Snapuserd daemon parses the merge completion request based on
how the dm-snapshot merge is done. dm-snapshot marks the merge as
complete by zeroing out the metadata, viz. the old-chunk and new-chunk IDs.
If we have a sector 0 operation such as copy/replace op,
then old-chunk id will be 0 and new-chunk id will be a non-zero
pseudo number. Once the merge is complete, then old-chunk and new-chunk will be 0.
The problem is that the daemon used to track the merge completion just by checking
if old-chunk was non-zero. This check is not sufficient and ends up
tripping the assert in the daemon.
Bug: 178061207
Test: Modify cow_snapuserd_test to test this case and validate the
IO path.
Reported-by: Kelvin Zhang <zhangkelvin@google.com>
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I6603af1c7b55e487dc3aec0c30c0a9dea0fedb56
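The completion check described in the message above, as an added illustration (not the snapuserd code): `DiskException`, both predicates and the sample entries are constructed for this example, assuming each metadata entry is a pair of 64-bit chunk ids. An unmerged sector-0 entry has old-chunk 0, so a test on old-chunk alone counts it as already merged.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical in-memory view of one metadata entry (assumed layout).
struct DiskException {
    uint64_t old_chunk;
    uint64_t new_chunk;
};

// Insufficient check: pending only while old_chunk is non-zero.
bool PendingOldCheck(const DiskException& de) { return de.old_chunk != 0; }

// Stricter check: an entry is merged only once BOTH ids are zero.
bool PendingBothIds(const DiskException& de) {
    return de.old_chunk != 0 || de.new_chunk != 0;
}

// Count entries that a given predicate still considers unmerged.
size_t CountPending(const std::vector<DiskException>& area,
                    bool (*pending)(const DiskException&)) {
    size_t n = 0;
    for (const auto& de : area) {
        if (pending(de)) ++n;
    }
    return n;
}

// Constructed sample: one sector-0 op (old=0, new=5) not yet merged,
// one ordinary unmerged entry, and two entries zeroed by a finished merge.
std::vector<DiskException> SampleArea() {
    return {{0, 5}, {7, 6}, {0, 0}, {0, 0}};
}

int main() {
    const auto area = SampleArea();
    std::printf("old check:  %zu pending\n", CountPending(area, PendingOldCheck));
    std::printf("both ids:   %zu pending\n", CountPending(area, PendingBothIds));
    return 0;
}
```

The two predicates disagree by exactly the sector-0 entry, which is the kind of mismatch in merged-entry accounting that a consistency assert would catch.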
If a partition shrinks in an update, it must be merged before any other
partitions. Otherwise, a copy operation may source from the tail of the
shrunk partition, which could be overwritten by a merge operation in
another partition.
This patch adds a "MergePhase" indicator to the update status that is
valid only when the state is MERGING. Partitions that shrink are merged
first, and the phase will be FIRST_PHASE. Once ProcessUpdateState() has
determined that all first-phase snapshots are merged, it will switch to
SECOND_PHASE and remaining snapshots can start merging.
Otherwise, there is no change to the merge algorithm. The phase split is
an implementation detail and not exposed to update_engine.
Bug: 177935716
Test: vts_libsnapshot_test
Change-Id: I06043f8e3b81bdecefb6a4b5944a97b7086eeb49
When a partition shrinks, it is not correct to use the base device as
the "source" device for the new COW format, because we may need to read
blocks that do not exist in the new partition.
To resolve this, we store a copy of the old partition layout in /metadata,
and use it to create a "source" view of the old partition. The new
stacking looks as follows:
    partition_b (dm-snapshot):
      - partition_b-base (partition_b dm-linear)
      - partition_b-cow-user (dm-user + snapuserd):
          - partition_b-cow (COW image)
          - partition_b-src (partition_a dm-linear)
Bug: 177935716
Test: vts_libsnapshot_test
Change-Id: I872f271cc1f25cc796b94188fdde247cdc4050b4
VAB has an unused optimization that allows bypassing snapshots for the
area of a partition that grows during an OTA. The code for this is
entirely unused since the optimization was never enabled. The benefits
are marginal, and making it safe is quite complicated. The "new" region
cannot overlap with any region being relinquished by a shrink operation,
without snapshotting the region that would be overwritten. This would be
burdensome to implement and would minimize space savings.
Let's remove the code related to this optimization until we are
confident we can implement it safely in VABC.
Bug: 177935716
Test: vts_libsnapshot_test
Change-Id: I7d6a68dce57c8a4389ea6bff9f31971276a20db4
Trusty Keymaster will currently disconnect the client on an invalid
message. This includes the newly introduced GET_VERSION2 message.
While in the future we could change this behavior, this is a backcompat
path and so we can't assume a changed Trusty. Reconnect on failed
GET_VERSION2 before attempting version negotiation.
Bug: 177843218
Test: Set PIN on device using older Trusty
Change-Id: Ie60e4aaafa43e375797e6288b97834cac42413f4
The test uses 'external/avb/test/data/testkey_rsa2048.pem' from the
source tree, which is not available when running the test. Copy
the test key with the test case in Android.bp to fix the issue.
Bug: 177906739
Test: atest libvbmeta_test
Change-Id: I528dcdc5b48ed4af36ddd360380eb39631ff4317
Bug: http://b/177693725
fchmod is used to ensure profraw files are readable by all users with
Clang's profile merging.
Test: ensure mediaswcodec doesn't crash in code coverage build.
Change-Id: Ia1e3b5b51c1d2fc86d548cfd066e849b03004731
* changes:
  libsnapshot: Fix incorrect CHECK in PerformInitTransition().
  libsnapshot: Propagate the compression bit across state changes.
  libsnapshot: Adjust partition sizes so tests pass with or without compression.
Sadly, it looks like we do still really use libcutils for some of the
socket functions.
Test: treehugger
Change-Id: Ic71f97507c89b10d2f3b7a2971064a9e6b1d349d
A future early-boot daemon (on-device signing) needs to access
/data/misc before fs-verity keys are locked. Therefore, move the
restorecon of /data up a bit, to make sure the labels are correct. To be
safe, only run it after init_user0, since that function is responsible
for loading DE keys.
Also move early boot keys and fs-verity key locking a bit later, since
the on-device signing daemon needs to use both of these, but it also
needs the restorecon to function correctly.
Bug: 174740982
Test: manual
Change-Id: I9b6e44d9b547d420e1c6ba01fb3d3accc0625e20
This fix is to keep the dm line in the status file and let
UnmapImageDevice clean up correctly.
Bug: 171861574
Test: execute the following command on a device with an SD card inserted
    adb shell am start-activity \
        -n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
        -a android.os.image.action.START_INSTALL \
        -d file:///storage/emulated/0/Download/system.raw.gz \
        --el KEY_SYSTEM_SIZE $(du -b system.raw|cut -f1) \
        --el KEY_USERDATA_SIZE 4294967296
Change-Id: Ia56f8f724f04e7e20586e088c89b62a1068766e4
To support input device lights manager feature in frameworks, provide
sysfs node access to system server process.
Bug: 161633625
Test: atest LightsManagerTest, atest InputDeviceLightsManagerTest
Change-Id: Ic823539e9dd616b6ca4ae803756746e0f5349ec1
The sector count can decrease as the merge progresses, so we only care
that the sector count is less than or equal to the device size.
Bug: N/A
Test: reboot during VABC merge
Change-Id: I1da956456ea28ca0fdfbf9373848987c9f71ff68
This bit was getting lost because InitiateMerge() did not save the
compression bit when overwriting the update state.
Bug: N/A
Test: vts_libsnapshot_test
Test: reboot during merge phase of VABC OTA
Change-Id: I1a2219b501088de352a9c31d4b8b1a3f72d0e159
The pvmfw partition holds the protected VM firmware that is used by
Protected KVM to bootstrap the trust in protected VMs. Teach fastboot
about the partition so it gets flashed with flashall.
pvmfw is an AVB chained partition so is marked as BootCritical to allow
ABL's AVB verification to pass.
Test: tab complete and flashall
Bug: 171280178
Change-Id: Ie4cc478de25a945bc510488d87c2bee3aa5031f2
* changes:
  trusty: Add simple fuzzer for keymaster TA
  trusty: Increase limit on coverage counters
  trusty: Write out sancov file when fuzzer exits
  trusty: Switch to dmabuf for coverage shared memory
Adds a simple libfuzzer-based coverage guided fuzzer for keymaster.
Current coverage is low, so we'll need to improve this with an initial
corpus or a more sophisticated protocol aware fuzzer.
Bug: 175918322
Test: make trusty_keymaster_fuzzer
Test: adb shell /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Change-Id: Iad1713e1a73cc5a6a3ec742cc433d1337aca9bc3
Keymaster has more than 4096 counters, so we need to allocate a larger
section for the libfuzzer extra counters. Increases the size of the
extra counters section to 16384.
Bug: 171750250
Test: atest libtrusty_coverage_test
Change-Id: Iaee2c74b6d0c7ae8a2e5a30525759f89f825a091
Add emission of sancov file when CoverageRecord is destroyed. This
will occur when a fuzzer driver exits cleanly, i.e. -runs=0 with an
existing corpus.
Test: make trusty_gatekeeper_fuzzer
Test: adb shell ./trusty_gatekeeper_fuzzer -runs=0 corpus
Bug: 175221942
Change-Id: I6bd1c8b2f2091e894c35f7a4874b54577a91c8fc
Trusty shared memory now uses dmabuf instead of memfd. Switch the
coverage buffer allocation to use libdmabufheap.
Test: atest libtrusty_coverage_test
Bug: None
Change-Id: I067dd0774d19b42380ce5cb8ceb3541fa77ef9f0