Ensure update_verifier run before zygote

Currently zygote is started early for FBE device but update_verifier is run later
which creates a potential risk. This CL ensures update_verifier run before
zygote touches anything within data/ partition. With this change, we also start zygote
early for unencrypted/unsupported encryption state device.

Bug: 37543411
Test: marlin boots

(cherry picked from commit 5dc05effec)

Change-Id: I97cde0c20f74b1b17c995d84c2e31c86fe006395

rootdir/init.rc

@@ -498,13 +498,28 @@ on post-fs-data
     # Set indication (checked by vold) that we have finished this action
     #setprop vold.post_fs_data_done 1
 
-# This trigger will be triggered before 'zygote-start' since there is no zygote-start defined in
-# current init.rc. It is recommended to put unnecessary data/ initialization from post-fs-data
-# to start-zygote to unblock zygote start.
+# It is recommended to put unnecessary data/ initialization from post-fs-data
+# to start-zygote in device's init.rc to unblock zygote start.
+on zygote-start && property:ro.crypto.state=unencrypted
+    # A/B update verifier that marks a successful boot.
+    exec_start update_verifier_nonencrypted
+    start netd
+    start zygote
+    start zygote_secondary
+
+on zygote-start && property:ro.crypto.state=unsupported
+    # A/B update verifier that marks a successful boot.
+    exec_start update_verifier_nonencrypted
+    start netd
+    start zygote
+    start zygote_secondary
+
 on zygote-start && property:ro.crypto.state=encrypted && property:ro.crypto.type=file
-   start netd
-   start zygote
-   start zygote_secondary
+    # A/B update verifier that marks a successful boot.
+    exec_start update_verifier_nonencrypted
+    start netd
+    start zygote
+    start zygote_secondary
 
 on boot
     # basic network init
@@ -603,8 +618,6 @@ on boot
     class_start core
 
 on nonencrypted
-    # A/B update verifier that marks a successful boot.
-    exec_start update_verifier_nonencrypted
     class_start main
     class_start late_start