Some warnings, first.

 * BIG FAT WARNING *********************************************************
 *
 * If you touch anything on disk between suspend and resume...
 *                              ...kiss your data goodbye.
 *
 * If you do resume from initrd after your filesystems are mounted...
 *                              ...bye bye root partition.
 *                      [this is actually the same case as above]
 *
 * If you have unsupported (*) devices using DMA, you may have some
 * problems. If your disk driver does not support suspend... (IDE does),
 * it may cause some problems, too. If you change the kernel command line
 * between suspend and resume, it may do something wrong. If you change
 * your hardware while the system is suspended... well, it was not a good
 * idea; but it will probably only crash.
 *
 * (*) suspend/resume support is needed to make it safe.

You need to append resume=/dev/your_swap_partition to the kernel command
line. Then you suspend by

    echo shutdown > /sys/power/disk; echo disk > /sys/power/state

If you feel ACPI works pretty well on your system, you might try

    echo platform > /sys/power/disk; echo disk > /sys/power/state

If you want to limit the suspend image size to N bytes, do

    echo N > /sys/power/image_size

before suspend (it is limited to 500 MB by default).

Encrypted suspend image:
------------------------
If you want to store your suspend image encrypted with a temporary
key to prevent data gathering after resume you must compile
crypto and the aes algorithm into the kernel - modules won't work
as they cannot be loaded at resume time.

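An added example (not part of the original document) that checks a kernel .config for the requirement above: crypto and AES must be built in (=y), and a module (=m) counts as a failure. The symbol names CONFIG_CRYPTO and CONFIG_CRYPTO_AES are assumptions (architecture-specific AES options may use other names), and the function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a kernel .config has crypto and AES built in (=y).
# Symbol names are assumptions; adjust REQUIRED for your kernel version.
REQUIRED="CONFIG_CRYPTO CONFIG_CRYPTO_AES"

# config_state CONFIG_FILE SYMBOL
# Prints y (built in), m (module) or n (absent or "is not set").
config_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${state:-n}"
}

# encrypted_suspend_ready CONFIG_FILE
# Succeeds only if every required symbol is built in; a module is reported
# as a failure because it cannot be loaded at resume time.
encrypted_suspend_ready() {
    ready=0
    for sym in $REQUIRED; do
        case "$(config_state "$1" "$sym")" in
            y) echo "$sym: built in" ;;
            m) echo "$sym: module, not usable at resume time"; ready=1 ;;
            *) echo "$sym: not enabled"; ready=1 ;;
        esac
    done
    return "$ready"
}

# Constructed sample .config (not from a real kernel build).
cfg=$(mktemp)
printf 'CONFIG_CRYPTO=y\nCONFIG_CRYPTO_AES=m\n# CONFIG_CRYPTO_DES is not set\n' > "$cfg"
encrypted_suspend_ready "$cfg" || echo "encrypted suspend image would not work with this config"
rm -f "$cfg"
```
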

Article about goals and implementation of Software Suspend for Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author: Gábor Kuti
Last revised: 2003-10-20 by Pavel Machek

Idea and goals to achieve

Nowadays it is common for laptops to have a suspend button. It
saves the state of the machine to a filesystem or to a partition and switches
to standby mode. When the machine is later resumed, the saved state is loaded
back into RAM and the machine can continue its work. It has two real benefits.
First, we save ourselves the time it takes the machine to go down and later
boot up; energy costs are really high when running from batteries. The other
gain is that we don't have to interrupt our programs, so processes that are
calculating something for a long time don't need to be written to be
interruptible.

swsusp saves the state of the machine into active swaps and then reboots or
powers down. You must explicitly specify the swap partition to resume from with
the ``resume='' kernel option. If a signature is found, it loads and restores
the saved state. If the option ``noresume'' is specified as a boot parameter,
it skips the resuming.

While the system is suspended, you should not add or remove any hardware,
write to the filesystems, etc.

Sleep states summary
====================

There are three different interfaces you can use, /proc/acpi should
work like this:

In a really perfect world:
    echo 1 > /proc/acpi/sleep       # for standby
    echo 2 > /proc/acpi/sleep       # for suspend to ram
    echo 3 > /proc/acpi/sleep       # for suspend to ram, but with more power conservative
    echo 4 > /proc/acpi/sleep       # for suspend to disk
    echo 5 > /proc/acpi/sleep       # for shutdown unfriendly the system

and perhaps
    echo 4b > /proc/acpi/sleep      # for suspend to disk via s4bios

Frequently Asked Questions
==========================

Q: well, suspending a server is IMHO a really stupid thing,
but... (Diego Zuccato):

A: You bought a new UPS for your server. How do you install it without
bringing the machine down? Suspend to disk, rearrange power cables,
resume.

You have your server on UPS. Power died, and the UPS is indicating 30
seconds to failure. What do you do? Suspend to disk.


Q: Maybe I'm missing something, but why don't the regular I/O paths work?

A: We do use the regular I/O paths. However we cannot restore the data
to its original location as we load it. That would create an
inconsistent kernel state which would certainly result in an oops.
Instead, we load the image into unused memory and then atomically copy
it back to its original location. This implies, of course, a maximum
image size of half the amount of memory.

There are two solutions to this:

* require half of memory to be free during suspend. That way you can
  read "new" data onto free spots, then cli and copy

* assume we had special "polling" ide driver that only uses memory
  between 0-640KB. That way, I'd have to make sure that 0-640KB is free
  during suspending, but otherwise it would work...

suspend2 shares this fundamental limitation, but does not include user
data and disk caches into "used memory" by saving them in
advance. That means that the limitation goes away in practice.

Q: Does linux support ACPI S4?

A: Yes. That's what echo platform > /sys/power/disk does.

Q: What is 'suspend2'?

A: suspend2 is 'Software Suspend 2', a forked implementation of
suspend-to-disk which is available as separate patches for 2.4 and 2.6
kernels from swsusp.sourceforge.net. It includes support for SMP, 4GB
highmem and preemption. It also has an extensible architecture that
allows for arbitrary transformations on the image (compression,
encryption) and arbitrary backends for writing the image (e.g. to swap
or an NFS share [Work In Progress]). Questions regarding suspend2
should be sent to the mailing list available through the suspend2
website, and not to the Linux Kernel Mailing List. We are working
toward merging suspend2 into the mainline kernel.

Q: A kernel thread must voluntarily freeze itself (call 'refrigerator').
I found some kernel threads that don't do it, and they don't freeze
so the system can't sleep. Is this a known behavior?

A: All such kernel threads need to be fixed, one by one. Select the
place where the thread is safe to be frozen (no kernel semaphores
should be held at that point and it must be safe to sleep there), and
add:

    try_to_freeze();

If the thread is needed for writing the image to storage, you should
instead set the PF_NOFREEZE process flag when creating the thread (and
be very careful).


Q: What is the difference between "platform", "shutdown" and
"firmware" in /sys/power/disk?

A:

shutdown: save state in linux, then tell bios to powerdown

platform: save state in linux, then tell bios to powerdown and blink
          "suspended led"

firmware: tell bios to save state itself [needs BIOS-specific suspend
          partition, and has very little to do with swsusp]

"platform" is actually the right thing to do, but "shutdown" is most
reliable.

Q: I do not understand why you have such strong objections to idea of
selective suspend.

A: Do selective suspend during runtime power management, that's okay. But
it's useless for suspend-to-disk. (And I do not see how you could use
it for suspend-to-ram, I hope you do not want that).

Let's see, so you suggest to

* SUSPEND all but swap device and parents
* Snapshot
* Write image to disk
* SUSPEND swap device and parents
* Powerdown

Oh no, that does not work, if swap device or its parents uses DMA,
you've corrupted data. You'd have to do

* SUSPEND all but swap device and parents
* FREEZE swap device and parents
* Snapshot
* UNFREEZE swap device and parents
* Write
* SUSPEND swap device and parents

Which means that you still need that FREEZE state, and you get more
complicated code. (And I have not yet introduced details like system
devices).

Q: There don't seem to be any generally useful behavioral
distinctions between SUSPEND and FREEZE.

A: Doing SUSPEND when you are asked to do FREEZE is always correct,
but it may be unnecessarily slow. If you want USB to stay simple,
slowness may not matter to you. It can always be fixed later.

For devices like disk it does matter, you do not want to spindown for
FREEZE.

Q: After resuming, system is paging heavily, leading to very bad interactivity.

A: Try running

    cat `cat /proc/[0-9]*/maps | grep / | sed 's:.* /:/:' | sort -u` > /dev/null

after resume. swapoff -a; swapon -a may also be useful.

Q: What happens to devices during swsusp? They seem to be resumed
during system suspend?

A: That's correct. We need to resume them if we want to write image to
disk. Whole sequence goes like

    Suspend part
    ~~~~~~~~~~~~
    running system, user asks for suspend-to-disk

    user processes are stopped

    suspend(PMSG_FREEZE): devices are frozen so that they don't interfere
                          with state snapshot

    state snapshot: copy of whole used memory is taken with interrupts disabled

    resume(): devices are woken up so that we can write image to swap

    write image to swap

    suspend(PMSG_SUSPEND): suspend devices so that we can power off

    turn the power off

    Resume part
    ~~~~~~~~~~~
    (is actually pretty similar)

    running system, user asks for suspend-to-disk

    user processes are stopped (in common case there are none, but with resume-from-initrd, no one knows)

    read image from disk

    suspend(PMSG_FREEZE): devices are frozen so that they don't interfere
                          with image restoration

    image restoration: rewrite memory with image

    resume(): devices are woken up so that system can continue

    thaw all user processes

Q: What is this 'Encrypt suspend image' for?

A: First of all: it is not a replacement for dm-crypt encrypted swap.
It cannot protect your computer while it is suspended. Instead it does
protect from leaking sensitive data after resume from suspend.

Think of the following: you suspend while an application is running
that keeps sensitive data in memory. The application itself prevents
the data from being swapped out. Suspend, however, must write these
data to swap to be able to resume later on. Without suspend encryption
your sensitive data are then stored in plaintext on disk. This means
that after resume your sensitive data are accessible to all
applications having direct access to the swap device which was used
for suspend. If you don't need swap after resume these data can remain
on disk virtually forever. Thus it can happen that your system gets
broken into weeks later and sensitive data which you thought were
encrypted and protected are retrieved and stolen from the swap device.
To prevent this situation you should use 'Encrypt suspend image'.

During suspend a temporary key is created and this key is used to
encrypt the data written to disk. When, during resume, the data has been
read back into memory, the temporary key is destroyed, which simply
means that all data written to disk during suspend are then
inaccessible so they can't be stolen later on. The only thing that
you must then take care of is that you call 'mkswap' for the swap
partition used for suspend as early as possible during regular
boot. This ensures that any temporary key from an oopsed suspend or
from a failed or aborted resume is erased from the swap device.

As a rule of thumb use encrypted swap to protect your data while your
system is shut down or suspended. Additionally use the encrypted
suspend image to prevent sensitive data from being stolen after
resume.

Q: Why can't we suspend to a swap file?

A: Because accessing swap file needs the filesystem mounted, and
filesystem might do something wrong (like replaying the journal)
during mount.

There are a few ways to get that fixed:

1) Probably could be solved by modifying every filesystem to support
some kind of "really read-only!" option. Patches welcome.

2) suspend2 gets around that by storing absolute positions in on-disk
image (and blocksize), with resume parameter pointing directly to
suspend header.

Q: Is there a maximum system RAM size that is supported by swsusp?

A: It should work okay with highmem.

Q: Does swsusp (to disk) use only one swap partition or can it use
multiple swap partitions (aggregate them into one logical space)?

A: Only one swap partition, sorry.

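An added example (not part of the original document) that checks the setup the text requires before suspending: a resume= parameter that names an active swap partition rather than a swap file, and no noresume parameter. The function names and sample data are constructed for illustration, and it assumes resume= uses the same device path that /proc/swaps shows.

```shell
#!/bin/sh
# Added example: pre-suspend check of the resume= setup.
# On a live system pass /proc/cmdline and /proc/swaps as the two arguments.

# Print the value of resume= from a kernel command line file (empty if absent).
resume_device() {
    tr ' ' '\n' < "$1" | sed -n 's/^resume=//p' | tail -n 1
}

# Succeed if the noresume parameter is present.
has_noresume() {
    tr ' ' '\n' < "$1" | grep -qx 'noresume'
}

# Print the Type column of a /proc/swaps-style file for device $2
# ("partition" or "file"); prints nothing if the device is not active swap.
swap_type() {
    awk -v dev="$2" 'NR > 1 && $1 == dev { print $2 }' "$1"
}

# check_resume_setup CMDLINE SWAPS
# Returns 0 ok, 1 no resume=, 2 noresume set, 3 not active swap, 4 not a partition.
check_resume_setup() {
    dev=$(resume_device "$1")
    [ -n "$dev" ] || { echo "no resume= on the kernel command line"; return 1; }
    if has_noresume "$1"; then
        echo "noresume is set: the saved image would be skipped"; return 2
    fi
    kind=$(swap_type "$2" "$dev")
    [ -n "$kind" ] || { echo "$dev is not an active swap area"; return 3; }
    [ "$kind" = "partition" ] || { echo "$dev is a swap $kind, not a partition"; return 4; }
    echo "ok: resume=$dev is an active swap partition"
}

# Constructed sample data (not taken from a real machine).
sample=$(mktemp -d)
printf 'root=/dev/hda1 ro resume=/dev/hda2\n' > "$sample/cmdline"
printf 'Filename Type Size Used Priority\n/dev/hda2 partition 1048568 0 -1\n' > "$sample/swaps"
check_resume_setup "$sample/cmdline" "$sample/swaps"
rm -rf "$sample"
```
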
Q: If my application(s) causes lots of memory & swap space to be used
(over half of the total system RAM), is it correct that it is likely
to be useless to try to suspend to disk while that app is running?

A: No, it should work okay, as long as your app does not mlock()
it. Just prepare big enough swap partition.

Q: What information is useful for debugging suspend-to-disk problems?

A: Well, the last messages on the screen are always useful. If something
is broken, it is usually some kernel driver, therefore trying with as
few modules loaded as possible helps a lot. I also prefer people to
suspend from console, preferably without X running. Booting with
init=/bin/bash, then swapon and starting the suspend sequence manually
usually does the trick. Then it is a good idea to try with the latest
vanilla kernel.