Merge "Verify wipe package when wiping A/B device in recovery."
This commit is contained in:
Treehugger Robot
Gerrit Code Review
134
bootloader.cpp
134
bootloader.cpp
@@ -1,134 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2008 The Android Open Source Project
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <inttypes.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <fs_mgr.h>
|
||||
|
||||
#include <android-base/logging.h>
|
||||
#include <android-base/unique_fd.h>
|
||||
|
||||
#include "bootloader.h"
|
||||
#include "roots.h"
|
||||
|
||||
static int get_bootloader_message_block(bootloader_message* out, const Volume* v);
|
||||
static int set_bootloader_message_block(const bootloader_message* in, const Volume* v);
|
||||
|
||||
int get_bootloader_message(bootloader_message* out) {
|
||||
Volume* v = volume_for_path("/misc");
|
||||
if (v == nullptr) {
|
||||
LOG(ERROR) << "Cannot load volume /misc!";
|
||||
return -1;
|
||||
}
|
||||
if (strcmp(v->fs_type, "emmc") == 0) {
|
||||
return get_bootloader_message_block(out, v);
|
||||
}
|
||||
LOG(ERROR) << "unknown misc partition fs_type \"" << v->fs_type << "\"";
|
||||
return -1;
|
||||
}
|
||||
|
||||
int set_bootloader_message(const bootloader_message* in) {
|
||||
Volume* v = volume_for_path("/misc");
|
||||
if (v == nullptr) {
|
||||
LOG(ERROR) << "Cannot load volume /misc!";
|
||||
return -1;
|
||||
}
|
||||
if (strcmp(v->fs_type, "emmc") == 0) {
|
||||
return set_bootloader_message_block(in, v);
|
||||
}
|
||||
LOG(ERROR) << "unknown misc partition fs_type \"" << v->fs_type << "\"";
|
||||
return -1;
|
||||
}
|
||||
|
||||
// ------------------------------------
|
||||
// for misc partitions on block devices
|
||||
// ------------------------------------
|
||||
|
||||
static void wait_for_device(const char* fn) {
|
||||
int tries = 0;
|
||||
int ret;
|
||||
do {
|
||||
++tries;
|
||||
struct stat buf;
|
||||
ret = stat(fn, &buf);
|
||||
if (ret == -1) {
|
||||
printf("failed to stat \"%s\" try %d: %s\n", fn, tries, strerror(errno));
|
||||
sleep(1);
|
||||
}
|
||||
} while (ret && tries < 10);
|
||||
|
||||
if (ret) {
|
||||
printf("failed to stat \"%s\"\n", fn);
|
||||
}
|
||||
}
|
||||
|
||||
static int get_bootloader_message_block(bootloader_message* out,
|
||||
const Volume* v) {
|
||||
wait_for_device(v->blk_device);
|
||||
FILE* f = fopen(v->blk_device, "rb");
|
||||
if (f == nullptr) {
|
||||
PLOG(ERROR) << "failed to open \"" << v->blk_device << "\"";
|
||||
return -1;
|
||||
}
|
||||
bootloader_message temp;
|
||||
int count = fread(&temp, sizeof(temp), 1, f);
|
||||
if (count != 1) {
|
||||
PLOG(ERROR) << "failed to read \"" << v->blk_device << "\"";
|
||||
return -1;
|
||||
}
|
||||
if (fclose(f) != 0) {
|
||||
PLOG(ERROR) << "failed to close \"" << v->blk_device << "\"";
|
||||
return -1;
|
||||
}
|
||||
memcpy(out, &temp, sizeof(temp));
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int set_bootloader_message_block(const bootloader_message* in,
|
||||
const Volume* v) {
|
||||
wait_for_device(v->blk_device);
|
||||
android::base::unique_fd fd(open(v->blk_device, O_WRONLY | O_SYNC));
|
||||
if (fd == -1) {
|
||||
PLOG(ERROR) << "failed to open \"" << v->blk_device << "\"";
|
||||
return -1;
|
||||
}
|
||||
|
||||
size_t written = 0;
|
||||
const uint8_t* start = reinterpret_cast<const uint8_t*>(in);
|
||||
size_t total = sizeof(*in);
|
||||
while (written < total) {
|
||||
ssize_t wrote = TEMP_FAILURE_RETRY(write(fd, start + written, total - written));
|
||||
if (wrote == -1) {
|
||||
PLOG(ERROR) << "failed to write " << total << " bytes, " << written
|
||||
<< " bytes written";
|
||||
return -1;
|
||||
}
|
||||
written += wrote;
|
||||
}
|
||||
|
||||
if (fsync(fd) == -1) {
|
||||
PLOG(ERROR) << "failed to fsync \"" << v->blk_device << "\"";
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
66
install.cpp
66
install.cpp
@@ -71,22 +71,33 @@ static int parse_build_number(const std::string& str) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
// Read the build.version.incremental of src/tgt from the metadata and log it to last_install.
|
||||
static void read_source_target_build(ZipArchiveHandle zip, std::vector<std::string>& log_buffer) {
|
||||
bool read_metadata_from_package(ZipArchiveHandle zip, std::string* meta_data) {
|
||||
ZipString metadata_path(METADATA_PATH);
|
||||
ZipEntry meta_entry;
|
||||
if (meta_data == nullptr) {
|
||||
LOG(ERROR) << "string* meta_data can't be nullptr";
|
||||
return false;
|
||||
}
|
||||
if (FindEntry(zip, metadata_path, &meta_entry) != 0) {
|
||||
LOG(ERROR) << "Failed to find " << METADATA_PATH << " in update package";
|
||||
return;
|
||||
return false;
|
||||
}
|
||||
|
||||
std::string meta_data(meta_entry.uncompressed_length, '\0');
|
||||
if (ExtractToMemory(zip, &meta_entry, reinterpret_cast<uint8_t*>(&meta_data[0]),
|
||||
meta_data->resize(meta_entry.uncompressed_length, '\0');
|
||||
if (ExtractToMemory(zip, &meta_entry, reinterpret_cast<uint8_t*>(&(*meta_data)[0]),
|
||||
meta_entry.uncompressed_length) != 0) {
|
||||
LOG(ERROR) << "Failed to read metadata in update package";
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
// Read the build.version.incremental of src/tgt from the metadata and log it to last_install.
|
||||
static void read_source_target_build(ZipArchiveHandle zip, std::vector<std::string>& log_buffer) {
|
||||
std::string meta_data;
|
||||
if (!read_metadata_from_package(zip, &meta_data)) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Examples of the pre-build and post-build strings in metadata:
|
||||
// pre-build-incremental=2943039
|
||||
// post-build-incremental=2951741
|
||||
@@ -301,33 +312,16 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount,
|
||||
return INSTALL_CORRUPT;
|
||||
}
|
||||
|
||||
// Load keys.
|
||||
std::vector<Certificate> loadedKeys;
|
||||
if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
|
||||
LOG(ERROR) << "Failed to load keys";
|
||||
sysReleaseMap(&map);
|
||||
return INSTALL_CORRUPT;
|
||||
}
|
||||
LOG(INFO) << loadedKeys.size() << " key(s) loaded from " << PUBLIC_KEYS_FILE;
|
||||
|
||||
// Verify package.
|
||||
ui->Print("Verifying update package...\n");
|
||||
|
||||
auto t0 = std::chrono::system_clock::now();
|
||||
int err = verify_file(map.addr, map.length, loadedKeys);
|
||||
std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
|
||||
ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
|
||||
if (err != VERIFY_SUCCESS) {
|
||||
LOG(ERROR) << "signature verification failed";
|
||||
if (!verify_package(map.addr, map.length)) {
|
||||
log_buffer.push_back(android::base::StringPrintf("error: %d", kZipVerificationFailure));
|
||||
|
||||
sysReleaseMap(&map);
|
||||
return INSTALL_CORRUPT;
|
||||
}
|
||||
|
||||
// Try to open the package.
|
||||
ZipArchiveHandle zip;
|
||||
err = OpenArchiveFromMemory(map.addr, map.length, path, &zip);
|
||||
int err = OpenArchiveFromMemory(map.addr, map.length, path, &zip);
|
||||
if (err != 0) {
|
||||
LOG(ERROR) << "Can't open " << path << " : " << ErrorCodeString(err);
|
||||
log_buffer.push_back(android::base::StringPrintf("error: %d", kZipOpenFailure));
|
||||
@@ -403,3 +397,25 @@ install_package(const char* path, bool* wipe_cache, const char* install_file,
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
bool verify_package(const unsigned char* package_data, size_t package_size) {
|
||||
std::vector<Certificate> loadedKeys;
|
||||
if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
|
||||
LOG(ERROR) << "Failed to load keys";
|
||||
return false;
|
||||
}
|
||||
LOG(INFO) << loadedKeys.size() << " key(s) loaded from " << PUBLIC_KEYS_FILE;
|
||||
|
||||
// Verify package.
|
||||
ui->Print("Verifying update package...\n");
|
||||
auto t0 = std::chrono::system_clock::now();
|
||||
int err = verify_file(const_cast<unsigned char*>(package_data), package_size, loadedKeys);
|
||||
std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
|
||||
ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
|
||||
if (err != VERIFY_SUCCESS) {
|
||||
LOG(ERROR) << "Signature verification failed";
|
||||
LOG(ERROR) << "error: " << kZipVerificationFailure;
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
17
install.h
17
install.h
@@ -17,11 +17,10 @@
|
||||
#ifndef RECOVERY_INSTALL_H_
|
||||
#define RECOVERY_INSTALL_H_
|
||||
|
||||
#include "common.h"
|
||||
#include <string>
|
||||
#include <ziparchive/zip_archive.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE, INSTALL_SKIPPED,
|
||||
INSTALL_RETRY };
|
||||
@@ -31,8 +30,12 @@ enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE, INSTALL_SK
|
||||
int install_package(const char* root_path, bool* wipe_cache, const char* install_file,
|
||||
bool needs_mount, int retry_count);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
// Verify the package by ota keys. Return true if the package is verified successfully,
|
||||
// otherwise return false.
|
||||
bool verify_package(const unsigned char* package_data, size_t package_size);
|
||||
|
||||
// Read meta data file of the package, write its content in the string pointed by meta_data.
|
||||
// Return true if succeed, otherwise return false.
|
||||
bool read_metadata_from_package(ZipArchiveHandle zip, std::string* meta_data);
|
||||
|
||||
#endif // RECOVERY_INSTALL_H_
|
||||
|
||||
73
recovery.cpp
73
recovery.cpp
@@ -86,6 +86,7 @@ static const struct option OPTIONS[] = {
|
||||
{ "reason", required_argument, NULL, 'r' },
|
||||
{ "security", no_argument, NULL, 'e'},
|
||||
{ "wipe_ab", no_argument, NULL, 0 },
|
||||
{ "wipe_package_size", required_argument, NULL, 0 },
|
||||
{ NULL, 0, NULL, 0 },
|
||||
};
|
||||
|
||||
@@ -902,12 +903,76 @@ static bool secure_wipe_partition(const std::string& partition) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Check if the wipe package matches expectation:
|
||||
// 1. verify the package.
|
||||
// 2. check metadata (ota-type, pre-device and serial number if having one).
|
||||
static bool check_wipe_package(size_t wipe_package_size) {
|
||||
if (wipe_package_size == 0) {
|
||||
LOG(ERROR) << "wipe_package_size is zero";
|
||||
return false;
|
||||
}
|
||||
std::string wipe_package;
|
||||
std::string err_str;
|
||||
if (!read_wipe_package(&wipe_package, wipe_package_size, &err_str)) {
|
||||
PLOG(ERROR) << "Failed to read wipe package";
|
||||
return false;
|
||||
}
|
||||
if (!verify_package(reinterpret_cast<const unsigned char*>(wipe_package.data()),
|
||||
wipe_package.size())) {
|
||||
LOG(ERROR) << "Failed to verify package";
|
||||
return false;
|
||||
}
|
||||
|
||||
// Extract metadata
|
||||
ZipArchiveHandle zip;
|
||||
int err = OpenArchiveFromMemory(reinterpret_cast<void*>(&wipe_package[0]),
|
||||
wipe_package.size(), "wipe_package", &zip);
|
||||
if (err != 0) {
|
||||
LOG(ERROR) << "Can't open wipe package : " << ErrorCodeString(err);
|
||||
return false;
|
||||
}
|
||||
std::string metadata;
|
||||
if (!read_metadata_from_package(&zip, &metadata)) {
|
||||
CloseArchive(zip);
|
||||
return false;
|
||||
}
|
||||
CloseArchive(zip);
|
||||
|
||||
// Check metadata
|
||||
std::vector<std::string> lines = android::base::Split(metadata, "\n");
|
||||
bool ota_type_matched = false;
|
||||
bool device_type_matched = false;
|
||||
bool has_serial_number = false;
|
||||
bool serial_number_matched = false;
|
||||
for (const auto& line : lines) {
|
||||
if (line == "ota-type=BRICK") {
|
||||
ota_type_matched = true;
|
||||
} else if (android::base::StartsWith(line, "pre-device=")) {
|
||||
std::string device_type = line.substr(strlen("pre-device="));
|
||||
char real_device_type[PROPERTY_VALUE_MAX];
|
||||
property_get("ro.build.product", real_device_type, "");
|
||||
device_type_matched = (device_type == real_device_type);
|
||||
} else if (android::base::StartsWith(line, "serialno=")) {
|
||||
std::string serial_no = line.substr(strlen("serialno="));
|
||||
char real_serial_no[PROPERTY_VALUE_MAX];
|
||||
property_get("ro.serialno", real_serial_no, "");
|
||||
has_serial_number = true;
|
||||
serial_number_matched = (serial_no == real_serial_no);
|
||||
}
|
||||
}
|
||||
return ota_type_matched && device_type_matched && (!has_serial_number || serial_number_matched);
|
||||
}
|
||||
|
||||
// Wipe the current A/B device, with a secure wipe of all the partitions in
|
||||
// RECOVERY_WIPE.
|
||||
static bool wipe_ab_device() {
|
||||
static bool wipe_ab_device(size_t wipe_package_size) {
|
||||
ui->SetBackground(RecoveryUI::ERASING);
|
||||
ui->SetProgressType(RecoveryUI::INDETERMINATE);
|
||||
|
||||
if (!check_wipe_package(wipe_package_size)) {
|
||||
LOG(ERROR) << "Failed to verify wipe package";
|
||||
return false;
|
||||
}
|
||||
std::string partition_list;
|
||||
if (!android::base::ReadFileToString(RECOVERY_WIPE, &partition_list)) {
|
||||
LOG(ERROR) << "failed to read \"" << RECOVERY_WIPE << "\"";
|
||||
@@ -1426,6 +1491,7 @@ int main(int argc, char **argv) {
|
||||
bool should_wipe_data = false;
|
||||
bool should_wipe_cache = false;
|
||||
bool should_wipe_ab = false;
|
||||
size_t wipe_package_size = 0;
|
||||
bool show_text = false;
|
||||
bool sideload = false;
|
||||
bool sideload_auto_reboot = false;
|
||||
@@ -1462,6 +1528,9 @@ int main(int argc, char **argv) {
|
||||
if (strcmp(OPTIONS[option_index].name, "wipe_ab") == 0) {
|
||||
should_wipe_ab = true;
|
||||
break;
|
||||
} else if (strcmp(OPTIONS[option_index].name, "wipe_package_size") == 0) {
|
||||
android::base::ParseUint(optarg, &wipe_package_size);
|
||||
break;
|
||||
}
|
||||
break;
|
||||
}
|
||||
@@ -1607,7 +1676,7 @@ int main(int argc, char **argv) {
|
||||
status = INSTALL_ERROR;
|
||||
}
|
||||
} else if (should_wipe_ab) {
|
||||
if (!wipe_ab_device()) {
|
||||
if (!wipe_ab_device(wipe_package_size)) {
|
||||
status = INSTALL_ERROR;
|
||||
}
|
||||
} else if (sideload) {
|
||||
|
||||
@@ -1,35 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2016 The Android Open Source Project
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#ifndef BOOTLOADER_MESSAGE_WRITER_H
|
||||
#define BOOTLOADER_MESSAGE_WRITER_H
|
||||
|
||||
#ifdef __cplusplus
|
||||
#include <string>
|
||||
#include <vector>
|
||||
|
||||
bool clear_bootloader_message(std::string* err);
|
||||
|
||||
bool write_bootloader_message(const std::vector<std::string>& options, std::string* err);
|
||||
|
||||
#else
|
||||
#include <stdbool.h>
|
||||
|
||||
// C Interface.
|
||||
bool write_bootloader_message(const char* options);
|
||||
#endif
|
||||
|
||||
#endif // BOOTLOADER_MESSAGE_WRITER_H
|
||||
@@ -528,14 +528,31 @@ static bool setup_bcb(const int socket) {
|
||||
return false;
|
||||
}
|
||||
LOG(INFO) << " received command: [" << content << "] (" << content.size() << ")";
|
||||
std::vector<std::string> options = android::base::Split(content, "\n");
|
||||
std::string wipe_package;
|
||||
for (auto& option : options) {
|
||||
if (android::base::StartsWith(option, "--wipe_package=")) {
|
||||
std::string path = option.substr(strlen("--wipe_package="));
|
||||
if (!android::base::ReadFileToString(path, &wipe_package)) {
|
||||
PLOG(ERROR) << "failed to read " << path;
|
||||
return false;
|
||||
}
|
||||
option = android::base::StringPrintf("--wipe_package_size=%zu", wipe_package.size());
|
||||
}
|
||||
}
|
||||
|
||||
// c8. setup the bcb command
|
||||
std::string err;
|
||||
if (!write_bootloader_message({content}, &err)) {
|
||||
if (!write_bootloader_message(options, &err)) {
|
||||
LOG(ERROR) << "failed to set bootloader message: " << err;
|
||||
write_status_to_socket(-1, socket);
|
||||
return false;
|
||||
}
|
||||
if (!wipe_package.empty() && !write_wipe_package(wipe_package, &err)) {
|
||||
PLOG(ERROR) << "failed to set wipe package: " << err;
|
||||
write_status_to_socket(-1, socket);
|
||||
return false;
|
||||
}
|
||||
// c10. send "100" status
|
||||
write_status_to_socket(100, socket);
|
||||
return true;
|
||||
|
||||
Reference in New Issue
Block a user