summaryrefslogtreecommitdiffstats
path: root/install.cpp (unfollow)
Commit message (Collapse)AuthorFilesLines
2017-04-24librecovery: Remove -Wno-unused-parameter and add -Wall.Tao Bao1-1/+1
Test: mmma bootable/recovery Change-Id: I5598d32bebb9dbda4a183a1502e0b7dc4918392e
2017-04-20Call libvintf to verify package compatibility.Tao Bao1-5/+10
The libvintf API has landed. Hook up to do the actual verification. Bug: 36597505 Test: recovery_component_test Test: m recoveryimage; adb sideload on angler and sailfish, with packages that contain dummy compatibility entries. Test: m recoveryimage; adb sideload on angler and sailfish, with packages that don't contain any compatibility entries. Change-Id: Idbd6f5aaef605ca51b20e667505d686de5ac781f (cherry picked from commit da320ac6ab53395ddff3cc08b88a61f977ed939a)
2017-04-19Add tests for read_metadata_from_package().Tao Bao1-43/+39
Test: recovery_component_test Change-Id: I672a6a4f101c72e82b9f25f165dccd1c9520627b
2017-04-19Minor clean up to install.cpp.Tao Bao1-66/+61
- Move some macros / constants into functions; - Remove unneeded #include "minui/minui.h"; - Remove two dead constants (DEFAULT_{FILES,IMAGES}_PROGRESS_FRACTION). Test: mmma bootable/recovery Change-Id: Ib808f14b7569e06e23a8a7cc9b2d4e9aa5469de1
2017-04-18Add tests for update_binary_command().Tao Bao1-82/+80
Expose update_binary_command() through private/install.h for testing purpose. Also make minor clean-ups to install.cpp: a) adding more verbose logging on ExtractToMemory failures; b) update_binary_command() taking std::string instead of const char*; c) moving a few macro and global constants into update_binary_command(). Bug: 37300957 Test: recovery_component_test on marlin Test: Build new recovery and adb sideload on angler and sailfish. Change-Id: Ib2d9068af3fee038f01c90940ccaeb0a7da374fc
2017-04-18Fix the double free in verify_package_compatibility().Tao Bao1-1/+0
""" void* cookie; std::unique_ptr<void, decltype(&EndIteration)> guard(cookie, EndIteration); ... EndIteration(cookie); """ The above pattern is buggy that frees 'cookie' twice. Bug: 37413730 Test: Build new recovery and adb sideload a previously crashed package that contains 'compatibility.zip'. Change-Id: I183c33827fb28a438ebaedda446e84cabe7cb92d (cherry picked from commit f978278995d02a58e311fe017bdbb2c3702dd3bc)
2017-04-13Verify the package compatibility with libvintf.Tao Bao1-0/+73
verify_package_compatibility() is added to parse the compatibility entry (compatibility.zip) in a given OTA package. If entry is present, the information is sent to libvintf to check the compatibility. This CL doesn't actually call libvintf, since the API there is not available yet. Bug: 36597505 Test: Doesn't break the install with existing packages (i.e. w/o the compatibility entry). Test: recovery_component_test Change-Id: I3903ffa5f6ba33a5c0d761602ade6290c6752596 (cherry picked from commit 62e0bc7586077b3bde82759fb34b51b982cea20f)
2017-03-28Log temperature during OTA updateTianjie Xu1-5/+47
Log the maximum temperature as well as the start/end temperature of an update to last_install. Check the temperature at the end of each block_image_update(verify). To get the maximum temp, we iterate through /sys/class/thermal/thermal_zone*/temp and find the maximum value present. Bug: 32518487 Test: temperature logs in last_install Change-Id: Iaf22a9fbc5b18611bbc5320ffea995417872e514
2017-03-27Skip logging the warning for uncrypt_status for devices w/o /cacheTianjie Xu1-5/+9
This warning may cause confusion for users. Bug: 36590598 Test: Warning line no longer shows for sailfish. Change-Id: I277c87a50a72fdb499be790ee25b97f815d980be (cherry picked from commit bcb5b18630f518835a0768535b43ccfe91683fc9)
2017-03-26Skip logging the warning for uncrypt_status for devices w/o /cacheTianjie Xu1-5/+9
This warning may cause confusion for users. Bug: 36590598 Test: Warning line no longer shows for sailfish. Change-Id: I277c87a50a72fdb499be790ee25b97f815d980be Merged-In: I277c87a50a72fdb499be790ee25b97f815d980be
2017-03-26Skip logging the warning for uncrypt_status for devices w/o /cacheTianjie Xu1-5/+9
This warning may cause confusion for users. Bug: 36590598 Test: Warning line no longer shows for sailfish. Change-Id: I277c87a50a72fdb499be790ee25b97f815d980be (cherry picked from commit bcb5b18630f518835a0768535b43ccfe91683fc9)
2017-03-21verify_file: Add constness to a few addresses.Tao Bao1-1/+1
We should not touch any data while verifying packages (or parsing the in-memory ASN.1 structures). Test: mmma bootable/recovery Test: recovery_component_test passes. Test: recovery_unit_test passes. Change-Id: Ie990662c6451ec066a1807b3081c9296afbdb0bf
2017-03-17Drop the dependency on 'ui' in verify_file().Tao Bao1-19/+21
verify_file() has a dependency on the global variable of 'ui' for posting the verification progress, which requires the users of libverifier to provide a UI instance. This CL adds an optional argument to verify_file() so that it can post the progress through the provided callback function. As a result, we can drop the MockUI class in verifier_test.cpp. Test: recovery_component_test passes. Test: verify_file() posts progress update when installing an OTA. Change-Id: I8b87d0f0d99777ea755d33d6dbbe2b6d44243bf1
2017-02-03Replace _exit(-1) with _exit(EXIT_FAILURE).Tao Bao1-1/+1
-1 is not a valid exit status. Also replace a few exit(1) with exit(EXIT_FAILURE). Test: mmma bootable/recovery Change-Id: I4596c8328b770bf95acccc06a4401bd5cabd4bfd
2017-02-03Avoid to call UI functions in child processTianjie Xu1-1/+5
ui_print uses a mutex to protect the critical section. And a forked child process may intialize the mutex inappropriatly, which leads to a hanging child process. So we shall avoid to call the UI functions in child process. Bug: 34769056 Test: fake ota on fugu failed as expected due to updater format mismatch. Change-Id: I81bc942a796878fac19cf712512092c2b0d807c9
2017-01-22Print with newline for ui_print.Tao Bao1-5/+1
Currently the ui_print command between the recovery and updater doesn't append newline. Updater has to send an extra "ui_print" command without any argument to get the line break. This looks unnecessary. And not all the callers (including the ones in bootable/recovery) are following this protocol when sending the ui_print command. This CL simplifies the protocol to always print with a newline for ui_print command. When updating from an old recovery with the new updater, all the ui_print'd strings would appear in one line as a side effect. But a) it would only affect the text-mode UI, which won't be shown to users; b) log files won't be affected. Bug: 32305035 Test: Apply an update with the new updater on top of an old and new recovery image respectively. Change-Id: I305a0ffc6f180daf60919cf99d24d1495d68749b
2017-01-13recovery: Move property_get() to android::base::GetProperty().Tao Bao1-68/+66
Test: Apply two A/B incremental OTAs with the new recovery image. The one with incorrect pre-build should be blocked, while the other works fine. Change-Id: I94d97eb8798599da1630f66343fb603e87464187
2017-01-06recovery: Clean up try_update_binary() in install.cpp.Tao Bao1-145/+166
Move functions over to android::base versions. - strtok(3) => android::base::Split() - strtol(3) => android::base::ParseInt() - strtof(3) => android::base::ParseDouble() Test: Build recovery image and apply a package that calls ui_print / progress / set_progress commands. Change-Id: I953b4985e0bd9e277362ae53e233d755cf27d80c
2016-12-14Remove the obsolete comments for firmware update.Tao Bao1-9/+0
The corresponding code was removed in commit e08991e02a7d678f2574e85289a34b2a9a537c82 in 2010 (Froyo). Test: N/A Change-Id: I2b296e1b07d54232bade79fda7501387d65a4c37
2016-11-21Fail gracefully when we fail to fork the update binaryMatthew Bouyack1-0/+8
This change was original made in cw-f-dev but caused failures in nyc-mr1-dev-plus-aosp due to lack of support for 'LOGE' This version of the change uses the new 'LOG(ERROR)' style logging instead. See bug b/31395655 Test: attempt a memory intensive incremental OTA on a low-memory device Change-Id: Ia87d989a66b0ce3f48e862abf9b9d6943f70e554 (cherry picked from commit c8db4817809e163d887f7955a03ad0f97159f12b)
2016-11-20Call update_engine_sideload from recovery.Alex Deymo1-15/+178
This patch enables sideloading an OTA on A/B devices while running from recovery. Recovery accepts the same OTA package format as recent versions of GMS, which consists of .zip file with the payload in it. Bug: 27178350 TEST=`adb sideload` successfully a full OTA (*) TEST=Failed to take several invalid payloads (wrong product, fingerprint, update type, serial, etc). <small>(*) with no postinstall script.</small> Change-Id: I951869340100feb5a37e41fac0ee59c10095659e (cherry picked from commit 4344d636d4f8687054593f88ddd7509ff8581419)
2016-11-03Revert "Revert "Some cleanups to recovery.""Tao Bao1-2/+0
This reverts commit 8584fcf677dd45b30121bd0490b06297e6be1871. This CL re-lands commit c0319b60f56d445c2d1c74f551e01f069b028fe6. The "stage" and "reason" variables are now declared as global by dropping the static qualifier, because they may be used by vendor recovery libraries. Test: lunch aosp_angler-userdebug; mmma bootable/recovery Test: lunch aosp_dragon-userdebug; mmma bootable/recovery Change-Id: I252c346f450079478cff22bbff01590b8ab2e2b3
2016-10-27Revert "Some cleanups to recovery."Dan Albert1-0/+2
This reverts commit c0319b60f56d445c2d1c74f551e01f069b028fe6. Reason for revert: Broke builds. Change-Id: I82aa880b83de5ae6c36fd7567cb001920559a972
2016-10-26Some cleanups to recovery.Tao Bao1-2/+0
- Remove the duplicate gCurrentUI variable in recovery.cpp; - Refactor the load/save of locale functions; - Clean up ui_print() to get rid of 256-byte buffer limit; - Declare ui in common.h; - Move the typedef of Volume into roots.h. Test: Build and boot into recovery image. Change-Id: Ia28c116858ca754133127a5ff9c722af67ad55b7
2016-10-19Verify wipe package when wiping A/B device in recovery.Yabin Cui1-25/+41
To increase the security of wiping A/B devices, let uncrypt write wipe package in misc partition. Then recovery verifies the wipe package before wiping the device. Based on the original cherrypick, this CL also has additional changes to address the LOG statements and libziparchive changes. Bug: 29159185 Test: Build and boot into recovery. Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168 (cherry picked from commit 6faf0265c9b58db2c15b53f6d29025629d52f882)
2016-10-18Replace minzip with libziparchiveTianjie Xu1-22/+23
Clean up the duplicated codes that handle the zip files in bootable/recovery; and rename the library of the remaining utility functions to libotautil. Test: Update package installed successfully on angler. Bug: 19472796 Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e
2016-10-14Fix the prefix matching for uncrypt status.Tao Bao1-1/+1
Also change its logging statement from PLOG to LOG, since android::base::StartsWith() doesn't set errno. Test: Build and reboot into recovery image. Check last_log. Change-Id: I55ac7eec24228db76a13580958b4a4330b06cf57 (cherry picked from commit ee9b95544a7af548e98f2b7a080e2eb7abaaf981) (cherry picked from commit e30a5b3a44c6c2134750e28a88efd5876a28bfac)
2016-10-14Fix the prefix matching for uncrypt status.Tao Bao1-2/+2
Also change its logging statement from PLOG to LOG, since android::base::StartsWith() doesn't set errno. Test: Build and reboot into recovery image. Check last_log. Change-Id: I55ac7eec24228db76a13580958b4a4330b06cf57
2016-09-29Report uncrypt errors in detailsTianjie Xu1-1/+1
Add the error codes for uncrypt and report the failure details in uncrypt_status. Test: uncrypt_error logs correctly in last_install Bug: 31603820 Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5 (cherry picked from commit 0c68675f5ae80cd669e0bf014a69689b6fe08eee)
2016-09-29DO NOT MERGE Report uncrypt errors in detailsTianjie Xu1-1/+1
Add the error codes for uncrypt and report the failure details in uncrypt_status. Test: uncrypt_error logs correctly in last_install Bug: 31603820 Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5 (cherry picked from commit da44cf18f3ce4bbffa85ad0a50bb25e9cb54a86d)
2016-09-27Report uncrypt errors in detailsTianjie Xu1-1/+1
Add the error codes for uncrypt and report the failure details in uncrypt_status. Test: uncrypt_error logs correctly in last_install Bug: 31603820 Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
2016-09-27DO NOT MERGE Duplicate the last_install content into last_log.Tao Bao1-31/+30
Currently we save the OTA metrics in last_install, which keeps the data for the _last_ install only. This CL logs the same content into last_log so that we keep the metrics for every install. Bug: 31607469 Test: Apply an update (via OTA and sideload) and check last_log and last_install. Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c (cherry picked from commit f4885adc189f246ac3c651aa5cb2e74a240f3f1e)
2016-09-26Duplicate the last_install content into last_log.Tao Bao1-30/+30
Currently we save the OTA metrics in last_install, which keeps the data for the _last_ install only. This CL logs the same content into last_log so that we keep the metrics for every install. Bug: 31607469 Test: Apply an update (via OTA and sideload) and check last_log and last_install. Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c (cherry picked from commit f4885adc189f246ac3c651aa5cb2e74a240f3f1e)
2016-09-26Duplicate the last_install content into last_log.Tao Bao1-30/+30
Currently we save the OTA metrics in last_install, which keeps the data for the _last_ install only. This CL logs the same content into last_log so that we keep the metrics for every install. Bug: 31607469 Test: Apply an update (via OTA and sideload) and check last_log and last_install. Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c
2016-09-21Fail gracefully when we fail to fork the update binaryMatthew Bouyack1-0/+8
This change was original made in cw-f-dev but caused failures in nyc-mr1-dev-plus-aosp due to lack of support for 'LOGE' This version of the change uses the new 'LOG(ERROR)' style logging instead. See bug b/31395655 Test: attempt a memory intensive incremental OTA on a low-memory device Change-Id: Ia87d989a66b0ce3f48e862abf9b9d6943f70e554
2016-09-21Revert "DO NOT MERGE Fail gracefully when we fail to fork the update binary am: de1b53d067"Matthew Bouyack1-8/+0
This reverts commit 78563fdf78861884f300a6a874d2a0306f1eb002. Change-Id: I1ea4956a9843130aa41f2f7bc011c72e64fd7b62
2016-09-20DO NOT MERGE Fail gracefully when we fail to fork the update binaryMatthew Bouyack1-0/+8
See bug b/31395655 Change-Id: Ic5a046bc80ea88d7eb52755838bdbf4e1e47da50
2016-09-13Check corruption when reading uncrypt_status fileTianjie Xu1-0/+2
Bug: 31383361 Change-Id: I0de920916da213528d73b742e4823b4a98c63ea1 (cherry picked from commit 1c1864f321b129c81883ed527b1da8c69661e51f)
2016-09-13Check corruption when reading uncrypt_status fileTianjie Xu1-0/+2
Bug: 31383361 Change-Id: I0de920916da213528d73b742e4823b4a98c63ea1
2016-09-13save uncrypt status to last_installTianjie Xu1-0/+13
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery reads the file and saves its contents to last_install. Bug: 31383361 Test: Tested on angler and uncrypt_time reports correctly. (cherry picked from commit fe16b5ccaf80f6e04d5b722c37c1abd70457ad28) Change-Id: Id69681a35c7eb2f0eb21b48e3616dcda82ce41b8
2016-09-13save uncrypt status to last_installTianjie Xu1-1/+13
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery reads the file and saves its contents to last_install. Bug: 31383361 Test: Tested on angler and uncrypt_time reports correctly. Change-Id: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833 Merged-In: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
2016-09-02Fix a typo of variable name in install.cppTianjie Xu1-6/+6
Change-Id: I42057bc2fb5096ce009fe6e4b787bc9082cd572f
2016-09-01Switch recovery to libbase loggingTianjie Xu1-33/+30
Clean up the recovery image and switch to libbase logging. Bug: 28191554 Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35 (cherry picked from commit 747781433fb01f745529c7e9dd97c5599070ad0d)
2016-09-01Switch recovery to libbase loggingTianjie Xu1-15/+17
Clean up the recovery image and switch to libbase logging. Bug: 28191554 Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35 Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
2016-08-26Fix clang-tidy warnings in bootable/recovery.Chih-Hung Hsieh1-2/+2
* Use const reference type for read-only parameters. Bug: 30407689 * Use faster overloaded string find function. Bug: 30411878 * Add parentheses around macro parameters. Bug: 28705665 Test: build with WITH_TIDY=1 Change-Id: I4e8e5748bfa4ae89871f1fb5fa4624d372530d75
2016-08-18Free mmaped area if keys fail to loadWiZarD1-0/+1
Keys for package verification is loaded after the update package is mmaped into memory. This mmaped area needs to be freed when exiting the function. Another approach would be to mmap after loading the keys. Change-Id: Ib77711a8acd5c363b5517da12dc311fb8f9f4605 Signed-off-by: WiZarD <WiZarD.Devel@gmail.com>
2016-08-12Add inttypes.h for PRIu64.Alex Deymo1-0/+1
This missing header is needed to use PRIu64 macros. Bug: 27178350 TEST=`mma bootable/recovery` on the failing branch. Change-Id: I165701e8019256426d3f6a4168db52c6a0197c4d
2016-08-12Add inttypes.h for PRIu64.Alex Deymo1-0/+1
This missing header is needed to use PRIu64 macros. Bug: 27178350 TEST=`mma bootable/recovery` on the failing branch. Change-Id: I165701e8019256426d3f6a4168db52c6a0197c4d
2016-08-12Call update_engine_sideload from recovery.Alex Deymo1-18/+181
This patch enables sideloading an OTA on A/B devices while running from recovery. Recovery accepts the same OTA package format as recent versions of GMS, which consists of .zip file with the payload in it. Bug: 27178350 TEST=`adb sideload` successfully a full OTA (*) TEST=Failed to take several invalid payloads (wrong product, fingerprint, update type, serial, etc). <small>(*) with no postinstall script.</small> Change-Id: I951869340100feb5a37e41fac0ee59c10095659e
2016-06-21Verify wipe package when wiping A/B device in recovery.Yabin Cui1-23/+37
To increase the security of wiping A/B devices, let uncrypt write wipe package in misc partition. Then recovery verifies the wipe package before wiping the device. Bug: 29159185 Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
2016-06-10Remove obsolete MTD support.Elliott Hughes1-2/+0
Bug: http://b/29250988 Change-Id: Ia97ba9082a165c37f74d6e1c3f71a367adc59945
2016-06-10Log source/target build version to last_installTianjie Xu1-0/+55
Parse the build.version.incremental from the metadata of the update package; and log it to last_install. Example: In metadata we read: post-build-incremental=2951741 pre-build-incremental=2943039 In last install we log: source_build: 2943039 target_build: 2951741 Bug: 28658632 Change-Id: I0a9cc2d01644846e18bda31f4193ff40e8924486
2016-06-03Call ioctl before each write on retryTianjie Xu1-6/+13
If the update is a retry, ioctl(BLKDISCARD) the destination blocks before writing to these blocks. Bug: 28990135 Change-Id: I1e703808e68ebb1292cd66afd76be8fd6946ee59
2016-05-20Allow recovery to return error codesTianjie Xu1-2/+11
Write error code, cause code, and retry count into last_install. So we can have more information about the reason of a failed OTA. Example of new last_install: @/cache/recovery/block.map package name 0 install result retry: 1 retry count (new) error: 30 error code (new) cause: 12 error cause (new) Details in: go/android-ota-errorcode Bug: 28471955 Change-Id: I00e7153c821e7355c1be81a86c7f228108f3dc37
2016-05-16Add time and I/O info to last_installTianjie Xu1-4/+23
One example of last_install is: /sideload/package.zip 1 time_total: 101 bytes_written_system: 14574000 bytes_stashed_system: 100 bytes_written_vendor: 5107400 bytes_stashed_vendor: 0 Bug: 28658632 Change-Id: I4bf79ea71a609068d38fbce6b41bcb892524aa7a
2016-04-14Use BoringSSL instead of mincrypt to speed up package verification.Elliott Hughes1-8/+9
This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt. Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with merge conflict resolution, extra logging in verifier.cpp, and an increase in the hash chunk size from 4KiB to 1MiB. Bug: http://b/28135231 Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
2016-04-06Convert recovery to use BoringSSL instead of mincrypt.Mattias Nissler1-2/+1
This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt. Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
2016-03-10Reboot and retry on I/O errorsTianjie Xu1-0/+6
When I/O error happens, reboot and retry installation two times before we abort this OTA update. Bug: 25633753 Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69 (cherry picked from commit 3c62b67faf8a25f1dd1c44dc19759c3997fdfd36)
2016-03-03Reboot and retry on I/O errorsTianjie Xu1-0/+6
When I/O error happens, reboot and retry installation two times before we abort this OTA update. Bug: 25633753 Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
2016-02-11Fix some memory leaks.Yabin Cui1-5/+5
Bug: 26906328 Change-Id: Iebaf03db0cb3054f91715f8c849be6087d01b27b
2016-02-03recovery: Refactor verifier and verifier_test.Tao Bao1-7/+6
Move to using std::vector and std::unique_ptr to manage key certificates to stop memory leaks. Bug: 26908001 Change-Id: Ia5f799bc8dcc036a0ffae5eaa8d9f6e09abd031c
2015-06-03Log update outputs in orderTao Bao1-2/+2
Although stdout and stderr are both redirected to log file with no buffering, we are seeing some outputs are mixed in random order. This is because ui_print commands from the updater are passed to the recovery binary via a pipe, which may interleave with other outputs that go to stderr directly. In recovery, adding ui::PrintOnScreenOnly() function to handle ui_print command, which skips printing to stdout. Meanwhile, updater prints the contents to stderr in addition to piping them to recovery. Change-Id: Idda93ea940d2e23a0276bb8ead4aa70a3cb97700
2015-04-11Update the comments for package installer commandsTao Bao1-1/+13
These commands are for the communication between the installer and the update binary (edify interpreter). Update the comments in sync with the codes. Change-Id: I7390f022b1447049a974b0b45697ef1d2e71d4e0
2015-04-08Rotate logs only when there are actual operationsTao Bao1-0/+2
Currently it rotates the log files every time it boots into the recovery mode. We lose useful logs after ten times. This CL changes the rotation condition so that it will rotate only if it performs some actual operations that modify the flash (installs, wipes, sideloads and etc). Bug: 19695622 Change-Id: Ie708ad955ef31aa500b6590c65faa72391705940
2015-03-25Factor out option variables from int to bool typesTao Bao1-5/+5
Change-Id: Ia897aa43e44d115bde6de91789b35723826ace22
2015-01-28Add missing includes.Elliott Hughes1-0/+1
Change-Id: I0737456e0221ebe9cc854d65c95a7d37d0869d56
2014-07-02sideload without holding the whole package in RAMDoug Zongker1-4/+6
Implement a new method of sideloading over ADB that does not require the entire package to be held in RAM (useful for low-RAM devices and devices using block OTA where we'd rather have more RAM available for binary patching). We communicate with the host using a new adb service called "sideload-host", which makes the host act as a server, sending us different parts of the package file on request. We create a FUSE filesystem that creates a virtual file "/sideload/package.zip" that is backed by the ADB connection -- users see a normal file, but when they read from the file we're actually fetching the data from the adb host. This file is then passed to the verification and installation systems like any other. To prevent a malicious adb host implementation from serving different data to the verification and installation phases of sideloading, the FUSE filesystem verifies that the contents of the file don't change between reads -- every time we fetch a block from the host we compare its hash to the previous hash for that block (if it was read before) and cause the read to fail if it changes. One necessary change is that the minadbd started by recovery in sideload mode no longer drops its root privileges (they're needed to mount the FUSE filesystem). We rely on SELinux enforcement to restrict the set of things that can be accessed. Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
2014-05-23disable async reboot during package installationDoug Zongker1-0/+7
The default recovery UI will reboot the device when the power key is pressed 7 times in a row, regardless of what recovery is doing. Disable this feature during package installation, to minimize the chance of corrupting the device due to a mid-install reboot. (Debug packages can explicitly request that the feature be reenabled.) Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
2014-01-16do verification and extraction on memory, not filesDoug Zongker1-7/+23
Changes minzip and recovery's file signature verification to work on memory regions, rather than files. For packages which are regular files, install.cpp now mmap()s them into memory and then passes the mapped memory to the verifier and to the minzip library. Support for files which are raw block maps (which will be used when we have packages written to encrypted data partitions) is present but largely untested so far. Bug: 12188746 Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
2013-11-18Restore default umask after forking for update-binary.Alistair Strachan1-0/+1
A system/core change made in Mar 26 2012 6ebf12f "init: Change umask of forked processes to 077" changed the default umask of services forked from init. Because recovery is forked from init, it has a umask of 077. Therefore when update-binary is forked from recovery, it too has a umask of 077. This umask is overly restrictive and can cause problems for scripts relying on minzip to extract binaries directly into the target filesystem. Any directories updated by minzip will have their permissions reset to r-x------ and created files will have similarly restrictive permissions. As it seems unlikely this security measure was intended to have this side effect on legacy sideloads that do not have chmods to repair the damage done by minzip, this change reverts the umask to 022 in the fork made for update-binary. Change-Id: Ib1a3fc83aa4ecc7480b5d0c00f3c7d0d040d4887
2013-09-25verifier: update to support certificates using SHA-256Doug Zongker1-1/+1
(cherry picked from commit bac7fba02763ae5e78e8e4ba0bea727330ad953e) Change-Id: I01c38d7fea088622a8b0bbf2c833fa2d969417af
2013-08-21recovery: install packages in a known mount environmentDoug Zongker1-5/+10
When installing a package, we should have /tmp and /cache mounted and nothing else. Ensure this is true by explicitly mounting them and unmounting everything else as the first step of every install. Also fix an error in the progress bar that crops up when you do multiple package installs in one instance of recovery. Change-Id: I4837ed707cb419ddd3d9f6188b6355ba1bcfe2b2
2013-07-09recovery: move log output to stdoutDoug Zongker1-0/+1
Recovery currently has a random mix of messages printed to stdout and messages printed to stderr, which can make logs hard to read. Move everything to stdout. Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
2013-04-10verifier: update to support certificates using SHA-256Doug Zongker1-1/+1
Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e
2012-11-02move key loading to verifier codeDoug Zongker1-100/+0
Add an option to verifier_test to load keys from a file, the way the recovery does. Change-Id: Icba0e391164f2c1a9fefeab4b0bcb878e91d17b4
2012-08-23add simple text to recovery UIDoug Zongker1-1/+1
- recovery takes a --locale argument, which will be passed by the main system - the locale is saved in cache, in case the --locale argument is missing (eg, when recovery is started from fastboot) - we include images that have prerendered text for many locales - we split the background states into four (installing update, erasing, no command, error) so that appropriate text can be shown. Change-Id: I731b8108e83d5ccc09a4aacfc1dbf7e86b397aaf
2012-07-25support version 2 (2048-bit e=65537) keys in recoveryDoug Zongker1-1/+25
Change-Id: I9849c69777d513bb12926c8c622d1c12d2da568a
2012-04-12minor recovery changesDoug Zongker1-0/+2
- add the --just_exit option to make recovery exit normally without doing anything - make it possible to build updater extensions in C++ - add the clear_display command so that the updater binary can request recovery switch to the NONE background UI These are all used to support the notion of using OTA as a factory reflash mechanism. Change-Id: Ib00d1cbf540feff38f52a61a2cf198915b48488c
2011-10-31refactor ui functions into a classDoug Zongker1-14/+20
Move all the functions in ui.c to be members of a ScreenRecoveryUI class, which is a subclass of an abstract RecoveryUI class. Recovery then creates a global singleton instance of this class and then invoke the methods to drive the UI. We use this to allow substitution of a different RecoveryUI implementation for devices with radically different form factors (eg, that don't have a screen). Change-Id: I76bdd34eca506149f4cc07685df6a4890473f3d9
2011-10-31turn recovery into a C++ binaryDoug Zongker1-29/+33
Change-Id: I423a23581048d451d53eef46e5f5eac485b77555
2011-10-28turn recovery into a C++ binaryDoug Zongker1-310/+0
Change-Id: I68a67a4c8edec9a74463b3d4766005ce27b51316
2011-10-19allow recovery packages to wipe cacheDoug Zongker1-11/+12
updater now has a function "wipe_cache();" which causes recovery to wipe the cache partition after the successful installation of the package. Move log copying around a bit so logs and the last_install flag file are copied to cache after it's wiped. Bug: 5314244 Change-Id: Id35a9eb6dcd626c8f3a3a0076074f462ed3d44bd
2011-04-12save a last_install file with the result of the last package install attemptDoug Zongker1-2/+24
When installing a package, create /cache/recovery/last_install, which contains the filename of the package and a 1 or 0 for success or failure. Also, don't mount ext4 and vfat filesystems as read-only (on devices where /cache is ext4, we need it to be read-write). Change-Id: I0cf2a1921bbd65e06343aa74e2006577fac77c2c
2010-09-21remove the notion of "root path"; support mixed flash typesDoug Zongker1-11/+4
Remove the wacky notion of "roots" and "root paths" (those things that look like "FOO:some/path" instead of just "/foo/some/path"). Let each device specify its own table of available partitions and how to mount them (needed for devices that use both MTD/yaffs2 and EMMC/ext4 partitions). (Cherrypicked from gingerbread w/slight edits.) Change-Id: I2479ce76b13e73f1d12035c89386c3a82b3edf51
2010-09-21remove the notion of "root path"; support mixed flash types (do not merge)Doug Zongker1-11/+4
Remove the wacky notion of "roots" and "root paths" (those things that look like "FOO:some/path" instead of just "/foo/some/path"). Let each device specify its own table of available partitions and how to mount them (needed for devices that use both MTD/yaffs2 and EMMC/ext4 partitions). Change-Id: I18b0a572a71c5e087e0b7ae11b1774388339bfd1
2010-09-17remove unneeded partition rootsDoug Zongker1-13/+2
Recovery itself no longer needs to access all these partitions; manipulation of them is done by the updater binary. This is a small first step towards removing roots entirely. Change-Id: I3fbcada32079a37db4cc097861dfa91e0a08da30
2010-09-15support for ext4/EMMC filesystems in updater binaryDoug Zongker1-1/+1
Make the mount and format functions take extra parameters describing the filesystem type and add support for mounting and formatting ext4 filesystems on EMMC. Change recovery to consistently use stdout for status messages instead of mixing stdout and stderr.
2010-09-15close update package before installing; allow remountDoug Zongker1-1/+3
Close the update package before invoking the binary, to allow the installer to unmount /cache if it wants to. Add a function to allow remounting of a mount as read-only. Change-Id: Idfcc96c3da66083295177f729263560be58034e4
2010-07-02support for ext4/EMMC filesystems in updater binaryDoug Zongker1-1/+1
Make the mount and format functions take extra parameters describing the filesystem type and add support for mounting and formatting ext4 filesystems on EMMC. Change recovery to consistently use stdout for status messages instead of mixing stdout and stderr.
2010-06-25Add __attribute__((format(printf, a, b))) to printf like functions.Nick Kralevich1-1/+1
Fix potential string format bug. Change-Id: Ie05aac53b2c45a48bd68e340b76ccb21edfd28b7
2010-02-03bump updater API version to 3; deprecate firmware update commandDoug Zongker1-84/+7
Remove support for the HTC-specific "firmware" update command and the corresponding edify function write_firmware_update(). This functionality is now done by an edify extension library that lives in vendor/htc. Change-Id: I80858951ff10ed8dfff98aefb796bef009e05efb
2010-01-29fix parsing of dumpkeys outputDoug Zongker1-4/+4
%i can't be used to read unsigned ints (though it happens to work with bionic). Change to %x and %u as appropriate. Change-Id: I8ea9ca16a939501757cf70fc5953abee26c8231c http://b/2402231 - Parser for /res/keys interprets n0inv as a signed int
2009-11-13eclair snapshotJean-Baptiste Queru1-16/+18
2009-08-17do not merge: cherry-picked 60151a295ccf726238dc47456d80b427db6d6a38 from master branchDoug Zongker1-16/+18
2009-08-15verify whole-file signature instead of jarsigner signaturesDoug Zongker1-16/+18
In recovery, verify a signature that covers the entire zip file, instead of using the jarsigner format to verify individual files. Bug: 1328985
2009-07-15remove amendDoug Zongker1-103/+2
Yank all the code to install OTA packages out of the recovery binary itself. Now packages are installed by a binary included in the package (run as a child of recovery), so we can make improvements in the installation process without waiting for a new release to use them.
2009-06-24improve updater progress barDoug Zongker1-1/+13
Let recovery accept set_progress commands to control progress over the 'current segment' of the bar. Add a set_progress() builtin to the updater binary.
2009-06-18let the "firmware" command take the file straight from the packageDoug Zongker1-22/+44
To do a firmware-install-on-reboot, the update binary tells recovery what file to install before rebooting. Let this file be specified as "PACKAGE:<foo>" to indicate taking the file out of the OTA package, avoiding an extra copy to /tmp. Bump the API version number to reflect this change.
2009-06-12fixes to edify and updater scriptDoug Zongker1-0/+10
A few more changes to edify: - fix write_raw_image(); my last change neglected to close the write context, so the written image was corrupt. - each expression tracks the span of the source code from which it was compiled, so that assert()'s error message can include the source of the expression that failed. - the 'cookie' argument to each Function is replaced with a State object, which contains the cookie, the source script (for use with the above spans), and the current error message (replacing the global variables that were used for this purpose). - in the recovery image, a new command "ui_print" can be sent back through the command pipe to cause text to appear on the screen. Add a new ui_print() function to print things from scripts. Rename existing "print" function to "stdout".
2009-06-12edify extensions for OTA package installation, part 2Doug Zongker1-1/+2
Adds more edify functions for OTAs: is_mounted getprop apply_patch apply_patch_check apply_patch_space write_raw_image write_firmware_image package_extract_file This allows us to install radios, hboots, boot images, and install incremental OTA packages. Fixes a couple of dumb bugs in edify itself: - we were doubling the size of the function table each time it was *not* full, rather than each time it was full - "no such function" errors weren't visible to the parser, so they didn't prevent execution of the script.
2009-06-12edify extensions for OTA package installation, part 1Doug Zongker1-1/+1
Adds the following edify functions: mount unmount format show_progress delete delete_recursive package_extract symlink set_perm set_perm_recursive This set is enough to extract and install the system part of a (full) OTA package. Adds the updater binary that extracts an edify script from the OTA package and then executes it. Minor changes to the edify core (adds a sleep() builtin for debugging, adds "." to the set of characters that can appear in an unquoted string).
2009-06-05allow OTA package to provide binary instead of scriptDoug Zongker1-1/+169
Allow installation of OTA packages which do not contain an update-script, but instead contain an update-binary.
2009-05-29don't say "install complete" when it really isn'tDoug Zongker1-1/+1
Change the recovery UI so that when there is a hboot or radio update pending (which the user most do a home+back reboot to actually install), the UI tells them so, instead of saying "Install from sdcard complete."
2009-04-02AI 144132: am: CL 144130 Don't build OTA package keys into the recovery binary; readDoug Zongker1-8/+88
them from an external file in the recovery image. Use the test-keys for all builds. Original author: dougz Merged from: //branches/donutburger/... Automated import of CL 144132
2009-04-02AI 144130: Don't build OTA package keys into the recovery binary; readDoug Zongker1-8/+88
them from an external file in the recovery image. Use the test-keys for all builds. Automated import of CL 144130
2009-03-04auto import from //depot/cupcake/@135843The Android Open Source Project1-0/+186
2009-03-04auto import from //depot/cupcake/@135843The Android Open Source Project1-186/+0