Stop reading fs-verity certificate from keystore
We punting support for extra certificate to S.
Test: boot
Bug: 112038744
Change-Id: I3bc342a7df0c47c02494ef6fdae24e7ad00a8507
diff --git a/fsverity_init/Android.bp b/fsverity_init/Android.bp
index 407849d..3c9ade0 100644
--- a/fsverity_init/Android.bp
+++ b/fsverity_init/Android.bp
@@ -9,7 +9,6 @@
],
shared_libs: [
"libbase",
- "libkeystore_binder",
"libkeyutils",
"liblog",
"liblogwrap",
diff --git a/fsverity_init/fsverity_init.cpp b/fsverity_init/fsverity_init.cpp
index 7052375..e2a8bf7 100644
--- a/fsverity_init/fsverity_init.cpp
+++ b/fsverity_init/fsverity_init.cpp
@@ -19,20 +19,14 @@
#include <sys/types.h>
#include <filesystem>
-#include <memory>
#include <string>
-#include <vector>
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android-base/strings.h>
-#include <keystore/keystore_client.h>
-#include <keystore/keystore_client_impl.h>
-#include <keystore/keystore_get.h>
#include <log/log.h>
#include <mini_keyctl_utils.h>
-#include <private/android_filesystem_config.h>
bool LoadKeyToKeyring(key_serial_t keyring_id, const char* desc, const char* data, size_t size) {
key_serial_t key = add_key("asymmetric", desc, data, size, keyring_id);
@@ -61,31 +55,6 @@
}
}
-std::unique_ptr<keystore::KeystoreClient> CreateKeystoreInstance() {
- return std::unique_ptr<keystore::KeystoreClient>(
- static_cast<keystore::KeystoreClient*>(new keystore::KeystoreClientImpl));
-}
-
-void LoadKeysFromKeystore(key_serial_t keyring_id) {
- auto client = CreateKeystoreInstance();
-
- std::vector<std::string> aliases;
- if (client == nullptr || !client->listKeysOfUid("FSV_", AID_FSVERITY_CERT, &aliases)) {
- LOG(ERROR) << "Failed to list key";
- return;
- }
-
- // Always try to load all keys even if some fails to load. The rest may still
- // be important to have.
- for (auto& alias : aliases) {
- auto blob = client->getKey(alias, AID_FSVERITY_CERT);
- if (!LoadKeyToKeyring(keyring_id, "fsv_user", reinterpret_cast<char*>(blob->data()),
- blob->size())) {
- LOG(ERROR) << "Failed to load key " << alias << " from keyring";
- }
- }
-}
-
int main(int /*argc*/, const char** /*argv*/) {
key_serial_t keyring_id = android::GetKeyringId(".fs-verity");
if (keyring_id < 0) {
@@ -100,7 +69,6 @@
}
LoadKeyFromVerifiedPartitions(keyring_id);
- LoadKeysFromKeystore(keyring_id);
if (!android::base::GetBoolProperty("ro.debuggable", false)) {
if (keyctl_restrict_keyring(keyring_id, nullptr, nullptr) < 0) {
diff --git a/keystore/permissions.cpp b/keystore/permissions.cpp
index 8b9e28d..2cd42cf 100644
--- a/keystore/permissions.cpp
+++ b/keystore/permissions.cpp
@@ -57,8 +57,6 @@
user_euid user_euids[] = {{AID_VPN, AID_SYSTEM},
{AID_WIFI, AID_SYSTEM},
{AID_ROOT, AID_SYSTEM},
- {AID_FSVERITY_CERT, AID_ROOT},
- {AID_FSVERITY_CERT, AID_SYSTEM},
#ifdef GRANT_ROOT_ALL_PERMISSIONS
// Allow VTS tests to act on behalf of the wifi user