From 88da3c4943af7a73ab32d7417b0a1aff3c3fbdda Mon Sep 17 00:00:00 2001
From: Victor Hsieh
Date: Mon, 26 Aug 2019 11:22:46 -0700
Subject: [PATCH] Delete fsverity_init.sh for the C++ implementation

Test: fsverity keys are still loaded
Bug: 112038744
Change-Id: I0503ba6bfb7008872e30c1b5052b46d77b2b91d4
---
 rootdir/Android.mk | 9 ---------
 rootdir/fsverity_init.sh | 32 --------------------------------
 2 files changed, 41 deletions(-)
 delete mode 100644 rootdir/fsverity_init.sh
diff --git a/rootdir/Android.mk b/rootdir/Android.mk
index 455905048..8045abe79 100644
--- a/rootdir/Android.mk
+++ b/rootdir/Android.mk
@@ -57,15 +57,6 @@ endif
 endif
-#######################################
-# fsverity_init
-
-include $(CLEAR_VARS)
-LOCAL_MODULE:= fsverity_init
-LOCAL_MODULE_CLASS := EXECUTABLES
-LOCAL_SRC_FILES := fsverity_init.sh
-include $(BUILD_PREBUILT)
-
 #######################################
 # init.environ.rc
diff --git a/rootdir/fsverity_init.sh b/rootdir/fsverity_init.sh
deleted file mode 100644
index 4fee15fb3..000000000
--- a/rootdir/fsverity_init.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/system/bin/sh
-#
-# Copyright (C) 2019 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Enforce fsverity signature checking
-echo 1 > /proc/sys/fs/verity/require_signatures
-
-# Load all keys
-for cert in /product/etc/security/fsverity/*.der; do
- /system/bin/mini-keyctl padd asymmetric fsv_product .fs-verity < "$cert" ||
- log -p e -t fsverity_init "Failed to load $cert"
-done
-
-DEBUGGABLE=$(getprop ro.debuggable)
-if [ $DEBUGGABLE != "1" ]; then
- # Prevent future key links to .fs-verity keyring
- /system/bin/mini-keyctl restrict_keyring .fs-verity ||
- log -p e -t fsverity_init "Failed to restrict .fs-verity keyring"
-fi