Commit graph

521 commits

Author SHA1 Message Date
Elliott Hughes
a85d7a0936 Use gtest_prod_headers.
Bug: http://b/185916167
Test: treehugger
Change-Id: I3407052df4f12b01acc4a75c6bd0759f7a4b2c4c
2021-04-20 11:58:05 -07:00
Bob Badour
29be3f6ef1 [LSC] Add LOCAL_LICENSE_KINDS to bootable/recovery
Added SPDX-license-identifier-Apache-2.0 to:
  applypatch/Android.bp
  bootloader_message/Android.bp
  edify/Android.bp
  fuse_sideload/Android.bp
  install/Android.bp
  minadbd/Android.bp
  minui/Android.bp
  otautil/Android.bp
  recovery_ui/Android.bp
  recovery_utils/Android.bp
  tests/Android.bp
  tools/image_generator/Android.bp
  tools/recovery_l10n/Android.bp
  uncrypt/Android.bp
  update_verifier/Android.bp
  updater/Android.bp
  updater/Android.mk
  updater_sample/Android.bp
  updater_sample/tests/Android.bp

Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-MIT
    SPDX-license-identifier-OFL
to:
  Android.bp
  Android.mk

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I3da761b525452838977297f773974000d4de7bd6
2021-02-14 10:37:20 -08:00
Kelvin Zhang
07ba4483a6 Re-enable failed imgpatch tests
Now we added a libz variant without the offending optimizations,
    re-enable tests.

Test: treehugger
Bug: 177076632
Change-Id: I6969090b2cb4c059d952df7cc034d0ed1ac366b2
2021-01-13 10:10:15 -05:00
Kelvin Zhang
2f2749f213 Switch imgdiff to use libz_stable
libz contain platform dependent optimization flags, and sometimes that
cause reconstruction of blobs to fail. Use libz_stable instead

Bug: 177076632
Test: treehugger

Change-Id: I3a8c1591672537d1c754b2bc5b26f939dd80ed47
2021-01-13 10:10:15 -05:00
Kelvin Zhang
d77e7ea105 Disable failed imgpatch tests
For a proper solution, add a variant of libz which doesn't have platform
dependent optimizations, and make imgdiff use that version.
Test: treehugger
Bug: 177076632

Change-Id: Ia9e926c1adf22d351315eeec5ad1fabc3d48efd5
2021-01-12 14:45:29 -05:00
Will Coster
de455707e6 Add a fuzzer for OTA package verification
This is a pretty simplistic approach, it just shoves random data at the
verifier. The OTA format isn't too complicated so this should hopefully
be sufficient to let the fuzzer exercise the potentially interesting
parsing code.

Test: Let the fuzzer run on device for awhile:
      1) FUZZ=libinstall_verify_package_fuzzer
      2) SANITIZE_TARGET=hwaddress make ${FUZZ}
      3) cd ${ANDROID_PRODUCT_OUT} && adb root && adb sync data
      4) adb shell /data/fuzz/arm64/${FUZZ}/${FUZZ}
Change-Id: Icac6bde017b497d9f92c06191eb29e107ba9c0a7
2020-11-10 14:26:17 -08:00
Tianjie
581a824401 Add test config for recovery_host_test
Bump the timeout as we see some flakiness in b/170178152. The other
part of the config is copied from the auto-generated config in
out/host/linux-x86/testcases/recovery_host_test/recovery_host_test.config

Bug: 170178152
Test: treehugger
Change-Id: Ia84c90ba6a686c47ecc7d8331c7e8c7cb4b78292
2020-10-06 23:31:04 +00:00
Kelvin Zhang
4f81130039 Switch to zip64 in recovery
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.

Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
2020-09-16 14:21:37 -04:00
Tianjie
78d1514173 Update language to comply with Android’s inclusive language guidance
https: //source.android.com/setup/contribute/respectful-code
Bug: 161896447
Test: Unit tests pass
Change-Id: I0f3f0333dbccc94241a096ca5d3d9bc28c281492
2020-07-23 14:02:21 -07:00
Tianjie
1bc976a74e Fix some wording to comply with respectful-code
https: //source.android.com/setup/contribute/respectful-code
Test: Unit tests pass
Change-Id: If447b2cf923f6bc7a3a3fb5f69b9fbc06a200ebb
2020-07-23 13:07:24 -07:00
Kelvin Zhang
e1ae78cd54 Add recovery support of dynamic fingerprints
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro

This CL updates recovery code to recognize them

Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
2020-06-29 16:22:08 -04:00
Automerger Merge Worker
a0df3e3584 Merge "Generate recovery.img for unittest during build time" am: bf885b6b21 am: 616db72209
Change-Id: I264469782af6ffab1c138edc01b577abb5fd2675
2020-02-24 19:14:38 +00:00
Tianjie Xu
fa77ee8470 Generate recovery.img for unittest during build time
The unit tests for imgpatch is comparing the compressed bytes. As
a result, these unit tests will fail with libz change.

Since the recovery image is just a gzipped ramdisk with some wrappings,
we can generate with minigzip it during the build time. This matches
the usage in the real world, where we generate the patch with the host
side libz; and apply the patch with the library on the device.

Bug: 149443852
Test: tests pass on Pixel3
Change-Id: I7885765a161c6bf765671bc55a72cfcaa04b4138
2020-02-20 23:09:44 -08:00
Tianjie Xu
cd8faf7eee Force off-device package installation with FUSE
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures

Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 19:16:38 +00:00
Raman Tenneti
4139a30ec5 Merge "Revert "Force package installation with FUSE unless the package stores on device"" into qt-qpr1-dev-plus-aosp 2020-02-13 03:08:09 +00:00
Raman Tenneti
daaacea96e Revert "Force package installation with FUSE unless the package stores on device"
This reverts commit 5e6c4e9a91.

Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420

Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 03:03:36 +00:00
Bryan Ferris
7bc9c8297b Merge "Force package installation with FUSE unless the package stores on device" into qt-qpr1-dev-plus-aosp 2020-02-12 23:37:34 +00:00
Steven Moreland
c7647926f4 rm libbinderthreadstate
This library is empty, and its functionality has moved
into libbinder/libhwbinder.

Bug: 148692216
Test: N/A
Change-Id: Ie50d9130a8e43de7d5b222883169c26ab958e6d7
2020-02-06 13:28:52 -08:00
Tianjie Xu
5e6c4e9a91 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2020-01-22 22:01:46 +00:00
Peter Collingbourne
8b9ac5b83d Merge "Link libvndksupport dynamically instead of statically." 2019-12-19 17:27:37 +00:00
Yifan Hong
c77bb70166 Delete VINTF compatibility check during OTA.
Test: sideload OTA
Bug: 139300422
Change-Id: I3369b69242ccd7a64540a0c2d754a5d6fc50d072
2019-12-18 12:14:50 -08:00
Peter Collingbourne
8f2f0d09ea Link libvndksupport dynamically instead of statically.
Bug: 146456667
Change-Id: I839223d8fbc365fd3271634143b117604f6aa879
2019-12-17 17:51:42 -08:00
Tianjie Xu
3d57c84476 Consolidate the vendor space misc usage for Pixels
The layout of the vendor space /misc partition was pretty confusing and
lead to some usage conflicts. To formalize the layout, we create a pixel
specific library with the definition & offset of various flags. The new
library also handles the R/W. As a result, we will leave system domain
/misc definitions in the libbootloader_message.

We also switch the misc_writer binary to use more specific options
instead of writing an arbitrary hex string. So we can avoid redefining
the string & offset in both init script and recovery ui.

Bug: 131775112
Test: unit tests pass, run misc_writer and check contents of /misc
Change-Id: I00f8842a81d1929e31a1de4d5eb09575ffad47c0
2019-11-12 10:53:04 -08:00
Tao Bao
832c9cd24f Refactor battery info querying functions into librecovery_utils.
Bug: 134560109
Test: Run recovery_unit_test.
Change-Id: Ibbcdcfd507fa23657ee7ff677208b0003ec382ba
2019-10-02 22:04:25 -07:00
Tao Bao
e3f09a72f5 otautil: Factor out the utils that're private to recovery.
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.

Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
2019-10-02 10:56:46 -07:00
Tao Bao
5234ad466c applypatch: Add backup_source parameter to PatchPartition.
And set it to false when installing recovery image via applypatch. We
only need to back up the source partition when doing in-place update
(e.g. when updating a given partition under recovery). When installing
recovery image via applypatch, we won't touch the source partition (i.e.
/boot).

Removing the backup step also allows dropping the dac_override_allowed
permission. Previously it was needed due to the access to /cache.
Because applypatch runs as root:root, while /cache is owned by
system:cache with 0770.

Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
      is installed successfully without denials.
Test: recovery_unit_test passes on taimen.
Change-Id: I549a770b511762189d6672a2835b6e403d695919
2019-09-23 11:26:48 -07:00
Tao Bao
dfb053e815 tests: recovery_unit_test requires root.
Bug: 141272654
Test: TreeHugger (recovery_unit_test no longer fails)
Change-Id: I47cbee274e659e3d90be5a77b215466d2973c7d6
2019-09-19 08:08:54 -07:00
Pete Bentley
189d424ced Link libcrypto dynamically for recovery unit tests.
Tested by running recovery_unit_test as described in
https://android.googlesource.com/platform/bootable/recovery/+/refs/heads/master/README.md

Attempted to build and boot a recovery image with the
same change to confirm it still works, but
m recoveryimage-nodeps
fails for me.

Bug: 140940227
Test: See above
Change-Id: I00545968a0e5684823e505f2ddbe7e993319b5d4
2019-09-13 12:18:44 +01:00
Steven Moreland
e4f1a781f5 Remove reference to libhwbinder_noltopgo.
No longer needed.

Bug: 135558503
Test: build only
Change-Id: Ia1257513c6276cdb01604fbedb411e7412d02b84
2019-09-05 14:29:23 -07:00
Tianjie Xu
60b242cfd5 Simulator: add the argument to keep the updated images
Add the command line option to select the work directory and save the
updated image files. Because some people might have interested in
getting updated images from an ota file.

Also, fix a minor issue that the destination of package_extract_file
needs to be updated if it's a block device. Otherwise, an unintended
file may be extracted in the callers' directory.

Test: run simulation, run unit tests

Change-Id: Ic6a7db0580bc1748d6e080102e4654da4e41fd8c
2019-07-30 17:11:35 -07:00
Tianjie Xu
45c40ec876 Remove libimgpatch
Stop building libimgpatch as it's merely a subset of libapplypatch.

Test: unit tests pass

Change-Id: I0735ec053344404434a50e53a36e3f55964c2e4f
2019-07-10 12:41:45 -07:00
Tianjie Xu
42d7779caf Build libimgdiff as a host only library
Stop building libimgdiff on device because we are only running
patching there.

Test: unit tests pass
Change-Id: I4225c6b52a536617301a64c405e325799a303b40
2019-06-28 11:04:07 -07:00
Tianjie Xu
c3a161e2b8 Add unit tests for simulator
Make sure the simulator succeeds executing common non-A/B update
functions.

Bug: 131911365
Test: run unit tests
Change-Id: I520ce6a8827539b88a9e36f9e67eec30d8b586d4
2019-06-27 16:17:05 -07:00
Tianjie Xu
f6158eb918 Support starting fuse from a block map
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.

This is part of the effort to install larger than 2GiB packages on ILP32
devices.

Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.

Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
2019-06-20 13:53:40 -07:00
Tianjie Xu
c1a5e26fd9 Implement an update simulator to verify BB OTA packages on host
Implement the simulator runtime and build the updater simulator as a host
executable. The code to parse the target-files and mocks the block devices
will be submitted in the follow-up.

Bug: 131911365
Test: unit tests pass

Change-Id: Ib1ba939aec8333ca68a45139514d772ad7a27ad8
2019-05-28 15:18:25 -07:00
Tianjie Xu
27556d089f Some clean ups to the updater
Remove some unnecessary includes or forward declarations. And include
the correct headers to build host executables.

Bug: 131911365
Test: unit tests pass
Change-Id: I62e75f60678159fe24619a4bd386b1416f1a5b5d
2019-05-22 14:58:28 -07:00
Tianjie Xu
e7b3c5698e Merge "Add UpdaterRuntime class" 2019-05-21 17:07:30 +00:00
Tianjie Xu
1536db887f Add UpdaterRuntime class
This class adds a wrapper to the runtime dependent functions. Therefore,
the behavior of update on device stays the same, while simulators can
have their own implementations. Also change the caller side of the
registered updater functions to call these runtime wrappers.

Bug: 131911365
Test: unit tests pass, sideload an update on cuttlefish
Change-Id: Ib3ab67132991d67fc132f27120e4152439d16ac5
2019-05-20 18:03:27 -07:00
Tao Bao
7ae0169842 Add misc_writer.
bootloader_message.h currently divides /misc into four segments. The
space between 2K and 16K is reserved for vendor use (e.g. bootloader
persists flags). This CL adds a vendor tool "misc_writer", to allow
writing data to the vendor space in /misc, before getting a dedicated
HAL for accessing /misc partition (b/131775112).

Targets need to explicitly include the module, then invoke the
executable to write data. For example, the following command will write
3-byte data ("0xABCDEF") to offset 4 in vendor space (i.e. 2048 + 4 in
/misc).
$ /vendor/bin/misc_writer --vendor-space-offset 4 --hex-string 0xABCDEF

Bug: 132906936
Test: Run recovery_unit_test on crosshatch.
Test: Call the command via init.hardware.rc on crosshatch. Check that
      the call finishes successfully. Then check the contents written to
      /misc (`dd bs=1 skip=2048 if=/dev/block/sda2 count=32 | xxd`).
Change-Id: I79548fc63fc79b705a0320868690569c3106949f
2019-05-20 15:51:26 -07:00
Tianjie Xu
58d59129e1 Add Updater class and remove UpdaterInfo
The UpdaterInfo class is merely a collection of pointers and POD types.
We can replace it with a Updater class that has the ownership of the
resources. This also makes this class extensible as we plan to add more
functionality in the host simulator.

Bug: 131911365
Test: unit tests pass, run an update on cuttlefish and check last_install
Change-Id: I07ca5963bbee8ae3cb85ccc184464910aa73d4e4
2019-05-08 23:07:04 -07:00
Elliott Hughes
a86dddbfa5 Track libziparchive API change.
Bug: http://b/129068177
Test: treehugger
Change-Id: Ie5b2b0cff087f2e9e65a4e77c187e3173357f3ad
2019-05-06 10:28:14 -07:00
xunchang
311e6ca7b6 Implement FuseBlockDataProvider
Adds a fuse data provider that parses the metadata from a block map,
reads the data from the given ranges of the block device; and provides
the data to the fuse.

Bug: 127071893
Test: unit tests pass, install a package from block map
Change-Id: Ie9925ee9144e98642505b3f5e1a4a186d2b21ed0
2019-05-01 12:09:38 -07:00
Tao Bao
36c7276cb2 install: Return bool for a few check functions.
The results from these functions have boolean semantics. They're
returning `int` prior to this CL, with some of them mixing 0 and
InstallResult.  Note that SetUpNonAbUpdateCommands() was returning
INSTALL_CORRUPT / INSTALL_ERROR / 0 prior to this change, but all the
callers handle INSTALL_CORRUPT and INSTALL_ERROR the same way.

This CL changes them to return bool instead.

Test: `mmma -j bootable/recovery`
Test: TreeHugger
Test: Sideload on taimen.
Change-Id: Ic1b5dbf79aaca68b53ab8ea2c8ba3d19f988c571
2019-04-30 13:58:03 -07:00
Tao Bao
4a01f36d21 tests: Merge recovery_component_test into recovery_unit_test.
Most of the tests in component/ are in fact unit tests. And it doesn't
look practically beneficial to distinguish between the two:
- They have the same test setup;
- We always run both (recovery_unit_test and recovery_component_test)
  at the same time;
- Breaking any of them would be equally bad.

This CL merges the tests in recovery_component_test into
recovery_unit_test to save the effort to maintain both.

Test: Run recovery_unit_test on marlin (via `adb sync data`).
Test: `atest recovery_unit_test`
Change-Id: I93ff32e7219cd83425a4bcfe5613978a8dd48d75
2019-04-30 09:13:36 -07:00
Tao Bao
7f19d100b5 Add install/wipe_device.cpp.
Prior to this CL, GetWipePartitionList was declared in install.h
(libinstall) but defined in recovery.cpp (librecovery). This CL
addresses the issue by refactoring wipe-device related functions into
install/wipe_device.cpp.

Test: atest recovery_component_test
Change-Id: I7ebe04ccfda3d793e085403560a0a202752d9ee3
2019-04-26 23:23:19 -07:00
Tao Bao
83186dddb2 Add recovery_host_test to TEST_MAPPING.
Also remove the AndroidTest.xml file, which is no longer needed (the
`data` property in Android.bp takes care of that). The AndroidTest.xml
file would otherwise block `atest recovery_host_test` from running.

Test: TreeHugger; check the test result.
Change-Id: If545878a1f3ae627986e19a94b42162f133b9098
2019-04-26 10:05:55 -07:00
xunchang
34723087fe matches_locale no longer accept empty locales in the png file
The legacy png files have an empty line in the end. And the recovery
used to match any missing locale, e.g. "he" with that line and gets an
empty image.

Since the empty image is barely useful, we should just error out and
fall back to the default locale.

This reversed the unit test check added in d17a688525

Bug: 128934634
Test: run locale test with "he" and legacy images, recovery reports
error and doesn't crash even without default locale fall back

Change-Id: Ibdb7dd0b42348de5e392c834cce67ff02be85c24
2019-04-22 15:32:17 -07:00
Tao Bao
2be9737cf4 Remove the FD parameter from FuseDataProvider ctor.
This leaves the FD implementation details to subclasses. In particular,
it allows minadbd to do additional works with the FD after sideloading.

Bug: 128415917
Test: atest recovery_component_test
Test: atest minadbd_test
Test: Sideload package on taimen.
Change-Id: I106bbaad05201227bbc5fe28890bbbb06fdcb67e
2019-04-15 16:53:31 -07:00
xunchang
2478885f3c Move install to separate module
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.

Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
2019-03-29 10:27:51 -07:00
Tianjie Xu
3168ddf79d Merge "Allow RSA 4096 key in package verification" 2019-03-27 17:57:38 +00:00