summaryrefslogtreecommitdiffstats
path: root/uncrypt/uncrypt.cpp (unfollow)
Commit message (Collapse)AuthorFilesLines
2016-10-19Verify wipe package when wiping A/B device in recovery.Yabin Cui1-1/+18
To increase the security of wiping A/B devices, let uncrypt write wipe package in misc partition. Then recovery verifies the wipe package before wiping the device. Based on the original cherrypick, this CL also has additional changes to address the LOG statements and libziparchive changes. Bug: 29159185 Test: Build and boot into recovery. Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168 (cherry picked from commit 6faf0265c9b58db2c15b53f6d29025629d52f882)
2016-10-18Create bootloader_message static library.Yabin Cui1-1/+1
bootloader_messages merges bootloader_message_writer and bootloader.cpp, so we can use the same library to manage bootloader_message in normal boot and recovery mode. Bug: 29582118 Change-Id: I9efdf776ef8f02b53911ff43a518e035e0c29618 (cherry picked from commit 2f272c0551f984e83bc5abaf240e0dddb38a3326)
2016-09-29Report uncrypt errors in detailsTianjie Xu1-23/+12
Add the error codes for uncrypt and report the failure details in uncrypt_status. Test: uncrypt_error logs correctly in last_install Bug: 31603820 Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5 (cherry picked from commit 0c68675f5ae80cd669e0bf014a69689b6fe08eee)
2016-09-29DO NOT MERGE Report uncrypt errors in detailsTianjie Xu1-39/+52
Add the error codes for uncrypt and report the failure details in uncrypt_status. Test: uncrypt_error logs correctly in last_install Bug: 31603820 Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5 (cherry picked from commit da44cf18f3ce4bbffa85ad0a50bb25e9cb54a86d)
2016-09-27Report uncrypt errors in detailsTianjie Xu1-40/+65
Add the error codes for uncrypt and report the failure details in uncrypt_status. Test: uncrypt_error logs correctly in last_install Bug: 31603820 Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
2016-09-26Switch to <android-base/properties.h>.Elliott Hughes1-7/+7
Bug: http://b/23102347 Test: boot into recovery. Change-Id: Ib2ca560f1312961c21fbaa294bb068de19cb883e Merged-In: Ib2ca560f1312961c21fbaa294bb068de19cb883e
2016-09-24Switch to <android-base/properties.h>.Elliott Hughes1-7/+7
Bug: http://b/23102347 Test: boot into recovery. Change-Id: Ib2ca560f1312961c21fbaa294bb068de19cb883e
2016-09-13save uncrypt status to last_installTianjie Xu1-0/+21
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery reads the file and saves its contents to last_install. Bug: 31383361 Test: Tested on angler and uncrypt_time reports correctly. (cherry picked from commit fe16b5ccaf80f6e04d5b722c37c1abd70457ad28) Change-Id: Id69681a35c7eb2f0eb21b48e3616dcda82ce41b8
2016-09-13save uncrypt status to last_installTianjie Xu1-0/+21
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery reads the file and saves its contents to last_install. Bug: 31383361 Test: Tested on angler and uncrypt_time reports correctly. Change-Id: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833 Merged-In: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
2016-09-01Switch recovery to libbase loggingTianjie Xu1-49/+46
Clean up the recovery image and switch to libbase logging. Bug: 28191554 Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35 (cherry picked from commit 747781433fb01f745529c7e9dd97c5599070ad0d)
2016-09-01Switch recovery to libbase loggingTianjie Xu1-47/+44
Clean up the recovery image and switch to libbase logging. Bug: 28191554 Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35 Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
2016-09-01Switch recovery to libbase loggingTianjie Xu1-52/+49
Clean up the recovery image and switch to libbase logging. Bug: 28191554 Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
2016-07-01Allow uncrypt to work without socket communicationTianjie Xu1-2/+18
It was inconvenient to uncrypt a update package under adb shell because the uncrypt executable required a socket to start its job. Add a workaround to allow uncrypt executes without socket communication. Test: run uncrypt under adb shell, and the block map generates successfully Bug: 29906218 Change-Id: Ibc328b31636d925dc429ede8dcec7392a721dd53
2016-06-30Create bootloader_message static library.Yabin Cui1-1/+1
bootloader_messages merges bootloader_message_writer and bootloader.cpp, so we can use the same library to manage bootloader_message in normal boot and recovery mode. Bug: 29582118 Change-Id: I9efdf776ef8f02b53911ff43a518e035e0c29618
2016-06-21Verify wipe package when wiping A/B device in recovery.Yabin Cui1-1/+18
To increase the security of wiping A/B devices, let uncrypt write wipe package in misc partition. Then recovery verifies the wipe package before wiping the device. Bug: 29159185 Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
2016-04-18Fix google-runtime-int warnings.Chih-Hung Hsieh1-2/+3
Bug: 28220065 Change-Id: Ida199c66692a1638be6990d583d2ed42583fb592
2016-04-08uncrypt: split libbootloader_message_writer for reuse.Yabin Cui1-43/+7
init and vold also need to write bootloader message, so split this function from uncrypt into a separate library. Bug: 27176738 Change-Id: If9b0887b4f6ffab6162d9cb47a6ceb7eedd60b4d
2016-03-30uncrypt: remove --read-bcb option.Yabin Cui1-32/+0
Bug: 27897241 Change-Id: I4f52ada58e8f204dba8c974ea0ae03876411ecf0 (cherry picked from commit 61799baba3631f55469d2754542130255ce790cf)
2016-03-30uncrypt: fix call to close().Yabin Cui1-2/+2
Bug: 27897229 Change-Id: Iab5e829af1676f7fcd8a4b00a194aa679ed4e372
2016-03-29uncrypt: remove --read-bcb option.Yabin Cui1-32/+0
Bug: 27897241 Change-Id: I4f52ada58e8f204dba8c974ea0ae03876411ecf0
2016-03-29Fix uncrypt.cpp unique_fd build breakage.Elliott Hughes1-10/+10
Change-Id: I4654f59463d1f3e1f4450e937cd910508b64c157
2016-03-29Switch to <android-base/unique_fd.h>.Elliott Hughes1-51/+52
Change-Id: I13ba3f40bd52b5f3e3fe9002a45a9a8630040129
2016-03-03uncrypt: Communicate via /dev/socket/uncrypt.Tao Bao1-79/+181
We used to rely on files (e.g. /cache/recovery/command and /cache/recovery/uncrypt_status) to communicate between uncrypt and its caller (i.e. system_server). Since A/B devices may not have /cache partitions anymore, we switch to socket communication instead. We will keep the use of /cache/recovery/uncrypt_file to indicate the OTA package to be uncrypt'd though. Because there is existing logic in ShutdownThread.java that depends on the existence of the file to detect pending uncrypt works. This part won't affect A/B devices without /cache partitions, because such devices won't need uncrypt service (i.e the real de-encrypt work) anyway. Bug: 27176738 Change-Id: I481406e09e3ffc7b80f2c9e39003b9fca028742e
2016-02-23uncrypt: Retire pre-recovery service.Tao Bao1-13/+1
The framework CL in [1] removes the use of "pre-recovery" service which is basically to trigger a reboot into the recovery. [1] commit e8a403d57c8ea540f8287cdaee8b90f0cf9626a3 Bug: 26830925 Change-Id: I131f31a228df59e4f9c3024b238bbdee0be2b157
2016-02-03uncrypt: add options to setup bcb and clear bcb.Yabin Cui1-104/+188
Bug: 26696173 Change-Id: I3a612f045aaa9e93e61ae45b05300d02b19bb3ad
2016-02-01uncrypt: generate map file by renaming tmp file.Yabin Cui1-75/+93
Writing map file directly can break consistency in map file if it fails in the middle. Instead, we write a temporary file and rename the temporary file to map file. Bug: 26883096 Change-Id: I5e99e942e1b75e758af5f7a48f8a08a0b0041d6a
2016-01-12uncrypt: avoid use-after-freeDaniel Micay1-3/+4
The `std::string package` variable goes out of scope but the input_path variable is then used to access the memory as it's set to `c_str()`. This was detected via OpenBSD malloc's junk filling feature. Change-Id: Ic4b939347881b6ebebf71884e7e2272ce99510e2
2015-12-09uncrypt: Suppress the compiler warnings on LP64.Tao Bao1-10/+12
We have the following warnings when compiling uncrypt on LP64 (e.g. aosp_angler-userdebug). bootable/recovery/uncrypt/uncrypt.cpp:77:53: warning: format specifies type 'long long' but the argument has type 'off64_t' (aka 'long') [-Wformat] ALOGE("error seeking to offset %lld: %s\n", offset, strerror(errno)); ~~~~ ^~~~~~ %ld bootable/recovery/uncrypt/uncrypt.cpp:84:54: warning: format specifies type 'long long' but the argument has type 'unsigned long' [-Wformat] ALOGE("error writing offset %lld: %s\n", (offset + written), strerror(errno)); ~~~~ ^~~~~~~~~~~~~~~~~~ %lu bootable/recovery/uncrypt/uncrypt.cpp:246:16: warning: comparison of integers of different signs: 'size_t' (aka 'unsigned long') and 'off_t' (aka 'long') [-Wsign-compare] while (pos < sb.st_size) { ~~~ ^ ~~~~~~~~~~ According to POSIX spec [1], we have: off_t and blksize_t shall be signed integer types; size_t shall be an unsigned integer type; blksize_t and size_t are no greater than the width of type long. And on Android, we always have a 64-bit st_size from stat(2) (//bionic/libc/include/sys/stat.h). Fix the type and add necessary casts to suppress the warnings. [1] http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/sys_types.h.html Change-Id: I5d64d5b7919c541441176c364752de047f9ecb20
2015-12-05Track rename from base/ to android-base/.Elliott Hughes1-2/+2
Change-Id: I354a8c424d340a9abe21fd716a4ee0d3b177d86f
2015-11-13We can use fclose directly in std::unique_ptr.Elliott Hughes1-5/+5
It turns out the standard explicitly states that if the pointer is null, the deleter function won't be called. So it doesn't matter that fclose(3) doesn't accept null. Change-Id: I10e6e0d62209ec03ac60e673edd46f32ba279a04
2015-11-04uncrypt: remove O_SYNC to avoid time-out failuresJaegeuk Kim1-1/+1
This patch removes costly O_SYNC flag for encrypted block device. After writing whole decrypted blocks, fsync should guarantee their consistency from further power failures. This patch reduces the elapsed time significantly consumed by upgrading packages on an encrypted partition, so that it could avoid another time-out failures too. Change-Id: I1fb9022c83ecc00bad09d107fc87a6a09babb0ec Signed-off-by: Jaegeuk Kim <jaegeuk@motorola.com>
2015-08-10Use unique_ptr and unique_fd to manager FDs.Tao Bao1-16/+16
Clean up leaky file descriptors in uncrypt/uncrypt.cpp. Add unique_fd for open() and unique_file for fopen() to close FDs on destruction. Bug: 21496020 Change-Id: I0174db0de9d5f59cd43b44757b8ef0f5912c91a2
2015-07-24uncrypt: Support file level encryption.Tao Bao1-1/+1
Bug: 22534003 Change-Id: I2bc22418c416491da573875dce78daed24f2c046 (cherry picked from commit 6e9dda70cb00dd1f1948e071d7df7ca6e2bd8332)
2015-07-17uncrypt: Support file level encryption.Tao Bao1-1/+1
Bug: 22534003 Change-Id: Iaf42a6e5b40cfef904de66e212ae8b77b2953ef7
2015-06-10uncrypt: Write status when it reboots to factory resetTao Bao1-7/+10
When it reboots into recovery for a factory reset, it still needs to write the uncrypt status (-1) to the pipe. Bug: 21511893 (cherry picked from commit 2c2cae8a4a18b85043bb6260a59ac7d1589016bf) Change-Id: Ia5a75c5edf3afbd916153da1b4de4db2f00d0209
2015-06-10Separate uncrypt into two modesTao Bao1-94/+91
uncrypt needs to be triggered to prepare the OTA package before rebooting into the recovery. Separate uncrypt into two modes. In mode 1, it uncrypts the OTA package, but will not reboot the device. In mode 2, it wipes the /misc partition and reboots. Needs matching changes in frameworks/base, system/core and external/sepolicy to work properly. Bug: 20012567 Bug: 20949086 (cherry picked from commit 158e11d6738a751b754d09df7275add589c31191) Change-Id: I349f6d368a0d6f6ee4332831c4cd4075a47426ff
2015-05-29uncrypt: Write status when it reboots to factory resetTao Bao1-7/+10
When it reboots into recovery for a factory reset, it still needs to write the uncrypt status (-1) to the pipe. Bug: 21511893 Change-Id: I1a725820f1e1875146e49b5a6f28af2fbf284fc7
2015-05-28Separate uncrypt into two modesTao Bao1-97/+94
uncrypt needs to be triggered to prepare the OTA package before rebooting into the recovery. Separate uncrypt into two modes. In mode 1, it uncrypts the OTA package, but will not reboot the device. In mode 2, it wipes the /misc partition and reboots. Needs matching changes in frameworks/base, system/core and external/sepolicy to work properly. Bug: 20012567 Bug: 20949086 Change-Id: I14d25cb62770dd405cb56824d05d649c3a94f315
2015-05-27Clean up the sleep()'s after poking init servicesTao Bao1-4/+8
Change-Id: I77564fe5c59e604f1377b278681b7d1bff53a77a
2015-05-06uncrypt: Switch to C++Tao Bao1-41/+39
Also apply some trivial changes like int -> bool and clean-ups. Change-Id: I5c6c42d34965305c394f4f2de78487bd1174992a (cherry picked from commit 381f455cac0905b023dde79625b06c27b6165dd0)
2015-05-06uncrypt: Switch to C++Tao Bao1-467/+0
Also apply some trivial changes like int -> bool and clean-ups. Change-Id: Ic55fc8b82d7e91b321f69d10175be23d5c04eb92
2015-05-06uncrypt: package on non-data partition should follow the right pathTao Bao1-20/+41
Fix the accidental change of behavior in [1]. OTA packages not on /data partition should still go through the path that has validity checks and wipe_misc() steps. [1]: commit eaf33654c1817bd665831a13c5bd0c04daabee02. Change-Id: I3e86e19f06603bfe6ecc691c9aa66a8a8a79c5fb (cherry picked from commit fb4ccef1df4f0bd8fa830c750f2970dd2df9e51b)
2015-05-06uncrypt: package on non-data partition should follow the right pathTao Bao1-20/+41
Fix the accidental change of behavior in [1]. OTA packages not on /data partition should still go through the path that has validity checks and wipe_misc() steps. [1]: commit eaf33654c1817bd665831a13c5bd0c04daabee02. Change-Id: Ice9a049f6259cd2368d2fb95a991f8a6a0120bdd
2015-04-30Check all lseek calls succeed.Elliott Hughes1-8/+12
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek. Bug: http://b/20625546 Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b (cherry picked from commit 7bad7c4646ee8fd8d6e6ed0ffd3ddbb0c1b41a2f)
2015-04-30Check all lseek calls succeed.Elliott Hughes1-8/+12
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek. Bug: http://b/20625546 Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b
2015-01-30Add missing includes.Elliott Hughes1-0/+1
Change-Id: I06ea08400efa511e627be37a4fd70fbdfadea2e6
2014-12-29Fix missing #includes in bootable/recovery.Elliott Hughes1-0/+1
Change-Id: I58dfbac6ca1aa80d3659f53a8fad1bbbbdc9b941
2014-12-11Add O_CREAT option for openSungmin Choi1-2/+10
Factory reset fails if there is no file, for example, RECOVERY_COMMAND_FILE_TMP. So create file as adding O_CREAT option if it does not exist. error log: --------- beginning of crash 12-10 02:35:17.190 3059 3059 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x30 in tid 3059 (uncrypt) 12-10 02:35:17.296 766 1528 W NativeCrashListener: Couldn't find ProcessRecord for pid 3059 12-10 02:35:17.296 191 191 I DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 12-10 02:35:17.296 191 191 E DEBUG : AM write failure (32 / Broken pipe) 12-10 02:35:17.296 191 191 I DEBUG : Build fingerprint: 'Android/aosp_hammerhead/hammerhead:5.1/LMP/hopemini12052127:userdebug/test-keys' 12-10 02:35:17.296 191 191 I DEBUG : Revision: '10' 12-10 02:35:17.297 191 191 I DEBUG : ABI: 'arm' 12-10 02:35:17.297 191 191 I DEBUG : pid: 3059, tid: 3059, name: uncrypt >>> /system/bin/uncrypt <<< 12-10 02:35:17.297 191 191 I DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x30 12-10 02:35:17.302 191 191 I DEBUG : r0 00000001 r1 be94b690 r2 fffffe90 r3 b6fdbf7c 12-10 02:35:17.302 191 191 I DEBUG : r4 00000000 r5 00000000 r6 b6fd8ca4 r7 be94b67c 12-10 02:35:17.302 191 191 I DEBUG : r8 00000000 r9 ffffffff sl b6ff582b fp be94b68d 12-10 02:35:17.302 191 191 I DEBUG : ip b6fcfd08 sp be94b648 lr b6f98fe5 pc b6f98fe4 cpsr 20070030 12-10 02:35:17.303 191 191 I DEBUG : 12-10 02:35:17.303 191 191 I DEBUG : backtrace: 12-10 02:35:17.303 191 191 I DEBUG : #00 pc 00032fe4 /system/lib/libc.so (fputs+29) 12-10 02:35:17.303 191 191 I DEBUG : #01 pc 000016a1 /system/bin/uncrypt 12-10 02:35:17.303 191 191 I DEBUG : #02 pc 0000114b /system/bin/uncrypt 12-10 02:35:17.303 191 191 I DEBUG : #03 pc 00012df5 /system/lib/libc.so (__libc_init+44) 12-10 02:35:17.303 191 191 I DEBUG : #04 pc 000013cc /system/bin/uncrypt 12-10 02:35:17.325 191 191 I DEBUG : 12-10 02:35:17.325 191 191 I DEBUG : Tombstone written to: /data/tombstones/tombstone_00 Bug: 18709330 Change-Id: Ib5dccdd366e829049938a188ea5f98d9e4e282db
2014-11-22Force write to disk while doing uncryptMichael Runge1-5/+10
This should reduce errors if the device reboots before the blocks are commited to disk. Bug: 18481902 Change-Id: I13cda1c78955e4c83522fbcf87ddb16cc9f97683
2014-09-05create block map for all update packages on /dataDoug Zongker1-12/+9
Always create the block map for packages on /data; don't only look at the encryptable/encrypted flags. Bug: 17395453 Change-Id: Iaa7643a32898328277841e324305b9419a9e071c
2014-08-26open misc device in write-only modeDoug Zongker1-18/+26
Opening the misc block device in read-write mode runs afoul of SELinux, which keeps the wipe code from working. Fix. Also change various things to log to logcat so we can see them happening, for future debugging. Bug: 16715412 Change-Id: Ia14066f0a371cd605fcb544547b58a41acca70b9
2014-08-19clear BCB in misc partition before rebootingDoug Zongker1-3/+43
Something is leaving behind wipe commands in the BCB area of the /misc partition. We don't know what is doing that. It should always be safe to zero out that area from uncrypt, though (because if uncrypt is running then it's got the command we want in the recovery command file rather than the BCB). Bug: 16715412 Change-Id: Iad01124287f13b80ff71d6371db6371f43c43211
2014-08-01only do uncryption on packages in /dataDoug Zongker1-1/+1
If recovery is invoked with a package somewhere other than /data, leave it alone. Change-Id: Ief358b53df467ae24a65e30e7a631da59bf13683
2014-03-19recovery: 64 bit build issuesMark Salyzyn1-3/+3
Change-Id: Ie88c49dea13cce5f4eb428e97f5a0956f2656a30
2014-02-14Fix a crash when going into recovery mode.Maxim Siniavine1-1/+6
When going into recovery mode withoug recovery command file present, uncrypt crashes and the device gets stuck and eventually shuts down. Check that the command file is present before trying to read from it. Change-Id: If0192d597032be0067738e437188d92993ce56f7
2014-01-16program to store unencrypted files in an encrypted filesystemDoug Zongker1-0/+377
uncrypt can read a file on an encrypted filesystem and rewrite it to the same blocks on the underlying (unencrypted) block device. This destroys the contents of the file as far as the encrypted filesystem is concerned, but allows the data to be read without the encryption key if you know which blocks of the raw device to access. uncrypt produces a "block map" file which lists the blocks that contain the file. For unencrypted filesystem, uncrypt will produce the block map without touching the data. Bug: 12188746 Change-Id: Ib7259b9e14dac8af406796b429d58378a00c7c63