| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Add fs-verity certficates required for ARCVM" |
| author "chromium-os-dev@chromium.org" |
| |
| # We only needs to load the certificates once per boot, since .fs-verity keyring |
| # is a singleton in the kernel. Also, the task need to finish before /data can |
| # be used. |
| start on starting system-services |
| |
| # The task is short-lived and must not be interrupted during the execution. |
| oom score never |
| task |
| |
| script |
| # Add certificates to the keyring only if the feature is enabled. |
| if [ -e /sys/fs/ext4/features/verity ]; then |
| # Add the CTS release certificate from AOSP. |
| keyctl padd asymmetric fsv-play %keyring:.fs-verity < \ |
| /usr/share/arcvm/fsverity-certs/fsverity-release.x509.der |
| |
| # Add the Play FSI certificate. |
| keyctl padd asymmetric fsv-cts %keyring:.fs-verity < \ |
| /usr/share/arcvm/fsverity-certs/play_store_fsi_cert.der |
| |
| # Since these are currently the only certificates in the whole OS, make the |
| # keyring restricted to accept no more certificates. |
| keyctl restrict_keyring %keyring:.fs-verity |
| fi |
| end script |
