It's that time again! The systemd v260 release is coming closer. Let's restart the "what's new" series of posts for this iteration! Hence:

1️⃣ Here's the 1st post highlighting key new features of the upcoming v260 release of systemd. #systemd260 #systemd

In v259 we introduced the concept of "NvPCRs", i.e. additional TPM PCRs, that are implemented based on TPM NV Indexes in PCR mode, rather than true PCRs. PCRs are scarce, and this relieves the pressure a bit (not too much though, NV index…

…space is very scarce too). This opens things up so that we can start measuring more resources. There's one type of resource that is probably the most important one to measure on modern image-based OSes: the images the OS is composed of, as they are activated.

With v260 we are filling this gap, finally, using a new NvPCR defined for this purpose. Whenever a DDI is activated, we'll ensure the root hash and information about the used signing keys for it are measured. This means the…

… TPM event log becomes a cryptographically protected log of every image the OS is composed of. Yay!

(Note: this measurement is done in userspace for now, we hope this can be done from kernel space eventually, and we made sure the measurement is done in a way we can eventually move this.)
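To make the "cryptographically protected log" property concrete, here is an added example (not systemd's code, and not its real TPM event log format): a simulated SHA-256 NvPCR that is extended with a constructed DDI-activation event carrying a root hash and signing-key name, plus a replay check that recomputes the register from the log. The root hashes and key names are constructed placeholders.

```python
import hashlib
import json

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32  # a fresh SHA-256 PCR starts out all-zero


def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend semantics: new = H(old || digest). Order matters and
    # no earlier measurement can be undone, only appended to.
    return HASH(pcr + digest).digest()


def event_digest(event: dict) -> bytes:
    # Canonical JSON (constructed encoding) so the same event always hashes alike.
    return HASH(json.dumps(event, sort_keys=True, separators=(",", ":")).encode()).digest()


def measure_ddi(pcr: bytes, log: list, root_hash: str, signer: str) -> bytes:
    """Record a DDI activation in the log and extend the register with it."""
    event = {"type": "ddi-activated", "root-hash": root_hash, "signing-key": signer}
    log.append(event)
    return extend(pcr, event_digest(event))


def replay(log: list) -> bytes:
    """Recompute the register value a verifier expects from the log alone."""
    pcr = PCR_INIT
    for event in log:
        pcr = extend(pcr, event_digest(event))
    return pcr


def log_matches_pcr(log: list, pcr: bytes) -> bool:
    # The log is trustworthy only if replaying it reproduces the TPM-held value.
    return replay(log) == pcr


def demo() -> tuple:
    log, pcr = [], PCR_INIT
    pcr = measure_ddi(pcr, log, "aa" * 32, "constructed-key-A")  # e.g. base image
    pcr = measure_ddi(pcr, log, "bb" * 32, "constructed-key-B")  # e.g. a sysext
    tampered = [dict(e) for e in log]
    tampered[0]["root-hash"] = "cc" * 32          # edit a root hash after the fact
    truncated = log[:1]                           # drop the last activation
    return (log_matches_pcr(log, pcr),
            log_matches_pcr(tampered, pcr),
            log_matches_pcr(truncated, pcr))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Only the genuine log reproduces the register; an edited or truncated log is caught because the TPM-held value cannot be rewritten to match it.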

@pid_eins

There's one type of resource that is probably the most important one to measure on modern image-based OSes: the images the OS is composed of, as they are activated.

Does this mean only things contributing to the root file namespace like base-DDI/sysext/confext or also services like portabled that are added after the fact (e.g. created by a sys admin for a specific system)?

@NekkoDroid anything activated through systemd's codebase. sysext, confext, nspawn, RootImage= services/portable services, and so on.

@pid_eins

I C.

But wouldn't it be a bit too broad considering some images are ephemeral and might not even be part of the system?

Like say I am working on building an image for a different system and want to sd-dissect --mount it, I assume that would be also measured.

I guess my overarching question is: for what would this be used considering how noisy/unpredictable it might be?