Add the error codes for uncrypt and report the failure details in
uncrypt_status.
Test: uncrypt_error logs correctly in last_install
Bug: 31603820
Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
(cherry picked from commit da44cf18f3)
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery
reads the file and saves its contents to last_install.
Bug: 31383361
Test: Tested on angler and uncrypt_time reports correctly.
(cherry picked from commit fe16b5ccaf)
Change-Id: Id69681a35c7eb2f0eb21b48e3616dcda82ce41b8
bootloader_messages merges bootloader_message_writer
and bootloader.cpp, so we can use the same library to
manage bootloader_message in normal boot and recovery mode.
Bug: 29582118
Change-Id: I9efdf776ef8f02b53911ff43a518e035e0c29618
To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.
Bug: 29159185
Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
init and vold also need to write bootloader message, so
split this function from uncrypt into a separate library.
Bug: 27176738
Change-Id: If9b0887b4f6ffab6162d9cb47a6ceb7eedd60b4d
We used to rely on files (e.g. /cache/recovery/command and
/cache/recovery/uncrypt_status) to communicate between uncrypt and its
caller (i.e. system_server). Since A/B devices may not have /cache
partitions anymore, we switch to socket communication instead.
We will keep the use of /cache/recovery/uncrypt_file to indicate the OTA
package to be uncrypt'd though. Because there is existing logic in
ShutdownThread.java that depends on the existence of the file to
detect pending uncrypt works. This part won't affect A/B devices without
/cache partitions, because such devices won't need uncrypt service (i.e
the real de-encrypt work) anyway.
Bug: 27176738
Change-Id: I481406e09e3ffc7b80f2c9e39003b9fca028742e
The framework CL in [1] removes the use of "pre-recovery" service which
is basically to trigger a reboot into the recovery.
[1] commit e8a403d57c8ea540f8287cdaee8b90f0cf9626a3
Bug: 26830925
Change-Id: I131f31a228df59e4f9c3024b238bbdee0be2b157
Writing map file directly can break consistency in map file if
it fails in the middle. Instead, we write a temporary file and
rename the temporary file to map file.
Bug: 26883096
Change-Id: I5e99e942e1b75e758af5f7a48f8a08a0b0041d6a
The `std::string package` variable goes out of scope but the input_path
variable is then used to access the memory as it's set to `c_str()`.
This was detected via OpenBSD malloc's junk filling feature.
Change-Id: Ic4b939347881b6ebebf71884e7e2272ce99510e2
We have the following warnings when compiling uncrypt on LP64 (e.g.
aosp_angler-userdebug).
bootable/recovery/uncrypt/uncrypt.cpp:77:53: warning: format specifies type 'long long' but the argument has type 'off64_t' (aka 'long') [-Wformat]
ALOGE("error seeking to offset %lld: %s\n", offset, strerror(errno));
~~~~ ^~~~~~
%ld
bootable/recovery/uncrypt/uncrypt.cpp:84:54: warning: format specifies type 'long long' but the argument has type 'unsigned long' [-Wformat]
ALOGE("error writing offset %lld: %s\n", (offset + written), strerror(errno));
~~~~ ^~~~~~~~~~~~~~~~~~
%lu
bootable/recovery/uncrypt/uncrypt.cpp:246:16: warning: comparison of integers of different signs: 'size_t' (aka 'unsigned long') and 'off_t' (aka 'long') [-Wsign-compare]
while (pos < sb.st_size) {
~~~ ^ ~~~~~~~~~~
According to POSIX spec [1], we have:
off_t and blksize_t shall be signed integer types;
size_t shall be an unsigned integer type;
blksize_t and size_t are no greater than the width of type long.
And on Android, we always have a 64-bit st_size from stat(2)
(//bionic/libc/include/sys/stat.h).
Fix the type and add necessary casts to suppress the warnings.
[1] http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/sys_types.h.html
Change-Id: I5d64d5b7919c541441176c364752de047f9ecb20
It turns out the standard explicitly states that if the pointer is
null, the deleter function won't be called. So it doesn't matter that
fclose(3) doesn't accept null.
Change-Id: I10e6e0d62209ec03ac60e673edd46f32ba279a04
This patch removes costly O_SYNC flag for encrypted block device.
After writing whole decrypted blocks, fsync should guarantee their consistency
from further power failures.
This patch reduces the elapsed time significantly consumed by upgrading packages
on an encrypted partition, so that it could avoid another time-out failures too.
Change-Id: I1fb9022c83ecc00bad09d107fc87a6a09babb0ec
Signed-off-by: Jaegeuk Kim <jaegeuk@motorola.com>
In order to maintain compatibility with older trees, we now have
minadbd.old and minui.old. I had to use a TARGET_GLOBAL_CFLAG to
handle ifdef issues in minui/minui.d because healthd includes
minui/minui.h and there was no other alternative to make minui.h
compatible with older trees without having to modify healthd rules
which is outside of TWRP.
Note that the new minui does not currently have support for qcom
overlay graphics. Support for this graphics mode will likely be
added in a later patch set. If you are building in a 6.0 tree and
have a device that needs qcom overlay graphics, be warned, as off
mode charging may not work properly. A dead battery in this case
could potentially brick your device if it is unable to charge as
healthd handles charging duties.
Update rules for building toolbox and add rules for making toybox
Use permissive.sh in init.rc which will follow symlinks so we do
not have to worry about what binary is supplying the setenforce
functionality (toolbox, toybox, or busybox).
Fix a few warnings in the main recovery binary source code.
Fix a few includes that were missing that prevented compiling in
6.0
Change-Id: Ia67aa2107d260883da5e365475a19bea538e8b97
Move uncrypt from /init.rc to /system/etc/init/uncrypt.rc using the
LOCAL_INIT_RC mechanism
Bug 23186545
Change-Id: Ib8cb6dffd2212f524298279787fd557bc84aa7b9
Clean up leaky file descriptors in uncrypt/uncrypt.cpp. Add unique_fd
for open() and unique_file for fopen() to close FDs on destruction.
Bug: 21496020
Change-Id: I0174db0de9d5f59cd43b44757b8ef0f5912c91a2
When it reboots into recovery for a factory reset, it still needs to
write the uncrypt status (-1) to the pipe.
Bug: 21511893
(cherry picked from commit 2c2cae8a4a)
Change-Id: Ia5a75c5edf3afbd916153da1b4de4db2f00d0209
uncrypt needs to be triggered to prepare the OTA package before
rebooting into the recovery. Separate uncrypt into two modes. In
mode 1, it uncrypts the OTA package, but will not reboot the
device. In mode 2, it wipes the /misc partition and reboots.
Needs matching changes in frameworks/base, system/core and
external/sepolicy to work properly.
Bug: 20012567
Bug: 20949086
(cherry picked from commit 158e11d673)
Change-Id: I349f6d368a0d6f6ee4332831c4cd4075a47426ff
When it reboots into recovery for a factory reset, it still needs to
write the uncrypt status (-1) to the pipe.
Bug: 21511893
Change-Id: I1a725820f1e1875146e49b5a6f28af2fbf284fc7
uncrypt needs to be triggered to prepare the OTA package before
rebooting into the recovery. Separate uncrypt into two modes. In
mode 1, it uncrypts the OTA package, but will not reboot the
device. In mode 2, it wipes the /misc partition and reboots.
Needs matching changes in frameworks/base, system/core and
external/sepolicy to work properly.
Bug: 20012567
Bug: 20949086
Change-Id: I14d25cb62770dd405cb56824d05d649c3a94f315
Also apply some trivial changes like int -> bool and clean-ups.
Change-Id: I5c6c42d34965305c394f4f2de78487bd1174992a
(cherry picked from commit 381f455cac)
Fix the accidental change of behavior in [1]. OTA packages not on /data
partition should still go through the path that has validity checks and
wipe_misc() steps.
[1]: commit eaf33654c1.
Change-Id: I3e86e19f06603bfe6ecc691c9aa66a8a8a79c5fb
(cherry picked from commit fb4ccef1df)
Fix the accidental change of behavior in [1]. OTA packages not on /data
partition should still go through the path that has validity checks and
wipe_misc() steps.
[1]: commit eaf33654c1.
Change-Id: Ice9a049f6259cd2368d2fb95a991f8a6a0120bdd
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek.
Bug: http://b/20625546
Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b
(cherry picked from commit 7bad7c4646)
Migrate previous minzip to minzipold replacing the existing
minzipold. This will break compatibility with trees that do not
support selinux (ICS and older). Migrate former verifier files to
verifierold.
Add fuse.h to recovery source because older trees do not have it.
Add LOCAL_MODULE_TAGS where needed for 4.1 tree.
Change-Id: Iade57cb2b0115af7fce9f56aa98636b1744a1ef4
This should reduce errors if the device reboots before the blocks
are commited to disk.
Bug: 18481902
Change-Id: I13cda1c78955e4c83522fbcf87ddb16cc9f97683
This will probably not compile and may need additional work.
For tracking purposes so we know what might still need looking at
as none of this has been compiled and tested, here is a list of
the merge conflicts that I attempted to fix before pushing this
set of changes:
git pull aosp lollipop-release
remote: Finding sources: 100% (992/992)
remote: Total 992 (delta 473), reused 992 (delta 473)
Receiving objects: 100% (992/992), 1.51 MiB | 516.00 KiB/s, done.
Resolving deltas: 100% (473/473), completed with 42 local objects.
From https://android.googlesource.com/platform/bootable/recovery
* branch lollipop-release -> FETCH_HEAD
* [new branch] lollipop-release -> aosp/lollipop-release
Auto-merging verifier_test.cpp
CONFLICT (content): Merge conflict in verifier_test.cpp
Auto-merging verifier.h
CONFLICT (content): Merge conflict in verifier.h
Auto-merging verifier.cpp
CONFLICT (content): Merge conflict in verifier.cpp
Auto-merging updater/updater.c
Auto-merging updater/install.c
CONFLICT (content): Merge conflict in updater/install.c
Auto-merging updater/Android.mk
CONFLICT (content): Merge conflict in updater/Android.mk
Auto-merging uncrypt/Android.mk
CONFLICT (content): Merge conflict in uncrypt/Android.mk
Auto-merging ui.cpp
CONFLICT (content): Merge conflict in ui.cpp
Auto-merging screen_ui.cpp
Auto-merging roots.cpp
CONFLICT (content): Merge conflict in roots.cpp
CONFLICT (rename/delete): res-hdpi/images/progress_fill.png deleted
in HEAD and renamed in cddb68b5ea.
Version cddb68b5ea of
res-hdpi/images/progress_fill.png left in tree.
CONFLICT (rename/delete): res-hdpi/images/progress_empty.png deleted
in HEAD and renamed in cddb68b5ea.
Version cddb68b5ea of
res-hdpi/images/progress_empty.png left in tree.
CONFLICT (rename/delete): res-hdpi/images/icon_error.png deleted
in HEAD and renamed in cddb68b5ea.
Version cddb68b5ea of
res-hdpi/images/icon_error.png left in tree.
Auto-merging recovery.cpp
CONFLICT (content): Merge conflict in recovery.cpp
Auto-merging minui/resources.c
CONFLICT (content): Merge conflict in minui/resources.c
Auto-merging minui/minui.h
CONFLICT (content): Merge conflict in minui/minui.h
Auto-merging minui/graphics.c
CONFLICT (content): Merge conflict in minui/graphics.c
Auto-merging minui/Android.mk
CONFLICT (content): Merge conflict in minui/Android.mk
Removing minelf/Retouch.h
Removing minelf/Retouch.c
Auto-merging minadbd/usb_linux_client.c
CONFLICT (content): Merge conflict in minadbd/usb_linux_client.c
Auto-merging minadbd/adb.h
CONFLICT (content): Merge conflict in minadbd/adb.h
Auto-merging minadbd/adb.c
CONFLICT (content): Merge conflict in minadbd/adb.c
Auto-merging minadbd/Android.mk
CONFLICT (content): Merge conflict in minadbd/Android.mk
Removing make-overlay.py
Auto-merging install.h
CONFLICT (content): Merge conflict in install.h
Auto-merging etc/init.rc
CONFLICT (content): Merge conflict in etc/init.rc
Auto-merging bootloader.h
Auto-merging applypatch/applypatch.c
Auto-merging applypatch/Android.mk
CONFLICT (content): Merge conflict in applypatch/Android.mk
Auto-merging adb_install.cpp
CONFLICT (content): Merge conflict in adb_install.cpp
Auto-merging Android.mk
CONFLICT (content): Merge conflict in Android.mk
Automatic merge failed; fix conflicts and then commit the result.
Change-Id: I3e0e03e48ad8550912111c7a5c9a140ed0267e2c
Always create the block map for packages on /data; don't only look at
the encryptable/encrypted flags.
Bug: 17395453
Change-Id: Iaa7643a32898328277841e324305b9419a9e071c
Opening the misc block device in read-write mode runs afoul of
SELinux, which keeps the wipe code from working. Fix. Also change
various things to log to logcat so we can see them happening, for
future debugging.
Bug: 16715412
Change-Id: Ia14066f0a371cd605fcb544547b58a41acca70b9
Something is leaving behind wipe commands in the BCB area of the /misc
partition. We don't know what is doing that. It should always be
safe to zero out that area from uncrypt, though (because if uncrypt is
running then it's got the command we want in the recovery command file
rather than the BCB).
Bug: 16715412
Change-Id: Iad01124287f13b80ff71d6371db6371f43c43211
