This allows flame to boot TWRP. Still will need to work on
super partition for vendor and system access.
The plan will be to cherry-pick any updates to android-9.0
through gerrit.twrp.me to this branch as a WIP.
After a reboot function call, we should always wait for it to finish
without executing other instructions.
Bug: 151110322
Test: build
Change-Id: I1dda291a0835ff96df7eaf42eba1a38267a3beeb
(cherry picked from commit 00c4aba9bf428717fc00e26a03e97401eca76ee8)
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This makes the applypatch executable a vendor module.
This change supports making dependencies of the applypatch executable available
to applypatch, which is now on vendor.
Since install-recovery.sh is now a vendor service, we add the
applypatch/vendor_flash_recovery.rc file to /vendor/etc/init to start the
service.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: I01c0800ee6078aa6c9d716d5f154ad2d63c7af84
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.
Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
All the active users of mounts.h now live in updater/.
Test: mmma bootable/recovery
Test: Run recovery_unit_test on taimen.
Test: Code search shows no reference to otautil/mounts.h in device dirs.
Change-Id: I6c35d2e403e92a0111102d00aa4773f4f524650e
Commit 0f339e27bb moved part of the mounts
implementation into libfs_mgr. As a result, otautil/roots.cpp no longer
depends on anything in the local otautil/mounts.h.
Test: mmma bootable/recovery
Change-Id: If16c3e19a62933358fb0002a10e8556a99f9d29a
Additionally kill the global variable: reason, stage; move them to a
separate BootState class instead. Vendor specific recovery code will
need to call getters from Device() class to access these variables.
Bug: 137705917
Test: unit tests pass, boot sailfish into recovery, code search and no
code includes common.h in vendor specific recovery.
Change-Id: Ia50a5ea951212c25548562f29cc9cf78505b5e34
Some global variables are only used for recovery.cpp and
recovery_main.cpp, remove them from common.h and handle their usage
accordingly. Variables include:
static constexpr int kRecoveryApiVersion;
extern struct selabel_handle* sehandle;
extern RecoveryUI* ui;
extern bool has_cache;
bool is_ro_debuggable();
Test: unit tests pass, boot into recovery mode and run graphic tests
Change-Id: If83a005786c9b38412731da97aaf85af69a3b917
We may fail to memory map the package on 32 bit builds for packages with
2GiB+ size. This cl tries to install the package with fuse when memory map
fails in such cases.
Bug: 127071893
Test: build 32 bit version sailfish, push package and block.map, reboot into recovery with
the corresponding update_package argument.
Change-Id: I5dae4f3e27ccaf8d64ff3657d36f0e75db2330b0
Implement the simulator runtime and build the updater simulator as a host
executable. The code to parse the target-files and mocks the block devices
will be submitted in the follow-up.
Bug: 131911365
Test: unit tests pass
Change-Id: Ib1ba939aec8333ca68a45139514d772ad7a27ad8
shutdown and reboot should have a corresponding sub-reason.
Adding:
"reboot,userrequested,fastboot"
"reboot,userrequested,recovery"
"reboot,userrequested,recovery,ui"
"shutdown,userrequested,fastboot"
"shutdown,userrequested,recovery"
"reboot,unknown#" (Can't happen, debug)
Test: manual, multiple targets, enter recovery, be able to exit recovery
Bug: 133326470
Change-Id: Ibfcb2a23158e8e99922e8053edd815fb592150f2
This reverts commit 6f4e4db4f9.
Reason for revert: Booting out of recovery (choose `Reboot system now`)
on taimen is broken. Device keeps booting back into recovery.
Bug: 133326470
Test: Choose `Reboot system now` from recovery menu. Deivce attempts
normal boot.
Change-Id: I6e85fc248e18953a6fb94513c3abc7e7e0fb0477
shutdown and reboot should have a corresponding sub-reason.
Adding:
"reboot,fastboot_menu"
"reboot,recovery_menu"
"reboot,recovery_ui"
"shutdown,fastboot"
"shutdown,recovery"
"reboot,unknown#"
Test: none
Change-Id: Icf1ab0d462ec2de2272914a36994a095998d6186
Adds a fuse data provider that parses the metadata from a block map,
reads the data from the given ranges of the block device; and provides
the data to the fuse.
Bug: 127071893
Test: unit tests pass, install a package from block map
Change-Id: Ie9925ee9144e98642505b3f5e1a4a186d2b21ed0
Test: Choose `Reboot system now`, `Power off`, `Reboot to bootloader`
from recovery UI respectively.
Test: `adb reboot recovery` while under sideload mode.
Change-Id: I0f3d55b80b472178ea4f6970b29cd9df0778b639
We perform these steps to perserve the recovery logs when wiping
/cache partition. Move them to logging.cpp to keep the actually
EraseVolume function concise.
Bug: 130166585
Test: unit tests pass, mount cache and check last log after cache
Change-Id: Idc52833817a446f3a0148a3dd2112f911c9ef48d
(cherry picked from commit 2239b9e4dd)
Therefore, libinstall becomes the sole owner to handle the request
from minadbd service.
The change also includes
1. move logging.cpp out of librecovery
2. drop the dependency on common.h
3. now it's more sensible to move the wipe_cache as part of
install_package. move the wipe_cache to the end of the function.
Bug: 130166585
Test: wipe data and cache from menu
Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
(cherry picked from commit 316e971746)
We perform these steps to perserve the recovery logs when wiping
/cache partition. Move them to logging.cpp to keep the actually
EraseVolume function concise.
Bug: 130166585
Test: unit tests pass, mount cache and check last log after cache
Change-Id: Idc52833817a446f3a0148a3dd2112f911c9ef48d
Therefore, libinstall becomes the sole owner to handle the request
from minadbd service.
The change also includes
1. move logging.cpp out of librecovery
2. drop the dependency on common.h
3. now it's more sensible to move the wipe_cache as part of
install_package. move the wipe_cache to the end of the function.
Bug: 130166585
Test: wipe data and cache from menu
Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
otautil/roots.h includes <fstab/fstab.h>, but users of otautil/roots.h
don't need to explicitly depend on libfstab unless they have a real
need.
Also remove the unneeded include of <fstab/fstab.h> from
fsck_unshare_blocks.cpp.
Test: mmma -j bootable/recovery
Change-Id: Id3dc995a4769e631ab242843ee439bd94b2bf0bc
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.
Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
We will reuse them to implement the fuse provider from block maps.
Test: unit tests pass, sideload an OTA
Change-Id: Iaa409d19569c4ccc0bb24e12518044fcddb45c69
The recovery-persist used to look for the related recovery logs in
persist storage, and copy them under /data/misc/recovery during the
normal boot process.
As we also want to find out the sideload information from last_install,
it makes more sense to move the parse & report of non-a/b metrics to
recovery-persist. Thus we can avoid the race condition of the file
system between the native code and RecoverySystem.
Bug: 114278989
Test: unit test pass, check the event buffer for metrics report
Change-Id: I32d7b2b831bc74a61a70af9a2f0b8a7e9b3e36ee
Now it's less beneficial to inject I/O faults since we don't see many of
them. Remove the library that mocks I/O failures. And switch to android::base
I/O when possible.
Bug: 113032079
Test: unit tests pass
Change-Id: I9f2a92b7ba80f4da6ff9e2abc27f2680138f942c
Bug: 110380063
Test: `m -j installclean && mmma -j bootable/recovery` with
aosp_taimen-userdebug
Test: Build (`m -j bootimage`) and boot into recovery. Check that
`adb sideload` and `Run graphics test` both work.
Test: Run recovery_unit_test and recovery_component_test on marlin.
Change-Id: Ie6ed0e7cafa352d5faff9d1b6ccef724a0415e65
The new command is part of the transfer.list and allows us to compute the hash
tree on non-ab devices.
The required arguments for the hash_tree computation are:
hash_tree_ranges
source_ranges
hash_algorithm
salt_hex
root_hash
Bug: 25170618
Test: unit tests pass; run simulator with compute_hash_tree
Change-Id: I8ff0d582cc8adabb8a060db7845f38b35b28e62c
The getopt_long(3) implementation in Android (upstream freebsd) expects
a null-terminated array while parsing long options with required args.
if (long_options[match].has_arg == required_argument) {
optarg = nargv[optind++];
}
...
if (long_options[match].has_arg == required_argument && optarg == NULL) {
return (BADARG);
}
This seems to make sense in practice, as getopt(3) takes the first two
arguments of argc and argv that are "as passed to the main() function on
program invocation", and both of C and C++ spec say "the value of
argv[argc] shall be 0".
Prior to the CL, we may run into undefined behavior on malformed input
command line (e.g. missing arg for an option that requires one). This CL
fixes the issue by always appending a nullptr to the argument list (but
without counting that into argc).
Test: Build and boot into recovery with commands.
Change-Id: Ic6c37548f4db2f30aeabd40f387ca916eeca5392
This shortens the gap between A/B and non-A/B builds, by replacing the
dependency on build-time flag with runtime detection instead. It also
allows building and testing both paths regardless of the target OTA
type.
The size increase to /sbin/recovery looks negligible (< 0.01%).
- marlin: increased from 2084928 to 2085024;
- angler: increased from 2084776 to 2084896.
Test: Run recovery_component_test on angler and marlin.
Test: Sideload an A/B OTA package on marlin.
Test: Sideload a non-A/B OTA package on angler.
Change-Id: I1d927d1ede9713fb42f73b4fe324aa5705ee6f99
In order to support that, this CL adds Paths::set_resource_dir() to
override the default resource dir ("/res/images/") that's only available
under recovery. Note that since there're external modules depending on
libminui, it adds a separate function of res_set_resource_dir(), instead
of requiring the dependency on libotautil for everyone.
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Change-Id: I0a7dcf4476808bea9e634eaffc9676f6cbaf92b7
This breaks the dependency on common.h (which belongs to
recovery/librecovery) from librecovery_ui. reboot() is now owned by
libotautil, which is expected to be a leaf node to be depended on.
With the change, recovery and updater also share the same reboot() code
now.
Test: mmma -j bootable/recovery
Change-Id: I1cc5d702cfe49302048db33d31c9c87ddc97ac71
This avoids unnecessarily breaking mac build.
Test: `mmma -j bootable/recovery` on Linux and macOS.
Change-Id: I1dc00364c895866a4757c2a43beb3432ae1e4113
Export its header (mounts.h) from there, and drop the dot dot dependency
from libupdater / updater.
Test: mmma bootable/recovery
Test: recovery_component_test
Change-Id: Ic26a6b9b78a34dbe1f178b138f3abaafffbec44c
We have a general need for overriding more paths (e.g. "/tmp"), mostly
for testing purpose. Rename CacheLocation to Paths, and use that to
manage TEMPORARY_{INSTALL,LOG}_FILE.
Test: mmma -j bootable/recovery
Test: recovery_component_test
Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
We set the limit of the max stash size to 80% of cache size. But the
cache space can still be insufficient for the update if the log files
occupy a large chunk of /cache. So remove the old logs for now to make
room for the update.
Bug: 77528881
Test: unit tests pass
Change-Id: Ia8bcb0ace11f8164ad9290bfb360e08e31d282cb
Otherwise the applypatch executable will fail to back up the source
file to /cache when patching the recovery image.
Bug: 74198354
Test: run applypatch from boot to recovery
(cherry picked from commit b4e3a370bf)
Change-Id: I37b7fd88d66ab49ef953d4b7dca22577bd1472e1
Otherwise the applypatch executable will fail to back up the source
file to /cache when patching the recovery image.
Bug: 74198354
Test: run applypatch from boot to recovery
Change-Id: I6e5b9cd06d6ed0b26066b779a348437ecf984b92
This class allows us to set the following locations dynamically:
cache_temp_source, last_command_file, stash_directory_base.
In the updater's main function, we reset the values of these variables
to their default locations in /cache; while we can set them to temp
files in unit tests or host simulation.
Test: unit tests pass
Change-Id: I528652650caa41373617ab055d41b1f1a4ec0f87
ZipUtil was deprecated at android-8.1 but it has been still used by
zipwrap. So this patch fixes the missed header file at new android version.
Signed-off-by: Humberto Borba <humberos@gmail.com>
Change-Id: I60bf67292021f3b63fb1ee2b8774303d9300fa12
Prior to this CL, the block verification works were assigned based on
the pattern of the ranges, which could lead to unbalanced workloads. This
CL adds RangeSet::Split() and moves update_verifier over.
a) For the following care_map.txt on walleye:
system
20,0,347,348,540,556,32770,33084,98306,98620,163842,164156,229378,229692,294914,295228,524289,524291,524292,524348,529059
vendor
8,0,120,135,32770,32831,94564,98304,98306
Measured the time costs prior to and with this CL with the following
script.
$ cat test_update_verifier.sh
#!/bin/sh
adb shell stop
adb shell "cp /data/local/tmp/care_map.txt /data/ota_package/"
for i in $(seq 1 50)
do
echo "Iteration: $i"
adb shell "bootctl set-active-boot-slot 0"
adb shell "echo 3 > /proc/sys/vm/drop_caches"
adb shell "time /data/local/tmp/update_verifier"
sleep 3
done
Without this CL, the average time cost is 5.66s, while with the CL it's
reduced to 3.2s.
b) For the following care_map.txt, measured the performance on marlin:
system
18,0,271,286,457,8350,32770,33022,98306,98558,163842,164094,196609,204800,229378,229630,294914,295166,501547
vendor
10,0,42,44,85,2408,32770,32806,32807,36902,74242
It takes 12.9s and 5.6s without and with the CL respectively.
Fixes: 68553827
Test: recovery_unit_test
Test: Flash new build and trigger update_verifier. Check the balanced
block verification.
Change-Id: I5fa4bf09a84e6b9b0975ee5f522724464181333f
We used to CHECK and abort on parsing errors. While it works fine for
the updater use case (because recovery starts updater in a forked
process and collects the process exit code), it's difficult for other
clients to use RangeSet as a library (e.g. update_verifier).
This CL switches the aborts to returning empty RangeSet instead. Callers
need to check the parsing results explicitly.
The CL also separates RangeSet::PushBack() into a function, and moves
SortedRangeSet::Clear() into RangeSet.
Test: recovery_unit_test
Test: Sideload an OTA package with the new updater on angler.
Test: Sideload an OTA package with injected range string errors. The
updater aborts from the explicit checks.
Change-Id: If2b7f6f41dc93af917a21c7877a83e98dc3fd016
Since it has grown much larger, users of the header shouldn't compile
and carry their full copies.
Also add missing header includes in imgdiff.cpp and imgdiff_test.cpp.
Test: mmma bootable/recovery
Test: recovery_unit_test; recovery_component_test; recovery_host_test
Change-Id: I88ca54171765e5606ab0d61580fbc1ada578fd7d
bigbiff
Tianjie Xu
Bill Peckham
Tao Bao
Mark Salyzyn
Ethan Yonker
Tom Marshall
Humberto Borba