v6.13.7
=======================================
How to use dm-crypt and swsusp together
=======================================

Author: Andreas Steinmetz <ast@domdv.de>


Some prerequisites:
You know how dm-crypt works. If not, visit the following web page:
http://www.saout.de/misc/dm-crypt/
You have read Documentation/power/swsusp.rst and understand it.
You have read Documentation/admin-guide/initrd.rst and know how an initrd works.
You know how to create or how to modify an initrd.

Now your system is properly set up: your disk is encrypted except for
the swap device(s) and the boot partition, which may contain a mini
system for crypto setup and/or rescue purposes. You may even have
an initrd that does your current crypto setup already.

At this point you want to encrypt your swap, too. Still, you want to
be able to suspend using swsusp. This, however, means that you
have to be able either to enter a passphrase or to read
the key(s) from an external device like a PCMCIA flash disk
or a USB stick prior to resume. So you need an initrd that sets
up dm-crypt and then asks swsusp to resume from the encrypted
swap device.

The most important thing is that you set up dm-crypt in such
a way that the swap device you suspend to/resume from always
has the same major/minor within the initrd as well as
within your running system. The easiest way to achieve this is
to always set up this swap device first with dmsetup, so that
it will always look like the following::

  brw-------  1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0

Now set up your kernel to use /dev/mapper/swap0 as the default
resume partition, so your kernel .config contains::

  CONFIG_PM_STD_PARTITION="/dev/mapper/swap0"

Prepare your boot loader to use the initrd you will create or
modify. For lilo the simplest setup looks like the following
lines::

  image=/boot/vmlinuz
  initrd=/boot/initrd.gz
  label=linux
  append="root=/dev/ram0 init=/linuxrc rw"

Finally you need to create or modify your initrd. Let's assume
you create an initrd that reads the required dm-crypt setup
from a PCMCIA flash disk card. The card is formatted with an ext2
fs which resides on /dev/hde1 when the card is inserted. The
card contains at least the encrypted swap setup in a file
named "swapkey". /etc/fstab of your initrd contains something
like the following::

  /dev/hda1   /mnt    ext3      ro                            0 0
  none        /proc   proc      defaults,noatime,nodiratime   0 0
  none        /sys    sysfs     defaults,noatime,nodiratime   0 0

/dev/hda1 contains an unencrypted mini system that sets up all
of your crypto devices, again by reading the setup from the
PCMCIA flash disk. What follows now is a /linuxrc for your
initrd that allows you to resume from encrypted swap and that
continues boot with your mini system on /dev/hda1 if resume
does not happen::

 70
 71  #!/bin/sh
 72  PATH=/sbin:/bin:/usr/sbin:/usr/bin
 73  mount /proc
 74  mount /sys
 75  mapped=0
 76  noresume=`grep -c noresume /proc/cmdline`
 77  if [ "$*" != "" ]
 78  then
 79    noresume=1
 80  fi
 81  dmesg -n 1
 82  /sbin/cardmgr -q
 83  for i in 1 2 3 4 5 6 7 8 9 0
 84  do
 85    if [ -f /proc/ide/hde/media ]
 86    then
 87      usleep 500000
 88      mount -t ext2 -o ro /dev/hde1 /mnt
 89      if [ -f /mnt/swapkey ]
 90      then
 91        dmsetup create swap0 /mnt/swapkey > /dev/null 2>&1 && mapped=1
 92      fi
 93      umount /mnt
 94      break
 95    fi
 96    usleep 500000
 97  done
 98  killproc /sbin/cardmgr
 99  dmesg -n 6
100  if [ $mapped = 1 ]
101  then
102    if [ $noresume != 0 ]
103    then
104      mkswap /dev/mapper/swap0 > /dev/null 2>&1
105    fi
106    echo 254:0 > /sys/power/resume
107    dmsetup remove swap0
108  fi
109  umount /sys
110  mount /mnt
111  umount /proc
112  cd /mnt
113  pivot_root . mnt
114  mount /proc
115  umount -l /mnt
116  umount /proc
117  exec chroot . /sbin/init $* < dev/console > dev/console 2>&1
118
Please don't mind the weird loop above: busybox's msh doesn't know
the let statement. Now, what is happening in the script?
First we have to decide whether we want to try to resume or not.
We will not resume if booting with "noresume" or with any parameters
for init, like "single" or "emergency", as boot parameters.

Then we need to set up dm-crypt with the setup data from the
PCMCIA flash disk. If this succeeds, we need to reset the swap
device if we don't want to resume. The line "echo 254:0 > /sys/power/resume"
then attempts to resume from the first device mapper device.
Note that it is important to set the device in /sys/power/resume
regardless of whether you are resuming or not; otherwise a later suspend will fail.
If resume starts, script execution terminates here.

Otherwise we just remove the encrypted swap device and leave it to the
mini system on /dev/hda1 to set the whole crypto up (it is up to
you to modify this to your taste).

What then follows is the well-known process to change the root
file system and continue booting from there. I prefer to unmount
the initrd prior to continuing to boot, but it is up to you to modify
this.
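As an added example (not code from the kernel document), the two decisions the script makes are written here as small sh functions over constructed inputs taken from the text: the ``ls -l`` line for swap0 and the lilo ``append=`` line. Nothing here touches real devices; the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the kernel document. Exercises the two decisions
# /linuxrc makes on constructed inputs; nothing here touches real devices.

# Turn an `ls -l` line for a device node into the "major:minor" string that
# /sys/power/resume expects. Fails (non-zero) unless it is a block device.
majmin_from_ls() {
    set -- $1                       # split the line into fields
    case $1 in b*) ;; *) return 1 ;; esac
    # For a device node field 5 is the major with a trailing comma
    # ("254,") and field 6 is the minor ("0").
    printf '%s:%s\n' "${5%,}" "$6"
}

# Succeeds (returns 0) when resume must be skipped: "noresume" is on the
# kernel command line, or init received arguments such as "single".
skip_resume() {
    cmdline=$1
    shift
    for word in $cmdline; do
        [ "$word" = noresume ] && return 0
    done
    [ $# -gt 0 ]
}

# Compare the major:minor of the mapped swap node against the value the
# kernel was built to resume from, so a misordered dmsetup is caught
# before anything is written to /sys/power/resume.
resume_device_ok() {
    actual=$(majmin_from_ls "$1") || return 1
    [ "$actual" = "$2" ]
}

# Constructed inputs: the ls line and lilo append= line from the text above.
SWAP0_LS='brw-------  1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0'
CMDLINE='root=/dev/ram0 init=/linuxrc rw'

if resume_device_ok "$SWAP0_LS" 254:0 && ! skip_resume "$CMDLINE"; then
    echo "would write $(majmin_from_ls "$SWAP0_LS") to /sys/power/resume"
else
    echo "resume skipped or swap0 has an unexpected major:minor"
fi
```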