Commit graph

51 commits

Author SHA1 Message Date
faqiang.zhu
dd20dc3128 Do not reboot with commit failure when ext4 userdata is wiped
When userdata partition is the type of ext4, checkpoint and metadata
encryption are enabled, boot up the images, if the slot currently
in use is not marked as "successful" and userdata is wiped, a reboot
will be triggered because of "Checkpoint commit failed"

In this patch, do not create checkpoint when the preceding condition
occurs, otherwise "dm-default-key" sits below "dm-bow".

Because cp_needsCheckpoint(), cp_prepareCheckpoint() and cp_commitChanges()
are always executed when the system boots up, and now there is a condition
that BOW device is not created while the slot in use is not marked as
"successful", set "isBow" to be "false" if BOW state fails to be set to
1, if "isBow" is false, then there is no need to commit the checkpoint,
and the system won't automatically reboot.

Bug: 193457319
Test: i.MX 8M Plus EVK, images flashed to board, misc and userdata
      partitions are wiped, checkpoint and metadata encryption are
      enabled for ext4 userdata partition.
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
Change-Id: I4ad47a9504f1be0407f0fd196001a0e96919be33
2023-01-04 21:06:00 +00:00
Kelvin Zhang
dec03ab380 Convert vold to new BootControl client
Test: th
Bug: 227536004
Change-Id: Ia2f8b51d6d3175999b2434454f0ee4e14bde934e
2022-06-22 15:14:55 -07:00
Eric Biggers
019d5163cc IdleMaint: use fstab_default from VoldUtil
vold already reads the default fstab into memory when starting up, and
the default fstab isn't allowed to change later.  So in IdleMaint.cpp,
just use 'fstab_default' instead of reading it again.

This also has the advantage that fstab entries for "logical partitions"
now get a properly updated blk_device, which is needed in order to start
using blk_device to exclude virtual filesystems in addFromFstab().

Change-Id: Id6457a2b7972d01dde4bca0c5f2da86374d930af
2020-10-15 16:54:38 -07:00
David Anderson
23850d30f6 Add an isCheckpointing() binder call for adb remount.
This is needed so "adb remount" can avoid writing to /data during a
checkpoint.

Bug: 157540389
Test: manual test
Change-Id: I33a691da3b99343acfc1e8ddf68a14504c3bfbe1
2020-06-10 23:52:25 -07:00
Qilin Tan
5d0aaaf8e0 Fix the overflow issue in Checkpoint
When the partition is f2fs and the OS is 32bit, the data.f_bavail and
data.f_frsize are 32 bits in size. The product of them is also 32 bits
in size. If the available size of storage is greater than 4G, the
product may be greater than the unsigned long max value. If the product
is overflow and less than 100M. The UDC feature will be disabled.

There is also an overflow for std::strtoul when the variable content
is a very big number(more the unsigned long max value).

To avoid the overflow:
1. convert the variable data.f_bavvail to uint64_t and then compute the
multiplication.
2. use std::strtoull replace to std::strtoul.

Bug: 147118861
Change-Id: I60172ae4cb7c997e2ad4a36583be74736c25e565
2020-01-03 08:12:03 +00:00
Tianjie Xu
09de0ff8d6 Clear the warm_reset flag after boot is successful
The property is set to inform kernel to do a warm_reset on the next
reboot. This is useful to persist the logs to debug device boot
failures. After the slot has been marked as boot successful, we can drop
the warm_reset flag to avoid the performance overhead on the next
reboot.

Bug: 143489994
Test: check the property is set to 0 by vold
Change-Id: If7c922f40bcf9a6f7894af0a334ab23d88d40d17
2019-11-15 14:06:02 -08:00
Paul Lawrence
4c757fb6cc Make sure CtsCheckpointTestCases passes
Bug: 141639903
Bug: 141499347
Test: Cts test CtsCheckpointTestCases passes
Change-Id: Id5e9c0df969340e0b8f08436daa027614c45b380
2019-10-23 09:40:45 -07:00
Nikita Ioffe
a5798fc115 vold: implement resetCheckpoint
It will be used by userspace reboot to reset checkpoint state, to make
sure that when /data is remounted, it will be remounted in checkpointing
if a checkpoint was requested beforee userspace reboot.

Test: /system/bin/vdc startCheckpoint 1
      /system/bin/vdc needsCheckpoint (returns 0)
      /system/bin/vdc resetCheckpoint
      /system/bin/vdc needsCheckpoint (returns 1)

Bug: 135984674
Change-Id: Ia29238686289b4eed93e2fb936a8b3d894b94dc9
2019-10-12 00:43:04 +01:00
Paul Lawrence
9a6d1f73e5 Fix crash in mainline
Current behavior:

Assume not checkpointing
cp_startCheckpoint creates the file in metadata
cp_needsCheckpoint will now set isCheckpointing to true
cp_commitCheckpoint will now think there is a checkpoint, and try to
commit it. This will fail on ext4 and it will return false, leading to
bad things.

cp_startCheckpoint is called when staging an apex module for update.
After this point, several things could go wrong:

If a keystore key is deleted, it calls cp_needsCheckpoint to see if the
delete should be deferred until cp_commitCheckpoint. The delete will now
be deferred, meaning that this key will never be deleted, using up the
key sots in trustzone

If a trim is scheduled through idle maintenance, this also calls
cp_needsCheckpoint, so the trims will not occur.

If either of these happens before a system crash, the device will not
recover since the system calls commitCheckpoint which will now crash.

When the system then goes on to reboot, the checkpoint will not be
triggered, since the commitCheckpoint call will have deleted the
checkpoint flag file before crashing.

Bug: 138952436
Test: vdc checkpoint startCheckpoint 5
      vdc checkpoint needsCheckpoint
      vdc checkpoint commitChanges
      stop;start

      commitChanges fails, then device loops

      After applying this test, commitChanges succeeds and device does
      not loop

Change-Id: I135099625f77344d1f8d2e8688735871c44ef2f5
2019-08-26 15:23:14 -07:00
Paul Lawrence
1d57f686a3 Fix race condition is commitCheckpoint
If cp_commitCheckpoint is called twice at the same time, the second call
to setBowState will fail.

Add lock to remove possibility, and protect all uses of isCheckpointing

Bug: 138952436
Test: Boots after flashing in checkpoint mode
Change-Id: I131298adc506c3c176774d15e642b13d5f991087
2019-08-22 09:55:32 -07:00
Treehugger Robot
5bcfb5bf45 Merge "Add property to prevent commit for Vts test" 2019-06-27 22:39:57 +00:00
Paul Lawrence
236e5e800e Make ext4 userdata checkpoints work with metadata encryption
When both ext4 user data checkpoints and metadata encryption are
enabled, we are creating two stacked dm devices. This had not been
properly thought through or debugged.

Test: Enable metadata encryption on taimen (add
keydirectory=/metadata/vold/metadata_encryption to flags for userdata in
fstab.hardware)
    Unfortunately metadata is not wiped by fastboot -w, so it is
    necessary to rm metadata/vold -rf whenever you wipe data.
    fastboot flashall -w works
    fastboot reboot -w works
    A normal boot works
    Disable checkpoint commits with
    setprop persist.vold.dont_commit_checkpoint 1
    vdc checkpoint startCheckpoint 10
    adb reboot
    wait for device to fully boot then
    adb reboot
    Wait for device to fully boot then
    adb logcat -d | grep Checkpoint shows the rollback in the logs

    This tests encryption on top of checkpoints with commit, encryption
    without checkpoints, and rollback, which seems to be the key cases.

Bug: 135905679
Change-Id: I8365a40298b752af4bb10d00d9ff58ce04beab1f
2019-06-26 15:19:24 -07:00
Paul Lawrence
a7972dc732 Add property to prevent commit for Vts test
Old approach (do not start class main) does not work because when
testings userdebug GSI on user system, adb does not start until the
framework starts.

Bug: 134126407
Test: Test passes with userdebug GSI on user Taimen
Merged-in: I20441964dbc7b6ad5b445fa17a1374c1282bbbd8
Change-Id: I20441964dbc7b6ad5b445fa17a1374c1282bbbd8
2019-06-13 16:07:11 -07:00
Paul Lawrence
c2a145ff33 Fail startCheckpoint if checkpoints not supported
Bug: 131815738
Test: vdc checkpoint startCheckpoint 2 succeeds on blueline
      It fails with a modified fstab with no checkpoint=fs flag

Change-Id: I6d55810a1f711a670f18fbd10d8779c15f4e3cba
2019-05-15 10:16:15 -07:00
Paul Lawrence
82b3505e2e Use correct Statuses from Checkpoint code
Bug: 130190815
Test: Added fake error to code and checked correct error was caught
Change-Id: If9ab9357f0f961607e15a4ba18d9d85bc9923019
2019-04-19 14:50:59 -07:00
Sandeep Patil
f8da61f26a Add visible logs about fstrim run for block based checkpoints
Bug: 120095226
Test: Tested by forcing /data/system/last-fstrim last modified time back
      2 years & manually trigger checkpoint using 'vdc checkpoint startCheckpoint 1'

Change-Id: I0cb8b6a85ae787e1ba2cdd7998a46942ca69760f
Merged-In: I0cb8b6a85ae787e1ba2cdd7998a46942ca69760f
Signed-off-by: Sandeep Patil <sspatil@google.com>
2019-04-17 12:55:58 -07:00
Nick Kralevich
a59868d6de Merge "vold: cleanups for O_CLOEXEC tidy checks." 2019-03-30 01:27:38 +00:00
Nick Kralevich
e7e89acbc8 vold: cleanups for O_CLOEXEC tidy checks.
Bug: 129350825
Test: compiles and boots
Change-Id: I83a484ca15df1b757b670008f15af5504bc94df1
2019-03-29 16:04:47 -07:00
Paul Lawrence
e81f4c1945 Fix checkpoint on Taimen
Bug: 129494872
Test: VtsKernelCheckpointTest runs and passes
Change-Id: Ib2de866db7c847d569789d1aa6cdbad7c3ee7ff4
2019-03-29 13:22:19 -07:00
Bernie Innocenti
ebe293ab54 Fix bogus error checking on unique_fd
The expression "!fd" calls the implicit conversion to int, but comparing
the raw fd against 0 does not work, since open() and other POSIX calls
returning a file descriptor use -1 to signal an error.

Test: m vold
Change-Id: I0847c276f39cb9dd09c7ffb96951276113418fc8
2019-03-28 15:54:52 +09:00
Daniel Rosenberg
b7dddd0a7e Switch Checkpoint health sleep time to ms.
This changes the property from microsecond to milliseconds, as we don't
need that sort of precision here. Also switches from using ulseep, which
has been removed from POSIX, to nanosleep.

Test: Builds, Boots, Times
Change-Id: Iefbaf8489ba05d8d688542fd7d4305efb980e701
2019-03-27 00:22:34 +00:00
Satoshi Futenma
18d10d4c15 Fixed min_free_bytes prop name and usleep time default
Test: check build

Bug: 129299864
Change-Id: Iab6a01d15185dd19604cd8d3d7ea4efc2b020e34
2019-03-27 00:12:39 +00:00
Daniel Rosenberg
8daeec05e8 Add health check to checkpointing
Take action if we are running out of checkpoint space.
Configurable via ro.sys properties.
ro.sys.cp_usleeptime = Time to sleep between checks
ro.sys.cp_min_free_bytes = Min free space to act on
ro.sys.cp_commit_on_full = action to take. Either commits or reboots to
                           continue attempt without checkpoint, or retry
			   and eventually abort OTA

Test: Trigger a checkpoint and fill the disk.
Bug: 119769392
Change-Id: I977cc03b7aef9320d661c8a0d716f8a1ef0be347
2019-03-21 13:33:49 -07:00
Daniel Rosenberg
a59e4396a4 Change abortChanges to take a message and bool
abortChanges will attempt to pass a reboot message, and will only reboot
if the device is currently checkpointing. Additionally, it can opt to
attempt to prevent future attempts. This only works for non-bootloader
controlled updates. Failures are ignored, as it will always reboot the
device. In the unlikely event of such a failure, the device will
continue to retry as though you did not ask to prevent future attempts.

Test: vdc checkpoint abortChanges abort_retry_test 1
      vdc checkpoint abortChanges abort_noretry_test 0

Change-Id: I7b6214765a1faaf4fd193c73331696b53ae572d2
2019-03-21 13:33:49 -07:00
Daniel Rosenberg
84203c1e24 Make needsCheckpoint cover whole session
This makes needCheckpoint return true when the device will or is using
checkpointing.

Test: vdc checkpoint startCheckpoint 1
      reboot
      vdc checkpoint needsCheckpoint
      should return 1 before and after data mounts, and 0 once the
      checkpoint has been committed

Change-Id: Ib57f4461d837f41a8110ed318168165a684d913a
2019-03-21 13:33:49 -07:00
Paul Lawrence
c5c79c5679 Add vdc checkpoint supportsBlockCheckpoint
Also add vdc checkpoint supportsFileCheckpoint
This is to allow tests to be specific to supported checkpoint mode.

Test: Built on Taimen and Crosshatch, made sure both new functions work
as expected

Change-Id: I0eab7453b13c0a2e31840ef9ad24a692cec55b00
2019-03-18 13:40:00 -07:00
Daniel Rosenberg
5298593b1b Make Checkpoint restore resume safe
This allows us to resume rolling back in the event of an unexpected
shutdown during the restore process. We save  progress after we process
each log sector, and whenever restarting the current log sector would
result in invalid data.

Test: Run restore, interrupt it, and attempt to resume
Change-Id: I91cf0defb0d22fc5afdb9debc2963c956e9e171c
2019-03-07 13:58:49 -08:00
Daniel Rosenberg
dda598103d Add vdc checkpoint restoreCheckpointPart
Restores the first n entries of a checkpoint. Allows automated testing
of interrupted restores.

Test: vdc checkpoint restoreCheckpoint [device] [n]
Change-Id: I47570e8eba0bc3c6549a04a33600df05d393990b
2019-03-07 13:58:49 -08:00
Daniel Rosenberg
8271ae986e Switch Checkpoint Restore code to c style File ops
In preparation for restore code, we need to guarantee fsync happens.
Switch over to fd based operations to prepare for that.

Test: Successfully restores device over reboots
Change-Id: Ic9901779e8a4258bf8090d6a62fa9829e343fd39
2019-03-06 22:05:09 -08:00
Paul Lawrence
d41a939d51 Make restore validation fast by using a map
Test: Successfully restores device over reboots
Change-Id: I4f1c5bbe6c07697a925a1a4efb92aefd15b61332
2019-02-28 09:49:54 -08:00
Treehugger Robot
2268c285a5 Merge "Do not trim unless we are actually checkpointing" 2019-02-20 12:09:31 +00:00
Paul Lawrence
db08694bb1 Do not trim unless we are actually checkpointing
I'm not convinced this explains the full regression, but it's a
worthwhile fix anyway.

Bug: 124774357
Test: Booted in checkpoint mode and non checkpoint mode

Change-Id: I6e0e1e59e27bd127feac218fff7d88bb3570b530
2019-02-19 14:41:53 -08:00
Paul Lawrence
f507768981 Support header versioning in dm-bow
Test: Make sure still boots, restores
Change-Id: I903f58cb22472dbbbbb4c27ed1d88ed1f7c7dc5d
2019-02-08 08:43:40 -08:00
Paul Lawrence
4f13a90a58 Suport variable blocksizes in dm-bow restore
Test: Test that restore still works
Change-Id: I7259e3efd1cd0ee13c74336a7e53158b6bceed57
2019-02-08 08:43:40 -08:00
Daniel Rosenberg
886915bb6f Mark A/B Boot success before committing checkpoint
This marks the slot as successful within commitChanges, increasing the
available roll back window significantly.

Test: When taking an update on a checkpoint enabled device, it
      marks the slot as successful just before committing the
      checkpoint. Visible in logs as call to vdc commitChanges,
      followed by "Marked slot as booted succesfully."
Bug: 123260515
Change-Id: If71fcde57b3bdee2cfaabb590f123a2d00da3228
2019-02-05 16:56:55 -08:00
Daniel Rosenberg
253b44ea6d Use global default_fstab instead of re-reading
VoldUtils already has a pre-parsed fstab. Use it instead.

Test: Checkpoint functions continue to work
Change-Id: I96cbab467a7b809c92c4f6cdf7a06abca8c5aa5e
2019-02-01 19:41:46 -08:00
Tom Cherry
4c5bde2b92 Move over to the C++ Fstab class
Test: build and boot
Change-Id: Id3850c9c133f6644073a2439368501253a2a94a9
2019-01-31 12:34:39 -08:00
Treehugger Robot
aaac873faf Merge "Preserve options on remount in commitChanges" 2019-01-25 04:26:17 +00:00
Daniel Rosenberg
14ca4acd86 Preserve options on remount in commitChanges
Copy the existing mount options when remounting f2fs for checkpointing
mode.

Bug: 123376509
Test: Boot with checkpointing, and ensure entries match fstab
Change-Id: If022d9872a44657b550ab892259230805716dc77
2019-01-24 18:26:53 -08:00
Daniel Rosenberg
9b667fbe41 Add supportsCheckpoint
This returns true if any entries in the fstab have checkpoint=
set.

Test: Call vdc checkpoint supportsCheckpoint. Should return 1
      iff an fstab entry has checkpoint=fs or checkpoint=block set
Bug: 111020314

Change-Id: Ic79bc96ded4da6605f73992dcff542e7cb50d705
2019-01-22 17:58:03 -08:00
Paul Lawrence
27691c2883 Checkpoints: Support validation and roll forward on fail
Test: Rolls backward, and if you hexedit a BOW page, rolls forward
Change-Id: If99a6c3a3bc3f615bd1445f5af14ea490a58e053
2019-01-16 14:14:48 -08:00
Greg Kaiser
8859c9c9e7 Checkpoint: Assure proper buffer alignment
We have a char buffer on the stack, which we then cast to a
struct, and then proceed to access elements in the struct.
This is not safe across all platforms, as some platforms
may require a certain alignment for members of the struct.
We fix this by assuring an appropriate alignment for our
char buffer.

We also use C++ casting, and rename our buffer to differenciate
it from the other 'buffer' variable in this function.

Test: TreeHugger
Change-Id: I8254cb6b8124e394bd805afd1ccca0faedb27ffa
2018-12-20 10:38:31 -08:00
Daniel Rosenberg
ffa1bb0370 Add property for checkpointing
We set a property when we commit a chackpoint to signal
to anyone who wants to do post commit cleanup.

Test: Boot to homescreen and check getprop for vold.checkpoint_committed
Bug: 111020314
Change-Id: Idf35e3abf9d24eb40c6926a30a8403064c05e10a
2018-12-14 14:55:16 -08:00
Daniel Rosenberg
4b86df1426 Fix error reporting in cp_commitChanges
Only trys to commit if necessary, and reports errors
if commiting fails. RemoveFileIfExists returns true on
success.

Test: vdc checkpoint startCheckpoint, reboot, and then
      vdc checkpoint commitChanges
Bug: 111020314

Change-Id: Ie1b3e49beb3ca04f2881fcc595882c607368b477
2018-11-19 23:47:03 +00:00
Daniel Rosenberg
73680ec382 Switch to exceptions for most cp calls
This switches the checkpoint calls that don't need to return a value
to return 0 on success, and an error on failure. This will be transalted
to exceptions for java binder users. needsCheckpoint and needsRollback
still return a boolean value.

Test: vdc setCheckpoint 2 then reboot 3 times checking state
Bug: 112901762
Change-Id: Idd3b5e6036631562a86d5123f533b86cf3bd6032
Merged-In: Idd3b5e6036631562a86d5123f533b86cf3bd6032
2018-10-16 20:06:47 +00:00
Daniel Rosenberg
80d1ca5600 Handle retry count
Test: vdc setCheckpoint 2 then reboot 3 times checking state
Bug: 112901762
Change-Id: I85a71d059bca27b76175b9bd8465cc453f0ddb8d
2018-10-15 22:13:41 +00:00
Daniel Rosenberg
ba1752008d Merge "Add checkpointing support for A/B updates" 2018-10-05 01:31:18 +00:00
Daniel Rosenberg
d399249855 Add checkpointing support for A/B updates
This adds implicit rollback support during A/B style updates.
If you explicitly start a checkpoint with -1, needsRollback will
trigger if the update fails, and should be used if any additional
cleanup is needed that is not covered by A/B itself.

Test: All Checkpoint tests pass
Bug: 111020314
Change-Id: I88b4a1098c6bac4dc1438a54c8a8f59577a6c17b
2018-10-03 15:39:25 -07:00
Paul Lawrence
2040089ab0 Use unique points for fstab
Test: Checkpoint test script runs and passes
Change-Id: I13005da22aef5fda3d1e0941949db02ff0ff0870
2018-10-03 14:19:31 -07:00
Paul Lawrence
1abb2fe278 Make checkpointing work on ext4
Test: All tests pass
Change-Id: I2a6cdf1edfe752f4633e1931e75d18659653938c
2018-10-03 09:15:27 -07:00