Commit graph

41 commits

Author SHA1 Message Date
Tianjie Xu
5e6c4e9a91 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2020-01-22 22:01:46 +00:00
Tianjie Xu
eb27bfe1e8 Retire the Tron metrics reporting for non-A/B update
This is part of the effort to remove libmetricslogger in platform.
Remove the reporting since the status from non-A/B update is less
important to us. Plus the gmscore already has a copy of the logic
to parse the contents from last_install and report non-A/B metrics
to the clearcut log.

bug: 147776349
Test: build
Change-Id: I4fc5d58fb616edb3eb1edadf4614d3eca15c7ce1
2020-01-16 15:17:41 -08:00
David Anderson
8444dec7ac Merge "Force merges to complete before wiping data or metadata." 2019-11-15 04:27:59 +00:00
David Anderson
89d2d050a0 Force merges to complete before wiping data or metadata.
After an OTA is applied, a wipe in recovery may overwrite components of
dynamic partitions living in userdata. If the OTA has not yet begun
merging, we mark the current slot unbootable. If the OTA has begun
merging, we wait for the merge to complete. This logic is encapsulated
in libsnapshot.

Bug: 139156011
Test: manual test
Change-Id: Id6544a1b8583afcbba11559d46214ec2e68ffa40
2019-11-11 01:02:12 +00:00
Tom Cherry
bcd3f35462 Move init and ueventd scripts from / to /system/etc
There is no reason for these scripts to continue to exist in /, when
they are better suited for /system/etc.  There are problems keeping
them at / as well, particularly that they cannot be updated with
overlayfs.

Bug: 131087886
Bug: 140313207
Test: build/boot + boot to recovery
Merged-In: I1fb6690d4302a1884d8521c21a9754b2ca710d5a
Change-Id: I1fb6690d4302a1884d8521c21a9754b2ca710d5a
2019-11-07 11:29:06 -08:00
Tao Bao
832c9cd24f Refactor battery info querying functions into librecovery_utils.
Bug: 134560109
Test: Run recovery_unit_test.
Change-Id: Ibbcdcfd507fa23657ee7ff677208b0003ec382ba
2019-10-02 22:04:25 -07:00
Tao Bao
e3f09a72f5 otautil: Factor out the utils that're private to recovery.
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.

Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
2019-10-02 10:56:46 -07:00
xunchang
316e971746 Move wipe cache|data to libinstall
Therefore, libinstall becomes the sole owner to handle the request
from minadbd service.

The change also includes
1. move logging.cpp out of librecovery
2. drop the dependency on common.h
3. now it's more sensible to move the wipe_cache as part of
install_package. move the wipe_cache to the end of the function.

Bug: 130166585
Test: wipe data and cache from menu
Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
2019-04-15 12:22:11 -07:00
xunchang
34690ced91 Add socket communication between recovery and minadbd
This cl adds a socket pair to support the communication between recovery
and minadbd. Therefore, minadbd will be able to issue multiple commands
to recovery and get back the status of each command.

This cl also switches the adb sideload from the recovery menu to use
this protocol; and moves minadbd to a separate binary.

Bug: 130166585
Test: sideload a package
Change-Id: I80d36d5c4e6fe1ae3ea23640907bc50c0dc0d482
2019-04-11 14:23:53 -07:00
Tao Bao
0deed3389b Build libinstall as a static library.
It was once considered to be shared between recovery and minadbd, so
that the latter can start an install on its own. The plan has been
changed, since package install -- including device wipe operations --
could be device-specific, which should be done by recovery only.

This CL moves libinstall back to a static library, which also saves the
overall size (reducing from 140256 + 660576 to 555880 bytes on
aosp_taimen-userdebug).

Bug: 130166585
Test: Run recovery_component_test.
Test: `adb sideload` on taimen.
Change-Id: Ib1f5f79f235df4682c0bd104425c9c122f6091ba
2019-04-08 11:59:48 -07:00
Tao Bao
cecad743c1 libotautil exports libfstab header.
otautil/roots.h includes <fstab/fstab.h>, but users of otautil/roots.h
don't need to explicitly depend on libfstab unless they have a real
need.

Also remove the unneeded include of <fstab/fstab.h> from
fsck_unshare_blocks.cpp.

Test: mmma -j bootable/recovery
Change-Id: Id3dc995a4769e631ab242843ee439bd94b2bf0bc
2019-04-03 11:41:54 -07:00
xunchang
2478885f3c Move install to separate module
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.

Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
2019-03-29 10:27:51 -07:00
Tianjie Xu
8f397309b4 Move librecovery_ui to a sub-directory
This helps to expose librecovery_ui for device specific RecoveryUi.

Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
(cherry picked from commit b5108c372c)
2019-03-21 10:46:11 -07:00
xunchang
ea2912f187 Create a FuseDataProvider base class
The fuse data provider for adb/sdcard shares common code and structures.
This cl creates a FuseDataProvider base class and provides
implementations for adb and sdcard.

In the follow cls, we can kill the provider_vtab struct; and also add
another implementation to parse a block map file and provides data.

Test: unit tests pass, sideload a package, apply a package from sdcard
Change-Id: If8311666a52a2e3c0fbae0ee9688fa6d01e4ad09
2019-03-19 11:11:58 -07:00
xunchang
37304f3cc9 Implement FilePackage class
This is another implementation of the Package class. And we will later
need it when reading the package from FUSE.

Bug: 127071893
Test: unit tests pass, sideload a file package on sailfish
Change-Id: I3de5d5ef60b29c8b73517d6de3498459d7d95975
2019-03-14 15:35:09 -07:00
xunchang
f07ed2efeb Create a wrapper class for update package
Creates a new class handle the package in memory and package read from fd.
Define the new interface functions, and make approximate changes to the
verify and install functions.

Bug: 127071893
Test: unit tests pass, sideload a package
Change-Id: I66ab00654df92471184536fd147b237a86e9c5b5
2019-03-11 10:43:52 -07:00
Tom Cherry
72a114a3e1 Add android::fs_mgr namespace for new Fstab code
Also add libfstab dependencies where needed.  Previously the
`typedef struct FstabEntry Volume;` line served to both define a
`struct FstabEntry` as well as alias Volume to it.  With the new
namespace for android::fs_mgr::FstabEntry, `struct FstabEntry` isn't
compatible anymore, so we need to alias Volume to the real
android::fs_mgr::FstabEntry.

In doing so, we need to include <fstab/fstab.h> and this requires
libfstab as a library, which a few modules did not have before.

Test: treehugger
Change-Id: I655209a0efb304b3e0568db0748bd5cf7cecbdb7
2019-01-31 09:00:40 -08:00
Elliott Hughes
31b92a5d75 C++17 is the default now.
Test: builds
Change-Id: I91923da25f470621189589711c50f3d67e435c68
2018-12-03 09:27:17 -08:00
Tianjie Xu
0dd9685311 Load X509 keys from ziparchive
Add a function to parse the zip archive and load the certificate from
all the zip entries with the suffix "x509.pem".

Bug: 116655889
Test: unittests pass
Change-Id: I93bf7aef7462c0623e89fc2d466d7af2d3a758bc
2018-10-18 11:42:01 -07:00
Tianjie Xu
2b1a464a70 Move the parse of last_install to recovery-persist
The recovery-persist used to look for the related recovery logs in
persist storage, and copy them under /data/misc/recovery during the
normal boot process.

As we also want to find out the sideload information from last_install,
it makes more sense to move the parse & report of non-a/b metrics to
recovery-persist. Thus we can avoid the race condition of the file
system between the native code and RecoverySystem.

Bug: 114278989
Test: unit test pass, check the event buffer for metrics report
Change-Id: I32d7b2b831bc74a61a70af9a2f0b8a7e9b3e36ee
2018-09-13 13:27:55 -07:00
Tao Bao
43bfa6e429 Enable c++17 in recovery_defaults.
And add the first few users.

Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: Ifdf093d011478b6a1dd0405b0ba48c145b509cc8
2018-08-28 10:49:07 -07:00
Tao Bao
7c074d97bd Depend on mke2fs.conf.recovery.
Bug: 112780007
Test: `m dist` along with other changes in the topic. Check the file
      under recovery. Trigger factory reset from recovery UI.
Change-Id: I2fb6954576eefecea60712a21506a2aeb1cecc53
2018-08-21 12:32:03 -07:00
Tao Bao
ef5e38fef0 tests: Move to Android.bp.
Also separate libupdater_defaults out to be shareable.

It turns out the `data` property in `cc_test` doesn't follow symlinks as
LOCAL_TEST_DATA does in Android.mk. This CL creates a filegroup in
top-level Android.bp in order to pick up the testdata for ResourcesTest.

Test: `mmma -j bootable/recovery` with aosp_marlin-userdebug
Test: Run recovery_{unit,component,manual}_test on marlin.
Test: Run recovery_host_test.
Change-Id: I4532ab25aeb83c0b0baa8051d5fe34ba7b910a35
2018-08-14 21:46:45 -07:00
Treehugger Robot
19a5316412 Merge "Add fastboot mode to recovery" 2018-08-14 21:25:50 +00:00
Yifan Hong
ce2f0d85fb Merge "recovery uses IHealth::getService" 2018-08-14 21:06:58 +00:00
Tao Bao
b0f132e244 recovery: Drop the dependency on libcrypto_utils.so and libsparse.so.
They're only needed in past when we statically linked libs that had
dependencies on them. Dropping them doesn't affect the recovery image
size, as there're still other users of the libs. But this would avoid
the false dependencies on them.

Test: `mmma -j bootable/recovery`
Change-Id: Ib43cc42221edde9efea1f12357cfc2f2232ec520
2018-08-13 23:02:17 -07:00
Hridya Valsaraju
20c81b308d Add fastboot mode to recovery
Add a fastboot mode to recovery that can be
entered with command line args or with the ui.

Add usb property triggers to switch between
fastboot and adb configurations.

Allow switching between fastboot and adb through
usb commands by opening a unix socket. adbd/fastbootd
writes to this socket, which interrupts the ui and
switches to the new mode.

Test: Use fastboot mode
Bug: 78793464
Change-Id: I7891bb84427ec734a21a872036629b95ab3fb13c
2018-08-13 21:18:18 -07:00
Yifan Hong
056538c0a9 recovery uses IHealth::getService
recovery is_battery_ok function uses get_health_service(),
which calls IHealth::getService("default") then
IHealth::getService("backup").

- An OEM can provide the default instance by installing
  android.hardware.health@2.0-impl-<device>.so to recovery
  partition.

- If that's not found, the "backup" instance is provided
  to the recovery partition by default.

Test: call is_battery_ok() in recovery, successfully
  get battery information.

Bug: 80132328

Change-Id: Ibfee80636325a07bc20b24d044d007a60b3dd7c2
2018-08-13 16:16:18 -07:00
Tao Bao
7d2a63afe1 Reland "Build and use minadbd as a shared library."
This relands the previously reverted CL in commit
c70446ce7b ("Build and use minadbd as a
shared library."). `recovery` has been built with Soong, so the previous
concern (unintentionally installing `libminadbd_services.so` to normal
system image) no longer holds.

Note that `reocvery` can't use `libminadbd_services.a`, as functions
like `daemon_service_to_fd()` (needed by `libadbd.so`) won't be linked
into `recovery`.

This CL moves the dependency of `libminadbd_services` from `librecovery`
into `recovery`, as only the latter actually relies on it (via
`recovery_main.cpp`). Note that we no longer need to list the transitive
dependency on `libadbd` or `libasyncio`.

Bug: 112494634
Test: `mmma -j bootable/recovery`
Test: Build and boot into recovery with aosp_taimen-userdebug. Verify that
      sideloading keeps working.
Test: `build/soong/build_test.bash --dist`
Change-Id: Ic086470b86d6770bede317e0f5534f608fa7b7d2
2018-08-13 14:09:58 -07:00
Tao Bao
5fc72a103b Build recovery with Soong.
Fixes: 110380063
Test: `mmma -j bootable/recovery` with aosp_taimen-userdebug
Test: Build and boot into recovery on taimen. Check the basic
      functionalities (`Apply update from ADB`, `View recovery logs`,
      `Run graphics test`).
Test: Run recovery_unit_test and recovery_component_test on marlin.
Test: Modify `recovery.cpp` locally to trigger the call to
      is_battery_ok(). Check that the battery info is reported
      correctly.
Test: `build/soong/build_test.bash --dist`
Change-Id: I391eb201d57c760e457ba2bf2410ceb72596795c
2018-08-10 14:43:27 -07:00
Tao Bao
818f938188 recovery uses more shared libraries.
Bug: 110380063
Test: `m -j installclean && mmma -j bootable/recovery` with
      aosp_taimen-userdebug
Test: Build (`m -j bootimage`) and boot into recovery. Check that
      `adb sideload` and `Run graphics test` both work.
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: Ie6ed0e7cafa352d5faff9d1b6ccef724a0415e65
2018-08-08 14:26:27 -07:00
Jerry Zhang
152933a28e recovery: Refactor logging code into logging.cpp
Move common logging related functions to
rotate_logs.cpp, and rename that to logging.cpp.

Test: Recovery works
Bug: 78793464
Merged-In: I00f20a79a296680122b8437d54a87897c5cb2fc7
Change-Id: I00f20a79a296680122b8437d54a87897c5cb2fc7
2018-05-07 14:14:17 -07:00
Tao Bao
9a319f01f8 Merge libmounts into libotautil.
Export its header (mounts.h) from there, and drop the dot dot dependency
from libupdater / updater.

Test: mmma bootable/recovery
Test: recovery_component_test
Change-Id: Ic26a6b9b78a34dbe1f178b138f3abaafffbec44c
2018-04-27 21:13:57 -07:00
Tao Bao
d2f2ad6a3c Move a few modules to Soong.
libmounts
librecovery_ui_default
librecovery_ui_wear
librecovery_ui_vr
libverifier
recovery-persist
recovery-refresh

They are all trivially converted.

Test: mmma -j bootable/recovery
Change-Id: Id783b3eec32bd15e74f42df17053732db5666675
2018-03-26 21:35:41 -07:00
Tao Bao
e8fdb1ab0b Drop the no-op Android.bp.
The "subdirs=" statement no longer has any effect (with the CL in [1]
that's merged last November). All the Android.bp's will be picked up
automatically.

[1] commit 4f21237342e715cbbac6e409cd67e86a304483c4 in
https://android-review.googlesource.com/c/platform/build/blueprint/+/530115.

Test: mmma -j bootable/recovery
Change-Id: Idd39af1fff907e8c1886f91eea0dd4a9e38a4079
2018-03-07 18:03:23 +00:00
Tao Bao
a2a68a522e uncrypt: Move to Soong.
Test: mmma -j bootable/recovery
Change-Id: I405f2a70f51904c02c49a287c23cbc115a4c5132
2017-11-09 12:34:00 -08:00
Tao Bao
582b67850f applypatch: Move to Soong.
Test: mmma bootable/recovery
Change-Id: Ie163aff1c4c2b3b15bb705825779ada6bc38ad67
2017-10-11 16:26:06 -07:00
Tao Bao
e6f7f95d34 edify: Export the header and move to Soong.
Also make matching changes to applypatch modules which include
edify/expr.h.

Test: mmma bootable/recovery
Change-Id: Ia72be3caa010d7f56a70add2da345e631b306378
2017-10-09 14:08:00 -07:00
Tao Bao
a26e32d2a3 otafault: Move to soong.
Test: mmma bootable/recovery
Change-Id: I5f2520ea457ba66743aa3aa1d5b3b488a93084a3
2017-09-29 11:05:24 -07:00
Tom Cherry
600e806384 libbootloader_message: convert to Android.bp
Test: build
Change-Id: Ia0c2e141673e37eea29306817d2f4b2c944213b0
2017-05-17 11:43:29 -07:00
Steven Moreland
f3ae55a167 otautil: Android.mk -> Android.bp
Test: flash and boot recovery on internal angler
Change-Id: Id8845b4b422d0078b251333eb6d30ce14771ef10
2017-05-09 16:09:41 -07:00