ro.bootimage.* sysprops will be removed as they are redundant. Read
ro.build.fingerprint instead.
This is safe because:
2) ro.bootimage.build.fingerprint is the same as other
ro.<partition>.build.fingerprint all of which are from
$(BUILD_FINGERPRINT_FILE).
3) BUILD_FINGERPRINT_FILE is composed of PRODUCT_BRAND, TARGET_PRODUCT,
TARGET_DEVICE, etc.
4) ro.build.fingerprint is auto-composed by init at runtime by the same
rule as #3.
Bug: 117892318
Test: enter into the recovery mode and manually inspect the title line
Change-Id: If28d710f45b98a0effc0159851bca6afb2aa5735
After a reboot function call, we should always wait for it to finish
without executing other instructions.
Bug: 151110322
Test: build
Change-Id: I1dda291a0835ff96df7eaf42eba1a38267a3beeb
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures
Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
This reverts commit 5e6c4e9a91.
Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420
Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
For non A/B and Virtual A/B devices where sideloading may affect
the existing OS,
- If sideload has failed, show a warning message in recovery menu header.
- If sideload has interrupted, automatically reboot back into recovery and
show the warning message in recovery menu header.
Test: the above
Fixes: 140749209
Change-Id: Ifdfc28b45975cdc31b6fce2ecb99acc31bc61fa8
If previous installation fails, menu item 'Reboot system now'
and 'Power off' now prompts for confirmation from the user.
Known issues:
- If the sideload is interrupted, it'll still boot into normal
Android in the next cycle.
- If 'Enter fastbootd' is chosen, and then 'Enter recovery', such
prompt do not show up.
Test: manual
Fixes: 142892891
Change-Id: I929b80e0520bd3b9f56d88a4b2203fcdd8d7b013
This code is dead. It was briefly used to support "adb remount" with
deduplicated partitions, but was very quickly obsoleted by overlayfs
support. There is no reason to include it anymore.
Bug: N/A
Test: N/A
Change-Id: I4cdcbf66bec80092f954826eaae037934ff37765
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Mounting /system in Virtual A/B devices may require the creation of the
associated snapshot devices.
This patch performs all the required initializations prior to attempting
the mount of /system.
Bug: 139157327
Test: manual /system partition mount on VAB device during OTA
Depends-on: I7337bdd38d7016d12d3ee42be1c7893b10e9116d
Change-Id: I71a9dfc57e1a1354f1f1edc5d287aca93c0c8924
Signed-off-by: Alessio Balsini <balsini@google.com>
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.
Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
Additionally kill the global variable: reason, stage; move them to a
separate BootState class instead. Vendor specific recovery code will
need to call getters from Device() class to access these variables.
Bug: 137705917
Test: unit tests pass, boot sailfish into recovery, code search and no
code includes common.h in vendor specific recovery.
Change-Id: Ia50a5ea951212c25548562f29cc9cf78505b5e34
Some global variables are only used for recovery.cpp and
recovery_main.cpp, remove them from common.h and handle their usage
accordingly. Variables include:
static constexpr int kRecoveryApiVersion;
extern struct selabel_handle* sehandle;
extern RecoveryUI* ui;
extern bool has_cache;
bool is_ro_debuggable();
Test: unit tests pass, boot into recovery mode and run graphic tests
Change-Id: If83a005786c9b38412731da97aaf85af69a3b917
We may fail to memory map the package on 32 bit builds for packages with
2GiB+ size. This cl tries to install the package with fuse when memory map
fails in such cases.
Bug: 127071893
Test: build 32 bit version sailfish, push package and block.map, reboot into recovery with
the corresponding update_package argument.
Change-Id: I5dae4f3e27ccaf8d64ff3657d36f0e75db2330b0
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.
This is part of the effort to install larger than 2GiB packages on ILP32
devices.
Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.
Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
Therefore InstallPackage() doesn't need to worry about the details of a
given Package.
Bug: 127071893
Test: run update from /bin/recovery --update_package=@path, sideload a package
Change-Id: I0caa36785b43924f884ee398e7ea640d7472a92e
shutdown and reboot should have a corresponding sub-reason.
Adding:
"reboot,userrequested,fastboot"
"reboot,userrequested,recovery"
"reboot,userrequested,recovery,ui"
"shutdown,userrequested,fastboot"
"shutdown,userrequested,recovery"
"reboot,unknown#" (Can't happen, debug)
Test: manual, multiple targets, enter recovery, be able to exit recovery
Bug: 133326470
Change-Id: Ibfcb2a23158e8e99922e8053edd815fb592150f2
This reverts commit 6f4e4db4f9.
Reason for revert: Booting out of recovery (choose `Reboot system now`)
on taimen is broken. Device keeps booting back into recovery.
Bug: 133326470
Test: Choose `Reboot system now` from recovery menu. Deivce attempts
normal boot.
Change-Id: I6e85fc248e18953a6fb94513c3abc7e7e0fb0477
shutdown and reboot should have a corresponding sub-reason.
Adding:
"reboot,fastboot_menu"
"reboot,recovery_menu"
"reboot,recovery_ui"
"shutdown,fastboot"
"shutdown,recovery"
"reboot,unknown#"
Test: none
Change-Id: Icf1ab0d462ec2de2272914a36994a095998d6186
Test: Choose `Reboot system now`, `Power off`, `Reboot to bootloader`
from recovery UI respectively.
Test: `adb reboot recovery` while under sideload mode.
Change-Id: I0f3d55b80b472178ea4f6970b29cd9df0778b639
Prior to this CL, GetWipePartitionList was declared in install.h
(libinstall) but defined in recovery.cpp (librecovery). This CL
addresses the issue by refactoring wipe-device related functions into
install/wipe_device.cpp.
Test: atest recovery_component_test
Change-Id: I7ebe04ccfda3d793e085403560a0a202752d9ee3
bootloader will set `boot-rescue` in BCB command field to indicate
booting into rescue mode. This CL adds the matching parsing code.
This CL changes the on-screen UI to display the default image while
waiting for each sideload / rescue command.
It also changes the minadbd reboot handlers to use REBOOT_ instead of
the previous ENTER_ actions. This ensures a reboot going through
bootloader, which may load a newly installed bootloader/recovery.
Bug: 128505466
Test: Boot into rescue mode. Run `adb rescue getprop` and `adb rescue
install`. Check the UI. Then run `adb reboot rescue`.
Change-Id: I5b7de9dfd898ed8e14bea0d4ad7385a9bae26e94
Therefore, libinstall becomes the sole owner to handle the request
from minadbd service.
The change also includes
1. move logging.cpp out of librecovery
2. drop the dependency on common.h
3. now it's more sensible to move the wipe_cache as part of
install_package. move the wipe_cache to the end of the function.
Bug: 130166585
Test: wipe data and cache from menu
Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
This used to be a helper function that allows printing message to UI.
We no longer have any active user in bootable/recovery. Device-specific
code can achieve the same functionality by calling GetUI()->Print()
instead.
Test: mmma -j bootable/recovery
Change-Id: If584fc8a51d1af466f1d94d8ea5faa262603a784
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.
Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
This helps to expose librecovery_ui for device specific RecoveryUi.
Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
(cherry picked from commit b5108c372c)
Move the sdcard installation function and all helper functions to a
separate file, and drop the dependency on common.h.
In the future, we want to move these functions into the install class.
Bug: 127071893
Test: unit tests pass
Change-Id: I0b7f7cbf0b68918e638e13878ca28bfca367088a
The fuse data provider for adb/sdcard shares common code and structures.
This cl creates a FuseDataProvider base class and provides
implementations for adb and sdcard.
In the follow cls, we can kill the provider_vtab struct; and also add
another implementation to parse a block map file and provides data.
Test: unit tests pass, sideload a package, apply a package from sdcard
Change-Id: If8311666a52a2e3c0fbae0ee9688fa6d01e4ad09
The wipe package used to open the zip file directly from the content
string. Switch to use the interface from the new package class instead.
Bug: 127071893
Test: unit tests pass
Change-Id: I990e7f00c5148710722d17140bab2e343eea3b6b
Creates a new class handle the package in memory and package read from fd.
Define the new interface functions, and make approximate changes to the
verify and install functions.
Bug: 127071893
Test: unit tests pass, sideload a package
Change-Id: I66ab00654df92471184536fd147b237a86e9c5b5
This gives us finer control over the partitions to wipe on the host
side.
Bug: 127492427
Test: unit tests pass, install a wipe package on sailfish
Change-Id: I612f8bac743a310f28e365b490ef388b278cfccb
Convert code to use C++ Fstab struct and C++ std::strings.
Bug: 62292478
Bug: 118634720
Test: boots
Change-Id: Ibdc1df5831bc885d7c1574419f41af026e49a137
After we generate the localized confirmation text images for certain dpi,
we can now load these images and display them under recovery. Devices that
cannot load the images will use the backup text strings as before.
Bug: 74397117
Test: check the menu with multiple locales, and check all the images locally
with locale test, check the fall back strings.
Change-Id: Ic31a55670026c909ec7a05cb0bb4a0fc1d5d15c7
Add a get_system_root() function in roots.cpp
which returns / or /system based on fstab.
This factors out the 'if' check from recovery.cpp
and fsck_unshare_blocks.cpp.
Test: boot recovery, mount system
Bug: 118634720
Change-Id: If4947cba3a3f08dbe695fd2b50a9354cd302ee03
The two functions check_wipe_package() and check_newer_ab_build() were
using the same flow; and checked the same device properties against the
metadata file in the package. These properties include: ota_type,
pre-device, and serial number.
Therefore, we can consolidate the checks to a single function; and
continue to check the fingerprint and timestamp only for AB updates.
This change also addresses the need to accept multiple serial number in
the wipe package.
Bug: 118401208
Test: unit tests pass
Change-Id: Ia6bc48fb6effcae059a2ff2cf71764b4136b4c00
Add a function in screenUI to display the pre-generated graphs for
rescue party. If these graphs are not valid, falls back to display
the old text strings.
Right now we haven't generated the localized graphs yet, so the UI
always shows the TextMenu.
Bug: 116655889
Test: check rescue party under recovery
Change-Id: I0558cb536b659cdc25c8b7946d3a39820935b003
If there is a "/system" in the fstab, then can not be a
system as root image.
Test: compile
Bug: 109821005
Change-Id: I2c852dcbdcf6de437d39039937799feeef949516
