| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add call to __android_log_pmsg_file_write for recovery logging.
- Add call to refresh pmsg if we reboot back into recovery and then
allow overwrite of those logs.
- Add a new one-time executable recovery-refresh that refreshes pmsg
in post-fs phase of init. We rely on pmsg eventually scrolling off
to age the content after recovery-persist has done its job.
- Add a new one-time executable recovery-persist that transfers from
pmsg to /data/misc/recovery/ directory if /cache is not mounted
in post-fs-data phase of init.
- Build and appropriately trigger the above two as required if
BOARD_CACHEIMAGE_PARTITION_SIZE is undefined.
- Add some simple unit tests
NB: Test failure is expected on systems that do not deliver either
the recovery-persist or recovery-refresh executables, e.g. systems
with /cache. Tests also require a timely reboot sequence of test
to truly verify, tests provide guidance on stderr to direct.
Bug: 27176738
Change-Id: I17bb95980234984f6b2087fd5941b0a3126b706b
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If two libraries both use LOCAL_WHOLE_STATIC_LIBRARIES and include a same
library, there would be linking errors when generating a shared library
(or executable) that depends on the two libraries both.
Also clean up Android.mk files.
Remove the "LOCAL_MODULE_TAGS := eng" line for the updater module. The
module will then default to "optional" which won't be built until needed.
Change-Id: I3ec227109b8aa744b7568e7f82f575aae3fe0e6f
|
|
|
|
|
|
| |
Bug: 26879394
Change-Id: I63dce5bc50c2e104129f1bcab7d3cad5682bf45d
|
|
|
|
|
|
| |
Bug: 25951086
Change-Id: I31c74c735eb7a975b7f41fe2b2eff042e5699c0c
(cherry-picked from commit f1fc48c6e62cfee42d25ad12f443e22d50c15d0b)
|
|
|
|
|
| |
Bug: 26962907
Change-Id: I5f80636af1740badeff7d08193f08e23f4e4fee1
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
update_verifier checks the integrity of the updated system and vendor
partitions on the first boot post an A/B OTA update. It marks the
current slot as having booted successfully if it passes the verification.
This CL doesn't perform any actual verification work which will be
addressed in follow-up CLs.
Bug: 26039641
Change-Id: Ia5504ed25b799b48b5886c2fc68073a360127f42
(cherry picked from commit 1171d3a12b13ca3f1d4301985cf068076e55ae26)
|
|\
| |
| |
| |
| |
| |
| | |
am: a412198699
* commit 'a4121986990d7dde7918252a96d87e4c3c11c13c':
recovery: Depend on mkfs.f2fs only if needed.
|
| |
| |
| |
| |
| |
| | |
Don't build mkfs.f2fs unless device defines TARGET_USERIMAGES_USE_F2FS.
Change-Id: Ifac592c30315bbe7590c8fbf3a0844e6a7a31a1a
|
| |
| |
| |
| | |
Change-Id: I68770ad1a9e99caee292f8010cfd37dfea3acc64
|
|\ \
| | |
| | |
| | |
| | | |
* commit '337db14f274fc73dd540aa71d2c21c431fe686ec':
recovery: Factor out wear_ui.{cpp,h} into bootable/recovery.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Every watch has a (mostly identical) copy of the wear_ui. Factor them
out into a single copy for easier maintenance. Device-specific settings
should be defined in recovery_ui.cpp that inherits WearRecoveryUI class.
Bug: 22451422
Change-Id: Id07efca37d1b1d330e6327506c7b73ccf6ae9241
|
| |/
|/|
| |
| |
| | |
Change-Id: Id50c3e6febd0ab61f10a654b9b265cf21a2d1701
(cherry picked from commit 71dc365f25676cfb3f62dbb7163697a8c3c5243d)
|
| |
| |
| |
| |
| |
| | |
And a few trival fixes to suppress warnings.
Change-Id: I38734b5f4434643e85feab25f4807b46a45d8d65
|
|/
|
|
|
|
|
|
| |
These are already getting libc++, so it isn't necessary. If any of the
other static libraries (such as adb) use new or delete from libc++,
there will be symbol collisions.
Change-Id: I55e43ec60006d3c2403122fa1174bde06f18e09f
|
|
|
|
|
|
|
|
|
|
|
| |
This makes it easier for us to deal with arbitrary information at the
top, and means that headers added by specific commands don't overwrite
the default ones.
Add the fingerprint back, but broken up so it fits even on sprout's
display.
Change-Id: Id71da79ab1aa455a611d72756a3100a97ceb4c1c
|
|
|
|
|
|
|
| |
Everyone's adding secret key combinations for this anyway, and it's
very useful when debugging.
Change-Id: Iad549452b872a7af963dd649f283ebcd3ea24234
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current abstract class was a nice idea but has led to a lot of
copy & paste in practice. Right now, no one we know of has any extra
menu items, so let's make the default menu available to everyone.
(If we assume that someone somewhere really does need custom
device-specific menu options, a better API would let them add to
our menu rather than replacing it.)
Change-Id: I59f6a92f3ecd830c2ce78ce9da19eaaf472c5dfa
|
|
|
|
|
|
|
|
| |
This eliminated the previous hack, that doesn't work reliably with the
"LOCAL_REQUIRED_MODULES := mkfs.f2fs".
Bug: 19666886
Change-Id: I1f0a2d41129f402c0165f3b86b6fda077291f282
|
|
|
|
|
|
|
|
| |
I think everything left now is here to stay (services.c might get
massaged in to libadbd if it gets refactored).
Bug: 17626262
Change-Id: I01faf8b277a601a40e3a0f4c3b8206c97f1d2ce6
|
|
|
|
|
|
|
| |
adb.h has diverged a bit, so that one will be more involved, but these
three are all trivial, unimportant changes.
Change-Id: Ief8474c1c2927d7e955adf04f887c76ab37077a6
|
|
|
|
|
| |
Bug: 17626262
Change-Id: If41031ba20a3a75fa510f155c654a482b47e409d
|
|\ |
|
| |
| |
| |
| |
| |
| | |
The cryptfs.h files is always included, but its path is only included when TARGET_USERIMAGES_USE_EXT4 is defined.
Change-Id: Iec6aa4601a56a1feac456a21a53a08557dc1d00d
|
|\ \ |
|
| |/
| |
| |
| |
| | |
Bug: 17626262
Change-Id: I8ce7cff2b7789f39f35a4211d7120d072c05a863
|
|/
|
|
|
|
|
|
| |
This include path was needed because system/vold/cryptfs.h included an
OpenSSL header just to get the length of a SHA-256 hash. This has been
fixed in https://android-review.googlesource.com/#/c/124477/1.
Change-Id: I06a8ba0ee5b9efcc3260598f07d9819f065711de
|
|
|
|
|
|
|
|
|
| |
Make a fuse filesystem that sits on top of the selected package file
on the sdcard, so we can verify that the file contents don't change
while being read and avoid copying the file to /tmp (that is, RAM)
before verifying and installing it.
Change-Id: Ifd982aa68bfe469eda5f839042648654bf7386a1
|
|
|
|
|
|
|
|
|
| |
Split the adb-specific portions (fetching a block from the adb host
and closing the connections) out from the rest of the FUSE filesystem
code, so that we can reuse the fuse stuff for installing off sdcards
as well.
Change-Id: I0ba385fd35999c5f5cad27842bc82024a264dd14
|
|
|
|
|
|
| |
Instead of LOCAL_ADDITIONAL_DEPENDENCIES.
Bug: 15702524
Change-Id: Ic152ae60354bf09eccdb9a85dcd04f0f076a6422
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds F2FS support
- for wiping a device
- for the install "format" command.
Note: crypto data in "footer" with a default/negative length
is not supported, unlike with "ext4".
Change-Id: I8d141a0d4d14df9fe84d3b131484e9696fcd8870
Signed-off-by: JP Abgrall <jpa@google.com>
|
|\ |
|
| |
| |
| |
| |
| |
| | |
cryptfs.h now includes sha header from libcrypto folder
Change-Id: Icd02c88971aedf96040c3bd9ca759e531546023b
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recovery now draws directly to the framebuffer by rolling its own
graphics code, rather than depending on libpixelflinger.
The recovery UI is modified slightly to eliminate operations that are
slow with the software implementation: when the text display / menu is
turned on, it now appears on a black background instead of a dimmed
version of the recovery icon.
There's probably substantial room for optimization of the graphics
operations.
Bug: 12131110
Change-Id: Iab6520e0a7aaec39e2ce39377c10aef82ae0c595
|
|
|
|
| |
Change-Id: I1541534ee6978ddf8d548433986679ce9507d508
|
|
|
|
|
|
|
|
| |
Older versions of android supported an ASLR system where binaries were
randomly twiddled at OTA install time. Remove support for this; we
now use the ASLR support in the linux kernel.
Change-Id: I8348eb0d6424692668dc1a00e2416fbef6c158a2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
uncrypt can read a file on an encrypted filesystem and rewrite it to
the same blocks on the underlying (unencrypted) block device. This
destroys the contents of the file as far as the encrypted filesystem
is concerned, but allows the data to be read without the encryption
key if you know which blocks of the raw device to access. uncrypt
produces a "block map" file which lists the blocks that contain the file.
For unencrypted filesystem, uncrypt will produce the block map without
touching the data.
Bug: 12188746
Change-Id: Ib7259b9e14dac8af406796b429d58378a00c7c63
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes minzip and recovery's file signature verification to work on
memory regions, rather than files.
For packages which are regular files, install.cpp now mmap()s them
into memory and then passes the mapped memory to the verifier and to
the minzip library.
Support for files which are raw block maps (which will be used when we
have packages written to encrypted data partitions) is present but
largely untested so far.
Bug: 12188746
Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
|
|
|
|
|
|
|
|
|
| |
This assumes that the metadata is correctly defined in fstab.
Which apparently some devices don't do.
Bug: 8766487
Bug: 12112624
Change-Id: I1b14b9d4c888e9348527984be3dce04bdd9f4de0
|
|\
| |
| |
| |
| | |
* commit 'fc7eab961f9dc85ee88e8c37ca1dc31a7f7b8331':
Add support for ECDSA signatures
|
| |
| |
| |
| |
| |
| |
| |
| | |
This adds support for key version 5 which is an EC key using the NIST
P-256 curve parameters. OTAs may be signed with these keys using the
ECDSA signature algorithm with SHA-256.
Change-Id: Id88672a3deb70681c78d5ea0d739e10f839e4567
|
|/
|
|
|
|
|
| |
Also provide a default implementation of CheckKey that's reasonable
for many devices (those that have power and volume keys).
Change-Id: Icf6c7746ebd866152d402059dbd27fd16bd51ff8
|
|
|
|
|
| |
Bug: 8580410
Change-Id: Ie60dade81c06589cb0daee431611ded34adef8e6
|
|
|
|
|
|
|
| |
Instead of reading it's own fstab, have recovery invoke
fs_mgr to read the unified fstab.
Change-Id: I80c75d2c53b809ac60a4a69f0ef7ebfa707c39e9
|
|\
| |
| |
| | |
Change-Id: I861e3a6aa07c448909b2ae54618bba178bd6e457
|
| |
| |
| |
| | |
Change-Id: Ia96201f20f7838d7d9e8926208977d3f8318ced4
|
|/
|
|
| |
Change-Id: I0bdc2df5ef358813587f613a1b50eaa850e95782
|
|
|
|
| |
Change-Id: I664f8dc7939f8f902e4775eaaf6476fcd4ab8ed2
|
|
|
|
| |
Change-Id: I4154db066865d6031caa3c2c3b94064b2f28076e
|
|
|
|
|
|
| |
libext4_utils requires libsparse, link against it as well.
Change-Id: I4d6aec0e5edcf1ed42118b7b77adcded2858d3dd
|
|\
| |
| |
| | |
Change-Id: I2e8298ff5988a96754f56f80a5186c9605ad9928
|
| |
| |
| |
| |
| |
| |
| | |
Extend minzip, recovery, and updater to set the security context on
files based on the file_contexts configuration included in the package.
Change-Id: Ied379f266a16c64f2b4dca15dc39b98fcce16f29
|
| |
| |
| |
| |
| |
| |
| | |
libext4_utils now calls libselinux in order to determine the
file security context to set on files when creating ext4 images.
Change-Id: I09fb9d563d22ee106bf100eacd4cd9c6300b1152
|
| |
| |
| |
| | |
Change-Id: I082995c338feaf5d11288300768624cd51b027a4
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Rather than depending on the existence of some place to store a file
that is accessible to users on an an unbootable device (eg, a physical
sdcard, external USB drive, etc.), add support for sideloading
packages sent to the device with adb.
This change adds a "minimal adbd" which supports nothing but receiving
a package over adb (with the "adb sideload" command) and storing it to
a fixed filename in the /tmp ramdisk, from where it can be verified
and sideloaded in the usual way. This should be leave available even
on locked user-build devices.
The user can select "apply package from ADB" from the recovery menu,
which starts minimal-adb mode (shutting down any real adbd that may be
running). Once minimal-adb has received a package it exits
(restarting real adbd if appropriate) and then verification and
installation of the received package proceeds.
Change-Id: I6fe13161ca064a98d06fa32104e1f432826582f5
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Move the key for handling keys from ScreenRecoveryUI to RecoveryUI, so
it can be used by devices without screens. Remove the UIParameters
struct and replace it with some new member variables in
ScreenRecoveryUI.
Change-Id: I70094ecbc4acbf76ce44d5b5ec2036c36bdc3414
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Replace the device-specific functions with a class. Move some of the
key handling (for log visibility toggling and rebooting) into the UI
class. Fix up the key handling so there is less crosstalk between the
immediate keys and the queued keys (an increasing annoyance on
button-limited devices).
Change-Id: I698f6fd21c67a1e55429312a0484b6c393cad46f
|
| |
| |
| |
| | |
Change-Id: I61f249861b27180225fb786901275d2da611531b
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Move all the functions in ui.c to be members of a ScreenRecoveryUI
class, which is a subclass of an abstract RecoveryUI class. Recovery
then creates a global singleton instance of this class and then invoke
the methods to drive the UI. We use this to allow substitution of a
different RecoveryUI implementation for devices with radically
different form factors (eg, that don't have a screen).
Change-Id: I76bdd34eca506149f4cc07685df6a4890473f3d9
|
|/
|
|
| |
Change-Id: I423a23581048d451d53eef46e5f5eac485b77555
|
|
|
|
|
|
| |
Bug: 5010576
Change-Id: Ib465fdb42c8621899bea15c04a427d7ab1641a8c
|
|
|
|
| |
Change-Id: Iada6268b0a72ee832113ea397334cc7950a37051
|
|
|
|
|
|
|
| |
This was never used; encrypted filesystems are being done a different
way now.
Change-Id: I519c57b9be44d001f0b81516af7bfc252069892b
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the wacky notion of "roots" and "root paths" (those things that
look like "FOO:some/path" instead of just "/foo/some/path"). Let each
device specify its own table of available partitions and how to mount
them (needed for devices that use both MTD/yaffs2 and EMMC/ext4
partitions).
(Cherrypicked from gingerbread w/slight edits.)
Change-Id: I2479ce76b13e73f1d12035c89386c3a82b3edf51
|
|
|
|
|
|
|
|
|
|
| |
Separate files for retouch functionality are in minelf/*
ASLR for shared libraries is controlled by "-a" in ota_from_target_files.
Binary files are self-contained. Retouch logic can recover from crashes.
Signed-off-by: Hristo Bojinov <hristo@google.com>
Change-Id: I76c596abf4febd68c14f9d807ac62e8751e0b1bd
|
|
|
|
| |
Change-Id: I827af624c9ec7c64decb702de8c0310cf19b4141
|
|
|
|
| |
Change-Id: I932f73a6f937aac061128e1134eab08c30f0471d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Move applypatch to this package (from build).
- Add a rudimentary type system to edify: instead of just returning a
char*, functions now return a Value*, which is a struct that can
carry different types of value (currently just STRING and BLOB).
Convert all functions to this new scheme.
- Change the one-argument form of package_extract_file to return a
Value of the new BLOB type.
- Add read_file() to load a local file and return a blob, and
sha1_check() to test a blob (or string) against a set of possible
sha1s. read_file() uses the file-loading code from applypatch so it
can read MTD partitions as well.
This is the start of better integration between applypatch and the
rest of edify.
b/2361316 - VZW Issue PP628: Continuous reset to Droid logo:
framework-res.apk update failed (CR LIBtt59130)
Change-Id: Ibd038074749a4d515de1f115c498c6c589ee91e5
|
|
|
|
|
|
|
|
|
| |
Remove support for the HTC-specific "firmware" update command and the
corresponding edify function write_firmware_update(). This
functionality is now done by an edify extension library that lives in
vendor/htc.
Change-Id: I80858951ff10ed8dfff98aefb796bef009e05efb
|
|\
| |
| |
| |
| |
| |
| | |
Merge commit '9b430e11d6c4fb907d0aa96667142e2c00585e09'
* commit '9b430e11d6c4fb907d0aa96667142e2c00585e09':
add a simple unit test for the OTA package verifier
|
| | |
|
|/
|
|
| |
This change enables/disables the Encrypted file systems feature. It reads some properties form the data partition, wipes the partition out, and then rewrites the proper properties again into the data partition to signal that encrypted FS are enabled.
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Yank all the code to install OTA packages out of the recovery binary
itself. Now packages are installed by a binary included in the
package (run as a child of recovery), so we can make improvements in
the installation process without waiting for a new release to use
them.
|
|\| |
|
| |
| |
| |
| |
| |
| |
| |
| | |
To do a firmware-install-on-reboot, the update binary tells recovery
what file to install before rebooting. Let this file be specified as
"PACKAGE:<foo>" to indicate taking the file out of the OTA package,
avoiding an extra copy to /tmp. Bump the API version number to
reflect this change.
|
| | |
|
|\|
| |
| |
| |
| |
| |
| | |
Merge commit '9931f7f3c1288171319e9ff7d053ebaad07db720'
* commit '9931f7f3c1288171319e9ff7d053ebaad07db720':
edify extensions for OTA package installation, part 1
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Adds the following edify functions:
mount unmount format show_progress delete delete_recursive
package_extract symlink set_perm set_perm_recursive
This set is enough to extract and install the system part of a (full)
OTA package.
Adds the updater binary that extracts an edify script from the OTA
package and then executes it. Minor changes to the edify core (adds a
sleep() builtin for debugging, adds "." to the set of characters that
can appear in an unquoted string).
|
| |
| |
| |
| |
| |
| |
| | |
them from an external file in the recovery image. Use the
test-keys for all builds.
Automated import of CL 144130
|
| |
| |
| |
| |
| |
| | |
about 60k from the recovery and system images.
Automated import of CL 143128
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Take some device-specific details of the recovery UI (eg, what keys to
press to bring up the interface and perform actions, exact text of the
menu, etc.) and split them out into separate C functions. Arrange to
take implementations of those functions from the appropriate vendor
directory at build time. Provide a default implementation in case no
vendor-specific one is available.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
them from an external file in the recovery image. Use the
test-keys for all builds.
Original author: dougz
Merged from: //branches/donutburger/...
Automated import of CL 144132
|
|/
|
|
|
|
|
|
| |
about 60k from the recovery and system images.
Original author: dougz
Merged from: //branches/donutburger/...
Automated import of CL 143289
|
| |
|
| |
|
| |
|
|
|