1Author: Andreas Steinmetz <ast@domdv.de>
2
3
4How to use dm-crypt and swsusp together:
5========================================
6
7Some prerequisites:
8You know how dm-crypt works. If not, visit the following web page:
9http://www.saout.de/misc/dm-crypt/
10You have read Documentation/power/swsusp.txt and understand it.
11You did read Documentation/initrd.txt and know how an initrd works.
12You know how to create or how to modify an initrd.
13
14Now your system is properly set up, your disk is encrypted except for
15the swap device(s) and the boot partition which may contain a mini
16system for crypto setup and/or rescue purposes. You may even have
17an initrd that does your current crypto setup already.
18
19At this point you want to encrypt your swap, too. Still you want to
20be able to suspend using swsusp. This, however, means that you
21have to be able to either enter a passphrase or that you read
22the key(s) from an external device like a pcmcia flash disk
23or an usb stick prior to resume. So you need an initrd, that sets
24up dm-crypt and then asks swsusp to resume from the encrypted
25swap device.
26
27The most important thing is that you set up dm-crypt in such
28a way that the swap device you suspend to/resume from has
29always the same major/minor within the initrd as well as
30within your running system. The easiest way to achieve this is
31to always set up this swap device first with dmsetup, so that
32it will always look like the following:
33
34brw-------  1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0
35
36Now set up your kernel to use /dev/mapper/swap0 as the default
37resume partition, so your kernel .config contains:
38
39CONFIG_PM_STD_PARTITION="/dev/mapper/swap0"
40
41Prepare your boot loader to use the initrd you will create or
42modify. For lilo the simplest setup looks like the following
43lines:
44
45image=/boot/vmlinuz
46initrd=/boot/initrd.gz
47label=linux
48append="root=/dev/ram0 init=/linuxrc rw"
49
50Finally you need to create or modify your initrd. Lets assume
51you create an initrd that reads the required dm-crypt setup
52from a pcmcia flash disk card. The card is formatted with an ext2
53fs which resides on /dev/hde1 when the card is inserted. The
54card contains at least the encrypted swap setup in a file
55named "swapkey". /etc/fstab of your initrd contains something
56like the following:
57
58/dev/hda1   /mnt    ext3      ro                            0 0
59none        /proc   proc      defaults,noatime,nodiratime   0 0
60none        /sys    sysfs     defaults,noatime,nodiratime   0 0
61
62/dev/hda1 contains an unencrypted mini system that sets up all
63of your crypto devices, again by reading the setup from the
64pcmcia flash disk. What follows now is a /linuxrc for your
65initrd that allows you to resume from encrypted swap and that
66continues boot with your mini system on /dev/hda1 if resume
67does not happen:
68
69#!/bin/sh
70PATH=/sbin:/bin:/usr/sbin:/usr/bin
71mount /proc
72mount /sys
73mapped=0
74noresume=`grep -c noresume /proc/cmdline`
75if [ "$*" != "" ]
76then
77  noresume=1
78fi
79dmesg -n 1
80/sbin/cardmgr -q
81for i in 1 2 3 4 5 6 7 8 9 0
82do
83  if [ -f /proc/ide/hde/media ]
84  then
85    usleep 500000
86    mount -t ext2 -o ro /dev/hde1 /mnt
87    if [ -f /mnt/swapkey ]
88    then
89      dmsetup create swap0 /mnt/swapkey > /dev/null 2>&1 && mapped=1
90    fi
91    umount /mnt
92    break
93  fi
94  usleep 500000
95done
96killproc /sbin/cardmgr
97dmesg -n 6
98if [ $mapped = 1 ]
99then
100  if [ $noresume != 0 ]
101  then
102    mkswap /dev/mapper/swap0 > /dev/null 2>&1
103  fi
104  echo 254:0 > /sys/power/resume
105  dmsetup remove swap0
106fi
107umount /sys
108mount /mnt
109umount /proc
110cd /mnt
111pivot_root . mnt
112mount /proc
113umount -l /mnt
114umount /proc
115exec chroot . /sbin/init $* < dev/console > dev/console 2>&1
116
117Please don't mind the weird loop above, busybox's msh doesn't know
118the let statement. Now, what is happening in the script?
119First we have to decide if we want to try to resume, or not.
120We will not resume if booting with "noresume" or any parameters
121for init like "single" or "emergency" as boot parameters.
122
123Then we need to set up dmcrypt with the setup data from the
124pcmcia flash disk. If this succeeds we need to reset the swap
125device if we don't want to resume. The line "echo 254:0 > /sys/power/resume"
126then attempts to resume from the first device mapper device.
127Note that it is important to set the device in /sys/power/resume,
128regardless if resuming or not, otherwise later suspend will fail.
129If resume starts, script execution terminates here.
130
131Otherwise we just remove the encrypted swap device and leave it to the
132mini system on /dev/hda1 to set the whole crypto up (it is up to
133you to modify this to your taste).
134
135What then follows is the well known process to change the root
136file system and continue booting from there. I prefer to unmount
137the initrd prior to continue booting but it is up to you to modify
138this.
139