Commit graph

59 commits

Author SHA1 Message Date
Bob Badour
29be3f6ef1 [LSC] Add LOCAL_LICENSE_KINDS to bootable/recovery
Added SPDX-license-identifier-Apache-2.0 to:
  applypatch/Android.bp
  bootloader_message/Android.bp
  edify/Android.bp
  fuse_sideload/Android.bp
  install/Android.bp
  minadbd/Android.bp
  minui/Android.bp
  otautil/Android.bp
  recovery_ui/Android.bp
  recovery_utils/Android.bp
  tests/Android.bp
  tools/image_generator/Android.bp
  tools/recovery_l10n/Android.bp
  uncrypt/Android.bp
  update_verifier/Android.bp
  updater/Android.bp
  updater/Android.mk
  updater_sample/Android.bp
  updater_sample/tests/Android.bp

Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-MIT
    SPDX-license-identifier-OFL
to:
  Android.bp
  Android.mk

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I3da761b525452838977297f773974000d4de7bd6
2021-02-14 10:37:20 -08:00
Tianjie Xu
00e91ff8b9 Revert "Link to libsnapshot_cow everywhere libsnapshot is linked."
Revert submission 1433573-vab-libsnapshot-linkage

Reason for revert: b/169981170, update crash for droidfooders.
Reverted Changes:
Ie75bba98c:Link to libsnapshot_cow where libsnapshot is linke...
Ieedfadc55:libsnapshot: Partially implement OpenSnapshotWrite...
I28a5d4a88:Link to libsnapshot_cow everywhere libsnapshot is ...

Change-Id: I8c774ca4a8dec21dd308694bb8205861a19c3e12
2020-10-03 07:27:00 +00:00
David Anderson
6943dfe9ad Link to libsnapshot_cow everywhere libsnapshot is linked.
Bug: 168554689
Test: recovery builds
Change-Id: I28a5d4a88914b10db1ca8298947afc2314a9ae8a
2020-09-22 15:49:44 -07:00
Yifan Hong
9679aec289 Merge "Add missing dep." am: 29a1d00035 am: 58af72a568
Change-Id: Iabbb842d35f9d1bc6c62db349d7bed4576d02942
2020-04-17 01:21:23 +00:00
Yifan Hong
58af72a568 Merge "Add missing dep." am: 29a1d00035
Change-Id: I8af3f7cf531aba6f32b9082414796c78789b7460
2020-04-17 01:09:10 +00:00
Yifan Hong
acf7d1b1a4 Add missing dep.
libsnapshot_nobinder uses update_metadata-protos. This
used to be optimized out, but now that SnapshotManager is
virtual, CreateUpdateSnapshots can no longer be optimized
out.

Bug: 148956645
Test: compiles
Change-Id: Iab1c9d92de2e558c73cf7da736c543b2ac8c0aa5
2020-04-16 13:13:17 -07:00
Tianjie Xu
cd8faf7eee Force off-device package installation with FUSE
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures

Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 19:16:38 +00:00
Raman Tenneti
4139a30ec5 Merge "Revert "Force package installation with FUSE unless the package stores on device"" into qt-qpr1-dev-plus-aosp 2020-02-13 03:08:09 +00:00
Raman Tenneti
daaacea96e Revert "Force package installation with FUSE unless the package stores on device"
This reverts commit 5e6c4e9a91.

Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420

Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 03:03:36 +00:00
Bryan Ferris
7bc9c8297b Merge "Force package installation with FUSE unless the package stores on device" into qt-qpr1-dev-plus-aosp 2020-02-12 23:37:34 +00:00
Automerger Merge Worker
5fa9733f9d Merge "Remove fsck_unshare_blocks." am: 699ea0f325 am: 79ce1d3420 am: ffea0e7333
Change-Id: If590516c09963e73b304cca1b7e07b62271d7c5c
2020-01-28 01:34:15 +00:00
David Anderson
969787cffd Remove fsck_unshare_blocks.
This code is dead. It was briefly used to support "adb remount" with
deduplicated partitions, but was very quickly obsoleted by overlayfs
support. There is no reason to include it anymore.

Bug: N/A
Test: N/A
Change-Id: I4cdcbf66bec80092f954826eaae037934ff37765
2020-01-27 09:30:55 -08:00
Tianjie Xu
5e6c4e9a91 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2020-01-22 22:01:46 +00:00
Automerger Merge Worker
b892a6b788 Merge "Retire the Tron metrics reporting for non-A/B update" am: 6bdacc40ef am: fed0b90045 am: 2cc6f21833
Change-Id: I3cd62f30d3dc8c6e7d7402d5fa0f08c60a3d9b64
2020-01-21 19:46:11 +00:00
Tianjie Xu
eb27bfe1e8 Retire the Tron metrics reporting for non-A/B update
This is part of the effort to remove libmetricslogger in platform.
Remove the reporting since the status from non-A/B update is less
important to us. Plus the gmscore already has a copy of the logic
to parse the contents from last_install and report non-A/B metrics
to the clearcut log.

bug: 147776349
Test: build
Change-Id: I4fc5d58fb616edb3eb1edadf4614d3eca15c7ce1
2020-01-16 15:17:41 -08:00
David Anderson
b72291bd20 Merge "Force merges to complete before wiping data or metadata." am: 8444dec7ac am: bc4b39efff
am: 49c03e1bab

Change-Id: Ibb9a2c341982e8d39a5163e527472b5faf526d73
2019-11-14 20:46:34 -08:00
David Anderson
8444dec7ac Merge "Force merges to complete before wiping data or metadata." 2019-11-15 04:27:59 +00:00
Tom Cherry
a762387a5b Merge "Move init and ueventd scripts from / to /system/etc" into qt-qpr1-dev-plus-aosp
am: e5939e8297

Change-Id: If9b38a494e6385ccd2e5ae31c15d5d429b082efc
2019-11-12 07:57:06 -08:00
David Anderson
89d2d050a0 Force merges to complete before wiping data or metadata.
After an OTA is applied, a wipe in recovery may overwrite components of
dynamic partitions living in userdata. If the OTA has not yet begun
merging, we mark the current slot unbootable. If the OTA has begun
merging, we wait for the merge to complete. This logic is encapsulated
in libsnapshot.

Bug: 139156011
Test: manual test
Change-Id: Id6544a1b8583afcbba11559d46214ec2e68ffa40
2019-11-11 01:02:12 +00:00
Tom Cherry
24dd3146e1 Move init and ueventd scripts from / to /system/etc
There is no reason for these scripts to continue to exist in /, when
they are better suited for /system/etc.  There are problems keeping
them at / as well, particularly that they cannot be updated with
overlayfs.

Bug: 131087886
Bug: 140313207
Test: build/boot + boot to recovery
Merged-In: I1fb6690d4302a1884d8521c21a9754b2ca710d5a
Change-Id: I1fb6690d4302a1884d8521c21a9754b2ca710d5a
2019-11-07 19:38:23 +00:00
Tom Cherry
bcd3f35462 Move init and ueventd scripts from / to /system/etc
There is no reason for these scripts to continue to exist in /, when
they are better suited for /system/etc.  There are problems keeping
them at / as well, particularly that they cannot be updated with
overlayfs.

Bug: 131087886
Bug: 140313207
Test: build/boot + boot to recovery
Merged-In: I1fb6690d4302a1884d8521c21a9754b2ca710d5a
Change-Id: I1fb6690d4302a1884d8521c21a9754b2ca710d5a
2019-11-07 11:29:06 -08:00
Tianjie Xu
b8ba2fa86e Merge "Force package installation with FUSE unless the package stores on device" 2019-10-16 22:20:27 +00:00
Tianjie Xu
58a27693b2 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2019-10-16 11:35:17 -07:00
Tao Bao
832c9cd24f Refactor battery info querying functions into librecovery_utils.
Bug: 134560109
Test: Run recovery_unit_test.
Change-Id: Ibbcdcfd507fa23657ee7ff677208b0003ec382ba
2019-10-02 22:04:25 -07:00
Tao Bao
e3f09a72f5 otautil: Factor out the utils that're private to recovery.
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.

Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
2019-10-02 10:56:46 -07:00
xunchang
316e971746 Move wipe cache|data to libinstall
Therefore, libinstall becomes the sole owner to handle the request
from minadbd service.

The change also includes
1. move logging.cpp out of librecovery
2. drop the dependency on common.h
3. now it's more sensible to move the wipe_cache as part of
install_package. move the wipe_cache to the end of the function.

Bug: 130166585
Test: wipe data and cache from menu
Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
2019-04-15 12:22:11 -07:00
xunchang
34690ced91 Add socket communication between recovery and minadbd
This cl adds a socket pair to support the communication between recovery
and minadbd. Therefore, minadbd will be able to issue multiple commands
to recovery and get back the status of each command.

This cl also switches the adb sideload from the recovery menu to use
this protocol; and moves minadbd to a separate binary.

Bug: 130166585
Test: sideload a package
Change-Id: I80d36d5c4e6fe1ae3ea23640907bc50c0dc0d482
2019-04-11 14:23:53 -07:00
Tao Bao
0deed3389b Build libinstall as a static library.
It was once considered to be shared between recovery and minadbd, so
that the latter can start an install on its own. The plan has been
changed, since package install -- including device wipe operations --
could be device-specific, which should be done by recovery only.

This CL moves libinstall back to a static library, which also saves the
overall size (reducing from 140256 + 660576 to 555880 bytes on
aosp_taimen-userdebug).

Bug: 130166585
Test: Run recovery_component_test.
Test: `adb sideload` on taimen.
Change-Id: Ib1f5f79f235df4682c0bd104425c9c122f6091ba
2019-04-08 11:59:48 -07:00
Tao Bao
cecad743c1 libotautil exports libfstab header.
otautil/roots.h includes <fstab/fstab.h>, but users of otautil/roots.h
don't need to explicitly depend on libfstab unless they have a real
need.

Also remove the unneeded include of <fstab/fstab.h> from
fsck_unshare_blocks.cpp.

Test: mmma -j bootable/recovery
Change-Id: Id3dc995a4769e631ab242843ee439bd94b2bf0bc
2019-04-03 11:41:54 -07:00
xunchang
2478885f3c Move install to separate module
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.

Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
2019-03-29 10:27:51 -07:00
Tianjie Xu
8f397309b4 Move librecovery_ui to a sub-directory
This helps to expose librecovery_ui for device specific RecoveryUi.

Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
(cherry picked from commit b5108c372c)
2019-03-21 10:46:11 -07:00
xunchang
ea2912f187 Create a FuseDataProvider base class
The fuse data provider for adb/sdcard shares common code and structures.
This cl creates a FuseDataProvider base class and provides
implementations for adb and sdcard.

In the follow cls, we can kill the provider_vtab struct; and also add
another implementation to parse a block map file and provides data.

Test: unit tests pass, sideload a package, apply a package from sdcard
Change-Id: If8311666a52a2e3c0fbae0ee9688fa6d01e4ad09
2019-03-19 11:11:58 -07:00
xunchang
37304f3cc9 Implement FilePackage class
This is another implementation of the Package class. And we will later
need it when reading the package from FUSE.

Bug: 127071893
Test: unit tests pass, sideload a file package on sailfish
Change-Id: I3de5d5ef60b29c8b73517d6de3498459d7d95975
2019-03-14 15:35:09 -07:00
xunchang
f07ed2efeb Create a wrapper class for update package
Creates a new class handle the package in memory and package read from fd.
Define the new interface functions, and make approximate changes to the
verify and install functions.

Bug: 127071893
Test: unit tests pass, sideload a package
Change-Id: I66ab00654df92471184536fd147b237a86e9c5b5
2019-03-11 10:43:52 -07:00
Tom Cherry
72a114a3e1 Add android::fs_mgr namespace for new Fstab code
Also add libfstab dependencies where needed.  Previously the
`typedef struct FstabEntry Volume;` line served to both define a
`struct FstabEntry` as well as alias Volume to it.  With the new
namespace for android::fs_mgr::FstabEntry, `struct FstabEntry` isn't
compatible anymore, so we need to alias Volume to the real
android::fs_mgr::FstabEntry.

In doing so, we need to include <fstab/fstab.h> and this requires
libfstab as a library, which a few modules did not have before.

Test: treehugger
Change-Id: I655209a0efb304b3e0568db0748bd5cf7cecbdb7
2019-01-31 09:00:40 -08:00
Elliott Hughes
31b92a5d75 C++17 is the default now.
Test: builds
Change-Id: I91923da25f470621189589711c50f3d67e435c68
2018-12-03 09:27:17 -08:00
Tianjie Xu
0dd9685311 Load X509 keys from ziparchive
Add a function to parse the zip archive and load the certificate from
all the zip entries with the suffix "x509.pem".

Bug: 116655889
Test: unittests pass
Change-Id: I93bf7aef7462c0623e89fc2d466d7af2d3a758bc
2018-10-18 11:42:01 -07:00
Tianjie Xu
2b1a464a70 Move the parse of last_install to recovery-persist
The recovery-persist used to look for the related recovery logs in
persist storage, and copy them under /data/misc/recovery during the
normal boot process.

As we also want to find out the sideload information from last_install,
it makes more sense to move the parse & report of non-a/b metrics to
recovery-persist. Thus we can avoid the race condition of the file
system between the native code and RecoverySystem.

Bug: 114278989
Test: unit test pass, check the event buffer for metrics report
Change-Id: I32d7b2b831bc74a61a70af9a2f0b8a7e9b3e36ee
2018-09-13 13:27:55 -07:00
Tao Bao
43bfa6e429 Enable c++17 in recovery_defaults.
And add the first few users.

Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: Ifdf093d011478b6a1dd0405b0ba48c145b509cc8
2018-08-28 10:49:07 -07:00
Tao Bao
7c074d97bd Depend on mke2fs.conf.recovery.
Bug: 112780007
Test: `m dist` along with other changes in the topic. Check the file
      under recovery. Trigger factory reset from recovery UI.
Change-Id: I2fb6954576eefecea60712a21506a2aeb1cecc53
2018-08-21 12:32:03 -07:00
Tao Bao
ef5e38fef0 tests: Move to Android.bp.
Also separate libupdater_defaults out to be shareable.

It turns out the `data` property in `cc_test` doesn't follow symlinks as
LOCAL_TEST_DATA does in Android.mk. This CL creates a filegroup in
top-level Android.bp in order to pick up the testdata for ResourcesTest.

Test: `mmma -j bootable/recovery` with aosp_marlin-userdebug
Test: Run recovery_{unit,component,manual}_test on marlin.
Test: Run recovery_host_test.
Change-Id: I4532ab25aeb83c0b0baa8051d5fe34ba7b910a35
2018-08-14 21:46:45 -07:00
Treehugger Robot
19a5316412 Merge "Add fastboot mode to recovery" 2018-08-14 21:25:50 +00:00
Yifan Hong
ce2f0d85fb Merge "recovery uses IHealth::getService" 2018-08-14 21:06:58 +00:00
Tao Bao
b0f132e244 recovery: Drop the dependency on libcrypto_utils.so and libsparse.so.
They're only needed in past when we statically linked libs that had
dependencies on them. Dropping them doesn't affect the recovery image
size, as there're still other users of the libs. But this would avoid
the false dependencies on them.

Test: `mmma -j bootable/recovery`
Change-Id: Ib43cc42221edde9efea1f12357cfc2f2232ec520
2018-08-13 23:02:17 -07:00
Hridya Valsaraju
20c81b308d Add fastboot mode to recovery
Add a fastboot mode to recovery that can be
entered with command line args or with the ui.

Add usb property triggers to switch between
fastboot and adb configurations.

Allow switching between fastboot and adb through
usb commands by opening a unix socket. adbd/fastbootd
writes to this socket, which interrupts the ui and
switches to the new mode.

Test: Use fastboot mode
Bug: 78793464
Change-Id: I7891bb84427ec734a21a872036629b95ab3fb13c
2018-08-13 21:18:18 -07:00
Yifan Hong
056538c0a9 recovery uses IHealth::getService
recovery is_battery_ok function uses get_health_service(),
which calls IHealth::getService("default") then
IHealth::getService("backup").

- An OEM can provide the default instance by installing
  android.hardware.health@2.0-impl-<device>.so to recovery
  partition.

- If that's not found, the "backup" instance is provided
  to the recovery partition by default.

Test: call is_battery_ok() in recovery, successfully
  get battery information.

Bug: 80132328

Change-Id: Ibfee80636325a07bc20b24d044d007a60b3dd7c2
2018-08-13 16:16:18 -07:00
Tao Bao
7d2a63afe1 Reland "Build and use minadbd as a shared library."
This relands the previously reverted CL in commit
c70446ce7b ("Build and use minadbd as a
shared library."). `recovery` has been built with Soong, so the previous
concern (unintentionally installing `libminadbd_services.so` to normal
system image) no longer holds.

Note that `reocvery` can't use `libminadbd_services.a`, as functions
like `daemon_service_to_fd()` (needed by `libadbd.so`) won't be linked
into `recovery`.

This CL moves the dependency of `libminadbd_services` from `librecovery`
into `recovery`, as only the latter actually relies on it (via
`recovery_main.cpp`). Note that we no longer need to list the transitive
dependency on `libadbd` or `libasyncio`.

Bug: 112494634
Test: `mmma -j bootable/recovery`
Test: Build and boot into recovery with aosp_taimen-userdebug. Verify that
      sideloading keeps working.
Test: `build/soong/build_test.bash --dist`
Change-Id: Ic086470b86d6770bede317e0f5534f608fa7b7d2
2018-08-13 14:09:58 -07:00
Tao Bao
5fc72a103b Build recovery with Soong.
Fixes: 110380063
Test: `mmma -j bootable/recovery` with aosp_taimen-userdebug
Test: Build and boot into recovery on taimen. Check the basic
      functionalities (`Apply update from ADB`, `View recovery logs`,
      `Run graphics test`).
Test: Run recovery_unit_test and recovery_component_test on marlin.
Test: Modify `recovery.cpp` locally to trigger the call to
      is_battery_ok(). Check that the battery info is reported
      correctly.
Test: `build/soong/build_test.bash --dist`
Change-Id: I391eb201d57c760e457ba2bf2410ceb72596795c
2018-08-10 14:43:27 -07:00
Tao Bao
818f938188 recovery uses more shared libraries.
Bug: 110380063
Test: `m -j installclean && mmma -j bootable/recovery` with
      aosp_taimen-userdebug
Test: Build (`m -j bootimage`) and boot into recovery. Check that
      `adb sideload` and `Run graphics test` both work.
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: Ie6ed0e7cafa352d5faff9d1b6ccef724a0415e65
2018-08-08 14:26:27 -07:00
Jerry Zhang
152933a28e recovery: Refactor logging code into logging.cpp
Move common logging related functions to
rotate_logs.cpp, and rename that to logging.cpp.

Test: Recovery works
Bug: 78793464
Merged-In: I00f20a79a296680122b8437d54a87897c5cb2fc7
Change-Id: I00f20a79a296680122b8437d54a87897c5cb2fc7
2018-05-07 14:14:17 -07:00