Commit graph

110 commits

Author SHA1 Message Date
Kelvin Zhang
c7ebad5fd6 rm -rf non-AB code
Bug: 324360816
Test: th
Change-Id: I3d82d9031446be355d8a1d077ab83283c7cc769c
2024-04-05 09:49:38 -07:00
Elliott Hughes
6929e4e5dc Fix connect() retry loop.
This would succeed eventually anyway: the first time round the connect() succeeds, returns 0, and we go around the loop again; the second time the connect() fails (because we're already connected), returns -1, and we set success to true and exit the loop. But this means that the intended retry functionality is broken.

Change-Id: If631d59e23b12e9aa952cdb528160b19b9a94b1c
2024-03-19 01:42:58 +00:00
Kelvin Zhang
117f263ada Disable flaky recovery test
Non-AB is under-maintained for years. Disable flaky test for now.

Test: th
Bug: 191730720
Change-Id: I3634afe291e717c35216021d69be1d24c5b8e5de
2022-02-24 13:43:16 -08:00
Jacky Liu
068329e977 Move package verifier from libinstall to libotautil
So it can be used by device-specific codes.

Bug: 184693830
Test: m; atest recovery_unit_test
Change-Id: I5885334c1bd04214c9cc295f2337306261a1735c
2021-12-22 23:31:08 +08:00
Kelvin Zhang
07ba4483a6 Re-enable failed imgpatch tests
Now we added a libz variant without the offending optimizations,
    re-enable tests.

Test: treehugger
Bug: 177076632
Change-Id: I6969090b2cb4c059d952df7cc034d0ed1ac366b2
2021-01-13 10:10:15 -05:00
Kelvin Zhang
d77e7ea105 Disable failed imgpatch tests
For a proper solution, add a variant of libz which doesn't have platform
dependent optimizations, and make imgdiff use that version.
Test: treehugger
Bug: 177076632

Change-Id: Ia9e926c1adf22d351315eeec5ad1fabc3d48efd5
2021-01-12 14:45:29 -05:00
Kelvin Zhang
4f81130039 Switch to zip64 in recovery
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.

Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
2020-09-16 14:21:37 -04:00
Tianjie
78d1514173 Update language to comply with Android’s inclusive language guidance
https://source.android.com/setup/contribute/respectful-code
Bug: 161896447
Test: Unit tests pass
Change-Id: I0f3f0333dbccc94241a096ca5d3d9bc28c281492
2020-07-23 14:02:21 -07:00
Tianjie
1bc976a74e Fix some wording to comply with respectful-code
https://source.android.com/setup/contribute/respectful-code
Test: Unit tests pass
Change-Id: If447b2cf923f6bc7a3a3fb5f69b9fbc06a200ebb
2020-07-23 13:07:24 -07:00
Kelvin Zhang
e1ae78cd54 Add recovery support of dynamic fingerprints
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro

This CL updates recovery code to recognize them

Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
2020-06-29 16:22:08 -04:00
Tianjie Xu
cd8faf7eee Force off-device package installation with FUSE
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most practical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon detecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures

Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 19:16:38 +00:00
Raman Tenneti
daaacea96e Revert "Force package installation with FUSE unless the package stores on device"
This reverts commit 5e6c4e9a91.

Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420

Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 03:03:36 +00:00
Tianjie Xu
5e6c4e9a91 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most practical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon detecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2020-01-22 22:01:46 +00:00
Yifan Hong
c77bb70166 Delete VINTF compatibility check during OTA.
Test: sideload OTA
Bug: 139300422
Change-Id: I3369b69242ccd7a64540a0c2d754a5d6fc50d072
2019-12-18 12:14:50 -08:00
Tianjie Xu
3d57c84476 Consolidate the vendor space misc usage for Pixels
The layout of the vendor space /misc partition was pretty confusing and
led to some usage conflicts. To formalize the layout, we create a pixel
specific library with the definition & offset of various flags. The new
library also handles the R/W. As a result, we will leave system domain
/misc definitions in the libbootloader_message.

We also switch the misc_writer binary to use more specific options
instead of writing an arbitrary hex string. So we can avoid redefining
the string & offset in both init script and recovery ui.

Bug: 131775112
Test: unit tests pass, run misc_writer and check contents of /misc
Change-Id: I00f8842a81d1929e31a1de4d5eb09575ffad47c0
2019-11-12 10:53:04 -08:00
Tao Bao
832c9cd24f Refactor battery info querying functions into librecovery_utils.
Bug: 134560109
Test: Run recovery_unit_test.
Change-Id: Ibbcdcfd507fa23657ee7ff677208b0003ec382ba
2019-10-02 22:04:25 -07:00
Tao Bao
e3f09a72f5 otautil: Factor out the utils that're private to recovery.
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.

Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
2019-10-02 10:56:46 -07:00
Tao Bao
5234ad466c applypatch: Add backup_source parameter to PatchPartition.
And set it to false when installing recovery image via applypatch. We
only need to back up the source partition when doing in-place update
(e.g. when updating a given partition under recovery). When installing
recovery image via applypatch, we won't touch the source partition (i.e.
/boot).

Removing the backup step also allows dropping the dac_override_allowed
permission. Previously it was needed due to the access to /cache.
Because applypatch runs as root:root, while /cache is owned by
system:cache with 0770.

Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
      is installed successfully without denials.
Test: recovery_unit_test passes on taimen.
Change-Id: I549a770b511762189d6672a2835b6e403d695919
2019-09-23 11:26:48 -07:00
Tianjie Xu
60b242cfd5 Simulator: add the argument to keep the updated images
Add the command line option to select the work directory and save the
updated image files. Because some people might be interested in
getting updated images from an ota file.

Also, fix a minor issue that the destination of package_extract_file
needs to be updated if it's a block device. Otherwise, an unintended
file may be extracted in the callers' directory.

Test: run simulation, run unit tests

Change-Id: Ic6a7db0580bc1748d6e080102e4654da4e41fd8c
2019-07-30 17:11:35 -07:00
Tianjie Xu
c3a161e2b8 Add unit tests for simulator
Make sure the simulator succeeds executing common non-A/B update
functions.

Bug: 131911365
Test: run unit tests
Change-Id: I520ce6a8827539b88a9e36f9e67eec30d8b586d4
2019-06-27 16:17:05 -07:00
Tianjie Xu
f6158eb918 Support starting fuse from a block map
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.

This is part of the effort to install larger than 2GiB packages on ILP32
devices.

Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.

Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
2019-06-20 13:53:40 -07:00
Tianjie Xu
27556d089f Some clean ups to the updater
Remove some unnecessary includes or forward declarations. And include
the correct headers to build host executables.

Bug: 131911365
Test: unit tests pass
Change-Id: I62e75f60678159fe24619a4bd386b1416f1a5b5d
2019-05-22 14:58:28 -07:00
Tianjie Xu
e7b3c5698e Merge "Add UpdaterRuntime class" 2019-05-21 17:07:30 +00:00
Tianjie Xu
1536db887f Add UpdaterRuntime class
This class adds a wrapper to the runtime dependent functions. Therefore,
the behavior of update on device stays the same, while simulators can
have their own implementations. Also change the caller side of the
registered updater functions to call these runtime wrappers.

Bug: 131911365
Test: unit tests pass, sideload an update on cuttlefish
Change-Id: Ib3ab67132991d67fc132f27120e4152439d16ac5
2019-05-20 18:03:27 -07:00
Tao Bao
7ae0169842 Add misc_writer.
bootloader_message.h currently divides /misc into four segments. The
space between 2K and 16K is reserved for vendor use (e.g. bootloader
persists flags). This CL adds a vendor tool "misc_writer", to allow
writing data to the vendor space in /misc, before getting a dedicated
HAL for accessing /misc partition (b/131775112).

Targets need to explicitly include the module, then invoke the
executable to write data. For example, the following command will write
3-byte data ("0xABCDEF") to offset 4 in vendor space (i.e. 2048 + 4 in
/misc).
$ /vendor/bin/misc_writer --vendor-space-offset 4 --hex-string 0xABCDEF

Bug: 132906936
Test: Run recovery_unit_test on crosshatch.
Test: Call the command via init.hardware.rc on crosshatch. Check that
      the call finishes successfully. Then check the contents written to
      /misc (`dd bs=1 skip=2048 if=/dev/block/sda2 count=32 | xxd`).
Change-Id: I79548fc63fc79b705a0320868690569c3106949f
2019-05-20 15:51:26 -07:00
Tianjie Xu
58d59129e1 Add Updater class and remove UpdaterInfo
The UpdaterInfo class is merely a collection of pointers and POD types.
We can replace it with a Updater class that has the ownership of the
resources. This also makes this class extensible as we plan to add more
functionality in the host simulator.

Bug: 131911365
Test: unit tests pass, run an update on cuttlefish and check last_install
Change-Id: I07ca5963bbee8ae3cb85ccc184464910aa73d4e4
2019-05-08 23:07:04 -07:00
Elliott Hughes
a86dddbfa5 Track libziparchive API change.
Bug: http://b/129068177
Test: treehugger
Change-Id: Ie5b2b0cff087f2e9e65a4e77c187e3173357f3ad
2019-05-06 10:28:14 -07:00
xunchang
311e6ca7b6 Implement FuseBlockDataProvider
Adds a fuse data provider that parses the metadata from a block map,
reads the data from the given ranges of the block device; and provides
the data to the fuse.

Bug: 127071893
Test: unit tests pass, install a package from block map
Change-Id: Ie9925ee9144e98642505b3f5e1a4a186d2b21ed0
2019-05-01 12:09:38 -07:00
Tao Bao
36c7276cb2 install: Return bool for a few check functions.
The results from these functions have boolean semantics. They're
returning `int` prior to this CL, with some of them mixing 0 and
InstallResult.  Note that SetUpNonAbUpdateCommands() was returning
INSTALL_CORRUPT / INSTALL_ERROR / 0 prior to this change, but all the
callers handle INSTALL_CORRUPT and INSTALL_ERROR the same way.

This CL changes them to return bool instead.

Test: `mmma -j bootable/recovery`
Test: TreeHugger
Test: Sideload on taimen.
Change-Id: Ic1b5dbf79aaca68b53ab8ea2c8ba3d19f988c571
2019-04-30 13:58:03 -07:00
Tao Bao
4a01f36d21 tests: Merge recovery_component_test into recovery_unit_test.
Most of the tests in component/ are in fact unit tests. And it doesn't
look practically beneficial to distinguish between the two:
- They have the same test setup;
- We always run both (recovery_unit_test and recovery_component_test)
  at the same time;
- Breaking any of them would be equally bad.

This CL merges the tests in recovery_component_test into
recovery_unit_test to save the effort to maintain both.

Test: Run recovery_unit_test on marlin (via `adb sync data`).
Test: `atest recovery_unit_test`
Change-Id: I93ff32e7219cd83425a4bcfe5613978a8dd48d75
2019-04-30 09:13:36 -07:00
xunchang
34723087fe matches_locale no longer accept empty locales in the png file
The legacy png files have an empty line in the end. And the recovery
used to match any missing locale, e.g. "he" with that line and gets an
empty image.

Since the empty image is barely useful, we should just error out and
fall back to the default locale.

This reversed the unit test check added in d17a688525

Bug: 128934634
Test: run locale test with "he" and legacy images, recovery reports
error and doesn't crash even without default locale fall back

Change-Id: Ibdb7dd0b42348de5e392c834cce67ff02be85c24
2019-04-22 15:32:17 -07:00
xunchang
2478885f3c Move install to separate module
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.

Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
2019-03-29 10:27:51 -07:00
xunchang
625c588c0f Move out the code to parse block map in MemMap
We will reuse them to implement the fuse provider from block maps.

Test: unit tests pass, sideload an OTA
Change-Id: Iaa409d19569c4ccc0bb24e12518044fcddb45c69
2019-03-26 11:47:27 -07:00
Tianjie Xu
8f397309b4 Move librecovery_ui to a sub-directory
This helps to expose librecovery_ui for device specific RecoveryUi.

Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
(cherry picked from commit b5108c372c)
2019-03-21 10:46:11 -07:00
xunchang
37304f3cc9 Implement FilePackage class
This is another implementation of the Package class. And we will later
need it when reading the package from FUSE.

Bug: 127071893
Test: unit tests pass, sideload a file package on sailfish
Change-Id: I3de5d5ef60b29c8b73517d6de3498459d7d95975
2019-03-14 15:35:09 -07:00
Tao Bao
f242a7ec2c tests: Temporarily disable ScreenRecoveryUITest tests.
Seems they're racing with SurfaceFlinger in acquiring the display, which
occasionally takes down the device and leads to test failures.

Bug: 120601844
Test: Run recovery_unit_test on marlin. ScreenRecoveryUITest not
      triggered.
Change-Id: I80b21595247a87fc1f2f95aa68df59f58bdf0257
2018-12-06 13:05:05 -08:00
Tao Bao
dd78982d58 minui: GRSurface::Create() computes data_size on its own.
GRSurface::Create() doesn't need to rely on caller specifying the buffer
size, as it can compute that info based on the given args.

This CL also uses `size_t` for all the parameters in
GRSurface::Create().

Test: Run recovery_unit_test on marlin.
Test: Build and boot into blueline recovery. `Run graphics test`.
Test: Build and boot into blueline charger mode.
Change-Id: Idec9381079196abf13553a475006fefcfca10950
2018-11-26 22:46:19 -08:00
Tao Bao
2201d08f8d minui: Fix a wrong arg in calling GRSurface::Create().
This is a bug introduced while refactoring init_display_surface(), in
[1]. As a result, user of res_create_multi_display_surface(), which is
effectively `charger` right now, crashes due to buffer overrun.

This CL fixes the wrong arg and adds a sanity test for
res_create_multi_display_surface(). The testdata (battery_scale.png) is
copied from system/core/healthd/images/battery_scale.png.

[1] commit 44820ac1e3.

Bug: 119122296
Test: Run recovery_unit_test on marlin.
Test: Build and boot into charger mode on blueline. Verify that
      `charger` no longer crashes.
Change-Id: Ib6d083e1512a9c3c6eb63874d26d22658921d693
2018-11-26 17:06:53 -08:00
Mark Salyzyn
8b54bc5e04 switch to using android-base/file.h instead of android-base/test_utils.h
Test: compile
Bug: 119313545
Change-Id: I664fb32522d01909c603d7b903475c4e9aea9223
2018-11-14 15:49:19 -08:00
Tao Bao
da409fb8d6 ui: Manage loaded resources with smart pointers.
Test: Run recovery_unit_test on marlin.
Test: `Run graphics test` on marlin.
Change-Id: I8239c3d9fb288f80ee11f615402768ff8ef8ecd0
2018-11-05 10:15:59 -08:00
Tao Bao
63b59dcead minui: Add GRSurface::Clone().
Clone() allows duplicating the image that's stored in the GRSurface.

Test: Run recovery_unit_test.
Change-Id: Ia50d507c6200f2de5f17143775de805247a60e1f
2018-11-01 12:14:46 -07:00
Tao Bao
929e481e71 tests: Use FRIEND_TEST in ScreenRecoveryUITest.
Test: Run recovery_unit_test on marlin.
Change-Id: I93ec6df8c056b2c485200822f18db0b852595242
2018-10-31 23:09:49 -07:00
Tao Bao
44820ac1e3 minui: Add a protected GRSurface ctor.
This prepares for the removal of the default and copy ctors, by making
GRSurface::Create() as the only way to get GRSurface instances.

Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Change-Id: I0c34c3f3967e252deb020907c83acbac8a8f36b9
2018-10-31 11:19:28 -07:00
Treehugger Robot
47b650b588 Merge "ui: Add constness to Draw- functions." 2018-10-24 00:28:21 +00:00
Tianjie Xu
1e10cc4297 Add a function to construct the GRSurface in test
This fixes the build error as the initializer list no longer works
without the proper constructor for c++ class.

Bug: 74397117
Test: unit tests pass
Change-Id: If3ff508a1a01ad5326413dab8e05bacae8a946c8
2018-10-23 12:10:46 -07:00
Tianjie Xu
06ccd00ef5 Merge "Add function to show localized rescue party menu" 2018-10-23 18:16:23 +00:00
Tao Bao
65815b6d3a ui: Add constness to Draw- functions.
These functions take the given GRSurface instances as inputs, which
shouldn't be altered.

Test: mmma -j bootable/recovery
Test: Run recovery_unit_test.
Test: `Run graphics test` on marlin.
Change-Id: I51bf408e85faae2b497d4f148ab1dec22dd16c93
2018-10-23 10:56:54 -07:00
Tao Bao
92bdb5a389 minui: Move GRSurface into a class.
This CL adds GRSurface::Create() and dtor for managing the allocated
memory in GRSurface class. It also adds GRSurface::data() that hides the
underlying implementation, with both of const and non-const overloads.
This allows `const GRSurface&` to be more useful - previously it only
ensured a const member variable of `data`, instead of a read-only buffer
it points to.

It also marks the parameters in gr_texticon() and gr_blit() as const, as
they're incoming source that shouldn't be altered. It corrects the type
of gr_draw, which is the sink to be painted on (an earlier attempt was
made in [1], but didn't get the full picture correctly).

[1] https://android-review.googlesource.com/c/platform/bootable/recovery/+/704757/

Test: mmma -j bootable/recovery
Test: recovery_unit_test on marlin
Test: Run graphics test on marlin (fbdev).
Test: Run graphics test on blueline (drm).
Change-Id: I7904df084cd6c08fa04a9da97d01b4b1a6e3a20c
2018-10-22 18:18:02 -07:00
Tianjie Xu
b99e6069c1 Add function to show localized rescue party menu
Add a function in screenUI to display the pre-generated graphs for
rescue party. If these graphs are not valid, falls back to display
the old text strings.

Right now we haven't generated the localized graphs yet, so the UI
always shows the TextMenu.

Bug: 116655889
Test: check rescue party under recovery
Change-Id: I0558cb536b659cdc25c8b7946d3a39820935b003
2018-10-22 15:27:33 -07:00
Tianjie Xu
66dbf63080 Implement the graphic menus
As we plan to show localized rescue party dialogs under recovery mode
with pre-generated images, it becomes necessary to show the menu headers
and items with images.

This cl converts the menu class to an interface and derived TextMenu &
GraphicMenu classes. And the GraphicMenu uses GRSurfaces* as the menu header
and a list of GRSurfaces* as menu items.

Moreover, factor out the Draw* functions in the ScreenUI into a separate
DrawInterface. Therefore, the Menu class can access these draw functions and
use them to implement the DrawHeaders & DrawItems neatly.

Bug: 74397117
Test: unittests pass, boot into recovery and check menu
Change-Id: I95cee30f3e5eb666eb6fbcdfc873a7260fc177c1
2018-10-12 17:18:50 -07:00