From: Heiko Rosemann <heiko.rosemann@web.de>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Dmcrypt and hibernate key disclosure
Date: Fri, 07 Jan 2011 11:42:32 +0100
Message-ID: <4D26EE18.9000105@web.de>
In-Reply-To: <4D2691D7.6020604@kdzbn.homelinux.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/07/11 05:08, Bryan Kadzban wrote:
> Arno Wagner wrote:
>> The other option would be to modify the resume process to
>> ask you for the passphrase to the swap partition. I don't
>> know whether that is possible.
>
> In an initramfs, I bet it is, though I've never tried it. Resuming from
> hibernate is handled by writing the major:minor of the block device to
> resume from into the /sys/power/resume file, and I would *guess* that
> the device node can be a device-mapper child (such as dm-crypt or LVM
> would create).

I do not know about the details like what needs to be copied in which
stage, but I can confirm that this works with tuxonice: Add to your
initramfs a call to cryptsetup luksOpen enc-swap before initiating the
resume process from /dev/mapper/enc-swap. I know this because this is
the setup I have been using for the last couple of years :)

> Of course, whether any given distro's initramfs setup can actually do
> this (assuming it's possible in the kernel) is a different story. :-)

I have recently tried out archlinux and it is pretty easy to add such a
hook there. They also support udev inside their initramfs, so using a
keyfile on a specific USB device to unlock your swap is also quite easy.
(Using gentoo, I have been running into a lot of trouble with
compatibility issues between udev and busybox-modprobe - used in my
initramfs - lately)

It is also no big deal if you just unlock *all* encrypted partitions
before initiating the resume process, but it does not need to be done.

>> It seems to me that there
>> is actually no software hook or script that gets executed
>> during resume,
>
> From hibernate, there is. It's a normal bootup, including initramfs,
> until some string gets written into /sys/power/resume. There might be
> restrictions on when this write can happen, but I'm sure they at least
> allow some initramfs code to run.

Well, most of my initramfs runs before initiating resume :)

Regards,
Heiko
- --
Encrypt e-mails with PGP - privacy is your right!
My PGP key for verification: http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk0m7hgACgkQ/Vb5NagElAW3CQCcCxtTN/UmI5XAYZfLaRqBv7QV
adIAn3U2NysZEES9ZlIzr4AvG9I9NUB5
=cHRj
-----END PGP SIGNATURE-----
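As an added illustration of the sequence discussed in this thread (not code from the post or from any distribution's initramfs), the following POSIX sh hook unlocks a LUKS swap container with cryptsetup luksOpen and then writes the plaintext device-mapper node's major:minor into /sys/power/resume. The device path /dev/sda2, the mapping name enc-swap and the DRY_RUN switch are assumptions for the example; a real hook would be wired into the distribution's initramfs before its own resume step.

```shell
#!/bin/sh
# Added example, not from the list post: an initramfs-style hook that unlocks
# a LUKS swap container and then hands its major:minor to the kernel via
# /sys/power/resume. Hypothetical values: the container is /dev/sda2, the
# mapping name is enc-swap, and DRY_RUN=1 only prints the privileged steps.

SWAP_DEV="${SWAP_DEV:-/dev/sda2}"     # hypothetical LUKS container
MAP_NAME="${MAP_NAME:-enc-swap}"      # mapping name used in the thread
DRY_RUN="${DRY_RUN:-1}"               # 1 = print actions instead of running them

# devnum: print "major:minor" in decimal for a device node.
# GNU stat gives the numbers in hex (%t/%T); printf converts them to decimal,
# which is the form the kernel expects in /sys/power/resume.
devnum() {
    maj=$(stat -c '%t' "$1") || return 1
    min=$(stat -c '%T' "$1") || return 1
    printf '%d:%d\n' "0x$maj" "0x$min"
}

# run: execute a command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# resume_from_encrypted_swap: unlock first, then trigger resume. If the kernel
# finds no hibernation image on the device, the write simply returns and the
# initramfs continues with a normal boot.
resume_from_encrypted_swap() {
    # 1. Unlock the container. cryptsetup prompts for the passphrase on the
    #    console; --key-file could be used with a keyfile found via udev.
    if [ ! -e "/dev/mapper/$MAP_NAME" ]; then
        run cryptsetup luksOpen "$SWAP_DEV" "$MAP_NAME" || return 1
    fi

    # 2. Resolve the plaintext device-mapper node to major:minor.
    if [ -e "/dev/mapper/$MAP_NAME" ]; then
        dev=$(devnum "/dev/mapper/$MAP_NAME") || return 1
    elif [ "$DRY_RUN" = 1 ]; then
        dev="<major:minor of /dev/mapper/$MAP_NAME>"   # placeholder in dry run
    else
        return 1
    fi

    # 3. Hand the device to the kernel; this is the point of no return if an
    #    image is present, so everything else the initramfs needs is done above.
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ echo $dev > /sys/power/resume"
    else
        echo "$dev" > /sys/power/resume
    fi
}

# Stand-alone use: DRY_RUN=1 ./hook.sh shows the steps without touching anything.
if [ "${0##*/}" = "hook.sh" ]; then
    resume_from_encrypted_swap
fi
```

The ordering is the whole point: because the write to /sys/power/resume is the hand-off to the kernel, the luksOpen (and any keyfile lookup) must complete before it, which is exactly what the initramfs stage allows. With DRY_RUN=1 the script prints the cryptsetup call and the resume write so the hook can be checked before it is installed.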
Thread overview: 13+ messages
2011-01-07 1:40 [dm-crypt] Dmcrypt and hibernate key disclosure Aaron Lewis
2011-01-07 2:49 ` Arno Wagner
2011-01-07 4:08 ` Bryan Kadzban
2011-01-07 4:39 ` Arno Wagner
2011-01-08 4:45 ` Bryan Kadzban
2011-01-08 11:53 ` Heiko Rosemann
2011-01-08 14:55 ` iggy
2011-01-07 10:42 ` Heiko Rosemann [this message]
2011-01-11 0:08 ` Richard
2011-01-11 9:11 ` Arno Wagner
2011-01-11 10:31 ` Milan Broz
2011-01-11 16:35 ` Richard
2011-01-11 17:08 ` Milan Broz