Adding debian version 2:2.6.1-4~deb12u2.debian/2%2.6.1-4_deb12u2 debian

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-17 08:06:26 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-17 08:06:26 +0000
commit: fd888e850cf413955483bfb993aeeea5ea611289 (patch)
tree: 6148fed3d1f30272c48403f4cdefa59c2b7e1513 /debian/scripts
parent: Adding upstream version 2:2.6.1. (diff)
download: cryptsetup-fd888e850cf413955483bfb993aeeea5ea611289.tar.xz
cryptsetup-fd888e850cf413955483bfb993aeeea5ea611289.zip
19 files changed, 1516 insertions, 0 deletions
diff --git a/debian/scripts/cryptdisks_start b/debian/scripts/cryptdisks_start
new file mode 100644
index 0000000..623423f
--- /dev/null
+++ b/debian/scripts/cryptdisks_start
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# cryptdisks_start - wrapper around cryptsetup which parses
+# /etc/crypttab, just like mount parses /etc/fstab.
+
+# Initial code and (c) 2007 Jon Dowland <jon@alcopop.org>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+set -e
+
+. /lib/cryptsetup/cryptdisks-functions
+
+INITSTATE="manual"
+DEFAULT_LOUD="yes"
+FORCE_START="yes"
+
+usage() {
+    local rv="${1:-1}"
+    echo "Usage: $0 [-r|--readonly] <name> [.. <name>]" >&2
+    echo >&2
+    echo "reads $TABFILE and starts the mapping corresponding to <name>" >&2
+    exit $rv
+}
+
+CRYPTTAB_EXTRA_OPTIONS=
+while [ $# -gt 0 ]; do
+    case "$1" in
+        -r|--readonly) CRYPTTAB_EXTRA_OPTIONS="${CRYPTTAB_EXTRA_OPTIONS:+$CRYPTTAB_EXTRA_OPTIONS,}readonly";;
+        -h|--help|-\?) usage 0;;
+        --) shift; break;;
+        -*) echo "Error: unknown option '$1'" >&2; usage 1;;
+        *) break;;
+    esac
+    shift
+done
+[ $# -gt 0 ] || usage 1
+
+if [ $(id -u) -ne 0 ]; then
+    log_warning_msg "$0 needs root privileges"
+    exit 1
+fi
+
+log_action_begin_msg "Starting crypto disk"
+mount_fs
+
+rv=0
+for name in "$@"; do
+    if ! crypttab_find_entry --quiet "$name"; then
+        device_msg "$name" "failed, not found in crypttab"
+        rv=1
+    else
+        if [ -n "$CRYPTTAB_EXTRA_OPTIONS" ]; then
+            CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS"
+            _CRYPTTAB_OPTIONS="$_CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS"
+        fi
+        setup_mapping || rv=$?
+    fi
+done
+umount_fs
+
+log_action_end_msg $rv
+exit $rv
diff --git a/debian/scripts/cryptdisks_stop b/debian/scripts/cryptdisks_stop
new file mode 100644
index 0000000..ea0faaf
--- /dev/null
+++ b/debian/scripts/cryptdisks_stop
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# cryptdisks_stop - wrapper around cryptsetup which parses
+# /etc/crypttab, just like mount parses /etc/fstab.
+
+# Initial code stolen from cryptdisks_start by Jon Dowland <jon@alcopop.org>
+# Copyright (C) 2008 by Jonas Meurer <jonas@freesources.org>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+set -e
+
+if [ $# -lt 1 ]; then
+    echo "usage: $0 <name>" >&2
+    echo >&2
+    echo "reads /etc/crypttab and stops the mapping corresponding to <name>" >&2
+    exit 1
+fi
+
+. /lib/cryptsetup/cryptdisks-functions
+
+INITSTATE="manual"
+DEFAULT_LOUD="yes"
+
+if [ $(id -u) -ne 0 ]; then
+    log_warning_msg "$0 needs root privileges"
+    exit 1
+fi
+
+log_action_begin_msg "Stopping crypto disk"
+
+rv=0
+for name in "$@"; do
+    remove_mapping "$name" || rv=$?
+done
+
+log_action_end_msg $rv
+exit $rv
diff --git a/debian/scripts/decrypt_derived b/debian/scripts/decrypt_derived
new file mode 100644
index 0000000..0e1e418
--- /dev/null
+++ b/debian/scripts/decrypt_derived
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# WARNING: If you use the decrypt_derived keyscript for devices with
+# persistent data (i.e. not swap or temp devices), then you will lose
+# access to that data permanently if something damages the LUKS header
+# of the LUKS device you derive from. The same applies if you luksFormat
+# the device, even if you use the same passphrase(s). A LUKS header
+# backup, or better a backup of the data on the derived device may be
+# a good idea. See the Cryptsetup FAQ on how to do this right.
+
+if [ -z "$1" ]; then
+    echo "$0: must be executed with a crypto device as argument" >&2
+    exit 1
+fi
+
+unset -v keys count
+keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)"
+count="$(printf '%s' "$keys" | wc -l)"
+
+if [ -n "$keys" ] && [ $count -le 1 ]; then
+    if [ "${keys#:}" = "$keys" ]; then
+        printf '%s' "$keys"
+        exit 0
+    else
+        echo "$0: device $1 uses the kernel keyring" >&2
+    fi
+elif [ $count -eq 0 ]; then
+    echo "$0: device $1 doesn't exist or isn't a crypto device" >&2
+else
+    echo "$0: more than one device match" >&2
+fi
+exit 1
diff --git a/debian/scripts/decrypt_gnupg b/debian/scripts/decrypt_gnupg
new file mode 100644
index 0000000..18ab575
--- /dev/null
+++ b/debian/scripts/decrypt_gnupg
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+decrypt_gpg () {
+	echo "Performing GPG symmetric decryption ..." >&2
+	if ! /lib/cryptsetup/askpass "Enter passphrase for key $1: " | \
+		/usr/bin/gpg -q --batch --no-options  \
+		--no-random-seed-file --no-default-keyring \
+		--keyring /dev/null --secret-keyring /dev/null \
+		--trustdb-name /dev/null --passphrase-fd 0 --decrypt -- "$1"; then
+		return 1
+	fi
+	return 0
+}
+
+if [ ! -x /usr/bin/gpg ]; then
+	echo "$0: /usr/bin/gpg is not available" >&2
+	exit 1
+fi
+
+if [ -z "$1" ]; then
+	echo "$0: missing key as argument" >&2
+	exit 1
+fi
+
+decrypt_gpg "$1"
+exit $?
diff --git a/debian/scripts/decrypt_gnupg-sc b/debian/scripts/decrypt_gnupg-sc
new file mode 100644
index 0000000..84eb62c
--- /dev/null
+++ b/debian/scripts/decrypt_gnupg-sc
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+if [ -d "/cryptroot/gnupghome" ]; then
+    export GNUPGHOME="/cryptroot/gnupghome"
+fi
+
+run_gpg() {
+    gpg --no-options --trust-model=always "$@"
+}
+decrypt_gpg () {
+    local console _
+    if ! GPG_TTY="$(tty)"; then
+        read console _ </proc/consoles
+        GPG_TTY="/dev/$console"
+    fi
+    export GPG_TTY
+
+    if ! run_gpg --decrypt -- "$1"; then
+        return 1
+    fi
+    return 0
+}
+
+# `gpg-connect-agent LEARN /bye` is another (lighter) way, but it's
+# harder to retrieve the return code
+if ! run_gpg --batch --quiet --no-tty --card-status >/dev/null; then
+    echo "Please insert OpenPGP SmartCard..." >&2
+    until run_gpg --batch --quiet --no-tty --card-status; do
+        sleep 1
+    done >/dev/null 2>&1
+fi
+
+if [ ! -x /usr/bin/gpg ]; then
+    echo "$0: /usr/bin/gpg is not available" >&2
+    exit 1
+fi
+
+if [ -z "$1" ] || [ ! -f "$1" ]; then
+    echo "$0: missing key as argument" >&2
+    exit 1
+fi
+
+decrypt_gpg "$1"
+exit $?
diff --git a/debian/scripts/decrypt_keyctl b/debian/scripts/decrypt_keyctl
new file mode 100644
index 0000000..6032db0
--- /dev/null
+++ b/debian/scripts/decrypt_keyctl
@@ -0,0 +1,55 @@
+#!/bin/sh
+# decrypt_keyctl - to use in /etc/crypttab as keyscript
+#  Allows to cache passwords for cryptdevices for 60s
+#  The same password is used for for cryptdevices with the same identifier.
+#  The keyfile parameter, which is the third field from /etc/crypttab, is
+#  used as identifier in this keyscript.
+#
+# sample crypttab entries:
+# test1   /dev/sda1    test_pw         luks,keyscript=decrypt_keyctl
+# test2   /dev/sda2    test_pw         luks,keyscript=decrypt_keyctl
+# test3   /dev/sda3    test_other_pw   luks,keyscript=decrypt_keyctl
+#
+#  test1 and test2 have the same identifier thus test2 does not need a password
+#  typed in manually
+
+die()
+{
+    echo "$@" >&2
+    exit 1
+}
+
+if [ -z "${CRYPTTAB_KEY:-}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
+    # store the passphrase in the key name used by systemd-ask-password
+    ID_="cryptsetup"
+else
+    # the keyfile given from crypttab is used as identifier in the keyring
+    # including the prefix "cryptsetup:"
+    ID_="cryptsetup:$CRYPTTAB_KEY"
+fi
+TIMEOUT_='60'
+ASKPASS_='/lib/cryptsetup/askpass'
+PROMPT_="Caching passphrase for ${CRYPTTAB_NAME}: "
+
+
+if ! KID_="$(keyctl search @u user "$ID_" 2>/dev/null)" || \
+        [ -z "$KID_" ] || [ "$CRYPTTAB_TRIED" -gt 0 ]; then
+    # key not found or wrong, ask the user
+    KEY_="$($ASKPASS_ "$PROMPT_")" || die "Error executing $ASKPASS_"
+    if [ -n "$KID_" ]; then
+        # I have cached wrong password and now i may use either `keyctl update`
+        # to update $KID_ or just unlink old key, and add new. With `update` i
+        # may hit "Key has expired", though. So i'll go "unlink and add" way.
+        keyctl unlink "$KID_" @u
+        KID_=""
+    fi
+    KID_="$(printf "%s" "$KEY_" | keyctl padd user "$ID_" @u)"
+    [ -n "$KID_" ] || die "Error adding passphrase to kernel keyring"
+    if ! keyctl timeout "$KID_" "$TIMEOUT_"; then
+        keyctl unlink "$KID_" @u
+        die "Error setting timeout on key ($KID_), removing"
+    fi
+else
+    echo "Using cached passphrase for ${CRYPTTAB_NAME}." >&2
+fi
+keyctl pipe "$KID_"
diff --git a/debian/scripts/decrypt_opensc b/debian/scripts/decrypt_opensc
new file mode 100644
index 0000000..b06fc98
--- /dev/null
+++ b/debian/scripts/decrypt_opensc
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Why not use "openct-tool rwait" instead of polling opensc-tool exit status?
+# Well openct daemon has to be running which interferes with pcscd since both
+# implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't
+# work with the CCID driver in openct, however it does work with pcscd.
+
+# Why not use "opensc-tool --wait" instead of polling opensc-tool exit status?
+# Although opensc-tool --help reports that there is a --wait option, it doesn't
+# seem to be implemented.
+
+check_card() {
+    cardfound=0
+
+    if /usr/bin/opensc-tool -n >/dev/null 2>&1; then
+        cardfound=1
+    fi
+}
+
+wait_card() {
+    check_card
+    if [ $cardfound = 0 ] ; then
+        echo "Waiting for Smart Card..." >&2
+        tries=0
+        while [ $cardfound = 0 ] && [ $tries -lt 60 ] ; do
+            sleep 1
+            check_card
+            tries=$(($tries + 1))
+        done
+        if [ $cardfound = 0 ] ; then
+            echo 'Failed to find Smart Card card!' >&2
+            exit 1
+        fi
+    fi
+}
+
+wait_card
+if [ -x /bin/plymouth ] && plymouth --ping; then
+	# Get pin number from plymouth
+	/usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \
+		--pin "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")"
+else
+	# Get pin number from console
+	/usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw </dev/console 2>/dev/console
+fi
+exit $?
diff --git a/debian/scripts/decrypt_ssl b/debian/scripts/decrypt_ssl
new file mode 100644
index 0000000..6664001
--- /dev/null
+++ b/debian/scripts/decrypt_ssl
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Script to decrypt the key which is encrypted with openssl.
+# See /usr/share/doc/cryptsetup/examples/gen-ssl-key to create such a key.
+#
+
+decrypt_ssl () {
+	echo "" >&2
+	echo "Decrypting ssl key $1..." >&2
+	if ! /usr/bin/openssl enc -aes-256-cbc -d -salt -in "$1" 2>/dev/null; then
+		return 1
+	fi
+	return 0
+}
+
+decrypt_ssl "$1"
+exit $?
diff --git a/debian/scripts/gen-ssl-key b/debian/scripts/gen-ssl-key
new file mode 100644
index 0000000..70a6fb3
--- /dev/null
+++ b/debian/scripts/gen-ssl-key
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# script to generate a keyfile that is encrypted with openssl
+#
+# Written 2005 by Markus Nass <generalstone@gmx.net>
+# Improved 2006 by Jonas Meurer <jonas@freesources.org>
+# Further improved 2006 by Markus Nass <generalstone@gmx.net>
+
+usage() {
+  echo "Usage: $0 <key>"
+  exit 1
+}
+
+if [ -z "${1-}" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+  usage
+fi
+
+if [ -x /usr/bin/openssl ]; then
+	dd if=/dev/random bs=1c count=256 | openssl enc -aes-256-cbc -e -salt >"$1"
+else
+	echo "/usr/bin/openssl is not available" && exit 1
+fi
diff --git a/debian/scripts/luksformat b/debian/scripts/luksformat
new file mode 100644
index 0000000..ae17f79
--- /dev/null
+++ b/debian/scripts/luksformat
@@ -0,0 +1,133 @@
+#!/usr/bin/perl -w
+
+# luksformat - wrapper around LUKS-capable cryptsetup and mkfs for easy
+# creation of an encrypted device.
+#
+# (C) 2005 Canonical Ltd.
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+use Getopt::Long qw(:config pass_through);
+
+BEGIN {
+    eval 'use Locale::gettext';
+    if ($@) {
+        *gettext = sub { shift };
+        *textdomain = sub { "" };
+        *LC_MESSAGES = sub { 5 };
+    }
+    eval {
+        require POSIX;
+        import POSIX qw(setlocale);
+    };
+    if ($@) {
+        *setlocale = sub { return 1 };
+    }
+}
+
+setlocale(LC_MESSAGES, "");
+textdomain("luksformat");
+
+if ($> != 0) {
+    print STDERR gettext("This program needs to be started as root\n");
+    exit 1;
+}
+
+sub usage() {
+    print gettext("luksformat - Create and format an encrypted LUKS device
+Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n\n");
+    exit 1;
+}
+
+# default file system
+$fs = 'vfat';
+exit 1 unless GetOptions ('t|type=s' => \$fs);
+
+GetOptions ('help', \$help);
+if (($#ARGV < 0) || ($help)) {
+    usage();
+}
+
+$device = shift(@ARGV);
+
+open(MOUNTS, "/proc/mounts");
+while (<MOUNTS>) {
+    die sprintf(gettext("Error: device mounted: %s\n"), $device) if (/\Q$device\E/)
+}
+
+if (-x "/usr/sbin/mkfs.$fs") {
+    $mkfs = "/usr/sbin/mkfs.$fs";
+}
+elsif (-x "/usr/bin/mkfs.$fs") {
+    $mkfs = "/usr/bin/mkfs.$fs";
+}
+elsif (-x "/sbin/mkfs.$fs") {
+    $mkfs = "/sbin/mkfs.$fs";
+}
+elsif (-x "/bin/mkfs.$fs") {
+    $mkfs = "/bin/mkfs.$fs";
+}
+else {
+    printf STDERR (gettext("Error: invalid file system: %s\n"), $fs);
+    exit 1;
+}
+
+# generate temporary mapped device name which is not yet used
+$name = "";
+for ($i = 1; $i < 100; $i++) {
+    if (! -e "/dev/mapper/luksformat$i") {
+	$name = "luksformat$i";
+	last;
+    }
+}
+
+$name or die sprintf(gettext("Error: could not generate temporary mapped device name"));
+
+# we do not need to be overly concerned with race conditions here, cryptsetup
+# will just fail if the name already exists now.
+printf (gettext("Creating encrypted device on %s...\n"), $device);
+if ((system 'cryptsetup', 'luksFormat', $device)) {
+    die sprintf(gettext("Could not create LUKS device %s"), $device);
+}
+
+print gettext("Please enter your passphrase again to verify it\n");
+if ((system 'cryptsetup', 'open', '--type', 'luks', $device, $name) != 0) {
+    print STDERR gettext("The passphrases you entered were not identical\n");
+    exit 1;
+}
+
+$result = system $mkfs, "/dev/mapper/$name", @ARGV;
+print "\n";
+system 'udevadm', 'settle', '--timeout=30';
+system 'cryptsetup', 'luksClose', $name;
+
+die sprintf(gettext("Could not format device with file system %s"), $fs) if $result;
+
+__END__
+
+=head1 NAME
+
+luksformat - Create and format an encrypted LUKS device
+
+=head1 SYNOPSIS
+
+B<luksformat> [B<-t> I<fstype>] I<device> [ mkfs options ]
+
+=head1 DESCRIPTION
+
+B<luksformat> is a wrapper around B<cryptsetup> and B<mkfs> which provides an
+easy interface for creating an encrypted device that follows the LUKS standard
+and for putting a file system onto the encrypted device.
+
+The default file system is B<vfat> since that is most commonly used on
+removable devices. However, you can specify any available file system with the
+B<-t> option.
+
+=head1 SEE ALSO
+
+L<cryptsetup(8)>, L<mkfs(8)>
+
+=head1 AUTHOR
+
+This program was written by Martin Pitt <martin.pitt@ubuntu.com>.
diff --git a/debian/scripts/passdev.c b/debian/scripts/passdev.c
new file mode 100644
index 0000000..845ccae
--- /dev/null
+++ b/debian/scripts/passdev.c
@@ -0,0 +1,286 @@
+/*
+ * passdev.c - waits for a given device to appear, mounts it and reads a
+ *             key from it which is piped to stdout.
+ *
+ * Copyright (C) 2008   David Härdeman <david@hardeman.nu>
+ *
+ * This package is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This package is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this package; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ */
+
+
+#define _DEFAULT_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/mount.h>
+
+static bool do_debug = false;
+
+static void
+debug(const char *fmt, ...)
+{
+	va_list ap;
+
+	if (!do_debug)
+		return;
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+}
+
+static bool
+do_mount(const char *device, const char *dir)
+{
+	pid_t pid;
+	int status;
+	char *fstypes[] = { "ext4", "ext3", "ext2", "vfat", "btrfs", "reiserfs", "xfs", "jfs", "ntfs", "iso9660", "udf" };
+	int fsindex;
+
+	if (!device || !dir)
+		return false;
+
+	for (fsindex = 0;
+	     fsindex < (sizeof(fstypes) / sizeof(fstypes[0]));
+	     fsindex++)
+	{
+		pid = fork();
+		if (pid < 0) {
+			/* Error */
+			return false;
+		} else if (pid > 0) {
+			/* We're in the parent process */
+			do {
+				waitpid(pid, &status, 0);
+			} while (!WIFEXITED(status) && !WIFSIGNALED(status));
+			if (WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS)
+				return true;
+
+			/* Let's try another fstype */
+			continue;
+		} else {
+			/* We're in the child process */
+			debug("Mounting %s at %s\n", device, dir);
+			close(STDIN_FILENO);
+			close(STDOUT_FILENO);
+			close(STDERR_FILENO);
+			open("/dev/null", O_RDONLY, 0);
+			open("/dev/null", O_WRONLY, 0);
+			open("/dev/null", O_WRONLY, 0);
+			execl("/bin/mount", "/bin/mount", "-n", "-t",
+			      fstypes[fsindex],
+			      /*"ext4,ext3,ext2,vfat,btrfs,reiserfs,xfs,jfs,ntfs,iso9660,udf",*/
+			      "-o", "noatime,nodiratime,nodev,noexec,nosuid,ro",
+			      device, dir, (char *)NULL);
+
+			/* If execl works, we won't end up here */
+			exit(EXIT_FAILURE);
+		}
+	}
+
+	/* We've tried all fstypes with no luck */
+	return false;
+}
+
+int
+main(int argc, char **argv, char **envp)
+{
+	char *debugval;
+	char *devpath;
+	char *filepath;
+	struct stat st;
+	char *tmppath;
+	char tpath[] = "/tmp/passdev.XXXXXX";
+	char *keypath;
+	int fd;
+	size_t toread;
+	size_t bytesread;
+	char *keybuffer;
+	size_t towrite;
+	size_t byteswritten;
+	ssize_t bytes;
+	char *to;
+	int timeout = 0;
+	bool do_timeout = false;
+
+	/* We only take one argument */
+	if (argc != 2) {
+		fprintf(stderr, "Incorrect number of arguments\n");
+		goto error;
+	}
+
+	/* If DEBUG=1 is in the environment, enable debug messages */
+	debugval = getenv("DEBUG");
+	if (debugval && atoi(debugval) > 0)
+		do_debug = true;
+
+	/* Split string into device and path (and timeout) */
+	devpath = argv[1];
+	filepath = strchr(devpath, ':');
+	if (!filepath || !(*filepath) || !(*(filepath + 1))) {
+		fprintf(stderr, "Invalid key path\n");
+		goto error;
+	}
+	*filepath = '\0';
+	filepath++;
+	to = strchr(filepath, ':');
+	if (to && (*to) && (*(to + 1))) {
+		*to = '\0';
+		to++;
+		timeout = atoi(to);
+		if (timeout > 0)
+			do_timeout = true;
+	}
+	debug("Path is %p and filepath is %p\n", devpath, filepath);
+	if (do_timeout)
+		debug("Timeout is %i\n",timeout);
+
+	/* Wait until device is available */
+	if (access(devpath, F_OK)) {
+		debug("Waiting for %s\n", devpath);
+		while(access(devpath, F_OK)) {
+			sleep(1);
+			if (do_timeout) {
+				if (timeout <= 0)
+					break;
+				timeout--;
+			}
+		}
+	}
+
+	/* Make sure device is a blockdev */
+	if (stat(devpath, &st)) {
+		fprintf(stderr, "Unable to stat %s\n", devpath);
+		goto error;
+	} else if (!S_ISBLK(st.st_mode)) {
+		fprintf(stderr, "%s is no block device\n", devpath);
+		goto error;
+	}
+
+	/* Create a tmp dir where we mount the device */
+	tmppath = mkdtemp(tpath);
+	if (!tmppath) {
+		fprintf(stderr, "Failed to create temporary directory\n");
+		goto error;
+	}
+
+	/* Ok, mount it */
+	if (!do_mount(devpath, tmppath)) {
+		fprintf(stderr, "Failed to mount %s\n", devpath);
+		goto error_rmdir;
+	}
+
+	/* Generate the full path to the keyfile */
+	keypath = malloc(strlen(tmppath) + 1 + strlen(filepath) + 1);
+	if (!keypath) {
+		fprintf(stderr, "Failed to allocate memory\n");
+		goto error_umount;
+	}
+	sprintf(keypath, "%s/%s", tmppath, filepath);
+
+	/* Check that the keyfile exists */
+	if (access(keypath, F_OK)) {
+		fprintf(stderr, "Keyfile doesn't exist\n");
+		goto error_free;
+	}
+
+	/* Get the size of the keyfile */
+	if (stat(keypath, &st)) {
+		fprintf(stderr, "Unable to stat keyfile\n");
+		goto error_free;
+	}
+
+	/* Check the size of the keyfile */
+	if (st.st_size < 0) {
+		fprintf(stderr, "Invalid keyfile size\n");
+		goto error_free;
+	}
+	toread = (size_t)st.st_size;
+
+	/* Open the keyfile */
+	if ((fd = open(keypath, O_RDONLY)) < 0) {
+		fprintf(stderr, "Failed to open keyfile\n");
+		goto error_free;
+	}
+
+	/* Allocate a buffer for the keyfile contents */
+	keybuffer = malloc(toread);
+	if (!keybuffer) {
+		fprintf(stderr, "Failed to allocate memory\n");
+		goto error_close;
+		exit(EXIT_FAILURE);
+	}
+
+	/* Read the keyfile */
+	bytesread = 0;
+	while (bytesread < toread) {
+		bytes = read(fd, keybuffer + bytesread, toread - bytesread);
+		if (bytes <= 0) {
+			fprintf(stderr, "Failed to read entire key\n");
+			goto error_keybuffer;
+		}
+		bytesread += bytes;
+	}
+
+	/* Clean up */
+	close(fd);
+	free(keypath);
+	umount(tmppath);
+	rmdir(tmppath);
+
+	/* Write result */
+	byteswritten = 0;
+	towrite = toread;
+	while (byteswritten < towrite) {
+		bytes = write(STDOUT_FILENO, keybuffer + byteswritten,
+			      towrite - byteswritten);
+		if (bytes <= 0) {
+			fprintf(stderr, "Failed to write entire key\n");
+			memset(keybuffer, 0, toread);
+			free(keybuffer);
+			goto error;
+		}
+		byteswritten += bytes;
+	}
+
+	/* Clean up */
+	memset(keybuffer, 0, toread);
+	free(keybuffer);
+
+	/* Done */
+	exit(EXIT_SUCCESS);
+
+	/* Error handling */
+error_keybuffer:
+	memset(keybuffer, 0, toread);
+	free(keybuffer);
+error_close:
+	close(fd);
+error_free:
+	free(keypath);
+error_umount:
+	umount(tmppath);
+error_rmdir:
+	rmdir(tmppath);
+error:
+	exit(EXIT_FAILURE);
+}
+
diff --git a/debian/scripts/po/Makefile b/debian/scripts/po/Makefile
new file mode 100644
index 0000000..9eb8acf
--- /dev/null
+++ b/debian/scripts/po/Makefile
@@ -0,0 +1,39 @@
+XGETTEXT = xgettext
+MSGFMT = msgfmt
+MSGMERGE = msgmerge
+
+LOCALEDIR = /usr/share/locale
+
+.SUFFIXES: .po .mo .pot
+
+%.mo: %.po
+	$(MSGFMT) -o $@ $<
+
+PO = $(wildcard *.po)
+LANG = $(basename $(PO))
+MO = $(addsuffix .mo,$(LANG))
+SOURCES = ../luksformat
+
+all: update $(MO)
+update: luksformat.pot
+	-@for po in $(PO); do \
+	echo -n "Updating $$po"; \
+	$(MSGMERGE) -U $$po luksformat.pot; \
+	done;
+
+luksformat.pot: $(SOURCES)
+	$(XGETTEXT) -c -L Perl -kgtx \
+	--msgid-bugs-address=pkg-cryptsetup-devel@alioth-lists.debian.net \
+	-o $@ $(SOURCES)
+
+install: all
+	for i in $(MO) ; do \
+	  t=$(DESTDIR)/$(LOCALEDIR)/`basename $$i .mo`/LC_MESSAGES ;\
+	  install -d $$t ;\
+	  install -m 644 $$i $$t/luksformat.mo ;\
+	done
+
+clean:
+	$(RM) $(MO) *~
+
+.PHONY: update
diff --git a/debian/scripts/po/de.po b/debian/scripts/po/de.po
new file mode 100644
index 0000000..76c7f2f
--- /dev/null
+++ b/debian/scripts/po/de.po
@@ -0,0 +1,76 @@
+# German translations for cryptsetup package
+# German messages for luksformat in cryptsetup.
+# Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+# Jonas Meurer <jonas@freesources.org>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:1.3.0-1\n"
+"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n"
+"POT-Creation-Date: 2015-12-09 13:09+0100\n"
+"PO-Revision-Date: 2011-03-08 19:40+0100\n"
+"Last-Translator: Jonas Meurer <jonas@freesources.org>\n"
+"Language-Team: German\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: ../luksformat:33
+msgid "This program needs to be started as root\n"
+msgstr "Dieses Programm muss als Benutzer root gestartet werden\n"
+
+#: ../luksformat:38
+msgid ""
+"luksformat - Create and format an encrypted LUKS device\n"
+"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
+"\n"
+msgstr ""
+"luksformat - LUKS-verschlüsselte Partition erstellen und formatieren\n"
+"Verwendung: luksformat [-t <Dateisystem>] <Partition> [ mkfs Optionen ]\n"
+"\n"
+
+#: ../luksformat:56
+#, perl-format
+msgid "Error: device mounted: %s\n"
+msgstr "Fehler: Partition ist eingebunden: %s\n"
+
+#: ../luksformat:72
+#, perl-format
+msgid "Error: invalid file system: %s\n"
+msgstr "Fehler: Ungültiges Dateisystem: %s\n"
+
+#: ../luksformat:85
+#, perl-format
+msgid "Error: could not generate temporary mapped device name"
+msgstr "Fehler: Erstellen einer temporären Partition schlug fehl"
+
+#. we do not need to be overly concerned with race conditions here, cryptsetup
+#. will just fail if the name already exists now.
+#: ../luksformat:89
+#, perl-format
+msgid "Creating encrypted device on %s...\n"
+msgstr "Erstelle verschlüsselte Partition auf %s...\n"
+
+#: ../luksformat:91
+#, perl-format
+msgid "Could not create LUKS device %s"
+msgstr "Erstellen der LUKS-Partition %s schlug fehl"
+
+#: ../luksformat:94
+msgid "Please enter your passphrase again to verify it\n"
+msgstr "Bitte zum verifizieren das Passwort erneut eingeben\n"
+
+#: ../luksformat:96
+msgid "The passphrases you entered were not identical\n"
+msgstr "Die eingegebenen Passwörter waren nicht identisch\n"
+
+#: ../luksformat:105
+#, perl-format
+msgid "Could not format device with file system %s"
+msgstr "Formatieren der Partition mit dem Dateisystem %s schlug fehl"
+
+#~ msgid "%s: %s"
+#~ msgstr "%s: %s"
diff --git a/debian/scripts/po/luksformat.pot b/debian/scripts/po/luksformat.pot
new file mode 100644
index 0000000..f6c1e56
--- /dev/null
+++ b/debian/scripts/po/luksformat.pot
@@ -0,0 +1,69 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n"
+"POT-Creation-Date: 2015-12-09 13:09+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../luksformat:33
+msgid "This program needs to be started as root\n"
+msgstr ""
+
+#: ../luksformat:38
+msgid ""
+"luksformat - Create and format an encrypted LUKS device\n"
+"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
+"\n"
+msgstr ""
+
+#: ../luksformat:56
+#, perl-format
+msgid "Error: device mounted: %s\n"
+msgstr ""
+
+#: ../luksformat:72
+#, perl-format
+msgid "Error: invalid file system: %s\n"
+msgstr ""
+
+#: ../luksformat:85
+#, perl-format
+msgid "Error: could not generate temporary mapped device name"
+msgstr ""
+
+#. we do not need to be overly concerned with race conditions here, cryptsetup
+#. will just fail if the name already exists now.
+#: ../luksformat:89
+#, perl-format
+msgid "Creating encrypted device on %s...\n"
+msgstr ""
+
+#: ../luksformat:91
+#, perl-format
+msgid "Could not create LUKS device %s"
+msgstr ""
+
+#: ../luksformat:94
+msgid "Please enter your passphrase again to verify it\n"
+msgstr ""
+
+#: ../luksformat:96
+msgid "The passphrases you entered were not identical\n"
+msgstr ""
+
+#: ../luksformat:105
+#, perl-format
+msgid "Could not format device with file system %s"
+msgstr ""
diff --git a/debian/scripts/suspend/cryptsetup-suspend-wrapper b/debian/scripts/suspend/cryptsetup-suspend-wrapper
new file mode 100644
index 0000000..953196c
--- /dev/null
+++ b/debian/scripts/suspend/cryptsetup-suspend-wrapper
@@ -0,0 +1,320 @@
+#!/bin/sh
+
+# Wrapper for cryptsetup-suspend(7)
+#
+# Copyright © 2019-2020 Tim <tim@systemli.org>
+#           © 2019-2020 Jonas Meurer <jonas@freesources.org>
+#           © 2020-2022 Guilhem Moulin <guilhem@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+set -ue
+PATH="/usr/sbin:/usr/bin:/sbin:/bin"
+export PATH
+
+# import cryptsetup shell functions
+[ -f /lib/cryptsetup/functions ] || return 0
+. /lib/cryptsetup/functions
+
+INITRAMFS_MNT="/run/cryptsetup/cryptsetup-suspend-initramfs"
+SYSTEM_SLEEP_PATH="/lib/systemd/system-sleep"
+CONFIG_FILE="/etc/cryptsetup/suspend.conf"
+unset -v INITRAMFS_DIR
+
+read_config() {
+    # define defaults
+    export UNLOCK_SESSIONS="false"
+    export KEEP_INITRAMFS="false"
+
+    # read config file if it exists
+    # shellcheck source=/etc/cryptsetup/suspend.conf
+    [ -f "$CONFIG_FILE" ] && . "$CONFIG_FILE" || true
+}
+
+# run_dir ARGS...
+# Run all executable scripts in directory SYSTEM_SLEEP_PATH with arguments ARGS
+# mimic systemd behavior
+run_dir() {
+    [ -d "$SYSTEM_SLEEP_PATH" ] || return 0
+    find "$SYSTEM_SLEEP_PATH" -type f -executable -execdir {} "$@" \;
+}
+
+log_error() {
+    # arg1 should be message
+    echo "Error: $1" | systemd-cat -t cryptsetup-suspend -p err
+    echo "Error: $1" >&2
+}
+
+mount_initramfs() {
+    local k v u IFS MemAvailable=0 SwapFree=0 new="n"
+    # update-initramfs(8) hardcodes /boot also: there is a `-b bootdir`
+    # option but no config file to put it to
+    local INITRAMFS="/boot/initrd.img-$(uname -r)" p
+    if [ ! -f "$INITRAMFS" ]; then
+        log_error "No initramfs found at $INITRAMFS"
+        exit 1
+    fi
+
+    if [ -d "$INITRAMFS_MNT" ] && [ ! "$INITRAMFS" -ot "$INITRAMFS_MNT" ]; then
+        # need to unpack again: initramfs is newer than what we unpacked earlier
+        if mountpoint -q "$INITRAMFS_MNT"; then
+            umount "$INITRAMFS_MNT"
+        fi
+        rmdir "$INITRAMFS_MNT" || exit 1
+    fi
+
+    if [ ! -d "$INITRAMFS_MNT" ]; then
+        # we need at about 300 MiB on ubuntu, 200 on debian
+        # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=34e431b0ae398fc54ea69ff85ec700722c9da773
+        while IFS=" 	" read -r k v u; do
+            # /proc/meminfo format is documented in proc(5)
+            case "$u" in
+                MB) u=1048576;;
+                kB) u=1024;;
+                *)  u=1;;
+            esac
+            case "$k" in
+                "MemAvailable:") MemAvailable=$((v*u));;
+                "SwapFree:") SwapFree=$((v*u));;
+            esac
+        done </proc/meminfo
+        if [ $((MemAvailable+SwapFree)) -lt $((300*1024*1024)) ]; then
+            log_error "Not enough memory available. Please close some programs or add swap space to suspend successfully."
+            exit 1
+        fi
+
+        mkdir -m0700 "$INITRAMFS_MNT"
+        mount -t ramfs -o nodev,mode=0700 ramfs "$INITRAMFS_MNT"
+
+        # extract initrd.img to initramfs dir
+        unmkinitramfs "$INITRAMFS" "$INITRAMFS_MNT"
+        new="y"
+    fi
+
+    # unmkinitramfs(8) extracts microcode into folders "early*" and the actual initramfs into "main"
+    if [ -f "$INITRAMFS_MNT/sbin/cryptsetup" ]; then
+        INITRAMFS_DIR="$INITRAMFS_MNT"
+    elif [ -f "$INITRAMFS_MNT/main/sbin/cryptsetup" ]; then
+        INITRAMFS_DIR="$INITRAMFS_MNT/main"
+    else
+        log_error "Directory $INITRAMFS_MNT has unpected content" >&2
+        exit 1
+    fi
+
+    if [ "$new" = "y" ]; then
+        for p in /dev /proc /run /sys; do
+            if [ ! -d "$INITRAMFS_DIR$p" ]; then
+                mkdir -m0755 "$INITRAMFS_DIR$p"
+            fi
+        done
+
+        # copy our binary to ramdisk
+        install -m0755 -t "$INITRAMFS_DIR/bin" /lib/cryptsetup/scripts/suspend/cryptsetup-suspend
+
+        # copy all firmware files to ramdisk to prevent dead-lock
+        # see https://salsa.debian.org/mejo/cryptsetup-suspend/issues/38)
+        # TODO we should try to identify which firmwares need to be loaded
+        # and only copy those
+        if [ -d /lib/firmware ] && [ ! -d "$INITRAMFS_DIR/lib/firmware" ]; then
+            cp -dR -T -- /lib/firmware "$INITRAMFS_DIR/lib/firmware"
+        fi
+    fi
+
+    # from initramfs-tools-core's /usr/share/initramfs-tools/init
+    mount -t devtmpfs -o noexec,nosuid,mode=0755 udev "$INITRAMFS_DIR/dev"
+    mount -t proc -o nodev,noexec,nosuid proc "$INITRAMFS_DIR/proc"
+    mount -t ramfs -o nodev,noexec,nosuid,mode=0755 ramfs "$INITRAMFS_DIR/run"
+    mount -t sysfs -o nodev,noexec,nosuid sysfs "$INITRAMFS_DIR/sys"
+
+    [ -d "$INITRAMFS_DIR/dev/pts" ] || mkdir -m0755 "$INITRAMFS_DIR/dev/pts"
+    mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts "$INITRAMFS_DIR/dev/pts" || true
+
+    # remount read-only, private and unbindable
+    mount -oremount,ro --make-rprivate --make-runbindable "$INITRAMFS_MNT"
+}
+
+umount_initramfs() {
+    if [ -d "${INITRAMFS_DIR-}" ]; then
+        umount -- "$INITRAMFS_DIR/dev/pts"
+        umount -- "$INITRAMFS_DIR/dev"
+        umount -- "$INITRAMFS_DIR/proc"
+        umount -- "$INITRAMFS_DIR/run"
+        umount -- "$INITRAMFS_DIR/sys"
+    fi
+    if [ "$KEEP_INITRAMFS" != "true" ] || [ -z "${INITRAMFS_DIR+x}" ]; then
+        # always unmount if we error out before setting INITRAMFS_DIR
+        umount -- "$INITRAMFS_MNT"
+        rmdir -- "$INITRAMFS_MNT"
+    fi
+}
+
+CGROUP_FREEZER=
+freeze_cgroup() {
+    local c="$1" v
+    # freeze cgroup if non-frozen
+    if [ -f "$c" ] && v="$(cat <"$c")" && [ $v -eq 0 ]; then
+        echo 1 >"$c"
+        CGROUP_FREEZER="$c${CGROUP_FREEZER:+" $CGROUP_FREEZER"}"
+    fi
+}
+freeze_cgroups() {
+    local mycgroup c
+
+    # freeze all machines/containers and user cgroups
+    freeze_cgroup "$hierarchy/machine.slice/cgroup.freeze"
+    freeze_cgroup "$hierarchy/user.slice/cgroup.freeze"
+
+    # get my second level cgroup
+    mycgroup="$(grep -m1 "^0::" /proc/self/cgroup | cut -sd/ -f3)"
+
+    # freeze all system cgroups except ours and systemd-suspend
+    for c in "$hierarchy"/system.slice/*/cgroup.freeze; do
+        if  [ "$c" != "$hierarchy/system.slice/$mycgroup/cgroup.freeze" ] && \
+                [ "${c#"$hierarchy/system.slice/systemd-suspend."}" = "$c" ]; then
+            freeze_cgroup "$c"
+        fi
+    done
+
+    # freeze systemd itself
+    freeze_cgroup "$hierarchy/init.scope/cgroup.freeze"
+}
+
+thaw_cgroups() {
+    local c
+    for c in $CGROUP_FREEZER; do
+        echo 0 >"$c"
+    done
+}
+
+populate_ACTIVE_DEVICES() {
+    local DEV MAJ MIN
+    if ! dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
+        # silently ignore unmapped devices
+        return 0
+    elif [ "$(dmsetup info --noheadings -c -o subsystem -- "$CRYPTTAB_NAME")" != "CRYPT" ]; then
+        cryptsetup_message "ERROR: $CRYPTTAB_NAME: Subsystem mismatch"
+        return 1
+    elif ! _resolve_device "$CRYPTTAB_SOURCE"; then
+        cryptsetup_message "ERROR: $CRYPTTAB_NAME: Missing source $CRYPTTAB_SOURCE"
+        return 1
+    elif [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then
+        cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch"
+        return 1
+    fi
+
+    if ! crypttab_parse_options --quiet; then
+        cryptsetup_message "ERROR: $CRYPTTAB_NAME: Unable to parse options field"
+        return 1
+    elif [ "$CRYPTTAB_TYPE" != "luks" ]; then
+        # XXX does it even work with detached headers?
+        cryptsetup_message "WARNING: $CRYPTTAB_NAME: unable to suspend non-LUKS device"
+        return 0
+    fi
+
+    # XXX that's not robust since $CRYPTTAB_NAME might contain spaces or
+    # special characters; we need to create a NUL-delimited list in a
+    # file instead
+    ACTIVE_DEVICES="${ACTIVE_DEVICES:+"$ACTIVE_DEVICES "}$CRYPTTAB_NAME"
+}
+
+clean_up() {
+    # we always want to run through the whole cleanup
+    set +e
+
+    # thaw all frozen cgroups
+    thaw_cgroups
+
+    # Run post-suspend scripts
+    run_dir post suspend
+
+    umount_initramfs
+
+    # unlock sessions
+    if [ "$UNLOCK_SESSIONS" = "true" ]; then
+        loginctl unlock-sessions
+    fi
+}
+
+## Main script
+
+# check unified cgroups hierarchy
+# https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md
+if [ -d /sys/fs/cgroup/system.slice ]; then
+    hierarchy="/sys/fs/cgroup"
+elif [ -d /sys/fs/cgroup/unified/system.slice ]; then
+    # hybrid cgroup hierarchy
+    hierarchy="/sys/fs/cgroup/unified"
+else
+    log_error "No unified cgroups hierarchy"
+    exit 1
+fi
+
+# check that not run as user
+# XXX: We should catch also cases where libpam-systemd is not installed
+if grep -Eq '^[0-9]+:[^:]*:/user\.slice/' /proc/self/cgroup; then
+    log_error "Don't run this script as user"
+    exit 1
+fi
+
+# always thaw cgroups, re-mount filesystems and remove initramfs at the end of the script
+trap clean_up EXIT
+
+read_config
+
+# extract temporary filesystem to switch to
+mount_initramfs
+
+# Run pre-suspend scripts
+run_dir pre suspend
+
+# populate list of active crypt devices
+ACTIVE_DEVICES=""
+crypttab_foreach_entry populate_ACTIVE_DEVICES
+
+# freeze all cgroups but us
+freeze_cgroups
+
+# No longer fail in case of errors
+set +e
+
+# change into ramdisk
+devices_remaining="$(chroot "$INITRAMFS_DIR" /bin/sh -c "
+    # suspend active luks devices (in reverse order) and system
+    /bin/cryptsetup-suspend --reverse $ACTIVE_DEVICES
+
+    TABFILE=\"/cryptroot/crypttab\"
+    . /lib/cryptsetup/functions
+
+    # resume active luks devices (only initramfs devices)
+    for dev in $ACTIVE_DEVICES; do
+        if crypttab_find_entry --quiet \"\$dev\"; then
+            DM_DISABLE_UDEV=y resume_device \"\$dev\" || sleep 5
+        else
+            # write remaining devices to FD3
+            printf \"%s \" \"\$dev\" >&3
+        fi
+    done
+" 3>&- 3>&1 >&2)"
+
+# resume remaining active luks devices (non-initramfs devices)
+for dev in $devices_remaining; do
+    if crypttab_find_entry --quiet "$dev"; then
+        # explicitely disable udev support, cf. #1020553
+        # XXX this is not ideal since udev might be required in some situations
+        # (detached header or key material on removable device comes to mind)
+        DM_DISABLE_UDEV=y resume_device "$dev" || true
+    else
+        log_error "'$dev' not found in /etc/crypttab"
+    fi
+done
diff --git a/debian/scripts/suspend/cryptsetup-suspend.c b/debian/scripts/suspend/cryptsetup-suspend.c
new file mode 100644
index 0000000..af1b6f6
--- /dev/null
+++ b/debian/scripts/suspend/cryptsetup-suspend.c
@@ -0,0 +1,225 @@
+/*
+ * Small program to LUKS suspend devices before system suspend
+ *
+ * Copyright: (c) 2018      Guilhem Moulin <guilhem@debian.org>
+ *            (c) 2018-2020 Jonas Meurer <jonas@freesources.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdbool.h>
+#include <err.h>
+#include <errno.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+#include <libcryptsetup.h>
+
+#define SYSFS_POWER_SYNC_ON_SUSPEND "/sys/power/sync_on_suspend"
+#define SYSFS_POWER_STATE           "/sys/power/state"
+
+void usage() {
+    printf("Usage: cryptsetup-suspend [-r|--reverse] <blkdev> [<blkdev> ...]\n"
+           "      -r, --reverse             process luks devices in reverse order\n\n");
+    exit(1);
+}
+
+/* Calculate free memory (MemAvailable + SwapFree) from /proc/meminfo */
+uint32_t get_mem_swap_avail_kb() {
+    FILE *meminfo = fopen("/proc/meminfo", "r");
+    if (meminfo == NULL)
+        err(EXIT_FAILURE, "couldn't open /proc/meminfo");
+
+    int mem_avail_kb, swap_free_kb = 0;
+    char line[256];
+    while (fgets(line, sizeof(line), meminfo)) {
+        if (strncmp(line, "MemAvailable", strlen("MemAvailable")) == 0) {
+            if (sscanf(line, "MemAvailable: %d kB", &mem_avail_kb) != 1)
+                errx(EXIT_FAILURE, "couldn't read MemAvailable from /proc/meminfo");
+        } else if (strncmp(line, "SwapFree", strlen("SwapFree")) == 0) {
+            if (sscanf(line, "SwapFree: %d kB", &swap_free_kb) != 1)
+                errx(EXIT_FAILURE, "couldn't read SwapFree from /proc/meminfo");
+        }
+    }
+    fclose(meminfo);
+
+    uint32_t mem_swap_avail_kb = mem_avail_kb + swap_free_kb;
+    if (mem_swap_avail_kb == 0)
+       errx(EXIT_FAILURE, "error reading available memory and swap from /proc/meminfo");
+
+    return mem_swap_avail_kb;
+}
+
+int main(int argc, char *argv[]) {
+    int rv = 0;
+    bool reverse = 0;
+    int d_size;
+    bool sync_on_suspend_reset = 0;
+    FILE *sos = NULL;
+
+    /* Process commandline arguments */
+    if (argc < 2) {
+        usage();
+    } else if ((strcmp(argv[1], "-r") == 0) || (strcmp(argv[1], "--reverse") == 0)) {
+        if (argc < 3)
+            usage();
+
+        reverse = 1;
+        d_size = argc-2;
+    } else {
+        d_size = argc-1;
+    }
+
+    /* Read in devices */
+    const char *devices[d_size];
+    if (!reverse) {
+        for (int i = 0; i < d_size; i++) {
+            devices[i] = argv[i+1];
+        }
+    } else {
+        for (int i = 0; i < d_size; i++) {
+            devices[i] = argv[argc-i-1];
+        }
+    }
+
+    /* Disable sync_on_suspend in Linux kernel
+     *
+     * Only available in Linux kernel >= 5.6 */
+    if (access(SYSFS_POWER_SYNC_ON_SUSPEND, W_OK) < 0) {
+        if (errno == ENOENT)
+            warnx("kernel too old, can't disable sync on suspend");
+    } else {
+        sos = fopen(SYSFS_POWER_SYNC_ON_SUSPEND, "r+");
+        if (!sos)
+            err(EXIT_FAILURE, "couldn't open sysfs file");
+
+        int sos_c = fgetc(sos);
+        if (fgetc(sos) == EOF)
+            err(EXIT_FAILURE, "couldn't read from file");
+
+        if (sos_c == '0') {
+            /* Already disabled */
+        } else if (sos_c == '1') {
+            sync_on_suspend_reset = 1;
+            if (fputc('0', sos) <= 0)
+                err(EXIT_FAILURE, "couldn't write to file");
+        } else {
+            errx(EXIT_FAILURE, "unexpected value from %s", SYSFS_POWER_SYNC_ON_SUSPEND);
+        }
+
+        fclose(sos);
+    }
+
+    /* Change process priority to -20 (highest) to avoid races between
+     * the LUKS suspend(s) and the suspend-on-ram. */
+    if (setpriority(PRIO_PROCESS, 0, -20) == -1)
+        warn("can't lower process priority to -20");
+
+    /* Get memory settings of keyslots from processed LUKS2 devices */
+    uint32_t argon2i_max_memory_kb = 0;
+    for (int i = 0; i < d_size; i++) {
+        struct crypt_device *cd = NULL;
+        if (crypt_init_by_name(&cd, devices[i])) {
+            warnx("couldn't init LUKS device %s", devices[i]);
+            rv = EXIT_FAILURE;
+        } else {
+            /* Only LUKS2 devices may use argon2i PBKDF */
+            if (strcmp(crypt_get_type(cd), CRYPT_LUKS2) != 0)
+                continue;
+            int ks_max = crypt_keyslot_max(crypt_get_type(cd));
+            for (int j = 0; j < ks_max; j++) {
+                crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
+                /* Only look at active keyslots */
+                if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
+                    continue;
+                struct crypt_pbkdf_type pbkdf_ki;
+                if (crypt_keyslot_get_pbkdf(cd, j, &pbkdf_ki) < 0) {
+                    warn("couldn't get PBKDF for keyslot %d of device %s", j, devices[i]);
+                    rv = EXIT_FAILURE;
+                } else {
+                    if (pbkdf_ki.max_memory_kb > argon2i_max_memory_kb)
+                        argon2i_max_memory_kb = pbkdf_ki.max_memory_kb;
+                }
+            }
+        }
+        crypt_free(cd);
+    }
+
+    /* Add some more memory to be on the safe side
+     * TODO: find a reasonable value */
+    argon2i_max_memory_kb += 2 * 1024; // 2MB
+
+    /* Check if we have enough memory available to prevent mlock() from
+     * triggering the OOM killer. */
+    uint32_t mem_swap_avail_kb = get_mem_swap_avail_kb();
+    if (argon2i_max_memory_kb > mem_swap_avail_kb) {
+        errx(EXIT_FAILURE, "Error: Available memory (%d kb) less than required (%d kb)",
+                        mem_swap_avail_kb, argon2i_max_memory_kb);
+    }
+
+    /* Allocate and lock memory for later usage by LUKS resume in order to
+     * prevent swapping out after LUKS devices (which might include swap
+     * storage) have been suspended. */
+    fprintf(stderr, "Allocating and mlocking memory: %d kb\n", argon2i_max_memory_kb);
+    char *mem;
+    if (!(mem = malloc(argon2i_max_memory_kb)))
+        err(EXIT_FAILURE, "couldn't allocate enough memory");
+    if (mlock(mem, argon2i_max_memory_kb) == -1)
+        err(EXIT_FAILURE, "couldn't lock enough memory");
+    /* Fill the allocated memory to make sure it's really reserved even if
+     * memory pages are copy-on-write. */
+    size_t i;
+    size_t page_size = getpagesize();
+    for (i = 0; i < argon2i_max_memory_kb; i += page_size)
+        mem[i] = 0;
+
+    /* Do the final filesystem sync since we disabled sync_on_suspend in
+     * Linux kernel. */
+    sync();
+
+    for (int i = 0; i < d_size; i++) {
+        struct crypt_device *cd = NULL;
+        if (crypt_init_by_name(&cd, devices[i]) || crypt_suspend(cd, devices[i])) {
+            warnx("couldn't suspend LUKS device %s", devices[i]);
+            rv = EXIT_FAILURE;
+        }
+        crypt_free(cd);
+    }
+
+    fprintf(stderr, "Sleeping...\n");
+    FILE *s = fopen(SYSFS_POWER_STATE, "w");
+    if (!s)
+        err(EXIT_FAILURE, "failed to open %s", SYSFS_POWER_STATE);
+    if (fputs("mem", s) <= 0)
+        err(EXIT_FAILURE, "couldn't write to %s", SYSFS_POWER_STATE);
+    fclose(s);
+    fprintf(stderr, "Resuming...\n");
+
+    /* Restore original sync_on_suspend value */
+    if (sync_on_suspend_reset) {
+        sos = fopen(SYSFS_POWER_SYNC_ON_SUSPEND, "w");
+        if (!sos)
+            err(EXIT_FAILURE, "couldn't open sysfs file");
+        if (fputc('1', sos) <= 0)
+            err(EXIT_FAILURE, "couldn't write to file");
+        fclose(sos);
+    }
+
+    return rv;
+}
diff --git a/debian/scripts/suspend/cryptsetup-suspend.shutdown b/debian/scripts/suspend/cryptsetup-suspend.shutdown
new file mode 100644
index 0000000..f7d9f5d
--- /dev/null
+++ b/debian/scripts/suspend/cryptsetup-suspend.shutdown
@@ -0,0 +1,3 @@
+#!/bin/sh
+umount -R /run/cryptsetup/cryptsetup-suspend-initramfs
+rmdir /run/cryptsetup/cryptsetup-suspend-initramfs
diff --git a/debian/scripts/suspend/suspend.conf b/debian/scripts/suspend/suspend.conf
new file mode 100644
index 0000000..79b2287
--- /dev/null
+++ b/debian/scripts/suspend/suspend.conf
@@ -0,0 +1,10 @@
+# Caution: This file will be sourced by another script.
+# For security reasons, it should only be writable by root.
+
+# Automatically unlock user sessions after resume
+# UNLOCK_SESSIONS="false"
+
+# Keep unpacked initramfs in RAM to accelerate suspension (this setting
+# is ignored when the default initramfs image is newer than the
+# cached/unpacked image)
+# KEEP_INITRAMFS="false"
diff --git a/debian/scripts/suspend/systemd/cryptsetup-suspend.conf b/debian/scripts/suspend/systemd/cryptsetup-suspend.conf
new file mode 100644
index 0000000..10664cf
--- /dev/null
+++ b/debian/scripts/suspend/systemd/cryptsetup-suspend.conf
@@ -0,0 +1,12 @@
+[Service]
+# Protect against OOM killer. luksResume with Argon2 needs a lot of memory
+OOMScoreAdjust=-1000
+# Give us higher priority
+Nice=-10
+# override ExecStart of systemd-suspend.service
+ExecStart=
+# use VT 8 as workaround for https://gitlab.gnome.org/GNOME/gdm/issues/527
+# XXX on systems specifying the console= kernel parameter (such as a serial
+# port) we should probably honor it
+ExecStart=/bin/openvt -ws -c8 \
+    /lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-17 08:06:26 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-17 08:06:26 +0000
commit	fd888e850cf413955483bfb993aeeea5ea611289 (patch)
tree	6148fed3d1f30272c48403f4cdefa59c2b7e1513 /debian/scripts
parent	Adding upstream version 2:2.6.1. (diff)
download	cryptsetup-fd888e850cf413955483bfb993aeeea5ea611289.tar.xz cryptsetup-fd888e850cf413955483bfb993aeeea5ea611289.zip