summaryrefslogtreecommitdiffstats
path: root/install.cpp (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Recovery now expects public keys in zipfileTianjie Xu2018-10-221-5/+5
| | | | | | | | | | | This is in line with the build system change which copies the recovery ota install keys to a zipfile. And now recovery will parses and loads the public keys from /res/otacerts.zip. The legacy load_keys functions will be removed in later cls. Bug: 116655889 Test: sideload an ota package Change-Id: I95e91736ca9964df06d74aa292d672e2f9e442e8
* Track the change to update_engine_sideload path.Tao Bao2018-08-141-1/+1
| | | | | | | | | Bug: 112494634 Test: Build and boot into recovery image on taimen. Verify that `Apply updates from ADB` keeps working. Test: Run recovery_component_test on marlin. Change-Id: I9ee8834053fda79a4fd77bfa83eab3cc51a90dff
* Drop the dependency on AB_OTA_UPDATER flag.Tao Bao2018-06-191-24/+15
| | | | | | | | | | | | | | | | This shortens the gap between A/B and non-A/B builds, by replacing the dependency on build-time flag with runtime detection instead. It also allows building and testing both paths regardless of the target OTA type. The size increase to /sbin/recovery looks negligible (< 0.01%). - marlin: increased from 2084928 to 2085024; - angler: increased from 2084776 to 2084896. Test: Run recovery_component_test on angler and marlin. Test: Sideload an A/B OTA package on marlin. Test: Sideload a non-A/B OTA package on angler. Change-Id: I1d927d1ede9713fb42f73b4fe324aa5705ee6f99
* otautil: Rename dir/sys/thermal utils.Tao Bao2018-05-041-2/+2
| | | | | Test: mmma -j bootable/recovery Change-Id: I32ab98549e91f993364306e4a88dc654221b3869
* Rename CacheLocation to Paths.Tao Bao2018-04-261-3/+3
| | | | | | | | | | We have a general need for overriding more paths (e.g. "/tmp"), mostly for testing purpose. Rename CacheLocation to Paths, and use that to manage TEMPORARY_{INSTALL,LOG}_FILE. Test: mmma -j bootable/recovery Test: recovery_component_test Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
* Revert "Revert "Move error_code.h into otautil.""Tao Bao2017-10-091-1/+1
| | | | | | | | | | | | | | | | This reverts commit 26436d6d6010d5323349af7e119ff8f34f85c40c to re-land "Move error_code.h into otautil.". This way it stops requiring relative path ".." in LOCAL_C_INCLUDES (uncrypt and edify). Soong doesn't accept non-local ".." in "local_include_dirs". This CL needs to land with device-specific module changes (e.g. adding the dependency on libotautil). Test: lunch aosp_{angler,bullhead,dragon,fugu,sailfish}-userdebug; mmma bootable/recovery Change-Id: If193241801af2dae73eccd31ce57cd2b81c9fd96
* Revert "Move error_code.h into otautil."Tao Bao2017-10-051-1/+1
| | | | | | | | This reverts commit 623fe7e701d5d0fb17082d1ced14498af1b44e5b. Reason for revert: Need to address device-specific modules. Change-Id: Ib7a4191e7f193dfff49b02d3de76dda856800251
* Move error_code.h into otautil.Tao Bao2017-10-041-1/+1
| | | | | | | | | This way it stops requiring relative path ".." in LOCAL_C_INCLUDES (uncrypt and edify). Soong doesn't accept non-local ".." in "local_include_dirs". Test: mmma bootable/recovery Change-Id: Ia4649789cef2aaeb2785483660e9ea5a8b389c62
* roots: Fix an issue with volume_for_path().Tao Bao2017-10-021-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | The earlier commit in 2dfc1a38982c4052bb32bc7fc06edeadf3908fb9 unintentionally changed the behavior. It gives a different result when looking up non-existent mount points (e.g. /cache on marlin). The logic behind volume_for_path("/xyz") is unclear: - It's fine to return non-null value if it's called by ensure_path_mounted() before accessing that file "/xyz". (Just based on the function name, we're not actually having this case.) - It should return nullptr if the caller is interested in the existence of that particular mount point "/xyz". This CL renames the function to volume_for_mount_point(), which does an exact match by querying the given mount point from libfs_mgr. The former volume_for_path() has been moved down to function scope for serving ensure_path_mounted() only. Test: Build and boot into recovery on bullhead and marlin respectively. 'View recovery logs'. Test: 'Mount /system' Test: 'Apply update from ADB' Change-Id: I1a16390f57540cae08a2b8f3d439d17886975217
* Remove EXPAND/STRINGIFY macros.Tao Bao2017-09-131-1/+1
| | | | | | | | | | | | | | | | | | | This reverts commit 8be0f39fec7f26164fd0791ff6d15bde65fc849c to reland the change that removes EXPAND/STRINGIFY macros. It's error-prone by putting anything into a string (e.g. EXPAND(RECOVERY_API_VERSION) would become "RECOVER_API_VERSION" if we forgot to pass -DRECOVERY_API_VERSION=3). The initial attempt put RECOVERY_API_VERSION into common.h, which might be included by device-specific codes but without defining that when compiling the module. This CL avoids the issue by using a constant in the header, with a static_assert in recovery.cpp that guards the consistency. Test: recovery_component_test Test: Sideload OTAs on bullhead and sailfish respectively. Change-Id: I12af3f73392a85554ba703f04970ec9d984ccbaa
* Merge "Add missing report of error code under recovery"Tianjie Xu2017-08-251-0/+3
|\
| * Add missing report of error code under recoveryTianjie Xu2017-08-231-0/+3
| | | | | | | | | | | | | | | | Add report of kMapFileFailure, kForkUpdateBinaryFailure and kUpdateBinaryCommandFailure. Test: unit test pass; kMapFileFailure reports correctly. Change-Id: I858c81b6c750b5e300b1b12760b1f0fa8e23b47d
* | Allow comparison against multi serial nums for A/B packageTianjie Xu2017-08-221-5/+15
|/ | | | | | | | | | | | | The metadata file now can have multiple serial numbers in the format: serialno=serialno1|serialno2|serialno3 ... Verifier will pass the check if the device serial number matches any of these numbers. Bug: 64802465 Test: Create a metadata file with 1000 numbers and sideload in sailfish. The checker detects both match and mismatch cases. Change-Id: I3f12b75e15f4179df260778e37f4563d65db0fa8
* Fix the android-cloexec-* warnings in bootable/recoveryTianjie Xu2017-07-191-1/+1
| | | | | | | | Add the O_CLOEXEC or 'e' accordingly. Bug: 63510015 Test: recovery tests pass Change-Id: I7094bcc6af22c9687eb535116b2ca6a59178b303
* avoid assuming build number is a 32-bit integerDaniel Micay2017-06-261-13/+9
| | | | | | | | | | | | | | | | | | | | | | | The install logging currently assumes that the build number is a 32-bit integer and prints an error when that doesn't hold true. However, that's only a convention used by Google builds. From build/core/version_defaults.mk: ifeq "" "$(BUILD_NUMBER)" # BUILD_NUMBER should be set to the source control value that # represents the current state of the source code. E.g., a # perforce changelist number or a git hash. Can be an arbitrary string # (to allow for source control that uses something other than numbers), # but must be a single word and a valid file name. # # If no BUILD_NUMBER is set, create a useful "I am an engineering build # from this date/time" value. Make it start with a non-digit so that # anyone trying to parse it as an integer will probably get "0". BUILD_NUMBER := eng.$(shell echo $${USER:0:6}).$(shell $(DATE) +%Y%m%d.%H%M%S) endif Change-Id: I8e7cec0618783f69545ba76d0dce2bbc1681784c
* Fix a race condition for temperature_loggerTianjie Xu2017-06-081-3/+7
| | | | | | | | | It's a rare deadlock that happens on fugu when the updater exits too fast due to a format error. Bug: 62379170 Test: fake-ota fails gracefully without hanging. Change-Id: Icbd6cff4f6b44ca20f4d75f8039332111f696cc5
* Add a binary path param to update_binary_command().Tao Bao2017-05-081-21/+23
| | | | | | | | | | | This allows writing native tests for non-A/B update_binary_command(). Prior to this CL, it was extracting the updater to a hard-coded location (/tmp/update_binary) that's not available under the test environment. Test: recovery_component_test on angler and marlin respectively. Test: Sideload OTA packages on angler and marlin respectively. Change-Id: I78b9cc211d90c0a16a84e94e339b65759300e2a8
* Revert "Remove EXPAND/STRINGIFY macros."Tao Bao2017-05-041-1/+1
| | | | | | | | | | This reverts commit ec9706738f35a859f66fd0758b73381055804f63. Reason for revert: It's not a good idea to put RECOVERY_API_VERSION in common.h, which might be included by device-specific codes (but with RECOVERY_API_VERSION undefined). Change-Id: I9feb9c64a5af3e9165164622a59b043aa28a8b8c
* Remove EXPAND/STRINGIFY macros.Tao Bao2017-05-031-1/+1
| | | | | | | | | | | | | | | | They are error-prone by putting anything into a string (e.g. EXPAND(RECOVERY_API_VERSION) would become "RECOVER_API_VERSION" if we forgot to pass -DRECOVERY_API_VERSION=3). RECOVERY_API_VERSION is the only user (in bootable/recovery) that gets stringified. Assign it to a typed var and sanity check the value. Don't see other reference to the macros from device-specific recovery directories (they can still define that locally if really needed). Test: recovery_component_test Test: Sideload an OTA on angler and marlin respectively. Change-Id: I358bbdf8f0a99db5ce4c7bc2fdcafe8013501b64
* Move sysMapFile and sysReleaseMap into MemMapping class.Tao Bao2017-05-021-5/+1
| | | | | | | Test: recovery_component_test Test: recovery_unit_test Test: Apply an OTA on angler. Change-Id: I7170f03e4ce1fe06184ca1d7bcce0a695f33ac4d
* recovery: Change install_package() to take std::string.Tao Bao2017-05-011-69/+72
| | | | | | | | | Also change the parameter type for log_buffer from reference to pointer, so the styles for parameters look consistent. Test: mmma bootable/recovery Test: sideload a package with the new recovery image Change-Id: I8f25580ccf22977624648b3e2181cca44dd67c1b
* librecovery: Remove -Wno-unused-parameter and add -Wall.Tao Bao2017-04-241-1/+1
| | | | | Test: mmma bootable/recovery Change-Id: I5598d32bebb9dbda4a183a1502e0b7dc4918392e
* Merge "Call libvintf to verify package compatibility."Tao Bao2017-04-201-5/+10
|\
| * Call libvintf to verify package compatibility.Tao Bao2017-04-201-5/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | The libvintf API has landed. Hook up to do the actual verification. Bug: 36597505 Test: recovery_component_test Test: m recoveryimage; adb sideload on angler and sailfish, with packages that contain dummy compatibility entries. Test: m recoveryimage; adb sideload on angler and sailfish, with packages that don't contain any compatibility entries. Change-Id: Idbd6f5aaef605ca51b20e667505d686de5ac781f (cherry picked from commit da320ac6ab53395ddff3cc08b88a61f977ed939a)
* | Add tests for read_metadata_from_package().Tao Bao2017-04-191-43/+39
|/ | | | | Test: recovery_component_test Change-Id: I672a6a4f101c72e82b9f25f165dccd1c9520627b
* Minor clean up to install.cpp.Tao Bao2017-04-191-66/+61
| | | | | | | | | - Move some macros / constants into functions; - Remove unneeded #include "minui/minui.h"; - Remove two dead constants (DEFAULT_{FILES,IMAGES}_PROGRESS_FRACTION). Test: mmma bootable/recovery Change-Id: Ib808f14b7569e06e23a8a7cc9b2d4e9aa5469de1
* Add tests for update_binary_command().Tao Bao2017-04-181-82/+80
| | | | | | | | | | | | | | | Expose update_binary_command() through private/install.h for testing purpose. Also make minor clean-ups to install.cpp: a) adding more verbose logging on ExtractToMemory failures; b) update_binary_command() taking std::string instead of const char*; c) moving a few macro and global constants into update_binary_command(). Bug: 37300957 Test: recovery_component_test on marlin Test: Build new recovery and adb sideload on angler and sailfish. Change-Id: Ib2d9068af3fee038f01c90940ccaeb0a7da374fc
* Fix the double free in verify_package_compatibility().Tao Bao2017-04-181-1/+0
| | | | | | | | | | | | | | | | | """ void* cookie; std::unique_ptr<void, decltype(&EndIteration)> guard(cookie, EndIteration); ... EndIteration(cookie); """ The above pattern is buggy that frees 'cookie' twice. Bug: 37413730 Test: Build new recovery and adb sideload a previously crashed package that contains 'compatibility.zip'. Change-Id: I183c33827fb28a438ebaedda446e84cabe7cb92d (cherry picked from commit f978278995d02a58e311fe017bdbb2c3702dd3bc)
* Verify the package compatibility with libvintf.Tao Bao2017-04-131-0/+73
| | | | | | | | | | | | | | | | verify_package_compatibility() is added to parse the compatibility entry (compatibility.zip) in a given OTA package. If entry is present, the information is sent to libvintf to check the compatibility. This CL doesn't actually call libvintf, since the API there is not available yet. Bug: 36597505 Test: Doesn't break the install with existing packages (i.e. w/o the compatibility entry). Test: recovery_component_test Change-Id: I3903ffa5f6ba33a5c0d761602ade6290c6752596 (cherry picked from commit 62e0bc7586077b3bde82759fb34b51b982cea20f)
* Log temperature during OTA updateTianjie Xu2017-03-281-5/+47
| | | | | | | | | | | | Log the maximum temperature as well as the start/end temperature of an update to last_install. Check the temperature at the end of each block_image_update(verify). To get the maximum temp, we iterate through /sys/class/thermal/thermal_zone*/temp and find the maximum value present. Bug: 32518487 Test: temperature logs in last_install Change-Id: Iaf22a9fbc5b18611bbc5320ffea995417872e514
* Skip logging the warning for uncrypt_status for devices w/o /cacheTianjie Xu2017-03-261-5/+9
| | | | | | | | | This warning may cause confusion for users. Bug: 36590598 Test: Warning line no longer shows for sailfish. Change-Id: I277c87a50a72fdb499be790ee25b97f815d980be Merged-In: I277c87a50a72fdb499be790ee25b97f815d980be
* verify_file: Add constness to a few addresses.Tao Bao2017-03-211-1/+1
| | | | | | | | | | We should not touch any data while verifying packages (or parsing the in-memory ASN.1 structures). Test: mmma bootable/recovery Test: recovery_component_test passes. Test: recovery_unit_test passes. Change-Id: Ie990662c6451ec066a1807b3081c9296afbdb0bf
* Drop the dependency on 'ui' in verify_file().Tao Bao2017-03-171-19/+21
| | | | | | | | | | | | | | verify_file() has a dependency on the global variable of 'ui' for posting the verification progress, which requires the users of libverifier to provide a UI instance. This CL adds an optional argument to verify_file() so that it can post the progress through the provided callback function. As a result, we can drop the MockUI class in verifier_test.cpp. Test: recovery_component_test passes. Test: verify_file() posts progress update when installing an OTA. Change-Id: I8b87d0f0d99777ea755d33d6dbbe2b6d44243bf1
* Replace _exit(-1) with _exit(EXIT_FAILURE).Tao Bao2017-02-031-1/+1
| | | | | | | | | -1 is not a valid exit status. Also replace a few exit(1) with exit(EXIT_FAILURE). Test: mmma bootable/recovery Change-Id: I4596c8328b770bf95acccc06a4401bd5cabd4bfd
* Avoid to call UI functions in child processTianjie Xu2017-02-031-1/+5
| | | | | | | | | | | ui_print uses a mutex to protect the critical section. And a forked child process may intialize the mutex inappropriatly, which leads to a hanging child process. So we shall avoid to call the UI functions in child process. Bug: 34769056 Test: fake ota on fugu failed as expected due to updater format mismatch. Change-Id: I81bc942a796878fac19cf712512092c2b0d807c9
* Print with newline for ui_print.Tao Bao2017-01-221-5/+1
| | | | | | | | | | | | | | | | | | | Currently the ui_print command between the recovery and updater doesn't append newline. Updater has to send an extra "ui_print" command without any argument to get the line break. This looks unnecessary. And not all the callers (including the ones in bootable/recovery) are following this protocol when sending the ui_print command. This CL simplifies the protocol to always print with a newline for ui_print command. When updating from an old recovery with the new updater, all the ui_print'd strings would appear in one line as a side effect. But a) it would only affect the text-mode UI, which won't be shown to users; b) log files won't be affected. Bug: 32305035 Test: Apply an update with the new updater on top of an old and new recovery image respectively. Change-Id: I305a0ffc6f180daf60919cf99d24d1495d68749b
* recovery: Move property_get() to android::base::GetProperty().Tao Bao2017-01-131-68/+66
| | | | | | | | Test: Apply two A/B incremental OTAs with the new recovery image. The one with incorrect pre-build should be blocked, while the other works fine. Change-Id: I94d97eb8798599da1630f66343fb603e87464187
* recovery: Clean up try_update_binary() in install.cpp.Tao Bao2017-01-061-145/+166
| | | | | | | | | | | Move functions over to android::base versions. - strtok(3) => android::base::Split() - strtol(3) => android::base::ParseInt() - strtof(3) => android::base::ParseDouble() Test: Build recovery image and apply a package that calls ui_print / progress / set_progress commands. Change-Id: I953b4985e0bd9e277362ae53e233d755cf27d80c
* Remove the obsolete comments for firmware update.Tao Bao2016-12-141-9/+0
| | | | | | | | The corresponding code was removed in commit e08991e02a7d678f2574e85289a34b2a9a537c82 in 2010 (Froyo). Test: N/A Change-Id: I2b296e1b07d54232bade79fda7501387d65a4c37
* Merge "Revert "Revert "Some cleanups to recovery."""Tao Bao2016-11-041-2/+0
|\ | | | | | | | | | | am: a7a8262944 Change-Id: Iab6de4788c4dbecd33d076144f8324fde53b4024
| * Revert "Revert "Some cleanups to recovery.""Tao Bao2016-11-031-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 8584fcf677dd45b30121bd0490b06297e6be1871. This CL re-lands commit c0319b60f56d445c2d1c74f551e01f069b028fe6. The "stage" and "reason" variables are now declared as global by dropping the static qualifier, because they may be used by vendor recovery libraries. Test: lunch aosp_angler-userdebug; mmma bootable/recovery Test: lunch aosp_dragon-userdebug; mmma bootable/recovery Change-Id: I252c346f450079478cff22bbff01590b8ab2e2b3
* | Merge "Revert "Some cleanups to recovery.""Dan Albert2016-10-271-0/+2
|\| | | | | | | | | | | am: 9514eb1934 Change-Id: Id96135ffde5adaebd45811b9c3d319a99fe28ecd
| * Revert "Some cleanups to recovery."Dan Albert2016-10-271-0/+2
| | | | | | | | | | | | | | | | This reverts commit c0319b60f56d445c2d1c74f551e01f069b028fe6. Reason for revert: Broke builds. Change-Id: I82aa880b83de5ae6c36fd7567cb001920559a972
* | Merge "Some cleanups to recovery."Tao Bao2016-10-271-2/+0
|\| | | | | | | | | | | am: 46fb0a6a6f Change-Id: Ic247a408b1bd3e2eab1db34eb4b14423d9fd16d6
| * Some cleanups to recovery.Tao Bao2016-10-261-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | - Remove the duplicate gCurrentUI variable in recovery.cpp; - Refactor the load/save of locale functions; - Clean up ui_print() to get rid of 256-byte buffer limit; - Declare ui in common.h; - Move the typedef of Volume into roots.h. Test: Build and boot into recovery image. Change-Id: Ia28c116858ca754133127a5ff9c722af67ad55b7
| * Verify wipe package when wiping A/B device in recovery.Yabin Cui2016-10-191-25/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To increase the security of wiping A/B devices, let uncrypt write wipe package in misc partition. Then recovery verifies the wipe package before wiping the device. Based on the original cherrypick, this CL also has additional changes to address the LOG statements and libziparchive changes. Bug: 29159185 Test: Build and boot into recovery. Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168 (cherry picked from commit 6faf0265c9b58db2c15b53f6d29025629d52f882)
* | resolve merge conflicts of 6fba98c to stage-aosp-masterTianjie Xu2016-10-181-36/+43
|\| | | | | | | Change-Id: I2fa8b85109309ec88c1f8d8def593aa65ab885d7
| * Replace minzip with libziparchiveTianjie Xu2016-10-181-22/+23
| | | | | | | | | | | | | | | | | | | | | | Clean up the duplicated codes that handle the zip files in bootable/recovery; and rename the library of the remaining utility functions to libotautil. Test: Update package installed successfully on angler. Bug: 19472796 Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e
| * Fix the prefix matching for uncrypt status.Tao Bao2016-10-141-2/+2
| | | | | | | | | | | | | | | | | | Also change its logging statement from PLOG to LOG, since android::base::StartsWith() doesn't set errno. Test: Build and reboot into recovery image. Check last_log. Change-Id: I55ac7eec24228db76a13580958b4a4330b06cf57
* | Report uncrypt errors in detailsTianjie Xu2016-09-291-1/+1
| | | | | | | | | | | | | | | | | | | | Add the error codes for uncrypt and report the failure details in uncrypt_status. Test: uncrypt_error logs correctly in last_install Bug: 31603820 Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5 (cherry picked from commit 0c68675f5ae80cd669e0bf014a69689b6fe08eee)
* | Merge "Report uncrypt errors in details" am: af8b9363c6 am: 7582609d61Tianjie Xu2016-09-271-1/+1
|\| | | | | | | | | | | am: fc887a8fba Change-Id: I5e83be10f4443c8b107821975b3506381fcbdf0c
| * Report uncrypt errors in detailsTianjie Xu2016-09-271-1/+1
| | | | | | | | | | | | | | | | | | Add the error codes for uncrypt and report the failure details in uncrypt_status. Test: uncrypt_error logs correctly in last_install Bug: 31603820 Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
| * Duplicate the last_install content into last_log.Tao Bao2016-09-261-30/+30
| | | | | | | | | | | | | | | | | | | | | | Currently we save the OTA metrics in last_install, which keeps the data for the _last_ install only. This CL logs the same content into last_log so that we keep the metrics for every install. Bug: 31607469 Test: Apply an update (via OTA and sideload) and check last_log and last_install. Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c
* | Duplicate the last_install content into last_log.Tao Bao2016-09-261-30/+30
| | | | | | | | | | | | | | | | | | | | | | | | Currently we save the OTA metrics in last_install, which keeps the data for the _last_ install only. This CL logs the same content into last_log so that we keep the metrics for every install. Bug: 31607469 Test: Apply an update (via OTA and sideload) and check last_log and last_install. Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c (cherry picked from commit f4885adc189f246ac3c651aa5cb2e74a240f3f1e)
* | Fail gracefully when we fail to fork the update binaryMatthew Bouyack2016-09-211-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | This change was original made in cw-f-dev but caused failures in nyc-mr1-dev-plus-aosp due to lack of support for 'LOGE' This version of the change uses the new 'LOG(ERROR)' style logging instead. See bug b/31395655 Test: attempt a memory intensive incremental OTA on a low-memory device Change-Id: Ia87d989a66b0ce3f48e862abf9b9d6943f70e554
* | Revert "DO NOT MERGE Fail gracefully when we fail to fork the update binary am: de1b53d067"Matthew Bouyack2016-09-211-8/+0
| | | | | | | | | | | | This reverts commit 78563fdf78861884f300a6a874d2a0306f1eb002. Change-Id: I1ea4956a9843130aa41f2f7bc011c72e64fd7b62
* | DO NOT MERGE Fail gracefully when we fail to fork the update binaryMatthew Bouyack2016-09-201-0/+8
|\ \ | | | | | | | | | | | | | | | am: de1b53d067 Change-Id: Ic7a42220ed7e842dad1d5d2aacdd12253bd5ad84
| * | DO NOT MERGE Fail gracefully when we fail to fork the update binaryMatthew Bouyack2016-09-201-0/+8
| | | | | | | | | | | | | | | | | | See bug b/31395655 Change-Id: Ic5a046bc80ea88d7eb52755838bdbf4e1e47da50
| * | Check corruption when reading uncrypt_status fileTianjie Xu2016-09-131-0/+2
| | | | | | | | | | | | | | | | | | Bug: 31383361 Change-Id: I0de920916da213528d73b742e4823b4a98c63ea1 (cherry picked from commit 1c1864f321b129c81883ed527b1da8c69661e51f)
* | | Merge "Check corruption when reading uncrypt_status file" am: 3cf815a6a9 am: 40bae5e1c6Tianjie Xu2016-09-141-0/+2
|\ \ \ | | |/ | |/| | | | | | | | | | am: 1d55666106 Change-Id: I2081d6803377a7bf26175a55b3b5defb7c9d09d1
| * | Check corruption when reading uncrypt_status fileTianjie Xu2016-09-131-0/+2
| | | | | | | | | | | | | | | Bug: 31383361 Change-Id: I0de920916da213528d73b742e4823b4a98c63ea1
| * | save uncrypt status to last_installTianjie Xu2016-09-131-1/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery reads the file and saves its contents to last_install. Bug: 31383361 Test: Tested on angler and uncrypt_time reports correctly. Change-Id: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833 Merged-In: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
| * | Switch recovery to libbase loggingTianjie Xu2016-09-011-15/+17
| | | | | | | | | | | | | | | | | | | | | | | | Clean up the recovery image and switch to libbase logging. Bug: 28191554 Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35 Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
* | | save uncrypt status to last_install am: e16e799dfdTianjie Xu2016-09-131-0/+13
|\ \ \ | | |/ | |/| | | | | | | | | | am: 4769f209dc Change-Id: Ic9056d4af518df3747743ec6b2886fa437029395
| * | save uncrypt status to last_installTianjie Xu2016-09-131-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery reads the file and saves its contents to last_install. Bug: 31383361 Test: Tested on angler and uncrypt_time reports correctly. (cherry picked from commit fe16b5ccaf80f6e04d5b722c37c1abd70457ad28) Change-Id: Id69681a35c7eb2f0eb21b48e3616dcda82ce41b8
| * | Add inttypes.h for PRIu64.Alex Deymo2016-08-121-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | This missing header is needed to use PRIu64 macros. Bug: 27178350 TEST=`mma bootable/recovery` on the failing branch. Change-Id: I165701e8019256426d3f6a4168db52c6a0197c4d
* | | Fix a typo of variable name in install.cppTianjie Xu2016-09-021-6/+6
| | | | | | | | | | | | Change-Id: I42057bc2fb5096ce009fe6e4b787bc9082cd572f
* | | Switch recovery to libbase loggingTianjie Xu2016-09-011-33/+30
| | | | | | | | | | | | | | | | | | | | | | | | Clean up the recovery image and switch to libbase logging. Bug: 28191554 Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35 (cherry picked from commit 747781433fb01f745529c7e9dd97c5599070ad0d)
* | | Merge "Fix clang-tidy warnings in bootable/recovery." am: 89bf2bdc85 am: 9968866e86Chih-Hung Hsieh2016-08-271-2/+2
|\ \ \ | | |/ | |/| | | | | | | | | | am: d987fe1d57 Change-Id: Idd53009ad61bb4a0b573febdbedc5dc0eee8265f
| * | Fix clang-tidy warnings in bootable/recovery.Chih-Hung Hsieh2016-08-261-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Use const reference type for read-only parameters. Bug: 30407689 * Use faster overloaded string find function. Bug: 30411878 * Add parentheses around macro parameters. Bug: 28705665 Test: build with WITH_TIDY=1 Change-Id: I4e8e5748bfa4ae89871f1fb5fa4624d372530d75
| * | Merge "Free mmaped area if keys fail to load"Tao Bao2016-08-181-0/+1
| |\ \ | | | | | | | | | | | | | | | | | | | | am: f599414aec Change-Id: Id96153c211ca1fcc1cd78d6e662b0b48795c0d76
| | * | Free mmaped area if keys fail to loadWiZarD2016-08-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Keys for package verification is loaded after the update package is mmaped into memory. This mmaped area needs to be freed when exiting the function. Another approach would be to mmap after loading the keys. Change-Id: Ib77711a8acd5c363b5517da12dc311fb8f9f4605 Signed-off-by: WiZarD <WiZarD.Devel@gmail.com>
* | | | Add inttypes.h for PRIu64.Alex Deymo2016-08-121-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This missing header is needed to use PRIu64 macros. Bug: 27178350 TEST=`mma bootable/recovery` on the failing branch. Change-Id: I165701e8019256426d3f6a4168db52c6a0197c4d
* | | | resolve merge conflicts of 66940b9 to nyc-mr1-dev-plus-aospAlex Deymo2016-08-121-18/+181
|\ \ \ \ | | |_|/ | |/| | | | | | Change-Id: Icd879395a88ff1de0fcf0c754c0633d8fb6cf208
| * | | Call update_engine_sideload from recovery.Alex Deymo2016-08-121-18/+181
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables sideloading an OTA on A/B devices while running from recovery. Recovery accepts the same OTA package format as recent versions of GMS, which consists of .zip file with the payload in it. Bug: 27178350 TEST=`adb sideload` successfully a full OTA (*) TEST=Failed to take several invalid payloads (wrong product, fingerprint, update type, serial, etc). <small>(*) with no postinstall script.</small> Change-Id: I951869340100feb5a37e41fac0ee59c10095659e
* | | | resolve merge conflicts of ed4c49c to nyc-mr1-dev-plus-aospYabin Cui2016-06-211-23/+37
|\| | | | |/ / |/| | | | | Change-Id: I8788cc80473dc77bfa0cd2682f3acb6e17ac36df
| * | Verify wipe package when wiping A/B device in recovery.Yabin Cui2016-06-211-23/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To increase the security of wiping A/B devices, let uncrypt write wipe package in misc partition. Then recovery verifies the wipe package before wiping the device. Bug: 29159185 Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
* | | resolve merge conflicts of 179c0d8 to stage-aosp-masterElliott Hughes2016-06-161-2/+0
|\ \ \ | | |/ | |/| | | | Change-Id: Iba5aec266444cabf83f600f2bdb45a3c027e5995
| * | Remove obsolete MTD support.Elliott Hughes2016-06-101-2/+0
| | | | | | | | | | | | | | | Bug: http://b/29250988 Change-Id: Ia97ba9082a165c37f74d6e1c3f71a367adc59945
* | | Log source/target build version to last_installTianjie Xu2016-06-101-0/+55
|\ \ \ | | |/ | |/| | | | | | | | | | am: b0ddae55e5 Change-Id: Ifd9e006588de8bea233a4e90a5c80ed6b894054a
| * | Log source/target build version to last_installTianjie Xu2016-06-101-0/+55
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Parse the build.version.incremental from the metadata of the update package; and log it to last_install. Example: In metadata we read: post-build-incremental=2951741 pre-build-incremental=2943039 In last install we log: source_build: 2943039 target_build: 2951741 Bug: 28658632 Change-Id: I0a9cc2d01644846e18bda31f4193ff40e8924486
* | | resolve merge conflicts of 7ce287d to nyc-dev-plus-aospTianjie Xu2016-06-041-6/+13
|\| | | | | | | | | | | Change-Id: I2194d1170281f58eb508f2ef63b39c8729125f76
| * | Call ioctl before each write on retryTianjie Xu2016-06-031-6/+13
| | | | | | | | | | | | | | | | | | | | | | | | If the update is a retry, ioctl(BLKDISCARD) the destination blocks before writing to these blocks. Bug: 28990135 Change-Id: I1e703808e68ebb1292cd66afd76be8fd6946ee59
* | | resolve merge conflicts of 50f6417 to nyc-dev-plus-aospTianjie Xu2016-05-231-2/+11
|\| | | | | | | | | | | Change-Id: I42c127f7946e678acf6596f6352f090abc0ca019
| * | Allow recovery to return error codesTianjie Xu2016-05-201-2/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Write error code, cause code, and retry count into last_install. So we can have more information about the reason of a failed OTA. Example of new last_install: @/cache/recovery/block.map package name 0 install result retry: 1 retry count (new) error: 30 error code (new) cause: 12 error cause (new) Details in: go/android-ota-errorcode Bug: 28471955 Change-Id: I00e7153c821e7355c1be81a86c7f228108f3dc37
* | | Add time and I/O info to last_installTianjie Xu2016-05-181-4/+23
|\| | | | | | | | | | | | | | | | | | | | | | | | | | am: dd874b1c87 * commit 'dd874b1c87eb04f28db0db2629df0adde568a74c': Add time and I/O info to last_install Change-Id: I02aa858d5ce488d3acbf5400811e2565cf7d9c75
| * | Add time and I/O info to last_installTianjie Xu2016-05-161-4/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | One example of last_install is: /sideload/package.zip 1 time_total: 101 bytes_written_system: 14574000 bytes_stashed_system: 100 bytes_written_vendor: 5107400 bytes_stashed_vendor: 0 Bug: 28658632 Change-Id: I4bf79ea71a609068d38fbce6b41bcb892524aa7a
* | | resolve merge conflicts of 8febafa to nyc-dev-plus-aospElliott Hughes2016-04-141-6/+8
|\| | | |/ |/| | | Change-Id: I423937b4b20a2079714aa38ab7f8b199782df689
| * Use BoringSSL instead of mincrypt to speed up package verification.Elliott Hughes2016-04-141-8/+9
| | | | | | | | | | | | | | | | | | | | | | | | This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt. Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with merge conflict resolution, extra logging in verifier.cpp, and an increase in the hash chunk size from 4KiB to 1MiB. Bug: http://b/28135231 Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
| * Reboot and retry on I/O errorsTianjie Xu2016-03-101-0/+6
| | | | | | | | | | | | | | | | | | When I/O error happens, reboot and retry installation two times before we abort this OTA update. Bug: 25633753 Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69 (cherry picked from commit 3c62b67faf8a25f1dd1c44dc19759c3997fdfd36)
* | Convert recovery to use BoringSSL instead of mincrypt.Mattias Nissler2016-04-061-2/+1
| | | | | | | | | | | | | | This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt. Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
* | Reboot and retry on I/O errorsTianjie Xu2016-03-031-0/+6
| | | | | | | | | | | | | | | | When I/O error happens, reboot and retry installation two times before we abort this OTA update. Bug: 25633753 Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
* | Fix some memory leaks.Yabin Cui2016-02-111-5/+5
|/ | | | | Bug: 26906328 Change-Id: Iebaf03db0cb3054f91715f8c849be6087d01b27b
* recovery: Refactor verifier and verifier_test.Tao Bao2016-02-031-7/+6
| | | | | | | | Move to using std::vector and std::unique_ptr to manage key certificates to stop memory leaks. Bug: 26908001 Change-Id: Ia5f799bc8dcc036a0ffae5eaa8d9f6e09abd031c
* Log update outputs in orderTao Bao2015-06-031-2/+2
| | | | | | | | | | | | | | Although stdout and stderr are both redirected to log file with no buffering, we are seeing some outputs are mixed in random order. This is because ui_print commands from the updater are passed to the recovery binary via a pipe, which may interleave with other outputs that go to stderr directly. In recovery, adding ui::PrintOnScreenOnly() function to handle ui_print command, which skips printing to stdout. Meanwhile, updater prints the contents to stderr in addition to piping them to recovery. Change-Id: Idda93ea940d2e23a0276bb8ead4aa70a3cb97700
* Update the comments for package installer commandsTao Bao2015-04-111-1/+13
| | | | | | | | These commands are for the communication between the installer and the update binary (edify interpreter). Update the comments in sync with the codes. Change-Id: I7390f022b1447049a974b0b45697ef1d2e71d4e0
* Rotate logs only when there are actual operationsTao Bao2015-04-081-0/+2
| | | | | | | | | | Currently it rotates the log files every time it boots into the recovery mode. We lose useful logs after ten times. This CL changes the rotation condition so that it will rotate only if it performs some actual operations that modify the flash (installs, wipes, sideloads and etc). Bug: 19695622 Change-Id: Ie708ad955ef31aa500b6590c65faa72391705940
* Factor out option variables from int to bool typesTao Bao2015-03-251-5/+5
| | | | Change-Id: Ia897aa43e44d115bde6de91789b35723826ace22
* Add missing includes.Elliott Hughes2015-01-281-0/+1
| | | | Change-Id: I0737456e0221ebe9cc854d65c95a7d37d0869d56
* sideload without holding the whole package in RAMDoug Zongker2014-07-021-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement a new method of sideloading over ADB that does not require the entire package to be held in RAM (useful for low-RAM devices and devices using block OTA where we'd rather have more RAM available for binary patching). We communicate with the host using a new adb service called "sideload-host", which makes the host act as a server, sending us different parts of the package file on request. We create a FUSE filesystem that creates a virtual file "/sideload/package.zip" that is backed by the ADB connection -- users see a normal file, but when they read from the file we're actually fetching the data from the adb host. This file is then passed to the verification and installation systems like any other. To prevent a malicious adb host implementation from serving different data to the verification and installation phases of sideloading, the FUSE filesystem verifies that the contents of the file don't change between reads -- every time we fetch a block from the host we compare its hash to the previous hash for that block (if it was read before) and cause the read to fail if it changes. One necessary change is that the minadbd started by recovery in sideload mode no longer drops its root privileges (they're needed to mount the FUSE filesystem). We rely on SELinux enforcement to restrict the set of things that can be accessed. Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
* disable async reboot during package installationDoug Zongker2014-05-231-0/+7
| | | | | | | | | | The default recovery UI will reboot the device when the power key is pressed 7 times in a row, regardless of what recovery is doing. Disable this feature during package installation, to minimize the chance of corrupting the device due to a mid-install reboot. (Debug packages can explicitly request that the feature be reenabled.) Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
* do verification and extraction on memory, not filesDoug Zongker2014-01-161-7/+23
| | | | | | | | | | | | | | | | Changes minzip and recovery's file signature verification to work on memory regions, rather than files. For packages which are regular files, install.cpp now mmap()s them into memory and then passes the mapped memory to the verifier and to the minzip library. Support for files which are raw block maps (which will be used when we have packages written to encrypted data partitions) is present but largely untested so far. Bug: 12188746 Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
* Restore default umask after forking for update-binary.Alistair Strachan2013-11-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | A system/core change made in Mar 26 2012 6ebf12f "init: Change umask of forked processes to 077" changed the default umask of services forked from init. Because recovery is forked from init, it has a umask of 077. Therefore when update-binary is forked from recovery, it too has a umask of 077. This umask is overly restrictive and can cause problems for scripts relying on minzip to extract binaries directly into the target filesystem. Any directories updated by minzip will have their permissions reset to r-x------ and created files will have similarly restrictive permissions. As it seems unlikely this security measure was intended to have this side effect on legacy sideloads that do not have chmods to repair the damage done by minzip, this change reverts the umask to 022 in the fork made for update-binary. Change-Id: Ib1a3fc83aa4ecc7480b5d0c00f3c7d0d040d4887
* recovery: install packages in a known mount environmentDoug Zongker2013-08-211-5/+10
| | | | | | | | | | | When installing a package, we should have /tmp and /cache mounted and nothing else. Ensure this is true by explicitly mounting them and unmounting everything else as the first step of every install. Also fix an error in the progress bar that crops up when you do multiple package installs in one instance of recovery. Change-Id: I4837ed707cb419ddd3d9f6188b6355ba1bcfe2b2
* recovery: move log output to stdoutDoug Zongker2013-07-091-0/+1
| | | | | | | | Recovery currently has a random mix of messages printed to stdout and messages printed to stderr, which can make logs hard to read. Move everything to stdout. Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
* verifier: update to support certificates using SHA-256Doug Zongker2013-04-101-1/+1
| | | | Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e
* move key loading to verifier codeDoug Zongker2012-11-021-100/+0
| | | | | | | Add an option to verifier_test to load keys from a file, the way the recovery does. Change-Id: Icba0e391164f2c1a9fefeab4b0bcb878e91d17b4
* add simple text to recovery UIDoug Zongker2012-08-231-1/+1
| | | | | | | | | | | | | | | - recovery takes a --locale argument, which will be passed by the main system - the locale is saved in cache, in case the --locale argument is missing (eg, when recovery is started from fastboot) - we include images that have prerendered text for many locales - we split the background states into four (installing update, erasing, no command, error) so that appropriate text can be shown. Change-Id: I731b8108e83d5ccc09a4aacfc1dbf7e86b397aaf
* support version 2 (2048-bit e=65537) keys in recoveryDoug Zongker2012-07-251-1/+25
| | | | Change-Id: I9849c69777d513bb12926c8c622d1c12d2da568a
* minor recovery changesDoug Zongker2012-04-121-0/+2
| | | | | | | | | | | | - add the --just_exit option to make recovery exit normally without doing anything - make it possible to build updater extensions in C++ - add the clear_display command so that the updater binary can request recovery switch to the NONE background UI These are all used to support the notion of using OTA as a factory reflash mechanism. Change-Id: Ib00d1cbf540feff38f52a61a2cf198915b48488c
* refactor ui functions into a classDoug Zongker2011-10-291-14/+20
| | | | | | | | | | | Move all the functions in ui.c to be members of a ScreenRecoveryUI class, which is a subclass of an abstract RecoveryUI class. Recovery then creates a global singleton instance of this class and then invoke the methods to drive the UI. We use this to allow substitution of a different RecoveryUI implementation for devices with radically different form factors (eg, that don't have a screen). Change-Id: I7fd8b2949d0db5a3f47c52978bca183966c86f33
* turn recovery into a C++ binaryDoug Zongker2011-10-281-0/+314
Change-Id: I68a67a4c8edec9a74463b3d4766005ce27b51316