Systemd 248 Released With System Extension Images Feature, More TPM2/FIDO2 Integration
Highlights of new systemd 248 features include:
- A new concept of "system extension images": images that can extend the /usr/ or /opt/ hierarchies at run-time with additional files. The images can be read-only, and their usr/opt hierarchies are combined via OverlayFS. This led to a new systemd-sysext tool in systemd 248 for managing system extension hierarchies.
- A new "root=tmpfs" kernel command-line option that will mount a tmpfs on /. The mount.usr option can then be used to point to the operating system implementation.
- Systemd-networkd now supports the B.A.T.M.A.N. Advanced Wireless Routing Protocol. The "Better Approach to Mobile Ad-hoc Networking" is a routing protocol for multi-hop mobile ad-hoc networks.
- Intel SGX enclave device nodes will now be owned by a new system security group called "sgx".
- A new /etc/veritytab configuration file for configuring dm-verity integrity protection for block devices.
- Systemd-cryptsetup can now unlock LUKS2 volumes using TPM2 hardware and FIDO2 security tokens.
- A new systemd-cryptenroll tool for adding TPM2 / FIDO2 / PKCS#11 security tokens to LUKS volumes.
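As an added example (not code from the article or from the systemd project), the following POSIX shell script composes the /etc/veritytab and /etc/crypttab entries that the dm-verity and TPM2/FIDO2 unlock support in systemd 248 reads, and prints the systemd-cryptenroll command that adds the token. The device paths, volume names and root hash are constructed placeholders; the builder functions are pure, so nothing touches a disk until an administrator redirects the output into the configuration files and runs the printed command as root. The option names (tpm2-device=auto, fido2-device=auto, --tpm2-device=, --tpm2-pcrs=, --fido2-device=) are those documented for systemd-cryptenroll and crypttab; the root-hash length check assumes the dm-verity default of SHA-256.

```shell
#!/bin/sh
# Added example: build veritytab/crypttab lines for systemd 248's dm-verity
# and TPM2/FIDO2 LUKS2 unlock support, with basic validation so that a typo
# is caught before the volume silently fails to map at boot.

# Return 0 if $1 looks like a dm-verity root hash (SHA-256 -> 64 hex chars).
is_roothash() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Emit one /etc/veritytab line: <name> <data-dev> <hash-dev> <roothash> [options]
# The fifth field is optional; it is only emitted when $5 is given.
veritytab_line() {
    name=$1; datadev=$2; hashdev=$3; roothash=$4; opts=${5:-}
    is_roothash "$roothash" || { echo "bad roothash for $name" >&2; return 1; }
    if [ -n "$opts" ]; then
        printf '%s %s %s %s %s\n' "$name" "$datadev" "$hashdev" "$roothash" "$opts"
    else
        printf '%s %s %s %s\n' "$name" "$datadev" "$hashdev" "$roothash"
    fi
}

# Emit one /etc/crypttab line that lets systemd-cryptsetup unlock a LUKS2
# volume with an enrolled TPM2 or FIDO2 token instead of a passphrase.
# $3 is "tpm2" or "fido2"; the key-file field is "-" because no file is used.
crypttab_line() {
    name=$1; dev=$2; kind=$3
    case "$kind" in
        tpm2)  printf '%s %s - tpm2-device=auto\n' "$name" "$dev" ;;
        fido2) printf '%s %s - fido2-device=auto\n' "$name" "$dev" ;;
        *) echo "unknown token kind: $kind" >&2; return 1 ;;
    esac
}

# Command line that enrolls the token into a spare LUKS2 key slot.
# --tpm2-pcrs=7 binds the sealed secret to the Secure Boot policy PCR.
cryptenroll_cmd() {
    dev=$1; kind=$2
    case "$kind" in
        tpm2)  printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 %s\n' "$dev" ;;
        fido2) printf 'systemd-cryptenroll --fido2-device=auto %s\n' "$dev" ;;
        *) echo "unknown token kind: $kind" >&2; return 1 ;;
    esac
}

# Preview only: prints what would go into the two files and the enrollment
# command. Redirect into /etc/veritytab and /etc/crypttab, and run the
# command as root, to apply. All values below are constructed placeholders.
main() {
    rh=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    echo '# /etc/veritytab'
    veritytab_line usr /dev/disk/by-partlabel/usr /dev/disk/by-partlabel/usr-verity "$rh"
    echo '# /etc/crypttab'
    crypttab_line home /dev/disk/by-partlabel/home tpm2
    echo '# enrollment command (run as root, once)'
    cryptenroll_cmd /dev/disk/by-partlabel/home tpm2
}

main
```

Binding to PCR 7 alone ties the secret to the Secure Boot state, not to the specific kernel or initrd that was booted; widening the PCR set is a policy decision that trades convenience on kernel updates for tighter binding.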
- A new ConditionCPUFeature= setting that makes systemd units run only if the CPU provides given features, such as RdRand.
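As an added example (not code from the article or from the systemd project), the following POSIX shell script writes a service unit that uses ConditionCPUFeature=, and predicts from /proc/cpuinfo whether the condition will hold on a given host. A Condition*= that is not met makes systemd skip the unit rather than fail it, so the prediction helps explain a unit that never ran. The unit name, the helper path and the cpuinfo excerpts are constructed; the lowercase feature name follows the spelling used by systemd.unit(5), and the check assumes the systemd feature name equals the /proc/cpuinfo flag name, which holds for rdrand (on x86; other architectures print a different cpuinfo layout).

```shell
#!/bin/sh
# Added example: a unit gated on ConditionCPUFeature=rdrand, plus an
# offline predictor that reads the "flags" line of a cpuinfo file.

# Print a unit that runs only where the CPU advertises RDRAND.
# $1 is the program to run (constructed placeholder path by default).
rdrand_unit() {
    exe=${1:-/usr/local/bin/seed-from-rdrand}
    cat <<EOF
[Unit]
Description=Hardware entropy helper (requires RDRAND)
ConditionCPUFeature=rdrand

[Service]
Type=oneshot
ExecStart=$exe
EOF
}

# Return 0 if the "flags" line of cpuinfo file $2 (default /proc/cpuinfo)
# lists feature $1. Only the first processor's line is examined.
cpu_has_feature() {
    feature=$1; cpuinfo=${2:-/proc/cpuinfo}
    flags=$(awk -F: '/^flags/ { print $2; exit }' "$cpuinfo")
    case " $flags " in
        *" $feature "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Evaluate every ConditionCPUFeature= line of unit file $1 against cpuinfo
# file $2. A leading "!" negates the condition, as for other Condition*=.
# Prints "skip <feature>" (and returns 1) for the first unmet condition,
# "run" otherwise.
predict_unit() {
    unit=$1; cpuinfo=${2:-/proc/cpuinfo}
    for f in $(sed -n 's/^ConditionCPUFeature=//p' "$unit"); do
        want=1
        case "$f" in '!'*) want=0; f=${f#!} ;; esac
        if cpu_has_feature "$f" "$cpuinfo"; then have=1; else have=0; fi
        if [ "$have" != "$want" ]; then
            echo "skip $f"
            return 1
        fi
    done
    echo run
}

# Constructed /proc/cpuinfo excerpt (not captured from a real machine);
# $1 = "with" or "without" controls whether rdrand is listed.
sample_cpuinfo() {
    if [ "$1" = with ]; then extra=" rdrand"; else extra=""; fi
    printf 'processor\t: 0\nflags\t\t: fpu vme sse2 aes%s\n' "$extra"
}

# Demo against the two constructed hosts; install for real with
#   rdrand_unit > /etc/systemd/system/<name>.service && systemctl daemon-reload
main() {
    tmp=$(mktemp -d)
    rdrand_unit > "$tmp/rdrand.service"
    sample_cpuinfo with > "$tmp/cpuinfo-yes"
    sample_cpuinfo without > "$tmp/cpuinfo-no"
    printf 'host with rdrand:    '
    predict_unit "$tmp/rdrand.service" "$tmp/cpuinfo-yes" || true
    printf 'host without rdrand: '
    predict_unit "$tmp/rdrand.service" "$tmp/cpuinfo-no" || true
    rm -rf "$tmp"
}

main
```

When the condition is unmet, `systemctl status` shows the unit as inactive with a "Condition check resulted in ... being skipped" message in the journal, not as failed; that distinction matters when alerting on unit failures.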
- Various systemd-resolved improvements.
- The previously introduced systemd-oomd out-of-memory daemon now has a tunable for the default memory pressure duration, and the service is now considered fully supported rather than experimental.
- Systemd has renamed its main Git development branch from "master" to "main".
- Systemd will now set the $SYSTEMD_EXEC_PID environment variable for spawned processes to the PID of the process itself.
The lengthy list of systemd 248 changes in full can be found via their NEWS file. Those wanting to build systemd 248 from source can fetch it via GitHub.