Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 7acaea67 authored by Eric Biggers's avatar Eric Biggers
Browse files

init.rc: stop calling 'fsverity_init --load-verified-keys' 

Since Android 14, Android does not use fsverity builtin signatures.
(fsverity remains supported, but signatures are verified in userspace,
or fsverity is used for integrity-only use cases.)  Therefore, the only
reason to still run 'fsverity_init --load-verified-keys' at boot time is
to ensure that old files can still be opened, if:

- They were created by Android 13 or earlier, with an fsverity builtin
  signature by a key in /{system,product}/etc/security/fsverity/.

- *And*, the kernel still has CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y.

However, it appears that this isn't actually needed anymore.  Only two
features could potentially be affected: APK verity and updatable fonts.
APK verity wasn't widely rolled out before being disabled, and updatable
fonts have recovery logic in place for when the files cannot be opened.
And in any case, disabling CONFIG_FS_VERITY_BUILTIN_SIGNATURES in the
kernel is recommended and would avoid any problem.

Bug: 290064770
Test: presubmit
Change-Id: I3376c3f0b4b9bd4ba2fd614259522be0c1daafb6
parent 72c3ca16
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment