BlockImageDiff has three versions. Only the incremental OTAs generated
with the latest version (3) can be re-applied to the system that's
already on the target build. Otherwise, operations like move will make
unconditional changes and damage the system. During the verification
phase, abort the OTA update if BlockImageDiff is less than 3 and it
doesn't match the checksum of the source build.
Change-Id: Ic630346eab2a993a84d0aeaacd7167ef62cc24f6
(cherry picked from commit daebaa6ed3)
This will only be used when the block file format is at least
version 3. For V1/V2 (L, L MR1) block versions, fall back to
the old range_sha1 check.
Bug: 19357591
Change-Id: I7cb178b70d48ec3c98cdb88ed1c94cf7797a01d0
(cherry picked from commit cad78c12fb)
BlockImageDiff has three versions. Only the incremental OTAs generated
with the latest version (3) can be re-applied to the system that's
already on the target build. Otherwise, operations like move will make
unconditional changes and damage the system. During the verification
phase, abort the OTA update if BlockImageDiff is less than 3 and it
doesn't match the checksum of the source build.
Change-Id: I3a776495b69e1d174fcb01b10e40c0e912914fd8
Add source and target block hashes as parameters to transfer list
commands that copy or patch data to a partition. This allows the
updater to verify the status of each command in the transfer list
and makes resuming block based OTAs possible. Due to the changes,
update the transfer list version to 3.
Needs matching changes from
I1e752464134aeb2d396946348e6041acabe13942
Bug: 18262110
Change-Id: Ia5c56379f570047f10f0aa7373a1025439495c98
(cherry picked from commit cac671a9d1)
Python 2.7's zipfile implementation wrongly thinks that zip64 is
required for files larger than 2GiB. We can work around this by
adjusting their limit. Note that `zipfile.writestr()` will not work
for strings larger than 2GiB. The Python interpreter sometimes rejects
strings that large (though it isn't clear to me exactly what
circumstances cause this). `zipfile.write()` must be used directly to
work around this.
This mess can be avoided if we port to python3.
Bug: 18015246
Change-Id: I8a476d99c5efdef6ea408373b706e9fbd3a798be
Add source and target block hashes as parameters to transfer list
commands that copy or patch data to a partition. This allows the
updater to verify the status of each command in the transfer list
and makes resuming block based OTAs possible. Due to the changes,
update the transfer list version to 3.
Needs matching changes from
I1e752464134aeb2d396946348e6041acabe13942
Bug: 18262110
Change-Id: Ia5c56379f570047f10f0aa7373a1025439495c98
Change boot, recovery, and verity metadata signing keys to use the
same PKCS8 / X.509 PEM format as the other signing keys, and update
build scripts to use correct arguments for the updated signing
tools.
Bug: 15984840
Bug: 18120110
Change-Id: I23ed5a004ecdad6cf7696487935ad5031eb8adf8
(cherry picked from commit 72d90eb189)
Generate version 2 of the block_image_update transfer list format.
This improves patch size by a different strategy for dealing with
out-of-order transfers. If transfer A must be done before transfer B
due to B overwriting A's source but we want to do B before A, we
resolve the conflict by:
- before B is executed, we save ("stash") the overlapping region (ie
the blocks B will overwrite that A wants to read)
- when A is executed, it will read those parts of source data from
the stash rather than from the image.
This reverses the ordering constraint; with these additions now B
*must* go before A. The implementation of the stash is left up to the
code that executes the transfer list to apply the patch; it could hold
stashed data in RAM or on a scratch disk such as /cache, if available.
The code retains the ability to build a version 1 block image patch;
it's needed for processing older target-files.
Change-Id: Ia9aa0bd45d5dc3ef7c5835e483b1b2ead10135fe
When generating incrementals for the system and vendor partitions,
check the first block (which contains the superblock) of the partition
to see if it's what we expect. If this check fails, give an explicit
log message about the partition having been remounted R/W (the most
likely explanation) and the need to flash to get OTAs working again.
Bug: 17393999
Change-Id: Ifd2132b428dbc4907527291712690204a3664ac0
Move BlockDifference into common and make its script generation code
more complete, so that it can be use by releasetools.py to do diffs on
baseband images.
Bug: 16984795
Change-Id: Iba9afc1c7755458ce47468b5170672612b2cb4b3
Replace the xdelta/xz-based block OTA generation with a new system
based on the existing bsdiff/imgdiff tools.
Bug: 16984795
Change-Id: Ia9732516ffdfc12be86260b2cc4b1dd2d210e886
Now that we're building and saving images in the target_files at build
time, we should use those images instead of rebuilding them.
Bug: 17201052
Change-Id: I459e650f66f1e0bdf01ad54df9e34f36bf2ee899
This ensures that when the verity key is rotated to a release key
both the boot and recovery images will be correctly signed. It does
mean that they will both be signed with the same key for now, but
as that doesn't change the threat model separating them is just a
distant nice-to-have.
Bug: 15725238
Change-Id: I5b75e4346fe0655065643ab553431690cc1a8cb0
The AOSP bootimage format allows the use of a second stage image
however the BuildBootableImage function does not allows the "second"
optional argument. This patch adds the support of this argument.
Bug: 17035158
Change-Id: I8ed9d9e56449945c2d42fc908269921c394f68c0
Signed-off-by: Benoit Fradin <benoit.fradin@intel.com>
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Patrick Tjin <pattjin@google.com>
When making bsdiff/imgdiff patches, give up after 5 minutes. (On
certain large files it can take hours to build a patch, if it ever
even completes.)
Change-Id: I123c06f8194f85f6f4e640f7eb31c7746f76ba4d
- Support TARGET_USERIMAGES_USE_F2FS.
- Support BOARD_USERDATAIMAGE_FILE_SYSTEM_TYPE.
- Support "userdata_fs_type" in the prop dict.
- Update build_image to recognize f2fs and call the correct command.
Change-Id: If31cc8bd235f93a4c7814fab36e6e2d13d3037ad
Signed-off-by: JP Abgrall <jpa@google.com>
Make vendor partition a first-class member of the OTA system (for
target_files that contain a VENDOR/ subdirectory).
Build vendor images in a way that is compatible with block-based OTA.
Support updating the vendor partition in both full and incremental,
block and file OTAs. In most cases this is handled by refactoring the
existing code to handle the system partition to handle either, and
then calling it twice.
Currently we don't support incremental OTAs from a target-files
without a VENDOR subdirectory to one with one, or vice versa. To add
or remove a vendor partition a full OTA will need to be done.
Bug: 15544685
Change-Id: I9cb9a1267060bd9683a9bea19b43a26b5a43800d
img_from_target_files.py just skipps the boot.img and recovery.img since
there is no kernel or recovery.fstab for emulator.
Bug: 15383279
Change-Id: I4035193e6ab933194ff1417dfae4eab963fe5301
A separate OEM file must be specified to provide the expected
values for these properties. The list of properties comes from
the "oem_fingerprint_properties" list in misc_info.txt
Bug: b/13367676
Change-Id: I1a3eaf108492132cf6f595a5d1c9f7e0c3cb3142
The system partitions has regions that we shouldn't write and can't
depend on the contents of. Adds a new script to generate a map of
these regions (using the sparse image as input), and include the map
in the package zip so it can be used when writing or patching the
system partition.
Also fixes a bug where the wrong SELinux file contexts are used when
generating incrementals.
Change-Id: Iaca5b967a3b7d1df843c7c21becc19b3f1633dad
The target_files zip should now contain the recovery-from-boot patch
and the script to install it. This means that sign_target_files_apks,
which generates a signed target_files from an unsigned target_files,
now needs to recompute the patch and script (taking into account the
key replacement, property changes, etc., that it does) so its output
contains the correct patch.
Change-Id: I18afd73864ba5c480b7ec11de19d1f5e7763a8c0
Currently, the "img" zip files generated by the build system lack the
script and data needed to rewrite the recovery partition, while the
"ota" zip files do (when installed).
In order to move towards block-based OTAs, we want the result of
flashing an image and the result of installing the corresponding OTA
package to be identical.
Generate the recovery-from-boot patch and install script as part of
the process of building the target-files. This requires breaking the
code to generate that out of ota_from_target_files into its own tool
that we can run from the Makefile. (ota_from_target_files can still
do this, so it continues to work with older target-files.)
Bug: 12893978
Change-Id: I80e62268840780b81216e548be89b47baf81b4ac
If the target_files zip for the target build contains a
META/releasetools.py (which it has since Nov 2013), prefer that over
using a releasetools.py from the local client.
Explicitly specifying the device-specific extensions path via
command-line options takes priority over both of the above mechanisms.
Change-Id: Ia068b0e2e06ede7da89ebe4315cdec592eb8995e
Revert "Waiting till post MR0 - this impacts signing tools for MR0."
This reverts commit a7b5c4a7dc.
Bug: 11334314
Change-Id: I89f8996161e4258b80bf2d0bc7817f0e8e32df13
Added support to perform a string replace of specified
dev keys with release keys when using the release tool
scripts.
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
(cherry picked from commit 817c574d75)
Change-Id: I51be8d62945436d3f374f51867295c5b792d4b53
Bug: 11334314
The existing logic in common.py breaks string arguments incorrectly:
e.g. --para1 val1 --para2 "val2 is a string" will be output as:
'--para', 'val1, '--para2', 'val2' 'is' 'a' 'string'
This will cause mkbootimg command fails due to the invalid arguments
generated from the wrong parsing.
The patch fixes this issue to get:
'--para', 'val1, '--para2', 'val2 is a string'
Change-Id: Ia34ec357550f11ae9d6adc719d86a0c6a9099fbc
Signed-off-by: Jianxun Zhang <jianxun.zhang@intel.com>
Support using custom mkbootimg to allow boards to specify custom
boot image formats. Also export this as the environment variable
MKBOOTIMG to the *_from_target_files releasetools scripts.
Change-Id: I2084273b1175de097fb7da5c4f2264ea8014d74f
Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
Added support to perform a string replace of specified
dev keys with release keys when using the release tool
scripts.
Change-Id: Id0e945b0d62720c41f5ca9764a00de4bcdecaab4
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Details:
* New --signapk_path, --extra_signapk_args, --java_path.
* New --public_key_suffix, --private_key_suffix so you can change the filenames.
* Fixes raising exceptions on error.
Change-Id: I0b7014b6d779d52ae896f95dfecb1bcccf536cf4
(cherry picked from commit a28acc6972)
Details:
* New --signapk_path, --extra_signapk_args, --java_path.
* New --public_key_suffix, --private_key_suffix so you can change the filenames.
* Fixes raising exceptions on error.
Change-Id: I0b7014b6d779d52ae896f95dfecb1bcccf536cf4
Arrange to take $(BOARD_MKBOOTIMG_ARGS) and pass it to all invocations
of mkbootimg from within make, and to store it in the target_files so
it can be used by future invocations of img_from_target_files and
ota_from_target_files.
Bug: 6918260
Change-Id: I7130ac52e96bd51d4d8b80ca036635e1626f01f1
When building a bootable image with mkbootfs, use the set of file
metadata that's stored in the target_files zip (when available),
rather than whatever is built into the mkbootfs binary at the time the
image is built.
Bug: 6435132
Change-Id: If6c59149bdbcc9a67e5ab9161398f355bd1f511d
A block of code that should be evaluated for all
image types was instead only being run for yaffs
partitions.
Change-Id: I83ccbd7fa3c1bc02b9bba0832701ecc258e40a7d
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Bug: 5153694
To build cache.img, set BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE (required,
ext4 only for now), BOARD_CACHEIMAGE_PARTITION_SIZE (optional) in
BoardConfig.mk.
Change-Id: I1d8b91646aa1dba88285e008ad3335768bcbddd2
Gmake in Darwin has file descriptor leak.
In a full build, ota_from_target_files will inherits
more than 2000 open PIPEs from gmake and fails in a call to select.select().
This change fixes the build by closing the PIPEs before doing real work.
Change-Id: Ie7035d7add0b1da3afb6bf9c2009d40f8c7d29b3
img_from_target_files now, with the -z flag, will produce an output
zip with only the bootable partitions (boot and recovery).
img_ and ota_from_target_files can take, instead of a simple
"target_files.zip", a name of the form
"target_files.zip+bootable_images.zip", where the second zip contains
bootable images that should be used instead of building them from the
target_files.zip. (This should be the zip produced by the above -z
flag, perhaps with the images messed with in some way, such as by an
unnamed OEM's extra signature wrapper for their "secure boot"
process.)
Bug: 3391371
Change-Id: Iaf96dfc8f30e806ae342dcf3241566e76ae372d4
Gmake in Darwin has file descriptor leak.
In a full build, ota_from_target_files will inherits
more than 2000 open PIPEs from gmake and fails in a call to select.select().
This change fixes the build by closing the PIPEs before doing real work.
Change-Id: Ife021382198642a97bbbf0b623e4f24f3d86b2b2
Merge commit '8317e66433903badaec8ebd2b9ec2b8153f3d612'
* commit '8317e66433903badaec8ebd2b9ec2b8153f3d612':
make info_dict and GetTypeAndDevice available to device extensions
Include the recovery.fstab file in the recovery image. Remove the
global fs_type and partition_type values from the target-files
key/value dict, and parse the recovery.fstab file instead to find
types for each partition.
(Cherrypicked from gingerbread w/some edits to resolve conflicts.)
Change-Id: Ic3ed85ac5672d8fe20280dacf43d5b82053311bb
Include the recovery.fstab file in the recovery image. Remove the
global fs_type and partition_type values from the target-files
key/value dict, and parse the recovery.fstab file instead to find
types for each partition.
Change-Id: I35ee2dd0989441dc2a704b63c1b32e598049acb5
Instead of separate files for recovery api version, tool extensions,
and mkyaffs2 options, put those all in the generic key-value file.
Change-Id: Ib642311632844d52e4895fd4747093fc7e86232d
Do the yaffs-specific adjustments to image sizes in common.CheckSize,
instead of baking it into the image size stored in the target-files
package. Remove the special fs_type flag and fold it into the
"info_dict" we have for saving key-value pairs from the build system.
Change-Id: I6e63f3330f6277d9a946b22e66cadeb51203ba14
Move the image sizes into a more generic key-value file. Make them
optional. Add additional key/value pairs describing what kind of
filesystem the device uses. Pass new fs-type-related arguments in
edify scripts when mounting and reformatting partitions.
Don't include all the init.*.rc files from the regular system in
recovery -- they aren't needed, and break recovery on some devices.
Change-Id: Ic1c651f754ed00ba1cffe8cf56c43f7f3b0ebfd7
This makes them accessible from device-specific extensions (so they
can be used to send radio images as binary patches, for instance).
Change-Id: I2f2174b93b4265abf9400f9e5a0982caca0771e9
Setting LOCAL_CERTIFICATE to "EXTERNAL" now marks an apk (either a
prebuilt or otherwise) as needing the default test key within the
system, but one that should be signed after the target_files is
produced but before sign_target_files_apks does the rest of the
signing. (We use this to ship apps on the system that are signed by
third parties, like Facebook.)
The check_target_files_signatures determines what key was used to sign
every .apk in a given target_files. It can compare that signature to
that of another target_files (eg, the previous release for that
device) and flag any problems such as .apks signed with a different
key.
Store the location of the releasetools extensions in the target-files
zip, and make ota_from_target_files use that stored location by
default (though it can still be overridden with -s if desired).
When unzipping a target-files which has been signed with OTA key
replacement, you'll get "overwrite this file?" prompts because the key
files appear in the zip files twice. Suppress these prompts.
Many developer phone products don't define PRODUCT_OTA_PUBLIC_KEYS, so
add a default key.
This change doesn't affect device code.
Merge commit 'b6153173952895441e55d0ff6be332bb7c7605e2'
* commit 'b6153173952895441e55d0ff6be332bb7c7605e2':
use the max image sizes from the target files zip
For some time now the build system has included all the max image
sizes in a file in the META directory. Use these instead of needing
to parse the BoardConfig.mk file for the device at the time of
building an image or OTA package.
If we fail to load the device-specific releasetools module (ie, if -s
is specified but the file is missing), issue an error message but
continue without any device-specific code.
If the source target-files zip omits files needed to build the
recovery and/or boot images, leave them out instead of dying with an
error. This lets build like "generic-userdebug" work.
Replace the installation of the "radio image", which is an
HTC-specific notion, with calls to device-specific python modules that
can add whatever additional OTA script commands are necessary. Add
the -s flag to specify the location of the device-specific script
(replacing the unused -s flag in sign_target_files_apks).
The ota and img building scripts contained some hardcoded 'linux-x86'
paths. Remove and replace with a slightly redefined -p option.
Modify Makefile to pass correct -p when building.
Some devices define a BOARD_KERNEL_BASE argument which must be given
as an argument to mkbootimg when building a bootable image. Store the
value of this var (if any) in the target-files zip and use it when
building images.
Make the following things optional:
- kernel command lines for bootable images
- radio images
- bootloader assertions
These are not all (yet?) defined for some new devices.
In python 2.5 and earlier, ZipFile.writestr(filename, data) results in
the file being added to the archive with permissions 000. (See
http://svn.python.org/view?view=rev&revision=65235.) Work around this
by creating a ZipInfo object and setting the permissions explicitly.
Use minigzip (from the zlib distribution, built in the android tree)
to compress images rather than the system install of gzip. This will
let us send useful patches for images since we can make zlib available
in the applypatch program.
Allow the user to set ANDROID_PW_FILE to the name of a file for
storing password keys. When the tools need additional passwords, they
will rewrite this file and invoke the user's editor for the new
passwords to be added. This allows passwords to be reused across
invocations of the signing tools, without making the user reenter them
every time.
Paranoid users can use a file stored in a ramdisk, or not use this
feature at all (the code will prompt for passwords in the ordinary way
when ANDROID_PW_FILE is not set).
The build system now (in donut) produces builds that use the testkey
cert for OTA package verification. Change the app-signing script to
also optionally substitute the "real" cert in both the recovery and
system images. Also fix bug where the build fingerprint and
description were not getting properly updated in the recovery
partition.
building images & OTA packages out of vendor/google.
No device code is touched by this change.
Original author: dougz
Merged from: //branches/cupcake/...
Automated import of CL 144270
