From 79a67391bde590704c199a8567661ad130c4d90e Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Thu, 6 Jul 2023 17:27:46 +0000 Subject: [PATCH] init.rc: stop using fsverity_init --lock Remove the code that "locked" the .fs-verity keyring at a certain point in the boot. It probably was thought that this achieved some useful security property, which is a bit questionable. Regardless, Android no longer uses fsverity builtin signatures. The only code that is still being kept around is enough to access existing files on old kernels, and for this "locking" the keyring is definitely not essential. Bug: 290064770 Test: presubmit and booting Cuttlefish Change-Id: Ide5729aeac5772658b2a3f0abe835988b8842b02 --- rootdir/init.rc | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/rootdir/init.rc b/rootdir/init.rc index a8b78d5d8..3d45df249 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc @@ -1021,13 +1021,9 @@ on post-fs-data # Must start after 'derive_classpath' to have *CLASSPATH variables set. start odsign - # Before we can lock keys and proceed to the next boot stage, wait for - # odsign to be done with the key + # Wait for odsign to be done with the key. wait_for_prop odsign.key.done 1 - # Lock the fs-verity keyring, so no more keys can be added - exec -- /system/bin/fsverity_init --lock - # Bump the boot level to 1000000000; this prevents further on-device signing. # This is a special value that shuts down the thread which listens for # further updates.
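Review bot: The reworded comment above `wait_for_prop odsign.key.done 1` no longer says what the wait is gating. With the `fsverity_init --lock` exec removed, the next step shown in the context lines is the boot level bump to 1000000000, which "prevents further on-device signing". If that bump is now the reason the wait has to stay, say so in the comment, for example "Wait for odsign to be done with the key before bumping the boot level." Otherwise a later cleanup could reasonably read the wait as a leftover of the removed lock step and drop it. Separately, the commit message calls the locking "a bit questionable" and "definitely not essential" without saying why. A sentence on what the lock was expected to protect on the old kernels that still use the .fs-verity keyring, and why leaving that keyring open to new keys after this point in boot is acceptable there, would let a reviewer check the security reasoning from the change itself.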