| Commit message (Collapse) | Author | Files | Lines |
|
receive_new_data may exit too early if the zip processor has sent all
the raw data. As a result, the last few 'new' commands will fail even
though the brotli decoder has more output in its buffer.
Restruct the code so that 'NewThreadInfo' owns the decoder state solely;
and receive_brotli_new_data is responsible for the decompression.
Also reduce the test data size to 100 blocks to avoid the test timeout.
Bug: 63802629
Test: recovery_component_test. on bullhead, apply full updates with and
w/o brotli compressed entries, apply an incremental update.
Change-Id: Id429b2c2f31951897961525609fa12c3657216b7
(cherry picked from commit 6ed175d5412deeaec9691f85757e45452407b8e3)
|
|
This file no longer exists:
- /file_contexts has been split into plat_file_contexts and
nonplat_file_contexts since commit
b236eb6ca204cefcb926e19bd5682f9dcad4021d (system/sepolicy).
- It was named /file_contexts.bin prior to the split.
'-S file_contexts' is also no longer required by e2fsdroid, since commit
2fff6fb036cbbb6dedd7da3d208b312a9038a5ce (external/e2fsprogs). It will
load the file contexts via libselinux.
Test: Trigger the path by performing a data wipe for converting to FBE.
Change-Id: I179939da409e5c0415ae0ea0bf5ddb23f9e6331e
|
|
Add a new writer that can decode the brotli-compressed system/vendor
new data stored in the OTA zip.
Brotli generally gives better compression rate at the cost of slightly
increased time consumption. The patch.dat is already compressed
by BZ; so there's no point to further compress it.
For the given 1.9G bullhead system image:
Size: 875M -> 787M; ~10% reduction of package size.
Time: 147s -> 153s; ~4% increase of the block_image_update execution time.
(I guess I/O takes much longer time than decompression.)
Also it takes 4 minutes to compress the system image on my local
machine, 3 more minutes than zip.
Test: recovery tests pass && apply a full OTA with brotli compressed
system/vendor.new.dat on bullhead
Change-Id: I232335ebf662a9c55579ca073ad45265700a621e
|
|
Execute mke2fs to create empty ext4 filesystem.
Execute e2fsdroid to add files to filesystem.
Test: enter recovery mode and wipe data
Bug: 35219933
Change-Id: I10a9f4c1f4754ad864b2df45b1f879180ab33876
Merged-In: I10a9f4c1f4754ad864b2df45b1f879180ab33876
|
|
Execute mke2fs to create empty ext4 filesystem.
Execute e2fsdroid to add files to filesystem.
Test: enter recovery mode and wipe data
Bug: 35219933
Change-Id: I10a9f4c1f4754ad864b2df45b1f879180ab33876
|
|
Fixed by Loading the file_contexts specified in libselinux, whereas
previously recovery loaded /file_contexts which no longer exists.
Bug: 62587423
Test: build and flash recovery on Angler. Warning is gone.
Test: Wipe data and cache.
Test: sideload OTA
Change-Id: I11581c878b860ac5f412e6e8e7acde811f37870f
(cherry picked from commit 2330dd8733ce0b207058e3003a3b1efebc022394)
|
|
Fixed by Loading the file_contexts specified in libselinux, whereas
previously recovery loaded /file_contexts which no longer exists.
Bug: 62587423
Test: build and flash recovery on Angler. Warning is gone.
Test: Wipe data and cache.
Test: sideload OTA
Change-Id: I11581c878b860ac5f412e6e8e7acde811f37870f
|
|
We have seen one case when bspatch failed likely due to patch
corruption. Since the package has passed verification before, we want
to reboot and retry the patch command again since there's no
alternative for users.
We won't delete the stash before reboot, and the src has passed SHA1
check. If there's an error on the patch, it will fail the package
verification during retry.
Bug: 37855643
Test: angler reboots and retries the update when bspatch fails.
Change-Id: I2ebac9621bd1f0649bb301b9a28a0dd079ed4e1d
|
|
It's only used by file-based OTA which has been deprecated for O.
Test: mma
Change-Id: I439c93155ca94554d827142c99aa6c0845cc7561
|
|
Commit adeb41a8c0da3122a2907acb4aafd7ff9bce26af has switched the
argument for recovery. This CL handles the case for updater.
Note that there's a chance the updater may run against the old
recovery (and f2fs 1.4.1 binary). Not sending a 0-sector argument to
f2fs 1.4.1 also works.
Bug: 37758867
Test: Make an OTA package that calls format f2fs, with mkfs.f2fs 1.8.0
and 1.4.1 binaries respectively.
Change-Id: I4d4bbe8c57544d1c514b7aa37fbf22a0aab14e2c
|
|
We didn't report error/cause codes unless there's an explict "Abort()"
call inside the updater script. As a result, some cause codes set by
ErrorAbort() didn't show up in last_install.
To fix the issue, add a default error code when the script terminates
abnormally (i.e. with non zero status).
Bug: 37912405
Test: error/cause code shows up in last_install when argument parsing fails
Change-Id: Ic6d3bd1855b853aeaa0760071e593a00cf6f0209
|
|
Test: recovery_component_test
Test: recovery_unit_test
Test: Apply an OTA on angler.
Change-Id: I7170f03e4ce1fe06184ca1d7bcce0a695f33ac4d
|
|
Bug: 37401320
Test: build and push OTA and hit adb reboot recovery,quiescent. The screen should remain off throughout the upgrade process.
(cherry picked from commit 8706a98aa635236a95795f0a0c122bb3e591a50d)
Change-Id: I79789a151f6faafda8ecc6198c2182cc2a91da70
|
|
Bug: 37401320
Test: build and push OTA and hit adb reboot recovery,quiescent. The screen should remain off throughout the upgrade process.
Change-Id: Ibed3795c09e26c4fa73684d40b94e40c78394d3f
|
|
Right now the update stuck in a deadlock if there's less new data than
expection. Add some checkers and abort the update if such case happens.
Also add a corresponding test.
Bug: 36787146
Test: update aborts correctly on bullhead && recovery_component_test passes
Change-Id: I914e4a2a4cf157b99ef2fc65bd21c6981e38ca47
|
|
This CL makes the following changes to RangeSet:
- Uses std::pair<size_t, size_t> to represent a Range;
- Uses std::vector<Range> to represent a RangeSet;
- Provides const iterators (forward and reverse);
- Provides const accessor;
- 'blocks()' returns the number of blocks (formerly 'size');
- 'size()' returns the number of Range's (formerly 'count').
Test: recovery_unit_test
Test: Apply an incremental update with the new updater.
Change-Id: Ia1fbb343370a152e1f7aa050cf914c2da09b1396
|
|
We don't need to take raw pointers out of the parsed arguments.
std::unique_ptr handles the dereferencing automatically.
Test: mmma bootable/recovery
Change-Id: I1beabf6e04dc350bdad7b36cee5fb345c82b28f2
|
|
Also move RangeSet into a header file to make it testable, and add unit
tests.
In RangeSet::Parse() (the former parse_range()), use libbase logging to
do assertions. This has the same effect as the previous
exit(EXIT_FAILURE) to terminate the updater process and abort an update.
The difference lies in the exit status code (i.e. WEXITSTATUS(status) in
install.cpp), which changes from 1 (i.e. EXIT_FAILURE) to 0.
Test: recovery_unit_test
Test: Apply an incremental update with the new updater.
Change-Id: Ie8393c78b0d8ae0fd5f0ca0646d871308d71fff0
|
|
LOG(INFO) already appends a newline. Don't print redundant newline.
Test: No extra blank lines when calling ui_print(). And on-screen UI
shows the same.
Change-Id: I74e9a8504a7146a6cb3dae02fe2406d0dd54069b
|
|
Then rename RangeSinkState to RangeSinkWriter. RangeSinkWriter reads
data from the given FD, and writes them to the desination RangeSet.
Test: Apply an incremental with the new updater.
Change-Id: I5e3ab6fc082efa1726562c55b56e2d418fe4acaf
|
|
Test: mmma bootable/recovery system/update_engine
Test: recovery_component_test
Change-Id: I93c2caa87bf94a53509bb37f98f2c02bcadb6f5c
|
|
Mostly for applypatch family APIs like ApplyBSDiffPatch() and
ApplyImagePatch(). Changing to size_t doesn't indicate they would
necessarily work with very large size_t (e.g. > ssize_t), just
similar to write(2). But otherwise accepting negative length doesn't
make much sense.
Also change the return type of SinkFn from ssize_t to size_t. Callers
tell a successful sink by comparing the number of written bytes against
the desired value. Negative return values like -1 are not needed. This
also makes it consistent with bsdiff::bspatch interface.
Test: recovery_component_test
Test: Apply an incremental with the new updater.
Change-Id: I7ff1615203a5c9854134f75d019e266f4ea6e714
|
|
Rename to LoadSourceBlocks() by moving the target blocks parsing part
into the caller. This allows detecting whether the target blocks have
already had the expected data before loading the source blocks. It
doesn't affect anything when applying an update package for the first
time, but it skips loading the unneeded source blocks when resuming an
update. It additionally avoids unnecessarily dumping the "corrupt"
source/stash blocks when resuming an update.
Bug: 33694730
Test: Apply an incremental update with the new updater.
Test: Resume an incremental update with the new updater.
Change-Id: I794fd0d1045be7b3b7f8619285dc0dade01398d0
|
|
Clean up a few functions that take CommandParameters& as the first
parameter. We don't need to take duplicate arguments if they always come
from CommandParameters. This redundancy came from the point we replaced
strtok()s (commit baad2d454dc07ce916442987a2908a93fe6ae298).
Test: Apply an incremental update with the new updater.
Change-Id: I2912b8ce6bc7580bf7f566e125f12270e679e155
|
|
The script support for BBOTA v1 and v2 has been dropped in commit
8fad03e7712082eb880ffaaffb69eb13252ce220 (platform/build).
Bug: 33694730
Test: Apply an incremental with the new updater.
Test: recovery_component_test
Change-Id: I038b1bf8d10f030cab8ec0aa6ee565c5a9545dfd
|
|
In c++ code would be cleaner to use
c++ retinterpret cast instead of old
c-style notation
Change-Id: Ibeef5e0c374addf108c0a8876a6be45063d8e396
|
|
As of C++ specification size_type erase( const key_type& key );
removes the element (if one exists). There is no need to perform
the check twice.
Change-Id: I4b057c08526abc7c2a483a60f9e166e4d8f56a74
|
|
Scanf expectation is to have same type
of pointer to store parsed value and
modifier in format string
|
|
It's valid to provide only 1 argument to apply_patch_check(). We
shouldn't fail the argument parsing.
Bug: 36541737
Test: recovery_component_test passes.
Test: recovery_component_test captures the failure without the fix.
Test: The previously failed update applies successfully.
Change-Id: Iee4c54ed33b877fc4885945b085341ec5c64f663
|
|
And switch them to std::vector & std::unique_ptr
Bug: 32117870
Test: recovery tests passed on sailfish
Change-Id: I5a45951c4bdf895be311d6d760e52e7a1b0798c3
|
|
Our updater created the stashes with root permission. This causes an
access denial when the RecoverySystem service tries to clean up these
blocks after a failing update. As a result, the subsequent OTA updates
may fail due to insufficient cache space.
Bug: 36457133
Test: stashed blocks cleaned successfully after reboot
Change-Id: If0ca99638cdfa1033646f29d9cc92b5ff1bacac1
|
|
Since this was putting the intermediate file in obj/PACKAGING, every
installclean was removing it and triggering updater to rebuild. Instead,
use the standard generated-sources-dir. The dep file can also be removed
now that ninja will re-run the generator if the command line changes.
Test: m -j updater; m installclean; m -j updater
Test: Only change to aosp_fugu updater before/after is the debug info
Change-Id: I20928bd2049d4a3d4e21f83fd64d16cfdc541958
|
|
This reverts commit 90eff6a340f9983792d700df3b1ea0203aced207.
Also fix the bug where stashed blocks are not freed.
Bug: 21124445
Test: Previous failed update succeeded on bullhead
Change-Id: I23d232331a2beb51b6dcc82c957c87bc247d0268
|
|
Test: Apply an incremental BBOTA package with the new updater.
Test: Resume an interrupted BBOTA (so it cleans up the partial stash).
Change-Id: I620cc57ee6366845bcffbc19210f7a01e2196052
|
|
This reverts commit bb0cd75a0e1f6760bdf96bd141f3a546ffa45fbc.
Broke the 'free' command that deletes a stash.
Bug: 36242722
Test: The previously failed incremental applies successfully.
Change-Id: I1237cb0a33adfbeea57e0465b629704862ba13aa
|
|
It will be helpful for debug if we know which blocks are corrupted after
a verification failure. This CL prints the SHA-1 for each source block
in a transfer command if these blocks don't have an expected hash. And
along with the correct SHA-1, we will catch the corrupted blocks.
Bug: 21124445
Test: Printed the mismatched SHA-1 for bullhead during an update.
Change-Id: I683d4bdaf9a335035045b3f532b3a265b2fcbbfc
|
|
This CL removes the updater support for delete(), symlink(), rename(),
set_metadata() and set_metadata_recursive(). Such functions have been
removed from the generation script in commit
f388104eaacd05cfa075d6478369e1d0df5ddbf3 (platform/build).
Note: This CL also removes delete_recursive() which seems to have never
been supported in generation script.
Bug: 35853185
Test: recovery_component_test passes.
Change-Id: I51e1ec946fa73761118fa1eaa082423df6d588e9
|
|
-1 is not a valid exit status.
Also replace a few exit(1) with exit(EXIT_FAILURE).
Test: mmma bootable/recovery
Change-Id: I4596c8328b770bf95acccc06a4401bd5cabd4bfd
|
|
Now ApplyBSDiffPatch() will stream the output to sink as we go instead
of sinking everything at the end.
Test: recovery_host_test
Bug: 26982501
Change-Id: I05b6ed40d45e4b1b19ae72784cf705b731b976e3
|
|
Bug: 34220783
Test: make checkbuild
Change-Id: Iceea20e440a4bb6a3b254486a65a86401a2241ef
|
|
Currently the ui_print command between the recovery and updater doesn't
append newline. Updater has to send an extra "ui_print" command without
any argument to get the line break. This looks unnecessary. And not all
the callers (including the ones in bootable/recovery) are following this
protocol when sending the ui_print command.
This CL simplifies the protocol to always print with a newline for
ui_print command. When updating from an old recovery with the new
updater, all the ui_print'd strings would appear in one line as a side
effect. But a) it would only affect the text-mode UI, which won't be
shown to users; b) log files won't be affected.
Bug: 32305035
Test: Apply an update with the new updater on top of an old and new
recovery image respectively.
Change-Id: I305a0ffc6f180daf60919cf99d24d1495d68749b
|
|
Bug: 34220783
Change-Id: I358f931f0b29f5bd526e1475180e477e2e90b936
|
|
Bug: 34220783
Change-Id: I34ccc3b11da0d1b48805967ad75b9ddade569930
|
|
We could inject I/O faults during an OTA update for test purpose. But we
should skip the injection if the update is an retry. Otherwise the
update test will simply keeps failing.
Bug: 34159970
Test: Apply the same package on angler and the update succeeds on the 2nd try.
Change-Id: Id274e5475e3bc8d25d50a8cf61a77d2e32c569d6
|
|
Returning the parsed RangeSet directly (as opposed to using some pointer
parameter) to make the code cleaner.
Test: Apply an incremental with the new updater.
Change-Id: I8c99e701f189eb6a3eacc0d647e5a3a85fbeb3eb
|
|
Change the stash size computation from int to size_t.
Test: Apply an incremental BBOTA with the new updater.
Change-Id: Ib45b71b826fec6aa0ffafc67c17735825634eae0
|
|
We should include "bootloader_message/bootloader_message.h" now.
Test: m updater
Change-Id: I65b22a8a0bcc5976ff1ba827bd30b46ee9d59c53
|
|
Shift operator ("<<") has a higher precedence level than ternary
operator ("?").
Test: BBOTA update log says "performing update" as opposed to
"performing 0".
Change-Id: I0cf60cbfc11415e94f1f9f6effe75f14d13a1874
|
|
Commit 81e54eddd4132895d70ab8b2307c693311799e05 introduced the
inconsistency when resolving the merge conflict into master.
Test: mmma bootable/recovery
Change-Id: I43b7ec76a7eee000708cdca60bd372173e1fac2f
|
|
Test: Build an updater into a package and apply it on device.
Change-Id: I289b5768e9b1e44ef78e0479c64dbaa36fb1a685
|
|
We should always use unique_fd or unique_file to hold the FD or FILE*
pointer when opening via ota_(f)open functions.
This CL avoids accidentally closing raw FDs or FILE* pointers that are
managed by unique_fd/unique_file.
Test: recovery_component_test passes.
Change-Id: If58eb8b5c5da507563f85efd5d56276472a1c957
|
|
Add read_bootloader_message_from() and write_bootloader_message_to() to
allow specifying the BCB device (/misc).
Also add testcases for set_stage() and get_stage().
Test: recovery_component_test passes.
Test: Build a recovery image and apply a two-step OTA package.
Change-Id: If5ab06a1aaaea168d2a9e5dd63c07c0a3190e4ae
|
|
Test: recovery_component_test passes.
Change-Id: I3af4707bc42c7331ca961be8b967a53de82ea25b
|
|
write_value(value, filename) writes 'value' to 'filename'. It can be
used to tune device settings when applying an OTA package. For example,
write_value("960000", "/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq").
Bug: 32463933
Test: recovery_component_test passes.
Test: Apply an OTA package that contains a call to write_value(), and
check the result.
Change-Id: Ib009ecb8a45a94353f10c59e2383fe1f49796e35
(cherry picked from commit d0f3088aa95e255b39ed4b83da6b08866c2c3e0c)
|
|
write_value(value, filename) writes 'value' to 'filename'. It can be
used to tune device settings when applying an OTA package. For example,
write_value("960000", "/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq").
Bug: 32463933
Test: recovery_component_test passes.
Test: Apply an OTA package that contains a call to write_value(), and
check the result.
Change-Id: Ib009ecb8a45a94353f10c59e2383fe1f49796e35
|
|
'bool success = ExtractEntryToFile()' gives opposite result. Fix the
issue and add testcases.
Change the one-argument version of package_extract_file() to explicitly
abort for non-existent zip entry. Note that this is NOT changing the
behavior. Prior to this CL, it aborts from Evaluate() function, by
giving a general cause code. Now it returns kPackageExtractFileFailure.
BUg: 32903624
Test: recovery_component_test works.
Change-Id: I7a273e9c0d9aaaf8c472b2c778f7b8d90362c24f
(cherry picked from commit ef0eb3b01b66fbbc97908667a3dd1e02d710cbb7)
|
|
'bool success = ExtractEntryToFile()' gives opposite result. Fix the
issue and add testcases.
Change the one-argument version of package_extract_file() to explicitly
abort for non-existent zip entry. Note that this is NOT changing the
behavior. Prior to this CL, it aborts from Evaluate() function, by
giving a general cause code. Now it returns kPackageExtractFileFailure.
BUg: 32903624
Test: recovery_component_test works.
Change-Id: I7a273e9c0d9aaaf8c472b2c778f7b8d90362c24f
|
|
Clean up SymlinkFn() a bit. Also clean up the temp files created when
running the tests; otherwise non-empty TemporaryDir won't be removed.
Test: recovery_component_test passes.
Change-Id: Id3844abebd168c40125c4dcec54e6ef680a83c3a
|
|
Switch to use const std::string; and add corresponding tests.
Bug: 32649858
Test: Component tests pass
Change-Id: I640f3ec81f1481fa91aa310f8d4d96dac9649cb9
|
|
Test: recovery_component_test passes.
Change-Id: Iba5a0fdf6c79e2bed6b30b8fc19a306c1ab29d8a
|
|
Also add a testcase for delete() function.
Test: recovery_component_test passes.
Change-Id: I064d1ad4693c3ed339d0a69eabadd08a61a2ea86
|
|
Also add a testcase for file_getprop().
Test: recovery_component_test passes.
Change-Id: I8eb2f9a5702b43997ac9f4b29665eea087b1c146
|
|
ReadArgs will switch to using std::string and std::unique_ptr. Also
cleanup the callers.
Test: mma & component test passed.
Change-Id: I4724406ae6c0c134a27bbd1cdd24ad5d343b2a3b
|
|
Test: Unit tests and install-recovery.sh pass on angler and dragon.
Change-Id: I328e6554edca667cf850f5584ebf1ac211e3d4d1
|
|
Clean up the duplicated codes that handle the zip files in
bootable/recovery; and rename the library of the remaining
utility functions to libotautil.
Test: Update package installed successfully on angler.
Bug: 19472796
Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e
|
|
Changing the field of 'Value' in edify to std::string from char*.
Meanwhile cleaning up the users of 'Value' and switching them to
cpp style.
Test: compontent tests passed.
Bug: 31713288
Change-Id: Iec5a7d601b1e4ca40935bf1c70d325dafecec235
|
|
- Remove dead declarations in expr.h: SetError(), GetError(),
ClearError().
- Remove the declaration of Build() out of expr.h.
- Use std::unordered_map to implement RegisterFunction() and
FindFunction(); kill FinishRegistration().
- Add a testcase for calling unknown functions.
Test: mmma bootable/recovery; recovery_component_test passes.
Change-Id: I9af6825ae677f92b22d716a4a5682f58522af03b
|
|
Also add a testcase for sha1_check().
Test: mmma bootable/recovery; recovery_component_test passes.
Change-Id: I4d06d551a771aec84e460148544f68b247a7e721
|
|
So that we can write native tests for updater functions. This CL adds a
testcase for getprop() function.
Test: mmma bootable/recovery; Run recovery_component_test on device.
Change-Id: Iff4c1ff63c5c71aded2f9686fed6b71cc298c228
|
|
Test: `mmma bootable/recovery`
Change-Id: I70ccddb3ddf46bb012fdc5f632afc46ebdd5473e
|
|
Test: `mmma bootable/recovery`
Change-Id: I70ccddb3ddf46bb012fdc5f632afc46ebdd5473e
(cherry picked from commit 3cbe1d20978dc488272e2b1ba10890a006fdfab9)
|
|
This way we kill a few strdup() and free() calls.
Test: 1. recovery_component_test still passes;
2. Applying an update with the new updater works;
3. The error code in a script with abort("E310: xyz") is recorded into
last_install correctly.
Change-Id: Ibda4da5937346e058a0d7cc81764d6f02920010a
(cherry picked from commit 59dcb9cbea8fb70ab933fd10d35582b08cd13f37)
|
|
This way we kill a few strdup() and free() calls.
Test: 1. recovery_component_test still passes;
2. Applying an update with the new updater works;
3. The error code in a script with abort("E310: xyz") is recorded into
last_install correctly.
Change-Id: Ibda4da5937346e058a0d7cc81764d6f02920010a
|
|
Also remove the 0xff comparison when validating the bootloader
message fields. As the fields won't be erased to 0xff after we
remove the MTD support.
Bug: 28202046
Test: The recovery folder compiles for aosp_x86-eng
Change-Id: Ibb30ea1b2b28676fb08c7e92a1e5f7b6ef3247ab
(cherry picked from commit 7aa88748f6ec4e53333d1a15747bc44826ccc410)
|
|
Also remove the 0xff comparison when validating the bootloader
message fields. As the fields won't be erased to 0xff after we
remove the MTD support.
Bug: 28202046
Test: The recovery folder compiles for aosp_x86-eng
Change-Id: Ibb30ea1b2b28676fb08c7e92a1e5f7b6ef3247ab
|
|
Bug: http://b/23102347
Test: boot into recovery.
Change-Id: Ib2ca560f1312961c21fbaa294bb068de19cb883e
Merged-In: Ib2ca560f1312961c21fbaa294bb068de19cb883e
|
|
Bug: http://b/23102347
Test: boot into recovery.
Change-Id: Ib2ca560f1312961c21fbaa294bb068de19cb883e
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
(cherry picked from commit 747781433fb01f745529c7e9dd97c5599070ad0d)
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
|
|
We might end up in an infinite loop if read(2) reached EOF unexpectedly.
The problematic code in uncrypt mentioned in the bug has been fixed
by switching to libbase ReadFully(). So I grepped through the recovery
code and fixed some other occurences of the issue.
Bug: 31073201
Change-Id: Ib867029158ba23363b8f85d61c25058a635c5a6b
|
|
Bug: http://b/30708454
Change-Id: I7a5048beff1d8b783a9683dcb4a79606a77f20ee
|
|
Was accidentally broken by the CL in [1].
[1]: commit d6c93afcc28cc65217ba65eeb646009c4f15a2ad
Bug: 29767315
Change-Id: I851e13ccea6f5be6fcd47f712cc95867245f9934
(cherry picked from commit efacd80364c7ed42d56310949790d89febaf3444)
|
|
And move off the bionic __nonnull macro, which I'm removing.
Change-Id: I40b4424f4fd7bd8076e0eee3ec35de36c3ded8de
|
|
Check the results from applypatch in PerformCommandDiff; and abort the
update on failure.
Bug:29339536
Change-Id: I5087d79ba532b54250f4c17560524255c8a4fabc
|
|
Was accidentally broken by the CL in [1].
[1]: commit d6c93afcc28cc65217ba65eeb646009c4f15a2ad
Change-Id: I851e13ccea6f5be6fcd47f712cc95867245f9934
|
|
Bug: http://b/29250988
Change-Id: Ia97ba9082a165c37f74d6e1c3f71a367adc59945
|
|
If the update is a retry, ioctl(BLKDISCARD) the destination blocks before
writing to these blocks.
Bug: 28990135
Change-Id: I1e703808e68ebb1292cd66afd76be8fd6946ee59
|
|
Fix a typo for ota_fclose().
Change-Id: Ia93e911aa5391afc604874fc3a09c5a45c094c80
|
|
Write error code, cause code, and retry count into last_install. So we
can have more information about the reason of a failed OTA.
Example of new last_install:
@/cache/recovery/block.map package name
0 install result
retry: 1 retry count (new)
error: 30 error code (new)
cause: 12 error cause (new)
Details in:
go/android-ota-errorcode
Bug: 28471955
Change-Id: I00e7153c821e7355c1be81a86c7f228108f3dc37
|
|
One example of last_install is:
/sideload/package.zip
1
time_total: 101
bytes_written_system: 14574000
bytes_stashed_system: 100
bytes_written_vendor: 5107400
bytes_stashed_vendor: 0
Bug: 28658632
Change-Id: I4bf79ea71a609068d38fbce6b41bcb892524aa7a
|
|
Remove O_SYNC from mzExtractRecursive() and PackageExtractFileFn().
These functions deal with extracting whole files from the update
package onto a filesystem. If run on ext4 on a rotating disk, for
example, the O_SYNC flag will cause serious performance problems
and the extraction proecss can take over 30 minutes, with no
obvious benefits.
This API function already calls fsync(fd) after each file is
extracted to ensure data and metadata is written to the underlying
block device, so the O_SYNC calls should be superfluous and safely
removable.
This change does not affect the OTA patch paths or any modification
of the bootloader partition or writes to other 'emmc' partitions.
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
Change-Id: I9cbb98a98e6278bf5c0d7efaae340773d1fbfcd2
|
|
Bug: 28341362
Change-Id: I5b35ae16c069e7e9229e66963386f322bd808af1
|
|
[1] switched a few things to android::base::unique_fd including
CommandParameters.fd. However, we were using memset(3) to zero out the
struct, which effectively assigned unique_fd(0) to fd. When it called
fd.reset(), file descriptor 0 was unintentionally closed. When FD 0 was
later reassigned via open(2), it led to lseek(2) errors: "Bad file
descriptor".
This CL switches to using braced-init (i.e. '= {}') instead, so that the
default constructor unique_fd(-1) would be called.
[1]: commit bcabd0929316fdd022ea102cc86396547ad9f070
Bug: 28391985
Change-Id: If1f99932b15552714c399e65c8b80550344b758a
|
|
Bug: 28220065
Change-Id: Ida199c66692a1638be6990d583d2ed42583fb592
|
|
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
|
|
Bug: http://b/27764900
Change-Id: Ib62a59edcb13054f40f514c404d32b87b14ed5f1
|
|
Change-Id: I13ba3f40bd52b5f3e3fe9002a45a9a8630040129
|
|
Currently block_image_verify() stashes source blocks to /cache and
in some case triggers I/O errors. To avoid this risk, We create
a map from the hash value to the source blocks' range_set. When
executing stash command in verify mode, source range is saved but block
contents aren't stashed. And load_stash could get its value from
either the stashed file from the previous update, or the contents on
the source partition specified by the saved range.
Bug: 27584487
Bug: 25633753
Change-Id: I775baf4bee55762b6e7b204f8294afc597afd996
(cherry picked from commit 0188935d55206e8c2becb29e995f166cb7040355)
|
|
Currently block_image_verify() stashes source blocks to /cache and
in some case triggers I/O errors. To avoid this risk, We create
a map from the hash value to the source blocks' range_set. When
executing stash command in verify mode, source range is saved but block
contents aren't stashed. And load_stash could get its value from
either the stashed file from the previous update, or the contents on
the source partition specified by the saved range.
Bug: 27584487
Bug: 25633753
Change-Id: I775baf4bee55762b6e7b204f8294afc597afd996
|
|
Bug: 27724259
Change-Id: I65bdefed10b3fb85fcb9e1147eaf0687d7d438f4
|
|
This reverts commit f73abf36bcfd433a3fdd1664a77e8e531346c1b1.
Bug: 27724259
Change-Id: I1301fdad15650837d0b1febd0c3239134e2b94fb
|
|
Bug: 26570379
Change-Id: I76109d09276d6e3ed3a32b6fedafb2582f545c0c
|
|
Cherry pick this patch because it fixes the problem that
a newed Value is released by free().
Bug: 26906416
Change-Id: Ib53b445cd415a1ed5e95733fbc4073f9ef4dbc43
(cherry picked from commit d6c93afcc28cc65217ba65eeb646009c4f15a2ad)
|
|
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.
Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
(cherry picked from commit 3c62b67faf8a25f1dd1c44dc19759c3997fdfd36)
|
|
If two libraries both use LOCAL_WHOLE_STATIC_LIBRARIES and include a same
library, there would be linking errors when generating a shared library
(or executable) that depends on the two libraries both.
Also clean up Android.mk files.
Remove the "LOCAL_MODULE_TAGS := eng" line for the updater module. The
module will then default to "optional" which won't be built until needed.
Change-Id: I3ec227109b8aa744b7568e7f82f575aae3fe0e6f
|
|
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.
Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
|
|
Bug: 26570379
Change-Id: I76109d09276d6e3ed3a32b6fedafb2582f545c0c
(cherry picked from commit d940887dde23597dc358b16d96ca48dd7480fee6)
|
|
Bug: 26570379
Change-Id: I76109d09276d6e3ed3a32b6fedafb2582f545c0c
|
|
Bug: 26960931
Change-Id: Ieae45caccfb4728fcf514f0d920976585d8e6caf
|
|
Bug: 26906416
Change-Id: Ib53b445cd415a1ed5e95733fbc4073f9ef4dbc43
|
|
Bug: 25951086
Change-Id: I31c74c735eb7a975b7f41fe2b2eff042e5699c0c
(cherry-picked from commit f1fc48c6e62cfee42d25ad12f443e22d50c15d0b)
|
|
Bug: 26907377
Change-Id: I384c0131322b2d12f0ef489735e70e86819846a4
|
|
Bug: 18790686
Change-Id: I7d2136fb39b2266f5ae5be24819c617b08a6c21e
|
|
Add and register a function to check if the device has been remounted
since last update during incremental OTA. This function reads block 0
and executes before partition recovery for version >= 4.
Bug: 21124327
Change-Id: I8b915b9f1d4736b3609daa9d16bd123225be357f
(cherry picked from commit 30bf4765593e639966df9f460df22c3fe912e7bf)
|
|
Bug: 25951086
Change-Id: I31c74c735eb7a975b7f41fe2b2eff042e5699c0c
|
|
Add and register a function to check if the device has been remounted
since last update during incremental OTA. This function reads block 0
and executes before partition recovery for version >= 4.
Bug: 21124327
Change-Id: I8b915b9f1d4736b3609daa9d16bd123225be357f
|
|
We are already using O_SYNC and fsync() for the recursive case
(package_extract_dir()). Make it consistent for the single-file case.
Bug: 20625549
Change-Id: I487736fe5a0647dd4a2428845e76bf642e0f0dff
|
|
Output messages in log when recovery is attempted or succeeded during
incremental OTA update.
Change-Id: I4033df7ae3aaecbc61921d5337eda26f79164fda
(cherry picked from commit b686ba211443490111729ba9d82eb0c0b305e185)
|
|
Output messages in log when recovery is attempted or succeeded during
incremental OTA update.
Change-Id: I4033df7ae3aaecbc61921d5337eda26f79164fda
|
|
Change-Id: I36346fa199a3261da1ae1bc310b3557fe1716d96
|
|
Change-Id: I354a8c424d340a9abe21fd716a4ee0d3b177d86f
|
|
Change-Id: Ibe3173edd6274b61bd9ca5ec394d7f6b4a403639
(cherry picked from commit 1b1ea17d554d127a970afe1d6004dd4627cd596e)
|
|
Mostly trivial changes to make cpp compiler happy.
Change-Id: I69bd1d96fcccf506007f6144faf37e11cfba1270
(cherry picked from commit ba9a42aa7e10686de186636fe9fecbf8c4cc7c19)
|
|
Only trusted input is passed to parse_range, but check for invalid
input to catch possible problems in transfer lists.
Bug: 21033983
Bug: 21034030
Bug: 21034172
Bug: 21034406
Change-Id: I1e266de3de15c99ee596ebdb034419fdfe7eba1f
(cherry picked from commit f2bac04e1ba0a5b79f8adbc35b493923b776f8b2)
|
|
These are already getting libc++, so it isn't necessary. If any of the
other static libraries (such as adb) use new or delete from libc++,
there will be symbol collisions.
Change-Id: I55e43ec60006d3c2403122fa1174bde06f18e09f
(cherry picked from commit e49a9e527a51f43db792263bb60bfc91293848da)
|
|
And a few trival fixes to suppress warnings.
Change-Id: Id28e3581aaca4bda59826afa80c0c1cdfb0442fc
(cherry picked from commit 80e46e08de5f65702fa7f7cd3ef83f905d919bbc)
|
|
To accommodate new changes in N release, such as error correction [1]
and other potential changes to the updater.
[1]: commit 0a7b47397db3648afe6f3aeb2abb175934c2cbca
Change-Id: I4dd44417d07dd0a31729894628635a0aa1659008
|
|
Add block_image_recover function to rewrite corrupted blocks on the
partition. This can be attempted if block_image_verify fails.
Note that we cannot use libfec during block_image_update as it may
overwrite blocks required for error correction. A separate recovery
pass in case the image is corrupted is the only viable option.
Bug: 21893453
Change-Id: I6ff25648fff68d5f50b41a601c95c509d1cc5bce
|
|
We have the last line being empty as a result of
android::base::Split("a\nb\n"), which leads to "missing command"
warnings in the update. Just skip all the empty lines.
Bug: 24373789
Change-Id: I5827e4600bd5cf0418d95477e4592fec47bbd3a9
|
|
Change-Id: Ic769eafc8d9535b1d517d3dcbd398c3fd65cddd9
|
|
Change-Id: I63f28b3b4ba4185c23b972fc8f93517295b1672a
|
|
When processing ui_print commands in the updater, it misses a line break
when printing to the recovery log.
Also clean up uiPrintf() and UIPrintFn() with std::string's.
Change-Id: Ie5dbbfbc40b024929887d3c3ccd3a334249a8c9d
|
|
Change-Id: Ide489e18dd8daf161b612f65b28921b61cdd8d8d
|
|
And inline the call to LoadSrcTgtVersion1() into SaveStash().
Change-Id: Ibf4ef2bfa2cc62df59c4e8de99fd7d8039e71ecf
|
|
Replace C-string with std::string, pointers with references, and
variable-size arrays in struct with std::vector.
Change-Id: I57f361a0e58286cbcd113e9be225981da56721b2
|
|
Change-Id: I6a8d9bea4c1cd8ea7b534682061b90e893b227a2
|
|
There is an integer overflow when the size of system goes beyond the
signed int limits. Hence changing pos to size_t.
Change-Id: I6e5e1b2f0e72030b30a6df09a01642f4c82abc79
|
|
So we can remove a few free()s. And also replace a few pointers with
references.
Change-Id: I4b6332216704f4f9ea4a044b8d4bb7aa42a7ef26
|
|
We need to ensure the renamed filename reaches the underlying storage.
Bug: 22840552
Change-Id: I824b6e9d8a9c5966035be7b42a73678d07376342
(cherry picked from commit dc3922622a94af4f6412fd68e8f075f839ab2348)
|
|
We need to ensure the renamed filename reaches the underlying storage.
Bug: 22840552
Change-Id: Ide2e753a2038691d472b6ee173cbf68ac998a084
|
|
Currently the fsync() inside write_all() may be called multiple times
when performing a command. Move that to the outer loop and call it
only after completing the command.
Also remove the O_SYNC flag when writing a stash.
Change-Id: I71e51d76051a2f7f504eef1aa585d2cb7a000d80
|
|
Change-Id: I18da9e6da64fccab495dc5a96e3efd95cc6d88bf
(cherry picked from commit 1b1ea17d554d127a970afe1d6004dd4627cd596e)
|
|
Change-Id: Ibe3173edd6274b61bd9ca5ec394d7f6b4a403639
|
|
Mostly trivial changes to make cpp compiler happy.
Change-Id: I1b0481465c67c3bbca35a839d0764190d84ff34e
(cherry picked from commit ba9a42aa7e10686de186636fe9fecbf8c4cc7c19)
|
|
Mostly trivial changes to make cpp compiler happy.
Change-Id: I69bd1d96fcccf506007f6144faf37e11cfba1270
|
|
This reverts commit b65f0272c860771f2105668accd175be1ed95ae9.
It slows down the update too much on some devices (e.g. increased
from 8 mins to 40 mins to take a full OTA update).
Bug: 22129621
Change-Id: I016e3b47313e3113f01bb4f8eb3c14856bdc35e5
(cherry picked from commit 7125f9594db027ce4313d940ce2cafac67ae8c31)
|
|
This reverts commit b65f0272c860771f2105668accd175be1ed95ae9.
It slows down the update too much on some devices (e.g. increased
from 8 mins to 40 mins to take a full OTA update).
Bug: 22129621
Change-Id: I4e8d4f6734967caf4f0d19c734027f7b6c107370
|
|
A RangeSet has half-closed half-open bounds. For example, "3,5" contains
blocks 3 and 4. So "3,5" and "5,7" are actually not overlapped.
Bug: 22098085
Change-Id: I362d259f8b5d62478858ad0422b635bc5068698d
(cherry picked from commit c0f56ad76680df555689d4a2397487ef8c16b1a6)
|
|
A RangeSet has half-closed half-open bounds. For example, "3,5" contains
blocks 3 and 4. So "3,5" and "5,7" are actually not overlapped.
Bug: 22098085
Change-Id: I75e54a6506f2a20255d782ee710e889fad2eaf29
|
|
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.
Bug: 20614277
Bug: 20881595
Change-Id: I4f6f2db39db990879ff10468c9db41606497bd6f
(cherry picked from commit a3c75e3ea60d61df93461f5c356befe825c429d2)
|
|
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.
Bug: 20614277
Bug: 20881595
Change-Id: I4f6f2db39db990879ff10468c9db41606497bd6f
|
|
This reverts commit 96392b97f6bf1670d478494fb6df89a3410e53fa.
Change-Id: I77acc27158bad3cd8948390a3955197646a43a31
|
|
This reverts commit 604c583c9dd3d47906b1a57c14a7e9650df7471e.
Change-Id: I2b0b283dc3f44bae55c5e9f7231d7c712630c2b5
|
|
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.
Bug: 20614277
Bug: 20881595
Change-Id: I0280fe115b020dcab35f49041fb55b7f8e793da3
(cherry picked from commit 96392b97f6bf1670d478494fb6df89a3410e53fa)
|
|
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.
Bug: 20614277
Bug: 20881595
Change-Id: I0280fe115b020dcab35f49041fb55b7f8e793da3
|
|
And a few trival fixes to suppress warnings.
Change-Id: I38734b5f4434643e85feab25f4807b46a45d8d65
|
|
Change-Id: I66ae21a25a25fa3c70837bc54a7d406182d4cf37
|
|
Although stdout and stderr are both redirected to log file with no
buffering, we are seeing some outputs are mixed in random order.
This is because ui_print commands from the updater are passed to the
recovery binary via a pipe, which may interleave with other outputs
that go to stderr directly.
In recovery, adding ui::PrintOnScreenOnly() function to handle
ui_print command, which skips printing to stdout. Meanwhile, updater
prints the contents to stderr in addition to piping them to recovery.
Change-Id: Idda93ea940d2e23a0276bb8ead4aa70a3cb97700
|
|
I missed one last time.
Bug: http://b/20501816
Change-Id: I9896ee2704237d61ee169f898680761e946e0a56
(cherry picked from commit b3ac676192a093c561b7f15064cbd67733407b12)
|
|
In the block updater, if BLKDISCARD fails, the error is silently
ignored and some of the blocks may not be erased. This means the
target partition will have inconsistent contents.
If the ioctl fails, return an error and abort the update.
Bug: 20614277
Change-Id: I33867ba9337c514de8ffae59f28584b285324067
(cherry picked from commit cc2428c8181d18c9a88db908fa4eabd2db5601ad)
|
|
I missed one last time.
Bug: http://b/20501816
Change-Id: I9896ee2704237d61ee169f898680761e946e0a56
|
|
In the block updater, if BLKDISCARD fails, the error is silently
ignored and some of the blocks may not be erased. This means the
target partition will have inconsistent contents.
If the ioctl fails, return an error and abort the update.
Bug: 20614277
Change-Id: I33867ba9337c514de8ffae59f28584b285324067
|
|
These are already getting libc++, so it isn't necessary. If any of the
other static libraries (such as adb) use new or delete from libc++,
there will be symbol collisions.
Change-Id: I55e43ec60006d3c2403122fa1174bde06f18e09f
|
|
Bug: http://b/20501816
Change-Id: I35efcd8dcec7a6492ba70602d380d9980cdda31f
(cherry picked from commit b47afedb42866e85b76822736d915afd371ef5f0)
|
|
Bug: http://b/20501816
Change-Id: I35efcd8dcec7a6492ba70602d380d9980cdda31f
|
|
Only trusted input is passed to parse_range, but check for invalid
input to catch possible problems in transfer lists.
Bug: 21033983
Bug: 21034030
Bug: 21034172
Bug: 21034406
Change-Id: Ia17537a2d23d5f701522fbc42ed38924e1ee3366
|
|
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek.
Bug: http://b/20625546
Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b
(cherry picked from commit 7bad7c4646ee8fd8d6e6ed0ffd3ddbb0c1b41a2f)
|
|
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek.
Bug: http://b/20625546
Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b
|
|
When automatically stashing overlapping blocks, should the stash
file already exist due to an explicit stash command, it's not safe
to remove the stash file after the command has completed.
Note that it is safe to assume that the stash file will remain in
place during the execution of the next command, so we don't have
take other measures to preserve overlapping blocks.
The stash file itself will be removed by a free command when it's
no longer needed.
Bug: 20297065
Change-Id: I8ff1a798b94086adff183c5aac03260eb947ae2c
|
|
Change-Id: I7009959043150fabf5853a43ee2448c7fbea176e
|
|
Return NULL to abort the update process. Note that returning ""
won't stop the script.
Change-Id: Ifd108c1356f7c92a905c8776247a8842c6445319
|
|
I've added explanatory comments to mzExtractRecursive because
that function will live on as a utility even after we move the
zip format related logic to libziparchive.
bug: 19472796
Change-Id: Id69db859b9b90c13429134d40ba72c1d7c17aa8e
|
|
I've added explanatory comments to mzExtractRecursive because
that function will live on as a utility even after we move the
zip format related logic to libziparchive.
bug: 19472796
(cherry-picked from commit c9ccdfd7a42de08c47ab771b94dc5b9d1f957b95)
Change-Id: I8b7fb6fa3eafb2e7ac080ef7a7eceb691b252d8a
|
|
warning: format '%lu' expects argument of type 'long unsigned int', but
argument 3 has type 'unsigned int' [-Wformat] sizeof(RangeSet) + num * sizeof(int));
Change-Id: I4a3c6fc8d40c08ea84f8f5ee13f39350e4264027
|
|
Change-Id: I480c02ffedd811f4dda9940ef979a05ff54f1435
Bug: 19410117
|
|
This notice was added for libsyspatch and libxdelta3, but that code
has been removed since.
Change-Id: I4008878ded56ca1d5094a8208728f8c02fe1fe03
|
|
Add support for transfer list version 3, which allows us to
verify the status of each command and resume an interrupted
block based OTA update. Notes on the changes:
- Move the previous BlockImageUpdateFn to a shorter and
reusable PerformBlockImageUpdate, which can be used also
in BlockImageVerifyFn for verification.
- Split individual transfer list commands into separate
functions with unified parameters for clarity, and use
a hash table to locate them during execution.
- Move common block reading and writing to ReadBlocks and
WriteBlocks to reduce code duplication, and rename the
readblock and writeblock to less confusing read_all and
write_all.
The coding style of the new functions follows the existing
style in the updater/edify code.
Needs matching changes from
Ia5c56379f570047f10f0aa7373a1025439495c98
Bug: 18262110
Change-Id: I1e752464134aeb2d396946348e6041acabe13942
|
|
Change-Id: I06ea08400efa511e627be37a4fd70fbdfadea2e6
|
|
When building for 32p, we need to be explicit that we wish to build
the 32bit version of the binaries that will be placed in the recovery
image. The recovery image doesn't actually care... but if we are not
explicit in this, the makefiles will ask for the 64bit binaries but the
Android.mk for the binaries will supply the 32bit images (causing the
build to fail).
Change-Id: Iea2d5f412740c082795da4358765751138a4b167
|
|
This allows tune2fs to be executed from within OTA scripts,
allowing for file system modifications without formatting the
partition
Bug: 18430740
Change-Id: I0c2e05b5ef4a81ecea043e9b7b99b545d18fe5e6
|
|
This allows tune2fs to be executed from within OTA scripts,
allowing for file system modifications without formatting the
partition
Bug: 18430740
Change-Id: I0c2e05b5ef4a81ecea043e9b7b99b545d18fe5e6
|
|
Bug: 18092022
Change-Id: I6c42038ebeb1cfc1e7ca0d3e12310fdce1b990b0
|
|
At the end of the OTA script, we walk through /system, updating
all the permissions on the filesystem, including the UID, GID,
standard UNIX permissions, capabilities, and SELinux labels.
In the case of a symbolic link, however, we want to skip most of
those operations. The UID, GID, UNIX permissions, and capabilities
don't meaningfully apply to symbolic links.
However, that's not true with SELinux labels. The SELinux label on
a symbolic link is important. We need to make sure the label on the
symbolic link is always updated, even if none of the other attributes
are updated.
This change unconditionally updates the SELinux label on the symbolic
link itself. lsetfilecon() is used, so that the link itself is updated,
not what it's pointing to.
In addition, drop the ENOTSUP special case. SELinux has been a
requirement since Android 4.4. Running without filesystem extended
attributes is no longer supported, and we shouldn't even try to handle
non-SELinux updates anymore. (Note: this could be problematic if
these scripts are ever used to produce OTA images for 4.2 devices)
Bug: 18079773
Change-Id: I87f99a1c88fe02bb2914f1884cac23ce1b385f91
|
|
Bug: 18079773
Bug: 18092222
Change-Id: Ifc3f3e123de729dfbb2f49414b3207afa96268d5
|
|
Bug: 18079773
Change-Id: Ic6fddbcbcb6ddb9e1cbd1698df98387c0033ae15
|
|
This should help with reentrant OTAs.
Bug: 18079773
Change-Id: I102fd738e3b450483ecd4471384c12e89fc586e2
|
|
In version 2 of block image diffs, we support a new command to load
data from the image and store it in the "stash table" and then
subsequently use entries in the stash table to fill in missing bits of
source data we're not allowed to read when doing move/bsdiff/imgdiff
commands.
This leads to smaller update packages because we can break cycles in
the ordering of how pieces are updated by storing data away and using
it later, rather than not using the data as input to the patch system
at all. This comes at the cost of the RAM or scratch disk needed to
store the data.
The implementation is backwards compatible; it can still handle the
existing version 1 of the transfer file format.
Change-Id: I4559bfd76d5403859637aeac832f3a5e9e13b63a
|
|
In version 2 of block image diffs, we support a new command to load
data from the image and store it in the "stash table" and then
subsequently use entries in the stash table to fill in missing bits of
source data we're not allowed to read when doing move/bsdiff/imgdiff
commands.
This leads to smaller update packages because we can break cycles in
the ordering of how pieces are updated by storing data away and using
it later, rather than not using the data as input to the patch system
at all. This comes at the cost of the RAM or scratch disk needed to
store the data.
The implementation is backwards compatible; it can still handle the
existing version 1 of the transfer file format.
Change-Id: I7fafe741d86b92d82d46feb2939ecf5a3890dc64
|
|
The comment for the DEBUG_ERASE setting is exactly backwards.
Change-Id: I98ab5828365894217fc78976817a131e7d22d5c1
|
|
Otherwise, overflow problems can occur with images larger than
2G since the offsets will overflow a 32-bit off_t.
Change-Id: I05951a38ebeae83ad2cb938594e8d8adb323e2aa
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Superseded by newer code.
Bug: 16984795
Change-Id: I842299f6a02af7ccf51ef2ca174d813ca53deef1
|
|
Superseded by newer code.
Bug: 16984795
Change-Id: I70c1d29dc03287b06ea909d17f729ec51ccb0344
|
|
The computation of file offsets was overflowing for partitions larger
than 2 GB. The parsing of the transfer file could fail at the end if
the data happened to not be properly null-terminated.
Bug: 16984795
Change-Id: I3ce6eb3e54ab7b55aa9bbed252da5a7eacd3317a
|
|
(Cherry-pick back from master.)
Bug: 16984795
Change-Id: Ifa3d8345c5e2a0be86fb28faa080ca82592a96b4
|
|
Bug: 16984795
Change-Id: I90f958446baed83dec658de2430c8fc5e9c3047e
|
|
These error messages include empty parens after each string
substition. Ill-advised cut and paste, probably.
Bug: 16467401
Change-Id: Ib623172d6228354afdcc2e33442cc53a07f0ecbc
|
|
Sometimes renames will move a file into a directory
that does not yet exist. This will create the
parent directories, using the same symlink logic,
to ensure that there is a valid destination.
Bug: 16458395
Change-Id: Iaa005a12ce800c39f4db20f7c25a2a68cb40a52d
|
|
Sometimes renames will move a file into a directory
that does not yet exist. This will create the
parent directories, using the same symlink logic,
to ensure that there is a valid destination.
Change-Id: Iaa005a12ce800c39f4db20f7c25a2a68cb40a52d
|
|
This adds F2FS support
- for wiping a device
- for the install "format" command.
Note: crypto data in "footer" with a default/negative length
is not supported, unlike with "ext4".
Change-Id: I8d141a0d4d14df9fe84d3b131484e9696fcd8870
Signed-off-by: JP Abgrall <jpa@google.com>
|
|
While executing syspatch and package_extract_file() calls with don't
care maps (both of which are used to rewrite the system image in
incremental and full block OTAs, respectively), pass a progress
callback in and use it to update the visible progress bar.
Change-Id: I1d3742d167c1bb2130571eb5103b7795c65ff371
|
|
The default recovery UI will reboot the device when the power key is
pressed 7 times in a row, regardless of what recovery is doing.
Disable this feature during package installation, to minimize the
chance of corrupting the device due to a mid-install reboot. (Debug
packages can explicitly request that the feature be reenabled.)
Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
|
|
The new build.prop for Sprout includes lines of the format:
import xxx.prop
These can be safely ignored when reading the property file.
Change-Id: Ia84a138e71461ffe8e591e88143b9787873def29
|
|
Change-Id: I92d5abd1a628feab3b0246924fab7f97ba3b9d34
|
|
Make package_extract_file() take an optional third argument which is
the pathname (in the package zip) of a map of don't-care regions to
skip over when writing the file.
Modify syspatch() to take source and target don't-care maps and use
them when patching the system partition.
Add the wipe_block_device() function to do a discard of all data on
the partition.
Change-Id: I8c856054edfb6aab2f3e5177f16d9d78add20be4
|
|
updater now depends on the GPL'd libraries libsyspatch and libxdelta3,
so be careful when taking code from this directory.
Change-Id: Ib6f8c50ce7052912b9d81ff96d095f778bf9a3d0
|
|
Change-Id: Id38b08607829bccc031693cc03e60e849903b6f8
|
|
Change-Id: I1541534ee6978ddf8d548433986679ce9507d508
|
|
Older versions of android supported an ASLR system where binaries were
randomly twiddled at OTA install time. Remove support for this; we
now use the ASLR support in the linux kernel.
Change-Id: I8348eb0d6424692668dc1a00e2416fbef6c158a2
|
|
Add the syspatch() function, which can apply xdelta3+xz patches using
the libsyspatch library.
Change-Id: Idc1921e449020923bcaf425a1983bec0833e47ed
|
|
Changes minzip and recovery's file signature verification to work on
memory regions, rather than files.
For packages which are regular files, install.cpp now mmap()s them
into memory and then passes the mapped memory to the verifier and to
the minzip library.
Support for files which are raw block maps (which will be used when we
have packages written to encrypted data partitions) is present but
largely untested so far.
Bug: 12188746
Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
|
|
Change-Id: I85726bf736203d602428114145c3b98692580656
|
|
In order to support multi-stage recovery packages, we add the
set_stage() and get_stage() functions, which store a short string
somewhere it can be accessed across invocations of recovery. We also
add reboot_now() which updater can invoke to immediately reboot the
device, without doing normal recovery cleanup. (It can also choose
whether to boot off the boot or recovery partition.)
If the stage string is of the form "#/#", recovery's UI will be
augmented with a simple indicator of what stage you're in, so it
doesn't look like a reboot loop.
Change-Id: I62f7ff0bc802b549c9bcf3cc154a6bad99f94603
|
|
try to process them via patch + rename, instead of
delete + add.
b/11437930
Change-Id: I984349fbc9a8dac4379e00c0d66fc7d22c4eb834
|
|
(cherry picked from commit bac7fba02763ae5e78e8e4ba0bea727330ad953e)
Change-Id: I01c38d7fea088622a8b0bbf2c833fa2d969417af
|
|
set_perm and set_perm_recursive are no longer used. Delete.
(cherry picked from commit 08ef9a957027183dcf55e432441e8fb0d5299aba)
Change-Id: I1bcc90ae19af9df4f0705496c5876987159f75ac
|
|
set_perm and set_perm_recursive are no longer used. Delete.
Change-Id: I3bb40b934b6c093b24b88aa4ed6f3c7de2bb52f0
|
|
Bug: 10183961
Bug: 10186213
Bug: 8985290
Change-Id: I57cb14af59682c5f25f1e091564548bdbf20f74e
|
|
Bug: 10183961
Bug: 10186213
Bug: 8985290
Change-Id: I57cb14af59682c5f25f1e091564548bdbf20f74e
|
|
Introduce two new updater functions:
* set_metadata
* set_metadata_recursive
Long term, these functions are intended to be more flexible replacements
for the following methods:
* set_perm
* set_perm_recursive
Usage:
set_metadata("filename", "key1", "value1", "key2", "value2", ...)
set_metadata_recursive("dirname", "key1", "value1", "key2", "value2", ...)
Description:
set_metadata() and set_metadata_recursive() set the attributes on a file/directory
according to the key/value pairs provided. Today, the following keys are
supported:
* uid
* gid
* mode (set_perm_extd only)
* fmode (set_perm_extd_recursive only)
* dmode (set_perm_extd_recursive only)
* selabel
* capabilities
Unknown keys are logged as warnings, but are not fatal errors.
Examples:
* set_metadata("/system/bin/netcfg", "selabel", "u:object_r:system_file:s0");
This sets the SELinux label of /system/bin/netcfg to u:object_r:system_file:s0.
No other changes occur.
* set_metadata("/system/bin/netcfg", "uid", 0, "gid", 3003, "mode", 02750, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);
This sets /system/bin/netcfg to uid=0, gid=3003, mode=02750,
selinux label=u:object_r:system_file:s0, and clears the capabilities
associated with the file.
* set_metadata_recursive("/system", "uid", 0, "gid", 0, "fmode", 0644, "dmode", 0755, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);
All files and directories under /system are set to uid=0, gid=0,
and selinux label=u:object_r:system_file:s0. Directories are set to
mode=0755. Files are set to mode=0644 and all capabilities are cleared.
Bug: 10183961
Bug: 10186213
Bug: 8985290
Change-Id: Ifdcf186a7ed45265511dc493c4036e1ac5e3d0af
|
|
This reverts commit 627eb30f73c29257acaeb6568f3da38880784f7c.
Bug: 10183961
Bug: 10186213
|
|
Modify the OTA installer to understand SELinux filesystem labels.
We do this by introducing new set_perm2 / set_perm2_recursive
calls, which understand SELinux filesystem labels. These filesystem
labels are applied at the same time that we apply the
UID / GID / permission changes.
For compatibility, we preserve the behavior of the existing
set_perm / set_perm_recursive calls.
If the destination kernel doesn't support security labels, don't
fail. SELinux isn't enabled on all kernels.
Bug: 8985290
Change-Id: I99800499f01784199e4918a82e3e2db1089cf25b
|
|
Recovery currently has a random mix of messages printed to stdout and
messages printed to stderr, which can make logs hard to read. Move
everything to stdout.
Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
|
|
Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e
|
|
Bug: 8580410
Change-Id: Ie60dade81c06589cb0daee431611ded34adef8e6
|
|
Change-Id: Ia96201f20f7838d7d9e8926208977d3f8318ced4
|
|
The bonus data option lets you give an additional blob of uncompressed
data to be used when constructing a patch for chunk #1 of an image.
The same blob must be available at patch time, and can be passed to
the command-line applypatch tool (this feature is not accessible from
edify scripts).
This will be used to reduce the size of recovery-from-boot patches by
storing parts of the recovery ramdisk (the UI images) on the system
partition.
Change-Id: Iac1959cdf7f5e4582f8d434e83456e483b64c02c
|
|
Change-Id: I664f8dc7939f8f902e4775eaaf6476fcd4ab8ed2
|
|
Change-Id: I4154db066865d6031caa3c2c3b94064b2f28076e
|
|
Full OTAs currently fail if the build contains a directory containing
only symlinks, because nothing creates that directory. Change the
symlink() command to create any ancestor directories that don't exist.
They're created as owner root perms 0700 because we assume that in
practice subsequent set_perm_recursive() calls will fix up their
ownership and permissions.
Change-Id: I4681cbc85863d9778e36b924f0532b2b3ef14310
|
|
Change-Id: I664f8dc7939f8f902e4775eaaf6476fcd4ab8ed2
|
|
Change-Id: I4154db066865d6031caa3c2c3b94064b2f28076e
|
|
libext4_utils requires libsparse, link against it as well.
Change-Id: I4d6aec0e5edcf1ed42118b7b77adcded2858d3dd
|
|
instead of creating the list file whenever loading the Android.mk
Change-Id: I78e4820754399dff3993a863eede8b75da9f6d29
|
|
Requires I5a63fd61a7e74d386d0803946d06bcf2fa8a857e
Change-Id: Ica5fb73d6f2ffb981b74d1896538988dbc4d9b24
|
|
Extend minzip, recovery, and updater to set the security context on
files based on the file_contexts configuration included in the package.
Change-Id: Ied379f266a16c64f2b4dca15dc39b98fcce16f29
|
|
It's surprising if these fail, so abort the whole edify script to
catch any problems early.
Bug: 2284848
Change-Id: Ia2a0b60e7f086fc590b242616028905a229c9e05
|
|
Removes the retouch_binaries and undo_retouch_binaries from updater;
newly generated OTA packages should not call them any more.
Note that applypatch retains the ability to unretouch a file as it
reads it. This will be needed as long as we want to support OTAs from
devices that were installed with retouching.
Change-Id: Ib3f6baeae90c84ba85983f626d821ab7e436ceb2
|
|
libext4_utils now calls libselinux in order to determine the
file security context to set on files when creating ext4 images.
Change-Id: I09fb9d563d22ee106bf100eacd4cd9c6300b1152
|
|
Replace the device-specific functions with a class. Move some of the
key handling (for log visibility toggling and rebooting) into the UI
class. Fix up the key handling so there is less crosstalk between the
immediate keys and the queued keys (an increasing annoyance on
button-limited devices).
Change-Id: I698f6fd21c67a1e55429312a0484b6c393cad46f
|
|
Replace the device-specific functions with a class. Move some of the
key handling (for log visibility toggling and rebooting) into the UI
class. Fix up the key handling so there is less crosstalk between the
immediate keys and the queued keys (an increasing annoyance on
button-limited devices).
Change-Id: I8bdea6505da7974631bf3d9ac3ee308f8c0f76e1
|
|
updater now has a function "wipe_cache();" which causes recovery to
wipe the cache partition after the successful installation of the
package. Move log copying around a bit so logs and the last_install
flag file are copied to cache after it's wiped.
Bug: 5314244
Change-Id: Id35a9eb6dcd626c8f3a3a0076074f462ed3d44bd
|
|
Change-Id: I787c086223b674050c0a12fc575add9badb471af
|
|
diff: out/target/product/generic/obj/PACKAGING/updater_extensions_intermediates/register.inc.list:
No such file or directory
Change-Id: I269b1703b6091b343db45b1c5cdd0962c738788b
|
|
write_raw_image() can now take either a blob or a filename as the
source. The blob format eliminates the need for a temp file.
Change-Id: I0c6effec53d47862040efcec75e64b7c951cdcf7
|
|
When formatting /data, if it's an ext4 filesystem, reserve the
last 16 Kbytes for the crypto footer.
Change-Id: I7b401d851ee87732e5da5860df0287a1c331c5b7
|
|
Change-Id: Id96e98da76b3091987b01651f980797b1d6b49d8
|
|
Change-Id: Ie6e309b127e80cd6475f1deaa5dbadf9f5cc2746
|
|
Change-Id: I9d34e491022d7dfed653a861b0728a0a656f1fbe
|
|
Make the mount and format functions take extra parameters describing
the filesystem type and add support for mounting and formatting ext4
filesystems on EMMC.
Change recovery to consistently use stdout for status messages instead
of mixing stdout and stderr.
|
|
Close the update package before invoking the binary, to allow the
installer to unmount /cache if it wants to. Add a function to allow
remounting of a mount as read-only.
Change-Id: Idfcc96c3da66083295177f729263560be58034e4
|
|
An extra parameter was added to the make_ext4fs() function, we these tools need
to be updated to match.
Change-Id: Id640a7f2b03153eb333b00337f0f991ff5332349
|
|
Separate files for retouch functionality are in minelf/*
ASLR for shared libraries is controlled by "-a" in ota_from_target_files.
Binary files are self-contained. Retouch logic can recover from crashes.
Signed-off-by: Hristo Bojinov <hristo@google.com>
Change-Id: I76c596abf4febd68c14f9d807ac62e8751e0b1bd
|
|
This CL removes the following line from the top of build logs:
"diff: out/target/product/*/obj/PACKAGING/updater_extensions_intermediates/register.inc.list: No such file or directory"
Change-Id: I79c15a69a0b1b0da0e45620b45a7a0fea5625250
|
|
Make the mount and format functions take extra parameters describing
the filesystem type and add support for mounting and formatting ext4
filesystems on EMMC.
Change recovery to consistently use stdout for status messages instead
of mixing stdout and stderr.
|
|
Change the applypatch function to take meaningful arguments instead of
argc and argv. Move all the parsing of arguments into main.c (for the
standalone binary) and into install.c (for the updater function).
applypatch() takes patches as Value objects, so we can pass in blobs
extracted from the package without ever writing them to temp files.
The patching code is changed to read the patch from memory instead of
a file.
A bunch of compiler warnings (mostly about signed vs unsigned types)
are fixed.
Support for the IMGDIFF1 format is dropped. (We've been generating
IMGDIFF2 packages for some time now.)
Change-Id: I217563c500012750f27110db821928a06211323f
|
|
- Move applypatch to this package (from build).
- Add a rudimentary type system to edify: instead of just returning a
char*, functions now return a Value*, which is a struct that can
carry different types of value (currently just STRING and BLOB).
Convert all functions to this new scheme.
- Change the one-argument form of package_extract_file to return a
Value of the new BLOB type.
- Add read_file() to load a local file and return a blob, and
sha1_check() to test a blob (or string) against a set of possible
sha1s. read_file() uses the file-loading code from applypatch so it
can read MTD partitions as well.
This is the start of better integration between applypatch and the
rest of edify.
b/2361316 - VZW Issue PP628: Continuous reset to Droid logo:
framework-res.apk update failed (CR LIBtt59130)
Change-Id: Ibd038074749a4d515de1f115c498c6c589ee91e5
|
|
Remove support for the HTC-specific "firmware" update command and the
corresponding edify function write_firmware_update(). This
functionality is now done by an edify extension library that lives in
vendor/htc.
Change-Id: I80858951ff10ed8dfff98aefb796bef009e05efb
|
|
Add a version of package_extract_file that returns the file data as
its return value (to be consumed by some other edify function that
expects to receive a bunch of binary data as an argument). Lets us
avoid having two copies of a big file in memory (extracting it into
/tmp, which is a ramdisk, and then having something load it into
memory) when doing things like radio updates.
Change-Id: Ie26ece5fbae457eb0ddcd8a13d74d78a769fbc70
|
|
|
|
The symlink() function should remove existing files before creating
symlinks, so scripts are idempotent. Log messages when various system
calls fail (but don't make the whole script fail).
|
|
Handy for producing debugging OTA packages (eg, running sqlite3 or
whatever in recovery).
|
|
updater (which is only needed in OTA packages) is getting included in
/system/bin, where it just takes up (quite a bit of) space. Use the
hack of including it only in eng builds so it's not there for user
builds.
|
|
We were inadvertently skipping over the first filename in the list of
arguments.
|
|
Let recovery accept set_progress commands to control progress over the
'current segment' of the bar. Add a set_progress() builtin to the
updater binary.
|
|
Allow devices (in BoardConfig.mk) to define additional static
libraries to be linked in to updater, to make device-specific
functions available in edify scripts. Modify the updater makefile to
arrange for device libraries to register their edify functions.
|
|
Add a function to read a property from a ".prop"-formatted file
(key=value pairs, one per line, ignore # comment lines and blank
lines). Move ErrorAbort to the core of edify; it's not specific to
updater now that errors aren't stored in the app cookie.
|
|
To do a firmware-install-on-reboot, the update binary tells recovery
what file to install before rebooting. Let this file be specified as
"PACKAGE:<foo>" to indicate taking the file out of the OTA package,
avoiding an extra copy to /tmp. Bump the API version number to
reflect this change.
|
|
A few more changes to edify:
- fix write_raw_image(); my last change neglected to close the write
context, so the written image was corrupt.
- each expression tracks the span of the source code from which it
was compiled, so that assert()'s error message can include the
source of the expression that failed.
- the 'cookie' argument to each Function is replaced with a State
object, which contains the cookie, the source script (for use with
the above spans), and the current error message (replacing the
global variables that were used for this purpose).
- in the recovery image, a new command "ui_print" can be sent back
through the command pipe to cause text to appear on the screen.
Add a new ui_print() function to print things from scripts.
Rename existing "print" function to "stdout".
|
|
Adds more edify functions for OTAs:
is_mounted getprop apply_patch apply_patch_check apply_patch_space
write_raw_image write_firmware_image package_extract_file
This allows us to install radios, hboots, boot images, and install
incremental OTA packages.
Fixes a couple of dumb bugs in edify itself:
- we were doubling the size of the function table each time it was
*not* full, rather than each time it was full
- "no such function" errors weren't visible to the parser, so they
didn't prevent execution of the script.
|
|
Adds the following edify functions:
mount unmount format show_progress delete delete_recursive
package_extract symlink set_perm set_perm_recursive
This set is enough to extract and install the system part of a (full)
OTA package.
Adds the updater binary that extracts an edify script from the OTA
package and then executes it. Minor changes to the edify core (adds a
sleep() builtin for debugging, adds "." to the set of characters that
can appear in an unquoted string).
|