Add standalone binary to verify CompOs keys.
This is intended to be executed by odsign, to replace the existing
verifyCompOsKey() function along with all of FakeCompOs.
It checks that we have an existing image file, private key blob and
public key, starts the VM from the image and gets it to verify the key
pair.
Either the current instance or the pending one can be checked. If
verification succeeds the execution returns success, and if it was the
pending instance it is moved to replace the previous current one. If
verification fails the directory and all the files in it are deleted.
This is based on the logic in verifyCompOsKey() and also the code in
compos_key_cmd, converted from C++ to Rust and productionized
somewhat, and various existing Rust tools.
Still to do: changes to odsign to run this, along with required
sepolicy; extract some of the code to a common library (I'll do that
when I have the second use case); use onPayloadReady().
Bug: 193603140
Test: Manual, in various success & failure situations
Change-Id: Ie126e1ead75c695dc2d193bdcf4edf11dac7f7fc
diff --git a/compos/apex/Android.bp b/compos/apex/Android.bp
index 5b21802..853b9f4 100644
--- a/compos/apex/Android.bp
+++ b/compos/apex/Android.bp
@@ -39,6 +39,7 @@
binaries: [
"compos_key_cmd",
+ "compos_verify_key",
"compsvc",
"pvm_exec",
],