Initialize fs-verity keys in shell script This gives us two benefits: - Better compatibility to keyctl(1), which doesn't have "dadd" - Pave the way to specify key's security labels, since keyctl(1) doesn't support, and we want to avoid adding incompatible option. Test: See keys loaded in /proc/keys Bug: 128607724 Change-Id: Ia45f6e9dea80d037c0820cf1fd2bc9d7c8bb6302

commit: 59183120c29e5e2747222b24de09484b7cd8cf17 [log] [tgz]
author: Victor Hsieh <victorhsieh@google.com> Wed Mar 20 15:52:45 2019 -0700
committer: Victor Hsieh <victorhsieh@google.com> Fri Mar 22 09:18:00 2019 -0700
tree: e95aee4f80ae6f695c3b51cc9c0bf1d702d7c92b
parent: b4ef0beb990d02600cad57096bcd20c9d646c8fa [diff] [blame]
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 8e63a81..fec1e68 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -420,12 +420,7 @@
 
     # Load fsverity keys. This needs to happen before apexd, as post-install of
     # APEXes may rely on keys.
-    exec -- /system/bin/mini-keyctl dadd asymmetric product_cert /product/etc/security/cacerts_fsverity .fs-verity
-    exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
-    # Prevent future key links to fsverity keyring
-    exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
-    # Enforce fsverity signature checking
-    write /proc/sys/fs/verity/require_signatures 1
+    exec -- /system/bin/fsverity_init
 
     # Make sure that apexd is started in the default namespace
     enter_default_mount_ns
commit	59183120c29e5e2747222b24de09484b7cd8cf17	[log] [tgz]
author	Victor Hsieh <victorhsieh@google.com>	Wed Mar 20 15:52:45 2019 -0700
committer	Victor Hsieh <victorhsieh@google.com>	Fri Mar 22 09:18:00 2019 -0700
tree	e95aee4f80ae6f695c3b51cc9c0bf1d702d7c92b
parent	b4ef0beb990d02600cad57096bcd20c9d646c8fa [diff] [blame]