linux/Documentation/power/swsusp-dmcrypt.txt
Author: Andreas Steinmetz <ast@domdv.de>


How to use dm-crypt and swsusp together:
========================================

Some prerequisites:
You know how dm-crypt works. If not, visit the following web page:
http://www.saout.de/misc/dm-crypt/
You have read Documentation/power/swsusp.txt and understand it.
You have read Documentation/initrd.txt and know how an initrd works.
You know how to create or how to modify an initrd.

Now your system is properly set up: your disk is encrypted except for
the swap device(s) and the boot partition, which may contain a mini
system for crypto setup and/or rescue purposes. You may even have
an initrd that does your current crypto setup already.

At this point you want to encrypt your swap, too. Still you want to
be able to suspend using swsusp. This, however, means that you
have to be able either to enter a passphrase or to read
the key(s) from an external device like a pcmcia flash disk
or a USB stick prior to resume. So you need an initrd that sets
up dm-crypt and then asks swsusp to resume from the encrypted
swap device.

The most important thing is that you set up dm-crypt in such
a way that the swap device you suspend to/resume from always
has the same major/minor within the initrd as well as
within your running system. The easiest way to achieve this is
to always set up this swap device first with dmsetup, so that
it will always look like the following:

brw-------  1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0
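A small check, added here as an example and not part of the original document, that the mapped swap node really carries the major:minor (254:0 in the listing above) that the initrd later writes to /sys/power/resume; a mismatch means swsusp would look for its image on the wrong device. It assumes a stat that understands the %t/%T (hex major/minor) format and a POSIX sh with hex arithmetic.

```shell
#!/bin/sh
# Example only (not from the kernel document): verify that the
# device-mapper swap node has the device number the resume path expects.

# Convert the hex major/minor that stat prints (%t/%T) into the decimal
# "MAJOR:MINOR" form that /sys/power/resume takes, e.g. "fe" "0" -> 254:0.
hex_to_devnum() {
    printf '%d:%d\n' "$((0x$1))" "$((0x$2))"
}

# Read the major:minor of a block device node; fail if it is not one.
# Assumes stat supports -c with %t/%T (GNU coreutils and busybox do).
devnum_of() {
    dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    hex_to_devnum "$(stat -c %t "$dev")" "$(stat -c %T "$dev")"
}

# Compare the number the initrd writes to /sys/power/resume ($1) with the
# number the mapped swap device actually has ($2).
check_resume_target() {
    if [ "$1" = "$2" ]; then
        echo "ok: mapped swap is $2, resume target is $1"
        return 0
    fi
    echo "MISMATCH: mapped swap is $2 but resume target is $1" >&2
    return 1
}

# On a real system, with the paths used in this document:
#   check_resume_target 254:0 "$(devnum_of /dev/mapper/swap0)"
```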

Now set up your kernel to use /dev/mapper/swap0 as the default
resume partition, so your kernel .config contains:

CONFIG_PM_STD_PARTITION="/dev/mapper/swap0"

Prepare your boot loader to use the initrd you will create or
modify. For lilo the simplest setup looks like the following
lines:

image=/boot/vmlinuz
initrd=/boot/initrd.gz
label=linux
append="root=/dev/ram0 init=/linuxrc rw"

Finally you need to create or modify your initrd. Let's assume
you create an initrd that reads the required dm-crypt setup
from a pcmcia flash disk card. The card is formatted with an ext2
fs which resides on /dev/hde1 when the card is inserted. The
card contains at least the encrypted swap setup in a file
named "swapkey". /etc/fstab of your initrd contains something
like the following:

/dev/hda1   /mnt    ext3      ro                            0 0
none        /proc   proc      defaults,noatime,nodiratime   0 0
none        /sys    sysfs     defaults,noatime,nodiratime   0 0

/dev/hda1 contains an unencrypted mini system that sets up all
of your crypto devices, again by reading the setup from the
pcmcia flash disk. What follows now is a /linuxrc for your
initrd that allows you to resume from encrypted swap and that
continues booting with your mini system on /dev/hda1 if resume
does not happen:

#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
mount /proc
mount /sys
mapped=0
# Do not resume if "noresume" is on the kernel command line or if init
# was given parameters such as "single" or "emergency".
noresume=`grep -c noresume /proc/cmdline`
if [ "$*" != "" ]
then
  noresume=1
fi
dmesg -n 1
# Start the pcmcia card manager and wait (up to about 5 s) for the
# flash disk to show up as /dev/hde.
/sbin/cardmgr -q
for i in 1 2 3 4 5 6 7 8 9 0
do
  if [ -f /proc/ide/hde/media ]
  then
    usleep 500000
    mount -t ext2 -o ro /dev/hde1 /mnt
    if [ -f /mnt/swapkey ]
    then
      # swapkey holds the dm table of the encrypted swap; this must be
      # the first mapping created so that it gets major:minor 254:0.
      dmsetup create swap0 /mnt/swapkey > /dev/null 2>&1 && mapped=1
    fi
    umount /mnt
    break
  fi
  usleep 500000
done
killproc /sbin/cardmgr
dmesg -n 6
if [ $mapped = 1 ]
then
  if [ $noresume != 0 ]
  then
    # Not resuming: re-create the swap signature so no stale image is used.
    mkswap /dev/mapper/swap0 > /dev/null 2>&1
  fi
  # Tell swsusp which device to resume from. If an image is found the
  # kernel resumes and this script never gets past this line.
  echo 254:0 > /sys/power/resume
  # No image found: drop the mapping; the mini system sets it up again.
  dmsetup remove swap0
fi
umount /sys
mount /mnt
umount /proc
cd /mnt
# Switch the root file system to the mini system on /dev/hda1.
pivot_root . mnt
mount /proc
umount -l /mnt
umount /proc
exec chroot . /sbin/init $* < dev/console > dev/console 2>&1

Please don't mind the weird loop above; busybox's msh doesn't know
the let statement. Now, what is happening in the script?
First we have to decide if we want to try to resume, or not.
We will not resume if booting with "noresume" or with any parameters
for init like "single" or "emergency" as boot parameters.

Then we need to set up dm-crypt with the setup data from the
pcmcia flash disk. If this succeeds we need to reset the swap
device if we don't want to resume. The line "echo 254:0 > /sys/power/resume"
then attempts to resume from the first device mapper device.
Note that it is important to set the device in /sys/power/resume
regardless of whether you resume or not, otherwise a later suspend will fail.
If resume starts, script execution terminates here.

Otherwise we just remove the encrypted swap device and leave it to the
mini system on /dev/hda1 to set the whole crypto up (it is up to
you to modify this to your taste).

What then follows is the well-known process to change the root
file system and continue booting from there. I prefer to unmount
the initrd prior to continuing the boot, but it is up to you to modify
this.
