Merge "Enable fsverity signature checking" am: aaee497db2
am: 0d8d105e32

Change-Id: I01ddf98d6d66f6e9c2490b919059c67432f33878
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0e96163..8e63a81 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -424,6 +424,8 @@
     exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
     # Prevent future key links to fsverity keyring
     exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
+    # Enforce fsverity signature checking
+    write /proc/sys/fs/verity/require_signatures 1
 
     # Make sure that apexd is started in the default namespace
     enter_default_mount_ns
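Review bot: The added `write /proc/sys/fs/verity/require_signatures 1` appears to fail open. As far as I know, init's `write` only logs an error and continues, so on a kernel built without fs-verity built-in signature support the sysctl file is absent and boot proceeds with signatures unenforced. If enforcement is a requirement, the result should be verified or recorded where a later stage can check it, because nothing in the hunk does that. The comment could also state the consequence, e.g. `# Enforce fsverity signature checking: verity can only be enabled on files signed by a key in .fs-verity`, since this makes the `mini-keyctl dadd` key loading above a hard dependency. The enclosing `on` section starts outside the hunk.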