This is a pretty simplistic approach, it just shoves random data at the
verifier. The OTA format isn't too complicated so this should hopefully
be sufficient to let the fuzzer exercise the potentially interesting
parsing code.
Test: Let the fuzzer run on device for awhile:
1) FUZZ=libinstall_verify_package_fuzzer
2) SANITIZE_TARGET=hwaddress make ${FUZZ}
3) cd ${ANDROID_PRODUCT_OUT} && adb root && adb sync data
4) adb shell /data/fuzz/arm64/${FUZZ}/${FUZZ}
Change-Id: Icac6bde017b497d9f92c06191eb29e107ba9c0a7
Bump the timeout as we see some flakiness in b/170178152. The other
part of the config is copied from the auto-generated config in
out/host/linux-x86/testcases/recovery_host_test/recovery_host_test.config
Bug: 170178152
Test: treehugger
Change-Id: Ia84c90ba6a686c47ecc7d8331c7e8c7cb4b78292
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.
Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro
This CL updates recovery code to recognize them
Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
The unit tests for imgpatch is comparing the compressed bytes. As
a result, these unit tests will fail with libz change.
Since the recovery image is just a gzipped ramdisk with some wrappings,
we can generate with minigzip it during the build time. This matches
the usage in the real world, where we generate the patch with the host
side libz; and apply the patch with the library on the device.
Bug: 149443852
Test: tests pass on Pixel3
Change-Id: I7885765a161c6bf765671bc55a72cfcaa04b4138
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures
Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
This reverts commit 5e6c4e9a91.
Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420
Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
This library is empty, and its functionality has moved
into libbinder/libhwbinder.
Bug: 148692216
Test: N/A
Change-Id: Ie50d9130a8e43de7d5b222883169c26ab958e6d7
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
The layout of the vendor space /misc partition was pretty confusing and
lead to some usage conflicts. To formalize the layout, we create a pixel
specific library with the definition & offset of various flags. The new
library also handles the R/W. As a result, we will leave system domain
/misc definitions in the libbootloader_message.
We also switch the misc_writer binary to use more specific options
instead of writing an arbitrary hex string. So we can avoid redefining
the string & offset in both init script and recovery ui.
Bug: 131775112
Test: unit tests pass, run misc_writer and check contents of /misc
Change-Id: I00f8842a81d1929e31a1de4d5eb09575ffad47c0
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.
Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
And set it to false when installing recovery image via applypatch. We
only need to back up the source partition when doing in-place update
(e.g. when updating a given partition under recovery). When installing
recovery image via applypatch, we won't touch the source partition (i.e.
/boot).
Removing the backup step also allows dropping the dac_override_allowed
permission. Previously it was needed due to the access to /cache.
Because applypatch runs as root:root, while /cache is owned by
system:cache with 0770.
Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
is installed successfully without denials.
Test: recovery_unit_test passes on taimen.
Change-Id: I549a770b511762189d6672a2835b6e403d695919
Tested by running recovery_unit_test as described in
https://android.googlesource.com/platform/bootable/recovery/+/refs/heads/master/README.md
Attempted to build and boot a recovery image with the
same change to confirm it still works, but
m recoveryimage-nodeps
fails for me.
Bug: 140940227
Test: See above
Change-Id: I00545968a0e5684823e505f2ddbe7e993319b5d4
Add the command line option to select the work directory and save the
updated image files. Because some people might have interested in
getting updated images from an ota file.
Also, fix a minor issue that the destination of package_extract_file
needs to be updated if it's a block device. Otherwise, an unintended
file may be extracted in the callers' directory.
Test: run simulation, run unit tests
Change-Id: Ic6a7db0580bc1748d6e080102e4654da4e41fd8c
Stop building libimgdiff on device because we are only running
patching there.
Test: unit tests pass
Change-Id: I4225c6b52a536617301a64c405e325799a303b40
Make sure the simulator succeeds executing common non-A/B update
functions.
Bug: 131911365
Test: run unit tests
Change-Id: I520ce6a8827539b88a9e36f9e67eec30d8b586d4
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.
This is part of the effort to install larger than 2GiB packages on ILP32
devices.
Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.
Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
Implement the simulator runtime and build the updater simulator as a host
executable. The code to parse the target-files and mocks the block devices
will be submitted in the follow-up.
Bug: 131911365
Test: unit tests pass
Change-Id: Ib1ba939aec8333ca68a45139514d772ad7a27ad8
Remove some unnecessary includes or forward declarations. And include
the correct headers to build host executables.
Bug: 131911365
Test: unit tests pass
Change-Id: I62e75f60678159fe24619a4bd386b1416f1a5b5d
This class adds a wrapper to the runtime dependent functions. Therefore,
the behavior of update on device stays the same, while simulators can
have their own implementations. Also change the caller side of the
registered updater functions to call these runtime wrappers.
Bug: 131911365
Test: unit tests pass, sideload an update on cuttlefish
Change-Id: Ib3ab67132991d67fc132f27120e4152439d16ac5
bootloader_message.h currently divides /misc into four segments. The
space between 2K and 16K is reserved for vendor use (e.g. bootloader
persists flags). This CL adds a vendor tool "misc_writer", to allow
writing data to the vendor space in /misc, before getting a dedicated
HAL for accessing /misc partition (b/131775112).
Targets need to explicitly include the module, then invoke the
executable to write data. For example, the following command will write
3-byte data ("0xABCDEF") to offset 4 in vendor space (i.e. 2048 + 4 in
/misc).
$ /vendor/bin/misc_writer --vendor-space-offset 4 --hex-string 0xABCDEF
Bug: 132906936
Test: Run recovery_unit_test on crosshatch.
Test: Call the command via init.hardware.rc on crosshatch. Check that
the call finishes successfully. Then check the contents written to
/misc (`dd bs=1 skip=2048 if=/dev/block/sda2 count=32 | xxd`).
Change-Id: I79548fc63fc79b705a0320868690569c3106949f
The UpdaterInfo class is merely a collection of pointers and POD types.
We can replace it with a Updater class that has the ownership of the
resources. This also makes this class extensible as we plan to add more
functionality in the host simulator.
Bug: 131911365
Test: unit tests pass, run an update on cuttlefish and check last_install
Change-Id: I07ca5963bbee8ae3cb85ccc184464910aa73d4e4
Adds a fuse data provider that parses the metadata from a block map,
reads the data from the given ranges of the block device; and provides
the data to the fuse.
Bug: 127071893
Test: unit tests pass, install a package from block map
Change-Id: Ie9925ee9144e98642505b3f5e1a4a186d2b21ed0
The results from these functions have boolean semantics. They're
returning `int` prior to this CL, with some of them mixing 0 and
InstallResult. Note that SetUpNonAbUpdateCommands() was returning
INSTALL_CORRUPT / INSTALL_ERROR / 0 prior to this change, but all the
callers handle INSTALL_CORRUPT and INSTALL_ERROR the same way.
This CL changes them to return bool instead.
Test: `mmma -j bootable/recovery`
Test: TreeHugger
Test: Sideload on taimen.
Change-Id: Ic1b5dbf79aaca68b53ab8ea2c8ba3d19f988c571
Most of the tests in component/ are in fact unit tests. And it doesn't
look practically beneficial to distinguish between the two:
- They have the same test setup;
- We always run both (recovery_unit_test and recovery_component_test)
at the same time;
- Breaking any of them would be equally bad.
This CL merges the tests in recovery_component_test into
recovery_unit_test to save the effort to maintain both.
Test: Run recovery_unit_test on marlin (via `adb sync data`).
Test: `atest recovery_unit_test`
Change-Id: I93ff32e7219cd83425a4bcfe5613978a8dd48d75
Prior to this CL, GetWipePartitionList was declared in install.h
(libinstall) but defined in recovery.cpp (librecovery). This CL
addresses the issue by refactoring wipe-device related functions into
install/wipe_device.cpp.
Test: atest recovery_component_test
Change-Id: I7ebe04ccfda3d793e085403560a0a202752d9ee3
Also remove the AndroidTest.xml file, which is no longer needed (the
`data` property in Android.bp takes care of that). The AndroidTest.xml
file would otherwise block `atest recovery_host_test` from running.
Test: TreeHugger; check the test result.
Change-Id: If545878a1f3ae627986e19a94b42162f133b9098
The legacy png files have an empty line in the end. And the recovery
used to match any missing locale, e.g. "he" with that line and gets an
empty image.
Since the empty image is barely useful, we should just error out and
fall back to the default locale.
This reversed the unit test check added in d17a688525
Bug: 128934634
Test: run locale test with "he" and legacy images, recovery reports
error and doesn't crash even without default locale fall back
Change-Id: Ibdb7dd0b42348de5e392c834cce67ff02be85c24
This leaves the FD implementation details to subclasses. In particular,
it allows minadbd to do additional works with the FD after sideloading.
Bug: 128415917
Test: atest recovery_component_test
Test: atest minadbd_test
Test: Sideload package on taimen.
Change-Id: I106bbaad05201227bbc5fe28890bbbb06fdcb67e
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.
Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
We will reuse them to implement the fuse provider from block maps.
Test: unit tests pass, sideload an OTA
Change-Id: Iaa409d19569c4ccc0bb24e12518044fcddb45c69
This helps to expose librecovery_ui for device specific RecoveryUi.
Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
(cherry picked from commit b5108c372c)
It's no longer needed with the newly added FuseDataProvider class. Also
cleans up the parameters for run_fuse_sideload.
Bug: 127071893
Test: unit tests pass, run a sideload
Change-Id: I1ccd6798d187cfc6ac9f559ffb3f3edf08dad55c
The fuse data provider for adb/sdcard shares common code and structures.
This cl creates a FuseDataProvider base class and provides
implementations for adb and sdcard.
In the follow cls, we can kill the provider_vtab struct; and also add
another implementation to parse a block map file and provides data.
Test: unit tests pass, sideload a package, apply a package from sdcard
Change-Id: If8311666a52a2e3c0fbae0ee9688fa6d01e4ad09
