CHANGELOG.md 7.26 KB
Newer Older
1 2 3
Version 0.8
-----------
_I owe it to the MM U!_
4
Released: 2019-06-14
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

* New Features:
  - **IOMMU support**: adapt behavior iommu support is present and active [#128]
    - automatically enroll new devices with the new `iommu` policy when iommu is active
    - automatically authorize devices with the `iommu` policy if iommu is active
  - `boltctl config` command to describe, get and set global, device and domain properties.
  - Chain authorization and enrollment via `boltctl {enroll, authorize} --chain` [!153, !154]
  - `bolt-mock` script for interactively testing `boltd` [!152]

* Improvements:
  - Automatically import devices that were authorized at boot [#137]
  - Make tests installable [#140]
  - Honour `STATE_DIRECTORY` [!159] and `RUNTIME_DIRECTORY` [!161]
  - Profiling support via gprof [!168]

* Bug fixes:
  - Better handling of random data generation [#132, !165]
  - Fix double free in case of client creation failure [!148]
  - Fix invalid format string in warning [!14]

* NB for packagers:
  - The dbus configuration is now installed in `$datadir/dbus-1/system.d` instead of `$sysconfdir` [!177].
  - To install tests, configure with `-Dinstall-tests=true`.


Version 0.7
-----------
_The Known Unknowns_
33
Released: 2019-01-01
34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199


* Features:
  - announce status to systemd via sd_notify (using a simple custom implementation) [!143]

* Bug fixes:
  - properly update global security level status [#131 via !141]
  - adapt to `systemd` 240 not sending `bind`/`unbind` uevents [#133 via !145]
  - fix compilation on musl [#126 via !140]
  - daemon: use `g_unix_signal_source…` to catch signals [#127, #129 via !138]

* Improvements
  - precondition checks cleanup and completion [#124 via !139]
  - error cleanup [#125, !142]
  - fix some leaks and issues uncovered by coverity [!144]


Version 0.6
-----------
_Make the firmware do it!_
Released: 2018-11-28

* New Features:
  - **pre-boot access control list, aka. `BootACL`** support [!119]
    - domains objects are now persistent
      - new `Uid` (dbus) / `uid` (object) property derived from the uuid of the device representing the root switch
      - `sysfs` and `id` attribute will be set/unset on connects and disconnects
      - domains are now stored in the boltd database
    - domains got the `BootACL` (dbus) / `bootacl` (object) property
      - uuids can be added, removed or set in batch
      - when domain is *online*: changes are written to the sysfs `boot_acl` attribute directly
      - when domain is *offline*: changes are written to a journal and then reapplied in order when the domain is connected
    - newly enrolled devices get added to all bootacls of all domains *if* the `policy` is `BOLT_POLICY_AUTO`
    - removed devices get deleted from all bootacls of all domains
    - `boltacl domain` command will show the bootacl slots and their content

  - `boltctl` gained the `-U, --uuid` option, to control how uuids are printed [!124]

* Improvements and fixes:
  - Testing [!127]
    - The test coverage increased to `84.80%` overall and to `90.0%` for the `boltd` source
    - Coverage is reported for merge requests via the fedora ci image [!126]
    - `boltctl` is now included in the tests [!132]
    - Fedora 29 is used for the fedora ci image

  - Bugs and robustness:
    - The device state is verified in `Device.Authorize` [!120]
    - Handle empty 'keys' sysfs device attribute [!129]
    - Properly adjust policies when enrolling already authorized devices [!136]
    - Fix potential crasher when logging assertions `g_return_if_fail` [!121]


Version 0.5
-----------
_You've got the Power_
Released: 2018-09-28

* New Features:

  - Force-Power DBus API ⚡(!101)
    - A new interface to boltd to control the (force) power mechanism (#106)
    - Switch off power with a delay so we don't run into races (#104)
  - Add representation of thunderbolt domains<br>
    This is a preparation for the boot acl support
  - Authorizing devices, after upgrading from `USER` to `SECURE` security level, will lead to key upgrades (!107)
  - Connection and Authorization times are now stored (!105)
  - Systemd dependency is now optional (!106, !103)
  - Company and brand names are cleaned up for the display name (#102)


* Bug fixes and cleanups:

  - Emit proper notification for security-level property changes (!100)
  - Auto generate the object path for BoltDevice (!102)


* NB for packagers:

  - `-Ddb-path` is **DEPRECATED**, use `-Ddb-name` instead (!113)
  - meson >= 0.44.0 is required.
  - systemd unit files got updated:
    - `After=polkit.service` (!116)
    - Use systemd for runtime and state directory management (!113)
    - Sandbox is tightened (!97)


Version 0.4
-----------
_The Race Is Over_
Released: 2018-05-28

* New features:
  - auto import of devices authorized during boot [!90]
  - allow enrolling of already authorized devices, i.e. importing of devices [!86]
  - label new devices and detect duplicates [!91]

* Be more robust:
  - Handle NULL errors in logging code better [!89]
  - Properly handle empty device database entries [!87]
  - Better authentication errors and logging [!85]
  - More tests

* Internal changes:
  - Make sure we don't miss device status changes [!82]
  - Rework property change notification dispatching [!83]


Version 0.3
-----------
_Capture The Flags_
Released: 2018-05-28

* Prepare for upcoming kernel changes:
  - Support for `usbonly` (SL4) security level (#75)
  - Support for `boot` sysfs device attribute (#76)

* DBus API changes:
  - `BoltStatus` was split (#81), so that:
      - `Device.Status` does not report `authorized-xxx` anymore
      - `Device.AuthFlags` added to indicate auth details, e.g. `secure`, `nopci`, `boot`, `nokey` (#76)
  - `BoltSecurity` and thus `Manager.SecurityLevel` can report `usbonly` (#75)

* client/boltctl:
  - async versions for many function calls
  - more efficient getters, resulting in reduced allocations
  - boltctl reports `Device.AuthFlags`
  - boltctl prints more and better version info via `boltctl monitor`

* Other bugfixes and improvements include:
  - more robust flags/enum conversion


Version 0.2
-----------
_I broke the Bus_
Released: 2018-03-06

Lots of changes, the most significant:

- database location moved (now in `/var/lib/boltd`)
  - **⚠** devices enrolled with bolt 0.1 need to be re-enrolled (or the database moved from the old location)

- DBus API changed (lots of strings)

- Enums are transmitted as strings
  - `Device.Security` property is gone; replaced by `authorized-dponly` status and `Manager.SecurityLevel` ( #37, #38, #62)
  - Various timestamps got added: `Device.ConnectTime`, `Device.StoreTime` and `Device.AuthorizeTime` (#46  #57)
  - `Device.Label` (readwrite) was added so devices can be given custom names (#46)
  - `Device.Type` added, to differentiate between host and peripherals
  - `Manager.AuthMode` (readwrite) was added to control (auto) authorization (#48)

Other bugfixes and improvements include:

- Ensure we get a `DeviceAdded` signal on startup (#58)
 - Support for legacy devices that have no key sysfs attribute (#67)
 - Use structured logging and avoid printing UUIDs in non-debug log code (#36 #60)
 - Other internal restructuring for cleaner code (#43)


Version 0.1
-----------
_Accidentally Working_
Released: 2017-12-13

* functional daemon that can authorize enroll and authorize devices
* `boltctl` command to interact with the daemon