systemd 248 changes

Our beloved systemd is finalizing its 248 release. Interesting in this version are:

  • A new concept of “system extension images”: images that can extend the /usr/ or /opt/ hierarchies at run-time with additional files. The images can be read-only, with their usr/opt hierarchies combined via OverlayFS. This led to a new systemd-sysext tool in systemd 248 for managing system extension hierarchies.

I wonder if this can be extended to mimic the virus protect feature where we protect system directories from infection by marking them read-only?

  • A new /etc/veritytab configuration file for configuring dm-verity integrity protection for block devices.

I don’t know how powerful this is to be used for system verification instead of our planned grub mechanism, but it could be handy.
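As an added example (not systemd's code or the post author's), a small Python audit of /etc/veritytab entries in the veritytab(5) field order, flagging options such as ignore-corruption that turn dm-verity from enforcing into log-only. The sample entries and device paths are constructed, and the option names are taken from later veritytab(5) man pages, not verified against 248 specifically.

```python
# Audit /etc/veritytab entries (added example, not systemd code); field order per veritytab(5).
import re

# Option that weakens dm-verity enforcement: corrupt blocks are logged, not refused.
WEAKENING_OPTIONS = {"ignore-corruption"}
# Verifies each block only on its first read (assumption: name as in later veritytab(5) pages).
PARTIAL_OPTIONS = {"check-at-most-once"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: one strict entry, one that silently tolerates corruption.
SAMPLE_VERITYTAB = """\
# volume-name data-device hash-device roothash options
usr /dev/disk/by-partlabel/usr /dev/disk/by-partlabel/usr-verity 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef restart-on-corruption
opt /dev/disk/by-partlabel/opt /dev/disk/by-partlabel/opt-verity deadbeef ignore-corruption,check-at-most-once
"""

def parse_veritytab(text):
    """Return a list of dicts, one per entry; blank lines and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed veritytab line: {line!r}")
        entries.append({
            "name": parts[0], "data": parts[1], "hash": parts[2], "roothash": parts[3],
            "options": parts[4].split(",") if len(parts) > 4 else [],
        })
    return entries

def audit_entry(entry, roothash_hex_len=64):
    """Return findings for one entry; an empty list means strict enforcement."""
    findings = []
    rh = entry["roothash"]
    if not HEX_RE.match(rh):
        findings.append("roothash is not hexadecimal")
    elif len(rh) != roothash_hex_len:  # 64 hex chars = sha256, the dm-verity default
        findings.append(f"roothash has {len(rh)} hex chars, expected {roothash_hex_len}")
    for opt in entry["options"]:
        if opt in WEAKENING_OPTIONS:
            findings.append(f"{opt} downgrades corruption to log-only")
        if opt in PARTIAL_OPTIONS:
            findings.append(f"{opt} verifies blocks only on first read")
    return findings

def audit_veritytab(text):
    """Map volume name -> findings for every entry in the given veritytab text."""
    return {e["name"]: audit_entry(e) for e in parse_veritytab(text)}
```

Running `audit_veritytab(SAMPLE_VERITYTAB)` reports nothing for `usr` and three findings for `opt`, whose short root hash and log-only options would leave its contents unprotected.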

  • systemd-cryptsetup can now unlock LUKS2 volumes using TPM2 hardware and FIDO2 security tokens.
  • A new systemd-cryptenroll tool for adding TPM2 / FIDO2 / PKCS#11 security tokens to LUKS volumes.

Might be useful depending on how ready the virtual TPM is in Debian next’s KVM release.

They are also almost done with their development on the out-of-memory daemon which should make VMs more stable when dealing with memory constraints.
