diff options
-rw-r--r-- | Android.mk | 18 | ||||
-rw-r--r-- | bootloader.cpp | 134 | ||||
-rw-r--r-- | bootloader.h | 157 | ||||
-rw-r--r-- | bootloader_message/Android.mk | 24 | ||||
-rw-r--r-- | bootloader_message/bootloader_message.cpp (renamed from uncrypt/bootloader_message_writer.cpp) | 82 | ||||
-rw-r--r-- | bootloader_message/include/bootloader_message/bootloader_message.h | 199 | ||||
-rw-r--r-- | device.cpp | 38 | ||||
-rw-r--r-- | error_code.h | 3 | ||||
-rw-r--r-- | install.cpp | 258 | ||||
-rw-r--r-- | install.h | 17 | ||||
-rw-r--r-- | minui/font_10x18.h | 8 | ||||
-rw-r--r-- | minui/graphics.cpp | 102 | ||||
-rw-r--r-- | minui/minui.h | 16 | ||||
-rw-r--r-- | minzip/SysUtil.cpp | 12 | ||||
-rw-r--r-- | recovery.cpp | 178 | ||||
-rw-r--r-- | screen_ui.cpp | 52 | ||||
-rw-r--r-- | screen_ui.h | 4 | ||||
-rw-r--r-- | uncrypt/Android.mk | 11 | ||||
-rw-r--r-- | uncrypt/include/bootloader_message_writer.h | 35 | ||||
-rw-r--r-- | uncrypt/uncrypt.cpp | 21 | ||||
-rw-r--r-- | update_verifier/Android.mk | 5 | ||||
-rw-r--r-- | update_verifier/update_verifier.cpp | 131 | ||||
-rw-r--r-- | wear_ui.cpp | 12 |
23 files changed, 974 insertions, 543 deletions
diff --git a/Android.mk b/Android.mk index 76e99b6e2..74910a10f 100644 --- a/Android.mk +++ b/Android.mk @@ -41,7 +41,6 @@ include $(CLEAR_VARS) LOCAL_SRC_FILES := \ adb_install.cpp \ asn1_decoder.cpp \ - bootloader.cpp \ device.cpp \ fuse_sdcard_provider.cpp \ install.cpp \ @@ -76,6 +75,7 @@ LOCAL_C_INCLUDES += \ LOCAL_STATIC_LIBRARIES := \ libbatterymonitor \ + libbootloader_message \ libext4_utils_static \ libsparse_static \ libminzip \ @@ -101,6 +101,10 @@ LOCAL_HAL_STATIC_LIBRARIES := libhealthd LOCAL_C_INCLUDES += system/extras/ext4_utils LOCAL_STATIC_LIBRARIES += libext4_utils_static libz +ifeq ($(AB_OTA_UPDATER),true) + LOCAL_CFLAGS += -DAB_OTA_UPDATER=1 +endif + LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/sbin ifeq ($(TARGET_RECOVERY_UI_LIB),) @@ -148,14 +152,16 @@ LOCAL_SRC_FILES := \ LOCAL_STATIC_LIBRARIES := libcrypto_utils libcrypto libbase include $(BUILD_STATIC_LIBRARY) -include $(LOCAL_PATH)/minui/Android.mk \ - $(LOCAL_PATH)/minzip/Android.mk \ +include \ + $(LOCAL_PATH)/applypatch/Android.mk \ + $(LOCAL_PATH)/bootloader_message/Android.mk \ + $(LOCAL_PATH)/edify/Android.mk \ $(LOCAL_PATH)/minadbd/Android.mk \ + $(LOCAL_PATH)/minui/Android.mk \ + $(LOCAL_PATH)/minzip/Android.mk \ + $(LOCAL_PATH)/otafault/Android.mk \ $(LOCAL_PATH)/tests/Android.mk \ $(LOCAL_PATH)/tools/Android.mk \ - $(LOCAL_PATH)/edify/Android.mk \ $(LOCAL_PATH)/uncrypt/Android.mk \ - $(LOCAL_PATH)/otafault/Android.mk \ $(LOCAL_PATH)/updater/Android.mk \ $(LOCAL_PATH)/update_verifier/Android.mk \ - $(LOCAL_PATH)/applypatch/Android.mk diff --git a/bootloader.cpp b/bootloader.cpp deleted file mode 100644 index dad0bab30..000000000 --- a/bootloader.cpp +++ /dev/null @@ -1,134 +0,0 @@ -/* - * Copyright (C) 2008 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <errno.h> -#include <fcntl.h> -#include <inttypes.h> -#include <stdio.h> -#include <string.h> -#include <sys/stat.h> -#include <sys/types.h> -#include <unistd.h> - -#include <fs_mgr.h> - -#include <android-base/logging.h> -#include <android-base/unique_fd.h> - -#include "bootloader.h" -#include "roots.h" - -static int get_bootloader_message_block(bootloader_message* out, const Volume* v); -static int set_bootloader_message_block(const bootloader_message* in, const Volume* v); - -int get_bootloader_message(bootloader_message* out) { - Volume* v = volume_for_path("/misc"); - if (v == nullptr) { - LOG(ERROR) << "Cannot load volume /misc!"; - return -1; - } - if (strcmp(v->fs_type, "emmc") == 0) { - return get_bootloader_message_block(out, v); - } - LOG(ERROR) << "unknown misc partition fs_type \"" << v->fs_type << "\""; - return -1; -} - -int set_bootloader_message(const bootloader_message* in) { - Volume* v = volume_for_path("/misc"); - if (v == nullptr) { - LOG(ERROR) << "Cannot load volume /misc!"; - return -1; - } - if (strcmp(v->fs_type, "emmc") == 0) { - return set_bootloader_message_block(in, v); - } - LOG(ERROR) << "unknown misc partition fs_type \"" << v->fs_type << "\""; - return -1; -} - -// ------------------------------------ -// for misc partitions on block devices -// ------------------------------------ - -static void wait_for_device(const char* fn) { - int tries = 0; - int ret; - do { - ++tries; - struct stat buf; - ret = stat(fn, &buf); - if (ret == -1) { - printf("failed to stat \"%s\" try %d: %s\n", fn, tries, strerror(errno)); - sleep(1); - } - } while (ret && tries < 10); - - if (ret) { - printf("failed to stat \"%s\"\n", fn); - } -} - -static int get_bootloader_message_block(bootloader_message* out, - const Volume* v) { - wait_for_device(v->blk_device); - FILE* f = fopen(v->blk_device, "rb"); - if (f == nullptr) { - PLOG(ERROR) << "failed to open \"" << v->blk_device << "\""; - return -1; - } - bootloader_message temp; - int count = fread(&temp, sizeof(temp), 1, f); - if (count != 1) { - PLOG(ERROR) << "failed to read \"" << v->blk_device << "\""; - return -1; - } - if (fclose(f) != 0) { - PLOG(ERROR) << "failed to close \"" << v->blk_device << "\""; - return -1; - } - memcpy(out, &temp, sizeof(temp)); - return 0; -} - -static int set_bootloader_message_block(const bootloader_message* in, - const Volume* v) { - wait_for_device(v->blk_device); - android::base::unique_fd fd(open(v->blk_device, O_WRONLY | O_SYNC)); - if (fd == -1) { - PLOG(ERROR) << "failed to open \"" << v->blk_device << "\""; - return -1; - } - - size_t written = 0; - const uint8_t* start = reinterpret_cast<const uint8_t*>(in); - size_t total = sizeof(*in); - while (written < total) { - ssize_t wrote = TEMP_FAILURE_RETRY(write(fd, start + written, total - written)); - if (wrote == -1) { - PLOG(ERROR) << "failed to write " << total << " bytes, " << written - << " bytes written"; - return -1; - } - written += wrote; - } - - if (fsync(fd) == -1) { - PLOG(ERROR) << "failed to fsync \"" << v->blk_device << "\""; - return -1; - } - return 0; -} diff --git a/bootloader.h b/bootloader.h index 1801705fb..9c84a1cf9 100644 --- a/bootloader.h +++ b/bootloader.h @@ -14,158 +14,5 @@ * limitations under the License. */ -#ifndef _RECOVERY_BOOTLOADER_H -#define _RECOVERY_BOOTLOADER_H - -#include <assert.h> - -/* Bootloader Message (2-KiB) - * - * This structure describes the content of a block in flash - * that is used for recovery and the bootloader to talk to - * each other. - * - * The command field is updated by linux when it wants to - * reboot into recovery or to update radio or bootloader firmware. - * It is also updated by the bootloader when firmware update - * is complete (to boot into recovery for any final cleanup) - * - * The status field is written by the bootloader after the - * completion of an "update-radio" or "update-hboot" command. - * - * The recovery field is only written by linux and used - * for the system to send a message to recovery or the - * other way around. - * - * The stage field is written by packages which restart themselves - * multiple times, so that the UI can reflect which invocation of the - * package it is. If the value is of the format "#/#" (eg, "1/3"), - * the UI will add a simple indicator of that status. - * - * We used to have slot_suffix field for A/B boot control metadata in - * this struct, which gets unintentionally cleared by recovery or - * uncrypt. Move it into struct bootloader_message_ab to avoid the - * issue. - */ -struct bootloader_message { - char command[32]; - char status[32]; - char recovery[768]; - - // The 'recovery' field used to be 1024 bytes. It has only ever - // been used to store the recovery command line, so 768 bytes - // should be plenty. We carve off the last 256 bytes to store the - // stage string (for multistage packages) and possible future - // expansion. - char stage[32]; - - // The 'reserved' field used to be 224 bytes when it was initially - // carved off from the 1024-byte recovery field. Bump it up to - // 1184-byte so that the entire bootloader_message struct rounds up - // to 2048-byte. - char reserved[1184]; -}; - -/** - * We must be cautious when changing the bootloader_message struct size, - * because A/B-specific fields may end up with different offsets. - */ -#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus) -static_assert(sizeof(struct bootloader_message) == 2048, - "struct bootloader_message size changes, which may break A/B devices"); -#endif - -/** - * The A/B-specific bootloader message structure (4-KiB). - * - * We separate A/B boot control metadata from the regular bootloader - * message struct and keep it here. Everything that's A/B-specific - * stays after struct bootloader_message, which should be managed by - * the A/B-bootloader or boot control HAL. - * - * The slot_suffix field is used for A/B implementations where the - * bootloader does not set the androidboot.ro.boot.slot_suffix kernel - * commandline parameter. This is used by fs_mgr to mount /system and - * other partitions with the slotselect flag set in fstab. A/B - * implementations are free to use all 32 bytes and may store private - * data past the first NUL-byte in this field. It is encouraged, but - * not mandatory, to use 'struct bootloader_control' described below. - */ -struct bootloader_message_ab { - struct bootloader_message message; - char slot_suffix[32]; - - // Round up the entire struct to 4096-byte. - char reserved[2016]; -}; - -/** - * Be cautious about the struct size change, in case we put anything post - * bootloader_message_ab struct (b/29159185). - */ -#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus) -static_assert(sizeof(struct bootloader_message_ab) == 4096, - "struct bootloader_message_ab size changes"); -#endif - -#define BOOT_CTRL_MAGIC 0x42414342 /* Bootloader Control AB */ -#define BOOT_CTRL_VERSION 1 - -struct slot_metadata { - // Slot priority with 15 meaning highest priority, 1 lowest - // priority and 0 the slot is unbootable. - uint8_t priority : 4; - // Number of times left attempting to boot this slot. - uint8_t tries_remaining : 3; - // 1 if this slot has booted successfully, 0 otherwise. - uint8_t successful_boot : 1; - // 1 if this slot is corrupted from a dm-verity corruption, 0 - // otherwise. - uint8_t verity_corrupted : 1; - // Reserved for further use. - uint8_t reserved : 7; -} __attribute__((packed)); - -/* Bootloader Control AB - * - * This struct can be used to manage A/B metadata. It is designed to - * be put in the 'slot_suffix' field of the 'bootloader_message' - * structure described above. It is encouraged to use the - * 'bootloader_control' structure to store the A/B metadata, but not - * mandatory. - */ -struct bootloader_control { - // NUL terminated active slot suffix. - char slot_suffix[4]; - // Bootloader Control AB magic number (see BOOT_CTRL_MAGIC). - uint32_t magic; - // Version of struct being used (see BOOT_CTRL_VERSION). - uint8_t version; - // Number of slots being managed. - uint8_t nb_slot : 3; - // Number of times left attempting to boot recovery. - uint8_t recovery_tries_remaining : 3; - // Ensure 4-bytes alignment for slot_info field. - uint8_t reserved0[2]; - // Per-slot information. Up to 4 slots. - struct slot_metadata slot_info[4]; - // Reserved for further use. - uint8_t reserved1[8]; - // CRC32 of all 28 bytes preceding this field (little endian - // format). - uint32_t crc32_le; -} __attribute__((packed)); - -#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus) -static_assert(sizeof(struct bootloader_control) == - sizeof(((struct bootloader_message_ab *)0)->slot_suffix), - "struct bootloader_control has wrong size"); -#endif - -/* Read and write the bootloader command from the "misc" partition. - * These return zero on success. - */ -int get_bootloader_message(struct bootloader_message *out); -int set_bootloader_message(const struct bootloader_message *in); - -#endif +// TODO: Remove this file once we remove all places that include this file. +#include "bootloader_message/include/bootloader_message/bootloader_message.h" diff --git a/bootloader_message/Android.mk b/bootloader_message/Android.mk new file mode 100644 index 000000000..815ac67d7 --- /dev/null +++ b/bootloader_message/Android.mk @@ -0,0 +1,24 @@ +# Copyright (C) 2016 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +LOCAL_PATH := $(call my-dir) + +include $(CLEAR_VARS) +LOCAL_CLANG := true +LOCAL_SRC_FILES := bootloader_message.cpp +LOCAL_MODULE := libbootloader_message +LOCAL_STATIC_LIBRARIES := libbase libfs_mgr +LOCAL_C_INCLUDES := $(LOCAL_PATH)/include +LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include +include $(BUILD_STATIC_LIBRARY) diff --git a/uncrypt/bootloader_message_writer.cpp b/bootloader_message/bootloader_message.cpp index 3bb106aa0..9de7dff40 100644 --- a/uncrypt/bootloader_message_writer.cpp +++ b/bootloader_message/bootloader_message.cpp @@ -14,6 +14,8 @@ * limitations under the License. */ +#include <bootloader_message/bootloader_message.h> + #include <errno.h> #include <fcntl.h> #include <string.h> @@ -27,8 +29,6 @@ #include <android-base/unique_fd.h> #include <fs_mgr.h> -#include "bootloader.h" - static struct fstab* read_fstab(std::string* err) { // The fstab path is always "/fstab.${ro.hardware}". std::string fstab_path = "/fstab."; @@ -58,7 +58,57 @@ static std::string get_misc_blk_device(std::string* err) { return record->blk_device; } -static bool write_bootloader_message(const bootloader_message& boot, std::string* err) { +// In recovery mode, recovery can get started and try to access the misc +// device before the kernel has actually created it. +static bool wait_for_device(const std::string& blk_device, std::string* err) { + int tries = 0; + int ret; + err->clear(); + do { + ++tries; + struct stat buf; + ret = stat(blk_device.c_str(), &buf); + if (ret == -1) { + *err += android::base::StringPrintf("failed to stat %s try %d: %s\n", + blk_device.c_str(), tries, strerror(errno)); + sleep(1); + } + } while (ret && tries < 10); + + if (ret) { + *err += android::base::StringPrintf("failed to stat %s\n", blk_device.c_str()); + } + return ret == 0; +} + +static bool read_misc_partition(void* p, size_t size, size_t offset, std::string* err) { + std::string misc_blk_device = get_misc_blk_device(err); + if (misc_blk_device.empty()) { + return false; + } + if (!wait_for_device(misc_blk_device, err)) { + return false; + } + android::base::unique_fd fd(open(misc_blk_device.c_str(), O_RDONLY)); + if (fd.get() == -1) { + *err = android::base::StringPrintf("failed to open %s: %s", misc_blk_device.c_str(), + strerror(errno)); + return false; + } + if (lseek(fd.get(), static_cast<off_t>(offset), SEEK_SET) != static_cast<off_t>(offset)) { + *err = android::base::StringPrintf("failed to lseek %s: %s", misc_blk_device.c_str(), + strerror(errno)); + return false; + } + if (!android::base::ReadFully(fd.get(), p, size)) { + *err = android::base::StringPrintf("failed to read %s: %s", misc_blk_device.c_str(), + strerror(errno)); + return false; + } + return true; +} + +static bool write_misc_partition(const void* p, size_t size, size_t offset, std::string* err) { std::string misc_blk_device = get_misc_blk_device(err); if (misc_blk_device.empty()) { return false; @@ -69,11 +119,17 @@ static bool write_bootloader_message(const bootloader_message& boot, std::string strerror(errno)); return false; } - if (!android::base::WriteFully(fd.get(), &boot, sizeof(boot))) { + if (lseek(fd.get(), static_cast<off_t>(offset), SEEK_SET) != static_cast<off_t>(offset)) { + *err = android::base::StringPrintf("failed to lseek %s: %s", misc_blk_device.c_str(), + strerror(errno)); + return false; + } + if (!android::base::WriteFully(fd.get(), p, size)) { *err = android::base::StringPrintf("failed to write %s: %s", misc_blk_device.c_str(), strerror(errno)); return false; } + // TODO: O_SYNC and fsync duplicates each other? if (fsync(fd.get()) == -1) { *err = android::base::StringPrintf("failed to fsync %s: %s", misc_blk_device.c_str(), @@ -83,6 +139,14 @@ static bool write_bootloader_message(const bootloader_message& boot, std::string return true; } +bool read_bootloader_message(bootloader_message* boot, std::string* err) { + return read_misc_partition(boot, sizeof(*boot), BOOTLOADER_MESSAGE_OFFSET_IN_MISC, err); +} + +bool write_bootloader_message(const bootloader_message& boot, std::string* err) { + return write_misc_partition(&boot, sizeof(boot), BOOTLOADER_MESSAGE_OFFSET_IN_MISC, err); +} + bool clear_bootloader_message(std::string* err) { bootloader_message boot = {}; return write_bootloader_message(boot, err); @@ -101,6 +165,16 @@ bool write_bootloader_message(const std::vector<std::string>& options, std::stri return write_bootloader_message(boot, err); } +bool read_wipe_package(std::string* package_data, size_t size, std::string* err) { + package_data->resize(size); + return read_misc_partition(&(*package_data)[0], size, WIPE_PACKAGE_OFFSET_IN_MISC, err); +} + +bool write_wipe_package(const std::string& package_data, std::string* err) { + return write_misc_partition(package_data.data(), package_data.size(), + WIPE_PACKAGE_OFFSET_IN_MISC, err); +} + extern "C" bool write_bootloader_message(const char* options) { std::string err; return write_bootloader_message({options}, &err); diff --git a/bootloader_message/include/bootloader_message/bootloader_message.h b/bootloader_message/include/bootloader_message/bootloader_message.h new file mode 100644 index 000000000..f343c64ac --- /dev/null +++ b/bootloader_message/include/bootloader_message/bootloader_message.h @@ -0,0 +1,199 @@ +/* + * Copyright (C) 2008 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef _BOOTLOADER_MESSAGE_H +#define _BOOTLOADER_MESSAGE_H + +#include <assert.h> +#include <stddef.h> +#include <stdint.h> + +// Spaces used by misc partition are as below: +// 0 - 2K For bootloader_message +// 2K - 16K Used by Vendor's bootloader (the 2K - 4K range may be optionally used +// as bootloader_message_ab struct) +// 16K - 64K Used by uncrypt and recovery to store wipe_package for A/B devices +// Note that these offsets are admitted by bootloader,recovery and uncrypt, so they +// are not configurable without changing all of them. +static const size_t BOOTLOADER_MESSAGE_OFFSET_IN_MISC = 0; +static const size_t WIPE_PACKAGE_OFFSET_IN_MISC = 16 * 1024; + +/* Bootloader Message (2-KiB) + * + * This structure describes the content of a block in flash + * that is used for recovery and the bootloader to talk to + * each other. + * + * The command field is updated by linux when it wants to + * reboot into recovery or to update radio or bootloader firmware. + * It is also updated by the bootloader when firmware update + * is complete (to boot into recovery for any final cleanup) + * + * The status field is written by the bootloader after the + * completion of an "update-radio" or "update-hboot" command. + * + * The recovery field is only written by linux and used + * for the system to send a message to recovery or the + * other way around. + * + * The stage field is written by packages which restart themselves + * multiple times, so that the UI can reflect which invocation of the + * package it is. If the value is of the format "#/#" (eg, "1/3"), + * the UI will add a simple indicator of that status. + * + * We used to have slot_suffix field for A/B boot control metadata in + * this struct, which gets unintentionally cleared by recovery or + * uncrypt. Move it into struct bootloader_message_ab to avoid the + * issue. + */ +struct bootloader_message { + char command[32]; + char status[32]; + char recovery[768]; + + // The 'recovery' field used to be 1024 bytes. It has only ever + // been used to store the recovery command line, so 768 bytes + // should be plenty. We carve off the last 256 bytes to store the + // stage string (for multistage packages) and possible future + // expansion. + char stage[32]; + + // The 'reserved' field used to be 224 bytes when it was initially + // carved off from the 1024-byte recovery field. Bump it up to + // 1184-byte so that the entire bootloader_message struct rounds up + // to 2048-byte. + char reserved[1184]; +}; + +/** + * We must be cautious when changing the bootloader_message struct size, + * because A/B-specific fields may end up with different offsets. + */ +#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus) +static_assert(sizeof(struct bootloader_message) == 2048, + "struct bootloader_message size changes, which may break A/B devices"); +#endif + +/** + * The A/B-specific bootloader message structure (4-KiB). + * + * We separate A/B boot control metadata from the regular bootloader + * message struct and keep it here. Everything that's A/B-specific + * stays after struct bootloader_message, which should be managed by + * the A/B-bootloader or boot control HAL. + * + * The slot_suffix field is used for A/B implementations where the + * bootloader does not set the androidboot.ro.boot.slot_suffix kernel + * commandline parameter. This is used by fs_mgr to mount /system and + * other partitions with the slotselect flag set in fstab. A/B + * implementations are free to use all 32 bytes and may store private + * data past the first NUL-byte in this field. It is encouraged, but + * not mandatory, to use 'struct bootloader_control' described below. + */ +struct bootloader_message_ab { + struct bootloader_message message; + char slot_suffix[32]; + + // Round up the entire struct to 4096-byte. + char reserved[2016]; +}; + +/** + * Be cautious about the struct size change, in case we put anything post + * bootloader_message_ab struct (b/29159185). + */ +#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus) +static_assert(sizeof(struct bootloader_message_ab) == 4096, + "struct bootloader_message_ab size changes"); +#endif + +#define BOOT_CTRL_MAGIC 0x42414342 /* Bootloader Control AB */ +#define BOOT_CTRL_VERSION 1 + +struct slot_metadata { + // Slot priority with 15 meaning highest priority, 1 lowest + // priority and 0 the slot is unbootable. + uint8_t priority : 4; + // Number of times left attempting to boot this slot. + uint8_t tries_remaining : 3; + // 1 if this slot has booted successfully, 0 otherwise. + uint8_t successful_boot : 1; + // 1 if this slot is corrupted from a dm-verity corruption, 0 + // otherwise. + uint8_t verity_corrupted : 1; + // Reserved for further use. + uint8_t reserved : 7; +} __attribute__((packed)); + +/* Bootloader Control AB + * + * This struct can be used to manage A/B metadata. It is designed to + * be put in the 'slot_suffix' field of the 'bootloader_message' + * structure described above. It is encouraged to use the + * 'bootloader_control' structure to store the A/B metadata, but not + * mandatory. + */ +struct bootloader_control { + // NUL terminated active slot suffix. + char slot_suffix[4]; + // Bootloader Control AB magic number (see BOOT_CTRL_MAGIC). + uint32_t magic; + // Version of struct being used (see BOOT_CTRL_VERSION). + uint8_t version; + // Number of slots being managed. + uint8_t nb_slot : 3; + // Number of times left attempting to boot recovery. + uint8_t recovery_tries_remaining : 3; + // Ensure 4-bytes alignment for slot_info field. + uint8_t reserved0[2]; + // Per-slot information. Up to 4 slots. + struct slot_metadata slot_info[4]; + // Reserved for further use. + uint8_t reserved1[8]; + // CRC32 of all 28 bytes preceding this field (little endian + // format). + uint32_t crc32_le; +} __attribute__((packed)); + +#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus) +static_assert(sizeof(struct bootloader_control) == + sizeof(((struct bootloader_message_ab *)0)->slot_suffix), + "struct bootloader_control has wrong size"); +#endif + +#ifdef __cplusplus + +#include <string> +#include <vector> + +bool read_bootloader_message(bootloader_message* boot, std::string* err); +bool write_bootloader_message(const bootloader_message& boot, std::string* err); +bool write_bootloader_message(const std::vector<std::string>& options, std::string* err); +bool clear_bootloader_message(std::string* err); + +bool read_wipe_package(std::string* package_data, size_t size, std::string* err); +bool write_wipe_package(const std::string& package_data, std::string* err); + +#else + +#include <stdbool.h> + +// C Interface. +bool write_bootloader_message(const char* options); + +#endif // ifdef __cplusplus + +#endif // _BOOTLOADER_MESSAGE_H diff --git a/device.cpp b/device.cpp index 2465b0778..e717dddf7 100644 --- a/device.cpp +++ b/device.cpp @@ -22,32 +22,42 @@ static const char* MENU_ITEMS[] = { "Apply update from ADB", "Apply update from SD card", "Wipe data/factory reset", +#ifndef AB_OTA_UPDATER "Wipe cache partition", +#endif // !AB_OTA_UPDATER "Mount /system", "View recovery logs", "Run graphics test", "Power off", - NULL + NULL, }; +static const Device::BuiltinAction MENU_ACTIONS[] = { + Device::REBOOT, + Device::REBOOT_BOOTLOADER, + Device::APPLY_ADB_SIDELOAD, + Device::APPLY_SDCARD, + Device::WIPE_DATA, +#ifndef AB_OTA_UPDATER + Device::WIPE_CACHE, +#endif // !AB_OTA_UPDATER + Device::MOUNT_SYSTEM, + Device::VIEW_RECOVERY_LOGS, + Device::RUN_GRAPHICS_TEST, + Device::SHUTDOWN, +}; + +static_assert(sizeof(MENU_ITEMS) / sizeof(MENU_ITEMS[0]) == + sizeof(MENU_ACTIONS) / sizeof(MENU_ACTIONS[0]) + 1, + "MENU_ITEMS and MENU_ACTIONS should have the same length, " + "except for the extra NULL entry in MENU_ITEMS."); + const char* const* Device::GetMenuItems() { return MENU_ITEMS; } Device::BuiltinAction Device::InvokeMenuItem(int menu_position) { - switch (menu_position) { - case 0: return REBOOT; - case 1: return REBOOT_BOOTLOADER; - case 2: return APPLY_ADB_SIDELOAD; - case 3: return APPLY_SDCARD; - case 4: return WIPE_DATA; - case 5: return WIPE_CACHE; - case 6: return MOUNT_SYSTEM; - case 7: return VIEW_RECOVERY_LOGS; - case 8: return RUN_GRAPHICS_TEST; - case 9: return SHUTDOWN; - default: return NO_ACTION; - } + return menu_position < 0 ? NO_ACTION : MENU_ACTIONS[menu_position]; } int Device::HandleMenuKey(int key, int visible) { diff --git a/error_code.h b/error_code.h index 259319ab4..fe38ba476 100644 --- a/error_code.h +++ b/error_code.h @@ -21,7 +21,8 @@ enum ErrorCode { kNoError = -1, kLowBattery = 20, kZipVerificationFailure, - kZipOpenFailure + kZipOpenFailure, + kBootreasonInBlacklist }; enum CauseCode { diff --git a/install.cpp b/install.cpp index 92a62db5f..4a856cd71 100644 --- a/install.cpp +++ b/install.cpp @@ -17,6 +17,7 @@ #include <ctype.h> #include <errno.h> #include <fcntl.h> +#include <inttypes.h> #include <limits.h> #include <string.h> #include <sys/stat.h> @@ -24,12 +25,15 @@ #include <unistd.h> #include <chrono> +#include <limits> +#include <map> #include <string> #include <vector> #include <android-base/parseint.h> #include <android-base/stringprintf.h> #include <android-base/strings.h> +#include <cutils/properties.h> #include <android-base/logging.h> #include "common.h" @@ -45,6 +49,8 @@ extern RecoveryUI* ui; #define ASSUMED_UPDATE_BINARY_NAME "META-INF/com/google/android/update-binary" +static constexpr const char* AB_OTA_PAYLOAD_PROPERTIES = "payload_properties.txt"; +static constexpr const char* AB_OTA_PAYLOAD = "payload.bin"; #define PUBLIC_KEYS_FILE "/res/keys" static constexpr const char* METADATA_PATH = "META-INF/com/android/metadata"; @@ -69,20 +75,27 @@ static int parse_build_number(const std::string& str) { return -1; } -// Read the build.version.incremental of src/tgt from the metadata and log it to last_install. -static void read_source_target_build(ZipArchive* zip, std::vector<std::string>& log_buffer) { +bool read_metadata_from_package(ZipArchive* zip, std::string* meta_data) { const ZipEntry* meta_entry = mzFindZipEntry(zip, METADATA_PATH); if (meta_entry == nullptr) { LOG(ERROR) << "Failed to find " << METADATA_PATH << " in update package"; - return; + return false; } - std::string meta_data(meta_entry->uncompLen, '\0'); - if (!mzReadZipEntry(zip, meta_entry, &meta_data[0], meta_entry->uncompLen)) { + meta_data->resize(meta_entry->uncompLen, '\0'); + if (!mzReadZipEntry(zip, meta_entry, &(*meta_data)[0], meta_entry->uncompLen)) { LOG(ERROR) << "Failed to read metadata in update package"; - return; + return false; } + return true; +} +// Read the build.version.incremental of src/tgt from the metadata and log it to last_install. +static void read_source_target_build(ZipArchive* zip, std::vector<std::string>& log_buffer) { + std::string meta_data; + if (!read_metadata_from_package(zip, &meta_data)) { + return; + } // Examples of the pre-build and post-build strings in metadata: // pre-build-incremental=2943039 // post-build-incremental=2951741 @@ -105,17 +118,148 @@ static void read_source_target_build(ZipArchive* zip, std::vector<std::string>& } } -// If the package contains an update binary, extract it and run it. +// Extract the update binary from the open zip archive |zip| located at |path| +// and store into |cmd| the command line that should be called. The |status_fd| +// is the file descriptor the child process should use to report back the +// progress of the update. static int -try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache, - std::vector<std::string>& log_buffer, int retry_count) +update_binary_command(const char* path, ZipArchive* zip, int retry_count, + int status_fd, std::vector<std::string>* cmd); + +#ifdef AB_OTA_UPDATER + +// Parses the metadata of the OTA package in |zip| and checks whether we are +// allowed to accept this A/B package. Downgrading is not allowed unless +// explicitly enabled in the package and only for incremental packages. +static int check_newer_ab_build(ZipArchive* zip) { - read_source_target_build(zip, log_buffer); + std::string metadata_str; + if (!read_metadata_from_package(zip, &metadata_str)) { + return INSTALL_CORRUPT; + } + std::map<std::string, std::string> metadata; + for (const std::string& line : android::base::Split(metadata_str, "\n")) { + size_t eq = line.find('='); + if (eq != std::string::npos) { + metadata[line.substr(0, eq)] = line.substr(eq + 1); + } + } + char value[PROPERTY_VALUE_MAX]; + + property_get("ro.product.device", value, ""); + const std::string& pkg_device = metadata["pre-device"]; + if (pkg_device != value || pkg_device.empty()) { + LOG(ERROR) << "Package is for product " << pkg_device << " but expected " << value; + return INSTALL_ERROR; + } + + // We allow the package to not have any serialno, but if it has a non-empty + // value it should match. + property_get("ro.serialno", value, ""); + const std::string& pkg_serial_no = metadata["serialno"]; + if (!pkg_serial_no.empty() && pkg_serial_no != value) { + LOG(ERROR) << "Package is for serial " << pkg_serial_no; + return INSTALL_ERROR; + } + + if (metadata["ota-type"] != "AB") { + LOG(ERROR) << "Package is not A/B"; + return INSTALL_ERROR; + } + + // Incremental updates should match the current build. + property_get("ro.build.version.incremental", value, ""); + const std::string& pkg_pre_build = metadata["pre-build-incremental"]; + if (!pkg_pre_build.empty() && pkg_pre_build != value) { + LOG(ERROR) << "Package is for source build " << pkg_pre_build << " but expected " << value; + return INSTALL_ERROR; + } + property_get("ro.build.fingerprint", value, ""); + const std::string& pkg_pre_build_fingerprint = metadata["pre-build"]; + if (!pkg_pre_build_fingerprint.empty() && + pkg_pre_build_fingerprint != value) { + LOG(ERROR) << "Package is for source build " << pkg_pre_build_fingerprint + << " but expected " << value; + return INSTALL_ERROR; + } + + // Check for downgrade version. + int64_t build_timestamp = property_get_int64( + "ro.build.date.utc", std::numeric_limits<int64_t>::max()); + int64_t pkg_post_timestamp = 0; + // We allow to full update to the same version we are running, in case there + // is a problem with the current copy of that version. + if (metadata["post-timestamp"].empty() || + !android::base::ParseInt(metadata["post-timestamp"].c_str(), + &pkg_post_timestamp) || + pkg_post_timestamp < build_timestamp) { + if (metadata["ota-downgrade"] != "yes") { + LOG(ERROR) << "Update package is older than the current build, expected a build " + "newer than timestamp " << build_timestamp << " but package has " + "timestamp " << pkg_post_timestamp << " and downgrade not allowed."; + return INSTALL_ERROR; + } + if (pkg_pre_build_fingerprint.empty()) { + LOG(ERROR) << "Downgrade package must have a pre-build version set, not allowed."; + return INSTALL_ERROR; + } + } + + return 0; +} + +static int +update_binary_command(const char* path, ZipArchive* zip, int retry_count, + int status_fd, std::vector<std::string>* cmd) +{ + int ret = check_newer_ab_build(zip); + if (ret) { + return ret; + } + + // For A/B updates we extract the payload properties to a buffer and obtain + // the RAW payload offset in the zip file. + const ZipEntry* properties_entry = + mzFindZipEntry(zip, AB_OTA_PAYLOAD_PROPERTIES); + if (!properties_entry) { + LOG(ERROR) << "Can't find " << AB_OTA_PAYLOAD_PROPERTIES; + return INSTALL_CORRUPT; + } + std::vector<unsigned char> payload_properties( + mzGetZipEntryUncompLen(properties_entry)); + if (!mzExtractZipEntryToBuffer(zip, properties_entry, + payload_properties.data())) { + LOG(ERROR) << "Can't extract " << AB_OTA_PAYLOAD_PROPERTIES; + return INSTALL_CORRUPT; + } + + const ZipEntry* payload_entry = mzFindZipEntry(zip, AB_OTA_PAYLOAD); + if (!payload_entry) { + LOG(ERROR) << "Can't find " << AB_OTA_PAYLOAD; + return INSTALL_CORRUPT; + } + long payload_offset = mzGetZipEntryOffset(payload_entry); + *cmd = { + "/sbin/update_engine_sideload", + android::base::StringPrintf("--payload=file://%s", path), + android::base::StringPrintf("--offset=%ld", payload_offset), + "--headers=" + std::string(payload_properties.begin(), + payload_properties.end()), + android::base::StringPrintf("--status_fd=%d", status_fd), + }; + return 0; +} +#else // !AB_OTA_UPDATER + +static int +update_binary_command(const char* path, ZipArchive* zip, int retry_count, + int status_fd, std::vector<std::string>* cmd) +{ + // On traditional updates we extract the update binary from the package. const ZipEntry* binary_entry = mzFindZipEntry(zip, ASSUMED_UPDATE_BINARY_NAME); if (binary_entry == NULL) { - mzCloseZipArchive(zip); return INSTALL_CORRUPT; } @@ -124,21 +268,47 @@ try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache, int fd = creat(binary, 0755); if (fd < 0) { PLOG(ERROR) << "Can't make " << binary; - mzCloseZipArchive(zip); return INSTALL_ERROR; } bool ok = mzExtractZipEntryToFile(zip, binary_entry, fd); close(fd); - mzCloseZipArchive(zip); if (!ok) { LOG(ERROR) << "Can't copy " << ASSUMED_UPDATE_BINARY_NAME; return INSTALL_ERROR; } + *cmd = { + binary, + EXPAND(RECOVERY_API_VERSION), // defined in Android.mk + std::to_string(status_fd), + path, + }; + if (retry_count > 0) + cmd->push_back("retry"); + return 0; +} +#endif // !AB_OTA_UPDATER + +// If the package contains an update binary, extract it and run it. +static int +try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache, + std::vector<std::string>& log_buffer, int retry_count) +{ + read_source_target_build(zip, log_buffer); + int pipefd[2]; pipe(pipefd); + std::vector<std::string> args; + int ret = update_binary_command(path, zip, retry_count, pipefd[1], &args); + mzCloseZipArchive(zip); + if (ret) { + close(pipefd[0]); + close(pipefd[1]); + return ret; + } + // When executing the update binary contained in the package, the // arguments passed are: // @@ -188,22 +358,19 @@ try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache, // update attempt. // - const char* args[6]; - args[0] = binary; - args[1] = EXPAND(RECOVERY_API_VERSION); // defined in Android.mk - char temp[16]; - snprintf(temp, sizeof(temp), "%d", pipefd[1]); - args[2] = temp; - args[3] = path; - args[4] = retry_count > 0 ? "retry" : NULL; - args[5] = NULL; + // Convert the vector to a NULL-terminated char* array suitable for execv. + const char* chr_args[args.size() + 1]; + chr_args[args.size()] = NULL; + for (size_t i = 0; i < args.size(); i++) { + chr_args[i] = args[i].c_str(); + } pid_t pid = fork(); if (pid == 0) { umask(022); close(pipefd[0]); - execv(binary, const_cast<char**>(args)); - fprintf(stdout, "E:Can't run %s (%s)\n", binary, strerror(errno)); + execv(chr_args[0], const_cast<char**>(chr_args)); + fprintf(stdout, "E:Can't run %s (%s)\n", chr_args[0], strerror(errno)); _exit(-1); } close(pipefd[1]); @@ -299,33 +466,16 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount, return INSTALL_CORRUPT; } - // Load keys. - std::vector<Certificate> loadedKeys; - if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) { - LOG(ERROR) << "Failed to load keys"; - sysReleaseMap(&map); - return INSTALL_CORRUPT; - } - LOG(INFO) << loadedKeys.size() << " key(s) loaded from " << PUBLIC_KEYS_FILE; - // Verify package. - ui->Print("Verifying update package...\n"); - - auto t0 = std::chrono::system_clock::now(); - int err = verify_file(map.addr, map.length, loadedKeys); - std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0; - ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err); - if (err != VERIFY_SUCCESS) { - LOG(ERROR) << "signature verification failed"; + if (!verify_package(map.addr, map.length)) { log_buffer.push_back(android::base::StringPrintf("error: %d", kZipVerificationFailure)); - sysReleaseMap(&map); return INSTALL_CORRUPT; } // Try to open the package. ZipArchive zip; - err = mzOpenZipArchive(map.addr, map.length, &zip); + int err = mzOpenZipArchive(map.addr, map.length, &zip); if (err != 0) { LOG(ERROR) << "Can't open " << path; log_buffer.push_back(android::base::StringPrintf("error: %d", kZipOpenFailure)); @@ -388,3 +538,25 @@ install_package(const char* path, bool* wipe_cache, const char* install_file, } return result; } + +bool verify_package(const unsigned char* package_data, size_t package_size) { + std::vector<Certificate> loadedKeys; + if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) { + LOG(ERROR) << "Failed to load keys"; + return false; + } + LOG(INFO) << loadedKeys.size() << " key(s) loaded from " << PUBLIC_KEYS_FILE; + + // Verify package. + ui->Print("Verifying update package...\n"); + auto t0 = std::chrono::system_clock::now(); + int err = verify_file(const_cast<unsigned char*>(package_data), package_size, loadedKeys); + std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0; + ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err); + if (err != VERIFY_SUCCESS) { + LOG(ERROR) << "Signature verification failed"; + LOG(ERROR) << "error: " << kZipVerificationFailure; + return false; + } + return true; +} @@ -17,11 +17,10 @@ #ifndef RECOVERY_INSTALL_H_ #define RECOVERY_INSTALL_H_ -#include "common.h" +#include <string> -#ifdef __cplusplus -extern "C" { -#endif +#include "common.h" +#include "minzip/Zip.h" enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE, INSTALL_SKIPPED, INSTALL_RETRY }; @@ -31,8 +30,12 @@ enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE, INSTALL_SK int install_package(const char* root_path, bool* wipe_cache, const char* install_file, bool needs_mount, int retry_count); -#ifdef __cplusplus -} -#endif +// Verify the package by ota keys. Return true if the package is verified successfully, +// otherwise return false. +bool verify_package(const unsigned char* package_data, size_t package_size); + +// Read meta data file of the package, write its content in the string pointed by meta_data. +// Return true if succeed, otherwise return false. +bool read_metadata_from_package(ZipArchive* zip, std::string* meta_data); #endif // RECOVERY_INSTALL_H_ diff --git a/minui/font_10x18.h b/minui/font_10x18.h index 29d705344..30dfb9c56 100644 --- a/minui/font_10x18.h +++ b/minui/font_10x18.h @@ -1,14 +1,14 @@ struct { unsigned width; unsigned height; - unsigned cwidth; - unsigned cheight; + unsigned char_width; + unsigned char_height; unsigned char rundata[2973]; } font = { .width = 960, .height = 18, - .cwidth = 10, - .cheight = 18, + .char_width = 10, + .char_height = 18, .rundata = { 0x7f,0x7f,0x7f,0x7f,0x7f,0x7f,0x7f,0x55,0x82,0x06,0x82,0x02,0x82,0x10,0x82, 0x11,0x83,0x08,0x82,0x0a,0x82,0x04,0x82,0x46,0x82,0x08,0x82,0x07,0x84,0x06, diff --git a/minui/graphics.cpp b/minui/graphics.cpp index c0eea9e38..43ec83f08 100644 --- a/minui/graphics.cpp +++ b/minui/graphics.cpp @@ -35,12 +35,6 @@ #include "minui.h" #include "graphics.h" -struct GRFont { - GRSurface* texture; - int cwidth; - int cheight; -}; - static GRFont* gr_font = NULL; static minui_backend* gr_backend = NULL; @@ -60,15 +54,20 @@ static bool outside(int x, int y) return x < 0 || x >= gr_draw->width || y < 0 || y >= gr_draw->height; } -int gr_measure(const char *s) +const GRFont* gr_sys_font() { - return gr_font->cwidth * strlen(s); + return gr_font; } -void gr_font_size(int *x, int *y) +int gr_measure(const GRFont* font, const char *s) { - *x = gr_font->cwidth; - *y = gr_font->cheight; + return font->char_width * strlen(s); +} + +void gr_font_size(const GRFont* font, int *x, int *y) +{ + *x = font->char_width; + *y = font->char_height; } static void text_blend(unsigned char* src_p, int src_row_bytes, @@ -103,34 +102,32 @@ static void text_blend(unsigned char* src_p, int src_row_bytes, } } -void gr_text(int x, int y, const char *s, bool bold) +void gr_text(const GRFont* font, int x, int y, const char *s, bool bold) { - GRFont* font = gr_font; - if (!font->texture || gr_current_a == 0) return; - bold = bold && (font->texture->height != font->cheight); + bold = bold && (font->texture->height != font->char_height); x += overscan_offset_x; y += overscan_offset_y; unsigned char ch; while ((ch = *s++)) { - if (outside(x, y) || outside(x+font->cwidth-1, y+font->cheight-1)) break; + if (outside(x, y) || outside(x+font->char_width-1, y+font->char_height-1)) break; if (ch < ' ' || ch > '~') { ch = '?'; } - unsigned char* src_p = font->texture->data + ((ch - ' ') * font->cwidth) + - (bold ? font->cheight * font->texture->row_bytes : 0); + unsigned char* src_p = font->texture->data + ((ch - ' ') * font->char_width) + + (bold ? font->char_height * font->texture->row_bytes : 0); unsigned char* dst_p = gr_draw->data + y*gr_draw->row_bytes + x*gr_draw->pixel_bytes; text_blend(src_p, font->texture->row_bytes, dst_p, gr_draw->row_bytes, - font->cwidth, font->cheight); + font->char_width, font->char_height); - x += font->cwidth; + x += font->char_width; } } @@ -267,40 +264,51 @@ unsigned int gr_get_height(GRSurface* surface) { return surface->height; } +int gr_init_font(const char* name, GRFont* dest) { + int res = res_create_alpha_surface(name, &(dest->texture)); + if (res < 0) { + return res; + } + + // The font image should be a 96x2 array of character images. The + // columns are the printable ASCII characters 0x20 - 0x7f. The + // top row is regular text; the bottom row is bold. + dest->char_width = dest->texture->width / 96; + dest->char_height = dest->texture->height / 2; + + return 0; +} + static void gr_init_font(void) { gr_font = reinterpret_cast<GRFont*>(calloc(sizeof(*gr_font), 1)); - int res = res_create_alpha_surface("font", &(gr_font->texture)); + int res = gr_init_font("font", gr_font); if (res == 0) { - // The font image should be a 96x2 array of character images. The - // columns are the printable ASCII characters 0x20 - 0x7f. The - // top row is regular text; the bottom row is bold. - gr_font->cwidth = gr_font->texture->width / 96; - gr_font->cheight = gr_font->texture->height / 2; - } else { - printf("failed to read font: res=%d\n", res); - - // fall back to the compiled-in font. - gr_font->texture = reinterpret_cast<GRSurface*>(malloc(sizeof(*gr_font->texture))); - gr_font->texture->width = font.width; - gr_font->texture->height = font.height; - gr_font->texture->row_bytes = font.width; - gr_font->texture->pixel_bytes = 1; - - unsigned char* bits = reinterpret_cast<unsigned char*>(malloc(font.width * font.height)); - gr_font->texture->data = reinterpret_cast<unsigned char*>(bits); - - unsigned char data; - unsigned char* in = font.rundata; - while((data = *in++)) { - memset(bits, (data & 0x80) ? 255 : 0, data & 0x7f); - bits += (data & 0x7f); - } + return; + } - gr_font->cwidth = font.cwidth; - gr_font->cheight = font.cheight; + printf("failed to read font: res=%d\n", res); + + // fall back to the compiled-in font. + gr_font->texture = reinterpret_cast<GRSurface*>(malloc(sizeof(*gr_font->texture))); + gr_font->texture->width = font.width; + gr_font->texture->height = font.height; + gr_font->texture->row_bytes = font.width; + gr_font->texture->pixel_bytes = 1; + + unsigned char* bits = reinterpret_cast<unsigned char*>(malloc(font.width * font.height)); + gr_font->texture->data = reinterpret_cast<unsigned char*>(bits); + + unsigned char data; + unsigned char* in = font.rundata; + while((data = *in++)) { + memset(bits, (data & 0x80) ? 255 : 0, data & 0x7f); + bits += (data & 0x7f); } + + gr_font->char_width = font.char_width; + gr_font->char_height = font.char_height; } #if 0 diff --git a/minui/minui.h b/minui/minui.h index 5362d3fe3..f6b42c628 100644 --- a/minui/minui.h +++ b/minui/minui.h @@ -33,6 +33,12 @@ struct GRSurface { unsigned char* data; }; +struct GRFont { + GRSurface* texture; + int char_width; + int char_height; +}; + int gr_init(); void gr_exit(); @@ -45,10 +51,14 @@ void gr_fb_blank(bool blank); void gr_clear(); // clear entire surface to current color void gr_color(unsigned char r, unsigned char g, unsigned char b, unsigned char a); void gr_fill(int x1, int y1, int x2, int y2); -void gr_text(int x, int y, const char *s, bool bold); + void gr_texticon(int x, int y, GRSurface* icon); -int gr_measure(const char *s); -void gr_font_size(int *x, int *y); + +const GRFont* gr_sys_font(); +int gr_init_font(const char* name, GRFont* dest); +void gr_text(const GRFont* font, int x, int y, const char *s, bool bold); +int gr_measure(const GRFont* font, const char *s); +void gr_font_size(const GRFont* font, int *x, int *y); void gr_blit(GRSurface* source, int sx, int sy, int w, int h, int dx, int dy); unsigned int gr_get_width(GRSurface* surface); diff --git a/minzip/SysUtil.cpp b/minzip/SysUtil.cpp index 2936c5ca4..4cdd60d9f 100644 --- a/minzip/SysUtil.cpp +++ b/minzip/SysUtil.cpp @@ -118,10 +118,10 @@ static int sysMapBlockFile(FILE* mapf, MemMapping* pMap) break; } size_t length = (end - start) * blksize; - if (end <= start || (end - start) > SIZE_MAX / blksize || length > remaining_size) { - LOG(ERROR) << "unexpected range in block map: " << start << " " << end; - success = false; - break; + if (end <= start || ((end - start) > SIZE_MAX / blksize) || length > remaining_size) { + LOG(ERROR) << "unexpected range in block map: " << start << " " << end; + success = false; + break; } void* addr = mmap64(next, length, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, ((off64_t)start)*blksize); @@ -137,8 +137,8 @@ static int sysMapBlockFile(FILE* mapf, MemMapping* pMap) remaining_size -= length; } if (success && remaining_size != 0) { - LOG(ERROR) << "ranges in block map are invalid: remaining_size = " << remaining_size; - success = false; + LOG(ERROR) << "ranges in block map are invalid: remaining_size = " << remaining_size; + success = false; } if (!success) { close(fd); diff --git a/recovery.cpp b/recovery.cpp index aad24644a..d3f9c47ae 100644 --- a/recovery.cpp +++ b/recovery.cpp @@ -46,6 +46,7 @@ #include <android-base/stringprintf.h> #include <android-base/strings.h> #include <android-base/unique_fd.h> +#include <bootloader_message/bootloader_message.h> #include <cutils/android_reboot.h> #include <cutils/properties.h> #include <healthd/BatteryMonitor.h> @@ -54,7 +55,6 @@ #include <selinux/selinux.h> #include "adb_install.h" -#include "bootloader.h" #include "common.h" #include "device.h" #include "error_code.h" @@ -64,6 +64,7 @@ #include "minadbd/minadbd.h" #include "minui/minui.h" #include "minzip/DirUtil.h" +#include "minzip/Zip.h" #include "roots.h" #include "ui.h" #include "screen_ui.h" @@ -84,10 +85,17 @@ static const struct option OPTIONS[] = { { "shutdown_after", no_argument, NULL, 'p' }, { "reason", required_argument, NULL, 'r' }, { "security", no_argument, NULL, 'e'}, - { "brick", no_argument, NULL, 0 }, + { "wipe_ab", no_argument, NULL, 0 }, + { "wipe_package_size", required_argument, NULL, 0 }, { NULL, 0, NULL, 0 }, }; +// More bootreasons can be found in "system/core/bootstat/bootstat.cpp". +static const std::vector<std::string> bootreason_blacklist { + "kernel_panic", + "Panic", +}; + static const char *CACHE_LOG_DIR = "/cache/recovery"; static const char *COMMAND_FILE = "/cache/recovery/command"; static const char *LOG_FILE = "/cache/recovery/log"; @@ -111,7 +119,7 @@ static const int BATTERY_READ_TIMEOUT_IN_SEC = 10; // So we should check battery with a slightly lower limitation. static const int BATTERY_OK_PERCENTAGE = 20; static const int BATTERY_WITH_CHARGER_OK_PERCENTAGE = 15; -constexpr const char* RECOVERY_BRICK = "/etc/recovery.brick"; +constexpr const char* RECOVERY_WIPE = "/etc/recovery.wipe"; RecoveryUI* ui = NULL; static const char* locale = "en_US"; @@ -301,9 +309,13 @@ static void redirect_stdio(const char* filename) { // - the contents of COMMAND_FILE (one per line) static void get_args(int *argc, char ***argv) { - struct bootloader_message boot; - memset(&boot, 0, sizeof(boot)); - get_bootloader_message(&boot); // this may fail, leaving a zeroed structure + bootloader_message boot = {}; + std::string err; + if (!read_bootloader_message(&boot, &err)) { + LOG(ERROR) << err; + // If fails, leave a zeroed bootloader_message. + memset(&boot, 0, sizeof(boot)); + } stage = strndup(boot.stage, sizeof(boot.stage)); if (boot.command[0] != 0 && boot.command[0] != 255) { @@ -368,16 +380,20 @@ get_args(int *argc, char ***argv) { strlcat(boot.recovery, (*argv)[i], sizeof(boot.recovery)); strlcat(boot.recovery, "\n", sizeof(boot.recovery)); } - set_bootloader_message(&boot); + if (!write_bootloader_message(boot, &err)) { + LOG(ERROR) << err; + } } static void set_sdcard_update_bootloader_message() { - struct bootloader_message boot; - memset(&boot, 0, sizeof(boot)); + bootloader_message boot = {}; strlcpy(boot.command, "boot-recovery", sizeof(boot.command)); strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery)); - set_bootloader_message(&boot); + std::string err; + if (!write_bootloader_message(boot, &err)) { + LOG(ERROR) << err; + } } // Read from kernel log into buffer and write out to file. @@ -528,9 +544,11 @@ finish_recovery() { copy_logs(); // Reset to normal system boot so recovery won't cycle indefinitely. - struct bootloader_message boot; - memset(&boot, 0, sizeof(boot)); - set_bootloader_message(&boot); + bootloader_message boot = {}; + std::string err; + if (!write_bootloader_message(boot, &err)) { + LOG(ERROR) << err; + } // Remove the command file, so recovery won't repeat indefinitely. if (has_cache) { @@ -898,15 +916,79 @@ static bool secure_wipe_partition(const std::string& partition) { return true; } -// Brick the current device, with a secure wipe of all the partitions in -// RECOVERY_BRICK. -static bool brick_device() { +// Check if the wipe package matches expectation: +// 1. verify the package. +// 2. check metadata (ota-type, pre-device and serial number if having one). +static bool check_wipe_package(size_t wipe_package_size) { + if (wipe_package_size == 0) { + LOG(ERROR) << "wipe_package_size is zero"; + return false; + } + std::string wipe_package; + std::string err_str; + if (!read_wipe_package(&wipe_package, wipe_package_size, &err_str)) { + PLOG(ERROR) << "Failed to read wipe package"; + return false; + } + if (!verify_package(reinterpret_cast<const unsigned char*>(wipe_package.data()), + wipe_package.size())) { + LOG(ERROR) << "Failed to verify package"; + return false; + } + + // Extract metadata + ZipArchive zip; + int err = mzOpenZipArchive(reinterpret_cast<unsigned char*>(&wipe_package[0]), + wipe_package.size(), &zip); + if (err != 0) { + LOG(ERROR) << "Can't open wipe package"; + return false; + } + std::string metadata; + if (!read_metadata_from_package(&zip, &metadata)) { + mzCloseZipArchive(&zip); + return false; + } + mzCloseZipArchive(&zip); + + // Check metadata + std::vector<std::string> lines = android::base::Split(metadata, "\n"); + bool ota_type_matched = false; + bool device_type_matched = false; + bool has_serial_number = false; + bool serial_number_matched = false; + for (const auto& line : lines) { + if (line == "ota-type=BRICK") { + ota_type_matched = true; + } else if (android::base::StartsWith(line, "pre-device=")) { + std::string device_type = line.substr(strlen("pre-device=")); + char real_device_type[PROPERTY_VALUE_MAX]; + property_get("ro.build.product", real_device_type, ""); + device_type_matched = (device_type == real_device_type); + } else if (android::base::StartsWith(line, "serialno=")) { + std::string serial_no = line.substr(strlen("serialno=")); + char real_serial_no[PROPERTY_VALUE_MAX]; + property_get("ro.serialno", real_serial_no, ""); + has_serial_number = true; + serial_number_matched = (serial_no == real_serial_no); + } + } + return ota_type_matched && device_type_matched && (!has_serial_number || serial_number_matched); +} + +// Wipe the current A/B device, with a secure wipe of all the partitions in +// RECOVERY_WIPE. +static bool wipe_ab_device(size_t wipe_package_size) { ui->SetBackground(RecoveryUI::ERASING); ui->SetProgressType(RecoveryUI::INDETERMINATE); + if (!check_wipe_package(wipe_package_size)) { + LOG(ERROR) << "Failed to verify wipe package"; + return false; + } std::string partition_list; - if (!android::base::ReadFileToString(RECOVERY_BRICK, &partition_list)) { - LOG(ERROR) << "failed to read \"" << RECOVERY_BRICK << "\""; + if (!android::base::ReadFileToString(RECOVERY_WIPE, &partition_list)) { + LOG(ERROR) << "failed to read \"" << RECOVERY_WIPE << "\""; return false; } @@ -1314,7 +1396,7 @@ static bool is_battery_ok() { } static void set_retry_bootloader_message(int retry_count, int argc, char** argv) { - struct bootloader_message boot {}; + bootloader_message boot = {}; strlcpy(boot.command, "boot-recovery", sizeof(boot.command)); strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery)); @@ -1333,7 +1415,34 @@ static void set_retry_bootloader_message(int retry_count, int argc, char** argv) snprintf(buffer, sizeof(buffer), "--retry_count=%d\n", retry_count+1); strlcat(boot.recovery, buffer, sizeof(boot.recovery)); } - set_bootloader_message(&boot); + std::string err; + if (!write_bootloader_message(boot, &err)) { + LOG(ERROR) << err; + } +} + +static bool bootreason_in_blacklist() { + char bootreason[PROPERTY_VALUE_MAX]; + if (property_get("ro.boot.bootreason", bootreason, nullptr) > 0) { + for (const auto& str : bootreason_blacklist) { + if (strcasecmp(str.c_str(), bootreason) == 0) { + return true; + } + } + } + return false; +} + +static void log_failure_code(ErrorCode code, const char *update_package) { + FILE* install_log = fopen_path(TEMPORARY_INSTALL_FILE, "w"); + if (install_log != nullptr) { + fprintf(install_log, "%s\n", update_package); + fprintf(install_log, "0\n"); + fprintf(install_log, "error: %d\n", code); + fclose(install_log); + } else { + PLOG(ERROR) << "failed to open last_install"; + } } static ssize_t logbasename( @@ -1431,7 +1540,8 @@ int main(int argc, char **argv) { const char *update_package = NULL; bool should_wipe_data = false; bool should_wipe_cache = false; - bool should_brick = false; + bool should_wipe_ab = false; + size_t wipe_package_size = 0; bool show_text = false; bool sideload = false; bool sideload_auto_reboot = false; @@ -1465,8 +1575,11 @@ int main(int argc, char **argv) { case 'r': reason = optarg; break; case 'e': security_update = true; break; case 0: { - if (strcmp(OPTIONS[option_index].name, "brick") == 0) { - should_brick = true; + if (strcmp(OPTIONS[option_index].name, "wipe_ab") == 0) { + should_wipe_ab = true; + break; + } else if (strcmp(OPTIONS[option_index].name, "wipe_package_size") == 0) { + android::base::ParseUint(optarg, &wipe_package_size); break; } break; @@ -1557,15 +1670,12 @@ int main(int argc, char **argv) { BATTERY_OK_PERCENTAGE); // Log the error code to last_install when installation skips due to // low battery. - FILE* install_log = fopen_path(LAST_INSTALL_FILE, "w"); - if (install_log != nullptr) { - fprintf(install_log, "%s\n", update_package); - fprintf(install_log, "0\n"); - fprintf(install_log, "error: %d\n", kLowBattery); - fclose(install_log); - } else { - PLOG(ERROR) << "failed to open last_install"; - } + log_failure_code(kLowBattery, update_package); + status = INSTALL_SKIPPED; + } else if (bootreason_in_blacklist()) { + // Skip update-on-reboot when bootreason is kernel_panic or similar + ui->Print("bootreason is in the blacklist; skip OTA installation\n"); + log_failure_code(kBootreasonInBlacklist, update_package); status = INSTALL_SKIPPED; } else { status = install_package(update_package, &should_wipe_cache, @@ -1609,8 +1719,8 @@ int main(int argc, char **argv) { if (!wipe_cache(false, device)) { status = INSTALL_ERROR; } - } else if (should_brick) { - if (!brick_device()) { + } else if (should_wipe_ab) { + if (!wipe_ab_device(wipe_package_size)) { status = INSTALL_ERROR; } } else if (sideload) { diff --git a/screen_ui.cpp b/screen_ui.cpp index 79b5466a8..cfaecd922 100644 --- a/screen_ui.cpp +++ b/screen_ui.cpp @@ -106,29 +106,41 @@ int ScreenRecoveryUI::PixelsFromDp(int dp) { // Here's the intended layout: -// | regular large -// ---------+-------------------- -// | 220dp 366dp -// icon | (200dp) (200dp) -// | 68dp 68dp -// text | (14sp) (14sp) -// | 32dp 32dp -// progress | (2dp) (2dp) -// | 194dp 340dp +// | portrait large landscape large +// ---------+------------------------------------------------- +// gap | 220dp 366dp 142dp 284dp +// icon | (200dp) +// gap | 68dp 68dp 56dp 112dp +// text | (14sp) +// gap | 32dp 32dp 26dp 52dp +// progress | (2dp) +// gap | 194dp 340dp 131dp 262dp // Note that "baseline" is actually the *top* of each icon (because that's how our drawing // routines work), so that's the more useful measurement for calling code. +enum Layout { PORTRAIT = 0, PORTRAIT_LARGE = 1, LANDSCAPE = 2, LANDSCAPE_LARGE = 3, LAYOUT_MAX }; +enum Dimension { PROGRESS = 0, TEXT = 1, ICON = 2, DIMENSION_MAX }; +static constexpr int kLayouts[LAYOUT_MAX][DIMENSION_MAX] = { + { 194, 32, 68, }, // PORTRAIT + { 340, 32, 68, }, // PORTRAIT_LARGE + { 131, 26, 56, }, // LANDSCAPE + { 262, 52, 112, }, // LANDSCAPE_LARGE +}; + int ScreenRecoveryUI::GetAnimationBaseline() { - return GetTextBaseline() - PixelsFromDp(68) - gr_get_height(loopFrames[0]); + return GetTextBaseline() - PixelsFromDp(kLayouts[layout_][ICON]) - + gr_get_height(loopFrames[0]); } int ScreenRecoveryUI::GetTextBaseline() { - return GetProgressBaseline() - PixelsFromDp(32) - gr_get_height(installing_text); + return GetProgressBaseline() - PixelsFromDp(kLayouts[layout_][TEXT]) - + gr_get_height(installing_text); } int ScreenRecoveryUI::GetProgressBaseline() { - return gr_fb_height() - PixelsFromDp(is_large_ ? 340 : 194) - gr_get_height(progressBarFill); + return gr_fb_height() - PixelsFromDp(kLayouts[layout_][PROGRESS]) - + gr_get_height(progressBarFill); } // Clear the screen and draw the currently selected background icon (if any). @@ -248,7 +260,7 @@ void ScreenRecoveryUI::DrawHorizontalRule(int* y) { } void ScreenRecoveryUI::DrawTextLine(int x, int* y, const char* line, bool bold) { - gr_text(x, *y, line, bold); + gr_text(gr_sys_font(), x, *y, line, bold); *y += char_height_ + 4; } @@ -304,10 +316,10 @@ void ScreenRecoveryUI::draw_screen_locked() { gr_fill(0, y - 2, gr_fb_width(), y + char_height_ + 2); // Bold white text for the selected item. SetColor(MENU_SEL_FG); - gr_text(4, y, menu_[i], true); + gr_text(gr_sys_font(), 4, y, menu_[i], true); SetColor(MENU); } else { - gr_text(4, y, menu_[i], false); + gr_text(gr_sys_font(), 4, y, menu_[i], false); } y += char_height_ + 4; } @@ -323,7 +335,7 @@ void ScreenRecoveryUI::draw_screen_locked() { for (int ty = gr_fb_height() - char_height_; ty >= y && count < text_rows_; ty -= char_height_, ++count) { - gr_text(0, ty, text_[row], false); + gr_text(gr_sys_font(), 0, ty, text_[row], false); --row; if (row < 0) row = text_rows_ - 1; } @@ -440,9 +452,13 @@ void ScreenRecoveryUI::Init() { gr_init(); density_ = static_cast<float>(property_get_int32("ro.sf.lcd_density", 160)) / 160.f; - is_large_ = gr_fb_height() > PixelsFromDp(800); - gr_font_size(&char_width_, &char_height_); + // Are we portrait or landscape? + layout_ = (gr_fb_width() > gr_fb_height()) ? LANDSCAPE : PORTRAIT; + // Are we the large variant of our base layout? + if (gr_fb_height() > PixelsFromDp(800)) ++layout_; + + gr_font_size(gr_sys_font(), &char_width_, &char_height_); text_rows_ = gr_fb_height() / char_height_; text_cols_ = gr_fb_width() / char_width_; diff --git a/screen_ui.h b/screen_ui.h index 4319b76ce..898775778 100644 --- a/screen_ui.h +++ b/screen_ui.h @@ -77,8 +77,8 @@ class ScreenRecoveryUI : public RecoveryUI { // The scale factor from dp to pixels. 1.0 for mdpi, 4.0 for xxxhdpi. float density_; - // True if we should use the large layout. - bool is_large_; + // The layout to use. + int layout_; GRSurface* error_icon; diff --git a/uncrypt/Android.mk b/uncrypt/Android.mk index 09cfdfca5..bb276edd5 100644 --- a/uncrypt/Android.mk +++ b/uncrypt/Android.mk @@ -15,15 +15,6 @@ LOCAL_PATH := $(call my-dir) include $(CLEAR_VARS) -LOCAL_CLANG := true -LOCAL_SRC_FILES := bootloader_message_writer.cpp -LOCAL_MODULE := libbootloader_message_writer -LOCAL_STATIC_LIBRARIES := libbase libfs_mgr -LOCAL_C_INCLUDES := $(LOCAL_PATH)/.. -LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include -include $(BUILD_STATIC_LIBRARY) - -include $(CLEAR_VARS) LOCAL_CLANG := true @@ -33,7 +24,7 @@ LOCAL_C_INCLUDES := $(LOCAL_PATH)/.. LOCAL_MODULE := uncrypt -LOCAL_STATIC_LIBRARIES := libbootloader_message_writer libbase \ +LOCAL_STATIC_LIBRARIES := libbootloader_message libbase \ liblog libfs_mgr libcutils \ LOCAL_INIT_RC := uncrypt.rc diff --git a/uncrypt/include/bootloader_message_writer.h b/uncrypt/include/bootloader_message_writer.h deleted file mode 100644 index e0ca3f44a..000000000 --- a/uncrypt/include/bootloader_message_writer.h +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef BOOTLOADER_MESSAGE_WRITER_H -#define BOOTLOADER_MESSAGE_WRITER_H - -#ifdef __cplusplus -#include <string> -#include <vector> - -bool clear_bootloader_message(std::string* err); - -bool write_bootloader_message(const std::vector<std::string>& options, std::string* err); - -#else -#include <stdbool.h> - -// C Interface. -bool write_bootloader_message(const char* options); -#endif - -#endif // BOOTLOADER_MESSAGE_WRITER_H diff --git a/uncrypt/uncrypt.cpp b/uncrypt/uncrypt.cpp index 7adf88cac..b7867edc5 100644 --- a/uncrypt/uncrypt.cpp +++ b/uncrypt/uncrypt.cpp @@ -110,7 +110,7 @@ #include <android-base/stringprintf.h> #include <android-base/strings.h> #include <android-base/unique_fd.h> -#include <bootloader_message_writer.h> +#include <bootloader_message/bootloader_message.h> #include <cutils/android_reboot.h> #include <cutils/properties.h> #include <cutils/sockets.h> @@ -498,14 +498,31 @@ static bool setup_bcb(const int socket) { return false; } LOG(INFO) << " received command: [" << content << "] (" << content.size() << ")"; + std::vector<std::string> options = android::base::Split(content, "\n"); + std::string wipe_package; + for (auto& option : options) { + if (android::base::StartsWith(option, "--wipe_package=")) { + std::string path = option.substr(strlen("--wipe_package=")); + if (!android::base::ReadFileToString(path, &wipe_package)) { + PLOG(ERROR) << "failed to read " << path; + return false; + } + option = android::base::StringPrintf("--wipe_package_size=%zu", wipe_package.size()); + } + } // c8. setup the bcb command std::string err; - if (!write_bootloader_message({content}, &err)) { + if (!write_bootloader_message(options, &err)) { LOG(ERROR) << "failed to set bootloader message: " << err; write_status_to_socket(-1, socket); return false; } + if (!wipe_package.empty() && !write_wipe_package(wipe_package, &err)) { + PLOG(ERROR) << "failed to set wipe package: " << err; + write_status_to_socket(-1, socket); + return false; + } // c10. send "100" status write_status_to_socket(100, socket); return true; diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk index ed61c7bcc..2bfd01622 100644 --- a/update_verifier/Android.mk +++ b/update_verifier/Android.mk @@ -18,7 +18,10 @@ include $(CLEAR_VARS) LOCAL_CLANG := true LOCAL_SRC_FILES := update_verifier.cpp + LOCAL_MODULE := update_verifier -LOCAL_SHARED_LIBRARIES := libhardware libbase +LOCAL_SHARED_LIBRARIES := libbase libcutils libhardware liblog + +LOCAL_C_INCLUDES += $(LOCAL_PATH)/.. include $(BUILD_EXECUTABLE) diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index 0a040c564..93ac605b1 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -22,22 +22,121 @@ * It relies on dm-verity to capture any corruption on the partitions being * verified. dm-verity must be in enforcing mode, so that it will reboot the * device on dm-verity failures. When that happens, the bootloader should - * mark the slot as unbootable and stops trying. We should never see a device - * started in dm-verity logging mode but with isSlotMarkedSuccessful equals to - * 0. + * mark the slot as unbootable and stops trying. Other dm-verity modes ( + * for example, veritymode=EIO) are not accepted and simply lead to a + * verification failure. * * The current slot will be marked as having booted successfully if the * verifier reaches the end after the verification. * - * TODO: The actual verification part will be added later after we have the - * A/B OTA package format in place. */ +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> #include <string.h> +#include <string> +#include <vector> + +#include <android-base/file.h> #include <android-base/logging.h> +#include <android-base/parseint.h> +#include <android-base/strings.h> +#include <android-base/unique_fd.h> +#include <cutils/properties.h> #include <hardware/boot_control.h> +constexpr auto CARE_MAP_FILE = "/data/ota_package/care_map.txt"; +constexpr int BLOCKSIZE = 4096; + +static bool read_blocks(const std::string& blk_device_prefix, const std::string& range_str) { + char slot_suffix[PROPERTY_VALUE_MAX]; + property_get("ro.boot.slot_suffix", slot_suffix, ""); + std::string blk_device = blk_device_prefix + std::string(slot_suffix); + android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(blk_device.c_str(), O_RDONLY))); + if (fd.get() == -1) { + PLOG(ERROR) << "Error reading partition " << blk_device; + return false; + } + + // For block range string, first integer 'count' equals 2 * total number of valid ranges, + // followed by 'count' number comma separated integers. Every two integers reprensent a + // block range with the first number included in range but second number not included. + // For example '4,64536,65343,74149,74150' represents: [64536,65343) and [74149,74150). + std::vector<std::string> ranges = android::base::Split(range_str, ","); + size_t range_count; + bool status = android::base::ParseUint(ranges[0].c_str(), &range_count); + if (!status || (range_count == 0) || (range_count % 2 != 0) || + (range_count != ranges.size()-1)) { + LOG(ERROR) << "Error in parsing range string."; + return false; + } + + size_t blk_count = 0; + for (size_t i = 1; i < ranges.size(); i += 2) { + unsigned int range_start, range_end; + bool parse_status = android::base::ParseUint(ranges[i].c_str(), &range_start); + parse_status = parse_status && android::base::ParseUint(ranges[i+1].c_str(), &range_end); + if (!parse_status || range_start >= range_end) { + LOG(ERROR) << "Invalid range pair " << ranges[i] << ", " << ranges[i+1]; + return false; + } + + if (lseek64(fd.get(), static_cast<off64_t>(range_start) * BLOCKSIZE, SEEK_SET) == -1) { + PLOG(ERROR) << "lseek to " << range_start << " failed"; + return false; + } + + size_t size = (range_end - range_start) * BLOCKSIZE; + std::vector<uint8_t> buf(size); + if (!android::base::ReadFully(fd.get(), buf.data(), size)) { + PLOG(ERROR) << "Failed to read blocks " << range_start << " to " << range_end; + return false; + } + blk_count += (range_end - range_start); + } + + LOG(INFO) << "Finished reading " << blk_count << " blocks on " << blk_device; + return true; +} + +static bool verify_image(const std::string& care_map_name) { + android::base::unique_fd care_map_fd(TEMP_FAILURE_RETRY(open(care_map_name.c_str(), O_RDONLY))); + // If the device is flashed before the current boot, it may not have care_map.txt + // in /data/ota_package. To allow the device to continue booting in this situation, + // we should print a warning and skip the block verification. + if (care_map_fd.get() == -1) { + LOG(WARNING) << "Warning: care map " << care_map_name << " not found."; + return true; + } + // Care map file has four lines (two lines if vendor partition is not present): + // First line has the block device name, e.g./dev/block/.../by-name/system. + // Second line holds all ranges of blocks to verify. + // The next two lines have the same format but for vendor partition. + std::string file_content; + if (!android::base::ReadFdToString(care_map_fd.get(), &file_content)) { + LOG(ERROR) << "Error reading care map contents to string."; + return false; + } + + std::vector<std::string> lines; + lines = android::base::Split(android::base::Trim(file_content), "\n"); + if (lines.size() != 2 && lines.size() != 4) { + LOG(ERROR) << "Invalid lines in care_map: found " << lines.size() + << " lines, expecting 2 or 4 lines."; + return false; + } + + for (size_t i = 0; i < lines.size(); i += 2) { + if (!read_blocks(lines[i], lines[i+1])) { + return false; + } + } + + return true; +} + int main(int argc, char** argv) { for (int i = 1; i < argc; i++) { LOG(INFO) << "Started with arg " << i << ": " << argv[i]; @@ -59,12 +158,22 @@ int main(int argc, char** argv) { if (is_successful == 0) { // The current slot has not booted successfully. - - // TODO: Add the actual verification after we have the A/B OTA package - // format in place. - - // TODO: Assert the dm-verity mode. Bootloader should never boot a newly - // flashed slot (isSlotMarkedSuccessful == 0) with dm-verity logging mode. + char verity_mode[PROPERTY_VALUE_MAX]; + if (property_get("ro.boot.veritymode", verity_mode, "") == -1) { + LOG(ERROR) << "Failed to get dm-verity mode."; + return -1; + } else if (strcasecmp(verity_mode, "eio") == 0) { + // We shouldn't see verity in EIO mode if the current slot hasn't booted + // successfully before. Therefore, fail the verification when veritymode=eio. + LOG(ERROR) << "Found dm-verity in EIO mode, skip verification."; + return -1; + } else if (strcmp(verity_mode, "enforcing") != 0) { + LOG(ERROR) << "Unexpected dm-verity mode : " << verity_mode << ", expecting enforcing."; + return -1; + } else if (!verify_image(CARE_MAP_FILE)) { + LOG(ERROR) << "Failed to verify all blocks in care map file."; + return -1; + } int ret = module->markBootSuccessful(module); if (ret != 0) { diff --git a/wear_ui.cpp b/wear_ui.cpp index e078134ce..7ca879bcb 100644 --- a/wear_ui.cpp +++ b/wear_ui.cpp @@ -177,7 +177,7 @@ void WearRecoveryUI::draw_screen_locked() // items don't fit on the screen. if (menu_items > menu_end - menu_start) { sprintf(cur_selection_str, "Current item: %d/%d", menu_sel + 1, menu_items); - gr_text(x+4, y, cur_selection_str, 1); + gr_text(gr_sys_font(), x+4, y, cur_selection_str, 1); y += char_height_+4; } @@ -192,10 +192,10 @@ void WearRecoveryUI::draw_screen_locked() gr_fill(x, y-2, gr_fb_width()-x, y+char_height_+2); // white text of selected item SetColor(MENU_SEL_FG); - if (menu[i][0]) gr_text(x+4, y, menu[i], 1); + if (menu[i][0]) gr_text(gr_sys_font(), x+4, y, menu[i], 1); SetColor(MENU); - } else { - if (menu[i][0]) gr_text(x+4, y, menu[i], 0); + } else if (menu[i][0]) { + gr_text(gr_sys_font(), x+4, y, menu[i], 0); } y += char_height_+4; } @@ -216,7 +216,7 @@ void WearRecoveryUI::draw_screen_locked() for (int ty = gr_fb_height() - char_height_ - outer_height; ty > y+2 && count < text_rows; ty -= char_height_, ++count) { - gr_text(x+4, ty, text[row], 0); + gr_text(gr_sys_font(), x+4, ty, text[row], 0); --row; if (row < 0) row = text_rows-1; } @@ -285,7 +285,7 @@ void WearRecoveryUI::Init() { gr_init(); - gr_font_size(&char_width_, &char_height_); + gr_font_size(gr_sys_font(), &char_width_, &char_height_); text_col = text_row = 0; text_rows = (gr_fb_height()) / char_height_; |