=======================================
How to use dm-crypt and swsusp together
=======================================

Author: Andreas Steinmetz <ast@domdv.de>


Some prerequisites:
You know how dm-crypt works. If not, visit the following web page:
http://www.saout.de/misc/dm-crypt/
You have read Documentation/power/swsusp.rst and understand it.
You have read Documentation/admin-guide/initrd.rst and know how an initrd works.
You know how to create or how to modify an initrd.

Now your system is properly set up, your disk is encrypted except for
the swap device(s) and the boot partition, which may contain a mini
system for crypto setup and/or rescue purposes. You may even have
an initrd that does your current crypto setup already.

At this point you want to encrypt your swap, too. Still you want to
be able to suspend using swsusp. This, however, means that you
have to be able to either enter a passphrase or read the key(s)
from an external device like a pcmcia flash disk or a USB stick
prior to resume. So you need an initrd that sets up dm-crypt and
then asks swsusp to resume from the encrypted swap device.

The most important thing is that you set up dm-crypt in such
a way that the swap device you suspend to/resume from always has
the same major/minor within the initrd as well as within your
running system. The easiest way to achieve this is to always set
up this swap device first with dmsetup, so that it will always
look like the following::

  brw------- 1 root root 254, 0 Jul 28 13:37 /dev/mapper/swap0

Now set up your kernel to use /dev/mapper/swap0 as the default
resume partition, so your kernel .config contains::

  CONFIG_PM_STD_PARTITION="/dev/mapper/swap0"

Prepare your boot loader to use the initrd you will create or
modify. For lilo the simplest setup looks like the following
lines::

  image=/boot/vmlinuz
    initrd=/boot/initrd.gz
    label=linux
    append="root=/dev/ram0 init=/linuxrc rw"

Finally you need to create or modify your initrd. Let's assume
you create an initrd that reads the required dm-crypt setup
from a pcmcia flash disk card. The card is formatted with an ext2
fs which resides on /dev/hde1 when the card is inserted. The
card contains at least the encrypted swap setup in a file
named "swapkey". /etc/fstab of your initrd contains something
like the following::

  /dev/hda1 /mnt ext3 ro 0 0
  none /proc proc defaults,noatime,nodiratime 0 0
  none /sys sysfs defaults,noatime,nodiratime 0 0

/dev/hda1 contains an unencrypted mini system that sets up all
of your crypto devices, again by reading the setup from the
pcmcia flash disk. What follows now is a /linuxrc for your
initrd that allows you to resume from encrypted swap and that
continues boot with your mini system on /dev/hda1 if resume
does not happen::

  #!/bin/sh
  PATH=/sbin:/bin:/usr/sbin:/usr/bin
  mount /proc
  mount /sys
  mapped=0
  # resume only if neither "noresume" nor any init argument was given
  noresume=`grep -c noresume /proc/cmdline`
  if [ "$*" != "" ]
  then
    noresume=1
  fi
  dmesg -n 1
  /sbin/cardmgr -q
  # wait up to ten half-second intervals for the pcmcia flash disk to appear
  for i in 1 2 3 4 5 6 7 8 9 0
  do
    if [ -f /proc/ide/hde/media ]
    then
      usleep 500000
      mount -t ext2 -o ro /dev/hde1 /mnt
      if [ -f /mnt/swapkey ]
      then
        # the key file holds the dm-crypt table for the swap device
        dmsetup create swap0 /mnt/swapkey > /dev/null 2>&1 && mapped=1
      fi
      umount /mnt
      break
    fi
    usleep 500000
  done
  killproc /sbin/cardmgr
  dmesg -n 6
  if [ "$mapped" = 1 ]
  then
    if [ "$noresume" != 0 ]
    then
      # not resuming: reinitialize swap so no stale image is ever resumed
      mkswap /dev/mapper/swap0 > /dev/null 2>&1
    fi
    # 254:0 is the major:minor of /dev/mapper/swap0; if an image is found
    # the kernel resumes and this script never continues past this line
    echo 254:0 > /sys/power/resume
    dmsetup remove swap0
  fi
  # no resume: switch to the mini system on /dev/hda1 and continue booting
  umount /sys
  mount /mnt
  umount /proc
  cd /mnt
  pivot_root . mnt
  mount /proc
  umount -l /mnt
  umount /proc
  exec chroot . /sbin/init $* < dev/console > dev/console 2>&1

Please don't mind the weird loop above; busybox's msh doesn't know
the let statement. Now, what is happening in the script?
First we have to decide whether we want to try to resume or not.
We will not resume if the kernel was booted with "noresume" or with
any parameters for init, such as "single" or "emergency".

Then we need to set up dm-crypt with the setup data from the
pcmcia flash disk. If this succeeds and we don't want to resume,
we need to reinitialize the swap device with mkswap so that no stale
suspend image is resumed later. The line "echo 254:0 > /sys/power/resume"
then attempts to resume from the first device mapper device.
Note that it is important to set the device in /sys/power/resume
regardless of whether you are resuming or not; otherwise a later
suspend will fail. If resume starts, script execution terminates here.

Otherwise we just remove the encrypted swap device and leave it to the
mini system on /dev/hda1 to set the whole crypto up (it is up to
you to modify this to your taste).

What then follows is the well known process to change the root
file system and continue booting from there. I prefer to unmount
the initrd prior to continuing to boot, but it is up to you to modify
this.
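The script above hard-codes the device number "254:0", which is only right as long as /dev/mapper/swap0 really is the first device-mapper device. As an added example that is not part of the original document, the following shell functions derive the major:minor from the device node itself and refuse to write to /sys/power/resume if it differs from the value the kernel was built for, so a wrong device is never handed to swsusp. The expected value, the function names, and the use of stat -c '%t:%T' and $((0x...)) arithmetic are assumptions (busybox ash and dash support them; the msh mentioned above may not).

```shell
#!/bin/sh
# Added example (not from the original document): compute the major:minor of
# the mapped swap device instead of hard-coding "254:0" in the initrd, and
# refuse to write it to /sys/power/resume unless it matches the number the
# kernel was built for (CONFIG_PM_STD_PARTITION="/dev/mapper/swap0" -> 254:0).
# Assumed available: stat -c '%t:%T' and $((0x..)) hex arithmetic (busybox ash, dash).

EXPECTED_RESUME="254:0"      # device number the kernel expects for /dev/mapper/swap0

# "fe:0" (hex, as printed by stat) -> "254:0" (decimal, as /sys/power/resume wants)
devnum_from_hex() {
    echo "$(( 0x${1%%:*} )):$(( 0x${1##*:} ))"
}

# Decimal major:minor of a block device node; fails if the node is missing or
# not a block device, i.e. if "dmsetup create swap0" did not succeed.
devnum_of() {
    [ -b "$1" ] || return 1
    devnum_from_hex "$(stat -c '%t:%T' "$1")"
}

# True only when the actual device number equals the expected one.  A mismatch
# means another device-mapper device was created before swap0, so the initrd
# and the running system no longer agree on which device holds the image.
check_resume_dev() {
    [ "$1" = "$2" ]
}

# Replacement for the "echo 254:0 > /sys/power/resume" line: verify, then write.
resume_from() {
    dev=$(devnum_of "$1") || { echo "resume: $1 is not a block device" >&2; return 1; }
    if ! check_resume_dev "$dev" "$EXPECTED_RESUME"; then
        echo "resume: $1 is $dev, expected $EXPECTED_RESUME, not resuming" >&2
        return 1
    fi
    echo "$dev" > /sys/power/resume
}
```

In the /linuxrc above, "resume_from /dev/mapper/swap0" would replace the echo line; on a mismatch the script falls through to the normal boot instead of pointing the kernel at the wrong device.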