About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Documentation / power / swsusp-dmcrypt.txt


Based on kernel version 4.16.1. Page generated on 2018-04-09 11:53 EST.

1	Author: Andreas Steinmetz <ast@domdv.de>
2	
3	
4	How to use dm-crypt and swsusp together:
5	========================================
6	
7	Some prerequisites:
8	You know how dm-crypt works. If not, visit the following web page:
9	http://www.saout.de/misc/dm-crypt/
10	You have read Documentation/power/swsusp.txt and understand it.
11	You did read Documentation/admin-guide/initrd.rst and know how an initrd works.
12	You know how to create or how to modify an initrd.
13	
14	Now your system is properly set up, your disk is encrypted except for
15	the swap device(s) and the boot partition which may contain a mini
16	system for crypto setup and/or rescue purposes. You may even have
17	an initrd that does your current crypto setup already.
18	
19	At this point you want to encrypt your swap, too. Still you want to
20	be able to suspend using swsusp. This, however, means that you
21	have to be able to either enter a passphrase or that you read
22	the key(s) from an external device like a pcmcia flash disk
23	or an usb stick prior to resume. So you need an initrd, that sets
24	up dm-crypt and then asks swsusp to resume from the encrypted
25	swap device.
26	
27	The most important thing is that you set up dm-crypt in such
28	a way that the swap device you suspend to/resume from has
29	always the same major/minor within the initrd as well as
30	within your running system. The easiest way to achieve this is
31	to always set up this swap device first with dmsetup, so that
32	it will always look like the following:
33	
34	brw-------  1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0
35	
36	Now set up your kernel to use /dev/mapper/swap0 as the default
37	resume partition, so your kernel .config contains:
38	
39	CONFIG_PM_STD_PARTITION="/dev/mapper/swap0"
40	
41	Prepare your boot loader to use the initrd you will create or
42	modify. For lilo the simplest setup looks like the following
43	lines:
44	
45	image=/boot/vmlinuz
46	initrd=/boot/initrd.gz
47	label=linux
48	append="root=/dev/ram0 init=/linuxrc rw"
49	
50	Finally you need to create or modify your initrd. Lets assume
51	you create an initrd that reads the required dm-crypt setup
52	from a pcmcia flash disk card. The card is formatted with an ext2
53	fs which resides on /dev/hde1 when the card is inserted. The
54	card contains at least the encrypted swap setup in a file
55	named "swapkey". /etc/fstab of your initrd contains something
56	like the following:
57	
58	/dev/hda1   /mnt    ext3      ro                            0 0
59	none        /proc   proc      defaults,noatime,nodiratime   0 0
60	none        /sys    sysfs     defaults,noatime,nodiratime   0 0
61	
62	/dev/hda1 contains an unencrypted mini system that sets up all
63	of your crypto devices, again by reading the setup from the
64	pcmcia flash disk. What follows now is a /linuxrc for your
65	initrd that allows you to resume from encrypted swap and that
66	continues boot with your mini system on /dev/hda1 if resume
67	does not happen:
68	
69	#!/bin/sh
70	PATH=/sbin:/bin:/usr/sbin:/usr/bin
71	mount /proc
72	mount /sys
73	mapped=0
74	noresume=`grep -c noresume /proc/cmdline`
75	if [ "$*" != "" ]
76	then
77	  noresume=1
78	fi
79	dmesg -n 1
80	/sbin/cardmgr -q
81	for i in 1 2 3 4 5 6 7 8 9 0
82	do
83	  if [ -f /proc/ide/hde/media ]
84	  then
85	    usleep 500000
86	    mount -t ext2 -o ro /dev/hde1 /mnt
87	    if [ -f /mnt/swapkey ]
88	    then
89	      dmsetup create swap0 /mnt/swapkey > /dev/null 2>&1 && mapped=1
90	    fi
91	    umount /mnt
92	    break
93	  fi
94	  usleep 500000
95	done
96	killproc /sbin/cardmgr
97	dmesg -n 6
98	if [ $mapped = 1 ]
99	then
100	  if [ $noresume != 0 ]
101	  then
102	    mkswap /dev/mapper/swap0 > /dev/null 2>&1
103	  fi
104	  echo 254:0 > /sys/power/resume
105	  dmsetup remove swap0
106	fi
107	umount /sys
108	mount /mnt
109	umount /proc
110	cd /mnt
111	pivot_root . mnt
112	mount /proc
113	umount -l /mnt
114	umount /proc
115	exec chroot . /sbin/init $* < dev/console > dev/console 2>&1
116	
117	Please don't mind the weird loop above, busybox's msh doesn't know
118	the let statement. Now, what is happening in the script?
119	First we have to decide if we want to try to resume, or not.
120	We will not resume if booting with "noresume" or any parameters
121	for init like "single" or "emergency" as boot parameters.
122	
123	Then we need to set up dmcrypt with the setup data from the
124	pcmcia flash disk. If this succeeds we need to reset the swap
125	device if we don't want to resume. The line "echo 254:0 > /sys/power/resume"
126	then attempts to resume from the first device mapper device.
127	Note that it is important to set the device in /sys/power/resume,
128	regardless if resuming or not, otherwise later suspend will fail.
129	If resume starts, script execution terminates here.
130	
131	Otherwise we just remove the encrypted swap device and leave it to the
132	mini system on /dev/hda1 to set the whole crypto up (it is up to
133	you to modify this to your taste).
134	
135	What then follows is the well known process to change the root
136	file system and continue booting from there. I prefer to unmount
137	the initrd prior to continue booting but it is up to you to modify
138	this.
Hide Line Numbers


About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog