Actually enforce AVB + signing fixes

- Turns out AVB was set permissive this entire time :(
  --flags 2 == VERIFICATION_DISABLED
- APEX support from GrapheneOS
- Disable vbmeta chaining like GrapheneOS
  and optionally handle it like CalyxOS

taimen 19.1 boots with locked bootloader successfully after this

Signed-off-by: Tad <tad@spotco.us>

Scripts/Common/Enable_Verity.sh

@@ -35,9 +35,20 @@ export -f enableVerity;
 enableAVB() {
 	if [ -d "$DOS_BUILD_BASE/$1" ]; then
 		cd "$DOS_BUILD_BASE/$1";
-		sed -i 's/--set_hashtree_disabled_flag//' *.mk &>/dev/null || true;
-		sed -i 's/AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 3/AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/' *.mk &>/dev/null || true;
-		#TODO: investigate BOARD_AVB_RECOVERY_KEY_PATH
+		awk -i inplace '!/AVB_MAKE_VBMETA_IMAGE_ARGS += --set_hashtree_disabled_flag/' *.mk &>/dev/null || true;
+		awk -i inplace '!/AVB_MAKE_VBMETA_IMAGE_ARGS += --flag/' *.mk &>/dev/null || true;
+		#Disable chaining
+		if [ "$DOS_SIGNING_NOCHAIN" = true ]; then
+			awk -i inplace '!/BOARD_AVB_VBMETA_SYSTEM/' *.mk &>/dev/null || true;
+			awk -i inplace '!/BOARD_AVB_BOOT/' *.mk &>/dev/null || true;
+			awk -i inplace '!/BOARD_AVB_RECOVERY/' *.mk &>/dev/null || true;
+			sed -i 's/vbmeta_system//' *.mk &>/dev/null || true;
+			sed -i '/\/system /{s|avb=vbmeta_system|avb=vbmeta|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+			sed -i '/\/system_ext/{s|avb=vbmeta_system|avb|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+			sed -i '/\/system_ext/{s|avb=vbmeta|avb|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+			sed -i '/\/vendor/{s|avb=vbmeta_system|avb|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+			sed -i '/\/vendor/{s|avb=vbmeta|avb|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+		fi;
 		echo "Enabled AVB for $1";
 		cd "$DOS_BUILD_BASE";
 	fi;