Commit graph

43 commits

Author SHA1 Message Date
Tianjie Xu
da44cf18f3 Report uncrypt errors in details
Add the error codes for uncrypt and report the failure details in
uncrypt_status.

Test: uncrypt_error logs correctly in last_install
Bug: 31603820
Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
2016-09-26 22:48:45 -07:00
Tao Bao
f4885adc18 Duplicate the last_install content into last_log.
Currently we save the OTA metrics in last_install, which keeps the data
for the _last_ install only. This CL logs the same content into last_log
so that we keep the metrics for every install.

Bug: 31607469
Test: Apply an update (via OTA and sideload) and check last_log and last_install.

Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c
2016-09-26 14:46:12 -07:00
Tianjie Xu
1c1864f321 Check corruption when reading uncrypt_status file
Bug: 31383361
Change-Id: I0de920916da213528d73b742e4823b4a98c63ea1
2016-09-13 13:56:00 -07:00
Tianjie Xu
fe16b5ccaf save uncrypt status to last_install
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery
reads the file and saves its contents to last_install.

Bug: 31383361
Test: Tested on angler and uncrypt_time reports correctly.

Change-Id: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
Merged-In: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
2016-09-12 22:55:36 +00:00
Tianjie Xu
7b0ad9c638 Switch recovery to libbase logging
Clean up the recovery image and switch to libbase logging.

Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
2016-09-01 18:33:25 +00:00
Chih-Hung Hsieh
8b23811d2a Fix clang-tidy warnings in bootable/recovery.
* Use const reference type for read-only parameters.
Bug: 30407689
* Use faster overloaded string find function.
Bug: 30411878
* Add parentheses around macro parameters.
Bug: 28705665

Test: build with WITH_TIDY=1
Change-Id: I4e8e5748bfa4ae89871f1fb5fa4624d372530d75
2016-08-26 14:54:29 -07:00
Tao Bao
b3ddc0a4bf Merge "Free mmaped area if keys fail to load"
am: f599414aec

Change-Id: Id96153c211ca1fcc1cd78d6e662b0b48795c0d76
2016-08-18 06:14:46 +00:00
WiZarD
edafac6c7b Free mmaped area if keys fail to load
Keys for package verification is loaded after the update
package is mmaped into memory. This mmaped area needs
to be freed when exiting the function.

Another approach would be to mmap after loading the keys.

Change-Id: Ib77711a8acd5c363b5517da12dc311fb8f9f4605
Signed-off-by: WiZarD <WiZarD.Devel@gmail.com>
2016-08-18 05:20:40 +00:00
Elliott Hughes
274d17dc0f resolve merge conflicts of 179c0d8 to stage-aosp-master
Change-Id: Iba5aec266444cabf83f600f2bdb45a3c027e5995
2016-06-15 15:22:17 -07:00
Elliott Hughes
63a319201f Remove obsolete MTD support.
Bug: http://b/29250988
Change-Id: Ia97ba9082a165c37f74d6e1c3f71a367adc59945
2016-06-10 13:45:35 -07:00
Tianjie Xu
9d2657fbb7 Log source/target build version to last_install
am: b0ddae55e5

Change-Id: Ifd9e006588de8bea233a4e90a5c80ed6b894054a
2016-06-10 17:21:40 +00:00
Tianjie Xu
b0ddae55e5 Log source/target build version to last_install
Parse the build.version.incremental from the metadata of the update
package; and log it to last_install.
Example:
In metadata we read:
post-build-incremental=2951741
pre-build-incremental=2943039

In last install we log:
source_build: 2943039
target_build: 2951741

Bug: 28658632
Change-Id: I0a9cc2d01644846e18bda31f4193ff40e8924486
2016-06-09 17:29:04 -07:00
Tianjie Xu
64f46fb16c resolve merge conflicts of 7ce287d to nyc-dev-plus-aosp
Change-Id: I2194d1170281f58eb508f2ef63b39c8729125f76
2016-06-03 15:44:52 -07:00
Tianjie Xu
7ce287d432 Call ioctl before each write on retry
If the update is a retry, ioctl(BLKDISCARD) the destination blocks before
writing to these blocks.

Bug: 28990135
Change-Id: I1e703808e68ebb1292cd66afd76be8fd6946ee59
2016-06-03 12:12:50 -07:00
Tianjie Xu
84478e8823 resolve merge conflicts of 50f6417 to nyc-dev-plus-aosp
Change-Id: I42c127f7946e678acf6596f6352f090abc0ca019
2016-05-23 12:24:28 -07:00
Tianjie Xu
162558382b Allow recovery to return error codes
Write error code, cause code, and retry count into last_install. So we
can have more information about the reason of a failed OTA.

Example of new last_install:
@/cache/recovery/block.map     package name
0                              install result
retry: 1                       retry count (new)
error: 30                      error code (new)
cause: 12                      error cause (new)

Details in:
go/android-ota-errorcode

Bug: 28471955
Change-Id: I00e7153c821e7355c1be81a86c7f228108f3dc37
2016-05-20 13:56:53 -07:00
Tianjie Xu
142b864ba1 Add time and I/O info to last_install
am: dd874b1c87

* commit 'dd874b1c87eb04f28db0db2629df0adde568a74c':
  Add time and I/O info to last_install

Change-Id: I02aa858d5ce488d3acbf5400811e2565cf7d9c75
2016-05-18 18:44:31 +00:00
Tianjie Xu
dd874b1c87 Add time and I/O info to last_install
One example of last_install is:

/sideload/package.zip
1
time_total: 101
bytes_written_system: 14574000
bytes_stashed_system: 100
bytes_written_vendor: 5107400
bytes_stashed_vendor: 0

Bug: 28658632
Change-Id: I4bf79ea71a609068d38fbce6b41bcb892524aa7a
2016-05-16 14:54:37 -07:00
Elliott Hughes
6e08bff22b resolve merge conflicts of 8febafa to nyc-dev-plus-aosp
Change-Id: I423937b4b20a2079714aa38ab7f8b199782df689
2016-04-14 09:39:47 -07:00
Elliott Hughes
8febafa67e Use BoringSSL instead of mincrypt to speed up package verification.
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.

Cherry-pick of 452df6d99c, with
merge conflict resolution, extra logging in verifier.cpp, and
an increase in the hash chunk size from 4KiB to 1MiB.

Bug: http://b/28135231
Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
2016-04-13 16:39:56 -07:00
Mattias Nissler
452df6d99c Convert recovery to use BoringSSL instead of mincrypt.
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.

Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
2016-04-06 15:54:17 +02:00
Tianjie Xu
fa12b9737d Reboot and retry on I/O errors
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.

Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
(cherry picked from commit 3c62b67faf)
2016-03-10 11:50:28 -08:00
Tianjie Xu
3c62b67faf Reboot and retry on I/O errors
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.

Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
2016-03-02 17:31:05 -08:00
Yabin Cui
4425c1d960 Fix some memory leaks.
Bug: 26906328
Change-Id: Iebaf03db0cb3054f91715f8c849be6087d01b27b
2016-02-10 15:32:19 -08:00
Tao Bao
71e3e09ec2 recovery: Refactor verifier and verifier_test.
Move to using std::vector and std::unique_ptr to manage key
certificates to stop memory leaks.

Bug: 26908001
Change-Id: Ia5f799bc8dcc036a0ffae5eaa8d9f6e09abd031c
2016-02-02 21:51:32 -08:00
Tao Bao
b6918c7c43 Log update outputs in order
Although stdout and stderr are both redirected to log file with no
buffering, we are seeing some outputs are mixed in random order.
This is because ui_print commands from the updater are passed to the
recovery binary via a pipe, which may interleave with other outputs
that go to stderr directly.

In recovery, adding ui::PrintOnScreenOnly() function to handle
ui_print command, which skips printing to stdout. Meanwhile, updater
prints the contents to stderr in addition to piping them to recovery.

Change-Id: Idda93ea940d2e23a0276bb8ead4aa70a3cb97700
2015-06-02 22:15:40 -07:00
Tao Bao
b07e1f3a3a Update the comments for package installer commands
These commands are for the communication between the installer and the
update binary (edify interpreter). Update the comments in sync with the
codes.

Change-Id: I7390f022b1447049a974b0b45697ef1d2e71d4e0
2015-04-10 16:18:32 -07:00
Tao Bao
682c34bbc3 Rotate logs only when there are actual operations
Currently it rotates the log files every time it boots into the recovery
mode. We lose useful logs after ten times. This CL changes the rotation
condition so that it will rotate only if it performs some actual
operations that modify the flash (installs, wipes, sideloads and etc).

Bug: 19695622
Change-Id: Ie708ad955ef31aa500b6590c65faa72391705940
2015-04-07 22:02:27 -07:00
Tao Bao
145d861460 Factor out option variables from int to bool types
Change-Id: Ia897aa43e44d115bde6de91789b35723826ace22
2015-03-25 15:56:15 -07:00
Elliott Hughes
26dbad2b98 Add missing includes.
Change-Id: I0737456e0221ebe9cc854d65c95a7d37d0869d56
2015-01-28 12:09:05 -08:00
Doug Zongker
075ad800c5 sideload without holding the whole package in RAM
Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).

We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.

We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host.  This file is then passed to the
verification and installation systems like any other.

To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.

One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem).  We rely on SELinux enforcement to
restrict the set of things that can be accessed.

Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
2014-07-02 12:16:36 -07:00
Doug Zongker
c704e06ce5 disable async reboot during package installation
The default recovery UI will reboot the device when the power key is
pressed 7 times in a row, regardless of what recovery is doing.
Disable this feature during package installation, to minimize the
chance of corrupting the device due to a mid-install reboot.  (Debug
packages can explicitly request that the feature be reenabled.)

Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
2014-05-23 08:52:31 -07:00
Doug Zongker
99916f0496 do verification and extraction on memory, not files
Changes minzip and recovery's file signature verification to work on
memory regions, rather than files.

For packages which are regular files, install.cpp now mmap()s them
into memory and then passes the mapped memory to the verifier and to
the minzip library.

Support for files which are raw block maps (which will be used when we
have packages written to encrypted data partitions) is present but
largely untested so far.

Bug: 12188746
Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
2014-01-16 13:29:28 -08:00
Alistair Strachan
027429a34f Restore default umask after forking for update-binary.
A system/core change made in Mar 26 2012 6ebf12f "init: Change umask
of forked processes to 077" changed the default umask of services
forked from init.

Because recovery is forked from init, it has a umask of 077. Therefore
when update-binary is forked from recovery, it too has a umask of 077.

This umask is overly restrictive and can cause problems for scripts
relying on minzip to extract binaries directly into the target
filesystem. Any directories updated by minzip will have their
permissions reset to r-x------ and created files will have similarly
restrictive permissions.

As it seems unlikely this security measure was intended to have this
side effect on legacy sideloads that do not have chmods to repair
the damage done by minzip, this change reverts the umask to 022 in
the fork made for update-binary.

Change-Id: Ib1a3fc83aa4ecc7480b5d0c00f3c7d0d040d4887
2013-11-18 09:52:46 -08:00
Doug Zongker
239ac6abac recovery: install packages in a known mount environment
When installing a package, we should have /tmp and /cache mounted and
nothing else.  Ensure this is true by explicitly mounting them and
unmounting everything else as the first step of every install.

Also fix an error in the progress bar that crops up when you do
multiple package installs in one instance of recovery.

Change-Id: I4837ed707cb419ddd3d9f6188b6355ba1bcfe2b2
2013-08-21 13:44:35 -07:00
Doug Zongker
fafc85b4ad recovery: move log output to stdout
Recovery currently has a random mix of messages printed to stdout and
messages printed to stderr, which can make logs hard to read.  Move
everything to stdout.

Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
2013-07-09 12:50:24 -07:00
Doug Zongker
bac7fba027 verifier: update to support certificates using SHA-256
Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e
2013-04-10 11:32:17 -07:00
Doug Zongker
6c249f7ae8 move key loading to verifier code
Add an option to verifier_test to load keys from a file, the way the
recovery does.

Change-Id: Icba0e391164f2c1a9fefeab4b0bcb878e91d17b4
2012-11-02 15:09:57 -07:00
Doug Zongker
02ec6b88ed add simple text to recovery UI
- recovery takes a --locale argument, which will be passed by the main
  system

- the locale is saved in cache, in case the --locale argument is
  missing (eg, when recovery is started from fastboot)

- we include images that have prerendered text for many locales

- we split the background states into four (installing update,
  erasing, no command, error) so that appropriate text can be shown.

Change-Id: I731b8108e83d5ccc09a4aacfc1dbf7e86b397aaf
2012-08-22 17:26:40 -07:00
Doug Zongker
17495277b1 support version 2 (2048-bit e=65537) keys in recovery
Change-Id: I9849c69777d513bb12926c8c622d1c12d2da568a
2012-07-25 13:10:58 -07:00
Doug Zongker
e5d5ac76cc minor recovery changes
- add the --just_exit option to make recovery exit normally without doing anything
- make it possible to build updater extensions in C++
- add the clear_display command so that the updater binary can request
  recovery switch to the NONE background UI

These are all used to support the notion of using OTA as a factory
reflash mechanism.

Change-Id: Ib00d1cbf540feff38f52a61a2cf198915b48488c
2012-04-12 11:01:22 -07:00
Doug Zongker
7440630caa refactor ui functions into a class
Move all the functions in ui.c to be members of a ScreenRecoveryUI
class, which is a subclass of an abstract RecoveryUI class.  Recovery
then creates a global singleton instance of this class and then invoke
the methods to drive the UI.  We use this to allow substitution of a
different RecoveryUI implementation for devices with radically
different form factors (eg, that don't have a screen).

Change-Id: I7fd8b2949d0db5a3f47c52978bca183966c86f33
2011-10-28 15:13:10 -07:00
Doug Zongker
10e418d3c8 turn recovery into a C++ binary
Change-Id: I68a67a4c8edec9a74463b3d4766005ce27b51316
2011-10-28 10:33:05 -07:00
Renamed from install.c (Browse further)