The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most practical case is to store the package on an external device, e.g. an
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon detecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
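
The check-then-enforce scheme described in the commit message above, as an added Python sketch (not the recovery code and not part of the original commit). The names `PinnedPackage`, `TamperedBlockError` and `demo`, the 4096-byte block size and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed transfer block size for this sketch


class TamperedBlockError(Exception):
    """A block read at time of use differs from what was verified."""


class PinnedPackage:
    """Pins per-block hashes during verification, enforces them on later reads."""

    def __init__(self, read_at, size, block_size=BLOCK_SIZE):
        self._read_at = read_at          # callable(offset, length) -> bytes
        self._size = size
        self._block_size = block_size
        self._block_hashes = []
        whole = hashlib.sha256()
        # Time of check: one full pass feeds the package digest (the input to
        # signature verification) and records a hash for every block.
        for offset in range(0, size, block_size):
            block = read_at(offset, min(block_size, size - offset))
            whole.update(block)
            self._block_hashes.append(hashlib.sha256(block).digest())
        self.package_digest = whole.hexdigest()

    def read_block(self, index):
        # Time of use: re-read from the medium and compare with the pinned hash.
        offset = index * self._block_size
        block = self._read_at(offset, min(self._block_size, self._size - offset))
        if hashlib.sha256(block).digest() != self._block_hashes[index]:
            raise TamperedBlockError(f"block {index} changed after verification")
        return block


def demo():
    # Constructed sample: a 3-block "package" on a medium that is swapped later.
    medium = {"data": b"A" * 4096 + b"B" * 4096 + b"C" * 100}

    def read_at(offset, length):
        return medium["data"][offset:offset + length]

    pkg = PinnedPackage(read_at, len(medium["data"]))
    first = pkg.read_block(0)                       # unchanged block is served
    medium["data"] = b"A" * 4096 + b"X" * 4096 + b"C" * 100  # medium swapped
    try:
        pkg.read_block(1)
        rejected = False
    except TamperedBlockError:
        rejected = True
    return first == b"A" * 4096, rejected, len(pkg.read_block(2))
```

A truncated or short read from the swapped medium also fails the comparison, because the hash of the shorter block no longer matches the pinned value.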

This is part of the effort to remove libmetricslogger in platform.
Remove the reporting since the status from non-A/B update is less
important to us. Plus the gmscore already has a copy of the logic
to parse the contents from last_install and report non-A/B metrics
to the clearcut log.
bug: 147776349
Test: build
Change-Id: I4fc5d58fb616edb3eb1edadf4614d3eca15c7ce1

Getting rid of warning, so using new define for turning on verbose
errors:
%define parse.error verbose
Bug: 31194194
Test: N/A
Change-Id: I47c200a1e669b5c5fc53d392f32b4c264a42182d

Linkerconfig binary itself should be built as static, so size of
executable is hard to be reduced. However, this used lots of space from
recovery so only small space left in it. To avoid this, linker config
from recovery should be generated within build time and use prebuilt
one. Prebuilt ld.config.txt will be located under /system/etc as before,
and init will copy the file into /linkerconfig so we can use same
location for both recovery and normal boot.
Bug: 146384333
Test: m -j passed && crosshatch bootloader worked with this change
Change-Id: I96300f1c8301167234787274820086a4c6ea0e6e

Mounting /system in Virtual A/B devices may require the creation of the
associated snapshot devices.
This patch performs all the required initializations prior to attempting
the mount of /system.
Bug: 139157327
Test: manual /system partition mount on VAB device during OTA
Depends-on: I7337bdd38d7016d12d3ee42be1c7893b10e9116d
Change-Id: I71a9dfc57e1a1354f1f1edc5d287aca93c0c8924
Signed-off-by: Alessio Balsini <balsini@google.com>

Minui currently really only supports composing in 2 different formats
(see gr_color()) with ALPHA always as MSB. However, some devices
interpret PixelFormat as either Big Endian (i.e. ARGB has alpha at MSB)
or Little Endian (i.e. BGRA has alpha at MSB).
This change attempts to give multiple options to specify the same format
depending on device interpretation, while keeping just 2 different
composition formats supported by minui.
* ARGB + BGRA: Pixels have (A)lpha at MSB and (B)lue at LSB
* RGBX + ABGR: Pixels have (A)lpha at MSB and (R)ed at LSB
With this in mind, limiting the use of png_set_bgr() to happen only for
(ARGB/BGRA) combination while leaving (RGBX/ABGR) unchanged.
Bug: 143480444
Test: Boot device with TARGET_RECOVERY_PIXEL_FORMAT := <<all>>
Change-Id: Ia0f94ccbc564b8def7c9416483712ff1abbbf49a

Generate linker config from recovery init to be used from recovery
processes.
Bug: 139638519
Test: Tested from crosshatch
Change-Id: I777a8baf08254b07375b8039bb252864637e29e7