This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This makes the applypatch executable a vendor module.
This change supports making dependencies of the applypatch executable available
to applypatch, which is now on vendor.
Since install-recovery.sh is now a vendor service, we add the
applypatch/vendor_flash_recovery.rc file to /vendor/etc/init to start the
service.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: I01c0800ee6078aa6c9d716d5f154ad2d63c7af84
And set it to false when installing recovery image via applypatch. We
only need to back up the source partition when doing in-place update
(e.g. when updating a given partition under recovery). When installing
recovery image via applypatch, we won't touch the source partition (i.e.
/boot).
Removing the backup step also allows dropping the dac_override_allowed
permission. Previously it was needed due to the access to /cache.
Because applypatch runs as root:root, while /cache is owned by
system:cache with 0770.
Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
is installed successfully without denials.
Test: recovery_unit_test passes on taimen.
Change-Id: I549a770b511762189d6672a2835b6e403d695919
The expression "!fd" calls the implicit conversion to int, but comparing
the raw fd against 0 does not work, since open() and other POSIX calls
returning a file descriptor use -1 to signal an error.
Test: m recovery
Change-Id: I0847c276f39cb9dd09c7ffb96951276113418fc8
applypatch() was initially designed for file-based OTA, operating on
individual files. It was later extended to allow patching eMMC targets
as a whole, in favor of block-based updates.
As we have deprecated file-based OTA since Oreo, part of the code in
applypatch() has become obsolete. This CL refactors the related
functions, by removing the obsolete logic and focusing on eMMC targets.
Since this CL substantially changes applypatch APIs, it adds new
functions to avoid unintentionally mixing them together. In particular,
it removes `applypatch()`, `applypatch_check()`, `applypatch_flash()`,
and adds `PatchPartition()`, `PatchPartitionCheck()`, `FlashPartition()`
and `CheckPartition()`. It also replaces the old Edify functions
`apply_patch()` and `apply_patch_check()` with `patch_partition()` and
`patch_partition_check()` respectively.
This CL requires matching changes to OTA generation script (in the same
topic).
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Test: `m dist` with non-A/B target. Verify
/system/bin/install-recovery.sh on device.
Test: `m dist` with non-A/B target using BOARD_USES_FULL_RECOVERY_IMAGE.
Verify /system/bin/install-recovery.sh on device.
Test: Install an incremental OTA with the new updater and scripts.
Change-Id: Ia34a90114bb227f4216eb478c22dc98c8194cb7f
Now it's less beneficial to inject I/O faults since we don't see many of
them. Remove the library that mocks I/O failures. And switch to android::base
I/O when possible.
Bug: 113032079
Test: unit tests pass
Change-Id: I9f2a92b7ba80f4da6ff9e2abc27f2680138f942c
This applies to the standalone applypatch executable
(/system/bin/applypatch on device). This executable is only used when
installing (via patching or flashing) a recovery image on non-A/B
device.
This CL removes the support for patching non-eMMC targets from
applypatch that has been deprecated as part of file-based OTA. For
patching eMMC targets, it also drops the support for accepting multiple
patches (not useful, since the source file must be fixed).
This CL needs the matching change in the same topic, which writes the
script of "/system/bin/install-recovery.sh". Note that this CL doesn't
chanage the applypatch API signatures, in order to minimize the CL size.
*BEFORE*
usage: /system/bin/applypatch [-b <bonus-file>] <src-file> <tgt-file> <tgt-sha1> <tgt-size> [<src-sha1>:<patch> ...]
or /system/bin/applypatch -c <file> [<sha1> ...]
or /system/bin/applypatch -l
Filenames may be of the form
EMMC:<partition>:<len_1>:<sha1_1>:<len_2>:<sha1_2>:...
to specify reading from or writing to an EMMC partition.
*AFTER*
Usage:
check mode
applypatch --check EMMC:<target-file>:<target-size>:<target-sha1>
flash mode
applypatch --flash <source-file>
--target EMMC:<target-file>:<target-size>:<target-sha1>
patch mode
applypatch [--bonus <bonus-file>]
--patch <patch-file>
--target EMMC:<target-file>:<target-size>:<target-sha1>
--source EMMC:<source-file>:<source-size>:<source-sha1>
show license
applypatch --license
Bug: 110106408
Test: Run recovery_component_test and recovery_unit_test on marlin.
Test: Build a non-A/B target that has /system/bin/install-recovery.sh.
Verify that it installs recovery image successfully.
Test: Build a non-A/B target that has /system/bin/install-recovery.sh in
flashing mode. Verify that it installs recovery image successfully.
Change-Id: I71f9a71fb457e6f663e0b5511946949e65b4b78c
They are doing exactly the same thing, except for the slightly different
error return value (1 vs -1).
int CacheSizeCheck(size_t bytes);
int MakeFreeSpaceOnCache(size_t bytes_needed);
This CL consolidates the two functions and uses bool as its return type.
// Checks whether /cache partition has at least 'bytes'-byte free space. Returns true immediately
// if so. Otherwise, it will try to free some space by removing older logs, checks again and
// returns the checking result.
bool CheckAndFreeSpaceOnCache(size_t bytes);
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I94a96934d2b18713f8f39ad5aa96a02c98d87963
Prior to this CL, FreeSpaceForFile() was returning `size_t`, which may
overflow on ILP32 when called on a partition with 4GiB+ free space.
Additionally, it was returning static_cast<size_t>(-1) on error, but the
caller in freecache.cpp didn't check for that.
This CL changes its return type to `int64_t`, and moves the function
into freecache.cpp since there's no external caller.
Test: Run recovery_unit_test on marlin.
Test: Code search shows no external user of FreeSpaceForFile().
Change-Id: I00f501a057726e1f1ab69f367c46c77b30f2d774
We already know the flakiness happens in bspatch, and the issue is
tracked in b/80193170.
Bug: 67849209
Test: unit tests pass
Change-Id: Ib4772b8f2f0225125096fe7407d083b5bb542cfb
Test: mmma -j bootable/recovery
Test: Run recovery_component_test and recovery_unit_test on marlin.
Change-Id: I4b240e3e771c387b9694be9c0f2f74e0265ab4cb
Also fix an error-pone behavior in previous code when verifying an eMMC
target. As long as it loads the partition content successfully according
to the SHAs embedded in the filename, it shouldn't further check against
the SHAs given in the second argument. Because the loaded contents
relate to a specific partition size.
For example:
apply_patch_check(
"EMMC:/boot.img:src_size:src_hash:tgt_size:tgt_hash",
"src_hash");
Assume "/boot.img" already has the desired hash of "tgt_hash", the
previous code would give wrong verification result. The issue can be
addressed by additionally listing "tgt_hash" as one of the desired SHAs
(or by applying this CL).
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I8daafdbecd083f687e24d563ab089caa25667633
Note that the code exists in debugging path only, and won't be hit
unless device has flaky flash.
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I0c71adc271f08f00e3eabd9d14cd8af3186c5bae
Also two minor changes (other than renaming some parameters):
- Added constness to the first parameter of FindMatchingPatch();
- Declared WriteToPartition() as static.
Bug: 110106408
Test: mmma -j bootable/recovery
Change-Id: I388958c944a23ce4a38a757ce2249f6a89dd4f03
Save the target file to tempfile upon unittest failures so that we can
try to decompress the deflate chunks in the flaky unittests. And print
the zlib version in case that gets changed.
Also the SHA1 of the uncompressed data seems correct; so only keep the
final SHA1 to double confirm.
Bug: 67849209
Test: recovery_component_test
Change-Id: Ic6447c2b75c29379d6844cd23a0ff1c4305694a0
We have a general need for overriding more paths (e.g. "/tmp"), mostly
for testing purpose. Rename CacheLocation to Paths, and use that to
manage TEMPORARY_{INSTALL,LOG}_FILE.
Test: mmma -j bootable/recovery
Test: recovery_component_test
Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
The apply patch test should have a deterministic way to append patch
data. Add debug logs to dump the length and SHA1 of each step to further
track down the flakiness.
Also redirect the debug logging to stdout in case the logcat becomes too
chatty.
Bug: 67849209
Test: Run recovery_component_test
Change-Id: I42bafef2d9dee599719ae57840b3d8c00d243ebd
As they're accepting the SinkFn callback, it makes more sense to leave
the work to their callers.
Test: mmma -j bootable/recovery
Test: Run recovery_component_test on marlin.
Test: No other active user of the two functions.
Change-Id: I8d67b38ce037925442296f136b483e0c71983777
After splitting the previously flaky
ApplyPatchModesTest#PatchModeEmmcTarget tests,
PatchModeEmmcTargetWithMultiplePatches now becomes the sole victim. This
CL dumps additional info to narrow down the cause.
Bug: 67849209
Test: `recovery_component_test` on marlin.
Test: It dumps additional info after using corrupt bonus.file.
Change-Id: Ic5436de457cc882a51d03f49d5cee70077f7d3df
We set the limit of the max stash size to 80% of cache size. But the
cache space can still be insufficient for the update if the log files
occupy a large chunk of /cache. So remove the old logs for now to make
room for the update.
Bug: 77528881
Test: unit tests pass
Change-Id: Ia8bcb0ace11f8164ad9290bfb360e08e31d282cb
This class allows us to set the following locations dynamically:
cache_temp_source, last_command_file, stash_directory_base.
In the updater's main function, we reset the values of these variables
to their default locations in /cache; while we can set them to temp
files in unit tests or host simulation.
Test: unit tests pass
Change-Id: I528652650caa41373617ab055d41b1f1a4ec0f87
When running the update simulation, we choose to skip the cache size
check for now due to the lack of "/cache" on host. And in later cls we
can implement a cache size estimator to make the check more constrained.
Also build the host version of support libraries.
Test: unit test pass
Change-Id: I3ed93c857fd02f7b62f5baba9130f75c3236e717
It used to keep track of the stat(2) info (e.g. st_mode/st_gid/st_uid)
while patching a file in file-based OTA.
Test: Build and use the new updater to apply an update on bullhead.
Change-Id: Ibf8f0f4b14298a9489bf24a2678bb279c5d9c8f3
It used to be "const Value*", but nullptr won't be a valid input.
Test: recovery_host_test; recovery_component_test
Change-Id: I904b5689ac3e64504088bf0544c9fb5d45a52243
We encountered segfaults in Imgdiff host tests due to the failure to
reset states of getopt. The problem can be solved by switching to use
bionic's gtest where a new process is forked for each test.
Also modify the recovery_component_test to make sure it runs in parallel.
Changes include:
1. Merge the writes to misc partition into one single test.
2. Change the hard coded location "/cache/saved.file" into a configurable
variable.
Bug: 67849209
Test: recovery tests pass
Change-Id: I165d313f32b83393fb7922c5078636ac40b50bc2
Also drop the "bootable/recovery" path in LOCAL_C_INCLUDES from
applypatch modules.
Test: lunch aosp_{angler,bullhead,fugu,dragon,sailfish}-userdebug;
mmma bootable/recovery
Change-Id: Idd602a796894f971ee4f8fa3eafe36c42d9de986
Mostly for applypatch family APIs like ApplyBSDiffPatch() and
ApplyImagePatch(). Changing to size_t doesn't indicate they would
necessarily work with very large size_t (e.g. > ssize_t), just
similar to write(2). But otherwise accepting negative length doesn't
make much sense.
Also change the return type of SinkFn from ssize_t to size_t. Callers
tell a successful sink by comparing the number of written bytes against
the desired value. Negative return values like -1 are not needed. This
also makes it consistent with bsdiff::bspatch interface.
Test: recovery_component_test
Test: Apply an incremental with the new updater.
Change-Id: I7ff1615203a5c9854134f75d019e266f4ea6e714
Patching regular files is used in file-based OTA only, which has become
obsolete.
Bug: 35853185
Test: Apply an incremental that patches the boot.img.
Test: /system/bin/install-recovery.sh works.
Test: recovery_component_test passes.
Change-Id: Id44e42c4bc63f2162ecc8a6df1cb528b7ae6b0a9
https://code.google.com/p/android/issues/detail?id=230602
On the second attempt, open the file with O_RDONLY,
which causing a write failure。
Change-Id: If89165b8c7619fe25722073a46b3cc7c61530a71
Signed-off-by: katao <ustckato@gmail.com>
We should always use unique_fd or unique_file to hold the FD or FILE*
pointer when opening via ota_(f)open functions.
This CL avoids accidentally closing raw FDs or FILE* pointers that are
managed by unique_fd/unique_file.
Test: recovery_component_test passes.
Change-Id: If58eb8b5c5da507563f85efd5d56276472a1c957
We were using the below sequence prior to the CL in [1].
unique_fd fd(ota_open(...));
ota_close(fd);
fd.reset(ota_open(...));
fd.reset() may unintentionally close the newly opened FD if it
has the same value as the early ota_open. The CL in [1] changed to
"ota_close(fd.release())" to avoid the issue. This CL adds a new
overloaded function ota_close(unique_fd&) to handle the release
automatically.
Similarly add ota_fclose(std::unique_ptr<FILE>&).
[1] commit 48cf770471.
Bug: 33034669
Test: recovery_component_test passes.
Change-Id: Ief91edc590e95a7426e33364b28754173efb1056
We use android::base::unique_fd() to avoid leaking FD. We also want to
call close (or ota_close) to explicitly check the close result. When
combining the two together, we need to release the unique_fd to avoid
closing the same FD twice.
Bug: 33034669
Test: Trigger applypatch with install-recovery.sh.
Change-Id: I1a4f5d5fba7a23ef98d8bd7b7b07e87ae6f705c5
Add unique_fd that calls ota_close() instead of the default closer.
Test: recovery_component_test passes.
Test: Apply a package that calls apply_patch().
Change-Id: I0c19921731757934f76cf7d5215916673a8f2777
We don't need three vectors to sort the (size, SHA-1) pairs.
Test: recovery_component_test passes.
Test: Apply a package that calls apply_patch_check() to patch EMMC
partitions.
Change-Id: I4a6620630a6711f490822cf30f1e7fe5cea6ce49
Applypatch_check should be skipped if no sha is specified. As the
comments said: "It's okay to specify no sha1s; the check will pass if
the LoadFileContents is successful. Useful for reading partitions,
where the filename encodes the sha1s."
Test: The update package applied on angler successfully.
Bug: 32243751
Change-Id: Ib8f3dadf19f745c2dbd350d60da46ab12d75bc87
Changing the field of 'Value' in edify to std::string from char*.
Meanwhile cleaning up the users of 'Value' and switching them to
cpp style.
Test: compontent tests passed.
Bug: 31713288
Change-Id: Iec5a7d601b1e4ca40935bf1c70d325dafecec235
We might end up in an infinite loop if read(2) reached EOF unexpectedly.
The problematic code in uncrypt mentioned in the bug has been fixed
by switching to libbase ReadFully(). So I grepped through the recovery
code and fixed some other occurences of the issue.
Bug: 31073201
Change-Id: Ib867029158ba23363b8f85d61c25058a635c5a6b
If two libraries both use LOCAL_WHOLE_STATIC_LIBRARIES and include a same
library, there would be linking errors when generating a shared library
(or executable) that depends on the two libraries both.
Also clean up Android.mk files.
Remove the "LOCAL_MODULE_TAGS := eng" line for the updater module. The
module will then default to "optional" which won't be built until needed.
Change-Id: I3ec227109b8aa744b7568e7f82f575aae3fe0e6f
