systemd 247 changes

HulaHoop · November 17, 2020, 5:12pm

systemd 247 includes interesting features like creating LUKS encrypted home dirs and an option to ignore the hw RNG input. These are worth looking at for both Whonix and the baremetal equivalent.

https://www.phoronix.com/scan.php?page=news_item&px=systemd-247-rc1

Patrick · November 18, 2020, 7:13am

Interesting. But noting actionable yet.

systemd-homed seems cool.

https://media.ccc.de/v/ASG2019-164-reinventing-home-directories

But no compelling argument yet. Debian might go for it or it might stay as is.

Whonix current implementation using pam_mkhomedir is very stable.

https://forums.whonix.org/search?q=pam_mkhomedir

LUKS encrypted home dir isn’t crucially important as https://www.whonix.org/wiki/Full_Disk_Encryption covers that anyhow.

People who just want to outsource their home folder to use it on USB to then use it on different systems, well, I don’t think that’s a realistic use case. In that case, users would be better off installing their whole operating system on USB as per https://www.whonix.org/wiki/Whonix_on_USB.

Setting the SYSTEMD_RDRAND=0 environment variable will now disable RdRand CPU instruction usage even with supported CPUs.

Won’t be needed since we have:

github.com

Whonix/security-misc/blob/master/etc/default/grub.d/40_distrust_cpu.cfg

## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Distrusts the CPU for initial entropy at boot as it is not possible to
## audit, may contain weaknesses or a backdoor.
##
## https://en.wikipedia.org/wiki/RDRAND#Reception
## https://twitter.com/pid_eins/status/1149649806056280069
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"