author | Martijn Coenen <maco@google.com> | 2020-12-07 14:10:20 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-12-07 14:10:20 +0000 |
commit | b7ab0c71a1eaa8d999aa87b8902deb8082dde041 (patch) | |
tree | 12b87407390f107f94bfdcff22f93853462c4ed7 | |
parent | f92fe9ae13f7176ff3532f62cc1d5e3eaa82edfa (diff) | |
parent | cd91f866180106de7e4acda2e3245d2012f36df5 (diff) | |
Merge "Split fsverity_init in two phases." am: cd91f86618
Original change: https://android-review.googlesource.com/c/platform/system/core/+/1513212
Change-Id: I6a5d18d3023de35754f33097b4e3373d06ffa3ef
-rw-r--r-- | rootdir/init.rc | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 2de066de4..de608b164 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -612,6 +612,9 @@ on late-fs
 # HALs required before storage encryption can get unlocked (FBE/FDE)
 class_start early_hal
+ # Load trusted keys from dm-verity protected partitions
+ exec -- /system/bin/fsverity_init --load-verified-keys
+
 on post-fs-data
 mark_post_data
@@ -853,6 +856,9 @@ on post-fs-data
 wait_for_prop apexd.status activated
 perform_apex_config
+ # Lock the fs-verity keyring, so no more keys can be added
+ exec -- /system/bin/fsverity_init --lock
+
 # After apexes are mounted, tell keymaster early boot has ended, so it will
 # stop allowing use of early-boot keys
 exec - system system -- /system/bin/vdc keymaster earlyBootEnded
@@ -1034,9 +1040,6 @@ on boot
 class_start core
- # Requires keystore (currently a core service) to be ready first.
- exec -- /system/bin/fsverity_init
-
 on nonencrypted
 class_start main
 class_start late_start |
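Review bot: The `--load-verified-keys` step added under `on late-fs` runs before `class_start core`, yet the comment removed from `on boot` in the last hunk said fsverity_init required keystore (a core service) to be ready first. The fsverity_init source is not part of this diff, so whether the load phase still depends on keystore cannot be checked from here. If it no longer does, the new comment should record that, for example `# Reads keys only from verity-protected partitions; does not depend on keystore`. The `on late-fs` block starts outside the hunk.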
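Review bot: Nothing at the added `--lock` line in `on post-fs-data` says what happens if the lock step fails. As far as I know, init only logs a non-zero exit from `exec` and carries on booting, which would leave the fs-verity keyring accepting new keys for the rest of the boot. It is worth confirming that fsverity_init treats a failed lock as fatal, and saying so in the comment, e.g. `# Must not fail: an unlocked keyring still accepts keys once /data is in use`. The comment could also state why the lock is deferred until after `perform_apex_config`, so a later reader can judge how long the keyring stays open between the two phases. The `on post-fs-data` block starts and ends outside the hunk.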