From 3780cdc90a6f28cb86dc9b9a37369fda80cadc52 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sat, 28 Aug 2021 11:16:38 -0400
Subject: [PATCH] Encrypt dom0 swap

This encrypts dom0 swap with a randomly generated key, which helps prevent its contents from being recovered later.
---
 rpm_spec/core-dom0-linux.spec.in | 2 ++
 system-config/75-qubes-dom0.preset | 1 +
 system-config/systemd-cryptsetup@swap.service | 35 +++++++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 system-config/systemd-cryptsetup@swap.service

diff --git a/rpm_spec/core-dom0-linux.spec.in b/rpm_spec/core-dom0-linux.spec.in
index 355da35..fbef5ef 100644
--- a/rpm_spec/core-dom0-linux.spec.in
+++ b/rpm_spec/core-dom0-linux.spec.in
@@ -155,6 +155,8 @@ install -m 644 system-config/12-qubes-ignore-lvm-devices.rules $RPM_BUILD_ROOT%_
 install -m 644 system-config/11-qubes-ignore-zvol-devices.rules $RPM_BUILD_ROOT%_udevrulesdir
 install -m 644 system-config/99z-qubes-mark-ready.rules $RPM_BUILD_ROOT%_udevrulesdir
 install -m 644 -D system-config/disable-lesspipe.sh $RPM_BUILD_ROOT/etc/profile.d/zz-disable-lesspipe.sh
+install -m 644 -D system-config/systemd-cryptsetup@swap.service $RPM_BUILD_ROOT%_unitdir/systemd-cryptsetup@swap.service
+
 install -m 755 -D system-config/kernel-grub2.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/80-grub2.install
 install -m 755 -D system-config/kernel-xen-efi.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/90-xen-efi.install
 install -m 755 -D system-config/kernel-remove-bls.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/99-remove-bls.install
diff --git a/system-config/75-qubes-dom0.preset b/system-config/75-qubes-dom0.preset
index aa1a4e2..34325c3 100644
--- a/system-config/75-qubes-dom0.preset
+++ b/system-config/75-qubes-dom0.preset
@@ -71,3 +71,4 @@ enable qubesd.service
 enable anti-evil-maid-unseal.service
 enable anti-evil-maid-check-mount-devs.service
 enable anti-evil-maid-seal.service
+enable systemd-cryptsetup@swap.service
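Review bot: The `%files` section of core-dom0-linux.spec.in is outside this hunk, so it is not visible whether the newly installed `%_unitdir/systemd-cryptsetup@swap.service` is listed there; if it is not, the build will either fail on an unpackaged file or produce a package that silently omits the unit, depending on the unpackaged-files setting. Worth confirming that the path appears in `%files` in the same commit, since the preset change in this patch assumes the unit is shipped.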
diff --git a/system-config/systemd-cryptsetup@swap.service b/system-config/systemd-cryptsetup@swap.service
new file mode 100644
index 0000000..1a5f0be
--- /dev/null
+++ b/system-config/systemd-cryptsetup@swap.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=Qubes OS Encrypted Swap
+
+# This is a dependency of sysinit.target, so it cannot depend on it (deadlock).
+DefaultDependencies=no
+
+# Do not stop this when trying to isolate a unit.
+IgnoreOnIsolate=true
+
+# Default dependencies for any encrypted volume.
+After=cryptsetup-pre.target systemd-udevd-kernel.socket systemd-random-seed.service
+
+# Ensure that this unit comes after its backing device,
+# and is shut down if its backing device is shut down.
+After=dev-qubes_dom0-swap.device
+BindsTo=dev-qubes_dom0-swap.device
+
+# Ensure that this unit is started before the block device gets used.
+Before=blockdev@dev-mapper-%i.target
+Wants=blockdev@dev-mapper-%i.target
+Requires=systemd-random-seed.service
+
+# Stop this unit when umounting volumes on shutdown.
+Conflicts=umount.target
+Before=umount.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutSec=infinity
+ExecStart=/usr/lib/systemd/systemd-cryptsetup attach 'swap' '/dev/qubes_dom0/swap' '/dev/urandom' 'plain,swap,cipher=aes-xts-plain64'
+ExecStop=/usr/lib/systemd/systemd-cryptsetup detach 'swap'
+ExecStartPost=/usr/lib/systemd/systemd-makefs swap '/dev/mapper/swap'
+# Prevent mlock() of the whole locale archive.
+Environment=LC_ALL=C
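Review bot: The comment above `DefaultDependencies=no` says this unit is a dependency of sysinit.target, but nothing in the file makes it one: there is no `[Install]` section, so the `enable systemd-cryptsetup@swap.service` line added to 75-qubes-dom0.preset has nothing to symlink, and there is no `Before=cryptsetup.target` either, so unless something outside this patch (a udev SYSTEMD_WANTS rule or a generated swap unit) pulls it in, the encrypted volume is never set up at boot. Adding `Before=cryptsetup.target` under [Unit] and an `[Install]` section with `WantedBy=cryptsetup.target` would mirror what systemd-cryptsetup-generator emits for crypttab entries and make the preset line effective. The attach options on the ExecStart line leave the key length at the tool's default; pinning it explicitly with `size=256` (or larger) in the option string keeps the cipher strength independent of which systemd version is installed. Since the key is drawn from /dev/urandom on every start, the header comment should also state that this swap cannot back hibernate/resume and that the `swap` option plus `systemd-makefs swap` destroys whatever is on /dev/qubes_dom0/swap at each boot, so the device path must be correct.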