[systemd-devel] RFC: luksSuspend support in sleep/sleep.c
Jonas Meurer
jonas at freesources.org
Wed Oct 9 10:20:35 UTC 2019
Hi systemd devs,
We[1] are working on bringing luksSuspend for LUKS devices before system
suspend to Debian. The basic idea is to remove the encryption keys of
encrypted devices from RAM before suspending the system.
While working on it, we figured out that systemd probably is the best
place to implement this. Would you be willed to accept related patches
into systemd? We're still early in the design process, but probably the
relevant parts will be:
* create a minimalist ramfs chroot environment with all required
components to unlock the suspended LUKS encrypted root filesystems.
* freeze most processes before suspending the system to prevent timeouts
when a process asks for resources from suspended block devices before
the block device gets luksResumed.
* luksSuspend all active LUKS devices before suspend in sleep/sleep.c.
* luksResume all formerly active LUKS devices after resume.
* unfreeze/continue all frozen processes.
Lennart's talk[2] about systemd-homed mentions luksSuspend support for
system suspend, but it's limited to home directories. The whole ramfs
foo wouldn't be necessary to do that. So a direct question: would you
still be ok with support for luksSuspending the encrypted root
filesystem in systemd?
Before spending days of work on implementing this in systemd only to get
the patches rejected in the end, we thought it would be better to ask
beforehands ;)
So far, we have a working systemd-independent proof of concept: a
systemd-suspend.service override invokes a shell script[3] that takes
precautions, runs luksSuspend, then suspends the system and runs
luksResume after the system has been resumed.
We're looking forward to your comments :)
Kind regards,
Tim and Jonas
[1] We are Tim and Jonas. For six months, we're funded part-time by the
PrototypeFund to work on luksSuspend before system suspend in
Debian.
[3] https://media.ccc.de/v/ASG2019-164-reinventing-home-directories
[2]
https://salsa.debian.org/mejo/cryptsetup-suspend/blob/master/debian/cryptroot-suspend/cryptroot-suspend.c
and
https://salsa.debian.org/mejo/cryptsetup-suspend/blob/master/debian/cryptroot-suspend/cryptroot-suspend-wrapper
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20191009/379ceee7/attachment.sig>
More information about the systemd-devel
mailing list