* Replace blowfish by AES, since recent CPU could have optimisation for it.

* Miss-interpretation of the --skip option of cryptsetup. Ciphered partition labels are not supported. Labels are erased when doing mkswap on the ciphered partition. * Avoid doing swapon on devices which are already listed in /proc/swaps. * Remove no longer listed devices with only one swapoff command. svn path=/nixos/trunk/; revision=19164
2009-12-31 13:56:47 +00:00 · 2009-12-31 13:56:47 +00:00 · 81d621b4f7
commit 81d621b4f7
parent df21f0f06d
1 changed files with 25 additions and 26 deletions
--- a/modules/tasks/swap.nix
+++ b/modules/tasks/swap.nix
@ -57,7 +57,8 @@ in
            example = true;
            type = types.bool;
            description = "
-              Cipher the swap device to protect swapped data.
+              Cipher the swap device to protect swapped data.  This option
              does not work with labels.
            ";
          };
@ -78,18 +79,24 @@ in
          command = ''
            if test -e "${config.device}"; then
              ${if config.cipher then ''
-                # swap labels could be preserved by using --skip (PAGE_SIZE / key size)
+                  plainDevice="${config.device}"
-                # The current settings won't work on system with a PAGE_SIZE != 4096.
+                  name="crypt$(echo "$plainDevice" | sed -e 's,/,.,g')"
-                oldDevice="${config.device}"
+                  device="/dev/mapper/$name"
-                device="crypt$(echo "$oldDevice" | sed -e 's,/,.,')"
+                  if ! test -e "$device"; then
-                ${cryptsetup}/sbin/cryptsetup --skip 16 -c blowfish -s 256 -d /dev/urandom create "$device" "$oldDevice"
+                    ${cryptsetup}/sbin/cryptsetup -c aes -s 128 -d /dev/urandom create "$name" "$plainDevice"
-                ${utillinux}/sbin/swapon "/dev/mapper/$newDevice" || true
+                    ${utillinux}/sbin/mkswap -f "$device" || true
-              ''
+                  fi
-              else ''
+                ''
-                device="${config.device}"
+                else ''
-                ${utillinux}/sbin/swapon "${config.device}" || true
+                  device="${config.device}"
-              ''}
+                ''
-              swapDevices="$swapDevices $device"
+              }
              # Add new swap devices.
              if echo $unused | grep -q "^$device\$"; then
                unused="$(echo $unused | grep -v "^$device\$")"
              else
                ${utillinux}/sbin/swapon "$device" || true
              fi
            fi
          '';
        };
@ -100,7 +107,6 @@ in
  };
  ###### implementation
  config = {
@ -112,19 +118,12 @@ in
        script =
          ''
            unused="$(sed '1d; s/ .*//' /proc/swaps)"
            ${toString (map (x: x.command) config.swapDevices)}
-            # Remove swap devices not listed in swapDevices.
+            # Remove remaining swap devices.
-            for used in $(cat /proc/swaps | grep '^/' | sed 's/ .*//'); do
+            test -n "$unused" && ${utillinux}/sbin/swapoff $unused || true
                found=
                for device in $swapDevices; do
                    device=$(readlink -f $device)
                    if test "$used" = "$device"; then found=1; fi
                done
                if test -z "$found"; then
                    ${utillinux}/sbin/swapoff "$used" || true
                fi
            done
          '';
      };