Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e94b3663 authored by Martijn Coenen's avatar Martijn Coenen
Browse files

Add some keystore boot levels.

The first user of keystore boot levels is on-device signing; transition
the boot level to 30 before running the post-fs data hook, and
transition it to 40 right after on-device signing is done. This leaves
some space for future boot levels to be inserted, if we wanted.

Bug: 165630556
Test: inspect logs
Change-Id: If0a74cbe9ea8fce806020d8a42a978cfb9117ded
parent 75a2bba1
Loading
Loading
Loading
Loading
+5 −0
Original line number Diff line number Diff line
@@ -621,6 +621,9 @@ on late-fs
    exec -- /system/bin/fsverity_init --load-verified-keys

on post-fs-data
    # Boot level 30 - at this point daemons like apexd and odsign run
    setprop keystore.boot_level 30

    mark_post_data

    # Start checkpoint before we touch data
@@ -899,6 +902,8 @@ on post-fs-data
    # Lock the fs-verity keyring, so no more keys can be added
    exec -- /system/bin/fsverity_init --lock

    setprop keystore.boot_level 40

    # Allow apexd to snapshot and restore device encrypted apex data in the case
    # of a rollback. This should be done immediately after DE_user data keys
    # are loaded. APEXes should not access this data until this has been