Encrypt dom0 swap

This encrypts dom0 swap with a randomly generated key, which helps prevent its contents from being recovered later.
QubesOS · Aug 28, 2021 · 5252dca · 5252dca
1 parent e31837f
commit 5252dca
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 0 deletions.
diff --git a/rpm_spec/core-dom0-linux.spec.in b/rpm_spec/core-dom0-linux.spec.in
@@ -143,6 +143,9 @@ install -m 644 system-config/00-qubes-ignore-devices.rules $RPM_BUILD_ROOT%_udev
 install -m 644 system-config/12-qubes-ignore-lvm-devices.rules $RPM_BUILD_ROOT%_udevrulesdir
 install -m 644 system-config/99z-qubes-mark-ready.rules $RPM_BUILD_ROOT%_udevrulesdir
 install -m 644 -D system-config/disable-lesspipe.sh $RPM_BUILD_ROOT/etc/profile.d/zz-disable-lesspipe.sh
+install -m 644 -D system-config/[email protected] $RPM_BUILD_ROOT%_unitdir/[email protected]
+install -m 644 -D system-config/99-qubes-cryptsetup.conf $RPM_BUILD_ROOT%_unitdir/[email protected]/30_qubes.conf
+
 install -m 755 -D system-config/kernel-grub2.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/80-grub2.install
 install -m 755 -D system-config/kernel-xen-efi.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/90-xen-efi.install
 install -m 755 -D system-config/kernel-remove-bls.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/99-remove-bls.install

diff --git a/system-config/75-qubes-dom0.preset b/system-config/75-qubes-dom0.preset
@@ -54,3 +54,4 @@ enable qubesd.service
 enable anti-evil-maid-unseal.service
 enable anti-evil-maid-check-mount-devs.service
 enable anti-evil-maid-seal.service
+enable [email protected]
diff --git a/system-config/99-qubes-cryptsetup.conf b/system-config/99-qubes-cryptsetup.conf
@@ -0,0 +1,8 @@
+[Unit]
+Before=dev-mapper-%i.swap
+Requires=systemd-random-seed.service
+After=systemd-random-seed.service
+
+[Service]
+TimeoutSec=infinity
+ExecStartPost=/sbin/udevadm trigger /dev/mapper/%I
diff --git a/system-config/[email protected] b/system-config/[email protected]
@@ -0,0 +1,29 @@
+# Automatically generated by systemd-cryptsetup-generator
+
+[Unit]
+Description=Cryptography Setup for %I
+Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:[email protected](8)
+SourcePath=/etc/crypttab
+DefaultDependencies=no
+IgnoreOnIsolate=true
+After=cryptsetup-pre.target
+Before=blockdev@dev-mapper-%i.target
+Wants=blockdev@dev-mapper-%i.target
+Conflicts=umount.target
+After=systemd-random-seed.service
+BindsTo=dev-qubes_dom0-swap.device
+After=dev-qubes_dom0-swap.device
+Before=umount.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutSec=0
+KeyringMode=shared
+OOMScoreAdjust=500
+ExecStart=/usr/lib/systemd/systemd-cryptsetup attach 'swap' '/dev/qubes_dom0/swap' '/dev/urandom' 'swap,cipher=aes-xts-plain64,discard,size=512,nofail'
+ExecStop=/usr/lib/systemd/systemd-cryptsetup detach 'swap'
+ExecStartPost=/sbin/mkswap '/dev/mapper/swap'
+
+[Install]
+WantedBy=cryptsetup.target