The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures
Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
This reverts commit 5e6c4e9a91.
Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420
Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
The results from these functions have boolean semantics. They're
returning `int` prior to this CL, with some of them mixing 0 and
InstallResult. Note that SetUpNonAbUpdateCommands() was returning
INSTALL_CORRUPT / INSTALL_ERROR / 0 prior to this change, but all the
callers handle INSTALL_CORRUPT and INSTALL_ERROR the same way.
This CL changes them to return bool instead.
Test: `mmma -j bootable/recovery`
Test: TreeHugger
Test: Sideload on taimen.
Change-Id: Ic1b5dbf79aaca68b53ab8ea2c8ba3d19f988c571
Most of the tests in component/ are in fact unit tests. And it doesn't
look practically beneficial to distinguish between the two:
- They have the same test setup;
- We always run both (recovery_unit_test and recovery_component_test)
at the same time;
- Breaking any of them would be equally bad.
This CL merges the tests in recovery_component_test into
recovery_unit_test to save the effort to maintain both.
Test: Run recovery_unit_test on marlin (via `adb sync data`).
Test: `atest recovery_unit_test`
Change-Id: I93ff32e7219cd83425a4bcfe5613978a8dd48d75
2019-04-30 09:13:36 -07:00
Renamed from tests/component/install_test.cpp (Browse further)