Commit graph

2376 commits

Author SHA1 Message Date
Paul Lawrence
c5c79c5679 Add vdc checkpoint supportsBlockCheckpoint
Also add vdc checkpoint supportsFileCheckpoint
This is to allow tests to be specific to the supported checkpoint mode.

Test: Built on Taimen and Crosshatch, made sure both new functions work
as expected

Change-Id: I0eab7453b13c0a2e31840ef9ad24a692cec55b00
2019-03-18 13:40:00 -07:00
Chris Fries
7573874d3f Merge "Fsync directories before delete key" 2019-03-14 15:19:20 +00:00
Woody Lin
37c82f5c0f Fsync directories before delete key
The boot failure symptom is reproduced on Walleye devices. The system boots
up after taking an OTA and tries to upgrade the key, but keymaster returns "failed
to ugprade key". The device reboots to recovery mode because of the failure,
and is finally trapped in the bootloader screen. A possible scenario is:

(After taking OTA)
vold sends old key and op=UPGRADE to keymaster
keymaster creates and saves the new key to RPMB, responds with the new key to vold
vold saves new key as temp key
vold renames temp key to main key -------------- (1) -- still in cache
vold sends old key and op=DELETE_KEY to keymaster
keymaster removes old key from RPMB ------------ (2) -- write directly to RPMB
==> SYSTEM INTERRUPTED BY CRASH OR SOMETHING; ALL CACHE LOST.
==> System boots up, key in RPMB is deleted but key in storage is old key.

Solution: An fsync is required between (1) and (2) to cover this case.

Detailed analysis: b/124279741#comment21

Bug: 112145641
Bug: 124279741
Test: Insert fault right after deleteKey in vold::begin (KeyStorage.cpp),
      original boot failure symptom is NOT reproducible.
Change-Id: Ib8c349d6d033f86b247f4b35b8354d97cf249d26
2019-03-14 16:48:32 +08:00
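The ordering the commit above describes, written out as an added example (this is not vold's code): the new key is written to a temp file, fsynced, renamed over the old one, and then the containing directory is fsynced before the irreversible delete of the old key is requested. The function names, the `dir/key` path layout and the `delete_old_key` callback standing in for the keymaster call are assumptions made for the demo.

```cpp
// Added example, not vold's code: durable key replacement with the
// directory fsync the commit adds between rename (1) and delete (2).
// Paths, function names and the keymaster stand-in are assumptions.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <string>

// Write `data` to `path` and fsync the file itself. False on any error.
static bool WriteAndSync(const std::string& path, const std::string& data) {
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (fd < 0) return false;
    size_t off = 0;
    while (off < data.size()) {
        ssize_t n = write(fd, data.data() + off, data.size() - off);
        if (n < 0) {
            if (errno == EINTR) continue;
            close(fd);
            return false;
        }
        off += static_cast<size_t>(n);
    }
    bool ok = (fsync(fd) == 0);
    close(fd);
    return ok;
}

// fsync the directory: a rename() is only durable once the directory
// entry recording it has reached the disk, not while it sits in cache.
static bool FsyncDir(const std::string& dir) {
    int fd = open(dir.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return false;
    bool ok = (fsync(fd) == 0);
    close(fd);
    return ok;
}

// Install `new_key` as dir/key durably: temp file, fsync, rename, fsync dir.
static bool DurablyReplaceKey(const std::string& dir, const std::string& new_key) {
    const std::string tmp = dir + "/key.tmp";
    const std::string dst = dir + "/key";
    if (!WriteAndSync(tmp, new_key)) return false;
    if (rename(tmp.c_str(), dst.c_str()) != 0) return false;  // (1) in the commit
    return FsyncDir(dir);                                      // the added fsync
}

// Upgrade flow: the old key is deleted from the (stand-in) keymaster only
// once the new key is known to be durable, so a crash at any point leaves
// either the old key everywhere or the new key everywhere.
static bool UpgradeKey(const std::string& dir, const std::string& new_key,
                       const std::function<bool()>& delete_old_key) {
    if (!DurablyReplaceKey(dir, new_key)) return false;
    return delete_old_key();                                   // (2) in the commit
}

// Read dir/key back, used to check the result of an upgrade.
static std::string ReadKey(const std::string& dir) {
    std::string out;
    FILE* f = fopen((dir + "/key").c_str(), "rb");
    if (!f) return out;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) out.append(buf, n);
    fclose(f);
    return out;
}
```

The failure path matters as much as the success path: if any step before the directory fsync fails, `UpgradeKey` returns false without ever invoking the delete, which is exactly the window the crash in the commit's scenario fell into.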
Treehugger Robot
027fe9217c Merge "DO NOT MERGE - Skip PPRL.190305.001 into master" 2019-03-11 23:16:31 +00:00
The Android Open Source Project
37c6ce4fb0 DO NOT MERGE - Skip PPRL.190305.001 into master
Bug: 127812889
Change-Id: I5bff7948e2fc254d0595329bd7a7262586de0c32
2019-03-11 14:57:55 -07:00
Treehugger Robot
ee9554b2d9 Merge "Don't unmount /storage for early native processes" 2019-03-09 01:33:40 +00:00
Treehugger Robot
5f01cf3cac Merge changes I91cf0def,I47570e8e
* changes:
  Make Checkpoint restore resume safe
  Add vdc checkpoint restoreCheckpointPart
2019-03-07 23:56:21 +00:00
Daniel Rosenberg
5298593b1b Make Checkpoint restore resume safe
This allows us to resume rolling back in the event of an unexpected
shutdown during the restore process. We save progress after we process
each log sector, and whenever restarting the current log sector would
result in invalid data.

Test: Run restore, interrupt it, and attempt to resume
Change-Id: I91cf0defb0d22fc5afdb9debc2963c956e9e171c
2019-03-07 13:58:49 -08:00
Daniel Rosenberg
dda598103d Add vdc checkpoint restoreCheckpointPart
Restores the first n entries of a checkpoint. Allows automated testing
of interrupted restores.

Test: vdc checkpoint restoreCheckpoint [device] [n]
Change-Id: I47570e8eba0bc3c6549a04a33600df05d393990b
2019-03-07 13:58:49 -08:00
Daniel Rosenberg
bc1901f8af Merge "Switch Checkpoint Restore code to c style File ops" 2019-03-07 06:10:58 +00:00
Daniel Rosenberg
8271ae986e Switch Checkpoint Restore code to c style File ops
In preparation for restore code, we need to guarantee fsync happens.
Switch over to fd based operations to prepare for that.

Test: Successfully restores device over reboots
Change-Id: Ic9901779e8a4258bf8090d6a62fa9829e343fd39
2019-03-06 22:05:09 -08:00
Jiyong Park
8d21c924d7 Don't unmount /storage for early native processes
Motivation:

Early processes launched before the runtime APEX - that hosts the bionic
libs - is activated can't use the bionic libs from the APEX, but from the
system partition (which we call the bootstrap bionic). Other processes
after the APEX activation should use the bionic libs from the APEX.
In order to let both types of processes access the bionic libs via
the same standard paths /system/lib/{libc|libdl|libm}.so, some mount
namespace magic is used.

To be specific, when the device boots, the init initially bind-mounts
the bootstrap bionic libs to the standard paths with MS_PRIVATE. Early
processes are then executed with their own mount namespaces (via
unshare(CLONE_NEWNS)). After the runtime APEX is activated, init
bind-mounts the bionic libs in the APEX to the same standard paths.
Processes launched thereafter use the bionic libs from the APEX (which
can be updated).

The important thing is that, since the propagation type of the mount points
(the standard paths) is 'private', the new bind-mount events for the
updated bionic libs should not affect the early processes. Otherwise,
they would experience a sudden change of bionic libs at runtime. However,
other mount/unmount events outside of the private mount points are
still shared across early/late processes as before. This is made possible
because the propagation type of / is 'shared'.

Problem:

vold uses the equality of the mount namespace to filter-out processes
that share the global mount namespace (the namespace of the init). However,
due to the aforementioned change, the early processes are not filtered
out because they have different mount namespaces. As a result,
umount2("/storage/") is executed on them and this unmount event
becomes visible to the global mount namespace (because as mentioned before /
is 'shared').

Solution:

Filter out the early processes by skipping a native (non-Java) process
whose UID is < AID_APP. The former condition is because all early
processes are native ones; i.e., zygote is started after the runtime
APEX is activated. The latter condition is to not filter-out native
processes created locally by apps.

Bug: 120266448
Test: m; device boots

Change-Id: I054deedc4af8421854cf35be84e14995523a259a
2019-03-04 16:22:41 +09:00
Paul Lawrence
decda14f02 Merge "Make restore validation fast by using a map" 2019-03-01 21:19:27 +00:00
Paul Lawrence
d41a939d51 Make restore validation fast by using a map
Test: Successfully restores device over reboots
Change-Id: I4f1c5bbe6c07697a925a1a4efb92aefd15b61332
2019-02-28 09:49:54 -08:00
Treehugger Robot
2268c285a5 Merge "Do not trim unless we are actually checkpointing" 2019-02-20 12:09:31 +00:00
Paul Lawrence
db08694bb1 Do not trim unless we are actually checkpointing
I'm not convinced this explains the full regression, but it's a
worthwhile fix anyway.

Bug: 124774357
Test: Booted in checkpoint mode and non checkpoint mode

Change-Id: I6e0e1e59e27bd127feac218fff7d88bb3570b530
2019-02-19 14:41:53 -08:00
David Anderson
99046b75c4 Merge "Enable metadata encryption for userdata_gsi." 2019-02-14 20:27:05 +00:00
David Anderson
0d71c4b5f7 Enable metadata encryption for userdata_gsi.
When running a live GSI, userdata is a logical partition. If we don't
fix up the fstab we'll derive the underlying block device instead of
the device-mapper node for userdata_gsi, resulting in a corrupt data
partition for both images.

Bug: 123906417
Test: manual test
Change-Id: Ic0101f30504de26e725442da2da3888008c31b63
2019-02-14 08:29:26 -08:00
android-build-team Robot
c03435f532 Snap for 5180536 from 2ab3b948d7 to pi-platform-release
Change-Id: Idc5557adef8d2cbc60a594ab3ea1aa3669140926
2019-02-09 02:36:27 +00:00
Treehugger Robot
96336c716b Merge "Support header versioning in dm-bow" 2019-02-08 21:55:29 +00:00
Treehugger Robot
73c0028901 Merge "Support variable blocksizes in dm-bow restore" 2019-02-08 21:16:58 +00:00
Paul Lawrence
f507768981 Support header versioning in dm-bow
Test: Make sure still boots, restores
Change-Id: I903f58cb22472dbbbbb4c27ed1d88ed1f7c7dc5d
2019-02-08 08:43:40 -08:00
Paul Lawrence
4f13a90a58 Support variable blocksizes in dm-bow restore
Test: Test that restore still works
Change-Id: I7259e3efd1cd0ee13c74336a7e53158b6bceed57
2019-02-08 08:43:40 -08:00
Daniel Rosenberg
d6bbe746d7 Merge "Mark A/B Boot success before committing checkpoint" 2019-02-08 01:40:54 +00:00
Treehugger Robot
0fbc5af676 Merge "Fix search for values in blkId output" 2019-02-06 03:19:32 +00:00
Paul Crowley
95abfa0cfd Fix search for values in blkId output
Bug: 122497152
Test: atest tests/Utils_test.cpp
Test: adb shell sm partition disk:7,32 private ; adb logcat -d
Change-Id: Ic7d32bdbc0c55ce1d21f7f9e74c6a6fb3dcf332a
2019-02-05 16:57:40 -08:00
Daniel Rosenberg
886915bb6f Mark A/B Boot success before committing checkpoint
This marks the slot as successful within commitChanges, increasing the
available roll back window significantly.

Test: When taking an update on a checkpoint enabled device, it
      marks the slot as successful just before committing the
      checkpoint. Visible in logs as call to vdc commitChanges,
      followed by "Marked slot as booted succesfully."
Bug: 123260515
Change-Id: If71fcde57b3bdee2cfaabb590f123a2d00da3228
2019-02-05 16:56:55 -08:00
Daniel Rosenberg
64f5e5bb38 Merge "Use global default_fstab instead of re-reading" 2019-02-04 23:14:51 +00:00
Daniel Rosenberg
253b44ea6d Use global default_fstab instead of re-reading
VoldUtils already has a pre-parsed fstab. Use it instead.

Test: Checkpoint functions continue to work
Change-Id: I96cbab467a7b809c92c4f6cdf7a06abca8c5aa5e
2019-02-01 19:41:46 -08:00
Tom Cherry
b6d5cd20d7 Merge "Move over to the C++ Fstab class" 2019-02-01 01:02:50 +00:00
Tom Cherry
4c5bde2b92 Move over to the C++ Fstab class
Test: build and boot
Change-Id: Id3850c9c133f6644073a2439368501253a2a94a9
2019-01-31 12:34:39 -08:00
Treehugger Robot
eb00112e09 Merge "Remove secontext.h, secontext.cpp, hash.h" 2019-01-30 16:29:26 +00:00
LongPing Wei
7f3ab95b8d Remove secontext.h, secontext.cpp, hash.h
cryptfs.cpp and MetadataCrypt.cpp can use android::vold::sFsckContext directly.
hash.h is unuseful.

Test: make
Change-Id: I7acdac97d6ed1c9b2a5dc367fcea8aa2942192e8
2019-01-30 16:28:02 +08:00
Eric Biggers
f028d279ae Merge "cryptfs: improve logging of dm-crypt device creation" 2019-01-29 20:58:29 +00:00
Eric Biggers
e7205eaa44 Merge "cryptfs: round down dm-crypt device size to crypto sector boundary" 2019-01-29 18:30:55 +00:00
Eric Biggers
e1a7e77269 cryptfs: improve logging of dm-crypt device creation
Log the main configuration of the dm-crypt device -- the name, the
cipher, the keysize, the real device, and the length -- in addition to
the extra parameters which we were already logging.

(We can't simply log the actual string passed to the kernel, of course,
 because that includes the key.  So we choose the fields individually.)

Test: booted device configured to use FDE and checked the log message
Change-Id: Ia95de807c4fad68d93b7e7e73508a01e5139dc76
2019-01-25 13:42:07 -08:00
Eric Biggers
ed45ec3ae8 cryptfs: round down dm-crypt device size to crypto sector boundary
This is needed to make adoptable storage volumes work with a 4K crypto
sector size when the block device size is not a multiple of 4K.

It is fine to do this because the filesystem ends on a 4K boundary
anyway and doesn't use any partial block at the end.

Bug: 123375298
Test: booted device configured to use FDE with sector size 4k, ran
      'sm set-virtual-disk true' and formatted the virtual SD card as
      adoptable storage.  Then did the same but with a temporary patch
      that changed kSizeVirtualDisk to be misaligned
Change-Id: I95ee6d7dcaaa8989c674aea9988c09116e830b0c
2019-01-25 13:42:02 -08:00
Treehugger Robot
aaac873faf Merge "Preserve options on remount in commitChanges" 2019-01-25 04:26:17 +00:00
Daniel Rosenberg
14ca4acd86 Preserve options on remount in commitChanges
Copy the existing mount options when remounting f2fs for checkpointing
mode.

Bug: 123376509
Test: Boot with checkpointing, and ensure entries match fstab
Change-Id: If022d9872a44657b550ab892259230805716dc77
2019-01-24 18:26:53 -08:00
Treehugger Robot
9b2b8fd459 Merge "Add supportsCheckpoint" 2019-01-24 06:14:44 +00:00
Daniel Rosenberg
9b667fbe41 Add supportsCheckpoint
This returns true if any entries in the fstab have checkpoint=
set.

Test: Call vdc checkpoint supportsCheckpoint. Should return 1
      iff an fstab entry has checkpoint=fs or checkpoint=block set
Bug: 111020314

Change-Id: Ic79bc96ded4da6605f73992dcff542e7cb50d705
2019-01-22 17:58:03 -08:00
Eric Biggers
f156c40404 Merge "cryptfs: check for errors in create_encrypted_random_key()" 2019-01-22 18:18:18 +00:00
Eric Biggers
a2bd436594 Merge "Utils: correctly handle read() errors in ReadRandomBytes()" 2019-01-22 18:14:49 +00:00
Sudheer Shanka
b9fae464fc Merge "Create new mount directory /mnt/runtime/full." 2019-01-19 00:24:23 +00:00
Sudheer Shanka
dd4bb17343 Create new mount directory /mnt/runtime/full.
This will be used for system internals to access
secondary volumes without having to bypass sdcardfs.

Bug: 121277410
Test: manual
Exempt-From-Owner-Approval: Got approval on internal master
Change-Id: I9b3e33f6c6e426e83469b8030b02d59c02183946
2019-01-18 23:48:45 +00:00
Eric Biggers
3a2f7db477 cryptfs: check for errors in create_encrypted_random_key()
When generating the key and salt we weren't checking for an error
opening or reading from /dev/urandom.  Switch to the helper function
ReadRandomBytes() and start checking for errors.

Test: Booted device with FDE.  As an extra sanity check I also
      temporarily added log messages that dump the key and salt,
      and I verified they still appear random.
Change-Id: I01ccee4f1f9910bf9508c8f02a918157393b0e68
2019-01-18 13:26:08 -08:00
Eric Biggers
0ef7bfd59c Utils: correctly handle read() errors in ReadRandomBytes()
read() returns -1 on error, so we need to use a signed type.

Test: Booted device with FDE
Change-Id: Ib44247c1cdfd38674a7439209e333823f2fb6cf8
2019-01-18 13:24:30 -08:00
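The two commits above (the signed-type fix in `ReadRandomBytes()` and the switch in `create_encrypted_random_key()` to error-checked reads) illustrated with added example code that is not vold's: the unsigned-length loop that silently treats a `read()` error as success sits next to the corrected loop, followed by a key/salt generation routine that reports open and read failures. The function names and the fixed-size key/salt lengths are assumptions; `/dev/urandom` is the real source the commits name.

```cpp
// Added example, not vold's code: read() sign bug beside the corrected loop,
// and error-checked key/salt generation. Names and lengths are assumptions.
#include <fcntl.h>
#include <unistd.h>
#include <cerrno>
#include <cstdint>
#include <vector>

// Buggy form: `n` is unsigned, so an error return of -1 becomes SIZE_MAX.
// `got += n` then wraps past `want`, the loop exits, and the caller is told
// the buffer holds random bytes when nothing was read at all.
static bool ReadRandomBytesUnsigned(int fd, uint8_t* buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        size_t n = read(fd, buf + got, want - got);  // -1 is invisible here
        if (n == 0) return false;                    // only EOF is caught
        got += n;
    }
    return true;
}

// Corrected form: ssize_t keeps the sign, so -1 is an error. EINTR is
// retried, EOF and other errors fail, and short reads are accumulated.
static bool ReadRandomBytesSigned(int fd, uint8_t* buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            return false;
        }
        if (n == 0) return false;  // /dev/urandom never EOFs; treat as failure
        got += static_cast<size_t>(n);
    }
    return true;
}

// Key and salt generation with every failure (open, read) reported to the
// caller instead of being ignored, as the create_encrypted_random_key()
// commit required. On failure both outputs are left empty.
static bool GenerateKeyAndSalt(size_t key_len, size_t salt_len,
                               std::vector<uint8_t>* key,
                               std::vector<uint8_t>* salt) {
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return false;
    key->assign(key_len, 0);
    salt->assign(salt_len, 0);
    bool ok = ReadRandomBytesSigned(fd, key->data(), key_len) &&
              ReadRandomBytesSigned(fd, salt->data(), salt_len);
    close(fd);
    if (!ok) {
        key->clear();
        salt->clear();
    }
    return ok;
}

// True if the buffer is entirely zero: the signature of "nothing was read".
static bool AllZero(const std::vector<uint8_t>& v) {
    for (uint8_t b : v) {
        if (b != 0) return false;
    }
    return true;
}
```

Passing an invalid descriptor to both loops shows the difference directly: the unsigned version returns true and leaves the buffer as it found it, which for a key means an all-zero key that no later check would catch; the signed version returns false and the caller can abort.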
Xin Li
9f7aa175a0 Merge "DO NOT MERGE - Skip pie-platform-release (PPRL.190105.001) in master" 2019-01-17 21:19:43 +00:00
Sudheer Shanka
2e9aafb620 Merge "Add UnmountTreeWithPrefix util method." 2019-01-17 18:04:27 +00:00
Annie Meng
625203444b Merge "Create subdirs in system_ce/ for multi-user backup" 2019-01-17 15:29:32 +00:00