Move merge_status from bootloader_control_ab, which is in vendor space,
to a new generic AOSP struct in system space. This will allow more
devices to share the same HAL implementation.
This patch also changes libboot_control to compensate for merge_status
moving out of vendor space. The reference HAL library now also provides
separate helper functions for managing the merge status, so devices
using a custom boot control HAL can still take advantage of the new misc
implementation.
Bug: 139156011
Test: manual test
Change-Id: I5cd824e25f9d07aad1476301def5cdc3f506b029
We used to set sys.usb.config to adb in the init script. And the purpose
is to start adbd. This is a duplicate of code because we always check and
reset the usb config in recovery_main.
Test: check adbd starts
Change-Id: I6e2842ff8aebf6ccf3bd3f2ae85323899a2b9de4
This reduces the wipe space from 32K to 16K. The wipe space is now
at the 16K-32K region. The 32K-64K region is now "system space", to
complement the vendor space, for generic AOSP usage.
Bug: 139156011
Test: manual test
Change-Id: I1474bfa65a5f21049ab64ec0aee2f4585b55f60f
During automatic tests, we sometimes want to reboot the device out of
the rescue party remotely. And per http://go/recovery-adb-access, one
option is to start adbd in user build if the device has an unlocked
bootloader. This should not add more surface of attack. Because verified
boot is off with the unlocked bootloader, and the user can always flash
a custom recovery image that always starts adbd.
Bug: 141247819
Test: check adbd doesn't start in user build, unlock bootloader, and
check adbd starts.
Change-Id: I851746245f862cb4dfb01e6c3ad035f2c9f9ccec
am: 450fdc6943 -s ours
am skip reason: change_id Ifc73de385b7d857e8d0ceb20ff7275ba27bb200c with SHA1 cf6b4dce12 is in history
Change-Id: I60ba22e7886673d4ac45e3f7d12f48a9c2565686
am: 341e99e9b4 -s ours
am skip reason: change_id Ifc73de385b7d857e8d0ceb20ff7275ba27bb200c with SHA1 cf6b4dce12 is in history
Change-Id: I47843f764156112cfe2ff164c98186ca4a773d7d
am: 5854abbb43 -s ours
am skip reason: change_id Ifc73de385b7d857e8d0ceb20ff7275ba27bb200c with SHA1 cf6b4dce12 is in history
Change-Id: Idc3f78654c812b946011f2b7b9dc179536108c94
am: c73a97c6ee -s ours
am skip reason: change_id Ifc73de385b7d857e8d0ceb20ff7275ba27bb200c with SHA1 cf6b4dce12 is in history
Change-Id: Ib87c586d8c444dbc786556c2e1e32c1eaa6f0c3f
required doesn't propagate from apexes, so we need a separate phony
target to track adbd's dependenecies.
Test: m
Change-Id: I13977d1376de63839bf182d2cfa56b5c6c63aba9
`misc_device_` is a std::string, so it allocates and manages its own
memory. Hence, the strdup here is immediately leaked.
Caught by the static analyzer
Bug: None
Test: TreeHugger
Change-Id: Iffb1ff60f6087e470a0979d202150567272e8b1c
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f