author | Lennart Poettering <lennart@poettering.net> | 2024-04-17 10:48:42 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2024-04-18 18:12:24 +0200 |
commit | bb4525c8d89b27ab95e7a8aac1590a202f02ba06 (patch) | |
tree | 6384959adcfe7f5efc233ca043fe66f1ae4899d8 | |
parent | pcrlock: rework --recovery-pin= to take three different arguments (diff) | |
update NEWS
-rw-r--r-- | NEWS | 36 |
1 files changed, 24 insertions, 12 deletions
@@ -461,20 +461,8 @@ CHANGES WITH 256-rc1: * confexts are loaded by systemd-stub from the ESP as well. - * The pcrlock policy is saved in an unencrypted credential file - "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the - /loader/credentials/ directory. It will be picked up at boot by - systemd-stub and passed to the initrd, where it can be used to unlock - the root file system. - * kernel-install gained support for --root= for the 'list' verb. - * systemd-pcrlock gained an --entry-token= option to configure the - entry-token. - - * systemd-pcrlock now provides a basic Varlink interface and can be run - as a daemon via a template unit. - * bootctl now provides a basic Varlink interface and can be run as a daemon via a template unit. 
@@ -498,6 +486,30 @@ CHANGES WITH 256-rc1: for enrolling "dbx" too (Previously, only db/KEK/PK enrollment was supported). It also now supports UEFI "Custom" mode. + * The pcrlock policy is saved in an unencrypted credential file + "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the + /loader/credentials/ directory. It will be picked up at boot by + systemd-stub and passed to the initrd, where it can be used to unlock + the root file system. + + * systemd-pcrlock gained an --entry-token= option to configure the + entry-token. + + * systemd-pcrlock now provides a basic Varlink interface and can be run + as a daemon via a template unit. + + * systemd-pcrlock's TPM nvindex access policy has been modified, this + means that previous pcrlock policies stored in nvindexes are + invalidated. They must be removed (systemd-pcrlock remove-policy) and + recreated (systemd-pcrlock make-policy). For the time being + systemd-pcrlock remains an experimental feature, but it is expected + to become stable in the next release, i.e. v257. + + * systemd-pcrlock's --recovery-pin= switch now takes three values: + "hide", "show", "query". If "show" is selected the automatically + generated recovery PIN is shown to the user. If "query" is selected + then the PIN is queried from the user. + systemd-run/run0: * systemd-run is now a multi-call binary. When invoked as 'run0', it |
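Review bot: the added --recovery-pin= entry in the second hunk lists three values ("hide", "show", "query") but describes only "show" and "query"; add a sentence stating what "hide" does, so readers know how the automatically generated recovery PIN is handled in every mode. In the nvindex entry just above it, "has been modified, this means that" is a comma splice and reads better as two sentences. That same entry announces that existing policies are invalidated and must be removed with "systemd-pcrlock remove-policy" and recreated with "systemd-pcrlock make-policy", but it does not say when to do this relative to the upgrade; one clause on ordering would help anyone whose root file system unlock depends on the policy.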