29 lines
1.0 KiB
Diff
29 lines
1.0 KiB
Diff
From 48d3b9b2ee68a41e41ccb493e24c0283d752e4f8 Mon Sep 17 00:00:00 2001
|
|
From: Lennart Poettering <lennart@poettering.net>
|
|
Date: Fri, 14 Oct 2022 21:21:46 +0200
|
|
Subject: [PATCH] update TODO
|
|
|
|
(cherry picked from commit a67a50e8f4a3d19713fe9b84653616fcba5ae14c)
|
|
|
|
Related: RHEL-16182
|
|
---
|
|
TODO | 5 ++---
|
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/TODO b/TODO
|
|
index 8c67f93f35..aa3f1c596c 100644
|
|
--- a/TODO
|
|
+++ b/TODO
|
|
@@ -354,9 +354,8 @@ Features:
|
|
and via the time window TPM logic invalidated if node doesn't keep itself
|
|
updated, or becomes corrupted in some way.
|
|
|
|
-* Always measure the LUKS rootfs volume key into PCR 15, and derive the machine
|
|
- ID from it securely. This would then allow us to bind secrets a specific
|
|
- system securely.
|
|
+* in the initrd, once the rootfs encryption key has been measured to PCR 15,
|
|
+ derive default machine ID to use from it, and pass it to host PID 1.
|
|
|
|
* nspawn: maybe allow TPM passthrough, backed by swtpm, and measure --image=
|
|
hash into its PCR 11, so that nspawn instances can be TPM enabled, and
|