This method was designed for a single-super model, and now needs to
change to accomodate two super partitions (system_a and system_b, for
retrofitting).
NewForUpdate is supposed to transition metadata from one block device
to the next for updates. For normal devices this is a no-op, since
metadata only exists on one partition (super). For retrofit devices,
metadata exists on system_a and system_b. This has two implications.
First, any references to the source slot must be rewritten. For example
"vendor_b" must become "vendor_a". However this is not true of partition
names. Partitions/extents are cleared in the updated metadata since they
no longer have any meaning (the block device list has been
rewritten). We also clear groups since they are re-added during OTA.
The reason we have to do this rewriting is that slot suffixes are
automatically applied in ReadMetadata. We do not have access to the
original unsuffixed metadata that was written by the initial OTA.
This was a conscious design decision, since it localizes retrofitting
idiosyncracies to just a few places (ReadMetadata, NewForUpdate, and
fastbootd), minimizing the number of external callers that have to
understand auto-slot-suffixing.
It would be arguably cleaner if retrofit metadata was always serialized
*without* slot suffixes, thereby making NewForUpdate a no-op. However
this would necessitate changes to the API elsewhere. The functions that
read partition names would have to take a slot suffix, and this would
further complicate MetadataBuilder and fastbootd. Another solution would
be to augment LpMetadata to retain unsuffixed information, but this is
probably not worthwhile given that retrofitting is intended to be
surgical, and will have a shorter lifespan than the non-retrofit case.
Bug: 116802789
Test: liblp_test gtest
Change-Id: I33596d92b38c47bc70bc0aa37ed04f6f0b9d4b6f
Retrofit devices will have two super partitions, spanning the A and B
slots separately. By design an OTA will never cause "A" or "B"
partitions to be assigned to the wrong super. However, the same is not
true of fastbootd, where it is possible to flash the inactive slot. We
do not want, for example, logical "system_a" flashing to super_b.
When interacting with partitions, fastbootd now extracts the slot suffix
from a GetSuperSlotSuffix() helper. On retrofit devices, if the partition
name has a slot, that slot will override FastbootDevice::GetCurrentSlot.
This forces partitions in the inactive slot to be assigned to the correct
super.
There are two consequences of this. First, partitions with no slot
suffix will default to the current slot. That means it is possible to
wind up with two "scratch" partitions, if "adb remount" is used on both
the "A" and "B" slots. However, only the active slot's "scratch" will be
visible to the user (either through adb or fastboot).
Second, if one slot does not have dynamic partitions, flashing will
default to fixed partitions. For example, if the A slot is logical and B
is not, flashing "system_a" will be logical and "system_b" will be
fixed. This works no matter which slot is active. We do not try to
upgrade the inactive slot to dynamic partitions.
Bug: 116802789
Test: fastboot set_active a
fastboot flashall # dynamic partitions
fastboot getvar is-logical:system_a # true
fastboot getvar is-logical:system_b # false
fastboot set_active b
fastboot flashall --skip-secondary
fastboot getvar is-logical:system_a # true
fastboot getvar is-logical:system_b # true
Booting both slots works.
Change-Id: Ib3c91944aaee1a96b2f5ad69c90e215bd6c5a2e8
On retrofit devices, it is easy to accidentally overwrite
system/vendor/product by flashing system in the bootloader. The reason
is that GPT system_a is really the super partition, and the bootloader
doesn't know it.
Addressing this in bootloaders would require two separate commands: one
that rejects flashing system/vendor/product, and another for
expert/factory use that would allow direct flashing.
This patch introduces protection into the host fastboot tool instead.
It's not mutually exclusive with bootloader changes; having protection
in the host tool affords us better and consistent UI. However it does
rely on users having newer builds.
With this change, the following will not work in the bootloader:
fastboot flash system # or vendor, product, etc
The message is the same whether or not the device is a retrofit. To
continue anyway, you can do:
fastboot flash --force system
If we decide on bootloader protection as well, the --force flag can be
re-used.
Bug: 119689480
Test: fastboot flash system # disallowed in bootloader, allowed in fastbootd
fastboot flash --force system # allowed in bootloader
Change-Id: I0861e3f28a15be925886d5c30c7ebd4b20c477cf
This is needed for update_engine to properly clean old partitions on
retrofit devices.
Bug: 119687874
Test: liblp_test gtest
Change-Id: Ida9483ad3c127e357f45789540ebbedc9d3d3883
lpmake should be using the intermediates directory for temporary work
rather than /tmp. Add ability to respect TMPDIR environment as
inherited from TemporaryFile.
Bug: 119313545
Test: manual test
Change-Id: I1a0317538875ee37fb4066602ff7a75e4658d74b
This adds a new MetadataBuilder constructor, NewForUpdate, that can be
used by update_engine to simplify upgrading metadata. It is safe to call
whether or not the device is a retrofit. If the metadata has block
devices assigned to a specific slot, and that slot matches the slot
suffix, it will ensure that an equivalent entry exists for the alternate
slot.
Thus, if the source slot is _a and the target slot is _b, and the
metadata has "system_a" as a block device but not "system_b", this will
automatically add "system_b" as a block device.
Bug: 116802789
Test: liblp_test gtest
Change-Id: Ie89d4dbf4c708b5705e658220227ebf33fcb1930
These broke after recent changes to use IPartitionOpener in more places.
The io_tests must now give block device info to TestPartitionOpener.
Bug: N/A
Test: liblp_test gtest
Change-Id: I0a6505c7223e74507dc13184069fdc34bb6b81e4
On retrofit devices, we need images that can be flashed in the
bootloader for the component "super"partitions. This change rewrites
SparseBuilder so that it generates one sparse image per block device,
and now handles partitions that span across multiple block devices.
A new API function has been added to write the set of sparse images to
an output folder.
Bug: 118887112
Test: manual test, flash split images
Change-Id: Iff56efdcb7bdfd5bc8dd7ff44e8234e091ac2346
On retrofit devices, an OTA package or super_empty.img won't know which
slot it applies to. This is not an issue on devices shipping with
dynamic partitions, since they ship on the "a" slot.
To work around this, partitions and block devices can be flagged as
"auto-slot-suffixed". This indicates that ReadMetadata should
automatically append a slot suffix before returning the metadata. This
flag is added by MetadataBuilder when requested, and will be enabled via
lpmake separately.
After ReadMetadata has applied slot suffixes, it takes care to remove
the slot-suffix flag. This prevents the suffix from being applied twice,
if for example the metadata is then imported into a MetadataBuilder.
Bug: 116802789
Test: liblp_test gtest
retrofit device boots
Change-Id: Ic7de06d31253a8d5b8d15c0d936175ca2939f857
This patch adds a new variable, "super-partition-name", to query the
name of the super partition (with a slot suffix if it has one). The
fastboot flashing tool has been updated to query this variable.
Since the super partition name can no longer be determined without
fastbootd, the presence of super_empty.img is used to test for
dynamic partition support rather than the presence of a super partition.
Bug: 116802789
Test: fastboot flashall on retrofit device
Change-Id: If830768eba6de7f31ac3183c64167fae973c77a4
When updating the super partition, attempt to preserve partitions from
the other slot. If any partition can't be preserved, fail and require a
wipe (-w) to proceed. This allows two bootable builds to be flashed to
both slots.
The preserve operation can fail if the metadata is not compatible with
the old partition layout. For example, if the partition references a
group that no longer exists, or a group changed its capacity, or the
metadata's block device list or list contents changed.
Bug: N/A
Test: liblp_test gtest
fastboot flashall --skip-secondary
Change-Id: I53fdd29bc1f0ef132005a93d3cf1cdcd7f2fc05f
This patch adds another uevent-regeneration pass to the first stage
mount. When the super partition spans multiple block devices, we need
/dev/block/by-name symlinks to have been created before we begin mapping
dynamic partitions.
Bug: 116802789
Test: retrofit device boots
Change-Id: I00bb277e1d81385a457c5b4205a95d8fbe365bb2
Although metadata is only stored on the first block device, we ideally
want to validate all the block devices before flashing. This patch does
that and in the process converts ValidateAndSerializeMetadata to use
IPartitionOpener.
Bug: 116802789
Test: manual test
liblp_test gtest
Change-Id: I3f24cfc6f5607309dc3cded0423326c5ba293d26
This patch allows the block device table in LpMetadataHeader to contain
additional partitions. MetadataBuilder can now resize partitions such
that are allocated across block devices as needed, however, it attempts
to minimize this by grouping free regions by device.
Bug: 116802789
Test: liblp_test gtests
device with super partition flashes and boots
Change-Id: I9cf74c8925faf154703eeba2a26546a152efcaa2
This change introduces an IPartitionOpener abstraction. Methods that
interact with live metadata, such as ReadMetadata, UpdatePartitionTable,
and FlashPartitionTable, now require an IPartitionOpener object. Its
purpose is dependency injection: it will make these methods much easier
to test when the super partition spans multiple block devices.
All non-test consumers should be using PartitionOpener, and as such,
some helper methods have been added that automatically create one.
Bug: 116802789
Test: liblp_test gtest
device with super partition boots
Change-Id: I76725a5830ef643c5007c152c00ccaad8085151f
This patch removes the alignment, block device size, and starting sector
fields from LpGeometry into a new LpMetadataBlockDevice struct. The
metadata now contains a table of these structs, and the table will have
exactly one entry representing the super partition.
This refactoring will make it easier to have logical partitions span
multiple physical partitions. When that happens, the table will be
allowed to have more than one entry, and the first entry of the table
will be considered the "root" of the super partition.
Bug: 116802789
Test: liblp_test gtest
device with logical partitions flashes and boots
Change-Id: I97f23beac0363182cb6ae78ba2595860950afcf0
These will help update_engine clear the target slot before applying an OTA.
Bug: 117182932
Test: liblp_test gtest
Change-Id: I6ad370e617f22f2098245a0028a93488f9ac8674
In preparation for supporting multiple block devices, this factors out
the free-list calculation for resizing partitions.
Additionally, it fixes a bug where space in between the first usable
sector and the first extent wasn't added to the free list.
Bug: 116802789
Test: liblp_test gtest
Change-Id: I965760eef0176020e9a5691ce1be2c8b5e0c8bc8
Align the first usable sector to the logical block size, if no other
alignment was specified. This fixes a bunch of warnings during certain
gtests (ones with unaligned metadata sizes). The warnings were coming
from MetadataBuilder::GrowPartition() which expects the first sector
to always be block-aligned.
Bug: 116802789
Test: liblp_test gtest
Change-Id: I8dcf502aa4c2ba0674c5b4dcb77a274f300ff0a3
Traditionally the first 512 bytes of a partition can be interpreted as
an MBR. To prevent any compatibility issues, we explicitly zero the
first 4096 bytes of the super partition (one logical block, on most
systems).
Bug: 116802789
Test: liblp_test gtest
device with super partition flashes and boots
Change-Id: I29688ca75dbb52442f1464e8ab35893678a4f79e
The group_indices variable was intended to facilitate this, but I forgot
to actually use it.
Bug: 116817738
Test: lpmake, lpdump super_empty.img
Change-Id: Ia0da50b56b6c09e277324ec9d7aea6ce48fdc10a
Now that backup metadata is stored at the start of the super partition,
this field is no longer needed. In actuality, it was not needed even
before then: both it and first_logical_sector exist for convenience,
since they can be re-derived at any time given an LpMetadataGeometry.
Bug: 116802789
Test: liblp_test gtest
device with dynamic partitions flashes and boots
Change-Id: I259a443097e689a0a9db7f822bbf1a52d40076dc
There's no reason to do this, since the fields are already in
LpMetadataGeometry. Removing this also simplifies multiple-block-device
support.
Bug: 116802789
Test: liblp_test gtest
Change-Id: Ib244a98fdd9d36c94a2dffd81bef68a1d5644ab9
Previously, metadata backups were stored at the end of the partition to
make them easy to locate. On older devices where the super partition
could span system/vendor partitions, we may want to leave the end of
each partition free to store an AVB footer. To allow this, we now store
geometry and metadata backups near the start of the partition instead.
They are still positioned at a fixed offset.
Bug: 116802789
Test: device boots after flashing new metadata
Change-Id: Ib173f251a4a13e290adcc4ac5cfbeb030eacda30
Note that this moves SparseBuilder into images.h, and splits
ReadLogicalPartitionGeometry into componenet methods for better
testability.
Bug: 116802789
Test: liblp_test gtest
Change-Id: Ib41a46b633c71623c136a10fcc8017e4de20884c
This patch introduces a new "groups" table in the super partition
metadata. Each entry denotes a named partition group with a maximum
size. All partitions now belong to a group, and the total size of
partitions in a group must not exceed its maximum size. This is enforced
by MetadataBuilder.
There is also a "default" group with no size restriction. This is used
for one-off partitions that aren't restricted by updates, for example,
the scratch partition for overlayfs, or partitions created through
fastbootd.
Bug: 116817738
Test: liblp gtest
Change-Id: I7049ffd35d326e41e25d01b1748cb53a584783a7
If a device has logical partitions but does not use a partition called
"super", we will need this to be configurable. Note that the "slot"
argument is currently unused, but will be necessary for update_engine if
there are A and B super partitions.
Bug: 116608795
Test: super partition works
Change-Id: Ieb548a158faeb423f3561230f26d582325efbc6b
MetadataBuilder::AllocatableSpace() represents the total space
available. Adding MetadataBuilder::UsedSpace() to represent the
space used by the existing set of partitions. This will allow a
caller to predict if a partition can be resized (Grown), or to
create a partition to use up the free space (i.e. scratch).
Test: gTest liblp.UseAllDiskSpace
Bug: 109821005
Change-Id: Iae487d869fe18310c76b48c4281f1d6c1ee333cd
Move test to verify we can't read unwritten metadata from
liblp.UpdateAnyMetadataSlot to liblp.CreateFakeDisk.
Test: gTest liblpg_test
Bug: 109821005
Change-Id: I4714c949e2b2d9de6444996a2af2992a821c4a85
