-
-
Notifications
You must be signed in to change notification settings - Fork 56
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This encrypts dom0 swap with a randomly generated key, which helps prevent its contents from being recovered later.
- Loading branch information
Showing
3 changed files
with
38 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -155,6 +155,8 @@ install -m 644 system-config/12-qubes-ignore-lvm-devices.rules $RPM_BUILD_ROOT%_ | |
| install -m 644 system-config/11-qubes-ignore-zvol-devices.rules $RPM_BUILD_ROOT%_udevrulesdir | ||
| install -m 644 system-config/99z-qubes-mark-ready.rules $RPM_BUILD_ROOT%_udevrulesdir | ||
| install -m 644 -D system-config/disable-lesspipe.sh $RPM_BUILD_ROOT/etc/profile.d/zz-disable-lesspipe.sh | ||
| install -m 644 -D system-config/[email protected] $RPM_BUILD_ROOT%_unitdir/[email protected] | ||
|
|
||
| install -m 755 -D system-config/kernel-grub2.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/80-grub2.install | ||
| install -m 755 -D system-config/kernel-xen-efi.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/90-xen-efi.install | ||
| install -m 755 -D system-config/kernel-remove-bls.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/99-remove-bls.install | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -71,3 +71,4 @@ enable qubesd.service | |
| enable anti-evil-maid-unseal.service | ||
| enable anti-evil-maid-check-mount-devs.service | ||
| enable anti-evil-maid-seal.service | ||
| enable [email protected] | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| [Unit] | ||
| Description=Qubes OS Encrypted Swap | ||
|
|
||
| # This is a dependency of sysinit.target, so it cannot depend on it (deadlock). | ||
| DefaultDependencies=no | ||
|
|
||
| # Do not stop this when trying to isolate a unit. | ||
| IgnoreOnIsolate=true | ||
|
|
||
| # Default dependencies for any encrypted volume. | ||
| After=cryptsetup-pre.target systemd-udevd-kernel.socket systemd-random-seed.service | ||
|
|
||
| # Ensure that this unit comes after its backing device, | ||
| # and is shut down if its backing device is shut down. | ||
| After=dev-qubes_dom0-swap.device | ||
| BindsTo=dev-qubes_dom0-swap.device | ||
|
|
||
| # Ensure that this unit is started before the block device gets used. | ||
| Before=blockdev@dev-mapper-%i.target | ||
| Wants=blockdev@dev-mapper-%i.target | ||
| Requires=systemd-random-seed.service | ||
|
|
||
| # Stop this unit when umounting volumes on shutdown. | ||
| Conflicts=umount.target | ||
| Before=umount.target | ||
|
|
||
| [Service] | ||
| Type=oneshot | ||
| RemainAfterExit=yes | ||
| TimeoutSec=infinity | ||
| ExecStart=/usr/lib/systemd/systemd-cryptsetup attach 'swap' '/dev/qubes_dom0/swap' '/dev/urandom' 'plain,swap,cipher=aes-xts-plain64' | ||
| ExecStop=/usr/lib/systemd/systemd-cryptsetup detach 'swap' | ||
| ExecStartPost=/usr/lib/systemd/systemd-makefs swap '/dev/mapper/swap' | ||
| # Prevent mlock() of the whole locale archive. | ||
| Environment=LC_ALL=C |