Commit graph

346 commits

Author SHA1 Message Date
Alessandro Astone
8d038450d7 recovery: Don't consider manual install aborts as errors
* From android-11, recovery warns the user about the danger of
   rebooting after a failed update, but if we didn't even start
   the install procedure it doesn't really make much sense.

Change-Id: Ifaf5eae9fe6e1d915a035e2570c22260de59f99b
2024-09-08 01:00:30 +02:00
Kelvin Zhang
c031e9d3d1 Fix sticky rescue party boot
When entering recovery via rescue party, recovery does not call
FinishRecovery() to reset BCB. This causes the rescue party command to
stick, and device keeps rebooting into rescue party mode after entering
bootloader mode and reboot.

Test: enter rescue party, reboot bootloader, fastboot reboot
Bug: 332621855
Change-Id: I958a77ccb2433d76aecb44f8c6f8fedebe08bbe0
2024-04-05 09:28:58 -07:00
Kelvin Zhang
735499480d Add recovery flag to reformat /data
For 16K dev options, we might need to reformat /data partition as ext4
before enabling the feature. Add necessary support to recovery.

Test: Trigger reboot with --wipe_data --reformat_data=ext4, make sure
/data is reformatted with ext4 on next boot
Bug: 293313353

Change-Id: I3cb67a62635a2df578472cd48cf6d2f5e04b5f82
2024-01-04 16:43:53 -08:00
Florian Mayer
0feef55859 Add --keep_memtag_mode for --wipe_data
This allows us to erase the system image without resetting the MTE
state. This is useful for TestHarness looking to re-use an MTE enabled
device without incurring an extra reboot to re-enable after reboot.

Bug: 300694575
Change-Id: Ie1ea6891361e561189b9390b97b0b4a4c3a6d7e8
2023-10-30 17:42:31 +00:00
Eric Biggers
fde69fbd8a Remove support for converting from FDE to FBE
Devices that launched with Android 10 or later require FBE (File Based
Encryption) from the beginning, so there's no need to support converting
to FBE after the fact anymore.  This was only ever a developer option,
so it probably wasn't used much.  And in any case, it's not used
anymore, as isConvertibleToFBE() is hard-coded to return false.  Besides
the fact that FBE has been required for several releases now, this
functionality was only ever available on devices that use FDE (Full Disk
Encryption), but FDE support has been removed from Android.

Therefore, remove this unused code.

Bug: 208476087
Change-Id: I1f56c8e05fb3fba09aab4bf5f8609b0f552b8999
2022-03-10 22:48:49 +00:00
Kelvin Zhang
a4208b5f90 Perform data wipe in recovery if ota package has powerwash set
Normally, if an ota package has --wipe_user_data flag, we set bootloader
parameter --wipe_data, so that next boot into bootloader will wipe
userdata. But this doesn't work in recovery, likely because after
recovery we don't reboot to bootloader, but directly boot into android.
Therefore perform data reset in recovery if the OTA package has
POWERWASH flag.

Bug: 203507329
Test: apply an OTA pkg with --wipe_user_data, verify that data wipe
happened

Change-Id: Icca4a5f74246bde44a5fd589395404c9f57867ee
2022-02-14 20:20:08 -08:00
Jacky Liu
068329e977 Move package verifier from libinstall to libotautil
So it can be used by device-specific codes.

Bug: 184693830
Test: m; atest recovery_unit_test
Change-Id: I5885334c1bd04214c9cc295f2337306261a1735c
2021-12-22 23:31:08 +08:00
Xin Li
6b3621a8c1 Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)
Bug: 166295507
Merged-In: Id0fd2855f322967c1169f246d44e55a9dfdad6bb
Change-Id: Ic3ff0b38939d817df63ab5fdc2860781b69a53ce
2020-08-27 10:16:03 -07:00
Kelvin Zhang
9ebf0653bf Return the correct action for PromptAndWait
Bug: 163613552
Test: mma
Change-Id: I204f6aa272c2b56725e658e5613530b27bd223c6
2020-08-13 18:16:40 -04:00
Tianjie
1bc976a74e Fix some wording to comply with respectful-code
https: //source.android.com/setup/contribute/respectful-code
Test: Unit tests pass
Change-Id: If447b2cf923f6bc7a3a3fb5f69b9fbc06a200ebb
2020-07-23 13:07:24 -07:00
Jiyong Park
941bf55f9d Merge "Use ro.build.fingerprint instead of ro.bootimage.*" am: d081fbceba am: fb9d4fc54b
Change-Id: Idb4ae52052578e578d0844b479a4d0ede190337e
2020-05-29 21:52:11 +00:00
Jiyong Park
fb9d4fc54b Merge "Use ro.build.fingerprint instead of ro.bootimage.*" am: d081fbceba
Change-Id: Ia91690b4826ce358a08766ebe6e756cb1fec0ba1
2020-05-29 21:43:04 +00:00
Jiyong Park
bfd6764bf6 Use ro.build.fingerprint instead of ro.bootimage.*
ro.bootimage.* sysprops will be removed as they are redundant. Read
ro.build.fingerprint instead.

This is safe because:
2) ro.bootimage.build.fingerprint is the same as other
ro.<partition>.build.fingerprint all of which are from
$(BUILD_FINGERPRINT_FILE).
3) BUILD_FINGERPRINT_FILE is composed of PRODUCT_BRAND, TARGET_PRODUCT,
TARGET_DEVICE, etc.
4) ro.build.fingerprint is auto-composed by init at runtime by the same
rule as #3.

Bug: 117892318
Test: enter into the recovery mode and manually inspect the title line
Change-Id: If28d710f45b98a0effc0159851bca6afb2aa5735
2020-05-25 18:14:53 +09:00
Automerger Merge Worker
07e1577a3e Merge "Consolidate the wait in recovery's reboot" am: a69c69b26f am: 737a2e41bd
Change-Id: I31c2402def47126ba364ef44b9c2fe5effc3ca94
2020-03-14 23:04:41 +00:00
Automerger Merge Worker
2bc65f82f6 Merge "Consolidate the wait in recovery's reboot" am: a69c69b26f am: 737a2e41bd
Change-Id: I962b324436ab4139ed2fa24430599d9403a983e1
2020-03-14 23:04:41 +00:00
Tianjie Xu
00c4aba9bf Consolidate the wait in recovery's reboot
After a reboot function call, we should always wait for it to finish
without executing other instructions.

Bug: 151110322
Test: build
Change-Id: I1dda291a0835ff96df7eaf42eba1a38267a3beeb
2020-03-13 16:09:48 -07:00
Tianjie Xu
cd8faf7eee Force off-device package installation with FUSE
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures

Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 19:16:38 +00:00
Raman Tenneti
4139a30ec5 Merge "Revert "Force package installation with FUSE unless the package stores on device"" into qt-qpr1-dev-plus-aosp 2020-02-13 03:08:09 +00:00
Raman Tenneti
daaacea96e Revert "Force package installation with FUSE unless the package stores on device"
This reverts commit 5e6c4e9a91.

Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420

Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 03:03:36 +00:00
Bryan Ferris
7bc9c8297b Merge "Force package installation with FUSE unless the package stores on device" into qt-qpr1-dev-plus-aosp 2020-02-12 23:37:34 +00:00
Automerger Merge Worker
1551e2a5d1 Merge "Show warning message if sideload failed or is interrupted." am: e1d76ef395 am: d93d116134 am: 9763f002db
Change-Id: I987619c409d8fc9defb3184a51849ee2b81e25b8
2020-01-30 22:43:41 +00:00
Yifan Hong
13b099696f Show warning message if sideload failed or is interrupted.
For non A/B and Virtual A/B devices where sideloading may affect
the existing OS,
- If sideload has failed, show a warning message in recovery menu header.
- If sideload has interrupted, automatically reboot back into recovery and
  show the warning message in recovery menu header.

Test: the above
Fixes: 140749209
Change-Id: Ifdfc28b45975cdc31b6fce2ecb99acc31bc61fa8
2020-01-29 16:59:07 -08:00
Automerger Merge Worker
89c9eae51e Merge "Prompt for confirmation before reboot if installation fails." am: 1b208af5d4 am: 05eec42808 am: 565397643b
Change-Id: I874e028ac058aac56430b6f2fb69d8217a3c13ec
2020-01-29 21:57:36 +00:00
Yifan Hong
c9163fdacc Prompt for confirmation before reboot if installation fails.
If previous installation fails, menu item 'Reboot system now'
and 'Power off' now prompts for confirmation from the user.

Known issues:
- If the sideload is interrupted, it'll still boot into normal
Android in the next cycle.
- If 'Enter fastbootd' is chosen, and then 'Enter recovery', such
prompt do not show up.

Test: manual
Fixes: 142892891

Change-Id: I929b80e0520bd3b9f56d88a4b2203fcdd8d7b013
2020-01-28 12:47:55 -08:00
Automerger Merge Worker
5fa9733f9d Merge "Remove fsck_unshare_blocks." am: 699ea0f325 am: 79ce1d3420 am: ffea0e7333
Change-Id: If590516c09963e73b304cca1b7e07b62271d7c5c
2020-01-28 01:34:15 +00:00
David Anderson
969787cffd Remove fsck_unshare_blocks.
This code is dead. It was briefly used to support "adb remount" with
deduplicated partitions, but was very quickly obsoleted by overlayfs
support. There is no reason to include it anymore.

Bug: N/A
Test: N/A
Change-Id: I4cdcbf66bec80092f954826eaae037934ff37765
2020-01-27 09:30:55 -08:00
Tianjie Xu
5e6c4e9a91 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2020-01-22 22:01:46 +00:00
Automerger Merge Worker
1bbec589b7 Merge "Mount snapshotted /system in Virtual A/B devices" am: 5ee782079a am: bc4b2b44e9 am: 367f7d173e
Change-Id: I5411bcca707627f0e821b4e4052476577e29faf4
2020-01-07 21:00:52 +00:00
Alessio Balsini
a9665ced57 Mount snapshotted /system in Virtual A/B devices
Mounting /system in Virtual A/B devices may require the creation of the
associated snapshot devices.
This patch performs all the required initializations prior to attempting
the mount of /system.

Bug: 139157327
Test: manual /system partition mount on VAB device during OTA
Depends-on: I7337bdd38d7016d12d3ee42be1c7893b10e9116d
Change-Id: I71a9dfc57e1a1354f1f1edc5d287aca93c0c8924
Signed-off-by: Alessio Balsini <balsini@google.com>
2019-12-16 21:25:45 +00:00
Tianjie Xu
b8ba2fa86e Merge "Force package installation with FUSE unless the package stores on device" 2019-10-16 22:20:27 +00:00
Tianjie Xu
58a27693b2 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2019-10-16 11:35:17 -07:00
Tao Bao
832c9cd24f Refactor battery info querying functions into librecovery_utils.
Bug: 134560109
Test: Run recovery_unit_test.
Change-Id: Ibbcdcfd507fa23657ee7ff677208b0003ec382ba
2019-10-02 22:04:25 -07:00
Tao Bao
e3f09a72f5 otautil: Factor out the utils that're private to recovery.
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.

Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
2019-10-02 10:56:46 -07:00
Tianjie Xu
b63a2215b5 Remove common.h
Additionally kill the global variable: reason, stage; move them to a
separate BootState class instead. Vendor specific recovery code will
need to call getters from Device() class to access these variables.

Bug: 137705917
Test: unit tests pass, boot sailfish into recovery, code search and no
code includes common.h in vendor specific recovery.
Change-Id: Ia50a5ea951212c25548562f29cc9cf78505b5e34
2019-08-15 13:40:16 -07:00
Tianjie Xu
164c60a4f3 Clean up some global variables in common.h
Some global variables are only used for recovery.cpp and
recovery_main.cpp, remove them from common.h and handle their usage
accordingly. Variables include:
static constexpr int kRecoveryApiVersion;
extern struct selabel_handle* sehandle;
extern RecoveryUI* ui;
extern bool has_cache;
bool is_ro_debuggable();

Test: unit tests pass, boot into recovery mode and run graphic tests
Change-Id: If83a005786c9b38412731da97aaf85af69a3b917
2019-07-24 11:36:03 -07:00
Tianjie Xu
e521861508 Create a fallback to install from fuse if mmap fails
We may fail to memory map the package on 32 bit builds for packages with
2GiB+ size. This cl tries to install the package with fuse when memory map
fails in such cases.

Bug: 127071893
Test: build 32 bit version sailfish, push package and block.map, reboot into recovery with
the corresponding update_package argument.

Change-Id: I5dae4f3e27ccaf8d64ff3657d36f0e75db2330b0
2019-07-09 14:15:18 -07:00
Tianjie Xu
f6158eb918 Support starting fuse from a block map
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.

This is part of the effort to install larger than 2GiB packages on ILP32
devices.

Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.

Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
2019-06-20 13:53:40 -07:00
Tianjie Xu
980f92ec00 InstallPackage now takes a package as parameter
Therefore InstallPackage() doesn't need to worry about the details of a
given Package.

Bug: 127071893
Test: run update from /bin/recovery --update_package=@path, sideload a package
Change-Id: I0caa36785b43924f884ee398e7ea640d7472a92e
2019-06-13 13:36:56 -07:00
Mark Salyzyn
488cc05c96 recovery: report compliant reboot reason (Part Deux)
shutdown and reboot should have a corresponding sub-reason.

Adding:
    "reboot,userrequested,fastboot"
    "reboot,userrequested,recovery"
    "reboot,userrequested,recovery,ui"
    "shutdown,userrequested,fastboot"
    "shutdown,userrequested,recovery"
    "reboot,unknown#" (Can't happen, debug)

Test: manual, multiple targets, enter recovery, be able to exit recovery
Bug: 133326470
Change-Id: Ibfcb2a23158e8e99922e8053edd815fb592150f2
2019-05-23 13:58:53 -07:00
Tao Bao
feefbf2f56 Revert "recovery: report compliant reboot reason"
This reverts commit 6f4e4db4f9.

Reason for revert: Booting out of recovery (choose `Reboot system now`)
on taimen is broken. Device keeps booting back into recovery.

Bug: 133326470
Test: Choose `Reboot system now` from recovery menu. Deivce attempts
      normal boot.
Change-Id: I6e85fc248e18953a6fb94513c3abc7e7e0fb0477
2019-05-22 11:06:26 -07:00
Mark Salyzyn
6f4e4db4f9 recovery: report compliant reboot reason
shutdown and reboot should have a corresponding sub-reason.

Adding:
    "reboot,fastboot_menu"
    "reboot,recovery_menu"
    "reboot,recovery_ui"
    "shutdown,fastboot"
    "shutdown,recovery"
    "reboot,unknown#"

Test: none
Change-Id: Icf1ab0d462ec2de2272914a36994a095998d6186
2019-05-20 13:52:10 -07:00
Tao Bao
f90d9a102f roots: Remove get_system_root and logical_partitions_mapped.
Test: TreeHugger
Test: Boot into recovery on blueline. Choose "Mount system partition".
Change-Id: Iac475d18ce2415de09dc0bf009ad4cf0383ffede
2019-05-10 10:42:56 -07:00
Tao Bao
adc99efd1c install: Install functions return InstallResult.
Test: `atest recovery_unit_test recovery_component_test`
Test: Sideload a package on taimen.
Change-Id: I2d42f55a89931ee495ea5c5d9e6b5ee1058e8e52
2019-04-30 13:58:03 -07:00
Tao Bao
189c8f9aeb Merge "Consolidate the codes that handle reboot/shutdown." 2019-04-29 21:53:41 +00:00
Tao Bao
782dcc1996 Consolidate the codes that handle reboot/shutdown.
Test: Choose `Reboot system now`, `Power off`, `Reboot to bootloader`
      from recovery UI respectively.
Test: `adb reboot recovery` while under sideload mode.
Change-Id: I0f3d55b80b472178ea4f6970b29cd9df0778b639
2019-04-29 12:12:25 -07:00
Tao Bao
40ccbe3324 Merge "Add install/wipe_device.cpp." 2019-04-29 18:46:53 +00:00
Tao Bao
7f19d100b5 Add install/wipe_device.cpp.
Prior to this CL, GetWipePartitionList was declared in install.h
(libinstall) but defined in recovery.cpp (librecovery). This CL
addresses the issue by refactoring wipe-device related functions into
install/wipe_device.cpp.

Test: atest recovery_component_test
Change-Id: I7ebe04ccfda3d793e085403560a0a202752d9ee3
2019-04-26 23:23:19 -07:00
xunchang
fedeef6f6d Support wipe command in rescue mode
Bug: 131037235
Test: unit tests pass, run `adb rescue wipe`
Change-Id: I22668f2c98fe2d9195d2561f961c28a7c08e712c
2019-04-26 10:36:48 -07:00
Tao Bao
d9cb014d43 Parse BCB command to enter rescue mode.
bootloader will set `boot-rescue` in BCB command field to indicate
booting into rescue mode. This CL adds the matching parsing code.

This CL changes the on-screen UI to display the default image while
waiting for each sideload / rescue command.

It also changes the minadbd reboot handlers to use REBOOT_ instead of
the previous ENTER_ actions. This ensures a reboot going through
bootloader, which may load a newly installed bootloader/recovery.

Bug: 128505466
Test: Boot into rescue mode. Run `adb rescue getprop` and `adb rescue
      install`. Check the UI. Then run `adb reboot rescue`.
Change-Id: I5b7de9dfd898ed8e14bea0d4ad7385a9bae26e94
2019-04-25 14:02:41 -07:00
Tao Bao
10f441a9db minadbd: Support adb reboot under sideload/rescue modes.
Bug: 128415917
Test: Run the following commands under sideload and rescue modes
      respectively.
$ adb reboot
$ adb reboot bootloader
$ adb reboot recovery
$ adb reboot rescue
$ adb reboot invalid
Change-Id: I84daf63e3360b7b4a0af5e055149a4f54e10ba90
2019-04-23 23:50:12 -07:00