summaryrefslogtreecommitdiffstats
path: root/install.cpp (follow)
Commit message (Collapse)AuthorAgeFilesLines
* DO NOT MERGE Report uncrypt errors in detailsTianjie Xu2016-09-291-1/+1
|\ | | | | | | | | | | am: 37d7d67ca2 Change-Id: I4da910cde3f1a84b9dfb5839a43b00818a942dbd
| * DO NOT MERGE Report uncrypt errors in detailsTianjie Xu2016-09-291-1/+1
| | | | | | | | | | | | | | | | | | | | Add the error codes for uncrypt and report the failure details in uncrypt_status. Test: uncrypt_error logs correctly in last_install Bug: 31603820 Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5 (cherry picked from commit da44cf18f3ce4bbffa85ad0a50bb25e9cb54a86d)
* | DO NOT MERGE Duplicate the last_install content into last_log.Tao Bao2016-09-271-31/+30
|\| | | | | | | | | | | am: a8c0d0b43a Change-Id: I6ba873dcf7b833daaf6ca74d49a6410be3e4fbcb
| * DO NOT MERGE Duplicate the last_install content into last_log.Tao Bao2016-09-271-31/+30
| | | | | | | | | | | | | | | | | | | | | | | | Currently we save the OTA metrics in last_install, which keeps the data for the _last_ install only. This CL logs the same content into last_log so that we keep the metrics for every install. Bug: 31607469 Test: Apply an update (via OTA and sideload) and check last_log and last_install. Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c (cherry picked from commit f4885adc189f246ac3c651aa5cb2e74a240f3f1e)
* | DO NOT MERGE Fail gracefully when we fail to fork the update binaryMatthew Bouyack2016-09-201-0/+8
|/ | | | | | See bug b/31395655 Change-Id: Ic5a046bc80ea88d7eb52755838bdbf4e1e47da50
* Check corruption when reading uncrypt_status fileTianjie Xu2016-09-131-0/+2
| | | | | | Bug: 31383361 Change-Id: I0de920916da213528d73b742e4823b4a98c63ea1 (cherry picked from commit 1c1864f321b129c81883ed527b1da8c69661e51f)
* save uncrypt status to last_installTianjie Xu2016-09-131-0/+13
| | | | | | | | | | | | Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery reads the file and saves its contents to last_install. Bug: 31383361 Test: Tested on angler and uncrypt_time reports correctly. (cherry picked from commit fe16b5ccaf80f6e04d5b722c37c1abd70457ad28) Change-Id: Id69681a35c7eb2f0eb21b48e3616dcda82ce41b8
* Add inttypes.h for PRIu64.Alex Deymo2016-08-121-0/+1
| | | | | | | | | This missing header is needed to use PRIu64 macros. Bug: 27178350 TEST=`mma bootable/recovery` on the failing branch. Change-Id: I165701e8019256426d3f6a4168db52c6a0197c4d
* Call update_engine_sideload from recovery.Alex Deymo2016-08-121-18/+181
| | | | | | | | | | | | | | | This patch enables sideloading an OTA on A/B devices while running from recovery. Recovery accepts the same OTA package format as recent versions of GMS, which consists of .zip file with the payload in it. Bug: 27178350 TEST=`adb sideload` successfully a full OTA (*) TEST=Failed to take several invalid payloads (wrong product, fingerprint, update type, serial, etc). <small>(*) with no postinstall script.</small> Change-Id: I951869340100feb5a37e41fac0ee59c10095659e
* Verify wipe package when wiping A/B device in recovery.Yabin Cui2016-06-211-23/+37
| | | | | | | | | | To increase the security of wiping A/B devices, let uncrypt write wipe package in misc partition. Then recovery verifies the wipe package before wiping the device. Bug: 29159185 Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
* Log source/target build version to last_installTianjie Xu2016-06-101-0/+55
| | | | | | | | | | | | | | | | Parse the build.version.incremental from the metadata of the update package; and log it to last_install. Example: In metadata we read: post-build-incremental=2951741 pre-build-incremental=2943039 In last install we log: source_build: 2943039 target_build: 2951741 Bug: 28658632 Change-Id: I0a9cc2d01644846e18bda31f4193ff40e8924486
* Call ioctl before each write on retryTianjie Xu2016-06-031-6/+13
| | | | | | | | If the update is a retry, ioctl(BLKDISCARD) the destination blocks before writing to these blocks. Bug: 28990135 Change-Id: I1e703808e68ebb1292cd66afd76be8fd6946ee59
* Allow recovery to return error codesTianjie Xu2016-05-201-2/+11
| | | | | | | | | | | | | | | | | | Write error code, cause code, and retry count into last_install. So we can have more information about the reason of a failed OTA. Example of new last_install: @/cache/recovery/block.map package name 0 install result retry: 1 retry count (new) error: 30 error code (new) cause: 12 error cause (new) Details in: go/android-ota-errorcode Bug: 28471955 Change-Id: I00e7153c821e7355c1be81a86c7f228108f3dc37
* Add time and I/O info to last_installTianjie Xu2016-05-161-4/+23
| | | | | | | | | | | | | | | One example of last_install is: /sideload/package.zip 1 time_total: 101 bytes_written_system: 14574000 bytes_stashed_system: 100 bytes_written_vendor: 5107400 bytes_stashed_vendor: 0 Bug: 28658632 Change-Id: I4bf79ea71a609068d38fbce6b41bcb892524aa7a
* Use BoringSSL instead of mincrypt to speed up package verification.Elliott Hughes2016-04-141-8/+9
| | | | | | | | | | | | This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt. Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with merge conflict resolution, extra logging in verifier.cpp, and an increase in the hash chunk size from 4KiB to 1MiB. Bug: http://b/28135231 Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
* Reboot and retry on I/O errorsTianjie Xu2016-03-101-0/+6
| | | | | | | | | When I/O error happens, reboot and retry installation two times before we abort this OTA update. Bug: 25633753 Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69 (cherry picked from commit 3c62b67faf8a25f1dd1c44dc19759c3997fdfd36)
* recovery: Refactor verifier and verifier_test.Tao Bao2016-02-031-7/+6
| | | | | | | | Move to using std::vector and std::unique_ptr to manage key certificates to stop memory leaks. Bug: 26908001 Change-Id: Ia5f799bc8dcc036a0ffae5eaa8d9f6e09abd031c
* Log update outputs in orderTao Bao2015-06-031-2/+2
| | | | | | | | | | | | | | Although stdout and stderr are both redirected to log file with no buffering, we are seeing some outputs are mixed in random order. This is because ui_print commands from the updater are passed to the recovery binary via a pipe, which may interleave with other outputs that go to stderr directly. In recovery, adding ui::PrintOnScreenOnly() function to handle ui_print command, which skips printing to stdout. Meanwhile, updater prints the contents to stderr in addition to piping them to recovery. Change-Id: Idda93ea940d2e23a0276bb8ead4aa70a3cb97700
* Update the comments for package installer commandsTao Bao2015-04-111-1/+13
| | | | | | | | These commands are for the communication between the installer and the update binary (edify interpreter). Update the comments in sync with the codes. Change-Id: I7390f022b1447049a974b0b45697ef1d2e71d4e0
* Rotate logs only when there are actual operationsTao Bao2015-04-081-0/+2
| | | | | | | | | | Currently it rotates the log files every time it boots into the recovery mode. We lose useful logs after ten times. This CL changes the rotation condition so that it will rotate only if it performs some actual operations that modify the flash (installs, wipes, sideloads and etc). Bug: 19695622 Change-Id: Ie708ad955ef31aa500b6590c65faa72391705940
* Factor out option variables from int to bool typesTao Bao2015-03-251-5/+5
| | | | Change-Id: Ia897aa43e44d115bde6de91789b35723826ace22
* Add missing includes.Elliott Hughes2015-01-281-0/+1
| | | | Change-Id: I0737456e0221ebe9cc854d65c95a7d37d0869d56
* sideload without holding the whole package in RAMDoug Zongker2014-07-021-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement a new method of sideloading over ADB that does not require the entire package to be held in RAM (useful for low-RAM devices and devices using block OTA where we'd rather have more RAM available for binary patching). We communicate with the host using a new adb service called "sideload-host", which makes the host act as a server, sending us different parts of the package file on request. We create a FUSE filesystem that creates a virtual file "/sideload/package.zip" that is backed by the ADB connection -- users see a normal file, but when they read from the file we're actually fetching the data from the adb host. This file is then passed to the verification and installation systems like any other. To prevent a malicious adb host implementation from serving different data to the verification and installation phases of sideloading, the FUSE filesystem verifies that the contents of the file don't change between reads -- every time we fetch a block from the host we compare its hash to the previous hash for that block (if it was read before) and cause the read to fail if it changes. One necessary change is that the minadbd started by recovery in sideload mode no longer drops its root privileges (they're needed to mount the FUSE filesystem). We rely on SELinux enforcement to restrict the set of things that can be accessed. Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
* disable async reboot during package installationDoug Zongker2014-05-231-0/+7
| | | | | | | | | | The default recovery UI will reboot the device when the power key is pressed 7 times in a row, regardless of what recovery is doing. Disable this feature during package installation, to minimize the chance of corrupting the device due to a mid-install reboot. (Debug packages can explicitly request that the feature be reenabled.) Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
* do verification and extraction on memory, not filesDoug Zongker2014-01-161-7/+23
| | | | | | | | | | | | | | | | Changes minzip and recovery's file signature verification to work on memory regions, rather than files. For packages which are regular files, install.cpp now mmap()s them into memory and then passes the mapped memory to the verifier and to the minzip library. Support for files which are raw block maps (which will be used when we have packages written to encrypted data partitions) is present but largely untested so far. Bug: 12188746 Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
* Restore default umask after forking for update-binary.Alistair Strachan2013-11-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | A system/core change made in Mar 26 2012 6ebf12f "init: Change umask of forked processes to 077" changed the default umask of services forked from init. Because recovery is forked from init, it has a umask of 077. Therefore when update-binary is forked from recovery, it too has a umask of 077. This umask is overly restrictive and can cause problems for scripts relying on minzip to extract binaries directly into the target filesystem. Any directories updated by minzip will have their permissions reset to r-x------ and created files will have similarly restrictive permissions. As it seems unlikely this security measure was intended to have this side effect on legacy sideloads that do not have chmods to repair the damage done by minzip, this change reverts the umask to 022 in the fork made for update-binary. Change-Id: Ib1a3fc83aa4ecc7480b5d0c00f3c7d0d040d4887
* recovery: install packages in a known mount environmentDoug Zongker2013-08-211-5/+10
| | | | | | | | | | | When installing a package, we should have /tmp and /cache mounted and nothing else. Ensure this is true by explicitly mounting them and unmounting everything else as the first step of every install. Also fix an error in the progress bar that crops up when you do multiple package installs in one instance of recovery. Change-Id: I4837ed707cb419ddd3d9f6188b6355ba1bcfe2b2
* recovery: move log output to stdoutDoug Zongker2013-07-091-0/+1
| | | | | | | | Recovery currently has a random mix of messages printed to stdout and messages printed to stderr, which can make logs hard to read. Move everything to stdout. Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
* verifier: update to support certificates using SHA-256Doug Zongker2013-04-101-1/+1
| | | | Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e
* move key loading to verifier codeDoug Zongker2012-11-021-100/+0
| | | | | | | Add an option to verifier_test to load keys from a file, the way the recovery does. Change-Id: Icba0e391164f2c1a9fefeab4b0bcb878e91d17b4
* add simple text to recovery UIDoug Zongker2012-08-231-1/+1
| | | | | | | | | | | | | | | - recovery takes a --locale argument, which will be passed by the main system - the locale is saved in cache, in case the --locale argument is missing (eg, when recovery is started from fastboot) - we include images that have prerendered text for many locales - we split the background states into four (installing update, erasing, no command, error) so that appropriate text can be shown. Change-Id: I731b8108e83d5ccc09a4aacfc1dbf7e86b397aaf
* support version 2 (2048-bit e=65537) keys in recoveryDoug Zongker2012-07-251-1/+25
| | | | Change-Id: I9849c69777d513bb12926c8c622d1c12d2da568a
* minor recovery changesDoug Zongker2012-04-121-0/+2
| | | | | | | | | | | | - add the --just_exit option to make recovery exit normally without doing anything - make it possible to build updater extensions in C++ - add the clear_display command so that the updater binary can request recovery switch to the NONE background UI These are all used to support the notion of using OTA as a factory reflash mechanism. Change-Id: Ib00d1cbf540feff38f52a61a2cf198915b48488c
* refactor ui functions into a classDoug Zongker2011-10-291-14/+20
| | | | | | | | | | | Move all the functions in ui.c to be members of a ScreenRecoveryUI class, which is a subclass of an abstract RecoveryUI class. Recovery then creates a global singleton instance of this class and then invoke the methods to drive the UI. We use this to allow substitution of a different RecoveryUI implementation for devices with radically different form factors (eg, that don't have a screen). Change-Id: I7fd8b2949d0db5a3f47c52978bca183966c86f33
* turn recovery into a C++ binaryDoug Zongker2011-10-281-0/+314
Change-Id: I68a67a4c8edec9a74463b3d4766005ce27b51316