fstab_rec.fs_options might be nullptr when printing error message.
Use android::base::StringPrintf() to '(null)' when needed.
Bug: 37759782
Test: Boot device and manaully trigger the output
Change-Id: I1bdf4ba57331aaea9dd5e790f6bf9d9b8bdc8b53
AVB is going to support different modes to handle dm-verity errors.
See the following CL for more details:
- https://android-review.googlesource.com/#/c/392873/
The verity mode is controlled by bootloader through androidboot.veritymode in
kernel command line. fs_mgr should read the value from there and specify the
corresponding flag when loading dm-verity table into kernel.
Also removes some unused #include libraries.
Bug: 38157502
Test: Manually tested different dm verity modes:
- "restart_on_corruption" (androidboot.veritymode=enforcing)
- "ignore_corruption" (androidboot.veritymode=logging)
- None, default mode is EIO in kernel (androidboot.veritymode=eio)
Change-Id: I80e1e817a148b54fb67ba58112d376dc2cf37c98
In https://android-review.googlesource.com/#/c/392873/ we slightly
changed the libavb API. This CL updates fs_mgr to use the new API.
Bug: 38157502
Test: Manually tested.
Change-Id: Ia3371e11fcd81fcc1d147f030cd62af67943aad5
Current first stage mount for AVB requires specifying a common prefix of
by-name symlink for all AVB partitions. It limits all AVB partitions to be on
the same block device.
firmware {
android {
compatible = "android,firmware";
vbmeta {
compatible = "android,vbmeta";
parts = "vbmeta,boot,system,vendor";
by_name_prefix="/dev/block/platform/soc.0/f9824900.sdhci/by-name" <-- *removing this*
};
fstab {
compatible = "android,fstab";
vendor {
compatible = "android,vendor";
dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
type = "ext4";
mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
fsmgr_flags = "wait,avb";
};
};
};
};
For normal mount with AVB, it extracts the by-name prefix of /misc
partition and use it as the prefix for all other partitions:
- /dev/block/platform/soc.0/f9824900.sdhci/by-name/misc ->
- /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a
Fix this by adding an internal map in FsManagerAvbOps to record the mapping
from partition name to its by-name symlink:
ByNameSymlinkMap["vendor_a"] = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a"
Two overloaded factory methods are then provided for FsManagerAvbUniquePtr:
- FsManagerAvbUniquePtr Open(ByNameSymlinkMap&& by_name_symlink_map):
for first stage mount, where the by-name symlink map will be
constructed externally, from the uevents processed by init, before
invoking this factory method.
- FsManagerAvbUniquePtr Open(const fstab& fstab): for normal mount,
where the by-name symlink map will be constructed from the input fstab
internally.
Bug: 37552224
Test: first stage mount /vendor with vboot 1.0
Test: first stage mount /vendor with vboot 2.0 (AVB)
Test: normal mount /vendor with vboot 2.0 (AVB)
Change-Id: Id17e8566da87ea22b8923fcd6e47db8d45bc7d6a
Should set verity mode to VERITY_MODE_DEFAULT when
androidboot.veritymode=enforcing.
Bug: 38103331
Test: `adb shell getprop partition.system.verified` returns 2 when veritymode=enforcing
Test: `adb shell getprop partition.vendor.verified` returns 2 when veritymode=enforcing
Change-Id: I2f34eb6509f91989ce726e540cf2c0d353347ede
Current AVB flow in fs_mgr doesn't allow verification error even if the
device is unlocked. This makes first stage mount fail when the device
is flashed with a different-sized boot.img because there is verification
error (HASH_MISMATCH) for the boot partition.
Fix this by allowing verification error only when the device is
unlocked. Whether to enable dm-verity for HASHTREE partitions is still
controlled by the HASHTREE_DISABLED flag in the top-level vbmeta.
Bug: 37985430
Test: First stage mount /vendor with AVB on a device.
Check dm-verity is enabled on /vendor.
Test: Unlock device, flash a different-sized boot.img. Boot device and check
dm-verity is still enabled on /vendor.
Test: First stage mount /vendor with AVB on a device with HASHTREE_DISABLED
is set on the top-level vbmeta, check dm-verity is not enable on /vendor.
Change-Id: I709431bc1c37e4f86133d171cee8e90621cdb857
- It was using blk dev name from fstab and quota / super block check was always
failing for FDE
bug: 37913441
Test: reboot and confirm quota
Change-Id: I8a9e890ef2787f2959e6a0225c6b21d35602f19e
This ensures that future operations (e.g. function pointers in the
AvbOps struct) added to AvbOps are set to NULL.
Bug: 37709309
Test: Manually tested on UEFI-based bootloader.
Change-Id: If83ea57b7abad94e472768c594efa210e3351a4d
- Returns FS_MGR_MNTALL_FAIL for failure paths in fs_mgr_mount_all()
- Removes the 'goto out' in fs_mgr_do_mount() as there is nothing to do in
the 'out' label now. Also removes the "ret = FS_MGR_DOMNT_FAILED;" and
just return FS_MGR_DOMNT_FAILED directly for the default failure path.
- Changes some LERROR to PERROR
Test: Use fs_mgr_do_mount() to mount /system with AVB
Change-Id: I126a0124a5c9d61302f40ab9db16989500d9777e
In a A/B device, system partition is mounted by kernel as root.
In vboot 1.0, the dm device name of system partition is "system" with
the following configuration in kernel command line:
- dm="system none ro,0 1 android-verity /dev/sda34"
In AVB, the dm device name is switched to vroot as:
- dm="1 vroot none ro 1,0 5201456 verity 1 ..."
When sending ioctl DM_TABLE_STATUS to query status, we should use "vroot" as the
dm device name for AVB. But still pass "system" for the callback function to set
property [partition.system.verified] instead of [partition.vroot.verified].
Bug: 36900078
Test: Use AVB to mount system in a A/B device, checks the property exists
[partition.system.verified]
Test: Use vboot 1.0 to mount system in a A/B device, checks the property exists
[partition.system.verified]
Test: Checks 'adb remount' will output warning message:
- dm_verity is enabled on the system and vendor partitions.
- Use "adb disable-verity" to disable verity.
Change-Id: Iaee7eb2b00b03729bc07fa24f1b449488716d2ea
The new changes to slotselect() call makes it try to find the
"slot" config before trying "slot_suffix" and that causes fs_mgr to
print the needless error and spam the kernel logs for no reason.
Remove the print.
Test: Builds for sailfish
Change-Id: I020575d70f4cd6e137e82c127b5d5234d709d0e3
Signed-off-by: Sandeep Patil <sspatil@google.com>
- Do not use -f if it was cleanly shutdown.
- For unclean shutdown or other operation failures like
mount, tune2fs failure, run full check.
- Still old image will run full check once in 5 reboots
while new image will not run full check unless something
fails.
- Add retry for final mount. If mount fails once, run full fsck
once and try again.
bug: 32246772
bug: 35366616
Test: many reboots
Change-Id: I86949732ffe1955636ac179d553c91e52910f73e
- moved __android_log_is_debuggable to a new public header
(log_properties.h)
- vendor version of sched_policy uses ALOG* instead SLOG*
Test: (sanity) liblog-unit-tests
Test: (sanity) libcutils_test (noting b/b/32972117, two tests continue
to fail)
Test: system/core as a whole makes with BOARD_VNDK_VERSION := current
now with no problems.
Test: boots/works on internal marlin
Bug: 33241851
(cherry picked from commit 1f83aa424f)
Merged-In: I5bc1f348dc0f0c8814bec5b5c3d2c52c825ab640
Change-Id: I5bc1f348dc0f0c8814bec5b5c3d2c52c825ab640
Set ro.boot.avb_version to "AVB_VERSION_MAJOR.AVB_VERSION_MINOR".
During Treble OTA match, the major version must be the same as that in
the avb metadata on disk, while the minor version can be equal or
greater to that in the avb metadata on disk.
See how avb versioning work on the following link:
https://android-review.googlesource.com/#/c/342757/
Also renames AvbHashtreeDisabled() -> hashtree_disabled().
Bug: 35322304
Test: Early mount with AVB, checks [ro.boot.avb_version]: [1.0] exists.
Test: Not enable AVB, checks [ro.boot.avb_version] doesn't exists.
Change-Id: I5aaf476ca53c4fe817779518ba14b68ebcfdc6d6
fs_mgr_update_verity_state() is invoked by 'verity_update_state' in
init.rc. It will then set property "partition.system.verified" and
"partition.vendor.verified" to verify_mode. We should support this for
AVB as well.
Also change the order of static libs in init to fix the build error
after this change:
system/extras/ext4_utils/ext4_crypt.cpp:69: error: undefined reference to 'property_get'
Bug: 35416769
Test: Mount /system and /vendor with vboot 2.0 (AVB), check the following properties exist.
- [partition.system.verified]: [2]
- [partition.vendor.verified]: [2]
Test: Mount /system and /vendor with vboot 1.0, check the following properties exist.
- [partition.system.verified]: [0]
- [partition.vendor.verified]: [0]
Change-Id: I4328d66a8cb93f26e7960e620a0b2292d5f15900
- mount, e2fsck, tune2fs will all fail if magic number does not match.
- mismatch always happen for FDE and is wasting boot-up time to try
all and fail always.
- skip mount steps if it has invalid magic number and do not record
fs_stat either.
- For ext4 fs with corrupt superblock, e2fsck refuses to do anything if
superblock magic is invalid. So simply running e2fsck does not help
anyway.
bug: 36231950
Test: reboot ane check fs_mgr log from dmesg
Change-Id: I9ad9e0cd30fd074b3bbf8f450bd401b133d5771a
Several changes in this CL:
- Moves class FsManagerAvbHandle to public API
- Adds a parameter 'wait_for_verity_dev' for FsManagerAvbHandle::SetUpAvb()
to allow not to wait for verity device gets created
- Adds FsManagerAvbHandle::AvbHashtreeDisabled() to query whether AVB is disabled
- Adds fs_mgr_is_avb() to query whether a fstab_rec has MF_AVB flag
Bug: 33254008
Test: test AVB on bullhead
Change-Id: I89c43ca574ae632db8a700fc2590a1f80212c993
Adds two classes FsManagerAvbhandle and FsManagerAvbVerifier to replace the
following functions or struct:
- fs_mgr_load_vbmeta_images() -> FsManagerAvbhandle::Open()
- fs_mgr_unload_vbmeta_images() -> deleted
- fs_mgr_setup_avb() -> FsManagerAvbhandle::SetUpAvb()
- androidboot_vbmeta -> FsManagerAvbVerifier
- load_vbmeta_prop() -> FsManagerAvbVerifier::Create()
- verify_vbmeta_images() -> FsManagerAvbVerifier::VerifyVbmetaImages()
And only invokes FsManagerAvbhandle::Open() when there is a fstab entry having
'avb' flag (need HASHTREE descriptor). fs_mgr_is_avb_used() can be
removed as it only checks system property "ro.boot.vbmeta.hash_alg" to
decide whether vbmeta needs to be loaded, which might not be accurate.
For example, there are only HASH descriptors in the verified chain but
no HASHTREE descriptors. In this case, the fs_mgr doesn't have to do
anything because it only takes care of HASHTREE descriptors.
Also adds a new class FsManagerAvbOps to provide the C++ binding
FsManagerAvbOps::AvbSlotVerify() for libavb->avb_slot_verify().
Bug: 33254008
Test: test AVB on bullhead
Change-Id: I8fe15ba01c277152630a2a5c1c5c7f25fbf34030
The function returns "_a" or "_b" based on two possible values in
kernel cmdline:
- androidboot.slot = a or b OR
- androidboot.slot_suffix = _a or _b
Bug: 33254008
Bug: 36533366
Test: boot sailfish
Change-Id: Ia0a524e4145ebf61af5821f42ecad212c95ed748
- Old tool will set it to 10 while mke2fs will set it to -1.
- For now, only tag it.
- TODO: possibly add different policy per image tool version.
bug: 32246772
Test: check dmesg after reboot
Change-Id: Ib763f8ba64957412d2b02a9d6e3fc2bfcf55851e
fs_mgr_avb_ops->read_from_partition() relies on the by-name prefix to
get the device file when reading a partition. Previously we store the
fstab struct and use fs_mgr_get_entry_for_mount_point() for every read.
It's better to do that once and store the by-name prefix for later use.
Bug: 33254008
Test: test AVB on bullhead
Change-Id: Ie999851b529f984e29ccbf39fb52a8220056fe0c
get_hashtree_descriptor() currently restricts HASHTREE descriptor to be
either in /vbmeta or in the same partition for dm-verity setup.
Also allows it to be from /boot partition because the top-level vbmeta
might be appended at /boot in legacy devices without /vbmeta.
Bug: 35880930
Test: test AVB on bullhead with top-level vbmeta being at /boot
Change-Id: I1ebd16a3c9f17bced6055146e8843b5918a737eb
Currently there is no client requires fs_mgr_read_fstab_with_dt() so
remove this API. Devices with fstab entries in device tree should use
fs_mgr_read_fstab_default() to get default fstab, or just use
fs_mgr_read_fstab_dt() to get those in device tree.
Bug: 35811655
Test: normal boot sailfish
Test: run factory data reset in sailfish
Test: recovery boot sailfish
Test: adb sideload in sailfish
Change-Id: I1579d81cea7366cf3867cfe5ad56feb36cbb7246
fs_mgr might try to get a non-existing config through fs_mgr_get_boot_config()
on a device (e.g., for backward compatibility). Lower the log level to INFO
so it won't appear on the recovery screen.
Bug: 35811655
Test: recovery boot sailfish
Change-Id: I81497259aff3691740170abeef932d363b52be35
recovery boot: /etc/recovery.fstab
normal boot: use the first one found by the order:
/odm/etc/fstab.{hardware} ->
/vendor/etc/fstab.{hardware} ->
/fstab.{hardware}
Bug: 35811655
Bug: 36637553
Test: Sideload OTA installation in sailfish
Change-Id: I3e260e077afa5a37fb65246246c824e9379e68c8
fs_mgr_get_boot_config() returns true/false but the return value check
in current fs_mgr_avb is for 0/1. This was introduced during a refactoring.
Check true/false for the return value.
Bug: 33254008
Test: manual test AVB on bullhead
Change-Id: I72c366627214df4a99c4d9cf1eb577e94f7afb31
avb_ops->read_from_partition() should return
AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION if the requested partition does
not exist. Then libavb will try to load top-level vbmeta from /boot partition.
Two related changes in external/avb:
https://android-review.googlesource.com/#/c/344907/https://android-review.googlesource.com/#/c/348731/
Bug: 35880930
Test: test AVB on bullhead with top-level vbmeta being at /boot
Change-Id: I80355ba5ae4d29a6f102714cd2f7c2550b238f27
androidboot.slot_suffix is being deprecated for a androidboot.slot.
Bootloader must pass slot used to boot into the androidboot.slot which
does not include the '_' character
Test: boot android
Bug: 36533366
Change-Id: I6137bd08418f67a88120c8609eda10b2ada4607d
Signed-off-by: Fernando Lugo <flugo@google.com>
Right now all platforms supporting A/B have not fixed
androidboot.slot_suffix kernel command line parameter. To avoid breaking
all those platform allow using legacy support bootloaders get fixed.
Bug: 36533366
Test: boot
Change-Id: I0ad349f262d0b7f4897f3e184cb053b1440b2d5b
Signed-off-by: Fernando Lugo <flugo@google.com>
In the new A/B partition support suffixes don't have "_". So, fix fs_mgr
code that assumes it has "_"
Bug: 36533366
Test: boot
Change-Id: I0f528cf1e8fecacb1b4ae34f6dc42e18ebe777bb
Signed-off-by: Fernando Lugo <flugo@google.com>
Devices having no early mount enabled won't have fstab in device tree.
Lower the log level to INFO when fstab is absent there.
Bug: 35811655
Test: boot into recovery mode in a device without fstab in dt
Change-Id: I4b1e0e6554f50b8118770d00aa8f54be86aca858
mount_with_alternatives should set errno to match the 1st mount failure.
Bug: N/A
Test: run `fs_mgr -a <fake_fstab>` and check dmesg log
Change-Id: If4148d327f75c659b843e95f85568ea49c5d0180
Signed-off-by: NIEJuhu <niejuhu@xiaomi.com>
fstab contains device- and soc- specific content that should reside in
/odm or /vendor partition. This change searches the fstab.${ro.hardware}
file from /odm/etc, /vendor/etc and /, then use the first one found.
Bug: 35811655
Test: boot sailfish
Change-Id: I82f89b41a849faedb64072a7cfc52d7424e1aaa1
With the early mount support in init, fstab entries of verified partitions
(e.g., /system, /vendor) will be moved into device tree in kernel image.
Those early mount fstab entries will be removed from the fstab file to
prevent duplicated and/or inconsistent settings.
This change adds a new function: fs_mgr_read_fstab_with_dt(), to return
the combined results from both places. It also removes
fs_mgr_read_fstab_file() from the public APIs and makes it as an
internal function.
Bug: 35811655
Test: early mount /vendor with dm-verity on sailfish
Change-Id: I2fba3614685bf9f852a789cda6f53013e2164e60
- This is to collect data to understand if e2fsck -f option
can be dropped wholly based on information from fs.
- Ideally e2fsck should not fix fs if it was clean shutdown
or if it is not enabling quota.
- The log is added to /dev/fscklogs/log and other system components
can collect it later.
TODO: add mechanism to distinguish old vs new fs generation tool.
bug: 32246772
Test: reboot and check saved logs under different shutdown conditions (clean, non-clean)
Change-Id: Id00fad4c5f8ebbb9f9908164a1026e415df06721
To start Treble VTS test, a single AOSP system.img will be flashed onto
the device. The size of AOSP system.img might be different than the
system partition size on device, making locating verity metadata fail
(at the last fixed size of the partition).
This change allows disabling dm-verity on system partition when the
device is unlocked (orange device state) with invalid metadata.
BUG: 35603549
Test: Boot bullhead with a different-sized system.img, checks verity is
not enabled via:
"adb shell getprop | grep partition.system.verified"
Change-Id: Id89d023e82c78ff1902ab7a528431cf7f65e49ad
During early mount property area is not initialized, and as a result an
'eng' build will always incorrectly be detected as a 'secure' build by
early mount code path resulting into verity error and consequent boot
loop.
The change here makes sure the is_device_secure() check works with /
without properties based on the 'eng' build based build flag so the
early mount code works fine both ways.
Bug: 35791581
Bug: 27805372
Test: Boot sailfish-{eng,userdebug} builds successfully w/ early
mount enabled
Change-Id: Icd101ccad56b669f49b60bbb3005d5be9f53b02b
Signed-off-by: Sandeep Patil <sspatil@google.com>
If Device tree values are read for comparison, they produce false
negatives with std::strings due to trailing '\0'. This change
consolidates the triming of trailing null into a single helper function
to be used everywhere fs_mgr reads DT values for comparison or other
reasons where it wishes to have the trailing null trimmed.
b/27805372
Test: Boot sailfish w/ early mount /vendor
Change-Id: If71efc830dc440323df764c7461867e71ed6515b
Signed-off-by: Sandeep Patil <sspatil@google.com>
Fixes the compatible check in fs_mgr_boot_config by consolidating the
check in a single privately exported function within fs_mgr (i.e.
is_dt_compatible()).
b/27805372
Test: Boot sailfish w/ early mount
Change-Id: Ie2d1646b81cf9eba8d16828ca8cf2c75156c294c
Signed-off-by: Sandeep Patil <sspatil@google.com>
