Add fsverity release cert
The release cert helps verifying CTS in a release build.
Bug: 153112812
Test: build, reboot, see a new key in /proc/keys
Change-Id: I6d8f4af6b1b0c023b668e81b7a1c71c7583d93d9
diff --git a/target/product/base_system.mk b/target/product/base_system.mk
index 434cbfc..ddce759 100644
--- a/target/product/base_system.mk
+++ b/target/product/base_system.mk
@@ -81,6 +81,7 @@
framework-res \
framework-sysconfig.xml \
fsck_msdos \
+ fsverity-release-cert-der \
fs_config_files_system \
fs_config_dirs_system \
group_system \
diff --git a/target/product/security/Android.bp b/target/product/security/Android.bp
index 080706b..5f4f82b 100644
--- a/target/product/security/Android.bp
+++ b/target/product/security/Android.bp
@@ -3,3 +3,11 @@
name: "aosp-testkey",
certificate: "testkey",
}
+
+// Google-owned certificate for CTS testing, since we can't trust arbitrary keys on release devices.
+prebuilt_etc {
+ name: "fsverity-release-cert-der",
+ src: "fsverity-release.x509.der",
+ sub_dir: "security/fsverity",
+ filename_from_src: true,
+}
diff --git a/target/product/security/fsverity-release.x509.der b/target/product/security/fsverity-release.x509.der
new file mode 100644
index 0000000..cd8cd79
--- /dev/null
+++ b/target/product/security/fsverity-release.x509.der
Binary files differ
