From e94b36637dd2084a3a611dc45a87c5bea7408707 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Tue, 9 Mar 2021 10:57:00 +0100
Subject: [PATCH] Add some keystore boot levels.

The first user of keystore boot levels is on-device signing; transition
the boot level to 30 before running the post-fs data hook, and
transition it to 40 right after on-device signing is done. This leaves
some space for future boot levels to be inserted, if we wanted.

Bug: 165630556
Test: inspect logs
Change-Id: If0a74cbe9ea8fce806020d8a42a978cfb9117ded
---
 rootdir/init.rc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 04e954e31..6873bd97f 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -621,6 +621,9 @@ on late-fs
     exec -- /system/bin/fsverity_init --load-verified-keys
 
 on post-fs-data
+    # Boot level 30 - at this point daemons like apexd and odsign run
+    setprop keystore.boot_level 30
+
     mark_post_data
 
     # Start checkpoint before we touch data
@@ -899,6 +902,8 @@ on post-fs-data
     # Lock the fs-verity keyring, so no more keys can be added
     exec -- /system/bin/fsverity_init --lock
 
+    setprop keystore.boot_level 40
+
     # Allow apexd to snapshot and restore device encrypted apex data in the case
     # of a rollback. This should be done immediately after DE_user data keys
     # are loaded. APEXes should not access this data until this has been