This function is used to parse the result of dumpKeys. It's no longer
needed as we are now parsing the public keys from the zipfile.
Bug: 116655889
Test: unit tests pass
Change-Id: I817906e451664058c644f4329ff499bbe4587ebb
For RSA keys, check if it has a 2048 bits modulus, and its public
exponent is 3 or 65537. For EC keys, check if the field size is 256
bits for its curve.
Bug: 116655889
Test: unit tests pass
Change-Id: I5c00f4d2b61c98c434f0b49db232155d5d0770ec
This fixes the build error as the initializer list no longer work
without the proper constructor for c++ class.
Bug: 74397117
Test: unit tests pass
Change-Id: If3ff508a1a01ad5326413dab8e05bacae8a946c8
These functions take the given GRSurface instances as inputs, which
shouldn't be altered.
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test.
Test: `Run graphics test` on marlin.
Change-Id: I51bf408e85faae2b497d4f148ab1dec22dd16c93
This CL adds GRSurface::Create() and dtor for managing the allocated
memory in GRSurface class. It also adds GRSurface::data() that hides the
underlying implementation, with both of const and non-const overloads.
This allows `const GRSurface&` to be more useful - previously it only
ensured a const member variable of `data`, instead of a read-only buffer
it points to.
It also marks the parameters in gr_texticon() and gr_blit() as const, as
they're incoming source that shouldn't be altered. It corrects the type
of gr_draw, which is the sink to be painted on (an earlier attempt was
made in [1], but didn't get the full picture correctly).
[1] https://android-review.googlesource.com/c/platform/bootable/recovery/+/704757/
Test: mmma -j bootable/recovery
Test: recovery_unit_test on marlin
Test: Run graphics test on marlin (fbdev).
Test: Run graphics test on blueline (drm).
Change-Id: I7904df084cd6c08fa04a9da97d01b4b1a6e3a20c
Add a function in screenUI to display the pre-generated graphs for
rescue party. If these graphs are not valid, falls back to display
the old text strings.
Right now we haven't generated the localized graphs yet, so the UI
always shows the TextMenu.
Bug: 116655889
Test: check rescue party under recovery
Change-Id: I0558cb536b659cdc25c8b7946d3a39820935b003
Add a function to parse the zip archive and load the certificate from
all the zip entries with the suffix "x509.pem".
Bug: 116655889
Test: unittests pass
Change-Id: I93bf7aef7462c0623e89fc2d466d7af2d3a758bc
As we plan to show localized rescue party dialogs under recovery mode
with pre-generated images, it becomes necessary to show the menu headers
and items with images.
This cl converts the menu class to a interface and derived TextMenu &
GraphicMenu classes. And the GraphicMenu uses GRSurfaces* as the menu header
and a list of GRSurfaces* as menu items.
Moreover, factor out the Draw* functions in the ScreenUI into a separate
DrawInterface. Therefore, the Menu class can access these draw functions and
use them to implement the DrawHeaders & DrawItems neatly.
Bug: 74397117
Test: unittests pass, boot into recovery and check menu
Change-Id: I95cee30f3e5eb666eb6fbcdfc873a7260fc177c1
We used to convert a pem certificate file to some intermediate plain
text format; and parse that format under recovery mode. This is
uncessary since the x509.pem can be directly parsed with openssl
functions.
Add the function to load the public key from one x509.pem file and
corresponding unit tests. And we will add more cls to extract the pem
files from otacert.zip later.
Bug: 116655889
Test: verify package with 5 supported certficate versions
Change-Id: Ibc6c696c534567f005db75143cc4ef8d4bdea6a0
The update_verifier now compares the fingerprint of a partition before
performing the blocks read. If the fingerprint of the current system property
mismatches the one embedded in the care_map, verification of this partition
will be skipped. This is useful for the possible system only updates in the
future.
Bug: 114778109
Test: unit tests pass
Change-Id: Iea309148a05109b5810dfb533d94260d77ab8540
dependency."
This reverts commit 26b86bb1dc.
Reason for revert: Dependencies which broke tests due to exclusion from
LOCAL_JNI_SHARED_LIBS have been added.
Change-Id: I364acfe8bd0526fb26f69cc29fb3545fc3e79764
This reverts commit a71c10b464.
Reason for revert: This breaks framework tests and blocks presubmit
Change-Id: Iae94878889c1e71e2da5336fe75af88dfd3bfcfa
The refactor separates out the parsing of care_map and the actual
verification of the partitions. Moreover, it skips the verification in case
of a format error in the care map.
Also, the parsing of care_map now uses the suffix of the file to
tell if it has the protobuf format or the plain text format.
Bug: 115740187
Test: unit test pass
Change-Id: I7aa32004db02af1deb7bfdc6f5bd7921eb7883e5
The recovery-persist used to look for the related recovery logs in
persist storage, and copy them under /data/misc/recovery during the
normal boot process.
As we also want to find out the sideload information from last_install,
it makes more sense to move the parse & report of non-a/b metrics to
recovery-persist. Thus we can avoid the race condition of the file
system between the native code and RecoverySystem.
Bug: 114278989
Test: unit test pass, check the event buffer for metrics report
Change-Id: I32d7b2b831bc74a61a70af9a2f0b8a7e9b3e36ee
applypatch() was initially designed for file-based OTA, operating on
individual files. It was later extended to allow patching eMMC targets
as a whole, in favor of block-based updates.
As we have deprecated file-based OTA since Oreo, part of the code in
applypatch() has become obsolete. This CL refactors the related
functions, by removing the obsolete logic and focusing on eMMC targets.
Since this CL substantially changes applypatch APIs, it adds new
functions to avoid unintentionally mixing them together. In particular,
it removes `applypatch()`, `applypatch_check()`, `applypatch_flash()`,
and adds `PatchPartition()`, `PatchPartitionCheck()`, `FlashPartition()`
and `CheckPartition()`. It also replaces the old Edify functions
`apply_patch()` and `apply_patch_check()` with `patch_partition()` and
`patch_partition_check()` respectively.
This CL requires matching changes to OTA generation script (in the same
topic).
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Test: `m dist` with non-A/B target. Verify
/system/bin/install-recovery.sh on device.
Test: `m dist` with non-A/B target using BOARD_USES_FULL_RECOVERY_IMAGE.
Verify /system/bin/install-recovery.sh on device.
Test: Install an incremental OTA with the new updater and scripts.
Change-Id: Ia34a90114bb227f4216eb478c22dc98c8194cb7f
Now it's less beneficial to inject I/O faults since we don't see many of
them. Remove the library that mocks I/O failures. And switch to android::base
I/O when possible.
Bug: 113032079
Test: unit tests pass
Change-Id: I9f2a92b7ba80f4da6ff9e2abc27f2680138f942c
They serve the same purpose as {boot,recovery}.img, except that they're
not structured to be imgdiff'd. Remove the two files and replace all the
uses with {boot,recovery}.img instead.
Bug: 110106408
Test: Run recovery_{unit,component}_test on marlin.
Change-Id: I8e71187d5b0c142ad932f33717f6fae364b43abc
This would be the top-level class that represents and holds the info
parsed from a transfer list file.
Bug: 112151972
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I83b54df9d1411542eeeb8ef4a2db167e97f989c3
This file was somehow missed when converting from Android.mk to
Android.bp. This CL addresses the issue by picking up all the .cpp files
in the test source dir.
Test: Run recovery_{unit,component}_test on marlin. Check the reported
number of tests (94 for unit test and 157 for component test).
Change-Id: I50435b07fcb8602ef7b3f7e7d3a69e10b6a5932d
Also separate libupdater_defaults out to be shareable.
It turns out the `data` property in `cc_test` doesn't follow symlinks as
LOCAL_TEST_DATA does in Android.mk. This CL creates a filegroup in
top-level Android.bp in order to pick up the testdata for ResourcesTest.
Test: `mmma -j bootable/recovery` with aosp_marlin-userdebug
Test: Run recovery_{unit,component,manual}_test on marlin.
Test: Run recovery_host_test.
Change-Id: I4532ab25aeb83c0b0baa8051d5fe34ba7b910a35
Bug: 112494634
Test: Build and boot into recovery image on taimen. Verify that
`Apply updates from ADB` keeps working.
Test: Run recovery_component_test on marlin.
Change-Id: I9ee8834053fda79a4fd77bfa83eab3cc51a90dff
Add hash_tree_info to represent the hash tree computation arguments in
the transfer commands 'compute_hash_tree'. Also add its parsing code in
the Command class.
Bug: 25170618
Test: unit tests pass
Change-Id: Ie8607968377968e8fb3e58d1af0b8ca315e145be
recovery is_battery_ok function uses get_health_service(),
which calls IHealth::getService("default") then
IHealth::getService("backup").
- An OEM can provide the default instance by installing
android.hardware.health@2.0-impl-<device>.so to recovery
partition.
- If that's not found, the "backup" instance is provided
to the recovery partition by default.
Test: call is_battery_ok() in recovery, successfully
get battery information.
Bug: 80132328
Change-Id: Ibfee80636325a07bc20b24d044d007a60b3dd7c2
This relands the previously reverted CL in commit
c70446ce7b ("Build and use minadbd as a
shared library."). `recovery` has been built with Soong, so the previous
concern (unintentionally installing `libminadbd_services.so` to normal
system image) no longer holds.
Note that `reocvery` can't use `libminadbd_services.a`, as functions
like `daemon_service_to_fd()` (needed by `libadbd.so`) won't be linked
into `recovery`.
This CL moves the dependency of `libminadbd_services` from `librecovery`
into `recovery`, as only the latter actually relies on it (via
`recovery_main.cpp`). Note that we no longer need to list the transitive
dependency on `libadbd` or `libasyncio`.
Bug: 112494634
Test: `mmma -j bootable/recovery`
Test: Build and boot into recovery with aosp_taimen-userdebug. Verify that
sideloading keeps working.
Test: `build/soong/build_test.bash --dist`
Change-Id: Ic086470b86d6770bede317e0f5534f608fa7b7d2
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I2617b87d13c585addf0ed2fbae8c3ce443ea7200
It doesn't change the functionality of the test, but allows easier
conversion to Soong.
Test: Run recovery_component_test on marlin.
Change-Id: Ic7419dc86c6b220531ae44e49ab4657394a5d7fa
This reverts commit 4fd4f89591.
The reverted CL has a side effect that unintentionally installs
a copy of libminadbd_services.so to the system image. This breaks the
check with `build/soong/build_test.bash --dist` which detects and
prevents vendor modules from installing files to the system image.
Prior to fully converting `recovery` to be built with Soong, we have to
statically link recovery-specific modules into `recovery`.
Bug: 110380063
Test: `m -j bootimage` with aosp_marlin-userdebug
Test: Run minadbd_test on marlin.
Test: Boot into recovery and verify that sideloading still works.
Test: `build/soong/build_test.bash --dist`
Change-Id: I290d55c82e17aa60a5afdf2ff7f896afc4dae8b3
The former `minadbd` module is now built as a shared library
(`libminadbd_services.so`) that serves sideloading under recovery, with
a dynamic dependency on `libadbd.so`.
This allows sharing and reusing libadbd code on device (both of `adbd`
and `recovery` now uses `libadbd.so`). As a result, it reduces the size
of `recovery` binary from 1407360-byte to (1272880 + 33032)-byte
(aosp_marlin-userdebug).
Bug: 78793464
Test: `m -j bootimage` with aosp_marlin-userdebug
Test: Run minadbd_test on marlin.
Test: Boot into recovery and verify that sideloading still works.
Change-Id: I6c2bc3d351d5af71220a9b9f956c8c039e52c781
We used to statically link the device-specific recovery UI extension
(`TARGET_RECOVERY_UI_LIB`) into `recovery`. Such a logic can't be easily
migrated to Soong, as modules specified by `TARGET_RECOVERY_UI_LIB` may
not be built with Soong.
Instead of porting all the device-specific codes over, this CL builds
and installs the UI lib as a shared library with Android.mk. `recovery`
dlopen(3)'s and dlsym(3)'s `make_device` to invoke the device-specific
UI lib on start.
Note that in order to make dlopen(3) actually working, we have to switch
`recovery` to be dynamically linked (we will make the move later
anyway).
Bug: 110380063
Test: Build and boot into marlin recovery image. Check that
device-specific recovery UI is successfully loaded.
Change-Id: Ia9861c7559a95f3f50676534540c0cb87cae4574
The new command is part of the transfer.list and allows us to compute the hash
tree on non-ab devices.
The required arguments for the hash_tree computation are:
hash_tree_ranges
source_ranges
hash_algorithm
salt_hex
root_hash
Bug: 25170618
Test: unit tests pass; run simulator with compute_hash_tree
Change-Id: I8ff0d582cc8adabb8a060db7845f38b35b28e62c
Normally calling a UI method will block
indefinitely until the UI is actually
used. This creates a method to interrupt
the UI, causing waitKey to return -2. This
in turn, will cause ShowMenu to return -2.
This allows switching between recovery and
fastbootd via usb commands.
Test: adb shell /data/nativetest64/recovery_unit_test/recovery_unit_test
Bug: 78793464
Change-Id: I4c6c9aa18d79070877841a5c9818acf723fa6096
Switching to the protobuf format helps to make the care_map more
extensible. As we have such plans in the future, add the support to
parse the protobuf message in the update_verifier.
Bug: 77867897
Test: unit tests pass, update_verifier successfully verifies a care_map.pb
Change-Id: I9fe83cb4dd3cc8d6fd0260f2a47338fe142d3938
This applies to the standalone applypatch executable
(/system/bin/applypatch on device). This executable is only used when
installing (via patching or flashing) a recovery image on non-A/B
device.
This CL removes the support for patching non-eMMC targets from
applypatch that has been deprecated as part of file-based OTA. For
patching eMMC targets, it also drops the support for accepting multiple
patches (not useful, since the source file must be fixed).
This CL needs the matching change in the same topic, which writes the
script of "/system/bin/install-recovery.sh". Note that this CL doesn't
chanage the applypatch API signatures, in order to minimize the CL size.
*BEFORE*
usage: /system/bin/applypatch [-b <bonus-file>] <src-file> <tgt-file> <tgt-sha1> <tgt-size> [<src-sha1>:<patch> ...]
or /system/bin/applypatch -c <file> [<sha1> ...]
or /system/bin/applypatch -l
Filenames may be of the form
EMMC:<partition>:<len_1>:<sha1_1>:<len_2>:<sha1_2>:...
to specify reading from or writing to an EMMC partition.
*AFTER*
Usage:
check mode
applypatch --check EMMC:<target-file>:<target-size>:<target-sha1>
flash mode
applypatch --flash <source-file>
--target EMMC:<target-file>:<target-size>:<target-sha1>
patch mode
applypatch [--bonus <bonus-file>]
--patch <patch-file>
--target EMMC:<target-file>:<target-size>:<target-sha1>
--source EMMC:<source-file>:<source-size>:<source-sha1>
show license
applypatch --license
Bug: 110106408
Test: Run recovery_component_test and recovery_unit_test on marlin.
Test: Build a non-A/B target that has /system/bin/install-recovery.sh.
Verify that it installs recovery image successfully.
Test: Build a non-A/B target that has /system/bin/install-recovery.sh in
flashing mode. Verify that it installs recovery image successfully.
Change-Id: I71f9a71fb457e6f663e0b5511946949e65b4b78c
The getopt_long(3) implementation in Android (upstream freebsd) expects
a null-terminated array while parsing long options with required args.
if (long_options[match].has_arg == required_argument) {
optarg = nargv[optind++];
}
...
if (long_options[match].has_arg == required_argument && optarg == NULL) {
return (BADARG);
}
This seems to make sense in practice, as getopt(3) takes the first two
arguments of argc and argv that are "as passed to the main() function on
program invocation", and both of C and C++ spec say "the value of
argv[argc] shall be 0".
Prior to the CL, we may run into undefined behavior on malformed input
command line (e.g. missing arg for an option that requires one). This CL
fixes the issue by always appending a nullptr to the argument list (but
without counting that into argc).
Test: Build and boot into recovery with commands.
Change-Id: Ic6c37548f4db2f30aeabd40f387ca916eeca5392
TemporaryDir only deletes empty dirs (not done by its dtor because it
tries to keep the temporary files available on error exit).
Also change FreeCacheTest::MockFreeSpaceChecker to be static.
Test: Run recovery_unit_test on marlin. Check /data/local/tmp post-run.
Change-Id: I1bd54eb840e3094b4f22ee84c059eec2998773bf
Prior to this CL, FreeSpaceForFile() was returning `size_t`, which may
overflow on ILP32 when called on a partition with 4GiB+ free space.
Additionally, it was returning static_cast<size_t>(-1) on error, but the
caller in freecache.cpp didn't check for that.
This CL changes its return type to `int64_t`, and moves the function
into freecache.cpp since there's no external caller.
Test: Run recovery_unit_test on marlin.
Test: Code search shows no external user of FreeSpaceForFile().
Change-Id: I00f501a057726e1f1ab69f367c46c77b30f2d774
We already know the flakiness happens in bspatch, and the issue is
tracked in b/80193170.
Bug: 67849209
Test: unit tests pass
Change-Id: Ib4772b8f2f0225125096fe7407d083b5bb542cfb
It used to return a Value blob to be consumed by sha1_check() (which has
been deprecated). Currently there's no other generic updater function
that works with BLOB Values. This CL changes read_file() to return a
string Value to make it more useful (e.g. allowing equality check).
Test: Run recovery_component_test and recovery_unit_test on marlin.
Change-Id: Iba986ba649030112babefe898f26aa9ffe69eeb7
Also simplify the helper function expect() in {edify,updater}_test.cpp.
Test: Run recovery_component_test on marlin.
Change-Id: If54febba4b5013f6d71546318a1ca6b635204ac8
Test: mmma -j bootable/recovery
Test: Run recovery_component_test and recovery_unit_test on marlin.
Change-Id: I4b240e3e771c387b9694be9c0f2f74e0265ab4cb
Also fix an error-pone behavior in previous code when verifying an eMMC
target. As long as it loads the partition content successfully according
to the SHAs embedded in the filename, it shouldn't further check against
the SHAs given in the second argument. Because the loaded contents
relate to a specific partition size.
For example:
apply_patch_check(
"EMMC:/boot.img:src_size:src_hash:tgt_size:tgt_hash",
"src_hash");
Assume "/boot.img" already has the desired hash of "tgt_hash", the
previous code would give wrong verification result. The issue can be
addressed by additionally listing "tgt_hash" as one of the desired SHAs
(or by applying this CL).
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I8daafdbecd083f687e24d563ab089caa25667633
The matching edify function has been removed from EdifyGenerator [1]. In
theory device-specific releasetools script may still use this function,
but it no longer looks useful. Because a) we should use range_sha1()
when asserting the SHA-1 hash of a block device; b) we should look into
the contents when asserting a text file.
[1] https://android-review.googlesource.com/c/platform/build/+/714104
Test: Run recovery_component_test on marlin.
Test: Code search shows no active user.
Change-Id: Id39439101534fb89cf8c5cea80a4b758c8a1a60d
This will be used for testing purpose only, replacing the previously
used "fail", to intentionally abort an update.
As we're separating the logic between commands parsing and execution,
"abort" needs to be considered as a valid command during the parsing.
Test: recovery_unit_test and recovery_component_test on marlin.
Change-Id: I47c41c423e62c41cc8515fd92f3c5959be08da02
... into unit/applypatch_test.cpp. And rename the file to
component/applypatch_modes_test.cpp.
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: Ic23c4f054baa2fa0d5e8ea2fcffd22572f1f112e
Additionally checks for excess args when parsing ERASE, FREE, NEW, STASH
and ZERO. Note that the check for MOVE, BSDIFF, IMGDIFF has been covered
in Command::ParseTargetInfoAndSourceInfo.
Test: Run recovery_unit_test on marlin.
Change-Id: Ic8bc9b7a8dcf98f1f8db2e259607564508726857
The added codes are not used in the updater yet. The switch will happen
in subsequent CLs.
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I1ae8a233280f02c2171b43ef028bdccdacb39c59
This shortens the gap between A/B and non-A/B builds, by replacing the
dependency on build-time flag with runtime detection instead. It also
allows building and testing both paths regardless of the target OTA
type.
The size increase to /sbin/recovery looks negligible (< 0.01%).
- marlin: increased from 2084928 to 2085024;
- angler: increased from 2084776 to 2084896.
Test: Run recovery_component_test on angler and marlin.
Test: Sideload an A/B OTA package on marlin.
Test: Sideload a non-A/B OTA package on angler.
Change-Id: I1d927d1ede9713fb42f73b4fe324aa5705ee6f99
It addresses the ScreenRecoveryUITest failures on gce targets which
don't have any graphics backend. Probing for all backend devices in
tests could work, but would duplicate codes. This CL relies on the
result of gr_init().
As a side effect, it may give false negatives if gr_init() is supposed
to work but silently broken. But such issues are beyond
ScreenRecoveryUITest's concern, which should be captured by the tests
for minui or graphics backends instead.
Fixes: 79616356
Test: Run recovery_unit_test on marlin.
Test: Run recovery_unit_test on gce.
Change-Id: I121aacc61c8a614447509506057ecfd8d86163e4
The threads in RecoveryUI only get initialized if their Init()s finish
successfully.
Test: recovery_unit_test on marlin.
Change-Id: Ic4b62300a3cbd47887d9f4a90dc26f8a7deab616
As warned below (while running the test), the default death test style
(i.e. "fast") doesn't work well in a threaded context, which causes test
flakiness (timeout or early exit).
[WARNING] external/googletest/googletest/src/gtest-death-test.cc:836:: Death tests use fork(), which is unsafe particularly in a threaded context. For this test, Google Test detected 3 threads.
This CL specifies the death test styles to be "threadsafe" for the
following death tests.
- RangeSetTest.GetBlockNumber
- RangeSetTest.file_range
- ScreenRecoveryUITest.LoadAnimation_MissingAnimation
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin. Test passes and the above
warning is gone.
Change-Id: I245bbc09286702d5cb326f878c4391e842b66cc5
This is a stress test that instantiates multiple testcases that
interrupt a BBOTA update at every transfer command. Each testcase
asserts the last_command_file after the interruption, verifies the
update resumability, then resumes the update and asserts the updated
image.
The transfer list in the testcase covers most of the transfer commands
(stash/free/move/bsdiff/zero/new), as well as some special pattern like
having duplicate stash ids.
This CL also addresses one issue in the updater code, by resetting the
stash_map before each run. The stash map should be valid only per
block_image_verify/block_image_update run. Having leftover may cause
issue in subsequent runs, in particular when calling block_image_verify
after a previous run of block_image_{update,verify}.
Test: Run recovery_component_test on marlin.
Change-Id: I6f9a0368d194a754ce41a9c9819c6d5be2657248
Move the commands map parsing out of PerformBlockImageUpdate(), as this
can be done more easily by the caller.
The goal (not done in this CL) is to decouple command parsing logic from
the performers. This allows (a) focusing on the command logic in the
performer; and (b) extending BBOTA commands syntax separately.
Test: Run recovery_unit_test and recovery_component_test.
Change-Id: Ife202398a7660b152d84a3ba17b90f93d19c55f2
Otherwise tests may interfere with each other by using the same / default
location.
Test: Run recovery_component_test on marlin.
Change-Id: I6b0455489f2fdce819009964dd92bfd9bfeb06ef
The imgpatch will fail on empty deflates because the bspatch won't call
the sink function if the target length is zero.
Instead of compressing an empty string, it's cleaner to not generate such
empty deflate chunks in the patch. Therefore, we can just convert the
chunk type to raw if the target length is smaller than the patch data.
Also adjust some unit tests and add the testdata gzipped_source &
gzipped_target. These two files are ~1K each and are generated by
gzipping two slightly different regular files.
Bug: 79265132
Test: unit tests pass, imgpatch applys successfully on the given src/tgt
Change-Id: I6bfff3251918137f6762a6f9e9551642371a1124
Move the common codes into RunBlockImageUpdate(). Also clean up the
partition updated marker after running each test.
Test: Run recovery_component_test on marlin.
Change-Id: Id4302e4da4c664231b737a1e83d2e164ef58ed97
Test: Build and boot into recovery on walleye. Check the long press
detection; `Run graphics test`.
Change-Id: Ic3e9b0652fc3ff6fb3ad118df5ebb9bb4abda2cd
Move most source files into librecovery so they become testable. Only
recovery_main.cpp and logging.cpp are built into recovery module, as
they perform one-time setup (e.g. setting up logger).
Test: `mmma -j bootable/recovery` with
aosp_{angler,bullhead,fugu,dragon,marlin}-userdebug
Test: recovery_host_test; recovery_unit_test; recovery_component_test;
recovery_manual_test
Test: Build and boot into recovery image on angler.
Change-Id: Ic4444f87a2f123557c71085f81dc2b2764c05ed8
Merged-In: Ic4444f87a2f123557c71085f81dc2b2764c05ed8
Move most source files into librecovery so they become testable. Only
recovery_main.cpp and logging.cpp are built into recovery module, as
they perform one-time setup (e.g. setting up logger).
Test: `mmma -j bootable/recovery` with
aosp_{angler,bullhead,fugu,dragon,marlin}-userdebug
Test: recovery_host_test; recovery_unit_test; recovery_component_test;
recovery_manual_test
Test: Build and boot into recovery image on angler.
Change-Id: Ic4444f87a2f123557c71085f81dc2b2764c05ed8
(cherry picked from commit bf4c006d7bc8a4517c82399bbffd9cb09971c0b4)
Reorder librecovery and librecovery_ui, so that librecovery stays closer
to recovery (in preparation for later changes that move more files
between the two). For the libraries in LOCAL_STATIC_LIBRARIES, reorder
them based on the dependency - local modules coming first, with external
libraries near the end. Sort the local / external modules, unless a
specific order is needed.
In tests/Android.mk, split the monolithic list of LOCAL_STATIC_LIBRARIES
based on modules. This makes adding / finding libraries easier.
There's no functionality in this CL.
Test: mmma -j bootable/recovery
Change-Id: I6836be574df565001ae9cd3d466a2b6460d90d08
The CL in [1] moved android.os.RecoverySystem to send the locale
argument in well-formed BCP 47 language tags (e.g. "en-US" instead of
"en_US"), with the matching changes to recovery code in [2]. However,
the one in ScreenRecoveryUI::SetLocale() was missed, which broke RTL
locale detection when using new format.
[1] commit 38715228 in platform/frameworks/base
[2] commit 2078b22e in platform/bootable/recovery
Test: Set the locale to "ar-EG". `Run graphics test` under recovery.
Check the progress bar.
Test: Run recovery_unit_test on marlin.
Change-Id: I7c7f5e0725bfb096109c7192c19f3f008e8e47e3
In order to support that, this CL adds Paths::set_resource_dir() to
override the default resource dir ("/res/images/") that's only available
under recovery. Note that since there're external modules depending on
libminui, it adds a separate function of res_set_resource_dir(), instead
of requiring the dependency on libotautil for everyone.
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Change-Id: I0a7dcf4476808bea9e634eaffc9676f6cbaf92b7
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Test: Build and boot into recovery image on angler. Check the UI that
shows menu ('View recovery log', 'Wipe data', 'Run locale test').
Test: Start recovery with '--prompt_and_wipe_data'. Check the UI.
Change-Id: If8a4209e0bb4ca64f719f9f9465d3b3589a69cdc
Since we instantiate a Menu object each time for a given set of
header/items, we don't have a use case of re-populating an existing Menu
with different data (which is what Menu::Start() does).
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Test: Build and boot into recovery image on angler. Check the UI.
Change-Id: Iaa2ba9d406ebd74c015e43198c17c5335b38df53
Export its header (mounts.h) from there, and drop the dot dot dependency
from libupdater / updater.
Test: mmma bootable/recovery
Test: recovery_component_test
Change-Id: Ic26a6b9b78a34dbe1f178b138f3abaafffbec44c
We have a general need for overriding more paths (e.g. "/tmp"), mostly
for testing purpose. Rename CacheLocation to Paths, and use that to
manage TEMPORARY_{INSTALL,LOG}_FILE.
Test: mmma -j bootable/recovery
Test: recovery_component_test
Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
Dump the SHA1 of the uncompressed data in applypatch to confirm if we
are at least doing the bspatch part correctly. (I expect so since the actual
length of the uncompressed data matches the expected length).
Also try to decompress the deflate chunk inside the recovery image for
these two flacky tests. In theory, there shouldn't be randomness in
zlib; so we would know if we process the data wrongly if the deflate fails
to decompress.
Bug: 67849209
Test: recovery_component_test
Change-Id: Id947522153b1eeb0d10d161298a96fb045f92018
The apply patch test should have a deterministic way to append patch
data. Add debug logs to dump the length and SHA1 of each step to further
track down the flakiness.
Also redirect the debug logging to stdout in case the logcat becomes too
chatty.
Bug: 67849209
Test: Run recovery_component_test
Change-Id: I42bafef2d9dee599719ae57840b3d8c00d243ebd
This allows the update_verifier in a general system image to work across
devices that have different verified boot versions (i.e. not supported /
verified boot 1.0 / verified boot 2.0 / disabled).
Bug: 78283982
Test: Run recovery_component_test on both of marlin and walleye.
Test: Generate an OTA that has this CL. Install this OTA and check the
update_verifier log during the post-reboot verification, on both
of marlin (VB 1.0) and walleye (VB 2.0).
Test: Build and flash walleye image with verified boot disabled. Check
that update_verifier marks the slot as successfully booted.
Change-Id: I828d87d59f911786531f774ffcf9b2ad7c2ca007
After splitting the previously flaky
ApplyPatchModesTest#PatchModeEmmcTarget tests,
PatchModeEmmcTargetWithMultiplePatches now becomes the sole victim. This
CL dumps additional info to narrow down the cause.
Bug: 67849209
Test: `recovery_component_test` on marlin.
Test: It dumps additional info after using corrupt bonus.file.
Change-Id: Ic5436de457cc882a51d03f49d5cee70077f7d3df
Although the tests were initially written for checking the validity of
the text images, it doesn't hurt to run them continuously as part of the
component test (recovery_manual_test requires reboots during the run,
due to the nature of the tests of recovery-{refresh,persist}). This also
allows detecting breaking changes to libminui or libpng.
There's a catch that the ResourcesTest won't be triggered via `atest`,
as the res-* testdata won't be picked up via AndroidTest.xml. Explored
a few options but not addressing that in this CL:
- `atest` is not fully working in AOSP yet (missing support in
tools/tradefederation/core/atest/atest.py).
- `atest` doesn't allow specifying the testdata with path in the 'push'
option.
- It won't fail the test run though, as ResourcesTest will skip the
tests automatically when it finds no text image file.
- APCT and manual `adb sync data` are not affected, and I don't see an
active user of `atest` other than a tool for manual test invocation.
- Unrelated to this CL, `atest` doesn't seem to work well with
recovery_component_test or recovery_unit_test while we have both of
them in one AndroidTest.xml. It randomly triggers only one of them,
despite of the given test name. When splitting AndroidTest.xml into
two, it tends to pick up the wrong testdata subdir and gives wrong
results.
Test: Run recovery_manual_test and recovery_component_test on marlin.
Change-Id: I3a237499a7770356e14085674bc8b9cb4551db85
As a private header for testing purpose. PngHandler additionally loads a
given filename if the one with '/res/images' prefix is not available. It
also provides color_type/bit_depth that are parsed from the PNG file.
This allows reusing the same code for the ResourcesTest (renamed from
ResourceTest).
Test: Run recovery_manual_test on marlin.
Change-Id: I3f939d79a1cb1b83a899847dbe2d51bde15d16d8
We set the limit of the max stash size to 80% of cache size. But the
cache space can still be insufficient for the update if the log files
occupy a large chunk of /cache. So remove the old logs for now to make
room for the update.
Bug: 77528881
Test: unit tests pass
Change-Id: Ia8bcb0ace11f8164ad9290bfb360e08e31d282cb
Also push the testdata in AndroidTest.xml for `atest`.
LOCAL_TEST_DATA was added in commit [1], which ships testdata next to
native tests.
With this CL,
1) manually sync-ing via `adb sync` and running tests with `adb shell`
keep working.
2) both of 32- and 64-bit recovery_{unit,component}_test now work in
APCT continuous tests. Note that 64-bit tests were failing
previously in APCT, due to missing testdata.
3) `atest recovery_unit_test` works, as the testdata gets pushed to
/data/local/tmp.
[1] commit d07ba4e2a625a8f000d042c1953adb612bccbbe2 in
https://android-review.googlesource.com/c/platform/build/+/312567.
Bug: 77320514
Test: Build recovery_{unit,component,manual}_test. Setup the test via
`adb sync data`. Run both of 32- and 64-bit versions on device.
Test: Build and run recovery_host_test on host, for both of 32- and
64-bit versions.
Test: `atest recovery_component_test`
Change-Id: Ie54037726043a3a659a80030b83db1f8c1de318d
Also consolidate the duplicate codes to draw the menu in ScreenRecoveryUI
and WearRecoveryUI. This helps us to support text icons as menu in the
future.
Bug: 74397117
Test: Check the menu under recovery on bullhead and a wear device.
Change-Id: Iba9b646c3828670f0e78a7e07d1a94a44e96bb0b
Merged-In: Iba9b646c3828670f0e78a7e07d1a94a44e96bb0b
We have added the support for building /product partition in build
system (the CL in [1]), where /product is an optional partition that
contains system files. This CL adds the matching support if /product
needs to be verified during A/B OTA (i.e. listed in care_map file).
[1]: commit b7735d81054002961b681f4bdf296d4de2701135,
https://android-review.googlesource.com/c/platform/build/+/598454
Bug: 63974895
Test: Run update_verifier test on walleye.
Change-Id: Ia1c35e9583b8e66c98a4495b1f81a5ea7e65036f
We have been seeing flakiness in continuous test, but unable to
reproduce locally. Break it down into smaller units to narrow down the
cause.
Bug: 67849209
Test: Run recovery_component_test on marlin.
Change-Id: Ia24b0c5d137bad27d502575fcd18d3ca9c9828b6
/system/bin/applypatch on device is expected to work with bsdiff based
recovery-from-boot patch automatically. Adding a test to ensure that's
always the case.
Bug: 72731506
Test: Run recovery_component_test on marlin.
Change-Id: I56283cd3ce7cf0215cc3bb3619b206fa01d552c4
This class allows us to set the following locations dynamically:
cache_temp_source, last_command_file, stash_directory_base.
In the updater's main function, we reset the values of these variables
to their default locations in /cache; while we can set them to temp
files in unit tests or host simulation.
Test: unit tests pass
Change-Id: I528652650caa41373617ab055d41b1f1a4ec0f87
In the split mode of imgdiff, we used to assume that the size of a split
target chunk is always greater than the blocksize i.e. 4096. This may
lead to the following assertion failure:
I0221 04:57:33.451323 818464 common.py:205 imgdiff F 02-21 04:57:33 821203 821203 imgdiff.cpp:999]
Check failed: tgt_size >= BLOCK_SIZE (tgt_size=476, BLOCK_SIZE=4096)
This CL removes the assumption and handles the edge cases.
Test: generate and verify the incremental update for TFs in the bug; unit test passes
Bug: 73757557
Bug: 73711365
Change-Id: Iadbb4ee658995f5856cd488f3793980881a59620
When performing an update, save the index and cmdline of the current
command into the last command file if this command writes to the stash
either explicitly of implicitly. This mitigates the overhead to update
the last command file for every command. I ran a simple test on angler
and the time to update 1000 times is ~2.3 seconds.
Upon resuming an update, read the saved index first; then
1. In verification mode, check if all commands before the saved index
have already produced the expected target blocks. If not, delete the
last command file so that we will later resume the update from the
start of the transfer list.
2. In update mode, skip all commands before the saved index. Therefore,
we can avoid deleting stashes with duplicate id unintentionally;
and also speed up the update.
If an update succeeds or is unresumable, delete the last command file.
Bug: 69858743
Test: Unittest passed, apply a failed update with invalid cmd on angler
and check the last_command content, apply a failed update with invalid
source hash and last_command is deleted.
Change-Id: Ib60ba1e3c6d111d9f33097759b17dbcef97a37bf
Prior to this CL, the block verification works were assigned based on
the pattern of the ranges, which could lead to unbalanced workloads. This
CL adds RangeSet::Split() and moves update_verifier over.
a) For the following care_map.txt on walleye:
system
20,0,347,348,540,556,32770,33084,98306,98620,163842,164156,229378,229692,294914,295228,524289,524291,524292,524348,529059
vendor
8,0,120,135,32770,32831,94564,98304,98306
Measured the time costs prior to and with this CL with the following
script.
$ cat test_update_verifier.sh
#!/bin/sh
adb shell stop
adb shell "cp /data/local/tmp/care_map.txt /data/ota_package/"
for i in $(seq 1 50)
do
echo "Iteration: $i"
adb shell "bootctl set-active-boot-slot 0"
adb shell "echo 3 > /proc/sys/vm/drop_caches"
adb shell "time /data/local/tmp/update_verifier"
sleep 3
done
Without this CL, the average time cost is 5.66s, while with the CL it's
reduced to 3.2s.
b) For the following care_map.txt, measured the performance on marlin:
system
18,0,271,286,457,8350,32770,33022,98306,98558,163842,164094,196609,204800,229378,229630,294914,295166,501547
vendor
10,0,42,44,85,2408,32770,32806,32807,36902,74242
It takes 12.9s and 5.6s without and with the CL respectively.
Fixes: 68553827
Test: recovery_unit_test
Test: Flash new build and trigger update_verifier. Check the balanced
block verification.
Change-Id: I5fa4bf09a84e6b9b0975ee5f522724464181333f
We used to CHECK and abort on parsing errors. While it works fine for
the updater use case (because recovery starts updater in a forked
process and collects the process exit code), it's difficult for other
clients to use RangeSet as a library (e.g. update_verifier).
This CL switches the aborts to returning empty RangeSet instead. Callers
need to check the parsing results explicitly.
The CL also separates RangeSet::PushBack() into a function, and moves
SortedRangeSet::Clear() into RangeSet.
Test: recovery_unit_test
Test: Sideload an OTA package with the new updater on angler.
Test: Sideload an OTA package with injected range string errors. The
updater aborts from the explicit checks.
Change-Id: If2b7f6f41dc93af917a21c7877a83e98dc3fd016
This CL mainly changes:
a) moving the interface in struct provider_vtab to std::function;
b) code cleanup, such as moving the declaration closer to the uses,
using explicit type conversion.
Test: recovery_component_test
Test: minadbd_test
Test: Sideload a package on marlin.
Change-Id: Id0e3c70f1ada54a4cd985b54c84438c23ed4687e
We encountered segfaults in Imgdiff host tests due to the failure to
reset states of getopt. The problem can be solved by switching to use
bionic's gtest where a new process is forked for each test.
Also modify the recovery_component_test to make sure it runs in parallel.
Changes include:
1. Merge the writes to misc partition into one single test.
2. Change the hard coded location "/cache/saved.file" into a configurable
variable.
Bug: 67849209
Test: recovery tests pass
Change-Id: I165d313f32b83393fb7922c5078636ac40b50bc2
~TemporaryDir() calls rmdir(2) directly, which works with empty
directories only.
Test: Run recovery_host_test; No leftover on host.
Test; Run recovery_component_test on marlin; No leftover on device.
Change-Id: Ib510efb16eeda61b34161e2b386499e6cb79a4ca
