Add more checking for fastboot to detect malformed
requests.
Such as checking no control characters in the command
send from host.
Make sure the download command length is eight bytes.
And report FAIL if download length is zero.
Test: adb reboot fastboot
fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid1
fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid2
fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid7
fuzzy_fastboot --gtest_filter=Fuzz.DownloadInvalid8
Bug: 212628476
Change-Id: I750174205377395b5328923fb00462d078f3310d
Allow caller to pass additional flags when opening a partition. Obsolete
usage of boolean read, and make previous callers use O_RDONLY instead.
Explicitly OR (O_EXCL | O_CLOEXEC | O_BINARY) to keep existing design
working as is.
Test: flash locally and reach home screen
Bug: 205151372
Signed-off-by: Konstantin Vyshetsky <vkon@google.com>
Change-Id: I48fbca459a17fcf0b0926ab339585e3bd8e31e35
Do not use the implicit cast from unique_fd to int so
that it is clearer to the reader what the ownership model
is.
Test: pass
Change-Id: I66563eb2bd06f6a712a5afd4c6009f9b25a55de6
The `fastboot fetch` command is a wrapper around
the fetch protocol. It:
- getvar max-fetch-size
- get the size of the partition
- read the data by chunks, chunk size = max-fetch-size.
The name of the partition is passed directly to the device
(with the usual has-slot magic for flashing etc.) If we support
fetching partitions other than vendor_boot in the future, no change
in the driver is needed.
Bug: 173654501
Test: manual
Change-Id: Ie576eea668234df236b096a372e65c5e91c1e48c
SnapshotManager::New() is now preferred in recovery. Previously we used
NewForFirstStageMount(), which is technically incorrect as that enables
code paths specifically for first-stage init.
We also explicitly label the snapuserd context, since rootfs in recovery
has unlabelled files.
Finally, we add a timeout to internal calls to
CreateSnapshotsAndLogicalPartitions. Without this, WaitForDevice() calls
will terminate immediately, which breaks VABC given the more complex
device stacking that is created.
Bug: 168258606
Test: fastboot snapshot-update merge
Change-Id: I3a663b95c0b1eabaf14e6fde409c6902653c3c5e
When Android userdata partition has been erased in fastbootd, call
oem specific API doOemSpecificErase() to wipe other userdata in
device.
If oem doesn't implement this specific API in fastboot_hal lib,
fastbootd will receive 'NOT_SUPPORTED' return status.
Bug: 169173873
Change-Id: I9b6a5a4aaed31d1168e633418b189f9bb6d34d01
When user input fastboot erase userdata, need a follow
up oem command to wipe other user data in device.
We support this new postwipedata command in
"fastboot erase userdata" only.
Bug: 150929955
Change-Id: I9b6a5a4aaed31d1168e633418b189f9bb6d34d01
Ignore-AOSP-First: I9b6a5a4aaed31d1168e633418b189f9bb6d34d01
When merging in recovery, the "imminent data wipe" code was used, which
made the assumption the /metadata and /data state would be zapped. This
caused future OTAs to error because the old snapshots were detected.
This CL allows OTAs to proceed even if unexpected snapshots are present.
It also forces the state to "MergeCompleted" after a merge in recovery,
so that the next normal boot can perform cleanup.
Bug: 155339165
Test: fastboot snapshot-update merge, then take another OTA
vts_libsnapshot_test
Change-Id: Ief6dea3ba76323044e61307272dda320a4494aea
Merged-In: Ief6dea3ba76323044e61307272dda320a4494aea
When merging in recovery, the "imminent data wipe" code was used, which
made the assumption the /metadata and /data state would be zapped. This
caused future OTAs to error because the old snapshots were detected.
This CL allows OTAs to proceed even if unexpected snapshots are present.
It also forces the state to "MergeCompleted" after a merge in recovery,
so that the next normal boot can perform cleanup.
Bug: 155339165
Test: fastboot snapshot-update merge, then take another OTA
vts_libsnapshot_test
Change-Id: Ief6dea3ba76323044e61307272dda320a4494aea
Using FastbootDevice::GetCurrentSlot to get the current slot suffix
instead of reading the same from the device's boot control HAL
is required to account for the prior set_active commands issued via
fastbootd in the same boot.
Test: fuzzy_fastboot
--gtest_filter=Conformance.Slots:Conformance.SetActive --gtest_repeat=10
Bug: 146589281
Change-Id: I2edb0f024d93c2483659623423ef5c69c717c7af
Merged-In: I2edb0f024d93c2483659623423ef5c69c717c7af
Using FastbootDevice::GetCurrentSlot to get the current slot suffix
instead of reading the same from the device's boot control HAL
is required to account for the prior set_active commands issued via
fastbootd in the same boot.
Test: fuzzy_fastboot
--gtest_filter=Conformance.Slots:Conformance.SetActive --gtest_repeat=10
Bug: 146589281
Change-Id: I2edb0f024d93c2483659623423ef5c69c717c7af
Exporting more properties that can be useful for image compatibility
check, prior to run fastboot flash.
Bug: 74445765
Bug: 144473561
Test: fastboot getvar <new variable>
Change-Id: I2ddfa2c1e9e719e05a3a64b9ca1d608957aebf11
fs_mgr_overlayfs needs access to /metadata to tell whether or not the
scratch partition exists on /data.
Bug: 134949511
Test: adb remount, fastboot flash system
Change-Id: I3a09aae495d691e9c1a1e25a8fb3514e355ecd05
CPU ABI info, e.g., arm64-v8a, can be useful to determine image
compatibility, prior to flash. Adding this info in fastbootd.
Bug: 74445765
Test: fastboot getvar cpu-abi # arm64-v8a
Change-Id: Ied494b646c551320295956b7890c0102fdb88382
When a snapshot is applied or is merging, requests to erase or flash
userdata, metadata, or misc must be protected. In addition, the
set_active command must be restricted when a merge is in progress.
In addition, introduce a "snapshot-update merge" command for assisting
with erase requests when a merge is in progress. As in recovery, this
will force a merge to complete.
Bug: 139154945
Test: apply update
fastboot erase userdata
fastboot erase metadata
fastboot erase misc
fastboot set_active
Change-Id: I152446464335c62c39ffb4cc6366be9de19eac30
This introduces two new commands to the fastboot protocol:
- getvar snapshot-update-status - Return "none", "snapshotted", or
"merging" depending on the current status set by the boot control
HAL.
- snapshot-update [cancel] - Cancel any pending snapshot-based updates
via the boot control HAL. After this, the HAL should return
MergeStatus::CANCELLED and "update-merge-status" should be "none".
If no argument is specified, the snapshot-update-status is returned
via an INFO response.
Bootloaders are expected to implement this in a manner consistent with
the boot control HAL.
Fastboot-based tooling should expect wipes of userdata to fail when
update-merge-status returns "merging". Thus, the force flag now cancel
any pending snapshots.
Bug: 139154945
Test: fastboot getvar snapshot-update-status
fastboot snapshot-update cancel
fastboot snapshot-update
Change-Id: Idc423fe7656b212e929e64eb0e6b85b453e0e8dc
When flashing or resizing partitions, remove the
LP_PARTITION_ATTR_UPDATED flag. This will cause first-stage init to skip
any snapshots for that partition, and the backing storage (if any)
will later be reclaimed.
Bug: 139155473
Test: manual test
Change-Id: I3b185f68dfecb5a93636af0b5ae289ead1363fd0
These tend to get manually, so let's promote to actual helpers.
Bug: 134536978
Test: liblp_test gtest
Change-Id: Ifb79c8d6f247cc3f9635bf6adfd1c99907340002
This command erroneously reports that no GSI is installed, because
/metadata is not mounted in recovery. To address this, temporarily mount
/metadata when the gsi command is invoked.
Bug: 122556707
Test: fastboot gsi disable
fastboot gsi wipe
Change-Id: Ib21971b49b46fd580b902ff75f01cfb96192afc0
Note: this only removes the bootable marker, since we're unable to
remove the userdata files within recovery.
Bug: 121210348
Test: fastboot gsi wipe
fastboot gsi disable
Change-Id: I64fe848c787d426ae9d18a1557a9d6b340bfc2cf
Retrofit devices will have two super partitions, spanning the A and B
slots separately. By design an OTA will never cause "A" or "B"
partitions to be assigned to the wrong super. However, the same is not
true of fastbootd, where it is possible to flash the inactive slot. We
do not want, for example, logical "system_a" flashing to super_b.
When interacting with partitions, fastbootd now extracts the slot suffix
from a GetSuperSlotSuffix() helper. On retrofit devices, if the partition
name has a slot, that slot will override FastbootDevice::GetCurrentSlot.
This forces partitions in the inactive slot to be assigned to the correct
super.
There are two consequences of this. First, partitions with no slot
suffix will default to the current slot. That means it is possible to
wind up with two "scratch" partitions, if "adb remount" is used on both
the "A" and "B" slots. However, only the active slot's "scratch" will be
visible to the user (either through adb or fastboot).
Second, if one slot does not have dynamic partitions, flashing will
default to fixed partitions. For example, if the A slot is logical and B
is not, flashing "system_a" will be logical and "system_b" will be
fixed. This works no matter which slot is active. We do not try to
upgrade the inactive slot to dynamic partitions.
Bug: 116802789
Test: fastboot set_active a
fastboot flashall # dynamic partitions
fastboot getvar is-logical:system_a # true
fastboot getvar is-logical:system_b # false
fastboot set_active b
fastboot flashall --skip-secondary
fastboot getvar is-logical:system_a # true
fastboot getvar is-logical:system_b # true
Booting both slots works.
Change-Id: Ib3c91944aaee1a96b2f5ad69c90e215bd6c5a2e8
This patch adds a new variable, "super-partition-name", to query the
name of the super partition (with a slot suffix if it has one). The
fastboot flashing tool has been updated to query this variable.
Since the super partition name can no longer be determined without
fastbootd, the presence of super_empty.img is used to test for
dynamic partition support rather than the presence of a super partition.
Bug: 116802789
Test: fastboot flashall on retrofit device
Change-Id: If830768eba6de7f31ac3183c64167fae973c77a4
Without this, it is much more difficult to ensure that the "a" and "b"
slots are both bootable during development. We already update all
metadata slots for update-super, so we should here as well.
Bug: N/A
Test: fastboot flashall
fastboot set_active other
fastboot flashall
Change-Id: Ib661e35fa89171a68a0b1da195dc5ba0375d72e4
Boot control HAL implementations will return the current boot
slot as the active slot. If a set_active command is issued on another
slot, it should be considered as the new active slot and subsequent
flashes should flash the same.
Test: fastboot set_active "b", fastboot getvar current-slot
Bug: 78793464
Change-Id: Ida3817670de8e74a7d7ae2a905e7ac1756c6bdf1
If a device has logical partitions but does not use a partition called
"super", we will need this to be configurable. Note that the "slot"
argument is currently unused, but will be necessary for update_engine if
there are A and B super partitions.
Bug: 116608795
Test: super partition works
Change-Id: Ieb548a158faeb423f3561230f26d582325efbc6b
