Revert "Set earlyBootEnded before apex starts"

    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    start lmkd

    # Set an initial boot level - start at 10 in case we need to add earlier ones.

    setprop keystore.boot_level 10

    # Start essential services.

    start servicemanager

    start hwservicemanager

    write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1

on post-fs-data

    # Boot level 30 - at this point daemons like apexd and odsign run

    setprop keystore.boot_level 30

    mark_post_data

    mkdir /data/bootchart 0755 shell shell encryption=Require

    bootchart start

    # Avoid predictable entropy pool. Carry over entropy from previous boot.

    copy /data/system/entropy.dat /dev/urandom

    mkdir /data/vendor 0771 root root encryption=Require

    mkdir /data/vendor_ce 0771 root root encryption=None

    mkdir /data/vendor_de 0771 root root encryption=None

    # Make sure that apexd is started in the default namespace

    enter_default_mount_ns

    # set up keystore directory structure first so that we can end early boot

    # and start apexd

    mkdir /data/misc 01771 system misc encryption=Require

    mkdir /data/misc/keystore 0700 keystore keystore

    # Boot level 30

    # odsign signing keys have MAX_BOOT_LEVEL=30

    # This is currently the earliest boot level, but we start at 30

    # to leave room for earlier levels.

    setprop keystore.boot_level 30

    # Now that /data is mounted and we have created /data/misc/keystore,

    # we can tell keystore to stop allowing use of early-boot keys,

    # and access its database for the first time to support creation and

    # use of MAX_BOOT_LEVEL keys.

    exec - system system -- /system/bin/vdc keymaster earlyBootEnded

    # /data/apex is now available. Start apexd to scan and activate APEXes.

    mkdir /data/apex 0755 root system encryption=None

    mkdir /data/apex/active 0755 root system

    mkdir /data/apex/ota_reserved 0700 root system encryption=Require

    start apexd

    # create rest of basic filesystem structure

    # Avoid predictable entropy pool. Carry over entropy from previous boot.

    copy /data/system/entropy.dat /dev/urandom

    # create basic filesystem structure

    mkdir /data/misc 01771 system misc encryption=Require

    mkdir /data/misc/recovery 0770 system log

    copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1

    chmod 0440 /data/misc/recovery/ro.build.fingerprint.1

    mkdir /data/misc/nfc 0770 nfc nfc

    mkdir /data/misc/nfc/logs 0770 nfc nfc

    mkdir /data/misc/credstore 0700 credstore credstore

    mkdir /data/misc/keystore 0700 keystore keystore

    mkdir /data/misc/gatekeeper 0700 system system

    mkdir /data/misc/keychain 0771 system system

    mkdir /data/misc/net 0750 root shell

    # odsign to be done with the key

    wait_for_prop odsign.key.done 1

    # After apexes are mounted, tell keymaster early boot has ended, so it will

    # stop allowing use of early-boot keys

    exec - system system -- /system/bin/vdc keymaster earlyBootEnded

    # Lock the fs-verity keyring, so no more keys can be added

    exec -- /system/bin/fsverity_init --lock

    # Bump the boot level to 1000000000; this prevents further on-device signing.

    # This is a special value that shuts down the thread which listens for

    # further updates.

    setprop keystore.boot_level 1000000000

    setprop keystore.boot_level 40

    # Allow apexd to snapshot and restore device encrypted apex data in the case

    # of a rollback. This should be done immediately after DE_user data keys