Commit graph

45 commits

Author SHA1 Message Date
David Anderson
c52663c4ea Append -verity when looking for verity device-mapper names.
Bug: 123666267
Test: recovery_component_test passes
Change-Id: I9b608b3fbfa14cc45ad0b4de6cb5cecdef983acb
2019-04-01 17:13:11 -07:00
Treehugger Robot
2e6fbfc31e Merge "Update_verifier: Remove the support for legacy text format CareMap" 2019-03-14 11:00:30 +00:00
Tao Bao
c89c394b46 update_verifier: Add some missing #include's.
<stdint.h> for uint8_t; <stdlib.h> for free(3); <thread> for
std::thread.

Test: mmma -j bootable/recovery
Test: Run unit tests on crosshatch.
Change-Id: Id99b29b3d514f4e453983599c8b1aa6b0fab4ef8
2019-03-13 15:45:39 -07:00
xunchang
aaa6103ae7 Update_verifier: Remove the support for legacy text format CareMap
We have already switched to the protobuf format for new builds, and
the downgrade packages will require a data wipe. So it should be safe
to drop the support for text format.

This also helps to save the issue when users sideload a package with a
pending OTA, because the new CareMap contains the fingerprint of the
intended build.

Bug: 128536706
Test: unit tests pass, run update_verifier with legacy CareMap
Change-Id: I1c4d0e54ec591f16cc0a65dac76767725ff9e7c4
2019-03-13 15:24:13 -07:00
Daniel Rosenberg
15f22bddfb Defer marking boot successful when checkpointing
This moves actually marking the slot as successful to a later point
so that on devices with checkpointing enabled we can still roll back to
the previous version if we fail to boot to the point that the checkpoint
is marked as successful.

Test: When taking an update on a checkpoint enabled device, it
      defers marking the slot as successful instead of directly
      marking it. Visible in logs.
Bug: 123260515

Change-Id: I7ed3595c1b0904ddbfe20d1cad4f69ecbf1ea351
2019-02-07 13:26:05 -08:00
Tianjie Xu
9eed65e1db Compare the fingerprint before reading the partition
The update_verifier now compares the fingerprint of a partition before
performing the blocks read. If the fingerprint of the current system property
mismatches the one embedded in the care_map, verification of this partition
will be skipped. This is useful for the possible system only updates in the
future.

Bug: 114778109
Test: unit tests pass
Change-Id: Iea309148a05109b5810dfb533d94260d77ab8540
2018-10-04 16:42:57 -07:00
Tianjie Xu
f595a46735 Enable fingerprint in care_map
Enable the encoding and parsing of the property_id & partition
fingerprint by default; and add a flag "--no_fingerprint" to disable
the fingerprint generation/parsing to convert the legacy care_map.txt

Bug: 114778109
Test: run unittests in add_img_to_target_files
Change-Id: Id4216d5954e78c3a2d8e8bf19342109daf66a528
2018-09-26 20:14:53 -07:00
Tianjie Xu
446b64b659 Refactor update_verifier into a class
The refactor separates out the parsing of care_map and the actual
verification of the partitions. Moreover, it skips the verification in case
of a format error in the care map.

Also, the parsing of care_map now uses the suffix of the file to
tell if it has the protobuf format or the plain text format.

Bug: 115740187
Test: unit test pass
Change-Id: I7aa32004db02af1deb7bfdc6f5bd7921eb7883e5
2018-09-20 15:10:52 -07:00
Tianjie Xu
7e520d24fe Add a python binary to generate the protobuf for care_map
This binary parses the legacy care_map text in the input file and writes
the generated protobuf message into the output file. For test purpose,
it also has a "--parse_proto" option to reverse the process and convert
a protobuf message file into plain text.

The build script will then call the binary to generate the care_map.txt
in the new format.

Bug: 77867897
Test: Run the binary to convert a care_map.txt, run update_verifier
Change-Id: I3ca65e19027404806132aa8d51e9bff766630c99
2018-08-16 15:09:32 -07:00
Tianjie Xu
4d9e62d8a0 Add proto3 support for care_map
Switching to the protobuf format helps to make the care_map more
extensible. As we have such plans in the future, add the support to
parse the protobuf message in the update_verifier.

Bug: 77867897
Test: unit tests pass, update_verifier successfully verifies a care_map.pb
Change-Id: I9fe83cb4dd3cc8d6fd0260f2a47338fe142d3938
2018-07-25 14:15:22 -07:00
Tao Bao
afb9fc29a2 update_verifier: Move to Soong.
Test: mmma -j bootable/recovery
Change-Id: I3a3574c89318304231c01f7633d32ece31df098c
2018-04-20 14:26:38 -07:00
Tao Bao
1cc0351915 Make update_verifier generic across verified boot versions.
This allows the update_verifier in a general system image to work across
devices that have different verified boot versions (i.e. not supported /
verified boot 1.0 / verified boot 2.0 / disabled).

Bug: 78283982
Test: Run recovery_component_test on both of marlin and walleye.
Test: Generate an OTA that has this CL. Install this OTA and check the
      update_verifier log during the post-reboot verification, on both
      of marlin (VB 1.0) and walleye (VB 2.0).
Test: Build and flash walleye image with verified boot disabled. Check
      that update_verifier marks the slot as successfully booted.
Change-Id: I828d87d59f911786531f774ffcf9b2ad7c2ca007
2018-04-20 14:26:38 -07:00
Tao Bao
ec2e8c6c1e update_verifier: Support verifying product partition.
We have added the support for building /product partition in build
system (the CL in [1]), where /product is an optional partition that
contains system files. This CL adds the matching support if /product
needs to be verified during A/B OTA (i.e. listed in care_map file).

[1]: commit b7735d81054002961b681f4bdf296d4de2701135,
https://android-review.googlesource.com/c/platform/build/+/598454

Bug: 63974895
Test: Run update_verifier test on walleye.
Change-Id: Ia1c35e9583b8e66c98a4495b1f81a5ea7e65036f
2018-03-23 11:41:32 -07:00
Isaac Chen
26fd78c024 Let update_verifier work on non-AB update devices
Make update_verifier check if it runs on A/B update devices at the
beginning, and quit immediately if it doesn't, instead of rebooting.

Bug: 70541023
Test: On aosp/master:
    $ lunch aosp_x86_64-userdebug; m -j # boot to home screen
    # On goog/master:
    $ lunch aosp_walleye-userdebug; m -j # boot to home screen

Change-Id: Ib71a3a3b272cfa5dd0b479eaa067eedaec8fde7d
2017-12-14 10:20:07 +08:00
Tao Bao
160514bf2b Load-balancing update_verifier worker threads.
Prior to this CL, the block verification works were assigned based on
the pattern of the ranges, which could lead to unbalanced workloads. This
CL adds RangeSet::Split() and moves update_verifier over.

a) For the following care_map.txt on walleye:
system
20,0,347,348,540,556,32770,33084,98306,98620,163842,164156,229378,229692,294914,295228,524289,524291,524292,524348,529059
vendor
8,0,120,135,32770,32831,94564,98304,98306

Measured the time costs prior to and with this CL with the following
script.

$ cat test_update_verifier.sh
  #!/bin/sh

  adb shell stop
  adb shell "cp /data/local/tmp/care_map.txt /data/ota_package/"
  for i in $(seq 1 50)
  do
    echo "Iteration: $i"
    adb shell "bootctl set-active-boot-slot 0"
    adb shell "echo 3 > /proc/sys/vm/drop_caches"
    adb shell "time /data/local/tmp/update_verifier"
    sleep 3
  done

Without this CL, the average time cost is 5.66s, while with the CL it's
reduced to 3.2s.

b) For the following care_map.txt, measured the performance on marlin:
system
18,0,271,286,457,8350,32770,33022,98306,98558,163842,164094,196609,204800,229378,229630,294914,295166,501547
vendor
10,0,42,44,85,2408,32770,32806,32807,36902,74242

It takes 12.9s and 5.6s without and with the CL respectively.

Fixes: 68553827
Test: recovery_unit_test
Test: Flash new build and trigger update_verifier. Check the balanced
      block verification.
Change-Id: I5fa4bf09a84e6b9b0975ee5f522724464181333f
2017-11-08 23:04:28 -08:00
Tao Bao
6ec94c023e update_verifier: Fix the wrong computation with group_range_count.
'group_range_count' doesn't properly consider the pair-wise range
structure. It may split the ranges into wrong pairs if it evaluates to
an odd number.

For example, for an input range string of "6,0,2,10,12,20,22" with 4
threads, group_range_count becomes 1. It would then try to verify (0,2),
(2,10), (10,12) and (12,20). Note that (2,10) and (12,20) are not valid
ranges to be verified, and with (20,22) uncovered.

Bug: 68343761
Test: Trigger update_verifier verification. Check the number of verified
      blocks against the one in care_map.txt.
Change-Id: I7c5769325d9866be06c45e7dbcc0c8ea266de714
2017-10-29 14:51:25 -07:00
Tianjie Xu
a009ce05e2 update_verifier now logs to kmesg
Set up update_verifier logging to be written to kmsg, because we may
not have logd during boot time.

Bug: 64713327
Test: logs show up in `adb shell dmesg`
Change-Id: If02f460bda121cd3e9062bc0e08107c6da66492c
2017-08-15 18:57:17 +00:00
Wei Wang
5226f4715d update_verifier: verify blocks in parallel
This CL is to change update_verifier to verify blocks in parallel to
maximize storage bandwidth; it also preallocates the buffer to avoid
vector allocation within the reading loop.

Test:
care_map.txt:
system
16,0,517,556,32770,33084,98306,98620,163842,164156,229378,229692,294914,295228,483544,524288,524296
vendor
8,0,119,135,32770,32831,96150,98304,98306

With CL:
init: Service 'update_verifier_nonencrypted' (pid 711) exited with status 0 waiting took 2.978424 seconds

Without CL:
init: Service 'update_verifier_nonencrypted' (pid 695) exited with status 0 waiting took 4.466320 seconds

Bug: 63686531
Test: reboot with manual insert care_map.txt
Change-Id: Idf791865f15f6ff6cad89bf7ff230ee46c6adccc
(cherry picked from commit bd9664b5a0)
2017-08-09 22:59:16 -07:00
David Zeuthen
1a0929cc8a update_verifier: Support androidboot.veritymode being empty or 'disabled'.
Bootloaders using libavb will set androidboot.veritymode=disabled if
the "disable dm-verity" flag has been set. Additionally if the
"disable verification" flag is set androidboot.veritymode will not be
set at all. Handle both cases.

Without this fix we'll end up in a bootloop.

Test: Manually tested on a device using AVB.
Bug: 64315394
Change-Id: I8310849e347248f4a96158838310f688ecef4211
2017-08-08 12:48:43 -04:00
Tao Bao
5a1dee01df update_verifier: Handle legacy care_map.txt gracefully.
update_verifier should be backward compatible to not reject legacy
care_map.txt from old releases, which could otherwise fail to boot into
the new release.

For example, we've changed the care_map format between N and O. An O
update_verifier would fail to work with an N care_map.txt - a) we have
switched update_verifier to read from device mapper in O; b) the last
few blocks that contain metadata can't be read via device mapper. This
could be a result of sideloading an O OTA while the device having a
pending N update.

Bug: 63544345
Test: As follows on sailfish:
 1. Flash the device with this CL;
 2. Put a copy of N care_map.txt at /data/ota_package/. Restore the
    permissions properly ('cache' group);
 3. `adb reboot bootloader`;
 4. `fastboot set_active <current_slot>`
 5. Device boots up into home screen, with a warning in logcat that says
    it has skipped legacy care_map.txt.
Change-Id: I6acc88c9e655a9245e6531f176fef7953953935f
2017-07-21 17:17:03 -07:00
David Zeuthen
8ed9738b62 update_verifier: Support AVB.
When using AVB, PRODUCT_SUPPORTS_VERITY is not set so check for
BOARD_ENABLE_AVB as well. Also AVB sets up the root filesystem as
'vroot' so map that to 'system' since this is what is
expected. Managed to test at least that the code is compiled
in:

 $ fastboot --set-active=_a
 Setting current slot to 'a'...
 OKAY [  0.023s]
 finished. total time: 0.023s

 $ fastboot reboot
 rebooting...

 finished. total time: 0.050s

 $ adb wait-for-device

 $ adb logcat |grep update_verifier
 03-04 05:28:56.773   630   630 I /system/bin/update_verifier: Started with arg 1: nonencrypted
 03-04 05:28:56.776   630   630 I /system/bin/update_verifier: Booting slot 0: isSlotMarkedSuccessful=0
 03-04 05:28:56.776   630   630 W /system/bin/update_verifier: Failed to open /data/ota_package/care_map.txt: No such file or directory
 03-04 05:28:56.788   630   630 I /system/bin/update_verifier: Marked slot 0 as booted successfully.
 03-04 05:28:56.788   630   630 I /system/bin/update_verifier: Leaving update_verifier.

Bug: None
Test: Manually tested on device using AVB bootloader.
Change-Id: I13c0fe1cc5d0f397e36f5e62fcc05c8dfee5fd85
2017-05-24 14:14:11 -04:00
Tianjie Xu
8fa8f0b16c Fix potential OOM in update_verifier
Limit the size of each read to 1024 * BLOCKSIZE. (Same as the I/O limit
of each transfer command for block based OTA).

Bug: 37729708
Test: U_V sets slot successfully on sailfish, and it takes about ~20s
(no noticeable time increase)
Change-Id: I7a6cdc744fe4c0760e09e0afed75b89c16d8eac3
2017-04-27 14:22:40 -07:00
Tao Bao
83b0780ddd Separate libupdate_verifier module and add testcases.
Enable -Wall and expose verify_image() for testing purpose.

Test: mmma bootable/recovery
Test: recovery_component_test
Change-Id: I1ee1db2a775bafdc1112e25a1bc7194d8d6aee4f
2017-04-27 08:57:23 -07:00
Tianjie Xu
0ad2de5eab Add 'system' to update_verifier's gid
This addresses the denial to /dev/cpuset/tasks:
update_verifier: type=1400 audit(0.0:377): avc: denied { dac_override }
for capability=1 scontext=u:r:update_verifier:s0
tcontext=u:r:update_verifier:s0 tclass=capability permissive=1

update_verifier: type=1400 audit(0.0:378): avc: granted { write } for
name="tasks" dev="cgroup" ino=5 scontext=u:r:update_verifier:s0
tcontext=u:object_r:cgroup:s0 tclass=file

Bug: 37358323
Test: denial message gone after adding system group
Change-Id: I66b4925295a13fbc1c6f26a1bb9bd2f9cebcec3d
2017-04-18 11:34:30 -07:00
Treehugger Robot
310fa65c02 Merge "update_verifier: correct group in rc file" 2017-04-04 01:06:21 +00:00
Tom Cherry
3a8002f8c0 update_verifier: correct group in rc file
update_verifier should be in the cache group, not 'class'.

Also use PLOG instead of LOG if care_map.txt cannot be opened.

Bug: 36818743
Test: boot sailfish
Test: fake OTA on sailfish and verify update_verifier reads care_package
Change-Id: I0ec844cac5ef5c63b18ebee90160854fd84ee829
2017-04-03 16:31:16 -07:00
Wei Wang
a015cd1d7a update_verifier: tweak priority of update_verifier for quick boot
Highest ioprio is 0 for CFQ and we should run update_verifier with that.
Tested on device and showing boottime decreased.

Bug: 36511808
Bug: 36102163
Test: Boot marlin
Change-Id: Iddd925951d976e21014b61e5590bcdae3cea8470
2017-04-03 13:53:49 -07:00
Tianjie Xu
5a176c0d3c Use regular check for partition name instead of CHECK()
Bug: 36260064
Test: Device reboots for invalid care_map.
Change-Id: Id614f0d118fc2b9d9abf24918aa4b4324f4c94e1
2017-03-31 23:54:05 +00:00
Tianjie Xu
21d481c81e Merge "Update_verifier should read blocks in EIO mode" 2017-03-31 22:17:00 +00:00
Tianjie Xu
3958a95f54 Update_verifier should read blocks in EIO mode
Update_verifier will reboot the device if it fails to read some blocks
on the care_map when veritymode=eio. Also make some partition name
changes to match the care_map.txt.

Test: Update_verifier reboots the device after read failures in eio mode.
Change-Id: Icf68e6151dee72f626a9ab72946100cf482a4e6c
2017-03-30 22:11:56 -07:00
Tom Cherry
545317f4fb update_verifier: raise priority and ioprio and start with exec_start
Raise the priority and ioprio of update_verifier and launch with
exec_start.  This saves ~100ms of time before `class_start main` is executed.

Bug: 36511808
Bug: 36102163
Test: Boot bullhead
Test: Verify boottime decrease on sailfish
Change-Id: I944a6c0d4368ead5b99171f49142da2523ed1bdd
2017-03-28 15:55:20 -07:00
Tao Bao
db57f0d7f4 update_verifier: Set the success flag if dm-verity is not enabled.
For devices that are not using dm-verity, update_verifier can't verify
anything, but marks the successfully-booted flag unconditionally.

Test: Successfully-booted flag is set on devices w/o dm-verity.
Test: Successfully-booted flag is set after verification on devices w/
      dm-verity.
Change-Id: I79ab2caec2d4284aad0d66dd161adabebde175b6
2017-03-10 15:16:27 -08:00
Tianjie Xu
b0ac872014 update_verifier should read dm wrapped partition
update_verifier used to read from system_block_device, which bypasses
dm-verity check completely. Switch update_verifier to read the corresponding
'/dev/block/dm-X' instead. U_v gets the verity block device number by
comparing the contents in '/sys/block/dm-X/dm/name'.

Bug: 34391662
Test: update_verifier detects the corrupted blocks and dm-verity triggers the reboot on Sailfish.
Change-Id: Ie5c50c23410bd29fcc6e733ba29cf892e9a07460
2017-01-26 11:08:03 -08:00
Tao Bao
42906e06b3 Merge "update_verifier: Move property_get() to android::base::GetProperty()." 2017-01-24 23:37:22 +00:00
Chris Phoenix
0157c78674 bootctrl HAL uses "default" service name
The getService() and registerAsService() methods of interface objects
now have default parameters of "default" for the service name. HALs
will not have to use any service name unless they want to register
more than one service.

Test: builds; verify HAL still works

In support of b/33844934

Change-Id: I5ce988128b0471384e1472298a0ae383df2b7c3e
Merged-In: I86c44aaaaf663e774c631a469ebf2b81619f89c4
2017-01-20 14:17:10 -08:00
Tao Bao
4f8d217971 update_verifier: Move property_get() to android::base::GetProperty().
Also make minor changes to android::base::ParseUint(), which accepts
std::string now.

Test: Flash an A/B device and make sure update_verifier works (by
      marking the active slot as successfully booted).

Change-Id: Id6e578671cb3c87160c2b6ca717ee618ecf2342a
2017-01-20 12:19:23 -08:00
Connor O'Brien
ad43d2dd30 Switch update verifier to HIDL HAL
Test: UV logs show success in both binderized and passthrough modes.
Bug: 31864052
Change-Id: Ied67a52c458dba7fe600e0fe7eca84db1a9f2587
Signed-off-by: Connor O'Brien <connoro@google.com>
2016-11-21 13:48:42 -08:00
Connor O'Brien
30628db65c Revert "Convert update_verifier to boot HIDL HAL"
This reverts commit f50593c447.

Bug: 32973182
Change-Id: I5b14a812671ea02575cb452242ff1a6f05edb9c1
2016-11-18 20:16:53 +00:00
Connor O'Brien
f50593c447 Convert update_verifier to boot HIDL HAL
Test: Flashed device and confirmed update_verifier runs successfully
Change-Id: I5bce4ece1e3ba98f57299c9cf469a5e2a5226ff2
Merged-In: I5bce4ece1e3ba98f57299c9cf469a5e2a5226ff2
Signed-off-by: Connor O'Brien <connoro@google.com>
2016-11-16 11:07:24 -08:00
Tianjie Xu
d007cf2da2 Touch blocks in care_map in update_verifier
Read all blocks in system and vendor partition during boot time
so that dm-verity could verify this partition is properly flashed.

Bug: 27175949
Change-Id: I38ff7b18ee4f2733e639b89633d36f5ed551c989
Test: mma
(cherry picked from commit 03ca853a1c)
(cherry picked from commit 4bbe0c93c8)
(Fix a typo when comparing the verity mode)
(cherry picked from commit da654af606)
(Skip update verification if care_map is not found)
2016-11-09 20:10:27 +00:00
Tianjie Xu
7aa88748f6 Turn on -Werror for recovery
Also remove the 0xff comparison when validating the bootloader
message fields. As the fields won't be erased to 0xff after we
remove the MTD support.

Bug: 28202046
Test: The recovery folder compiles for aosp_x86-eng
Change-Id: Ibb30ea1b2b28676fb08c7e92a1e5f7b6ef3247ab
2016-09-29 19:21:24 -07:00
Tianjie Xu
7b0ad9c638 Switch recovery to libbase logging
Clean up the recovery image and switch to libbase logging.

Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
2016-09-01 18:33:25 +00:00
Tao Bao
612161ef1c update_verifier: Track the API change for isSlotBootable().
[1] added a new API isSlotMarkedSuccessful() to actually query if a
given slot has been marked as successful.

[1]: commit 72c88c915d957bf2eba73950e7f0407b220d1ef4

Change-Id: I9155c9b9233882a295a9a6e607a844d9125e4c56
2015-12-09 14:41:40 -08:00
Tao Bao
740e01e2bd update_verifier: Log to logd instead of kernel log.
logd already gets started before we call update_verifier.

Bug: 26039641
Change-Id: If00669a77bf9a6e5534e33f4e50b42eabba2667a
(cherry picked from commit 45eac58ef1)
2015-12-08 11:24:35 -08:00
Tao Bao
7197ee0e39 Add update_verifier for A/B OTA update.
update_verifier checks the integrity of the updated system and vendor
partitions on the first boot post an A/B OTA update. It marks the
current slot as having booted successfully if it passes the verification.

This CL doesn't perform any actual verification work, which will be
addressed in follow-up CLs.

Bug: 26039641
Change-Id: Ia5504ed25b799b48b5886c2fc68073a360127f42
(cherry picked from commit 1171d3a12b)
2015-12-08 11:24:11 -08:00