| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Applying an SPL downgrade package can cause boot failures
(/data failed to decrypt). Today's ota_from_target_files
tool already try to prevent this. But Packages generated
using older tools are still around.
Add check in recovery to prevent such OTA package from
installing.
Test: th
Test: Sideload an OTA with newer SPL, make sure check passes
Test; Sideload an OTA with older SPL, make sure check fails
Bug: 186581246
Bug: 188575410
cherry-picked from aosp/1708986
cherry-picked from commit: 33c62fc4b81b93b29c7a94fba20ab56d7f5f6bd7
Change-Id: Icffe8097521c511e151af023a443ccbb4b59e22c
|
|
Applying an SPL downgrade package can cause boot failures
(/data failed to decrypt). Today's ota_from_target_files
tool already try to prevent this. But Packages generated
using older tools are still around.
Add check in recovery to prevent such OTA package from
installing.
Test: th
Test: Sideload an OTA with newer SPL, make sure check passes
Test; Sideload an OTA with older SPL, make sure check fails
Bug: 186581246
Change-Id: Icffe8097521c511e151af023a443ccbb4b59e22c
|
|
Right now the "Erasing" animation displays after the merge step
during the FDR process; and the merge can take 3-4 minutes. The
users maybe confused about the blank screen and forcefully
reboot the device.
Bug: 181636823
Test: add sleep merge, check the animation displays correctly.
Change-Id: Ib23b1ed3a84e95640271a429c51a3d3c142dc404
|
|
Added SPDX-license-identifier-Apache-2.0 to:
applypatch/Android.bp
bootloader_message/Android.bp
edify/Android.bp
fuse_sideload/Android.bp
install/Android.bp
minadbd/Android.bp
minui/Android.bp
otautil/Android.bp
recovery_ui/Android.bp
recovery_utils/Android.bp
tests/Android.bp
tools/image_generator/Android.bp
tools/recovery_l10n/Android.bp
uncrypt/Android.bp
update_verifier/Android.bp
updater/Android.bp
updater/Android.mk
updater_sample/Android.bp
updater_sample/tests/Android.bp
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-MIT
SPDX-license-identifier-OFL
to:
Android.bp
Android.mk
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: I3da761b525452838977297f773974000d4de7bd6
|
|
New() should be used instead of NewForFirstStageMount().
Bug: 168258606
Test: data wipe with VABC merge in progress
Change-Id: Idf2b01a504b577766da303091721764242e99a69
|
|
On 32bit devices, an ZipEntry64 may have size > 2^32, we should check
for such cases before attempting to allocate memory.
Test: mm -j
Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
|
|
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.
Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
|
|
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro
This CL updates recovery code to recognize them
Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
|
|
Check the package metadata to determine whether this is an
A/B or non-A/B update package. This is more accurate.
Also checks ro.virtual_ab.allow_non_ab flag. This is useful for
continuously supporting (and testing) non-A/B.
Bug: 153581609
Test: apply non-A/B update on cuttlefish
Change-Id: I629a533a67966d46d9cd87a59c6b9af26daf1667
(cherry picked from commit 2a4afd29a15522ccf3d8ca902214e68445bcac81)
Merged-In: I629a533a67966d46d9cd87a59c6b9af26daf1667
|
|
Check the package metadata to determine whether this is an
A/B or non-A/B update package. This is more accurate.
Also checks ro.virtual_ab.allow_non_ab flag. This is useful for
continuously supporting (and testing) non-A/B.
Bug: 153581609
Test: apply non-A/B update on cuttlefish
Change-Id: I629a533a67966d46d9cd87a59c6b9af26daf1667
|
|
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures
Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
|
|
This reverts commit 5e6c4e9a91674826bf11cab604250b41a9326fd8.
Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420
Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
|
|
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
|
|
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
|
|
Test: sideload OTA
Bug: 139300422
Change-Id: I3369b69242ccd7a64540a0c2d754a5d6fc50d072
|
|
Mounting /system in Virtual A/B devices may require the creation of the
associated snapshot devices.
This patch performs all the required initializations prior to attempting
the mount of /system.
Bug: 139157327
Test: manual /system partition mount on VAB device during OTA
Depends-on: I7337bdd38d7016d12d3ee42be1c7893b10e9116d
Change-Id: I71a9dfc57e1a1354f1f1edc5d287aca93c0c8924
Signed-off-by: Alessio Balsini <balsini@google.com>
|
|
After an OTA is applied, a wipe in recovery may overwrite components of
dynamic partitions living in userdata. If the OTA has not yet begun
merging, we mark the current slot unbootable. If the OTA has begun
merging, we wait for the merge to complete. This logic is encapsulated
in libsnapshot.
Bug: 139156011
Test: manual test
Change-Id: Id6544a1b8583afcbba11559d46214ec2e68ffa40
|
|
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
|
|
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.
Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
|
|
Test: mmma bootable/recovery
Change-Id: I503e942b23cc51024aa752c1eb3db5455a44a9d1
|
|
Since this was combined into libhidlbase.
Bug: 135686713
Test: build only (libhidltransport is empty)
Change-Id: I253e50726967044714275ab995fb8a8a57bcde36
|
|
Some global variables are only used for recovery.cpp and
recovery_main.cpp, remove them from common.h and handle their usage
accordingly. Variables include:
static constexpr int kRecoveryApiVersion;
extern struct selabel_handle* sehandle;
extern RecoveryUI* ui;
extern bool has_cache;
bool is_ro_debuggable();
Test: unit tests pass, boot into recovery mode and run graphic tests
Change-Id: If83a005786c9b38412731da97aaf85af69a3b917
|
|
We start minadbd and rescue services in two processes. In particular,
minadbd handles the requests from host, then communicates with rescue
service to do install/wipe works. When resuce service doesn't see any
request in a pre-defined timeout (currently 300s), rescue service will
exit to avoid endless waiting.
This CL changes minadbd to additionally send a no-op command to rescue
service as a heartbeat signal, so that host side can finish
time-consuming operations (e.g. downloading over network) while keeping
rescue service alive.
Bug: 136457446
Test: Enter resuce mode on blueline. Send `adb rescue getprop
ro.build.fingerprint` and check that rescue service doesn't exit.
Test: Stop sending the getprop command. Check that rescue service exits
after 300s.
Change-Id: Ib9d5ed710cfa94ecfe6cf393a71a0b67b2539531
Merged-In: Ib9d5ed710cfa94ecfe6cf393a71a0b67b2539531
(cherry picked from commit 2223e6a9f8bf24b023e8ae3103b50c37def3147e)
(cherry picked from commit 0bbb2ed53eb4dc4ae8d447062482f9eda5ef9a91)
(cherry picked from commit dd0158ac6016f2853d1af336e345980e06144abd)
|
|
We start minadbd and rescue services in two processes. In particular,
minadbd handles the requests from host, then communicates with rescue
service to do install/wipe works. When resuce service doesn't see any
request in a pre-defined timeout (currently 300s), rescue service will
exit to avoid endless waiting.
This CL changes minadbd to additionally send a no-op command to rescue
service as a heartbeat signal, so that host side can finish
time-consuming operations (e.g. downloading over network) while keeping
rescue service alive.
Bug: 136457446
Test: Enter resuce mode on blueline. Send `adb rescue getprop
ro.build.fingerprint` and check that rescue service doesn't exit.
Test: Stop sending the getprop command. Check that rescue service exits
after 300s.
Change-Id: Ib9d5ed710cfa94ecfe6cf393a71a0b67b2539531
Merged-In: Ib9d5ed710cfa94ecfe6cf393a71a0b67b2539531
(cherry picked from commit 2223e6a9f8bf24b023e8ae3103b50c37def3147e)
(cherry picked from commit 0bbb2ed53eb4dc4ae8d447062482f9eda5ef9a91)
|
|
We start minadbd and rescue services in two processes. In particular,
minadbd handles the requests from host, then communicates with rescue
service to do install/wipe works. When resuce service doesn't see any
request in a pre-defined timeout (currently 300s), rescue service will
exit to avoid endless waiting.
This CL changes minadbd to additionally send a no-op command to rescue
service as a heartbeat signal, so that host side can finish
time-consuming operations (e.g. downloading over network) while keeping
rescue service alive.
Bug: 136457446
Test: Enter resuce mode on blueline. Send `adb rescue getprop
ro.build.fingerprint` and check that rescue service doesn't exit.
Test: Stop sending the getprop command. Check that rescue service exits
after 300s.
Change-Id: Ib9d5ed710cfa94ecfe6cf393a71a0b67b2539531
Merged-In: Ib9d5ed710cfa94ecfe6cf393a71a0b67b2539531
(cherry picked from commit 2223e6a9f8bf24b023e8ae3103b50c37def3147e)
|
|
We may fail to memory map the package on 32 bit builds for packages with
2GiB+ size. This cl tries to install the package with fuse when memory map
fails in such cases.
Bug: 127071893
Test: build 32 bit version sailfish, push package and block.map, reboot into recovery with
the corresponding update_package argument.
Change-Id: I5dae4f3e27ccaf8d64ff3657d36f0e75db2330b0
|
|
We start minadbd and rescue services in two processes. In particular,
minadbd handles the requests from host, then communicates with rescue
service to do install/wipe works. When resuce service doesn't see any
request in a pre-defined timeout (currently 300s), rescue service will
exit to avoid endless waiting.
This CL changes minadbd to additionally send a no-op command to rescue
service as a heartbeat signal, so that host side can finish
time-consuming operations (e.g. downloading over network) while keeping
rescue service alive.
Bug: 136457446
Test: Enter resuce mode on blueline. Send `adb rescue getprop
ro.build.fingerprint` and check that rescue service doesn't exit.
Test: Stop sending the getprop command. Check that rescue service exits
after 300s.
Change-Id: Ib9d5ed710cfa94ecfe6cf393a71a0b67b2539531
|
|
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.
This is part of the effort to install larger than 2GiB packages on ILP32
devices.
Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.
Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
|
|
Therefore InstallPackage() doesn't need to worry about the details of a
given Package.
Bug: 127071893
Test: run update from /bin/recovery --update_package=@path, sideload a package
Change-Id: I0caa36785b43924f884ee398e7ea640d7472a92e
|
|
Bug: http://b/129068177
Test: treehugger
Change-Id: Ieec83126e36b330da33092a172e365376cd04dfe
|
|
Bug: http://b/129068177
Test: treehugger
Change-Id: I3c8f70b0d8cc5dc6b3b4439dbe0b9a5bd85003c4
|
|
Bug: http://b/129068177
Test: treehugger
Change-Id: I618bbcf38914dd81e042e0cfd1976ff26274dc30
|
|
Bug: http://b/129068177
Test: treehugger
Change-Id: Ie5b2b0cff087f2e9e65a4e77c187e3173357f3ad
|
|
Test: `atest recovery_unit_test recovery_component_test`
Test: Sideload a package on taimen.
Change-Id: I2d42f55a89931ee495ea5c5d9e6b5ee1058e8e52
|
|
The results from these functions have boolean semantics. They're
returning `int` prior to this CL, with some of them mixing 0 and
InstallResult. Note that SetUpNonAbUpdateCommands() was returning
INSTALL_CORRUPT / INSTALL_ERROR / 0 prior to this change, but all the
callers handle INSTALL_CORRUPT and INSTALL_ERROR the same way.
This CL changes them to return bool instead.
Test: `mmma -j bootable/recovery`
Test: TreeHugger
Test: Sideload on taimen.
Change-Id: Ic1b5dbf79aaca68b53ab8ea2c8ba3d19f988c571
|
|
Bug: 131037235
Test: unit tests pass, run `adb rescue wipe`
Change-Id: I22668f2c98fe2d9195d2561f961c28a7c08e712c
(cherry picked from commit fedeef6f6d1f7b8f1e5a8b9e77f8dc21ef6b3c95)
|
|
bootloader will set `boot-rescue` in BCB command field to indicate
booting into rescue mode. This CL adds the matching parsing code.
This CL changes the on-screen UI to display the default image while
waiting for each sideload / rescue command.
It also changes the minadbd reboot handlers to use REBOOT_ instead of
the previous ENTER_ actions. This ensures a reboot going through
bootloader, which may load a newly installed bootloader/recovery.
Bug: 128505466
Bug: 128415917
Test: Boot into rescue mode. Run `adb rescue getprop` and `adb rescue
install`. Check the UI. Then run `adb reboot rescue`.
Change-Id: I5b7de9dfd898ed8e14bea0d4ad7385a9bae26e94
Merged-In: I5b7de9dfd898ed8e14bea0d4ad7385a9bae26e94
(cherry picked from commit d9cb014d431fee946308bdb8979c8e8fa74b582f)
|
|
Prior to this CL, GetWipePartitionList was declared in install.h
(libinstall) but defined in recovery.cpp (librecovery). This CL
addresses the issue by refactoring wipe-device related functions into
install/wipe_device.cpp.
Test: atest recovery_component_test
Change-Id: I7ebe04ccfda3d793e085403560a0a202752d9ee3
|
|
Bug: 128415917
Test: Run the following commands under sideload and rescue modes
respectively.
$ adb reboot
$ adb reboot bootloader
$ adb reboot recovery
$ adb reboot rescue
$ adb reboot invalid
Change-Id: I84daf63e3360b7b4a0af5e055149a4f54e10ba90
Merged-In: I84daf63e3360b7b4a0af5e055149a4f54e10ba90
(cherry picked from commit 10f441a9dbb91be3124f455439631abcf8e96cde)
|
|
Only enabled on debuggable builds.
Bug: 128415917
Test: Sideload package on taimen.
Test: Choose "Enter rescue" from recovery UI.
Change-Id: I913dbdbcffd3179e6fa72ca862f74ca8f1364b02
Merged-In: I913dbdbcffd3179e6fa72ca862f74ca8f1364b02
(cherry picked from commit c6dc325e88a25201aa3856e6532c3ed14203a376)
|
|
Bug: 131037235
Test: unit tests pass, run `adb rescue wipe`
Change-Id: I22668f2c98fe2d9195d2561f961c28a7c08e712c
|
|
bootloader will set `boot-rescue` in BCB command field to indicate
booting into rescue mode. This CL adds the matching parsing code.
This CL changes the on-screen UI to display the default image while
waiting for each sideload / rescue command.
It also changes the minadbd reboot handlers to use REBOOT_ instead of
the previous ENTER_ actions. This ensures a reboot going through
bootloader, which may load a newly installed bootloader/recovery.
Bug: 128505466
Test: Boot into rescue mode. Run `adb rescue getprop` and `adb rescue
install`. Check the UI. Then run `adb reboot rescue`.
Change-Id: I5b7de9dfd898ed8e14bea0d4ad7385a9bae26e94
|
|
Bug: 128415917
Test: Run the following commands under sideload and rescue modes
respectively.
$ adb reboot
$ adb reboot bootloader
$ adb reboot recovery
$ adb reboot rescue
$ adb reboot invalid
Change-Id: I84daf63e3360b7b4a0af5e055149a4f54e10ba90
|
|
Only enabled on debuggable builds.
Bug: 128415917
Test: Sideload package on taimen.
Test: Choose "Enter rescue" from recovery UI.
Change-Id: I913dbdbcffd3179e6fa72ca862f74ca8f1364b02
|
|
We perform these steps to perserve the recovery logs when wiping
/cache partition. Move them to logging.cpp to keep the actually
EraseVolume function concise.
Bug: 130166585
Test: unit tests pass, mount cache and check last log after cache
Change-Id: Idc52833817a446f3a0148a3dd2112f911c9ef48d
(cherry picked from commit 2239b9e4dd08e307ad74dc44b597fd53d2d17de8)
|
|
Therefore, libinstall becomes the sole owner to handle the request
from minadbd service.
The change also includes
1. move logging.cpp out of librecovery
2. drop the dependency on common.h
3. now it's more sensible to move the wipe_cache as part of
install_package. move the wipe_cache to the end of the function.
Bug: 130166585
Test: wipe data and cache from menu
Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
(cherry picked from commit 316e9717461890dd319dc370970069fe4532a561)
|
|
This cl adds a socket pair to support the communication between recovery
and minadbd. Therefore, minadbd will be able to issue multiple commands
to recovery and get back the status of each command.
This cl also switches the adb sideload from the recovery menu to use
this protocol; and moves minadbd to a separate binary.
Bug: 130166585
Test: sideload a package
Change-Id: I80d36d5c4e6fe1ae3ea23640907bc50c0dc0d482
(cherry picked from commit 34690ced91e22f5d9b5dd19c33b11c8e0b4bafa0)
|
|
It was once considered to be shared between recovery and minadbd, so
that the latter can start an install on its own. The plan has been
changed, since package install -- including device wipe operations --
could be device-specific, which should be done by recovery only.
This CL moves libinstall back to a static library, which also saves the
overall size (reducing from 140256 + 660576 to 555880 bytes on
aosp_taimen-userdebug).
Bug: 130166585
Test: Run recovery_component_test.
Test: `adb sideload` on taimen.
Change-Id: Ib1f5f79f235df4682c0bd104425c9c122f6091ba
|
|
We perform these steps to perserve the recovery logs when wiping
/cache partition. Move them to logging.cpp to keep the actually
EraseVolume function concise.
Bug: 130166585
Test: unit tests pass, mount cache and check last log after cache
Change-Id: Idc52833817a446f3a0148a3dd2112f911c9ef48d
|
|
Therefore, libinstall becomes the sole owner to handle the request
from minadbd service.
The change also includes
1. move logging.cpp out of librecovery
2. drop the dependency on common.h
3. now it's more sensible to move the wipe_cache as part of
install_package. move the wipe_cache to the end of the function.
Bug: 130166585
Test: wipe data and cache from menu
Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
|
|
This cl adds a socket pair to support the communication between recovery
and minadbd. Therefore, minadbd will be able to issue multiple commands
to recovery and get back the status of each command.
This cl also switches the adb sideload from the recovery menu to use
this protocol; and moves minadbd to a separate binary.
Bug: 130166585
Test: sideload a package
Change-Id: I80d36d5c4e6fe1ae3ea23640907bc50c0dc0d482
|
|
It was once considered to be shared between recovery and minadbd, so
that the latter can start an install on its own. The plan has been
changed, since package install -- including device wipe operations --
could be device-specific, which should be done by recovery only.
This CL moves libinstall back to a static library, which also saves the
overall size (reducing from 140256 + 660576 to 555880 bytes on
aosp_taimen-userdebug).
Bug: 130166585
Test: Run recovery_component_test.
Test: `adb sideload` on taimen.
Change-Id: Ib1f5f79f235df4682c0bd104425c9c122f6091ba
|
|
otautil/roots.h includes <fstab/fstab.h>, but users of otautil/roots.h
don't need to explicitly depend on libfstab unless they have a real
need.
Also remove the unneeded include of <fstab/fstab.h> from
fsck_unshare_blocks.cpp.
Test: mmma -j bootable/recovery
Change-Id: Id3dc995a4769e631ab242843ee439bd94b2bf0bc
|
|
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.
Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
|
