summaryrefslogtreecommitdiffstats
path: root/install/install.cpp (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Remove support for converting from FDE to FBEEric Biggers2022-03-101-1/+1
| | | | | | | | | | | | | | | | Devices that launched with Android 10 or later require FBE (File Based Encryption) from the beginning, so there's no need to support converting to FBE after the fact anymore. This was only ever a developer option, so it probably wasn't used much. And in any case, it's not used anymore, as isConvertibleToFBE() is hard-coded to return false. Besides the fact that FBE has been required for several releases now, this functionality was only ever available on devices that use FDE (Full Disk Encryption), but FDE support has been removed from Android. Therefore, remove this unused code. Bug: 208476087 Change-Id: I1f56c8e05fb3fba09aab4bf5f8609b0f552b8999
* Perform data wipe in recovery if ota package has powerwash setKelvin Zhang2022-02-151-13/+38
| | | | | | | | | | | | | | | Normally, if an ota package has --wipe_user_data flag, we set bootloader parameter --wipe_data, so that next boot into bootloader will wipe userdata. But this doesn't work in recovery, likely because after recovery we don't reboot to bootloader, but directly boot into android. Therefore perform data reset in recovery if the OTA package has POWERWASH flag. Bug: 203507329 Test: apply an OTA pkg with --wipe_user_data, verify that data wipe happened Change-Id: Icca4a5f74246bde44a5fd589395404c9f57867ee
* Move package verifier from libinstall to libotautilJacky Liu2021-12-221-2/+2
| | | | | | | | So it can be used by device-specific codes. Bug: 184693830 Test: m; atest recovery_unit_test Change-Id: I5885334c1bd04214c9cc295f2337306261a1735c
* Check SPL downgrade before install OTA in recoveryKelvin Zhang2021-05-171-0/+7
| | | | | | | | | | | | | | | | | | Applying an SPL downgrade package can cause boot failures (/data failed to decrypt). Today's ota_from_target_files tool already try to prevent this. But Packages generated using older tools are still around. Add check in recovery to prevent such OTA package from installing. Test: th Test: Sideload an OTA with newer SPL, make sure check passes Test; Sideload an OTA with older SPL, make sure check fails Bug: 186581246 Change-Id: Icffe8097521c511e151af023a443ccbb4b59e22c
* Check for overflow before allocating memory fore decompression.Kelvin Zhang2020-09-181-1/+7
| | | | | | | | On 32bit devices, an ZipEntry64 may have size > 2^32, we should check for such cases before attempting to allocate memory. Test: mm -j Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
* Switch to zip64 in recoveryKelvin Zhang2020-09-161-4/+4
| | | | | | | | | There's already library support for zip64 in libziparchive. We just need to start using the new APIs. Bug: 167951876 Test: Sideload a large ota package in recovery Change-Id: I652741965f28de079d873c6822317ee9fa855201
* Add recovery support of dynamic fingerprintsKelvin Zhang2020-06-291-3/+23
| | | | | | | | | | | | After http://go/aog/1306461, the metadata in the OTA package can have multiple fingerprints or device names e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro This CL updates recovery code to recognize them Test: Added unit tests for this Bug: 159850736 Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
* Detect non-A/B vs. A/B packages correctly. am: f2af5629d2Yifan Hong2020-05-201-8/+19
|\ | | | | | | Change-Id: I7e5e67f90fbc49fbc99e1e251c06ceaa93f6c2d9
| * Detect non-A/B vs. A/B packages correctly.Yifan Hong2020-05-201-8/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Check the package metadata to determine whether this is an A/B or non-A/B update package. This is more accurate. Also checks ro.virtual_ab.allow_non_ab flag. This is useful for continuously supporting (and testing) non-A/B. Bug: 153581609 Test: apply non-A/B update on cuttlefish Change-Id: I629a533a67966d46d9cd87a59c6b9af26daf1667 (cherry picked from commit 2a4afd29a15522ccf3d8ca902214e68445bcac81) Merged-In: I629a533a67966d46d9cd87a59c6b9af26daf1667
* | Force off-device package installation with FUSETianjie Xu2020-02-131-0/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The non-A/B package installation is subject to TOC/TOU flaw if the attacker can switch the package in the middle of installation. And the most pratical case is to store the package on an external device, e.g. a sdcard, and swap the device in the middle. To prevent that, we can adopt the same protection as used in sideloading a package with FUSE. Specifically, when we install the package with FUSE, we read the entire package to cryptographically verify its signature. The hash for each transfer block is recorded in the memory (TOC), and the subsequent reads (TOU) will be rejected upon dectecting a mismatch. This CL forces the package installation with FUSE when the package stays on a removable media. Bug: 136498130 Test: Run bin/recovery --update_package with various paths; and packages are installed from FUSE as expected Test: recovery_unit_test - no new failures Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5 Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
* | Revert "Force package installation with FUSE unless the package stores on device"Raman Tenneti2020-02-131-47/+0
| | | | | | | | | | | | | | | | | | | | This reverts commit 5e6c4e9a91674826bf11cab604250b41a9326fd8. Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error. Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420 Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031 Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
* | Force package installation with FUSE unless the package stores on deviceTianjie Xu2020-01-221-0/+47
|/ | | | | | | | | | | | | | | | | | | | | | | | The non-A/B package installation is subject to TOC/TOU flaw if the attacker can switch the package in the middle of installation. And the most pratical case is to store the package on an external device, e.g. a sdcard, and swap the device in the middle. To prevent that, we can adopt the same protection as used in sideloading a package with FUSE. Specifically, when we install the package with FUSE, we read the entire package to cryptographically verify its signature. The hash for each transfer block is recorded in the memory (TOC), and the subsequent reads (TOU) will be rejected upon dectecting a mismatch. This CL forces the package installation with FUSE when the package stays on a removable media. Bug: 136498130 Test: Run bin/recovery --update_package with various paths; and packages are installed from FUSE as expected Test: recovery_component_test - all passing Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
* Delete VINTF compatibility check during OTA.Yifan Hong2019-12-181-81/+0
| | | | | | Test: sideload OTA Bug: 139300422 Change-Id: I3369b69242ccd7a64540a0c2d754a5d6fc50d072
* otautil: Factor out the utils that're private to recovery.Tao Bao2019-10-021-2/+2
| | | | | | | | | | | A number of utility functions are intended for serving recovery's own use. Exposing them via libotautil (which is a static lib) would pass the dependencies onto libotautil's users (e.g. recovery image, updater, host simulator, device-specific recovery UI/updater extensions etc). This CL finds a new home for the utils that are private to recovery. Test: mmma bootable/recovery Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
* Clean up some global variables in common.hTianjie Xu2019-07-241-1/+4
| | | | | | | | | | | | | | Some global variables are only used for recovery.cpp and recovery_main.cpp, remove them from common.h and handle their usage accordingly. Variables include: static constexpr int kRecoveryApiVersion; extern struct selabel_handle* sehandle; extern RecoveryUI* ui; extern bool has_cache; bool is_ro_debuggable(); Test: unit tests pass, boot into recovery mode and run graphic tests Change-Id: If83a005786c9b38412731da97aaf85af69a3b917
* Merge "InstallPackage now takes a package as parameter"Tianjie Xu2019-06-141-43/+32
|\
| * InstallPackage now takes a package as parameterTianjie Xu2019-06-131-43/+32
| | | | | | | | | | | | | | | | | | Therefore InstallPackage() doesn't need to worry about the details of a given Package. Bug: 127071893 Test: run update from /bin/recovery --update_package=@path, sideload a package Change-Id: I0caa36785b43924f884ee398e7ea640d7472a92e
* | Use the new ziparchive Next std::string_view overload.Elliott Hughes2019-06-121-1/+1
|/ | | | | | Bug: http://b/129068177 Test: treehugger Change-Id: Ieec83126e36b330da33092a172e365376cd04dfe
* Move off the Next ZipString overload.Elliott Hughes2019-05-231-2/+2
| | | | | | Bug: http://b/129068177 Test: treehugger Change-Id: I3c8f70b0d8cc5dc6b3b4439dbe0b9a5bd85003c4
* Track libziparchive API change.Elliott Hughes2019-05-091-1/+1
| | | | | | Bug: http://b/129068177 Test: treehugger Change-Id: I618bbcf38914dd81e042e0cfd1976ff26274dc30
* Track libziparchive API change.Elliott Hughes2019-05-061-10/+5
| | | | | | Bug: http://b/129068177 Test: treehugger Change-Id: Ie5b2b0cff087f2e9e65a4e77c187e3173357f3ad
* install: Install functions return InstallResult.Tao Bao2019-04-301-13/+14
| | | | | | Test: `atest recovery_unit_test recovery_component_test` Test: Sideload a package on taimen. Change-Id: I2d42f55a89931ee495ea5c5d9e6b5ee1058e8e52
* install: Return bool for a few check functions.Tao Bao2019-04-301-33/+31
| | | | | | | | | | | | | | | The results from these functions have boolean semantics. They're returning `int` prior to this CL, with some of them mixing 0 and InstallResult. Note that SetUpNonAbUpdateCommands() was returning INSTALL_CORRUPT / INSTALL_ERROR / 0 prior to this change, but all the callers handle INSTALL_CORRUPT and INSTALL_ERROR the same way. This CL changes them to return bool instead. Test: `mmma -j bootable/recovery` Test: TreeHugger Test: Sideload on taimen. Change-Id: Ic1b5dbf79aaca68b53ab8ea2c8ba3d19f988c571
* Move wipe cache|data to libinstallxunchang2019-04-151-5/+13
| | | | | | | | | | | | | | | Therefore, libinstall becomes the sole owner to handle the request from minadbd service. The change also includes 1. move logging.cpp out of librecovery 2. drop the dependency on common.h 3. now it's more sensible to move the wipe_cache as part of install_package. move the wipe_cache to the end of the function. Bug: 130166585 Test: wipe data and cache from menu Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
* Move install to separate modulexunchang2019-03-291-0/+730
Build libinstall as a shared library. Also drop the dependency on the global variables in common.h. Test: unit tests pass, sideload an OTA Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0