| Commit message (Collapse) | Author | Files | Lines |
|
Bug: http://b/185916167
Test: treehugger
Change-Id: I3407052df4f12b01acc4a75c6bd0759f7a4b2c4c
|
|
mount_flags_list is a c-style NULL terminated array, but when
iterating over it via
for (const auto& [name, value] : mount_flags_list)
the last { 0, 0 } is considered a valid entry.
Then `name` is NULL but checked with (flag == name),
which causes SIGSEGV.
Also move the definition to within setMountFlag()
and make it an std::pair array
Change-Id: Ia6670113620c6e8f95151fda764c3ab40bc2d67e
|
|
Added SPDX-license-identifier-Apache-2.0 to:
applypatch/Android.bp
bootloader_message/Android.bp
edify/Android.bp
fuse_sideload/Android.bp
install/Android.bp
minadbd/Android.bp
minui/Android.bp
otautil/Android.bp
recovery_ui/Android.bp
recovery_utils/Android.bp
tests/Android.bp
tools/image_generator/Android.bp
tools/recovery_l10n/Android.bp
uncrypt/Android.bp
update_verifier/Android.bp
updater/Android.bp
updater/Android.mk
updater_sample/Android.bp
updater_sample/tests/Android.bp
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-MIT
SPDX-license-identifier-OFL
to:
Android.bp
Android.mk
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: I3da761b525452838977297f773974000d4de7bd6
|
|
On 32bit devices, an ZipEntry64 may have size > 2^32, we should check
for such cases before attempting to allocate memory.
Test: mm -j
Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
|
|
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.
Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
|
|
https: //source.android.com/setup/contribute/respectful-code
Test: Unit tests pass
Change-Id: If447b2cf923f6bc7a3a3fb5f69b9fbc06a200ebb
|
|
If device supports both A/B and non-A/B, when applying a
non-A/B package, add current slot suffix and apply the update
to the partition at current slot.
This includes:
- (un)map_partition in edify script. For example,
map_partition("system") will automatically append slot suffix
to "system" before calling CreateLogicalPartition.
- All operations in dynamic_partitions_op_list. For example,
add foo group_foo
will automatically append slot suffix to foo and group_foo
before editing the super partition metadata.
Test: apply update
Bug: 153581609
Change-Id: Idbd0bfea142529a33dddb4d2debfc74513290730
(cherry picked from commit bc7e1db2118feba14d2efe19651d40df7cf202be)
Merged-In: Idbd0bfea142529a33dddb4d2debfc74513290730
|
|
This function appends androidboot.slot_suffix to the
value of the argument.
Test: apply update
Bug: 153581609
Change-Id: I28a4047b5f2051acc039084f65a71deb492d9dcb
(cherry picked from commit dff80042750992ed635056cd9719481a14f93007)
Merged-In: I28a4047b5f2051acc039084f65a71deb492d9dcb
|
|
If device supports both A/B and non-A/B, when applying a
non-A/B package, add current slot suffix and apply the update
to the partition at current slot.
This includes:
- (un)map_partition in edify script. For example,
map_partition("system") will automatically append slot suffix
to "system" before calling CreateLogicalPartition.
- All operations in dynamic_partitions_op_list. For example,
add foo group_foo
will automatically append slot suffix to foo and group_foo
before editing the super partition metadata.
Test: apply update
Bug: 153581609
Change-Id: Idbd0bfea142529a33dddb4d2debfc74513290730
|
|
This function appends androidboot.slot_suffix to the
value of the argument.
Test: apply update
Bug: 153581609
Change-Id: I28a4047b5f2051acc039084f65a71deb492d9dcb
|
|
It's needed by libfec
Bug: 144388532
Test: mma
Change-Id: Ic82671f6506e7718afa965a511261b1b329ea38f
(cherry picked from commit 2bb374a86d0161700f01b68433063b0b13adc86a)
|
|
After a reboot function call, we should always wait for it to finish
without executing other instructions.
Bug: 151110322
Test: build
Change-Id: I1dda291a0835ff96df7eaf42eba1a38267a3beeb
(cherry picked from commit 00c4aba9bf428717fc00e26a03e97401eca76ee8)
|
|
If enabling the oem partition, it will be mounted by updater before
reading product properties from it. To be safety, we want to enable AVB
to this oem partition. But this means the oem partition can never be
mounted to writable. Otherwise, that partition will be corrupted to AVB
verifying.
This change follows fs_mgr to allow to pass more mounting options to the
updater.
BUG: 150156957
Test: make ota package which mounts AVB oem partition to read only and
run OTA.
Change-Id: I2ebbe3c8ac53c70112f3fed2703fcba9170405a6
|
|
If enabling the oem partition, it will be mounted by updater before
reading product properties from it. To be safety, we want to enable AVB
to this oem partition. But this means the oem partition can never be
mounted to writable. Otherwise, that partition will be corrupted to AVB
verifying.
This change follows fs_mgr to allow to pass more mounting options to the
updater.
BUG: 150156957
Test: make ota package which mounts AVB oem partition to read only and
run OTA.
Change-Id: I2ebbe3c8ac53c70112f3fed2703fcba9170405a6
|
|
After a reboot function call, we should always wait for it to finish
without executing other instructions.
Bug: 151110322
Test: build
Change-Id: I1dda291a0835ff96df7eaf42eba1a38267a3beeb
|
|
The following warnngs generate when compile with WITH_TIDY=1
.../bootable/recovery/applypatch/imgdiff.cpp:968:7: warning: 'src_ranges' used after it was moved [bugprone-use-after-move]
src_ranges.Clear();
^
.../bootable/recovery/applypatch/imgdiff.cpp:966:27: note: move occurred here
split_src_ranges->push_back(std::move(src_ranges));
The logic itself seems correct since the class is meant to be cleared
after move. I feel the std::move in 966 is actually useful to call the
move constructor in RangeSet. So I just modify L968 to suppress the
warning.
Less important ones:
bootable/recovery/applypatch/applypatch_modes.cpp:79:34: warning: passing result of std::move() as a const reference argument; no move will actually happen [performance-move-const-arg]
bootable/recovery/applypatch/imgdiff.cpp:1038:30: warning: passing result of std::move() as a const reference argument; no move will actually happen [performance-move-const-arg]
bootable/recovery/applypatch/imgdiff.cpp:1054:48: warning: passing result of std::move() as a const reference argument; no move will actually happen [performance-move-const-arg]
bootable/recovery/updater/include/private/commands.h:310:16: warning: std::move of the variable 'patch' of the trivially-copyable type 'PatchInfo' has no effect; remove std::move() [performance-move-const-arg]
bootable/recovery/updater/install.cpp:663:43: warning: passing result of std::move() as a const reference argument; no move will actually happen [performance-move-const-arg]
Bug: 150955971
Test: build
Change-Id: Ieb75f0229c47d470d4f5ac93fab39c5698d3f914
|
|
It's needed by libfec
Test: mma
Change-Id: Ic82671f6506e7718afa965a511261b1b329ea38f
|
|
Bug: 130696912
Test: m update_host_simulator
Change-Id: I7b3c0217268a3edcf76548a5c83030050b2d17f3
|
|
We need to run the these tests when starting updater to verify the
statically linked libcrypto. The test function is based on the known
answer tests, and it doesn't compute the hash of the libcrypto library.
Bug: 141003171
Test: unit tests pass, run a updater on cuttlefish
Change-Id: I897918a54bca76ea0c928102e7287df27505e1cc
|
|
All the active users of mounts.h now live in updater/.
Test: mmma bootable/recovery
Test: Run recovery_unit_test on taimen.
Test: Code search shows no reference to otautil/mounts.h in device dirs.
Change-Id: I6c35d2e403e92a0111102d00aa4773f4f524650e
|
|
Replace libcrypto with libcrypto_static, which can be protected through
visibility to ensure only modules that don't affect FIPS certification
can use it.
Bug: 141248879
Test: m checkbuild
Change-Id: I0affaa292237bdbc772d3adc36086905ed6fbe9d
|
|
And set it to false when installing recovery image via applypatch. We
only need to back up the source partition when doing in-place update
(e.g. when updating a given partition under recovery). When installing
recovery image via applypatch, we won't touch the source partition (i.e.
/boot).
Removing the backup step also allows dropping the dac_override_allowed
permission. Previously it was needed due to the access to /cache.
Because applypatch runs as root:root, while /cache is owned by
system:cache with 0770.
Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
is installed successfully without denials.
Test: recovery_unit_test passes on taimen.
Change-Id: I549a770b511762189d6672a2835b6e403d695919
|
|
Tested by running recovery_unit_test as described in
https://android.googlesource.com/platform/bootable/recovery/+/refs/heads/master/README.md
Attempted to build and boot a recovery image with the
same change to confirm it still works, but
m recoveryimage-nodeps
fails for me.
Bug: 140940227
Test: See above
Change-Id: I00545968a0e5684823e505f2ddbe7e993319b5d4
|
|
updater is built in Make and statically links libcrypto,
so it needs to set LOCAL_INJECT_BSSL_HASH to make the FIPS self
test pass.
Bug: 137267623
Test: m checkbuild
Change-Id: Ib253c870090ac8026f5cbb005d6b0e935c73edd1
|
|
Bug: 135752105
Test: mm libupdater_device
Change-Id: I9dc6dc1e9112177ee5c0a96b8969dc3dc02d95f2
|
|
Add the command line option to select the work directory and save the
updated image files. Because some people might have interested in
getting updated images from an ota file.
Also, fix a minor issue that the destination of package_extract_file
needs to be updated if it's a block device. Otherwise, an unintended
file may be extracted in the callers' directory.
Test: run simulation, run unit tests
Change-Id: Ic6a7db0580bc1748d6e080102e4654da4e41fd8c
|
|
Add a command line parser. Also add the support to parse the oem
property file and skip certain functions.
Bug: 131911365
Test: run simulator for wear builds
Change-Id: Ide306b53d3f42b29c02279969aeb18bec4045d6f
|
|
The device specific libs prevent us from building an universal simulator to add
to the otatools. Drop the support since there is currently no active users of the
simulator extension; plus we will unlikely to implement the device specific simulator
runtime.
As a alternation, we will add the commandline arguments to skip certain unsupported
functions, and move the simulator build to the bp file.
Bug: 131911365
Test: mma
Change-Id: I3ff0f45dbebe3ed72d5f4670a869b40e6cfd5a7c
|
|
As system_ext partition will be linked to system/system_ext, update
the path to system/system_ext.
Bug: 134359158
Test: build
Change-Id: I5a49adfe7e045e24bf6dfbf6990a965b8a5e1ce1
|
|
Corresponds to GetMappedPackageAddress.
There is at least one custom device recovery with an extension to copy
the package somewhere else as a backup. Ability to do this was removed
in change ag/955273.
Test: lunch cf_x86_tv-eng; make
Test: atest recovery_unit_test recovery_component_test
Change-Id: I0e61d8a8839c47721874526504ea03b9ca7bafa9
|
|
Bug: 134359158
Test: build and boot
Change-Id: I2ea21a0e528bdbab7d2479b48c73e7f2274ecca5
|
|
Make sure the simulator succeeds executing common non-A/B update
functions.
Bug: 131911365
Test: run unit tests
Change-Id: I520ce6a8827539b88a9e36f9e67eec30d8b586d4
|
|
This method no longer contains a timeout parameter; it has been
removed in favor of changes to libdm.
Bug: 135771280
Test: builds
Change-Id: Id8c0f17c2787412bc4588af5a1bc49cc8e6edd51
|
|
The simulator skips executing the operations for dynamic partitions, and
will use the logical images under target_files/IMAGES directly. (Similar
to the targets without DAP enabled)
Bug: 131911365
Test: run update on cuttlefish, run simulator
Change-Id: Id318d97ece4560df9f20dc5cabeb8b2e261bdf9c
|
|
This reverts commit 46ec20b69298ff267fcc9f42a742015fb541b4a4.
Reason for revert: breaks all camera use cases
Bug: 135568875
Change-Id: I86747c0df5489f80d1966dd07669637597fb2b00
(cherry picked from commit cdbd84de26bb213fee6d8560976d9b99eea75f77)
|
|
This reverts commit 46ec20b69298ff267fcc9f42a742015fb541b4a4.
Reason for revert: breaks all camera use cases
Bug: 135568875
Change-Id: I86747c0df5489f80d1966dd07669637597fb2b00
|
|
libprocessgroup symbols are being moved into libcutils in order to
optimize linking/memory usage. libprocessgroup will no longer be
required in the future (however removing references to it will come
separately).
Since libcutils is used statically here, the dependencies of
libprocessgroup need to be explicitly listed.
Bug: 135145426
Test: boot
Change-Id: I91c082f0fa2f5f5c52751065cd5f50f5cb965b23
|
|
The TargetFile class parses a target-file and provides functions to read
its contents. And the BuildInfo tries to simulate the device with files
on host. Some work it does includes parsing the build properties,
and extracting the image files for partitions specified in the fstab.
Bug: 131911365
Test: unit tests pass, run simulator with cuttlefish, wear devices and from extracted TF.
Change-Id: Iefe4a96d619d2e4b3d038e31480f11a0f9a70afa
|
|
Disable building the simulator and its support libraries to resolve the breakage
on mac host targets. Because the simulator is not intended to use on mac anyway.
Bug: 134047992
Test: mma
Change-Id: I488ab50cab1282f03250010b5334f1895d44f98b
|
|
Implement the simulator runtime and build the updater simulator as a host
executable. The code to parse the target-files and mocks the block devices
will be submitted in the follow-up.
Bug: 131911365
Test: unit tests pass
Change-Id: Ib1ba939aec8333ca68a45139514d772ad7a27ad8
|
|
Remove some unnecessary includes or forward declarations. And include
the correct headers to build host executables.
Bug: 131911365
Test: unit tests pass
Change-Id: I62e75f60678159fe24619a4bd386b1416f1a5b5d
|
|
This class adds a wrapper to the runtime dependent functions. Therefore,
the behavior of update on device stays the same, while simulators can
have their own implementations. Also change the caller side of the
registered updater functions to call these runtime wrappers.
Bug: 131911365
Test: unit tests pass, sideload an update on cuttlefish
Change-Id: Ib3ab67132991d67fc132f27120e4152439d16ac5
|
|
The hashtree computation is designed to execute after we write all the
bytes to the target block device. And executing the command during block
image verify will almost always fail since we are still on the source
build.
Test: run simulator
Change-Id: If8ebb66739969520367a0815f5f8f89f6fae47cf
|
|
The UpdaterInfo class is merely a collection of pointers and POD types.
We can replace it with a Updater class that has the ownership of the
resources. This also makes this class extensible as we plan to add more
functionality in the host simulator.
Bug: 131911365
Test: unit tests pass, run an update on cuttlefish and check last_install
Change-Id: I07ca5963bbee8ae3cb85ccc184464910aa73d4e4
|
|
Bug: http://b/129068177
Test: treehugger
Change-Id: Ie5b2b0cff087f2e9e65a4e77c187e3173357f3ad
|
|
Test: Choose `Reboot system now`, `Power off`, `Reboot to bootloader`
from recovery UI respectively.
Test: `adb reboot recovery` while under sideload mode.
Change-Id: I0f3d55b80b472178ea4f6970b29cd9df0778b639
|
|
Switch to 64 bit integers since the size of the entire src/tgt images may
not fit in size_t of ILP32.
There are other theoretical overflow cases in memory allocation and I/O
functions. However, they reside within a single transfer command and are
less likely to happen. I will evaluate and address them in separate
cls.
Test: unit tests pass
Bug: 122461124
Change-Id: Ib719ee695920877458fcfaa25c6ac058a5bbabf2
|
|
Test: sideload full OTA on cuttlefish
Test: sideload incremental OTA on cuttlefish (that grows
system, shrinks vendor, and move vendor to group foo)
Test: verify that /cache/recovery/cc46ebfd04058569d0c6c1431c6af6c1328458e4
exists (sha1sum of "system")
Bug: 111801737
Change-Id: Ibdf6565bc1b60f3665c01739b4c95a85f0261ae5
|
|
When applying an OTA package onto the device in OTA mode,
if the recovery logs haven't been viewed, there is a chance
that /cache/recovery does not exist. Then, stash creation will
fail. Create stash directories recursively to avoid this error.
Test: without /cache/recovery, sideload the OTA on cuttlefish
Change-Id: I5cc01a067d866476a3594e795dcb5b15649e817b
|
|
Test: sideload on cuttlefish
Bug: 111801737
Change-Id: I784a2142049054f38d6b70c7af7e88a451996d83
|
|
It also reduces the space cost for devices using f2fs (e.g. crosshatch).
/sbin/mkfs.f2fs 722560 => /system/bin/make_f2fs 49568
/sbin/sload.f2fs 1182456 => /system/bin/sload_f2fs 150032
Test: Build and boot recovery on crosshatch. Factory reset.
Test: Install a non-A/B OTA package that formats a f2fs partition.
Change-Id: Ibe70c8d91a1d07e1c78ff9eac19b1f7955800161
|
|
Test: Build and boot into recovery on marlin. Factory reset.
Test: Build and install a non-A/B OTA that calls format.
Change-Id: I72416e775e237fc15ca5eff1036175a9eef43b76
|
|
Bug: 119875846
Change-Id: Ibff18ea6f92620852222fff4073379ec8afd0e10
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
|
|
Test: Run recovery_component_test on marlin.
Change-Id: If23baf42aeacb48500edabc2eadd2e7119a848da
|
|
Test: build
Change-Id: If56b33c9c420237ff441779ba1dbebffd9dae8e3
|
|
The fields of the ZipArchive on the stack are not initialized before we
call libminzip to parse the zip file. As a result, some random memory
location is freed unintentionally when we close the ZipArchive upon
parsing failures.
Bug: 35385357
Test: recompile and run the poc with asan.
Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079
|
|
The fields of the ZipArchive on the stack are not initialized before we
call libminzip to parse the zip file. As a result, some random memory
location is freed unintentionally when we close the ZipArchive upon
parsing failures.
Bug: 35385357
Test: recompile and run the poc with asan.
Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079
|
|
The fields of the ZipArchive on the stack are not initialized before we
call libminzip to parse the zip file. As a result, some random memory
location is freed unintentionally when we close the ZipArchive upon
parsing failures.
Bug: 35385357
Test: recompile and run the poc with asan.
Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079
|
|
applypatch() was initially designed for file-based OTA, operating on
individual files. It was later extended to allow patching eMMC targets
as a whole, in favor of block-based updates.
As we have deprecated file-based OTA since Oreo, part of the code in
applypatch() has become obsolete. This CL refactors the related
functions, by removing the obsolete logic and focusing on eMMC targets.
Since this CL substantially changes applypatch APIs, it adds new
functions to avoid unintentionally mixing them together. In particular,
it removes `applypatch()`, `applypatch_check()`, `applypatch_flash()`,
and adds `PatchPartition()`, `PatchPartitionCheck()`, `FlashPartition()`
and `CheckPartition()`. It also replaces the old Edify functions
`apply_patch()` and `apply_patch_check()` with `patch_partition()` and
`patch_partition_check()` respectively.
This CL requires matching changes to OTA generation script (in the same
topic).
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Test: `m dist` with non-A/B target. Verify
/system/bin/install-recovery.sh on device.
Test: `m dist` with non-A/B target using BOARD_USES_FULL_RECOVERY_IMAGE.
Verify /system/bin/install-recovery.sh on device.
Test: Install an incremental OTA with the new updater and scripts.
Change-Id: Ia34a90114bb227f4216eb478c22dc98c8194cb7f
|
|
And add the first few users.
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: Ifdf093d011478b6a1dd0405b0ba48c145b509cc8
|
|
Now it's less beneficial to inject I/O faults since we don't see many of
them. Remove the library that mocks I/O failures. And switch to android::base
I/O when possible.
Bug: 113032079
Test: unit tests pass
Change-Id: I9f2a92b7ba80f4da6ff9e2abc27f2680138f942c
|
|
This would be the top-level class that represents and holds the info
parsed from a transfer list file.
Bug: 112151972
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I83b54df9d1411542eeeb8ef4a2db167e97f989c3
|
|
Bug: 112151972
Test: Run recovery_unit_test on marlin.
Change-Id: Ica2a7b3c768f5d8ca5d591a9560bca9f8ed847c5
|
|
Also separate libupdater_defaults out to be shareable.
It turns out the `data` property in `cc_test` doesn't follow symlinks as
LOCAL_TEST_DATA does in Android.mk. This CL creates a filegroup in
top-level Android.bp in order to pick up the testdata for ResourcesTest.
Test: `mmma -j bootable/recovery` with aosp_marlin-userdebug
Test: Run recovery_{unit,component,manual}_test on marlin.
Test: Run recovery_host_test.
Change-Id: I4532ab25aeb83c0b0baa8051d5fe34ba7b910a35
|
|
Add hash_tree_info to represent the hash tree computation arguments in
the transfer commands 'compute_hash_tree'. Also add its parsing code in
the Command class.
Bug: 25170618
Test: unit tests pass
Change-Id: Ie8607968377968e8fb3e58d1af0b8ca315e145be
|
|
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I2617b87d13c585addf0ed2fbae8c3ce443ea7200
|
|
The new command is part of the transfer.list and allows us to compute the hash
tree on non-ab devices.
The required arguments for the hash_tree computation are:
hash_tree_ranges
source_ranges
hash_algorithm
salt_hex
root_hash
Bug: 25170618
Test: unit tests pass; run simulator with compute_hash_tree
Change-Id: I8ff0d582cc8adabb8a060db7845f38b35b28e62c
|
|
They are doing exactly the same thing, except for the slightly different
error return value (1 vs -1).
int CacheSizeCheck(size_t bytes);
int MakeFreeSpaceOnCache(size_t bytes_needed);
This CL consolidates the two functions and uses bool as its return type.
// Checks whether /cache partition has at least 'bytes'-byte free space. Returns true immediately
// if so. Otherwise, it will try to free some space by removing older logs, checks again and
// returns the checking result.
bool CheckAndFreeSpaceOnCache(size_t bytes);
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I94a96934d2b18713f8f39ad5aa96a02c98d87963
|
|
It used to return a Value blob to be consumed by sha1_check() (which has
been deprecated). Currently there's no other generic updater function
that works with BLOB Values. This CL changes read_file() to return a
string Value to make it more useful (e.g. allowing equality check).
Test: Run recovery_component_test and recovery_unit_test on marlin.
Change-Id: Iba986ba649030112babefe898f26aa9ffe69eeb7
|
|
Also simplify the helper function expect() in {edify,updater}_test.cpp.
Test: Run recovery_component_test on marlin.
Change-Id: If54febba4b5013f6d71546318a1ca6b635204ac8
|
|
Test: mmma -j bootable/recovery
Test: Run recovery_component_test and recovery_unit_test on marlin.
Change-Id: I4b240e3e771c387b9694be9c0f2f74e0265ab4cb
|
|
The matching edify function has been removed from EdifyGenerator [1]. In
theory device-specific releasetools script may still use this function,
but it no longer looks useful. Because a) we should use range_sha1()
when asserting the SHA-1 hash of a block device; b) we should look into
the contents when asserting a text file.
[1] https://android-review.googlesource.com/c/platform/build/+/714104
Test: Run recovery_component_test on marlin.
Test: Code search shows no active user.
Change-Id: Id39439101534fb89cf8c5cea80a4b758c8a1a60d
|
|
This will be used for testing purpose only, replacing the previously
used "fail", to intentionally abort an update.
As we're separating the logic between commands parsing and execution,
"abort" needs to be considered as a valid command during the parsing.
Test: recovery_unit_test and recovery_component_test on marlin.
Change-Id: I47c41c423e62c41cc8515fd92f3c5959be08da02
|
|
During block verification, load stash reads from the source blocks on
the device instead of the stashed files. And for interrupted update,
it's pretty common that the source blocks has already been overwritten
by subsequent commands.
In that case the hash printing is mostly useless. Moreover we should have
already printed the hash when the first update failed.
Bug: 80241799
Test: Unit tests pass. No longer prints mismatching stashed source blocks on retry.
Change-Id: I4effe684280b0325199f6cc4b2cc26e91295c2d7
|
|
Additionally checks for excess args when parsing ERASE, FREE, NEW, STASH
and ZERO. Note that the check for MOVE, BSDIFF, IMGDIFF has been covered
in Command::ParseTargetInfoAndSourceInfo.
Test: Run recovery_unit_test on marlin.
Change-Id: Ic8bc9b7a8dcf98f1f8db2e259607564508726857
|
|
The added codes are not used in the updater yet. The switch will happen
in subsequent CLs.
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I1ae8a233280f02c2171b43ef028bdccdacb39c59
|
|
Test: mmma -j bootable/recovery
Test: Run recovery_component_test on marlin.
Change-Id: Ifcf244346a88dac833d91b169a4c2aee1fe677f1
|
|
The two utilities are now converted to dynamic executables as shared
libraries are supported in recovery mode.
As part of the conversion, their location has moved from /sbin to
/system/bin. Reflect the change in the program 'recovery'
Bug: 79146551
Test: adb reboot recovery, and select 'Wipe data/factory reset'. The
data partition is formatted and there is no selinux denial.
Change-Id: Ie7cfc4c50ab1e6767e4a5170533ccf826ec7d7f3
|
|
This avoids leaving the created new data writer thread unjoined, in the
presence of transfer list parsing errors, or the early exit case on
`total_blocks == 0`.
Also fix a minor issue when dumping the errno on pthread_create error
(pthread_create returns the error number, as opposed to setting errno).
Test: Run recovery_component_test on marlin.
Change-Id: Icfac27fef0c64736eb8c76264da73c223b4960cb
|
|
Test: Run recovery_component_test on marlin.
Change-Id: I93afca891c5c9c1a351c907b023cd20c4704a66a
|
|
Test: recovery_component_test on marlin.
Change-Id: I2ac2bd47469d1aec8a97a8c4ed0fe80ffd65c95b
|
|
As suggested by the style guide
(https://google.github.io/styleguide/cppguide.html#Reference_Arguments),
all parameters passed by reference must be labeled const. This CL moves
most of the non-const references in blockimg.cpp to pointers, except for
the CommandParameters& parameter in PerformCommand* functions, which
will be handled in separate CLs.
Test: mmma -j bootable/recovery
Test: Run recovery_component_test on marlin.
Change-Id: I84299208e9a1699f5381fb2228d4120f0c8dacb3
|
|
This is a stress test that instantiates multiple testcases that
interrupt a BBOTA update at every transfer command. Each testcase
asserts the last_command_file after the interruption, verifies the
update resumability, then resumes the update and asserts the updated
image.
The transfer list in the testcase covers most of the transfer commands
(stash/free/move/bsdiff/zero/new), as well as some special pattern like
having duplicate stash ids.
This CL also addresses one issue in the updater code, by resetting the
stash_map before each run. The stash map should be valid only per
block_image_verify/block_image_update run. Having leftover may cause
issue in subsequent runs, in particular when calling block_image_verify
after a previous run of block_image_{update,verify}.
Test: Run recovery_component_test on marlin.
Change-Id: I6f9a0368d194a754ce41a9c9819c6d5be2657248
|
|
None of the callers actually uses the value.
(Even in the earlier versions, e.g. the one in M, the value wasn't used
either.)
Test: Run recovery_component_test on marlin.
Change-Id: I53e61a1afa211f71a200889ed3aa4046763b46ea
|
|
Move the commands map parsing out of PerformBlockImageUpdate(), as this
can be done more easily by the caller.
The goal (not done in this CL) is to decouple command parsing logic from
the performers. This allows (a) focusing on the command logic in the
performer; and (b) extending BBOTA commands syntax separately.
Test: Run recovery_unit_test and recovery_component_test.
Change-Id: Ife202398a7660b152d84a3ba17b90f93d19c55f2
|
|
This avoids the signedness issue, and makes the code more readable.
Test: mmma bootable/recovery
Test: Run recovery_component_test.
Change-Id: I01c3a0357887cfd7c9d4aba4239ef650cfa18388
|
|
It no longer needs to be conditional, as we've removed the support for
BBOTA v1/v2.
Test: mmma bootable/recovery
Change-Id: I881de8afa38cc5b41b48e6d48d85170699ea5eb4
|
|
The last command file has the last executed stash command by convention.
So we should update the file after we actually finishes executing the command;
instead of after loading src/tgt.
Bug: 79756267
Test: unit tests pass
Change-Id: I4535b5836e7eb13b3abe3d02f9f362ec5e9ec969
|
|
We cannot skip "new" commands while resuming an update with
last_command_file, because they read in the data sequentially from the
package.
Bug: 69858743
Test: Interrupt an update that has new commands. Check the update log.
Change-Id: I05fb67246f5ea3ba2a0f78f10255c0d9b0bc2f5a
|
|
Prior to the change, the BBOTA updater would try to re-run all the
commands for a given partition on retry, including creating stashes
according to the list of commands. This could fail a retry when the
previous update had moved on to next stage, with leftovers in /cache.
This CL creates a marker on /cache upon successfully updating a
partition. The update commands will be skipped when trying to apply
updates on an updated partition. Note that the marker is expected to be
removed while doing a normal boot (in particular, handled by
RecoverySystem#handleAftermath). If that didn't happen, the updater
would also remove the marker before starting next fresh update.
Alternatively, we can achieve the same goal by changing the OTA script,
which needs to additionally compare the checksum against the target
build. For example,
range_sha1("/system", "ranges") == SHA1_of_updated_system ||
block_image_update("/system");
The downside is that we need to pay that cost on each install, as the
edify script doesn't support caching the result in a variable.
Bug: 79165963
Test: Simulate the process on device (by triggering a reboot while
updating /vendor). Check the update log and result.
Change-Id: I731031fa336133e1221b33edfc469969706e8091
|
|
This breaks the dependency on common.h (which belongs to
recovery/librecovery) from librecovery_ui. reboot() is now owned by
libotautil, which is expected to be a leaf node to be depended on.
With the change, recovery and updater also share the same reboot() code
now.
Test: mmma -j bootable/recovery
Change-Id: I1cc5d702cfe49302048db33d31c9c87ddc97ac71
|
|
Test: mmma -j bootable/recovery
Change-Id: I32ab98549e91f993364306e4a88dc654221b3869
|
|
Export its header (mounts.h) from there, and drop the dot dot dependency
from libupdater / updater.
Test: mmma bootable/recovery
Test: recovery_component_test
Change-Id: Ic26a6b9b78a34dbe1f178b138f3abaafffbec44c
|
|
We have a general need for overriding more paths (e.g. "/tmp"), mostly
for testing purpose. Rename CacheLocation to Paths, and use that to
manage TEMPORARY_{INSTALL,LOG}_FILE.
Test: mmma -j bootable/recovery
Test: recovery_component_test
Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
|
|
StringValue() makes a copy of the arg.
Test: mmma bootable/recovery
Change-Id: I1002994e7496c840aa05c785019bdeca281f467e
|
|
As they're accepting the SinkFn callback, it makes more sense to leave
the work to their callers.
Test: mmma -j bootable/recovery
Test: Run recovery_component_test on marlin.
Test: No other active user of the two functions.
Change-Id: I8d67b38ce037925442296f136b483e0c71983777
|
|
Bug: 74604441
Bug 67380979
Change-Id: Iab1cc9aef356f0ddf6e2491578a2bd53009182ce
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
|
|
The total sectors that we want to format is used in different meanings from
various users. This notifies its size based on 512 bytes explicitly.
Bug: 76407663
Change-Id: I20687b40a1733d3b459a45f8b64a338c37a7bc95
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
|
|
The total sectors that we want to format is used in different meanings from
various users. This notifies its size based on 512 bytes explicitly.
Bug: 76407663
Change-Id: I20687b40a1733d3b459a45f8b64a338c37a7bc95
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
|
|
Otherwise the applypatch executable will fail to back up the source
file to /cache when patching the recovery image.
Bug: 74198354
Test: run applypatch from boot to recovery
(cherry picked from commit b4e3a370bf6fe2bbb6ad8e33d16ce3210595aaef)
Change-Id: I37b7fd88d66ab49ef953d4b7dca22577bd1472e1
|
|
Otherwise the applypatch executable will fail to back up the source
file to /cache when patching the recovery image.
Bug: 74198354
Test: run applypatch from boot to recovery
Change-Id: I6e5b9cd06d6ed0b26066b779a348437ecf984b92
|
|
This class allows us to set the following locations dynamically:
cache_temp_source, last_command_file, stash_directory_base.
In the updater's main function, we reset the values of these variables
to their default locations in /cache; while we can set them to temp
files in unit tests or host simulation.
Test: unit tests pass
Change-Id: I528652650caa41373617ab055d41b1f1a4ec0f87
|
|
In BlockImageVerify some commands are undefined, e.g. "erase", "new",
"zero". And we should not error out if the corresponding function
pointer of these commands is null; otherwise we will fail the
verification.
The old code is:
if (cmd->f != nullptr && cmd->f(params) == -1)
return false;
In the last_command_file change the logic was wrongly modified to
if (cmd->f == nullptr)
return false;
...
if (cmd->f(params) == -1)
return false;
Test: sideload an incremental OTA twice on bullhead
Change-Id: I2561c365badb850da0e416629ccd61f0df7da5d7
|
|
There is no logical change to the file; merely the function definition
reorder and some comestic change to make the future review easier.
Test: mma
Change-Id: I7ffe952f8c78e840f10aa6bfad0c4b5a58e29896
|
|
When performing an update, save the index and cmdline of the current
command into the last command file if this command writes to the stash
either explicitly of implicitly. This mitigates the overhead to update
the last command file for every command. I ran a simple test on angler
and the time to update 1000 times is ~2.3 seconds.
Upon resuming an update, read the saved index first; then
1. In verification mode, check if all commands before the saved index
have already produced the expected target blocks. If not, delete the
last command file so that we will later resume the update from the
start of the transfer list.
2. In update mode, skip all commands before the saved index. Therefore,
we can avoid deleting stashes with duplicate id unintentionally;
and also speed up the update.
If an update succeeds or is unresumable, delete the last command file.
Bug: 69858743
Test: Unittest passed, apply a failed update with invalid cmd on angler
and check the last_command content, apply a failed update with invalid
source hash and last_command is deleted.
Change-Id: Ib60ba1e3c6d111d9f33097759b17dbcef97a37bf
|
|
The AbortFn() used to overwrite the error message, hiding the real
failure reported in ErrorAbort(). And we will miss the failure in
the script patterns like 'blockimageupdate() || abort()'
We will ensure there's one line break at the end of ErrorAbort's
error message; and append to the existing error message when calling
abort().
Test: Message from ErrorAbort shows up in the log
Change-Id: I3aebd06629c5129330250c7fe5e8cdead2ae85bc
|
|
Change-Id: Iddfe54b2b36f2d531925cbe61c98dbfb4903c0d1
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
|
|
An interrupted update may stash extra blocks in /cache, leading to a
failure when checking the cache size. We can save the incremented
retry_count in the BCB before installing the update; and distinguish
a fresh update from an interrupted one this way.
Bug: 68679601
Test: An interrupted update reapplies successfully.
Change-Id: Ic1403e1fd25a937c91ef34c14b92a0f6c8f1c0f4
|
|
Change-Id: Ia393b7b78b45f09964449ec0e255aa26bb3b8ddf
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
|
|
It used to be "const Value*", but nullptr won't be a valid input.
Test: recovery_host_test; recovery_component_test
Change-Id: I904b5689ac3e64504088bf0544c9fb5d45a52243
|
|
We used to CHECK and abort on parsing errors. While it works fine for
the updater use case (because recovery starts updater in a forked
process and collects the process exit code), it's difficult for other
clients to use RangeSet as a library (e.g. update_verifier).
This CL switches the aborts to returning empty RangeSet instead. Callers
need to check the parsing results explicitly.
The CL also separates RangeSet::PushBack() into a function, and moves
SortedRangeSet::Clear() into RangeSet.
Test: recovery_unit_test
Test: Sideload an OTA package with the new updater on angler.
Test: Sideload an OTA package with injected range string errors. The
updater aborts from the explicit checks.
Change-Id: If2b7f6f41dc93af917a21c7877a83e98dc3fd016
|
|
Bug: 64395169
Change-Id: I6f6a4f82b225435c6ad5c828e110fa135e6f7579
|
|
Bug: 64395169
Change-Id: I6f6a4f82b225435c6ad5c828e110fa135e6f7579
|
|
The thread to receive new data may still be alive after we exit
PerformBlockImageUpdate() upon failures. This caused memory corruption
when we run the unittest repeatedly. Set the receiver_available flag
to false and make sure the receiver exits when the update fails.
Bug: 65430057
Test: unittests passed with tsan
Change-Id: Icb232d13fb96c78262249ffbd29cdbe5b77f1fce
|
|
The only one left is libedify. Will handle that in a separate CL.
Test: mmma bootable/recovery
Change-Id: I732a5f85229da90fd767bee2e46c5c95f529c396
|
|
Also drop the "bootable/recovery" path in LOCAL_C_INCLUDES from
applypatch modules.
Test: lunch aosp_{angler,bullhead,fugu,dragon,sailfish}-userdebug;
mmma bootable/recovery
Change-Id: Idd602a796894f971ee4f8fa3eafe36c42d9de986
|
|
This reverts commit 26436d6d6010d5323349af7e119ff8f34f85c40c to re-land
"Move error_code.h into otautil.".
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".
This CL needs to land with device-specific module changes (e.g. adding
the dependency on libotautil).
Test: lunch aosp_{angler,bullhead,dragon,fugu,sailfish}-userdebug;
mmma bootable/recovery
Change-Id: If193241801af2dae73eccd31ce57cd2b81c9fd96
|
|
Use forward declartion to avoid pull in the module that contains
error_code.h (trying to move it into libotautil). Otherwise all the
modules that include "edify/expr.h" need to depend on the module that
exports error_code.h.
.cpp sources should include "error_code.h" explicitly to use the enums.
Test: lunch aosp_{angler,bullhead,dragon,fugu,sailfish}-userdebug;
mmma bootable/recovery
Change-Id: Ic82db2746c7deb866e8cdfb3c57e0b1ecc71c4dc
|
|
This reverts commit 623fe7e701d5d0fb17082d1ced14498af1b44e5b.
Reason for revert: Need to address device-specific modules.
Change-Id: Ib7a4191e7f193dfff49b02d3de76dda856800251
|
|
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".
Test: mmma bootable/recovery
Change-Id: Ia4649789cef2aaeb2785483660e9ea5a8b389c62
|
|
Test: mmma bootable/recovery
Change-Id: I3ceb72f703c7c2857d656c137d71baa1fccd8238
|
|
Turn on -Wall for all modules. Also remove the obsolete file_cmp() in
apply_patch test and now() in wear_ui.
The only exception is lib_edify due to the unused functions in the
intermediate cpp files generated from the lex files. It will be handled
in a seperate CL.
Bug: 64939312
Test: mma, unit tests pass
Change-Id: Ic53f76b60b6401ab20db3d98130d674c08e3702f
|
|
1. Move the declaration of the Image classes to the header file to make
testing easier.
2. Also move rangeset.h to bootable/recovery to allow access in imgdiff.
Test: recovery component test
Change-Id: I68a863e60a3f2e7ae46ee48f48eb15391f5f4330
|
|
This is useful in imgdiff to maintain the block ranges of
splitted source image.
Bug: 34220646
Test: mma && unit tests pass
Change-Id: I6427f2ea50f0e3b0aa3dd01880ec0206679b7429
|
|
Its former callers in RenameFn() and SymlinkFn() have been removed in
commit 63d786cf22cb44fe32e8b9c1f18b32da3c9d2e1b.
Test: mmma -j bootable/recovery
Change-Id: I26ed126202554fc5840811ec7ae162da70593213
|
|
This file no longer exists:
- /file_contexts has been split into plat_file_contexts and
nonplat_file_contexts since commit
b236eb6ca204cefcb926e19bd5682f9dcad4021d (system/sepolicy).
- It was named /file_contexts.bin prior to the split.
'-S file_contexts' is also no longer required by e2fsdroid, since commit
2fff6fb036cbbb6dedd7da3d208b312a9038a5ce (external/e2fsprogs). It will
load the file contexts via libselinux.
Test: Trigger the path by performing a data wipe for converting to FBE.
Change-Id: I179939da409e5c0415ae0ea0bf5ddb23f9e6331e
(cherry picked from commit 7af933b6a6fd687bd17710ef6fda0ad5483e4d6d)
|
|
receive_new_data may exit too early if the zip processor has sent all
the raw data. As a result, the last few 'new' commands will fail even
though the brotli decoder has more output in its buffer.
Restruct the code so that 'NewThreadInfo' owns the decoder state solely;
and receive_brotli_new_data is responsible for the decompression.
Also reduce the test data size to 100 blocks to avoid the test timeout.
Bug: 63802629
Test: recovery_component_test. on bullhead, apply full updates with and
w/o brotli compressed entries, apply an incremental update.
Change-Id: Id429b2c2f31951897961525609fa12c3657216b7
(cherry picked from commit 6ed175d5412deeaec9691f85757e45452407b8e3)
|
|
receive_new_data may exit too early if the zip processor has sent all
the raw data. As a result, the last few 'new' commands will fail even
though the brotli decoder has more output in its buffer.
Restruct the code so that 'NewThreadInfo' owns the decoder state solely;
and receive_brotli_new_data is responsible for the decompression.
Also reduce the test data size to 100 blocks to avoid the test timeout.
Bug: 63802629
Test: recovery_component_test. on bullhead, apply full updates with and
w/o brotli compressed entries, apply an incremental update.
Change-Id: I9442f2536b74e48dbf7eeb062a8539c82c6dab47
|
|
Execute mke2fs to create empty ext4 filesystem.
Execute e2fsdroid to add files to filesystem.
Test: enter recovery mode and wipe data
Bug: 35219933
Change-Id: I10a9f4c1f4754ad864b2df45b1f879180ab33876
(cherry picked from commit ac31808cd37cfb98755e5821dbb2efb5fe5cb12a)
|
|
This file no longer exists:
- /file_contexts has been split into plat_file_contexts and
nonplat_file_contexts since commit
b236eb6ca204cefcb926e19bd5682f9dcad4021d (system/sepolicy).
- It was named /file_contexts.bin prior to the split.
'-S file_contexts' is also no longer required by e2fsdroid, since commit
2fff6fb036cbbb6dedd7da3d208b312a9038a5ce (external/e2fsprogs). It will
load the file contexts via libselinux.
Test: Trigger the path by performing a data wipe for converting to FBE.
Change-Id: I179939da409e5c0415ae0ea0bf5ddb23f9e6331e
|
|
Add a new writer that can decode the brotli-compressed system/vendor
new data stored in the OTA zip.
Brotli generally gives better compression rate at the cost of slightly
increased time consumption. The patch.dat is already compressed
by BZ; so there's no point to further compress it.
For the given 1.9G bullhead system image:
Size: 875M -> 787M; ~10% reduction of package size.
Time: 147s -> 153s; ~4% increase of the block_image_update execution time.
(I guess I/O takes much longer time than decompression.)
Also it takes 4 minutes to compress the system image on my local
machine, 3 more minutes than zip.
Test: recovery tests pass && apply a full OTA with brotli compressed
system/vendor.new.dat on bullhead
Change-Id: I232335ebf662a9c55579ca073ad45265700a621e
|
|
Execute mke2fs to create empty ext4 filesystem.
Execute e2fsdroid to add files to filesystem.
Test: enter recovery mode and wipe data
Bug: 35219933
Change-Id: I10a9f4c1f4754ad864b2df45b1f879180ab33876
Merged-In: I10a9f4c1f4754ad864b2df45b1f879180ab33876
|
|
Execute mke2fs to create empty ext4 filesystem.
Execute e2fsdroid to add files to filesystem.
Test: enter recovery mode and wipe data
Bug: 35219933
Change-Id: I10a9f4c1f4754ad864b2df45b1f879180ab33876
|
|
Fixed by Loading the file_contexts specified in libselinux, whereas
previously recovery loaded /file_contexts which no longer exists.
Bug: 62587423
Test: build and flash recovery on Angler. Warning is gone.
Test: Wipe data and cache.
Test: sideload OTA
Change-Id: I11581c878b860ac5f412e6e8e7acde811f37870f
(cherry picked from commit 2330dd8733ce0b207058e3003a3b1efebc022394)
|
|
Fixed by Loading the file_contexts specified in libselinux, whereas
previously recovery loaded /file_contexts which no longer exists.
Bug: 62587423
Test: build and flash recovery on Angler. Warning is gone.
Test: Wipe data and cache.
Test: sideload OTA
Change-Id: I11581c878b860ac5f412e6e8e7acde811f37870f
|
|
We have seen one case when bspatch failed likely due to patch
corruption. Since the package has passed verification before, we want
to reboot and retry the patch command again since there's no
alternative for users.
We won't delete the stash before reboot, and the src has passed SHA1
check. If there's an error on the patch, it will fail the package
verification during retry.
Bug: 37855643
Test: angler reboots and retries the update when bspatch fails.
Change-Id: I2ebac9621bd1f0649bb301b9a28a0dd079ed4e1d
|
|
It's only used by file-based OTA which has been deprecated for O.
Test: mma
Change-Id: I439c93155ca94554d827142c99aa6c0845cc7561
|
|
Commit adeb41a8c0da3122a2907acb4aafd7ff9bce26af has switched the
argument for recovery. This CL handles the case for updater.
Note that there's a chance the updater may run against the old
recovery (and f2fs 1.4.1 binary). Not sending a 0-sector argument to
f2fs 1.4.1 also works.
Bug: 37758867
Test: Make an OTA package that calls format f2fs, with mkfs.f2fs 1.8.0
and 1.4.1 binaries respectively.
Change-Id: I4d4bbe8c57544d1c514b7aa37fbf22a0aab14e2c
|
|
We didn't report error/cause codes unless there's an explict "Abort()"
call inside the updater script. As a result, some cause codes set by
ErrorAbort() didn't show up in last_install.
To fix the issue, add a default error code when the script terminates
abnormally (i.e. with non zero status).
Bug: 37912405
Test: error/cause code shows up in last_install when argument parsing fails
Change-Id: Ic6d3bd1855b853aeaa0760071e593a00cf6f0209
|
|
Test: recovery_component_test
Test: recovery_unit_test
Test: Apply an OTA on angler.
Change-Id: I7170f03e4ce1fe06184ca1d7bcce0a695f33ac4d
|
|
Bug: 37401320
Test: build and push OTA and hit adb reboot recovery,quiescent. The screen should remain off throughout the upgrade process.
(cherry picked from commit 8706a98aa635236a95795f0a0c122bb3e591a50d)
Change-Id: I79789a151f6faafda8ecc6198c2182cc2a91da70
|
|
Bug: 37401320
Test: build and push OTA and hit adb reboot recovery,quiescent. The screen should remain off throughout the upgrade process.
Change-Id: Ibed3795c09e26c4fa73684d40b94e40c78394d3f
|
|
Right now the update stuck in a deadlock if there's less new data than
expection. Add some checkers and abort the update if such case happens.
Also add a corresponding test.
Bug: 36787146
Test: update aborts correctly on bullhead && recovery_component_test passes
Change-Id: I914e4a2a4cf157b99ef2fc65bd21c6981e38ca47
|
|
This CL makes the following changes to RangeSet:
- Uses std::pair<size_t, size_t> to represent a Range;
- Uses std::vector<Range> to represent a RangeSet;
- Provides const iterators (forward and reverse);
- Provides const accessor;
- 'blocks()' returns the number of blocks (formerly 'size');
- 'size()' returns the number of Range's (formerly 'count').
Test: recovery_unit_test
Test: Apply an incremental update with the new updater.
Change-Id: Ia1fbb343370a152e1f7aa050cf914c2da09b1396
|
|
We don't need to take raw pointers out of the parsed arguments.
std::unique_ptr handles the dereferencing automatically.
Test: mmma bootable/recovery
Change-Id: I1beabf6e04dc350bdad7b36cee5fb345c82b28f2
|
|
Also move RangeSet into a header file to make it testable, and add unit
tests.
In RangeSet::Parse() (the former parse_range()), use libbase logging to
do assertions. This has the same effect as the previous
exit(EXIT_FAILURE) to terminate the updater process and abort an update.
The difference lies in the exit status code (i.e. WEXITSTATUS(status) in
install.cpp), which changes from 1 (i.e. EXIT_FAILURE) to 0.
Test: recovery_unit_test
Test: Apply an incremental update with the new updater.
Change-Id: Ie8393c78b0d8ae0fd5f0ca0646d871308d71fff0
|
|
LOG(INFO) already appends a newline. Don't print redundant newline.
Test: No extra blank lines when calling ui_print(). And on-screen UI
shows the same.
Change-Id: I74e9a8504a7146a6cb3dae02fe2406d0dd54069b
|
|
Then rename RangeSinkState to RangeSinkWriter. RangeSinkWriter reads
data from the given FD, and writes them to the desination RangeSet.
Test: Apply an incremental with the new updater.
Change-Id: I5e3ab6fc082efa1726562c55b56e2d418fe4acaf
|
|
Test: mmma bootable/recovery system/update_engine
Test: recovery_component_test
Change-Id: I93c2caa87bf94a53509bb37f98f2c02bcadb6f5c
|
|
Mostly for applypatch family APIs like ApplyBSDiffPatch() and
ApplyImagePatch(). Changing to size_t doesn't indicate they would
necessarily work with very large size_t (e.g. > ssize_t), just
similar to write(2). But otherwise accepting negative length doesn't
make much sense.
Also change the return type of SinkFn from ssize_t to size_t. Callers
tell a successful sink by comparing the number of written bytes against
the desired value. Negative return values like -1 are not needed. This
also makes it consistent with bsdiff::bspatch interface.
Test: recovery_component_test
Test: Apply an incremental with the new updater.
Change-Id: I7ff1615203a5c9854134f75d019e266f4ea6e714
|
|
Rename to LoadSourceBlocks() by moving the target blocks parsing part
into the caller. This allows detecting whether the target blocks have
already had the expected data before loading the source blocks. It
doesn't affect anything when applying an update package for the first
time, but it skips loading the unneeded source blocks when resuming an
update. It additionally avoids unnecessarily dumping the "corrupt"
source/stash blocks when resuming an update.
Bug: 33694730
Test: Apply an incremental update with the new updater.
Test: Resume an incremental update with the new updater.
Change-Id: I794fd0d1045be7b3b7f8619285dc0dade01398d0
|
|
Clean up a few functions that take CommandParameters& as the first
parameter. We don't need to take duplicate arguments if they always come
from CommandParameters. This redundancy came from the point we replaced
strtok()s (commit baad2d454dc07ce916442987a2908a93fe6ae298).
Test: Apply an incremental update with the new updater.
Change-Id: I2912b8ce6bc7580bf7f566e125f12270e679e155
|
|
The script support for BBOTA v1 and v2 has been dropped in commit
8fad03e7712082eb880ffaaffb69eb13252ce220 (platform/build).
Bug: 33694730
Test: Apply an incremental with the new updater.
Test: recovery_component_test
Change-Id: I038b1bf8d10f030cab8ec0aa6ee565c5a9545dfd
|
|
In c++ code would be cleaner to use
c++ retinterpret cast instead of old
c-style notation
Change-Id: Ibeef5e0c374addf108c0a8876a6be45063d8e396
|
|
As of C++ specification size_type erase( const key_type& key );
removes the element (if one exists). There is no need to perform
the check twice.
Change-Id: I4b057c08526abc7c2a483a60f9e166e4d8f56a74
|
|
Scanf expectation is to have same type
of pointer to store parsed value and
modifier in format string
|
|
It's valid to provide only 1 argument to apply_patch_check(). We
shouldn't fail the argument parsing.
Bug: 36541737
Test: recovery_component_test passes.
Test: recovery_component_test captures the failure without the fix.
Test: The previously failed update applies successfully.
Change-Id: Iee4c54ed33b877fc4885945b085341ec5c64f663
|
|
And switch them to std::vector & std::unique_ptr
Bug: 32117870
Test: recovery tests passed on sailfish
Change-Id: I5a45951c4bdf895be311d6d760e52e7a1b0798c3
|
|
Our updater created the stashes with root permission. This causes an
access denial when the RecoverySystem service tries to clean up these
blocks after a failing update. As a result, the subsequent OTA updates
may fail due to insufficient cache space.
Bug: 36457133
Test: stashed blocks cleaned successfully after reboot
Change-Id: If0ca99638cdfa1033646f29d9cc92b5ff1bacac1
|
|
Since this was putting the intermediate file in obj/PACKAGING, every
installclean was removing it and triggering updater to rebuild. Instead,
use the standard generated-sources-dir. The dep file can also be removed
now that ninja will re-run the generator if the command line changes.
Test: m -j updater; m installclean; m -j updater
Test: Only change to aosp_fugu updater before/after is the debug info
Change-Id: I20928bd2049d4a3d4e21f83fd64d16cfdc541958
|
|
This reverts commit 90eff6a340f9983792d700df3b1ea0203aced207.
Also fix the bug where stashed blocks are not freed.
Bug: 21124445
Test: Previous failed update succeeded on bullhead
Change-Id: I23d232331a2beb51b6dcc82c957c87bc247d0268
|
|
Test: Apply an incremental BBOTA package with the new updater.
Test: Resume an interrupted BBOTA (so it cleans up the partial stash).
Change-Id: I620cc57ee6366845bcffbc19210f7a01e2196052
|
|
This reverts commit bb0cd75a0e1f6760bdf96bd141f3a546ffa45fbc.
Broke the 'free' command that deletes a stash.
Bug: 36242722
Test: The previously failed incremental applies successfully.
Change-Id: I1237cb0a33adfbeea57e0465b629704862ba13aa
|
|
It will be helpful for debug if we know which blocks are corrupted after
a verification failure. This CL prints the SHA-1 for each source block
in a transfer command if these blocks don't have an expected hash. And
along with the correct SHA-1, we will catch the corrupted blocks.
Bug: 21124445
Test: Printed the mismatched SHA-1 for bullhead during an update.
Change-Id: I683d4bdaf9a335035045b3f532b3a265b2fcbbfc
|
|
This CL removes the updater support for delete(), symlink(), rename(),
set_metadata() and set_metadata_recursive(). Such functions have been
removed from the generation script in commit
f388104eaacd05cfa075d6478369e1d0df5ddbf3 (platform/build).
Note: This CL also removes delete_recursive() which seems to have never
been supported in generation script.
Bug: 35853185
Test: recovery_component_test passes.
Change-Id: I51e1ec946fa73761118fa1eaa082423df6d588e9
|
|
-1 is not a valid exit status.
Also replace a few exit(1) with exit(EXIT_FAILURE).
Test: mmma bootable/recovery
Change-Id: I4596c8328b770bf95acccc06a4401bd5cabd4bfd
|
|
Now ApplyBSDiffPatch() will stream the output to sink as we go instead
of sinking everything at the end.
Test: recovery_host_test
Bug: 26982501
Change-Id: I05b6ed40d45e4b1b19ae72784cf705b731b976e3
|
|
Bug: 34220783
Test: make checkbuild
Change-Id: Iceea20e440a4bb6a3b254486a65a86401a2241ef
|
|
Currently the ui_print command between the recovery and updater doesn't
append newline. Updater has to send an extra "ui_print" command without
any argument to get the line break. This looks unnecessary. And not all
the callers (including the ones in bootable/recovery) are following this
protocol when sending the ui_print command.
This CL simplifies the protocol to always print with a newline for
ui_print command. When updating from an old recovery with the new
updater, all the ui_print'd strings would appear in one line as a side
effect. But a) it would only affect the text-mode UI, which won't be
shown to users; b) log files won't be affected.
Bug: 32305035
Test: Apply an update with the new updater on top of an old and new
recovery image respectively.
Change-Id: I305a0ffc6f180daf60919cf99d24d1495d68749b
|
|
Bug: 34220783
Change-Id: I358f931f0b29f5bd526e1475180e477e2e90b936
|
|
Bug: 34220783
Change-Id: I34ccc3b11da0d1b48805967ad75b9ddade569930
|
|
We could inject I/O faults during an OTA update for test purpose. But we
should skip the injection if the update is an retry. Otherwise the
update test will simply keeps failing.
Bug: 34159970
Test: Apply the same package on angler and the update succeeds on the 2nd try.
Change-Id: Id274e5475e3bc8d25d50a8cf61a77d2e32c569d6
|
|
Returning the parsed RangeSet directly (as opposed to using some pointer
parameter) to make the code cleaner.
Test: Apply an incremental with the new updater.
Change-Id: I8c99e701f189eb6a3eacc0d647e5a3a85fbeb3eb
|
|
Change the stash size computation from int to size_t.
Test: Apply an incremental BBOTA with the new updater.
Change-Id: Ib45b71b826fec6aa0ffafc67c17735825634eae0
|
|
We should include "bootloader_message/bootloader_message.h" now.
Test: m updater
Change-Id: I65b22a8a0bcc5976ff1ba827bd30b46ee9d59c53
|
|
Shift operator ("<<") has a higher precedence level than ternary
operator ("?").
Test: BBOTA update log says "performing update" as opposed to
"performing 0".
Change-Id: I0cf60cbfc11415e94f1f9f6effe75f14d13a1874
|
|
Commit 81e54eddd4132895d70ab8b2307c693311799e05 introduced the
inconsistency when resolving the merge conflict into master.
Test: mmma bootable/recovery
Change-Id: I43b7ec76a7eee000708cdca60bd372173e1fac2f
|
|
Test: Build an updater into a package and apply it on device.
Change-Id: I289b5768e9b1e44ef78e0479c64dbaa36fb1a685
|
|
We should always use unique_fd or unique_file to hold the FD or FILE*
pointer when opening via ota_(f)open functions.
This CL avoids accidentally closing raw FDs or FILE* pointers that are
managed by unique_fd/unique_file.
Test: recovery_component_test passes.
Change-Id: If58eb8b5c5da507563f85efd5d56276472a1c957
|
|
Add read_bootloader_message_from() and write_bootloader_message_to() to
allow specifying the BCB device (/misc).
Also add testcases for set_stage() and get_stage().
Test: recovery_component_test passes.
Test: Build a recovery image and apply a two-step OTA package.
Change-Id: If5ab06a1aaaea168d2a9e5dd63c07c0a3190e4ae
|
|
Test: recovery_component_test passes.
Change-Id: I3af4707bc42c7331ca961be8b967a53de82ea25b
|
|
write_value(value, filename) writes 'value' to 'filename'. It can be
used to tune device settings when applying an OTA package. For example,
write_value("960000", "/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq").
Bug: 32463933
Test: recovery_component_test passes.
Test: Apply an OTA package that contains a call to write_value(), and
check the result.
Change-Id: Ib009ecb8a45a94353f10c59e2383fe1f49796e35
(cherry picked from commit d0f3088aa95e255b39ed4b83da6b08866c2c3e0c)
|
|
write_value(value, filename) writes 'value' to 'filename'. It can be
used to tune device settings when applying an OTA package. For example,
write_value("960000", "/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq").
Bug: 32463933
Test: recovery_component_test passes.
Test: Apply an OTA package that contains a call to write_value(), and
check the result.
Change-Id: Ib009ecb8a45a94353f10c59e2383fe1f49796e35
|
|
'bool success = ExtractEntryToFile()' gives opposite result. Fix the
issue and add testcases.
Change the one-argument version of package_extract_file() to explicitly
abort for non-existent zip entry. Note that this is NOT changing the
behavior. Prior to this CL, it aborts from Evaluate() function, by
giving a general cause code. Now it returns kPackageExtractFileFailure.
BUg: 32903624
Test: recovery_component_test works.
Change-Id: I7a273e9c0d9aaaf8c472b2c778f7b8d90362c24f
(cherry picked from commit ef0eb3b01b66fbbc97908667a3dd1e02d710cbb7)
|
|
'bool success = ExtractEntryToFile()' gives opposite result. Fix the
issue and add testcases.
Change the one-argument version of package_extract_file() to explicitly
abort for non-existent zip entry. Note that this is NOT changing the
behavior. Prior to this CL, it aborts from Evaluate() function, by
giving a general cause code. Now it returns kPackageExtractFileFailure.
BUg: 32903624
Test: recovery_component_test works.
Change-Id: I7a273e9c0d9aaaf8c472b2c778f7b8d90362c24f
|
|
Clean up SymlinkFn() a bit. Also clean up the temp files created when
running the tests; otherwise non-empty TemporaryDir won't be removed.
Test: recovery_component_test passes.
Change-Id: Id3844abebd168c40125c4dcec54e6ef680a83c3a
|
|
Switch to use const std::string; and add corresponding tests.
Bug: 32649858
Test: Component tests pass
Change-Id: I640f3ec81f1481fa91aa310f8d4d96dac9649cb9
|
|
Test: recovery_component_test passes.
Change-Id: Iba5a0fdf6c79e2bed6b30b8fc19a306c1ab29d8a
|
|
Also add a testcase for delete() function.
Test: recovery_component_test passes.
Change-Id: I064d1ad4693c3ed339d0a69eabadd08a61a2ea86
|
|
Also add a testcase for file_getprop().
Test: recovery_component_test passes.
Change-Id: I8eb2f9a5702b43997ac9f4b29665eea087b1c146
|
|
ReadArgs will switch to using std::string and std::unique_ptr. Also
cleanup the callers.
Test: mma & component test passed.
Change-Id: I4724406ae6c0c134a27bbd1cdd24ad5d343b2a3b
|
|
Test: Unit tests and install-recovery.sh pass on angler and dragon.
Change-Id: I328e6554edca667cf850f5584ebf1ac211e3d4d1
|
|
Clean up the duplicated codes that handle the zip files in
bootable/recovery; and rename the library of the remaining
utility functions to libotautil.
Test: Update package installed successfully on angler.
Bug: 19472796
Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e
|
|
Changing the field of 'Value' in edify to std::string from char*.
Meanwhile cleaning up the users of 'Value' and switching them to
cpp style.
Test: compontent tests passed.
Bug: 31713288
Change-Id: Iec5a7d601b1e4ca40935bf1c70d325dafecec235
|
|
- Remove dead declarations in expr.h: SetError(), GetError(),
ClearError().
- Remove the declaration of Build() out of expr.h.
- Use std::unordered_map to implement RegisterFunction() and
FindFunction(); kill FinishRegistration().
- Add a testcase for calling unknown functions.
Test: mmma bootable/recovery; recovery_component_test passes.
Change-Id: I9af6825ae677f92b22d716a4a5682f58522af03b
|
|
Also add a testcase for sha1_check().
Test: mmma bootable/recovery; recovery_component_test passes.
Change-Id: I4d06d551a771aec84e460148544f68b247a7e721
|
|
So that we can write native tests for updater functions. This CL adds a
testcase for getprop() function.
Test: mmma bootable/recovery; Run recovery_component_test on device.
Change-Id: Iff4c1ff63c5c71aded2f9686fed6b71cc298c228
|
|
Test: `mmma bootable/recovery`
Change-Id: I70ccddb3ddf46bb012fdc5f632afc46ebdd5473e
|
|
Test: `mmma bootable/recovery`
Change-Id: I70ccddb3ddf46bb012fdc5f632afc46ebdd5473e
(cherry picked from commit 3cbe1d20978dc488272e2b1ba10890a006fdfab9)
|
|
This way we kill a few strdup() and free() calls.
Test: 1. recovery_component_test still passes;
2. Applying an update with the new updater works;
3. The error code in a script with abort("E310: xyz") is recorded into
last_install correctly.
Change-Id: Ibda4da5937346e058a0d7cc81764d6f02920010a
(cherry picked from commit 59dcb9cbea8fb70ab933fd10d35582b08cd13f37)
|
|
This way we kill a few strdup() and free() calls.
Test: 1. recovery_component_test still passes;
2. Applying an update with the new updater works;
3. The error code in a script with abort("E310: xyz") is recorded into
last_install correctly.
Change-Id: Ibda4da5937346e058a0d7cc81764d6f02920010a
|
|
Also remove the 0xff comparison when validating the bootloader
message fields. As the fields won't be erased to 0xff after we
remove the MTD support.
Bug: 28202046
Test: The recovery folder compiles for aosp_x86-eng
Change-Id: Ibb30ea1b2b28676fb08c7e92a1e5f7b6ef3247ab
(cherry picked from commit 7aa88748f6ec4e53333d1a15747bc44826ccc410)
|
|
Also remove the 0xff comparison when validating the bootloader
message fields. As the fields won't be erased to 0xff after we
remove the MTD support.
Bug: 28202046
Test: The recovery folder compiles for aosp_x86-eng
Change-Id: Ibb30ea1b2b28676fb08c7e92a1e5f7b6ef3247ab
|
|
Bug: http://b/23102347
Test: boot into recovery.
Change-Id: Ib2ca560f1312961c21fbaa294bb068de19cb883e
Merged-In: Ib2ca560f1312961c21fbaa294bb068de19cb883e
|
|
Bug: http://b/23102347
Test: boot into recovery.
Change-Id: Ib2ca560f1312961c21fbaa294bb068de19cb883e
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
(cherry picked from commit 747781433fb01f745529c7e9dd97c5599070ad0d)
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
|
|
We might end up in an infinite loop if read(2) reached EOF unexpectedly.
The problematic code in uncrypt mentioned in the bug has been fixed
by switching to libbase ReadFully(). So I grepped through the recovery
code and fixed some other occurences of the issue.
Bug: 31073201
Change-Id: Ib867029158ba23363b8f85d61c25058a635c5a6b
|
|
Bug: http://b/30708454
Change-Id: I7a5048beff1d8b783a9683dcb4a79606a77f20ee
|
|
Was accidentally broken by the CL in [1].
[1]: commit d6c93afcc28cc65217ba65eeb646009c4f15a2ad
Bug: 29767315
Change-Id: I851e13ccea6f5be6fcd47f712cc95867245f9934
(cherry picked from commit efacd80364c7ed42d56310949790d89febaf3444)
|
|
And move off the bionic __nonnull macro, which I'm removing.
Change-Id: I40b4424f4fd7bd8076e0eee3ec35de36c3ded8de
|
|
Check the results from applypatch in PerformCommandDiff; and abort the
update on failure.
Bug:29339536
Change-Id: I5087d79ba532b54250f4c17560524255c8a4fabc
|
|
Was accidentally broken by the CL in [1].
[1]: commit d6c93afcc28cc65217ba65eeb646009c4f15a2ad
Change-Id: I851e13ccea6f5be6fcd47f712cc95867245f9934
|
|
Bug: http://b/29250988
Change-Id: Ia97ba9082a165c37f74d6e1c3f71a367adc59945
|
|
If the update is a retry, ioctl(BLKDISCARD) the destination blocks before
writing to these blocks.
Bug: 28990135
Change-Id: I1e703808e68ebb1292cd66afd76be8fd6946ee59
|
|
Fix a typo for ota_fclose().
Change-Id: Ia93e911aa5391afc604874fc3a09c5a45c094c80
|
|
Write error code, cause code, and retry count into last_install. So we
can have more information about the reason of a failed OTA.
Example of new last_install:
@/cache/recovery/block.map package name
0 install result
retry: 1 retry count (new)
error: 30 error code (new)
cause: 12 error cause (new)
Details in:
go/android-ota-errorcode
Bug: 28471955
Change-Id: I00e7153c821e7355c1be81a86c7f228108f3dc37
|
|
One example of last_install is:
/sideload/package.zip
1
time_total: 101
bytes_written_system: 14574000
bytes_stashed_system: 100
bytes_written_vendor: 5107400
bytes_stashed_vendor: 0
Bug: 28658632
Change-Id: I4bf79ea71a609068d38fbce6b41bcb892524aa7a
|
|
Remove O_SYNC from mzExtractRecursive() and PackageExtractFileFn().
These functions deal with extracting whole files from the update
package onto a filesystem. If run on ext4 on a rotating disk, for
example, the O_SYNC flag will cause serious performance problems
and the extraction proecss can take over 30 minutes, with no
obvious benefits.
This API function already calls fsync(fd) after each file is
extracted to ensure data and metadata is written to the underlying
block device, so the O_SYNC calls should be superfluous and safely
removable.
This change does not affect the OTA patch paths or any modification
of the bootloader partition or writes to other 'emmc' partitions.
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
Change-Id: I9cbb98a98e6278bf5c0d7efaae340773d1fbfcd2
|
|
Bug: 28341362
Change-Id: I5b35ae16c069e7e9229e66963386f322bd808af1
|
|
[1] switched a few things to android::base::unique_fd including
CommandParameters.fd. However, we were using memset(3) to zero out the
struct, which effectively assigned unique_fd(0) to fd. When it called
fd.reset(), file descriptor 0 was unintentionally closed. When FD 0 was
later reassigned via open(2), it led to lseek(2) errors: "Bad file
descriptor".
This CL switches to using braced-init (i.e. '= {}') instead, so that the
default constructor unique_fd(-1) would be called.
[1]: commit bcabd0929316fdd022ea102cc86396547ad9f070
Bug: 28391985
Change-Id: If1f99932b15552714c399e65c8b80550344b758a
|
|
Bug: 28220065
Change-Id: Ida199c66692a1638be6990d583d2ed42583fb592
|
|
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
|
|
Bug: http://b/27764900
Change-Id: Ib62a59edcb13054f40f514c404d32b87b14ed5f1
|
|
Change-Id: I13ba3f40bd52b5f3e3fe9002a45a9a8630040129
|
|
Currently block_image_verify() stashes source blocks to /cache and
in some case triggers I/O errors. To avoid this risk, We create
a map from the hash value to the source blocks' range_set. When
executing stash command in verify mode, source range is saved but block
contents aren't stashed. And load_stash could get its value from
either the stashed file from the previous update, or the contents on
the source partition specified by the saved range.
Bug: 27584487
Bug: 25633753
Change-Id: I775baf4bee55762b6e7b204f8294afc597afd996
(cherry picked from commit 0188935d55206e8c2becb29e995f166cb7040355)
|
|
Currently block_image_verify() stashes source blocks to /cache and
in some case triggers I/O errors. To avoid this risk, We create
a map from the hash value to the source blocks' range_set. When
executing stash command in verify mode, source range is saved but block
contents aren't stashed. And load_stash could get its value from
either the stashed file from the previous update, or the contents on
the source partition specified by the saved range.
Bug: 27584487
Bug: 25633753
Change-Id: I775baf4bee55762b6e7b204f8294afc597afd996
|
|
Bug: 27724259
Change-Id: I65bdefed10b3fb85fcb9e1147eaf0687d7d438f4
|
|
This reverts commit f73abf36bcfd433a3fdd1664a77e8e531346c1b1.
Bug: 27724259
Change-Id: I1301fdad15650837d0b1febd0c3239134e2b94fb
|
|
Bug: 26570379
Change-Id: I76109d09276d6e3ed3a32b6fedafb2582f545c0c
|
|
Cherry pick this patch because it fixes the problem that
a newed Value is released by free().
Bug: 26906416
Change-Id: Ib53b445cd415a1ed5e95733fbc4073f9ef4dbc43
(cherry picked from commit d6c93afcc28cc65217ba65eeb646009c4f15a2ad)
|
|
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.
Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
(cherry picked from commit 3c62b67faf8a25f1dd1c44dc19759c3997fdfd36)
|
|
If two libraries both use LOCAL_WHOLE_STATIC_LIBRARIES and include a same
library, there would be linking errors when generating a shared library
(or executable) that depends on the two libraries both.
Also clean up Android.mk files.
Remove the "LOCAL_MODULE_TAGS := eng" line for the updater module. The
module will then default to "optional" which won't be built until needed.
Change-Id: I3ec227109b8aa744b7568e7f82f575aae3fe0e6f
|
|
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.
Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
|
|
Bug: 26570379
Change-Id: I76109d09276d6e3ed3a32b6fedafb2582f545c0c
(cherry picked from commit d940887dde23597dc358b16d96ca48dd7480fee6)
|
|
Bug: 26570379
Change-Id: I76109d09276d6e3ed3a32b6fedafb2582f545c0c
|
|
Bug: 26960931
Change-Id: Ieae45caccfb4728fcf514f0d920976585d8e6caf
|
|
Bug: 26906416
Change-Id: Ib53b445cd415a1ed5e95733fbc4073f9ef4dbc43
|
|
Bug: 25951086
Change-Id: I31c74c735eb7a975b7f41fe2b2eff042e5699c0c
(cherry-picked from commit f1fc48c6e62cfee42d25ad12f443e22d50c15d0b)
|
|
Bug: 26907377
Change-Id: I384c0131322b2d12f0ef489735e70e86819846a4
|
|
Bug: 18790686
Change-Id: I7d2136fb39b2266f5ae5be24819c617b08a6c21e
|
|
Add and register a function to check if the device has been remounted
since last update during incremental OTA. This function reads block 0
and executes before partition recovery for version >= 4.
Bug: 21124327
Change-Id: I8b915b9f1d4736b3609daa9d16bd123225be357f
(cherry picked from commit 30bf4765593e639966df9f460df22c3fe912e7bf)
|
|
Bug: 25951086
Change-Id: I31c74c735eb7a975b7f41fe2b2eff042e5699c0c
|
|
Add and register a function to check if the device has been remounted
since last update during incremental OTA. This function reads block 0
and executes before partition recovery for version >= 4.
Bug: 21124327
Change-Id: I8b915b9f1d4736b3609daa9d16bd123225be357f
|
|
We are already using O_SYNC and fsync() for the recursive case
(package_extract_dir()). Make it consistent for the single-file case.
Bug: 20625549
Change-Id: I487736fe5a0647dd4a2428845e76bf642e0f0dff
|
|
Output messages in log when recovery is attempted or succeeded during
incremental OTA update.
Change-Id: I4033df7ae3aaecbc61921d5337eda26f79164fda
(cherry picked from commit b686ba211443490111729ba9d82eb0c0b305e185)
|
|
Output messages in log when recovery is attempted or succeeded during
incremental OTA update.
Change-Id: I4033df7ae3aaecbc61921d5337eda26f79164fda
|
|
Change-Id: I36346fa199a3261da1ae1bc310b3557fe1716d96
|
|
Change-Id: I354a8c424d340a9abe21fd716a4ee0d3b177d86f
|
|
Change-Id: Ibe3173edd6274b61bd9ca5ec394d7f6b4a403639
(cherry picked from commit 1b1ea17d554d127a970afe1d6004dd4627cd596e)
|
|
Mostly trivial changes to make cpp compiler happy.
Change-Id: I69bd1d96fcccf506007f6144faf37e11cfba1270
(cherry picked from commit ba9a42aa7e10686de186636fe9fecbf8c4cc7c19)
|
|
Only trusted input is passed to parse_range, but check for invalid
input to catch possible problems in transfer lists.
Bug: 21033983
Bug: 21034030
Bug: 21034172
Bug: 21034406
Change-Id: I1e266de3de15c99ee596ebdb034419fdfe7eba1f
(cherry picked from commit f2bac04e1ba0a5b79f8adbc35b493923b776f8b2)
|
|
These are already getting libc++, so it isn't necessary. If any of the
other static libraries (such as adb) use new or delete from libc++,
there will be symbol collisions.
Change-Id: I55e43ec60006d3c2403122fa1174bde06f18e09f
(cherry picked from commit e49a9e527a51f43db792263bb60bfc91293848da)
|
|
And a few trival fixes to suppress warnings.
Change-Id: Id28e3581aaca4bda59826afa80c0c1cdfb0442fc
(cherry picked from commit 80e46e08de5f65702fa7f7cd3ef83f905d919bbc)
|
|
To accommodate new changes in N release, such as error correction [1]
and other potential changes to the updater.
[1]: commit 0a7b47397db3648afe6f3aeb2abb175934c2cbca
Change-Id: I4dd44417d07dd0a31729894628635a0aa1659008
|
|
Add block_image_recover function to rewrite corrupted blocks on the
partition. This can be attempted if block_image_verify fails.
Note that we cannot use libfec during block_image_update as it may
overwrite blocks required for error correction. A separate recovery
pass in case the image is corrupted is the only viable option.
Bug: 21893453
Change-Id: I6ff25648fff68d5f50b41a601c95c509d1cc5bce
|
|
We have the last line being empty as a result of
android::base::Split("a\nb\n"), which leads to "missing command"
warnings in the update. Just skip all the empty lines.
Bug: 24373789
Change-Id: I5827e4600bd5cf0418d95477e4592fec47bbd3a9
|
|
Change-Id: Ic769eafc8d9535b1d517d3dcbd398c3fd65cddd9
|
|
Change-Id: I63f28b3b4ba4185c23b972fc8f93517295b1672a
|
|
When processing ui_print commands in the updater, it misses a line break
when printing to the recovery log.
Also clean up uiPrintf() and UIPrintFn() with std::string's.
Change-Id: Ie5dbbfbc40b024929887d3c3ccd3a334249a8c9d
|
|
Change-Id: Ide489e18dd8daf161b612f65b28921b61cdd8d8d
|
|
And inline the call to LoadSrcTgtVersion1() into SaveStash().
Change-Id: Ibf4ef2bfa2cc62df59c4e8de99fd7d8039e71ecf
|
|
Replace C-string with std::string, pointers with references, and
variable-size arrays in struct with std::vector.
Change-Id: I57f361a0e58286cbcd113e9be225981da56721b2
|
|
Change-Id: I6a8d9bea4c1cd8ea7b534682061b90e893b227a2
|
|
There is an integer overflow when the size of system goes beyond the
signed int limits. Hence changing pos to size_t.
Change-Id: I6e5e1b2f0e72030b30a6df09a01642f4c82abc79
|
|
So we can remove a few free()s. And also replace a few pointers with
references.
Change-Id: I4b6332216704f4f9ea4a044b8d4bb7aa42a7ef26
|
|
We need to ensure the renamed filename reaches the underlying storage.
Bug: 22840552
Change-Id: I824b6e9d8a9c5966035be7b42a73678d07376342
(cherry picked from commit dc3922622a94af4f6412fd68e8f075f839ab2348)
|
|
We need to ensure the renamed filename reaches the underlying storage.
Bug: 22840552
Change-Id: Ide2e753a2038691d472b6ee173cbf68ac998a084
|
|
Currently the fsync() inside write_all() may be called multiple times
when performing a command. Move that to the outer loop and call it
only after completing the command.
Also remove the O_SYNC flag when writing a stash.
Change-Id: I71e51d76051a2f7f504eef1aa585d2cb7a000d80
|
|
Change-Id: I18da9e6da64fccab495dc5a96e3efd95cc6d88bf
(cherry picked from commit 1b1ea17d554d127a970afe1d6004dd4627cd596e)
|
|
Change-Id: Ibe3173edd6274b61bd9ca5ec394d7f6b4a403639
|
|
Mostly trivial changes to make cpp compiler happy.
Change-Id: I1b0481465c67c3bbca35a839d0764190d84ff34e
(cherry picked from commit ba9a42aa7e10686de186636fe9fecbf8c4cc7c19)
|
|
Mostly trivial changes to make cpp compiler happy.
Change-Id: I69bd1d96fcccf506007f6144faf37e11cfba1270
|
|
This reverts commit b65f0272c860771f2105668accd175be1ed95ae9.
It slows down the update too much on some devices (e.g. increased
from 8 mins to 40 mins to take a full OTA update).
Bug: 22129621
Change-Id: I016e3b47313e3113f01bb4f8eb3c14856bdc35e5
(cherry picked from commit 7125f9594db027ce4313d940ce2cafac67ae8c31)
|
|
This reverts commit b65f0272c860771f2105668accd175be1ed95ae9.
It slows down the update too much on some devices (e.g. increased
from 8 mins to 40 mins to take a full OTA update).
Bug: 22129621
Change-Id: I4e8d4f6734967caf4f0d19c734027f7b6c107370
|
|
A RangeSet has half-closed half-open bounds. For example, "3,5" contains
blocks 3 and 4. So "3,5" and "5,7" are actually not overlapped.
Bug: 22098085
Change-Id: I362d259f8b5d62478858ad0422b635bc5068698d
(cherry picked from commit c0f56ad76680df555689d4a2397487ef8c16b1a6)
|
|
A RangeSet has half-closed half-open bounds. For example, "3,5" contains
blocks 3 and 4. So "3,5" and "5,7" are actually not overlapped.
Bug: 22098085
Change-Id: I75e54a6506f2a20255d782ee710e889fad2eaf29
|
|
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.
Bug: 20614277
Bug: 20881595
Change-Id: I4f6f2db39db990879ff10468c9db41606497bd6f
(cherry picked from commit a3c75e3ea60d61df93461f5c356befe825c429d2)
|
|
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.
Bug: 20614277
Bug: 20881595
Change-Id: I4f6f2db39db990879ff10468c9db41606497bd6f
|
|
This reverts commit 96392b97f6bf1670d478494fb6df89a3410e53fa.
Change-Id: I77acc27158bad3cd8948390a3955197646a43a31
|
|
This reverts commit 604c583c9dd3d47906b1a57c14a7e9650df7471e.
Change-Id: I2b0b283dc3f44bae55c5e9f7231d7c712630c2b5
|
|
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.
Bug: 20614277
Bug: 20881595
Change-Id: I0280fe115b020dcab35f49041fb55b7f8e793da3
(cherry picked from commit 96392b97f6bf1670d478494fb6df89a3410e53fa)
|
|
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.
Bug: 20614277
Bug: 20881595
Change-Id: I0280fe115b020dcab35f49041fb55b7f8e793da3
|
|
And a few trival fixes to suppress warnings.
Change-Id: I38734b5f4434643e85feab25f4807b46a45d8d65
|
|
Change-Id: I66ae21a25a25fa3c70837bc54a7d406182d4cf37
|
|
Although stdout and stderr are both redirected to log file with no
buffering, we are seeing some outputs are mixed in random order.
This is because ui_print commands from the updater are passed to the
recovery binary via a pipe, which may interleave with other outputs
that go to stderr directly.
In recovery, adding ui::PrintOnScreenOnly() function to handle
ui_print command, which skips printing to stdout. Meanwhile, updater
prints the contents to stderr in addition to piping them to recovery.
Change-Id: Idda93ea940d2e23a0276bb8ead4aa70a3cb97700
|
|
I missed one last time.
Bug: http://b/20501816
Change-Id: I9896ee2704237d61ee169f898680761e946e0a56
(cherry picked from commit b3ac676192a093c561b7f15064cbd67733407b12)
|
|
In the block updater, if BLKDISCARD fails, the error is silently
ignored and some of the blocks may not be erased. This means the
target partition will have inconsistent contents.
If the ioctl fails, return an error and abort the update.
Bug: 20614277
Change-Id: I33867ba9337c514de8ffae59f28584b285324067
(cherry picked from commit cc2428c8181d18c9a88db908fa4eabd2db5601ad)
|
|
I missed one last time.
Bug: http://b/20501816
Change-Id: I9896ee2704237d61ee169f898680761e946e0a56
|
|
In the block updater, if BLKDISCARD fails, the error is silently
ignored and some of the blocks may not be erased. This means the
target partition will have inconsistent contents.
If the ioctl fails, return an error and abort the update.
Bug: 20614277
Change-Id: I33867ba9337c514de8ffae59f28584b285324067
|
|
These are already getting libc++, so it isn't necessary. If any of the
other static libraries (such as adb) use new or delete from libc++,
there will be symbol collisions.
Change-Id: I55e43ec60006d3c2403122fa1174bde06f18e09f
|
|
Bug: http://b/20501816
Change-Id: I35efcd8dcec7a6492ba70602d380d9980cdda31f
(cherry picked from commit b47afedb42866e85b76822736d915afd371ef5f0)
|
|
Bug: http://b/20501816
Change-Id: I35efcd8dcec7a6492ba70602d380d9980cdda31f
|
|
Only trusted input is passed to parse_range, but check for invalid
input to catch possible problems in transfer lists.
Bug: 21033983
Bug: 21034030
Bug: 21034172
Bug: 21034406
Change-Id: Ia17537a2d23d5f701522fbc42ed38924e1ee3366
|
|
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek.
Bug: http://b/20625546
Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b
(cherry picked from commit 7bad7c4646ee8fd8d6e6ed0ffd3ddbb0c1b41a2f)
|
|
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek.
Bug: http://b/20625546
Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b
|
|
When automatically stashing overlapping blocks, should the stash
file already exist due to an explicit stash command, it's not safe
to remove the stash file after the command has completed.
Note that it is safe to assume that the stash file will remain in
place during the execution of the next command, so we don't have
take other measures to preserve overlapping blocks.
The stash file itself will be removed by a free command when it's
no longer needed.
Bug: 20297065
Change-Id: I8ff1a798b94086adff183c5aac03260eb947ae2c
|
|
Change-Id: I7009959043150fabf5853a43ee2448c7fbea176e
|
|
Return NULL to abort the update process. Note that returning ""
won't stop the script.
Change-Id: Ifd108c1356f7c92a905c8776247a8842c6445319
|
|
I've added explanatory comments to mzExtractRecursive because
that function will live on as a utility even after we move the
zip format related logic to libziparchive.
bug: 19472796
Change-Id: Id69db859b9b90c13429134d40ba72c1d7c17aa8e
|
|
I've added explanatory comments to mzExtractRecursive because
that function will live on as a utility even after we move the
zip format related logic to libziparchive.
bug: 19472796
(cherry-picked from commit c9ccdfd7a42de08c47ab771b94dc5b9d1f957b95)
Change-Id: I8b7fb6fa3eafb2e7ac080ef7a7eceb691b252d8a
|
|
warning: format '%lu' expects argument of type 'long unsigned int', but
argument 3 has type 'unsigned int' [-Wformat] sizeof(RangeSet) + num * sizeof(int));
Change-Id: I4a3c6fc8d40c08ea84f8f5ee13f39350e4264027
|
|
Change-Id: I480c02ffedd811f4dda9940ef979a05ff54f1435
Bug: 19410117
|
|
This notice was added for libsyspatch and libxdelta3, but that code
has been removed since.
Change-Id: I4008878ded56ca1d5094a8208728f8c02fe1fe03
|
|
Add support for transfer list version 3, which allows us to
verify the status of each command and resume an interrupted
block based OTA update. Notes on the changes:
- Move the previous BlockImageUpdateFn to a shorter and
reusable PerformBlockImageUpdate, which can be used also
in BlockImageVerifyFn for verification.
- Split individual transfer list commands into separate
functions with unified parameters for clarity, and use
a hash table to locate them during execution.
- Move common block reading and writing to ReadBlocks and
WriteBlocks to reduce code duplication, and rename the
readblock and writeblock to less confusing read_all and
write_all.
The coding style of the new functions follows the existing
style in the updater/edify code.
Needs matching changes from
Ia5c56379f570047f10f0aa7373a1025439495c98
Bug: 18262110
Change-Id: I1e752464134aeb2d396946348e6041acabe13942
|
|
Change-Id: I06ea08400efa511e627be37a4fd70fbdfadea2e6
|
|
When building for 32p, we need to be explicit that we wish to build
the 32bit version of the binaries that will be placed in the recovery
image. The recovery image doesn't actually care... but if we are not
explicit in this, the makefiles will ask for the 64bit binaries but the
Android.mk for the binaries will supply the 32bit images (causing the
build to fail).
Change-Id: Iea2d5f412740c082795da4358765751138a4b167
|
|
This allows tune2fs to be executed from within OTA scripts,
allowing for file system modifications without formatting the
partition
Bug: 18430740
Change-Id: I0c2e05b5ef4a81ecea043e9b7b99b545d18fe5e6
|
|
This allows tune2fs to be executed from within OTA scripts,
allowing for file system modifications without formatting the
partition
Bug: 18430740
Change-Id: I0c2e05b5ef4a81ecea043e9b7b99b545d18fe5e6
|
|
Bug: 18092022
Change-Id: I6c42038ebeb1cfc1e7ca0d3e12310fdce1b990b0
|
|
At the end of the OTA script, we walk through /system, updating
all the permissions on the filesystem, including the UID, GID,
standard UNIX permissions, capabilities, and SELinux labels.
In the case of a symbolic link, however, we want to skip most of
those operations. The UID, GID, UNIX permissions, and capabilities
don't meaningfully apply to symbolic links.
However, that's not true with SELinux labels. The SELinux label on
a symbolic link is important. We need to make sure the label on the
symbolic link is always updated, even if none of the other attributes
are updated.
This change unconditionally updates the SELinux label on the symbolic
link itself. lsetfilecon() is used, so that the link itself is updated,
not what it's pointing to.
In addition, drop the ENOTSUP special case. SELinux has been a
requirement since Android 4.4. Running without filesystem extended
attributes is no longer supported, and we shouldn't even try to handle
non-SELinux updates anymore. (Note: this could be problematic if
these scripts are ever used to produce OTA images for 4.2 devices)
Bug: 18079773
Change-Id: I87f99a1c88fe02bb2914f1884cac23ce1b385f91
|
|
Bug: 18079773
Bug: 18092222
Change-Id: Ifc3f3e123de729dfbb2f49414b3207afa96268d5
|
|
Bug: 18079773
Change-Id: Ic6fddbcbcb6ddb9e1cbd1698df98387c0033ae15
|
|
This should help with reentrant OTAs.
Bug: 18079773
Change-Id: I102fd738e3b450483ecd4471384c12e89fc586e2
|
|
In version 2 of block image diffs, we support a new command to load
data from the image and store it in the "stash table" and then
subsequently use entries in the stash table to fill in missing bits of
source data we're not allowed to read when doing move/bsdiff/imgdiff
commands.
This leads to smaller update packages because we can break cycles in
the ordering of how pieces are updated by storing data away and using
it later, rather than not using the data as input to the patch system
at all. This comes at the cost of the RAM or scratch disk needed to
store the data.
The implementation is backwards compatible; it can still handle the
existing version 1 of the transfer file format.
Change-Id: I4559bfd76d5403859637aeac832f3a5e9e13b63a
|
|
In version 2 of block image diffs, we support a new command to load
data from the image and store it in the "stash table" and then
subsequently use entries in the stash table to fill in missing bits of
source data we're not allowed to read when doing move/bsdiff/imgdiff
commands.
This leads to smaller update packages because we can break cycles in
the ordering of how pieces are updated by storing data away and using
it later, rather than not using the data as input to the patch system
at all. This comes at the cost of the RAM or scratch disk needed to
store the data.
The implementation is backwards compatible; it can still handle the
existing version 1 of the transfer file format.
Change-Id: I7fafe741d86b92d82d46feb2939ecf5a3890dc64
|
|
The comment for the DEBUG_ERASE setting is exactly backwards.
Change-Id: I98ab5828365894217fc78976817a131e7d22d5c1
|
|
Otherwise, overflow problems can occur with images larger than
2G since the offsets will overflow a 32-bit off_t.
Change-Id: I05951a38ebeae83ad2cb938594e8d8adb323e2aa
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Superseded by newer code.
Bug: 16984795
Change-Id: I842299f6a02af7ccf51ef2ca174d813ca53deef1
|
|
Superseded by newer code.
Bug: 16984795
Change-Id: I70c1d29dc03287b06ea909d17f729ec51ccb0344
|
|
The computation of file offsets was overflowing for partitions larger
than 2 GB. The parsing of the transfer file could fail at the end if
the data happened to not be properly null-terminated.
Bug: 16984795
Change-Id: I3ce6eb3e54ab7b55aa9bbed252da5a7eacd3317a
|
|
(Cherry-pick back from master.)
Bug: 16984795
Change-Id: Ifa3d8345c5e2a0be86fb28faa080ca82592a96b4
|
|
Bug: 16984795
Change-Id: I90f958446baed83dec658de2430c8fc5e9c3047e
|
|
These error messages include empty parens after each string
substition. Ill-advised cut and paste, probably.
Bug: 16467401
Change-Id: Ib623172d6228354afdcc2e33442cc53a07f0ecbc
|
|
Sometimes renames will move a file into a directory
that does not yet exist. This will create the
parent directories, using the same symlink logic,
to ensure that there is a valid destination.
Bug: 16458395
Change-Id: Iaa005a12ce800c39f4db20f7c25a2a68cb40a52d
|
|
Sometimes renames will move a file into a directory
that does not yet exist. This will create the
parent directories, using the same symlink logic,
to ensure that there is a valid destination.
Change-Id: Iaa005a12ce800c39f4db20f7c25a2a68cb40a52d
|
|
This adds F2FS support
- for wiping a device
- for the install "format" command.
Note: crypto data in "footer" with a default/negative length
is not supported, unlike with "ext4".
Change-Id: I8d141a0d4d14df9fe84d3b131484e9696fcd8870
Signed-off-by: JP Abgrall <jpa@google.com>
|
|
While executing syspatch and package_extract_file() calls with don't
care maps (both of which are used to rewrite the system image in
incremental and full block OTAs, respectively), pass a progress
callback in and use it to update the visible progress bar.
Change-Id: I1d3742d167c1bb2130571eb5103b7795c65ff371
|
|
The default recovery UI will reboot the device when the power key is
pressed 7 times in a row, regardless of what recovery is doing.
Disable this feature during package installation, to minimize the
chance of corrupting the device due to a mid-install reboot. (Debug
packages can explicitly request that the feature be reenabled.)
Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
|
|
The new build.prop for Sprout includes lines of the format:
import xxx.prop
These can be safely ignored when reading the property file.
Change-Id: Ia84a138e71461ffe8e591e88143b9787873def29
|
|
Change-Id: I92d5abd1a628feab3b0246924fab7f97ba3b9d34
|
|
Make package_extract_file() take an optional third argument which is
the pathname (in the package zip) of a map of don't-care regions to
skip over when writing the file.
Modify syspatch() to take source and target don't-care maps and use
them when patching the system partition.
Add the wipe_block_device() function to do a discard of all data on
the partition.
Change-Id: I8c856054edfb6aab2f3e5177f16d9d78add20be4
|
|
updater now depends on the GPL'd libraries libsyspatch and libxdelta3,
so be careful when taking code from this directory.
Change-Id: Ib6f8c50ce7052912b9d81ff96d095f778bf9a3d0
|
|
Change-Id: Id38b08607829bccc031693cc03e60e849903b6f8
|
|
Change-Id: I1541534ee6978ddf8d548433986679ce9507d508
|
|
Older versions of android supported an ASLR system where binaries were
randomly twiddled at OTA install time. Remove support for this; we
now use the ASLR support in the linux kernel.
Change-Id: I8348eb0d6424692668dc1a00e2416fbef6c158a2
|
|
Add the syspatch() function, which can apply xdelta3+xz patches using
the libsyspatch library.
Change-Id: Idc1921e449020923bcaf425a1983bec0833e47ed
|
|
Changes minzip and recovery's file signature verification to work on
memory regions, rather than files.
For packages which are regular files, install.cpp now mmap()s them
into memory and then passes the mapped memory to the verifier and to
the minzip library.
Support for files which are raw block maps (which will be used when we
have packages written to encrypted data partitions) is present but
largely untested so far.
Bug: 12188746
Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
|
|
Change-Id: I85726bf736203d602428114145c3b98692580656
|
|
In order to support multi-stage recovery packages, we add the
set_stage() and get_stage() functions, which store a short string
somewhere it can be accessed across invocations of recovery. We also
add reboot_now() which updater can invoke to immediately reboot the
device, without doing normal recovery cleanup. (It can also choose
whether to boot off the boot or recovery partition.)
If the stage string is of the form "#/#", recovery's UI will be
augmented with a simple indicator of what stage you're in, so it
doesn't look like a reboot loop.
Change-Id: I62f7ff0bc802b549c9bcf3cc154a6bad99f94603
|
|
try to process them via patch + rename, instead of
delete + add.
b/11437930
Change-Id: I984349fbc9a8dac4379e00c0d66fc7d22c4eb834
|
|
(cherry picked from commit bac7fba02763ae5e78e8e4ba0bea727330ad953e)
Change-Id: I01c38d7fea088622a8b0bbf2c833fa2d969417af
|
|
set_perm and set_perm_recursive are no longer used. Delete.
(cherry picked from commit 08ef9a957027183dcf55e432441e8fb0d5299aba)
Change-Id: I1bcc90ae19af9df4f0705496c5876987159f75ac
|
|
set_perm and set_perm_recursive are no longer used. Delete.
Change-Id: I3bb40b934b6c093b24b88aa4ed6f3c7de2bb52f0
|
|
Bug: 10183961
Bug: 10186213
Bug: 8985290
Change-Id: I57cb14af59682c5f25f1e091564548bdbf20f74e
|
|
Bug: 10183961
Bug: 10186213
Bug: 8985290
Change-Id: I57cb14af59682c5f25f1e091564548bdbf20f74e
|
|
Introduce two new updater functions:
* set_metadata
* set_metadata_recursive
Long term, these functions are intended to be more flexible replacements
for the following methods:
* set_perm
* set_perm_recursive
Usage:
set_metadata("filename", "key1", "value1", "key2", "value2", ...)
set_metadata_recursive("dirname", "key1", "value1", "key2", "value2", ...)
Description:
set_metadata() and set_metadata_recursive() set the attributes on a file/directory
according to the key/value pairs provided. Today, the following keys are
supported:
* uid
* gid
* mode (set_perm_extd only)
* fmode (set_perm_extd_recursive only)
* dmode (set_perm_extd_recursive only)
* selabel
* capabilities
Unknown keys are logged as warnings, but are not fatal errors.
Examples:
* set_metadata("/system/bin/netcfg", "selabel", "u:object_r:system_file:s0");
This sets the SELinux label of /system/bin/netcfg to u:object_r:system_file:s0.
No other changes occur.
* set_metadata("/system/bin/netcfg", "uid", 0, "gid", 3003, "mode", 02750, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);
This sets /system/bin/netcfg to uid=0, gid=3003, mode=02750,
selinux label=u:object_r:system_file:s0, and clears the capabilities
associated with the file.
* set_metadata_recursive("/system", "uid", 0, "gid", 0, "fmode", 0644, "dmode", 0755, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);
All files and directories under /system are set to uid=0, gid=0,
and selinux label=u:object_r:system_file:s0. Directories are set to
mode=0755. Files are set to mode=0644 and all capabilities are cleared.
Bug: 10183961
Bug: 10186213
Bug: 8985290
Change-Id: Ifdcf186a7ed45265511dc493c4036e1ac5e3d0af
|
|
This reverts commit 627eb30f73c29257acaeb6568f3da38880784f7c.
Bug: 10183961
Bug: 10186213
|
|
Modify the OTA installer to understand SELinux filesystem labels.
We do this by introducing new set_perm2 / set_perm2_recursive
calls, which understand SELinux filesystem labels. These filesystem
labels are applied at the same time that we apply the
UID / GID / permission changes.
For compatibility, we preserve the behavior of the existing
set_perm / set_perm_recursive calls.
If the destination kernel doesn't support security labels, don't
fail. SELinux isn't enabled on all kernels.
Bug: 8985290
Change-Id: I99800499f01784199e4918a82e3e2db1089cf25b
|
|
Recovery currently has a random mix of messages printed to stdout and
messages printed to stderr, which can make logs hard to read. Move
everything to stdout.
Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
|
|
Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e
|
|
Bug: 8580410
Change-Id: Ie60dade81c06589cb0daee431611ded34adef8e6
|
|
Change-Id: Ia96201f20f7838d7d9e8926208977d3f8318ced4
|
|
The bonus data option lets you give an additional blob of uncompressed
data to be used when constructing a patch for chunk #1 of an image.
The same blob must be available at patch time, and can be passed to
the command-line applypatch tool (this feature is not accessible from
edify scripts).
This will be used to reduce the size of recovery-from-boot patches by
storing parts of the recovery ramdisk (the UI images) on the system
partition.
Change-Id: Iac1959cdf7f5e4582f8d434e83456e483b64c02c
|
|
Change-Id: I664f8dc7939f8f902e4775eaaf6476fcd4ab8ed2
|
|
Change-Id: I4154db066865d6031caa3c2c3b94064b2f28076e
|
|
Full OTAs currently fail if the build contains a directory containing
only symlinks, because nothing creates that directory. Change the
symlink() command to create any ancestor directories that don't exist.
They're created as owner root perms 0700 because we assume that in
practice subsequent set_perm_recursive() calls will fix up their
ownership and permissions.
Change-Id: I4681cbc85863d9778e36b924f0532b2b3ef14310
|
|
Change-Id: I664f8dc7939f8f902e4775eaaf6476fcd4ab8ed2
|
|
Change-Id: I4154db066865d6031caa3c2c3b94064b2f28076e
|
|
libext4_utils requires libsparse, link against it as well.
Change-Id: I4d6aec0e5edcf1ed42118b7b77adcded2858d3dd
|
|
instead of creating the list file whenever loading the Android.mk
Change-Id: I78e4820754399dff3993a863eede8b75da9f6d29
|
|
Requires I5a63fd61a7e74d386d0803946d06bcf2fa8a857e
Change-Id: Ica5fb73d6f2ffb981b74d1896538988dbc4d9b24
|
|
Extend minzip, recovery, and updater to set the security context on
files based on the file_contexts configuration included in the package.
Change-Id: Ied379f266a16c64f2b4dca15dc39b98fcce16f29
|
|
It's surprising if these fail, so abort the whole edify script to
catch any problems early.
Bug: 2284848
Change-Id: Ia2a0b60e7f086fc590b242616028905a229c9e05
|
|
Removes the retouch_binaries and undo_retouch_binaries from updater;
newly generated OTA packages should not call them any more.
Note that applypatch retains the ability to unretouch a file as it
reads it. This will be needed as long as we want to support OTAs from
devices that were installed with retouching.
Change-Id: Ib3f6baeae90c84ba85983f626d821ab7e436ceb2
|
|
libext4_utils now calls libselinux in order to determine the
file security context to set on files when creating ext4 images.
Change-Id: I09fb9d563d22ee106bf100eacd4cd9c6300b1152
|
|
Replace the device-specific functions with a class. Move some of the
key handling (for log visibility toggling and rebooting) into the UI
class. Fix up the key handling so there is less crosstalk between the
immediate keys and the queued keys (an increasing annoyance on
button-limited devices).
Change-Id: I698f6fd21c67a1e55429312a0484b6c393cad46f
|
|
Replace the device-specific functions with a class. Move some of the
key handling (for log visibility toggling and rebooting) into the UI
class. Fix up the key handling so there is less crosstalk between the
immediate keys and the queued keys (an increasing annoyance on
button-limited devices).
Change-Id: I8bdea6505da7974631bf3d9ac3ee308f8c0f76e1
|
|
updater now has a function "wipe_cache();" which causes recovery to
wipe the cache partition after the successful installation of the
package. Move log copying around a bit so logs and the last_install
flag file are copied to cache after it's wiped.
Bug: 5314244
Change-Id: Id35a9eb6dcd626c8f3a3a0076074f462ed3d44bd
|
|
Change-Id: I787c086223b674050c0a12fc575add9badb471af
|
|
diff: out/target/product/generic/obj/PACKAGING/updater_extensions_intermediates/register.inc.list:
No such file or directory
Change-Id: I269b1703b6091b343db45b1c5cdd0962c738788b
|
|
write_raw_image() can now take either a blob or a filename as the
source. The blob format eliminates the need for a temp file.
Change-Id: I0c6effec53d47862040efcec75e64b7c951cdcf7
|
|
When formatting /data, if it's an ext4 filesystem, reserve the
last 16 Kbytes for the crypto footer.
Change-Id: I7b401d851ee87732e5da5860df0287a1c331c5b7
|
|
Change-Id: Id96e98da76b3091987b01651f980797b1d6b49d8
|
|
Change-Id: Ie6e309b127e80cd6475f1deaa5dbadf9f5cc2746
|
|
Change-Id: I9d34e491022d7dfed653a861b0728a0a656f1fbe
|
|
Make the mount and format functions take extra parameters describing
the filesystem type and add support for mounting and formatting ext4
filesystems on EMMC.
Change recovery to consistently use stdout for status messages instead
of mixing stdout and stderr.
|
|
Close the update package before invoking the binary, to allow the
installer to unmount /cache if it wants to. Add a function to allow
remounting of a mount as read-only.
Change-Id: Idfcc96c3da66083295177f729263560be58034e4
|
|
An extra parameter was added to the make_ext4fs() function, we these tools need
to be updated to match.
Change-Id: Id640a7f2b03153eb333b00337f0f991ff5332349
|
|
Separate files for retouch functionality are in minelf/*
ASLR for shared libraries is controlled by "-a" in ota_from_target_files.
Binary files are self-contained. Retouch logic can recover from crashes.
Signed-off-by: Hristo Bojinov <hristo@google.com>
Change-Id: I76c596abf4febd68c14f9d807ac62e8751e0b1bd
|
|
This CL removes the following line from the top of build logs:
"diff: out/target/product/*/obj/PACKAGING/updater_extensions_intermediates/register.inc.list: No such file or directory"
Change-Id: I79c15a69a0b1b0da0e45620b45a7a0fea5625250
|
|
Make the mount and format functions take extra parameters describing
the filesystem type and add support for mounting and formatting ext4
filesystems on EMMC.
Change recovery to consistently use stdout for status messages instead
of mixing stdout and stderr.
|
|
Change the applypatch function to take meaningful arguments instead of
argc and argv. Move all the parsing of arguments into main.c (for the
standalone binary) and into install.c (for the updater function).
applypatch() takes patches as Value objects, so we can pass in blobs
extracted from the package without ever writing them to temp files.
The patching code is changed to read the patch from memory instead of
a file.
A bunch of compiler warnings (mostly about signed vs unsigned types)
are fixed.
Support for the IMGDIFF1 format is dropped. (We've been generating
IMGDIFF2 packages for some time now.)
Change-Id: I217563c500012750f27110db821928a06211323f
|
|
- Move applypatch to this package (from build).
- Add a rudimentary type system to edify: instead of just returning a
char*, functions now return a Value*, which is a struct that can
carry different types of value (currently just STRING and BLOB).
Convert all functions to this new scheme.
- Change the one-argument form of package_extract_file to return a
Value of the new BLOB type.
- Add read_file() to load a local file and return a blob, and
sha1_check() to test a blob (or string) against a set of possible
sha1s. read_file() uses the file-loading code from applypatch so it
can read MTD partitions as well.
This is the start of better integration between applypatch and the
rest of edify.
b/2361316 - VZW Issue PP628: Continuous reset to Droid logo:
framework-res.apk update failed (CR LIBtt59130)
Change-Id: Ibd038074749a4d515de1f115c498c6c589ee91e5
|
|
Remove support for the HTC-specific "firmware" update command and the
corresponding edify function write_firmware_update(). This
functionality is now done by an edify extension library that lives in
vendor/htc.
Change-Id: I80858951ff10ed8dfff98aefb796bef009e05efb
|
|
Add a version of package_extract_file that returns the file data as
its return value (to be consumed by some other edify function that
expects to receive a bunch of binary data as an argument). Lets us
avoid having two copies of a big file in memory (extracting it into
/tmp, which is a ramdisk, and then having something load it into
memory) when doing things like radio updates.
Change-Id: Ie26ece5fbae457eb0ddcd8a13d74d78a769fbc70
|
|
|
|
The symlink() function should remove existing files before creating
symlinks, so scripts are idempotent. Log messages when various system
calls fail (but don't make the whole script fail).
|
|
Handy for producing debugging OTA packages (eg, running sqlite3 or
whatever in recovery).
|
|
updater (which is only needed in OTA packages) is getting included in
/system/bin, where it just takes up (quite a bit of) space. Use the
hack of including it only in eng builds so it's not there for user
builds.
|
|
We were inadvertently skipping over the first filename in the list of
arguments.
|
|
Let recovery accept set_progress commands to control progress over the
'current segment' of the bar. Add a set_progress() builtin to the
updater binary.
|
|
Allow devices (in BoardConfig.mk) to define additional static
libraries to be linked in to updater, to make device-specific
functions available in edify scripts. Modify the updater makefile to
arrange for device libraries to register their edify functions.
|
|
Add a function to read a property from a ".prop"-formatted file
(key=value pairs, one per line, ignore # comment lines and blank
lines). Move ErrorAbort to the core of edify; it's not specific to
updater now that errors aren't stored in the app cookie.
|
|
To do a firmware-install-on-reboot, the update binary tells recovery
what file to install before rebooting. Let this file be specified as
"PACKAGE:<foo>" to indicate taking the file out of the OTA package,
avoiding an extra copy to /tmp. Bump the API version number to
reflect this change.
|
|
A few more changes to edify:
- fix write_raw_image(); my last change neglected to close the write
context, so the written image was corrupt.
- each expression tracks the span of the source code from which it
was compiled, so that assert()'s error message can include the
source of the expression that failed.
- the 'cookie' argument to each Function is replaced with a State
object, which contains the cookie, the source script (for use with
the above spans), and the current error message (replacing the
global variables that were used for this purpose).
- in the recovery image, a new command "ui_print" can be sent back
through the command pipe to cause text to appear on the screen.
Add a new ui_print() function to print things from scripts.
Rename existing "print" function to "stdout".
|
|
Adds more edify functions for OTAs:
is_mounted getprop apply_patch apply_patch_check apply_patch_space
write_raw_image write_firmware_image package_extract_file
This allows us to install radios, hboots, boot images, and install
incremental OTA packages.
Fixes a couple of dumb bugs in edify itself:
- we were doubling the size of the function table each time it was
*not* full, rather than each time it was full
- "no such function" errors weren't visible to the parser, so they
didn't prevent execution of the script.
|
|
Adds the following edify functions:
mount unmount format show_progress delete delete_recursive
package_extract symlink set_perm set_perm_recursive
This set is enough to extract and install the system part of a (full)
OTA package.
Adds the updater binary that extracts an edify script from the OTA
package and then executes it. Minor changes to the edify core (adds a
sleep() builtin for debugging, adds "." to the set of characters that
can appear in an unquoted string).
|