Add a checker for signature boundary in verifier am: 54ea136fde am: 0a34b17c8b am: fb80b4f72d am: d3d5e54a45 am: 6ea9888d51 am: a055eb93c3 am: 15ca2a4763
am: ca50d7b66a
Change-Id: Ic6e05b8812f4b765b9114149373c7a00ad9ec78d
diff --git a/Android.mk b/Android.mk
index 65d123a..589bff4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -31,7 +31,6 @@
LOCAL_SRC_FILES := \
adb_install.cpp \
asn1_decoder.cpp \
- bootloader.cpp \
device.cpp \
fuse_sdcard_provider.cpp \
install.cpp \
@@ -66,6 +65,7 @@
LOCAL_STATIC_LIBRARIES := \
libbatterymonitor \
+ libbootloader_message \
libext4_utils_static \
libsparse_static \
libminzip \
@@ -93,6 +93,10 @@
LOCAL_STATIC_LIBRARIES += libext4_utils_static libz
endif
+ifeq ($(AB_OTA_UPDATER),true)
+ LOCAL_CFLAGS += -DAB_OTA_UPDATER=1
+endif
+
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/sbin
ifeq ($(TARGET_RECOVERY_UI_LIB),)
@@ -139,15 +143,17 @@
LOCAL_STATIC_LIBRARIES := libcrypto_static
include $(BUILD_STATIC_LIBRARY)
-include $(LOCAL_PATH)/minui/Android.mk \
+include \
+ $(LOCAL_PATH)/applypatch/Android.mk \
+ $(LOCAL_PATH)/bootloader_message/Android.mk \
+ $(LOCAL_PATH)/edify/Android.mk \
+ $(LOCAL_PATH)/minui/Android.mk \
$(LOCAL_PATH)/minzip/Android.mk \
$(LOCAL_PATH)/minadbd/Android.mk \
$(LOCAL_PATH)/mtdutils/Android.mk \
+ $(LOCAL_PATH)/otafault/Android.mk \
$(LOCAL_PATH)/tests/Android.mk \
$(LOCAL_PATH)/tools/Android.mk \
- $(LOCAL_PATH)/edify/Android.mk \
$(LOCAL_PATH)/uncrypt/Android.mk \
- $(LOCAL_PATH)/otafault/Android.mk \
$(LOCAL_PATH)/updater/Android.mk \
$(LOCAL_PATH)/update_verifier/Android.mk \
- $(LOCAL_PATH)/applypatch/Android.mk
diff --git a/bootloader.cpp b/bootloader.cpp
deleted file mode 100644
index d80c5e7..0000000
--- a/bootloader.cpp
+++ /dev/null
@@ -1,218 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <inttypes.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include <fs_mgr.h>
-
-#include "bootloader.h"
-#include "common.h"
-#include "mtdutils/mtdutils.h"
-#include "roots.h"
-#include "unique_fd.h"
-
-static int get_bootloader_message_mtd(bootloader_message* out, const Volume* v);
-static int set_bootloader_message_mtd(const bootloader_message* in, const Volume* v);
-static int get_bootloader_message_block(bootloader_message* out, const Volume* v);
-static int set_bootloader_message_block(const bootloader_message* in, const Volume* v);
-
-int get_bootloader_message(bootloader_message* out) {
- Volume* v = volume_for_path("/misc");
- if (v == nullptr) {
- LOGE("Cannot load volume /misc!\n");
- return -1;
- }
- if (strcmp(v->fs_type, "mtd") == 0) {
- return get_bootloader_message_mtd(out, v);
- } else if (strcmp(v->fs_type, "emmc") == 0) {
- return get_bootloader_message_block(out, v);
- }
- LOGE("unknown misc partition fs_type \"%s\"\n", v->fs_type);
- return -1;
-}
-
-int set_bootloader_message(const bootloader_message* in) {
- Volume* v = volume_for_path("/misc");
- if (v == nullptr) {
- LOGE("Cannot load volume /misc!\n");
- return -1;
- }
- if (strcmp(v->fs_type, "mtd") == 0) {
- return set_bootloader_message_mtd(in, v);
- } else if (strcmp(v->fs_type, "emmc") == 0) {
- return set_bootloader_message_block(in, v);
- }
- LOGE("unknown misc partition fs_type \"%s\"\n", v->fs_type);
- return -1;
-}
-
-// ------------------------------
-// for misc partitions on MTD
-// ------------------------------
-
-static const int MISC_PAGES = 3; // number of pages to save
-static const int MISC_COMMAND_PAGE = 1; // bootloader command is this page
-
-static int get_bootloader_message_mtd(bootloader_message* out,
- const Volume* v) {
- size_t write_size;
- mtd_scan_partitions();
- const MtdPartition* part = mtd_find_partition_by_name(v->blk_device);
- if (part == nullptr || mtd_partition_info(part, nullptr, nullptr, &write_size)) {
- LOGE("failed to find \"%s\"\n", v->blk_device);
- return -1;
- }
-
- MtdReadContext* read = mtd_read_partition(part);
- if (read == nullptr) {
- LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
- return -1;
- }
-
- const ssize_t size = write_size * MISC_PAGES;
- char data[size];
- ssize_t r = mtd_read_data(read, data, size);
- if (r != size) LOGE("failed to read \"%s\": %s\n", v->blk_device, strerror(errno));
- mtd_read_close(read);
- if (r != size) return -1;
-
- memcpy(out, &data[write_size * MISC_COMMAND_PAGE], sizeof(*out));
- return 0;
-}
-static int set_bootloader_message_mtd(const bootloader_message* in,
- const Volume* v) {
- size_t write_size;
- mtd_scan_partitions();
- const MtdPartition* part = mtd_find_partition_by_name(v->blk_device);
- if (part == nullptr || mtd_partition_info(part, nullptr, nullptr, &write_size)) {
- LOGE("failed to find \"%s\"\n", v->blk_device);
- return -1;
- }
-
- MtdReadContext* read = mtd_read_partition(part);
- if (read == nullptr) {
- LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
- return -1;
- }
-
- ssize_t size = write_size * MISC_PAGES;
- char data[size];
- ssize_t r = mtd_read_data(read, data, size);
- if (r != size) LOGE("failed to read \"%s\": %s\n", v->blk_device, strerror(errno));
- mtd_read_close(read);
- if (r != size) return -1;
-
- memcpy(&data[write_size * MISC_COMMAND_PAGE], in, sizeof(*in));
-
- MtdWriteContext* write = mtd_write_partition(part);
- if (write == nullptr) {
- LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
- return -1;
- }
- if (mtd_write_data(write, data, size) != size) {
- LOGE("failed to write \"%s\": %s\n", v->blk_device, strerror(errno));
- mtd_write_close(write);
- return -1;
- }
- if (mtd_write_close(write)) {
- LOGE("failed to finish \"%s\": %s\n", v->blk_device, strerror(errno));
- return -1;
- }
-
- LOGI("Set boot command \"%s\"\n", in->command[0] != 255 ? in->command : "");
- return 0;
-}
-
-
-// ------------------------------------
-// for misc partitions on block devices
-// ------------------------------------
-
-static void wait_for_device(const char* fn) {
- int tries = 0;
- int ret;
- do {
- ++tries;
- struct stat buf;
- ret = stat(fn, &buf);
- if (ret == -1) {
- printf("failed to stat \"%s\" try %d: %s\n", fn, tries, strerror(errno));
- sleep(1);
- }
- } while (ret && tries < 10);
-
- if (ret) {
- printf("failed to stat \"%s\"\n", fn);
- }
-}
-
-static int get_bootloader_message_block(bootloader_message* out,
- const Volume* v) {
- wait_for_device(v->blk_device);
- FILE* f = fopen(v->blk_device, "rb");
- if (f == nullptr) {
- LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
- return -1;
- }
- bootloader_message temp;
- int count = fread(&temp, sizeof(temp), 1, f);
- if (count != 1) {
- LOGE("failed to read \"%s\": %s\n", v->blk_device, strerror(errno));
- return -1;
- }
- if (fclose(f) != 0) {
- LOGE("failed to close \"%s\": %s\n", v->blk_device, strerror(errno));
- return -1;
- }
- memcpy(out, &temp, sizeof(temp));
- return 0;
-}
-
-static int set_bootloader_message_block(const bootloader_message* in,
- const Volume* v) {
- wait_for_device(v->blk_device);
- unique_fd fd(open(v->blk_device, O_WRONLY | O_SYNC));
- if (fd.get() == -1) {
- LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
- return -1;
- }
-
- size_t written = 0;
- const uint8_t* start = reinterpret_cast<const uint8_t*>(in);
- size_t total = sizeof(*in);
- while (written < total) {
- ssize_t wrote = TEMP_FAILURE_RETRY(write(fd.get(), start + written, total - written));
- if (wrote == -1) {
- LOGE("failed to write %" PRId64 " bytes: %s\n",
- static_cast<off64_t>(written), strerror(errno));
- return -1;
- }
- written += wrote;
- }
-
- if (fsync(fd.get()) == -1) {
- LOGE("failed to fsync \"%s\": %s\n", v->blk_device, strerror(errno));
- return -1;
- }
- return 0;
-}
diff --git a/bootloader.h b/bootloader.h
index 742a4ab..9c84a1c 100644
--- a/bootloader.h
+++ b/bootloader.h
@@ -14,58 +14,5 @@
* limitations under the License.
*/
-#ifndef _RECOVERY_BOOTLOADER_H
-#define _RECOVERY_BOOTLOADER_H
-
-/* Bootloader Message
- *
- * This structure describes the content of a block in flash
- * that is used for recovery and the bootloader to talk to
- * each other.
- *
- * The command field is updated by linux when it wants to
- * reboot into recovery or to update radio or bootloader firmware.
- * It is also updated by the bootloader when firmware update
- * is complete (to boot into recovery for any final cleanup)
- *
- * The status field is written by the bootloader after the
- * completion of an "update-radio" or "update-hboot" command.
- *
- * The recovery field is only written by linux and used
- * for the system to send a message to recovery or the
- * other way around.
- *
- * The stage field is written by packages which restart themselves
- * multiple times, so that the UI can reflect which invocation of the
- * package it is. If the value is of the format "#/#" (eg, "1/3"),
- * the UI will add a simple indicator of that status.
- *
- * The slot_suffix field is used for A/B implementations where the
- * bootloader does not set the androidboot.ro.boot.slot_suffix kernel
- * commandline parameter. This is used by fs_mgr to mount /system and
- * other partitions with the slotselect flag set in fstab. A/B
- * implementations are free to use all 32 bytes and may store private
- * data past the first NUL-byte in this field.
- */
-struct bootloader_message {
- char command[32];
- char status[32];
- char recovery[768];
-
- // The 'recovery' field used to be 1024 bytes. It has only ever
- // been used to store the recovery command line, so 768 bytes
- // should be plenty. We carve off the last 256 bytes to store the
- // stage string (for multistage packages) and possible future
- // expansion.
- char stage[32];
- char slot_suffix[32];
- char reserved[192];
-};
-
-/* Read and write the bootloader command from the "misc" partition.
- * These return zero on success.
- */
-int get_bootloader_message(struct bootloader_message *out);
-int set_bootloader_message(const struct bootloader_message *in);
-
-#endif
+// TODO: Remove this file once we remove all places that include this file.
+#include "bootloader_message/include/bootloader_message/bootloader_message.h"
diff --git a/bootloader_message/Android.mk b/bootloader_message/Android.mk
new file mode 100644
index 0000000..815ac67
--- /dev/null
+++ b/bootloader_message/Android.mk
@@ -0,0 +1,24 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := bootloader_message.cpp
+LOCAL_MODULE := libbootloader_message
+LOCAL_STATIC_LIBRARIES := libbase libfs_mgr
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/include
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+include $(BUILD_STATIC_LIBRARY)
diff --git a/bootloader_message/bootloader_message.cpp b/bootloader_message/bootloader_message.cpp
new file mode 100644
index 0000000..9de7dff
--- /dev/null
+++ b/bootloader_message/bootloader_message.cpp
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <bootloader_message/bootloader_message.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/system_properties.h>
+
+#include <string>
+#include <vector>
+
+#include <android-base/file.h>
+#include <android-base/stringprintf.h>
+#include <android-base/unique_fd.h>
+#include <fs_mgr.h>
+
+static struct fstab* read_fstab(std::string* err) {
+ // The fstab path is always "/fstab.${ro.hardware}".
+ std::string fstab_path = "/fstab.";
+ char value[PROP_VALUE_MAX];
+ if (__system_property_get("ro.hardware", value) == 0) {
+ *err = "failed to get ro.hardware";
+ return nullptr;
+ }
+ fstab_path += value;
+ struct fstab* fstab = fs_mgr_read_fstab(fstab_path.c_str());
+ if (fstab == nullptr) {
+ *err = "failed to read " + fstab_path;
+ }
+ return fstab;
+}
+
+static std::string get_misc_blk_device(std::string* err) {
+ struct fstab* fstab = read_fstab(err);
+ if (fstab == nullptr) {
+ return "";
+ }
+ fstab_rec* record = fs_mgr_get_entry_for_mount_point(fstab, "/misc");
+ if (record == nullptr) {
+ *err = "failed to find /misc partition";
+ return "";
+ }
+ return record->blk_device;
+}
+
+// In recovery mode, recovery can get started and try to access the misc
+// device before the kernel has actually created it.
+static bool wait_for_device(const std::string& blk_device, std::string* err) {
+ int tries = 0;
+ int ret;
+ err->clear();
+ do {
+ ++tries;
+ struct stat buf;
+ ret = stat(blk_device.c_str(), &buf);
+ if (ret == -1) {
+ *err += android::base::StringPrintf("failed to stat %s try %d: %s\n",
+ blk_device.c_str(), tries, strerror(errno));
+ sleep(1);
+ }
+ } while (ret && tries < 10);
+
+ if (ret) {
+ *err += android::base::StringPrintf("failed to stat %s\n", blk_device.c_str());
+ }
+ return ret == 0;
+}
+
+static bool read_misc_partition(void* p, size_t size, size_t offset, std::string* err) {
+ std::string misc_blk_device = get_misc_blk_device(err);
+ if (misc_blk_device.empty()) {
+ return false;
+ }
+ if (!wait_for_device(misc_blk_device, err)) {
+ return false;
+ }
+ android::base::unique_fd fd(open(misc_blk_device.c_str(), O_RDONLY));
+ if (fd.get() == -1) {
+ *err = android::base::StringPrintf("failed to open %s: %s", misc_blk_device.c_str(),
+ strerror(errno));
+ return false;
+ }
+ if (lseek(fd.get(), static_cast<off_t>(offset), SEEK_SET) != static_cast<off_t>(offset)) {
+ *err = android::base::StringPrintf("failed to lseek %s: %s", misc_blk_device.c_str(),
+ strerror(errno));
+ return false;
+ }
+ if (!android::base::ReadFully(fd.get(), p, size)) {
+ *err = android::base::StringPrintf("failed to read %s: %s", misc_blk_device.c_str(),
+ strerror(errno));
+ return false;
+ }
+ return true;
+}
+
+static bool write_misc_partition(const void* p, size_t size, size_t offset, std::string* err) {
+ std::string misc_blk_device = get_misc_blk_device(err);
+ if (misc_blk_device.empty()) {
+ return false;
+ }
+ android::base::unique_fd fd(open(misc_blk_device.c_str(), O_WRONLY | O_SYNC));
+ if (fd.get() == -1) {
+ *err = android::base::StringPrintf("failed to open %s: %s", misc_blk_device.c_str(),
+ strerror(errno));
+ return false;
+ }
+ if (lseek(fd.get(), static_cast<off_t>(offset), SEEK_SET) != static_cast<off_t>(offset)) {
+ *err = android::base::StringPrintf("failed to lseek %s: %s", misc_blk_device.c_str(),
+ strerror(errno));
+ return false;
+ }
+ if (!android::base::WriteFully(fd.get(), p, size)) {
+ *err = android::base::StringPrintf("failed to write %s: %s", misc_blk_device.c_str(),
+ strerror(errno));
+ return false;
+ }
+
+ // TODO: O_SYNC and fsync duplicates each other?
+ if (fsync(fd.get()) == -1) {
+ *err = android::base::StringPrintf("failed to fsync %s: %s", misc_blk_device.c_str(),
+ strerror(errno));
+ return false;
+ }
+ return true;
+}
+
+bool read_bootloader_message(bootloader_message* boot, std::string* err) {
+ return read_misc_partition(boot, sizeof(*boot), BOOTLOADER_MESSAGE_OFFSET_IN_MISC, err);
+}
+
+bool write_bootloader_message(const bootloader_message& boot, std::string* err) {
+ return write_misc_partition(&boot, sizeof(boot), BOOTLOADER_MESSAGE_OFFSET_IN_MISC, err);
+}
+
+bool clear_bootloader_message(std::string* err) {
+ bootloader_message boot = {};
+ return write_bootloader_message(boot, err);
+}
+
+bool write_bootloader_message(const std::vector<std::string>& options, std::string* err) {
+ bootloader_message boot = {};
+ strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
+ strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
+ for (const auto& s : options) {
+ strlcat(boot.recovery, s.c_str(), sizeof(boot.recovery));
+ if (s.back() != '\n') {
+ strlcat(boot.recovery, "\n", sizeof(boot.recovery));
+ }
+ }
+ return write_bootloader_message(boot, err);
+}
+
+bool read_wipe_package(std::string* package_data, size_t size, std::string* err) {
+ package_data->resize(size);
+ return read_misc_partition(&(*package_data)[0], size, WIPE_PACKAGE_OFFSET_IN_MISC, err);
+}
+
+bool write_wipe_package(const std::string& package_data, std::string* err) {
+ return write_misc_partition(package_data.data(), package_data.size(),
+ WIPE_PACKAGE_OFFSET_IN_MISC, err);
+}
+
+extern "C" bool write_bootloader_message(const char* options) {
+ std::string err;
+ return write_bootloader_message({options}, &err);
+}
diff --git a/bootloader_message/include/bootloader_message/bootloader_message.h b/bootloader_message/include/bootloader_message/bootloader_message.h
new file mode 100644
index 0000000..c63aeca
--- /dev/null
+++ b/bootloader_message/include/bootloader_message/bootloader_message.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2008 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _BOOTLOADER_MESSAGE_H
+#define _BOOTLOADER_MESSAGE_H
+
+#include <stddef.h>
+
+// Spaces used by misc partition are as below:
+// 0 - 2K Bootloader Message
+// 2K - 16K Used by Vendor's bootloader
+// 16K - 64K Used by uncrypt and recovery to store wipe_package for A/B devices
+// Note that these offsets are admitted by bootloader,recovery and uncrypt, so they
+// are not configurable without changing all of them.
+static const size_t BOOTLOADER_MESSAGE_OFFSET_IN_MISC = 0;
+static const size_t WIPE_PACKAGE_OFFSET_IN_MISC = 16 * 1024;
+
+/* Bootloader Message
+ *
+ * This structure describes the content of a block in flash
+ * that is used for recovery and the bootloader to talk to
+ * each other.
+ *
+ * The command field is updated by linux when it wants to
+ * reboot into recovery or to update radio or bootloader firmware.
+ * It is also updated by the bootloader when firmware update
+ * is complete (to boot into recovery for any final cleanup)
+ *
+ * The status field is written by the bootloader after the
+ * completion of an "update-radio" or "update-hboot" command.
+ *
+ * The recovery field is only written by linux and used
+ * for the system to send a message to recovery or the
+ * other way around.
+ *
+ * The stage field is written by packages which restart themselves
+ * multiple times, so that the UI can reflect which invocation of the
+ * package it is. If the value is of the format "#/#" (eg, "1/3"),
+ * the UI will add a simple indicator of that status.
+ *
+ * The slot_suffix field is used for A/B implementations where the
+ * bootloader does not set the androidboot.ro.boot.slot_suffix kernel
+ * commandline parameter. This is used by fs_mgr to mount /system and
+ * other partitions with the slotselect flag set in fstab. A/B
+ * implementations are free to use all 32 bytes and may store private
+ * data past the first NUL-byte in this field.
+ */
+struct bootloader_message {
+ char command[32];
+ char status[32];
+ char recovery[768];
+
+ // The 'recovery' field used to be 1024 bytes. It has only ever
+ // been used to store the recovery command line, so 768 bytes
+ // should be plenty. We carve off the last 256 bytes to store the
+ // stage string (for multistage packages) and possible future
+ // expansion.
+ char stage[32];
+ char slot_suffix[32];
+ char reserved[192];
+};
+
+#ifdef __cplusplus
+
+#include <string>
+#include <vector>
+
+bool read_bootloader_message(bootloader_message* boot, std::string* err);
+bool write_bootloader_message(const bootloader_message& boot, std::string* err);
+bool write_bootloader_message(const std::vector<std::string>& options, std::string* err);
+bool clear_bootloader_message(std::string* err);
+
+bool read_wipe_package(std::string* package_data, size_t size, std::string* err);
+bool write_wipe_package(const std::string& package_data, std::string* err);
+
+
+#else
+
+#include <stdbool.h>
+
+// C Interface.
+bool write_bootloader_message(const char* options);
+
+#endif // ifdef __cplusplus
+
+#endif // _BOOTLOADER_MESSAGE_H
diff --git a/device.cpp b/device.cpp
index 2465b07..e717ddd 100644
--- a/device.cpp
+++ b/device.cpp
@@ -22,32 +22,42 @@
"Apply update from ADB",
"Apply update from SD card",
"Wipe data/factory reset",
+#ifndef AB_OTA_UPDATER
"Wipe cache partition",
+#endif // !AB_OTA_UPDATER
"Mount /system",
"View recovery logs",
"Run graphics test",
"Power off",
- NULL
+ NULL,
};
+static const Device::BuiltinAction MENU_ACTIONS[] = {
+ Device::REBOOT,
+ Device::REBOOT_BOOTLOADER,
+ Device::APPLY_ADB_SIDELOAD,
+ Device::APPLY_SDCARD,
+ Device::WIPE_DATA,
+#ifndef AB_OTA_UPDATER
+ Device::WIPE_CACHE,
+#endif // !AB_OTA_UPDATER
+ Device::MOUNT_SYSTEM,
+ Device::VIEW_RECOVERY_LOGS,
+ Device::RUN_GRAPHICS_TEST,
+ Device::SHUTDOWN,
+};
+
+static_assert(sizeof(MENU_ITEMS) / sizeof(MENU_ITEMS[0]) ==
+ sizeof(MENU_ACTIONS) / sizeof(MENU_ACTIONS[0]) + 1,
+ "MENU_ITEMS and MENU_ACTIONS should have the same length, "
+ "except for the extra NULL entry in MENU_ITEMS.");
+
const char* const* Device::GetMenuItems() {
return MENU_ITEMS;
}
Device::BuiltinAction Device::InvokeMenuItem(int menu_position) {
- switch (menu_position) {
- case 0: return REBOOT;
- case 1: return REBOOT_BOOTLOADER;
- case 2: return APPLY_ADB_SIDELOAD;
- case 3: return APPLY_SDCARD;
- case 4: return WIPE_DATA;
- case 5: return WIPE_CACHE;
- case 6: return MOUNT_SYSTEM;
- case 7: return VIEW_RECOVERY_LOGS;
- case 8: return RUN_GRAPHICS_TEST;
- case 9: return SHUTDOWN;
- default: return NO_ACTION;
- }
+ return menu_position < 0 ? NO_ACTION : MENU_ACTIONS[menu_position];
}
int Device::HandleMenuKey(int key, int visible) {
diff --git a/error_code.h b/error_code.h
index 259319a..fe38ba4 100644
--- a/error_code.h
+++ b/error_code.h
@@ -21,7 +21,8 @@
kNoError = -1,
kLowBattery = 20,
kZipVerificationFailure,
- kZipOpenFailure
+ kZipOpenFailure,
+ kBootreasonInBlacklist
};
enum CauseCode {
diff --git a/install.cpp b/install.cpp
index 5a439a1..02c845c 100644
--- a/install.cpp
+++ b/install.cpp
@@ -17,6 +17,7 @@
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
+#include <inttypes.h>
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
@@ -24,12 +25,15 @@
#include <unistd.h>
#include <chrono>
+#include <limits>
+#include <map>
#include <string>
#include <vector>
#include <android-base/parseint.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
+#include <cutils/properties.h>
#include "common.h"
#include "error_code.h"
@@ -46,6 +50,8 @@
extern RecoveryUI* ui;
#define ASSUMED_UPDATE_BINARY_NAME "META-INF/com/google/android/update-binary"
+static constexpr const char* AB_OTA_PAYLOAD_PROPERTIES = "payload_properties.txt";
+static constexpr const char* AB_OTA_PAYLOAD = "payload.bin";
#define PUBLIC_KEYS_FILE "/res/keys"
static constexpr const char* METADATA_PATH = "META-INF/com/android/metadata";
@@ -70,20 +76,27 @@
return -1;
}
-// Read the build.version.incremental of src/tgt from the metadata and log it to last_install.
-static void read_source_target_build(ZipArchive* zip, std::vector<std::string>& log_buffer) {
+bool read_metadata_from_package(ZipArchive* zip, std::string* meta_data) {
const ZipEntry* meta_entry = mzFindZipEntry(zip, METADATA_PATH);
if (meta_entry == nullptr) {
LOGE("Failed to find %s in update package.\n", METADATA_PATH);
- return;
+ return false;
}
- std::string meta_data(meta_entry->uncompLen, '\0');
- if (!mzReadZipEntry(zip, meta_entry, &meta_data[0], meta_entry->uncompLen)) {
+ meta_data->resize(meta_entry->uncompLen, '\0');
+ if (!mzReadZipEntry(zip, meta_entry, &(*meta_data)[0], meta_entry->uncompLen)) {
LOGE("Failed to read metadata in update package.\n");
+ return false;
+ }
+ return true;
+}
+
+// Read the build.version.incremental of src/tgt from the metadata and log it to last_install.
+static void read_source_target_build(ZipArchive* zip, std::vector<std::string>& log_buffer) {
+ std::string meta_data;
+ if (!read_metadata_from_package(zip, &meta_data)) {
return;
}
-
// Examples of the pre-build and post-build strings in metadata:
// pre-build-incremental=2943039
// post-build-incremental=2951741
@@ -106,17 +119,152 @@
}
}
-// If the package contains an update binary, extract it and run it.
+// Extract the update binary from the open zip archive |zip| located at |path|
+// and store into |cmd| the command line that should be called. The |status_fd|
+// is the file descriptor the child process should use to report back the
+// progress of the update.
static int
-try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache,
- std::vector<std::string>& log_buffer, int retry_count)
-{
- read_source_target_build(zip, log_buffer);
+update_binary_command(const char* path, ZipArchive* zip, int retry_count,
+ int status_fd, std::vector<std::string>* cmd);
+#ifdef AB_OTA_UPDATER
+
+// Parses the metadata of the OTA package in |zip| and checks whether we are
+// allowed to accept this A/B package. Downgrading is not allowed unless
+// explicitly enabled in the package and only for incremental packages.
+static int check_newer_ab_build(ZipArchive* zip)
+{
+ std::string metadata_str;
+ if (!read_metadata_from_package(zip, &metadata_str)) {
+ return INSTALL_CORRUPT;
+ }
+ std::map<std::string, std::string> metadata;
+ for (const std::string& line : android::base::Split(metadata_str, "\n")) {
+ size_t eq = line.find('=');
+ if (eq != std::string::npos) {
+ metadata[line.substr(0, eq)] = line.substr(eq + 1);
+ }
+ }
+ char value[PROPERTY_VALUE_MAX];
+
+ property_get("ro.product.device", value, "");
+ const std::string& pkg_device = metadata["pre-device"];
+ if (pkg_device != value || pkg_device.empty()) {
+ LOGE("Package is for product %s but expected %s\n",
+ pkg_device.c_str(), value);
+ return INSTALL_ERROR;
+ }
+
+ // We allow the package to not have any serialno, but if it has a non-empty
+ // value it should match.
+ property_get("ro.serialno", value, "");
+ const std::string& pkg_serial_no = metadata["serialno"];
+ if (!pkg_serial_no.empty() && pkg_serial_no != value) {
+ LOGE("Package is for serial %s\n", pkg_serial_no.c_str());
+ return INSTALL_ERROR;
+ }
+
+ if (metadata["ota-type"] != "AB") {
+ LOGE("Package is not A/B\n");
+ return INSTALL_ERROR;
+ }
+
+ // Incremental updates should match the current build.
+ property_get("ro.build.version.incremental", value, "");
+ const std::string& pkg_pre_build = metadata["pre-build-incremental"];
+ if (!pkg_pre_build.empty() && pkg_pre_build != value) {
+ LOGE("Package is for source build %s but expected %s\n",
+ pkg_pre_build.c_str(), value);
+ return INSTALL_ERROR;
+ }
+ property_get("ro.build.fingerprint", value, "");
+ const std::string& pkg_pre_build_fingerprint = metadata["pre-build"];
+ if (!pkg_pre_build_fingerprint.empty() &&
+ pkg_pre_build_fingerprint != value) {
+ LOGE("Package is for source build %s but expected %s\n",
+ pkg_pre_build_fingerprint.c_str(), value);
+ return INSTALL_ERROR;
+ }
+
+ // Check for downgrade version.
+ int64_t build_timestampt = property_get_int64(
+ "ro.build.date.utc", std::numeric_limits<int64_t>::max());
+ int64_t pkg_post_timespampt = 0;
+ // We allow to full update to the same version we are running, in case there
+ // is a problem with the current copy of that version.
+ if (metadata["post-timestamp"].empty() ||
+ !android::base::ParseInt(metadata["post-timestamp"].c_str(),
+ &pkg_post_timespampt) ||
+ pkg_post_timespampt < build_timestampt) {
+ if (metadata["ota-downgrade"] != "yes") {
+ LOGE("Update package is older than the current build, expected a "
+ "build newer than timestamp %" PRIu64 " but package has "
+ "timestamp %" PRIu64 " and downgrade not allowed.\n",
+ build_timestampt, pkg_post_timespampt);
+ return INSTALL_ERROR;
+ }
+ if (pkg_pre_build_fingerprint.empty()) {
+ LOGE("Downgrade package must have a pre-build version set, not "
+ "allowed.\n");
+ return INSTALL_ERROR;
+ }
+ }
+
+ return 0;
+}
+
+static int
+update_binary_command(const char* path, ZipArchive* zip, int retry_count,
+ int status_fd, std::vector<std::string>* cmd)
+{
+ int ret = check_newer_ab_build(zip);
+ if (ret) {
+ return ret;
+ }
+
+ // For A/B updates we extract the payload properties to a buffer and obtain
+ // the RAW payload offset in the zip file.
+ const ZipEntry* properties_entry =
+ mzFindZipEntry(zip, AB_OTA_PAYLOAD_PROPERTIES);
+ if (!properties_entry) {
+ LOGE("Can't find %s\n", AB_OTA_PAYLOAD_PROPERTIES);
+ return INSTALL_CORRUPT;
+ }
+ std::vector<unsigned char> payload_properties(
+ mzGetZipEntryUncompLen(properties_entry));
+ if (!mzExtractZipEntryToBuffer(zip, properties_entry,
+ payload_properties.data())) {
+ LOGE("Can't extract %s\n", AB_OTA_PAYLOAD_PROPERTIES);
+ return INSTALL_CORRUPT;
+ }
+
+ const ZipEntry* payload_entry = mzFindZipEntry(zip, AB_OTA_PAYLOAD);
+ if (!payload_entry) {
+ LOGE("Can't find %s\n", AB_OTA_PAYLOAD);
+ return INSTALL_CORRUPT;
+ }
+ long payload_offset = mzGetZipEntryOffset(payload_entry);
+ *cmd = {
+ "/sbin/update_engine_sideload",
+ android::base::StringPrintf("--payload=file://%s", path),
+ android::base::StringPrintf("--offset=%ld", payload_offset),
+ "--headers=" + std::string(payload_properties.begin(),
+ payload_properties.end()),
+ android::base::StringPrintf("--status_fd=%d", status_fd),
+ };
+ return 0;
+}
+
+#else // !AB_OTA_UPDATER
+
+static int
+update_binary_command(const char* path, ZipArchive* zip, int retry_count,
+ int status_fd, std::vector<std::string>* cmd)
+{
+ // On traditional updates we extract the update binary from the package.
const ZipEntry* binary_entry =
mzFindZipEntry(zip, ASSUMED_UPDATE_BINARY_NAME);
if (binary_entry == NULL) {
- mzCloseZipArchive(zip);
return INSTALL_CORRUPT;
}
@@ -124,22 +272,48 @@
unlink(binary);
int fd = creat(binary, 0755);
if (fd < 0) {
- mzCloseZipArchive(zip);
LOGE("Can't make %s\n", binary);
return INSTALL_ERROR;
}
bool ok = mzExtractZipEntryToFile(zip, binary_entry, fd);
close(fd);
- mzCloseZipArchive(zip);
if (!ok) {
LOGE("Can't copy %s\n", ASSUMED_UPDATE_BINARY_NAME);
return INSTALL_ERROR;
}
+ *cmd = {
+ binary,
+ EXPAND(RECOVERY_API_VERSION), // defined in Android.mk
+ std::to_string(status_fd),
+ path,
+ };
+ if (retry_count > 0)
+ cmd->push_back("retry");
+ return 0;
+}
+#endif // !AB_OTA_UPDATER
+
+// If the package contains an update binary, extract it and run it.
+static int
+try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache,
+ std::vector<std::string>& log_buffer, int retry_count)
+{
+ read_source_target_build(zip, log_buffer);
+
int pipefd[2];
pipe(pipefd);
+ std::vector<std::string> args;
+ int ret = update_binary_command(path, zip, retry_count, pipefd[1], &args);
+ mzCloseZipArchive(zip);
+ if (ret) {
+ close(pipefd[0]);
+ close(pipefd[1]);
+ return ret;
+ }
+
// When executing the update binary contained in the package, the
// arguments passed are:
//
@@ -189,22 +363,19 @@
// update attempt.
//
- const char** args = (const char**)malloc(sizeof(char*) * 6);
- args[0] = binary;
- args[1] = EXPAND(RECOVERY_API_VERSION); // defined in Android.mk
- char* temp = (char*)malloc(10);
- sprintf(temp, "%d", pipefd[1]);
- args[2] = temp;
- args[3] = (char*)path;
- args[4] = retry_count > 0 ? "retry" : NULL;
- args[5] = NULL;
+ // Convert the vector to a NULL-terminated char* array suitable for execv.
+ const char* chr_args[args.size() + 1];
+ chr_args[args.size()] = NULL;
+ for (size_t i = 0; i < args.size(); i++) {
+ chr_args[i] = args[i].c_str();
+ }
pid_t pid = fork();
if (pid == 0) {
umask(022);
close(pipefd[0]);
- execv(binary, (char* const*)args);
- fprintf(stdout, "E:Can't run %s (%s)\n", binary, strerror(errno));
+ execv(chr_args[0], const_cast<char**>(chr_args));
+ fprintf(stdout, "E:Can't run %s (%s)\n", chr_args[0], strerror(errno));
_exit(-1);
}
close(pipefd[1]);
@@ -300,31 +471,16 @@
return INSTALL_CORRUPT;
}
- // Load keys.
- std::vector<Certificate> loadedKeys;
- if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
- LOGE("Failed to load keys\n");
- return INSTALL_CORRUPT;
- }
- LOGI("%zu key(s) loaded from %s\n", loadedKeys.size(), PUBLIC_KEYS_FILE);
-
// Verify package.
- ui->Print("Verifying update package...\n");
- auto t0 = std::chrono::system_clock::now();
- int err = verify_file(map.addr, map.length, loadedKeys);
- std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
- ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
- if (err != VERIFY_SUCCESS) {
- LOGE("signature verification failed\n");
+ if (!verify_package(map.addr, map.length)) {
log_buffer.push_back(android::base::StringPrintf("error: %d", kZipVerificationFailure));
-
sysReleaseMap(&map);
return INSTALL_CORRUPT;
}
// Try to open the package.
ZipArchive zip;
- err = mzOpenZipArchive(map.addr, map.length, &zip);
+ int err = mzOpenZipArchive(map.addr, map.length, &zip);
if (err != 0) {
LOGE("Can't open %s\n(%s)\n", path, err != -1 ? strerror(err) : "bad");
log_buffer.push_back(android::base::StringPrintf("error: %d", kZipOpenFailure));
@@ -387,3 +543,25 @@
}
return result;
}
+
+bool verify_package(const unsigned char* package_data, size_t package_size) {
+ std::vector<Certificate> loadedKeys;
+ if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
+ LOGE("Failed to load keys\n");
+ return false;
+ }
+ LOGI("%zu key(s) loaded from %s\n", loadedKeys.size(), PUBLIC_KEYS_FILE);
+
+ // Verify package.
+ ui->Print("Verifying update package...\n");
+ auto t0 = std::chrono::system_clock::now();
+ int err = verify_file(const_cast<unsigned char*>(package_data), package_size, loadedKeys);
+ std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
+ ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
+ if (err != VERIFY_SUCCESS) {
+ LOGE("Signature verification failed\n");
+ LOGE("error: %d\n", kZipVerificationFailure);
+ return false;
+ }
+ return true;
+}
diff --git a/install.h b/install.h
index 66764f5..14de225 100644
--- a/install.h
+++ b/install.h
@@ -17,11 +17,10 @@
#ifndef RECOVERY_INSTALL_H_
#define RECOVERY_INSTALL_H_
-#include "common.h"
+#include <string>
-#ifdef __cplusplus
-extern "C" {
-#endif
+#include "common.h"
+#include "minzip/Zip.h"
enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE, INSTALL_SKIPPED,
INSTALL_RETRY };
@@ -31,8 +30,12 @@
int install_package(const char* root_path, bool* wipe_cache, const char* install_file,
bool needs_mount, int retry_count);
-#ifdef __cplusplus
-}
-#endif
+// Verify the package by ota keys. Return true if the package is verified successfully,
+// otherwise return false.
+bool verify_package(const unsigned char* package_data, size_t package_size);
+
+// Read meta data file of the package, write its content in the string pointed by meta_data.
+// Return true if succeed, otherwise return false.
+bool read_metadata_from_package(ZipArchive* zip, std::string* meta_data);
#endif // RECOVERY_INSTALL_H_
diff --git a/recovery.cpp b/recovery.cpp
index 10f8414..ccb2d22 100644
--- a/recovery.cpp
+++ b/recovery.cpp
@@ -19,7 +19,9 @@
#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
+#include <inttypes.h>
#include <limits.h>
+#include <linux/fs.h>
#include <linux/input.h>
#include <stdarg.h>
#include <stdio.h>
@@ -33,12 +35,16 @@
#include <unistd.h>
#include <chrono>
+#include <string>
+#include <vector>
#include <adb.h>
#include <android/log.h> /* Android Log Priority Tags */
#include <android-base/file.h>
#include <android-base/parseint.h>
#include <android-base/stringprintf.h>
+#include <android-base/strings.h>
+#include <bootloader_message/bootloader_message.h>
#include <cutils/android_reboot.h>
#include <cutils/properties.h>
#include <log/logger.h> /* Android Log packet format */
@@ -47,7 +53,6 @@
#include <healthd/BatteryMonitor.h>
#include "adb_install.h"
-#include "bootloader.h"
#include "common.h"
#include "device.h"
#include "error_code.h"
@@ -56,8 +61,10 @@
#include "install.h"
#include "minui/minui.h"
#include "minzip/DirUtil.h"
+#include "minzip/Zip.h"
#include "roots.h"
#include "ui.h"
+#include "unique_fd.h"
#include "screen_ui.h"
struct selabel_handle *sehandle;
@@ -77,9 +84,17 @@
{ "shutdown_after", no_argument, NULL, 'p' },
{ "reason", required_argument, NULL, 'r' },
{ "security", no_argument, NULL, 'e'},
+ { "wipe_ab", no_argument, NULL, 0 },
+ { "wipe_package_size", required_argument, NULL, 0 },
{ NULL, 0, NULL, 0 },
};
+// More bootreasons can be found in "system/core/bootstat/bootstat.cpp".
+static const std::vector<std::string> bootreason_blacklist {
+ "kernel_panic",
+ "Panic",
+};
+
static const char *CACHE_LOG_DIR = "/cache/recovery";
static const char *COMMAND_FILE = "/cache/recovery/command";
static const char *INTENT_FILE = "/cache/recovery/intent";
@@ -104,6 +119,7 @@
// So we should check battery with a slightly lower limitation.
static const int BATTERY_OK_PERCENTAGE = 20;
static const int BATTERY_WITH_CHARGER_OK_PERCENTAGE = 15;
+constexpr const char* RECOVERY_WIPE = "/etc/recovery.wipe";
RecoveryUI* ui = NULL;
static const char* locale = "en_US";
@@ -293,9 +309,13 @@
// - the contents of COMMAND_FILE (one per line)
static void
get_args(int *argc, char ***argv) {
- struct bootloader_message boot;
- memset(&boot, 0, sizeof(boot));
- get_bootloader_message(&boot); // this may fail, leaving a zeroed structure
+ bootloader_message boot = {};
+ std::string err;
+ if (!read_bootloader_message(&boot, &err)) {
+ LOGE("%s\n", err.c_str());
+ // If fails, leave a zeroed bootloader_message.
+ memset(&boot, 0, sizeof(boot));
+ }
stage = strndup(boot.stage, sizeof(boot.stage));
if (boot.command[0] != 0 && boot.command[0] != 255) {
@@ -357,16 +377,20 @@
strlcat(boot.recovery, (*argv)[i], sizeof(boot.recovery));
strlcat(boot.recovery, "\n", sizeof(boot.recovery));
}
- set_bootloader_message(&boot);
+ if (!write_bootloader_message(boot, &err)) {
+ LOGE("%s\n", err.c_str());
+ }
}
static void
set_sdcard_update_bootloader_message() {
- struct bootloader_message boot;
- memset(&boot, 0, sizeof(boot));
+ bootloader_message boot = {};
strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
- set_bootloader_message(&boot);
+ std::string err;
+ if (!write_bootloader_message(boot, &err)) {
+ LOGE("%s\n", err.c_str());
+ }
}
// Read from kernel log into buffer and write out to file.
@@ -527,9 +551,11 @@
copy_logs();
// Reset to normal system boot so recovery won't cycle indefinitely.
- struct bootloader_message boot;
- memset(&boot, 0, sizeof(boot));
- set_bootloader_message(&boot);
+ bootloader_message boot = {};
+ std::string err;
+ if (!write_bootloader_message(boot, &err)) {
+ LOGE("%s\n", err.c_str());
+ }
// Remove the command file, so recovery won't repeat indefinitely.
if (has_cache) {
@@ -854,46 +880,184 @@
return success;
}
-static void choose_recovery_file(Device* device) {
- if (!has_cache) {
- ui->Print("No /cache partition found.\n");
- return;
+// Secure-wipe a given partition. It uses BLKSECDISCARD, if supported.
+// Otherwise, it goes with BLKDISCARD (if device supports BLKDISCARDZEROES) or
+// BLKZEROOUT.
+static bool secure_wipe_partition(const std::string& partition) {
+ unique_fd fd(TEMP_FAILURE_RETRY(open(partition.c_str(), O_WRONLY)));
+ if (fd.get() == -1) {
+ LOGE("failed to open \"%s\": %s\n", partition.c_str(), strerror(errno));
+ return false;
}
+ uint64_t range[2] = {0, 0};
+ if (ioctl(fd.get(), BLKGETSIZE64, &range[1]) == -1 || range[1] == 0) {
+ LOGE("failed to get partition size: %s\n", strerror(errno));
+ return false;
+ }
+ printf("Secure-wiping \"%s\" from %" PRIu64 " to %" PRIu64 ".\n",
+ partition.c_str(), range[0], range[1]);
+
+ printf("Trying BLKSECDISCARD...\t");
+ if (ioctl(fd.get(), BLKSECDISCARD, &range) == -1) {
+ printf("failed: %s\n", strerror(errno));
+
+ // Use BLKDISCARD if it zeroes out blocks, otherwise use BLKZEROOUT.
+ unsigned int zeroes;
+ if (ioctl(fd.get(), BLKDISCARDZEROES, &zeroes) == 0 && zeroes != 0) {
+ printf("Trying BLKDISCARD...\t");
+ if (ioctl(fd.get(), BLKDISCARD, &range) == -1) {
+ printf("failed: %s\n", strerror(errno));
+ return false;
+ }
+ } else {
+ printf("Trying BLKZEROOUT...\t");
+ if (ioctl(fd.get(), BLKZEROOUT, &range) == -1) {
+ printf("failed: %s\n", strerror(errno));
+ return false;
+ }
+ }
+ }
+
+ printf("done\n");
+ return true;
+}
+
+// Check if the wipe package matches expectation:
+// 1. verify the package.
+// 2. check metadata (ota-type, pre-device and serial number if having one).
+static bool check_wipe_package(size_t wipe_package_size) {
+ if (wipe_package_size == 0) {
+ LOGE("wipe_package_size is zero.\n");
+ return false;
+ }
+ std::string wipe_package;
+ std::string err_str;
+ if (!read_wipe_package(&wipe_package, wipe_package_size, &err_str)) {
+ LOGE("Failed to read wipe package: %s\n", err_str.c_str());
+ return false;
+ }
+ if (!verify_package(reinterpret_cast<const unsigned char*>(wipe_package.data()),
+ wipe_package.size())) {
+ LOGE("Failed to verify package.\n");
+ return false;
+ }
+
+ // Extract metadata
+ ZipArchive zip;
+ int err = mzOpenZipArchive(reinterpret_cast<unsigned char*>(&wipe_package[0]),
+ wipe_package.size(), &zip);
+ if (err != 0) {
+ LOGE("Can't open wipe package: %s\n", err != -1 ? strerror(err) : "bad");
+ return false;
+ }
+ std::string metadata;
+ if (!read_metadata_from_package(&zip, &metadata)) {
+ mzCloseZipArchive(&zip);
+ return false;
+ }
+ mzCloseZipArchive(&zip);
+
+ // Check metadata
+ std::vector<std::string> lines = android::base::Split(metadata, "\n");
+ bool ota_type_matched = false;
+ bool device_type_matched = false;
+ bool has_serial_number = false;
+ bool serial_number_matched = false;
+ for (const auto& line : lines) {
+ if (line == "ota-type=BRICK") {
+ ota_type_matched = true;
+ } else if (android::base::StartsWith(line, "pre-device=")) {
+ std::string device_type = line.substr(strlen("pre-device="));
+ char real_device_type[PROPERTY_VALUE_MAX];
+ property_get("ro.build.product", real_device_type, "");
+ device_type_matched = (device_type == real_device_type);
+ } else if (android::base::StartsWith(line, "serialno=")) {
+ std::string serial_no = line.substr(strlen("serialno="));
+ char real_serial_no[PROPERTY_VALUE_MAX];
+ property_get("ro.serialno", real_serial_no, "");
+ has_serial_number = true;
+ serial_number_matched = (serial_no == real_serial_no);
+ }
+ }
+ return ota_type_matched && device_type_matched && (!has_serial_number || serial_number_matched);
+}
+
+// Wipe the current A/B device, with a secure wipe of all the partitions in
+// RECOVERY_WIPE.
+static bool wipe_ab_device(size_t wipe_package_size) {
+ ui->SetBackground(RecoveryUI::ERASING);
+ ui->SetProgressType(RecoveryUI::INDETERMINATE);
+
+ if (!check_wipe_package(wipe_package_size)) {
+ LOGE("Failed to verify wipe package\n");
+ return false;
+ }
+ std::string partition_list;
+ if (!android::base::ReadFileToString(RECOVERY_WIPE, &partition_list)) {
+ LOGE("failed to read \"%s\".\n", RECOVERY_WIPE);
+ return false;
+ }
+
+ std::vector<std::string> lines = android::base::Split(partition_list, "\n");
+ for (const std::string& line : lines) {
+ std::string partition = android::base::Trim(line);
+ // Ignore '#' comment or empty lines.
+ if (android::base::StartsWith(partition, "#") || partition.empty()) {
+ continue;
+ }
+
+ // Proceed anyway even if it fails to wipe some partition.
+ secure_wipe_partition(partition);
+ }
+ return true;
+}
+
+static void choose_recovery_file(Device* device) {
// "Back" + KEEP_LOG_COUNT * 2 + terminating nullptr entry
char* entries[1 + KEEP_LOG_COUNT * 2 + 1];
memset(entries, 0, sizeof(entries));
unsigned int n = 0;
- // Add LAST_LOG_FILE + LAST_LOG_FILE.x
- // Add LAST_KMSG_FILE + LAST_KMSG_FILE.x
- for (int i = 0; i < KEEP_LOG_COUNT; i++) {
- char* log_file;
- int ret;
- ret = (i == 0) ? asprintf(&log_file, "%s", LAST_LOG_FILE) :
- asprintf(&log_file, "%s.%d", LAST_LOG_FILE, i);
- if (ret == -1) {
- // memory allocation failure - return early. Should never happen.
- return;
- }
- if ((ensure_path_mounted(log_file) != 0) || (access(log_file, R_OK) == -1)) {
- free(log_file);
- } else {
- entries[n++] = log_file;
- }
+ if (has_cache) {
+ // Add LAST_LOG_FILE + LAST_LOG_FILE.x
+ // Add LAST_KMSG_FILE + LAST_KMSG_FILE.x
+ for (int i = 0; i < KEEP_LOG_COUNT; i++) {
+ char* log_file;
+ int ret;
+ ret = (i == 0) ? asprintf(&log_file, "%s", LAST_LOG_FILE) :
+ asprintf(&log_file, "%s.%d", LAST_LOG_FILE, i);
+ if (ret == -1) {
+ // memory allocation failure - return early. Should never happen.
+ return;
+ }
+ if ((ensure_path_mounted(log_file) != 0) || (access(log_file, R_OK) == -1)) {
+ free(log_file);
+ } else {
+ entries[n++] = log_file;
+ }
- char* kmsg_file;
- ret = (i == 0) ? asprintf(&kmsg_file, "%s", LAST_KMSG_FILE) :
- asprintf(&kmsg_file, "%s.%d", LAST_KMSG_FILE, i);
- if (ret == -1) {
- // memory allocation failure - return early. Should never happen.
- return;
+ char* kmsg_file;
+ ret = (i == 0) ? asprintf(&kmsg_file, "%s", LAST_KMSG_FILE) :
+ asprintf(&kmsg_file, "%s.%d", LAST_KMSG_FILE, i);
+ if (ret == -1) {
+ // memory allocation failure - return early. Should never happen.
+ return;
+ }
+ if ((ensure_path_mounted(kmsg_file) != 0) || (access(kmsg_file, R_OK) == -1)) {
+ free(kmsg_file);
+ } else {
+ entries[n++] = kmsg_file;
+ }
}
- if ((ensure_path_mounted(kmsg_file) != 0) || (access(kmsg_file, R_OK) == -1)) {
- free(kmsg_file);
- } else {
- entries[n++] = kmsg_file;
+ } else {
+ // If cache partition is not found, view /tmp/recovery.log instead.
+ ui->Print("No /cache partition found.\n");
+ if (access(TEMPORARY_LOG_FILE, R_OK) == -1) {
+ return;
+ } else{
+ entries[n++] = strdup(TEMPORARY_LOG_FILE);
}
}
@@ -1227,7 +1391,7 @@
}
static void set_retry_bootloader_message(int retry_count, int argc, char** argv) {
- struct bootloader_message boot {};
+ bootloader_message boot = {};
strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
@@ -1246,7 +1410,34 @@
snprintf(buffer, sizeof(buffer), "--retry_count=%d\n", retry_count+1);
strlcat(boot.recovery, buffer, sizeof(boot.recovery));
}
- set_bootloader_message(&boot);
+ std::string err;
+ if (!write_bootloader_message(boot, &err)) {
+ LOGE("%s\n", err.c_str());
+ }
+}
+
+static bool bootreason_in_blacklist() {
+ char bootreason[PROPERTY_VALUE_MAX];
+ if (property_get("ro.boot.bootreason", bootreason, nullptr) > 0) {
+ for (const auto& str : bootreason_blacklist) {
+ if (strcasecmp(str.c_str(), bootreason) == 0) {
+ return true;
+ }
+ }
+ }
+ return false;
+}
+
+static void log_failure_code(ErrorCode code, const char *update_package) {
+ FILE* install_log = fopen_path(TEMPORARY_INSTALL_FILE, "w");
+ if (install_log != nullptr) {
+ fprintf(install_log, "%s\n", update_package);
+ fprintf(install_log, "0\n");
+ fprintf(install_log, "error: %d\n", code);
+ fclose(install_log);
+ } else {
+ LOGE("failed to open last_install: %s\n", strerror(errno));
+ }
}
static ssize_t logbasename(
@@ -1341,6 +1532,8 @@
const char *update_package = NULL;
bool should_wipe_data = false;
bool should_wipe_cache = false;
+ bool should_wipe_ab = false;
+ size_t wipe_package_size = 0;
bool show_text = false;
bool sideload = false;
bool sideload_auto_reboot = false;
@@ -1350,7 +1543,8 @@
bool security_update = false;
int arg;
- while ((arg = getopt_long(argc, argv, "", OPTIONS, NULL)) != -1) {
+ int option_index;
+ while ((arg = getopt_long(argc, argv, "", OPTIONS, &option_index)) != -1) {
switch (arg) {
case 'i': send_intent = optarg; break;
case 'n': android::base::ParseInt(optarg, &retry_count, 0); break;
@@ -1373,6 +1567,16 @@
case 'p': shutdown_after = true; break;
case 'r': reason = optarg; break;
case 'e': security_update = true; break;
+ case 0: {
+ if (strcmp(OPTIONS[option_index].name, "wipe_ab") == 0) {
+ should_wipe_ab = true;
+ break;
+ } else if (strcmp(OPTIONS[option_index].name, "wipe_package_size") == 0) {
+ android::base::ParseUint(optarg, &wipe_package_size);
+ break;
+ }
+ break;
+ }
case '?':
LOGE("Invalid command argument\n");
continue;
@@ -1459,15 +1663,12 @@
BATTERY_OK_PERCENTAGE);
// Log the error code to last_install when installation skips due to
// low battery.
- FILE* install_log = fopen_path(LAST_INSTALL_FILE, "w");
- if (install_log != nullptr) {
- fprintf(install_log, "%s\n", update_package);
- fprintf(install_log, "0\n");
- fprintf(install_log, "error: %d\n", kLowBattery);
- fclose(install_log);
- } else {
- LOGE("failed to open last_install: %s\n", strerror(errno));
- }
+ log_failure_code(kLowBattery, update_package);
+ status = INSTALL_SKIPPED;
+ } else if (bootreason_in_blacklist()) {
+ // Skip update-on-reboot when bootreason is kernel_panic or similar
+ ui->Print("bootreason is in the blacklist; skip OTA installation\n");
+ log_failure_code(kBootreasonInBlacklist, update_package);
status = INSTALL_SKIPPED;
} else {
status = install_package(update_package, &should_wipe_cache,
@@ -1511,6 +1712,10 @@
if (!wipe_cache(false, device)) {
status = INSTALL_ERROR;
}
+ } else if (should_wipe_ab) {
+ if (!wipe_ab_device(wipe_package_size)) {
+ status = INSTALL_ERROR;
+ }
} else if (sideload) {
// 'adb reboot sideload' acts the same as user presses key combinations
// to enter the sideload mode. When 'sideload-auto-reboot' is used, text
diff --git a/screen_ui.cpp b/screen_ui.cpp
index 85f789f..2a0769e 100644
--- a/screen_ui.cpp
+++ b/screen_ui.cpp
@@ -105,29 +105,41 @@
// Here's the intended layout:
-// | regular large
-// ---------+--------------------
-// | 220dp 366dp
-// icon | (200dp) (200dp)
-// | 68dp 68dp
-// text | (14sp) (14sp)
-// | 32dp 32dp
-// progress | (2dp) (2dp)
-// | 194dp 340dp
+// | portrait large landscape large
+// ---------+-------------------------------------------------
+// gap | 220dp 366dp 142dp 284dp
+// icon | (200dp)
+// gap | 68dp 68dp 56dp 112dp
+// text | (14sp)
+// gap | 32dp 32dp 26dp 52dp
+// progress | (2dp)
+// gap | 194dp 340dp 131dp 262dp
// Note that "baseline" is actually the *top* of each icon (because that's how our drawing
// routines work), so that's the more useful measurement for calling code.
+enum Layout { PORTRAIT = 0, PORTRAIT_LARGE = 1, LANDSCAPE = 2, LANDSCAPE_LARGE = 3, LAYOUT_MAX };
+enum Dimension { PROGRESS = 0, TEXT = 1, ICON = 2, DIMENSION_MAX };
+static constexpr int kLayouts[LAYOUT_MAX][DIMENSION_MAX] = {
+ { 194, 32, 68, }, // PORTRAIT
+ { 340, 32, 68, }, // PORTRAIT_LARGE
+ { 131, 26, 56, }, // LANDSCAPE
+ { 262, 52, 112, }, // LANDSCAPE_LARGE
+};
+
int ScreenRecoveryUI::GetAnimationBaseline() {
- return GetTextBaseline() - PixelsFromDp(68) - gr_get_height(loopFrames[0]);
+ return GetTextBaseline() - PixelsFromDp(kLayouts[layout_][ICON]) -
+ gr_get_height(loopFrames[0]);
}
int ScreenRecoveryUI::GetTextBaseline() {
- return GetProgressBaseline() - PixelsFromDp(32) - gr_get_height(installing_text);
+ return GetProgressBaseline() - PixelsFromDp(kLayouts[layout_][TEXT]) -
+ gr_get_height(installing_text);
}
int ScreenRecoveryUI::GetProgressBaseline() {
- return gr_fb_height() - PixelsFromDp(is_large_ ? 340 : 194) - gr_get_height(progressBarFill);
+ return gr_fb_height() - PixelsFromDp(kLayouts[layout_][PROGRESS]) -
+ gr_get_height(progressBarFill);
}
// Clear the screen and draw the currently selected background icon (if any).
@@ -439,7 +451,11 @@
gr_init();
density_ = static_cast<float>(property_get_int32("ro.sf.lcd_density", 160)) / 160.f;
- is_large_ = gr_fb_height() > PixelsFromDp(800);
+
+ // Are we portrait or landscape?
+ layout_ = (gr_fb_width() > gr_fb_height()) ? LANDSCAPE : PORTRAIT;
+ // Are we the large variant of our base layout?
+ if (gr_fb_height() > PixelsFromDp(800)) ++layout_;
gr_font_size(&char_width_, &char_height_);
text_rows_ = gr_fb_height() / char_height_;
diff --git a/screen_ui.h b/screen_ui.h
index 4319b76..8987757 100644
--- a/screen_ui.h
+++ b/screen_ui.h
@@ -77,8 +77,8 @@
// The scale factor from dp to pixels. 1.0 for mdpi, 4.0 for xxxhdpi.
float density_;
- // True if we should use the large layout.
- bool is_large_;
+ // The layout to use.
+ int layout_;
GRSurface* error_icon;
diff --git a/uncrypt/Android.mk b/uncrypt/Android.mk
index 09cfdfc..bb276ed 100644
--- a/uncrypt/Android.mk
+++ b/uncrypt/Android.mk
@@ -15,15 +15,6 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_CLANG := true
-LOCAL_SRC_FILES := bootloader_message_writer.cpp
-LOCAL_MODULE := libbootloader_message_writer
-LOCAL_STATIC_LIBRARIES := libbase libfs_mgr
-LOCAL_C_INCLUDES := $(LOCAL_PATH)/..
-LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
-include $(BUILD_STATIC_LIBRARY)
-
-include $(CLEAR_VARS)
LOCAL_CLANG := true
@@ -33,7 +24,7 @@
LOCAL_MODULE := uncrypt
-LOCAL_STATIC_LIBRARIES := libbootloader_message_writer libbase \
+LOCAL_STATIC_LIBRARIES := libbootloader_message libbase \
liblog libfs_mgr libcutils \
LOCAL_INIT_RC := uncrypt.rc
diff --git a/uncrypt/bootloader_message_writer.cpp b/uncrypt/bootloader_message_writer.cpp
deleted file mode 100644
index 3bb106a..0000000
--- a/uncrypt/bootloader_message_writer.cpp
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <string.h>
-#include <sys/system_properties.h>
-
-#include <string>
-#include <vector>
-
-#include <android-base/file.h>
-#include <android-base/stringprintf.h>
-#include <android-base/unique_fd.h>
-#include <fs_mgr.h>
-
-#include "bootloader.h"
-
-static struct fstab* read_fstab(std::string* err) {
- // The fstab path is always "/fstab.${ro.hardware}".
- std::string fstab_path = "/fstab.";
- char value[PROP_VALUE_MAX];
- if (__system_property_get("ro.hardware", value) == 0) {
- *err = "failed to get ro.hardware";
- return nullptr;
- }
- fstab_path += value;
- struct fstab* fstab = fs_mgr_read_fstab(fstab_path.c_str());
- if (fstab == nullptr) {
- *err = "failed to read " + fstab_path;
- }
- return fstab;
-}
-
-static std::string get_misc_blk_device(std::string* err) {
- struct fstab* fstab = read_fstab(err);
- if (fstab == nullptr) {
- return "";
- }
- fstab_rec* record = fs_mgr_get_entry_for_mount_point(fstab, "/misc");
- if (record == nullptr) {
- *err = "failed to find /misc partition";
- return "";
- }
- return record->blk_device;
-}
-
-static bool write_bootloader_message(const bootloader_message& boot, std::string* err) {
- std::string misc_blk_device = get_misc_blk_device(err);
- if (misc_blk_device.empty()) {
- return false;
- }
- android::base::unique_fd fd(open(misc_blk_device.c_str(), O_WRONLY | O_SYNC));
- if (fd.get() == -1) {
- *err = android::base::StringPrintf("failed to open %s: %s", misc_blk_device.c_str(),
- strerror(errno));
- return false;
- }
- if (!android::base::WriteFully(fd.get(), &boot, sizeof(boot))) {
- *err = android::base::StringPrintf("failed to write %s: %s", misc_blk_device.c_str(),
- strerror(errno));
- return false;
- }
- // TODO: O_SYNC and fsync duplicates each other?
- if (fsync(fd.get()) == -1) {
- *err = android::base::StringPrintf("failed to fsync %s: %s", misc_blk_device.c_str(),
- strerror(errno));
- return false;
- }
- return true;
-}
-
-bool clear_bootloader_message(std::string* err) {
- bootloader_message boot = {};
- return write_bootloader_message(boot, err);
-}
-
-bool write_bootloader_message(const std::vector<std::string>& options, std::string* err) {
- bootloader_message boot = {};
- strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
- strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
- for (const auto& s : options) {
- strlcat(boot.recovery, s.c_str(), sizeof(boot.recovery));
- if (s.back() != '\n') {
- strlcat(boot.recovery, "\n", sizeof(boot.recovery));
- }
- }
- return write_bootloader_message(boot, err);
-}
-
-extern "C" bool write_bootloader_message(const char* options) {
- std::string err;
- return write_bootloader_message({options}, &err);
-}
diff --git a/uncrypt/include/bootloader_message_writer.h b/uncrypt/include/bootloader_message_writer.h
deleted file mode 100644
index e0ca3f4..0000000
--- a/uncrypt/include/bootloader_message_writer.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef BOOTLOADER_MESSAGE_WRITER_H
-#define BOOTLOADER_MESSAGE_WRITER_H
-
-#ifdef __cplusplus
-#include <string>
-#include <vector>
-
-bool clear_bootloader_message(std::string* err);
-
-bool write_bootloader_message(const std::vector<std::string>& options, std::string* err);
-
-#else
-#include <stdbool.h>
-
-// C Interface.
-bool write_bootloader_message(const char* options);
-#endif
-
-#endif // BOOTLOADER_MESSAGE_WRITER_H
diff --git a/uncrypt/uncrypt.cpp b/uncrypt/uncrypt.cpp
index d7105a0..5e804bc 100644
--- a/uncrypt/uncrypt.cpp
+++ b/uncrypt/uncrypt.cpp
@@ -109,7 +109,7 @@
#include <android-base/logging.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
-#include <bootloader_message_writer.h>
+#include <bootloader_message/bootloader_message.h>
#include <cutils/android_reboot.h>
#include <cutils/properties.h>
#include <cutils/sockets.h>
@@ -503,14 +503,31 @@
return false;
}
ALOGI(" received command: [%s] (%zu)", content.c_str(), content.size());
+ std::vector<std::string> options = android::base::Split(content, "\n");
+ std::string wipe_package;
+ for (auto& option : options) {
+ if (android::base::StartsWith(option, "--wipe_package=")) {
+ std::string path = option.substr(strlen("--wipe_package="));
+ if (!android::base::ReadFileToString(path, &wipe_package)) {
+ ALOGE("failed to read %s: %s", path.c_str(), strerror(errno));
+ return false;
+ }
+ option = android::base::StringPrintf("--wipe_package_size=%zu", wipe_package.size());
+ }
+ }
// c8. setup the bcb command
std::string err;
- if (!write_bootloader_message({content}, &err)) {
+ if (!write_bootloader_message(options, &err)) {
ALOGE("failed to set bootloader message: %s", err.c_str());
write_status_to_socket(-1, socket);
return false;
}
+ if (!wipe_package.empty() && !write_wipe_package(wipe_package, &err)) {
+ ALOGE("failed to set wipe package: %s", err.c_str());
+ write_status_to_socket(-1, socket);
+ return false;
+ }
// c10. send "100" status
write_status_to_socket(100, socket);
return true;
diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk
index 7f28bce..2bfd016 100644
--- a/update_verifier/Android.mk
+++ b/update_verifier/Android.mk
@@ -18,7 +18,10 @@
LOCAL_CLANG := true
LOCAL_SRC_FILES := update_verifier.cpp
+
LOCAL_MODULE := update_verifier
-LOCAL_SHARED_LIBRARIES := libhardware liblog
+LOCAL_SHARED_LIBRARIES := libbase libcutils libhardware liblog
+
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/..
include $(BUILD_EXECUTABLE)
diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp
index be70cec..5cff8be 100644
--- a/update_verifier/update_verifier.cpp
+++ b/update_verifier/update_verifier.cpp
@@ -22,24 +22,123 @@
* It relies on dm-verity to capture any corruption on the partitions being
* verified. dm-verity must be in enforcing mode, so that it will reboot the
* device on dm-verity failures. When that happens, the bootloader should
- * mark the slot as unbootable and stops trying. We should never see a device
- * started in dm-verity logging mode but with isSlotMarkedSuccessful equals to
- * 0.
+ * mark the slot as unbootable and stops trying. Other dm-verity modes (
+ * for example, veritymode=EIO) are not accepted and simply lead to a
+ * verification failure.
*
* The current slot will be marked as having booted successfully if the
* verifier reaches the end after the verification.
*
- * TODO: The actual verification part will be added later after we have the
- * A/B OTA package format in place.
*/
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
#include <string.h>
-#include <hardware/boot_control.h>
+#include <string>
+#include <vector>
+#include <android-base/file.h>
+#include <android-base/parseint.h>
+#include <android-base/strings.h>
+#include <android-base/unique_fd.h>
+#include <cutils/properties.h>
+#include <hardware/boot_control.h>
#define LOG_TAG "update_verifier"
#include <log/log.h>
+constexpr auto CARE_MAP_FILE = "/data/ota_package/care_map.txt";
+constexpr int BLOCKSIZE = 4096;
+
+static bool read_blocks(const std::string& blk_device_prefix, const std::string& range_str) {
+ char slot_suffix[PROPERTY_VALUE_MAX];
+ property_get("ro.boot.slot_suffix", slot_suffix, "");
+ std::string blk_device = blk_device_prefix + std::string(slot_suffix);
+ android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(blk_device.c_str(), O_RDONLY)));
+ if (fd.get() == -1) {
+ SLOGE("Error reading partition %s: %s\n", blk_device.c_str(), strerror(errno));
+ return false;
+ }
+
+ // For block range string, first integer 'count' equals 2 * total number of valid ranges,
+ // followed by 'count' number comma separated integers. Every two integers reprensent a
+ // block range with the first number included in range but second number not included.
+ // For example '4,64536,65343,74149,74150' represents: [64536,65343) and [74149,74150).
+ std::vector<std::string> ranges = android::base::Split(range_str, ",");
+ size_t range_count;
+ bool status = android::base::ParseUint(ranges[0].c_str(), &range_count);
+ if (!status || (range_count == 0) || (range_count % 2 != 0) ||
+ (range_count != ranges.size()-1)) {
+ SLOGE("Error in parsing range string.\n");
+ return false;
+ }
+
+ size_t blk_count = 0;
+ for (size_t i = 1; i < ranges.size(); i += 2) {
+ unsigned int range_start, range_end;
+ bool parse_status = android::base::ParseUint(ranges[i].c_str(), &range_start);
+ parse_status = parse_status && android::base::ParseUint(ranges[i+1].c_str(), &range_end);
+ if (!parse_status || range_start >= range_end) {
+ SLOGE("Invalid range pair %s, %s.\n", ranges[i].c_str(), ranges[i+1].c_str());
+ return false;
+ }
+
+ if (lseek64(fd.get(), static_cast<off64_t>(range_start) * BLOCKSIZE, SEEK_SET) == -1) {
+ SLOGE("lseek to %u failed: %s.\n", range_start, strerror(errno));
+ return false;
+ }
+
+ size_t size = (range_end - range_start) * BLOCKSIZE;
+ std::vector<uint8_t> buf(size);
+ if (!android::base::ReadFully(fd.get(), buf.data(), size)) {
+ SLOGE("Failed to read blocks %u to %u: %s.\n", range_start, range_end,
+ strerror(errno));
+ return false;
+ }
+ blk_count += (range_end - range_start);
+ }
+
+ SLOGI("Finished reading %zu blocks on %s.\n", blk_count, blk_device.c_str());
+ return true;
+}
+
+static bool verify_image(const std::string& care_map_name) {
+ android::base::unique_fd care_map_fd(TEMP_FAILURE_RETRY(open(care_map_name.c_str(), O_RDONLY)));
+ // If the device is flashed before the current boot, it may not have care_map.txt
+ // in /data/ota_package. To allow the device to continue booting in this situation,
+ // we should print a warning and skip the block verification.
+ if (care_map_fd.get() == -1) {
+ SLOGI("Warning: care map %s not found.\n", care_map_name.c_str());
+ return true;
+ }
+ // Care map file has four lines (two lines if vendor partition is not present):
+ // First line has the block device name, e.g./dev/block/.../by-name/system.
+ // Second line holds all ranges of blocks to verify.
+ // The next two lines have the same format but for vendor partition.
+ std::string file_content;
+ if (!android::base::ReadFdToString(care_map_fd.get(), &file_content)) {
+ SLOGE("Error reading care map contents to string.\n");
+ return false;
+ }
+
+ std::vector<std::string> lines;
+ lines = android::base::Split(android::base::Trim(file_content), "\n");
+ if (lines.size() != 2 && lines.size() != 4) {
+ SLOGE("Invalid lines in care_map: found %zu lines, expecting 2 or 4 lines.\n",
+ lines.size());
+ return false;
+ }
+
+ for (size_t i = 0; i < lines.size(); i += 2) {
+ if (!read_blocks(lines[i], lines[i+1])) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
int main(int argc, char** argv) {
for (int i = 1; i < argc; i++) {
SLOGI("Started with arg %d: %s\n", i, argv[i]);
@@ -58,15 +157,24 @@
unsigned current_slot = module->getCurrentSlot(module);
int is_successful= module->isSlotMarkedSuccessful(module, current_slot);
SLOGI("Booting slot %u: isSlotMarkedSuccessful=%d\n", current_slot, is_successful);
-
if (is_successful == 0) {
// The current slot has not booted successfully.
-
- // TODO: Add the actual verification after we have the A/B OTA package
- // format in place.
-
- // TODO: Assert the dm-verity mode. Bootloader should never boot a newly
- // flashed slot (isSlotMarkedSuccessful == 0) with dm-verity logging mode.
+ char verity_mode[PROPERTY_VALUE_MAX];
+ if (property_get("ro.boot.veritymode", verity_mode, "") == -1) {
+ SLOGE("Failed to get dm-verity mode");
+ return -1;
+ } else if (strcasecmp(verity_mode, "eio") == 0) {
+ // We shouldn't see verity in EIO mode if the current slot hasn't booted
+ // successfully before. Therefore, fail the verification when veritymode=eio.
+ SLOGE("Found dm-verity in EIO mode, skip verification.");
+ return -1;
+ } else if (strcmp(verity_mode, "enforcing") != 0) {
+ SLOGE("Unexpected dm-verity mode : %s, expecting enforcing.", verity_mode);
+ return -1;
+ } else if (!verify_image(CARE_MAP_FILE)) {
+ SLOGE("Failed to verify all blocks in care map file.\n");
+ return -1;
+ }
int ret = module->markBootSuccessful(module);
if (ret != 0) {
diff --git a/updater/install.cpp b/updater/install.cpp
index 1a647df..005f9f9 100644
--- a/updater/install.cpp
+++ b/updater/install.cpp
@@ -1417,7 +1417,7 @@
v->data = nullptr;
FileContents fc;
- if (LoadFileContents(filename, &fc) != 0) {
+ if (LoadFileContents(filename, &fc) == 0) {
v->data = static_cast<char*>(malloc(fc.data.size()));
if (v->data != nullptr) {
memcpy(v->data, fc.data.data(), fc.data.size());
