The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.
Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.
Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
(cherry-picked from f69e6a9475)
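
The boundary check described in the commit message above, as an added example that is not part of the commit or of the recovery source. It assumes a 6-byte footer at the end of the EOCD comment (signature_start, 0xff 0xff, comment_size, both values 16-bit little-endian); the function, enum and sample-builder names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed layout (not stated on the page): the EOCD comment ends with a 6-byte
// footer: signature_start (u16 LE), 0xff 0xff, comment_size (u16 LE).
constexpr size_t kFooterSize = 6;
constexpr size_t kEocdHeaderSize = 22;  // fixed part of a zip EOCD record
enum Result { kOk, kTooShort, kBadMarker, kSigOutsideComment, kSigInFooter, kBadEocd };
struct Span { size_t offset, length; };  // filled in only when kOk is returned

Result LocateSignature(const std::vector<uint8_t>& zip, Span* out) {
  if (zip.size() < kFooterSize) return kTooShort;
  const uint8_t* f = zip.data() + zip.size() - kFooterSize;
  if (f[2] != 0xff || f[3] != 0xff) return kBadMarker;
  size_t signature_start = f[0] | (f[1] << 8);  // counted back from end of file
  size_t comment_size = f[4] | (f[5] << 8);
  // The boundary check: the signature must begin inside the comment field.
  // Without it, zip.size() - signature_start can land outside the comment.
  if (signature_start > comment_size) return kSigOutsideComment;
  if (signature_start <= kFooterSize) return kSigInFooter;  // no signature bytes
  size_t eocd_size = kEocdHeaderSize + comment_size;
  if (zip.size() < eocd_size) return kTooShort;
  const uint8_t* eocd = zip.data() + zip.size() - eocd_size;
  if (eocd[0] != 0x50 || eocd[1] != 0x4b || eocd[2] != 0x05 || eocd[3] != 0x06) return kBadEocd;
  // Extra consistency check in this example: EOCD's own comment length must agree.
  if (size_t(eocd[20] | (eocd[21] << 8)) != comment_size) return kBadEocd;
  *out = {zip.size() - signature_start, signature_start - kFooterSize};
  return kOk;
}

// Constructed sample: a bare EOCD record with a comment_size-byte comment (>= 6).
std::vector<uint8_t> MakeSample(uint16_t comment_size, uint16_t signature_start) {
  std::vector<uint8_t> z(kEocdHeaderSize + comment_size, 0);
  z[0] = 0x50; z[1] = 0x4b; z[2] = 0x05; z[3] = 0x06;
  z[20] = comment_size & 0xff; z[21] = comment_size >> 8;
  uint8_t* f = z.data() + z.size() - kFooterSize;
  f[0] = signature_start & 0xff; f[1] = signature_start >> 8;
  f[2] = f[3] = 0xff;
  f[4] = comment_size & 0xff; f[5] = comment_size >> 8;
  return z;
}

int main() {
  Span s{0, 0};
  std::printf("in-bounds: %d\n", LocateSignature(MakeSample(64, 40), &s));
  std::printf("oversized: %d\n", LocateSignature(MakeSample(64, 0xffff), &s));
  return 0;
}
```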

Starting healthd in early-init can cause SELinux denials if healthd
or any device-specific libraries try to log.
Now healthd is starting at boot as a usual service.
Bug: 30292927
Change-Id: I367d022f5885122da49181db3db536012e83f564

Add the error codes for uncrypt and report the failure details in
uncrypt_status.
Test: uncrypt_error logs correctly in last_install
Bug: 31603820
Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
(cherry picked from commit da44cf18f3)

Currently we save the OTA metrics in last_install, which keeps the data
for the _last_ install only. This CL logs the same content into last_log
so that we keep the metrics for every install.
Bug: 31607469
Test: Apply an update (via OTA and sideload) and check last_log and last_install.
Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c
(cherry picked from commit f4885adc18)

Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery
reads the file and saves its contents to last_install.
Bug: 31383361
Test: Tested on angler and uncrypt_time reports correctly.
(cherry picked from commit fe16b5ccaf)
Change-Id: Id69681a35c7eb2f0eb21b48e3616dcda82ce41b8

For A/B devices, "view recovery logs" doesn't work due to the lack
of cache partition. To help debugging, we'll show /tmp/recovery.log
instead if /cache is not found.
Change-Id: Idb77c3a4c30388148a210b38d732a7b27e757bba
Test: Tested on an A/B device and /tmp/recovery.log showed up.
Bug: 30905700
(cherry picked from commit a54f75ede8)

This missing header is needed to use PRIu64 macros.
Bug: 27178350
TEST=`mma bootable/recovery` on the failing branch.
Change-Id: I165701e8019256426d3f6a4168db52c6a0197c4d

This patch enables sideloading an OTA on A/B devices while running from
recovery. Recovery accepts the same OTA package format as recent
versions of GMS, which consists of a .zip file with the payload in it.
Bug: 27178350
TEST=`adb sideload` successfully a full OTA (*)
TEST=Failed to take several invalid payloads (wrong product,
fingerprint, update type, serial, etc).
(*) with no postinstall script.
Change-Id: I951869340100feb5a37e41fac0ee59c10095659e

Recently flashed devices may not have care_map.txt in /data/ota_package.
This leads to a failure of update-verifier and prevents the boot
success flag from being set. So, we need to skip verification
in case the file is not found.
Error message:
... I update_verifier: Started with arg 1: nonencrypted
... I update_verifier: Booting slot 1: isSlotMarkedSuccessful=0
... E update_verifier: Care map /data/ota_package/care_map.txt not found.
... E update_verifier: Failed to verify all blocks in care map file
Bug: 30156449
Change-Id: Ia15f5f3e7ca2ea6981d49678e799b9f70d134faa

The veritymode string used by the bootloader should be lowercase 'eio'
instead of 'EIO'. Fix the typo and change to strcasecmp.
Bug: 27175949
Change-Id: I376dacc70eef7364e2b9931a7c940adedcdb1929

Read all blocks in system and vendor partition during boot time
so that dm-verity could verify this partition is properly flashed.
Bug: 27175949
Change-Id: I38ff7b18ee4f2733e639b89633d36f5ed551c989

Skip the OTA installation when bootreason is 'kernel_panic',
'Panic' etc.
Change-Id: Ic1202492bffefa1a9d8d0e691b5af979285e552c
Test: On angler, ota installation skips for one bootreason in the blacklist.
Bug: 29978689

Add support for landscape layouts to the existing portrait support.
Bug: http://b/29418855
Test: tested manually with "Run graphics test" on flounder/fugu/ryu.
Change-Id: Ib4a62bf5f2b8a1cef6028a01f05145104660560a

Was accidentally broken by the CL in [1].
[1]: commit d6c93afcc2
Bug: 29767315
Change-Id: I851e13ccea6f5be6fcd47f712cc95867245f9934
(cherry picked from commit efacd80364)

bootloader_messages merges bootloader_message_writer
and bootloader.cpp, so we can use the same library to
manage bootloader_message in normal boot and recovery mode.
Bug: 29582118
Change-Id: I9efdf776ef8f02b53911ff43a518e035e0c29618

Increase the number of attempts of an OTA update from 3 to 5 in case
an I/O error happened. This should increase the success rate of the
update.
Bug: 29619468
Change-Id: I88a067d9debd55a07be22ed981f395f6e47ec28f

To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.
Bug: 29159185
Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168

Check the results from applypatch in PerformCommandDiff; and abort the
update on failure.
Bug: 29339536
Change-Id: I5087d79ba532b54250f4c17560524255c8a4fabc

We may have expanded_len == 0 when calling inflate(). After switching to
using std::vector, it passes a nullptr buffer to inflate() and leads to
Z_STREAM_ERROR.
Bug: 29312140
Change-Id: Iab7c6c07a9e8488e844e7cdda76d02bd60d2ea98

Parse the build.version.incremental from the metadata of the update
package; and log it to last_install.
Example:
In metadata we read:
post-build-incremental=2951741
pre-build-incremental=2943039
In last install we log:
source_build: 2943039
target_build: 2951741
Bug: 28658632
Change-Id: I0a9cc2d01644846e18bda31f4193ff40e8924486

am: 7ce287d432
* commit '7ce287d432dd3a4dc8841fc59e11ee1a0b7808a1':
Call ioctl before each write on retry
Change-Id: Iae05ceca190c253d0be3ae9e4054abf4d0dbe751