Diffstat (limited to 'linhes/mkinitcpio-openswap')
-rw-r--r--linhes/mkinitcpio-openswap/LICENSE21
-rw-r--r--linhes/mkinitcpio-openswap/PKGBUILD28
-rw-r--r--linhes/mkinitcpio-openswap/openswap.conf62
-rw-r--r--linhes/mkinitcpio-openswap/openswap.hook24
-rw-r--r--linhes/mkinitcpio-openswap/openswap.install76
-rw-r--r--linhes/mkinitcpio-openswap/usage.install9
6 files changed, 220 insertions, 0 deletions
diff --git a/linhes/mkinitcpio-openswap/LICENSE b/linhes/mkinitcpio-openswap/LICENSE
new file mode 100644
index 0000000..870dd64
--- /dev/null
+++ b/linhes/mkinitcpio-openswap/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2016 Fabio Tea
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/linhes/mkinitcpio-openswap/PKGBUILD b/linhes/mkinitcpio-openswap/PKGBUILD
new file mode 100644
index 0000000..ac3bb14
--- /dev/null
+++ b/linhes/mkinitcpio-openswap/PKGBUILD
@@ -0,0 +1,28 @@
+# Maintainer: Jenya Sovetkin <e.sovetkin@gmail.com>
+# Maintainer: Adam Bambuch <adam.bambuch2@gmail.com>
+# Contributors: https://aur.archlinux.org/account/f4bio
+pkgname=mkinitcpio-openswap
+pkgver=0.1.1
+pkgrel=1
+pkgdesc="mkinitcpio hook to open swap at boot time"
+arch=(any)
+license=('unknown')
+url="https://aur.archlinux.org/packages/mkinitcpio-openswap/"
+depends=(mkinitcpio)
+backup=('etc/openswap.conf')
+install="usage.install"
+source=('openswap.hook'
+ 'openswap.install'
+ 'openswap.conf')
+sha256sums=('9e836a588098f2811e651e60dae98096aa59db8a402bc9cb94c42000a5052e3a'
+ '2d60c98d4bd54134a5a4543848ecc7bce598e6faa7bd96a2df0a4767f6e9f3dd'
+ '71516c53543d7deca0fa25efcbf91ca0df869ec0a9fac1ec94e587b18e064c16')
+
+package() {
+ install -Dm 644 openswap.hook \
+ "${pkgdir}/usr/lib/initcpio/hooks/openswap"
+ install -Dm 644 openswap.install \
+ "${pkgdir}/usr/lib/initcpio/install/openswap"
+ install -Dm 644 openswap.conf \
+ "${pkgdir}/etc/openswap.conf"
+}
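Review bot: `license=('unknown')` contradicts the MIT LICENSE file added in this same commit, and that file is neither listed in `source` nor installed by `package()`. Declare `license=('MIT')`, add `LICENSE` to `source` with its own `sha256sums` entry, and install it, conventionally with `install -Dm 644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"`. The MIT text itself requires the notice to accompany copies, so shipping it keeps the package metadata accurate for anyone auditing what goes into the initramfs tooling.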
diff --git a/linhes/mkinitcpio-openswap/openswap.conf b/linhes/mkinitcpio-openswap/openswap.conf
new file mode 100644
index 0000000..6ca341a
--- /dev/null
+++ b/linhes/mkinitcpio-openswap/openswap.conf
@@ -0,0 +1,62 @@
+## cryptsetup open $swap_device $crypt_swap_name
+## get uuid using e.g. lsblk -f
+swap_device=/dev/disk/by-uuid/2788eb78-074d-4424-9f1d-ebffc9c37262
+crypt_swap_name=cryptswap
+
+## unlock_method can be either password, keyfile or keyfile_raw
+## keyfile will use the keyfile_device and keyfile_filename to unlock the swap
+## keyfile_raw will use the keyfile_device and keyfile_block_number to unlock the swap
+## password will prompt for the password to unlock the swap
+## if unlock_method is not set, then method is keyfile if keyfile_device and keyfile_filename are set
+## otherwise it is password
+unlock_method="password"
+####### WARNING: There is a risk of data loss when using unlock_method="keyfile"
+## You should double-check keyfile_device_mount_options,
+## and note that this method is potentially dangerous regardless.
+## https://docs.kernel.org/power/swsusp.html
+## https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#busybox-based_initramfs
+
+
+## keyfile_device is the device that contains the keyfile
+## set it to the device that contains the keyfile
+## e.g. /dev/mapper/root-device
+####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile OR keyfile_raw
+keyfile_device=
+
+## keyfile_filename is the path to the keyfile on the keyfile_device
+## e.g. /etc/swap.key
+####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile
+keyfile_filename=
+
+## keyfile_block_number is the block number of the keyfile on the keyfile_device
+## e.g. 12345
+## on the ext4 filesystem, you can get the block number using
+## debugfs $keyfile_device
+## extents $keyfile_filename
+## the relevant block number will appear under the Physical column in the output
+####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw
+keyfile_block_number=
+
+## key_size is the size of the key in bytes
+## e.g., 4096
+## This is the size of the keyfile and should match the actual size of the keyfile.
+## You can get the size of the keyfile using: wc -c <keyfile_filename>
+## The openswap script will fail if the keyfile is fragmented,
+## so keyfile_length should not exceed the filesystem block size.
+## For ext4 filesystems, keyfile_length should not exceed 4096 bytes,
+## and it SHOULD be greater than ~200 bytes to avoid inode inlining.
+####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw
+keyfile_length=4096
+
+## additional arguments are given to mount for keyfile_device
+## has to start with --options
+## it is important to use the correct options for your filesystem
+## to prevent any writes to the keyfile device and thus
+## minimize the risk of data loss
+#keyfile_device_mount_options="--options=subvol=__active/__"
+keyfile_device_mount_options="--options=ro,noload"
+
+## additional arguments are given to cryptsetup
+## --allow-discards options is desired in case swap is on SSD partition
+cryptsetup_options="--type luks"
+
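Review bot: The comment block above `keyfile_length=4096` introduces the setting as `key_size`, a name that neither openswap.install nor openswap.hook reads, so a user who sets `key_size=` changes nothing. The first comment line should read `## keyfile_length is the size of the keyfile in bytes`. The `cryptsetup_options` comment should also state that the keyfile_raw branch of the hook, as written in this commit, does not pass these options. The shipped `swap_device` UUID is machine-specific and would be clearer marked as an example, e.g. `## EXAMPLE VALUE - replace with the UUID of your swap partition`.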
diff --git a/linhes/mkinitcpio-openswap/openswap.hook b/linhes/mkinitcpio-openswap/openswap.hook
new file mode 100644
index 0000000..3a237c0
--- /dev/null
+++ b/linhes/mkinitcpio-openswap/openswap.hook
@@ -0,0 +1,24 @@
+run_hook ()
+{
+ ## read openswap configurations
+ source /openswap.conf
+
+ ## Optional: To avoid race conditions
+ x=0;
+ while [ ! -b "$keyfile_device" ] && [ $x -le 10 ]; do
+ x=$((x+1))
+ sleep .2
+ done
+ ## End of optional
+
+ if [ "$unlock_method" = "password" ]; then
+ cryptsetup open $cryptsetup_options "$swap_device" "$crypt_swap_name"
+ elif [ "$unlock_method" = "keyfile" ]; then
+ mkdir openswap_keymount
+ mount $keyfile_device_mount_options "$keyfile_device" openswap_keymount
+ cryptsetup open $cryptsetup_options --key-file "openswap_keymount/$keyfile_filename" "$swap_device" "$crypt_swap_name"
+ umount openswap_keymount
+ elif [ "$unlock_method" = "keyfile_raw" ]; then
+ dd "if=$keyfile_device" "bs=$keyfile_length" "skip=$keyfile_block_number" count=1 | cryptsetup open --key-file=- "$swap_device" "$crypt_swap_name"
+ fi
+}
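Review bot: The `keyfile_raw` branch calls `cryptsetup open` without `$cryptsetup_options`, so the configured `--type luks` (or `--allow-discards`) applies to the password and keyfile methods but is silently ignored here. On the same line `skip=` counts in units of `bs=$keyfile_length`, so the read starts at filesystem block `keyfile_block_number` only when keyfile_length equals the filesystem block size; a shorter keyfile, which openswap.conf permits, would read the wrong offset. In the `keyfile` branch the results of `mkdir` and `mount` are not checked, so a failed mount still runs `cryptsetup` against a path on the initramfs root and then `umount`. The wait loop tests `$keyfile_device` unconditionally, which with the default `unlock_method="password"` and an empty keyfile_device adds roughly two seconds to every boot. The fence below shows the guarded form; the `dd` offset arithmetic is only annotated, since the right fix depends on which `dd` the initramfs provides.

```shell
  # … unchanged: source /openswap.conf …

  ## wait for the key device only when a keyfile method needs it
  if [ "$unlock_method" != "password" ]; then
    x=0
    while [ ! -b "$keyfile_device" ] && [ "$x" -le 10 ]; do
      x=$((x+1))
      sleep .2
    done
  fi

  # … unchanged: password branch …
  elif [ "$unlock_method" = "keyfile" ]; then
    mkdir -p openswap_keymount
    if mount $keyfile_device_mount_options "$keyfile_device" openswap_keymount; then
      cryptsetup open $cryptsetup_options --key-file "openswap_keymount/$keyfile_filename" "$swap_device" "$crypt_swap_name"
      umount openswap_keymount
    else
      echo "openswap: could not mount $keyfile_device, swap not opened" >&2
    fi
  elif [ "$unlock_method" = "keyfile_raw" ]; then
    # NOTE: skip= is counted in bs-sized units; this offset is only correct
    # when keyfile_length equals the filesystem block size.
    dd "if=$keyfile_device" "bs=$keyfile_length" "skip=$keyfile_block_number" count=1 | cryptsetup open $cryptsetup_options --key-file=- "$swap_device" "$crypt_swap_name"
```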
diff --git a/linhes/mkinitcpio-openswap/openswap.install b/linhes/mkinitcpio-openswap/openswap.install
new file mode 100644
index 0000000..65dab09
--- /dev/null
+++ b/linhes/mkinitcpio-openswap/openswap.install
@@ -0,0 +1,76 @@
+build ()
+{
+ grep "swap_device=" /etc/openswap.conf > "$BUILDROOT/openswap.conf"
+ grep "crypt_swap_name=" /etc/openswap.conf >> "$BUILDROOT/openswap.conf"
+ grep "keyfile_device=" /etc/openswap.conf >> "$BUILDROOT/openswap.conf"
+ grep "keyfile_filename=" /etc/openswap.conf >> "$BUILDROOT/openswap.conf"
+ grep "keyfile_device_mount_options=" /etc/openswap.conf >> "$BUILDROOT/openswap.conf"
+ grep "cryptsetup_options=" /etc/openswap.conf >> "$BUILDROOT/openswap.conf"
+ grep "keyfile_block_number=" /etc/openswap.conf >> "$BUILDROOT/openswap.conf"
+ grep "unlock_method=" /etc/openswap.conf >> "$BUILDROOT/openswap.conf"
+ grep "keyfile_length=" /etc/openswap.conf >> "$BUILDROOT/openswap.conf"
+
+ source "$BUILDROOT/openswap.conf"
+
+ if [ -z "$unlock_method" ]; then
+ # unlock_method is not set, determine it based on keyfile_device and keyfile_filename
+ # for backward compatibility.
+ if [ -z "$keyfile_device" ] || [ -z "$keyfile_filename" ]; then
+ unlock_method="password"
+ else
+ unlock_method="keyfile"
+ fi
+ fi
+ echo "unlock_method=$unlock_method" >> "$BUILDROOT/openswap.conf"
+
+ if [ -z "$swap_device" ]; then
+ warning "swap_device variable is not set"
+ fi
+
+ if [ -z "$crypt_swap_name" ]; then
+ warning "crypt_swap_name variable is not set"
+ fi
+
+ if [ "$unlock_method" = "keyfile" ]; then
+ warning "you are using potentially dangerous unlock_method keyfile, please make sure you know what you are doing"
+ warning "https://docs.kernel.org/power/swsusp.html"
+ warning "https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#busybox-based_initramfs"
+ if [ -z "$keyfile_device" ]; then
+ warning "keyfile_device variable is not set and unlock_method is set to keyfile"
+ fi
+ if [ -z "$keyfile_filename" ]; then
+ warning "keyfile_filename variable is not set and unlock_method is set to keyfile"
+ fi
+
+ if [ -z "$keyfile_device_mount_options" ]; then
+ warning "keyfile_device_mount_options variable is not set and unlock_method is set to keyfile"
+ fi
+ fi
+
+ if [ "$unlock_method" = "keyfile_raw" ]; then
+ if [ -z "$keyfile_device" ]; then
+ warning "keyfile_device variable is not set and unlock_method is set to keyfile_raw"
+ fi
+ if [ -z "$keyfile_block_number" ]; then
+ warning "keyfile_block_number variable is not set and unlock_method is set to keyfile_raw"
+ fi
+ if [ -z "$keyfile_length" ]; then
+ warning "keyfile_length variable is not set and unlock_method is set to keyfile_raw"
+ fi
+ fi
+
+ # check if unlock_method is valid
+ if [ "$unlock_method" != "password" ] && [ "$unlock_method" != "keyfile" ] && [ "$unlock_method" != "keyfile_raw" ]; then
+ error "unlock_method is set to $unlock_method, but it can only be password, keyfile or keyfile_raw"
+ error "please change the unlock_method variable in /etc/openswap.conf"
+ exit 1
+ fi
+
+ add_runscript
+}
+help ()
+{
+cat<<HELPEOF
+ This hook opens a swap at boot time
+HELPEOF
+}
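Review bot: Missing mandatory settings for the selected method (`swap_device`, `keyfile_device`, `keyfile_block_number` and the rest) only produce `warning`, so an image is still built whose hook will call cryptsetup, mount or dd with empty arguments at boot. These checks should use `error` and stop the build the same way the final `unlock_method` check does, and that validity check belongs before the per-method checks rather than after them. The `grep` patterns at the top of `build()` are unanchored, so commented lines such as `#keyfile_device_mount_options=...` and the WARNING line containing `unlock_method="keyfile"` are also copied into the image config, which is then sourced. Anchoring each pattern, e.g. `grep '^swap_device=' /etc/openswap.conf`, copies only real assignments. `build()` adds no binaries itself, so the hook presumably relies on the encrypt hook to put cryptsetup into the image; a comment stating that dependency would help.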
diff --git a/linhes/mkinitcpio-openswap/usage.install b/linhes/mkinitcpio-openswap/usage.install
new file mode 100644
index 0000000..3610e9d
--- /dev/null
+++ b/linhes/mkinitcpio-openswap/usage.install
@@ -0,0 +1,9 @@
+post_install() {
+ echo ""
+ echo "Alter /etc/openswap.conf file for your swap device name, keyfiles, etc..."
+ echo ""
+ echo "For more information see: https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#mkinitcpio_hook"
+ echo ""
+ echo "Don't forget to add the openswap hook after encrypt and before resume in your /etc/mkinitcpio.conf and run mkinitcpio -p linux..."
+ echo ""
+}