Merge "Split fsverity_init in two phases." am: cd91f86618 am: b7ab0c71a1 am: 5152e1f862
Original change: https://android-review.googlesource.com/c/platform/system/core/+/1513212
Change-Id: Id01798e8c9c2aea01dce532e2d1f2b22cec92d61
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 2de066d..de608b1 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -612,6 +612,9 @@
# HALs required before storage encryption can get unlocked (FBE/FDE)
class_start early_hal
+ # Load trusted keys from dm-verity protected partitions
+ exec -- /system/bin/fsverity_init --load-verified-keys
+
on post-fs-data
mark_post_data
@@ -853,6 +856,9 @@
wait_for_prop apexd.status activated
perform_apex_config
+ # Lock the fs-verity keyring, so no more keys can be added
+ exec -- /system/bin/fsverity_init --lock
+
# After apexes are mounted, tell keymaster early boot has ended, so it will
# stop allowing use of early-boot keys
exec - system system -- /system/bin/vdc keymaster earlyBootEnded
@@ -1034,9 +1040,6 @@
class_start core
- # Requires keystore (currently a core service) to be ready first.
- exec -- /system/bin/fsverity_init
-
on nonencrypted
class_start main
class_start late_start