systemd-boot/stub: addons support (only cmdline, dtb incoming)
Systemd-stub: confidential VM support
UKI: new sections in the spec for metadata (uname/sbat)
Ukify: build UKIs, embed measurements and signatures
Calls systemd-measure, sbsigntool
Mkosi now supports UKI directly, building of initrds
Uses systemd-repart, unprivileged, can be used from containers
UKI support with PCR measurements and all the bells and whistles, can embed the OS inside the UKI (small image)
Massive refactoring, broke everything and fixed it again (?)
Presets (multi-image layers in the same build, as dependencies for sequential stages of the build)
initrd built directly without dracut
Almost reproducible (WIP)
Improvements around secure boot signing
Supports grub (unprivileged; shim works if it is installed to /boot)
Credentials support in the config file
Systemd-measure: PCR11 measurements and signing for UKI
Pcrphases: advances the PCR during boot (initrd -> rootfs transition)
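The two notes above (systemd-measure predicting PCR 11, and systemd-pcrphases extending it at each boot transition) are easier to follow with a worked model. The block below is an added example, not systemd's code: it assumes a SHA-256 bank, that the stub extends PCR 11 with each UKI section's contents in the fixed order listed, and that the phase strings are those used by systemd-pcrphases; section contents are constructed placeholders, not a real kernel.

```python
import hashlib

# Added example (not systemd's code): a simplified model of how systemd-measure
# predicts PCR 11 for a UKI. Assumptions: SHA-256 bank, the stub extends PCR 11
# with each UKI section's contents in SECTION_ORDER, and systemd-pcrphases later
# extends the same PCR with the phase strings. Section contents are constructed.

SECTION_ORDER = [".linux", ".osrel", ".cmdline", ".initrd", ".ucode",
                 ".splash", ".dtb", ".uname", ".sbat"]
PHASES = ["enter-initrd", "leave-initrd", "sysinit", "ready", "shutdown", "final"]


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 2.0 PCR extend in the SHA-256 bank: new = H(old || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def predict_pcr11(sections: dict[str, bytes]) -> dict[str, str]:
    """Predicted PCR 11 after the stub's section measurements and after each phase.

    Keys are colon-joined phase paths ('' = before any phase). A policy is signed
    per phase path, which is what lets a secret be bound to e.g. 'enter-initrd'
    only and become unavailable once the initrd is left.
    """
    pcr = bytes(32)  # PCRs start at all-zero
    for name in SECTION_ORDER:
        if name in sections:
            pcr = pcr_extend(pcr, sections[name])
    predictions = {"": pcr.hex()}
    path = []
    for phase in PHASES:
        pcr = pcr_extend(pcr, phase.encode())
        path.append(phase)
        predictions[":".join(path)] = pcr.hex()
    return predictions


def sample_uki() -> dict[str, bytes]:
    """Constructed stand-in for the sections ukify would place in a UKI."""
    return {
        ".linux": b"\x7fELF constructed kernel image",
        ".osrel": b"ID=example\nVERSION_ID=1\n",
        ".cmdline": b"root=/dev/mapper/root ro quiet",
        ".initrd": b"constructed initrd cpio",
        ".uname": b"6.5.0-example",
    }


def cmdline_change_is_detected() -> bool:
    """Changing one section changes every later prediction (why .cmdline is sealed too)."""
    base = predict_pcr11(sample_uki())
    edited = {**sample_uki(), ".cmdline": b"root=/dev/mapper/root ro init=/bin/sh"}
    return all(base[k] != v for k, v in predict_pcr11(edited).items())


if __name__ == "__main__":
    for phase, value in predict_pcr11(sample_uki()).items():
        print(f"{phase or '<sections only>':60} {value}")
```

The per-phase table is the point: a disk-unlock policy tied to the `enter-initrd` value is satisfied only while the initrd runs, and any edit to the kernel command line (say, appending `init=/bin/sh`) changes every value, so the sealed secret stays unavailable.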
Kernel-install is C and has plugins for UKIs
Systemd-repart: running unprivileged, minimization of filesystems, support for dm-verity, reproducibility (repart itself is reproducible, but mkfs.* might not be), direct writing of file system contents, subvolumes for btrfs (needs privileges)
Bootctl: garbage collection of /boot (bootctl unlink), delete kernels that are not referenced, bootctl cleanup for other files as well, bootctl identify/inspect
Early-boot detection of battery critical levels
Smbios support: pass kernel cmdline, credentials
AF_VSOCK support in systemd: sd-notify support to pass back state changes to hypervisor (ready, failed, finished)
Credentials: almost everything that takes config files takes credentials (no udev, no units)
Can now process credentials from systemd generators
RPM gained native support for sysusers
Softreboot
Skip kernel restart, jump to new rootfs
Pass state across via FD Store, retains /run
Can configure some services to survive
TPM: offline sealing
Get TPM public key, provision secrets from different machine
Confidential computing support: setup SRK before VM instantiation, using to seal secrets
Fully encrypted sessions, pin SRK, create SRK if not present already
Confext: equivalent of sysext (system extension) but /etc
Grub: patch sent for UKI support, under review
AI Luca: enquire about state
NixOS:
Working on Rust version of systemd-stub
Uses repart for DDI
Bootspec: high level config to support multiple bootloaders
Rust implementation of ukify: goal to do everything in-process without shelling out
Systemd-sysupdate + repart integration
tvix-store for serving content addressable parts of (system) images: some sort of blob protocol relying on Merkle trees / BLAKE3 constructions
We have a systemd-based initrd implementation finally with networkd
sysext-bakery gives simple scripts for users to build custom sysext images, prebuilt images published as github artifacts with systemd-sysupdate config (signing WIP), sysupdate can consume them
flatcar-reset tool: stage reset on next reboot, with optional regex to keep files around
/etc is now an overlay mount; lowerdir is the read-only /usr/share/flatcar/etc, /etc remains writable (/etc is the upperdir; unmounting the overlayfs still results in a working system; a few tmpfiles rules had to be suppressed to prevent copy-ups)
OSBuild
Support for UKI (native implementation)
Ubuntu: TPM support by default on generic distro
Snap-based: kernel updates, measurement updates
Uses systemd-stub
Systemd-based initrd in Ubuntu-core
Ubuntu-core initrd+kernel snap used for tpm-by-default desktop
Native upstream cryptsetup
Precalculate PCR measurements
White paper internal, not published yet
GNOME OS:
Sysupdate support, already used sd-boot
Repart on firstboot
UKI support, with dracut
SteamOS supports sysext too now
SUSE
Shim trusts signed systemd-boot in openSUSE
YaST support to install with systemd-boot in MicroOS (tooling works on Tumbleweed too)
PCR Oracle tool for PCR predictions
Aeon (formerly micro-os desktop), sd-boot, image-base-install, full FDE by default no option
Tumbleweed installs everything into /usr (no longer /boot); work in progress on /etc too
Currently involves PCR11 (kernel/uki) and PCR15 (system identity)
How to cover PCR 0-7 which are owned by firmware?
Answer: systemd-pcrlock
Instead of changing the superblock on fw update, change the policy in the TPM
Attach objects to the TPM policy, when changes are expected change policy objects
Disk encryption binds to policies, not measurements
.pcrlock files define the components involved in boot, even after the fw -> kernel transition; JSON format following the TCG measurement log format (but not 100% the same)
Allows drop-ins and alternatives for components (eg: run multiple kernels)
Generates lock files from what system measured at some point via tpm log
If fwupd shipped the pcrlock file with an update then we wouldn’t need to measure on-the-fly, current LVFS stores result of pcr0, instead store measurement
Only vendor can know what firmware will measure, so vendor has to provide it
Pcrlock tool orders drop-ins by filenames
If fwupd doesn’t know what the measurements are going to be, it can remove the pcrlock drop-ins that correspond to the component
Pcrlock will recognize that there are holes, and remove that pcr/measurement from the policy
If info is there, secrets are always protected
If info is not there, secrets are not protected by those pcrs for one boot
Improvements: reboot twice to apply changes quickly and minimize the window
Windows also reboots twice on unexpected fw update, but changes block device and re-enrolls in Bitlocker
Can lock against firmware and can deal with firmware updates; if the vendor collaborates there is no ‘open’ policy window
Local/hw specific vs OS vendor (uki)
Also solves rollback protection
Recalculate automatically on reboot so that it always uses the most secure policy possible
Can generate from gpt, uki, pe, current event log
Trust-on-first-use model
Transparent log database with PCR values of known hardware (from TCG); if anything in the UEFI (options) changes, they change
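To make the pcrlock notes above concrete (ordered component files, drop-in alternatives such as several kernels, and holes that remove a PCR from the policy when fwupd drops a component before an unpredictable update), here is an added toy model. It is not systemd-pcrlock: the file names, digests and event-log entries are constructed, the real .pcrlock JSON shape is only approximated as lists of (pcr, digest) records, and the hole check is simplified to membership rather than log-order matching.

```python
import hashlib
from collections import defaultdict

# Added example, not systemd-pcrlock itself: a toy model of how ordered pcrlock
# component files with alternatives become a set of acceptable PCR values, and
# how an event-log entry no component covers (a "hole") drops that PCR from the
# policy. File names, digests and log entries are constructed.


def measure(data: bytes) -> bytes:
    """Digest of the data as it would appear in the event log (SHA-256 bank)."""
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def group_components(files: dict[str, list[tuple[int, bytes]]]) -> list[tuple[str, list]]:
    """Order files by name and fold 'X.pcrlock.d/*.pcrlock' into alternatives of X."""
    grouped: dict[str, list] = defaultdict(list)
    for name in sorted(files):
        component = name.split(".pcrlock.d/")[0] if ".pcrlock.d/" in name else name
        grouped[component].append(files[name])
    return sorted(grouped.items())


def build_policy(files, event_log):
    """Return (allowed final values per PCR, PCRs excluded because of holes)."""
    components = group_components(files)
    # Every record some component could contribute; a log entry without a match is a hole.
    known = {rec for _, alts in components for alt in alts for rec in alt}
    holes = {pcr for pcr, digest in event_log if (pcr, digest) not in known}

    # Walk the ordered components, branching on alternatives (e.g. several kernels).
    paths = [defaultdict(lambda: bytes(32))]
    for _, alternatives in components:
        new_paths = []
        for state in paths:
            for alt in alternatives:
                branch = defaultdict(lambda: bytes(32), state)
                for pcr, digest in alt:
                    branch[pcr] = pcr_extend(branch[pcr], digest)
                new_paths.append(branch)
        paths = new_paths

    allowed = defaultdict(set)
    for state in paths:
        for pcr, value in state.items():
            if pcr not in holes:  # a PCR with a hole protects nothing this boot
                allowed[pcr].add(value.hex())
    return {pcr: sorted(v) for pcr, v in allowed.items()}, holes


# Constructed component files in pcrlock.d style (names chosen for ordering only).
SAMPLE_FILES = {
    "250-firmware-code.pcrlock": [(0, measure(b"fw-code-1.2"))],
    "400-secureboot-policy.pcrlock": [(7, measure(b"SecureBoot=1")), (7, measure(b"db"))],
    "700-uki.pcrlock.d/kernel-6.5.pcrlock": [(11, measure(b"uki-6.5"))],
    "700-uki.pcrlock.d/kernel-6.6.pcrlock": [(11, measure(b"uki-6.6"))],
}
# Constructed event log of one boot that ran the 6.6 kernel.
SAMPLE_LOG = [
    (0, measure(b"fw-code-1.2")),
    (7, measure(b"SecureBoot=1")),
    (7, measure(b"db")),
    (11, measure(b"uki-6.6")),
]


def demo():
    full, holes = build_policy(SAMPLE_FILES, SAMPLE_LOG)
    # fwupd removed the firmware drop-in because it cannot predict the next firmware's measurements
    degraded = {k: v for k, v in SAMPLE_FILES.items() if not k.startswith("250-")}
    partial, holes_after = build_policy(degraded, SAMPLE_LOG)
    return full, holes, partial, holes_after


if __name__ == "__main__":
    full, holes, partial, holes_after = demo()
    print("full policy PCRs:", sorted(full), "holes:", holes)
    print("after fwupd drop:", sorted(partial), "holes:", holes_after)
```

With all components present the policy accepts one PCR 0 value, one PCR 7 value and two PCR 11 values (either kernel). After the firmware drop-in is removed, PCR 0 becomes a hole and leaves the policy while PCR 11 keeps protecting the secret, which is the one-boot weakening the notes describe.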
How to recover from failure - recovery key? How to restore a usable policy? Reset TPM?
Can the same recovery key for LUKS2 be used?
Ubuntu Core also implements a similar infrastructure
Changes the LUKS superblock on updates
Can be analyzed offline
Systemd has event log, that works like TCG firmware event log, for measurements done at runtime, v255
Json-seq, not array but separator-separated blocks so that it can be append-only
Stored in systemd-specific dir so that it’s private
Would be good to allow other userspace apps to append
But need atomic behaviour (file lock, append-only)
Public API dbus/varlink
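The event-log notes above (JSON-seq rather than an array so the file can be append-only, atomic appends via a file lock, a private directory) translate into a small amount of code. The block below is an added example and not systemd's implementation: the record shape is an assumption modelled loosely on systemd's runtime measurement log, the directory is a temporary one, and the entries are constructed.

```python
import fcntl
import hashlib
import json
import os
import tempfile

# Added example, not systemd's implementation: an append-only JSON-seq
# (RFC 7464: 0x1E record separator + JSON + newline) measurement log with an
# exclusive file lock so several writers can append atomically, plus a reader
# that replays PCR values from it. Record shape is an assumption; entries
# written by demo() are constructed.

RS = b"\x1e"


def measure_and_log(path: str, pcr: int, data: bytes) -> dict:
    """Record one runtime measurement as a JSON-seq entry and return it."""
    record = {
        "pcr": pcr,
        "digests": [{"hashAlg": "sha256", "digest": hashlib.sha256(data).hexdigest()}],
        "content_type": "systemd",
        "content": {"string": data.decode("utf-8", "replace")},
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)  # private to the owner
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)  # serialize concurrent appenders
        os.write(fd, RS + json.dumps(record, separators=(",", ":")).encode() + b"\n")
    finally:
        os.close(fd)  # closing the descriptor releases the flock
    return record


def read_log(path: str) -> list[dict]:
    """Parse the JSON-seq log; a torn last record (writer crashed mid-append) is skipped."""
    with open(path, "rb") as f:
        raw = f.read()
    records = []
    for chunk in raw.split(RS):  # JSON escapes control bytes, so RS never appears inside a record
        chunk = chunk.strip()
        if not chunk:
            continue
        try:
            records.append(json.loads(chunk))
        except json.JSONDecodeError:
            continue
    return records


def replay_pcr(records: list[dict], pcr: int) -> str:
    """Compute the PCR value the log implies (extend = H(old || digest))."""
    value = bytes(32)
    for rec in records:
        if rec["pcr"] != pcr:
            continue
        digest = next(d["digest"] for d in rec["digests"] if d["hashAlg"] == "sha256")
        value = hashlib.sha256(value + bytes.fromhex(digest)).digest()
    return value.hex()


def demo() -> tuple[int, str, str]:
    """Write three phase measurements plus a torn record; return (count, replayed, expected)."""
    phases = (b"enter-initrd", b"leave-initrd", b"ready")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tpm2-measure.log")
        for phase in phases:
            measure_and_log(path, 11, phase)
        with open(path, "ab") as f:
            f.write(RS + b'{"pcr":11,"dig')  # simulate a crash mid-append
        records = read_log(path)
        expected = bytes(32)
        for phase in phases:
            expected = hashlib.sha256(expected + hashlib.sha256(phase).digest()).digest()
        return len(records), replay_pcr(records, 11), expected.hex()


if __name__ == "__main__":
    count, replayed, expected = demo()
    print(count, "records; replayed PCR 11:", replayed, "matches" if replayed == expected else "MISMATCH")
```

Because each record is framed by the separator and a newline, a reader can verify the file against the TPM by replaying it, and a torn trailing record from a crashed writer is simply dropped instead of corrupting everything before it, which an array-shaped JSON file could not offer.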
AI Lennart: libsystemd sd_measure(⋅) which takes data and hash it for the consumer
Kexec(/crashkernel): measure nonce so that it cannot be predicted and change policy, so that it works only on that kexec
Ubuntu Core stores encrypted object that allows to reset the TPM on factory reset
Attested TLS: developed for SGX - standardization happening, RATS, remote attestation for TLS
Bind confidential computing to remote attestation
Keylime uses TPM for remote attestation, integrated in MicroOS
Talos does
Build reproducibility helps for build systems attestation, but it is expensive, so many prefer attestation/authentication as an alternative
Confidential computing
AMD SEV vs Intel TDX, AMD uses TPM
Full vm confidential comp vs kata containers, but still needs measured boot
In Azure firmware does measurements in vTPM
Threat models driven by SoC (Intel/AMD), no common specification
Unified kernels + pre-built initrd
Pass initrd via PE binary, lose ordering guarantees because filenames are not trusted
Dtb addon patch adds matching based on content of dtb
.ucode for the microcode section in UKI, and magically make it first in the generated cpio
Systemd-sysusers and user users
A switch will be added to copy /etc/skel
Can also drop a JSON blob in /run/ for userdbd to pick up for a transient user, which never shows up in /etc/passwd → also great for hermetic /usr with JSON blobs in /usr/lib/userdb/
pam_mkhomedir can also create the directory on first login
Homed in openSUSE Aeon: many papercuts, mainly storage burden
Need to know a lot of stuff for provisioning ahead of time (like number of users)
Encrypted btrfs subvolume as a solution, don’t need to know size ahead of time
Lots of work going on in Gnome, lock session and remove disk keys from memory
Interactive resizing negotiating between users if disk needs to change (owner user will be authenticated and asked to agree)
SELinux policy for homed needs a little work
Fedora actively fixes systemd selinux issues if they are reported with logs
Some users in Nix also use homed, but with fixed user, also on Fedora there are some users but unofficial
Ongoing work in Gnome is to make it trivial to enable homed in distros
How to split space between /home and rootfs
New partition type in repart using dm-linear to add an extension for another partition on-the-fly
Android uses it, no measurable performance penalties for having many dm-linear extensions
/ as OPAL encrypted (cryptsetup will support it in the next version with LUKS2 for keys), then homed LUKS2+dm-crypt loopback
q devices
Homed could use creds for initial setup
Sysusers runs much earlier; homed needs a lot of stuff set up and runs very late