Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / core / 02530649585c94306e3d0eb3c1282177140e2ba9^1..02530649585c94306e3d0eb3c1282177140e2ba9 / .
commit02530649585c94306e3d0eb3c1282177140e2ba9[log] [tgz]
authorMartijn Coenen <maco@google.com>Mon Dec 07 15:27:05 2020 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Mon Dec 07 15:27:05 2020 +0000
treeb736bc7e860bb95e11ddd09bc4b7df2765d11c67
parent1d0a800951be3505606773adda488a58e2218caf [diff]
parent5152e1f862826ea44a4784ec974cbe5b841973eb [diff]
Merge "Split fsverity_init in two phases." am: cd91f86618 am: b7ab0c71a1 am: 5152e1f862

Original change: https://android-review.googlesource.com/c/platform/system/core/+/1513212

Change-Id: Id01798e8c9c2aea01dce532e2d1f2b22cec92d61

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 2de066d..de608b1 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -612,6 +612,9 @@
     # HALs required before storage encryption can get unlocked (FBE/FDE)
     class_start early_hal
 
+    # Load trusted keys from dm-verity protected partitions
+    exec -- /system/bin/fsverity_init --load-verified-keys
+
 on post-fs-data
     mark_post_data
 
@@ -853,6 +856,9 @@
     wait_for_prop apexd.status activated
     perform_apex_config
 
+    # Lock the fs-verity keyring, so no more keys can be added
+    exec -- /system/bin/fsverity_init --lock
+
     # After apexes are mounted, tell keymaster early boot has ended, so it will
     # stop allowing use of early-boot keys
     exec - system system -- /system/bin/vdc keymaster earlyBootEnded
@@ -1034,9 +1040,6 @@
 
     class_start core
 
-    # Requires keystore (currently a core service) to be ready first.
-    exec -- /system/bin/fsverity_init
-
 on nonencrypted
     class_start main
     class_start late_start