systemd/SOURCES/0492-update-TODO.patch

29 lines
1.0 KiB
Diff

From 48d3b9b2ee68a41e41ccb493e24c0283d752e4f8 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 14 Oct 2022 21:21:46 +0200
Subject: [PATCH] update TODO
(cherry picked from commit a67a50e8f4a3d19713fe9b84653616fcba5ae14c)
Related: RHEL-16182
---
TODO | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/TODO b/TODO
index 8c67f93f35..aa3f1c596c 100644
--- a/TODO
+++ b/TODO
@@ -354,9 +354,8 @@ Features:
and via the time window TPM logic invalidated if node doesn't keep itself
updated, or becomes corrupted in some way.
-* Always measure the LUKS rootfs volume key into PCR 15, and derive the machine
- ID from it securely. This would then allow us to bind secrets a specific
- system securely.
+* in the initrd, once the rootfs encryption key has been measured to PCR 15,
+ derive default machine ID to use from it, and pass it to host PID 1.
* nspawn: maybe allow TPM passthrough, backed by swtpm, and measure --image=
hash into its PCR 11, so that nspawn instances can be TPM enabled, and