Age | Commit message | Author |
|
Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1706025
Change-Id: I6863bafcb02dd5940c15debb640bda1cdeb8ed67
|
|
8660347589 am: 5d4aeec7ed am: d121fd12e1
Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1704505
Change-Id: Ie9f24b576b5ef3e20b8c8f107a44a3687f5cc622
|
|
am: 5dd1de1828
Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1696829
Change-Id: I9844ed5f37225a8f5e21673a26558b36947210c0
|
|
Test: th
Change-Id: I57a36f8f6254d3e57a4787f1a7d3cc3368bbd7a7
|
|
Old behavior:
When update_engine starts up after the device takes an OTA and reboots, if
the device booted into a different build (check build fingerprint),
ResetStatus().
When we apply a self-ota, device will boot into the same build, so
ResetStatus() is never called. If we apply the same OTA at this point,
this OTA will be treated as a "resume", and will fail to install because
we never call libsnapshot's API to allocate snapshot for new update.
Changed to ResetStatus() if boot slot changed, or build fingerprint
changed.
Bug: 185019674
Test: apply self-full OTA, reboot, repeat 2 times.
Change-Id: Idcc29dc1c02f3b9b2c84ed1978abedb651a3875a
|
|
Old behavior:
Read partition, for each block:
Update hasher
Update verity writer
before reading hashtree/verity:
write hashtree/verity to disk
Read the last verity blocks.
Finalize hasher, verity hashes.
The old behavior tries to minimize fs reads by reading only once and feeding
data to hasher and verity writer. However, in VABC, reading/writing are
handled very differently. Read can be done via regular fd, but writes
must go through special COW API. As we have seen in b/186196758, using
COW API in filesystem hashing can lead to inconsistent read and boot
failure. Therefore, we've decided to write verity first using COW API,
then read/hash partition using regular fd. This does mean that we need
to read everything twice, but we think this is a worthwhile tradeoff.
As verity writes can take 5 minutes, but reading the entire partition
again only takes <10 seconds.
New behavior:
Read partition, for each block:
Update verity writer
Finalize verity writer, write verity to disk
launch snapuserd, open a regular fd.
Read partition, for each block:
Update hasher
Finalize hasher, verity hashes.
Test: th
Test: Manual testing on pixel of the following scenario:
1. Verity enabled, VABC enabled, pause/resume multiple times
2. Verity disabled, VABC enabled, pause/resume multiple times
3. Verity Enabled, VABC enabled, pause/resume multiple times
Bug: 186196758
Change-Id: I2477c2dc4da5b921e84b48a54d0d8a877c1a52ef
|
|
Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1686865
Change-Id: I3012b932910d78275c91559a3b3ddcb1032746e3
|
|
6180c7600f am: e0042ab207
Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1696827
Change-Id: I12b69e04373607aa62057503a71def4a07afe1dc
|
|
If update_engine opens CowWriterFileDescriptor w/o writing anything,
data past the resume label is readable while fd is open, but will
be discarded once the fd is closed. Such "phantom read" causes
inconsistency. This CL contains two changes to address the above bug:
1. When device reboots after update, all I/O are served by snapuserd.
update_engine should use snapuserd for verification to emulate behavior
of device after reboot.
2. When a CowWriterFd is opened, don't call Finalize() if no verity is
written. Since past-the-end data is discarded when we call Finalize()
Test: th
Bug: 186196758
Change-Id: Ia1d31b671c16fded7319677fe0397f1288457201
|
|
When postinstall_mount_device is initially introduced, it's only
intended to be used by postinstall action, hence the name. Now we plan
to use it for fs verification purpose as well, rename for better
clarity.
Test: th
Change-Id: Iff996f2f513bb44694e39d758a69851793b9a565
|
|
am: 4df6448026
Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1664859
Change-Id: I7be0c55b85153a148fff0ea93ba893563108d094
|
|
We had a severe bug in CleanupPreviousUpdateAction, undetected for a
while. Added unittest to cover the bug so we don't regress.
Bug: 169436297
Bug: 178637306
Test: th
Change-Id: I40fc97a5c771ec001896ecd8f6d46b551cc7724c
|
|
c154fdaedb
Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1656387
Change-Id: I35c6cdc5ed2d295e25c4279041a9dc6f70fdf485
|
|
Test: th
Change-Id: Ide00028036b8b382a233b52716795a5c5c8da4e6
|
|
We were mounting /postinstall with a 'context=...' option. This forces
all files within /postinstall to have a single selinux context,
limiting the possible granularity of our policies. Here we change it
to simply default to the 'postinstall_file' context for the 'system'
partition but allow individual files to have their own custom contexts
defined by /system/sepolicy. Other partitions retain the single
'postinstall_file' context.
The sample_images were updated to manually add a selinux label for
testing FS contexts.
Test: Manual OTA of blueline
Test: atest update_engine_unittests
Bug: 181182967
Change-Id: I0b8c2b2228fa08afecb64da9c276737eb9ae3631
Merged-In: I0b8c2b2228fa08afecb64da9c276737eb9ae3631
|
|
|
|
We were mounting /postinstall with a 'context=...' option. This forces
all files within /postinstall to have a single selinux context,
limiting the possible granularity of our policies. Here we change it
to simply default to the 'postinstall_file' context for the 'system'
partition but allow individual files to have their own custom contexts
defined by /system/sepolicy. Other partitions retain the single
'postinstall_file' context.
The sample_images were updated to manually add a selinux label for
testing FS contexts.
Test: Manual OTA of blueline
Test: atest update_engine_unittests
Bug: 181182967
Change-Id: I0b8c2b2228fa08afecb64da9c276737eb9ae3631
|
|
We can return a FileDescriptor object, which encapsulates logic needed
to write to a COW. This way, filesystem verification action can use the
returned value directly for computing verity and hash the partition.
Test: th
Change-Id: Iafe9699ef0cc15961641fc94f8ad2820230a56e1
|
|
Bug: 172911822
Test: atest ApexHandlerAndroidTest (checked that file was created)
Change-Id: I8024695ebba1a9c1796c05b27a0eec3da3b3d1bc
|
|
When DynamicPartitionControlAndroid is constructed, it initializes both
source and target slot to -1. These values get updated during
PreparePartitionsForUpdate call. And we only
PreparePartitionsForUpdate() when applying an OTA or allocating space
for an OTA (not when verifying OTA metadata). Which means if
VerifyPayloadApplicable() is called before any call to other APIs, we
could be using an "Uninitialized" dynamic partition control.
To mitigate this problem, we pass in source_slot at ctor of
DynamicPartitionControl, also make IsDynamicPartition() api take in a
slot number to avoid reading uninitialized member fields.
Bug: 181643302
Test: apply an OTA, abort, restart update_engine, verify a payload
Change-Id: I9a8a0fe8a9aca48e91241e15bdec33a1c1228553
|
|
CowOperationConvert class already assumes that all merge operations are
CowCopy, as we currently don't have any other CowOp types. For safety,
skip all CowOps which are not CowCopy, in case we want to add other
types in the future.
Test: th
Change-Id: I7455f23e0e128b713fc22798ec1f2cbd918ae4d0
|
|
For first version, we let update_engine compute size requirements by
adding up decompressed sizes. Then update_engine creates a file at a
fixed path and write 0s to that file to reserve space.
Test: treehugger, serve an OTA, make sure /data/apex/ota_reserved is present
Bug: 172911822
Change-Id: I2f44289711b1daa064af8ead66cc1293dad89dc7
|
|
Test: th
Change-Id: Ia04f92d46da34fcd28d7e97c24b6e02fd676e1c7
|
|
If a slot doesn't support dynamic partitions, it's impossible to list
dynamic partitions on that slot. And we should just fall back to the
regular A/B in this case.
Bug: 180025432
Test: apply a retrofit package
Change-Id: I16c457b591e8c1d0cf1077a7be50dd9d8f61b8eb
|
|
target_files contain META/apex_info.pb, which contains metadata about
compressed apexes. Extract this file from target_file.zip, and pass it
to delta_generator. delta_generator will then copy these data to
update_metadata
Test: generate an OTA, make sure a device running an older build can
install the OTA
Bug: 172911822
Change-Id: If0e185a32262a849d533c3316ffdf205cb6628b6
|
|
Test: TH
Bug: 178732971
Change-Id: If434927b7abdecb8093db1462dae196cd744331a
|
|
This function returns whether Virtual A/B
compression is enabled for the ongoing update.
Test: TH
Bug: 178732971
Change-Id: I781802443afd1d8deac046a8da198658220f7ba0
|
|
This reverts commit 4e5da3e9d7459e3d983db943ebf3cb4c36af9c60.
Reason for revert: b/178908708
Change-Id: I616da64ffda5b94044f3493861d6d01aebfaad61
|
|
target_files contain META/apex_info.pb, which contains metadata about
compressed apexes. Extract this file from target_file.zip, and pass it
to delta_generator. delta_generator will then copy these data to
update_metadata
Test: generate an OTA
Bug: 172911822
Change-Id: Ia4babb9e711a92f2b78ef8e1dd6ad35d0a2bb5a8
|
|
We want to improve the security of the keystore encryption key for resume
on reboot. One AI is to create the key with the vbmeta digest of the
next slot to boot into. After reboot, the decryption will fail if
ro.boot.vbmeta.digest of the new slot doesn't match the calculated value
before reboot.
Since update_engine manages the slot switch, let it calculate the digest
as well.
Bug: 177625570
Test: do a update, check that the sysprop is set.
Change-Id: I74b20fca72f6946d980b93d76990f1c8b8f246a9
|
|
Test: treehugger
Bug: 176087961
Change-Id: I00fa7b5ba508a31162a986f50034ceeb34becbfd
|
|
If you pass in a static string literal like "Hello World!", then with
parameter type of const string& you need to construct a new string
object, requiring a copy. It will also require a copy if your data is in
another container, for example std::vector<char> . In update_engine, we
store manifest bytes in std::vector, and sometimes we want to save that
manifest to disk. This CL can help us reduce copy of the manifest(up to
2MB).
Test: treehugger
Change-Id: I70feb4c0673c174fd47f02c4bd41994f74cda743
|
|
Test: treehugger
Change-Id: I03f69b7add96eaa481b1152a1425f4cb669d1113
|
|
Add a unittest that generates a valid manifest, signed with unittest
keys. Then assert that download action can load the cached manifest
correctly.
Since the unittest keys are RSA keys, we add support for RSA keys to
payload_verifier
Test: treehugger
Change-Id: Iebf4bd740ad2c18f4e71527eeee4c12e3f8e7dea
|
|
Test: treehugger
Bug: 175042161
Change-Id: I580ec94f0b336f4ad2cb706da531668718554e1d
|
|
Test: treehugger
Bug: 174112589
Change-Id: If95893569ab41d1806f266aa269722b403a50fa4
|
|
Test: treehugger
Change-Id: I4984f03fa95a753fb17779451eb458f177432d4f
|
|
The style guide does not allow a global object with non-trivial dtor. It
can cause hidden problems and it has caused issue this CL is
fixing (look at the attached bug). Instead of keeping the ownership of
the SystemState in global, we can keep the ownership in the high level
object DaemonChromeOS and keep a global static pointer to it so it can
easily be accessed by SystemState::Get().
BUG=b:174212887
TEST=cros_workon_make --board reef --test update_engine
TEST=cros deploy + stop update-engine -> The update_engine did not crash anymore.
Change-Id: I442f4220bfd8586c59fcdfd7d699776362143467
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2566875
Tested-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Jae Hoon Kim <kimjae@chromium.org>
Commit-Queue: Amin Hassani <ahassani@chromium.org>
|
|
base::DeleteFile(const FilePath& path, bool recursive) would be
deprecated in next libchrome uprev.
BUG=chromium:1144735
TEST=cros_run_unit_tests --board=eve --packages update_engine
Change-Id: Iaeac97f533a156c2c29f7ba53755664d6591b0a1
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2543515
Tested-by: Grace Cham <hscham@chromium.org>
Reviewed-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Hidehiko Abe <hidehiko@chromium.org>
Commit-Queue: Grace Cham <hscham@chromium.org>
|
|
There is no need to pass the Pref class around (at least not in cros)
since we have the SystemState as the global context and we can get the
pref from there.
BUG=b:171829801
TEST=cros_workon_make --board reef --test update_engine
Change-Id: I9f5fb8a118fab2ef0e188c42f746dafb1094972c
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2548740
Tested-by: Amin Hassani <ahassani@chromium.org>
Commit-Queue: Jae Hoon Kim <kimjae@chromium.org>
Reviewed-by: Jae Hoon Kim <kimjae@chromium.org>
|
|
No need to pass clock and fake clock anywhere anymore. This CL makes it
to just use those objects available from SystemState and
FakeSystemState.
BUG=b:171829801
TEST=cros_workon_make --board reef --test update_engine
Change-Id: I9a3cf6dd2057620c11b862d3317b83489c76f3ca
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2546625
Tested-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Jae Hoon Kim <kimjae@chromium.org>
Commit-Queue: Jae Hoon Kim <kimjae@chromium.org>
|
|
With VABC, we no longer need to map all partitions before
reading/writing, so don't try to map them.
1. modify GetPartitionDevice to return empty path for target partitions
on VABC
2. Add a separate GetMountableTargetDevice for obtaining a mountable
device path, specifically for postinstall
Test: treehugger
Change-Id: Ib1f608914fc49c677ce7389140ca79b028171191
|
|
These objects are available through SystemState. No need to keep pointer
to them in various classes (OmahaRequestBuilderXml in this case). This
makes testing/debugging easier because there will be one central
location for getting pointers to these values.
BUG=b:171829801
TEST=cros_workon_make --board reef --test update_engine
Change-Id: I02a36afdc7dcb00e02b1a61263141745afc7fb26
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2543814
Tested-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Jae Hoon Kim <kimjae@chromium.org>
Commit-Queue: Amin Hassani <ahassani@chromium.org>
|
|
During FileSystemVerify stage, update_engine needs to read from source
or target partition to verify hashes && write verity. Previously we used
brillo's file stream to implement async reads. With Virtual AB
Compression, reading from target partition must go through libsnapshot's
interface(FileDescriptorPtr). So we replace brillo::FileStream with
FileDescriptorPtr for ease of integrating with VABC.
Test: serve an OTA update, verify: slot switch resume, regular resume
Change-Id: Id8531757468f60e3e21667b7761b83f7c2af2dbf
|
|
Test: treehugger
Change-Id: I655e4d6114a25c58857679985cd5e08581c0faab
|
|
Test: treehugger
Change-Id: I393fc36372f9e979da1a6c7e49c7782a7372a5b9
|
|
SystemState is supposed to be a global context and is used almost
everywhere. So instead of passing it to functions and keeping multiple
pointers to it, it's better to do what we did in dlcservice and make it a
singleton class with a getter that can be used from everywhere.
BUG=b:171829801
TEST=unittests
Change-Id: I3b2de9394b7769b3911195ca52d61dbe49afd4dd
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2521792
Commit-Queue: Amin Hassani <ahassani@chromium.org>
Tested-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Jae Hoon Kim <kimjae@chromium.org>
|
|
This reverts commit 24599af599acf74b71a555a8eeb827bedcd672b5.
Reason for revert: b/173009837
Test: 1. update_device.py ota.zip
--extra-headers="SWITCH_SLOT_ON_REBOOT=0"
2. update_device.py ota.zip
3. Verify that 2 did not re-start the entire update, only fs
verification and postinstall may re-run.
Bug: 173009837
Change-Id: Ia31025ebc68a5e6a72d7a0919994d614213270d1
|
|
Store the unique fp value from response into prefs. Value is later sent
to Omaha to determine if there is a subsequent update available
while the system is waiting to be rebooted.
BUG=b:161259884
TEST=cros_workon_make --board=hatch --test update_engine
Change-Id: Ie37aa5da3cd8a0820e633f5ef426fb50e8a02838
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2491618
Tested-by: Vyshu Khota <vyshu@google.com>
Commit-Queue: Vyshu Khota <vyshu@google.com>
Reviewed-by: Amin Hassani <ahassani@chromium.org>
|
|
It seems like UpdateAttempter is the best option for implementation of
DaemonStateInterface. SystemState should only be doing state keeping not
doing these startup logics.
BUG=b:171829801
TEST=unittests
TEST=CQ passes
Change-Id: I47ec50107ffbeb544e061f39c900a1559f2cdcab
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2519843
Tested-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Jae Hoon Kim <kimjae@chromium.org>
Commit-Queue: Jae Hoon Kim <kimjae@chromium.org>
|