From 545317f4fb99efd4d2c32187328e617ad6f69980 Mon Sep 17 00:00:00 2001 From: Tom Cherry Date: Tue, 28 Mar 2017 13:24:56 -0700 Subject: update_verifier: raise priority and ioprio and start with exec_start Raise the priority and ioprio of update_verifier and launch with exec_start. This saves ~100ms of time before `class_start main` is executed. Bug: 36511808 Bug: 36102163 Test: Boot bullhead Test: Verify boottime decrease on sailfish Change-Id: I944a6c0d4368ead5b99171f49142da2523ed1bdd --- update_verifier/Android.mk | 2 ++ update_verifier/update_verifier.rc | 11 +++++++++++ 2 files changed, 13 insertions(+) create mode 100644 update_verifier/update_verifier.rc (limited to 'update_verifier') diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk index c1051a54a..1acd5eca0 100644 --- a/update_verifier/Android.mk +++ b/update_verifier/Android.mk @@ -32,6 +32,8 @@ LOCAL_SHARED_LIBRARIES := \ LOCAL_CFLAGS := -Werror LOCAL_C_INCLUDES += $(LOCAL_PATH)/.. +LOCAL_INIT_RC := update_verifier.rc + ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true) LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1 endif diff --git a/update_verifier/update_verifier.rc b/update_verifier/update_verifier.rc new file mode 100644 index 000000000..fc8a64dee --- /dev/null +++ b/update_verifier/update_verifier.rc @@ -0,0 +1,11 @@ +service update_verifier_nonencrypted /system/bin/update_verifier nonencrypted + user root + class cache + priority -20 + ioprio rt 1 + +service update_verifier /system/bin/update_verifier ${vold.decrypt} + user root + class cache + priority -20 + ioprio rt 1 \ No newline at end of file -- cgit v1.2.3 From 3958a95f54f3039da80394911f64e5a4857f219d Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Wed, 1 Mar 2017 15:31:25 -0800 Subject: Update_verifier should read blocks in EIO mode Update_verifier will reboot the device if it fails to read some blocks on the care_map when veritymode=eio. Also make some partition name changes to match the care_map.txt. Test: Update_verifier reboots the device after read failures in eio mode. Change-Id: Icf68e6151dee72f626a9ab72946100cf482a4e6c --- update_verifier/update_verifier.cpp | 59 +++++++++++++++++++++---------------- 1 file changed, 33 insertions(+), 26 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index 83b1c46c4..72b6dccc5 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -19,9 +19,14 @@ * update. It gets invoked by init, and will only perform the verification if * it's the first boot post an A/B OTA update. * - * It relies on dm-verity to capture any corruption on the partitions being - * verified. dm-verity must be in enforcing mode, so that it will reboot the - * device on dm-verity failures. When that happens, the bootloader should + * Update_verifier relies on dm-verity to capture any corruption on the partitions + * being verified. And its behavior varies depending on the dm-verity mode. + * Upon detection of failures: + * enforcing mode: dm-verity reboots the device + * eio mode: dm-verity fails the read and update_verifier reboots the device + * other mode: not supported and update_verifier reboots the device + * + * After a predefined number of failing boot attempts, the bootloader should * mark the slot as unbootable and stops trying. Other dm-verity modes ( * for example, veritymode=EIO) are not accepted and simply lead to a * verification failure. @@ -35,6 +40,7 @@ #include #include #include +#include #include #include @@ -46,6 +52,7 @@ #include #include #include +#include using android::sp; using android::hardware::boot::V1_0::IBootControl; @@ -66,18 +73,9 @@ static int dm_name_filter(const dirent* de) { return 0; } -static bool read_blocks(const std::string& blk_device, const std::string& range_str) { - // Parse the partition in the end of the block_device string. - // Here is one example: "/dev/block/bootdevice/by-name/system" - std::string partition; - if (android::base::EndsWith(blk_device, "system")) { - partition = "system"; - } else if (android::base::EndsWith(blk_device, "vendor")) { - partition = "vendor"; - } else { - LOG(ERROR) << "Failed to parse partition string in " << blk_device; - return false; - } +static bool read_blocks(const std::string& partition, const std::string& range_str) { + CHECK(partition == "system" || partition == "vendor") + << "partition name should be system or vendor" << partition; // Iterate the content of "/sys/block/dm-X/dm/name". If it matches "system" // (or "vendor"), then dm-X is a dm-wrapped system/vendor partition. @@ -172,7 +170,7 @@ static bool verify_image(const std::string& care_map_name) { return true; } // Care map file has four lines (two lines if vendor partition is not present): - // First line has the block device name, e.g./dev/block/.../by-name/system. + // First line has the block partition name (system/vendor). // Second line holds all ranges of blocks to verify. // The next two lines have the same format but for vendor partition. std::string file_content; @@ -198,6 +196,14 @@ static bool verify_image(const std::string& care_map_name) { return true; } +static int reboot_device() { + if (android_reboot(ANDROID_RB_RESTART2, 0, nullptr) == -1) { + LOG(ERROR) << "Failed to reboot."; + return -1; + } + while (true) pause(); +} + int main(int argc, char** argv) { for (int i = 1; i < argc; i++) { LOG(INFO) << "Started with arg " << i << ": " << argv[i]; @@ -206,7 +212,7 @@ int main(int argc, char** argv) { sp module = IBootControl::getService(); if (module == nullptr) { LOG(ERROR) << "Error getting bootctrl module."; - return -1; + return reboot_device(); } uint32_t current_slot = module->getCurrentSlot(); @@ -221,18 +227,19 @@ int main(int argc, char** argv) { std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", ""); if (verity_mode.empty()) { LOG(ERROR) << "Failed to get dm-verity mode."; - return -1; + return reboot_device(); } else if (android::base::EqualsIgnoreCase(verity_mode, "eio")) { - // We shouldn't see verity in EIO mode if the current slot hasn't booted - // successfully before. Therefore, fail the verification when veritymode=eio. - LOG(ERROR) << "Found dm-verity in EIO mode, skip verification."; - return -1; + // We shouldn't see verity in EIO mode if the current slot hasn't booted successfully before. + // Continue the verification until we fail to read some blocks. + LOG(WARNING) << "Found dm-verity in EIO mode."; } else if (verity_mode != "enforcing") { LOG(ERROR) << "Unexpected dm-verity mode : " << verity_mode << ", expecting enforcing."; - return -1; - } else if (!verify_image(CARE_MAP_FILE)) { + return reboot_device(); + } + + if (!verify_image(CARE_MAP_FILE)) { LOG(ERROR) << "Failed to verify all blocks in care map file."; - return -1; + return reboot_device(); } #else LOG(WARNING) << "dm-verity not enabled; marking without verification."; @@ -242,7 +249,7 @@ int main(int argc, char** argv) { module->markBootSuccessful([&cr](CommandResult result) { cr = result; }); if (!cr.success) { LOG(ERROR) << "Error marking booted successfully: " << cr.errMsg; - return -1; + return reboot_device(); } LOG(INFO) << "Marked slot " << current_slot << " as booted successfully."; } -- cgit v1.2.3 From 5a176c0d3c9a1d02046513da83076b8601fb691a Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Fri, 31 Mar 2017 16:36:12 -0700 Subject: Use regular check for partition name instead of CHECK() Bug: 36260064 Test: Device reboots for invalid care_map. Change-Id: Id614f0d118fc2b9d9abf24918aa4b4324f4c94e1 --- update_verifier/update_verifier.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index 72b6dccc5..59f136c90 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -74,9 +74,10 @@ static int dm_name_filter(const dirent* de) { } static bool read_blocks(const std::string& partition, const std::string& range_str) { - CHECK(partition == "system" || partition == "vendor") - << "partition name should be system or vendor" << partition; - + if (partition != "system" && partition != "vendor") { + LOG(ERROR) << "partition name must be system or vendor: " << partition; + return false; + } // Iterate the content of "/sys/block/dm-X/dm/name". If it matches "system" // (or "vendor"), then dm-X is a dm-wrapped system/vendor partition. // Afterwards, update_verifier will read every block on the care_map_file of -- cgit v1.2.3 From a015cd1d7a3af5d9c06622e00be47fee52ba4b02 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Mon, 3 Apr 2017 13:53:49 -0700 Subject: update_verifier: tweak priority of update_verifier for quick boot Highest ioprio is 0 for CFQ and we should run update_verifier with that. Tested on device and showing boottime decreased. Bug: 36511808 Bug: 36102163 Test: Boot marlin Change-Id: Iddd925951d976e21014b61e5590bcdae3cea8470 --- update_verifier/update_verifier.rc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.rc b/update_verifier/update_verifier.rc index fc8a64dee..8b60c3ffd 100644 --- a/update_verifier/update_verifier.rc +++ b/update_verifier/update_verifier.rc @@ -2,10 +2,10 @@ service update_verifier_nonencrypted /system/bin/update_verifier nonencrypted user root class cache priority -20 - ioprio rt 1 + ioprio rt 0 service update_verifier /system/bin/update_verifier ${vold.decrypt} user root class cache priority -20 - ioprio rt 1 \ No newline at end of file + ioprio rt 0 -- cgit v1.2.3 From 3a8002f8c0382894b65ea3cece784287a75c7881 Mon Sep 17 00:00:00 2001 From: Tom Cherry Date: Fri, 31 Mar 2017 17:17:34 -0700 Subject: update_verifier: correct group in rc file update_verifier should be in the cache group, not 'class'. Also use PLOG instead of LOG if care_map.txt cannot be opened. Bug: 36818743 Test: boot sailfish Test: fake OTA on sailfish and verify update_verifier reads care_package Change-Id: I0ec844cac5ef5c63b18ebee90160854fd84ee829 --- update_verifier/update_verifier.cpp | 2 +- update_verifier/update_verifier.rc | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index 59f136c90..350020f13 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -167,7 +167,7 @@ static bool verify_image(const std::string& care_map_name) { // in /data/ota_package. To allow the device to continue booting in this situation, // we should print a warning and skip the block verification. if (care_map_fd.get() == -1) { - LOG(WARNING) << "Warning: care map " << care_map_name << " not found."; + PLOG(WARNING) << "Failed to open " << care_map_name; return true; } // Care map file has four lines (two lines if vendor partition is not present): diff --git a/update_verifier/update_verifier.rc b/update_verifier/update_verifier.rc index fc8a64dee..75cfeb28d 100644 --- a/update_verifier/update_verifier.rc +++ b/update_verifier/update_verifier.rc @@ -1,11 +1,11 @@ service update_verifier_nonencrypted /system/bin/update_verifier nonencrypted user root - class cache + group cache priority -20 ioprio rt 1 service update_verifier /system/bin/update_verifier ${vold.decrypt} user root - class cache + group cache priority -20 ioprio rt 1 \ No newline at end of file -- cgit v1.2.3 From 0ad2de5eab12dbf63ad43bd0c3e5ef729984cf81 Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Tue, 18 Apr 2017 11:29:32 -0700 Subject: Add 'system' to update_verifier's gid This addresses the denial to /dev/cpuset/tasks: update_verifier: type=1400 audit(0.0:377): avc: denied { dac_override } for capability=1 scontext=u:r:update_verifier:s0 tcontext=u:r:update_verifier:s0 tclass=capability permissive=1 update_verifier: type=1400 audit(0.0:378): avc: granted { write } for name="tasks" dev="cgroup" ino=5 scontext=u:r:update_verifier:s0 tcontext=u:object_r:cgroup:s0 tclass=file Bug: 37358323 Test: denial message gone after adding system group Change-Id: I66b4925295a13fbc1c6f26a1bb9bd2f9cebcec3d --- update_verifier/update_verifier.rc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.rc b/update_verifier/update_verifier.rc index 808f2c055..862b06257 100644 --- a/update_verifier/update_verifier.rc +++ b/update_verifier/update_verifier.rc @@ -1,11 +1,11 @@ service update_verifier_nonencrypted /system/bin/update_verifier nonencrypted user root - group cache + group cache system priority -20 ioprio rt 0 service update_verifier /system/bin/update_verifier ${vold.decrypt} user root - group cache + group cache system priority -20 ioprio rt 0 -- cgit v1.2.3 From 83b0780dddcaddd661ac48f277f51f7cb6ac13f6 Mon Sep 17 00:00:00 2001 From: Tao Bao Date: Wed, 26 Apr 2017 14:30:56 -0700 Subject: Separate libupdate_verifier module and add testcases. Enable -Wall and expose verify_image() for testing purpose. Test: mmma bootable/recovery Test: recovery_component_test Change-Id: I1ee1db2a775bafdc1112e25a1bc7194d8d6aee4f --- update_verifier/Android.mk | 42 +++++++++++++++++----- .../include/update_verifier/update_verifier.h | 24 +++++++++++++ update_verifier/update_verifier.cpp | 17 ++++----- update_verifier/update_verifier_main.cpp | 23 ++++++++++++ 4 files changed, 90 insertions(+), 16 deletions(-) create mode 100644 update_verifier/include/update_verifier/update_verifier.h create mode 100644 update_verifier/update_verifier_main.cpp (limited to 'update_verifier') diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk index 1acd5eca0..37d9bfed3 100644 --- a/update_verifier/Android.mk +++ b/update_verifier/Android.mk @@ -14,12 +14,43 @@ LOCAL_PATH := $(call my-dir) +# libupdate_verifier (static library) +# =============================== include $(CLEAR_VARS) -LOCAL_CLANG := true -LOCAL_SRC_FILES := update_verifier.cpp +LOCAL_SRC_FILES := \ + update_verifier.cpp + +LOCAL_MODULE := libupdate_verifier +LOCAL_SHARED_LIBRARIES := \ + libbase \ + libcutils \ + android.hardware.boot@1.0 + +LOCAL_CFLAGS := -Wall -Werror + +LOCAL_EXPORT_C_INCLUDE_DIRS := \ + $(LOCAL_PATH)/include + +LOCAL_C_INCLUDES := \ + $(LOCAL_PATH)/include + +ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true) +LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1 +endif + +include $(BUILD_STATIC_LIBRARY) + +# update_verifier (executable) +# =============================== +include $(CLEAR_VARS) + +LOCAL_SRC_FILES := \ + update_verifier_main.cpp LOCAL_MODULE := update_verifier +LOCAL_STATIC_LIBRARIES := \ + libupdate_verifier LOCAL_SHARED_LIBRARIES := \ libbase \ libcutils \ @@ -29,13 +60,8 @@ LOCAL_SHARED_LIBRARIES := \ libhidlbase \ android.hardware.boot@1.0 -LOCAL_CFLAGS := -Werror -LOCAL_C_INCLUDES += $(LOCAL_PATH)/.. +LOCAL_CFLAGS := -Wall -Werror LOCAL_INIT_RC := update_verifier.rc -ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true) - LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1 -endif - include $(BUILD_EXECUTABLE) diff --git a/update_verifier/include/update_verifier/update_verifier.h b/update_verifier/include/update_verifier/update_verifier.h new file mode 100644 index 000000000..16b394e98 --- /dev/null +++ b/update_verifier/include/update_verifier/update_verifier.h @@ -0,0 +1,24 @@ +/* + * Copyright (C) 2017 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include + +int update_verifier(int argc, char** argv); + +// Exposed for testing purpose. +bool verify_image(const std::string& care_map_name); diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index 350020f13..1950cbd83 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -35,6 +35,8 @@ * verifier reaches the end after the verification. */ +#include "update_verifier/update_verifier.h" + #include #include #include @@ -59,12 +61,6 @@ using android::hardware::boot::V1_0::IBootControl; using android::hardware::boot::V1_0::BoolResult; using android::hardware::boot::V1_0::CommandResult; -constexpr auto CARE_MAP_FILE = "/data/ota_package/care_map.txt"; -constexpr auto DM_PATH_PREFIX = "/sys/block/"; -constexpr auto DM_PATH_SUFFIX = "/dm/name"; -constexpr auto DEV_PATH = "/dev/block/"; -constexpr int BLOCKSIZE = 4096; - // Find directories in format of "/sys/block/dm-X". static int dm_name_filter(const dirent* de) { if (android::base::StartsWith(de->d_name, "dm-")) { @@ -82,6 +78,7 @@ static bool read_blocks(const std::string& partition, const std::string& range_s // (or "vendor"), then dm-X is a dm-wrapped system/vendor partition. // Afterwards, update_verifier will read every block on the care_map_file of // "/dev/block/dm-X" to ensure the partition's integrity. + static constexpr auto DM_PATH_PREFIX = "/sys/block/"; dirent** namelist; int n = scandir(DM_PATH_PREFIX, &namelist, dm_name_filter, alphasort); if (n == -1) { @@ -93,6 +90,8 @@ static bool read_blocks(const std::string& partition, const std::string& range_s return false; } + static constexpr auto DM_PATH_SUFFIX = "/dm/name"; + static constexpr auto DEV_PATH = "/dev/block/"; std::string dm_block_device; while (n--) { std::string path = DM_PATH_PREFIX + std::string(namelist[n]->d_name) + DM_PATH_SUFFIX; @@ -143,6 +142,7 @@ static bool read_blocks(const std::string& partition, const std::string& range_s return false; } + static constexpr int BLOCKSIZE = 4096; if (lseek64(fd.get(), static_cast(range_start) * BLOCKSIZE, SEEK_SET) == -1) { PLOG(ERROR) << "lseek to " << range_start << " failed"; return false; @@ -161,7 +161,7 @@ static bool read_blocks(const std::string& partition, const std::string& range_s return true; } -static bool verify_image(const std::string& care_map_name) { +bool verify_image(const std::string& care_map_name) { android::base::unique_fd care_map_fd(TEMP_FAILURE_RETRY(open(care_map_name.c_str(), O_RDONLY))); // If the device is flashed before the current boot, it may not have care_map.txt // in /data/ota_package. To allow the device to continue booting in this situation, @@ -205,7 +205,7 @@ static int reboot_device() { while (true) pause(); } -int main(int argc, char** argv) { +int update_verifier(int argc, char** argv) { for (int i = 1; i < argc; i++) { LOG(INFO) << "Started with arg " << i << ": " << argv[i]; } @@ -238,6 +238,7 @@ int main(int argc, char** argv) { return reboot_device(); } + static constexpr auto CARE_MAP_FILE = "/data/ota_package/care_map.txt"; if (!verify_image(CARE_MAP_FILE)) { LOG(ERROR) << "Failed to verify all blocks in care map file."; return reboot_device(); diff --git a/update_verifier/update_verifier_main.cpp b/update_verifier/update_verifier_main.cpp new file mode 100644 index 000000000..46e8bbb59 --- /dev/null +++ b/update_verifier/update_verifier_main.cpp @@ -0,0 +1,23 @@ +/* + * Copyright (C) 2017 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// See the comments in update_verifier.cpp. + +#include "update_verifier/update_verifier.h" + +int main(int argc, char** argv) { + return update_verifier(argc, argv); +} -- cgit v1.2.3 From 8fa8f0b16c0dc03c2d841405dfb02a707c08d5b0 Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Thu, 27 Apr 2017 11:47:35 -0700 Subject: Fix potential OOM in update_verifier Limit the size of each read to 1024 * BLOCKSIZE. (Same as the I/O limit of each transfer command for block based OTA). Bug: 37729708 Test: U_V sets slot successfully on sailfish, and it takes about ~20s (no noticeable time increase) Change-Id: I7a6cdc744fe4c0760e09e0afed75b89c16d8eac3 --- update_verifier/update_verifier.cpp | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index 1950cbd83..fdbcfde56 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -44,6 +44,7 @@ #include #include +#include #include #include @@ -142,17 +143,21 @@ static bool read_blocks(const std::string& partition, const std::string& range_s return false; } - static constexpr int BLOCKSIZE = 4096; + static constexpr size_t BLOCKSIZE = 4096; if (lseek64(fd.get(), static_cast(range_start) * BLOCKSIZE, SEEK_SET) == -1) { PLOG(ERROR) << "lseek to " << range_start << " failed"; return false; } - size_t size = (range_end - range_start) * BLOCKSIZE; - std::vector buf(size); - if (!android::base::ReadFully(fd.get(), buf.data(), size)) { - PLOG(ERROR) << "Failed to read blocks " << range_start << " to " << range_end; - return false; + size_t remain = (range_end - range_start) * BLOCKSIZE; + while (remain > 0) { + size_t to_read = std::min(remain, 1024 * BLOCKSIZE); + std::vector buf(to_read); + if (!android::base::ReadFully(fd.get(), buf.data(), to_read)) { + PLOG(ERROR) << "Failed to read blocks " << range_start << " to " << range_end; + return false; + } + remain -= to_read; } blk_count += (range_end - range_start); } -- cgit v1.2.3 From 8ed9738b62b075205a81489b01ec882520da183a Mon Sep 17 00:00:00 2001 From: David Zeuthen Date: Mon, 8 May 2017 13:41:28 -0400 Subject: update_verifier: Support AVB. When using AVB, PRODUCT_SUPPORTS_VERITY is not set so check for BOARD_ENABLE_AVB as well. Also AVB sets up the root filesystem as 'vroot' so map that to 'system' since this is what is expected. Managed to test at least that the code is at least compiled in: $ fastboot --set-active=_a Setting current slot to 'a'... OKAY [ 0.023s] finished. total time: 0.023s $ fastboot reboot rebooting... finished. total time: 0.050s $ adb wait-for-device $ adb logcat |grep update_verifier 03-04 05:28:56.773 630 630 I /system/bin/update_verifier: Started with arg 1: nonencrypted 03-04 05:28:56.776 630 630 I /system/bin/update_verifier: Booting slot 0: isSlotMarkedSuccessful=0 03-04 05:28:56.776 630 630 W /system/bin/update_verifier: Failed to open /data/ota_package/care_map.txt: No such file or directory 03-04 05:28:56.788 630 630 I /system/bin/update_verifier: Marked slot 0 as booted successfully. 03-04 05:28:56.788 630 630 I /system/bin/update_verifier: Leaving update_verifier. Bug: None Test: Manually tested on device using AVB bootloader. Change-Id: I13c0fe1cc5d0f397e36f5e62fcc05c8dfee5fd85 --- update_verifier/Android.mk | 4 ++++ update_verifier/update_verifier.cpp | 21 +++++++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk index 37d9bfed3..33c5fe9e7 100644 --- a/update_verifier/Android.mk +++ b/update_verifier/Android.mk @@ -39,6 +39,10 @@ ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true) LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1 endif +ifeq ($(BOARD_AVB_ENABLE),true) +LOCAL_CFLAGS += -DBOARD_AVB_ENABLE=1 +endif + include $(BUILD_STATIC_LIBRARY) # update_verifier (executable) diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index fdbcfde56..d3a5185b8 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -99,12 +99,21 @@ static bool read_blocks(const std::string& partition, const std::string& range_s std::string content; if (!android::base::ReadFileToString(path, &content)) { PLOG(WARNING) << "Failed to read " << path; - } else if (android::base::Trim(content) == partition) { - dm_block_device = DEV_PATH + std::string(namelist[n]->d_name); - while (n--) { - free(namelist[n]); + } else { + std::string dm_block_name = android::base::Trim(content); +#ifdef BOARD_AVB_ENABLE + // AVB is using 'vroot' for the root block device but we're expecting 'system'. + if (dm_block_name == "vroot") { + dm_block_name = "system"; + } +#endif + if (dm_block_name == partition) { + dm_block_device = DEV_PATH + std::string(namelist[n]->d_name); + while (n--) { + free(namelist[n]); + } + break; } - break; } free(namelist[n]); } @@ -229,7 +238,7 @@ int update_verifier(int argc, char** argv) { if (is_successful == BoolResult::FALSE) { // The current slot has not booted successfully. -#ifdef PRODUCT_SUPPORTS_VERITY +#if defined(PRODUCT_SUPPORTS_VERITY) || defined(BOARD_AVB_ENABLE) std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", ""); if (verity_mode.empty()) { LOG(ERROR) << "Failed to get dm-verity mode."; -- cgit v1.2.3 From 336cbce2526e4ce6990aed5b98d39814e6456ea2 Mon Sep 17 00:00:00 2001 From: David Zeuthen Date: Mon, 8 May 2017 13:41:28 -0400 Subject: update_verifier: Support AVB. When using AVB, PRODUCT_SUPPORTS_VERITY is not set so check for BOARD_ENABLE_AVB as well. Also AVB sets up the root filesystem as 'vroot' so map that to 'system' since this is what is expected. Managed to test at least that the code is at least compiled in: $ fastboot --set-active=_a Setting current slot to 'a'... OKAY [ 0.023s] finished. total time: 0.023s $ fastboot reboot rebooting... finished. total time: 0.050s $ adb wait-for-device $ adb logcat |grep update_verifier 03-04 05:28:56.773 630 630 I /system/bin/update_verifier: Started with arg 1: nonencrypted 03-04 05:28:56.776 630 630 I /system/bin/update_verifier: Booting slot 0: isSlotMarkedSuccessful=0 03-04 05:28:56.776 630 630 W /system/bin/update_verifier: Failed to open /data/ota_package/care_map.txt: No such file or directory 03-04 05:28:56.788 630 630 I /system/bin/update_verifier: Marked slot 0 as booted successfully. 03-04 05:28:56.788 630 630 I /system/bin/update_verifier: Leaving update_verifier. Bug: 62464819 Test: Manually tested on device using AVB bootloader. Merged-In: I13c0fe1cc5d0f397e36f5e62fcc05c8dfee5fd85 Change-Id: I2834b17688053411e7b904e31df9c83bf904cd56 --- update_verifier/Android.mk | 4 ++++ update_verifier/update_verifier.cpp | 21 +++++++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk index 37d9bfed3..33c5fe9e7 100644 --- a/update_verifier/Android.mk +++ b/update_verifier/Android.mk @@ -39,6 +39,10 @@ ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true) LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1 endif +ifeq ($(BOARD_AVB_ENABLE),true) +LOCAL_CFLAGS += -DBOARD_AVB_ENABLE=1 +endif + include $(BUILD_STATIC_LIBRARY) # update_verifier (executable) diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index fdbcfde56..d3a5185b8 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -99,12 +99,21 @@ static bool read_blocks(const std::string& partition, const std::string& range_s std::string content; if (!android::base::ReadFileToString(path, &content)) { PLOG(WARNING) << "Failed to read " << path; - } else if (android::base::Trim(content) == partition) { - dm_block_device = DEV_PATH + std::string(namelist[n]->d_name); - while (n--) { - free(namelist[n]); + } else { + std::string dm_block_name = android::base::Trim(content); +#ifdef BOARD_AVB_ENABLE + // AVB is using 'vroot' for the root block device but we're expecting 'system'. + if (dm_block_name == "vroot") { + dm_block_name = "system"; + } +#endif + if (dm_block_name == partition) { + dm_block_device = DEV_PATH + std::string(namelist[n]->d_name); + while (n--) { + free(namelist[n]); + } + break; } - break; } free(namelist[n]); } @@ -229,7 +238,7 @@ int update_verifier(int argc, char** argv) { if (is_successful == BoolResult::FALSE) { // The current slot has not booted successfully. -#ifdef PRODUCT_SUPPORTS_VERITY +#if defined(PRODUCT_SUPPORTS_VERITY) || defined(BOARD_AVB_ENABLE) std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", ""); if (verity_mode.empty()) { LOG(ERROR) << "Failed to get dm-verity mode."; -- cgit v1.2.3 From 5fb9f532f00ffc885c7415c6dc48c4deed20a219 Mon Sep 17 00:00:00 2001 From: Tao Bao Date: Fri, 21 Jul 2017 15:15:31 -0700 Subject: update_verifier: Handle legacy care_map.txt gracefully. update_verifier should be backward compatible to not reject legacy care_map.txt from old releases, which could otherwise fail to boot into the new release. For example, we've changed the care_map format between N and O. An O update_verifier would fail to work with an N care_map.txt - a) we have switched update_verifier to read from device mapper in O; b) the last few blocks that contain metadata can't be read via device mapper. This could be a result of sideloading an O OTA while the device having a pending N update. Bug: 63544345 Test: As follows on sailfish: 1. Flash the device with this CL; 2. Put a copy of N care_map.txt at /data/ota_package/. Restore the permissions properly ('cache' group); 3. `adb reboot bootloader`; 4. `fastboot set_active ` 5. Device boots up into home screen, with a warning in logcat that says it has skipped legacy care_map.txt. Change-Id: I6acc88c9e655a9245e6531f176fef7953953935f (cherry picked from commit 5a1dee01df3af346729b5791606b72d59b8e9815) --- update_verifier/update_verifier.cpp | 71 ++++++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 29 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index d3a5185b8..b49011a12 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -175,40 +175,53 @@ static bool read_blocks(const std::string& partition, const std::string& range_s return true; } +// Returns true to indicate a passing verification (or the error should be ignored); Otherwise +// returns false on fatal errors, where we should reject the current boot and trigger a fallback. +// Note that update_verifier should be backward compatible to not reject care_map.txt from old +// releases, which could otherwise fail to boot into the new release. For example, we've changed +// the care_map format between N and O. An O update_verifier would fail to work with N +// care_map.txt. This could be a result of sideloading an O OTA while the device having a pending N +// update. bool verify_image(const std::string& care_map_name) { - android::base::unique_fd care_map_fd(TEMP_FAILURE_RETRY(open(care_map_name.c_str(), O_RDONLY))); - // If the device is flashed before the current boot, it may not have care_map.txt - // in /data/ota_package. To allow the device to continue booting in this situation, - // we should print a warning and skip the block verification. - if (care_map_fd.get() == -1) { - PLOG(WARNING) << "Failed to open " << care_map_name; - return true; - } - // Care map file has four lines (two lines if vendor partition is not present): - // First line has the block partition name (system/vendor). - // Second line holds all ranges of blocks to verify. - // The next two lines have the same format but for vendor partition. - std::string file_content; - if (!android::base::ReadFdToString(care_map_fd.get(), &file_content)) { - LOG(ERROR) << "Error reading care map contents to string."; - return false; - } + android::base::unique_fd care_map_fd(TEMP_FAILURE_RETRY(open(care_map_name.c_str(), O_RDONLY))); + // If the device is flashed before the current boot, it may not have care_map.txt + // in /data/ota_package. To allow the device to continue booting in this situation, + // we should print a warning and skip the block verification. + if (care_map_fd.get() == -1) { + PLOG(WARNING) << "Failed to open " << care_map_name; + return true; + } + // Care map file has four lines (two lines if vendor partition is not present): + // First line has the block partition name (system/vendor). + // Second line holds all ranges of blocks to verify. + // The next two lines have the same format but for vendor partition. + std::string file_content; + if (!android::base::ReadFdToString(care_map_fd.get(), &file_content)) { + LOG(ERROR) << "Error reading care map contents to string."; + return false; + } - std::vector lines; - lines = android::base::Split(android::base::Trim(file_content), "\n"); - if (lines.size() != 2 && lines.size() != 4) { - LOG(ERROR) << "Invalid lines in care_map: found " << lines.size() - << " lines, expecting 2 or 4 lines."; - return false; - } + std::vector lines; + lines = android::base::Split(android::base::Trim(file_content), "\n"); + if (lines.size() != 2 && lines.size() != 4) { + LOG(ERROR) << "Invalid lines in care_map: found " << lines.size() + << " lines, expecting 2 or 4 lines."; + return false; + } - for (size_t i = 0; i < lines.size(); i += 2) { - if (!read_blocks(lines[i], lines[i+1])) { - return false; - } + for (size_t i = 0; i < lines.size(); i += 2) { + // We're seeing an N care_map.txt. Skip the verification since it's not compatible with O + // update_verifier (the last few metadata blocks can't be read via device mapper). + if (android::base::StartsWith(lines[i], "/dev/block/")) { + LOG(WARNING) << "Found legacy care_map.txt; skipped."; + return true; + } + if (!read_blocks(lines[i], lines[i+1])) { + return false; } + } - return true; + return true; } static int reboot_device() { -- cgit v1.2.3 From 3222dc0d76ca0f19795df2aad417dec2293b7242 Mon Sep 17 00:00:00 2001 From: David Zeuthen Date: Mon, 7 Aug 2017 18:47:27 -0400 Subject: update_verifier: Support androidboot.veritymode being empty or 'disabled'. Bootloaders using libavb will set androidboot.veritymode=disabled if the "disable dm-verity" flag has been set. Additionally if the "disable verification" flag is set androidboot.veritymode will not be set at all. Handle both cases. Without this fix we'll end up in a bootloop. Test: Manually tested on a device using AVB. (cherry-picked from commit 1a0929cc8aac532dba00b3c98cea22715719a421) Bug: 64404283 Change-Id: I3adf93f8dfd528fe9b869a63afa775f5730a3f69 --- update_verifier/update_verifier.cpp | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index d3a5185b8..48242a5d0 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -239,23 +239,36 @@ int update_verifier(int argc, char** argv) { // The current slot has not booted successfully. #if defined(PRODUCT_SUPPORTS_VERITY) || defined(BOARD_AVB_ENABLE) + bool skip_verification = false; std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", ""); if (verity_mode.empty()) { + // With AVB it's possible to disable verification entirely and + // in this case ro.boot.veritymode is empty. +#if defined(BOARD_AVB_ENABLE) + LOG(WARNING) << "verification has been disabled; marking without verification."; + skip_verification = true; +#else LOG(ERROR) << "Failed to get dm-verity mode."; return reboot_device(); +#endif } else if (android::base::EqualsIgnoreCase(verity_mode, "eio")) { // We shouldn't see verity in EIO mode if the current slot hasn't booted successfully before. // Continue the verification until we fail to read some blocks. LOG(WARNING) << "Found dm-verity in EIO mode."; + } else if (android::base::EqualsIgnoreCase(verity_mode, "disabled")) { + LOG(WARNING) << "dm-verity in disabled mode; marking without verification."; + skip_verification = true; } else if (verity_mode != "enforcing") { LOG(ERROR) << "Unexpected dm-verity mode : " << verity_mode << ", expecting enforcing."; return reboot_device(); } - static constexpr auto CARE_MAP_FILE = "/data/ota_package/care_map.txt"; - if (!verify_image(CARE_MAP_FILE)) { - LOG(ERROR) << "Failed to verify all blocks in care map file."; - return reboot_device(); + if (!skip_verification) { + static constexpr auto CARE_MAP_FILE = "/data/ota_package/care_map.txt"; + if (!verify_image(CARE_MAP_FILE)) { + LOG(ERROR) << "Failed to verify all blocks in care map file."; + return reboot_device(); + } } #else LOG(WARNING) << "dm-verity not enabled; marking without verification."; -- cgit v1.2.3 From bd9664b5a01c8941949212973ca12be4df1b5d54 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 2 Aug 2017 10:27:31 -0700 Subject: update_verifier: verify blocks in parallel This CL is to change update_verifier to verify blocks in parallel to maximize storage bandwidth, it also preallocate the buffer to avoid vector allocation within reading loop. Test: care_map.txt: system 16,0,517,556,32770,33084,98306,98620,163842,164156,229378,229692,294914,295228,483544,524288,524296 vendor 8,0,119,135,32770,32831,96150,98304,98306 With CL: init: Service 'update_verifier_nonencrypted' (pid 711) exited with status 0 waiting took 2.978424 seconds Without CL: init: Service 'update_verifier_nonencrypted' (pid 695) exited with status 0 waiting took 4.466320 seconds Bug: 63686531 Test: reboot with manual insert care_map.txt Change-Id: Idf791865f15f6ff6cad89bf7ff230ee46c6adccc --- update_verifier/update_verifier.cpp | 82 +++++++++++++++++++++++-------------- 1 file changed, 51 insertions(+), 31 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index b49011a12..ceb3ec948 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -45,6 +45,7 @@ #include #include +#include #include #include @@ -123,11 +124,6 @@ static bool read_blocks(const std::string& partition, const std::string& range_s LOG(ERROR) << "Failed to find dm block device for " << partition; return false; } - android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(dm_block_device.c_str(), O_RDONLY))); - if (fd.get() == -1) { - PLOG(ERROR) << "Error reading " << dm_block_device << " for partition " << partition; - return false; - } // For block range string, first integer 'count' equals 2 * total number of valid ranges, // followed by 'count' number comma separated integers. Every two integers reprensent a @@ -142,37 +138,61 @@ static bool read_blocks(const std::string& partition, const std::string& range_s return false; } - size_t blk_count = 0; - for (size_t i = 1; i < ranges.size(); i += 2) { - unsigned int range_start, range_end; - bool parse_status = android::base::ParseUint(ranges[i], &range_start); - parse_status = parse_status && android::base::ParseUint(ranges[i + 1], &range_end); - if (!parse_status || range_start >= range_end) { - LOG(ERROR) << "Invalid range pair " << ranges[i] << ", " << ranges[i + 1]; - return false; - } - - static constexpr size_t BLOCKSIZE = 4096; - if (lseek64(fd.get(), static_cast(range_start) * BLOCKSIZE, SEEK_SET) == -1) { - PLOG(ERROR) << "lseek to " << range_start << " failed"; - return false; - } + std::vector> threads; + size_t thread_num = std::thread::hardware_concurrency() ?: 4; + thread_num = std::min(thread_num, range_count / 2); + size_t group_range_count = range_count / thread_num; - size_t remain = (range_end - range_start) * BLOCKSIZE; - while (remain > 0) { - size_t to_read = std::min(remain, 1024 * BLOCKSIZE); - std::vector buf(to_read); - if (!android::base::ReadFully(fd.get(), buf.data(), to_read)) { - PLOG(ERROR) << "Failed to read blocks " << range_start << " to " << range_end; + for (size_t t = 0; t < thread_num; t++) { + auto thread_func = [t, group_range_count, &dm_block_device, &ranges, &partition]() { + size_t blk_count = 0; + static constexpr size_t kBlockSize = 4096; + std::vector buf(1024 * kBlockSize); + android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(dm_block_device.c_str(), O_RDONLY))); + if (fd.get() == -1) { + PLOG(ERROR) << "Error reading " << dm_block_device << " for partition " << partition; return false; } - remain -= to_read; - } - blk_count += (range_end - range_start); + + for (size_t i = 1 + group_range_count * t; i < group_range_count * (t + 1) + 1; i += 2) { + unsigned int range_start, range_end; + bool parse_status = android::base::ParseUint(ranges[i], &range_start); + parse_status = parse_status && android::base::ParseUint(ranges[i + 1], &range_end); + if (!parse_status || range_start >= range_end) { + LOG(ERROR) << "Invalid range pair " << ranges[i] << ", " << ranges[i + 1]; + return false; + } + + if (lseek64(fd.get(), static_cast(range_start) * kBlockSize, SEEK_SET) == -1) { + PLOG(ERROR) << "lseek to " << range_start << " failed"; + return false; + } + + size_t remain = (range_end - range_start) * kBlockSize; + while (remain > 0) { + size_t to_read = std::min(remain, 1024 * kBlockSize); + if (!android::base::ReadFully(fd.get(), buf.data(), to_read)) { + PLOG(ERROR) << "Failed to read blocks " << range_start << " to " << range_end; + return false; + } + remain -= to_read; + } + blk_count += (range_end - range_start); + } + LOG(INFO) << "Finished reading " << blk_count << " blocks on " << dm_block_device; + return true; + }; + + threads.emplace_back(std::async(std::launch::async, thread_func)); } - LOG(INFO) << "Finished reading " << blk_count << " blocks on " << dm_block_device; - return true; + bool ret = true; + for (auto& t : threads) { + ret = t.get() && ret; + } + LOG(INFO) << "Finished reading blocks on " << dm_block_device << " with " << thread_num + << " threads."; + return ret; } // Returns true to indicate a passing verification (or the error should be ignored); Otherwise -- cgit v1.2.3 From ba30867b0174463bebefc92198ee24ec9e4bdfa3 Mon Sep 17 00:00:00 2001 From: Tao Bao Date: Fri, 27 Oct 2017 23:39:45 -0700 Subject: update_verifier: Fix the wrong computation with group_range_count. 'group_range_count' doesn't properly consider the pair-wise range structure. It may split the ranges into wrong pairs if it evaluates to an odd number. For example, for an input range string of "6,0,2,10,12,20,22" with 4 threads, group_range_count becomes 1. It would then try to verify (0,2), (2,10), (10,12) and (12,20). Note that (2,10) and (12,20) are not valid ranges to be verified, and with (20,22) uncovered. Bug: 68343761 Test: Trigger update_verifier verification. Check the number of verified blocks against the one in care_map.txt. Change-Id: I7c5769325d9866be06c45e7dbcc0c8ea266de714 (cherry picked from commit 62caeb5f48c9d7b1a8ed97c4a021195b8499b804) (cherry picked from commit 559a6d1d2ae2e5145641e1eb16e2c015d756d8c9) --- update_verifier/update_verifier.cpp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'update_verifier') diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index faebbede0..ba7b7aec4 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -137,11 +137,12 @@ static bool read_blocks(const std::string& partition, const std::string& range_s LOG(ERROR) << "Error in parsing range string."; return false; } + range_count /= 2; std::vector> threads; size_t thread_num = std::thread::hardware_concurrency() ?: 4; - thread_num = std::min(thread_num, range_count / 2); - size_t group_range_count = range_count / thread_num; + thread_num = std::min(thread_num, range_count); + size_t group_range_count = (range_count + thread_num - 1) / thread_num; for (size_t t = 0; t < thread_num; t++) { auto thread_func = [t, group_range_count, &dm_block_device, &ranges, &partition]() { @@ -154,7 +155,8 @@ static bool read_blocks(const std::string& partition, const std::string& range_s return false; } - for (size_t i = 1 + group_range_count * t; i < group_range_count * (t + 1) + 1; i += 2) { + for (size_t i = group_range_count * 2 * t + 1; + i < std::min(group_range_count * 2 * (t + 1) + 1, ranges.size()); i += 2) { unsigned int range_start, range_end; bool parse_status = android::base::ParseUint(ranges[i], &range_start); parse_status = parse_status && android::base::ParseUint(ranges[i + 1], &range_end); -- cgit v1.2.3