android_bootable_recovery - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
*	Force package installation with FUSE unless the package stores on device	Tianjie Xu	2020-01-21	1	-0/+28
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The non-A/B package installation is subject to TOC/TOU flaw if the attacker can switch the package in the middle of installation. And the most pratical case is to store the package on an external device, e.g. a sdcard, and swap the device in the middle. To prevent that, we can adopt the same protection as used in sideloading a package with FUSE. Specifically, when we install the package with FUSE, we read the entire package to cryptographically verify its signature. The hash for each transfer block is recorded in the memory (TOC), and the subsequent reads (TOU) will be rejected upon dectecting a mismatch. This CL forces the package installation with FUSE when the package stays on a removable media. Bug: 136498130 Test: Run bin/recovery --update_package with various paths; and packages are installed from FUSE as expected Test: recovery_component_test - all passing Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
*	Move install to separate module	xunchang	2019-03-29	1	-2/+2
\| \| \| \| \| \| \| \|	Build libinstall as a shared library. Also drop the dependency on the global variables in common.h. Test: unit tests pass, sideload an OTA Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
*	Use the package class for wipe packages	xunchang	2019-03-12	1	-1/+4
\| \| \| \| \| \| \| \| \|	The wipe package used to open the zip file directly from the content string. Switch to use the interface from the new package class instead. Bug: 127071893 Test: unit tests pass Change-Id: I990e7f00c5148710722d17140bab2e343eea3b6b
*	Add a new entry in wipe package to list all wipe partitions	xunchang	2019-03-06	1	-0/+23
\| \| \| \| \| \| \| \| \|	This gives us finer control over the partitions to wipe on the host side. Bug: 127492427 Test: unit tests pass, install a wipe package on sailfish Change-Id: I612f8bac743a310f28e365b490ef388b278cfccb
*	Recovery test: Fix an parameter issue in string construction	xunchang	2019-02-05	1	-2/+2
\| \| \| \| \| \| \| \| \|	The intended string constructor is supposed be basic_string(size_type count, CharT ch). But the parameter is accidentally reversed when calling the constructor in install_test. Test: A failed unit test pass Change-Id: Id9765bfa7d2368ff0d7fbeea45c9c8357864e060
*	switch to using android-base/file.h instead of android-base/test_utils.h	Mark Salyzyn	2018-11-14	1	-1/+0
\| \| \| \| \| \|	Test: compile Bug: 119313545 Change-Id: I664fb32522d01909c603d7b903475c4e9aea9223
*	Refactor the code to check the metadata	Tianjie Xu	2018-10-31	1	-16/+264
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The two functions check_wipe_package() and check_newer_ab_build() were using the same flow; and checked the same device properties against the metadata file in the package. These properties include: ota_type, pre-device, and serial number. Therefore, we can consolidate the checks to a single function; and continue to check the fingerprint and timestamp only for AB updates. This change also addresses the need to accept multiple serial number in the wipe package. Bug: 118401208 Test: unit tests pass Change-Id: Ia6bc48fb6effcae059a2ff2cf71764b4136b4c00
*	Clean up the zipfile creation in InstallTest	Tianjie Xu	2018-10-29	1	-99/+40
\| \| \| \| \| \| \|	Consolidate them into a static function. Test: unit tests pass Change-Id: If05b62215940b221fc499d779eedc5079f68a060
*	Track the change to update_engine_sideload path.	Tao Bao	2018-08-14	1	-1/+1
\| \| \| \| \| \| \| \| \|	Bug: 112494634 Test: Build and boot into recovery image on taimen. Verify that `Apply updates from ADB` keeps working. Test: Run recovery_component_test on marlin. Change-Id: I9ee8834053fda79a4fd77bfa83eab3cc51a90dff
*	Drop the dependency on AB_OTA_UPDATER flag.	Tao Bao	2018-06-19	1	-89/+85
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This shortens the gap between A/B and non-A/B builds, by replacing the dependency on build-time flag with runtime detection instead. It also allows building and testing both paths regardless of the target OTA type. The size increase to /sbin/recovery looks negligible (< 0.01%). - marlin: increased from 2084928 to 2085024; - angler: increased from 2084776 to 2084896. Test: Run recovery_component_test on angler and marlin. Test: Sideload an A/B OTA package on marlin. Test: Sideload a non-A/B OTA package on angler. Change-Id: I1d927d1ede9713fb42f73b4fe324aa5705ee6f99
*	tests: Take the ownership of the FD when calling fdopen.	Tao Bao	2017-10-26	1	-13/+13
\| \| \| \| \| \| \|	To avoid closing the same FD twice. Test: recovery_component_test && recovery_host_test Change-Id: I95195be8109101081410e9224efda535b2560e72
*	Allow comparison against multi serial nums for A/B package	Tianjie Xu	2017-08-22	1	-13/+58
\| \| \| \| \| \| \| \| \| \| \| \| \|	The metadata file now can have multiple serial numbers in the format: serialno=serialno1\|serialno2\|serialno3 ... Verifier will pass the check if the device serial number matches any of these numbers. Bug: 64802465 Test: Create a metadata file with 1000 numbers and sideload in sailfish. The checker detects both match and mismatch cases. Change-Id: I3f12b75e15f4179df260778e37f4563d65db0fa8
*	Add a binary path param to update_binary_command().	Tao Bao	2017-05-08	1	-10/+74
\| \| \| \| \| \| \| \| \| \| \|	This allows writing native tests for non-A/B update_binary_command(). Prior to this CL, it was extracting the updater to a hard-coded location (/tmp/update_binary) that's not available under the test environment. Test: recovery_component_test on angler and marlin respectively. Test: Sideload OTA packages on angler and marlin respectively. Change-Id: I78b9cc211d90c0a16a84e94e339b65759300e2a8
*	Add more tests for verify_package_compatibility().	Tao Bao	2017-04-19	1	-0/+84
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This now covers the actual calls to libvintf, and asserts we're getting identical results through verify_package_compatibility() and by calling libvintf directly. We were missing the coverage and introduced the double free bug (fixed by commit f978278995d02a58e311fe017bdbb2c3702dd3bc). Bug: 37413730 Test: recovery_component_test passes. Test: recovery_component_test fails w/o commit f978278995d02a58e311fe017bdbb2c3702dd3bc. Change-Id: If5195ea1c583fd7c440a1de289da82145e80e23c
*	Add tests for read_metadata_from_package().	Tao Bao	2017-04-18	1	-0/+50
\| \| \| \| \|	Test: recovery_component_test Change-Id: I672a6a4f101c72e82b9f25f165dccd1c9520627b
*	Add tests for update_binary_command().	Tao Bao	2017-04-17	1	-0/+87
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Expose update_binary_command() through private/install.h for testing purpose. Also make minor clean-ups to install.cpp: a) adding more verbose logging on ExtractToMemory failures; b) update_binary_command() taking std::string instead of const char*; c) moving a few macro and global constants into update_binary_command(). Bug: 37300957 Test: recovery_component_test on marlin Test: Build new recovery and adb sideload on angler and sailfish. Change-Id: Ib2d9068af3fee038f01c90940ccaeb0a7da374fc
*	Verify the package compatibility with libvintf.	Tao Bao	2017-04-12	1	-0/+57
	verify_package_compatibility() is added to parse the compatibility entry (compatibility.zip) in a given OTA package. If entry is present, the information is sent to libvintf to check the compatibility. This CL doesn't actually call libvintf, since the API there is not available yet. Bug: 36597505 Test: Doesn't break the install with existing packages (i.e. w/o the compatibility entry). Test: recovery_component_test Change-Id: I3903ffa5f6ba33a5c0d761602ade6290c6752596 (cherry picked from commit 62e0bc7586077b3bde82759fb34b51b982cea20f)