Currently, init can create logical partitions by hardcoding them in
fs_mgr or by specifying them in device-tree. This change allows init to
also create logical partitions by using liblp, which stores partition
tables in a physical partition. The current name for this partition is
"android".
Two aspects of this code will change long-term. One, the prototype code
using device-tree will be deleted once fastboot supports logical
partitions. Two, libdm will obsolete most of the code in
fs_mgr_dm_linear.cpp. For now however we preserve how the prototype code
functions and we layer liblp on top of the existing dm_linear logic.
Bug: 79173901
Test: N/A
Change-Id: If014a109da78fa12269bf0df0dda39028ac2d1aa
This adds an API to fs_mgr for reading dm-linear tables out of device trees
and issuing device-mapper ioctls. The device tree code will be
implemented separately. The dm-linear structures in fs_mgr are organized
assuming we may want to pull them from sources other than DT (for
example, text files, binary blobs, or something hardcoded for testing).
File systems which are mounted from these logical partitions have
specific fstab requirements. The block device must be a partition name,
and if Verified Boot is used, that name must match the vbmeta partition name.
Second, the entry must have the "logical" fs_mgr flag. Example fstab
entry:
vendor /vendor ext4 ro wait,logical
Example fstab entry in device tree:
vendor {
compatible = "android,fstab";
dev = "vendor";
type = "ext4";
mnt_flags = "ro";
fs_mgr_flags = "wait,slotselect,avb,logical";
};
Bug: 78914864
Test: N/A
Change-Id: I4d8878ea8858f26310119616cadc3ee0dd08566c
fs_mgr isn't usable by C now as we've migrated all fs_mgr clients in AOSP
to CPP. Removing the support for C clients.
Bug: 67024518
Bug: 67444051
Test: boot sailfish
Change-Id: Iac57f51eb6a524c6dcdc625c83af75602b4f9b3b
Test: I solemnly swear I tested this conflict resolution.
Merged-In: If8fc73e4ae4c2f8281c41a12f1c18079aab8baa2
Change-Id: Iadfcd7e75044d62f2015dc62c69ee68869b40cd7
libfstab is a subset of libfs_mgr, intended for vendors to use. It
exposes APIs for reading fstab. Note this 'visible to vendor' does not
mean that the API should be stable forever. The API can be changed in
later releases of Android, ,but the newer Android must not cause
run-time error when there is an older version of this static library
being used somewhere.
Bug: 62990533
Test: BOARD_VNDK_VERSION=current m -j libfstab.vendor
Change-Id: I371174fa1f6b4de6d6dd437b84ce4ed1e8740672
Merged-In: If8fc73e4ae4c2f8281c41a12f1c18079aab8baa2
The generic system.img released from project Treble can't contain any verity
metadata (e.g., vboot 1.0, AVB, or any other implementation) because it's
*generic*. To make any device can boot with it, `avbctl disable-verification`
is introduced to set a new flag AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED
in the top-level vbmeta to disable the entire AVB verification process. This
should be done prior to flash the generic system.img. See the following link
for details:
https://android-review.googlesource.com/#/c/418399/
This CL checks whether AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED is
set in the top-level vbmeta. When set, skip verifying the vbmeta structs
against androidboot.vbmeta.{hash_alg, size, digest} because it will be
absent in kernel cmdline. Also, only top-level vbmeta struct is read then
returned by libavb in this case.
Note that another flag AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED, usually
set by `adb disable-verity`, is used to signal fs_mgr to skip setting up
dm-verity, but libavb still verifies all vbmeta structs. fs_mgr will
also verify all vbmeta structs against androidboot.vbmeta.{hash_alg,
size, digest} from kernel cmdline as well.
Also rename SetUpAvb() to SetUpAvbHashtree() to better fit its usage.
This function will return kDisabled when any of the above two flags is set.
Finally, regardless of which flag is set or not set, we still only allow two
return values from avb_slot_verify():
- AVB_SLOT_VERIFY_RESULT_OK: it's still possible to get this value
when any of these flags are set in build time. e.g.,
BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS=--flags 2
- AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: in most cases we should
get this value, because the flags are likely set at run time.
Bug: 62523303
Test: boot device with 'avbctl disable-verification'.
Test: boot device with 'avbctl enable-verification'.
Test: boot device with 'adb disable-verity'.
Test: boot device with 'adb enable-verity'.
Test: build image with BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS=--flags 2, then boot device.
repeat the above steps to boot device again.
Change-Id: Ie8436f3e0e82c78490208f3b85eac5238a9fdfdb
In case of non-secure builds (eng variant) fs_mgr_setup_verity() skips
verity checks regardless of fstab options. This is slightly different
than 'adb disable-verity' where it would first read the verity metadata
to check if verity is disabled.
So, this change adds a new return value of FS_MGR_SETUP_VERITY_SKIPPED
instead of piggy backing on the FS_MGR_SETUP_VERITY_DISABLED.
Bug: 62864413
Test: Boot sailfish
Change-Id: I42bf2bdce0ecb18b4c3b568e2bc96bf1590dfb35
Signed-off-by: Sandeep Patil <sspatil@google.com>
Current first stage mount for AVB requires specifying a common prefix of
by-name symlink for all AVB partitions. It limits all AVB partitions to be on
the same block device.
firmware {
android {
compatible = "android,firmware";
vbmeta {
compatible = "android,vbmeta";
parts = "vbmeta,boot,system,vendor";
by_name_prefix="/dev/block/platform/soc.0/f9824900.sdhci/by-name" <-- *removing this*
};
fstab {
compatible = "android,fstab";
vendor {
compatible = "android,vendor";
dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
type = "ext4";
mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
fsmgr_flags = "wait,avb";
};
};
};
};
For normal mount with AVB, it extracts the by-name prefix of /misc
partition and use it as the prefix for all other partitions:
- /dev/block/platform/soc.0/f9824900.sdhci/by-name/misc ->
- /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a
Fix this by adding an internal map in FsManagerAvbOps to record the mapping
from partition name to its by-name symlink:
ByNameSymlinkMap["vendor_a"] = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a"
Two overloaded factory methods are then provided for FsManagerAvbUniquePtr:
- FsManagerAvbUniquePtr Open(ByNameSymlinkMap&& by_name_symlink_map):
for first stage mount, where the by-name symlink map will be
constructed externally, from the uevents processed by init, before
invoking this factory method.
- FsManagerAvbUniquePtr Open(const fstab& fstab): for normal mount,
where the by-name symlink map will be constructed from the input fstab
internally.
Bug: 37552224
Test: first stage mount /vendor with vboot 1.0
Test: first stage mount /vendor with vboot 2.0 (AVB)
Test: normal mount /vendor with vboot 2.0 (AVB)
Change-Id: Id17e8566da87ea22b8923fcd6e47db8d45bc7d6a
Current AVB flow in fs_mgr doesn't allow verification error even if the
device is unlocked. This makes first stage mount fail when the device
is flashed with a different-sized boot.img because there is verification
error (HASH_MISMATCH) for the boot partition.
Fix this by allowing verification error only when the device is
unlocked. Whether to enable dm-verity for HASHTREE partitions is still
controlled by the HASHTREE_DISABLED flag in the top-level vbmeta.
Bug: 37985430
Test: First stage mount /vendor with AVB on a device.
Check dm-verity is enabled on /vendor.
Test: Unlock device, flash a different-sized boot.img. Boot device and check
dm-verity is still enabled on /vendor.
Test: First stage mount /vendor with AVB on a device with HASHTREE_DISABLED
is set on the top-level vbmeta, check dm-verity is not enable on /vendor.
Change-Id: I709431bc1c37e4f86133d171cee8e90621cdb857
- Returns FS_MGR_MNTALL_FAIL for failure paths in fs_mgr_mount_all()
- Removes the 'goto out' in fs_mgr_do_mount() as there is nothing to do in
the 'out' label now. Also removes the "ret = FS_MGR_DOMNT_FAILED;" and
just return FS_MGR_DOMNT_FAILED directly for the default failure path.
- Changes some LERROR to PERROR
Test: Use fs_mgr_do_mount() to mount /system with AVB
Change-Id: I126a0124a5c9d61302f40ab9db16989500d9777e
Set ro.boot.avb_version to "AVB_VERSION_MAJOR.AVB_VERSION_MINOR".
During Treble OTA match, the major version must be the same as that in
the avb metadata on disk, while the minor version can be equal or
greater to that in the avb metadata on disk.
See how avb versioning work on the following link:
https://android-review.googlesource.com/#/c/342757/
Also renames AvbHashtreeDisabled() -> hashtree_disabled().
Bug: 35322304
Test: Early mount with AVB, checks [ro.boot.avb_version]: [1.0] exists.
Test: Not enable AVB, checks [ro.boot.avb_version] doesn't exists.
Change-Id: I5aaf476ca53c4fe817779518ba14b68ebcfdc6d6
fs_mgr_update_verity_state() is invoked by 'verity_update_state' in
init.rc. It will then set property "partition.system.verified" and
"partition.vendor.verified" to verify_mode. We should support this for
AVB as well.
Also change the order of static libs in init to fix the build error
after this change:
system/extras/ext4_utils/ext4_crypt.cpp:69: error: undefined reference to 'property_get'
Bug: 35416769
Test: Mount /system and /vendor with vboot 2.0 (AVB), check the following properties exist.
- [partition.system.verified]: [2]
- [partition.vendor.verified]: [2]
Test: Mount /system and /vendor with vboot 1.0, check the following properties exist.
- [partition.system.verified]: [0]
- [partition.vendor.verified]: [0]
Change-Id: I4328d66a8cb93f26e7960e620a0b2292d5f15900
Several changes in this CL:
- Moves class FsManagerAvbHandle to public API
- Adds a parameter 'wait_for_verity_dev' for FsManagerAvbHandle::SetUpAvb()
to allow not to wait for verity device gets created
- Adds FsManagerAvbHandle::AvbHashtreeDisabled() to query whether AVB is disabled
- Adds fs_mgr_is_avb() to query whether a fstab_rec has MF_AVB flag
Bug: 33254008
Test: test AVB on bullhead
Change-Id: I89c43ca574ae632db8a700fc2590a1f80212c993
The function returns "_a" or "_b" based on two possible values in
kernel cmdline:
- androidboot.slot = a or b OR
- androidboot.slot_suffix = _a or _b
Bug: 33254008
Bug: 36533366
Test: boot sailfish
Change-Id: Ia0a524e4145ebf61af5821f42ecad212c95ed748
Currently there is no client requires fs_mgr_read_fstab_with_dt() so
remove this API. Devices with fstab entries in device tree should use
fs_mgr_read_fstab_default() to get default fstab, or just use
fs_mgr_read_fstab_dt() to get those in device tree.
Bug: 35811655
Test: normal boot sailfish
Test: run factory data reset in sailfish
Test: recovery boot sailfish
Test: adb sideload in sailfish
Change-Id: I1579d81cea7366cf3867cfe5ad56feb36cbb7246
With the early mount support in init, fstab entries of verified partitions
(e.g., /system, /vendor) will be moved into device tree in kernel image.
Those early mount fstab entries will be removed from the fstab file to
prevent duplicated and/or inconsistent settings.
This change adds a new function: fs_mgr_read_fstab_with_dt(), to return
the combined results from both places. It also removes
fs_mgr_read_fstab_file() from the public APIs and makes it as an
internal function.
Bug: 35811655
Test: early mount /vendor with dm-verity on sailfish
Change-Id: I2fba3614685bf9f852a789cda6f53013e2164e60
With init parsing fstab fragments from kernel separately, the fs_mgr
would completely miss the device tree entries. That leads to things like
'adb remount' to go through without warning for verity even if /system
is verified. This happens because 'verity_update_state' completely
misses the partitions passed to android through the device tree.
solution is to teach fs_mgr about device tree fstab entries and add 2
new public APIs.
1. fs_mgr_read_fstab_dt() - reads device tree and returns fstab
generated from it.
2. fs_mgr_read_fstab_default() - reads both device tree fstab and
/fstab.{ro.hardware} and returns the combined table.
This also reduces the hardcoded /fstab.{ro.hardware} occurence only to
fs_mgr and for eveyone who wants to read the "default" fstab must be
changed to call fs_mgr_read_fstab_default() instead. e.g. adb.
b/27805372
Test: Angler was used since it has 2 early mounted partitions instead of
one. 1 verified and 1 unverified.
- Boot angler successfully without early mount
- Boot angler successfully with /vendor early mount and test if 'adb
remount' warns us about verity
- Boot angler successfully with both /system and /vendor early mounted
and ensure 'adb remount' warns us about verity.
- check partitions.system.verified status after /system early mount ot
ensure it is set to VERITY_MODE_DEFAULT.
- 'adb disable-verity' with early mounted /system doesn't work due to
missing changes in adb
TODO:
change adb to use the new fs_mgr_read_fstab_default() API
Change-Id: I82038d87c7a44488e938acce2cc1082c08f6f73a
Signed-off-by: Sandeep Patil <sspatil@google.com>
While technically possible, the verification at boot basically will
block init for as long as the entire partition is read while nothing
else is running. Disallow that as this is not going to be used anywhere.
Bug: 27805372
Test: boot angler with verifyatboot fs_mgr option for early mounted
vendor partition. That resulted in a panic() as expected.
Change-Id: I9da5caa163cae8bce6dbfb630f0ed5605ea044a0
Signed-off-by: Sandeep Patil <sspatil@google.com>
Consequently this removes the 'early' version of the exact same API.
This is to be used by early mount code where we need to do
1. setup verity
2. create verity device
3. mount partition
as separate steps since that happens during init first stage.
b/27805372
Test: Boot sailfish successfully
Change-Id: I01abecfdfa210d3e240a291ddcb3d2e9ed39ede6
Signed-off-by: Sandeep Patil <sspatil@google.com>
This is to be used in early mount case where we will have a fully
prepared fstab_rec. fs_mgr_do_mount() does a lot more checks and
spends time preparing verity / avb devices before it does the actual
mount.
b/33254008
Test: Boot sailfish
Change-Id: I4481b5af8d900c8b7e3355b7513c325d8f2ecff2
Signed-off-by: Sandeep Patil <sspatil@google.com>
This is done by parsing 'androidboot.fstab=<fstab>' kernel cmdline
option to get the fstab file that *only* specifies partitions to be
mounted early (i.e. in init's first stage).
Note that, the same fstab file may not be used as an argument to
mount_all later in the boot as that will cause fs_mgr to fail with
EBUSY.
TODO:
- Possibly add a new mount_mode so the same fstab can be used for
early_mount, 'mount_all --early/--late' etc.
- Add support for dm-verity enabled partitions to mount early.
- Add support for getting fstab arguments through DT instead of kernel
cmdline.
Bug: 27805372
Test:
Boot angler by passing a seperate fstab file using the kernel
cmdline option to mount vendor partition early, remove the vendor
partition entry from the main fstab file for the test.
Boot sailfish by passing a seperate fstab entry via device tree
to mount vendor partition early. Remove vendor partition entry from
the main fstab file for the test
Change-Id: I18785b893c54c8cee960ab44d5e8f83e5d624aa8
Signed-off-by: Sandeep Patil <sspatil@google.com>
Make the fs_mgr changes needed to support specifying aes-256-heh
filenames encryption. To do this, extend the "fileencryption" fstab
option to have the syntax
fileencryption=contents_encryption_mode[:filenames_encryption_mode].
The previous filenames encryption mode, aes-256-cts, remains supported
and will be used by default if no mode is explicitly specified.
For consistency, also make "aes-256-xts" an alias for the "software"
contents encryption mode.
Bug: 34712722
Change-Id: I74c0f5fe7cddde7055d7b031d96a2916ca611eb7
When doing a factory reset in recovery, flash erase & logical block
sizes are needed for tuning the parameters of the new userdata image.
Add flags to allow this information to be stored in recovery.fstab
Test: Factory reset marlin & confirm userdata is rebuilt correctly
Bug: 33243520
Change-Id: I6c4414d4e9026be4a3646523656ac151e93015e7
Signed-off-by: Connor O'Brien <connoro@google.com>
Pointer from strdup is lost hence triggers mem leak warning from
clang, since ptr returned from basename may not point to start of
duplicated string any more.
Switch to use gnu version of basename which doesn't modify input
string so that strdup is no longer necessary.
Bug: 27126348
Test: compile
Change-Id: I937a68c01c223230932c932bffdd35da6503c3c4
To support upcoming disk usage calculation optimizations, this change
adds a new 'quota' mount flag. As part of mounting an ext4 device,
we now enable/disable the quota feature using tune2fs to match the
requested value in the fstab.
When changing the quota status, we force a fsck pass on the device
before actually mounting it to prime the quota data structures which
are stored in hidden inodes.
Changing quota state and priming the data structures needs to happen
before we actually mount the device, so fs_mgr is the best place to
place this logic.
Test: builds, boots, enables and disables quota
Bug: 27948817
Change-Id: I7ccbf97cbc4a679bdd7a31a77be4b99aa9a88e66
These reserved blocks used to root or claim to CAP_SYS_RESOURCES process.
Change-Id: I4893bdb08399bf31a7640d4a63f4952cd636576f
Merged-In: I4893bdb08399bf31a7640d4a63f4952cd636576f
Signed-off-by: liminghao <liminghao@xiaomi.com>
