Commit graph

1651 commits

Author SHA1 Message Date
David Anderson
734047a231 libfiemap: Add a way to get the block device path of a mapped image.
This is needed for adb remount, to find the scratch device if it is
already mapped. Note that on devices without metadata encryption, this
cannot be done by querying device-mapper, since scratch will be a loop
device.

Bug: 134949511
Test: fiemap_image_test
Change-Id: Ia25d279c6f8a4838be32a8c01aefc67b5ec1e002
2019-12-20 16:41:35 -08:00
David Anderson
f41c7bbb96 libfiemap: Add helpers to remove images from recovery.
ImageManager can map images in recovery, but not delete them, because
/data is not mounted. libsnapshot handles this by storing extra state
files, but this is complex to manage and inconvenient for
fs_mgr_overlayfs.

Instead, this patch introduces two new calls:

 - DisableImage(), which indicates the image should not be used. This is
   implemented by adding a new DISABLED attribute to
   LpPartitionMetadata. CreateLogicalPartitions ignores this flag, and
   thus recovery/fastbootd can disable the scratch partition and
   communicate that it can be deleted. This cannot be called from binder
   since it is intended for recovery/first-stage init only.

 - RemoveDisabledImages(), which walks the images for a given folder on
   /metadata and deletes any that are disabled. This can be called from
   binder.

Note that there is no metadata version bump for this flag. It's
considered to be included in the flag list for minor version 1, and
currently is not used for the actual super partition.

Bug: 134949511
Test: adb remount, fastboot flash system
Test: fiemap_image_test
Change-Id: Iaeca2d1eddb5637dd9a20202cafd11ae60b4d0e3
2019-12-20 16:41:35 -08:00
David Anderson
43482de3f9 fs_mgr: Move libfiemap into libfs_mgr, and introduce libfs_mgr_binder.
This eliminates libfiemap as a standalone library and instead bundles it
into libfs_mgr. All consumers of libfiemap need libfs_mgr, and having
them tightly coupled reduces linkage complexity.

When to use libfs_mgr: In recovery, first-stage-init, or when libfiemap
or overlayfs is not used.

When to use libfs_mgr_binder: When not in recovery/first-stage init, and
overlayfs or libfiemap is needed. In this case, IImageManager will proxy
over binder to gsid.

Bug: 134949511
Test: builds, fiemap_writer/image_test passes.
Change-Id: I4c1a5698afdbf9b3bf87accec98254c1fb6f4e0e
2019-12-20 16:41:34 -08:00
Yifan Hong
18c6248ffe Merge changes from topic "wait_for_merge"
* changes:
  libsnapshot: add WaitForMerge
  libsnapshot: SnapshotUpdateTest::AddOperation
  libsnapshot: add GetCurrentSlot
2019-12-17 23:01:59 +00:00
David Anderson
1526a46e92 Merge "fs_mgr: Move libfiemap back to fs_mgr from system/gsid." 2019-12-17 17:32:09 +00:00
David Anderson
4fe398018b fs_mgr: Move libfiemap back to fs_mgr from system/gsid.
Bug: 134949511
Test: builds
Change-Id: I07943acce5d4671975afef6d8da1bdbeef43c39d
2019-12-16 20:10:26 -08:00
Nikita Ioffe
0dda423dd0 Unmount bind-mounts on top of /data before unmounting /data
Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Bug: 135984674
Bug: 143970043
Change-Id: Icd7f3ad1c42d9b21bf4eacf1dec60355c9883254
2019-12-16 23:22:55 +00:00
David Anderson
18bb214b3f Merge "liblp: Expand the metadata header for future use." 2019-12-16 17:31:57 +00:00
Yifan Hong
1af515b57c libsnapshot: add WaitForMerge
Add an API that does not initiate the merge, but only waits for it to
finish. It is different from ProcessUpdateState API in that it also
blocks when state == UNVERIFIED and booting from the new slot.
(ProcessUpdateState immediately returns in this case).

This is useful for android.os.UpdateEngine.CleanupSuccessfulUpdate().
Bug: 138808328
Test: libsnapshot_test

Change-Id: I7cc59fcaf69616e7ec7ebe6101991b5106845b65
2019-12-13 19:52:31 -08:00
Yifan Hong
c810f1091a libsnapshot: SnapshotUpdateTest::AddOperation
Reusable test code.
Test: libsnapshot_test

Change-Id: I00a1a460d84c01b0dbd24b668293df87962e8b00
2019-12-13 19:52:31 -08:00
Yifan Hong
c64cefc027 libsnapshot: add GetCurrentSlot
Factor out obscure logic that reads boot indicator path.
GetCurrentSlot() returns three states:
- None (read failure)
- Old (before reboot)
- New (after reboot)
Use these "logical" slot values for simpler code.

Test: libsnapshot_test
Change-Id: I1fa2ce4916c5a1652d25682ec1f11e101c858822
2019-12-13 19:52:31 -08:00
Treehugger Robot
babc293140 Merge "libsnapshot: sanity check overflow bit at the end of update" 2019-12-14 03:05:19 +00:00
David Anderson
9f75098c60 liblp: Expand the metadata header for future use.
A few times we have wanted to stash small bits of information in the
super header, but we haven't had any bits to do so. This patch addresses
future needs in two ways:

  1. A "flags" field has been added for miscellaneous bits that do not
     need a version bump.
  2. The header struct has been padded to 256 bytes to allow for future
     expansion without complicating the struct-parsing code.

This is the first time we've materially changed the format, so this
patch needs some extra explanation.

In all the places we rely on sizeof(LpMetadataHeader), we now need to
use the |header_size| field instead. To make newer versions of liblp
compatible with older headers, we read the minimum required header size
and fill in the extra bytes as needed. To make the validation and
reading logic more clear, it is now combined into a single function,
ReadMetdataHeader.

MetadataBuilder will still emit 1.0-compatible headers, to avoid
changing the on-disk format of existing devices. The new header will
only be emitted as-needed.

Bug: 134949511
Test: liblp_test gtest
      retrofit DAP device boots
      launch DAP device boots

Change-Id: I6221123768ff0057a73967ecb2ff9b006c17af88
2019-12-14 00:35:58 +00:00
David Anderson
2d79a4365e remount: Remove fs_mgr_overlayfs_scratch_device()
This is no longer needed now that GetScratchDevice exists. The cache can
go away too, since it only existed to avoid libdm spam. The spam is
avoided by checking GetState before calling GetDmDevicePathByName.

Bug: 134949511
Test: adb remount and adb_remount_test.sh
Change-Id: I9d94e2523af9de394a811d0b398fe20415708a6b
2019-12-12 14:13:40 -08:00
David Anderson
43d9f1833f remount: Refactor fs_mgr_overlayfs_teardown
This pulls code for mapping the scratch device into a separate function.
It also avoids implicitly failing by passing an empty device string.
Finally, it calls GetScratchDevice, to remove a caller of the deprecated
method fs_mgr_overlayfs_scratch_device().

Bug: 134949511
Test: adb remount and adb_remount_test.sh
Change-Id: If4a543d3fa26af3f8578ec8b236859c8e4d9bfd8
2019-12-12 14:13:40 -08:00
David Anderson
a3bf8478a3 remount: Do not run the create-scratch logic on older devices.
The prologue of fs_mgr_overlayfs_create_scratch() will implicitly
succeed on physical block devices, and implicitly fail if for some
reason they can't be accessed.

This patch makes the success and failure cases explicit. The logic
specific to DAP has been moved to CreateDynamicScratch.

fs_mgr_overlayfs_create_scratch now calls GetScratchStrategy, and only
calls CreateDynamicScratch for DAP-launch devices. In the case a
physical block device can be used, no action is taken.

Bug: 134949511
Test: adb remount and adb_remount_test.sh
Change-Id: I0af7cda9bc551416c9e2ffca5a36305f89d3bf46
2019-12-12 14:13:39 -08:00
David Anderson
864021fbf6 remount: Refactor fs_mgr_overlayfs_scratch_device().
This splits fs_mgr_overlayfs_scratch_device into two new methods. The
first, GetScratchStrategy, returns an enum detailing exactly how the
device will find space for scratch:
 - via system_<other>,
 - via super_<other>, or
 - via a dynamic partition.

The second method, GetScratchDevice, uses the strategy to either return
the underlying block device, or look up a dynamic partition.

fs_mgr_overlayfs_scratch_device will be removed completely in a separate
patch.

Bug: 134949511
Test: adb remount and adb_remount_test.sh
Change-Id: Ic7e3815ada4adaf5fd7c19b84dc22249f3dcc881
2019-12-12 03:06:21 +00:00
Treehugger Robot
1ef36b7491 Merge "Using a dir /avb for DSU avb keys" 2019-12-11 23:56:09 +00:00
David Anderson
ce8ab2b546 Merge "remount: Factor some code out of fs_mgr_overlayfs_mount_all()." 2019-12-11 22:27:38 +00:00
David Anderson
cd720dc313 remount: Factor some code out of fs_mgr_overlayfs_mount_all().
To ease on the indentation, this factors the innermost code of
overlayfs_mountall() into a new TryMountScratch() function.

Bug: 134949511
Test: adb remount
Change-Id: I894cbcd17bb6bd64751f235a074fa5ba7ce5157c
2019-12-11 14:26:06 -08:00
Nikita Ioffe
da776c394d Merge "userdata_checkpoint_remount: delete all devices in dm-stack under /data" 2019-12-11 18:40:21 +00:00
Bowgo Tsai
a2ac846ff3 Using a dir /avb for DSU avb keys
Previously the AVB public keys for DSU are hard coded for each key path.
This adds the burden for maintaining the codebase, e.g., need to change
avb_keys each time when any new key is added or some old key is deleted.

With commit Ie74845d8c8e4aa45e8a9e3b862424cec641f8090, it's possible to
load avb keys from a directory. Let's use "/avb" for DSU AVB keys.

Also removing fstab entries that specify vbmeta_partition. The AVB
keys used in DSU flow should be a separate set from the original
vbmeta.img (or vbmeta_system.img).

The following link has more info about DSU:
  https://developer.android.com/topic/dsu

Bug: 141284191
Bug: 144399552
Test: boot a GSI via DSU

Change-Id: I6bc1e068368e64cb0bbf6ef63805444b35a1fdfb
2019-12-11 09:00:46 +00:00
Treehugger Robot
9af7878ec5 Merge "Allowing the fs_mgr flag of avb_keys to be a dir" 2019-12-11 04:26:57 +00:00
Nikita Ioffe
d572c80ace userdata_checkpoint_remount: delete all devices in dm-stack under /data
This enables unmounting + remounting of metadata encrypted ext4
userdata. Also added a sysprop to force unmount+remount logic even for
f2fs userdata which comes in handy for testing, since we don't have
metadata encrypted ext4 devices to test on.

Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Test: adb shell dumpsys activity
Bug: 135984674
Bug: 143970043
Change-Id: Icc30f5c99f4d9ee374352610ae17b5d9814f815b
2019-12-10 16:03:45 +00:00
Yifan Hong
a16f2c81a8 libsnapshot: sanity check overflow bit at the end of update
Make sure CoW device doesn't overflow. Otherwise, data previously
written to snapshot device may be overwritten.

This check acts as a safety guard to bugs like b/145180464, where
the computed CoW device size is less than required, but cannot be
caught by FilesystemVerifierAction in update_engine.

Note that this is a sanity check. It doesn't prevent the following:
(1) write a snapshot until it overflows
(2) unmap and re-map the snapshot
(3) Call FinishedSnapshotWrites()

When a snapshot is re-mapped, DeviceMapper::GetTableStatus() won't
return "Overflow".

However, update_engine always writes the full hashtree / FEC / etc.
data (outside of |PartitionUpdate.operations|), calls
FinishedSnapshotWrites(), and then writes the checkpoint. If the process
is interrupted, update_engine does the full FilesystemVerifierAction
from the beginning. Snapshots aren't remapped during the process. Hence,
the hypothetical case above won't happen in reality (at time of writing)
until FilesystemVerifierAction is broken down into steps with
checkpoints.

Still, given the above hypothetical case, this function only serves
as a sanity check.

FinishedSnapshotWrites() now requires all snapshots to be mapped before
calling. Hence, tests need to be fixed:
- For SnapshotTest (that tests SnapshotManager private APIs), map
  snapshot before calling FinishedSnapshotWrites().
- Factor out common code in SnapshotTest (PrepareOneSnapshot and
  SimulateReboot)
- For SnapshotUpdateTest and children, add MapUpdateSnapshots() helper
  and map all snapshots before calling FinishedSnapshotWrites().

Test: libsnapshot_test
Bug: 145180464

Change-Id: I3558dd1615059ba27f369c27af22e3c686e392f7
2019-12-09 16:06:03 -08:00
Bowgo Tsai
acaa95dc44 Allowing the fs_mgr flag of avb_keys to be a dir
Hard coding multiple keys in the avb_keys flag isn't flexible and
causes some pains when upgrading an Android codebase.
e.g., from Android 10 to Android 11.

This CL supports specifying a directory for the avb_keys
for fs_mgr to list then use the avb keys under the directory.

Bug: 144399552
Test: config a fstab using avb_keys as a dir to boot
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: Ie74845d8c8e4aa45e8a9e3b862424cec641f8090
2019-12-09 14:29:52 +08:00
Yifan Hong
0daaa72b0f libsnapshot: add library for test helpers
Add libsnapshot_test_helpers for update engine tests
to properly set up depended modules.

Test: update_engine_unittests
Test: libsnapshot_test
Change-Id: Idd90a74cd6fb489f6ae14f44493b2288205c4a94
2019-12-06 17:42:40 -08:00
Nikita Ioffe
9fb63038f7 libdm: add an api to unwind dm stack
This API is an attempt to consolidate dm-stack unwinding logic
re-implemented in several different places (libfsmgr, libfstab,
libfiemap, etc.).

Test: libdm_test
Bug: 135984674
Change-Id: I9672d4c1e882824ef980667818d4c3aabcb82e1f
2019-12-06 22:10:45 +00:00
Nikita Ioffe
dde59c32ac Merge "libdm: add an overload of DeleteDevice accepting a timeout_ms" 2019-12-06 02:35:23 +00:00
Yifan Hong
ab0b17c081 Merge changes from topic "libsnapshot_write_atomic"
* changes:
  libsnapshot: write files atomically
  libsnapshot: lock on /metadata/ota
2019-12-05 20:13:21 +00:00
Nikita Ioffe
2c28919d48 libdm: add an overload of DeleteDevice accepting a timeout_ms
In some scenarios (e.g. apexd or userspace reboot), dm-devices are
getting deleted and re-created. Since this operation can be racy (newly
created device can get the same path as the previously deleted one,
resulting in the unexpected ENOENT errors on a system call to the path),
it will be nice to have an API that blocks until ueventd processes
corresponding udev events.

Test: libdm_test
Bug: 143970043
Bug: 122059364
Change-Id: I31a19afd9e245bf5e3554011bdde1c3cc4878f1c
2019-12-05 10:37:47 +00:00
Yifan Hong
55974f1425 libsnapshot: write files atomically
... by writing to a temporary file then rename()'ing it
back.

Test: libsnapshot_test
Bug: 144549076
Change-Id: Ide400aff8d67d56d422d0adea3a4f1673ebc9994
2019-12-04 14:49:47 -08:00
Yifan Hong
b6663cfb5a libsnapshot: lock on /metadata/ota
We used to flock() on /metadata/ota/state to ensure
atomic access. However, writing the file itself is
not necessarily atomic and may lead to inconsistent
states.

This change redirects flock() to the outer directory, /metadata/ota,
which is very likely to exist (see exception below).
flock() is called on this directory instead of /state. This allows
a follow-up change to turn all writes to the /metadata partition
atomic.

Note: /metadata/ota may not exist during first boot after a flash
with wipe. However, first_stage_init always checks existence of
boot indicator before even trying to flock() (via
IsSnapshotManagerNeeded() and NeedSnapshotsInFirstStageMount()). If
the boot indicator exists, /metadata/ota must exist as well.

Also add tests to ensure LockExclusive() and LockShared() work as
expected.

Test: libsnapshot_test
Test: apply OTA from older build to this, then reboot

Bug: 144549076

Change-Id: Ib4dd9e9be1a43013c328e181b9398ac0b514dbce
2019-12-04 14:49:47 -08:00
Nikita Ioffe
9f71d6193a Merge "Add basic support for remounting ext4 userdata into checkpoint" 2019-12-04 19:22:50 +00:00
Treehugger Robot
fea51309dc Merge "libsnapshot: Call EnsureImageManager before RemoveAllImages" 2019-12-04 13:53:36 +00:00
Yifan Hong
e62591ec3b libsnapshot: Call EnsureImageManager before RemoveAllImages
Calls to RemoveAllImages may be on uninitialized
image manager.

Test: apply OTA to self

Change-Id: Id57c01ddfdb6985fb2c3c142ee19fd65eef6c131
2019-12-04 00:24:55 -08:00
Yifan Hong
51fb2a0855 Merge "libsnapshot: start in background" 2019-12-04 00:04:54 +00:00
Wei Wang
6db520807d libsnapshot: start in background
so that it won't block init starting other services on boot_completed.

Test: build
Bug: 145612906
Change-Id: I1ca325b9ef191c4689e925da2e797271ec9c7979
2019-12-03 13:27:05 -08:00
Yifan Hong
3a8001476d Merge changes I8c5ab552,If8546dea
* changes:
  libsnapshot: tests use common MapUpdateSnapshot/WriteSnapshotAndHash
  libsnapshot: Add test for accounting for hash tree
2019-12-03 19:44:51 +00:00
Yifan Hong
8b8ffbb2df Merge "SOURCE_COPY operation: implement src == dst" 2019-12-03 19:44:35 +00:00
David Anderson
710d6cc419 Merge "libsnapshot: Remove all image data and metadata when cancelling an update." 2019-12-03 00:36:56 +00:00
Alessio Balsini
ef2c39bd6b SOURCE_COPY operation: implement src == dst
Helper function to compare the source and destination extents of a
SOURCE_COPY InstallOperation.
The function returns true iff source and destination are identical with
the use of std::equal().

Bug: 141207436
Test: build
Change-Id: I146aeba1c8ede35f21cfef8e21d4af62274bda84
Signed-off-by: Alessio Balsini <balsini@google.com>
2019-12-02 14:58:17 -08:00
Yifan Hong
18a78959ab libsnapshot: tests use common MapUpdateSnapshot/WriteSnapshotAndHash
Factor out duplicated code.
Test: run it

Change-Id: I8c5ab552b97837b0e37cada6263eeda23f7f71b4
2019-12-02 13:59:48 -08:00
Yifan Hong
defcbb4b7f libsnapshot: Add test for accounting for hash tree
Test: libsnapshot_Test
Bug: 145180464
Change-Id: If8546dea89fdd7ec7499522a232a777699c52d82
2019-12-02 13:59:48 -08:00
Alessio Balsini
33836a6061 PartitionCowCreator accounts for extra extents
dm-verity and error correction use part of the partitions using these
features to store their data.  Their data may be modified during an
update, so the COW device for the dm-snapshot must reserve some extra
space for them.
This patch extends the PartitionCowCreator data structure with the
extra_extents field that will store the (optional) additional extents,
e.g., the hash table extent for dm-verity or the error correction
extent.

Test: incremental OTA apply
Test: libsnapshot_test
Bug: 145180464
Change-Id: I387a6cc8438507ad41a85cc3400241ecaf627b8f
Signed-off-by: Alessio Balsini <balsini@google.com>
2019-12-02 12:49:38 -08:00
Nikita Ioffe
bee7b8c811 Add basic support for remounting ext4 userdata into checkpoint
Metadata encrypted ext4 userdata and v2 encryption keys will be
supported in follow up CLs.

Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Bug: 135984674
Bug: 143970043
Change-Id: I8dbf3bddd811cf54d3f2b2ee2c1ea64159d8c6e0
2019-12-02 11:59:51 +00:00
Bowgo Tsai
110988d57a Adding require_root for libfs_avb_device_test
The test requires to load and verify vbmeta struct from partitions,
and thus needs adb root.

Bug: None
Test: atest libfs_avb_device_test
Change-Id: I4924d6e41edc78898d9ef9c3d7f52c9066f750b1
2019-12-02 15:07:58 +08:00
Yifan Hong
834e4751e6 Merge "libsnapshot: Fix test UpdateBootControlHal" 2019-11-27 21:04:39 +00:00
Yifan Hong
217e10e3d4 Merge changes Ifc76203e,I194d15cf
* changes:
  libsnapshot: Fix DataWipeRollbackInRecovery test
  libsnapshot: Fix test MergeInRecovery
2019-11-27 18:43:16 +00:00
Yifan Hong
4711b3238e Merge "libsnapshot: Check for snapshot status none" 2019-11-27 18:42:58 +00:00