Commit graph

64860 commits

Author SHA1 Message Date
Yo Chiang
b445a01263 Use default dsu slot name when host is Android Q
DSU slotting support is added in Android R, so
android::gsi::GetActiveDsu() is guaranteed to fail if DSU guest system
is S and host is Q.
In that case, just assume the DSU slot to be "dsu".

Bug: 172541102
Bug: 168571434
Test: Boot GSI S on Q pixel with DSU
Change-Id: I96e191907ce2fedf8c22b7887e930a7c455eb593
2020-11-06 09:00:41 +00:00
David Anderson
56850e12e3 Merge "libsnapshot: Add an open /dev/null mode for CowWriter." 2020-11-05 07:37:43 +00:00
David Anderson
1b9ab3f544 libsnapshot: Add an open /dev/null mode for CowWriter.
This will be used by payload_generator to estimate the COW size without
using extra storage space.

Bug: 168554689
Test: cow_api_test, ota_from_target_files
Change-Id: I095c809e7d81eff5321b86f4c6bdfb6e9467e84e
2020-11-04 20:38:50 -08:00
Treehugger Robot
f2609b2b0f Merge "libsnapshot: Only sync after labels" 2020-11-05 03:52:04 +00:00
David Anderson
c497a1c63c Merge "libsnapshot: Use the COW size from the update manifest." 2020-11-04 20:20:14 +00:00
Treehugger Robot
fded8e696c Merge "Fix unused function error for user build" 2020-11-04 10:47:35 +00:00
Yo Chiang
cc86e967c7 Fix unused function error for user build
```
system/core/fs_mgr/fs_mgr_overlayfs.cpp:83:6: error: unused function
'fs_mgr_is_dsu_running' [-Werror,-Wunused-function]
```

Bug: 172405271
Bug: 165925766
Test: build aosp_bonito-user, no warning/error
Change-Id: I3206e5bd13658ab0b7f5826e8e1c206c8df65684
2020-11-04 07:02:47 +00:00
Rick Yiu
b4a3f080e6 Merge "libprocessgroup: Support write to file feature" 2020-11-04 04:54:42 +00:00
Treehugger Robot
f6d42d45c5 Merge changes I669a03a6,Ibb774d6d
* changes:
  libsnapshot: Fix footer values and verification
  libsnapshot: Fix some minor formatting bugs
2020-11-04 04:50:42 +00:00
Yo Chiang
65f4f4359d Merge changes from topic "dsu-overlayfs"
* changes:
  Refactor fs_mgr_overlayfs_teardown()
  Enable overlayFS on DSU system
2020-11-04 03:30:31 +00:00
Yo Chiang
497bca09c7 Merge "adb-remount-test.sh: Make devt errors warnings instead" 2020-11-04 03:30:31 +00:00
Yo Chiang
5ab4400db1 Merge "TransformFstabForDsu() skips handling special devices" 2020-11-04 03:30:31 +00:00
David Anderson
dfaede06bc Merge changes from topic "init-snapuserd"
* changes:
  libsnapshot: Implement MapAllSnapshots and UnmapAllSnapshots.
  Start snapuserd if needed as soon as possible during second-stage init.
  libsnapshot: Add support for first-to-second-stage transitions of snapuserd.
2020-11-03 18:24:49 +00:00
Tom Cherry
22e036bd26 Merge "Move CtsLiblogTestCases and CtsLogdTestCases to system/logging/TEST_MAPPING" 2020-11-03 14:14:08 +00:00
Rick Yiu
bc1ad9671a libprocessgroup: Support write to file feature
There may be some use cases that need to write a string to a
file. This patch supports writing "Value" to "FilePath", where
both parameters could use special string "<uid>" and "<pid>" to
represent actual uid and pid.

Bug: 170507963
Test: function works
Change-Id: I543846f523518a9bcb3dd1b3437163a1b3157d95
2020-11-03 20:56:48 +08:00
Daniel Rosenberg
d5bcbaa066 libsnapshot: Only sync after labels
This changes labels to belong at the end of the set of ops that they
refer to. We only sync after writing a label, or the footer, saving the
cost of syncing after every op.

Change-Id: Iee9dd69132b8e3321eccfe1e43fa0c072a94d3bd
Bug: 172026020
Test: cow_api_test
2020-11-03 00:40:02 -08:00
Daniel Rosenberg
290b0ed4b3 libsnapshot: Fix footer values and verification
A few values in the footer were being set inconsistently. We weren't
verifying them, so it didn't matter. This adds verification and sets
them properly.

Change-Id: I669a03a6e1e87ace31775aba5b67dde9b6e5ecf5
Bug: 168829493
Test: cow_api_test
2020-11-03 00:40:02 -08:00
Daniel Rosenberg
46ef7595d0 libsnapshot: Fix some minor formatting bugs
A few minor issues snuck through code review.
Removed a debug line in cow_api_test to persist file.
Removed unused function declaration for cow writer
Switched PLOG to LOG where no errno exists.

Change-Id: Ibb774d6de518fc2a8746e4b9eefc3655c9973c30
Bug: 168554689
Test: cow_api_test
2020-11-03 00:39:45 -08:00
Treehugger Robot
485505c06d Merge "Fix the expected tagged_addr_ctrl in a test." 2020-11-03 03:12:02 +00:00
Treehugger Robot
8df6d9e0de Merge "Store result of mount_all for mounted userdata by metadata encryption" 2020-11-03 02:18:24 +00:00
Peter Collingbourne
2b6764a625 Fix the expected tagged_addr_ctrl in a test.
It turns out that I had originally written the test with a local
patch applied that forces TCF0 to SYNC, so it was testing for the
wrong tagged_addr_ctrl value. Fix it.

Bug: 135772972
Change-Id: Ibb9b25e5f5635372ad5de7825c31d7264ff02590
2020-11-02 16:00:08 -08:00
Treehugger Robot
9979a4f79d Merge "Remove symlink libprocinfo" 2020-11-02 23:29:24 +00:00
Tri Vo
0b0f7f31b9 Merge changes I7741c7e5,I30bb2844,If55b93b1,Ife058ca2
* changes:
  trusty: fuzz: dump trusty kernel logs on crash
  trusty: Add corpus for gatekeeper fuzzer
  trusty: Fuzzer for Gatekeeper TA
  trusty: fuzz: Helper library
2020-11-02 23:09:13 +00:00
Treehugger Robot
8b4a9a9a61 Merge "Move e2fsck into /first_stage_ramdisk." 2020-11-02 21:33:07 +00:00
David Anderson
eb7eb4bef6 libsnapshot: Use the COW size from the update manifest.
When Virtual A/B Compression is enabled, the manifest contains the
predicted COW size. Use this instead of the algorithm based on the
kernel COW format.

Bug: 168554689
Test: vts_libsnapshot_test
Change-Id: I545679b4834957ff80a930d91cb44afbadebb66c
2020-11-02 13:24:16 -08:00
David Anderson
2eb7b9221b libsnapshot: Implement MapAllSnapshots and UnmapAllSnapshots.
Bug: 168554689
Test: vts_libsnapshot_test
Change-Id: I6809e226741dabcf337c3a5cfaba56afdb9edd64
2020-11-02 13:24:15 -08:00
David Anderson
b031def229 Start snapuserd if needed as soon as possible during second-stage init.
snapuserd is used as a user-space block device implementation during
Virtual A/B Compression-enabled updates. It has to be started in
first-stage init, so that updated partitions can be mounted.

Once init reaches second-stage, and sepolicy is loaded, we want to
re-launch snapuserd at the correct privilege level. We accomplish this
by rebuilding the device-mapper tables of each block device, which
allows us to re-bind the kernel driver to a new instance of snapuserd.
After this, the old daemon can be shut down.

Ideally this transition happens as soon as possible, before any .rc
scripts are run. This minimizes the amount of time the original
snapuserd is running, as well as any ambiguity about which instance of
snapuserd is the correct one.

The original daemon is sent a SIGTERM signal once the transition is
complete. The pid is stored in an environment variable to make this
possible (these details are implemented in libsnapshot).

Bug: 168259959
Test: manual test
Change-Id: Ife9518e502ce02f11ec54e7f3e6adc6f04d94133
2020-11-02 13:24:06 -08:00
David Anderson
f57fd97df3 libsnapshot: Add support for first-to-second-stage transitions of snapuserd.
This patch introduces the fundamentals needed to support booting off
dm-user. First, a method has been added to start snapuserd in
first-stage init. It simply forks and execs, creates a specially named
first-stage socket, then waits for requests.

Next, a new method has been added to SnapshotManager to perform a
second-stage handoff. This works by first launching a second copy of
snapuserd using init's normal service management functionality. The new
snapuserd runs alongside the original, but has correct privileges and a
correct selinux context. Next, we inspect each COW device, and if its
table uses dm-user, we replace the table with a renamed control
device. The new control device is bound to the new snapuserd.

device-mapper guarantees that such a table swap is safe. It flushes I/O
to the old table and then replaces it with the new table. Once the new
table is in place, the old dm-user control devices are automatically
destroyed. Thus, once all dm-user devices have been transitioned, the
first-stage daemon is idle and can gracefully exit.

This patch does not modify init. A few changes will be needed on top of
this patch:

(1) CreateLogicalAndSnapshotPartitions will need further changes to
start the first-stage daemon and track its pid. Additionally, it will
need to ensure the named socket file is deleted, so there is no further
IPC allowed after partitions are completed.
(2) init will need to propagate the pid to second-stage init so the
process can be killed (or signalled).
(3) first-stage snapuserd will need to gracefully exit once it has no
active handler threads.
(4) second-stage init will need to invoke the transition helper on
SnapshotManager, ideally as soon as feasible.

Bug: 168259959
Test: manual test
Change-Id: I54dec2edf85ed95f11ab4518eb3d7dbaf0bdcbfd
2020-11-02 13:24:05 -08:00
Tom Cherry
5c14450f4f Move CtsLiblogTestCases and CtsLogdTestCases to system/logging/TEST_MAPPING
Test: these tests run in presubmit
Change-Id: If7055853d3477ca3b40cc3b39c69f6077a42f990
2020-11-02 12:44:37 -08:00
Yifan Hong
92836b2e95 Merge changes from topic "toybox_vendor_ramdisk"
* changes:
  Add shell_and_utilities_vendor_ramdisk
  Make libraries {vendor_,}ramdisk_available.
2020-11-02 18:33:33 +00:00
Baligh Uddin
509eef3673 Remove symlink libprocinfo
BUG: 170465278
Test: TH
Change-Id: Ic195c735ab0f9aa232063194682ddcd73f84ab77
2020-11-02 18:16:57 +00:00
Stephen Crane
5e3a3ce011 trusty: fuzz: dump trusty kernel logs on crash
Adds an Abort() function to the fuzzer utils library that grabs and
prints the relevant trusty kernel logs before exiting the fuzzer.

Test: /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: I7741c7e5e0ffdc402e3d3dd9a7e5856e2a640dd2
2020-11-02 10:16:44 -08:00
Stephen Crane
6c0fb906f6 trusty: Add corpus for gatekeeper fuzzer
Test: /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: I30bb2844972df952d853f0809e2eb8d5b5a1dd9c
2020-11-02 09:58:54 -08:00
Qilin Tan
12d95df367 Store result of mount_all for mounted userdata by metadata encryption
When the userdata is mounted, its result will be stored and returned.
But the result is not stored when the userdata is mounted with
metadata encryption. Store the result of metadata encryption mount.

Bug: 172180818
Test: run cts-on-gsi -m CtsUserspaceRebootHostSideTestCases
Change-Id: I88b1b4f6a2b1ed81773e18243cb6c46244dc1ba5
2020-11-02 05:27:11 +00:00
Treehugger Robot
c635d568ed Merge "Cleanup symlink for system/core/{libbacktrace, libunwindstack}" 2020-10-30 21:57:31 +00:00
Ryan Savitski
3b268df195 Merge "dev devices with permissive boot: disable perf_event_paranoid" 2020-10-30 17:48:04 +00:00
Rick Yiu
32809d8231 Merge changes from topic "aosp_use_uclamp"
* changes:
  init: Add cpu controller hierarchy to use utilclamp controller
  libprocessgroup: Replace stune with utilclamp profiles
2020-10-30 07:12:32 +00:00
Baligh Uddin
14aa6aa8c7 Cleanup symlink for system/core/{libbacktrace, libunwindstack}
BUG: 170465278
Test: TH
Change-Id: Ib906c46141886e691f4fc908d7b2f5dbe5eeda08
2020-10-30 01:44:43 +00:00
Baligh Uddin
61adc0d239 Merge "Cleanup references to system/core/liblog -> system/logging/liblog" 2020-10-30 01:30:18 +00:00
Tri Vo
10ffc3417d trusty: Fuzzer for Gatekeeper TA
Test: /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: If55b93b1a15c5bd9a1148ff54a859635a6e7290c
2020-10-29 18:02:01 -07:00
Tri Vo
e8823ffcb4 trusty: fuzz: Helper library
Test: /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: Ife058ca25417e6bee4bf593b10a4e7e4000f9f2f
2020-10-29 18:01:59 -07:00
Yifan Hong
3337e782e6 Move e2fsck into /first_stage_ramdisk.
On devices without a dedicated recovery partition, it is possible that
e2fsck exists in /system/bin, not /first_stage_ramdisk/system/bin, if
it is using generic ramdisk. When force_normal_boot, /system/bin/e2fsck
would not exist during first stage mount.

In this case, move /first_stage_ramdisk/system/bin/e2fsck to
/system/bin/e2fsck before switching root into /first_stage_ramdisk.
Abort if the operation fails.

On devices launching with R, e2fsck should already exist in the correct
place, so skip moving if force_normal_boot and
/first_stage_ramdisk/system/bin/e2fsck already exists.

On devices launching before R, it is possible that /system/bin/e2fsck
does not exist. Skip moving if force_normal_boot and /system/bin/e2fsck
does not exist.

Fixes: 171326057
Test: boot with GKI and move_recover_resources_to_vendor_boot, and
      check serial output

Change-Id: I8008a4cad54c7c74a84cbcabe56723bf0e193025
2020-10-29 12:59:36 -07:00
Ryan Savitski
ea93f110d2 dev devices with permissive boot: disable perf_event_paranoid
Some functionality based on eBPF attached to tracepoints (gpu memory
accounting and time-in-state) relies on newer devices running with
"disabled" perf_event_paranoid controls as a result of the kernel having
LSM hooks in the perf_event_open syscall instead. This is tested
for, and set up by init via the sys.init.perf_lsm_hooks sysprop.

Development devices that boot into permissive mode still want the
eBPF-based functionality to work, but end up with a paranoid value that
disallows the syscall, as the LSM hook test expects to observe a SELinux
denial (which doesn't happen due to permissiveness).

As a pragmatic way of achieving the paranoid value override, we pretend
that the hook test has succeeded if we detect permissive SELinux during
second-stage init. It'd be nicer if we had a sysprop to reflect the
device's on-boot status of SELinux, but it's not worth adding for this
case.

BYPASS_INCLUSIVE_LANGUAGE_REASON=technical term

Bug: 170674916
Tested: booted crosshatch-userdebug with permissive kernel cmdline,
        confirmed that the log message from the new codepath was present
        in logcat, sysprop is 1, and paranoid is -1.
Change-Id: I9df5da2076cdbd777d35e50e8cd7a483ec85e20a
2020-10-29 17:41:36 +00:00
Yifan Hong
0248561ae6 Merge changes from topic "vendor_ramdisk"
* changes:
  libprocessgroup_headers: make vendor_ramdisk_available.
  libdebuggerd_handler_fallback: make vendor_ramdisk_available.
  libcutils: make vendor_ramdisk_available.
  libpropertyinfoparser: make vendor_ramdisk_available.
2020-10-29 17:17:27 +00:00
Suren Baghdasaryan
c6baa19d6c init: Add cpu controller hierarchy to use utilclamp controller
For devices using utilclamp create cpu controller hierarchy. Do not
remove schedtune hierarchy yet because init.rc is generic and should
work with devices which still use schedtune.

Bug: 170507876
Test: cpuctl groups worked
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8494b0b64336e0c882847d555c262814bef2ffa1
2020-10-29 16:52:18 +00:00
Suren Baghdasaryan
1b53c2496d libprocessgroup: Replace stune with utilclamp profiles
Replace schedtune out-of-tree controller's usage in the performance
profiles with utilclamp controller. Stop mounting schedtune controller.

Bug: 170507876
Test: cpuctl groups worked
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Ib7fa6c902581398587c75414845c2ff6c8bdb005
2020-10-29 16:21:09 +00:00
David Anderson
4e4cff7e46 Merge "libsnapshot: Add a tool for inspecting COW files." 2020-10-29 00:27:28 +00:00
David Anderson
5fea7df825 Merge "libsnapshot: Add a skeleton API for mapping and unmapping all snapshots." 2020-10-29 00:27:19 +00:00
David Anderson
a1a5fdc6ee Merge "libsnapshot: Stop reading ops once we reach a footer." 2020-10-29 00:27:02 +00:00
Yifan Hong
7173ca82a4 Merge "Revert "Always create ramdisk/first_stage_ramdisk."" 2020-10-28 21:21:36 +00:00