Commit graph

25 commits

Author SHA1 Message Date
Eric Biggers
fde69fbd8a Remove support for converting from FDE to FBE
Devices that launched with Android 10 or later require FBE (File Based
Encryption) from the beginning, so there's no need to support converting
to FBE after the fact anymore.  This was only ever a developer option,
so it probably wasn't used much.  And in any case, it's not used
anymore, as isConvertibleToFBE() is hard-coded to return false.  Besides
the fact that FBE has been required for several releases now, this
functionality was only ever available on devices that use FDE (Full Disk
Encryption), but FDE support has been removed from Android.

Therefore, remove this unused code.

Bug: 208476087
Change-Id: I1f56c8e05fb3fba09aab4bf5f8609b0f552b8999
2022-03-10 22:48:49 +00:00
Kelvin Zhang
a4208b5f90 Perform data wipe in recovery if ota package has powerwash set
Normally, if an ota package has --wipe_user_data flag, we set bootloader
parameter --wipe_data, so that next boot into bootloader will wipe
userdata. But this doesn't work in recovery, likely because after
recovery we don't reboot to bootloader, but directly boot into android.
Therefore perform data reset in recovery if the OTA package has
POWERWASH flag.

Bug: 203507329
Test: apply an OTA pkg with --wipe_user_data, verify that data wipe
happened

Change-Id: Icca4a5f74246bde44a5fd589395404c9f57867ee
2022-02-14 20:20:08 -08:00
Jacky Liu
068329e977 Move package verifier from libinstall to libotautil
So it can be used by device-specific codes.

Bug: 184693830
Test: m; atest recovery_unit_test
Change-Id: I5885334c1bd04214c9cc295f2337306261a1735c
2021-12-22 23:31:08 +08:00
Kelvin Zhang
33c62fc4b8 Check SPL downgrade before install OTA in recovery
Applying an SPL downgrade package can cause boot failures
(/data failed to decrypt). Today's ota_from_target_files
tool already try to prevent this. But Packages generated
using older tools are still around.

Add check in recovery to prevent such OTA package from
installing.

Test: th
Test: Sideload an OTA with newer SPL, make sure check passes
Test; Sideload an OTA with older SPL, make sure check fails

Bug: 186581246

Change-Id: Icffe8097521c511e151af023a443ccbb4b59e22c
2021-05-17 16:25:00 -04:00
Kelvin Zhang
d1ba38f7c9 Check for overflow before allocating memory fore decompression.
On 32bit devices, an ZipEntry64 may have size > 2^32, we should check
for such cases before attempting to allocate memory.

Test: mm -j
Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
2020-09-18 17:41:51 -04:00
Kelvin Zhang
4f81130039 Switch to zip64 in recovery
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.

Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
2020-09-16 14:21:37 -04:00
Kelvin Zhang
e1ae78cd54 Add recovery support of dynamic fingerprints
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro

This CL updates recovery code to recognize them

Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
2020-06-29 16:22:08 -04:00
Yifan Hong
d5c56cee29 Detect non-A/B vs. A/B packages correctly. am: f2af5629d2
Change-Id: I7e5e67f90fbc49fbc99e1e251c06ceaa93f6c2d9
2020-05-20 00:55:00 +00:00
Yifan Hong
f2af5629d2 Detect non-A/B vs. A/B packages correctly.
Check the package metadata to determine whether this is an
A/B or non-A/B update package. This is more accurate.

Also checks ro.virtual_ab.allow_non_ab flag. This is useful for
continuously supporting (and testing) non-A/B.

Bug: 153581609
Test: apply non-A/B update on cuttlefish

Change-Id: I629a533a67966d46d9cd87a59c6b9af26daf1667
(cherry picked from commit 2a4afd29a1)
Merged-In: I629a533a67966d46d9cd87a59c6b9af26daf1667
2020-05-19 15:20:14 -07:00
Tianjie Xu
cd8faf7eee Force off-device package installation with FUSE
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures

Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 19:16:38 +00:00
Raman Tenneti
daaacea96e Revert "Force package installation with FUSE unless the package stores on device"
This reverts commit 5e6c4e9a91.

Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420

Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 03:03:36 +00:00
Tianjie Xu
5e6c4e9a91 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2020-01-22 22:01:46 +00:00
Yifan Hong
c77bb70166 Delete VINTF compatibility check during OTA.
Test: sideload OTA
Bug: 139300422
Change-Id: I3369b69242ccd7a64540a0c2d754a5d6fc50d072
2019-12-18 12:14:50 -08:00
Tao Bao
e3f09a72f5 otautil: Factor out the utils that're private to recovery.
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.

Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
2019-10-02 10:56:46 -07:00
Tianjie Xu
164c60a4f3 Clean up some global variables in common.h
Some global variables are only used for recovery.cpp and
recovery_main.cpp, remove them from common.h and handle their usage
accordingly. Variables include:
static constexpr int kRecoveryApiVersion;
extern struct selabel_handle* sehandle;
extern RecoveryUI* ui;
extern bool has_cache;
bool is_ro_debuggable();

Test: unit tests pass, boot into recovery mode and run graphic tests
Change-Id: If83a005786c9b38412731da97aaf85af69a3b917
2019-07-24 11:36:03 -07:00
Tianjie Xu
87e2275970 Merge "InstallPackage now takes a package as parameter" 2019-06-14 00:24:49 +00:00
Tianjie Xu
980f92ec00 InstallPackage now takes a package as parameter
Therefore InstallPackage() doesn't need to worry about the details of a
given Package.

Bug: 127071893
Test: run update from /bin/recovery --update_package=@path, sideload a package
Change-Id: I0caa36785b43924f884ee398e7ea640d7472a92e
2019-06-13 13:36:56 -07:00
Elliott Hughes
39ac1c013c Use the new ziparchive Next std::string_view overload.
Bug: http://b/129068177
Test: treehugger
Change-Id: Ieec83126e36b330da33092a172e365376cd04dfe
2019-06-12 12:20:37 -07:00
Elliott Hughes
88d8001e75 Move off the Next ZipString overload.
Bug: http://b/129068177
Test: treehugger
Change-Id: I3c8f70b0d8cc5dc6b3b4439dbe0b9a5bd85003c4
2019-05-22 18:52:29 -07:00
Elliott Hughes
143a03fa03 Track libziparchive API change.
Bug: http://b/129068177
Test: treehugger
Change-Id: I618bbcf38914dd81e042e0cfd1976ff26274dc30
2019-05-08 17:28:22 -07:00
Elliott Hughes
a86dddbfa5 Track libziparchive API change.
Bug: http://b/129068177
Test: treehugger
Change-Id: Ie5b2b0cff087f2e9e65a4e77c187e3173357f3ad
2019-05-06 10:28:14 -07:00
Tao Bao
adc99efd1c install: Install functions return InstallResult.
Test: `atest recovery_unit_test recovery_component_test`
Test: Sideload a package on taimen.
Change-Id: I2d42f55a89931ee495ea5c5d9e6b5ee1058e8e52
2019-04-30 13:58:03 -07:00
Tao Bao
36c7276cb2 install: Return bool for a few check functions.
The results from these functions have boolean semantics. They're
returning `int` prior to this CL, with some of them mixing 0 and
InstallResult.  Note that SetUpNonAbUpdateCommands() was returning
INSTALL_CORRUPT / INSTALL_ERROR / 0 prior to this change, but all the
callers handle INSTALL_CORRUPT and INSTALL_ERROR the same way.

This CL changes them to return bool instead.

Test: `mmma -j bootable/recovery`
Test: TreeHugger
Test: Sideload on taimen.
Change-Id: Ic1b5dbf79aaca68b53ab8ea2c8ba3d19f988c571
2019-04-30 13:58:03 -07:00
xunchang
316e971746 Move wipe cache|data to libinstall
Therefore, libinstall becomes the sole owner to handle the request
from minadbd service.

The change also includes
1. move logging.cpp out of librecovery
2. drop the dependency on common.h
3. now it's more sensible to move the wipe_cache as part of
install_package. move the wipe_cache to the end of the function.

Bug: 130166585
Test: wipe data and cache from menu
Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
2019-04-15 12:22:11 -07:00
xunchang
2478885f3c Move install to separate module
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.

Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
2019-03-29 10:27:51 -07:00
Renamed from install.cpp (Browse further)