Lennart Poettering
> [@poettering](https://github.com/poettering) Allow me to ask for clarification: does [305272a](https://github.com/systemd/systemd/commit/305272ab2b62a031a91ed3490cb053bee0594964) give access to /dev/hidraw* device files? Isn’t the commit opening an entirely different interface?

it does not. you have to...
> The commit is short. I see none of the discussed mechanisms to selectively give permissions only to _some_ devices, not all hidraw devices. – How does the commit you...
> [@smcv](https://github.com/smcv) Can you reopen the issue? This issue is about giving device access to any program of the user in front of the computer for a subset of hidraw...
(or to say this differently: if you want to blanket allow direct access to hidraw devices to unpriv apps, this would have to be a downstream change, I don't think...
so we have this infrastructure for TPM-locked disk encryption: you can enroll a remote TPM by providing a key that is present on the target's system TPM via --tpm2-device-key=. We...
@sigulete service credentials are either locked to the tpm or to a secret stored on the root fs, or both. if you have no tpm only to the latter. but...
But not sure I grok what you are trying to do? You referenced "bootc" first, which I don't really grok, but that sounded as if you want creds to be...
> This seems all unnecessarily convoluted and complex to me, and very hard to understand. It would be much better to just make it simpler: no need for prefixes or...
I changed the approach a bit now. There's now a concept of ".profile" PE sections which can appear multiple times, and which each introduce a new profile. This section can...
> Couple of things that are not clear to me.
>
> What can be overridden in each `.profile`? Everything? Even the kernel?

Well, yes, if you like. At...