Merge "Enable fsverity signature checking"

2019-03-19 16:40:48 +00:00 · 2019-03-19 16:40:48 +00:00 · aaee497db2
commit aaee497db2
parent d503239292 66fc7eb195
1 changed files with 2 additions and 0 deletions
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@ -424,6 +424,8 @@ on post-fs-data
    exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
    # Prevent future key links to fsverity keyring
    exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
+    # Enforce fsverity signature checking
+    write /proc/sys/fs/verity/require_signatures 1

    # Make sure that apexd is started in the default namespace
    enter_default_mount_ns