Commit graph

57 commits

Author SHA1 Message Date
Treehugger Robot
cd6618b619 Merge "Migrate Test Targets to New Android Ownership Model" into main 2024-04-22 17:01:48 +00:00
Kelvin Zhang
e366fe9f01 Check for build-tags before installing sideload OTA
Only allow test-key OTA to be installed on test-key devices,
and only allow release-key OTA to be installed on release-key devices.

Test: sideload recovery OTA
Bug: 314013134
Change-Id: I6609923929247ab498d3a315637765ae2d1370b0
2024-03-26 15:55:08 -07:00
Aditya Choudhary
eb84a17080 Migrate Test Targets to New Android Ownership Model
This CL is created as a best effort to migrate test targets to the new Android ownership model.
It is based on historical data from repository history and insights from git blame.
Given the nature of this effort, there may be instances of incorrect attribution. If you find incorrect or unnecessary
attribution in this CL, please create a new CL to fix that.

For detailed guidelines and further information on the migration please refer to the link below,
go/new-android-ownership-model

Bug: 304529413
Test: N/A
Change-Id: Ia2268756e71b22238b17b21d336f5f7e5bd35b0b
2024-02-02 13:56:16 +00:00
Kelvin Zhang
735499480d Add recovery flag to reformat /data
For 16K dev options, we might need to reformat /data partition as ext4
before enabling the feature. Add necessary support to recovery.

Test: Trigger reboot with --wipe_data --reformat_data=ext4, make sure
/data is reformatted with ext4 on next boot
Bug: 293313353

Change-Id: I3cb67a62635a2df578472cd48cf6d2f5e04b5f82
2024-01-04 16:43:53 -08:00
Florian Mayer
0feef55859 Add --keep_memtag_mode for --wipe_data
This allows us to erase the system image without resetting the MTE
state. This is useful for TestHarness looking to re-use an MTE enabled
device without incurring an extra reboot to re-enable after reboot.

Bug: 300694575
Change-Id: Ie1ea6891361e561189b9390b97b0b4a4c3a6d7e8
2023-10-30 17:42:31 +00:00
Kelvin Zhang
170ad59954 Allow brick OTA package to be sideloaded in recovery
Makes testing easier, brick packaegs can now be tested directly in
recovery w/o having to go through GOTA.

Test: adb sideload brick_ota.zip
Bug: 273561331
Change-Id: I48214dc03e63b69e61fc217bc3f58923bb90a9a6
2023-03-14 17:10:42 -07:00
Kelvin Zhang
2a8c6e0842 Require serialno field for brick OTA package on release-key devices
Bug: 273561331
Test: th
Change-Id: Ifba030dca61275bb05bc5a8b62413830d28ba2d4
2023-03-14 12:29:52 -07:00
Tim Zimmermann
78e524e418
Only check for powerwash in A/B ota packages
* A-only doesn't have payload_properties.txt
  causing an user-facing error

Change-Id: If749c9a8cf1c3bbdf0300a2da06ec2246fc75484
2022-10-14 20:06:41 +02:00
Florian Mayer
21d50b280f [MTE] Reset memtag message on factory reset.
Bug: 235255174
Test: https://gist.github.com/fmayer/8900b52636574ee079fa1943e5da918e
Change-Id: If42faa0417f9717d66eaa4247a88de61985b21b0
2022-06-23 13:39:22 -07:00
Eric Biggers
fde69fbd8a Remove support for converting from FDE to FBE
Devices that launched with Android 10 or later require FBE (File Based
Encryption) from the beginning, so there's no need to support converting
to FBE after the fact anymore.  This was only ever a developer option,
so it probably wasn't used much.  And in any case, it's not used
anymore, as isConvertibleToFBE() is hard-coded to return false.  Besides
the fact that FBE has been required for several releases now, this
functionality was only ever available on devices that use FDE (Full Disk
Encryption), but FDE support has been removed from Android.

Therefore, remove this unused code.

Bug: 208476087
Change-Id: I1f56c8e05fb3fba09aab4bf5f8609b0f552b8999
2022-03-10 22:48:49 +00:00
Kelvin Zhang
a4208b5f90 Perform data wipe in recovery if ota package has powerwash set
Normally, if an ota package has --wipe_user_data flag, we set bootloader
parameter --wipe_data, so that next boot into bootloader will wipe
userdata. But this doesn't work in recovery, likely because after
recovery we don't reboot to bootloader, but directly boot into android.
Therefore perform data reset in recovery if the OTA package has
POWERWASH flag.

Bug: 203507329
Test: apply an OTA pkg with --wipe_user_data, verify that data wipe
happened

Change-Id: Icca4a5f74246bde44a5fd589395404c9f57867ee
2022-02-14 20:20:08 -08:00
Jacky Liu
068329e977 Move package verifier from libinstall to libotautil
So it can be used by device-specific codes.

Bug: 184693830
Test: m; atest recovery_unit_test
Change-Id: I5885334c1bd04214c9cc295f2337306261a1735c
2021-12-22 23:31:08 +08:00
Kelvin Zhang
33c62fc4b8 Check SPL downgrade before install OTA in recovery
Applying an SPL downgrade package can cause boot failures
(/data failed to decrypt). Today's ota_from_target_files
tool already try to prevent this. But Packages generated
using older tools are still around.

Add check in recovery to prevent such OTA package from
installing.

Test: th
Test: Sideload an OTA with newer SPL, make sure check passes
Test; Sideload an OTA with older SPL, make sure check fails

Bug: 186581246

Change-Id: Icffe8097521c511e151af023a443ccbb4b59e22c
2021-05-17 16:25:00 -04:00
Tianjie
32b4e72a24 Bring up the erase animation early for data wipe
Right now the "Erasing" animation displays after the merge step
during the FDR process; and the merge can take 3-4 minutes. The
users maybe confused about the blank screen and forcefully
reboot the device.

Bug: 181636823
Test: add sleep merge, check the animation displays correctly.
Change-Id: Ib23b1ed3a84e95640271a429c51a3d3c142dc404
2021-03-02 16:42:07 -08:00
Bob Badour
29be3f6ef1 [LSC] Add LOCAL_LICENSE_KINDS to bootable/recovery
Added SPDX-license-identifier-Apache-2.0 to:
  applypatch/Android.bp
  bootloader_message/Android.bp
  edify/Android.bp
  fuse_sideload/Android.bp
  install/Android.bp
  minadbd/Android.bp
  minui/Android.bp
  otautil/Android.bp
  recovery_ui/Android.bp
  recovery_utils/Android.bp
  tests/Android.bp
  tools/image_generator/Android.bp
  tools/recovery_l10n/Android.bp
  uncrypt/Android.bp
  update_verifier/Android.bp
  updater/Android.bp
  updater/Android.mk
  updater_sample/Android.bp
  updater_sample/tests/Android.bp

Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-MIT
    SPDX-license-identifier-OFL
to:
  Android.bp
  Android.mk

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I3da761b525452838977297f773974000d4de7bd6
2021-02-14 10:37:20 -08:00
David Anderson
ebce8e6306 Fix SnapshotManager instantiation.
New() should be used instead of NewForFirstStageMount().

Bug: 168258606
Test: data wipe with VABC merge in progress
Change-Id: Idf2b01a504b577766da303091721764242e99a69
2021-02-04 20:23:15 -08:00
Kelvin Zhang
d1ba38f7c9 Check for overflow before allocating memory fore decompression.
On 32bit devices, an ZipEntry64 may have size > 2^32, we should check
for such cases before attempting to allocate memory.

Test: mm -j
Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
2020-09-18 17:41:51 -04:00
Kelvin Zhang
4f81130039 Switch to zip64 in recovery
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.

Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
2020-09-16 14:21:37 -04:00
Kelvin Zhang
e1ae78cd54 Add recovery support of dynamic fingerprints
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro

This CL updates recovery code to recognize them

Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
2020-06-29 16:22:08 -04:00
Yifan Hong
d5c56cee29 Detect non-A/B vs. A/B packages correctly. am: f2af5629d2
Change-Id: I7e5e67f90fbc49fbc99e1e251c06ceaa93f6c2d9
2020-05-20 00:55:00 +00:00
Yifan Hong
f2af5629d2 Detect non-A/B vs. A/B packages correctly.
Check the package metadata to determine whether this is an
A/B or non-A/B update package. This is more accurate.

Also checks ro.virtual_ab.allow_non_ab flag. This is useful for
continuously supporting (and testing) non-A/B.

Bug: 153581609
Test: apply non-A/B update on cuttlefish

Change-Id: I629a533a67966d46d9cd87a59c6b9af26daf1667
(cherry picked from commit 2a4afd29a1)
Merged-In: I629a533a67966d46d9cd87a59c6b9af26daf1667
2020-05-19 15:20:14 -07:00
Tianjie Xu
cd8faf7eee Force off-device package installation with FUSE
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures

Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 19:16:38 +00:00
Raman Tenneti
daaacea96e Revert "Force package installation with FUSE unless the package stores on device"
This reverts commit 5e6c4e9a91.

Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420

Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 03:03:36 +00:00
Tianjie Xu
5e6c4e9a91 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2020-01-22 22:01:46 +00:00
Treehugger Robot
5ee782079a Merge "Mount snapshotted /system in Virtual A/B devices" 2020-01-07 20:26:43 +00:00
Yifan Hong
c77bb70166 Delete VINTF compatibility check during OTA.
Test: sideload OTA
Bug: 139300422
Change-Id: I3369b69242ccd7a64540a0c2d754a5d6fc50d072
2019-12-18 12:14:50 -08:00
Alessio Balsini
a9665ced57 Mount snapshotted /system in Virtual A/B devices
Mounting /system in Virtual A/B devices may require the creation of the
associated snapshot devices.
This patch performs all the required initializations prior to attempting
the mount of /system.

Bug: 139157327
Test: manual /system partition mount on VAB device during OTA
Depends-on: I7337bdd38d7016d12d3ee42be1c7893b10e9116d
Change-Id: I71a9dfc57e1a1354f1f1edc5d287aca93c0c8924
Signed-off-by: Alessio Balsini <balsini@google.com>
2019-12-16 21:25:45 +00:00
David Anderson
89d2d050a0 Force merges to complete before wiping data or metadata.
After an OTA is applied, a wipe in recovery may overwrite components of
dynamic partitions living in userdata. If the OTA has not yet begun
merging, we mark the current slot unbootable. If the OTA has begun
merging, we wait for the merge to complete. This logic is encapsulated
in libsnapshot.

Bug: 139156011
Test: manual test
Change-Id: Id6544a1b8583afcbba11559d46214ec2e68ffa40
2019-11-11 01:02:12 +00:00
Tao Bao
e3f09a72f5 otautil: Factor out the utils that're private to recovery.
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.

Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
2019-10-02 10:56:46 -07:00
Steven Moreland
e2ca8ba293 Merge "Remove libhidltransport deps" 2019-09-30 15:56:03 +00:00
Tao Bao
3305d48b0b minadbd: Export minadbd/types.h to libinstall.
Test: mmma bootable/recovery
Change-Id: I503e942b23cc51024aa752c1eb3db5455a44a9d1
2019-09-26 00:04:11 -07:00
Steven Moreland
ff9b62b781 Remove libhidltransport deps
Since this was combined into libhidlbase.

Bug: 135686713
Test: build only (libhidltransport is empty)
Change-Id: I253e50726967044714275ab995fb8a8a57bcde36
2019-09-25 15:12:30 -07:00
Tianjie Xu
164c60a4f3 Clean up some global variables in common.h
Some global variables are only used for recovery.cpp and
recovery_main.cpp, remove them from common.h and handle their usage
accordingly. Variables include:
static constexpr int kRecoveryApiVersion;
extern struct selabel_handle* sehandle;
extern RecoveryUI* ui;
extern bool has_cache;
bool is_ro_debuggable();

Test: unit tests pass, boot into recovery mode and run graphic tests
Change-Id: If83a005786c9b38412731da97aaf85af69a3b917
2019-07-24 11:36:03 -07:00
Tao Bao
89cc79cbb6 Merge "minadbd sends heartbeat to rescue service for getprop command." 2019-07-10 19:52:44 +00:00
Tianjie Xu
e521861508 Create a fallback to install from fuse if mmap fails
We may fail to memory map the package on 32 bit builds for packages with
2GiB+ size. This cl tries to install the package with fuse when memory map
fails in such cases.

Bug: 127071893
Test: build 32 bit version sailfish, push package and block.map, reboot into recovery with
the corresponding update_package argument.

Change-Id: I5dae4f3e27ccaf8d64ff3657d36f0e75db2330b0
2019-07-09 14:15:18 -07:00
Tao Bao
2223e6a9f8 minadbd sends heartbeat to rescue service for getprop command.
We start minadbd and rescue services in two processes. In particular,
minadbd handles the requests from host, then communicates with rescue
service to do install/wipe works. When resuce service doesn't see any
request in a pre-defined timeout (currently 300s), rescue service will
exit to avoid endless waiting.

This CL changes minadbd to additionally send a no-op command to rescue
service as a heartbeat signal, so that host side can finish
time-consuming operations (e.g. downloading over network) while keeping
rescue service alive.

Bug: 136457446
Test: Enter resuce mode on blueline. Send `adb rescue getprop
      ro.build.fingerprint` and check that rescue service doesn't exit.
Test: Stop sending the getprop command. Check that rescue service exits
      after 300s.
Change-Id: Ib9d5ed710cfa94ecfe6cf393a71a0b67b2539531
2019-07-09 11:09:34 -07:00
Tianjie Xu
f6158eb918 Support starting fuse from a block map
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.

This is part of the effort to install larger than 2GiB packages on ILP32
devices.

Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.

Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
2019-06-20 13:53:40 -07:00
Tianjie Xu
87e2275970 Merge "InstallPackage now takes a package as parameter" 2019-06-14 00:24:49 +00:00
Tianjie Xu
980f92ec00 InstallPackage now takes a package as parameter
Therefore InstallPackage() doesn't need to worry about the details of a
given Package.

Bug: 127071893
Test: run update from /bin/recovery --update_package=@path, sideload a package
Change-Id: I0caa36785b43924f884ee398e7ea640d7472a92e
2019-06-13 13:36:56 -07:00
Elliott Hughes
39ac1c013c Use the new ziparchive Next std::string_view overload.
Bug: http://b/129068177
Test: treehugger
Change-Id: Ieec83126e36b330da33092a172e365376cd04dfe
2019-06-12 12:20:37 -07:00
Elliott Hughes
88d8001e75 Move off the Next ZipString overload.
Bug: http://b/129068177
Test: treehugger
Change-Id: I3c8f70b0d8cc5dc6b3b4439dbe0b9a5bd85003c4
2019-05-22 18:52:29 -07:00
Elliott Hughes
143a03fa03 Track libziparchive API change.
Bug: http://b/129068177
Test: treehugger
Change-Id: I618bbcf38914dd81e042e0cfd1976ff26274dc30
2019-05-08 17:28:22 -07:00
Elliott Hughes
a86dddbfa5 Track libziparchive API change.
Bug: http://b/129068177
Test: treehugger
Change-Id: Ie5b2b0cff087f2e9e65a4e77c187e3173357f3ad
2019-05-06 10:28:14 -07:00
Tao Bao
adc99efd1c install: Install functions return InstallResult.
Test: `atest recovery_unit_test recovery_component_test`
Test: Sideload a package on taimen.
Change-Id: I2d42f55a89931ee495ea5c5d9e6b5ee1058e8e52
2019-04-30 13:58:03 -07:00
Tao Bao
36c7276cb2 install: Return bool for a few check functions.
The results from these functions have boolean semantics. They're
returning `int` prior to this CL, with some of them mixing 0 and
InstallResult.  Note that SetUpNonAbUpdateCommands() was returning
INSTALL_CORRUPT / INSTALL_ERROR / 0 prior to this change, but all the
callers handle INSTALL_CORRUPT and INSTALL_ERROR the same way.

This CL changes them to return bool instead.

Test: `mmma -j bootable/recovery`
Test: TreeHugger
Test: Sideload on taimen.
Change-Id: Ic1b5dbf79aaca68b53ab8ea2c8ba3d19f988c571
2019-04-30 13:58:03 -07:00
Tao Bao
40ccbe3324 Merge "Add install/wipe_device.cpp." 2019-04-29 18:46:53 +00:00
Tao Bao
7f19d100b5 Add install/wipe_device.cpp.
Prior to this CL, GetWipePartitionList was declared in install.h
(libinstall) but defined in recovery.cpp (librecovery). This CL
addresses the issue by refactoring wipe-device related functions into
install/wipe_device.cpp.

Test: atest recovery_component_test
Change-Id: I7ebe04ccfda3d793e085403560a0a202752d9ee3
2019-04-26 23:23:19 -07:00
xunchang
fedeef6f6d Support wipe command in rescue mode
Bug: 131037235
Test: unit tests pass, run `adb rescue wipe`
Change-Id: I22668f2c98fe2d9195d2561f961c28a7c08e712c
2019-04-26 10:36:48 -07:00
Tao Bao
d9cb014d43 Parse BCB command to enter rescue mode.
bootloader will set `boot-rescue` in BCB command field to indicate
booting into rescue mode. This CL adds the matching parsing code.

This CL changes the on-screen UI to display the default image while
waiting for each sideload / rescue command.

It also changes the minadbd reboot handlers to use REBOOT_ instead of
the previous ENTER_ actions. This ensures a reboot going through
bootloader, which may load a newly installed bootloader/recovery.

Bug: 128505466
Test: Boot into rescue mode. Run `adb rescue getprop` and `adb rescue
      install`. Check the UI. Then run `adb reboot rescue`.
Change-Id: I5b7de9dfd898ed8e14bea0d4ad7385a9bae26e94
2019-04-25 14:02:41 -07:00
Tao Bao
10f441a9db minadbd: Support adb reboot under sideload/rescue modes.
Bug: 128415917
Test: Run the following commands under sideload and rescue modes
      respectively.
$ adb reboot
$ adb reboot bootloader
$ adb reboot recovery
$ adb reboot rescue
$ adb reboot invalid
Change-Id: I84daf63e3360b7b4a0af5e055149a4f54e10ba90
2019-04-23 23:50:12 -07:00