| Commit message | Author | Files | Lines |
|
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.
Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
|
|
If we use the default parameter we'll get O_CLOEXEC, which will close the fd
that we pass to the child process, which will cause it to fail. Passing zero
avoids the problem.
Bug: 122813742
Test: Verify that non-A/B OTA update is successful.
Change-Id: Ia61bc7260f17d9209715583e6ded69e1196ed3f6
|
|
This helps to expose librecovery_ui for device specific RecoveryUi.
Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
(cherry picked from commit b5108c372c8b92671ea5ebb4eeff00757fcee187)
|
|
This helps to expose librecovery_ui for device specific RecoveryUi.
Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
|
|
android::vintf::VintfObjectRecovery::CheckCompatibility() may try to
mount partitions in order to read the needed files, which may not be
feasible when resuming an interrupted update. This CL changes the logic
to enforce compatibility check on fresh install only.
Fix: 122864541
Test: Sideloading on taimen keeps working.
Test: Sideload a package by setting the retry bit. Check that
compatibility check is skipped.
Change-Id: I018a0c802c85a0e84a6f2aac50630a677d64382a
|
|
Creates a new class to handle the package in memory and package read from fd.
Define the new interface functions, and make approximate changes to the
verify and install functions.
Bug: 127071893
Test: unit tests pass, sideload a package
Change-Id: I66ab00654df92471184536fd147b237a86e9c5b5
|
|
Also clean up the comments regarding updater/recovery protocol.
Test: Sideload a package on taimen. Check that /tmp/recovery.log
contains the log from update_engine_sideload.
Test: Factory reset on taimen. Check that log file has the info from
mke2fs.
Change-Id: If560269ce7007769fc85a63bd228813bdd75bebd
|
|
Test: Build and boot into recovery on marlin. Factory reset.
Test: Build and install a non-A/B OTA that calls format.
Change-Id: I72416e775e237fc15ca5eff1036175a9eef43b76
|
|
Convert code to use C++ Fstab struct and C++ std::strings.
Bug: 62292478
Bug: 118634720
Test: boots
Change-Id: Ibdc1df5831bc885d7c1574419f41af026e49a137
|
|
WEXITSTATUS only gives meaningful value if WIFEXITED is true. So we may
see a slightly confusing message of "E:Error in /path/to/package (Status
0)" for a killed updater process (e.g. updater calling abort(3)). This
CL dumps the signal number for such a case.
Test: abort() in child process. Check the output.
Change-Id: I72e6654a6499d65155085de658062efb9f1e36ac
|
|
The two functions check_wipe_package() and check_newer_ab_build() were
using the same flow; and checked the same device properties against the
metadata file in the package. These properties include: ota_type,
pre-device, and serial number.
Therefore, we can consolidate the checks to a single function; and
continue to check the fingerprint and timestamp only for AB updates.
This change also addresses the need to accept multiple serial numbers in
the wipe package.
Bug: 118401208
Test: unit tests pass
Change-Id: Ia6bc48fb6effcae059a2ff2cf71764b4136b4c00
|
|
This is in line with the build system change which copies the recovery ota
install keys to a zipfile. And now recovery will parse and load the public
keys from /res/otacerts.zip. The legacy load_keys functions will be
removed in later cls.
Bug: 116655889
Test: sideload an ota package
Change-Id: I95e91736ca9964df06d74aa292d672e2f9e442e8
|
|
The fields of the ZipArchive on the stack are not initialized before we
call libminzip to parse the zip file. As a result, some random memory
location is freed unintentionally when we close the ZipArchive upon
parsing failures.
Bug: 35385357
Test: recompile and run the poc with asan.
Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079
|
|
The fields of the ZipArchive on the stack are not initialized before we
call libminzip to parse the zip file. As a result, some random memory
location is freed unintentionally when we close the ZipArchive upon
parsing failures.
Bug: 35385357
Test: recompile and run the poc with asan.
Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079
|
|
The fields of the ZipArchive on the stack are not initialized before we
call libminzip to parse the zip file. As a result, some random memory
location is freed unintentionally when we close the ZipArchive upon
parsing failures.
Bug: 35385357
Test: recompile and run the poc with asan.
Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079
|
|
Bug: 112494634
Test: Build and boot into recovery image on taimen. Verify that
`Apply updates from ADB` keeps working.
Test: Run recovery_component_test on marlin.
Change-Id: I9ee8834053fda79a4fd77bfa83eab3cc51a90dff
|
|
This shortens the gap between A/B and non-A/B builds, by replacing the
dependency on build-time flag with runtime detection instead. It also
allows building and testing both paths regardless of the target OTA
type.
The size increase to /sbin/recovery looks negligible (< 0.01%).
- marlin: increased from 2084928 to 2085024;
- angler: increased from 2084776 to 2084896.
Test: Run recovery_component_test on angler and marlin.
Test: Sideload an A/B OTA package on marlin.
Test: Sideload a non-A/B OTA package on angler.
Change-Id: I1d927d1ede9713fb42f73b4fe324aa5705ee6f99
|
|
Test: mmma -j bootable/recovery
Change-Id: I32ab98549e91f993364306e4a88dc654221b3869
|
|
We have a general need for overriding more paths (e.g. "/tmp"), mostly
for testing purpose. Rename CacheLocation to Paths, and use that to
manage TEMPORARY_{INSTALL,LOG}_FILE.
Test: mmma -j bootable/recovery
Test: recovery_component_test
Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
|
|
This reverts commit 26436d6d6010d5323349af7e119ff8f34f85c40c to re-land
"Move error_code.h into otautil.".
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".
This CL needs to land with device-specific module changes (e.g. adding
the dependency on libotautil).
Test: lunch aosp_{angler,bullhead,dragon,fugu,sailfish}-userdebug;
mmma bootable/recovery
Change-Id: If193241801af2dae73eccd31ce57cd2b81c9fd96
|
|
This reverts commit 623fe7e701d5d0fb17082d1ced14498af1b44e5b.
Reason for revert: Need to address device-specific modules.
Change-Id: Ib7a4191e7f193dfff49b02d3de76dda856800251
|
|
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".
Test: mmma bootable/recovery
Change-Id: Ia4649789cef2aaeb2785483660e9ea5a8b389c62
|
|
The earlier commit in 2dfc1a38982c4052bb32bc7fc06edeadf3908fb9
unintentionally changed the behavior. It gives a different result when
looking up non-existent mount points (e.g. /cache on marlin).
The logic behind volume_for_path("/xyz") is unclear:
- It's fine to return non-null value if it's called by
ensure_path_mounted() before accessing that file "/xyz". (Just based
on the function name, we're not actually having this case.)
- It should return nullptr if the caller is interested in the existence
of that particular mount point "/xyz".
This CL renames the function to volume_for_mount_point(), which does an
exact match by querying the given mount point from libfs_mgr. The former
volume_for_path() has been moved down to function scope for serving
ensure_path_mounted() only.
Test: Build and boot into recovery on bullhead and marlin respectively.
'View recovery logs'.
Test: 'Mount /system'
Test: 'Apply update from ADB'
Change-Id: I1a16390f57540cae08a2b8f3d439d17886975217
|
|
This reverts commit 8be0f39fec7f26164fd0791ff6d15bde65fc849c to reland
the change that removes EXPAND/STRINGIFY macros.
It's error-prone by putting anything into a string (e.g.
EXPAND(RECOVERY_API_VERSION) would become "RECOVER_API_VERSION" if we
forgot to pass -DRECOVERY_API_VERSION=3).
The initial attempt put RECOVERY_API_VERSION into common.h, which might
be included by device-specific codes but without defining that when
compiling the module. This CL avoids the issue by using a constant
in the header, with a static_assert in recovery.cpp that guards the
consistency.
Test: recovery_component_test
Test: Sideload OTAs on bullhead and sailfish respectively.
Change-Id: I12af3f73392a85554ba703f04970ec9d984ccbaa
|
|
Add report of kMapFileFailure, kForkUpdateBinaryFailure and
kUpdateBinaryCommandFailure.
Test: unit test pass; kMapFileFailure reports correctly.
Change-Id: I858c81b6c750b5e300b1b12760b1f0fa8e23b47d
|
|
The metadata file now can have multiple serial numbers in the format:
serialno=serialno1|serialno2|serialno3 ...
Verifier will pass the check if the device serial number matches any of
these numbers.
Bug: 64802465
Test: Create a metadata file with 1000 numbers and sideload in sailfish.
The checker detects both match and mismatch cases.
Change-Id: I3f12b75e15f4179df260778e37f4563d65db0fa8
|
|
Add the O_CLOEXEC or 'e' accordingly.
Bug: 63510015
Test: recovery tests pass
Change-Id: I7094bcc6af22c9687eb535116b2ca6a59178b303
|
|
The install logging currently assumes that the build number is a 32-bit
integer and prints an error when that doesn't hold true. However, that's
only a convention used by Google builds.
From build/core/version_defaults.mk:
ifeq "" "$(BUILD_NUMBER)"
# BUILD_NUMBER should be set to the source control value that
# represents the current state of the source code. E.g., a
# perforce changelist number or a git hash. Can be an arbitrary string
# (to allow for source control that uses something other than numbers),
# but must be a single word and a valid file name.
#
# If no BUILD_NUMBER is set, create a useful "I am an engineering build
# from this date/time" value. Make it start with a non-digit so that
# anyone trying to parse it as an integer will probably get "0".
BUILD_NUMBER := eng.$(shell echo $${USER:0:6}).$(shell $(DATE) +%Y%m%d.%H%M%S)
endif
Change-Id: I8e7cec0618783f69545ba76d0dce2bbc1681784c
|
|
It's a rare deadlock that happens on fugu when the updater exits too
fast due to a format error.
Bug: 62379170
Test: fake-ota fails gracefully without hanging.
Change-Id: Icbd6cff4f6b44ca20f4d75f8039332111f696cc5
|
|
This allows writing native tests for non-A/B update_binary_command().
Prior to this CL, it was extracting the updater to a hard-coded
location (/tmp/update_binary) that's not available under the test
environment.
Test: recovery_component_test on angler and marlin respectively.
Test: Sideload OTA packages on angler and marlin respectively.
Change-Id: I78b9cc211d90c0a16a84e94e339b65759300e2a8
|
|
This reverts commit ec9706738f35a859f66fd0758b73381055804f63.
Reason for revert: It's not a good idea to put RECOVERY_API_VERSION in
common.h, which might be included by device-specific codes (but with
RECOVERY_API_VERSION undefined).
Change-Id: I9feb9c64a5af3e9165164622a59b043aa28a8b8c
|
|
They are error-prone by putting anything into a string (e.g.
EXPAND(RECOVERY_API_VERSION) would become "RECOVER_API_VERSION" if we
forgot to pass -DRECOVERY_API_VERSION=3).
RECOVERY_API_VERSION is the only user (in bootable/recovery) that gets
stringified. Assign it to a typed var and sanity check the value.
Don't see other reference to the macros from device-specific recovery
directories (they can still define that locally if really needed).
Test: recovery_component_test
Test: Sideload an OTA on angler and marlin respectively.
Change-Id: I358bbdf8f0a99db5ce4c7bc2fdcafe8013501b64
|
|
Test: recovery_component_test
Test: recovery_unit_test
Test: Apply an OTA on angler.
Change-Id: I7170f03e4ce1fe06184ca1d7bcce0a695f33ac4d
|
|
Also change the parameter type for log_buffer from reference to pointer,
so the styles for parameters look consistent.
Test: mmma bootable/recovery
Test: sideload a package with the new recovery image
Change-Id: I8f25580ccf22977624648b3e2181cca44dd67c1b
|
|
Test: mmma bootable/recovery
Change-Id: I5598d32bebb9dbda4a183a1502e0b7dc4918392e
|
|
The libvintf API has landed. Hook up to do the actual verification.
Bug: 36597505
Test: recovery_component_test
Test: m recoveryimage; adb sideload on angler and sailfish, with
packages that contain dummy compatibility entries.
Test: m recoveryimage; adb sideload on angler and sailfish, with
packages that don't contain any compatibility entries.
Change-Id: Idbd6f5aaef605ca51b20e667505d686de5ac781f
(cherry picked from commit da320ac6ab53395ddff3cc08b88a61f977ed939a)
|
|
The libvintf API has landed. Hook up to do the actual verification.
Bug: 36597505
Test: recovery_component_test
Test: m recoveryimage; adb sideload on angler and sailfish, with
packages that contain dummy compatibility entries.
Test: m recoveryimage; adb sideload on angler and sailfish, with
packages that don't contain any compatibility entries.
Change-Id: Idbd6f5aaef605ca51b20e667505d686de5ac781f
|
|
Test: recovery_component_test
Change-Id: I672a6a4f101c72e82b9f25f165dccd1c9520627b
|
|
- Move some macros / constants into functions;
- Remove unneeded #include "minui/minui.h";
- Remove two dead constants (DEFAULT_{FILES,IMAGES}_PROGRESS_FRACTION).
Test: mmma bootable/recovery
Change-Id: Ib808f14b7569e06e23a8a7cc9b2d4e9aa5469de1
|
|
Expose update_binary_command() through private/install.h for testing
purpose.
Also make minor clean-ups to install.cpp: a) adding more verbose logging
on ExtractToMemory failures; b) update_binary_command() taking
std::string instead of const char*; c) moving a few macro and global
constants into update_binary_command().
Bug: 37300957
Test: recovery_component_test on marlin
Test: Build new recovery and adb sideload on angler and sailfish.
Change-Id: Ib2d9068af3fee038f01c90940ccaeb0a7da374fc
Merged-In: Ib2d9068af3fee038f01c90940ccaeb0a7da374fc
(cherry picked from commit bc4b1fe4c4305ebf0fbfc891b9b508c14b5c8ef8)
|
|
Expose update_binary_command() through private/install.h for testing
purpose.
Also make minor clean-ups to install.cpp: a) adding more verbose logging
on ExtractToMemory failures; b) update_binary_command() taking
std::string instead of const char*; c) moving a few macro and global
constants into update_binary_command().
Bug: 37300957
Test: recovery_component_test on marlin
Test: Build new recovery and adb sideload on angler and sailfish.
Change-Id: Ib2d9068af3fee038f01c90940ccaeb0a7da374fc
|
|
"""
void* cookie;
std::unique_ptr<void, decltype(&EndIteration)> guard(cookie, EndIteration);
...
EndIteration(cookie);
"""
The above pattern is buggy in that it frees 'cookie' twice.
Bug: 37413730
Test: Build new recovery and adb sideload a previously crashed package
that contains 'compatibility.zip'.
Change-Id: I183c33827fb28a438ebaedda446e84cabe7cb92d
(cherry picked from commit f978278995d02a58e311fe017bdbb2c3702dd3bc)
|
|
"""
void* cookie;
std::unique_ptr<void, decltype(&EndIteration)> guard(cookie, EndIteration);
...
EndIteration(cookie);
"""
The above pattern is buggy in that it frees 'cookie' twice.
Bug: 37413730
Test: Build new recovery and adb sideload a previously crashed package
that contains 'compatibility.zip'.
Change-Id: I183c33827fb28a438ebaedda446e84cabe7cb92d
|
|
verify_package_compatibility() is added to parse the compatibility entry
(compatibility.zip) in a given OTA package. If entry is present, the
information is sent to libvintf to check the compatibility.
This CL doesn't actually call libvintf, since the API there is not
available yet.
Bug: 36597505
Test: Doesn't break the install with existing packages (i.e. w/o the
compatibility entry).
Test: recovery_component_test
Change-Id: I3903ffa5f6ba33a5c0d761602ade6290c6752596
(cherry picked from commit 62e0bc7586077b3bde82759fb34b51b982cea20f)
|
|
verify_package_compatibility() is added to parse the compatibility entry
(compatibility.zip) in a given OTA package. If entry is present, the
information is sent to libvintf to check the compatibility.
This CL doesn't actually call libvintf, since the API there is not
available yet.
Bug: 36597505
Test: Doesn't break the install with existing packages (i.e. w/o the
compatibility entry).
Test: recovery_component_test
Change-Id: I3903ffa5f6ba33a5c0d761602ade6290c6752596
|
|
am: 556ca4e301
Change-Id: Ib75bdbee801b1caa2ff7b94b174feae1f7d85688
(cherry picked from commit 6ccd0b780fe0953bcea4c538fe2c0a1f2b9f5af2)
|
|
Log the maximum temperature as well as the start/end temperature of an
update to last_install. Check the temperature at the end of each
block_image_update(verify). To get the maximum temp, we iterate through
/sys/class/thermal/thermal_zone*/temp and find the maximum value
present.
Bug: 32518487
Test: temperature logs in last_install
Change-Id: Iaf22a9fbc5b18611bbc5320ffea995417872e514
|
|
This warning may cause confusion for users.
Bug: 36590598
Test: Warning line no longer shows for sailfish.
Change-Id: I277c87a50a72fdb499be790ee25b97f815d980be
(cherry picked from commit bcb5b18630f518835a0768535b43ccfe91683fc9)
|
|
This warning may cause confusion for users.
Bug: 36590598
Test: Warning line no longer shows for sailfish.
Change-Id: I277c87a50a72fdb499be790ee25b97f815d980be
Merged-In: I277c87a50a72fdb499be790ee25b97f815d980be
|
|
This warning may cause confusion for users.
Bug: 36590598
Test: Warning line no longer shows for sailfish.
Change-Id: I277c87a50a72fdb499be790ee25b97f815d980be
(cherry picked from commit bcb5b18630f518835a0768535b43ccfe91683fc9)
|
|
We should not touch any data while verifying packages (or parsing the
in-memory ASN.1 structures).
Test: mmma bootable/recovery
Test: recovery_component_test passes.
Test: recovery_unit_test passes.
Change-Id: Ie990662c6451ec066a1807b3081c9296afbdb0bf
|
|
verify_file() has a dependency on the global variable of 'ui' for
posting the verification progress, which requires the users of
libverifier to provide a UI instance.
This CL adds an optional argument to verify_file() so that it can
post the progress through the provided callback function. As a result,
we can drop the MockUI class in verifier_test.cpp.
Test: recovery_component_test passes.
Test: verify_file() posts progress update when installing an OTA.
Change-Id: I8b87d0f0d99777ea755d33d6dbbe2b6d44243bf1
(cherry picked from commit 5e535014dd7961fbf812abeaa27f3339775031f1)
|
|
verify_file() has a dependency on the global variable of 'ui' for
posting the verification progress, which requires the users of
libverifier to provide a UI instance.
This CL adds an optional argument to verify_file() so that it can
post the progress through the provided callback function. As a result,
we can drop the MockUI class in verifier_test.cpp.
Test: recovery_component_test passes.
Test: verify_file() posts progress update when installing an OTA.
Change-Id: I8b87d0f0d99777ea755d33d6dbbe2b6d44243bf1
|
|
-1 is not a valid exit status.
Also replace a few exit(1) with exit(EXIT_FAILURE).
Test: mmma bootable/recovery
Change-Id: I4596c8328b770bf95acccc06a4401bd5cabd4bfd
|
|
ui_print uses a mutex to protect the critical section. And a forked
child process may initialize the mutex inappropriately, which leads to a
hanging child process. So we shall avoid calling the UI functions in
child process.
Bug: 34769056
Test: fake ota on fugu failed as expected due to updater format mismatch.
Change-Id: I81bc942a796878fac19cf712512092c2b0d807c9
|
|
Currently the ui_print command between the recovery and updater doesn't
append newline. Updater has to send an extra "ui_print" command without
any argument to get the line break. This looks unnecessary. And not all
the callers (including the ones in bootable/recovery) are following this
protocol when sending the ui_print command.
This CL simplifies the protocol to always print with a newline for
ui_print command. When updating from an old recovery with the new
updater, all the ui_print'd strings would appear in one line as a side
effect. But a) it would only affect the text-mode UI, which won't be
shown to users; b) log files won't be affected.
Bug: 32305035
Test: Apply an update with the new updater on top of an old and new
recovery image respectively.
Change-Id: I305a0ffc6f180daf60919cf99d24d1495d68749b
|
|
Test: Apply two A/B incremental OTAs with the new recovery image. The
one with incorrect pre-build should be blocked, while the other
works fine.
Change-Id: I94d97eb8798599da1630f66343fb603e87464187
|
|
Move functions over to android::base versions.
- strtok(3) => android::base::Split()
- strtol(3) => android::base::ParseInt()
- strtof(3) => android::base::ParseDouble()
Test: Build recovery image and apply a package that calls ui_print /
progress / set_progress commands.
Change-Id: I953b4985e0bd9e277362ae53e233d755cf27d80c
|
|
The corresponding code was removed in commit
e08991e02a7d678f2574e85289a34b2a9a537c82 in 2010 (Froyo).
Test: N/A
Change-Id: I2b296e1b07d54232bade79fda7501387d65a4c37
|
|
This change was originally made in cw-f-dev but caused failures in
nyc-mr1-dev-plus-aosp due to lack of support for 'LOGE'.
This version of the change uses the new 'LOG(ERROR)' style logging
instead.
See bug b/31395655
Test: attempt a memory intensive incremental OTA on a low-memory device
Change-Id: Ia87d989a66b0ce3f48e862abf9b9d6943f70e554
(cherry picked from commit c8db4817809e163d887f7955a03ad0f97159f12b)
|
|
This patch enables sideloading an OTA on A/B devices while running from
recovery. Recovery accepts the same OTA package format as recent
versions of GMS, which consists of .zip file with the payload in it.
Bug: 27178350
TEST=`adb sideload` successfully a full OTA (*)
TEST=Failed to take several invalid payloads (wrong product,
fingerprint, update type, serial, etc).
(*) with no postinstall script.
Change-Id: I951869340100feb5a37e41fac0ee59c10095659e
(cherry picked from commit 4344d636d4f8687054593f88ddd7509ff8581419)
|
|
This reverts commit 8584fcf677dd45b30121bd0490b06297e6be1871.
This CL re-lands commit c0319b60f56d445c2d1c74f551e01f069b028fe6.
The "stage" and "reason" variables are now declared as global by
dropping the static qualifier, because they may be used by vendor
recovery libraries.
Test: lunch aosp_angler-userdebug; mmma bootable/recovery
Test: lunch aosp_dragon-userdebug; mmma bootable/recovery
Change-Id: I252c346f450079478cff22bbff01590b8ab2e2b3
|
|
This reverts commit c0319b60f56d445c2d1c74f551e01f069b028fe6.
Reason for revert: Broke builds.
Change-Id: I82aa880b83de5ae6c36fd7567cb001920559a972
|
|
- Remove the duplicate gCurrentUI variable in recovery.cpp;
- Refactor the load/save of locale functions;
- Clean up ui_print() to get rid of 256-byte buffer limit;
- Declare ui in common.h;
- Move the typedef of Volume into roots.h.
Test: Build and boot into recovery image.
Change-Id: Ia28c116858ca754133127a5ff9c722af67ad55b7
|
|
To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.
Based on the original cherrypick, this CL also has additional changes to
address the LOG statements and libziparchive changes.
Bug: 29159185
Test: Build and boot into recovery.
Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
(cherry picked from commit 6faf0265c9b58db2c15b53f6d29025629d52f882)
|
|
Clean up the duplicated codes that handle the zip files in
bootable/recovery; and rename the library of the remaining
utility functions to libotautil.
Test: Update package installed successfully on angler.
Bug: 19472796
Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e
|
|
Also change its logging statement from PLOG to LOG, since
android::base::StartsWith() doesn't set errno.
Test: Build and reboot into recovery image. Check last_log.
Change-Id: I55ac7eec24228db76a13580958b4a4330b06cf57
(cherry picked from commit ee9b95544a7af548e98f2b7a080e2eb7abaaf981)
(cherry picked from commit e30a5b3a44c6c2134750e28a88efd5876a28bfac)
|
|
Also change its logging statement from PLOG to LOG, since
android::base::StartsWith() doesn't set errno.
Test: Build and reboot into recovery image. Check last_log.
Change-Id: I55ac7eec24228db76a13580958b4a4330b06cf57
(cherry picked from commit ee9b95544a7af548e98f2b7a080e2eb7abaaf981)
|
|
Also change its logging statement from PLOG to LOG, since
android::base::StartsWith() doesn't set errno.
Test: Build and reboot into recovery image. Check last_log.
Change-Id: I55ac7eec24228db76a13580958b4a4330b06cf57
|
|
Add the error codes for uncrypt and report the failure details in
uncrypt_status.
Test: uncrypt_error logs correctly in last_install
Bug: 31603820
Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
(cherry picked from commit 0c68675f5ae80cd669e0bf014a69689b6fe08eee)
|
|
Add the error codes for uncrypt and report the failure details in
uncrypt_status.
Test: uncrypt_error logs correctly in last_install
Bug: 31603820
Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
(cherry picked from commit da44cf18f3ce4bbffa85ad0a50bb25e9cb54a86d)
|
|
Add the error codes for uncrypt and report the failure details in
uncrypt_status.
Test: uncrypt_error logs correctly in last_install
Bug: 31603820
Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
|
|
Currently we save the OTA metrics in last_install, which keeps the data
for the _last_ install only. This CL logs the same content into last_log
so that we keep the metrics for every install.
Bug: 31607469
Test: Apply an update (via OTA and sideload) and check last_log and last_install.
Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c
(cherry picked from commit f4885adc189f246ac3c651aa5cb2e74a240f3f1e)
|
|
Currently we save the OTA metrics in last_install, which keeps the data
for the _last_ install only. This CL logs the same content into last_log
so that we keep the metrics for every install.
Bug: 31607469
Test: Apply an update (via OTA and sideload) and check last_log and last_install.
Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c
(cherry picked from commit f4885adc189f246ac3c651aa5cb2e74a240f3f1e)
|
|
Currently we save the OTA metrics in last_install, which keeps the data
for the _last_ install only. This CL logs the same content into last_log
so that we keep the metrics for every install.
Bug: 31607469
Test: Apply an update (via OTA and sideload) and check last_log and last_install.
Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c
|
|
This change was originally made in cw-f-dev but caused failures in
nyc-mr1-dev-plus-aosp due to lack of support for 'LOGE'.
This version of the change uses the new 'LOG(ERROR)' style logging
instead.
See bug b/31395655
Test: attempt a memory intensive incremental OTA on a low-memory device
Change-Id: Ia87d989a66b0ce3f48e862abf9b9d6943f70e554
|
|
This reverts commit 78563fdf78861884f300a6a874d2a0306f1eb002.
Change-Id: I1ea4956a9843130aa41f2f7bc011c72e64fd7b62
|
|
See bug b/31395655
Change-Id: Ic5a046bc80ea88d7eb52755838bdbf4e1e47da50
|
|
Bug: 31383361
Change-Id: I0de920916da213528d73b742e4823b4a98c63ea1
(cherry picked from commit 1c1864f321b129c81883ed527b1da8c69661e51f)
|
|
Bug: 31383361
Change-Id: I0de920916da213528d73b742e4823b4a98c63ea1
|
|
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery
reads the file and saves its contents to last_install.
Bug: 31383361
Test: Tested on angler and uncrypt_time reports correctly.
(cherry picked from commit fe16b5ccaf80f6e04d5b722c37c1abd70457ad28)
Change-Id: Id69681a35c7eb2f0eb21b48e3616dcda82ce41b8
|
|
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery
reads the file and saves its contents to last_install.
Bug: 31383361
Test: Tested on angler and uncrypt_time reports correctly.
Change-Id: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
Merged-In: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
|
|
Change-Id: I42057bc2fb5096ce009fe6e4b787bc9082cd572f
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
(cherry picked from commit 747781433fb01f745529c7e9dd97c5599070ad0d)
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
|
|
* Use const reference type for read-only parameters.
Bug: 30407689
* Use faster overloaded string find function.
Bug: 30411878
* Add parentheses around macro parameters.
Bug: 28705665
Test: build with WITH_TIDY=1
Change-Id: I4e8e5748bfa4ae89871f1fb5fa4624d372530d75
|
|
Keys for package verification are loaded after the update
package is mmaped into memory. This mmaped area needs
to be freed when exiting the function.
Another approach would be to mmap after loading the keys.
Change-Id: Ib77711a8acd5c363b5517da12dc311fb8f9f4605
Signed-off-by: WiZarD <WiZarD.Devel@gmail.com>
|
|
This missing header is needed to use PRIu64 macros.
Bug: 27178350
TEST=`mma bootable/recovery` on the failing branch.
Change-Id: I165701e8019256426d3f6a4168db52c6a0197c4d
|
|
This missing header is needed to use PRIu64 macros.
Bug: 27178350
TEST=`mma bootable/recovery` on the failing branch.
Change-Id: I165701e8019256426d3f6a4168db52c6a0197c4d
|
|
This patch enables sideloading an OTA on A/B devices while running from
recovery. Recovery accepts the same OTA package format as recent
versions of GMS, which consists of .zip file with the payload in it.
Bug: 27178350
TEST=`adb sideload` successfully a full OTA (*)
TEST=Failed to take several invalid payloads (wrong product,
fingerprint, update type, serial, etc).
(*) with no postinstall script.
Change-Id: I951869340100feb5a37e41fac0ee59c10095659e
|
|
To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.
Bug: 29159185
Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
|
|
Bug: http://b/29250988
Change-Id: Ia97ba9082a165c37f74d6e1c3f71a367adc59945
|
|
Parse the build.version.incremental from the metadata of the update
package; and log it to last_install.
Example:
In metadata we read:
post-build-incremental=2951741
pre-build-incremental=2943039
In last install we log:
source_build: 2943039
target_build: 2951741
Bug: 28658632
Change-Id: I0a9cc2d01644846e18bda31f4193ff40e8924486
|
|
If the update is a retry, ioctl(BLKDISCARD) the destination blocks before
writing to these blocks.
Bug: 28990135
Change-Id: I1e703808e68ebb1292cd66afd76be8fd6946ee59
|
|
Write error code, cause code, and retry count into last_install. So we
can have more information about the reason of a failed OTA.
Example of new last_install:
@/cache/recovery/block.map package name
0 install result
retry: 1 retry count (new)
error: 30 error code (new)
cause: 12 error cause (new)
Details in:
go/android-ota-errorcode
Bug: 28471955
Change-Id: I00e7153c821e7355c1be81a86c7f228108f3dc37
|
|
One example of last_install is:
/sideload/package.zip
1
time_total: 101
bytes_written_system: 14574000
bytes_stashed_system: 100
bytes_written_vendor: 5107400
bytes_stashed_vendor: 0
Bug: 28658632
Change-Id: I4bf79ea71a609068d38fbce6b41bcb892524aa7a
|
|
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with
merge conflict resolution, extra logging in verifier.cpp, and
an increase in the hash chunk size from 4KiB to 1MiB.
Bug: http://b/28135231
Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
|
|
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
|
|
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.
Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
(cherry picked from commit 3c62b67faf8a25f1dd1c44dc19759c3997fdfd36)
|
|
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.
Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
|
|
Bug: 26906328
Change-Id: Iebaf03db0cb3054f91715f8c849be6087d01b27b
|
|
Move to using std::vector and std::unique_ptr to manage key
certificates to stop memory leaks.
Bug: 26908001
Change-Id: Ia5f799bc8dcc036a0ffae5eaa8d9f6e09abd031c
|
|
Although stdout and stderr are both redirected to the log file with no
buffering, we are seeing some outputs mixed in random order.
This is because ui_print commands from the updater are passed to the
recovery binary via a pipe, which may interleave with other outputs
that go to stderr directly.
In recovery, add a ui::PrintOnScreenOnly() function to handle the
ui_print command, which skips printing to stdout. Meanwhile, the updater
prints the contents to stderr in addition to piping them to recovery.
Change-Id: Idda93ea940d2e23a0276bb8ead4aa70a3cb97700
|
|
These commands are for the communication between the installer and the
update binary (edify interpreter). Update the comments to be in sync with
the code.
Change-Id: I7390f022b1447049a974b0b45697ef1d2e71d4e0
|
|
Currently it rotates the log files every time it boots into the recovery
mode. We lose useful logs after ten times. This CL changes the rotation
condition so that it will rotate only if it performs some actual
operations that modify the flash (installs, wipes, sideloads, etc.).
Bug: 19695622
Change-Id: Ie708ad955ef31aa500b6590c65faa72391705940
|
|
Change-Id: Ia897aa43e44d115bde6de91789b35723826ace22
|
|
Change-Id: I0737456e0221ebe9cc854d65c95a7d37d0869d56
|
|
Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).
We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.
We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host. This file is then passed to the
verification and installation systems like any other.
To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.
One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem). We rely on SELinux enforcement to
restrict the set of things that can be accessed.
Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
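The read-consistency check described in this commit message, as an added Python sketch that is not the recovery source code: every block fetched from the host is hashed with SHA-256 and compared with the digest recorded the first time that block was read. The class names, the block size and the in-memory host are assumptions made for the example.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size for this sketch

class ConsistentBlockReader:
    """Pins each block's SHA-256 on first read; later reads must match."""
    def __init__(self, fetch_block, file_size):
        self._fetch = fetch_block  # callable(block_index) -> bytes, untrusted
        self._nblocks = (file_size + BLOCK_SIZE - 1) // BLOCK_SIZE
        self._pinned = {}          # block index -> digest seen on first read

    def read_block(self, index):
        if not 0 <= index < self._nblocks:
            raise IndexError(f"block {index} out of range")
        data = self._fetch(index)
        digest = hashlib.sha256(data).digest()
        if self._pinned.setdefault(index, digest) != digest:
            # The host answered differently this time: fail the read so the
            # installer never consumes bytes the verifier did not see.
            raise OSError(f"block {index} changed between reads")
        return data

    def read_all(self):
        return b"".join(self.read_block(i) for i in range(self._nblocks))

class SwitchingHost:
    """Constructed stand-in for a host that swaps the package mid-session."""
    def __init__(self, first, second):
        self.images, self.active = (first, second), 0

    def fetch(self, index):
        start = index * BLOCK_SIZE
        return self.images[self.active][start:start + BLOCK_SIZE]

def demo():
    good = b"A" * (2 * BLOCK_SIZE) + b"tail"                 # constructed data
    evil = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"tail"   # block 1 differs
    host = SwitchingHost(good, evil)
    reader = ConsistentBlockReader(host.fetch, len(good))
    verified = reader.read_all()   # verification pass pins every block
    host.active = 1                # host swaps content before installation
    results = []
    for i in range(3):
        try:
            reader.read_block(i)
            results.append("ok")
        except OSError:
            results.append("rejected")
    return verified == good, results
```

Pinning only guarantees that both phases see the same bytes; whether those bytes are trustworthy is still decided by the signature verification that reads through the same file.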
|
|
The default recovery UI will reboot the device when the power key is
pressed 7 times in a row, regardless of what recovery is doing.
Disable this feature during package installation, to minimize the
chance of corrupting the device due to a mid-install reboot. (Debug
packages can explicitly request that the feature be reenabled.)
Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
|
|
Changes minzip and recovery's file signature verification to work on
memory regions, rather than files.
For packages which are regular files, install.cpp now mmap()s them
into memory and then passes the mapped memory to the verifier and to
the minzip library.
Support for files which are raw block maps (which will be used when we
have packages written to encrypted data partitions) is present but
largely untested so far.
Bug: 12188746
Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
|
|
A system/core change made on Mar 26 2012 6ebf12f "init: Change umask
of forked processes to 077" changed the default umask of services
forked from init.
Because recovery is forked from init, it has a umask of 077. Therefore
when update-binary is forked from recovery, it too has a umask of 077.
This umask is overly restrictive and can cause problems for scripts
relying on minzip to extract binaries directly into the target
filesystem. Any directories updated by minzip will have their
permissions reset to r-x------ and created files will have similarly
restrictive permissions.
As it seems unlikely this security measure was intended to have this
side effect on legacy sideloads that do not have chmods to repair
the damage done by minzip, this change reverts the umask to 022 in
the fork made for update-binary.
Change-Id: Ib1a3fc83aa4ecc7480b5d0c00f3c7d0d040d4887
|
|
(cherry picked from commit bac7fba02763ae5e78e8e4ba0bea727330ad953e)
Change-Id: I01c38d7fea088622a8b0bbf2c833fa2d969417af
|
|
When installing a package, we should have /tmp and /cache mounted and
nothing else. Ensure this is true by explicitly mounting them and
unmounting everything else as the first step of every install.
Also fix an error in the progress bar that crops up when you do
multiple package installs in one instance of recovery.
Change-Id: I4837ed707cb419ddd3d9f6188b6355ba1bcfe2b2
|
|
Recovery currently has a random mix of messages printed to stdout and
messages printed to stderr, which can make logs hard to read. Move
everything to stdout.
Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
|
|
Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e
|
|
Add an option to verifier_test to load keys from a file, the way the
recovery does.
Change-Id: Icba0e391164f2c1a9fefeab4b0bcb878e91d17b4
|
|
- recovery takes a --locale argument, which will be passed by the main
system
- the locale is saved in cache, in case the --locale argument is
missing (eg, when recovery is started from fastboot)
- we include images that have prerendered text for many locales
- we split the background states into four (installing update,
erasing, no command, error) so that appropriate text can be shown.
Change-Id: I731b8108e83d5ccc09a4aacfc1dbf7e86b397aaf
|
|
Change-Id: I9849c69777d513bb12926c8c622d1c12d2da568a
|
|
- add the --just_exit option to make recovery exit normally without doing anything
- make it possible to build updater extensions in C++
- add the clear_display command so that the updater binary can request
recovery switch to the NONE background UI
These are all used to support the notion of using OTA as a factory
reflash mechanism.
Change-Id: Ib00d1cbf540feff38f52a61a2cf198915b48488c
|
|
Move all the functions in ui.c to be members of a ScreenRecoveryUI
class, which is a subclass of an abstract RecoveryUI class. Recovery
then creates a global singleton instance of this class and then invokes
the methods to drive the UI. We use this to allow substitution of a
different RecoveryUI implementation for devices with radically
different form factors (eg, that don't have a screen).
Change-Id: I76bdd34eca506149f4cc07685df6a4890473f3d9
|
|
Change-Id: I423a23581048d451d53eef46e5f5eac485b77555
|
|
Change-Id: I68a67a4c8edec9a74463b3d4766005ce27b51316
|
|
updater now has a function "wipe_cache();" which causes recovery to
wipe the cache partition after the successful installation of the
package. Move log copying around a bit so logs and the last_install
flag file are copied to cache after it's wiped.
Bug: 5314244
Change-Id: Id35a9eb6dcd626c8f3a3a0076074f462ed3d44bd
|
|
When installing a package, create /cache/recovery/last_install, which
contains the filename of the package and a 1 or 0 for success or
failure.
Also, don't mount ext4 and vfat filesystems as read-only (on devices
where /cache is ext4, we need it to be read-write).
Change-Id: I0cf2a1921bbd65e06343aa74e2006577fac77c2c
|
|
Remove the wacky notion of "roots" and "root paths" (those things that
look like "FOO:some/path" instead of just "/foo/some/path"). Let each
device specify its own table of available partitions and how to mount
them (needed for devices that use both MTD/yaffs2 and EMMC/ext4
partitions).
(Cherrypicked from gingerbread w/slight edits.)
Change-Id: I2479ce76b13e73f1d12035c89386c3a82b3edf51
|
|
Remove the wacky notion of "roots" and "root paths" (those things that
look like "FOO:some/path" instead of just "/foo/some/path"). Let each
device specify its own table of available partitions and how to mount
them (needed for devices that use both MTD/yaffs2 and EMMC/ext4
partitions).
Change-Id: I18b0a572a71c5e087e0b7ae11b1774388339bfd1
|
|
Recovery itself no longer needs to access all these partitions;
manipulation of them is done by the updater binary. This is a small
first step towards removing roots entirely.
Change-Id: I3fbcada32079a37db4cc097861dfa91e0a08da30
|
|
Make the mount and format functions take extra parameters describing
the filesystem type and add support for mounting and formatting ext4
filesystems on EMMC.
Change recovery to consistently use stdout for status messages instead
of mixing stdout and stderr.
|
|
Close the update package before invoking the binary, to allow the
installer to unmount /cache if it wants to. Add a function to allow
remounting of a mount as read-only.
Change-Id: Idfcc96c3da66083295177f729263560be58034e4
|
|
Make the mount and format functions take extra parameters describing
the filesystem type and add support for mounting and formatting ext4
filesystems on EMMC.
Change recovery to consistently use stdout for status messages instead
of mixing stdout and stderr.
|
|
Fix potential string format bug.
Change-Id: Ie05aac53b2c45a48bd68e340b76ccb21edfd28b7
|
|
Remove support for the HTC-specific "firmware" update command and the
corresponding edify function write_firmware_update(). This
functionality is now done by an edify extension library that lives in
vendor/htc.
Change-Id: I80858951ff10ed8dfff98aefb796bef009e05efb
|
|
%i can't be used to read unsigned ints (though it happens to work with
bionic). Change to %x and %u as appropriate.
Change-Id: I8ea9ca16a939501757cf70fc5953abee26c8231c
http://b/2402231 - Parser for /res/keys interprets n0inv as a signed int
|
|
|
|
|
|
In recovery, verify a signature that covers the entire zip file,
instead of using the jarsigner format to verify individual files.
Bug: 1328985
|
|
Yank all the code to install OTA packages out of the recovery binary
itself. Now packages are installed by a binary included in the
package (run as a child of recovery), so we can make improvements in
the installation process without waiting for a new release to use
them.
|
|
Let recovery accept set_progress commands to control progress over the
'current segment' of the bar. Add a set_progress() builtin to the
updater binary.
|
|
To do a firmware-install-on-reboot, the update binary tells recovery
what file to install before rebooting. Let this file be specified as
"PACKAGE:<foo>" to indicate taking the file out of the OTA package,
avoiding an extra copy to /tmp. Bump the API version number to
reflect this change.
|
|
A few more changes to edify:
- fix write_raw_image(); my last change neglected to close the write
context, so the written image was corrupt.
- each expression tracks the span of the source code from which it
was compiled, so that assert()'s error message can include the
source of the expression that failed.
- the 'cookie' argument to each Function is replaced with a State
object, which contains the cookie, the source script (for use with
the above spans), and the current error message (replacing the
global variables that were used for this purpose).
- in the recovery image, a new command "ui_print" can be sent back
through the command pipe to cause text to appear on the screen.
Add a new ui_print() function to print things from scripts.
Rename existing "print" function to "stdout".
|
|
Adds more edify functions for OTAs:
is_mounted getprop apply_patch apply_patch_check apply_patch_space
write_raw_image write_firmware_image package_extract_file
This allows us to install radios, hboots, boot images, and install
incremental OTA packages.
Fixes a couple of dumb bugs in edify itself:
- we were doubling the size of the function table each time it was
*not* full, rather than each time it was full
- "no such function" errors weren't visible to the parser, so they
didn't prevent execution of the script.
|
|
Adds the following edify functions:
mount unmount format show_progress delete delete_recursive
package_extract symlink set_perm set_perm_recursive
This set is enough to extract and install the system part of a (full)
OTA package.
Adds the updater binary that extracts an edify script from the OTA
package and then executes it. Minor changes to the edify core (adds a
sleep() builtin for debugging, adds "." to the set of characters that
can appear in an unquoted string).
|
|
Allow installation of OTA packages which do not contain an
update-script, but instead contain an update-binary.
|
|
Change the recovery UI so that when there is a hboot or radio update
pending (which the user must do a home+back reboot to actually
install), the UI tells them so, instead of saying "Install from sdcard
complete."
|
|
them from an external file in the recovery image. Use the
test-keys for all builds.
Original author: dougz
Merged from: //branches/donutburger/...
Automated import of CL 144132
|
|
them from an external file in the recovery image. Use the
test-keys for all builds.
Automated import of CL 144130
|
|
|
|
|