Blame view

Documentation/power/swsusp-dmcrypt.txt 4.65 KB
6ed9fcec8   Andreas Steinmetz   [PATCH] swsusup w...
1
2
3
4
5
6
7
8
9
10
  Author: Andreas Steinmetz <ast@domdv.de>
  
  
  How to use dm-crypt and swsusp together:
  ========================================
  
  Some prerequisites:
  You know how dm-crypt works. If not, visit the following web page:
  http://www.saout.de/misc/dm-crypt/
  You have read Documentation/power/swsusp.txt and understand it.
8c27ceff3   Mauro Carvalho Chehab   docs: fix locatio...
11
  You did read Documentation/admin-guide/initrd.rst and know how an initrd works.
6ed9fcec8   Andreas Steinmetz   [PATCH] swsusup w...
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
  You know how to create or how to modify an initrd.
  
  Now your system is properly set up, your disk is encrypted except for
  the swap device(s) and the boot partition which may contain a mini
  system for crypto setup and/or rescue purposes. You may even have
  an initrd that does your current crypto setup already.
  
  At this point you want to encrypt your swap, too. Still you want to
  be able to suspend using swsusp. This, however, means that you
  have to be able to either enter a passphrase or that you read
  the key(s) from an external device like a pcmcia flash disk
  or an usb stick prior to resume. So you need an initrd, that sets
  up dm-crypt and then asks swsusp to resume from the encrypted
  swap device.
  
  The most important thing is that you set up dm-crypt in such
  a way that the swap device you suspend to/resume from has
  always the same major/minor within the initrd as well as
  within your running system. The easiest way to achieve this is
  to always set up this swap device first with dmsetup, so that
  it will always look like the following:
  
  brw-------  1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0
  
  Now set up your kernel to use /dev/mapper/swap0 as the default
  resume partition, so your kernel .config contains:
  
  CONFIG_PM_STD_PARTITION="/dev/mapper/swap0"
  
  Prepare your boot loader to use the initrd you will create or
  modify. For lilo the simplest setup looks like the following
  lines:
  
  image=/boot/vmlinuz
  initrd=/boot/initrd.gz
  label=linux
  append="root=/dev/ram0 init=/linuxrc rw"
  
  Finally you need to create or modify your initrd. Lets assume
  you create an initrd that reads the required dm-crypt setup
  from a pcmcia flash disk card. The card is formatted with an ext2
  fs which resides on /dev/hde1 when the card is inserted. The
  card contains at least the encrypted swap setup in a file
  named "swapkey". /etc/fstab of your initrd contains something
  like the following:
  
  /dev/hda1   /mnt    ext3      ro                            0 0
  none        /proc   proc      defaults,noatime,nodiratime   0 0
  none        /sys    sysfs     defaults,noatime,nodiratime   0 0
  
  /dev/hda1 contains an unencrypted mini system that sets up all
  of your crypto devices, again by reading the setup from the
  pcmcia flash disk. What follows now is a /linuxrc for your
  initrd that allows you to resume from encrypted swap and that
  continues boot with your mini system on /dev/hda1 if resume
  does not happen:
  
  #!/bin/sh
  PATH=/sbin:/bin:/usr/sbin:/usr/bin
  mount /proc
  mount /sys
  mapped=0
  noresume=`grep -c noresume /proc/cmdline`
  if [ "$*" != "" ]
  then
    noresume=1
  fi
  dmesg -n 1
  /sbin/cardmgr -q
  for i in 1 2 3 4 5 6 7 8 9 0
  do
    if [ -f /proc/ide/hde/media ]
    then
      usleep 500000
      mount -t ext2 -o ro /dev/hde1 /mnt
      if [ -f /mnt/swapkey ]
      then
        dmsetup create swap0 /mnt/swapkey > /dev/null 2>&1 && mapped=1
      fi
      umount /mnt
      break
    fi
    usleep 500000
  done
  killproc /sbin/cardmgr
  dmesg -n 6
  if [ $mapped = 1 ]
  then
    if [ $noresume != 0 ]
    then
      mkswap /dev/mapper/swap0 > /dev/null 2>&1
    fi
    echo 254:0 > /sys/power/resume
    dmsetup remove swap0
  fi
  umount /sys
  mount /mnt
  umount /proc
  cd /mnt
  pivot_root . mnt
  mount /proc
  umount -l /mnt
  umount /proc
  exec chroot . /sbin/init $* < dev/console > dev/console 2>&1
  
  Please don't mind the weird loop above, busybox's msh doesn't know
  the let statement. Now, what is happening in the script?
  First we have to decide if we want to try to resume, or not.
  We will not resume if booting with "noresume" or any parameters
  for init like "single" or "emergency" as boot parameters.
  
  Then we need to set up dmcrypt with the setup data from the
  pcmcia flash disk. If this succeeds we need to reset the swap
  device if we don't want to resume. The line "echo 254:0 > /sys/power/resume"
  then attempts to resume from the first device mapper device.
  Note that it is important to set the device in /sys/power/resume,
  regardless if resuming or not, otherwise later suspend will fail.
  If resume starts, script execution terminates here.
  
  Otherwise we just remove the encrypted swap device and leave it to the
  mini system on /dev/hda1 to set the whole crypto up (it is up to
  you to modify this to your taste).
  
  What then follows is the well known process to change the root
  file system and continue booting from there. I prefer to unmount
  the initrd prior to continue booting but it is up to you to modify
  this.