systemd 247 changes

HulaHoop · November 17, 2020, 5:12pm

systemd 247 includes interesting features like creating LUKS encrypted home dirs and an option to ignore the hw RNG input. These are worth looking at for both Whonix and the baremetal equivalent.

Patrick · November 18, 2020, 7:13am

Interesting. But noting actionable yet.

systemd-homed seems cool.

Reinventing Home Directories - media.ccc.de

But no compelling argument yet. Debian might go for it or it might stay as is.

Whonix current implementation using pam_mkhomedir is very stable.

https://forums.whonix.org/search?q=pam_mkhomedir

LUKS encrypted home dir isn’t crucially important as Full Disk Encryption (FDE) covers that anyhow.

People who just want to outsource their home folder to use it on USB to then use it on different systems, well, I don’t think that’s a realistic use case. In that case, users would be better off installing their whole operating system on USB as per Installation of Whonix on a USB.

Setting the SYSTEMD_RDRAND=0 environment variable will now disable RdRand CPU instruction usage even with supported CPUs.

Won’t be needed since we have:

github.com

Kicksecure/security-misc/blob/master/etc/default/grub.d/40_distrust_cpu.cfg

## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Distrusts the CPU for initial entropy at boot as it is not possible to
## audit, may contain weaknesses or a backdoor.
##
## https://en.wikipedia.org/wiki/RDRAND#Reception
## https://twitter.com/pid_eins/status/1149649806056280069
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
## https://lkml.org/lkml/2022/6/5/271
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"