Usecase: tool such as
run0 can use that to spawn the target user's default shell.
* introduce mntid_t, and make it 64bit, as apparently the kernel switched to
64bit mount ids
* use udev rule networkd ownership property to take ownership of network
interfaces nspawn creates
* mountfsd/nsresourced
- userdb: maybe allow callers to map one uid to their own uid
- bpflsm: allow writes if resulting UID on disk would be userns' owner UID
- make encrypted DDIs work (password…)
- add API for creating a new file system from scratch (together with some
dm-integrity/HMAC key). Should probably work using systemd-repart (access
via varlink).
- add api to make an existing file "trusted" via dm-integry/HMAC key
- port: portabled
- port: tmpfiles, sysusers and similar
- lets see if we can make runtime bind mounts into unpriv nspawn work
* add a kernel cmdline switch (and cred?) for marking a system to be
"headless", in which case we never open /dev/console for reading, only for
writing. This would then mean: systemd-firstboot would process creds but not
ask interactively, getty would not be started and so on.
* cryptsetup: new crypttab option to auto-grow a luks device to its backing
partition size. new crypttab option to reencrypt a luks device with a new
volume key.
* we probably should have some infrastructure to acquire sysexts with
drivers/firmware for local hardware automatically. Idea: reuse the modalias
logic of the kernel for this: make the main OS image install a hwdb file
that matches against local modalias strings, and adds properties to relevant
devices listing names of sysexts needed to support the hw. Then provide some
tool that goes through all devices and tries to acquire/download the
specified images.
* repart + cryptsetup: support file systems that are encrypted and use verity
on top. Usecase: confexts that shall be signed by the admin but also be
confidential. Then, add a new --make-ddi=confext-encrypted for this.
* tmpfiles: add new line type for moving files from some source dir to some
target dir. then use that to move sysexts/confexts and stuff from initrd
tmpfs to /run/, so that host can pick things up.
* tiny varlink service that takes a fd passed in and serves it via http. Then
make use of that in networkd, and expose some EFI binary of choice for
DHCP/HTTP base EFI boot.
* bootctl: add reboot-to-disk which takes a block device name, and
automatically sets things up so that system reboots into that device next.
* maybe: in PID1, when we detect we run in an initrd, make superblock read-only
early on, but provide opt-out via kernel cmdline.
* systemd-pcrextend:
- support measuring to nvindex with PCR update semantics ("fake PCRs")
- add api for "allocating" such an nvindex
- once we have that start measuring every sysext we apply, every confext,
every RootImage= we apply, every nspawn and so on. All in separate fake
PCRs.
* vmspawn:
- run in scope unit when invoked from command line, and machined registration is off
- sd_notify support
- --ephemeral support
- --read-only support
- automatically suspend/resume the VM if the host suspends. Use logind
suspend inhibitor to implement this. request clean suspend by generating
suspend key presses.
- support for "real" networking via "-n" and --network-bridge=
- translate SIGTERM to clean ACPI shutdown event
* systemd-pcrmachine should probably also measure the SMBIOS system UUID.
* sd-boot: allow synthesizing additional type1 entries via SMBIOS vendor strings
* storagetm:
- add USB mass storage device logic, so that all local disks are also exposed
as mass storage devices on systems that have a USB controller that can
operate in device mode
- add NVMe authentication
* add support for activating nvme-oF devices at boot automatically via kernel
cmdline, and maybe even support a syntax such as
root=nvme:<trtype>:<traddr>:<trsvcid>:<nqn>:<partition> to boot directly from
nvme-oF
* pcrlock:
- make signed PCR work together with pcrlock
- add kernel-install plugin that automatically creates UKI .pcrlock file when
UKI is installed, and removes it when it is removed again
- automatically install PE measurement of sd-boot on "bootctl install"
- write generated pcrlock signature files to the ESP as credential, one for
each installed OS & pick up generated pcrlock signature file in sd-stub,
pass it via initrd to OS
- pre-calc sysext + kernel cmdline measurements
- pre-calc cryptsetup root key measurement
- maybe make systemd-repart generate .pcrlock for old and new GPT header in
/run?
- Add support for more than 8 branches per PCR OR
- add "systemd-pcrlock lock-kernel-current" or so which synthesizes .pcrlock
policy from currently booted kernel/event log, to close gap for first boot
for pre-built images
* in sd-boot and sd-stub measure the SMBIOS vendor strings to some PCR (at
least some subset of them that look like systemd stuff), because apparently
some firmware does not, but systemd honours it. avoid duplicate measurement
by sd-boot and sd-stub by adding LoaderFeatures/StubFeatures flag for this,
so that sd-stub can avoid it if sd-boot already did it.
* cryptsetup: a mechanism that allows signing a volume key with some key that
has to be present in the kernel keyring, or similar, to ensure that confext
DDIs can be encrypted against the local SRK but signed with the admin's key
and thus can authenticated locally before they are decrypted.
* image policy should be extended to allow dictating *how* a disk is unlocked,
i.e. root=encrypted-tpm2+encrypted-fido2 would mean "root fs must be
encrypted and unlocked via fido2 or tpm2, but not otherwise"
* systemd-repart: add support for formatting dm-crypt + dm-integrity file
systems.
* homed: use systemd-storagetm to expose home dirs via nvme-tcp. Then,
teach homed/pam_systemd_homed with a user name such as
lennart%nvme_tcp_192.168.100.77_8787 to log in from any linux host with the
same home dir. Similar maybe for nbd, iscsi? this should then first ask for
the local root pw, to authenticate that logging in like this is ok, and would
then be followed by another password prompt asking for the user's own
password. Also, do something similar for CIFS: if you log in via
lennart%cifs-someserver_someshare, then set up the homed dir for it
automatically. The PAM module should update the user name used for login to
the short version once it set up the user. Some care should be taken, so that
the long version can be still be resolved via NSS afterwards, to deal with
PAM clients that do not support PAM sessions where PAM_USER changes half-way.
* redefine /var/lib/extensions/ as the dir one can place all three of sysext,
confext as well is multi-modal DDIs that qualify as both. Then introduce
/var/lib/sysexts/ which can be used to place only DDIs that shall be used as
sysext
* Varlinkification of the following command line tools, to open them up to
other programs via IPC:
- bootctl
- journalctl (allowing journal read access via IPC)
- coredumpcl
- systemd-bless-boot
- systemd-measure
- systemd-cryptenroll (to allow UIs to enroll FIDO2 keys and such)
- systemd-dissect
- systemd-sysupdate
- systemd-analyze
- kernel-install
- systemd-mount (with PK so that desktop environments could use it to mount disks)
* enumerate virtiofs devices during boot-up in a generator, and synthesize
mounts for rootfs, /usr/, /home/, /srv/ and some others from it, depending on
the "tag". (waits for: https://gitlab.com/virtio-fs/virtiofsd/-/issues/128)
* automatically mount one virtiofs during early boot phase to /run/host/,
similar to how we do that for nspawn, based on some clear tag.
* add some service that makes an atomic snapshot of PCR state and event log up
to that point available, possibly even with quote by the TPM.
* encode type1 entries in some UKI section to add additional entries to the
menu.
* Add ACL-based access management to .socket units. i.e. add AllowPeerUser= +
AllowPeerGroup= that installs additional user/group ACL entries on AF_UNIX
sockets.
* systemd-tpm2-setup should probably have a factory reset logic, i.e. when some
kernel command line option is set we reset the TPM (equivalent of tpm2_clear
-c owner? or rather echo 5 >/sys/class/tpm/tpm0/ppi/request?).
* systemd-tpm2-setup should support a mode where we refuse booting if the SRK
changed. (Must be opt-in, to not break systems which are supposed to be
migratable between PCs)
* when systemd-sysext learns mutable /usr/ (and systemd-confext mutable /etc/)
then allow them to store the result in a .v/ versioned subdir, for some basic
snapshot logic
* add a new PE binary section ".mokkeys" or so which sd-stub will insert into
Mok keyring, by overriding/extending whatever shim sets in the EFI
var. Benefit: we can extend the kernel module keyring at ukify time,
i.e. without recompiling the kernel, taking an upstream OS' kernel and adding
a local key to it.
* PidRef conversion work:
- cg_pid_get_xyz()
- pid_from_same_root_fs()
- get_ctty_devnr()
- actually wait for POLLIN on pidref's pidfd in service logic
- openpt_allocate_in_namespace()
- unit_attach_pid_to_cgroup_via_bus()
- cg_attach() – requires new kernel feature
* ddi must be listed as block device fstype
* measure some string via pcrphase whenever we end up booting into emergency
mode.
* homed: add a basic form of secrets management to homed, that stores
secrets in $HOME somewhere, is protected by the accounts own authentication
mechanisms. Should implement something PKCS#11-like that can be used to
implement emulated FIDO2 in unpriv userspace on top (which should happen
outside of homed), emulated PKCS11, and libsecrets support. Operate with a
2nd key derived from volume key of the user, with which to wrap all
keys. maintain keys in kernel keyring if possible.
* use sd-event ratelimit feature optionally for journal stream clients that log
too much
* systemd-mount should only consider modern file systems when mounting, similar
to systemd-dissect
* add another PE section ".fname" or so that encodes the intended filename for
PE file, and validate that when loading add-ons and similar before using
it. This is particularly relevant when we load multiple add-ons and want to
sort them to apply them in a define order. The order should not be under
control of the attacker.
* also include packaging metadata (á la
https://systemd.io/ELF_PACKAGE_METADATA/) in our UEFI PE binaries, using the
same JSON format.
* make "bootctl install" + "bootctl update" useful for installing shim too. For
that introduce new dir /usr/lib/systemd/efi/extra/ which we copy mostly 1:1
into the ESP at install time. Then make the logic smart enough so that we
don't overwrite bootx64.efi with our own if the extra tree already contains
one. Also, follow symlinks when copying, so that shim rpm can symlink their
stuff into our dir (which is safe since the target ESP is generally VFAT and
thus does not have symlinks anyway). Later, teach the update logic to look at
the ELF package metadata (which we also should include in all PE files, see
above) for version info in all *.EFI files, and use it to only update if
newer.
* in sd-stub: optionally add support for a new PE section .keyring or so that
contains additional certificates to include in the Mok keyring, extending
what shim might have placed there. why? let's say I use "ukify" to build +
sign my own fedora-based UKIs, and only enroll my personal lennart key via
shim. Then, I want to include the fedora keyring in it, so that kmods work.
But I might not want to enroll the fedora key in shim, because this would
also mean that the key would be in effect whenever I boot an archlinux UKI
built the same way, signed with the same lennart key.
* resolved: take possession of some IPv6 ULA address (let's say
fd00:5353:5353:5353:5353:5353:5353:5353), and listen on port 53 on it for the
local stubs, so that we can make the stub available via ipv6 too.
* Maybe add SwitchRootEx() as new bus call that takes env vars to set for new
PID 1 as argument. When adding SwitchRootEx() we should maybe also add a
flags param that allows disabling and enabling whether serialization is
requested during switch root.
* introduce a .acpitable section for early ACPI table override
* add proper .osrel matching for PE addons. i.e. refuse applying an addon
intended for a different OS. Take inspiration from how confext/sysext are
matched against OS.
* figure out what to do about credentials sealed to PCRs in kexec + soft-reboot
scenarios. Maybe insist sealing is done additionally against some keypair in
the TPM to which access is updated on each boot, for the next, or so?
* logind: when logging in, always take an fd to the home dir, to keep the dir
busy, so that autofs release can never happen. (this is generally a good
idea, and specifically works around the fact the autofs ignores busy by mount
namespaces)
* mount most file systems with a restrictive uidmap. e.g. mount /usr/ with a
uidmap that blocks out anything outside 0…1000 (i.e. system users) and similar.
* mount the root fs with MS_NOSUID by default, and then mount /usr/ without
both so that suid executables can only be placed there. Do this already in
the initrd. If /usr/ is not split out create a bind mount automatically.
* fix our various hwdb lookup keys to end with ":" again. The original idea was
that hwdb patterns can match arbitrary fields with expressions like
"*:foobar:*", to wildcard match both the start and the end of the string.
This only works safely for later extensions of the string if the strings
always end in a colon. This requires updating our udev rules, as well as
checking if the various hwdb files are fine with that.
* mount /tmp/ and /var/tmp with a uidmap applied that blocks out "nobody" user
among other things such as dynamic uid ranges for containers and so on. That
way no one can create files there with these uids and we enforce they are only
used transiently, never persistently.
* rework loopback support in fstab: when "loop" option is used, then
instantiate a new [email protected] for the source path, set the
lo_file_name field for it to something recognizable derived from the fstab
line, and then generate a mount unit for it using a udev generated symlink
based on lo_file_name.
* teach systemd-nspawn the boot assessment logic: hook up vpick's try counters
with success notifications from nspawn payloads. When this is enabled,
automatically support reverting back to older OS version images if newer ones
fail to boot.
* implement new "systemd-fsrebind" tool that works like gpt-auto-generator but
looks at a root dir and then applies vpick on various dirs/images to pick a
root tree, a /usr/ tree, a /home/, a /srv/, a /var/ tree and so on. Dirs
could also be btrfs subvols (combine with btrfs auto-snapshort approach for
creating versions like these automatically).
* remove tomoyo support, it's obsolete and unmaintained apparently
* In .socket units, add ConnectStream=, ConnectDatagram=,
ConnectSequentialPacket= that create a socket, and then *connect to* rather than
listen on some socket. Then, add a new setting WriteData= that takes some
base64 data that systemd will write into the socket early on. This can then
be used to create connections to arbitrary services and issue requests into
them, as long as the data is static. This can then be combined with the
aforementioned journald subscription varlink service, to enable
activation-by-message id and similar.
* .service with invalid Sockets= starts successfully.
* landlock: lock down RuntimeDirectory= via landlock, so that services lose
ability to write anywhere else below /run/. Similar for
StateDirectory=. Benefit would be clear delegation via unit files: services
get the directories they get, and nothing else even if they wanted to.
* landlock: for unprivileged systemd (i.e. systemd --user), use landlock to
implement ProtectSystem=, ProtectHome= and so on. Landlock does not require
privs, and we can implement pretty similar behaviour. Also, maybe add a mode
where ProtectSystem= combined with an explicit PrivateMounts=no could request
similar behaviour for system services, too.
* Add [email protected] which is instantiated for a block device and
invokes systemd-mount and exits. This is then useful to use in
ENV{SYSTEMD_WANTS} in udev rules, and a bit prettier than using RUN+=
* udevd: extend memory pressure logic: also kill any idle worker processes
* udevadm: to make symlink querying with udevadm nicer:
- do not enable the pager for queries like 'udevadm info -q -r symlink'
- add mode with newlines instead of spaces (for grep)?
* SIGRTMIN+18 and memory pressure handling should still be added to: hostnamed,
localed, oomd, timedated.
* repart/gpt-auto/DDIs: maybe introduce a concept of "extension" partitions,
that have a new type uuid and can "extend" earlier partitions, to work around
the fact that systemd-repart can only grow the last partition defined. During
activation we'd simply set up a dm-linear mapping to merge them again. A
partition that is to be extended would just set a bit in the partition flags
field to indicate that there's another extension partition to look for. The
identifying UUID of the extension partition would be hashed in counter mode
from the uuid of the original partition it extends. Inspiration for this is
the "dynamic partitions" concept of new Android. This would be a minimalistic
concept of a volume manager, with the extents it manages being exposes as GPT
partitions. I a partition is extended multiple times they should probably
grow exponentially in size to ensure O(log(n)) time for finding them on
access.
* Make nspawn to a frontend for systemd-executor, so that we have to ways into
the executor: via unit files/dbus/varlink through PID1 and via cmdline/OCI
through nspawn.
* sd-stub: detect if we are running with uefi console output on serial, and if so
automatically add console= to kernel cmdline matching the same port.
* add a utility that can be used with the kernel's
CONFIG_STATIC_USERMODEHELPER_PATH and then handles them within pid1 so that
security, resource management and cgroup settings can be enforced properly
for all umh processes.
* homed: when resizing an fs don't sync identity beforehand there might simply
not be enough disk space for that. try to be defensive and sync only after
resize.
* homed: if for some reason the partition ended up being much smaller than
whole disk, recover from that, and grow it again.
* timesyncd: when saving/restoring clock try to take boot time into account.
Specifically, along with the saved clock, store the current boot ID. When
starting, check if the boot id matches. If so, don't do anything (we are on
the same boot and clock just kept running anyway). If not, then read
CLOCK_BOOTTIME (which started at boot), and add it to the saved clock
timestamp, to compensate for the time we spent booting. If EFI timestamps are
available, also include that in the calculation. With this we'll then only
miss the time spent during shutdown after timesync stopped and before the
system actually reset.
* systemd-stub: maybe store a "boot counter" in the ESP, and pass it down to
userspace to allow ordering boots (for example in journalctl). The counter
would be monotonically increased on every boot.
* pam_systemd_home: add module parameter to control whether to only accept
only password or only pcks11/fido2 auth, and then use this to hook nicely
into two of the three PAM stacks gdm provides.
See discussion at https://github.com/authselect/authselect/pull/311
* sd-boot: make boot loader spec type #1 accept http urls in "linux"
lines. Then, do the uefi http dance to download kernels and boot them. This
is then useful for network boot, by embedding a cpio with type #1 snippets
in sd-boot, which reference remote kernels.
* maybe prohibit setuid() to the nobody user, to lock things down, via seccomp.
the nobody is not a user any code should run under, ever, as that user would
possibly get a lot of access to resources it really shouldn't be getting
access to due to the userns + nfs semantics of the user. Alternatively: use
the seccomp log action, and allow it.
* sd-boot: add a new PE section .bls or so that carries a cpio with additional
boot loader entries (both type1 and type2). Then when initializing, find this
section, iterate through it and populate menu with it. cpio is simple enough
to make a parser for this reasonably robust. use same path structures as in
the ESP. Similar add one for signature key drop-ins.
* sd-boot: also allow passing in the cpio as in the previous item via SMBIOS
* add a new EFI tool "sd-fetch" or so. It looks in a PE section ".url" for an
URL, then downloads the file from it using UEFI HTTP APIs, and executes it.
Use case: provide a minimal ESP with sd-boot and a couple of these sd-fetch
binaries in place of UKIs, and download them on-the-fly.
* maybe: systemd-loop-generator that sets up loopback devices if requested via kernel
cmdline. use case: include encrypted/verity root fs in UKI.
* systemd-gpt-auto-generator: add kernel cmdline option to override block
device to dissect. also support dissecting a regular file. useccase: include
encrypted/verity root fs in UKI.
* sd-stub: add ".bootcfg" section for kernel bootconfig data (as per
https://docs.kernel.org/admin-guide/bootconfig.html)
* tpm2: add (optional) support for generating a local signing key from PCR 15
state. use private key part to sign PCR 7+14 policies. stash signatures for
expected PCR7+14 policies in EFI var. use public key part in disk encryption.
generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can
securely bind against SecureBoot/shim state, without having to renroll
everything on each update (but we still have to generate one sig on each
update, but that should be robust/idempotent). needs rollback protection, as
usual.
* Lennart: big blog story about DDIs
* Lennart: big blog story about building initrds
* Lennart: big blog story about "why systemd-boot"
* bpf: see if we can use BPF to solve the syslog message cgroup source problem:
one idea would be to patch source sockaddr of all AF_UNIX/SOCK_DGRAM to
implicitly contain the source cgroup id. Another idea would be to patch
sendto()/connect()/sendmsg() sockaddr on-the-fly to use a different target
sockaddr.
* bpf: see if we can address opportunistic inode sharing of immutable fs images
with BPF. i.e. if bpf gives us power to hook into openat() and return a
different inode than is requested for which we however it has same contents
then we can use that to implement opportunistic inode sharing among DDIs:
make all DDIs ship xattr on all reg files with a SHA256 hash. Then, also
dictate that DDIs should come with a top-level subdir where all reg files are
linked into by their SHA256 sum. Then, whenever an inode is opened with the
xattr set, check bpf table to find dirs with hashes for other prior DDIs and
try to use inode from there.
* extend the verity signature partition to permit multiple signatures for the
same root hash, so that people can sign a single image with multiple keys.
* consider adding a new partition type, just for /opt/ for usage in system
extensions
* gpt-auto-discovery: also use the pkcs7 signature stuff, and pass signature to
kernel. So far we only did this for the various --image= switches, but not
for the root fs or /usr/.
* dissection policy should enforce that unlocking can only take place by
certain means, i.e. only via pw, only via tpm2, or only via fido, or a
combination thereof.
* make the systemd-repart "seed" value provisionable via credentials, so that
confidential computing environments can set it and deterministically
enforce the uuids for partitions created, so that they can calculate PCR 15
ahead of time.
* systemd-repart: also derive the volume key from the seed value, for the
aforementioned purpose.
* in the initrd: derive the default machine ID to pass to the host PID 1 via
$machine_id from the same seed credential.
* Add systemd-sysupdate-initrd.service or so that runs systemd-sysupdate in the
initrd to bootstrap the initrd to populate the initial partitions. Some things
to figure out:
- Should it run on firstboot or on every boot?
- If run on every boot, should it use the sysupdate config from the host on
subsequent boots?
* revisit default PCR bindings in cryptenroll and systemd-creds. Currently they
use PCR 7 which should contain secureboot state db/dbx. Which sounded like a
safe bet, given that it should change only on policy changes, and not
software updates. But that's wrong. Recent fwupd (rightfully) contains code
for updating the dbx denylist. This means even without any active policy
change PCR 7 might change. Hence, better idea might be in systemd-creds to
default to PCR 15 at least if sd-stub is used (i.e. bind to system identity),
and in cryptsetup simply the empty list? Also, PCR 14 almost certainly should
be included as much as PCR 7 (as it contains shim's policy, which is
certainly as relevant as PCR 7 on many systems)
* To mimic the new tpm2-measure-pcr= crypttab option add the same to veritytab
(measuring the root hash) and integritytab (measuring the HMAC key if one is
used)
* We should start measuring all services, containers, and system extensions we
activate. probably into PCR 13. i.e. add --tpm2-measure-pcr= or so to
systemd-nspawn, and MeasurePCR= to unit files. Should contain a measurement
of the activated configuration and the image that is being activated (in case
verity is used, hash of the root hash).
* bootspec: permit graceful "update" from type #2 to type #1. If both a type #1
and a type #2 entry exist under otherwise the exact same name, then use the
type #1 entry, and ignore the type #2 entry. This way, people can "upgrade"
from the UKI with all parameters baked in to a Type #1 .conf file with manual
parametrization, if needed. This matches our usual rule that admin config
should win over vendor defaults.
* write a "search path" spec, that documents the prefixes to search in
(i.e. the usual /etc/, /run/, /usr/lib/ dance, potentially /usr/etc/), how to
sort found entries, how masking works and overriding.
* automatic boot assessment: add one more default success check that just waits
for a bit after boot, and blesses the boot if the system stayed up that long.
* systemd-repart: add support for generating ISO9660 images
* systemd-repart: in addition to the existing "factory reset" mode (which
simply empties existing partitions marked for that). add a mode where
partitions marked for it are entirely removed. Use case: remove secondary OS
copy, and redundant partitions entirely, and recreate them anew.
* systemd-boot: maybe add support for collapsing menu entries of the same OS
into one item that can be opened (like in a "tree view" UI element) or
collapsed. If only a single OS is installed, disable this mode, but if
multiple OSes are installed might make sense to default to it, so that user
is not immediately bombarded with a multitude of Linux kernel versions but
only one for each OS.
* systemd-repart: if the GPT *disk* UUID (i.e. the one global for the entire
disk) is set to all FFFFF then use this as trigger for factory reset, in
addition to the existing mechanisms via EFI variables and kernel command
line. Benefit: works also on non-EFI systems, and can be requested on one
boot, for the next.
* systemd-sysupdate: make transport pluggable, so people can plug casync or
similar behind it, instead of http.
* systemd-tmpfiles: add concept for conditionalizing lines on factory reset
boot, or on first boot.
* in UKIs: add way to define allowlist of additional words that can be added to
the kernel cmdline even in SecureBoot mode
* we probably needs .pcrpkeyrd or so as additional PE section in UKIs,
which contains a separate public key for PCR values that only apply in the
initrd, i.e. in the boot phase "enter-initrd". Then, consumers in userspace
can easily bind resources to just the initrd. Similar, maybe one more for
"enter-initrd:leave-initrd" for resources that shall be accessible only
before unprivileged user code is allowed. (we only need this for .pcrpkey,
not for .pcrsig, since the latter is a list of signatures anyway). With that,
when you enroll a LUKS volume or similar, pick either the .pcrkey (for
coverage through all phases of the boot, but excluding shutdown), the
.pcrpkeyrd (for coverage in the initrd only) and .pcrpkeybt (for coverage
until users are allowed to log in).
* Once the root fs LUKS volume key is measured into PCR 15, default to binding
credentials to PCR 15 in "systemd-creds"
* add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing
an encrypted image on some host given a public key belonging to a specific
other host, so that only hosts possessing the private key in the TPM2 chip
can decrypt the volume key and activate the volume. Use case: systemd-confext
for a central orchestrator to generate confext images securely that can only
be activated on one specific host (which can be used for installing a bunch
of creds in /etc/credstore/ for example). Extending on this: allow binding
LUKS2 TPM based encryption also to the TPM2 internal clock. Net result:
prepare a confext image that can only be activated on a specific host that
runs a specific software in a specific time window. confext would be
automatically invalidated outside of it.
* maybe add a "systemd-report" tool, that generates a TPM2-backed "report" of
current system state, i.e. a combination of PCR information, local system
time and TPM clock, running services, recent high-priority log
messages/coredumps, system load/PSI, signed by the local TPM chip, to form an
enhanced remote attestation quote. Use case: a simple orchestrator could use
this: have the report tool upload these reports every 3min somewhere. Then
have the orchestrator collect these reports centrally over a 3min time
window, and use them to determine what which node should now start/stop what,
and generate a small confext for each node, that uses Uphold= to pin services
on each node. The confext would be encrypted using the asymmetric encryption
proposed above, so that it can only be activated on the specific host, if the
software is in a good state, and within a specific time frame. Then run a
loop on each node that sends report to orchestrator and then sysupdate to
update confext. Orchestrator would be stateless, i.e. operate on desired
config and collected reports in the last 3min time window only, and thus can
be trivially scaled up since all instances of the orchestrator should come to
the same conclusions given the same inputs of reports/desired workload info.
Could also be used to deliver Wireguard secrets and thus to clients, thus
permitting zero-trust networking: secrets are rolled over via confext updates,
and via the time window TPM logic invalidated if node doesn't keep itself
updated, or becomes corrupted in some way.
* in the initrd, once the rootfs encryption key has been measured to PCR 15,
derive default machine ID to use from it, and pass it to host PID 1.