The builtin keyring was exported prior to this which allowed
android-verity to simply lookup the key in the builtin keyring and
verify the signature of the verity metadata.
This is now broken as the kernel expects the signature to be
in pkcs#7 format (same used for module signing). Obviously, this doesn't
work with the verity metadata as we just append the raw signature in the
metadata .. sigh.
*This one time*, add an API to accept arbitrary signature and verify
that with a key from system's trusted keyring.
Bug: 72722987
Test:
$ adb push verity_fs.img /data/local/tmp/
$ adb root && adb shell
> cd /data/local/tmp
> losetup /dev/block/loop0 verity_fs.img
> dmctl create verity-fs android-verity 0 4200 Android:#7e4333f9bba00adfe0ede979e28ed1920492b40f 7:0
> mount -t ext4 /dev/block/dm-0 temp/
> cat temp/foo.txt temp/bar.txt
Change-Id: I0c14f3cb2b587b73a4c75907367769688756213e
Signed-off-by: Sandeep Patil <sspatil@google.com>
4c2a8d2ef8