On platforms that use ACPI instead of Device Tree (DT), such as
Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not
exist. As a result, Android O is unable to mount /system, etc.
at the first stage of init:
init: First stage mount skipped (missing/incompatible fstab in
device tree)
Those platforms may create another directory that mimics the layout
of the standard DT directory in procfs, and store early mount
configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs
using information encoded in the ACPI tables:
https://android-review.googlesource.com/442472https://android-review.googlesource.com/443432https://android-review.googlesource.com/442393https://android-review.googlesource.com/442395
Therefore, instead of hardcoding the Android DT path, load it from
the kernel command line using a new Android-specific property key
("androidboot.android_dt_dir"). If no such property exists, fall
back to the standard procfs path (so no change is needed for DT-
aware platforms).
Note that init/ and fs_mgr/ each have their own copy of the Android
DT path, because they do not share any global state. A future CL
should remove the duplication by refactoring.
With this CL as well as the above ones, the said warning is gone,
but early mount fails. That is a separate bug, though, and will be
addressed by another CL.
Test: Boot patched sdk_phone_x86-userdebug system image with patched
Goldfish 3.18 x86 kernel in patched Android Emulator, verify
the "init: First stage mount skipped" warning no longer shows
in dmesg.
Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415
Signed-off-by: Yu Ning <yu.ning@intel.com>
clang is the default compiler since Android nougat
Test: mma & verified it´s still build with clang
Change-Id: I34adaeef2f6558a09f26027271222bad94780507
Signed-off-by: Lennart Wieboldt <lennart.1997@gmx.de>
* changes:
fastboot: add mke2fs and e2fsdroid to build package
fastboot: call mke2fs tools to generate ext4 image
fs_mgr: call format_f2fs correctly with -f
init: require e2fsdroid and mke2fs when building init
init: rename mke2fs tools with _static suffix
Because full disk encryption make surper block is not except contents. Only
judge the magic number can prevent most of encrypted surper block.
In particular, magic number plaintext may be equal ciphertext. In order to
avoid this situation, we add the judgment of adaptive situation of the
s_rev_level, s_log_block_size and EXT4_INODE_SIZE.
Test: 1. Config fstab,userdata add flags: forceencrypt=footer,reservedsize=128M
2. build a new target files, and flash all image.
3. Config encrypt userdata surperblock,set magic number is 0xEF53
4. reboot system and check log of fs_mgr.
Change-Id: I925584d58f17afabbb3aa91f8be2302518172bb2
Signed-off-by: katao <katao@xiaomi.com>
This patch formats f2fs with -f option.
Change-Id: I3fc415f35d81f22cbf1eadebc619465d36205927
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
(cherry picked from commit 0331c2cf77)
On a A/B device, the image combination in VTS is:
- system.img (userdebug): provided by Google (system as root)
- vendor.img (user): provided by the OEM
The generic system.img provided by Google doesn't have /verity_key.
So verified boot will fail when it tries to verify the signature of
vendor.img. This CL allows signature verification error (including
no verity_key) when the device is unlocked.
This CL also changes the return value to FS_MGR_SETUP_VERITY_SKIPPED when
signature verification failed in logging mode. Otherwise, first stage
mount will fail because it assumes verity device initialization should be
successful when receiving FS_MGR_SETUP_VERITY_SUCCESS.
Bug: 63821912
Test: boot generic system.img on a A/B device
Change-Id: I33e5ef753913ae9f0c8b02c518ae94d4c8505611
Upstream kernels (v4.9+, v4.4.67+) have started to enforce that
encryption policies cannot be set on ext4 directories unless
EXT4_FEATURE_INCOMPAT_ENCRYPT is set in the filesystem superblock, as
was the original design. Since Android's userspace was not setting this
flag, it was not possible to use "file-based encryption" (FBE) on
devices whose kernels enforce this constraint. Fix this by updating
fs_mgr to set the flag if needed, similar to how it enables the quota
feature if needed.
Note that it would, eventually, be simpler to set this flag at mkfs
time. But that seems infeasible for now, given the many different ways
the userdata filesystem can be formatted --- including via 'fastboot',
which I believe is expected to still be compatible with old devices
whose kernel and/or e2fsprogs don't support the 'encrypt' flag.
Bug: 36231741
Change-Id: Ibafb9a7116fc853b62f8ee074a78499399f290a6
There were several duplications in the code that runs before a
filesystem is mounted. This made it difficult to start running tune2fs
to set the encryption feature flag. Refactor to deduplicate the logic,
and improve the log messages.
Bug: 36231741
Change-Id: I90846dad9c5ec85b3c5460615dec4cc19cb7e198
During mount operations, fs_mgr_wait_for_file() is invoked to
ensure the device file exists before starting to mount it. Adding
logs when the wait fails and also skip mounting as it won't be
successful. Also merge fs_mgr_test_access() and wait_for_file()
as fs_mgr_wait_for_file().
Test: Boot device and manually trigger the timeout issue
Test: Check and confirm whether timeout log info is inside ksmg.
Change-Id: Ide6d7fdca41e03e169e4400f91b7dea327985aaf
To boot with generic system.img for project Treble, we should allow no verity
metadata when the device is unlocked. The previous fix checks system property
"ro.boot.flash.locked" but it's unavailable during first stage mount.
This CL checks "androidboot.verifiedbootstate" in kernel command line instead.
Bug: 63268209
Test: boot sailfish without metadata on /vendor
Change-Id: Ifd1dbeb2a2f09cd06903ecdd59bc94b3905a3fbd
Need to know why the mount failed. clang_format adjustment.
Basically change LINFO to PINFO to cause the log message for the mount
report to be accompanied by a strerror(errno) message appended to the
end so that it is clear why the mount was rejected.
Test: manual
Bug: 63100799
Change-Id: Ic958299759befe5d5b11bdc95fea5d64cad86412
libfstab is a subset of libfs_mgr, intended for vendors to use. It
exposes APIs for reading fstab. Note this 'visible to vendor' does not
mean that the API should be stable forever. The API can be changed in
later releases of Android, ,but the newer Android must not cause
run-time error when there is an older version of this static library
being used somewhere.
Bug: 62990533
Test: BOARD_VNDK_VERSION=current m -j libfstab.vendor
Change-Id: I371174fa1f6b4de6d6dd437b84ce4ed1e8740672
Merged-In: If8fc73e4ae4c2f8281c41a12f1c18079aab8baa2
The generic system.img released from project Treble can't contain any verity
metadata (e.g., vboot 1.0, AVB, or any other implementation) because it's
*generic*. To make any device can boot with it, `avbctl disable-verification`
is introduced to set a new flag AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED
in the top-level vbmeta to disable the entire AVB verification process. This
should be done prior to flash the generic system.img. See the following link
for details:
https://android-review.googlesource.com/#/c/418399/
This CL checks whether AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED is
set in the top-level vbmeta. When set, skip verifying the vbmeta structs
against androidboot.vbmeta.{hash_alg, size, digest} because it will be
absent in kernel cmdline. Also, only top-level vbmeta struct is read then
returned by libavb in this case.
Note that another flag AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED, usually
set by `adb disable-verity`, is used to signal fs_mgr to skip setting up
dm-verity, but libavb still verifies all vbmeta structs. fs_mgr will
also verify all vbmeta structs against androidboot.vbmeta.{hash_alg,
size, digest} from kernel cmdline as well.
Also rename SetUpAvb() to SetUpAvbHashtree() to better fit its usage.
This function will return kDisabled when any of the above two flags is set.
Finally, regardless of which flag is set or not set, we still only allow two
return values from avb_slot_verify():
- AVB_SLOT_VERIFY_RESULT_OK: it's still possible to get this value
when any of these flags are set in build time. e.g.,
BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS=--flags 2
- AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: in most cases we should
get this value, because the flags are likely set at run time.
Bug: 62523303
Test: boot device with 'avbctl disable-verification'.
Test: boot device with 'avbctl enable-verification'.
Test: boot device with 'adb disable-verity'.
Test: boot device with 'adb enable-verity'.
Test: build image with BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS=--flags 2, then boot device.
repeat the above steps to boot device again.
Change-Id: Ie8436f3e0e82c78490208f3b85eac5238a9fdfdb
In case of non-secure builds (eng variant) fs_mgr_setup_verity() skips
verity checks regardless of fstab options. This is slightly different
than 'adb disable-verity' where it would first read the verity metadata
to check if verity is disabled.
So, this change adds a new return value of FS_MGR_SETUP_VERITY_SKIPPED
instead of piggy backing on the FS_MGR_SETUP_VERITY_DISABLED.
Bug: 62864413
Test: Boot sailfish
Change-Id: I42bf2bdce0ecb18b4c3b568e2bc96bf1590dfb35
Signed-off-by: Sandeep Patil <sspatil@google.com>
The value of PRODUCT_{SYSTEM,VENDOR}_VERITY_PARTITION will be included
in the verity metadata of an image. For example:
PRODUCT_VENDOR_VERITY_PARTITION := /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor
This makes the image cannot be shared for devices with different by-name
prefix:
/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor
/dev/block/platform/soc.0/7824900.sdhci/by-name/vendor
This change supports using a generic PRODUCT_{SYSTEM,VENDOR}_VERITY_PARTITION to
build image and replace it with the actual path at run time:
PRODUCT_VENDOR_VERITY_PARTITION := /dev/block/bootdevice/by-name/vendor ==>
/dev/block/platform/soc.0/7824900.sdhci/by-name/vendor
Bug: 62171170
Test: Boot sailfish with PRODUCT_VENDOR_VERITY_PARTITION := /dev/block/bootdevice/by-name/vendor
Change-Id: I2789d2a025e80a628a1b4e7419818065c209fb7f
Current first stage mount only allows three mount points: system, vendor
and/or odm. This was introduced by project Treble to mount those
verified partitions early. However, there might be some other custom
partitions needs to be mounted early as well. This CL removes the
restriction and does first stage mount for whatever specified in
fstab-dt.
Bug: 62423887
Test: first stage mount /vendor with vboot 1.0
Test: first stage mount /vendor with vboot 2.0 (AVB)
Change-Id: I6c146c64e673c35c2823523ccbde193590430c48
Because the zram_size type is unsigned int.so if ZRAM size great
than 2^31 -1, zram_fp will receive a negtive integer, while the
ZRAM driver only accept natural number.We need to use printf
formatting %u instand of %d.
Test: 1. Config the zramdisk size 2348810240 and build a ramdisk
2. Reflash device and check below command:
$adb shell dumpsys meminfo
$ adb shell cat /sys/block/zram0/disksize
ZRAM info display will be abnormal
3. Config the zramdisk size 2348810240 and apply with this
patch.
4. Retest to step 2 and the ZRAM info will be ok.
Change-Id: I473de33fbd0b66cf13eac3172684e9fef11b6ef0
For an fstab entry in device tree, fs_mgr now honors the status property
as done by linux. i.e. the node (in this case, the fstab entry) is
enabled if status is not set, "ok" or "okay". For every other value, the
node is considered as disabled.
Merged-In: I5ff8f710de2c54afc76b4af28108ca9075357ad1
Bug: 62127741
Test: Test sailfish w/ no status property, result: boots
Test: Test with status = "disabled", result: skips mounting /vendor
Test: Test with status = "ok", result: boots
Change-Id: I5ff8f710de2c54afc76b4af28108ca9075357ad1
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit be4302bf58)
fstab_rec.fs_options might be nullptr when printing error message.
Use android::base::StringPrintf() to '(null)' when needed.
Bug: 37759782
Test: Boot device and manaully trigger the output
Change-Id: I1bdf4ba57331aaea9dd5e790f6bf9d9b8bdc8b53
AVB is going to support different modes to handle dm-verity errors.
See the following CL for more details:
- https://android-review.googlesource.com/#/c/392873/
The verity mode is controlled by bootloader through androidboot.veritymode in
kernel command line. fs_mgr should read the value from there and specify the
corresponding flag when loading dm-verity table into kernel.
Also removes some unused #include libraries.
Bug: 38157502
Test: Manually tested different dm verity modes:
- "restart_on_corruption" (androidboot.veritymode=enforcing)
- "ignore_corruption" (androidboot.veritymode=logging)
- None, default mode is EIO in kernel (androidboot.veritymode=eio)
Change-Id: I80e1e817a148b54fb67ba58112d376dc2cf37c98
In https://android-review.googlesource.com/#/c/392873/ we slightly
changed the libavb API. This CL updates fs_mgr to use the new API.
Bug: 38157502
Test: Manually tested.
Change-Id: Ia3371e11fcd81fcc1d147f030cd62af67943aad5
Current first stage mount for AVB requires specifying a common prefix of
by-name symlink for all AVB partitions. It limits all AVB partitions to be on
the same block device.
firmware {
android {
compatible = "android,firmware";
vbmeta {
compatible = "android,vbmeta";
parts = "vbmeta,boot,system,vendor";
by_name_prefix="/dev/block/platform/soc.0/f9824900.sdhci/by-name" <-- *removing this*
};
fstab {
compatible = "android,fstab";
vendor {
compatible = "android,vendor";
dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
type = "ext4";
mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
fsmgr_flags = "wait,avb";
};
};
};
};
For normal mount with AVB, it extracts the by-name prefix of /misc
partition and use it as the prefix for all other partitions:
- /dev/block/platform/soc.0/f9824900.sdhci/by-name/misc ->
- /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a
Fix this by adding an internal map in FsManagerAvbOps to record the mapping
from partition name to its by-name symlink:
ByNameSymlinkMap["vendor_a"] = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a"
Two overloaded factory methods are then provided for FsManagerAvbUniquePtr:
- FsManagerAvbUniquePtr Open(ByNameSymlinkMap&& by_name_symlink_map):
for first stage mount, where the by-name symlink map will be
constructed externally, from the uevents processed by init, before
invoking this factory method.
- FsManagerAvbUniquePtr Open(const fstab& fstab): for normal mount,
where the by-name symlink map will be constructed from the input fstab
internally.
Bug: 37552224
Test: first stage mount /vendor with vboot 1.0
Test: first stage mount /vendor with vboot 2.0 (AVB)
Test: normal mount /vendor with vboot 2.0 (AVB)
Change-Id: Id17e8566da87ea22b8923fcd6e47db8d45bc7d6a
Should set verity mode to VERITY_MODE_DEFAULT when
androidboot.veritymode=enforcing.
Bug: 38103331
Test: `adb shell getprop partition.system.verified` returns 2 when veritymode=enforcing
Test: `adb shell getprop partition.vendor.verified` returns 2 when veritymode=enforcing
Change-Id: I2f34eb6509f91989ce726e540cf2c0d353347ede
Current AVB flow in fs_mgr doesn't allow verification error even if the
device is unlocked. This makes first stage mount fail when the device
is flashed with a different-sized boot.img because there is verification
error (HASH_MISMATCH) for the boot partition.
Fix this by allowing verification error only when the device is
unlocked. Whether to enable dm-verity for HASHTREE partitions is still
controlled by the HASHTREE_DISABLED flag in the top-level vbmeta.
Bug: 37985430
Test: First stage mount /vendor with AVB on a device.
Check dm-verity is enabled on /vendor.
Test: Unlock device, flash a different-sized boot.img. Boot device and check
dm-verity is still enabled on /vendor.
Test: First stage mount /vendor with AVB on a device with HASHTREE_DISABLED
is set on the top-level vbmeta, check dm-verity is not enable on /vendor.
Change-Id: I709431bc1c37e4f86133d171cee8e90621cdb857
- It was using blk dev name from fstab and quota / super block check was always
failing for FDE
bug: 37913441
Test: reboot and confirm quota
Change-Id: I8a9e890ef2787f2959e6a0225c6b21d35602f19e
This ensures that future operations (e.g. function pointers in the
AvbOps struct) added to AvbOps are set to NULL.
Bug: 37709309
Test: Manually tested on UEFI-based bootloader.
Change-Id: If83ea57b7abad94e472768c594efa210e3351a4d
- Returns FS_MGR_MNTALL_FAIL for failure paths in fs_mgr_mount_all()
- Removes the 'goto out' in fs_mgr_do_mount() as there is nothing to do in
the 'out' label now. Also removes the "ret = FS_MGR_DOMNT_FAILED;" and
just return FS_MGR_DOMNT_FAILED directly for the default failure path.
- Changes some LERROR to PERROR
Test: Use fs_mgr_do_mount() to mount /system with AVB
Change-Id: I126a0124a5c9d61302f40ab9db16989500d9777e
In a A/B device, system partition is mounted by kernel as root.
In vboot 1.0, the dm device name of system partition is "system" with
the following configuration in kernel command line:
- dm="system none ro,0 1 android-verity /dev/sda34"
In AVB, the dm device name is switched to vroot as:
- dm="1 vroot none ro 1,0 5201456 verity 1 ..."
When sending ioctl DM_TABLE_STATUS to query status, we should use "vroot" as the
dm device name for AVB. But still pass "system" for the callback function to set
property [partition.system.verified] instead of [partition.vroot.verified].
Bug: 36900078
Test: Use AVB to mount system in a A/B device, checks the property exists
[partition.system.verified]
Test: Use vboot 1.0 to mount system in a A/B device, checks the property exists
[partition.system.verified]
Test: Checks 'adb remount' will output warning message:
- dm_verity is enabled on the system and vendor partitions.
- Use "adb disable-verity" to disable verity.
Change-Id: Iaee7eb2b00b03729bc07fa24f1b449488716d2ea
The new changes to slotselect() call makes it try to find the
"slot" config before trying "slot_suffix" and that causes fs_mgr to
print the needless error and spam the kernel logs for no reason.
Remove the print.
Test: Builds for sailfish
Change-Id: I020575d70f4cd6e137e82c127b5d5234d709d0e3
Signed-off-by: Sandeep Patil <sspatil@google.com>
- Do not use -f if it was cleanly shutdown.
- For unclean shutdown or other operation failures like
mount, tune2fs failure, run full check.
- Still old image will run full check once in 5 reboots
while new image will not run full check unless something
fails.
- Add retry for final mount. If mount fails once, run full fsck
once and try again.
bug: 32246772
bug: 35366616
Test: many reboots
Change-Id: I86949732ffe1955636ac179d553c91e52910f73e
- moved __android_log_is_debuggable to a new public header
(log_properties.h)
- vendor version of sched_policy uses ALOG* instead SLOG*
Test: (sanity) liblog-unit-tests
Test: (sanity) libcutils_test (noting b/b/32972117, two tests continue
to fail)
Test: system/core as a whole makes with BOARD_VNDK_VERSION := current
now with no problems.
Test: boots/works on internal marlin
Bug: 33241851
(cherry picked from commit 1f83aa424f)
Merged-In: I5bc1f348dc0f0c8814bec5b5c3d2c52c825ab640
Change-Id: I5bc1f348dc0f0c8814bec5b5c3d2c52c825ab640
Set ro.boot.avb_version to "AVB_VERSION_MAJOR.AVB_VERSION_MINOR".
During Treble OTA match, the major version must be the same as that in
the avb metadata on disk, while the minor version can be equal or
greater to that in the avb metadata on disk.
See how avb versioning work on the following link:
https://android-review.googlesource.com/#/c/342757/
Also renames AvbHashtreeDisabled() -> hashtree_disabled().
Bug: 35322304
Test: Early mount with AVB, checks [ro.boot.avb_version]: [1.0] exists.
Test: Not enable AVB, checks [ro.boot.avb_version] doesn't exists.
Change-Id: I5aaf476ca53c4fe817779518ba14b68ebcfdc6d6
fs_mgr_update_verity_state() is invoked by 'verity_update_state' in
init.rc. It will then set property "partition.system.verified" and
"partition.vendor.verified" to verify_mode. We should support this for
AVB as well.
Also change the order of static libs in init to fix the build error
after this change:
system/extras/ext4_utils/ext4_crypt.cpp:69: error: undefined reference to 'property_get'
Bug: 35416769
Test: Mount /system and /vendor with vboot 2.0 (AVB), check the following properties exist.
- [partition.system.verified]: [2]
- [partition.vendor.verified]: [2]
Test: Mount /system and /vendor with vboot 1.0, check the following properties exist.
- [partition.system.verified]: [0]
- [partition.vendor.verified]: [0]
Change-Id: I4328d66a8cb93f26e7960e620a0b2292d5f15900
- mount, e2fsck, tune2fs will all fail if magic number does not match.
- mismatch always happen for FDE and is wasting boot-up time to try
all and fail always.
- skip mount steps if it has invalid magic number and do not record
fs_stat either.
- For ext4 fs with corrupt superblock, e2fsck refuses to do anything if
superblock magic is invalid. So simply running e2fsck does not help
anyway.
bug: 36231950
Test: reboot ane check fs_mgr log from dmesg
Change-Id: I9ad9e0cd30fd074b3bbf8f450bd401b133d5771a
Several changes in this CL:
- Moves class FsManagerAvbHandle to public API
- Adds a parameter 'wait_for_verity_dev' for FsManagerAvbHandle::SetUpAvb()
to allow not to wait for verity device gets created
- Adds FsManagerAvbHandle::AvbHashtreeDisabled() to query whether AVB is disabled
- Adds fs_mgr_is_avb() to query whether a fstab_rec has MF_AVB flag
Bug: 33254008
Test: test AVB on bullhead
Change-Id: I89c43ca574ae632db8a700fc2590a1f80212c993
