One of the interesting kernel configs needed for TuxOnIce when using an initramfs, which we will be doing because of the encryption, is that you must enable
Otherwise, when Linux boots it will attempt to resume before the initramfs runs. This is undesirable because our filesystems are encrypted, so it won't find the resume file. This config tells it not to attempt a resume just yet. However, once the initramfs has finished, TOI will not resume on its own either: it expects you to manually write to the TuxOnIce /sys interface to tell it exactly when it is OK to resume. For our purposes we want to make this call from our initramfs after the user has successfully decrypted the filesystem.
What we use for encrypting our partition:
dm-crypt – backend for our encrypted filesystem.
cryptsetup – frontend for the initial formatting, opening and closing of encrypted filesystems.
lvm – the reason for using this in addition to our encrypted filesystem is to allow the swap partition to be encrypted as well.
Essentially we are using one encrypted partition which LVM will recognize, once decrypted, as two logical partitions, in our case swap and root. Using LVM you can have as many partitions as you'd like, and they all benefit from being encrypted because physically they are one partition.
Make sure that your kernel has either built-in support or modules for dm-crypt. If you use modules, make sure the initramfs loads the modules you require. Personally, for the crypto APIs I build everything into the kernel for simplicity.
The initial setup of your Gentoo system is the same as the gentoo-handbook guide until the part where you are creating the filesystem partitions. Here we will deviate. Create two partitions. One for /boot and the other which will be our encrypted container partition.
For our example these partitions will be /dev/sda1 and /dev/sda2.
modprobe the dm-crypt, aes and sha256 modules. At this point we can encrypt the /dev/sda2 partition.
cryptsetup luksFormat /dev/sda2 — here you can set up your password.
Now to open (decrypt) the partition we just created.
cryptsetup luksOpen /dev/sda2 root — root in this case is the name of our LUKS device; just make sure this name is used consistently.
LVM – here we will create the logical drives from our now-accessible partition.
vgcreate vg /dev/mapper/root
Now create the logical drives as you see fit. Here we will create two logical drives (partitions). One for root and one for swap.
lvcreate -L 40G -n root vg — here vg is the volume group we created before and -L specifies the size of the partition. This is /.
lvcreate -L 1G -n swap vg — and this one is for swap.
Now we continue setting up our drives as normal according to the gentoo-handbook installation guide.
mke2fs -j -L root /dev/vg/root — just note the device path is now a bit different due to LVM. They behave like any other block device, though.
mkswap -L swap /dev/vg/swap
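The luksFormat, luksOpen, vgcreate, lvcreate and mkfs steps above, collected into one parameterised script as an added example (this is not code from the original post). The device, LUKS name, volume group name and sizes default to the post's values and can be overridden from the environment; DRY_RUN=1, the default, only prints the commands, and the pre-format guard is an assumption added here.

```shell
#!/bin/sh
# Added example, not part of the original post. Encodes the luksFormat ->
# luksOpen -> vgcreate -> lvcreate -> mkfs sequence. Device, LUKS name,
# VG name and sizes default to the post's values; override via environment.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

CRYPT_DEV="${CRYPT_DEV:-/dev/sda2}"
LUKS_NAME="${LUKS_NAME:-root}"   # same name must be used by luksOpen and vgcreate
VG_NAME="${VG_NAME:-vg}"
ROOT_SIZE="${ROOT_SIZE:-40G}"
SWAP_SIZE="${SWAP_SIZE:-1G}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Guard for the destructive luksFormat (assumed, not from the post): the
# target must be a real block device and must not be mounted anywhere.
# Only enforced when actually executing, not in dry-run mode.
check_device() {
    dev="$1"
    [ "$DRY_RUN" = 1 ] && return 0
    [ -b "$dev" ] || { echo "refusing: $dev is not a block device" >&2; return 1; }
    if grep -qs "^$dev " /proc/mounts; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    return 0
}

setup_crypt_lvm() {
    check_device "$CRYPT_DEV" || return 1
    for m in dm-crypt aes sha256; do run modprobe "$m"; done
    run cryptsetup luksFormat "$CRYPT_DEV"             # prompts for the passphrase
    run cryptsetup luksOpen "$CRYPT_DEV" "$LUKS_NAME"   # appears as /dev/mapper/$LUKS_NAME
    run vgcreate "$VG_NAME" "/dev/mapper/$LUKS_NAME"    # VG lives inside the LUKS container
    run lvcreate -L "$ROOT_SIZE" -n root "$VG_NAME"
    run lvcreate -L "$SWAP_SIZE" -n swap "$VG_NAME"     # swap is therefore encrypted too
    run mke2fs -j -L root "/dev/$VG_NAME/root"
    run mkswap -L swap "/dev/$VG_NAME/swap"
}

setup_crypt_lvm
```

Run it once with the default DRY_RUN=1 to review the exact command list for your device names, then with DRY_RUN=0 as root to apply it.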
After this part you continue the Gentoo installation as per the usual http://www.gentoo.org/doc/en/handbook/.
The next thing to note is that to boot properly you will need an initramfs with cryptsetup and the other required tools built statically and available on the initramfs itself. Also, for TuxOnIce you will need to copy in tuxoniceui_text and/or tuxoniceui_fbsplash. The details of configuring the initramfs will be covered in Part 2 along with the TuxOnIce configuration setup.
Part 2 – Creating the initramfs (Coming Soon)