When we want to automatically reboot after a sideload, it doesn't make
much sense to try and prompt the user for a reboot into recovery.
Change-Id: Id0195965362b62bf940caba1f83ffe12191a73c6
* android::base::Split already supports multiple separators
* Make FINGERPRING_SEPARATOR a #define so that we can easily
append the other separator. Why even was it ever a char* ?
Note that we cannot directly make FINGERPRINT_SEPARATOR use ':'
as a separator because, as the name suggests, it's also used to
split build fingerprints which include ':' as a valid character.
Change-Id: I101e394d8e9fd7f2cbfcf01314e9bda38146c7d5
Dynamic partitions need special handling:
* Block device path read from fstab is actually
the partition's name
* We need to use BLKROSET ioctl for allowing
write operations
Change-Id: Ib0a018f789716c9fc43db9316d15dbda13991c1e
When wiping /system, the partition isn't actually mounted at /system
or / - it's mounted at /mnt/system. This breaks 'format system' from
recovery if the partition has been mounted.
This patch adds an ensure_volume_unmounted function that finds all
mounts of a given device and unmounts them, meaning the device
can be safely formatted.
Change-Id: Id4f727f845308a89e865f1ba60dc284f5ebc66e1
This allows A/B devices to install legacy (non-payload) style update.zip
packages like our addonsu or gapps.
Do not abort an update if META-INF/com/android/metadata is missing,
instead use it to determine whether the update is an A/B ota or not.
Change-Id: I907a92732470b947de007dde11fb71db64d94c9b
* From android-11, recovery warns the user about the danger of
rebooting after a failed update, but if we didn't even start
the install procedure it doesn't really make much sense.
Change-Id: Ifaf5eae9fe6e1d915a035e2570c22260de59f99b
Only allow test-key OTA to be installed on test-key devices,
and only allow release-key OTA to be installed on release-key devices.
Test: sideload recovery OTA
Bug: 314013134
Change-Id: I6609923929247ab498d3a315637765ae2d1370b0
This CL is created as a best effort to migrate test targets to the new Android ownership model.
It is based on historical data from repository history and insights from git blame.
Given the nature of this effort, there may be instances of incorrect attribution. If you find incorrect or unnecessary
attribution in this CL, please create a new CL to fix that.
For detailed guidelines and further information on the migration please refer to the link below,
go/new-android-ownership-model
Bug: 304529413
Test: N/A
Change-Id: Ia2268756e71b22238b17b21d336f5f7e5bd35b0b
For 16K dev options, we might need to reformat /data partition as ext4
before enabling the feature. Add necessary support to recovery.
Test: Trigger reboot with --wipe_data --reformat_data=ext4, make sure
/data is reformatted with ext4 on next boot
Bug: 293313353
Change-Id: I3cb67a62635a2df578472cd48cf6d2f5e04b5f82
This allows us to erase the system image without resetting the MTE
state. This is useful for TestHarness looking to re-use an MTE enabled
device without incurring an extra reboot to re-enable after reboot.
Bug: 300694575
Change-Id: Ie1ea6891361e561189b9390b97b0b4a4c3a6d7e8
Makes testing easier, brick packaegs can now be tested directly in
recovery w/o having to go through GOTA.
Test: adb sideload brick_ota.zip
Bug: 273561331
Change-Id: I48214dc03e63b69e61fc217bc3f58923bb90a9a6
Devices that launched with Android 10 or later require FBE (File Based
Encryption) from the beginning, so there's no need to support converting
to FBE after the fact anymore. This was only ever a developer option,
so it probably wasn't used much. And in any case, it's not used
anymore, as isConvertibleToFBE() is hard-coded to return false. Besides
the fact that FBE has been required for several releases now, this
functionality was only ever available on devices that use FDE (Full Disk
Encryption), but FDE support has been removed from Android.
Therefore, remove this unused code.
Bug: 208476087
Change-Id: I1f56c8e05fb3fba09aab4bf5f8609b0f552b8999
Normally, if an ota package has --wipe_user_data flag, we set bootloader
parameter --wipe_data, so that next boot into bootloader will wipe
userdata. But this doesn't work in recovery, likely because after
recovery we don't reboot to bootloader, but directly boot into android.
Therefore perform data reset in recovery if the OTA package has
POWERWASH flag.
Bug: 203507329
Test: apply an OTA pkg with --wipe_user_data, verify that data wipe
happened
Change-Id: Icca4a5f74246bde44a5fd589395404c9f57867ee
Applying an SPL downgrade package can cause boot failures
(/data failed to decrypt). Today's ota_from_target_files
tool already try to prevent this. But Packages generated
using older tools are still around.
Add check in recovery to prevent such OTA package from
installing.
Test: th
Test: Sideload an OTA with newer SPL, make sure check passes
Test; Sideload an OTA with older SPL, make sure check fails
Bug: 186581246
Change-Id: Icffe8097521c511e151af023a443ccbb4b59e22c
Right now the "Erasing" animation displays after the merge step
during the FDR process; and the merge can take 3-4 minutes. The
users maybe confused about the blank screen and forcefully
reboot the device.
Bug: 181636823
Test: add sleep merge, check the animation displays correctly.
Change-Id: Ib23b1ed3a84e95640271a429c51a3d3c142dc404
New() should be used instead of NewForFirstStageMount().
Bug: 168258606
Test: data wipe with VABC merge in progress
Change-Id: Idf2b01a504b577766da303091721764242e99a69
On 32bit devices, an ZipEntry64 may have size > 2^32, we should check
for such cases before attempting to allocate memory.
Test: mm -j
Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.
Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro
This CL updates recovery code to recognize them
Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
Check the package metadata to determine whether this is an
A/B or non-A/B update package. This is more accurate.
Also checks ro.virtual_ab.allow_non_ab flag. This is useful for
continuously supporting (and testing) non-A/B.
Bug: 153581609
Test: apply non-A/B update on cuttlefish
Change-Id: I629a533a67966d46d9cd87a59c6b9af26daf1667
(cherry picked from commit 2a4afd29a1)
Merged-In: I629a533a67966d46d9cd87a59c6b9af26daf1667
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures
Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
This reverts commit 5e6c4e9a91.
Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420
Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Mounting /system in Virtual A/B devices may require the creation of the
associated snapshot devices.
This patch performs all the required initializations prior to attempting
the mount of /system.
Bug: 139157327
Test: manual /system partition mount on VAB device during OTA
Depends-on: I7337bdd38d7016d12d3ee42be1c7893b10e9116d
Change-Id: I71a9dfc57e1a1354f1f1edc5d287aca93c0c8924
Signed-off-by: Alessio Balsini <balsini@google.com>
After an OTA is applied, a wipe in recovery may overwrite components of
dynamic partitions living in userdata. If the OTA has not yet begun
merging, we mark the current slot unbootable. If the OTA has begun
merging, we wait for the merge to complete. This logic is encapsulated
in libsnapshot.
Bug: 139156011
Test: manual test
Change-Id: Id6544a1b8583afcbba11559d46214ec2e68ffa40
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.
Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
Since this was combined into libhidlbase.
Bug: 135686713
Test: build only (libhidltransport is empty)
Change-Id: I253e50726967044714275ab995fb8a8a57bcde36
