From 66fc7eb195820d9e8e6649495e51b738d41924a5 Mon Sep 17 00:00:00 2001
From: Xiaoyong Zhou
Date: Mon, 18 Mar 2019 14:28:18 -0700
Subject: [PATCH] Enable fsverity signature checking

This CL enable fsverity signature checking.

Bug: 112038861
Test: cat /proc/sys/fs/verity/require_signatures -> 1
Change-Id: I57aaf6094aa503bdcac93306cafd7f71f202e711
---
 rootdir/init.rc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0e961631b..8e63a819c 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -424,6 +424,8 @@ on post-fs-data
 exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
 # Prevent future key links to fsverity keyring
 exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
+ # Enforce fsverity signature checking
+ write /proc/sys/fs/verity/require_signatures 1
 # Make sure that apexd is started in the default namespace
 enter_default_mount_ns
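Review bot: The new `write /proc/sys/fs/verity/require_signatures 1` sits directly after the `mini-keyctl` key load and `restrict_keyring` steps, but the comment does not say that this position is deliberate or what happens if those `exec` steps fail. As far as the hunk shows, the write runs regardless of their outcome, so a device whose keyring ended up empty would enforce signatures with no trusted key; that fails closed, which is worth stating. I would extend the comment to something like `# Enforce fsverity signature checking. Keep after the key load and restrict_keyring above; with an empty keyring, fs-verity setup is expected to fail closed.` As far as I know this sysctl is an ordinary root-writable 0/1 value rather than a one-way latch, so enforcement also depends on SELinux policy denying later writes to this proc node; that policy is not visible here and should be confirmed. The `on post-fs-data` block starts and ends outside the hunk.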