[Pkg-cryptsetup-devel] Bug#477658: [cryptsetup] problem related to resuming from encrypted swap partition

spam2008 at meeque.de spam2008 at meeque.de
Thu Apr 24 10:39:11 UTC 2008


Package: cryptsetup
Version: 2:1.0.6-1
Severity: normal

--- Please enter the report below this line. ---

Hi everyone!


I'm running a Debian system with both encrypted root and swap
partitions. I have been experiencing a problem with suspend-to-disk and
the subsequent resume operation that involves the encrypted swap
partition. I tracked the problem down to a bug in the cryptsetup
package. In the following, I'll try to explain the problem and suggest
both a workaround and bugfix...


Problem:

I don't know the exact suspend-to-disk method I use, since I simply
select "Hibernate" from Gnome's shutdown dialog. However, it is apparent
that the swap partition is used to store RAM contents and that
initramfs is doing most of the resume work. In case of a LUKS encrypted
swap partition cryptsetup has to provide access to that partition during
the boot.

For that purpose cryptsetup installs a hook script for initramfs-tools,
namely "/usr/share/initramfs-tools/hooks/cryptroot". That script is
supposed to identify all partitions that may need to be decrypted by
initramfs during boot. This includes the root partition and any swap
partition used for resume.

In my case information about the swap partition to use for resume is
found in the configuration file "/etc/initramfs-tools/conf.d/resume". I
think the Debian Installer created this file. Usually it only contains
one line, in my case: "RESUME=/dev/mapper/cryptoswap".

Line 69 of "/usr/share/initramfs-tools/hooks/cryptroot" tries to use
this file to determine which partitions to decrypt during boot. However,
the sed script used seems to be buggy. It assumes whitespace where none
is present:

	device=$(sed -rn 's/^RESUME[[:space:]]+=[[:space:]]+// p' \
	/etc/initramfs-tools/conf.d/resume)

Therefore the encrypted swap device is never added to the list of
devices to encrypt during boot.


Workaround:

The trivial workaround of adding appropriate whitespace around the "="
in the configuration file does not work very well. While this is a
workaround for the mentioned bug, it does break other scripts. There is
at least one script that tries to source the configuration file and then
use the contents of the environment variable "RESUME". However, the
syntax for setting an environment variable does not allow any whitespace
there.

To enable both kinds of usage of the configuration file I added a
duplicate line, and thus changed it to:

RESUME = /dev/mapper/cryptoswap
RESUME=/dev/mapper/cryptoswap

This actually fixed my problem of resuming from my encrypted swap
partition. However it seems quite messy!


Suggested Bugfix:

IMHO the bug should be fixed in
"/usr/share/initramfs-tools/hooks/cryptroot" itself. I did not try that
yet, since I did not want to modify any files outside of "/etc".
However, changing line 69 to either of the following might do the trick:

	device=$(sed -rn 's/^RESUME[[:space:]]?=[[:space:]]?// p' \
	/etc/initramfs-tools/conf.d/resume)

	device=$(sed -rn 's/^RESUME=// p' \
	/etc/initramfs-tools/conf.d/resume)

Alternatively the script could be modified so that it sources the
configuration file and then uses the variable "RESUME" to determine the
device to decrypt. As mentioned, that seems to be the way other scripts
do it.


Conclusion:

I don't know if my use of encrypted partitions is correct let alone
typical. But for me it seems to work, except for the mentioned bug. So
I'd be happy to see it fixed. Otherwise, could anyone point me to a
better way to resume from an encrypted swap partition?

BTW, I don't report Debian bugs too often. Sorry. I already tried to
report this last week, using "reportbug" and "sendmail", but it didn't
seem to work. Now I'm trying with "reportbug-ng" and "icedove". I
apologize if this should be a duplicate after all.


Regards,
Michael Riedel


--- System information. ---
Architecture: amd64
Kernel:       Linux 2.6.24-1-amd64

Debian Release: lenny/sid
  500 testing         www.debian-multimedia.org
  500 testing         security.debian.org
  500 testing         ftp.nz.debian.org

--- Package information. ---
Depends                     (Version) | Installed
=====================================-+-===============
dmsetup                               | 2:1.02.24-4
libc6                      (>= 2.7-1) | 2.7-10
libdevmapper1.02.1     (>= 2:1.02.20) | 2:1.02.24-4
libpopt0                    (>= 1.10) | 1.10-3
libuuid1                              | 1.40.8-2
initramfs-tools                       | 0.91e
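
The three ways of reading the RESUME setting discussed in the report, run side by side as an added example (not part of the original message and not the cryptroot hook's own code). The function names, the tolerant pattern and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. All file contents below are constructed samples.

# Same regex as the line quoted in the report: whitespace is required
# on both sides of "=".
resume_strict() {
    sed -rn 's/^RESUME[[:space:]]+=[[:space:]]+//p' "$1"
}

# Assumed tolerant variant: whitespace is optional; first match only.
resume_tolerant() {
    sed -rn 's/^RESUME[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Sourcing, as the report says other scripts do. This executes the file
# as shell code, so it is done in a subshell. "RESUME = x" is then a
# command named RESUME, not an assignment, and the variable stays empty.
resume_sourced() {
    ( set +e; RESUME=; . "$1" 2>/dev/null; printf '%s\n' "$RESUME" )
}

tmp=$(mktemp -d)
printf 'RESUME=/dev/mapper/cryptoswap\n' > "$tmp/nospace"
printf 'RESUME = /dev/mapper/cryptoswap\n' > "$tmp/spaced"
printf 'RESUME = /dev/mapper/cryptoswap\nRESUME=/dev/mapper/cryptoswap\n' \
    > "$tmp/both"

# One row per sample file; [] means the reader found no device.
for f in nospace spaced both; do
    printf '%-8s strict=[%s] tolerant=[%s] sourced=[%s]\n' "$f" \
        "$(resume_strict "$tmp/$f")" \
        "$(resume_tolerant "$tmp/$f")" \
        "$(resume_sourced "$tmp/$f")"
done
rm -rf "$tmp"
```

An empty strict result for the "nospace" file means the swap device would be left out of the initramfs device list, which is the failure the report describes.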





