From d24991a26e94fa298bed8ff9d5f77b9e9cd4b7a7 Mon Sep 17 00:00:00 2001 From: Victor Hsieh Date: Fri, 3 Apr 2020 15:04:09 -0700 Subject: [PATCH] Add fsverity release cert The release cert helps verifying CTS in a release build. Bug: 153112812 Test: build, reboot, see a new key in /proc/keys Change-Id: I6d8f4af6b1b0c023b668e81b7a1c71c7583d93d9
---
 target/product/base_system.mk | 1 + target/product/security/Android.bp | 8 ++++++++ .../product/security/fsverity-release.x509.der | Bin 0 -> 1484 bytes 3 files changed, 9 insertions(+) create mode 100644 target/product/security/fsverity-release.x509.der
diff --git a/target/product/base_system.mk b/target/product/base_system.mk
index 434cbfcfd6..ddce7593f0 100644
--- a/target/product/base_system.mk
+++ b/target/product/base_system.mk
@@ -81,6 +81,7 @@ PRODUCT_PACKAGES += \
 framework-res \
 framework-sysconfig.xml \
 fsck_msdos \
+ fsverity-release-cert-der \
 fs_config_files_system \
 fs_config_dirs_system \
 group_system \
diff --git a/target/product/security/Android.bp b/target/product/security/Android.bp
index 080706b115..5f4f82b3e2 100644
--- a/target/product/security/Android.bp
+++ b/target/product/security/Android.bp
@@ -3,3 +3,11 @@ android_app_certificate {
 name: "aosp-testkey",
 certificate: "testkey",
 }
+
+// Google-owned certificate for CTS testing, since we can't trust arbitrary keys on release devices.
+prebuilt_etc {
+ name: "fsverity-release-cert-der",
+ src: "fsverity-release.x509.der",
+ sub_dir: "security/fsverity",
+ filename_from_src: true,
+}
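Review bot: The comment above `prebuilt_etc` names the owner of the certificate but not what the device trusts it for or how to check the checked-in blob, and `fsverity-release.x509.der` arrives as an opaque binary patch that cannot be read in review. Because the base_system.mk hunk adds `fsverity-release-cert-der` to `PRODUCT_PACKAGES`, the file is installed on every product that inherits that makefile, and the Test: line (a new key in /proc/keys) suggests it is loaded into a kernel keyring at boot, so it presumably acts as a trust anchor on release builds. I would extend the comment to something like `// Google-owned fs-verity certificate used by CTS on release builds; SHA-256 fingerprint: <fingerprint>, not after: <date>.` so the DER can be compared against the output of `openssl x509 -inform DER -in fsverity-release.x509.der -noout -fingerprint -sha256 -enddate`. It would also help to state in the comment or the description who holds the matching private key and what happens when the certificate expires, since neither is visible from this change.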
diff --git a/target/product/security/fsverity-release.x509.der b/target/product/security/fsverity-release.x509.der new file mode 100644 index 0000000000000000000000000000000000000000..cd8cd795cff8f420aa33249e1e67ef874ebe70c9 GIT binary patch literal 1484 zcmc)JdonvL9@ES)#&{*t((DN-8`6r@ zY8g=|#b6cX73CE%%;XU@sPz_GXf}WBp7xymfB(Fnd;hrSp6>lN`Hk1G4cqV#Dj?|7$_7a2LU7LC=ekJbA`*}0aq6~9#q;W zHsO&rejN76&~Pr>k4^*$8>oQCID|%VBmLN1vKyNbO(%exHynva*@cEOISld-+yGrV z4#aLK3a?GP)xk=fkA2+cX;+GE;Kj z@j0YrxGo~zRWzzNf3_k}LhEE}AF=0kV-ucG-a|{`x)dyBCmxt4bz9Y+FR9U4MUOwq zFEsOlGF1E1%&dtwm;5Ot|H+uj5D7Wi!*+0OkSg?XgVZdn$oC)j!J})iuSCvKkoM z_*RgZ@ZSUfe#)y`Q(=g?%KaMmFm06S-q0H2nMjq&BR0PvN!C!?5_PTwdQkrjQo%3`qG>Ra%-YdhC^cd@QzrWNh$0sT(5S)Ipp{ zev!VnoFtz8bkN&U+7S=t;Go=~wx&fT@^ZXkxpr63x#?UtOOht#@`!c$v$RcNmG^jo zE1hXW<$V%G`zlK1X$8VgPNG`PePLBmMsm~uD^xb>urTx~F#k}%pd+G}(0gfJ6vHbS zaj{sHmL2kHZ@i(meZ9@0XnJBFzMLSe&ih5O=KnfgW|3*N)0QN^2unvWtmm_`n%$O5 zOQ@5ToYqE%7bX%Fu7mag$y6+F+~BOh)7hf6#rFlx1{fABYIQ^m?#y`U>tJN=c8uSi z)C^Xk(;ZO)=1Z|dm(xwQ`juS%gGAg`21Po$@|=0%EwSh$taHcYRS$#nfu(yur@0ZO zH>`;9*=x;$Y*F|qq<3s>GHs2F1hdp}sgBNGoebVvt?7zSicIBu+3rhav#B}fxcdt{ zXIoj1>IbPYu1?g-#W=xX*smIU&6(77=R~E#3_UX9ne)8XO3qoKZ^LQQK=rn!R%|qN F`7e_TbKU>| literal 0 HcmV?d00001