ART: Add fsverity to ART preinstall

Add a pass that installs fsverity signatures into boot
classpath components.

Bug: 125474642
Test: m
Test: manual
Change-Id: I68c78deefd5a168e4f6f785f424e5e795d128f7e
diff --git a/build/apex/art_preinstall_hook_boot.sh b/build/apex/art_preinstall_hook_boot.sh
index 9656cc9..c462603 100644
--- a/build/apex/art_preinstall_hook_boot.sh
+++ b/build/apex/art_preinstall_hook_boot.sh
@@ -73,3 +73,8 @@
   --no-inline-from=core-oj.jar \
   --abort-on-hard-verifier-error \
   --force-determinism || { log_error "Dex2oat failed" ; exit 102 ; }
+
+FILES=`find /data/dalvik-cache/$DEX2OAT_TARGET_ARCH -type f`
+for FILE in $FILES ; do
+  setup_fsverity $FILE || exit 103
+done
diff --git a/build/apex/art_prepostinstall_utils.sh b/build/apex/art_prepostinstall_utils.sh
index b52b45e..bc21b76 100644
--- a/build/apex/art_prepostinstall_utils.sh
+++ b/build/apex/art_prepostinstall_utils.sh
@@ -47,3 +47,20 @@
   ARCHES=`echo $ARCHES | uniq`
   return 0
 }
+
+function setup_fsverity {
+  local file=$1
+  local signature_file="/apex/com.android.runtime.signatures/etc/$file.sig"
+  # Setup.
+  log -t art_apex "fsverity setup for $file"
+  SETUP_MSG=`fsverity setup $file --signature=$signature_file --hash=sha256 2>&1` || \
+    { log_error "Setup failed: $SETUP_MSG" ; return 300 ; }
+  # Enable.
+  log -t art_apex "fsverity enable for $file"
+  ENABLE_MSG=`fsverity enable $file 2>&1` || \
+    { log_error "Enable failed: $ENABLE_MSG" ; return 301 ; }
+  # Test integrity.
+  INTEGRITY_MSG=`dd if=$file of=/dev/null bs=4k 2>&1` || \
+    { log_error "Integrity failed: $INTEGRITY_MSG" ; return 302 ; }
+  return 0
+}