| Commit message (Collapse) | Author | Files | Lines |
|
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures
Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
|
|
This reverts commit 5e6c4e9a91674826bf11cab604250b41a9326fd8.
Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420
Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
|
|
This library is empty, and its functionality has moved
into libbinder/libhwbinder.
Bug: 148692216
Test: N/A
Change-Id: Ie50d9130a8e43de7d5b222883169c26ab958e6d7
|
|
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
|
|
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
|
|
Test: sideload OTA
Bug: 139300422
Change-Id: I3369b69242ccd7a64540a0c2d754a5d6fc50d072
|
|
Bug: 146456667
Change-Id: I839223d8fbc365fd3271634143b117604f6aa879
|
|
The layout of the vendor space /misc partition was pretty confusing and
lead to some usage conflicts. To formalize the layout, we create a pixel
specific library with the definition & offset of various flags. The new
library also handles the R/W. As a result, we will leave system domain
/misc definitions in the libbootloader_message.
We also switch the misc_writer binary to use more specific options
instead of writing an arbitrary hex string. So we can avoid redefining
the string & offset in both init script and recovery ui.
Bug: 131775112
Test: unit tests pass, run misc_writer and check contents of /misc
Change-Id: I00f8842a81d1929e31a1de4d5eb09575ffad47c0
|
|
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
|
|
Bug: 134560109
Test: Run recovery_unit_test.
Change-Id: Ibbcdcfd507fa23657ee7ff677208b0003ec382ba
|
|
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.
Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
|
|
And set it to false when installing recovery image via applypatch. We
only need to back up the source partition when doing in-place update
(e.g. when updating a given partition under recovery). When installing
recovery image via applypatch, we won't touch the source partition (i.e.
/boot).
Removing the backup step also allows dropping the dac_override_allowed
permission. Previously it was needed due to the access to /cache.
Because applypatch runs as root:root, while /cache is owned by
system:cache with 0770.
Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
is installed successfully without denials.
Test: recovery_unit_test passes on taimen.
Change-Id: I549a770b511762189d6672a2835b6e403d695919
|
|
Bug: 141272654
Test: TreeHugger (recovery_unit_test no longer fails)
Change-Id: I47cbee274e659e3d90be5a77b215466d2973c7d6
|
|
Tested by running recovery_unit_test as described in
https://android.googlesource.com/platform/bootable/recovery/+/refs/heads/master/README.md
Attempted to build and boot a recovery image with the
same change to confirm it still works, but
m recoveryimage-nodeps
fails for me.
Bug: 140940227
Test: See above
Change-Id: I00545968a0e5684823e505f2ddbe7e993319b5d4
|
|
No longer needed.
Bug: 135558503
Test: build only
Change-Id: Ia1257513c6276cdb01604fbedb411e7412d02b84
|
|
Add the command line option to select the work directory and save the
updated image files. Because some people might have interested in
getting updated images from an ota file.
Also, fix a minor issue that the destination of package_extract_file
needs to be updated if it's a block device. Otherwise, an unintended
file may be extracted in the callers' directory.
Test: run simulation, run unit tests
Change-Id: Ic6a7db0580bc1748d6e080102e4654da4e41fd8c
|
|
Stop building libimgpatch as it's merely a subset of libapplypatch.
Test: unit tests pass
Change-Id: I0735ec053344404434a50e53a36e3f55964c2e4f
|
|
Stop building libimgdiff on device because we are only running
patching there.
Test: unit tests pass
Change-Id: I4225c6b52a536617301a64c405e325799a303b40
|
|
Make sure the simulator succeeds executing common non-A/B update
functions.
Bug: 131911365
Test: run unit tests
Change-Id: I520ce6a8827539b88a9e36f9e67eec30d8b586d4
|
|
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.
This is part of the effort to install larger than 2GiB packages on ILP32
devices.
Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.
Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
|
|
Implement the simulator runtime and build the updater simulator as a host
executable. The code to parse the target-files and mocks the block devices
will be submitted in the follow-up.
Bug: 131911365
Test: unit tests pass
Change-Id: Ib1ba939aec8333ca68a45139514d772ad7a27ad8
|
|
Remove some unnecessary includes or forward declarations. And include
the correct headers to build host executables.
Bug: 131911365
Test: unit tests pass
Change-Id: I62e75f60678159fe24619a4bd386b1416f1a5b5d
|
|
This class adds a wrapper to the runtime dependent functions. Therefore,
the behavior of update on device stays the same, while simulators can
have their own implementations. Also change the caller side of the
registered updater functions to call these runtime wrappers.
Bug: 131911365
Test: unit tests pass, sideload an update on cuttlefish
Change-Id: Ib3ab67132991d67fc132f27120e4152439d16ac5
|
|
bootloader_message.h currently divides /misc into four segments. The
space between 2K and 16K is reserved for vendor use (e.g. bootloader
persists flags). This CL adds a vendor tool "misc_writer", to allow
writing data to the vendor space in /misc, before getting a dedicated
HAL for accessing /misc partition (b/131775112).
Targets need to explicitly include the module, then invoke the
executable to write data. For example, the following command will write
3-byte data ("0xABCDEF") to offset 4 in vendor space (i.e. 2048 + 4 in
/misc).
$ /vendor/bin/misc_writer --vendor-space-offset 4 --hex-string 0xABCDEF
Bug: 132906936
Test: Run recovery_unit_test on crosshatch.
Test: Call the command via init.hardware.rc on crosshatch. Check that
the call finishes successfully. Then check the contents written to
/misc (`dd bs=1 skip=2048 if=/dev/block/sda2 count=32 | xxd`).
Change-Id: I79548fc63fc79b705a0320868690569c3106949f
Merged-In: I79548fc63fc79b705a0320868690569c3106949f
(cherry picked from commit 7ae01698424cc3adf635c324961b1405594f5156)
|
|
bootloader_message.h currently divides /misc into four segments. The
space between 2K and 16K is reserved for vendor use (e.g. bootloader
persists flags). This CL adds a vendor tool "misc_writer", to allow
writing data to the vendor space in /misc, before getting a dedicated
HAL for accessing /misc partition (b/131775112).
Targets need to explicitly include the module, then invoke the
executable to write data. For example, the following command will write
3-byte data ("0xABCDEF") to offset 4 in vendor space (i.e. 2048 + 4 in
/misc).
$ /vendor/bin/misc_writer --vendor-space-offset 4 --hex-string 0xABCDEF
Bug: 132906936
Test: Run recovery_unit_test on crosshatch.
Test: Call the command via init.hardware.rc on crosshatch. Check that
the call finishes successfully. Then check the contents written to
/misc (`dd bs=1 skip=2048 if=/dev/block/sda2 count=32 | xxd`).
Change-Id: I79548fc63fc79b705a0320868690569c3106949f
|
|
The UpdaterInfo class is merely a collection of pointers and POD types.
We can replace it with a Updater class that has the ownership of the
resources. This also makes this class extensible as we plan to add more
functionality in the host simulator.
Bug: 131911365
Test: unit tests pass, run an update on cuttlefish and check last_install
Change-Id: I07ca5963bbee8ae3cb85ccc184464910aa73d4e4
|
|
Bug: http://b/129068177
Test: treehugger
Change-Id: Ie5b2b0cff087f2e9e65a4e77c187e3173357f3ad
|
|
Adds a fuse data provider that parses the metadata from a block map,
reads the data from the given ranges of the block device; and provides
the data to the fuse.
Bug: 127071893
Test: unit tests pass, install a package from block map
Change-Id: Ie9925ee9144e98642505b3f5e1a4a186d2b21ed0
|
|
The results from these functions have boolean semantics. They're
returning `int` prior to this CL, with some of them mixing 0 and
InstallResult. Note that SetUpNonAbUpdateCommands() was returning
INSTALL_CORRUPT / INSTALL_ERROR / 0 prior to this change, but all the
callers handle INSTALL_CORRUPT and INSTALL_ERROR the same way.
This CL changes them to return bool instead.
Test: `mmma -j bootable/recovery`
Test: TreeHugger
Test: Sideload on taimen.
Change-Id: Ic1b5dbf79aaca68b53ab8ea2c8ba3d19f988c571
|
|
Most of the tests in component/ are in fact unit tests. And it doesn't
look practically beneficial to distinguish between the two:
- They have the same test setup;
- We always run both (recovery_unit_test and recovery_component_test)
at the same time;
- Breaking any of them would be equally bad.
This CL merges the tests in recovery_component_test into
recovery_unit_test to save the effort to maintain both.
Test: Run recovery_unit_test on marlin (via `adb sync data`).
Test: `atest recovery_unit_test`
Change-Id: I93ff32e7219cd83425a4bcfe5613978a8dd48d75
|
|
Prior to this CL, GetWipePartitionList was declared in install.h
(libinstall) but defined in recovery.cpp (librecovery). This CL
addresses the issue by refactoring wipe-device related functions into
install/wipe_device.cpp.
Test: atest recovery_component_test
Change-Id: I7ebe04ccfda3d793e085403560a0a202752d9ee3
|
|
This leaves the FD implementation details to subclasses. In particular,
it allows minadbd to do additional works with the FD after sideloading.
Bug: 128415917
Test: atest recovery_component_test
Test: atest minadbd_test
Test: Sideload package on taimen.
Change-Id: I106bbaad05201227bbc5fe28890bbbb06fdcb67e
Merged-In: I106bbaad05201227bbc5fe28890bbbb06fdcb67e
(cherry picked from commit 2be9737cf449dd0650c85ee5168d09b12d386077)
|
|
Also remove the AndroidTest.xml file, which is no longer needed (the
`data` property in Android.bp takes care of that). The AndroidTest.xml
file would otherwise block `atest recovery_host_test` from running.
Test: TreeHugger; check the test result.
Change-Id: If545878a1f3ae627986e19a94b42162f133b9098
|
|
The legacy png files have an empty line in the end. And the recovery
used to match any missing locale, e.g. "he" with that line and gets an
empty image.
Since the empty image is barely useful, we should just error out and
fall back to the default locale.
This reversed the unit test check added in d17a6885253da909e376ba5ca5084f5281f3557c
Bug: 128934634
Test: run locale test with "he" and legacy images, recovery reports
error and doesn't crash even without default locale fall back
Change-Id: Ibdb7dd0b42348de5e392c834cce67ff02be85c24
|
|
This leaves the FD implementation details to subclasses. In particular,
it allows minadbd to do additional works with the FD after sideloading.
Bug: 128415917
Test: atest recovery_component_test
Test: atest minadbd_test
Test: Sideload package on taimen.
Change-Id: I106bbaad05201227bbc5fe28890bbbb06fdcb67e
|
|
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.
Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
|
|
The RSA_verify sitll works for 4096 bits keys. And we just
need to loose the check on modulus.
Sample commands to generate the key & package:
1. openssl genrsa -out keypair.pem 4096
2. openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
-in keypair.pem -out private.pk8
3. openssl req -new -x509 -key keypair.pem -out public.x509.pem \
-days 365
4. java -Djava.library.path=prebuilts/sdk/tools/linux/lib64 -jar \
prebuilts/sdk/tools/lib/signapk.jar -w public.x509.pem private.pk8 \
unsigned.zip signed.zip
Bug: 129163830
Test: unit tests pass
Change-Id: I5a5ff539c9ff1955c02ec2ce4b17563cb92808a4
|
|
We will reuse them to implement the fuse provider from block maps.
Test: unit tests pass, sideload an OTA
Change-Id: Iaa409d19569c4ccc0bb24e12518044fcddb45c69
|
|
This helps to expose librecovery_ui for device specific RecoveryUi.
Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
(cherry picked from commit b5108c372c8b92671ea5ebb4eeff00757fcee187)
|
|
This helps to expose librecovery_ui for device specific RecoveryUi.
Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
|
|
It's no longer needed with the newly added FuseDataProvider class. Also
cleans up the parameters for run_fuse_sideload.
Bug: 127071893
Test: unit tests pass, run a sideload
Change-Id: I1ccd6798d187cfc6ac9f559ffb3f3edf08dad55c
|
|
The fuse data provider for adb/sdcard shares common code and structures.
This cl creates a FuseDataProvider base class and provides
implementations for adb and sdcard.
In the follow cls, we can kill the provider_vtab struct; and also add
another implementation to parse a block map file and provides data.
Test: unit tests pass, sideload a package, apply a package from sdcard
Change-Id: If8311666a52a2e3c0fbae0ee9688fa6d01e4ad09
|
|
This is another implementation of the Package class. And we will later
need it when reading the package from FUSE.
Bug: 127071893
Test: unit tests pass, sideload a file package on sailfish
Change-Id: I3de5d5ef60b29c8b73517d6de3498459d7d95975
|
|
We have already switched to the protobuf format for new builds, and
the downgrade packages will require a data wipe. So it should be safe
to drop the support for text format.
This also helps to save the issue when users sideload a package with a
pending OTA, because the new CareMap contains the fingerprint of the
intended build.
Bug: 128536706
Test: unit tests pass, run update_verifier with legacy CareMap
Change-Id: I1c4d0e54ec591f16cc0a65dac76767725ff9e7c4
(cherry picked from commit aaa6103ae72985d061432745e668df9ca29d6ac2)
|
|
We have already switched to the protobuf format for new builds, and
the downgrade packages will require a data wipe. So it should be safe
to drop the support for text format.
This also helps to save the issue when users sideload a package with a
pending OTA, because the new CareMap contains the fingerprint of the
intended build.
Bug: 128536706
Test: unit tests pass, run update_verifier with legacy CareMap
Change-Id: I1c4d0e54ec591f16cc0a65dac76767725ff9e7c4
|
|
The wipe package used to open the zip file directly from the content
string. Switch to use the interface from the new package class instead.
Bug: 127071893
Test: unit tests pass
Change-Id: I990e7f00c5148710722d17140bab2e343eea3b6b
|
|
Creates a new class handle the package in memory and package read from fd.
Define the new interface functions, and make approximate changes to the
verify and install functions.
Bug: 127071893
Test: unit tests pass, sideload a package
Change-Id: I66ab00654df92471184536fd147b237a86e9c5b5
|
|
This gives us finer control over the partitions to wipe on the host
side.
Bug: 127492427
Test: unit tests pass, install a wipe package on sailfish
Change-Id: I612f8bac743a310f28e365b490ef388b278cfccb
|
|
The intended string constructor is supposed be
basic_string(size_type count, CharT ch). But the parameter is
accidentally reversed when calling the constructor in install_test.
Test: A failed unit test pass
Change-Id: Id9765bfa7d2368ff0d7fbeea45c9c8357864e060
|
|
This reverts commit 9ce1d14ef621459a4ac62ee1bda0b9f51cfa4c38.
Reason for revert: AOSP is fixed with new vendor image
Change-Id: Ie5a9748acdae22a2b9862cb2ecedda7031f77264
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
|
|
This reverts commit 62d0c7873cf81d63078b932edd23ae78677408cd.
Reason for revert: Broke AOSP
Change-Id: I88ef00ebce797f7fdca3678ab93fcae364453a8c
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
|
|
Because set_sched_policy is moved into libprocessgroup an additional
dependency is requred for recovery_component_test to build.
Exempt-From-Owner-Approval: janitorial
Bug: 111307099
Test: builds, boots
Merged-In: I7cf75e473ee1e2837940606c71d15be26db0c3f2
Change-Id: I7cf75e473ee1e2837940606c71d15be26db0c3f2
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
|
|
Because set_sched_policy is moved into libprocessgroup an additional
dependency is requred for recovery_component_test to build.
Exempt-From-Owner-Approval: janitorial
Bug: 111307099
Test: builds, boots
Change-Id: I7cf75e473ee1e2837940606c71d15be26db0c3f2
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
|
|
Move some mounting functionalities to libfs_mgr.
Test: run recovery tests
Bug: 118634720
Bug: 113182233
Change-Id: Ie59376664a744992429f0262ec96d13a1aed30f9
|
|
Seems they're racing with SurfaceFlinger in acquiring the display, which
occasionally takes down the device and leads to test failures.
Bug: 120601844
Test: Run recovery_unit_test on marlin. ScreenRecoveryUITest not
triggered.
Change-Id: I80b21595247a87fc1f2f95aa68df59f58bdf0257
|
|
GRSurface::Create() doesn't need to rely on caller specifying the buffer
size, as it can compute that info based on the given args.
This CL also uses `size_t` for all the parameters in
GRSurface::Create().
Test: Run recovery_unit_test on marlin.
Test: Build and boot into blueline recovery. `Run graphics test`.
Test: Build and boot into blueline charger mode.
Change-Id: Idec9381079196abf13553a475006fefcfca10950
|
|
This is a bug introduced while refactoring init_display_surface(), in
[1]. As a result, user of res_create_multi_display_surface(), which is
effectively `charger` right now, crashes due to buffer overrun.
This CL fixes the wrong arg and adds a sanity test for
res_create_multi_display_surface(). The testdata (battery_scale.png) is
copied from system/core/healthd/images/battery_scale.png.
[1] commit 44820ac1e31ffa029ab5baa71238a11b6db3e6cc.
Bug: 119122296
Test: Run recovery_unit_test on marlin.
Test: Build and boot into charger mode on blueline. Verify that
`charger` no longer crashes.
Change-Id: Ib6d083e1512a9c3c6eb63874d26d22658921d693
|
|
We can adjust the image width with respect to the maximum width of the
wrapped text. This will remove some black margins and reduce the final
size of the images, especially for those with short strings, e.g.
"recovery_error".
Also, add an option to centrally align the text; and fix a boundary
check in the recovery resource test.
Bug: 74397117
Test: Generate and check the image
Change-Id: Ib6cf61a9c99c4aeede16751dc0adfa23ce3f5424
|
|
Test: compile
Bug: 119313545
Change-Id: I664fb32522d01909c603d7b903475c4e9aea9223
|
|
Bug: http://b/119560349
Bug: http://b/112277682
Currently, any binary links in a PGO-enabled static library also needs
to opt into PGO. With b/119560349, this should be done automatically by
the build system. Until then, use the non-PGO version of libhwbinder in
recovery_component_test.
Test: m ANDROID_PGO_INSTRUMENT=all
Change-Id: Ic6e44c1cb6d6f13e60e11a46fd7e5ef54238942b
|
|
For any patching command, the resulting data should always exactly fill
up the given target range.
Test: Run recovery_component_test on marlin.
Change-Id: Ib3cc1fc5c11094e2eab3fe370753db51c7c4135c
|
|
Test: Run recovery_unit_test on marlin.
Test: `Run graphics test` on marlin.
Change-Id: I8239c3d9fb288f80ee11f615402768ff8ef8ecd0
|
|
testdata/jarsigned.zip and testdata/unsigned.zip became dead since
commit 432918603f57de5a3acc6da9ff613d21c857d9fd ("Refactor existing
tests to use gtest").
testdata/patch.bsdiff became dead when applypatch/applypatch.sh was
deleted (commit c3ef089dfac921ef6ca04d5341a4035e8c4feb51).
Test: Run recovery_unit_test and recovery_component_test.
Change-Id: Ie1a7f8850878593fcb7d4554759a539271ffb207
|
|
Test: Run recovery_component_test on marlin.
Change-Id: If23baf42aeacb48500edabc2eadd2e7119a848da
|
|
Clone() allows duplicating the image that's stored in the GRSurface.
Test: Run recovery_unit_test.
Change-Id: Ia50d507c6200f2de5f17143775de805247a60e1f
|
|
Test: Run recovery_unit_test on marlin.
Change-Id: I93ec6df8c056b2c485200822f18db0b852595242
|
|
This prepares for the removal of the default and copy ctors, by making
GRSurface::Create() as the only way to get GRSurface instances.
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Change-Id: I0c34c3f3967e252deb020907c83acbac8a8f36b9
|
|
The two functions check_wipe_package() and check_newer_ab_build() were
using the same flow; and checked the same device properties against the
metadata file in the package. These properties include: ota_type,
pre-device, and serial number.
Therefore, we can consolidate the checks to a single function; and
continue to check the fingerprint and timestamp only for AB updates.
This change also addresses the need to accept multiple serial number in
the wipe package.
Bug: 118401208
Test: unit tests pass
Change-Id: Ia6bc48fb6effcae059a2ff2cf71764b4136b4c00
|
|
Consolidate them into a static function.
Test: unit tests pass
Change-Id: If05b62215940b221fc499d779eedc5079f68a060
|
|
This function is used to parse the result of dumpKeys. It's no longer
needed as we are now parsing the public keys from the zipfile.
Bug: 116655889
Test: unit tests pass
Change-Id: I817906e451664058c644f4329ff499bbe4587ebb
|
|
For RSA keys, check if it has a 2048 bits modulus, and its public
exponent is 3 or 65537. For EC keys, check if the field size is 256
bits for its curve.
Bug: 116655889
Test: unit tests pass
Change-Id: I5c00f4d2b61c98c434f0b49db232155d5d0770ec
|
|
This fixes the build error as the initializer list no longer work
without the proper constructor for c++ class.
Bug: 74397117
Test: unit tests pass
Change-Id: If3ff508a1a01ad5326413dab8e05bacae8a946c8
|
|
These functions take the given GRSurface instances as inputs, which
shouldn't be altered.
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test.
Test: `Run graphics test` on marlin.
Change-Id: I51bf408e85faae2b497d4f148ab1dec22dd16c93
|
|
This CL adds GRSurface::Create() and dtor for managing the allocated
memory in GRSurface class. It also adds GRSurface::data() that hides the
underlying implementation, with both of const and non-const overloads.
This allows `const GRSurface&` to be more useful - previously it only
ensured a const member variable of `data`, instead of a read-only buffer
it points to.
It also marks the parameters in gr_texticon() and gr_blit() as const, as
they're incoming source that shouldn't be altered. It corrects the type
of gr_draw, which is the sink to be painted on (an earlier attempt was
made in [1], but didn't get the full picture correctly).
[1] https://android-review.googlesource.com/c/platform/bootable/recovery/+/704757/
Test: mmma -j bootable/recovery
Test: recovery_unit_test on marlin
Test: Run graphics test on marlin (fbdev).
Test: Run graphics test on blueline (drm).
Change-Id: I7904df084cd6c08fa04a9da97d01b4b1a6e3a20c
|
|
Add a function in screenUI to display the pre-generated graphs for
rescue party. If these graphs are not valid, falls back to display
the old text strings.
Right now we haven't generated the localized graphs yet, so the UI
always shows the TextMenu.
Bug: 116655889
Test: check rescue party under recovery
Change-Id: I0558cb536b659cdc25c8b7946d3a39820935b003
|
|
Add a function to parse the zip archive and load the certificate from
all the zip entries with the suffix "x509.pem".
Bug: 116655889
Test: unittests pass
Change-Id: I93bf7aef7462c0623e89fc2d466d7af2d3a758bc
|
|
As we plan to show localized rescue party dialogs under recovery mode
with pre-generated images, it becomes necessary to show the menu headers
and items with images.
This cl converts the menu class to a interface and derived TextMenu &
GraphicMenu classes. And the GraphicMenu uses GRSurfaces* as the menu header
and a list of GRSurfaces* as menu items.
Moreover, factor out the Draw* functions in the ScreenUI into a separate
DrawInterface. Therefore, the Menu class can access these draw functions and
use them to implement the DrawHeaders & DrawItems neatly.
Bug: 74397117
Test: unittests pass, boot into recovery and check menu
Change-Id: I95cee30f3e5eb666eb6fbcdfc873a7260fc177c1
|
|
We used to convert a pem certificate file to some intermediate plain
text format; and parse that format under recovery mode. This is
uncessary since the x509.pem can be directly parsed with openssl
functions.
Add the function to load the public key from one x509.pem file and
corresponding unit tests. And we will add more cls to extract the pem
files from otacert.zip later.
Bug: 116655889
Test: verify package with 5 supported certficate versions
Change-Id: Ibc6c696c534567f005db75143cc4ef8d4bdea6a0
|
|
The update_verifier now compares the fingerprint of a partition before
performing the blocks read. If the fingerprint of the current system property
mismatches the one embedded in the care_map, verification of this partition
will be skipped. This is useful for the possible system only updates in the
future.
Bug: 114778109
Test: unit tests pass
Change-Id: Iea309148a05109b5810dfb533d94260d77ab8540
|
|
dependency."
This reverts commit 26b86bb1dc895881cf507dfab0850c47c68c2779.
Reason for revert: Dependencies which broke tests due to exclusion from
LOCAL_JNI_SHARED_LIBS have been added.
Change-Id: I364acfe8bd0526fb26f69cc29fb3545fc3e79764
|
|
Test: Ran tests.
Change-Id: I5fa99f7b6b03c7b9247b4f340f3df982063b0e3e
|
|
This reverts commit a71c10b46427388932c662ffe59f6513fd5227c0.
Reason for revert: This breaks framework tests and blocks presubmit
Change-Id: Iae94878889c1e71e2da5336fe75af88dfd3bfcfa
|
|
Bug: 110364143
Bug: 114311116
Test: mm -j64
Change-Id: I3b9174443b00ad57be60881736afde7647351bd1
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
|
|
The refactor separates out the parsing of care_map and the actual
verification of the partitions. Moreover, it skips the verification in case
of a format error in the care map.
Also, the parsing of care_map now uses the suffix of the file to
tell if it has the protobuf format or the plain text format.
Bug: 115740187
Test: unit test pass
Change-Id: I7aa32004db02af1deb7bfdc6f5bd7921eb7883e5
|
|
The recovery-persist used to look for the related recovery logs in
persist storage, and copy them under /data/misc/recovery during the
normal boot process.
As we also want to find out the sideload information from last_install,
it makes more sense to move the parse & report of non-a/b metrics to
recovery-persist. Thus we can avoid the race condition of the file
system between the native code and RecoverySystem.
Bug: 114278989
Test: unit test pass, check the event buffer for metrics report
Change-Id: I32d7b2b831bc74a61a70af9a2f0b8a7e9b3e36ee
|
|
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: Id72e24dd00eb451565d90cff6e049f4f4b844ea2
|
|
applypatch() was initially designed for file-based OTA, operating on
individual files. It was later extended to allow patching eMMC targets
as a whole, in favor of block-based updates.
As we have deprecated file-based OTA since Oreo, part of the code in
applypatch() has become obsolete. This CL refactors the related
functions, by removing the obsolete logic and focusing on eMMC targets.
Since this CL substantially changes applypatch APIs, it adds new
functions to avoid unintentionally mixing them together. In particular,
it removes `applypatch()`, `applypatch_check()`, `applypatch_flash()`,
and adds `PatchPartition()`, `PatchPartitionCheck()`, `FlashPartition()`
and `CheckPartition()`. It also replaces the old Edify functions
`apply_patch()` and `apply_patch_check()` with `patch_partition()` and
`patch_partition_check()` respectively.
This CL requires matching changes to OTA generation script (in the same
topic).
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Test: `m dist` with non-A/B target. Verify
/system/bin/install-recovery.sh on device.
Test: `m dist` with non-A/B target using BOARD_USES_FULL_RECOVERY_IMAGE.
Verify /system/bin/install-recovery.sh on device.
Test: Install an incremental OTA with the new updater and scripts.
Change-Id: Ia34a90114bb227f4216eb478c22dc98c8194cb7f
|
|
Now it's less beneficial to inject I/O faults since we don't see many of
them. Remove the library that mocks I/O failures. And switch to android::base
I/O when possible.
Bug: 113032079
Test: unit tests pass
Change-Id: I9f2a92b7ba80f4da6ff9e2abc27f2680138f942c
|
|
They serve the same purpose as {boot,recovery}.img, except that they're
not structured to be imgdiff'd. Remove the two files and replace all the
uses with {boot,recovery}.img instead.
Bug: 110106408
Test: Run recovery_{unit,component}_test on marlin.
Change-Id: I8e71187d5b0c142ad932f33717f6fae364b43abc
|
|
This would be the top-level class that represents and holds the info
parsed from a transfer list file.
Bug: 112151972
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I83b54df9d1411542eeeb8ef4a2db167e97f989c3
|
|
Bug: 112151972
Test: Run recovery_unit_test on marlin.
Change-Id: Ica2a7b3c768f5d8ca5d591a9560bca9f8ed847c5
|
|
recovery_host_test is now excluded from darwin targets as its
dependency libimgdiff is.
Change-Id: I6aa085125109ed2218572df97f35289b71c354ab
|
|
This file was somehow missed when converting from Android.mk to
Android.bp. This CL addresses the issue by picking up all the .cpp files
in the test source dir.
Test: Run recovery_{unit,component}_test on marlin. Check the reported
number of tests (94 for unit test and 157 for component test).
Change-Id: I50435b07fcb8602ef7b3f7e7d3a69e10b6a5932d
|
|
Also separate libupdater_defaults out to be shareable.
It turns out the `data` property in `cc_test` doesn't follow symlinks as
LOCAL_TEST_DATA does in Android.mk. This CL creates a filegroup in
top-level Android.bp in order to pick up the testdata for ResourcesTest.
Test: `mmma -j bootable/recovery` with aosp_marlin-userdebug
Test: Run recovery_{unit,component,manual}_test on marlin.
Test: Run recovery_host_test.
Change-Id: I4532ab25aeb83c0b0baa8051d5fe34ba7b910a35
|
|
Bug: 112494634
Test: Build and boot into recovery image on taimen. Verify that
`Apply updates from ADB` keeps working.
Test: Run recovery_component_test on marlin.
Change-Id: I9ee8834053fda79a4fd77bfa83eab3cc51a90dff
|
|
Add hash_tree_info to represent the hash tree computation arguments in
the transfer commands 'compute_hash_tree'. Also add its parsing code in
the Command class.
Bug: 25170618
Test: unit tests pass
Change-Id: Ie8607968377968e8fb3e58d1af0b8ca315e145be
|
|
recovery is_battery_ok function uses get_health_service(),
which calls IHealth::getService("default") then
IHealth::getService("backup").
- An OEM can provide the default instance by installing
android.hardware.health@2.0-impl-<device>.so to recovery
partition.
- If that's not found, the "backup" instance is provided
to the recovery partition by default.
Test: call is_battery_ok() in recovery, successfully
get battery information.
Bug: 80132328
Change-Id: Ibfee80636325a07bc20b24d044d007a60b3dd7c2
|
|
This relands the previously reverted CL in commit
c70446ce7b4db79f296833b16ce38eb8a01d83df ("Build and use minadbd as a
shared library."). `recovery` has been built with Soong, so the previous
concern (unintentionally installing `libminadbd_services.so` to normal
system image) no longer holds.
Note that `reocvery` can't use `libminadbd_services.a`, as functions
like `daemon_service_to_fd()` (needed by `libadbd.so`) won't be linked
into `recovery`.
This CL moves the dependency of `libminadbd_services` from `librecovery`
into `recovery`, as only the latter actually relies on it (via
`recovery_main.cpp`). Note that we no longer need to list the transitive
dependency on `libadbd` or `libasyncio`.
Bug: 112494634
Test: `mmma -j bootable/recovery`
Test: Build and boot into recovery with aosp_taimen-userdebug. Verify that
sideloading keeps working.
Test: `build/soong/build_test.bash --dist`
Change-Id: Ic086470b86d6770bede317e0f5534f608fa7b7d2
|
|
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I2617b87d13c585addf0ed2fbae8c3ce443ea7200
|
|
It doesn't change the functionality of the test, but allows easier
conversion to Soong.
Test: Run recovery_component_test on marlin.
Change-Id: Ic7419dc86c6b220531ae44e49ab4657394a5d7fa
|
|
This reverts commit 4fd4f89591fe826cf26167bccaeb2802f14fbdc8.
The reverted CL has a side effect that unintentionally installs
a copy of libminadbd_services.so to the system image. This breaks the
check with `build/soong/build_test.bash --dist` which detects and
prevents vendor modules from installing files to the system image.
Prior to fully converting `recovery` to be built with Soong, we have to
statically link recovery-specific modules into `recovery`.
Bug: 110380063
Test: `m -j bootimage` with aosp_marlin-userdebug
Test: Run minadbd_test on marlin.
Test: Boot into recovery and verify that sideloading still works.
Test: `build/soong/build_test.bash --dist`
Change-Id: I290d55c82e17aa60a5afdf2ff7f896afc4dae8b3
|
|
The former `minadbd` module is now built as a shared library
(`libminadbd_services.so`) that serves sideloading under recovery, with
a dynamic dependency on `libadbd.so`.
This allows sharing and reusing libadbd code on device (both of `adbd`
and `recovery` now uses `libadbd.so`). As a result, it reduces the size
of `recovery` binary from 1407360-byte to (1272880 + 33032)-byte
(aosp_marlin-userdebug).
Bug: 78793464
Test: `m -j bootimage` with aosp_marlin-userdebug
Test: Run minadbd_test on marlin.
Test: Boot into recovery and verify that sideloading still works.
Change-Id: I6c2bc3d351d5af71220a9b9f956c8c039e52c781
|
|
We used to statically link the device-specific recovery UI extension
(`TARGET_RECOVERY_UI_LIB`) into `recovery`. Such a logic can't be easily
migrated to Soong, as modules specified by `TARGET_RECOVERY_UI_LIB` may
not be built with Soong.
Instead of porting all the device-specific codes over, this CL builds
and installs the UI lib as a shared library with Android.mk. `recovery`
dlopen(3)'s and dlsym(3)'s `make_device` to invoke the device-specific
UI lib on start.
Note that in order to make dlopen(3) actually working, we have to switch
`recovery` to be dynamically linked (we will make the move later
anyway).
Bug: 110380063
Test: Build and boot into marlin recovery image. Check that
device-specific recovery UI is successfully loaded.
Change-Id: Ia9861c7559a95f3f50676534540c0cb87cae4574
|
|
The new command is part of the transfer.list and allows us to compute the hash
tree on non-ab devices.
The required arguments for the hash_tree computation are:
hash_tree_ranges
source_ranges
hash_algorithm
salt_hex
root_hash
Bug: 25170618
Test: unit tests pass; run simulator with compute_hash_tree
Change-Id: I8ff0d582cc8adabb8a060db7845f38b35b28e62c
|
|
Normally calling a UI method will block
indefinitely until the UI is actually
used. This creates a method to interrupt
the UI, causing waitKey to return -2. This
in turn, will cause ShowMenu to return -2.
This allows switching between recovery and
fastbootd via usb commands.
Test: adb shell /data/nativetest64/recovery_unit_test/recovery_unit_test
Bug: 78793464
Change-Id: I4c6c9aa18d79070877841a5c9818acf723fa6096
|
|
Switching to the protobuf format helps to make the care_map more
extensible. As we have such plans in the future, add the support to
parse the protobuf message in the update_verifier.
Bug: 77867897
Test: unit tests pass, update_verifier successfully verifies a care_map.pb
Change-Id: I9fe83cb4dd3cc8d6fd0260f2a47338fe142d3938
|
|
This reverts commit c936a6961940a15f7f95befcf35425bad8fa4f7c.
Reason for revert: b/111734137
Change-Id: Ie9c1fdc75d6e87dba7019c4e6d1799af25c2f94a
|
|
This applies to the standalone applypatch executable
(/system/bin/applypatch on device). This executable is only used when
installing (via patching or flashing) a recovery image on non-A/B
device.
This CL removes the support for patching non-eMMC targets from
applypatch that has been deprecated as part of file-based OTA. For
patching eMMC targets, it also drops the support for accepting multiple
patches (not useful, since the source file must be fixed).
This CL needs the matching change in the same topic, which writes the
script of "/system/bin/install-recovery.sh". Note that this CL doesn't
chanage the applypatch API signatures, in order to minimize the CL size.
*BEFORE*
usage: /system/bin/applypatch [-b <bonus-file>] <src-file> <tgt-file> <tgt-sha1> <tgt-size> [<src-sha1>:<patch> ...]
or /system/bin/applypatch -c <file> [<sha1> ...]
or /system/bin/applypatch -l
Filenames may be of the form
EMMC:<partition>:<len_1>:<sha1_1>:<len_2>:<sha1_2>:...
to specify reading from or writing to an EMMC partition.
*AFTER*
Usage:
check mode
applypatch --check EMMC:<target-file>:<target-size>:<target-sha1>
flash mode
applypatch --flash <source-file>
--target EMMC:<target-file>:<target-size>:<target-sha1>
patch mode
applypatch [--bonus <bonus-file>]
--patch <patch-file>
--target EMMC:<target-file>:<target-size>:<target-sha1>
--source EMMC:<source-file>:<source-size>:<source-sha1>
show license
applypatch --license
Bug: 110106408
Test: Run recovery_component_test and recovery_unit_test on marlin.
Test: Build a non-A/B target that has /system/bin/install-recovery.sh.
Verify that it installs recovery image successfully.
Test: Build a non-A/B target that has /system/bin/install-recovery.sh in
flashing mode. Verify that it installs recovery image successfully.
Change-Id: I71f9a71fb457e6f663e0b5511946949e65b4b78c
|
|
Test: compiles
Bug: 78793464
Change-Id: Iff64bc1a597e70f749a9d825f7d386baa427be3d
Merged-In: Iff64bc1a597e70f749a9d825f7d386baa427be3d
(cherry picked from commit 92969c49dce519803ed0a1986781c474b1bbc82f)
|
|
Test: compiles
Bug: 78793464
Change-Id: Iff64bc1a597e70f749a9d825f7d386baa427be3d
|
|
The getopt_long(3) implementation in Android (upstream freebsd) expects
a null-terminated array while parsing long options with required args.
if (long_options[match].has_arg == required_argument) {
optarg = nargv[optind++];
}
...
if (long_options[match].has_arg == required_argument && optarg == NULL) {
return (BADARG);
}
This seems to make sense in practice, as getopt(3) takes the first two
arguments of argc and argv that are "as passed to the main() function on
program invocation", and both of C and C++ spec say "the value of
argv[argc] shall be 0".
Prior to the CL, we may run into undefined behavior on malformed input
command line (e.g. missing arg for an option that requires one). This CL
fixes the issue by always appending a nullptr to the argument list (but
without counting that into argc).
Test: Build and boot into recovery with commands.
Change-Id: Ic6c37548f4db2f30aeabd40f387ca916eeca5392
|
|
TemporaryDir only deletes empty dirs (not done by its dtor because it
tries to keep the temporary files available on error exit).
Also change FreeCacheTest::MockFreeSpaceChecker to be static.
Test: Run recovery_unit_test on marlin. Check /data/local/tmp post-run.
Change-Id: I1bd54eb840e3094b4f22ee84c059eec2998773bf
|
|
Prior to this CL, FreeSpaceForFile() was returning `size_t`, which may
overflow on ILP32 when called on a partition with 4GiB+ free space.
Additionally, it was returning static_cast<size_t>(-1) on error, but the
caller in freecache.cpp didn't check for that.
This CL changes its return type to `int64_t`, and moves the function
into freecache.cpp since there's no external caller.
Test: Run recovery_unit_test on marlin.
Test: Code search shows no external user of FreeSpaceForFile().
Change-Id: I00f501a057726e1f1ab69f367c46c77b30f2d774
|
|
We already know the flakiness happens in bspatch, and the issue is
tracked in b/80193170.
Bug: 67849209
Test: unit tests pass
Change-Id: Ib4772b8f2f0225125096fe7407d083b5bb542cfb
|
|
It used to return a Value blob to be consumed by sha1_check() (which has
been deprecated). Currently there's no other generic updater function
that works with BLOB Values. This CL changes read_file() to return a
string Value to make it more useful (e.g. allowing equality check).
Test: Run recovery_component_test and recovery_unit_test on marlin.
Change-Id: Iba986ba649030112babefe898f26aa9ffe69eeb7
|
|
Also simplify the helper function expect() in {edify,updater}_test.cpp.
Test: Run recovery_component_test on marlin.
Change-Id: If54febba4b5013f6d71546318a1ca6b635204ac8
|
|
Test: mmma -j bootable/recovery
Test: Run recovery_component_test and recovery_unit_test on marlin.
Change-Id: I4b240e3e771c387b9694be9c0f2f74e0265ab4cb
|
|
Also fix an error-pone behavior in previous code when verifying an eMMC
target. As long as it loads the partition content successfully according
to the SHAs embedded in the filename, it shouldn't further check against
the SHAs given in the second argument. Because the loaded contents
relate to a specific partition size.
For example:
apply_patch_check(
"EMMC:/boot.img:src_size:src_hash:tgt_size:tgt_hash",
"src_hash");
Assume "/boot.img" already has the desired hash of "tgt_hash", the
previous code would give wrong verification result. The issue can be
addressed by additionally listing "tgt_hash" as one of the desired SHAs
(or by applying this CL).
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I8daafdbecd083f687e24d563ab089caa25667633
|
|
The matching edify function has been removed from EdifyGenerator [1]. In
theory device-specific releasetools script may still use this function,
but it no longer looks useful. Because a) we should use range_sha1()
when asserting the SHA-1 hash of a block device; b) we should look into
the contents when asserting a text file.
[1] https://android-review.googlesource.com/c/platform/build/+/714104
Test: Run recovery_component_test on marlin.
Test: Code search shows no active user.
Change-Id: Id39439101534fb89cf8c5cea80a4b758c8a1a60d
|
|
This will be used for testing purpose only, replacing the previously
used "fail", to intentionally abort an update.
As we're separating the logic between commands parsing and execution,
"abort" needs to be considered as a valid command during the parsing.
Test: recovery_unit_test and recovery_component_test on marlin.
Change-Id: I47c41c423e62c41cc8515fd92f3c5959be08da02
|
|
... into unit/applypatch_test.cpp. And rename the file to
component/applypatch_modes_test.cpp.
Bug: 110106408
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: Ic23c4f054baa2fa0d5e8ea2fcffd22572f1f112e
|
|
Additionally checks for excess args when parsing ERASE, FREE, NEW, STASH
and ZERO. Note that the check for MOVE, BSDIFF, IMGDIFF has been covered
in Command::ParseTargetInfoAndSourceInfo.
Test: Run recovery_unit_test on marlin.
Change-Id: Ic8bc9b7a8dcf98f1f8db2e259607564508726857
|
|
The added codes are not used in the updater yet. The switch will happen
in subsequent CLs.
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: I1ae8a233280f02c2171b43ef028bdccdacb39c59
|
|
This shortens the gap between A/B and non-A/B builds, by replacing the
dependency on build-time flag with runtime detection instead. It also
allows building and testing both paths regardless of the target OTA
type.
The size increase to /sbin/recovery looks negligible (< 0.01%).
- marlin: increased from 2084928 to 2085024;
- angler: increased from 2084776 to 2084896.
Test: Run recovery_component_test on angler and marlin.
Test: Sideload an A/B OTA package on marlin.
Test: Sideload a non-A/B OTA package on angler.
Change-Id: I1d927d1ede9713fb42f73b4fe324aa5705ee6f99
|
|
It addresses the ScreenRecoveryUITest failures on gce targets which
don't have any graphics backend. Probing for all backend devices in
tests could work, but would duplicate codes. This CL relies on the
result of gr_init().
As a side effect, it may give false negatives if gr_init() is supposed
to work but silently broken. But such issues are beyond
ScreenRecoveryUITest's concern, which should be captured by the tests
for minui or graphics backends instead.
Fixes: 79616356
Test: Run recovery_unit_test on marlin.
Test: Run recovery_unit_test on gce.
Change-Id: I121aacc61c8a614447509506057ecfd8d86163e4
|
|
Test: recovery_component_test on marlin.
Change-Id: I2ac2bd47469d1aec8a97a8c4ed0fe80ffd65c95b
|
|
The threads in RecoveryUI only get initialized if their Init()s finish
successfully.
Test: recovery_unit_test on marlin.
Change-Id: Ic4b62300a3cbd47887d9f4a90dc26f8a7deab616
|
|
As warned below (while running the test), the default death test style
(i.e. "fast") doesn't work well in a threaded context, which causes test
flakiness (timeout or early exit).
[WARNING] external/googletest/googletest/src/gtest-death-test.cc:836:: Death tests use fork(), which is unsafe particularly in a threaded context. For this test, Google Test detected 3 threads.
This CL specifies the death test styles to be "threadsafe" for the
following death tests.
- RangeSetTest.GetBlockNumber
- RangeSetTest.file_range
- ScreenRecoveryUITest.LoadAnimation_MissingAnimation
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin. Test passes and the above
warning is gone.
Change-Id: I245bbc09286702d5cb326f878c4391e842b66cc5
|
|
This is a stress test that instantiates multiple testcases that
interrupt a BBOTA update at every transfer command. Each testcase
asserts the last_command_file after the interruption, verifies the
update resumability, then resumes the update and asserts the updated
image.
The transfer list in the testcase covers most of the transfer commands
(stash/free/move/bsdiff/zero/new), as well as some special pattern like
having duplicate stash ids.
This CL also addresses one issue in the updater code, by resetting the
stash_map before each run. The stash map should be valid only per
block_image_verify/block_image_update run. Having leftover may cause
issue in subsequent runs, in particular when calling block_image_verify
after a previous run of block_image_{update,verify}.
Test: Run recovery_component_test on marlin.
Change-Id: I6f9a0368d194a754ce41a9c9819c6d5be2657248
|
|
Move the commands map parsing out of PerformBlockImageUpdate(), as this
can be done more easily by the caller.
The goal (not done in this CL) is to decouple command parsing logic from
the performers. This allows (a) focusing on the command logic in the
performer; and (b) extending BBOTA commands syntax separately.
Test: Run recovery_unit_test and recovery_component_test.
Change-Id: Ife202398a7660b152d84a3ba17b90f93d19c55f2
|
|
Otherwise tests may interfere with each other by using the same / default
location.
Test: Run recovery_component_test on marlin.
Change-Id: I6b0455489f2fdce819009964dd92bfd9bfeb06ef
|
|
The imgpatch will fail on empty deflates because the bspatch won't call
the sink function if the target length is zero.
Instead of compressing an empty string, it's cleaner to not generate such
empty deflate chunks in the patch. Therefore, we can just convert the
chunk type to raw if the target length is smaller than the patch data.
Also adjust some unit tests and add the testdata gzipped_source &
gzipped_target. These two files are ~1K each and are generated by
gzipping two slightly different regular files.
Bug: 79265132
Test: unit tests pass, imgpatch applys successfully on the given src/tgt
Change-Id: I6bfff3251918137f6762a6f9e9551642371a1124
|
|
Move the common codes into RunBlockImageUpdate(). Also clean up the
partition updated marker after running each test.
Test: Run recovery_component_test on marlin.
Change-Id: Id4302e4da4c664231b737a1e83d2e164ef58ed97
|
|
Test: Build and boot into recovery on walleye. Check the long press
detection; `Run graphics test`.
Change-Id: Ic3e9b0652fc3ff6fb3ad118df5ebb9bb4abda2cd
|
|
Move most source files into librecovery so they become testable. Only
recovery_main.cpp and logging.cpp are built into recovery module, as
they perform one-time setup (e.g. setting up logger).
Test: `mmma -j bootable/recovery` with
aosp_{angler,bullhead,fugu,dragon,marlin}-userdebug
Test: recovery_host_test; recovery_unit_test; recovery_component_test;
recovery_manual_test
Test: Build and boot into recovery image on angler.
Change-Id: Ic4444f87a2f123557c71085f81dc2b2764c05ed8
Merged-In: Ic4444f87a2f123557c71085f81dc2b2764c05ed8
|
|
Move most source files into librecovery so they become testable. Only
recovery_main.cpp and logging.cpp are built into recovery module, as
they perform one-time setup (e.g. setting up logger).
Test: `mmma -j bootable/recovery` with
aosp_{angler,bullhead,fugu,dragon,marlin}-userdebug
Test: recovery_host_test; recovery_unit_test; recovery_component_test;
recovery_manual_test
Test: Build and boot into recovery image on angler.
Change-Id: Ic4444f87a2f123557c71085f81dc2b2764c05ed8
(cherry picked from commit bf4c006d7bc8a4517c82399bbffd9cb09971c0b4)
|
|
Also add tests for LoadAnimation that cover the change.
Test: Run `recovery_unit_test` on marlin.
Change-Id: I0380a5cdd0d85d55baecf7759eb647b6a9f3a085
|
|
Reorder librecovery and librecovery_ui, so that librecovery stays closer
to recovery (in preparation for later changes that move more files
between the two). For the libraries in LOCAL_STATIC_LIBRARIES, reorder
them based on the dependency - local modules coming first, with external
libraries near the end. Sort the local / external modules, unless a
specific order is needed.
In tests/Android.mk, split the monolithic list of LOCAL_STATIC_LIBRARIES
based on modules. This makes adding / finding libraries easier.
There's no functionality in this CL.
Test: mmma -j bootable/recovery
Change-Id: I6836be574df565001ae9cd3d466a2b6460d90d08
|
|
The CL in [1] moved android.os.RecoverySystem to send the locale
argument in well-formed BCP 47 language tags (e.g. "en-US" instead of
"en_US"), with the matching changes to recovery code in [2]. However,
the one in ScreenRecoveryUI::SetLocale() was missed, which broke RTL
locale detection when using new format.
[1] commit 38715228 in platform/frameworks/base
[2] commit 2078b22e in platform/bootable/recovery
Test: Set the locale to "ar-EG". `Run graphics test` under recovery.
Check the progress bar.
Test: Run recovery_unit_test on marlin.
Change-Id: I7c7f5e0725bfb096109c7192c19f3f008e8e47e3
|
|
In order to support that, this CL adds Paths::set_resource_dir() to
override the default resource dir ("/res/images/") that's only available
under recovery. Note that since there're external modules depending on
libminui, it adds a separate function of res_set_resource_dir(), instead
of requiring the dependency on libotautil for everyone.
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Change-Id: I0a7dcf4476808bea9e634eaffc9676f6cbaf92b7
|
|
Test: mmma -j bootable/recovery
Change-Id: I32ab98549e91f993364306e4a88dc654221b3869
|
|
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Test: Build and boot into recovery image on angler. Check the UI that
shows menu ('View recovery log', 'Wipe data', 'Run locale test').
Test: Start recovery with '--prompt_and_wipe_data'. Check the UI.
Change-Id: If8a4209e0bb4ca64f719f9f9465d3b3589a69cdc
|
|
Since we instantiate a Menu object each time for a given set of
header/items, we don't have a use case of re-populating an existing Menu
with different data (which is what Menu::Start() does).
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Test: Build and boot into recovery image on angler. Check the UI.
Change-Id: Iaa2ba9d406ebd74c015e43198c17c5335b38df53
|
|
Export its header (mounts.h) from there, and drop the dot dot dependency
from libupdater / updater.
Test: mmma bootable/recovery
Test: recovery_component_test
Change-Id: Ic26a6b9b78a34dbe1f178b138f3abaafffbec44c
|
|
We have a general need for overriding more paths (e.g. "/tmp"), mostly
for testing purpose. Rename CacheLocation to Paths, and use that to
manage TEMPORARY_{INSTALL,LOG}_FILE.
Test: mmma -j bootable/recovery
Test: recovery_component_test
Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
|
|
Dump the SHA1 of the uncompressed data in applypatch to confirm if we
are at least doing the bspatch part correctly. (I expect so since the actual
length of the uncompressed data matches the expected length).
Also try to decompress the deflate chunk inside the recovery image for
these two flacky tests. In theory, there shouldn't be randomness in
zlib; so we would know if we process the data wrongly if the deflate fails
to decompress.
Bug: 67849209
Test: recovery_component_test
Change-Id: Id947522153b1eeb0d10d161298a96fb045f92018
|
|
The apply patch test should have a deterministic way to append patch
data. Add debug logs to dump the length and SHA1 of each step to further
track down the flakiness.
Also redirect the debug logging to stdout in case the logcat becomes too
chatty.
Bug: 67849209
Test: Run recovery_component_test
Change-Id: I42bafef2d9dee599719ae57840b3d8c00d243ebd
|
|
This allows the update_verifier in a general system image to work across
devices that have different verified boot versions (i.e. not supported /
verified boot 1.0 / verified boot 2.0 / disabled).
Bug: 78283982
Test: Run recovery_component_test on both of marlin and walleye.
Test: Generate an OTA that has this CL. Install this OTA and check the
update_verifier log during the post-reboot verification, on both
of marlin (VB 1.0) and walleye (VB 2.0).
Test: Build and flash walleye image with verified boot disabled. Check
that update_verifier marks the slot as successfully booted.
Change-Id: I828d87d59f911786531f774ffcf9b2ad7c2ca007
|
|
After splitting the previously flaky
ApplyPatchModesTest#PatchModeEmmcTarget tests,
PatchModeEmmcTargetWithMultiplePatches now becomes the sole victim. This
CL dumps additional info to narrow down the cause.
Bug: 67849209
Test: `recovery_component_test` on marlin.
Test: It dumps additional info after using corrupt bonus.file.
Change-Id: Ic5436de457cc882a51d03f49d5cee70077f7d3df
|
|
Although the tests were initially written for checking the validity of
the text images, it doesn't hurt to run them continuously as part of the
component test (recovery_manual_test requires reboots during the run,
due to the nature of the tests of recovery-{refresh,persist}). This also
allows detecting breaking changes to libminui or libpng.
There's a catch that the ResourcesTest won't be triggered via `atest`,
as the res-* testdata won't be picked up via AndroidTest.xml. Explored
a few options but not addressing that in this CL:
- `atest` is not fully working in AOSP yet (missing support in
tools/tradefederation/core/atest/atest.py).
- `atest` doesn't allow specifying the testdata with path in the 'push'
option.
- It won't fail the test run though, as ResourcesTest will skip the
tests automatically when it finds no text image file.
- APCT and manual `adb sync data` are not affected, and I don't see an
active user of `atest` other than a tool for manual test invocation.
- Unrelated to this CL, `atest` doesn't seem to work well with
recovery_component_test or recovery_unit_test while we have both of
them in one AndroidTest.xml. It randomly triggers only one of them,
despite of the given test name. When splitting AndroidTest.xml into
two, it tends to pick up the wrong testdata subdir and gives wrong
results.
Test: Run recovery_manual_test and recovery_component_test on marlin.
Change-Id: I3a237499a7770356e14085674bc8b9cb4551db85
|
|
As a private header for testing purpose. PngHandler additionally loads a
given filename if the one with '/res/images' prefix is not available. It
also provides color_type/bit_depth that are parsed from the PNG file.
This allows reusing the same code for the ResourcesTest (renamed from
ResourceTest).
Test: Run recovery_manual_test on marlin.
Change-Id: I3f939d79a1cb1b83a899847dbe2d51bde15d16d8
|
|
We set the limit of the max stash size to 80% of cache size. But the
cache space can still be insufficient for the update if the log files
occupy a large chunk of /cache. So remove the old logs for now to make
room for the update.
Bug: 77528881
Test: unit tests pass
Change-Id: Ia8bcb0ace11f8164ad9290bfb360e08e31d282cb
|
|
Also push the testdata in AndroidTest.xml for `atest`.
LOCAL_TEST_DATA was added in commit [1], which ships testdata next to
native tests.
With this CL,
1) manually sync-ing via `adb sync` and running tests with `adb shell`
keep working.
2) both of 32- and 64-bit recovery_{unit,component}_test now work in
APCT continuous tests. Note that 64-bit tests were failing
previously in APCT, due to missing testdata.
3) `atest recovery_unit_test` works, as the testdata gets pushed to
/data/local/tmp.
[1] commit d07ba4e2a625a8f000d042c1953adb612bccbbe2 in
https://android-review.googlesource.com/c/platform/build/+/312567.
Bug: 77320514
Test: Build recovery_{unit,component,manual}_test. Setup the test via
`adb sync data`. Run both of 32- and 64-bit versions on device.
Test: Build and run recovery_host_test on host, for both of 32- and
64-bit versions.
Test: `atest recovery_component_test`
Change-Id: Ie54037726043a3a659a80030b83db1f8c1de318d
|
|
Also consolidate the duplicate codes to draw the menu in ScreenRecoveryUI
and WearRecoveryUI. This helps us to support text icons as menu in the
future.
Bug: 74397117
Test: Check the menu under recovery on bullhead and a wear device.
Change-Id: Iba9b646c3828670f0e78a7e07d1a94a44e96bb0b
Merged-In: Iba9b646c3828670f0e78a7e07d1a94a44e96bb0b
|
|
Also consolidate the duplicate codes to draw the menu in ScreenRecoveryUI
and WearRecoveryUI. This helps us to support text icons as menu in the
future.
Bug: 74397117
Test: Check the menu under recovery on bullhead and a wear device.
Change-Id: Iba9b646c3828670f0e78a7e07d1a94a44e96bb0b
(cherry picked from commit 2b3f80068ece1040ba7c923afe1e70b705535ad5)
|
|
Also consolidate the duplicate codes to draw the menu in ScreenRecoveryUI
and WearRecoveryUI. This helps us to support text icons as menu in the
future.
Bug: 74397117
Test: Check the menu under recovery on bullhead and a wear device.
Change-Id: Iba9b646c3828670f0e78a7e07d1a94a44e96bb0b
(cherry picked from commit Iba9b646c3828670f0e78a7e07d1a94a44e96bb0b)
|
|
We have added the support for building /product partition in build
system (the CL in [1]), where /product is an optional partition that
contains system files. This CL adds the matching support if /product
needs to be verified during A/B OTA (i.e. listed in care_map file).
[1]: commit b7735d81054002961b681f4bdf296d4de2701135,
https://android-review.googlesource.com/c/platform/build/+/598454
Bug: 63974895
Test: Run update_verifier test on walleye.
Change-Id: Ia1c35e9583b8e66c98a4495b1f81a5ea7e65036f
(cherry picked from commit ec2e8c6c1ef3cbafa129ade95abca3203e062b5f)
|
|
We have added the support for building /product partition in build
system (the CL in [1]), where /product is an optional partition that
contains system files. This CL adds the matching support if /product
needs to be verified during A/B OTA (i.e. listed in care_map file).
[1]: commit b7735d81054002961b681f4bdf296d4de2701135,
https://android-review.googlesource.com/c/platform/build/+/598454
Bug: 63974895
Test: Run update_verifier test on walleye.
Change-Id: Ia1c35e9583b8e66c98a4495b1f81a5ea7e65036f
|
|
We have been seeing flakiness in continuous test, but unable to
reproduce locally. Break it down into smaller units to narrow down the
cause.
Bug: 67849209
Test: Run recovery_component_test on marlin.
Change-Id: Ia24b0c5d137bad27d502575fcd18d3ca9c9828b6
|
|
/system/bin/applypatch on device is expected to work with bsdiff based
recovery-from-boot patch automatically. Adding a test to ensure that's
always the case.
Bug: 72731506
Test: Run recovery_component_test on marlin.
Change-Id: I56283cd3ce7cf0215cc3bb3619b206fa01d552c4
Merged-In: I56283cd3ce7cf0215cc3bb3619b206fa01d552c4
(cherry picked from commit d612b23dfd58dbe5059ba53d8fd13cbb343b177c)
|
|
introduced as a depedency to libvintf.
Test: builds
Bug: 73556059
Change-Id: Ia51ba81ef462879481dcacb80d9ea9ea35e8b0bb
Merged-In: Ia51ba81ef462879481dcacb80d9ea9ea35e8b0bb
|
|
/system/bin/applypatch on device is expected to work with bsdiff based
recovery-from-boot patch automatically. Adding a test to ensure that's
always the case.
Bug: 72731506
Test: Run recovery_component_test on marlin.
Change-Id: I56283cd3ce7cf0215cc3bb3619b206fa01d552c4
|
|
introduced as a depedency to libvintf.
Test: builds
Bug: 73556059
Change-Id: Ia51ba81ef462879481dcacb80d9ea9ea35e8b0bb
|
|
This class allows us to set the following locations dynamically:
cache_temp_source, last_command_file, stash_directory_base.
In the updater's main function, we reset the values of these variables
to their default locations in /cache; while we can set them to temp
files in unit tests or host simulation.
Test: unit tests pass
Change-Id: I528652650caa41373617ab055d41b1f1a4ec0f87
|
|
In the split mode of imgdiff, we used to assume that the size of a split
target chunk is always greater than the blocksize i.e. 4096. This may
lead to the following assertion failure:
I0221 04:57:33.451323 818464 common.py:205 imgdiff F 02-21 04:57:33 821203 821203 imgdiff.cpp:999]
Check failed: tgt_size >= BLOCK_SIZE (tgt_size=476, BLOCK_SIZE=4096)
This CL removes the assumption and handles the edge cases.
Test: generate and verify the incremental update for TFs in the bug; unit test passes
Bug: 73757557
Bug: 73711365
Change-Id: Iadbb4ee658995f5856cd488f3793980881a59620
|
|
When performing an update, save the index and cmdline of the current
command into the last command file if this command writes to the stash
either explicitly of implicitly. This mitigates the overhead to update
the last command file for every command. I ran a simple test on angler
and the time to update 1000 times is ~2.3 seconds.
Upon resuming an update, read the saved index first; then
1. In verification mode, check if all commands before the saved index
have already produced the expected target blocks. If not, delete the
last command file so that we will later resume the update from the
start of the transfer list.
2. In update mode, skip all commands before the saved index. Therefore,
we can avoid deleting stashes with duplicate id unintentionally;
and also speed up the update.
If an update succeeds or is unresumable, delete the last command file.
Bug: 69858743
Test: Unittest passed, apply a failed update with invalid cmd on angler
and check the last_command content, apply a failed update with invalid
source hash and last_command is deleted.
Change-Id: Ib60ba1e3c6d111d9f33097759b17dbcef97a37bf
|
|
Bug: N/A
Test: builds
Change-Id: I5183ec8133f5dc9a81a438223c6d3d2ea11ef0ec
|
|
Prior to this CL, the block verification works were assigned based on
the pattern of the ranges, which could lead to unbalanced workloads. This
CL adds RangeSet::Split() and moves update_verifier over.
a) For the following care_map.txt on walleye:
system
20,0,347,348,540,556,32770,33084,98306,98620,163842,164156,229378,229692,294914,295228,524289,524291,524292,524348,529059
vendor
8,0,120,135,32770,32831,94564,98304,98306
Measured the time costs prior to and with this CL with the following
script.
$ cat test_update_verifier.sh
#!/bin/sh
adb shell stop
adb shell "cp /data/local/tmp/care_map.txt /data/ota_package/"
for i in $(seq 1 50)
do
echo "Iteration: $i"
adb shell "bootctl set-active-boot-slot 0"
adb shell "echo 3 > /proc/sys/vm/drop_caches"
adb shell "time /data/local/tmp/update_verifier"
sleep 3
done
Without this CL, the average time cost is 5.66s, while with the CL it's
reduced to 3.2s.
b) For the following care_map.txt, measured the performance on marlin:
system
18,0,271,286,457,8350,32770,33022,98306,98558,163842,164094,196609,204800,229378,229630,294914,295166,501547
vendor
10,0,42,44,85,2408,32770,32806,32807,36902,74242
It takes 12.9s and 5.6s without and with the CL respectively.
Fixes: 68553827
Test: recovery_unit_test
Test: Flash new build and trigger update_verifier. Check the balanced
block verification.
Change-Id: I5fa4bf09a84e6b9b0975ee5f522724464181333f
|
|
We used to CHECK and abort on parsing errors. While it works fine for
the updater use case (because recovery starts updater in a forked
process and collects the process exit code), it's difficult for other
clients to use RangeSet as a library (e.g. update_verifier).
This CL switches the aborts to returning empty RangeSet instead. Callers
need to check the parsing results explicitly.
The CL also separates RangeSet::PushBack() into a function, and moves
SortedRangeSet::Clear() into RangeSet.
Test: recovery_unit_test
Test: Sideload an OTA package with the new updater on angler.
Test: Sideload an OTA package with injected range string errors. The
updater aborts from the explicit checks.
Change-Id: If2b7f6f41dc93af917a21c7877a83e98dc3fd016
|
|
This CL mainly changes:
a) moving the interface in struct provider_vtab to std::function;
b) code cleanup, such as moving the declaration closer to the uses,
using explicit type conversion.
Test: recovery_component_test
Test: minadbd_test
Test: Sideload a package on marlin.
Change-Id: Id0e3c70f1ada54a4cd985b54c84438c23ed4687e
|
|
We encountered segfaults in Imgdiff host tests due to the failure to
reset states of getopt. The problem can be solved by switching to use
bionic's gtest where a new process is forked for each test.
Also modify the recovery_component_test to make sure it runs in parallel.
Changes include:
1. Merge the writes to misc partition into one single test.
2. Change the hard coded location "/cache/saved.file" into a configurable
variable.
Bug: 67849209
Test: recovery tests pass
Change-Id: I165d313f32b83393fb7922c5078636ac40b50bc2
|
|
~TemporaryDir() calls rmdir(2) directly, which works with empty
directories only.
Test: Run recovery_host_test; No leftover on host.
Test; Run recovery_component_test on marlin; No leftover on device.
Change-Id: Ib510efb16eeda61b34161e2b386499e6cb79a4ca
|
|
Bug: 34220646
Test: mma
Change-Id: If00285943fff8226f1bc7239db5570a277739904
|
|
As we construct the deflate entries of the target zip file with
random data, the total size of the zip file may vary from case
to case. This leads to occasional failures in the split test for
deflate large apk files. This CL fixes the issue by adding two static
zip files in the testdata instead of generating them dynamically.
Bug: 67849209
Test: run the deflate_large_test repeatedly
Change-Id: Iaeffad9205adefa10c9f62f9f088c33c4360a650
|
|
To avoid closing the same FD twice.
Test: recovery_component_test && recovery_host_test
Change-Id: I95195be8109101081410e9224efda535b2560e72
|
|
bsdiff interface is changing such that it hides the suffix array
pointer from the public interface. This allows to use a different
suffix array data size depending on the input size, running much faster
in the normal case.
Bug: 34220646
Test: `make checkbuild`; Ran an incremental update generation on a non-A/B device.
Change-Id: I78e766da56cf28bc7774b8c8e58527bc11d919fb
|
|
The thread to receive new data may still be alive after we exit
PerformBlockImageUpdate() upon failures. This caused memory corruption
when we run the unittest repeatedly. Set the receiver_available flag
to false and make sure the receiver exits when the update fails.
Bug: 65430057
Test: unittests passed with tsan
Change-Id: Icb232d13fb96c78262249ffbd29cdbe5b77f1fce
|
|
Since it has grown much larger, users of the header shouldn't compile
and carry their full copies.
Also add missing header includes in imgdiff.cpp and imgdiff_test.cpp.
Test: mmma bootable/recovery
Test: recovery_unit_test; recovery_component_test; recovery_host_test
Change-Id: I88ca54171765e5606ab0d61580fbc1ada578fd7d
|
|
Also drop the "bootable/recovery" path in LOCAL_C_INCLUDES from
applypatch modules.
Test: lunch aosp_{angler,bullhead,fugu,dragon,sailfish}-userdebug;
mmma bootable/recovery
Change-Id: Idd602a796894f971ee4f8fa3eafe36c42d9de986
|
|
This reverts commit 26436d6d6010d5323349af7e119ff8f34f85c40c to re-land
"Move error_code.h into otautil.".
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".
This CL needs to land with device-specific module changes (e.g. adding
the dependency on libotautil).
Test: lunch aosp_{angler,bullhead,dragon,fugu,sailfish}-userdebug;
mmma bootable/recovery
Change-Id: If193241801af2dae73eccd31ce57cd2b81c9fd96
|
|
This reverts commit 623fe7e701d5d0fb17082d1ced14498af1b44e5b.
Reason for revert: Need to address device-specific modules.
Change-Id: Ib7a4191e7f193dfff49b02d3de76dda856800251
|
|
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".
Test: mmma bootable/recovery
Change-Id: Ia4649789cef2aaeb2785483660e9ea5a8b389c62
|
|
Commit d80a99883d5ae2b117c54f076fe1df7eae86d2f8 has explanation of
potential issues.
Test: mmma bootable/recovery
Change-Id: I25ca9920952b7bbdd8a661d9dc90962431410bc4
|
|
Add a mandatory option in imgdiff to write the split info (i.e.
patch_size, tgt_size, src_ranges) to file when handling large apks.
Therefore, the caller of imgdiff can create split transfers based on
the info.
Bug: 63542719
Test: unit tests pass
Change-Id: I853d55d1f999fd576474faa81077f7307f4d856d
|
|
Test: unit tests pass
Change-Id: If884e805ccd4df73671ab3436eb90860786ff6c9
|
|
Otherwise the test may fail after a large number of iterations due to
file open failure.
Bug: 65430057
Test: run recovery_component_test on sailfish for 2000 iterations.
Change-Id: I0d456284d6064467038911d63eade95740cbec2c
|
|
Due to the cache size limit for OTA generation, we used to split large
zip files linearly into pieces and do bsdiff on them. As a result, i) we
lose the advantage of imgdiff; ii) if there's an accidental order change
of some huge files inside the zip, we'll create an insanely large patch.
This patch splits the src&tgt more smartly based on the zip entry_name.
If the entry_name is empty or no matching source is found for a target
chunk, we'll skip adding its source and later do a bsdiff against the
whole split source image (this rarely happens in our use cases except
for the metadata inside a ziparchive).
After the split, the target pieces are continuous and block aligned,
while the sources pieces are mutually exclusive. (Some of the source
blocks may not be used if there's no matching entry_name in the target.)
Then we will generate patches accordingly between each split image
pairs.
Afterwards, if we apply imgpatch to each pair of split source/target
images and add up the patched result, we can get back the original
target image.
For example:
Input: [src_image, tgt_image]
Split: [src-0,tgt-0; src-1,tgt-1, src-2,tgt-2]
Diff: [ patch-0; patch-1; patch-2]
Patch: [(src-0,patch-0)=tgt-0; (src-1,patch-1)=tgt-1;
(src-2,patch-2)=tgt-2;]
Append: [tgt-0 + tgt-1 + tgt-2 = tgt_image]
Peformance:
For the small package in b/34220646, we decrease the patch size of
chrome.apk dramatically from 30M to 400K due to the order change of
two big .so files.
On two versions of angler, I also observe decent patch size decrease.
For chrome.apk, we reduced the size from 5.9M to 3.2M; and for
vevlet.apk from 8.0M to 6.5M.
Bug: 34220646
Test: recovery component test && apply imgdiff & imgpatch on two
chrome.apk
Change-Id: I145d802984fa805efbbac9d01a2e64d82ef9728b
|
|
Turn on -Wall for all modules. Also remove the obsolete file_cmp() in
apply_patch test and now() in wear_ui.
The only exception is lib_edify due to the unused functions in the
intermediate cpp files generated from the lex files. It will be handled
in a seperate CL.
Bug: 64939312
Test: mma, unit tests pass
Change-Id: Ic53f76b60b6401ab20db3d98130d674c08e3702f
|
|
The metadata file now can have multiple serial numbers in the format:
serialno=serialno1|serialno2|serialno3 ...
Verifier will pass the check if the device serial number matches any of
these numbers.
Bug: 64802465
Test: Create a metadata file with 1000 numbers and sideload in sailfish.
The checker detects both match and mismatch cases.
Change-Id: I3f12b75e15f4179df260778e37f4563d65db0fa8
|
|
1. Move the declaration of the Image classes to the header file to make
testing easier.
2. Also move rangeset.h to bootable/recovery to allow access in imgdiff.
Test: recovery component test
Change-Id: I68a863e60a3f2e7ae46ee48f48eb15391f5f4330
|
|
It fails to build recovery_component_test with the following errors:
out/soong/.intermediates/hardware/interfaces/boot/1.0/android.hardware.boot@1.0_genc++_headers/gen/android/hardware/boot/1.0/types.h:14:
error: undefined reference to 'android::hardware::hidl_string::hidl_string(android::hardware::hidl_string const&)'
out/soong/.intermediates/hardware/interfaces/boot/1.0/android.hardware.boot@1.0_genc++_headers/gen/android/hardware/boot/1.0/types.h:14:
error: undefined reference to 'android::hardware::hidl_string::operator=(android::hardware::hidl_string
const&)'
out/soong/.intermediates/hardware/interfaces/boot/1.0/android.hardware.boot@1.0_genc++_headers/gen/android/hardware/boot/1.0/types.h:14:
error: undefined reference to 'android::hardware::hidl_string::~hidl_string()'
libupdate_verifier includes <android/hardware/boot/1.0/IBootControl.h>,
which includes the 'types.h' above. In 'types.h', it defines struct
CommandResult that's using android::hardware::hidl_string.
Since libhidlbase doesn't have a static library target, remove
'LOCAL_FORCE_STATIC_EXECUTABLE := true', which isn't required for
running tests.
Test: mmma -j bootable/recovery
Bug: 64538692
Change-Id: Iaa7c08adc241128d787274fcaea9b363e7ff93f4
(cherry picked from commit 102016ce1fe62190ace7016f2e7484b37f6391ea)
|
|
It fails to build recovery_component_test with the following errors:
out/soong/.intermediates/hardware/interfaces/boot/1.0/android.hardware.boot@1.0_genc++_headers/gen/android/hardware/boot/1.0/types.h:14:
error: undefined reference to 'android::hardware::hidl_string::hidl_string(android::hardware::hidl_string const&)'
out/soong/.intermediates/hardware/interfaces/boot/1.0/android.hardware.boot@1.0_genc++_headers/gen/android/hardware/boot/1.0/types.h:14:
error: undefined reference to 'android::hardware::hidl_string::operator=(android::hardware::hidl_string
const&)'
out/soong/.intermediates/hardware/interfaces/boot/1.0/android.hardware.boot@1.0_genc++_headers/gen/android/hardware/boot/1.0/types.h:14:
error: undefined reference to 'android::hardware::hidl_string::~hidl_string()'
libupdate_verifier includes <android/hardware/boot/1.0/IBootControl.h>,
which includes the 'types.h' above. In 'types.h', it defines struct
CommandResult that's using android::hardware::hidl_string.
Since libhidlbase doesn't have a static library target, remove
'LOCAL_FORCE_STATIC_EXECUTABLE := true', which isn't required for
running tests.
Test: mmma -j bootable/recovery
Bug: 64538692
Change-Id: Iaa7c08adc241128d787274fcaea9b363e7ff93f4
|
|
This is useful in imgdiff to maintain the block ranges of
splitted source image.
Bug: 34220646
Test: mma && unit tests pass
Change-Id: I6427f2ea50f0e3b0aa3dd01880ec0206679b7429
|
|
- Changed to std::string based implementation (mostly moved from the
former make_parents() in updater/install.cpp);
- Removed the timestamp parameter, which is only neeed by file-based OTA;
- Changed the type of mode from int to mode_t;
- Renamed dirCreateHierarchy() to mkdir_recursively().
Test: recovery_unit_test passes.
Test: No external user of dirCreateHierarchy() in code search.
Change-Id: I71f8c4b29bab625513bbc3af6d0d1ecdc3a2719a
|
|
This function has become obsolete since we've removed file-based OTA
support (it was needed by 'delete_recursive' edify function earlier).
Test: mmma -j bootable/recovery
Test: Code search shows no active user of the function.
Change-Id: If6faaa759d4c849b79acba4e6adb82baadc89f7a
|
|
This is to cover the code added by commit
5a1dee01df3af346729b5791606b72d59b8e9815, where an O update_verifier
should not reject N care_map.txt.
Bug: 63544345
Test: recovery_component_test passes on marlin.
Change-Id: Ia944e16cba3cc635098b3ffd92842d725b570fec
(cherry picked from commit c319613e06f996aed32da3a1c3e93bf9b04ffa95)
|
|
This is to cover the code added by commit
5a1dee01df3af346729b5791606b72d59b8e9815, where an O update_verifier
should not reject N care_map.txt.
Bug: 63544345
Test: recovery_component_test passes on marlin.
Change-Id: Ia944e16cba3cc635098b3ffd92842d725b570fec
|
|
receive_new_data may exit too early if the zip processor has sent all
the raw data. As a result, the last few 'new' commands will fail even
though the brotli decoder has more output in its buffer.
Restruct the code so that 'NewThreadInfo' owns the decoder state solely;
and receive_brotli_new_data is responsible for the decompression.
Also reduce the test data size to 100 blocks to avoid the test timeout.
Bug: 63802629
Test: recovery_component_test. on bullhead, apply full updates with and
w/o brotli compressed entries, apply an incremental update.
Change-Id: Id429b2c2f31951897961525609fa12c3657216b7
(cherry picked from commit 6ed175d5412deeaec9691f85757e45452407b8e3)
|
|
receive_new_data may exit too early if the zip processor has sent all
the raw data. As a result, the last few 'new' commands will fail even
though the brotli decoder has more output in its buffer.
Restruct the code so that 'NewThreadInfo' owns the decoder state solely;
and receive_brotli_new_data is responsible for the decompression.
Also reduce the test data size to 100 blocks to avoid the test timeout.
Bug: 63802629
Test: recovery_component_test. on bullhead, apply full updates with and
w/o brotli compressed entries, apply an incremental update.
Change-Id: I9442f2536b74e48dbf7eeb062a8539c82c6dab47
|
|
Add the O_CLOEXEC or 'e' accordingly.
Bug: 63510015
Test: recovery tests pass
Change-Id: I7094bcc6af22c9687eb535116b2ca6a59178b303
|
|
Add a new writer that can decode the brotli-compressed system/vendor
new data stored in the OTA zip.
Brotli generally gives better compression rate at the cost of slightly
increased time consumption. The patch.dat is already compressed
by BZ; so there's no point to further compress it.
For the given 1.9G bullhead system image:
Size: 875M -> 787M; ~10% reduction of package size.
Time: 147s -> 153s; ~4% increase of the block_image_update execution time.
(I guess I/O takes much longer time than decompression.)
Also it takes 4 minutes to compress the system image on my local
machine, 3 more minutes than zip.
Test: recovery tests pass && apply a full OTA with brotli compressed
system/vendor.new.dat on bullhead
Change-Id: I232335ebf662a9c55579ca073ad45265700a621e
|
|
In a rare case, a random chunk will pass both the gzip header check
and the inflation process; but fail the uncompressed length check in the
footer. This leads to a imgdiff failure. So, we should treat this chunk
as 'normal' instead of 'inflated' while generating the patch.
Bug: 63334984
Test: imgdiff generates patch successfully on previous failing images.
Change-Id: Ice84f22d3653bce9756bda91e70528c0d2f264a0
|
|
package_extract_dir() was removed in go/aog/402383, and the
corresponding UpdaterTest should be removed as well.
Bug: 62918308
Test: mma && code search
Change-Id: Ibe9c473a5d41d2fa4d26abca5684e71b104891b0
|
|
When using AVB, PRODUCT_SUPPORTS_VERITY is not set so check for
BOARD_ENABLE_AVB as well. Also AVB sets up the root filesystem as
'vroot' so map that to 'system' since this is what is
expected. Managed to test at least that the code is at least compiled
in:
$ fastboot --set-active=_a
Setting current slot to 'a'...
OKAY [ 0.023s]
finished. total time: 0.023s
$ fastboot reboot
rebooting...
finished. total time: 0.050s
$ adb wait-for-device
$ adb logcat |grep update_verifier
03-04 05:28:56.773 630 630 I /system/bin/update_verifier: Started with arg 1: nonencrypted
03-04 05:28:56.776 630 630 I /system/bin/update_verifier: Booting slot 0: isSlotMarkedSuccessful=0
03-04 05:28:56.776 630 630 W /system/bin/update_verifier: Failed to open /data/ota_package/care_map.txt: No such file or directory
03-04 05:28:56.788 630 630 I /system/bin/update_verifier: Marked slot 0 as booted successfully.
03-04 05:28:56.788 630 630 I /system/bin/update_verifier: Leaving update_verifier.
Bug: 62464819
Test: Manually tested on device using AVB bootloader.
Merged-In: I13c0fe1cc5d0f397e36f5e62fcc05c8dfee5fd85
Change-Id: I2834b17688053411e7b904e31df9c83bf904cd56
|
|
When using AVB, PRODUCT_SUPPORTS_VERITY is not set so check for
BOARD_ENABLE_AVB as well. Also AVB sets up the root filesystem as
'vroot' so map that to 'system' since this is what is
expected. Managed to test at least that the code is at least compiled
in:
$ fastboot --set-active=_a
Setting current slot to 'a'...
OKAY [ 0.023s]
finished. total time: 0.023s
$ fastboot reboot
rebooting...
finished. total time: 0.050s
$ adb wait-for-device
$ adb logcat |grep update_verifier
03-04 05:28:56.773 630 630 I /system/bin/update_verifier: Started with arg 1: nonencrypted
03-04 05:28:56.776 630 630 I /system/bin/update_verifier: Booting slot 0: isSlotMarkedSuccessful=0
03-04 05:28:56.776 630 630 W /system/bin/update_verifier: Failed to open /data/ota_package/care_map.txt: No such file or directory
03-04 05:28:56.788 630 630 I /system/bin/update_verifier: Marked slot 0 as booted successfully.
03-04 05:28:56.788 630 630 I /system/bin/update_verifier: Leaving update_verifier.
Bug: None
Test: Manually tested on device using AVB bootloader.
Change-Id: I13c0fe1cc5d0f397e36f5e62fcc05c8dfee5fd85
|
|
It's only used by file-based OTA which has been deprecated for O.
Test: mma
Change-Id: I439c93155ca94554d827142c99aa6c0845cc7561
|
|
This will help us to identify the patch corruption.
Meanwhile fix a wrong size parameter passed to bspatch.
(patch->data.size() into patch->data.size() - patch_offset).
Also remove the only usage of "ApplyBSDiffPatchMem()" and inline its
Sink function for simplicity.
Bug: 37855643
Test: Prints SHA1 for corrupted patch in imgdiff_test.
Change-Id: Ibf2db8c08b0ded1409bb7c91a3547a6bf99c601d
|
|
This allows writing native tests for non-A/B update_binary_command().
Prior to this CL, it was extracting the updater to a hard-coded
location (/tmp/update_binary) that's not available under the test
environment.
Test: recovery_component_test on angler and marlin respectively.
Test: Sideload OTA packages on angler and marlin respectively.
Change-Id: I78b9cc211d90c0a16a84e94e339b65759300e2a8
|
|
run_fuse_sideload() is passing the block size as the max_read
option, so it will only handle a request that involves at most two
blocks at a time. However, the minimal allowed value was set to 1024
prior to this CL, which is inconsistent with the kernel code
(fs/fuse/inode.c) that sets it to the greater of 4096 and the passed-in
max_read option. This would fail the calls with a block size / max_read
less than 4096 due to the wrongly computed block indices.
Note that we didn't observe real issue in practice, because we have been
using 64 KiB block sizes for both of adb and sdcard sideload calls. The
issue only shows up in my local CL (to come later) that uses 1024 block
size in run_fuse_sideload() tests.
Test: recovery_component_test
Test: adb sideload with the new recovery image on angler
Change-Id: Id9f0cfea13d0d193dcb7cd41a1553a23739545f2
|
|
Test: recovery_component_test
Test: recovery_unit_test
Test: Apply an OTA on angler.
Change-Id: I7170f03e4ce1fe06184ca1d7bcce0a695f33ac4d
|
|
Enable -Wall and expose verify_image() for testing purpose.
Test: mmma bootable/recovery
Test: recovery_component_test
Change-Id: I1ee1db2a775bafdc1112e25a1bc7194d8d6aee4f
|
|
The SpaceMode (applypatch -s) was used in amend script (cupcake) only,
which has been removed since commit
9ce2ebf5d300eba5f6086583b0941ef68a3e4b42 (platform/build). The later
(and current) edify script uses apply_patch_space().
Note that other modes (PatchMode, CheckMode) of applypatch executable
are mostly used by install-recovery.sh script.
Test: No active user of "applypatch -s".
Test: recovery_component_test
Change-Id: I1d689b7fedd3884077e88ed1d6c22f7a2198859d
|
|
This now covers the actual calls to libvintf, and asserts we're getting
identical results through verify_package_compatibility() and by calling
libvintf directly.
We were missing the coverage and introduced the double free bug (fixed
by commit f978278995d02a58e311fe017bdbb2c3702dd3bc).
Bug: 37413730
Test: recovery_component_test passes.
Test: recovery_component_test fails w/o commit
f978278995d02a58e311fe017bdbb2c3702dd3bc.
Change-Id: If5195ea1c583fd7c440a1de289da82145e80e23c
(cherry picked from commit f2784b6a43e54ed67bc30ac456f66f11bd16bc74)
|
|
ApplyPatchFullTest and ApplyPatchDoubleCacheTest were used for defining
testcases for file-based OTA. The testcases have already been removed by
commit 40e144dae877654f75e65242535036058ea48f58. This CL removes the
obsolete class defnitions.
Bug: 37559618
Test: recovery_component_test on angler and marlin respectively.
Change-Id: I3f4f1dfc8580cf010365e671de256f68bbc0d99a
|
|
This now covers the actual calls to libvintf, and asserts we're getting
identical results through verify_package_compatibility() and by calling
libvintf directly.
We were missing the coverage and introduced the double free bug (fixed
by commit f978278995d02a58e311fe017bdbb2c3702dd3bc).
Bug: 37413730
Test: recovery_component_test passes.
Test: recovery_component_test fails w/o commit
f978278995d02a58e311fe017bdbb2c3702dd3bc.
Change-Id: If5195ea1c583fd7c440a1de289da82145e80e23c
|
|
The libvintf API has landed. Hook up to do the actual verification.
Bug: 36597505
Test: recovery_component_test
Test: m recoveryimage; adb sideload on angler and sailfish, with
packages that contain dummy compatibility entries.
Test: m recoveryimage; adb sideload on angler and sailfish, with
packages that don't contain any compatibility entries.
Change-Id: Idbd6f5aaef605ca51b20e667505d686de5ac781f
(cherry picked from commit da320ac6ab53395ddff3cc08b88a61f977ed939a)
|
|
The libvintf API has landed. Hook up to do the actual verification.
Bug: 36597505
Test: recovery_component_test
Test: m recoveryimage; adb sideload on angler and sailfish, with
packages that contain dummy compatibility entries.
Test: m recoveryimage; adb sideload on angler and sailfish, with
packages that don't contain any compatibility entries.
Change-Id: Idbd6f5aaef605ca51b20e667505d686de5ac781f
|
|
Test: recovery_component_test
Change-Id: I672a6a4f101c72e82b9f25f165dccd1c9520627b
|
|
Expose update_binary_command() through private/install.h for testing
purpose.
Also make minor clean-ups to install.cpp: a) adding more verbose logging
on ExtractToMemory failures; b) update_binary_command() taking
std::string instead of const char*; c) moving a few macro and global
constants into update_binary_command().
Bug: 37300957
Test: recovery_component_test on marlin
Test: Build new recovery and adb sideload on angler and sailfish.
Change-Id: Ib2d9068af3fee038f01c90940ccaeb0a7da374fc
Merged-In: Ib2d9068af3fee038f01c90940ccaeb0a7da374fc
(cherry picked from commit bc4b1fe4c4305ebf0fbfc891b9b508c14b5c8ef8)
|
|
Expose update_binary_command() through private/install.h for testing
purpose.
Also make minor clean-ups to install.cpp: a) adding more verbose logging
on ExtractToMemory failures; b) update_binary_command() taking
std::string instead of const char*; c) moving a few macro and global
constants into update_binary_command().
Bug: 37300957
Test: recovery_component_test on marlin
Test: Build new recovery and adb sideload on angler and sailfish.
Change-Id: Ib2d9068af3fee038f01c90940ccaeb0a7da374fc
|
|
verify_package_compatibility() is added to parse the compatibility entry
(compatibility.zip) in a given OTA package. If entry is present, the
information is sent to libvintf to check the compatibility.
This CL doesn't actually call libvintf, since the API there is not
available yet.
Bug: 36597505
Test: Doesn't break the install with existing packages (i.e. w/o the
compatibility entry).
Test: recovery_component_test
Change-Id: I3903ffa5f6ba33a5c0d761602ade6290c6752596
(cherry picked from commit 62e0bc7586077b3bde82759fb34b51b982cea20f)
|
|
verify_package_compatibility() is added to parse the compatibility entry
(compatibility.zip) in a given OTA package. If entry is present, the
information is sent to libvintf to check the compatibility.
This CL doesn't actually call libvintf, since the API there is not
available yet.
Bug: 36597505
Test: Doesn't break the install with existing packages (i.e. w/o the
compatibility entry).
Test: recovery_component_test
Change-Id: I3903ffa5f6ba33a5c0d761602ade6290c6752596
|
|
Right now the update stuck in a deadlock if there's less new data than
expection. Add some checkers and abort the update if such case happens.
Also add a corresponding test.
Bug: 36787146
Test: update aborts correctly on bullhead && recovery_component_test passes
Change-Id: I914e4a2a4cf157b99ef2fc65bd21c6981e38ca47
|
|
Since commit fb00d82f32446804f7149bc6846dcc580cf0db1d has added
get_bootloader_message_blk_device() as an API, switch the tests-local
implementation to it.
Test: recovery_component_test on angler.
Test: recovery_component_test on a local build that doesn't have /misc.
Change-Id: I4f5f542cb9ef58292c587a677da73d8822db7262
|
|
This CL makes the following changes to RangeSet:
- Uses std::pair<size_t, size_t> to represent a Range;
- Uses std::vector<Range> to represent a RangeSet;
- Provides const iterators (forward and reverse);
- Provides const accessor;
- 'blocks()' returns the number of blocks (formerly 'size');
- 'size()' returns the number of Range's (formerly 'count').
Test: recovery_unit_test
Test: Apply an incremental update with the new updater.
Change-Id: Ia1fbb343370a152e1f7aa050cf914c2da09b1396
|
|
Also move RangeSet into a header file to make it testable, and add unit
tests.
In RangeSet::Parse() (the former parse_range()), use libbase logging to
do assertions. This has the same effect as the previous
exit(EXIT_FAILURE) to terminate the updater process and abort an update.
The difference lies in the exit status code (i.e. WEXITSTATUS(status) in
install.cpp), which changes from 1 (i.e. EXIT_FAILURE) to 0.
Test: recovery_unit_test
Test: Apply an incremental update with the new updater.
Change-Id: Ie8393c78b0d8ae0fd5f0ca0646d871308d71fff0
|
|
Per the comment in build/make/core/base_rules.mk:
Ninja has an implicit dependency on the command being run, and kati will
regenerate the ninja manifest if any read makefile changes, so there is no
need to have dependencies on makefiles.
Test: mmma bootable/recovery
Change-Id: I27b97df10d40f39ad966be70b33811175a665439
|
|
Design doc:
Generalized Suites & the Unification of APCT & CTS Workflows Design/Roadmap
https://docs.google.com/document/d/1eabK3srlBLouMiBMrNP3xJPiRRdcoCquNxC8gBWPvx8/edit#heading=h.78vup5eivwzo
Details about test configs changes are tracked in doc
https://docs.google.com/document/d/1EWUjJ7fjy8ge_Nk0YQbFdRp8DSHo3z6GU0R8jLgrAcw/edit#
Bug: 35882476
Test: local test
Change-Id: I51e1b410536469d254ae7a353bc61a7df06c8324
|
|
Test: mmma bootable/recovery
Change-Id: I909164fed84fb17a7e1cb2427cb88208a69dc052
|
|
am: 5ec12126f0
Change-Id: Ia6b861c91958d3be23a4a7456d6d5d8e4a1607c8
(cherry picked from commit 9166f66eee883d6d6cc280a6c355e5528bb4a3f0)
|
|
Also factor out the common parts in {setup,clear}_bcb into a separate
function.
Test: recovery_component_test
Change-Id: I7b95cced925c8135e020dcb791ca2425d4f28449
|
|
Test: mmma bootable/recovery system/update_engine
Test: recovery_component_test
Change-Id: I93c2caa87bf94a53509bb37f98f2c02bcadb6f5c
|
|
Mostly for applypatch family APIs like ApplyBSDiffPatch() and
ApplyImagePatch(). Changing to size_t doesn't indicate they would
necessarily work with very large size_t (e.g. > ssize_t), just
similar to write(2). But otherwise accepting negative length doesn't
make much sense.
Also change the return type of SinkFn from ssize_t to size_t. Callers
tell a successful sink by comparing the number of written bytes against
the desired value. Negative return values like -1 are not needed. This
also makes it consistent with bsdiff::bspatch interface.
Test: recovery_component_test
Test: Apply an incremental with the new updater.
Change-Id: I7ff1615203a5c9854134f75d019e266f4ea6e714
|
|
For the BadPackage tests from VerifierTest: one alters the footer, and
the other alters the metadata. Move the two tests to be based on
otasigned_v3.zip (they're based on otasigned_v1.zip previously). Also
construct the testdata files dynamically (to save the space and for
better readability).
Test: recovery_component_test
Change-Id: I7604d563f8b4fa0c55fec8730c063384158e3abc
(cherry picked from commit 217d9f98595076f344746bffdafb4314191f3e1b)
|
|
For the BadPackage tests from VerifierTest: one alters the footer, and
the other alters the metadata. Move the two tests to be based on
otasigned_v3.zip (they're based on otasigned_v1.zip previously). Also
construct the testdata files dynamically (to save the space and for
better readability).
Test: recovery_component_test
Change-Id: I7604d563f8b4fa0c55fec8730c063384158e3abc
|
|
Test: Observe the same failure with recovery_component_test ("signature
start: 65535 is larger than comment size: 0").
Change-Id: I98c357b5df2fa4caa9d8eed63af2e945ed99f18a
|
|
Switch the locale header in the png files from Locale.toString() to
Locale.toLanguageTag(). For example, en_US --> en-us and sr__#Latn
--> sr-Latn. Also clean up recovery a bit to expect the new locale
format.
Bug: 35215015
Test: sr-Latn shows correctly under graphic tests && recovery tests pass
Change-Id: Ic62bab7756cdc6e5f98f26076f7c2dd046f811db
|
|
It's valid to provide only 1 argument to apply_patch_check(). We
shouldn't fail the argument parsing.
Bug: 36541737
Test: recovery_component_test passes.
Test: recovery_component_test captures the failure without the fix.
Test: The previously failed update applies successfully.
Change-Id: Iee4c54ed33b877fc4885945b085341ec5c64f663
|
|
And switch them to std::vector & std::unique_ptr
Bug: 32117870
Test: recovery tests passed on sailfish
Change-Id: I5a45951c4bdf895be311d6d760e52e7a1b0798c3
|
|
Test: mmma bootable/recovery
Test: recovery_unit_test passes.
Test: recovery_component_test passes.
Change-Id: If0bf25993158eaebeedff55ba4f4dd0f6e5f937d
|
|
We should not touch any data while verifying packages (or parsing the
in-memory ASN.1 structures).
Test: mmma bootable/recovery
Test: recovery_component_test passes.
Test: recovery_unit_test passes.
Change-Id: Ie990662c6451ec066a1807b3081c9296afbdb0bf
|
|
Test: recovery_component_test passes.
Change-Id: I6276b59981c87c50736d69d4af7647c8ed892965
|
|
A follow-up to commit 5e535014dd7961fbf812abeaa27f3339775031f1.
Also clean up Android.mk, since libverifier no longer needs anything
from libminui.
Test: mmma bootable/recovery
Test: recovery_component_test passes.
Change-Id: I1c11e4bbeef67ca34a2054debf1f5b280d509217
|
|
verify_file() has a dependency on the global variable of 'ui' for
posting the verification progress, which requires the users of
libverifier to provide a UI instance.
This CL adds an optional argument to verify_file() so that it can
post the progress through the provided callback function. As a result,
we can drop the MockUI class in verifier_test.cpp.
Test: recovery_component_test passes.
Test: verify_file() posts progress update when installing an OTA.
Change-Id: I8b87d0f0d99777ea755d33d6dbbe2b6d44243bf1
(cherry picked from commit 5e535014dd7961fbf812abeaa27f3339775031f1)
|
|
verify_file() has a dependency on the global variable of 'ui' for
posting the verification progress, which requires the users of
libverifier to provide a UI instance.
This CL adds an optional argument to verify_file() so that it can
post the progress through the provided callback function. As a result,
we can drop the MockUI class in verifier_test.cpp.
Test: recovery_component_test passes.
Test: verify_file() posts progress update when installing an OTA.
Change-Id: I8b87d0f0d99777ea755d33d6dbbe2b6d44243bf1
|
|
Add the following tests:
stash src
bspatch stashed_src tgt
free stashed_src
(expected a successful update)
stash src
free stashed_src
fail_the_update
(expected stashed_src freed)
Bug: 36242722
Test: Test identified unfreed stashes correctly.
Change-Id: I5a136e8dc31774367972fbfe8c63cbc1ddb3a113
|
|
Also remove the utils in applypatch and replace them with the
corresponding libbase functions.
Test: recovery tests pass.
Change-Id: I77254c141bd3e7d3d6894c23b60e866009516f81
|
|
Patching regular files is used in file-based OTA only, which has become
obsolete.
Bug: 35853185
Test: Apply an incremental that patches the boot.img.
Test: /system/bin/install-recovery.sh works.
Test: recovery_component_test passes.
Change-Id: Id44e42c4bc63f2162ecc8a6df1cb528b7ae6b0a9
|
|
This CL removes the updater support for delete(), symlink(), rename(),
set_metadata() and set_metadata_recursive(). Such functions have been
removed from the generation script in commit
f388104eaacd05cfa075d6478369e1d0df5ddbf3 (platform/build).
Note: This CL also removes delete_recursive() which seems to have never
been supported in generation script.
Bug: 35853185
Test: recovery_component_test passes.
Change-Id: I51e1ec946fa73761118fa1eaa082423df6d588e9
|
|
The fstab settings of early-mounted partitions (e.g., /vendor) will be in
kernel device tree. Switch to the new API to get the whole settings with
those in device tree:
fs_mgr_read_fstab_with_dt("/etc/recovery.fstab")
The original default /fstab.{ro.hardware} might be moved to
/vendor/etc/. or /odm/etc/. Use another new API to get the default fstab
instead of using the hard-coded /fstab.{ro.hardware}. This API also
includes the settings from device tree:
fs_mgr_read_fstab_default()
Bug: 35811655
Test: boot sailfish recovery
Change-Id: Iaa56ac7f7b4c4dfc7180c65f03e9a37b94f1de09
|
|
Put ImageChunk and some helper functions into a class. Also switch to
using std::vector instead of malloc.
Bug: 18606652
Test: imgdiff_test passed on host. Also generate a complete incremental OTA package.
The file content is the same and time consumption is similar.
Change-Id: Id603ada4e130ef521218400761a119001a86ca79
|
|
The test should not clear bcb during teardown on devices without
/misc.
Bug: 35712836
Test: The test tears down without errors after /misc removed from the fstab.
Change-Id: I42df89feb18fac5a435cd17eef97a6bad0f44545
|
|
FUSE FS is required in recovery sideload functionalites.
This CL is to add a native test to flag when FUSE is not
supported in the device kernel.
Bug: 35768196
Test: mma, run recovery_component_test on marlin and pass all
Change-Id: I43b6dbee658010df56ba4d4b0e91baa7fd1c4480
|
|
Skip these two tests if /misc partition is not found in fstab.
Bug: 35712836
Test: Both test skip correctly if there's no /misc in fstab.${hardware}.
Change-Id: I38417a8677030229a335e43eaef85ae70c4e0845
|
|
Now ApplyBSDiffPatch() will stream the output to sink as we go instead
of sinking everything at the end.
Test: recovery_host_test
Bug: 26982501
Change-Id: I05b6ed40d45e4b1b19ae72784cf705b731b976e3
|
|
Bug: 34220783
Test: make checkbuild
Change-Id: Iceea20e440a4bb6a3b254486a65a86401a2241ef
|
|
match_locale() will return false for empty locale string in the PNG
file. Also add a manual test to validate if a PNG file is qualified to
use under recovery.
Bug: 34054052
Test: recovery_manual_test catches invalid PNG files successfully & Locale_test passed
Change-Id: Id7e2136e1d8abf20da15825aa7901effbced8b03
|
|
Bug: 34220783
Change-Id: I358f931f0b29f5bd526e1475180e477e2e90b936
|
|
Bug: 34220783
Change-Id: I34ccc3b11da0d1b48805967ad75b9ddade569930
|
|
Test: recovery_component_test passes.
Change-Id: I4f00d0171cf86699e9ce747d07d7d44a01906e81
|
|
UI text is broken (doesn't show any text during FDR) due to commit
d530449e54bd327e9c26209ffa0490c6508afe6c, which reordered the calls to
RecoveryUI::SetLocale() and RecoveryUI::Init().
Because Init() uses the locale info to load the localized texts (from
images), the locale must be set prior to that via SetLocale(). This CL
refactors Init() to take the locale parameter, and removes the odd
SetLocale() API.
Bug: 34029338
Test: 'Run graphics test' under recovery.
Change-Id: I620394a3d4e3705e9af5a1f6299285d143ae1b01
|
|
When the input image ends with the magic value sequence of 0x1f, 0x8b,
0x0b (optionally with 0x00), the image parsing code will be stuck in an
infinite loop.
Test: recovery_component_test passes.
Change-Id: Ie3629dfdc41360387b19cc3e0359c95ae4fb998e
|
|
Test: recovery_unit_test passes.
Change-Id: I764c56404c7ccdd57ae5486c946fbc9ac6ae7bc9
|
|
Test: recovery_unit_test passes.
Change-Id: I8ad364e88aaee31579ed7206aad8e5620518d797
|
|
Although O_RDONLY gives the same value as F_OK (0), it's not the right
friend of access(2).
Also clean up the temporary files from ZipTest (TemporaryDir doesn't
like non-empty directory).
Test: recovery_unit_test passes and has no leftover.
Change-Id: I66b90e43c0954c89ce08b36b9e2b4e84183b28f5
|
|
Factor out libimgdiff static library for testing purpose.
This CL adds the imgdiff tests on host and on target both (similar to
libimgpatch). In practice, we only need imgdiff binary on host, and
libimgpatch on target. But they should build and pass tests on both
platforms.
Test: recovery_host_test passes; recovery_component_test passes.
Change-Id: I0eafb7faf727cdf70066310e845af6ee245d4f60
|
|
The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.
Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.
Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
|
|
This is a retry of commit 7e31f421a514da09b90e46dbd642a5e9b16e0003.
Commit bd56f1590c967205dc45eb2ec298aa8d2aacb740 switches to calling
write_bootloader_message(<options>) in get_args(), which
unintentionally resets the stage field thus breaks two-step OTAs.
This CL adds update_bootloader_message(<options>), which only sets
the command field (to "boot-recovery") and the recovery field (with
the specified options).
Bug: 33534933
Test: Apply a two-step package.
Test: recovery_component_test passes.
Change-Id: Ie0b1ed4053d2d3c97d9cb84310d616b28fcfc72e
|
|
Test: recovery_component_test passes.
Change-Id: Ib9aa2ffd6b018546223c76b7424f4ba355f5b088
|
|
Bug: http://b/33534933
Test: recovery_component_test passes (and fails on buggy build due to
the CL in [1]).
[1]: commit 7e31f421a514da09b90e46dbd642a5e9b16e0003
Change-Id: I120498048ec1db8f9fcbb3cf135c05d3a48cfcdf
|
|
This allows recovery to work on devices without screen.
The stub recovery UI does nothing except print to stdout.
Test: write 'recovery\n--wipe_data\n--reason=wipe_data_from_ota\n'
to misc and boot to recovery on a device without screen.
Bug: 33175036
Change-Id: Icde698aa2e2e29f4b3d0532dfd3c6a939ac2bc63
|
|
There're two types of targets in applypatch: regular files and EMMC
targets. We have two sets of functions to handle them respectively.
This CL adds testcases to use "EMMC:filename:size:sha1" as the target
name, which triggers the code path for patching EMMC targets.
Bug: 33034669
Test: recovery_component_test passes.
Change-Id: I8f10c6c8d2c1fb083f06a83de91d9e23cb41fb6d
|
|
Add read_bootloader_message_from() and write_bootloader_message_to() to
allow specifying the BCB device (/misc).
Also add testcases for set_stage() and get_stage().
Test: recovery_component_test passes.
Test: Build a recovery image and apply a two-step OTA package.
Change-Id: If5ab06a1aaaea168d2a9e5dd63c07c0a3190e4ae
|
|
Test: recovery_component_test passes.
Change-Id: I3af4707bc42c7331ca961be8b967a53de82ea25b
|
|
write_value(value, filename) writes 'value' to 'filename'. It can be
used to tune device settings when applying an OTA package. For example,
write_value("960000", "/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq").
Bug: 32463933
Test: recovery_component_test passes.
Test: Apply an OTA package that contains a call to write_value(), and
check the result.
Change-Id: Ib009ecb8a45a94353f10c59e2383fe1f49796e35
|
|
'bool success = ExtractEntryToFile()' gives opposite result. Fix the
issue and add testcases.
Change the one-argument version of package_extract_file() to explicitly
abort for non-existent zip entry. Note that this is NOT changing the
behavior. Prior to this CL, it aborts from Evaluate() function, by
giving a general cause code. Now it returns kPackageExtractFileFailure.
BUg: 32903624
Test: recovery_component_test works.
Change-Id: I7a273e9c0d9aaaf8c472b2c778f7b8d90362c24f
(cherry picked from commit ef0eb3b01b66fbbc97908667a3dd1e02d710cbb7)
|
|
'bool success = ExtractEntryToFile()' gives opposite result. Fix the
issue and add testcases.
Change the one-argument version of package_extract_file() to explicitly
abort for non-existent zip entry. Note that this is NOT changing the
behavior. Prior to this CL, it aborts from Evaluate() function, by
giving a general cause code. Now it returns kPackageExtractFileFailure.
BUg: 32903624
Test: recovery_component_test works.
Change-Id: I7a273e9c0d9aaaf8c472b2c778f7b8d90362c24f
|
|
Clean up SymlinkFn() a bit. Also clean up the temp files created when
running the tests; otherwise non-empty TemporaryDir won't be removed.
Test: recovery_component_test passes.
Change-Id: Id3844abebd168c40125c4dcec54e6ef680a83c3a
|
|
Move recovery-refresh/persist tests out because these tests need special
steps to run. Also switch the constants to std::string.
Test: recovery_manual_test passed on an A/B device
Change-Id: I60b3ec6f094044945c3aafc1fae540896a6ddea6
|
|
Switch to use const std::string; and add corresponding tests.
Bug: 32649858
Test: Component tests pass
Change-Id: I640f3ec81f1481fa91aa310f8d4d96dac9649cb9
|
|
Add unit testcases for sysMapFile().
Test: recovery_unit_test passes.
Test: Build and use the new recovery image to sideload a package.
Test: Build and use the new recovery image to install an update.
Change-Id: I77d8f1ea151ab513865d992c256ba93a1fcb51a4
(cherry picked from commit c3292f3fcbb3cd608cc19b7459751fa5bb64ab84)
|
|
Add unit testcases for sysMapFile().
Test: recovery_unit_test passes.
Test: Build and use the new recovery image to sideload a package.
Test: Build and use the new recovery image to install an update.
Change-Id: I77d8f1ea151ab513865d992c256ba93a1fcb51a4
|
|
It's accidentally broken when refactoring the testdata path. Also clean
up the testcase a bit by simplying the file reading.
Test: recovery_unit_test passes.
Change-Id: I592a1cf5a4eb9a7a5f4eecbc6426baeedeb02781
|
|
Test: recovery_component_test passes.
Change-Id: Iba5a0fdf6c79e2bed6b30b8fc19a306c1ab29d8a
|
|
Also add a testcase for delete() function.
Test: recovery_component_test passes.
Change-Id: I064d1ad4693c3ed339d0a69eabadd08a61a2ea86
|
|
Also add a testcase for file_getprop().
Test: recovery_component_test passes.
Change-Id: I8eb2f9a5702b43997ac9f4b29665eea087b1c146
|
|
continuous_native_tests expects the testdata under DATA/ in
continuous_native_tests.zip. This CL packs a copy of the testdata into
continuous_native_tests.zip as DATA/nativetest/recovery/testdata (via
LOCAL_PICKUP_FILES).
This CL also removes the extra copy for nativetest64. Testdata will
always stay at /data/nativetest/recovery/testdata, even for 64-bit
version. Otherwise we will unnecessarily get four copies (two for data/
and another two for DATA/).
Bug: 32123241
Test: mmma bootable/recovery && adb sync data. On bullhead,
/data/nativetest/recovery_component_test/recovery_component_test works;
/data/nativetest64/recovery_component_test/recovery_component_test works.
Test: m continuous_native_test; DATA/nativetest/recovery/testdata exists.
Change-Id: Ifefa0309de7af23c77654e8e450848ca2da218c2
|
|
Refactor applypatch/main.cpp into libapplypatch_modes so that we can add
testcases.
Some changes to applypatch/main.cpp:
- Replace char** argv with const char**;
- Use android::base::Split() to split ":";
- Use android::base::ParseUInt().
Bug: 32383590
Test: Unit tests pass, install-recovery.sh works.
Change-Id: I44e7bfa5ab717d439ea1d0ee9ddb7b2c40bb95a4
|
|
Test: Unit tests and install-recovery.sh pass on angler and dragon.
Change-Id: I328e6554edca667cf850f5584ebf1ac211e3d4d1
|
|
We currently only copy the testdata to
$(TARGET_OUT_DATA_NATIVE_TESTS)/recovery, which fails the tests
generated for 2nd arch (TARGET_2ND_ARCH). For example, on angler
/data/nativetest/recovery_component_test/recovery_component_test fails
due to missing testdata.
Bug: 32123241
Test: Both of /data/nativetest/recovery... and /data/nativetest64/recovery...
work on angler.
Change-Id: Ib76264b4408d01c08b2619c8ac84b2476ea5a8bc
|
|
If no sha1 is specified, applypatch_check should pass as long as
the file content loads successfully. Add a unit case acccordingly.
Test: Unit tests passed
Bug: 32243751
Change-Id: I8c013be67c197d2935e11cf6acc59fb9b943cfd9
|
|
Clean up the duplicated codes that handle the zip files in
bootable/recovery; and rename the library of the remaining
utility functions to libotautil.
Test: Update package installed successfully on angler.
Bug: 19472796
Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e
|
|
Changing the field of 'Value' in edify to std::string from char*.
Meanwhile cleaning up the users of 'Value' and switching them to
cpp style.
Test: compontent tests passed.
Bug: 31713288
Change-Id: Iec5a7d601b1e4ca40935bf1c70d325dafecec235
|
|
- Remove dead declarations in expr.h: SetError(), GetError(),
ClearError().
- Remove the declaration of Build() out of expr.h.
- Use std::unordered_map to implement RegisterFunction() and
FindFunction(); kill FinishRegistration().
- Add a testcase for calling unknown functions.
Test: mmma bootable/recovery; recovery_component_test passes.
Change-Id: I9af6825ae677f92b22d716a4a5682f58522af03b
|
|
Also add a testcase for sha1_check().
Test: mmma bootable/recovery; recovery_component_test passes.
Change-Id: I4d06d551a771aec84e460148544f68b247a7e721
|
|
So that we can write native tests for updater functions. This CL adds a
testcase for getprop() function.
Test: mmma bootable/recovery; Run recovery_component_test on device.
Change-Id: Iff4c1ff63c5c71aded2f9686fed6b71cc298c228
|
|
This way we kill a few strdup() and free() calls.
Test: 1. recovery_component_test still passes;
2. Applying an update with the new updater works;
3. The error code in a script with abort("E310: xyz") is recorded into
last_install correctly.
Change-Id: Ibda4da5937346e058a0d7cc81764d6f02920010a
(cherry picked from commit 59dcb9cbea8fb70ab933fd10d35582b08cd13f37)
|
|
This way we kill a few strdup() and free() calls.
Test: 1. recovery_component_test still passes;
2. Applying an update with the new updater works;
3. The error code in a script with abort("E310: xyz") is recorded into
last_install correctly.
Change-Id: Ibda4da5937346e058a0d7cc81764d6f02920010a
|
|
private/android_logger.h contains all we need.
Test: compile
Bug: 26552300
Bug: 31289077
Bug: 31456426
Change-Id: I6714d730372dc81f784e7f9dfee8a33848643a5d
|
|
Now they live in tests/component/edify_test.cpp.
Also rename edify/main.cpp to edify/edify_parser.cpp. It becomes a
host-side debugging tool that validates the input edify script. However,
it supports edify builtin functions only and doesn't recognize the ones
defined via updater.
Test: recovery_component_test passes on device.
Change-Id: Ib94a787bf15098a9cc078d256b6a6dc96ff12b2e
|
|
Also remove the 0xff comparison when validating the bootloader
message fields. As the fields won't be erased to 0xff after we
remove the MTD support.
Bug: 28202046
Test: The recovery folder compiles for aosp_x86-eng
Change-Id: Ibb30ea1b2b28676fb08c7e92a1e5f7b6ef3247ab
(cherry picked from commit 7aa88748f6ec4e53333d1a15747bc44826ccc410)
|
|
Also remove the 0xff comparison when validating the bootloader
message fields. As the fields won't be erased to 0xff after we
remove the MTD support.
Bug: 28202046
Test: The recovery folder compiles for aosp_x86-eng
Change-Id: Ibb30ea1b2b28676fb08c7e92a1e5f7b6ef3247ab
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
(cherry picked from commit 747781433fb01f745529c7e9dd97c5599070ad0d)
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
|
|
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
|
|
* Use const reference type for read-only parameters.
Bug: 30407689
* Use faster overloaded string find function.
Bug: 30411878
* Add parentheses around macro parameters.
Bug: 28705665
Test: build with WITH_TIDY=1
Change-Id: I4e8e5748bfa4ae89871f1fb5fa4624d372530d75
|
|
Bug: http://b/30708454
Change-Id: I7a5048beff1d8b783a9683dcb4a79606a77f20ee
|
|
A Certificate is a pair of an RSAPublicKey and a particular hash. So v1
and v3 differ in the hash algorithm (SHA-1 vs SHA-256), similarly for
v2 and v4.
In verifier testcases, we used to load v1/v2 keys with an explicit
argument of "sha256" to test the v3/v4 keys. This CL switches to loading
v3/v4 keys directly and lets load_keys() to handle that, which is the
actual flow we use in practice.
Also remove the "fallback to v1 key" in the testcases, which is not the
actual behavior.
Bug: 30415901
Test: Run the verifier_test component test on device.
Change-Id: I3a2baa64826f1b6c4c367a560090df384c4521bb
|
|
Track the change in commit 63a319201fc0f5c34c1c62b446527e06f57f8d40 and
fix builds.
Bug: http://b/29250988
Change-Id: Iad5be953e102020931649629afc980d585ed2931
(cherry picked from commit ab2fb94bf48483d761ba3aa85e0acf851895566f)
|
|
Track the change in commit 63a319201fc0f5c34c1c62b446527e06f57f8d40 and
fix builds.
Bug: http://b/29250988
Change-Id: Iad5be953e102020931649629afc980d585ed2931
(cherry picked from commit ab2fb94bf48483d761ba3aa85e0acf851895566f)
|
|
Track the change in commit 63a319201fc0f5c34c1c62b446527e06f57f8d40 and
fix builds.
Bug: http://b/29250988
Change-Id: Iad5be953e102020931649629afc980d585ed2931
|
|
Add a new command "--security" to boot commands. If this command is
observed as part of BCB, choose a different background text picture
for installing stage in recovery UI. As a result, users will see
"installing security update" instead of "installing system update"
when applying a security update package.
Bug: 27837319
Change-Id: I2e2253a124993ecc24804fa1ee0b918ac96837c5
|
|
matches_locale was expecting input locale string to have at most one
underscore; as a result "zh_CN_#Hans" ignores "zh_CN" and matches into
"zh". Fix the match function and add unit tests.
Bug: 27837319
Change-Id: I4e8a66f91cae6ac2a46b6bf21f670d5ea564c7c8
|
|
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with
merge conflict resolution, extra logging in verifier.cpp, and
an increase in the hash chunk size from 4KiB to 1MiB.
Bug: http://b/28135231
Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
|
|
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
|
|
(cherry-pick from commit a4f701af93a5a739f34823cde0c493dfbc63537a)
- Add call to __android_log_pmsg_file_write for recovery logging.
- Add call to refresh pmsg if we reboot back into recovery and then
allow overwrite of those logs.
- Add a new one-time executable recovery-refresh that refreshes pmsg
in post-fs phase of init. We rely on pmsg eventually scrolling off
to age the content after recovery-persist has done its job.
- Add a new one-time executable recovery-persist that transfers from
pmsg to /data/misc/recovery/ directory if /cache is not mounted
in post-fs-data phase of init.
- Build and appropriately trigger the above two as required if
BOARD_CACHEIMAGE_PARTITION_SIZE is undefined.
- Add some simple unit tests
NB: Test failure is expected on systems that do not deliver either
the recovery-persist or recovery-refresh executables, e.g. systems
with /cache. Tests also require a timely reboot sequence of test
to truly verify, tests provide guidance on stderr to direct.
Bug: 27176738
Change-Id: I17bb95980234984f6b2087fd5941b0a3126b706b
|
|
- Add call to __android_log_pmsg_file_write for recovery logging.
- Add call to refresh pmsg if we reboot back into recovery and then
allow overwrite of those logs.
- Add a new one-time executable recovery-refresh that refreshes pmsg
in post-fs phase of init. We rely on pmsg eventually scrolling off
to age the content after recovery-persist has done its job.
- Add a new one-time executable recovery-persist that transfers from
pmsg to /data/misc/recovery/ directory if /cache is not mounted
in post-fs-data phase of init.
- Build and appropriately trigger the above two as required if
BOARD_CACHEIMAGE_PARTITION_SIZE is undefined.
- Add some simple unit tests
NB: Test failure is expected on systems that do not deliver either
the recovery-persist or recovery-refresh executables, e.g. systems
with /cache. Tests also require a timely reboot sequence of test
to truly verify, tests provide guidance on stderr to direct.
Bug: 27176738
Change-Id: I17bb95980234984f6b2087fd5941b0a3126b706b
|
|
Bug: 27135282
Change-Id: If53682b591397ddfdb84860a3779b612904d4489
|
|
Change-Id: I7ffba0be5a6befc875ce59b51a008c1892e7d34b
|
|
Test data needs to go outside the gtest module.
Change-Id: Ic444ca838cbafa651ec97ff8730129da84fafc09
|
|
Change-Id: I51fec30114c0a31efc9c2ac8472654baf8bb3e84
|
|
Bug: 26962907
Change-Id: I5f80636af1740badeff7d08193f08e23f4e4fee1
|
|
And a few trival fixes to suppress warnings.
Change-Id: Id28e3581aaca4bda59826afa80c0c1cdfb0442fc
(cherry picked from commit 80e46e08de5f65702fa7f7cd3ef83f905d919bbc)
|
|
And a few trival fixes to suppress warnings.
Change-Id: I38734b5f4434643e85feab25f4807b46a45d8d65
|
|
Global variables kill.
No need to manually link gtest, and that causes problems with
libc++.
Change-Id: If804cdd436cf1addfa9a777708efbc37c27770b6
|
|
This adds support for key version 5 which is an EC key using the NIST
P-256 curve parameters. OTAs may be signed with these keys using the
ECDSA signature algorithm with SHA-256.
Change-Id: Id88672a3deb70681c78d5ea0d739e10f839e4567
|