Commit graph

530 commits

Author SHA1 Message Date
Elliott Hughes
6929e4e5dc Fix connect() retry loop.
This would succeed eventually anyway: the first time round the connect() succeeds, returns 0, and we go around the loop again; the second time the connect() fails (because we're already connected), returns -1, and we set success to true and exit the loop. But this means that the intended retry functionality is broken.

Change-Id: If631d59e23b12e9aa952cdb528160b19b9a94b1c
2024-03-19 01:42:58 +00:00
David Anderson
8ee048d750 Update recovery to use Health AIDL HAL V3.
Bug: 309792384
Test: m
Change-Id: I253dbee446c88e6a18718cedec090c3be1b56cfd
2023-11-17 20:39:19 -08:00
Elliott Hughes
da675a945f Use the hermetic gzip instead of minigzip.
Bug: http://b/288169261
Test: treehugger
Change-Id: I7cb3d5468a79faedcae13d75913f11f5a8ea9e80
2023-06-21 10:10:42 -07:00
Jack Wu
6b39dee45d Update health AIDL HAL to V2
Bug: 251425963
Test: Build
Change-Id: I471f8fb9c7eb1044ea0b920d55728613188bfbdf
Signed-off-by: Jack Wu <wjack@google.com>
2022-12-24 13:13:18 +00:00
Kelvin Zhang
9ce95441b2 Fix misconfigured recovery host test
Test: atest recovery_host_test
Bug: 241353143
Change-Id: I13bb9595745f65a63070cf9fe030c9155f75e4d0
2022-08-04 10:05:43 -07:00
Kelvin Zhang
117f263ada Disable flaky recovery test
Non-AB is under-maintained for years. Disable flaky test for now.

Test: th
Bug: 191730720
Change-Id: I3634afe291e717c35216021d69be1d24c5b8e5de
2022-02-24 13:43:16 -08:00
Chih-Hung Hsieh
af6d780eb2 Add timed out test files to tidy_timeout_srcs
* Timed out runs do not show any warning messages.
* These test files cannot finish clang-tidy runs with
  the following settings:
    TIDY_TIMEOUT=90
    WITH_TIDY=1
    CLANG_ANALYZER_CHECKS=1
* When TIDY_TIMEOUT is set, in Android continuous builds,
  tidy_timeout_srcs files will not be compiled by clang-tidy.
  When developers build locally without TIDY_TIMEOUT,
  tidy_timeout_srcs files will be compiled.
* Some of these test modules may be split into smaller ones,
  or disable some time consuming checks, and then
  enable clang-tidy to run within limited time.

Bug: 201099167
Test: make droid tidy-bootable-recovery_subset
Change-Id: I3c4606959ab70e339df201501356b24953d4fb8a
2022-02-17 22:03:12 -08:00
Jacky Liu
068329e977 Move package verifier from libinstall to libotautil
So it can be used by device-specific codes.

Bug: 184693830
Test: m; atest recovery_unit_test
Change-Id: I5885334c1bd04214c9cc295f2337306261a1735c
2021-12-22 23:31:08 +08:00
Yifan Hong
67a8fd2175 GetBatteryInfo() also reads AIDL health HAL.
Test: call GetBatteryInfo manually with and without AIDL health HAL
Bug: 170338625
Bug: 177269435
Change-Id: I123739e5bc372d5198fd711f592ceac04d46ab28
2021-12-06 16:53:58 -08:00
Elliott Hughes
a85d7a0936 Use gtest_prod_headers.
Bug: http://b/185916167
Test: treehugger
Change-Id: I3407052df4f12b01acc4a75c6bd0759f7a4b2c4c
2021-04-20 11:58:05 -07:00
Bob Badour
29be3f6ef1 [LSC] Add LOCAL_LICENSE_KINDS to bootable/recovery
Added SPDX-license-identifier-Apache-2.0 to:
  applypatch/Android.bp
  bootloader_message/Android.bp
  edify/Android.bp
  fuse_sideload/Android.bp
  install/Android.bp
  minadbd/Android.bp
  minui/Android.bp
  otautil/Android.bp
  recovery_ui/Android.bp
  recovery_utils/Android.bp
  tests/Android.bp
  tools/image_generator/Android.bp
  tools/recovery_l10n/Android.bp
  uncrypt/Android.bp
  update_verifier/Android.bp
  updater/Android.bp
  updater/Android.mk
  updater_sample/Android.bp
  updater_sample/tests/Android.bp

Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-MIT
    SPDX-license-identifier-OFL
to:
  Android.bp
  Android.mk

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I3da761b525452838977297f773974000d4de7bd6
2021-02-14 10:37:20 -08:00
Kelvin Zhang
07ba4483a6 Re-enable failed imgpatch tests
Now we added a libz variant without the offending optimizations,
    re-enable tests.

Test: treehugger
Bug: 177076632
Change-Id: I6969090b2cb4c059d952df7cc034d0ed1ac366b2
2021-01-13 10:10:15 -05:00
Kelvin Zhang
2f2749f213 Switch imgdiff to use libz_stable
libz contain platform dependent optimization flags, and sometimes that
cause reconstruction of blobs to fail. Use libz_stable instead

Bug: 177076632
Test: treehugger

Change-Id: I3a8c1591672537d1c754b2bc5b26f939dd80ed47
2021-01-13 10:10:15 -05:00
Kelvin Zhang
d77e7ea105 Disable failed imgpatch tests
For a proper solution, add a variant of libz which doesn't have platform
dependent optimizations, and make imgdiff use that version.
Test: treehugger
Bug: 177076632

Change-Id: Ia9e926c1adf22d351315eeec5ad1fabc3d48efd5
2021-01-12 14:45:29 -05:00
Will Coster
de455707e6 Add a fuzzer for OTA package verification
This is a pretty simplistic approach, it just shoves random data at the
verifier. The OTA format isn't too complicated so this should hopefully
be sufficient to let the fuzzer exercise the potentially interesting
parsing code.

Test: Let the fuzzer run on device for awhile:
      1) FUZZ=libinstall_verify_package_fuzzer
      2) SANITIZE_TARGET=hwaddress make ${FUZZ}
      3) cd ${ANDROID_PRODUCT_OUT} && adb root && adb sync data
      4) adb shell /data/fuzz/arm64/${FUZZ}/${FUZZ}
Change-Id: Icac6bde017b497d9f92c06191eb29e107ba9c0a7
2020-11-10 14:26:17 -08:00
Tianjie
581a824401 Add test config for recovery_host_test
Bump the timeout as we see some flakiness in b/170178152. The other
part of the config is copied from the auto-generated config in
out/host/linux-x86/testcases/recovery_host_test/recovery_host_test.config

Bug: 170178152
Test: treehugger
Change-Id: Ia84c90ba6a686c47ecc7d8331c7e8c7cb4b78292
2020-10-06 23:31:04 +00:00
Kelvin Zhang
4f81130039 Switch to zip64 in recovery
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.

Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
2020-09-16 14:21:37 -04:00
Tianjie
78d1514173 Update language to comply with Android’s inclusive language guidance
https: //source.android.com/setup/contribute/respectful-code
Bug: 161896447
Test: Unit tests pass
Change-Id: I0f3f0333dbccc94241a096ca5d3d9bc28c281492
2020-07-23 14:02:21 -07:00
Tianjie
1bc976a74e Fix some wording to comply with respectful-code
https: //source.android.com/setup/contribute/respectful-code
Test: Unit tests pass
Change-Id: If447b2cf923f6bc7a3a3fb5f69b9fbc06a200ebb
2020-07-23 13:07:24 -07:00
Kelvin Zhang
e1ae78cd54 Add recovery support of dynamic fingerprints
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro

This CL updates recovery code to recognize them

Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
2020-06-29 16:22:08 -04:00
Automerger Merge Worker
a0df3e3584 Merge "Generate recovery.img for unittest during build time" am: bf885b6b21 am: 616db72209
Change-Id: I264469782af6ffab1c138edc01b577abb5fd2675
2020-02-24 19:14:38 +00:00
Tianjie Xu
fa77ee8470 Generate recovery.img for unittest during build time
The unit tests for imgpatch is comparing the compressed bytes. As
a result, these unit tests will fail with libz change.

Since the recovery image is just a gzipped ramdisk with some wrappings,
we can generate with minigzip it during the build time. This matches
the usage in the real world, where we generate the patch with the host
side libz; and apply the patch with the library on the device.

Bug: 149443852
Test: tests pass on Pixel3
Change-Id: I7885765a161c6bf765671bc55a72cfcaa04b4138
2020-02-20 23:09:44 -08:00
Tianjie Xu
cd8faf7eee Force off-device package installation with FUSE
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures

Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 19:16:38 +00:00
Raman Tenneti
4139a30ec5 Merge "Revert "Force package installation with FUSE unless the package stores on device"" into qt-qpr1-dev-plus-aosp 2020-02-13 03:08:09 +00:00
Raman Tenneti
daaacea96e Revert "Force package installation with FUSE unless the package stores on device"
This reverts commit 5e6c4e9a91.

Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420

Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
2020-02-13 03:03:36 +00:00
Bryan Ferris
7bc9c8297b Merge "Force package installation with FUSE unless the package stores on device" into qt-qpr1-dev-plus-aosp 2020-02-12 23:37:34 +00:00
Steven Moreland
c7647926f4 rm libbinderthreadstate
This library is empty, and its functionality has moved
into libbinder/libhwbinder.

Bug: 148692216
Test: N/A
Change-Id: Ie50d9130a8e43de7d5b222883169c26ab958e6d7
2020-02-06 13:28:52 -08:00
Tianjie Xu
5e6c4e9a91 Force package installation with FUSE unless the package stores on device
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
2020-01-22 22:01:46 +00:00
Peter Collingbourne
8b9ac5b83d Merge "Link libvndksupport dynamically instead of statically." 2019-12-19 17:27:37 +00:00
Yifan Hong
c77bb70166 Delete VINTF compatibility check during OTA.
Test: sideload OTA
Bug: 139300422
Change-Id: I3369b69242ccd7a64540a0c2d754a5d6fc50d072
2019-12-18 12:14:50 -08:00
Peter Collingbourne
8f2f0d09ea Link libvndksupport dynamically instead of statically.
Bug: 146456667
Change-Id: I839223d8fbc365fd3271634143b117604f6aa879
2019-12-17 17:51:42 -08:00
Tianjie Xu
3d57c84476 Consolidate the vendor space misc usage for Pixels
The layout of the vendor space /misc partition was pretty confusing and
lead to some usage conflicts. To formalize the layout, we create a pixel
specific library with the definition & offset of various flags. The new
library also handles the R/W. As a result, we will leave system domain
/misc definitions in the libbootloader_message.

We also switch the misc_writer binary to use more specific options
instead of writing an arbitrary hex string. So we can avoid redefining
the string & offset in both init script and recovery ui.

Bug: 131775112
Test: unit tests pass, run misc_writer and check contents of /misc
Change-Id: I00f8842a81d1929e31a1de4d5eb09575ffad47c0
2019-11-12 10:53:04 -08:00
Tao Bao
832c9cd24f Refactor battery info querying functions into librecovery_utils.
Bug: 134560109
Test: Run recovery_unit_test.
Change-Id: Ibbcdcfd507fa23657ee7ff677208b0003ec382ba
2019-10-02 22:04:25 -07:00
Tao Bao
e3f09a72f5 otautil: Factor out the utils that're private to recovery.
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.

Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
2019-10-02 10:56:46 -07:00
Tao Bao
5234ad466c applypatch: Add backup_source parameter to PatchPartition.
And set it to false when installing recovery image via applypatch. We
only need to back up the source partition when doing in-place update
(e.g. when updating a given partition under recovery). When installing
recovery image via applypatch, we won't touch the source partition (i.e.
/boot).

Removing the backup step also allows dropping the dac_override_allowed
permission. Previously it was needed due to the access to /cache.
Because applypatch runs as root:root, while /cache is owned by
system:cache with 0770.

Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
      is installed successfully without denials.
Test: recovery_unit_test passes on taimen.
Change-Id: I549a770b511762189d6672a2835b6e403d695919
2019-09-23 11:26:48 -07:00
Tao Bao
dfb053e815 tests: recovery_unit_test requires root.
Bug: 141272654
Test: TreeHugger (recovery_unit_test no longer fails)
Change-Id: I47cbee274e659e3d90be5a77b215466d2973c7d6
2019-09-19 08:08:54 -07:00
Pete Bentley
189d424ced Link libcrypto dynamically for recovery unit tests.
Tested by running recovery_unit_test as described in
https://android.googlesource.com/platform/bootable/recovery/+/refs/heads/master/README.md

Attempted to build and boot a recovery image with the
same change to confirm it still works, but
m recoveryimage-nodeps
fails for me.

Bug: 140940227
Test: See above
Change-Id: I00545968a0e5684823e505f2ddbe7e993319b5d4
2019-09-13 12:18:44 +01:00
Steven Moreland
e4f1a781f5 Remove reference to libhwbinder_noltopgo.
No longer needed.

Bug: 135558503
Test: build only
Change-Id: Ia1257513c6276cdb01604fbedb411e7412d02b84
2019-09-05 14:29:23 -07:00
Tianjie Xu
60b242cfd5 Simulator: add the argument to keep the updated images
Add the command line option to select the work directory and save the
updated image files. Because some people might have interested in
getting updated images from an ota file.

Also, fix a minor issue that the destination of package_extract_file
needs to be updated if it's a block device. Otherwise, an unintended
file may be extracted in the callers' directory.

Test: run simulation, run unit tests

Change-Id: Ic6a7db0580bc1748d6e080102e4654da4e41fd8c
2019-07-30 17:11:35 -07:00
Tianjie Xu
45c40ec876 Remove libimgpatch
Stop building libimgpatch as it's merely a subset of libapplypatch.

Test: unit tests pass

Change-Id: I0735ec053344404434a50e53a36e3f55964c2e4f
2019-07-10 12:41:45 -07:00
Tianjie Xu
42d7779caf Build libimgdiff as a host only library
Stop building libimgdiff on device because we are only running
patching there.

Test: unit tests pass
Change-Id: I4225c6b52a536617301a64c405e325799a303b40
2019-06-28 11:04:07 -07:00
Tianjie Xu
c3a161e2b8 Add unit tests for simulator
Make sure the simulator succeeds executing common non-A/B update
functions.

Bug: 131911365
Test: run unit tests
Change-Id: I520ce6a8827539b88a9e36f9e67eec30d8b586d4
2019-06-27 16:17:05 -07:00
Tianjie Xu
f6158eb918 Support starting fuse from a block map
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.

This is part of the effort to install larger than 2GiB packages on ILP32
devices.

Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.

Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
2019-06-20 13:53:40 -07:00
Tianjie Xu
c1a5e26fd9 Implement an update simulator to verify BB OTA packages on host
Implement the simulator runtime and build the updater simulator as a host
executable. The code to parse the target-files and mocks the block devices
will be submitted in the follow-up.

Bug: 131911365
Test: unit tests pass

Change-Id: Ib1ba939aec8333ca68a45139514d772ad7a27ad8
2019-05-28 15:18:25 -07:00
Tianjie Xu
27556d089f Some clean ups to the updater
Remove some unnecessary includes or forward declarations. And include
the correct headers to build host executables.

Bug: 131911365
Test: unit tests pass
Change-Id: I62e75f60678159fe24619a4bd386b1416f1a5b5d
2019-05-22 14:58:28 -07:00
Tianjie Xu
e7b3c5698e Merge "Add UpdaterRuntime class" 2019-05-21 17:07:30 +00:00
Tianjie Xu
1536db887f Add UpdaterRuntime class
This class adds a wrapper to the runtime dependent functions. Therefore,
the behavior of update on device stays the same, while simulators can
have their own implementations. Also change the caller side of the
registered updater functions to call these runtime wrappers.

Bug: 131911365
Test: unit tests pass, sideload an update on cuttlefish
Change-Id: Ib3ab67132991d67fc132f27120e4152439d16ac5
2019-05-20 18:03:27 -07:00
Tao Bao
7ae0169842 Add misc_writer.
bootloader_message.h currently divides /misc into four segments. The
space between 2K and 16K is reserved for vendor use (e.g. bootloader
persists flags). This CL adds a vendor tool "misc_writer", to allow
writing data to the vendor space in /misc, before getting a dedicated
HAL for accessing /misc partition (b/131775112).

Targets need to explicitly include the module, then invoke the
executable to write data. For example, the following command will write
3-byte data ("0xABCDEF") to offset 4 in vendor space (i.e. 2048 + 4 in
/misc).
$ /vendor/bin/misc_writer --vendor-space-offset 4 --hex-string 0xABCDEF

Bug: 132906936
Test: Run recovery_unit_test on crosshatch.
Test: Call the command via init.hardware.rc on crosshatch. Check that
      the call finishes successfully. Then check the contents written to
      /misc (`dd bs=1 skip=2048 if=/dev/block/sda2 count=32 | xxd`).
Change-Id: I79548fc63fc79b705a0320868690569c3106949f
2019-05-20 15:51:26 -07:00
Tianjie Xu
58d59129e1 Add Updater class and remove UpdaterInfo
The UpdaterInfo class is merely a collection of pointers and POD types.
We can replace it with a Updater class that has the ownership of the
resources. This also makes this class extensible as we plan to add more
functionality in the host simulator.

Bug: 131911365
Test: unit tests pass, run an update on cuttlefish and check last_install
Change-Id: I07ca5963bbee8ae3cb85ccc184464910aa73d4e4
2019-05-08 23:07:04 -07:00
Elliott Hughes
a86dddbfa5 Track libziparchive API change.
Bug: http://b/129068177
Test: treehugger
Change-Id: Ie5b2b0cff087f2e9e65a4e77c187e3173357f3ad
2019-05-06 10:28:14 -07:00