4

I am using full disk encryption, through LinuxPBA and sedutil (https://github.com/Drive-Trust-Alliance/sedutil). In short, at boot, a BIOS-independent piece of code requests the disk passphrase. If correct, the disk is unlocked, system reboots without powering off the disk, I can see grub, the kernel proceeds and the distro starts.

Suspension is dangerous in this scenario, it's a known limitation [1] [2]. When it happens, data gets corrupted. The bad news is that I am experiencing random suspension events quite often.

I don't need suspension but I use hibernation. Is there a way to disable suspension (without affecting hibernation)? Perhaps recompiling the kernel, or via boot options...

[1] The suspend action triggers disk power off; this means that, at resume, the FS is encrypted. Linux tries to access sectors it had mapped before which are now encrypted, corrupting data. It soon detects the problem, remounts the FS in read-only and avoids further damage. Next reboot, fsck.ext4 usually repairs the damage. But as I am experiencing random suspension, not triggered by me, hard to debug/report, I would like to disable suspension completely as I figure out the root cause.

[2] Similar questions: suggestions like this https://wiki.debian.org/Suspend#Disable_suspend_and_hibernation are not enough. Also, it appears it is not possible to tell the kernel/ACPI "please do not turn of the disk at suspension" (Is it possible not to turn off an SSD in suspend/sleep/S3?).

Improve this question

1 Answer 1

Reset to default
1

Recompiling the kernel with CONFIG_SUSPEND=n and CONFIG_HIBERNATION=y ought to prevent suspend but still allow hibernate. Suspend only happens at userspace's request AFAIK, so you ought to be able to disable it that way as well.

Also, I'm not sure how the drives work exactly, but I'd also be worried that resets might cause them to lose the key. If so, beware that the Linux storage stack will reset devices that fail to respond — e.g., if they're busy retrying a bad block for a long time. /sys/block/sd?/device/timeout is where that timeout is set; it defaults to 30s.

Finally, you can use e.g., hdparm -Y to put just a drive into sleep mode. Probably nothing is doing that by default, but it's possible the drive is configured to put itself into standby (not sleep) mode; hopefully if it is, that doesn't lose the key.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.