[systemd-devel] RFC: luksSuspend support in sleep/sleep.c

Jonas Meurer jonas at freesources.org
Wed Oct 9 10:20:35 UTC 2019


Hi systemd devs,

We[1] are working on bringing luksSuspend for LUKS devices before system
suspend to Debian. The basic idea is to remove the encryption keys of
encrypted devices from RAM before suspending the system.

While working on it, we figured out that systemd probably is the best
place to implement this. Would you be willing to accept related patches
into systemd? We're still early in the design process, but probably the
relevant parts will be:

* create a minimalist ramfs chroot environment with all required
  components to unlock the suspended LUKS encrypted root filesystems.
* freeze most processes before suspending the system to prevent timeouts
  when a process asks for resources from suspended block devices before
  the block device gets luksResumed.
* luksSuspend all active LUKS devices before suspend in sleep/sleep.c.
* luksResume all formerly active LUKS devices after resume.
* unfreeze/continue all frozen processes.

Lennart's talk[2] about systemd-homed mentions luksSuspend support for
system suspend, but it's limited to home directories. The whole ramfs
foo wouldn't be necessary to do that. So a direct question: would you
still be ok with support for luksSuspending the encrypted root
filesystem in systemd?

Before spending days of work on implementing this in systemd only to get
the patches rejected in the end, we thought it would be better to ask
beforehand ;)

So far, we have a working systemd-independent proof of concept: a
systemd-suspend.service override invokes a shell script[3] that takes
precautions, runs luksSuspend, then suspends the system and runs
luksResume after the system has been resumed.

We're looking forward to your comments :)

Kind regards,
 Tim and Jonas

[1] We are Tim and Jonas. For six months, we're funded part-time by the
    PrototypeFund to work on luksSuspend before system suspend in
    Debian.
[2] https://media.ccc.de/v/ASG2019-164-reinventing-home-directories
[3] https://salsa.debian.org/mejo/cryptsetup-suspend/blob/master/debian/cryptroot-suspend/cryptroot-suspend.c
    and
    https://salsa.debian.org/mejo/cryptsetup-suspend/blob/master/debian/cryptroot-suspend/cryptroot-suspend-wrapper
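A minimal sketch of the sequence the post describes (freeze, luksSuspend, sleep, luksResume, thaw), added here as an illustration and not the authors' cryptroot-suspend code. It assumes root, a cgroup v2 unified hierarchy, and that the script, `dmsetup` and `cryptsetup` stay reachable (the ramfs copy the post mentions) while the root LUKS device is suspended; the function names `crypt_devices_from_table`, `set_freeze` and `suspend_with_luks` are mine.

```shell
#!/bin/sh
# Added illustration of the suspend sequence from the post; not the authors'
# cryptroot-suspend code. Assumes root, cgroup v2, and that this script,
# dmsetup and cryptsetup are reachable (e.g. from a ramfs copy) while the
# root LUKS device is suspended.
set -eu

# Print the device-mapper names whose target is "crypt", from `dmsetup table`
# output on stdin, e.g. "sda3_crypt: 0 1000 crypt aes-xts-plain64 ... 0 8:3 4096".
crypt_devices_from_table() {
    awk '$1 ~ /:$/ && $4 == "crypt" { sub(/:$/, "", $1); print $1 }'
}

# Freeze ($1=1) or thaw ($1=0) every cgroup except init.scope and our own
# ancestry, so no process hits the suspended block device and times out.
# Writing cgroup.freeze applies to all descendants of that cgroup.
set_freeze() {
    self_cg=$(sed -n 's/^0::\(.*\)$/\1/p' /proc/self/cgroup 2>/dev/null || true)
    [ -n "$self_cg" ] || { echo "cannot determine own cgroup" >&2; return 1; }
    for f in /sys/fs/cgroup/*/cgroup.freeze /sys/fs/cgroup/*/*/cgroup.freeze; do
        cg=${f#/sys/fs/cgroup}; cg=${cg%/cgroup.freeze}
        case "$cg" in /init.scope) continue ;; esac
        case "$self_cg/" in "$cg"/*) continue ;; esac
        echo "$1" > "$f" 2>/dev/null || true
    done
}

# Freeze, drop the keys from kernel memory, sleep, then re-prompt and thaw.
suspend_with_luks() {
    devs=$(dmsetup table | crypt_devices_from_table)
    set_freeze 1
    trap 'set_freeze 0' EXIT                 # thaw even if a later step fails
    for d in $devs; do cryptsetup luksSuspend "$d"; done
    echo mem > /sys/power/state              # returns only after resume
    for d in $devs; do
        until cryptsetup luksResume "$d"; do :; done   # retry on wrong passphrase
    done
    set_freeze 0
}

# Run only when asked explicitly so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then suspend_with_luks; fi
```

The `luksResume` loop assumes an interactive passphrase prompt is available; a real implementation would also bound the retries and handle non-passphrase errors.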
