Gentoo Forums
Hibernation with encrypted swap
Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1554
Location: Germany

Posted: Tue Sep 19, 2017 8:23 am    Post subject: Hibernation with encrypted swap

Hi,
I'd like to learn about hibernation as suspend-to-ram is currently broken with my hardware. (It was working some months ago but now stopped working even with old kernels known to work with s2r -> Suspend-to-ram resume is crashing).

I read https://wiki.gentoo.org/wiki/Suspend_and_hibernate.
Does TuxOnIce have any advantage compared to gentoo-sources with CONFIG_HIBERNATION? I have none of the mentioned tools installed, but I have pm-suspend and pm-hibernate from app-laptop/laptop-mode-tools that are not mentioned in the wiki.

However, I'm not sure how hibernation works with encrypted swap. Currently I have a random key like this in /etc/conf.d/dmcrypt:
Code:
swap=swap_crypt_1
source='PARTUUID=5e974f00-05'
options='--cipher aes-xts-plain64 --key-size 512 --key-file /dev/urandom'
pre_mount='mkswap -f ${dev} -L swap_crypt_1'

I learned I need a fixed key for that. But which kernel args are required later to open the encrypted swap by entering a password? My current CMDLINE for opening the btrfs-on-luks is this:
Code:
GRUB_CMDLINE_LINUX_DEFAULT="keymap=de splash crypt_root=UUID=e609e76c-419f-4677-a2fe-872290730f00 root=LABEL=gentoo dobtrfs"

I would add another resume= for suspend-to-disk, but who opens the LUKS behind the swap device?
_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G|amd64:HP EliteBook 8560w,i7-2620M,16G|Acer Z5610 (Core2QuadQ8200),8G|amd64-prefix:OpenSuse|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Lila-Theme

Hu
Moderator

Joined: 06 Mar 2007
Posts: 13831

Posted: Wed Sep 20, 2017 1:03 am

Typically, no kernel arguments are required, because the kernel is not responsible for opening the LUKS device containing the swap area. Your initramfs is responsible for that task, and then for resuming from the hibernation image, then falling through and starting fresh if no hibernation image was available.

I used TuxOnIce some years ago, then switched to swsusp when the TuxOnIce maintainer began issuing patches less quickly than I wanted.

Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1554
Location: Germany

Posted: Wed Sep 20, 2017 5:57 am

So you mean a well configured initramfs will open my encrypted swap automatically when pointing resume= to such an encrypted swap partition? Then why are the crypt_root and root parameters required for the encrypted root partition?

nokilli
Apprentice

Joined: 25 Feb 2004
Posts: 195

Posted: Wed Sep 20, 2017 1:41 pm

Massimo B. wrote:
So you mean a well configured initramfs will open my encrypted swap automatically when pointing resume= to such an encrypted swap partition? Then why are the crypt_root and root parameters required for the encrypted root partition?

You call resume from the initramfs but if there wasn't a suspend then your init script proceeds as usual, in which case crypt_root and root and so forth become useful once again.
_________________
Today is the first day of the rest of your Gentoo installation.

Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1554
Location: Germany

Posted: Wed Sep 20, 2017 1:57 pm

This is not the point. In order to check if there is a resumable image it needs to open the encrypted swap first.

nokilli
Apprentice

Joined: 25 Feb 2004
Posts: 195

Posted: Wed Sep 20, 2017 7:28 pm

Massimo B. wrote:
This is not the point. In order to check if there is a resumable image it needs to open the encrypted swap first.

Yes, but if there isn't a resumable image? What do you want the kernel to do then?

At least that's how it is in my init. Swap can be encrypted separately from root, so I still need to know which device to do dm_crypt stuff with and, in the case of something like lvm, which logical volume in the volume group that just got vgscanned to use as root. I'm assuming that's what crypt_root and root point to.

Hu
Moderator

Joined: 06 Mar 2007
Posts: 13831

Posted: Thu Sep 21, 2017 1:26 am

Massimo B. wrote:
So you mean a well configured initramfs will open my encrypted swap automatically when pointing resume= to such an encrypted swap partition?
I would consider it a very poor initramfs if it opened the encrypted volume without user interaction, since that means the key is stored in the initramfs (or that it derives the data from some non-interactive source), in which case how is the key protected from unauthorized use? A well configured initramfs will prompt you to unlock the swap device, then resume from that device after you unlock it, and if the resume fails, boot the system normally.

tholin
Apprentice

Joined: 04 Oct 2008
Posts: 168

Posted: Thu Sep 21, 2017 9:48 am

I used hibernate with encryption for a few years. You can't use a randomly generated key for swap because you lose all data on swap when you generate a new random key. You need to enter a passphrase to unlock the swap and then resume from that unlocked swap. Using resume= on the kernel command line doesn't work because the kernel will try to resume before the swap device is unlocked.

I used µswsusp (sys-power/suspend) for the userspace support needed for this. Perhaps TuxOnIce also works but I've never tried that. Read /usr/share/doc/suspend-1.0_p20150810/HOWTO.bz2 from sys-power/suspend for a good introduction.

What you need is an initramfs that unlocks the swap partition with your passphrase, does the resume with the userspace tools from that partition and, if that fails, does the regular boot. A minimal example might look like this:
Code:

#!/bin/busybox sh

PATH="/usr/sbin:/usr/bin:/sbin:/bin"

mount -t proc -o noexec,nosuid,nodev proc /proc
mount -t sysfs -o noexec,nosuid,nodev sysfs /sys
mount -t devtmpfs none /dev

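SWAPDEV='/dev/sda3' # LUKS partition that holds the swap area

# keep prompting until the passphrase opens the container as /dev/mapper/swap
while ! cryptsetup --allow-discards luksOpen "${SWAPDEV}" swap; do
    echo "wrong passphrase, try again"
done

# µswsusp resume binary; it does not return if an image is restored
/sbin/resume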

# if we reached this point there was no suspended image to resume
# mount the regular root fs and boot from it

ROOTDEV='/dev/sda2' # can be read from kernel commandline
mount -o ro ${ROOTDEV} /mnt/root/

for fs in /dev /sys /proc
do
    umount $fs
done

exec switch_root /mnt/root /sbin/init

This is only to give you an idea of what the initramfs needs to do. Don't use this. The initramfs also needs to have busybox, cryptsetup, /sbin/resume, /etc/suspend.conf and all other stuff they need to run. Perhaps genkernel can already do this for you but from looking at this bug it looks like no. https://bugs.gentoo.org/show_bug.cgi?id=156445

I'm not using hibernate anymore because it's just too broken. Almost every new kernel version got some regression. Since you can't even get suspend to ram working right I'd suggest you forget about hibernate.

nokilli
Apprentice

Joined: 25 Feb 2004
Posts: 195

Posted: Thu Sep 21, 2017 10:20 am

Hu wrote:
Massimo B. wrote:
So you mean a well configured initramfs will open my encrypted swap automatically when pointing resume= to such an encrypted swap partition?
I would consider it a very poor initramfs if it opened the encrypted volume without user interaction, since that means the key is stored in the initramfs (or that it derives the data from some non-interactive source), in which case how is the key protected from unauthorized use? A well configured initramfs will prompt you to unlock the swap device, then resume from that device after you unlock it, and if the resume fails, boot the system normally.

Or you could just write your own. genkernel and dracut were a bit busy for my taste so I just adapted the one used by LFS. I boot using a USB stick cause I like to maintain custody of my kernel and can choose between using a key I embed in the initramfs that sits on the USB stick or entering it in at a prompt (or both). Whatever the key is, that's what I use to open both root and swap and whatever else. Swap gets opened first, and we try the resume. If it fails then we move on to opening root.

Since the kernel moved to initramfs and devtmpfs there really is no reason to not be rolling your own init scripts. Documentation in the kernel is excellent. No issues handing off from devtmpfs to eudev (although mine is a pretty straightforward system device-wise). The only gotcha I experienced is that busybox bash is missing some normal bash stuff (don't do -v in expressions!). And remember that /proc/cmdline is your friend. Do exactly what you need/want to do and no more.
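The remark in tholin's script that the root device "can be read from kernel commandline" and the /proc/cmdline advice in the post above both come down to parsing boot parameters inside a hand-written init. The following is an added example, not code from any poster in this thread: `swapcrypt=` is a hypothetical parameter name, the sample command line is constructed from values quoted in the thread, and the `/dev/disk/by-*` paths assume udev or an equivalent has created those symlinks.

```shell
#!/bin/sh
# Added example: boot-parameter handling for a hand-written initramfs init.

# cmdline_get KEY [CMDLINE]: print the value of KEY=value from CMDLINE
# (default: /proc/cmdline). Last occurrence wins; returns 1 if KEY is absent.
# Runs in a subshell so that set -f (no globbing) does not leak to the caller.
# Quoted values containing spaces are not handled.
cmdline_get() (
    set -f
    key=$1
    line=${2-$(cat /proc/cmdline)}
    found=1
    for word in $line; do
        case $word in
            "$key"=*) value=${word#"$key"=}; found=0 ;;
        esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$value"
    return "$found"
)

# resolve_dev SPEC: turn UUID=/PARTUUID=/LABEL= specs into /dev/disk/by-*
# paths (assumes udev or similar created them); /dev paths pass through.
# Specs containing ".." or a "/" in the value, and unknown forms, are
# rejected so a mistyped or hostile parameter never reaches cryptsetup or mount.
resolve_dev() {
    case $1 in
        *..* | UUID=*/* | PARTUUID=*/* | LABEL=*/*) return 1 ;;
        UUID=?*)     printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        PARTUUID=?*) printf '/dev/disk/by-partuuid/%s\n' "${1#PARTUUID=}" ;;
        LABEL=?*)    printf '/dev/disk/by-label/%s\n' "${1#LABEL=}" ;;
        /dev/?*)     printf '%s\n' "$1" ;;
        *)           return 1 ;;
    esac
}

# Constructed sample: the thread's command line plus a hypothetical swapcrypt=.
SAMPLE_CMDLINE='keymap=de splash crypt_root=UUID=e609e76c-419f-4677-a2fe-872290730f00 swapcrypt=PARTUUID=5e974f00-05 root=LABEL=gentoo dobtrfs'

# boot_plan CMDLINE: print "swap=<dev> root=<dev>"; fail if either is unusable.
boot_plan() {
    swap_spec=$(cmdline_get swapcrypt "$1") || return 1
    root_spec=$(cmdline_get root "$1") || return 1
    swap_dev=$(resolve_dev "$swap_spec") || return 1
    root_dev=$(resolve_dev "$root_spec") || return 1
    printf 'swap=%s root=%s\n' "$swap_dev" "$root_dev"
}

boot_plan "$SAMPLE_CMDLINE"
```
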
Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1554
Location: Germany

Posted: Fri Oct 13, 2017 6:11 am

tholin wrote:
Using resume= on the kernel command line doesn't work because the kernel will try to resume before the swap device is unlocked.

I used µswsusp (sys-power/suspend) for the userspace support needed for this. Perhaps TuxOnIce also works but I've never tried that. Read /usr/share/doc/suspend-1.0_p20150810/HOWTO.bz2 from sys-power/suspend for a good introduction.
I didn't expect that to work with the kernel opening LUKS on resume=, so I tried, and you are right, it doesn't work. Previous posts were looking like it could work...

Thanks, I will look into µswsusp. Too bad if dracut couldn't create an initramfs working like that. I'm going to switch from genkernel to dracut anyway as genkernel is hitting its limits when I'd like to boot from some bcache storage.

Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1554
Location: Germany

Posted: Sun Oct 22, 2017 5:48 pm

I migrated to dracut now, but still have issues. dracut already can open my root filesystem from LUKS. I also managed to get dracut opening my bcache by adding the dracut-modules from bcache-tools. Now I thought dracut could also open the LUKS of the swap by a key stored on the root fs. So I tried this:
Code:
rd.luks.uuid=<root-uuid>  root=LABEL=root  rootflags=subvol=root  rd.luks.uuid=<swap_uuid>  rd.luks.key=/etc/key:UUID=<root-uuid>:UUID=<swap_uuid>  resume=LABEL=swap_1

But it does not work. Curiously dracut tries to use the keyfile for my first LUKS, which I did not configure like that.
Removing the part about the 2nd LUKS device I'm asked for the 1st password, that works, but dracut then asks also for the password of the 2nd LUKS that I did not mention in the config at all:
Code:
rd.luks.uuid=<root-uuid>  root=LABEL=root  rootflags=subvol=root

It should not do that as that encrypted swap is opened by dmcrypt later anyway.