Commit graph

49 commits

Author SHA1 Message Date
Bowgo Tsai
d13b6cf29c recovery: replacing fs_mgr_read_fstab() with new fs_mgr APIs
The fstab settings of early-mounted partitions (e.g., /vendor) will be in
kernel device tree. Switch to the new API to get the whole settings with
those in device tree:

    fs_mgr_read_fstab_with_dt("/etc/recovery.fstab")

The original default /fstab.{ro.hardware} might be moved to
/vendor/etc/. or /odm/etc/. Use another new API to get the default fstab
instead of using the hard-coded /fstab.{ro.hardware}. This API also
includes the settings from device tree:

    fs_mgr_read_fstab_default()

Bug: 35811655
Test: boot sailfish recovery
Change-Id: Iaa56ac7f7b4c4dfc7180c65f03e9a37b94f1de09
2017-03-10 17:27:31 +08:00
Tianjie Xu
ceafe69fb8 Merge "Retry ioctl in uncrypt if it returns block# 0" 2017-01-07 01:11:13 +00:00
Tao Bao
1033408801 Add tests for setup-bcb and clear-bcb via uncrypt.
Bug: http://b/33534933
Test: recovery_component_test passes (and fails on buggy build due to
      the CL in [1]).

[1]: commit 7e31f421a5

Change-Id: I120498048ec1db8f9fcbb3cf135c05d3a48cfcdf
2016-12-13 17:46:03 -08:00
Tianjie Xu
bc42603a8d Retry ioctl in uncrypt if it returns block# 0
In some conditions, ioctl(fd, FIBMAP, &block) returns block number 0.This
is a failure to locate the actual block number of the update package and
will result in an invalid block.map. This CL retries ioctl a few times
if it returns block number as 0.

Bug: 31632090
Test: On N9, uncrypt retries ioctl and produces the correct blockmap.
Change-Id: I913f98cf5c112915c2e803d0683db273c89053b6
2016-12-05 11:59:58 -08:00
Tianjie Xu
f2574b8206 Merge "Allow uncrypt to work without socket communication"
am: 4c1f3eda98

Change-Id: I8e86d4201d2fac0293e70df54e0816c96e85a9b7
2016-11-12 01:02:33 +00:00
Tianjie Xu
7ceff3e003 Allow uncrypt to work without socket communication
It was inconvenient to uncrypt a update package under adb shell
because the uncrypt executable required a socket to start its job.
Add a workaround to allow uncrypt executes without socket
communication.

Test: run uncrypt under adb shell, and the block map generates successfully
Bug: 29906218

Change-Id: Ibc328b31636d925dc429ede8dcec7392a721dd53
(cherry picked from commit 28c1e5d3aa)
2016-11-11 13:51:15 -08:00
Yabin Cui
fd99a318fe Verify wipe package when wiping A/B device in recovery.
To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.

Based on the original cherrypick, this CL also has additional changes to
address the LOG statements and libziparchive changes.

Bug: 29159185
Test: Build and boot into recovery.

Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
(cherry picked from commit 6faf0265c9)
2016-10-19 11:19:15 -07:00
Yabin Cui
8b309f6970 Create bootloader_message static library.
bootloader_messages merges bootloader_message_writer
and bootloader.cpp, so we can use the same library to
manage bootloader_message in normal boot and recovery mode.

Bug: 29582118

Change-Id: I9efdf776ef8f02b53911ff43a518e035e0c29618
(cherry picked from commit 2f272c0551)
2016-10-18 11:37:05 -07:00
Tianjie Xu
68fc81e860 Report uncrypt errors in details
Add the error codes for uncrypt and report the failure details in
uncrypt_status.

Test: uncrypt_error logs correctly in last_install
Bug: 31603820
Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
(cherry picked from commit 0c68675f5ae80cd669e0bf014a69689b6fe08eee)
2016-09-29 11:27:46 -07:00
Tianjie Xu
b0d0ee3c7d Merge "Report uncrypt errors in details" am: af8b9363c6 am: 7582609d61
am: fc887a8fba

Change-Id: I5e83be10f4443c8b107821975b3506381fcbdf0c
2016-09-27 21:25:26 +00:00
Tianjie Xu
da44cf18f3 Report uncrypt errors in details
Add the error codes for uncrypt and report the failure details in
uncrypt_status.

Test: uncrypt_error logs correctly in last_install
Bug: 31603820
Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
2016-09-26 22:48:45 -07:00
Elliott Hughes
130f6c86f5 resolve merge conflicts of d5c7d6b to nyc-mr1-dev-plus-aosp
Change-Id: Ia041044547351a3e65b647bb9913aa18c7d2c97c
2016-09-26 12:53:52 -07:00
Elliott Hughes
cb22040c63 Switch to <android-base/properties.h>.
Bug: http://b/23102347
Test: boot into recovery.
Change-Id: Ib2ca560f1312961c21fbaa294bb068de19cb883e
Merged-In: Ib2ca560f1312961c21fbaa294bb068de19cb883e
2016-09-26 09:51:37 -07:00
Tianjie Xu
707583a4ab save uncrypt status to last_install am: e16e799dfd
am: 4769f209dc

Change-Id: Ic9056d4af518df3747743ec6b2886fa437029395
2016-09-13 01:50:40 +00:00
Tianjie Xu
e16e799dfd save uncrypt status to last_install
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery
reads the file and saves its contents to last_install.

Bug: 31383361
Test: Tested on angler and uncrypt_time reports correctly.

(cherry picked from commit fe16b5ccaf)

Change-Id: Id69681a35c7eb2f0eb21b48e3616dcda82ce41b8
2016-09-12 16:59:48 -07:00
Tianjie Xu
fe16b5ccaf save uncrypt status to last_install
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery
reads the file and saves its contents to last_install.

Bug: 31383361
Test: Tested on angler and uncrypt_time reports correctly.

Change-Id: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
Merged-In: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
2016-09-12 22:55:36 +00:00
Tianjie Xu
c21edd4654 Switch recovery to libbase logging
Clean up the recovery image and switch to libbase logging.

Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
(cherry picked from commit 747781433f)
2016-09-01 14:32:55 -07:00
Tianjie Xu
7b0ad9c638 Switch recovery to libbase logging
Clean up the recovery image and switch to libbase logging.

Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
2016-09-01 18:33:25 +00:00
Yabin Cui
9b15ba8269 resolve merge conflicts of 2f272c0 to nyc-mr1-dev-plus-aosp
Change-Id: I889d94a723415ad2e660b8c99e66935142918bc4
2016-06-30 15:13:12 -07:00
Yabin Cui
2f272c0551 Create bootloader_message static library.
bootloader_messages merges bootloader_message_writer
and bootloader.cpp, so we can use the same library to
manage bootloader_message in normal boot and recovery mode.

Bug: 29582118

Change-Id: I9efdf776ef8f02b53911ff43a518e035e0c29618
2016-06-30 11:02:38 -07:00
Yabin Cui
bf049bffe2 resolve merge conflicts of ed4c49c to nyc-mr1-dev-plus-aosp
Change-Id: I8788cc80473dc77bfa0cd2682f3acb6e17ac36df
2016-06-21 11:09:38 -07:00
Yabin Cui
6faf0265c9 Verify wipe package when wiping A/B device in recovery.
To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.

Bug: 29159185

Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
2016-06-20 18:18:02 -07:00
Chih-hung Hsieh
0231e7016d Merge "Fix google-runtime-int warnings." am: a1f4a1e
am: bcad1d1

* commit 'bcad1d1ced730478c94f951034d252e777661332':
  Fix google-runtime-int warnings.

Change-Id: Ifad31026502e3375f4833899056662da540319b5
2016-04-18 22:34:41 +00:00
Chih-Hung Hsieh
54a2747ef3 Fix google-runtime-int warnings.
Bug: 28220065
Change-Id: Ida199c66692a1638be6990d583d2ed42583fb592
2016-04-18 12:29:30 -07:00
Yabin Cui
49ef1342c1 resolve merge conflicts of a58a6db to nyc-dev-plus-aosp
Change-Id: I6d95fbd33f570d60e2caf42931ef6aa9f2634239
2016-04-08 18:33:01 -07:00
Yabin Cui
a58a6dbe3d uncrypt: split libbootloader_message_writer for reuse.
init and vold also need to write bootloader message, so
split this function from uncrypt into a separate library.

Bug: 27176738
Change-Id: If9b0887b4f6ffab6162d9cb47a6ceb7eedd60b4d
2016-04-08 11:46:56 -07:00
Yabin Cui
6507265906 uncrypt: remove --read-bcb option.
Bug: 27897241
Change-Id: I4f52ada58e8f204dba8c974ea0ae03876411ecf0
(cherry picked from commit 61799baba3)
2016-03-29 18:14:44 -07:00
Yabin Cui
0c39203698 resolve merge conflicts of 61799ba to nyc-dev-plus-aosp
Change-Id: Ib1d0afe9022ec82f05be8b56201e73505160cacc
2016-03-29 16:47:18 -07:00
Yabin Cui
912e87e91d Merge "uncrypt: fix call to close()." into nyc-dev 2016-03-29 22:48:08 +00:00
Yabin Cui
ffa3a1c222 uncrypt: fix call to close().
Bug: 27897229
Change-Id: Iab5e829af1676f7fcd8a4b00a194aa679ed4e372
2016-03-29 15:35:58 -07:00
Yabin Cui
61799baba3 uncrypt: remove --read-bcb option.
Bug: 27897241
Change-Id: I4f52ada58e8f204dba8c974ea0ae03876411ecf0
2016-03-29 14:33:35 -07:00
Elliott Hughes
d6ac68665d Fix uncrypt.cpp unique_fd build breakage.
Change-Id: I4654f59463d1f3e1f4450e937cd910508b64c157
2016-03-29 12:53:36 -07:00
Elliott Hughes
20ab2db8f1 resolve merge conflicts of 5cf4701 to nyc-dev-plus-aosp
Change-Id: Ia69f8b070c05cfe201115de510e3c12e813e38b5
2016-03-29 11:15:47 -07:00
Elliott Hughes
bcabd09293 Switch to <android-base/unique_fd.h>.
Change-Id: I13ba3f40bd52b5f3e3fe9002a45a9a8630040129
2016-03-29 08:18:34 -07:00
Tao Bao
3a2bb594df uncrypt: Communicate via /dev/socket/uncrypt.
We used to rely on files (e.g. /cache/recovery/command and
/cache/recovery/uncrypt_status) to communicate between uncrypt and its
caller (i.e. system_server). Since A/B devices may not have /cache
partitions anymore, we switch to socket communication instead.

We will keep the use of /cache/recovery/uncrypt_file to indicate the OTA
package to be uncrypt'd though. Because there is existing logic in
ShutdownThread.java that depends on the existence of the file to
detect pending uncrypt works. This part won't affect A/B devices without
/cache partitions, because such devices won't need uncrypt service (i.e
the real de-encrypt work) anyway.

Bug: 27176738
Change-Id: I481406e09e3ffc7b80f2c9e39003b9fca028742e
2016-03-02 23:23:32 -08:00
Tao Bao
5b3b373a49 uncrypt: Retire pre-recovery service.
The framework CL in [1] removes the use of "pre-recovery" service which
is basically to trigger a reboot into the recovery.

[1] commit e8a403d57c8ea540f8287cdaee8b90f0cf9626a3

Bug: 26830925
Change-Id: I131f31a228df59e4f9c3024b238bbdee0be2b157
2016-02-22 17:33:41 -08:00
Yabin Cui
2d46da57e1 uncrypt: add options to setup bcb and clear bcb.
Bug: 26696173

Change-Id: I3a612f045aaa9e93e61ae45b05300d02b19bb3ad
2016-02-03 10:43:03 -08:00
Yabin Cui
25dd0386fe uncrypt: generate map file by renaming tmp file.
Writing map file directly can break consistency in map file if
it fails in the middle. Instead, we write a temporary file and
rename the temporary file to map file.

Bug: 26883096
Change-Id: I5e99e942e1b75e758af5f7a48f8a08a0b0041d6a
2016-02-01 14:43:14 -08:00
Daniel Micay
c5631fc096 uncrypt: avoid use-after-free
The `std::string package` variable goes out of scope but the input_path
variable is then used to access the memory as it's set to `c_str()`.

This was detected via OpenBSD malloc's junk filling feature.

Change-Id: Ic4b939347881b6ebebf71884e7e2272ce99510e2
2016-01-12 14:08:34 -08:00
Tao Bao
b8df5fb90e uncrypt: Suppress the compiler warnings on LP64.
We have the following warnings when compiling uncrypt on LP64 (e.g.
aosp_angler-userdebug).

bootable/recovery/uncrypt/uncrypt.cpp:77:53: warning: format specifies type 'long long' but the argument has type 'off64_t' (aka 'long') [-Wformat]
        ALOGE("error seeking to offset %lld: %s\n", offset, strerror(errno));
                                       ~~~~         ^~~~~~
                                       %ld
bootable/recovery/uncrypt/uncrypt.cpp:84:54: warning: format specifies type 'long long' but the argument has type 'unsigned long' [-Wformat]
            ALOGE("error writing offset %lld: %s\n", (offset + written), strerror(errno));
                                        ~~~~         ^~~~~~~~~~~~~~~~~~
                                        %lu
bootable/recovery/uncrypt/uncrypt.cpp:246:16: warning: comparison of integers of different signs: 'size_t' (aka 'unsigned long') and 'off_t' (aka 'long') [-Wsign-compare]
    while (pos < sb.st_size) {
           ~~~ ^ ~~~~~~~~~~

According to POSIX spec [1], we have:
  off_t and blksize_t shall be signed integer types;
  size_t shall be an unsigned integer type;
  blksize_t and size_t are no greater than the width of type long.

And on Android, we always have a 64-bit st_size from stat(2)
(//bionic/libc/include/sys/stat.h).

Fix the type and add necessary casts to suppress the warnings.

[1] http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/sys_types.h.html

Change-Id: I5d64d5b7919c541441176c364752de047f9ecb20
2015-12-09 10:45:39 -08:00
Elliott Hughes
4b166f0e69 Track rename from base/ to android-base/.
Change-Id: I354a8c424d340a9abe21fd716a4ee0d3b177d86f
2015-12-04 15:30:20 -08:00
Elliott Hughes
63b089e3aa We can use fclose directly in std::unique_ptr.
It turns out the standard explicitly states that if the pointer is
null, the deleter function won't be called. So it doesn't matter that
fclose(3) doesn't accept null.

Change-Id: I10e6e0d62209ec03ac60e673edd46f32ba279a04
2015-11-12 21:07:55 -08:00
Jaegeuk Kim
cc4e3c6002 uncrypt: remove O_SYNC to avoid time-out failures
This patch removes costly O_SYNC flag for encrypted block device.
After writing whole decrypted blocks, fsync should guarantee their consistency
from further power failures.
This patch reduces the elapsed time significantly consumed by upgrading packages
on an encrypted partition, so that it could avoid another time-out failures too.

Change-Id: I1fb9022c83ecc00bad09d107fc87a6a09babb0ec
Signed-off-by: Jaegeuk Kim <jaegeuk@motorola.com>
2015-11-04 11:43:58 -08:00
Tao Bao
c754792a07 Use unique_ptr and unique_fd to manager FDs.
Clean up leaky file descriptors in uncrypt/uncrypt.cpp. Add unique_fd
for open() and unique_file for fopen() to close FDs on destruction.

Bug: 21496020
Change-Id: I0174db0de9d5f59cd43b44757b8ef0f5912c91a2
2015-08-09 22:35:49 -07:00
Tao Bao
7cf50c60b5 uncrypt: Support file level encryption.
Bug: 22534003
Change-Id: I2bc22418c416491da573875dce78daed24f2c046
(cherry picked from commit 6e9dda70cb)
2015-07-24 11:13:25 -07:00
Tao Bao
ac6aa7ede0 uncrypt: Write status when it reboots to factory reset
When it reboots into recovery for a factory reset, it still needs to
write the uncrypt status (-1) to the pipe.

Bug: 21511893
(cherry picked from commit 2c2cae8a4a)
Change-Id: Ia5a75c5edf3afbd916153da1b4de4db2f00d0209
2015-06-09 15:02:22 -07:00
Tao Bao
383b00d0e4 Separate uncrypt into two modes
uncrypt needs to be triggered to prepare the OTA package before
rebooting into the recovery. Separate uncrypt into two modes. In
mode 1, it uncrypts the OTA package, but will not reboot the
device. In mode 2, it wipes the /misc partition and reboots.

Needs matching changes in frameworks/base, system/core and
external/sepolicy to work properly.

Bug: 20012567
Bug: 20949086
(cherry picked from commit 158e11d673)
Change-Id: I349f6d368a0d6f6ee4332831c4cd4075a47426ff
2015-06-09 15:01:10 -07:00
Tao Bao
752386319c Clean up the sleep()'s after poking init services
Change-Id: I77564fe5c59e604f1377b278681b7d1bff53a77a
2015-05-27 14:48:56 -07:00
Tao Bao
381f455cac uncrypt: Switch to C++
Also apply some trivial changes like int -> bool and clean-ups.

Change-Id: Ic55fc8b82d7e91b321f69d10175be23d5c04eb92
2015-05-06 11:43:11 -07:00
Renamed from uncrypt/uncrypt.c (Browse further)