Encrypt dom0 swap

DemiMarie · DemiMarie · commit 3780cdc90a6f · 2024-11-20T22:59:31.000-05:00
This encrypts dom0 swap with a randomly generated key, which helps
prevent its contents from being recovered later.
diff --git a/rpm_spec/core-dom0-linux.spec.in b/rpm_spec/core-dom0-linux.spec.in
@@ -155,6 +155,8 @@ install -m 644 system-config/12-qubes-ignore-lvm-devices.rules $RPM_BUILD_ROOT%_
 install -m 644 system-config/11-qubes-ignore-zvol-devices.rules $RPM_BUILD_ROOT%_udevrulesdir
 install -m 644 system-config/99z-qubes-mark-ready.rules $RPM_BUILD_ROOT%_udevrulesdir
 install -m 644 -D system-config/disable-lesspipe.sh $RPM_BUILD_ROOT/etc/profile.d/zz-disable-lesspipe.sh
+install -m 644 -D system-config/systemd-cryptsetup@swap.service $RPM_BUILD_ROOT%_unitdir/systemd-cryptsetup@swap.service
+
 install -m 755 -D system-config/kernel-grub2.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/80-grub2.install
 install -m 755 -D system-config/kernel-xen-efi.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/90-xen-efi.install
 install -m 755 -D system-config/kernel-remove-bls.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/99-remove-bls.install
diff --git a/system-config/75-qubes-dom0.preset b/system-config/75-qubes-dom0.preset
@@ -71,3 +71,4 @@ enable qubesd.service
 enable anti-evil-maid-unseal.service
 enable anti-evil-maid-check-mount-devs.service
 enable anti-evil-maid-seal.service
+enable systemd-cryptsetup@swap.service
diff --git a/system-config/systemd-cryptsetup@swap.service b/system-config/systemd-cryptsetup@swap.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=Qubes OS Encrypted Swap
+
+# This is a dependency of sysinit.target, so it cannot depend on it (deadlock).
+DefaultDependencies=no
+
+# Do not stop this when trying to isolate a unit.
+IgnoreOnIsolate=true
+
+# Default dependencies for any encrypted volume.
+After=cryptsetup-pre.target systemd-udevd-kernel.socket systemd-random-seed.service
+
+# Ensure that this unit comes after its backing device,
+# and is shut down if its backing device is shut down.
+After=dev-qubes_dom0-swap.device
+BindsTo=dev-qubes_dom0-swap.device
+
+# Ensure that this unit is started before the block device gets used.
+Before=blockdev@dev-mapper-%i.target
+Wants=blockdev@dev-mapper-%i.target
+Requires=systemd-random-seed.service
+
+# Stop this unit when umounting volumes on shutdown.
+Conflicts=umount.target
+Before=umount.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutSec=infinity
+ExecStart=/usr/lib/systemd/systemd-cryptsetup attach 'swap' '/dev/qubes_dom0/swap' '/dev/urandom' 'plain,swap,cipher=aes-xts-plain64'
+ExecStop=/usr/lib/systemd/systemd-cryptsetup detach 'swap'
+ExecStartPost=/usr/lib/systemd/systemd-makefs swap '/dev/mapper/swap'
+# Prevent mlock() of the whole locale archive.
+Environment=LC_ALL=C
