# Copyright 2020 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Add fs-verity certificates required for ARCVM"
author ""
# We only need to load the certificates once per boot, since the .fs-verity
# keyring is a singleton in the kernel. Also, the task needs to finish before
# /data can be used.
start on starting system-services
task
# The task is short-lived and must not be interrupted during the execution.
oom score never
script
# Add certificates to the keyring only if the feature is enabled.
if [ -e /sys/fs/ext4/features/verity ]; then
# Add the CTS release certificate from AOSP.
keyctl padd asymmetric fsv-play %keyring:.fs-verity < \
# Add the Play FSI certificate.
keyctl padd asymmetric fsv-cts %keyring:.fs-verity < \
# Since these are currently the only certificates in the whole OS, make the
# keyring restricted to accept no more certificates.
keyctl restrict_keyring %keyring:.fs-verity
fi
end script