3 files changed, 14 insertions, 0 deletions

diff --git a/fs_mgr/fs_mgr_fstab.cpp b/fs_mgr/fs_mgr_fstab.cpp
index 48ddf29e8..10e70d6e5 100644
--- a/fs_mgr/fs_mgr_fstab.cpp
+++ b/fs_mgr/fs_mgr_fstab.cpp
@@ -557,6 +557,11 @@ int fs_mgr_is_verified(const struct fstab_rec *fstab)
     return fstab->fs_mgr_flags & MF_VERIFY;
 }
 
+int fs_mgr_is_verifyatboot(const struct fstab_rec *fstab)
+{
+    return fstab->fs_mgr_flags & MF_VERIFYATBOOT;
+}
+
 int fs_mgr_is_encryptable(const struct fstab_rec *fstab)
 {
     return fstab->fs_mgr_flags & (MF_CRYPT | MF_FORCECRYPT | MF_FORCEFDEORFBE);
diff --git a/fs_mgr/include/fs_mgr.h b/fs_mgr/include/fs_mgr.h
index 7b389cd1c..0402b5593 100644
--- a/fs_mgr/include/fs_mgr.h
+++ b/fs_mgr/include/fs_mgr.h
@@ -117,6 +117,7 @@ struct fstab_rec *fs_mgr_get_entry_for_mount_point(struct fstab *fstab, const ch
 int fs_mgr_is_voldmanaged(const struct fstab_rec *fstab);
 int fs_mgr_is_nonremovable(const struct fstab_rec *fstab);
 int fs_mgr_is_verified(const struct fstab_rec *fstab);
+int fs_mgr_is_verifyatboot(const struct fstab_rec *fstab);
 int fs_mgr_is_encryptable(const struct fstab_rec *fstab);
 int fs_mgr_is_file_encrypted(const struct fstab_rec *fstab);
 const char* fs_mgr_get_file_encryption_mode(const struct fstab_rec *fstab);
diff --git a/init/init.cpp b/init/init.cpp
index 702186cfa..2399f5c6f 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -799,6 +799,14 @@ static bool early_mount() {
         return true;
     }
 
+    // don't allow verifyatboot for early mounted partitions
+    if ((odm_rec && fs_mgr_is_verifyatboot(odm_rec)) ||
+        (system_rec && fs_mgr_is_verifyatboot(system_rec)) ||
+        (vendor_rec && fs_mgr_is_verifyatboot(vendor_rec))) {
+        LOG(ERROR) << "Early mount partitions can't be verified at boot";
+        return false;
+    }
+
     // assume A/B device if we find 'slotselect' in any fstab entry
     bool is_ab = ((odm_rec && fs_mgr_is_slotselect(odm_rec)) ||
                   (system_rec && fs_mgr_is_slotselect(system_rec)) ||