Release of the systemd 250 system manager

After five months of development, the systemd 250 system manager has been released. The new release adds the ability to store credentials in encrypted form, implements digital-signature verification of automatically discovered GPT partitions, improves the information about the causes of delays during service startup, adds options to restrict a service to certain file systems and network interfaces, provides support for checking partition integrity with the dm-integrity module, and adds support for automatic updating of sd-boot.

Main changes:

  • Added support for encrypted and authenticated credentials, which can be useful for securely storing confidential material such as SSL keys and access passwords. Credentials are decrypted only when needed and are bound to the local installation or hardware. The data is encrypted automatically using symmetric encryption algorithms, the key for which can be stored in the file system, in the TPM2 chip, or using a combined scheme. When a service starts, its credentials are automatically decrypted and made available to the service in plain form. To work with encrypted credentials, the systemd-creds utility has been added, and services are offered the LoadCredentialEncrypted and SetCredentialEncrypted settings.
  • In sd-stub, the EFI executable with which the EFI firmware loads the Linux kernel, support has been added for loading the kernel using the LINUX_EFI_INITRD_MEDIA_GUID EFI protocol. sd-stub also gained the ability to pack credentials and sysext files into a cpio archive and pass this archive to the kernel along with the initrd (the additional files are placed in the /.extra/ directory). This makes it possible to use a verified, immutable initrd environment supplemented with sysexts and encrypted authentication data.
  • The Discoverable Partitions specification provides tools for identifying, mounting and activating system partitions using GPT (GUID Partition Tables). Compared to past releases, the specification now supports the root partition and /usr for most architectures, including platforms that do not use UEFI.

    Discoverable Partitions also gained support for partitions whose integrity is verified by the dm-verity module using PKCS#7 digital signatures, which simplifies the creation of fully authenticated disk images. Verification support is integrated into various utilities that work with disk images, including systemd-nspawn, systemd-sysext, systemd-dissect, services with RootImage, systemd-tmpfiles and systemd-sysusers.
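
The encrypted-credentials workflow from the first item above, shown as a unit file with the preparation command in comments. This is an added example, not part of the original article or of the systemd project's own material; the unit name demo.service, the credential name tls-key, the paths under /etc/demo/ and the binary /usr/local/bin/demo-server are assumptions chosen for illustration.

```ini
# /etc/systemd/system/demo.service
# Hypothetical unit: all names and paths here are illustrative assumptions.
#
# Preparation, run once as root: encrypt the secret and bind it to this machine.
# --with-key= selects where the symmetric key lives:
#   host       key file in the file system (/var/lib/systemd/credential.secret)
#   tpm2       key protected by the TPM2 chip
#   host+tpm2  combined scheme, both are required to decrypt
#
#   systemd-creds encrypt --with-key=host+tpm2 --name=tls-key \
#       /root/tls-key.pem /etc/demo/tls-key.cred
#
# The name given with --name= is authenticated as part of the blob, so it must
# match the credential ID used below. Remove the plaintext input afterwards.

[Unit]
Description=Demo service reading an encrypted credential

[Service]
# Weak variant, kept commented out for contrast: the secret stays on disk
# in plaintext and is readable from backups or a copied disk image.
#LoadCredential=tls-key:/etc/demo/tls-key.pem

# Encrypted variant: the blob is decrypted at service start and the plaintext
# is exposed only to this service as $CREDENTIALS_DIRECTORY/tls-key.
LoadCredentialEncrypted=tls-key:/etc/demo/tls-key.cred

# Alternative for small secrets: embed the encrypted blob in the unit itself.
# "systemd-creds encrypt -p ..." prints a ready-made line of this form.
#SetCredentialEncrypted=tls-key: <blob printed by systemd-creds goes here>

# The program is assumed to read its key from $CREDENTIALS_DIRECTORY/tls-key.
ExecStart=/usr/local/bin/demo-server

[Install]
WantedBy=multi-user.target
```

Because the blob is bound to the local key material, copying tls-key.cred to another machine does not give access to the secret there.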
