
Commit 66fc7eb1 authored by Xiaoyong Zhou

Enable fsverity signature checking

This CL enables fsverity signature checking.

Bug: 112038861
Test: cat /proc/sys/fs/verity/require_signatures -> 1
Change-Id: I57aaf6094aa503bdcac93306cafd7f71f202e711
parent 830f8372
+2 −0
@@ -424,6 +424,8 @@ on post-fs-data
    exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
    exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
    # Prevent future key links to fsverity keyring
    # Prevent future key links to fsverity keyring
    exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
    exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
    # Enforce fsverity signature checking
    write /proc/sys/fs/verity/require_signatures 1


    # Make sure that apexd is started in the default namespace
    # Make sure that apexd is started in the default namespace
    enter_default_mount_ns
    enter_default_mount_ns
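
Review bot: the added `write /proc/sys/fs/verity/require_signatures 1` is unconditional, and nothing in this hunk confirms that it took effect. If the node is absent (a kernel built without fs-verity built-in signature support), the write cannot succeed and enforcement stays off, so a logged failure or a follow-up check would be more reliable than the manual `cat` in the Test line. Please also extend the `# Enforce fsverity signature checking` comment to say that the write must stay after the `mini-keyctl dadd` and `restrict_keyring` lines: once the value is 1, only files signed by a key already in `.fs-verity` can have verity enabled, and the restricted keyring can no longer be extended.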