Commit graph

38 commits

Author SHA1 Message Date
Yabin Cui
a58a6dbe3d uncrypt: split libbootloader_message_writer for reuse.
init and vold also need to write the bootloader message, so
split this function out of uncrypt into a separate library.

Bug: 27176738
Change-Id: If9b0887b4f6ffab6162d9cb47a6ceb7eedd60b4d
2016-04-08 11:46:56 -07:00
Yabin Cui
912e87e91d Merge "uncrypt: fix call to close()." into nyc-dev 2016-03-29 22:48:08 +00:00
Yabin Cui
ffa3a1c222 uncrypt: fix call to close().
Bug: 27897229
Change-Id: Iab5e829af1676f7fcd8a4b00a194aa679ed4e372
2016-03-29 15:35:58 -07:00
Yabin Cui
61799baba3 uncrypt: remove --read-bcb option.
Bug: 27897241
Change-Id: I4f52ada58e8f204dba8c974ea0ae03876411ecf0
2016-03-29 14:33:35 -07:00
Tao Bao
3a2bb594df uncrypt: Communicate via /dev/socket/uncrypt.
We used to rely on files (e.g. /cache/recovery/command and
/cache/recovery/uncrypt_status) to communicate between uncrypt and its
caller (i.e. system_server). Since A/B devices may not have /cache
partitions anymore, we switch to socket communication instead.

We will keep the use of /cache/recovery/uncrypt_file to indicate the OTA
package to be uncrypt'd, though, because there is existing logic in
ShutdownThread.java that depends on the existence of the file to
detect pending uncrypt work. This part won't affect A/B devices without
/cache partitions, because such devices won't need the uncrypt service (i.e.
the real de-encrypt work) anyway.

Bug: 27176738
Change-Id: I481406e09e3ffc7b80f2c9e39003b9fca028742e
2016-03-02 23:23:32 -08:00
Tao Bao
5b3b373a49 uncrypt: Retire pre-recovery service.
The framework CL in [1] removes the use of "pre-recovery" service which
is basically to trigger a reboot into the recovery.

[1] commit e8a403d57c8ea540f8287cdaee8b90f0cf9626a3

Bug: 26830925
Change-Id: I131f31a228df59e4f9c3024b238bbdee0be2b157
2016-02-22 17:33:41 -08:00
Yabin Cui
2d46da57e1 uncrypt: add options to setup bcb and clear bcb.
Bug: 26696173

Change-Id: I3a612f045aaa9e93e61ae45b05300d02b19bb3ad
2016-02-03 10:43:03 -08:00
Yabin Cui
25dd0386fe uncrypt: generate map file by renaming tmp file.
Writing the map file directly can break the consistency of the map file if
it fails in the middle. Instead, we write a temporary file and
rename the temporary file to the map file.

Bug: 26883096
Change-Id: I5e99e942e1b75e758af5f7a48f8a08a0b0041d6a
2016-02-01 14:43:14 -08:00
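The write-temp-then-rename pattern described in this commit, as an added example rather than uncrypt's own code: the new contents go to a sibling `.tmp` file, are fsync'd, then renamed over the target, and the parent directory is fsync'd so the rename itself is durable. A crash at any point leaves either the old file or the complete new file, never a truncated map. Function names (`write_file_atomically`, `read_file`, `path_exists`) and the `/tmp` sample path are assumptions for this example; the `TEMP_FAILURE_RETRY` fallback is only used where libc does not already define it.

```cpp
#include <cerrno>
#include <cstdio>
#include <fcntl.h>
#include <fstream>
#include <sstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

#ifndef TEMP_FAILURE_RETRY
// Retry a syscall interrupted by a signal (glibc and bionic provide this macro).
#define TEMP_FAILURE_RETRY(exp) \
    ({ decltype(exp) _rc; do { _rc = (exp); } while (_rc == -1 && errno == EINTR); _rc; })
#endif

// Directory containing `path` ("." when there is no slash); needed to fsync the rename.
static std::string parent_dir(const std::string& path) {
    size_t slash = path.rfind('/');
    if (slash == std::string::npos) return ".";
    if (slash == 0) return "/";
    return path.substr(0, slash);
}

// Write the whole buffer, coping with short writes.
static bool write_all(int fd, const char* data, size_t len) {
    while (len > 0) {
        ssize_t n = TEMP_FAILURE_RETRY(write(fd, data, len));
        if (n <= 0) return false;
        data += n;
        len -= static_cast<size_t>(n);
    }
    return true;
}

// Replace `path` with `contents` atomically: temp file -> fsync -> rename -> fsync dir.
bool write_file_atomically(const std::string& path, const std::string& contents) {
    const std::string tmp = path + ".tmp";  // assumed naming for the temporary file
    int fd = TEMP_FAILURE_RETRY(open(tmp.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644));
    if (fd == -1) return false;
    bool ok = write_all(fd, contents.data(), contents.size()) && fsync(fd) == 0;
    if (close(fd) != 0) ok = false;
    if (!ok || rename(tmp.c_str(), path.c_str()) != 0) {
        unlink(tmp.c_str());  // never leave a half-written temp file behind
        return false;
    }
    int dfd = TEMP_FAILURE_RETRY(open(parent_dir(path).c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
    if (dfd == -1) return false;
    bool dir_ok = fsync(dfd) == 0;  // make the directory entry update durable too
    close(dfd);
    return dir_ok;
}

// Read a whole file into a string; returns "" when the file cannot be opened.
std::string read_file(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    std::ostringstream buf;
    buf << in.rdbuf();
    return buf.str();
}

bool path_exists(const std::string& path) {
    struct stat sb;
    return stat(path.c_str(), &sb) == 0;
}

int main() {
    // Constructed sample contents; the real map file format is not shown here.
    const std::string map = "/tmp/uncrypt_example.map";
    bool ok = write_file_atomically(map, "sample map contents v1\n");
    printf("%s: %s, temp left behind: %s\n", map.c_str(), ok ? "written" : "failed",
           path_exists(map + ".tmp") ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Rewriting an existing map with a second call shows the point of the pattern: a reader only ever sees the old complete file or the new complete file.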
Daniel Micay
c5631fc096 uncrypt: avoid use-after-free
The `std::string package` variable goes out of scope but the input_path
variable is then used to access the memory as it's set to `c_str()`.

This was detected via OpenBSD malloc's junk filling feature.

Change-Id: Ic4b939347881b6ebebf71884e7e2272ce99510e2
2016-01-12 14:08:34 -08:00
Tao Bao
b8df5fb90e uncrypt: Suppress the compiler warnings on LP64.
We have the following warnings when compiling uncrypt on LP64 (e.g.
aosp_angler-userdebug).

bootable/recovery/uncrypt/uncrypt.cpp:77:53: warning: format specifies type 'long long' but the argument has type 'off64_t' (aka 'long') [-Wformat]
        ALOGE("error seeking to offset %lld: %s\n", offset, strerror(errno));
                                       ~~~~         ^~~~~~
                                       %ld
bootable/recovery/uncrypt/uncrypt.cpp:84:54: warning: format specifies type 'long long' but the argument has type 'unsigned long' [-Wformat]
            ALOGE("error writing offset %lld: %s\n", (offset + written), strerror(errno));
                                        ~~~~         ^~~~~~~~~~~~~~~~~~
                                        %lu
bootable/recovery/uncrypt/uncrypt.cpp:246:16: warning: comparison of integers of different signs: 'size_t' (aka 'unsigned long') and 'off_t' (aka 'long') [-Wsign-compare]
    while (pos < sb.st_size) {
           ~~~ ^ ~~~~~~~~~~

According to POSIX spec [1], we have:
  off_t and blksize_t shall be signed integer types;
  size_t shall be an unsigned integer type;
  blksize_t and size_t are no greater than the width of type long.

And on Android, we always have a 64-bit st_size from stat(2)
(//bionic/libc/include/sys/stat.h).

Fix the type and add necessary casts to suppress the warnings.

[1] http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/sys_types.h.html

Change-Id: I5d64d5b7919c541441176c364752de047f9ecb20
2015-12-09 10:45:39 -08:00
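The type fixes this commit describes (keeping `off_t` loop operands signed and not guessing `%ld` versus `%lld` for `off_t`), as an added example that is not uncrypt's own code. It casts the `off_t` to a fixed-width `int64_t` and uses the matching `PRId64` macro, and keeps both sides of the block-walking comparison as `off_t` so `-Wsign-compare` has nothing to flag. The function names are assumptions for this example.

```cpp
#include <cinttypes>
#include <cstdint>
#include <cstdio>
#include <string>
#include <sys/stat.h>

// Number of blksize-byte blocks needed to hold `size` bytes. Both loop
// operands are off_t (signed), so there is no signed/unsigned comparison,
// and the count lives in a fixed-width unsigned type on LP32 and LP64 alike.
uint64_t count_blocks(off_t size, size_t blksize) {
    if (size <= 0 || blksize == 0) return 0;
    uint64_t blocks = 0;
    for (off_t pos = 0; pos < size; pos += static_cast<off_t>(blksize)) {
        ++blocks;
    }
    return blocks;
}

// Portable formatting of an off_t plus a byte count: cast to int64_t and use
// PRId64 rather than a platform-dependent %ld/%lld; size_t gets %zu.
std::string describe_offset(const std::string& what, off_t offset, size_t written) {
    char buf[160];
    snprintf(buf, sizeof(buf), "%s at offset %" PRId64 " (+%zu bytes)", what.c_str(),
             static_cast<int64_t>(offset), written);
    return buf;
}

// Block count of an existing file using the filesystem's preferred block size;
// st_size is off_t and st_blksize is blksize_t, so the casts above apply here.
bool file_block_count(const std::string& path, uint64_t* blocks) {
    struct stat sb;
    if (stat(path.c_str(), &sb) != 0) return false;
    *blocks = count_blocks(sb.st_size, static_cast<size_t>(sb.st_blksize));
    return true;
}

int main() {
    uint64_t blocks = 0;
    if (file_block_count("/etc/hostname", &blocks)) {
        printf("%s\n", describe_offset("last block ends", static_cast<off_t>(blocks * 4096), 0).c_str());
    }
    return 0;
}
```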
Elliott Hughes
4b166f0e69 Track rename from base/ to android-base/.
Change-Id: I354a8c424d340a9abe21fd716a4ee0d3b177d86f
2015-12-04 15:30:20 -08:00
Elliott Hughes
63b089e3aa We can use fclose directly in std::unique_ptr.
It turns out the standard explicitly states that if the pointer is
null, the deleter function won't be called. So it doesn't matter that
fclose(3) doesn't accept null.

Change-Id: I10e6e0d62209ec03ac60e673edd46f32ba279a04
2015-11-12 21:07:55 -08:00
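The point of this commit (a null `FILE*` stored in a `std::unique_ptr` never reaches `fclose`, because the standard skips the deleter for a null pointer), as an added example that is not uncrypt's own code. `open_file` returns a `unique_file` whether or not `fopen` succeeded; the failed case is simply tested with `if (!f)` and no `fclose(nullptr)` happens at scope exit. The `unique_file` alias, the helper names and the `/tmp` sample path are assumptions for this example.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Owning FILE* that calls fclose(3) on destruction. unique_ptr does not invoke
// the deleter on a null pointer, so a failed fopen() is safe to store here.
using unique_file = std::unique_ptr<FILE, decltype(&fclose)>;

static unique_file open_file(const std::string& path, const char* mode) {
    return unique_file(fopen(path.c_str(), mode), fclose);
}

// Create/overwrite a small text file; the FILE is closed on every return path.
bool write_text_file(const std::string& path, const std::string& text) {
    unique_file f = open_file(path, "w");
    if (!f) return false;  // null: destructor will not call fclose
    return fputs(text.c_str(), f.get()) != EOF && fflush(f.get()) == 0;
}

// First line of `path` without its newline, or `fallback` if the file cannot
// be opened or is empty. No manual fclose() anywhere, and no leak on early return.
std::string first_line_or(const std::string& path, const std::string& fallback) {
    unique_file f = open_file(path, "r");
    if (!f) return fallback;
    char buf[256];
    if (fgets(buf, sizeof(buf), f.get()) == nullptr) return fallback;
    std::string line(buf);
    if (!line.empty() && line.back() == '\n') line.pop_back();
    return line;
}

int main() {
    // Constructed sample file; the contents are illustrative only.
    const std::string path = "/tmp/uncrypt_example_cmd.txt";
    write_text_file(path, "first line\nsecond line\n");
    printf("%s\n", first_line_or(path, "<missing>").c_str());
    printf("%s\n", first_line_or("/nonexistent_dir_for_example/cmd", "<missing>").c_str());
    return 0;
}
```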
Jaegeuk Kim
cc4e3c6002 uncrypt: remove O_SYNC to avoid time-out failures
This patch removes the costly O_SYNC flag for the encrypted block device.
After writing all decrypted blocks, fsync should guarantee their consistency
against subsequent power failures.
This patch significantly reduces the elapsed time consumed by upgrading packages
on an encrypted partition, so that it can also avoid further time-out failures.

Change-Id: I1fb9022c83ecc00bad09d107fc87a6a09babb0ec
Signed-off-by: Jaegeuk Kim <jaegeuk@motorola.com>
2015-11-04 11:43:58 -08:00
Tom Cherry
daa6d04434 move uncrypt from init.rc to uncrypt.rc
Move uncrypt from /init.rc to /system/etc/init/uncrypt.rc using the
LOCAL_INIT_RC mechanism

Bug: 23186545

Change-Id: Ib8cb6dffd2212f524298279787fd557bc84aa7b9
2015-09-03 16:32:54 -07:00
Tao Bao
c754792a07 Use unique_ptr and unique_fd to manage FDs.
Clean up leaky file descriptors in uncrypt/uncrypt.cpp. Add unique_fd
for open() and unique_file for fopen() to close FDs on destruction.

Bug: 21496020
Change-Id: I0174db0de9d5f59cd43b44757b8ef0f5912c91a2
2015-08-09 22:35:49 -07:00
Tao Bao
7cf50c60b5 uncrypt: Support file level encryption.
Bug: 22534003
Change-Id: I2bc22418c416491da573875dce78daed24f2c046
(cherry picked from commit 6e9dda70cb)
2015-07-24 11:13:25 -07:00
Tao Bao
ac6aa7ede0 uncrypt: Write status when it reboots to factory reset
When it reboots into recovery for a factory reset, it still needs to
write the uncrypt status (-1) to the pipe.

Bug: 21511893
(cherry picked from commit 2c2cae8a4a)
Change-Id: Ia5a75c5edf3afbd916153da1b4de4db2f00d0209
2015-06-09 15:02:22 -07:00
Tao Bao
383b00d0e4 Separate uncrypt into two modes
uncrypt needs to be triggered to prepare the OTA package before
rebooting into the recovery. Separate uncrypt into two modes. In
mode 1, it uncrypts the OTA package, but will not reboot the
device. In mode 2, it wipes the /misc partition and reboots.

Needs matching changes in frameworks/base, system/core and
external/sepolicy to work properly.

Bug: 20012567
Bug: 20949086
(cherry picked from commit 158e11d673)
Change-Id: I349f6d368a0d6f6ee4332831c4cd4075a47426ff
2015-06-09 15:01:10 -07:00
Tao Bao
80e46e08de recovery: Switch to clang
And a few trivial fixes to suppress warnings.

Change-Id: I38734b5f4434643e85feab25f4807b46a45d8d65
2015-06-03 11:30:03 -07:00
Tao Bao
752386319c Clean up the sleep()'s after poking init services
Change-Id: I77564fe5c59e604f1377b278681b7d1bff53a77a
2015-05-27 14:48:56 -07:00
Tao Bao
381f455cac uncrypt: Switch to C++
Also apply some trivial changes like int -> bool and clean-ups.

Change-Id: Ic55fc8b82d7e91b321f69d10175be23d5c04eb92
2015-05-06 11:43:11 -07:00
Tao Bao
fb4ccef1df uncrypt: package on non-data partition should follow the right path
Fix the accidental change of behavior in [1]. OTA packages not on /data
partition should still go through the path that has validity checks and
wipe_misc() steps.

[1]: commit eaf33654c1.

Change-Id: Ice9a049f6259cd2368d2fb95a991f8a6a0120bdd
2015-05-05 17:51:28 -07:00
Elliott Hughes
7bad7c4646 Check all lseek calls succeed.
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek.

Bug: http://b/20625546
Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b
2015-04-29 17:46:43 -07:00
Elliott Hughes
40862ab59e am aeecac54: Merge "Add missing includes."
* commit 'aeecac5444ce55d2e82ee1b2aa35ff61a038c14e':
  Add missing includes.
2015-01-30 21:16:36 +00:00
Elliott Hughes
cd3c55ab40 Add missing includes.
Change-Id: I06ea08400efa511e627be37a4fd70fbdfadea2e6
2015-01-29 20:50:08 -08:00
Elliott Hughes
6bb8f47686 am 538d7d83: Merge "Fix missing #includes in bootable/recovery."
* commit '538d7d838d82e29c738145431aa64c587dc84943':
  Fix missing #includes in bootable/recovery.
2014-12-30 12:29:31 +00:00
Elliott Hughes
d4d4c2456a Fix missing #includes in bootable/recovery.
Change-Id: I58dfbac6ca1aa80d3659f53a8fad1bbbbdc9b941
2014-12-29 12:46:43 -08:00
Sungmin Choi
a72512cd05 Add O_CREAT option for open
Factory reset fails if a file, for example RECOVERY_COMMAND_FILE_TMP, does not exist.
So create the file by adding the O_CREAT option if it does not exist.

error log:
--------- beginning of crash
12-10 02:35:17.190  3059  3059 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x30 in tid 3059 (uncrypt)
12-10 02:35:17.296   766  1528 W NativeCrashListener: Couldn't find ProcessRecord for pid 3059
12-10 02:35:17.296   191   191 I DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
12-10 02:35:17.296   191   191 E DEBUG   : AM write failure (32 / Broken pipe)
12-10 02:35:17.296   191   191 I DEBUG   : Build fingerprint: 'Android/aosp_hammerhead/hammerhead:5.1/LMP/hopemini12052127:userdebug/test-keys'
12-10 02:35:17.296   191   191 I DEBUG   : Revision: '10'
12-10 02:35:17.297   191   191 I DEBUG   : ABI: 'arm'
12-10 02:35:17.297   191   191 I DEBUG   : pid: 3059, tid: 3059, name: uncrypt  >>> /system/bin/uncrypt <<<
12-10 02:35:17.297   191   191 I DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x30
12-10 02:35:17.302   191   191 I DEBUG   :     r0 00000001  r1 be94b690  r2 fffffe90  r3 b6fdbf7c
12-10 02:35:17.302   191   191 I DEBUG   :     r4 00000000  r5 00000000  r6 b6fd8ca4  r7 be94b67c
12-10 02:35:17.302   191   191 I DEBUG   :     r8 00000000  r9 ffffffff  sl b6ff582b  fp be94b68d
12-10 02:35:17.302   191   191 I DEBUG   :     ip b6fcfd08  sp be94b648  lr b6f98fe5  pc b6f98fe4  cpsr 20070030
12-10 02:35:17.303   191   191 I DEBUG   :
12-10 02:35:17.303   191   191 I DEBUG   : backtrace:
12-10 02:35:17.303   191   191 I DEBUG   :     #00 pc 00032fe4  /system/lib/libc.so (fputs+29)
12-10 02:35:17.303   191   191 I DEBUG   :     #01 pc 000016a1  /system/bin/uncrypt
12-10 02:35:17.303   191   191 I DEBUG   :     #02 pc 0000114b  /system/bin/uncrypt
12-10 02:35:17.303   191   191 I DEBUG   :     #03 pc 00012df5  /system/lib/libc.so (__libc_init+44)
12-10 02:35:17.303   191   191 I DEBUG   :     #04 pc 000013cc  /system/bin/uncrypt
12-10 02:35:17.325   191   191 I DEBUG   :
12-10 02:35:17.325   191   191 I DEBUG   : Tombstone written to: /data/tombstones/tombstone_00

Bug: 18709330
Change-Id: Ib5dccdd366e829049938a188ea5f98d9e4e282db
2014-12-10 21:50:46 -08:00
Michael Runge
4b54239173 Force write to disk while doing uncrypt
This should reduce errors if the device reboots before the blocks
are committed to disk.

Bug: 18481902

Change-Id: I13cda1c78955e4c83522fbcf87ddb16cc9f97683
2014-11-21 16:27:28 -08:00
Doug Zongker
574443d895 create block map for all update packages on /data
Always create the block map for packages on /data; don't only look at
the encryptable/encrypted flags.

Bug: 17395453
Change-Id: Iaa7643a32898328277841e324305b9419a9e071c
2014-09-05 08:22:12 -07:00
Doug Zongker
f449db2f30 open misc device in write-only mode
Opening the misc block device in read-write mode runs afoul of
SELinux, which keeps the wipe code from working.  Fix.  Also change
various things to log to logcat so we can see them happening, for
future debugging.

Bug: 16715412
Change-Id: Ia14066f0a371cd605fcb544547b58a41acca70b9
2014-08-26 09:22:57 -07:00
Doug Zongker
2efc9d994c clear BCB in misc partition before rebooting
Something is leaving behind wipe commands in the BCB area of the /misc
partition.  We don't know what is doing that.  It should always be
safe to zero out that area from uncrypt, though (because if uncrypt is
running then it's got the command we want in the recovery command file
rather than the BCB).

Bug: 16715412
Change-Id: Iad01124287f13b80ff71d6371db6371f43c43211
2014-08-18 15:55:28 -07:00
Doug Zongker
1a35a58690 revert uncrypt back to dynamic linking, fix libs
Bug: 17029174, 17015157
Change-Id: I1d24f3402875dfb972daa6daef0f385baeff84e9
2014-08-14 10:32:46 -07:00
Doug Zongker
537d34f907 change uncrypt to static linking
Bug: 17015157
Change-Id: I3c4bdcf4f11d44b617bb731a48413e3707044d1c
2014-08-14 08:01:17 -07:00
Doug Zongker
eaf33654c1 only do uncryption on packages in /data
If recovery is invoked with a package somewhere other than /data,
leave it alone.

Change-Id: Ief358b53df467ae24a65e30e7a631da59bf13683
2014-07-31 15:42:13 -07:00
Mark Salyzyn
2605dec597 recovery: 64 bit build issues
Change-Id: Ie88c49dea13cce5f4eb428e97f5a0956f2656a30
2014-03-19 15:30:25 -07:00
Maxim Siniavine
e7b2888245 Fix a crash when going into recovery mode.
When going into recovery mode without the recovery command file present, uncrypt crashes
and the device gets stuck and eventually shuts down.

Check that the command file is present before trying to read from it.

Change-Id: If0192d597032be0067738e437188d92993ce56f7
2014-02-13 15:53:38 -08:00
Doug Zongker
76adfc5309 program to store unencrypted files in an encrypted filesystem
uncrypt can read a file on an encrypted filesystem and rewrite it to
the same blocks on the underlying (unencrypted) block device.  This
destroys the contents of the file as far as the encrypted filesystem
is concerned, but allows the data to be read without the encryption
key if you know which blocks of the raw device to access.  uncrypt
produces a "block map" file which lists the blocks that contain the file.

For an unencrypted filesystem, uncrypt will produce the block map without
touching the data.

Bug: 12188746
Change-Id: Ib7259b9e14dac8af406796b429d58378a00c7c63
2014-01-16 13:37:55 -08:00