Author: Andreas Steinmetz <ast@domdv.de>


How to use dm-crypt and swsusp together:
========================================

Some prerequisites:
You know how dm-crypt works. If not, visit the following web page:
http://www.saout.de/misc/dm-crypt/
You have read Documentation/power/swsusp.txt and understand it.
You have read Documentation/initrd.txt and know how an initrd works.
You know how to create or how to modify an initrd.

Now your system is properly set up, your disk is encrypted except for
the swap device(s) and the boot partition which may contain a mini
system for crypto setup and/or rescue purposes. You may even have
an initrd that does your current crypto setup already.

At this point you want to encrypt your swap, too. Still you want to
be able to suspend using swsusp. This, however, means that you
have to be able to either enter a passphrase or read the key(s)
from an external device like a pcmcia flash disk or a USB stick
prior to resume. So you need an initrd that sets up dm-crypt and
then asks swsusp to resume from the encrypted swap device.

The most important thing is that you set up dm-crypt in such
a way that the swap device you suspend to/resume from always has
the same major/minor within the initrd as well as within your
running system. The easiest way to achieve this is to always set
up this swap device first with dmsetup, so that it will always
look like the following:

brw------- 1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0

Now set up your kernel to use /dev/mapper/swap0 as the default
resume partition, so your kernel .config contains:

CONFIG_PM_STD_PARTITION="/dev/mapper/swap0"

Prepare your boot loader to use the initrd you will create or
modify. For lilo the simplest setup looks like the following
lines:

image=/boot/vmlinuz
initrd=/boot/initrd.gz
label=linux
append="root=/dev/ram0 init=/linuxrc rw"

Finally you need to create or modify your initrd. Let's assume
you create an initrd that reads the required dm-crypt setup
from a pcmcia flash disk card. The card is formatted with an ext2
fs which resides on /dev/hde1 when the card is inserted. The
card contains at least the encrypted swap setup in a file
named "swapkey". /etc/fstab of your initrd contains something
like the following:

/dev/hda1 /mnt ext3 ro 0 0
none /proc proc defaults,noatime,nodiratime 0 0
none /sys sysfs defaults,noatime,nodiratime 0 0

/dev/hda1 contains an unencrypted mini system that sets up all
of your crypto devices, again by reading the setup from the
pcmcia flash disk. What follows now is a /linuxrc for your
initrd that allows you to resume from encrypted swap and that
continues boot with your mini system on /dev/hda1 if resume
does not happen:

#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
mount /proc
mount /sys
mapped=0
# Resume is skipped if "noresume" is on the kernel command line or if
# init was given any parameters (e.g. "single", "emergency").
noresume=`grep -c noresume /proc/cmdline`
if [ "$*" != "" ]
then
  noresume=1
fi
dmesg -n 1
/sbin/cardmgr -q
# Poll up to ten times (half a second apart) for the pcmcia card to appear.
for i in 1 2 3 4 5 6 7 8 9 0
do
  if [ -f /proc/ide/hde/media ]
  then
    usleep 500000
    mount -t ext2 -o ro /dev/hde1 /mnt
    if [ -f /mnt/swapkey ]
    then
      # Map the encrypted swap as the first device mapper device (254:0).
      dmsetup create swap0 /mnt/swapkey > /dev/null 2>&1 && mapped=1
    fi
    umount /mnt
    break
  fi
  usleep 500000
done
killproc /sbin/cardmgr
dmesg -n 6
if [ $mapped = 1 ]
then
  if [ $noresume != 0 ]
  then
    # Not resuming: reinitialize the swap so a stale image is not used later.
    mkswap /dev/mapper/swap0 > /dev/null 2>&1
  fi
  # Must be set even when not resuming, otherwise a later suspend fails.
  echo 254:0 > /sys/power/resume
  dmsetup remove swap0
fi
umount /sys
mount /mnt
umount /proc
cd /mnt
pivot_root . mnt
mount /proc
umount -l /mnt
umount /proc
exec chroot . /sbin/init $* < dev/console > dev/console 2>&1

Please don't mind the weird loop above, busybox's msh doesn't know
the let statement. Now, what is happening in the script?
First we have to decide if we want to try to resume, or not.
We will not resume if booting with "noresume" or any parameters
for init like "single" or "emergency" as boot parameters.

Then we need to set up dm-crypt with the setup data from the
pcmcia flash disk. If this succeeds we need to reset the swap
device if we don't want to resume. The line "echo 254:0 > /sys/power/resume"
then attempts to resume from the first device mapper device.
Note that it is important to set the device in /sys/power/resume,
regardless of whether you are resuming or not, otherwise a later
suspend will fail. If resume starts, script execution terminates here.

Otherwise we just remove the encrypted swap device and leave it to the
mini system on /dev/hda1 to set the whole crypto up (it is up to
you to modify this to your taste).

What then follows is the well known process to change the root
file system and continue booting from there. I prefer to unmount
the initrd prior to continuing the boot but it is up to you to modify
this.
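The two decisions the /linuxrc above makes (whether to attempt a resume, and which major:minor to write to /sys/power/resume) are easy to get subtly wrong: `grep -c noresume` matches the substring anywhere on the command line, and echoing a major:minor that does not match the mapped swap device means a later suspend writes an image nobody can resume from. The following is an added example, not part of the original document, that factors both decisions into functions operating on explicit input so they can be checked offline. It assumes POSIX sh with awk (both available in busybox); the command-line strings and the `ls -l` line are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original document): helpers for the resume
# decision and the resume-device check made by the /linuxrc above.
# Assumes POSIX sh plus awk. All sample inputs below are constructed.

# Return 0 (true) if the kernel command line contains the exact word
# "noresume". Unlike `grep -c noresume`, a longer token that merely
# contains the substring does not count.
cmdline_has_noresume() {
    for word in $1; do
        [ "$word" = "noresume" ] && return 0
    done
    return 1
}

# Print "resume" or "noresume".
# $1: kernel command line (contents of /proc/cmdline)
# $2: parameters handed to /linuxrc ($*); any parameter such as
#     "single" or "emergency" disables resume, as in the script above.
resume_decision() {
    if cmdline_has_noresume "$1" || [ -n "$2" ]; then
        echo noresume
    else
        echo resume
    fi
}

# Convert the "254, 0" major/minor fields of an `ls -l` line for a block
# device node into the "254:0" form that /sys/power/resume expects.
# $1: one line of `ls -l` output
major_minor_from_ls() {
    echo "$1" | awk '{ sub(",", "", $5); print $5 ":" $6 }'
}

# Return 0 only if the mapped device's major:minor ($2, as an `ls -l`
# line) equals the value the initrd intends to write ($1). A mismatch
# means the initrd and the running system disagree about the swap
# device, so the write to /sys/power/resume should be refused.
check_resume_device() {
    actual=$(major_minor_from_ls "$2")
    [ "$actual" = "$1" ]
}

# Constructed sample: what `ls -l /dev/mapper/swap0` looks like when the
# encrypted swap was mapped first, as the document recommends.
SAMPLE_LS='brw------- 1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0'

# Demonstration with the constructed data.
echo "decision: $(resume_decision 'root=/dev/ram0 init=/linuxrc rw' '')"
echo "mapped device: $(major_minor_from_ls "$SAMPLE_LS")"
if check_resume_device 254:0 "$SAMPLE_LS"; then
    echo "ok: 254:0 matches /dev/mapper/swap0, safe to write to /sys/power/resume"
else
    echo "mismatch: refusing to set /sys/power/resume"
fi
```

In a real initrd the `ls -l` line would come from `ls -l /dev/mapper/swap0` after `dmsetup create`, and the expected value from whatever the script echoes into /sys/power/resume, so the check runs between those two steps.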