Quite a bit actually. Items marked with a + are planned for the next release.

MUST, MUST, MUST BE DONE:

DONE: Integrate with capabilities to supply normal Linux protection.

MUST BE DONE:

+ Make code conform to kernel coding style.
DONE: Fix bigint distribution; it doesn't include all the files it needs to.
DONE: Re-arrange file layout so the kernel part is in a self-contained directory without any extra stuff.
DONE: Move to Linux 2.6:
    DONE: Use native crypto.
    DONE: Update the MODULE_PARM usage.
    DONE: Update LSM interface.
    DONE: Update make system.
DONE: Wire together with TCPA hardware. IBM's tpm.c: make SMP/preempt safe, add locking.
DONE: Add comments about SMP incompatibility, enforce in Kconfig.
DONE: Clean up the LSM's TPM locking.
DONE: Document LILO config changes and how they relate to PCR values.
Extend enforcer-hash-extend to take a file or a hash on the command line.
DONE: Clean up the printk message to take into account DEBUG mode.
DONE: Document 2.6.x call_usermodehelper bug.
Write a BUGS document.
Work out a way to upgrade the kernel. Looks like it will involve pulling the secret out of the TPM, writing it to disk, booting with the new kernel, and re-sealing. Will be part of the admin tool.
DONE: Document statically building mount, umount and losetup, copying them to /etc/enforcer, and protecting them with the deny/panic action.
DONE: Write statically linked user-space helper to mount/unmount encrypted loopback filesystem.
DONE: Add memory pinning to the helper.
DONE: Add more TripWire-like checking of inode data.
DONE: Add a way to selectively apply extra checks?
DONE: Add a way to allow only certain apps to access certain files.
DONE: Massive code audit to look for problems in preparation for announcing on the Linux kernel mailing list. No major problems found.
DONE: enforcer_inode_permission: Rewrite this hook. Iterate over each dentry with a count > 0, rather than just finding the first one. Only has an impact on hard links. Look into using the nameidata being passed in as of 2.6-test9.
DONE: Add the ability to deny access to files that were not there when the DB was built. Build the DB for /bin/, someone adds /bin/trojan, don't allow /bin/trojan to be used. Optionally recursive so /bin/foo/trojan can't execute either.
DONE: Do more sanity checking on the input. Whine if a file is in the database more than once.
Test with an initrd. Current behavior is unknown, but it probably will not work unless the files for both the initrd and the real root are listed in the database. Look into hooks involving pivot_root.
Check behavior for NFS-exported file systems and for NFS clients running the Enforcer.
DONE: Write a comprehensive admin tool to take the painful work out of setup.
Test what actually happens when the user tries to access a file whose path is more than 4096 characters long. The Enforcer is supposed to deny access to that file, but that code path has never been tested.
+ Have the Enforcer check whether it needs to extend the public key PCR in enforcer_tcpa.c:tcpa_hash_and_extend().
+ Move to standard key generation/signing tools (e.g. GPG). The issue is that signature verification needs to be done inside the kernel, so a minimal bigint library would be required to verify a signature generated with GPG.
+ Allow the secret key and TPM secret to be stored on a floppy when the Enforcer is built into the kernel. This would allow the Enforcer to function without TCPA, but it also leaves the computer open to attack if someone has physical access. Since the database needs to be read in as soon as / is mounted, this would require the Enforcer to either mount a floppy or read the raw data off a floppy (e.g. a raw read from /dev/fd0).
+ Up-port the LILO TCPA patches to a current LILO and make Debian packages.

SHOULD BE DONE:

Write/find a TCPA any-command tool for sending raw commands to the TPM.
The current stats (#define ENFORCER_DEBUG_TIME) should take into account the amount of time it takes to load pages off disk. Those really don't count against the Enforcer; that work would happen anyhow.
TCPA: Move from a database whose goodness is enforced by a public key to one whose goodness is enforced by a protected freshness table.
Switch the lookup mechanism over from the full path of each file to the (inode, device) pair. This would reduce the amount of work that needs to be done to find out whether the current inode needs to be checked. It would also significantly reduce the amount of kernel memory required to store the database (from 20 bytes + the length of the full path, to 30 bytes per file). Need to tap unlink for this to work. May be much more work than it is worth. OR: use a SHA1 of the filename instead of the full filename. Calculated the SHA1 of all the filenames on my computer:

    0 > ls -l ~/sha1.txt ; wc -l ~/sha1.txt
    -rw-r----- 1 omen omen 30140466 Mar 11 11:58 /home/omen/sha1.txt
    328625 /home/omen/sha1.txt

  So, for 328,625 files, the SHA1s take 6,572,500 bytes, while the filenames take 16,666,841 bytes.
Implement caching of already checked files. This requires a perfectly reliable way to determine when a file has been modified, but the speed payoff would be huge. Maybe the nanosecond time stamps?

WISH LIST:

Keep detailed stats per protected file. Have some way to print them out in /proc, e.g.:

    cat /proc/enforcer/stats
    /bin/sh : checked 51 times : average 20032 ms
    /bin/sleep : checked 12151 times : average 2032 ms
    /bin/stty : checked 12 times : average 90032 ms
    /bin/su : checked 9 times : average 102732 ms

PROJECT HOME PAGE: http://enforcer.sourceforge.net/
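On the "caching of already checked files" item: the example below is added here and is not Enforcer code. It models a checked-file cache keyed on (device, inode, size, mtime_ns), as the "nanosecond time stamps" idea suggests, and shows why that is not a perfectly reliable change detector: a same-size rewrite whose timestamps are then restored (what cp -p or a backup restore does) still looks cached, while the content hash and ctime both reveal the change. The file contents and paths are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time


def sha1_of(path):
    """Content hash, the check the Enforcer would otherwise repeat on every access."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stat_key(path):
    """Cheap cache key: (device, inode, size, mtime in ns) as stat() reports them."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino, st.st_size, st.st_mtime_ns)


class CheckedCache:
    """Remembers files that already passed the hash check, keyed on stat_key()."""

    def __init__(self):
        self.entries = {}

    def record(self, path):
        self.entries[path] = stat_key(path)

    def is_known_good(self, path):
        return self.entries.get(path) == stat_key(path)


def demo():
    """Returns (cache_says_unchanged, hash_says_unchanged, ctime_moved)."""
    workdir = tempfile.mkdtemp()                      # constructed scratch area
    path = os.path.join(workdir, "sh")
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\necho hello\n")           # constructed "good" file
    cache = CheckedCache()
    good_hash = sha1_of(path)
    cache.record(path)                                # file passed the full check
    saved = os.stat(path)
    time.sleep(0.1)                                   # let the kernel clock tick
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\necho hallo\n")           # same size, different bytes
    os.utime(path, ns=(saved.st_atime_ns, saved.st_mtime_ns))  # timestamps restored
    return (cache.is_known_good(path),                # True: mtime key is fooled
            sha1_of(path) == good_hash,               # False: content differs
            os.stat(path).st_ctime_ns != saved.st_ctime_ns)  # True: ctime still moved
```

ctime cannot be set with utime(), which makes (ctime_ns, size, inode) a stronger key than mtime, but it still changes for harmless metadata updates and is no substitute for re-hashing when in doubt.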