tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
2739 commits 1 branch 0 tags 12 MiB
Commit graph

4 commits

Author SHA1 Message Date
Martijn Coenen
0aeee3d632 Split fsverity_init in multiple phases. 
Soon we'll have a need for multiple fs-verity keys in the keyring; we
need a central place to manage the keys, as well as restrict the
keyring. fsverity_init makes most sense for this.

Allow fsverity_init to be called in 3 different ways:
--load-verified-keys: loads preloaded keys from trusted partitions
--load-extra-key: loads an additional key passed in from stdin; the key
name is given as an argument.
--lock: locks the keyring, and prevents new keys from being loaded

Bug: 165630556
Test: boot, cat /proc/keys/
Change-Id: I758e49a5c4229edc531d01ac2e8873a22a1da73e
 2020-12-03 10:03:17 +01:00
Victor Hsieh
753ac2a34b Also load fs-verity cert from /system/etc/security/fsverity/ 
Bug: 153112812
Test: able to use the new cert after reboot
Change-Id: I01085913f81898592a3a1edcaa97aff6dc8ac89c
 2020-04-03 15:30:09 -07:00
Victor Hsieh
2bcd5376ec Stop reading fs-verity certificate from keystore 
We punting support for extra certificate to S.

Test: boot
Bug: 112038744
Change-Id: I3bc342a7df0c47c02494ef6fdae24e7ad00a8507
 2020-02-26 12:39:15 -08:00
Victor Hsieh
d0a4b202a4 Rewrite fsverity_init in C++ and load keys from keystore 
Test: still see keys loaded from /product appears in /proc/keys
Test: Add X.509 DER cert files to keystore, see the key in
      /proc/keys after reboot
Bug: 112038744
Change-Id: I08006d8befa69e4bf416a2bed9e1813725877147
 2019-09-25 09:52:19 -07:00