Commit graph

535 commits

Author SHA1 Message Date
Michael Bestas
0e844b0289 Bring back file-based OTA edify functions [1/2]
Author: Tom Marshall <tdm.code@gmail.com>
Date:   Wed Oct 25 20:27:08 2017 +0200

    Revert "kill package_extract_dir"

    changes for P:
     - bring back the mkdir_recursively variant which takes a timestamp.
     - add libziparchive dependency
     - fix otautil header paths

    changes for Q:
     - change ziputil naming convention to lowercase

    This reverts commit 53c38b1538.

    Change-Id: I71c488e96a1f23aace3c38fc283aae0165129a12

Author: Tom Marshall <tdm.code@gmail.com>
Date:   Thu Dec 14 22:37:17 2017 +0100

    Revert "Remove the obsolete package_extract_dir() test"

    This reverts commit bb7e005a79.

    Change-Id: I643235d6605d7da2a189eca10ec999b25c23e1f9

Author: Tom Marshall <tdm.code@gmail.com>
Date:   Wed Aug 23 18:14:00 2017 +0000

    Revert "updater: Remove some obsoleted functions for file-based OTA."

    This reverts commit 63d786cf22.

    These functions will be used for third party OTA zips, so keep them.

    Change-Id: I24b67ba4c86f8f86d0a41429a395fece1a383efd

Author: Stricted <info@stricted.net>
Date:   Mon Mar 12 18:11:56 2018 +0100

    recovery: updater: Fix SymlinkFn args

    Change-Id: If2ba1b7a8b5ac471a2db84f352273fd0ea7c81a2

Author: Simon Shields <simon@lineageos.org>
Date:   Thu Aug 9 01:17:21 2018 +1000

    Revert "updater: Remove dead make_parents()."

    This reverts commit 5902691764.

    Change-Id: I69eadf1a091f6ecd45531789dedf72a178a055ba

Author: Simon Shields <simon@lineageos.org>
Date:   Thu Aug 9 01:20:40 2018 +1000

    Revert "otautil: Delete dirUnlinkHierarchy()."

    changes for P:
     - Fix missing PATH_MAX macro from limits.h

    This reverts commit 7934985e0c.

    Change-Id: I67ce71a1644b58a393dce45a6c3dee97830b9ee4

Author: XiNGRZ <chenxingyu92@gmail.com>
Date:   Tue Dec 3 14:31:56 2019 +0800

    updater: Fix lost capabilities of set_metadata

    This was broken since Android O. During a file-based incremental OTA,
    capability flags were cleared but not being set again properly, leading
    some critical processes (e.g. surfaceflinger and pm-service) fails.

    For more details, see: 65b8d749f7

    Change-Id: I20e616cd83ec1cd1b79717a6703919316ad77938

[mikeioannina]: Squash for Q and run through clang-format

[Chippa_a]: Adapt for Android R updater and libziparchive API

Change-Id: I91973bc9e9f8d100688c0112fda9043fd45eb86a
2024-09-08 00:58:50 +02:00
Treehugger Robot
d8c8c1b619 Merge "Migrate Test Targets to New Android Ownership Model" into main am: cd6618b619 am: 67666b2b47
Original change: https://android-review.googlesource.com/c/platform/bootable/recovery/+/2946233

Change-Id: Ia3c73c8e83b35bdae5cca8a592aa251e7569b821
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-04-22 18:03:39 +00:00
Treehugger Robot
cd6618b619 Merge "Migrate Test Targets to New Android Ownership Model" into main 2024-04-22 17:01:48 +00:00
Kelvin Zhang
c7ebad5fd6 rm -rf non-AB code
Bug: 324360816
Test: th
Change-Id: I3d82d9031446be355d8a1d077ab83283c7cc769c
2024-04-05 09:49:38 -07:00
Elliott Hughes
6929e4e5dc Fix connect() retry loop.
This would succeed eventually anyway: the first time round the connect() succeeds, returns 0, and we go around the loop again; the second time the connect() fails (because we're already connected), returns -1, and we set success to true and exit the loop. But this means that the intended retry functionality is broken.

Change-Id: If631d59e23b12e9aa952cdb528160b19b9a94b1c
2024-03-19 01:42:58 +00:00
Aditya Choudhary
eb84a17080 Migrate Test Targets to New Android Ownership Model
This CL is created as a best effort to migrate test targets to the new Android ownership model.
It is based on historical data from repository history and insights from git blame.
Given the nature of this effort, there may be instances of incorrect attribution. If you find incorrect or unnecessary
attribution in this CL, please create a new CL to fix that.

For detailed guidelines and further information on the migration please refer to the link below,
go/new-android-ownership-model

Bug: 304529413
Test: N/A
Change-Id: Ia2268756e71b22238b17b21d336f5f7e5bd35b0b
2024-02-02 13:56:16 +00:00
David Anderson
8ee048d750 Update recovery to use Health AIDL HAL V3.
Bug: 309792384
Test: m
Change-Id: I253dbee446c88e6a18718cedec090c3be1b56cfd
2023-11-17 20:39:19 -08:00
Elliott Hughes
da675a945f Use the hermetic gzip instead of minigzip.
Bug: http://b/288169261
Test: treehugger
Change-Id: I7cb3d5468a79faedcae13d75913f11f5a8ea9e80
2023-06-21 10:10:42 -07:00
Jack Wu
6b39dee45d Update health AIDL HAL to V2
Bug: 251425963
Test: Build
Change-Id: I471f8fb9c7eb1044ea0b920d55728613188bfbdf
Signed-off-by: Jack Wu <wjack@google.com>
2022-12-24 13:13:18 +00:00
Kelvin Zhang
9ce95441b2 Fix misconfigured recovery host test
Test: atest recovery_host_test
Bug: 241353143
Change-Id: I13bb9595745f65a63070cf9fe030c9155f75e4d0
2022-08-04 10:05:43 -07:00
Kelvin Zhang
117f263ada Disable flaky recovery test
Non-AB is under-maintained for years. Disable flaky test for now.

Test: th
Bug: 191730720
Change-Id: I3634afe291e717c35216021d69be1d24c5b8e5de
2022-02-24 13:43:16 -08:00
Chih-Hung Hsieh
af6d780eb2 Add timed out test files to tidy_timeout_srcs
* Timed out runs do not show any warning messages.
* These test files cannot finish clang-tidy runs with
  the following settings:
    TIDY_TIMEOUT=90
    WITH_TIDY=1
    CLANG_ANALYZER_CHECKS=1
* When TIDY_TIMEOUT is set, in Android continuous builds,
  tidy_timeout_srcs files will not be compiled by clang-tidy.
  When developers build locally without TIDY_TIMEOUT,
  tidy_timeout_srcs files will be compiled.
* Some of these test modules may be split into smaller ones,
  or disable some time consuming checks, and then
  enable clang-tidy to run within limited time.

Bug: 201099167
Test: make droid tidy-bootable-recovery_subset
Change-Id: I3c4606959ab70e339df201501356b24953d4fb8a
2022-02-17 22:03:12 -08:00
Jacky Liu
068329e977 Move package verifier from libinstall to libotautil
So it can be used by device-specific codes.

Bug: 184693830
Test: m; atest recovery_unit_test
Change-Id: I5885334c1bd04214c9cc295f2337306261a1735c
2021-12-22 23:31:08 +08:00
Yifan Hong
67a8fd2175 GetBatteryInfo() also reads AIDL health HAL.
Test: call GetBatteryInfo manually with and without AIDL health HAL
Bug: 170338625
Bug: 177269435
Change-Id: I123739e5bc372d5198fd711f592ceac04d46ab28
2021-12-06 16:53:58 -08:00
Elliott Hughes
a85d7a0936 Use gtest_prod_headers.
Bug: http://b/185916167
Test: treehugger
Change-Id: I3407052df4f12b01acc4a75c6bd0759f7a4b2c4c
2021-04-20 11:58:05 -07:00
Bob Badour
29be3f6ef1 [LSC] Add LOCAL_LICENSE_KINDS to bootable/recovery
Added SPDX-license-identifier-Apache-2.0 to:
  applypatch/Android.bp
  bootloader_message/Android.bp
  edify/Android.bp
  fuse_sideload/Android.bp
  install/Android.bp
  minadbd/Android.bp
  minui/Android.bp
  otautil/Android.bp
  recovery_ui/Android.bp
  recovery_utils/Android.bp
  tests/Android.bp
  tools/image_generator/Android.bp
  tools/recovery_l10n/Android.bp
  uncrypt/Android.bp
  update_verifier/Android.bp
  updater/Android.bp
  updater/Android.mk
  updater_sample/Android.bp
  updater_sample/tests/Android.bp

Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-MIT
    SPDX-license-identifier-OFL
to:
  Android.bp
  Android.mk

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I3da761b525452838977297f773974000d4de7bd6
2021-02-14 10:37:20 -08:00
Kelvin Zhang
07ba4483a6 Re-enable failed imgpatch tests
Now we added a libz variant without the offending optimizations,
    re-enable tests.

Test: treehugger
Bug: 177076632
Change-Id: I6969090b2cb4c059d952df7cc034d0ed1ac366b2
2021-01-13 10:10:15 -05:00
Kelvin Zhang
2f2749f213 Switch imgdiff to use libz_stable
libz contain platform dependent optimization flags, and sometimes that
cause reconstruction of blobs to fail. Use libz_stable instead

Bug: 177076632
Test: treehugger

Change-Id: I3a8c1591672537d1c754b2bc5b26f939dd80ed47
2021-01-13 10:10:15 -05:00
Kelvin Zhang
d77e7ea105 Disable failed imgpatch tests
For a proper solution, add a variant of libz which doesn't have platform
dependent optimizations, and make imgdiff use that version.
Test: treehugger
Bug: 177076632

Change-Id: Ia9e926c1adf22d351315eeec5ad1fabc3d48efd5
2021-01-12 14:45:29 -05:00
Will Coster
de455707e6 Add a fuzzer for OTA package verification
This is a pretty simplistic approach, it just shoves random data at the
verifier. The OTA format isn't too complicated so this should hopefully
be sufficient to let the fuzzer exercise the potentially interesting
parsing code.

Test: Let the fuzzer run on device for awhile:
      1) FUZZ=libinstall_verify_package_fuzzer
      2) SANITIZE_TARGET=hwaddress make ${FUZZ}
      3) cd ${ANDROID_PRODUCT_OUT} && adb root && adb sync data
      4) adb shell /data/fuzz/arm64/${FUZZ}/${FUZZ}
Change-Id: Icac6bde017b497d9f92c06191eb29e107ba9c0a7
2020-11-10 14:26:17 -08:00
Tianjie
581a824401 Add test config for recovery_host_test
Bump the timeout as we see some flakiness in b/170178152. The other
part of the config is copied from the auto-generated config in
out/host/linux-x86/testcases/recovery_host_test/recovery_host_test.config

Bug: 170178152
Test: treehugger
Change-Id: Ia84c90ba6a686c47ecc7d8331c7e8c7cb4b78292
2020-10-06 23:31:04 +00:00
Kelvin Zhang
4f81130039 Switch to zip64 in recovery
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.

Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
2020-09-16 14:21:37 -04:00
Tianjie
78d1514173 Update language to comply with Android’s inclusive language guidance
https: //source.android.com/setup/contribute/respectful-code
Bug: 161896447
Test: Unit tests pass
Change-Id: I0f3f0333dbccc94241a096ca5d3d9bc28c281492
2020-07-23 14:02:21 -07:00
Tianjie
1bc976a74e Fix some wording to comply with respectful-code
https: //source.android.com/setup/contribute/respectful-code
Test: Unit tests pass
Change-Id: If447b2cf923f6bc7a3a3fb5f69b9fbc06a200ebb
2020-07-23 13:07:24 -07:00
Kelvin Zhang
e1ae78cd54 Add recovery support of dynamic fingerprints
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro

This CL updates recovery code to recognize them

Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
2020-06-29 16:22:08 -04:00
Automerger Merge Worker
a0df3e3584 Merge "Generate recovery.img for unittest during build time" am: bf885b6b21 am: 616db72209
Change-Id: I264469782af6ffab1c138edc01b577abb5fd2675
2020-02-24 19:14:38 +00:00
Tianjie Xu
fa77ee8470 Generate recovery.img for unittest during build time
The unit tests for imgpatch is comparing the compressed bytes. As
a result, these unit tests will fail with libz change.

Since the recovery image is just a gzipped ramdisk with some wrappings,
we can generate with minigzip it during the build time. This matches
the usage in the real world, where we generate the patch with the host
side libz; and apply the patch with the library on the device.

Bug: 149443852
Test: tests pass on Pixel3
Change-Id: I7885765a161c6bf765671bc55a72cfcaa04b4138
2020-02-20 23:09:44 -08:00
Tianjie Xu
cd8faf7eee Force off-device package installation with FUSE
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures

Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 19:16:38 +00:00
Raman Tenneti
4139a30ec5 Merge "Revert "Force package installation with FUSE unless the package stores on device"" into qt-qpr1-dev-plus-aosp 2020-02-13 03:08:09 +00:00
Raman Tenneti
daaacea96e Revert "Force package installation with FUSE unless the package stores on device"
This reverts commit 5e6c4e9a91.

Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420

Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 03:03:36 +00:00
Bryan Ferris
7bc9c8297b Merge "Force package installation with FUSE unless the package stores on device" into qt-qpr1-dev-plus-aosp 2020-02-12 23:37:34 +00:00
Steven Moreland
c7647926f4 rm libbinderthreadstate
This library is empty, and its functionality has moved
into libbinder/libhwbinder.

Bug: 148692216
Test: N/A
Change-Id: Ie50d9130a8e43de7d5b222883169c26ab958e6d7
2020-02-06 13:28:52 -08:00
Tianjie Xu
5e6c4e9a91 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2020-01-22 22:01:46 +00:00
Peter Collingbourne
8b9ac5b83d Merge "Link libvndksupport dynamically instead of statically." 2019-12-19 17:27:37 +00:00
Yifan Hong
c77bb70166 Delete VINTF compatibility check during OTA.
Test: sideload OTA
Bug: 139300422
Change-Id: I3369b69242ccd7a64540a0c2d754a5d6fc50d072
2019-12-18 12:14:50 -08:00
Peter Collingbourne
8f2f0d09ea Link libvndksupport dynamically instead of statically.
Bug: 146456667
Change-Id: I839223d8fbc365fd3271634143b117604f6aa879
2019-12-17 17:51:42 -08:00
Tianjie Xu
3d57c84476 Consolidate the vendor space misc usage for Pixels
The layout of the vendor space /misc partition was pretty confusing and
lead to some usage conflicts. To formalize the layout, we create a pixel
specific library with the definition & offset of various flags. The new
library also handles the R/W. As a result, we will leave system domain
/misc definitions in the libbootloader_message.

We also switch the misc_writer binary to use more specific options
instead of writing an arbitrary hex string. So we can avoid redefining
the string & offset in both init script and recovery ui.

Bug: 131775112
Test: unit tests pass, run misc_writer and check contents of /misc
Change-Id: I00f8842a81d1929e31a1de4d5eb09575ffad47c0
2019-11-12 10:53:04 -08:00
Tao Bao
832c9cd24f Refactor battery info querying functions into librecovery_utils.
Bug: 134560109
Test: Run recovery_unit_test.
Change-Id: Ibbcdcfd507fa23657ee7ff677208b0003ec382ba
2019-10-02 22:04:25 -07:00
Tao Bao
e3f09a72f5 otautil: Factor out the utils that're private to recovery.
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.

Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
2019-10-02 10:56:46 -07:00
Tao Bao
5234ad466c applypatch: Add backup_source parameter to PatchPartition.
And set it to false when installing recovery image via applypatch. We
only need to back up the source partition when doing in-place update
(e.g. when updating a given partition under recovery). When installing
recovery image via applypatch, we won't touch the source partition (i.e.
/boot).

Removing the backup step also allows dropping the dac_override_allowed
permission. Previously it was needed due to the access to /cache.
Because applypatch runs as root:root, while /cache is owned by
system:cache with 0770.

Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
      is installed successfully without denials.
Test: recovery_unit_test passes on taimen.
Change-Id: I549a770b511762189d6672a2835b6e403d695919
2019-09-23 11:26:48 -07:00
Tao Bao
dfb053e815 tests: recovery_unit_test requires root.
Bug: 141272654
Test: TreeHugger (recovery_unit_test no longer fails)
Change-Id: I47cbee274e659e3d90be5a77b215466d2973c7d6
2019-09-19 08:08:54 -07:00
Pete Bentley
189d424ced Link libcrypto dynamically for recovery unit tests.
Tested by running recovery_unit_test as described in
https://android.googlesource.com/platform/bootable/recovery/+/refs/heads/master/README.md

Attempted to build and boot a recovery image with the
same change to confirm it still works, but
m recoveryimage-nodeps
fails for me.

Bug: 140940227
Test: See above
Change-Id: I00545968a0e5684823e505f2ddbe7e993319b5d4
2019-09-13 12:18:44 +01:00
Steven Moreland
e4f1a781f5 Remove reference to libhwbinder_noltopgo.
No longer needed.

Bug: 135558503
Test: build only
Change-Id: Ia1257513c6276cdb01604fbedb411e7412d02b84
2019-09-05 14:29:23 -07:00
Tianjie Xu
60b242cfd5 Simulator: add the argument to keep the updated images
Add the command line option to select the work directory and save the
updated image files. Because some people might have interested in
getting updated images from an ota file.

Also, fix a minor issue that the destination of package_extract_file
needs to be updated if it's a block device. Otherwise, an unintended
file may be extracted in the callers' directory.

Test: run simulation, run unit tests

Change-Id: Ic6a7db0580bc1748d6e080102e4654da4e41fd8c
2019-07-30 17:11:35 -07:00
Tianjie Xu
45c40ec876 Remove libimgpatch
Stop building libimgpatch as it's merely a subset of libapplypatch.

Test: unit tests pass

Change-Id: I0735ec053344404434a50e53a36e3f55964c2e4f
2019-07-10 12:41:45 -07:00
Tianjie Xu
42d7779caf Build libimgdiff as a host only library
Stop building libimgdiff on device because we are only running
patching there.

Test: unit tests pass
Change-Id: I4225c6b52a536617301a64c405e325799a303b40
2019-06-28 11:04:07 -07:00
Tianjie Xu
c3a161e2b8 Add unit tests for simulator
Make sure the simulator succeeds executing common non-A/B update
functions.

Bug: 131911365
Test: run unit tests
Change-Id: I520ce6a8827539b88a9e36f9e67eec30d8b586d4
2019-06-27 16:17:05 -07:00
Tianjie Xu
f6158eb918 Support starting fuse from a block map
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.

This is part of the effort to install larger than 2GiB packages on ILP32
devices.

Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.

Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
2019-06-20 13:53:40 -07:00
Tianjie Xu
c1a5e26fd9 Implement an update simulator to verify BB OTA packages on host
Implement the simulator runtime and build the updater simulator as a host
executable. The code to parse the target-files and mocks the block devices
will be submitted in the follow-up.

Bug: 131911365
Test: unit tests pass

Change-Id: Ib1ba939aec8333ca68a45139514d772ad7a27ad8
2019-05-28 15:18:25 -07:00
Tianjie Xu
27556d089f Some clean ups to the updater
Remove some unnecessary includes or forward declarations. And include
the correct headers to build host executables.

Bug: 131911365
Test: unit tests pass
Change-Id: I62e75f60678159fe24619a4bd386b1416f1a5b5d
2019-05-22 14:58:28 -07:00