-
Notifications
You must be signed in to change notification settings - Fork 1
/
encswap_hook
70 lines (58 loc) · 2.45 KB
/
encswap_hook
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#!/usr/bin/ash
run_hook () {
local swapdev swapkeyfile
. /encswap.conf
local resolvedswapdev=$(resolve_device "${swapdev}" ${rootdelay})
if [ -z "${resolvedswapdev}" ] ; then
err "encswap: Swap device not found"
return 1
fi
if [ -z "${swapkeyfile}" ] ; then
err "encswap: Keyfile not configured"
return 1
fi
# cryptname is leaked by the encrypt hook.
if [ -z "$cryptname" ] ; then
err "encswap: Did not find encrypted root image (unlocked by encrypt)."
return 1
fi
if [ ! -e /sys/power/resume ]; then
err "encswap: no hibernation support found"
return 1
fi
# Mount the root disk and copy the keyfile to /encswap.key (/ resides in RAM).
mkdir /encswaproot
if mount -o ro,nosuid,noexec,nodev "/dev/mapper/${cryptname}" /encswaproot ; then
dd if="/encswaproot/${swapkeyfile}" of="/encswap.key" >/dev/null 2>&1
umount /encswaproot
fi
if [ ! -s "/encswap.key" ] ; then
# The key is only set before hibernation.
echo "encswap: The swap file does not contain a hibernation image (keyfile not found)."
return 0
fi
if ! cryptsetup open --type plain --cipher aes-xts-plain64:sha256 --key-file /encswap.key "${resolvedswapdev}" encswapSwapFile ${swapdevopts}; then
echo "encswap: Keyfile cannot be used to unlock the swap device"
return 0
fi
printf "%d:%d" $(stat -Lc "0x%t 0x%T" /dev/mapper/encswapSwapFile) >/sys/power/resume
# If we are at this point, then resume failed and we proceed to boot normally.
cryptsetup close encswapSwapFile
# If not hibernated, then the keyfile should have been removed. But if the
# system shuts down before our encswap service runs, then it is possible to
# reach this place.
echo "encswap: Unable to resume. Possibly not hibernated."
# cryptoptions is leaked by the encrypt hook.
for cryptopt in ${cryptoptions//,/ }; do
if [ "${cryptopt}" = "allow-discards" ] ; then
maybediscard=,discard
fi
done
if mount -o rw,nosuid,noexec,nodev,noatime${maybediscard} "/dev/mapper/${cryptname}" /encswaproot ; then
# Shred keyfile to minimize exposure of the swap content.
dd if=/dev/urandom of="/encswaproot/${swapkeyfile}" bs="${swapkeyfilesize}" count=1 >/dev/null 2>&1
rm "/encswaproot/${swapkeyfile}"
umount /encswaproot
echo "encswap: Shredded keyfile"
fi
}