swsusp-dmcrypt.txt 4.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139
  1. Author: Andreas Steinmetz <ast@domdv.de>
  2. How to use dm-crypt and swsusp together:
  3. ========================================
  4. Some prerequisites:
  5. You know how dm-crypt works. If not, visit the following web page:
  6. http://www.saout.de/misc/dm-crypt/
  7. You have read Documentation/power/swsusp.txt and understand it.
  8. You did read Documentation/initrd.txt and know how an initrd works.
  9. You know how to create or how to modify an initrd.
  10. Now your system is properly set up, your disk is encrypted except for
  11. the swap device(s) and the boot partition which may contain a mini
  12. system for crypto setup and/or rescue purposes. You may even have
  13. an initrd that does your current crypto setup already.
  14. At this point you want to encrypt your swap, too. Still you want to
  15. be able to suspend using swsusp. This, however, means that you
  16. have to be able to either enter a passphrase or that you read
  17. the key(s) from an external device like a pcmcia flash disk
  18. or an usb stick prior to resume. So you need an initrd, that sets
  19. up dm-crypt and then asks swsusp to resume from the encrypted
  20. swap device.
  21. The most important thing is that you set up dm-crypt in such
  22. a way that the swap device you suspend to/resume from has
  23. always the same major/minor within the initrd as well as
  24. within your running system. The easiest way to achieve this is
  25. to always set up this swap device first with dmsetup, so that
  26. it will always look like the following:
  27. brw------- 1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0
  28. Now set up your kernel to use /dev/mapper/swap0 as the default
  29. resume partition, so your kernel .config contains:
  30. CONFIG_PM_STD_PARTITION="/dev/mapper/swap0"
  31. Prepare your boot loader to use the initrd you will create or
  32. modify. For lilo the simplest setup looks like the following
  33. lines:
  34. image=/boot/vmlinuz
  35. initrd=/boot/initrd.gz
  36. label=linux
  37. append="root=/dev/ram0 init=/linuxrc rw"
  38. Finally you need to create or modify your initrd. Lets assume
  39. you create an initrd that reads the required dm-crypt setup
  40. from a pcmcia flash disk card. The card is formatted with an ext2
  41. fs which resides on /dev/hde1 when the card is inserted. The
  42. card contains at least the encrypted swap setup in a file
  43. named "swapkey". /etc/fstab of your initrd contains something
  44. like the following:
  45. /dev/hda1 /mnt ext3 ro 0 0
  46. none /proc proc defaults,noatime,nodiratime 0 0
  47. none /sys sysfs defaults,noatime,nodiratime 0 0
  48. /dev/hda1 contains an unencrypted mini system that sets up all
  49. of your crypto devices, again by reading the setup from the
  50. pcmcia flash disk. What follows now is a /linuxrc for your
  51. initrd that allows you to resume from encrypted swap and that
  52. continues boot with your mini system on /dev/hda1 if resume
  53. does not happen:
  54. #!/bin/sh
  55. PATH=/sbin:/bin:/usr/sbin:/usr/bin
  56. mount /proc
  57. mount /sys
  58. mapped=0
  59. noresume=`grep -c noresume /proc/cmdline`
  60. if [ "$*" != "" ]
  61. then
  62. noresume=1
  63. fi
  64. dmesg -n 1
  65. /sbin/cardmgr -q
  66. for i in 1 2 3 4 5 6 7 8 9 0
  67. do
  68. if [ -f /proc/ide/hde/media ]
  69. then
  70. usleep 500000
  71. mount -t ext2 -o ro /dev/hde1 /mnt
  72. if [ -f /mnt/swapkey ]
  73. then
  74. dmsetup create swap0 /mnt/swapkey > /dev/null 2>&1 && mapped=1
  75. fi
  76. umount /mnt
  77. break
  78. fi
  79. usleep 500000
  80. done
  81. killproc /sbin/cardmgr
  82. dmesg -n 6
  83. if [ $mapped = 1 ]
  84. then
  85. if [ $noresume != 0 ]
  86. then
  87. mkswap /dev/mapper/swap0 > /dev/null 2>&1
  88. fi
  89. echo 254:0 > /sys/power/resume
  90. dmsetup remove swap0
  91. fi
  92. umount /sys
  93. mount /mnt
  94. umount /proc
  95. cd /mnt
  96. pivot_root . mnt
  97. mount /proc
  98. umount -l /mnt
  99. umount /proc
  100. exec chroot . /sbin/init $* < dev/console > dev/console 2>&1
  101. Please don't mind the weird loop above, busybox's msh doesn't know
  102. the let statement. Now, what is happening in the script?
  103. First we have to decide if we want to try to resume, or not.
  104. We will not resume if booting with "noresume" or any parameters
  105. for init like "single" or "emergency" as boot parameters.
  106. Then we need to set up dmcrypt with the setup data from the
  107. pcmcia flash disk. If this succeeds we need to reset the swap
  108. device if we don't want to resume. The line "echo 254:0 > /sys/power/resume"
  109. then attempts to resume from the first device mapper device.
  110. Note that it is important to set the device in /sys/power/resume,
  111. regardless if resuming or not, otherwise later suspend will fail.
  112. If resume starts, script execution terminates here.
  113. Otherwise we just remove the encrypted swap device and leave it to the
  114. mini system on /dev/hda1 to set the whole crypto up (it is up to
  115. you to modify this to your taste).
  116. What then follows is the well known process to change the root
  117. file system and continue booting from there. I prefer to unmount
  118. the initrd prior to continue booting but it is up to you to modify
  119. this.