delta_performer.cc revision 5b91c6b141970c2b0095775a61e3f941417aa1ff
1// 2// Copyright (C) 2012 The Android Open Source Project 3// 4// Licensed under the Apache License, Version 2.0 (the "License"); 5// you may not use this file except in compliance with the License. 6// You may obtain a copy of the License at 7// 8// http://www.apache.org/licenses/LICENSE-2.0 9// 10// Unless required by applicable law or agreed to in writing, software 11// distributed under the License is distributed on an "AS IS" BASIS, 12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13// See the License for the specific language governing permissions and 14// limitations under the License. 15// 16 17#include "update_engine/payload_consumer/delta_performer.h" 18 19#include <endian.h> 20#include <errno.h> 21#include <linux/fs.h> 22 23#include <algorithm> 24#include <cstring> 25#include <memory> 26#include <string> 27#include <vector> 28 29#include <applypatch/imgpatch.h> 30#include <base/files/file_util.h> 31#include <base/format_macros.h> 32#include <base/strings/string_number_conversions.h> 33#include <base/strings/string_util.h> 34#include <base/strings/stringprintf.h> 35#include <brillo/data_encoding.h> 36#include <brillo/make_unique_ptr.h> 37#include <google/protobuf/repeated_field.h> 38 39#include "update_engine/common/constants.h" 40#include "update_engine/common/hardware_interface.h" 41#include "update_engine/common/prefs_interface.h" 42#include "update_engine/common/subprocess.h" 43#include "update_engine/common/terminator.h" 44#include "update_engine/payload_consumer/bzip_extent_writer.h" 45#include "update_engine/payload_consumer/download_action.h" 46#include "update_engine/payload_consumer/extent_writer.h" 47#if USE_MTD 48#include "update_engine/payload_consumer/mtd_file_descriptor.h" 49#endif 50#include "update_engine/payload_consumer/payload_constants.h" 51#include "update_engine/payload_consumer/payload_verifier.h" 52#include "update_engine/payload_consumer/xz_extent_writer.h" 53 54using google::protobuf::RepeatedPtrField; 55using std::min; 56using std::string; 57using std::vector; 58 59namespace chromeos_update_engine { 60 61const uint64_t DeltaPerformer::kDeltaVersionOffset = sizeof(kDeltaMagic); 62const uint64_t DeltaPerformer::kDeltaVersionSize = 8; 63const uint64_t DeltaPerformer::kDeltaManifestSizeOffset = 64 kDeltaVersionOffset + kDeltaVersionSize; 65const uint64_t DeltaPerformer::kDeltaManifestSizeSize = 8; 66const uint64_t DeltaPerformer::kDeltaMetadataSignatureSizeSize = 4; 67const uint64_t DeltaPerformer::kMaxPayloadHeaderSize = 24; 68const uint64_t DeltaPerformer::kSupportedMajorPayloadVersion = 2; 69const uint32_t DeltaPerformer::kSupportedMinorPayloadVersion = 3; 70 71const unsigned DeltaPerformer::kProgressLogMaxChunks = 10; 72const unsigned DeltaPerformer::kProgressLogTimeoutSeconds = 30; 73const unsigned DeltaPerformer::kProgressDownloadWeight = 50; 74const unsigned DeltaPerformer::kProgressOperationsWeight = 50; 75 76namespace { 77const int kUpdateStateOperationInvalid = -1; 78const int kMaxResumedUpdateFailures = 10; 79#if USE_MTD 80const int kUbiVolumeAttachTimeout = 5 * 60; 81#endif 82 83FileDescriptorPtr CreateFileDescriptor(const char* path) { 84 FileDescriptorPtr ret; 85#if USE_MTD 86 if (strstr(path, "/dev/ubi") == path) { 87 if (!UbiFileDescriptor::IsUbi(path)) { 88 // The volume might not have been attached at boot time. 89 int volume_no; 90 if (utils::SplitPartitionName(path, nullptr, &volume_no)) { 91 utils::TryAttachingUbiVolume(volume_no, kUbiVolumeAttachTimeout); 92 } 93 } 94 if (UbiFileDescriptor::IsUbi(path)) { 95 LOG(INFO) << path << " is a UBI device."; 96 ret.reset(new UbiFileDescriptor); 97 } 98 } else if (MtdFileDescriptor::IsMtd(path)) { 99 LOG(INFO) << path << " is an MTD device."; 100 ret.reset(new MtdFileDescriptor); 101 } else { 102 LOG(INFO) << path << " is not an MTD nor a UBI device."; 103#endif 104 ret.reset(new EintrSafeFileDescriptor); 105#if USE_MTD 106 } 107#endif 108 return ret; 109} 110 111// Opens path for read/write. On success returns an open FileDescriptor 112// and sets *err to 0. On failure, sets *err to errno and returns nullptr. 113FileDescriptorPtr OpenFile(const char* path, int mode, int* err) { 114 // Try to mark the block device read-only based on the mode. Ignore any 115 // failure since this won't work when passing regular files. 116 utils::SetBlockDeviceReadOnly(path, (mode & O_ACCMODE) == O_RDONLY); 117 118 FileDescriptorPtr fd = CreateFileDescriptor(path); 119#if USE_MTD 120 // On NAND devices, we can either read, or write, but not both. So here we 121 // use O_WRONLY. 122 if (UbiFileDescriptor::IsUbi(path) || MtdFileDescriptor::IsMtd(path)) { 123 mode = O_WRONLY; 124 } 125#endif 126 if (!fd->Open(path, mode, 000)) { 127 *err = errno; 128 PLOG(ERROR) << "Unable to open file " << path; 129 return nullptr; 130 } 131 *err = 0; 132 return fd; 133} 134 135// Discard the tail of the block device referenced by |fd|, from the offset 136// |data_size| until the end of the block device. Returns whether the data was 137// discarded. 138bool DiscardPartitionTail(const FileDescriptorPtr& fd, uint64_t data_size) { 139 uint64_t part_size = fd->BlockDevSize(); 140 if (!part_size || part_size <= data_size) 141 return false; 142 143 struct blkioctl_request { 144 int number; 145 const char* name; 146 }; 147 const vector<blkioctl_request> blkioctl_requests = { 148 {BLKSECDISCARD, "BLKSECDISCARD"}, 149 {BLKDISCARD, "BLKDISCARD"}, 150#ifdef BLKZEROOUT 151 {BLKZEROOUT, "BLKZEROOUT"}, 152#endif 153 }; 154 for (const auto& req : blkioctl_requests) { 155 int error = 0; 156 if (fd->BlkIoctl(req.number, data_size, part_size - data_size, &error) && 157 error == 0) { 158 return true; 159 } 160 LOG(WARNING) << "Error discarding the last " 161 << (part_size - data_size) / 1024 << " KiB using ioctl(" 162 << req.name << ")"; 163 } 164 return false; 165} 166 167} // namespace 168 169 170// Computes the ratio of |part| and |total|, scaled to |norm|, using integer 171// arithmetic. 172static uint64_t IntRatio(uint64_t part, uint64_t total, uint64_t norm) { 173 return part * norm / total; 174} 175 176void DeltaPerformer::LogProgress(const char* message_prefix) { 177 // Format operations total count and percentage. 178 string total_operations_str("?"); 179 string completed_percentage_str(""); 180 if (num_total_operations_) { 181 total_operations_str = std::to_string(num_total_operations_); 182 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting. 183 completed_percentage_str = 184 base::StringPrintf(" (%" PRIu64 "%%)", 185 IntRatio(next_operation_num_, num_total_operations_, 186 100)); 187 } 188 189 // Format download total count and percentage. 190 size_t payload_size = install_plan_->payload_size; 191 string payload_size_str("?"); 192 string downloaded_percentage_str(""); 193 if (payload_size) { 194 payload_size_str = std::to_string(payload_size); 195 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting. 196 downloaded_percentage_str = 197 base::StringPrintf(" (%" PRIu64 "%%)", 198 IntRatio(total_bytes_received_, payload_size, 100)); 199 } 200 201 LOG(INFO) << (message_prefix ? message_prefix : "") << next_operation_num_ 202 << "/" << total_operations_str << " operations" 203 << completed_percentage_str << ", " << total_bytes_received_ 204 << "/" << payload_size_str << " bytes downloaded" 205 << downloaded_percentage_str << ", overall progress " 206 << overall_progress_ << "%"; 207} 208 209void DeltaPerformer::UpdateOverallProgress(bool force_log, 210 const char* message_prefix) { 211 // Compute our download and overall progress. 212 unsigned new_overall_progress = 0; 213 static_assert(kProgressDownloadWeight + kProgressOperationsWeight == 100, 214 "Progress weights don't add up"); 215 // Only consider download progress if its total size is known; otherwise 216 // adjust the operations weight to compensate for the absence of download 217 // progress. Also, make sure to cap the download portion at 218 // kProgressDownloadWeight, in case we end up downloading more than we 219 // initially expected (this indicates a problem, but could generally happen). 220 // TODO(garnold) the correction of operations weight when we do not have the 221 // total payload size, as well as the conditional guard below, should both be 222 // eliminated once we ensure that the payload_size in the install plan is 223 // always given and is non-zero. This currently isn't the case during unit 224 // tests (see chromium-os:37969). 225 size_t payload_size = install_plan_->payload_size; 226 unsigned actual_operations_weight = kProgressOperationsWeight; 227 if (payload_size) 228 new_overall_progress += min( 229 static_cast<unsigned>(IntRatio(total_bytes_received_, payload_size, 230 kProgressDownloadWeight)), 231 kProgressDownloadWeight); 232 else 233 actual_operations_weight += kProgressDownloadWeight; 234 235 // Only add completed operations if their total number is known; we definitely 236 // expect an update to have at least one operation, so the expectation is that 237 // this will eventually reach |actual_operations_weight|. 238 if (num_total_operations_) 239 new_overall_progress += IntRatio(next_operation_num_, num_total_operations_, 240 actual_operations_weight); 241 242 // Progress ratio cannot recede, unless our assumptions about the total 243 // payload size, total number of operations, or the monotonicity of progress 244 // is breached. 245 if (new_overall_progress < overall_progress_) { 246 LOG(WARNING) << "progress counter receded from " << overall_progress_ 247 << "% down to " << new_overall_progress << "%; this is a bug"; 248 force_log = true; 249 } 250 overall_progress_ = new_overall_progress; 251 252 // Update chunk index, log as needed: if forced by called, or we completed a 253 // progress chunk, or a timeout has expired. 254 base::Time curr_time = base::Time::Now(); 255 unsigned curr_progress_chunk = 256 overall_progress_ * kProgressLogMaxChunks / 100; 257 if (force_log || curr_progress_chunk > last_progress_chunk_ || 258 curr_time > forced_progress_log_time_) { 259 forced_progress_log_time_ = curr_time + forced_progress_log_wait_; 260 LogProgress(message_prefix); 261 } 262 last_progress_chunk_ = curr_progress_chunk; 263} 264 265 266size_t DeltaPerformer::CopyDataToBuffer(const char** bytes_p, size_t* count_p, 267 size_t max) { 268 const size_t count = *count_p; 269 if (!count) 270 return 0; // Special case shortcut. 271 size_t read_len = min(count, max - buffer_.size()); 272 const char* bytes_start = *bytes_p; 273 const char* bytes_end = bytes_start + read_len; 274 buffer_.insert(buffer_.end(), bytes_start, bytes_end); 275 *bytes_p = bytes_end; 276 *count_p = count - read_len; 277 return read_len; 278} 279 280 281bool DeltaPerformer::HandleOpResult(bool op_result, const char* op_type_name, 282 ErrorCode* error) { 283 if (op_result) 284 return true; 285 286 size_t partition_first_op_num = 287 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0; 288 LOG(ERROR) << "Failed to perform " << op_type_name << " operation " 289 << next_operation_num_ << ", which is the operation " 290 << next_operation_num_ - partition_first_op_num 291 << " in partition \"" 292 << partitions_[current_partition_].partition_name() << "\""; 293 if (*error == ErrorCode::kSuccess) 294 *error = ErrorCode::kDownloadOperationExecutionError; 295 return false; 296} 297 298int DeltaPerformer::Close() { 299 int err = -CloseCurrentPartition(); 300 LOG_IF(ERROR, !payload_hash_calculator_.Finalize() || 301 !signed_hash_calculator_.Finalize()) 302 << "Unable to finalize the hash."; 303 if (!buffer_.empty()) { 304 LOG(INFO) << "Discarding " << buffer_.size() << " unused downloaded bytes"; 305 if (err >= 0) 306 err = 1; 307 } 308 return -err; 309} 310 311int DeltaPerformer::CloseCurrentPartition() { 312 int err = 0; 313 if (source_fd_ && !source_fd_->Close()) { 314 err = errno; 315 PLOG(ERROR) << "Error closing source partition"; 316 if (!err) 317 err = 1; 318 } 319 source_fd_.reset(); 320 source_path_.clear(); 321 322 if (target_fd_ && !target_fd_->Close()) { 323 err = errno; 324 PLOG(ERROR) << "Error closing target partition"; 325 if (!err) 326 err = 1; 327 } 328 target_fd_.reset(); 329 target_path_.clear(); 330 return -err; 331} 332 333bool DeltaPerformer::OpenCurrentPartition() { 334 if (current_partition_ >= partitions_.size()) 335 return false; 336 337 const PartitionUpdate& partition = partitions_[current_partition_]; 338 // Open source fds if we have a delta payload with minor version >= 2. 339 if (install_plan_->payload_type == InstallPayloadType::kDelta && 340 GetMinorVersion() != kInPlaceMinorPayloadVersion) { 341 source_path_ = install_plan_->partitions[current_partition_].source_path; 342 int err; 343 source_fd_ = OpenFile(source_path_.c_str(), O_RDONLY, &err); 344 if (!source_fd_) { 345 LOG(ERROR) << "Unable to open source partition " 346 << partition.partition_name() << " on slot " 347 << BootControlInterface::SlotName(install_plan_->source_slot) 348 << ", file " << source_path_; 349 return false; 350 } 351 } 352 353 target_path_ = install_plan_->partitions[current_partition_].target_path; 354 int err; 355 target_fd_ = OpenFile(target_path_.c_str(), O_RDWR, &err); 356 if (!target_fd_) { 357 LOG(ERROR) << "Unable to open target partition " 358 << partition.partition_name() << " on slot " 359 << BootControlInterface::SlotName(install_plan_->target_slot) 360 << ", file " << target_path_; 361 return false; 362 } 363 364 LOG(INFO) << "Applying " << partition.operations().size() 365 << " operations to partition \"" << partition.partition_name() 366 << "\""; 367 368 // Discard the end of the partition, but ignore failures. 369 DiscardPartitionTail( 370 target_fd_, install_plan_->partitions[current_partition_].target_size); 371 372 return true; 373} 374 375namespace { 376 377void LogPartitionInfoHash(const PartitionInfo& info, const string& tag) { 378 string sha256 = brillo::data_encoding::Base64Encode(info.hash()); 379 LOG(INFO) << "PartitionInfo " << tag << " sha256: " << sha256 380 << " size: " << info.size(); 381} 382 383void LogPartitionInfo(const vector<PartitionUpdate>& partitions) { 384 for (const PartitionUpdate& partition : partitions) { 385 LogPartitionInfoHash(partition.old_partition_info(), 386 "old " + partition.partition_name()); 387 LogPartitionInfoHash(partition.new_partition_info(), 388 "new " + partition.partition_name()); 389 } 390} 391 392} // namespace 393 394bool DeltaPerformer::GetMetadataSignatureSizeOffset( 395 uint64_t* out_offset) const { 396 if (GetMajorVersion() == kBrilloMajorPayloadVersion) { 397 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize; 398 return true; 399 } 400 return false; 401} 402 403bool DeltaPerformer::GetManifestOffset(uint64_t* out_offset) const { 404 // Actual manifest begins right after the manifest size field or 405 // metadata signature size field if major version >= 2. 406 if (major_payload_version_ == kChromeOSMajorPayloadVersion) { 407 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize; 408 return true; 409 } 410 if (major_payload_version_ == kBrilloMajorPayloadVersion) { 411 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize + 412 kDeltaMetadataSignatureSizeSize; 413 return true; 414 } 415 LOG(ERROR) << "Unknown major payload version: " << major_payload_version_; 416 return false; 417} 418 419uint64_t DeltaPerformer::GetMetadataSize() const { 420 return metadata_size_; 421} 422 423uint64_t DeltaPerformer::GetMajorVersion() const { 424 return major_payload_version_; 425} 426 427uint32_t DeltaPerformer::GetMinorVersion() const { 428 if (manifest_.has_minor_version()) { 429 return manifest_.minor_version(); 430 } else { 431 return install_plan_->payload_type == InstallPayloadType::kDelta 432 ? kSupportedMinorPayloadVersion 433 : kFullPayloadMinorVersion; 434 } 435} 436 437bool DeltaPerformer::GetManifest(DeltaArchiveManifest* out_manifest_p) const { 438 if (!manifest_parsed_) 439 return false; 440 *out_manifest_p = manifest_; 441 return true; 442} 443 444bool DeltaPerformer::IsHeaderParsed() const { 445 return metadata_size_ != 0; 446} 447 448DeltaPerformer::MetadataParseResult DeltaPerformer::ParsePayloadMetadata( 449 const brillo::Blob& payload, ErrorCode* error) { 450 *error = ErrorCode::kSuccess; 451 uint64_t manifest_offset; 452 453 if (!IsHeaderParsed()) { 454 // Ensure we have data to cover the major payload version. 455 if (payload.size() < kDeltaManifestSizeOffset) 456 return kMetadataParseInsufficientData; 457 458 // Validate the magic string. 459 if (memcmp(payload.data(), kDeltaMagic, sizeof(kDeltaMagic)) != 0) { 460 LOG(ERROR) << "Bad payload format -- invalid delta magic."; 461 *error = ErrorCode::kDownloadInvalidMetadataMagicString; 462 return kMetadataParseError; 463 } 464 465 // Extract the payload version from the metadata. 466 static_assert(sizeof(major_payload_version_) == kDeltaVersionSize, 467 "Major payload version size mismatch"); 468 memcpy(&major_payload_version_, 469 &payload[kDeltaVersionOffset], 470 kDeltaVersionSize); 471 // switch big endian to host 472 major_payload_version_ = be64toh(major_payload_version_); 473 474 if (major_payload_version_ != supported_major_version_ && 475 major_payload_version_ != kChromeOSMajorPayloadVersion) { 476 LOG(ERROR) << "Bad payload format -- unsupported payload version: " 477 << major_payload_version_; 478 *error = ErrorCode::kUnsupportedMajorPayloadVersion; 479 return kMetadataParseError; 480 } 481 482 // Get the manifest offset now that we have payload version. 483 if (!GetManifestOffset(&manifest_offset)) { 484 *error = ErrorCode::kUnsupportedMajorPayloadVersion; 485 return kMetadataParseError; 486 } 487 // Check again with the manifest offset. 488 if (payload.size() < manifest_offset) 489 return kMetadataParseInsufficientData; 490 491 // Next, parse the manifest size. 492 static_assert(sizeof(manifest_size_) == kDeltaManifestSizeSize, 493 "manifest_size size mismatch"); 494 memcpy(&manifest_size_, 495 &payload[kDeltaManifestSizeOffset], 496 kDeltaManifestSizeSize); 497 manifest_size_ = be64toh(manifest_size_); // switch big endian to host 498 499 if (GetMajorVersion() == kBrilloMajorPayloadVersion) { 500 // Parse the metadata signature size. 501 static_assert(sizeof(metadata_signature_size_) == 502 kDeltaMetadataSignatureSizeSize, 503 "metadata_signature_size size mismatch"); 504 uint64_t metadata_signature_size_offset; 505 if (!GetMetadataSignatureSizeOffset(&metadata_signature_size_offset)) { 506 *error = ErrorCode::kError; 507 return kMetadataParseError; 508 } 509 memcpy(&metadata_signature_size_, 510 &payload[metadata_signature_size_offset], 511 kDeltaMetadataSignatureSizeSize); 512 metadata_signature_size_ = be32toh(metadata_signature_size_); 513 } 514 515 // If the metadata size is present in install plan, check for it immediately 516 // even before waiting for that many number of bytes to be downloaded in the 517 // payload. This will prevent any attack which relies on us downloading data 518 // beyond the expected metadata size. 519 metadata_size_ = manifest_offset + manifest_size_; 520 if (install_plan_->hash_checks_mandatory) { 521 if (install_plan_->metadata_size != metadata_size_) { 522 LOG(ERROR) << "Mandatory metadata size in Omaha response (" 523 << install_plan_->metadata_size 524 << ") is missing/incorrect, actual = " << metadata_size_; 525 *error = ErrorCode::kDownloadInvalidMetadataSize; 526 return kMetadataParseError; 527 } 528 } 529 } 530 531 // Now that we have validated the metadata size, we should wait for the full 532 // metadata and its signature (if exist) to be read in before we can parse it. 533 if (payload.size() < metadata_size_ + metadata_signature_size_) 534 return kMetadataParseInsufficientData; 535 536 // Log whether we validated the size or simply trusting what's in the payload 537 // here. This is logged here (after we received the full metadata data) so 538 // that we just log once (instead of logging n times) if it takes n 539 // DeltaPerformer::Write calls to download the full manifest. 540 if (install_plan_->metadata_size == metadata_size_) { 541 LOG(INFO) << "Manifest size in payload matches expected value from Omaha"; 542 } else { 543 // For mandatory-cases, we'd have already returned a kMetadataParseError 544 // above. We'll be here only for non-mandatory cases. Just send a UMA stat. 545 LOG(WARNING) << "Ignoring missing/incorrect metadata size (" 546 << install_plan_->metadata_size 547 << ") in Omaha response as validation is not mandatory. " 548 << "Trusting metadata size in payload = " << metadata_size_; 549 } 550 551 // We have the full metadata in |payload|. Verify its integrity 552 // and authenticity based on the information we have in Omaha response. 553 *error = ValidateMetadataSignature(payload); 554 if (*error != ErrorCode::kSuccess) { 555 if (install_plan_->hash_checks_mandatory) { 556 // The autoupdate_CatchBadSignatures test checks for this string 557 // in log-files. Keep in sync. 558 LOG(ERROR) << "Mandatory metadata signature validation failed"; 559 return kMetadataParseError; 560 } 561 562 // For non-mandatory cases, just send a UMA stat. 563 LOG(WARNING) << "Ignoring metadata signature validation failures"; 564 *error = ErrorCode::kSuccess; 565 } 566 567 if (!GetManifestOffset(&manifest_offset)) { 568 *error = ErrorCode::kUnsupportedMajorPayloadVersion; 569 return kMetadataParseError; 570 } 571 // The payload metadata is deemed valid, it's safe to parse the protobuf. 572 if (!manifest_.ParseFromArray(&payload[manifest_offset], manifest_size_)) { 573 LOG(ERROR) << "Unable to parse manifest in update file."; 574 *error = ErrorCode::kDownloadManifestParseError; 575 return kMetadataParseError; 576 } 577 578 manifest_parsed_ = true; 579 return kMetadataParseSuccess; 580} 581 582// Wrapper around write. Returns true if all requested bytes 583// were written, or false on any error, regardless of progress 584// and stores an action exit code in |error|. 585bool DeltaPerformer::Write(const void* bytes, size_t count, ErrorCode *error) { 586 *error = ErrorCode::kSuccess; 587 588 const char* c_bytes = reinterpret_cast<const char*>(bytes); 589 590 // Update the total byte downloaded count and the progress logs. 591 total_bytes_received_ += count; 592 UpdateOverallProgress(false, "Completed "); 593 594 while (!manifest_valid_) { 595 // Read data up to the needed limit; this is either maximium payload header 596 // size, or the full metadata size (once it becomes known). 597 const bool do_read_header = !IsHeaderParsed(); 598 CopyDataToBuffer(&c_bytes, &count, 599 (do_read_header ? kMaxPayloadHeaderSize : 600 metadata_size_ + metadata_signature_size_)); 601 602 MetadataParseResult result = ParsePayloadMetadata(buffer_, error); 603 if (result == kMetadataParseError) 604 return false; 605 if (result == kMetadataParseInsufficientData) { 606 // If we just processed the header, make an attempt on the manifest. 607 if (do_read_header && IsHeaderParsed()) 608 continue; 609 610 return true; 611 } 612 613 // Checks the integrity of the payload manifest. 614 if ((*error = ValidateManifest()) != ErrorCode::kSuccess) 615 return false; 616 manifest_valid_ = true; 617 618 // Clear the download buffer. 619 DiscardBuffer(false, metadata_size_); 620 621 // This populates |partitions_| and the |install_plan.partitions| with the 622 // list of partitions from the manifest. 623 if (!ParseManifestPartitions(error)) 624 return false; 625 626 num_total_operations_ = 0; 627 for (const auto& partition : partitions_) { 628 num_total_operations_ += partition.operations_size(); 629 acc_num_operations_.push_back(num_total_operations_); 630 } 631 632 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestMetadataSize, 633 metadata_size_)) 634 << "Unable to save the manifest metadata size."; 635 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestSignatureSize, 636 metadata_signature_size_)) 637 << "Unable to save the manifest signature size."; 638 639 if (!PrimeUpdateState()) { 640 *error = ErrorCode::kDownloadStateInitializationError; 641 LOG(ERROR) << "Unable to prime the update state."; 642 return false; 643 } 644 645 if (!OpenCurrentPartition()) { 646 *error = ErrorCode::kInstallDeviceOpenError; 647 return false; 648 } 649 650 if (next_operation_num_ > 0) 651 UpdateOverallProgress(true, "Resuming after "); 652 LOG(INFO) << "Starting to apply update payload operations"; 653 } 654 655 while (next_operation_num_ < num_total_operations_) { 656 // Check if we should cancel the current attempt for any reason. 657 // In this case, *error will have already been populated with the reason 658 // why we're canceling. 659 if (download_delegate_ && download_delegate_->ShouldCancel(error)) 660 return false; 661 662 // We know there are more operations to perform because we didn't reach the 663 // |num_total_operations_| limit yet. 664 while (next_operation_num_ >= acc_num_operations_[current_partition_]) { 665 CloseCurrentPartition(); 666 current_partition_++; 667 if (!OpenCurrentPartition()) { 668 *error = ErrorCode::kInstallDeviceOpenError; 669 return false; 670 } 671 } 672 const size_t partition_operation_num = next_operation_num_ - ( 673 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0); 674 675 const InstallOperation& op = 676 partitions_[current_partition_].operations(partition_operation_num); 677 678 CopyDataToBuffer(&c_bytes, &count, op.data_length()); 679 680 // Check whether we received all of the next operation's data payload. 681 if (!CanPerformInstallOperation(op)) 682 return true; 683 684 // Validate the operation only if the metadata signature is present. 685 // Otherwise, keep the old behavior. This serves as a knob to disable 686 // the validation logic in case we find some regression after rollout. 687 // NOTE: If hash checks are mandatory and if metadata_signature is empty, 688 // we would have already failed in ParsePayloadMetadata method and thus not 689 // even be here. So no need to handle that case again here. 690 if (!install_plan_->metadata_signature.empty()) { 691 // Note: Validate must be called only if CanPerformInstallOperation is 692 // called. Otherwise, we might be failing operations before even if there 693 // isn't sufficient data to compute the proper hash. 694 *error = ValidateOperationHash(op); 695 if (*error != ErrorCode::kSuccess) { 696 if (install_plan_->hash_checks_mandatory) { 697 LOG(ERROR) << "Mandatory operation hash check failed"; 698 return false; 699 } 700 701 // For non-mandatory cases, just send a UMA stat. 702 LOG(WARNING) << "Ignoring operation validation errors"; 703 *error = ErrorCode::kSuccess; 704 } 705 } 706 707 // Makes sure we unblock exit when this operation completes. 708 ScopedTerminatorExitUnblocker exit_unblocker = 709 ScopedTerminatorExitUnblocker(); // Avoids a compiler unused var bug. 710 711 bool op_result; 712 switch (op.type()) { 713 case InstallOperation::REPLACE: 714 case InstallOperation::REPLACE_BZ: 715 case InstallOperation::REPLACE_XZ: 716 op_result = PerformReplaceOperation(op); 717 break; 718 case InstallOperation::ZERO: 719 case InstallOperation::DISCARD: 720 op_result = PerformZeroOrDiscardOperation(op); 721 break; 722 case InstallOperation::MOVE: 723 op_result = PerformMoveOperation(op); 724 break; 725 case InstallOperation::BSDIFF: 726 op_result = PerformBsdiffOperation(op); 727 break; 728 case InstallOperation::SOURCE_COPY: 729 op_result = PerformSourceCopyOperation(op, error); 730 break; 731 case InstallOperation::SOURCE_BSDIFF: 732 op_result = PerformSourceBsdiffOperation(op, error); 733 break; 734 case InstallOperation::IMGDIFF: 735 op_result = PerformImgdiffOperation(op, error); 736 break; 737 default: 738 op_result = false; 739 } 740 if (!HandleOpResult(op_result, InstallOperationTypeName(op.type()), error)) 741 return false; 742 743 next_operation_num_++; 744 UpdateOverallProgress(false, "Completed "); 745 CheckpointUpdateProgress(); 746 } 747 748 // In major version 2, we don't add dummy operation to the payload. 749 // If we already extracted the signature we should skip this step. 750 if (major_payload_version_ == kBrilloMajorPayloadVersion && 751 manifest_.has_signatures_offset() && manifest_.has_signatures_size() && 752 signatures_message_data_.empty()) { 753 if (manifest_.signatures_offset() != buffer_offset_) { 754 LOG(ERROR) << "Payload signatures offset points to blob offset " 755 << manifest_.signatures_offset() 756 << " but signatures are expected at offset " 757 << buffer_offset_; 758 *error = ErrorCode::kDownloadPayloadVerificationError; 759 return false; 760 } 761 CopyDataToBuffer(&c_bytes, &count, manifest_.signatures_size()); 762 // Needs more data to cover entire signature. 763 if (buffer_.size() < manifest_.signatures_size()) 764 return true; 765 if (!ExtractSignatureMessage()) { 766 LOG(ERROR) << "Extract payload signature failed."; 767 *error = ErrorCode::kDownloadPayloadVerificationError; 768 return false; 769 } 770 DiscardBuffer(true, 0); 771 // Since we extracted the SignatureMessage we need to advance the 772 // checkpoint, otherwise we would reload the signature and try to extract 773 // it again. 774 CheckpointUpdateProgress(); 775 } 776 777 return true; 778} 779 780bool DeltaPerformer::IsManifestValid() { 781 return manifest_valid_; 782} 783 784bool DeltaPerformer::ParseManifestPartitions(ErrorCode* error) { 785 if (major_payload_version_ == kBrilloMajorPayloadVersion) { 786 partitions_.clear(); 787 for (const PartitionUpdate& partition : manifest_.partitions()) { 788 partitions_.push_back(partition); 789 } 790 manifest_.clear_partitions(); 791 } else if (major_payload_version_ == kChromeOSMajorPayloadVersion) { 792 LOG(INFO) << "Converting update information from old format."; 793 PartitionUpdate root_part; 794 root_part.set_partition_name(kLegacyPartitionNameRoot); 795#ifdef __ANDROID__ 796 LOG(WARNING) << "Legacy payload major version provided to an Android " 797 "build. Assuming no post-install. Please use major version " 798 "2 or newer."; 799 root_part.set_run_postinstall(false); 800#else 801 root_part.set_run_postinstall(true); 802#endif // __ANDROID__ 803 if (manifest_.has_old_rootfs_info()) { 804 *root_part.mutable_old_partition_info() = manifest_.old_rootfs_info(); 805 manifest_.clear_old_rootfs_info(); 806 } 807 if (manifest_.has_new_rootfs_info()) { 808 *root_part.mutable_new_partition_info() = manifest_.new_rootfs_info(); 809 manifest_.clear_new_rootfs_info(); 810 } 811 *root_part.mutable_operations() = manifest_.install_operations(); 812 manifest_.clear_install_operations(); 813 partitions_.push_back(std::move(root_part)); 814 815 PartitionUpdate kern_part; 816 kern_part.set_partition_name(kLegacyPartitionNameKernel); 817 kern_part.set_run_postinstall(false); 818 if (manifest_.has_old_kernel_info()) { 819 *kern_part.mutable_old_partition_info() = manifest_.old_kernel_info(); 820 manifest_.clear_old_kernel_info(); 821 } 822 if (manifest_.has_new_kernel_info()) { 823 *kern_part.mutable_new_partition_info() = manifest_.new_kernel_info(); 824 manifest_.clear_new_kernel_info(); 825 } 826 *kern_part.mutable_operations() = manifest_.kernel_install_operations(); 827 manifest_.clear_kernel_install_operations(); 828 partitions_.push_back(std::move(kern_part)); 829 } 830 831 // Fill in the InstallPlan::partitions based on the partitions from the 832 // payload. 833 install_plan_->partitions.clear(); 834 for (const auto& partition : partitions_) { 835 InstallPlan::Partition install_part; 836 install_part.name = partition.partition_name(); 837 install_part.run_postinstall = 838 partition.has_run_postinstall() && partition.run_postinstall(); 839 if (install_part.run_postinstall) { 840 install_part.postinstall_path = 841 (partition.has_postinstall_path() ? partition.postinstall_path() 842 : kPostinstallDefaultScript); 843 install_part.filesystem_type = partition.filesystem_type(); 844 install_part.postinstall_optional = partition.postinstall_optional(); 845 } 846 847 if (partition.has_old_partition_info()) { 848 const PartitionInfo& info = partition.old_partition_info(); 849 install_part.source_size = info.size(); 850 install_part.source_hash.assign(info.hash().begin(), info.hash().end()); 851 } 852 853 if (!partition.has_new_partition_info()) { 854 LOG(ERROR) << "Unable to get new partition hash info on partition " 855 << install_part.name << "."; 856 *error = ErrorCode::kDownloadNewPartitionInfoError; 857 return false; 858 } 859 const PartitionInfo& info = partition.new_partition_info(); 860 install_part.target_size = info.size(); 861 install_part.target_hash.assign(info.hash().begin(), info.hash().end()); 862 863 install_plan_->partitions.push_back(install_part); 864 } 865 866 if (!install_plan_->LoadPartitionsFromSlots(boot_control_)) { 867 LOG(ERROR) << "Unable to determine all the partition devices."; 868 *error = ErrorCode::kInstallDeviceOpenError; 869 return false; 870 } 871 LogPartitionInfo(partitions_); 872 return true; 873} 874 875bool DeltaPerformer::CanPerformInstallOperation( 876 const chromeos_update_engine::InstallOperation& operation) { 877 // If we don't have a data blob we can apply it right away. 878 if (!operation.has_data_offset() && !operation.has_data_length()) 879 return true; 880 881 // See if we have the entire data blob in the buffer 882 if (operation.data_offset() < buffer_offset_) { 883 LOG(ERROR) << "we threw away data it seems?"; 884 return false; 885 } 886 887 return (operation.data_offset() + operation.data_length() <= 888 buffer_offset_ + buffer_.size()); 889} 890 891bool DeltaPerformer::PerformReplaceOperation( 892 const InstallOperation& operation) { 893 CHECK(operation.type() == InstallOperation::REPLACE || 894 operation.type() == InstallOperation::REPLACE_BZ || 895 operation.type() == InstallOperation::REPLACE_XZ); 896 897 // Since we delete data off the beginning of the buffer as we use it, 898 // the data we need should be exactly at the beginning of the buffer. 899 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 900 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 901 902 // Extract the signature message if it's in this operation. 903 if (ExtractSignatureMessageFromOperation(operation)) { 904 // If this is dummy replace operation, we ignore it after extracting the 905 // signature. 906 DiscardBuffer(true, 0); 907 return true; 908 } 909 910 // Setup the ExtentWriter stack based on the operation type. 911 std::unique_ptr<ExtentWriter> writer = 912 brillo::make_unique_ptr(new ZeroPadExtentWriter( 913 brillo::make_unique_ptr(new DirectExtentWriter()))); 914 915 if (operation.type() == InstallOperation::REPLACE_BZ) { 916 writer.reset(new BzipExtentWriter(std::move(writer))); 917 } else if (operation.type() == InstallOperation::REPLACE_XZ) { 918 writer.reset(new XzExtentWriter(std::move(writer))); 919 } 920 921 // Create a vector of extents to pass to the ExtentWriter. 922 vector<Extent> extents; 923 for (int i = 0; i < operation.dst_extents_size(); i++) { 924 extents.push_back(operation.dst_extents(i)); 925 } 926 927 TEST_AND_RETURN_FALSE(writer->Init(target_fd_, extents, block_size_)); 928 TEST_AND_RETURN_FALSE(writer->Write(buffer_.data(), operation.data_length())); 929 TEST_AND_RETURN_FALSE(writer->End()); 930 931 // Update buffer 932 DiscardBuffer(true, buffer_.size()); 933 return true; 934} 935 936bool DeltaPerformer::PerformZeroOrDiscardOperation( 937 const InstallOperation& operation) { 938 CHECK(operation.type() == InstallOperation::DISCARD || 939 operation.type() == InstallOperation::ZERO); 940 941 // These operations have no blob. 942 TEST_AND_RETURN_FALSE(!operation.has_data_offset()); 943 TEST_AND_RETURN_FALSE(!operation.has_data_length()); 944 945#ifdef BLKZEROOUT 946 bool attempt_ioctl = true; 947 int request = 948 (operation.type() == InstallOperation::ZERO ? BLKZEROOUT : BLKDISCARD); 949#else // !defined(BLKZEROOUT) 950 bool attempt_ioctl = false; 951 int request = 0; 952#endif // !defined(BLKZEROOUT) 953 954 brillo::Blob zeros; 955 for (const Extent& extent : operation.dst_extents()) { 956 const uint64_t start = extent.start_block() * block_size_; 957 const uint64_t length = extent.num_blocks() * block_size_; 958 if (attempt_ioctl) { 959 int result = 0; 960 if (target_fd_->BlkIoctl(request, start, length, &result) && result == 0) 961 continue; 962 attempt_ioctl = false; 963 zeros.resize(16 * block_size_); 964 } 965 // In case of failure, we fall back to writing 0 to the selected region. 966 for (uint64_t offset = 0; offset < length; offset += zeros.size()) { 967 uint64_t chunk_length = min(length - offset, 968 static_cast<uint64_t>(zeros.size())); 969 TEST_AND_RETURN_FALSE( 970 utils::PWriteAll(target_fd_, zeros.data(), chunk_length, start + offset)); 971 } 972 } 973 return true; 974} 975 976bool DeltaPerformer::PerformMoveOperation(const InstallOperation& operation) { 977 // Calculate buffer size. Note, this function doesn't do a sliding 978 // window to copy in case the source and destination blocks overlap. 979 // If we wanted to do a sliding window, we could program the server 980 // to generate deltas that effectively did a sliding window. 981 982 uint64_t blocks_to_read = 0; 983 for (int i = 0; i < operation.src_extents_size(); i++) 984 blocks_to_read += operation.src_extents(i).num_blocks(); 985 986 uint64_t blocks_to_write = 0; 987 for (int i = 0; i < operation.dst_extents_size(); i++) 988 blocks_to_write += operation.dst_extents(i).num_blocks(); 989 990 DCHECK_EQ(blocks_to_write, blocks_to_read); 991 brillo::Blob buf(blocks_to_write * block_size_); 992 993 // Read in bytes. 994 ssize_t bytes_read = 0; 995 for (int i = 0; i < operation.src_extents_size(); i++) { 996 ssize_t bytes_read_this_iteration = 0; 997 const Extent& extent = operation.src_extents(i); 998 const size_t bytes = extent.num_blocks() * block_size_; 999 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole); 1000 TEST_AND_RETURN_FALSE(utils::PReadAll(target_fd_, 1001 &buf[bytes_read], 1002 bytes, 1003 extent.start_block() * block_size_, 1004 &bytes_read_this_iteration)); 1005 TEST_AND_RETURN_FALSE( 1006 bytes_read_this_iteration == static_cast<ssize_t>(bytes)); 1007 bytes_read += bytes_read_this_iteration; 1008 } 1009 1010 // Write bytes out. 1011 ssize_t bytes_written = 0; 1012 for (int i = 0; i < operation.dst_extents_size(); i++) { 1013 const Extent& extent = operation.dst_extents(i); 1014 const size_t bytes = extent.num_blocks() * block_size_; 1015 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole); 1016 TEST_AND_RETURN_FALSE(utils::PWriteAll(target_fd_, 1017 &buf[bytes_written], 1018 bytes, 1019 extent.start_block() * block_size_)); 1020 bytes_written += bytes; 1021 } 1022 DCHECK_EQ(bytes_written, bytes_read); 1023 DCHECK_EQ(bytes_written, static_cast<ssize_t>(buf.size())); 1024 return true; 1025} 1026 1027namespace { 1028 1029// Takes |extents| and fills an empty vector |blocks| with a block index for 1030// each block in |extents|. For example, [(3, 2), (8, 1)] would give [3, 4, 8]. 1031void ExtentsToBlocks(const RepeatedPtrField<Extent>& extents, 1032 vector<uint64_t>* blocks) { 1033 for (const Extent& ext : extents) { 1034 for (uint64_t j = 0; j < ext.num_blocks(); j++) 1035 blocks->push_back(ext.start_block() + j); 1036 } 1037} 1038 1039// Takes |extents| and returns the number of blocks in those extents. 1040uint64_t GetBlockCount(const RepeatedPtrField<Extent>& extents) { 1041 uint64_t sum = 0; 1042 for (const Extent& ext : extents) { 1043 sum += ext.num_blocks(); 1044 } 1045 return sum; 1046} 1047 1048// Compare |calculated_hash| with source hash in |operation|, return false and 1049// dump hash and set |error| if don't match. 1050bool ValidateSourceHash(const brillo::Blob& calculated_hash, 1051 const InstallOperation& operation, 1052 ErrorCode* error) { 1053 brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(), 1054 operation.src_sha256_hash().end()); 1055 if (calculated_hash != expected_source_hash) { 1056 LOG(ERROR) << "The hash of the source data on disk for this operation " 1057 << "doesn't match the expected value. This could mean that the " 1058 << "delta update payload was targeted for another version, or " 1059 << "that the source partition was modified after it was " 1060 << "installed, for example, by mounting a filesystem."; 1061 LOG(ERROR) << "Expected: sha256|hex = " 1062 << base::HexEncode(expected_source_hash.data(), 1063 expected_source_hash.size()); 1064 LOG(ERROR) << "Calculated: sha256|hex = " 1065 << base::HexEncode(calculated_hash.data(), 1066 calculated_hash.size()); 1067 1068 vector<string> source_extents; 1069 for (const Extent& ext : operation.src_extents()) { 1070 source_extents.push_back( 1071 base::StringPrintf("%" PRIu64 ":%" PRIu64, 1072 static_cast<uint64_t>(ext.start_block()), 1073 static_cast<uint64_t>(ext.num_blocks()))); 1074 } 1075 LOG(ERROR) << "Operation source (offset:size) in blocks: " 1076 << base::JoinString(source_extents, ","); 1077 1078 *error = ErrorCode::kDownloadStateInitializationError; 1079 return false; 1080 } 1081 return true; 1082} 1083 1084} // namespace 1085 1086bool DeltaPerformer::PerformSourceCopyOperation( 1087 const InstallOperation& operation, ErrorCode* error) { 1088 if (operation.has_src_length()) 1089 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0); 1090 if (operation.has_dst_length()) 1091 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0); 1092 1093 uint64_t blocks_to_read = GetBlockCount(operation.src_extents()); 1094 uint64_t blocks_to_write = GetBlockCount(operation.dst_extents()); 1095 TEST_AND_RETURN_FALSE(blocks_to_write == blocks_to_read); 1096 1097 // Create vectors of all the individual src/dst blocks. 1098 vector<uint64_t> src_blocks; 1099 vector<uint64_t> dst_blocks; 1100 ExtentsToBlocks(operation.src_extents(), &src_blocks); 1101 ExtentsToBlocks(operation.dst_extents(), &dst_blocks); 1102 DCHECK_EQ(src_blocks.size(), blocks_to_read); 1103 DCHECK_EQ(src_blocks.size(), dst_blocks.size()); 1104 1105 brillo::Blob buf(block_size_); 1106 ssize_t bytes_read = 0; 1107 HashCalculator source_hasher; 1108 // Read/write one block at a time. 1109 for (uint64_t i = 0; i < blocks_to_read; i++) { 1110 ssize_t bytes_read_this_iteration = 0; 1111 uint64_t src_block = src_blocks[i]; 1112 uint64_t dst_block = dst_blocks[i]; 1113 1114 // Read in bytes. 1115 TEST_AND_RETURN_FALSE( 1116 utils::PReadAll(source_fd_, 1117 buf.data(), 1118 block_size_, 1119 src_block * block_size_, 1120 &bytes_read_this_iteration)); 1121 1122 // Write bytes out. 1123 TEST_AND_RETURN_FALSE( 1124 utils::PWriteAll(target_fd_, 1125 buf.data(), 1126 block_size_, 1127 dst_block * block_size_)); 1128 1129 bytes_read += bytes_read_this_iteration; 1130 TEST_AND_RETURN_FALSE(bytes_read_this_iteration == 1131 static_cast<ssize_t>(block_size_)); 1132 1133 if (operation.has_src_sha256_hash()) 1134 TEST_AND_RETURN_FALSE(source_hasher.Update(buf.data(), buf.size())); 1135 } 1136 1137 if (operation.has_src_sha256_hash()) { 1138 TEST_AND_RETURN_FALSE(source_hasher.Finalize()); 1139 TEST_AND_RETURN_FALSE( 1140 ValidateSourceHash(source_hasher.raw_hash(), operation, error)); 1141 } 1142 1143 DCHECK_EQ(bytes_read, static_cast<ssize_t>(blocks_to_read * block_size_)); 1144 return true; 1145} 1146 1147bool DeltaPerformer::ExtentsToBsdiffPositionsString( 1148 const RepeatedPtrField<Extent>& extents, 1149 uint64_t block_size, 1150 uint64_t full_length, 1151 string* positions_string) { 1152 string ret; 1153 uint64_t length = 0; 1154 for (const Extent& extent : extents) { 1155 int64_t start = extent.start_block() * block_size; 1156 uint64_t this_length = 1157 min(full_length - length, 1158 static_cast<uint64_t>(extent.num_blocks()) * block_size); 1159 ret += base::StringPrintf("%" PRIi64 ":%" PRIu64 ",", start, this_length); 1160 length += this_length; 1161 } 1162 TEST_AND_RETURN_FALSE(length == full_length); 1163 if (!ret.empty()) 1164 ret.resize(ret.size() - 1); // Strip trailing comma off 1165 *positions_string = ret; 1166 return true; 1167} 1168 1169bool DeltaPerformer::PerformBsdiffOperation(const InstallOperation& operation) { 1170 // Since we delete data off the beginning of the buffer as we use it, 1171 // the data we need should be exactly at the beginning of the buffer. 1172 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 1173 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 1174 1175 string input_positions; 1176 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(), 1177 block_size_, 1178 operation.src_length(), 1179 &input_positions)); 1180 string output_positions; 1181 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(), 1182 block_size_, 1183 operation.dst_length(), 1184 &output_positions)); 1185 1186 string temp_filename; 1187 TEST_AND_RETURN_FALSE(utils::MakeTempFile("au_patch.XXXXXX", 1188 &temp_filename, 1189 nullptr)); 1190 ScopedPathUnlinker path_unlinker(temp_filename); 1191 { 1192 int fd = open(temp_filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0644); 1193 ScopedFdCloser fd_closer(&fd); 1194 TEST_AND_RETURN_FALSE( 1195 utils::WriteAll(fd, buffer_.data(), operation.data_length())); 1196 } 1197 1198 // Update the buffer to release the patch data memory as soon as the patch 1199 // file is written out. 1200 DiscardBuffer(true, buffer_.size()); 1201 1202 vector<string> cmd{kBspatchPath, target_path_, target_path_, temp_filename, 1203 input_positions, output_positions}; 1204 1205 int return_code = 0; 1206 TEST_AND_RETURN_FALSE( 1207 Subprocess::SynchronousExecFlags(cmd, Subprocess::kSearchPath, 1208 &return_code, nullptr)); 1209 TEST_AND_RETURN_FALSE(return_code == 0); 1210 1211 if (operation.dst_length() % block_size_) { 1212 // Zero out rest of final block. 1213 // TODO(adlr): build this into bspatch; it's more efficient that way. 1214 const Extent& last_extent = 1215 operation.dst_extents(operation.dst_extents_size() - 1); 1216 const uint64_t end_byte = 1217 (last_extent.start_block() + last_extent.num_blocks()) * block_size_; 1218 const uint64_t begin_byte = 1219 end_byte - (block_size_ - operation.dst_length() % block_size_); 1220 brillo::Blob zeros(end_byte - begin_byte); 1221 TEST_AND_RETURN_FALSE( 1222 utils::PWriteAll(target_fd_, zeros.data(), end_byte - begin_byte, begin_byte)); 1223 } 1224 return true; 1225} 1226 1227bool DeltaPerformer::PerformSourceBsdiffOperation( 1228 const InstallOperation& operation, ErrorCode* error) { 1229 // Since we delete data off the beginning of the buffer as we use it, 1230 // the data we need should be exactly at the beginning of the buffer. 1231 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 1232 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 1233 if (operation.has_src_length()) 1234 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0); 1235 if (operation.has_dst_length()) 1236 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0); 1237 1238 if (operation.has_src_sha256_hash()) { 1239 HashCalculator source_hasher; 1240 const uint64_t kMaxBlocksToRead = 512; // 2MB if block size is 4KB 1241 brillo::Blob buf(kMaxBlocksToRead * block_size_); 1242 for (const Extent& extent : operation.src_extents()) { 1243 for (uint64_t i = 0; i < extent.num_blocks(); i += kMaxBlocksToRead) { 1244 uint64_t blocks_to_read = min( 1245 kMaxBlocksToRead, static_cast<uint64_t>(extent.num_blocks()) - i); 1246 ssize_t bytes_to_read = blocks_to_read * block_size_; 1247 ssize_t bytes_read_this_iteration = 0; 1248 TEST_AND_RETURN_FALSE( 1249 utils::PReadAll(source_fd_, buf.data(), bytes_to_read, 1250 (extent.start_block() + i) * block_size_, 1251 &bytes_read_this_iteration)); 1252 TEST_AND_RETURN_FALSE(bytes_read_this_iteration == bytes_to_read); 1253 TEST_AND_RETURN_FALSE(source_hasher.Update(buf.data(), bytes_to_read)); 1254 } 1255 } 1256 TEST_AND_RETURN_FALSE(source_hasher.Finalize()); 1257 TEST_AND_RETURN_FALSE( 1258 ValidateSourceHash(source_hasher.raw_hash(), operation, error)); 1259 } 1260 1261 string input_positions; 1262 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(), 1263 block_size_, 1264 operation.src_length(), 1265 &input_positions)); 1266 string output_positions; 1267 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(), 1268 block_size_, 1269 operation.dst_length(), 1270 &output_positions)); 1271 1272 string temp_filename; 1273 TEST_AND_RETURN_FALSE(utils::MakeTempFile("au_patch.XXXXXX", 1274 &temp_filename, 1275 nullptr)); 1276 ScopedPathUnlinker path_unlinker(temp_filename); 1277 { 1278 int fd = open(temp_filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0644); 1279 ScopedFdCloser fd_closer(&fd); 1280 TEST_AND_RETURN_FALSE( 1281 utils::WriteAll(fd, buffer_.data(), operation.data_length())); 1282 } 1283 1284 // Update the buffer to release the patch data memory as soon as the patch 1285 // file is written out. 1286 DiscardBuffer(true, buffer_.size()); 1287 1288 vector<string> cmd{kBspatchPath, source_path_, target_path_, temp_filename, 1289 input_positions, output_positions}; 1290 1291 int return_code = 0; 1292 TEST_AND_RETURN_FALSE( 1293 Subprocess::SynchronousExecFlags(cmd, Subprocess::kSearchPath, 1294 &return_code, nullptr)); 1295 TEST_AND_RETURN_FALSE(return_code == 0); 1296 return true; 1297} 1298 1299bool DeltaPerformer::PerformImgdiffOperation(const InstallOperation& operation, 1300 ErrorCode* error) { 1301 // Since we delete data off the beginning of the buffer as we use it, 1302 // the data we need should be exactly at the beginning of the buffer. 1303 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 1304 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 1305 1306 uint64_t src_blocks = GetBlockCount(operation.src_extents()); 1307 brillo::Blob src_data(src_blocks * block_size_); 1308 1309 ssize_t bytes_read = 0; 1310 for (const Extent& extent : operation.src_extents()) { 1311 ssize_t bytes_read_this_iteration = 0; 1312 ssize_t bytes_to_read = extent.num_blocks() * block_size_; 1313 TEST_AND_RETURN_FALSE(utils::PReadAll(source_fd_, 1314 &src_data[bytes_read], 1315 bytes_to_read, 1316 extent.start_block() * block_size_, 1317 &bytes_read_this_iteration)); 1318 TEST_AND_RETURN_FALSE(bytes_read_this_iteration == bytes_to_read); 1319 bytes_read += bytes_read_this_iteration; 1320 } 1321 1322 if (operation.has_src_sha256_hash()) { 1323 brillo::Blob src_hash; 1324 TEST_AND_RETURN_FALSE(HashCalculator::RawHashOfData(src_data, &src_hash)); 1325 TEST_AND_RETURN_FALSE(ValidateSourceHash(src_hash, operation, error)); 1326 } 1327 1328 vector<Extent> target_extents(operation.dst_extents().begin(), 1329 operation.dst_extents().end()); 1330 DirectExtentWriter writer; 1331 TEST_AND_RETURN_FALSE(writer.Init(target_fd_, target_extents, block_size_)); 1332 TEST_AND_RETURN_FALSE( 1333 ApplyImagePatch(src_data.data(), 1334 src_data.size(), 1335 buffer_.data(), 1336 operation.data_length(), 1337 [](const unsigned char* data, ssize_t len, void* token) { 1338 return reinterpret_cast<ExtentWriter*>(token) 1339 ->Write(data, len) 1340 ? len 1341 : 0; 1342 }, 1343 &writer) == 0); 1344 TEST_AND_RETURN_FALSE(writer.End()); 1345 1346 DiscardBuffer(true, buffer_.size()); 1347 return true; 1348} 1349 1350bool DeltaPerformer::ExtractSignatureMessageFromOperation( 1351 const InstallOperation& operation) { 1352 if (operation.type() != InstallOperation::REPLACE || 1353 !manifest_.has_signatures_offset() || 1354 manifest_.signatures_offset() != operation.data_offset()) { 1355 return false; 1356 } 1357 TEST_AND_RETURN_FALSE(manifest_.has_signatures_size() && 1358 manifest_.signatures_size() == operation.data_length()); 1359 TEST_AND_RETURN_FALSE(ExtractSignatureMessage()); 1360 return true; 1361} 1362 1363bool DeltaPerformer::ExtractSignatureMessage() { 1364 TEST_AND_RETURN_FALSE(signatures_message_data_.empty()); 1365 TEST_AND_RETURN_FALSE(buffer_offset_ == manifest_.signatures_offset()); 1366 TEST_AND_RETURN_FALSE(buffer_.size() >= manifest_.signatures_size()); 1367 signatures_message_data_.assign( 1368 buffer_.begin(), 1369 buffer_.begin() + manifest_.signatures_size()); 1370 1371 // Save the signature blob because if the update is interrupted after the 1372 // download phase we don't go through this path anymore. Some alternatives to 1373 // consider: 1374 // 1375 // 1. On resume, re-download the signature blob from the server and re-verify 1376 // it. 1377 // 1378 // 2. Verify the signature as soon as it's received and don't checkpoint the 1379 // blob and the signed sha-256 context. 1380 LOG_IF(WARNING, !prefs_->SetString(kPrefsUpdateStateSignatureBlob, 1381 string(signatures_message_data_.begin(), 1382 signatures_message_data_.end()))) 1383 << "Unable to store the signature blob."; 1384 1385 LOG(INFO) << "Extracted signature data of size " 1386 << manifest_.signatures_size() << " at " 1387 << manifest_.signatures_offset(); 1388 return true; 1389} 1390 1391bool DeltaPerformer::GetPublicKeyFromResponse(base::FilePath *out_tmp_key) { 1392 if (hardware_->IsOfficialBuild() || 1393 utils::FileExists(public_key_path_.c_str()) || 1394 install_plan_->public_key_rsa.empty()) 1395 return false; 1396 1397 if (!utils::DecodeAndStoreBase64String(install_plan_->public_key_rsa, 1398 out_tmp_key)) 1399 return false; 1400 1401 return true; 1402} 1403 1404ErrorCode DeltaPerformer::ValidateMetadataSignature( 1405 const brillo::Blob& payload) { 1406 if (payload.size() < metadata_size_ + metadata_signature_size_) 1407 return ErrorCode::kDownloadMetadataSignatureError; 1408 1409 brillo::Blob metadata_signature_blob, metadata_signature_protobuf_blob; 1410 if (!install_plan_->metadata_signature.empty()) { 1411 // Convert base64-encoded signature to raw bytes. 1412 if (!brillo::data_encoding::Base64Decode( 1413 install_plan_->metadata_signature, &metadata_signature_blob)) { 1414 LOG(ERROR) << "Unable to decode base64 metadata signature: " 1415 << install_plan_->metadata_signature; 1416 return ErrorCode::kDownloadMetadataSignatureError; 1417 } 1418 } else if (major_payload_version_ == kBrilloMajorPayloadVersion) { 1419 metadata_signature_protobuf_blob.assign(payload.begin() + metadata_size_, 1420 payload.begin() + metadata_size_ + 1421 metadata_signature_size_); 1422 } 1423 1424 if (metadata_signature_blob.empty() && 1425 metadata_signature_protobuf_blob.empty()) { 1426 if (install_plan_->hash_checks_mandatory) { 1427 LOG(ERROR) << "Missing mandatory metadata signature in both Omaha " 1428 << "response and payload."; 1429 return ErrorCode::kDownloadMetadataSignatureMissingError; 1430 } 1431 1432 LOG(WARNING) << "Cannot validate metadata as the signature is empty"; 1433 return ErrorCode::kSuccess; 1434 } 1435 1436 // See if we should use the public RSA key in the Omaha response. 1437 base::FilePath path_to_public_key(public_key_path_); 1438 base::FilePath tmp_key; 1439 if (GetPublicKeyFromResponse(&tmp_key)) 1440 path_to_public_key = tmp_key; 1441 ScopedPathUnlinker tmp_key_remover(tmp_key.value()); 1442 if (tmp_key.empty()) 1443 tmp_key_remover.set_should_remove(false); 1444 1445 LOG(INFO) << "Verifying metadata hash signature using public key: " 1446 << path_to_public_key.value(); 1447 1448 HashCalculator metadata_hasher; 1449 metadata_hasher.Update(payload.data(), metadata_size_); 1450 if (!metadata_hasher.Finalize()) { 1451 LOG(ERROR) << "Unable to compute actual hash of manifest"; 1452 return ErrorCode::kDownloadMetadataSignatureVerificationError; 1453 } 1454 1455 brillo::Blob calculated_metadata_hash = metadata_hasher.raw_hash(); 1456 PayloadVerifier::PadRSA2048SHA256Hash(&calculated_metadata_hash); 1457 if (calculated_metadata_hash.empty()) { 1458 LOG(ERROR) << "Computed actual hash of metadata is empty."; 1459 return ErrorCode::kDownloadMetadataSignatureVerificationError; 1460 } 1461 1462 if (!metadata_signature_blob.empty()) { 1463 brillo::Blob expected_metadata_hash; 1464 if (!PayloadVerifier::GetRawHashFromSignature(metadata_signature_blob, 1465 path_to_public_key.value(), 1466 &expected_metadata_hash)) { 1467 LOG(ERROR) << "Unable to compute expected hash from metadata signature"; 1468 return ErrorCode::kDownloadMetadataSignatureError; 1469 } 1470 if (calculated_metadata_hash != expected_metadata_hash) { 1471 LOG(ERROR) << "Manifest hash verification failed. Expected hash = "; 1472 utils::HexDumpVector(expected_metadata_hash); 1473 LOG(ERROR) << "Calculated hash = "; 1474 utils::HexDumpVector(calculated_metadata_hash); 1475 return ErrorCode::kDownloadMetadataSignatureMismatch; 1476 } 1477 } else { 1478 if (!PayloadVerifier::VerifySignature(metadata_signature_protobuf_blob, 1479 path_to_public_key.value(), 1480 calculated_metadata_hash)) { 1481 LOG(ERROR) << "Manifest hash verification failed."; 1482 return ErrorCode::kDownloadMetadataSignatureMismatch; 1483 } 1484 } 1485 1486 // The autoupdate_CatchBadSignatures test checks for this string in 1487 // log-files. Keep in sync. 1488 LOG(INFO) << "Metadata hash signature matches value in Omaha response."; 1489 return ErrorCode::kSuccess; 1490} 1491 1492ErrorCode DeltaPerformer::ValidateManifest() { 1493 // Perform assorted checks to sanity check the manifest, make sure it 1494 // matches data from other sources, and that it is a supported version. 1495 1496 bool has_old_fields = 1497 (manifest_.has_old_kernel_info() || manifest_.has_old_rootfs_info()); 1498 for (const PartitionUpdate& partition : manifest_.partitions()) { 1499 has_old_fields = has_old_fields || partition.has_old_partition_info(); 1500 } 1501 1502 // The presence of an old partition hash is the sole indicator for a delta 1503 // update. 1504 InstallPayloadType actual_payload_type = 1505 has_old_fields ? InstallPayloadType::kDelta : InstallPayloadType::kFull; 1506 1507 if (install_plan_->payload_type == InstallPayloadType::kUnknown) { 1508 LOG(INFO) << "Detected a '" 1509 << InstallPayloadTypeToString(actual_payload_type) 1510 << "' payload."; 1511 install_plan_->payload_type = actual_payload_type; 1512 } else if (install_plan_->payload_type != actual_payload_type) { 1513 LOG(ERROR) << "InstallPlan expected a '" 1514 << InstallPayloadTypeToString(install_plan_->payload_type) 1515 << "' payload but the downloaded manifest contains a '" 1516 << InstallPayloadTypeToString(actual_payload_type) 1517 << "' payload."; 1518 return ErrorCode::kPayloadMismatchedType; 1519 } 1520 1521 // Check that the minor version is compatible. 1522 if (actual_payload_type == InstallPayloadType::kFull) { 1523 if (manifest_.minor_version() != kFullPayloadMinorVersion) { 1524 LOG(ERROR) << "Manifest contains minor version " 1525 << manifest_.minor_version() 1526 << ", but all full payloads should have version " 1527 << kFullPayloadMinorVersion << "."; 1528 return ErrorCode::kUnsupportedMinorPayloadVersion; 1529 } 1530 } else { 1531 if (manifest_.minor_version() != supported_minor_version_) { 1532 LOG(ERROR) << "Manifest contains minor version " 1533 << manifest_.minor_version() 1534 << " not the supported " 1535 << supported_minor_version_; 1536 return ErrorCode::kUnsupportedMinorPayloadVersion; 1537 } 1538 } 1539 1540 if (major_payload_version_ != kChromeOSMajorPayloadVersion) { 1541 if (manifest_.has_old_rootfs_info() || 1542 manifest_.has_new_rootfs_info() || 1543 manifest_.has_old_kernel_info() || 1544 manifest_.has_new_kernel_info() || 1545 manifest_.install_operations_size() != 0 || 1546 manifest_.kernel_install_operations_size() != 0) { 1547 LOG(ERROR) << "Manifest contains deprecated field only supported in " 1548 << "major payload version 1, but the payload major version is " 1549 << major_payload_version_; 1550 return ErrorCode::kPayloadMismatchedType; 1551 } 1552 } 1553 1554 // TODO(garnold) we should be adding more and more manifest checks, such as 1555 // partition boundaries etc (see chromium-os:37661). 1556 1557 return ErrorCode::kSuccess; 1558} 1559 1560ErrorCode DeltaPerformer::ValidateOperationHash( 1561 const InstallOperation& operation) { 1562 if (!operation.data_sha256_hash().size()) { 1563 if (!operation.data_length()) { 1564 // Operations that do not have any data blob won't have any operation hash 1565 // either. So, these operations are always considered validated since the 1566 // metadata that contains all the non-data-blob portions of the operation 1567 // has already been validated. This is true for both HTTP and HTTPS cases. 1568 return ErrorCode::kSuccess; 1569 } 1570 1571 // No hash is present for an operation that has data blobs. This shouldn't 1572 // happen normally for any client that has this code, because the 1573 // corresponding update should have been produced with the operation 1574 // hashes. So if it happens it means either we've turned operation hash 1575 // generation off in DeltaDiffGenerator or it's a regression of some sort. 1576 // One caveat though: The last operation is a dummy signature operation 1577 // that doesn't have a hash at the time the manifest is created. So we 1578 // should not complaint about that operation. This operation can be 1579 // recognized by the fact that it's offset is mentioned in the manifest. 1580 if (manifest_.signatures_offset() && 1581 manifest_.signatures_offset() == operation.data_offset()) { 1582 LOG(INFO) << "Skipping hash verification for signature operation " 1583 << next_operation_num_ + 1; 1584 } else { 1585 if (install_plan_->hash_checks_mandatory) { 1586 LOG(ERROR) << "Missing mandatory operation hash for operation " 1587 << next_operation_num_ + 1; 1588 return ErrorCode::kDownloadOperationHashMissingError; 1589 } 1590 1591 LOG(WARNING) << "Cannot validate operation " << next_operation_num_ + 1 1592 << " as there's no operation hash in manifest"; 1593 } 1594 return ErrorCode::kSuccess; 1595 } 1596 1597 brillo::Blob expected_op_hash; 1598 expected_op_hash.assign(operation.data_sha256_hash().data(), 1599 (operation.data_sha256_hash().data() + 1600 operation.data_sha256_hash().size())); 1601 1602 HashCalculator operation_hasher; 1603 operation_hasher.Update(buffer_.data(), operation.data_length()); 1604 if (!operation_hasher.Finalize()) { 1605 LOG(ERROR) << "Unable to compute actual hash of operation " 1606 << next_operation_num_; 1607 return ErrorCode::kDownloadOperationHashVerificationError; 1608 } 1609 1610 brillo::Blob calculated_op_hash = operation_hasher.raw_hash(); 1611 if (calculated_op_hash != expected_op_hash) { 1612 LOG(ERROR) << "Hash verification failed for operation " 1613 << next_operation_num_ << ". Expected hash = "; 1614 utils::HexDumpVector(expected_op_hash); 1615 LOG(ERROR) << "Calculated hash over " << operation.data_length() 1616 << " bytes at offset: " << operation.data_offset() << " = "; 1617 utils::HexDumpVector(calculated_op_hash); 1618 return ErrorCode::kDownloadOperationHashMismatch; 1619 } 1620 1621 return ErrorCode::kSuccess; 1622} 1623 1624#define TEST_AND_RETURN_VAL(_retval, _condition) \ 1625 do { \ 1626 if (!(_condition)) { \ 1627 LOG(ERROR) << "VerifyPayload failure: " << #_condition; \ 1628 return _retval; \ 1629 } \ 1630 } while (0); 1631 1632ErrorCode DeltaPerformer::VerifyPayload( 1633 const string& update_check_response_hash, 1634 const uint64_t update_check_response_size) { 1635 1636 // See if we should use the public RSA key in the Omaha response. 1637 base::FilePath path_to_public_key(public_key_path_); 1638 base::FilePath tmp_key; 1639 if (GetPublicKeyFromResponse(&tmp_key)) 1640 path_to_public_key = tmp_key; 1641 ScopedPathUnlinker tmp_key_remover(tmp_key.value()); 1642 if (tmp_key.empty()) 1643 tmp_key_remover.set_should_remove(false); 1644 1645 LOG(INFO) << "Verifying payload using public key: " 1646 << path_to_public_key.value(); 1647 1648 // Verifies the download size. 1649 TEST_AND_RETURN_VAL(ErrorCode::kPayloadSizeMismatchError, 1650 update_check_response_size == 1651 metadata_size_ + metadata_signature_size_ + 1652 buffer_offset_); 1653 1654 // Verifies the payload hash. 1655 const string& payload_hash_data = payload_hash_calculator_.hash(); 1656 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadVerificationError, 1657 !payload_hash_data.empty()); 1658 TEST_AND_RETURN_VAL(ErrorCode::kPayloadHashMismatchError, 1659 payload_hash_data == update_check_response_hash); 1660 1661 // Verifies the signed payload hash. 1662 if (!utils::FileExists(path_to_public_key.value().c_str())) { 1663 LOG(WARNING) << "Not verifying signed delta payload -- missing public key."; 1664 return ErrorCode::kSuccess; 1665 } 1666 TEST_AND_RETURN_VAL(ErrorCode::kSignedDeltaPayloadExpectedError, 1667 !signatures_message_data_.empty()); 1668 brillo::Blob hash_data = signed_hash_calculator_.raw_hash(); 1669 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError, 1670 PayloadVerifier::PadRSA2048SHA256Hash(&hash_data)); 1671 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError, 1672 !hash_data.empty()); 1673 1674 if (!PayloadVerifier::VerifySignature( 1675 signatures_message_data_, path_to_public_key.value(), hash_data)) { 1676 // The autoupdate_CatchBadSignatures test checks for this string 1677 // in log-files. Keep in sync. 1678 LOG(ERROR) << "Public key verification failed, thus update failed."; 1679 return ErrorCode::kDownloadPayloadPubKeyVerificationError; 1680 } 1681 1682 LOG(INFO) << "Payload hash matches value in payload."; 1683 1684 // At this point, we are guaranteed to have downloaded a full payload, i.e 1685 // the one whose size matches the size mentioned in Omaha response. If any 1686 // errors happen after this, it's likely a problem with the payload itself or 1687 // the state of the system and not a problem with the URL or network. So, 1688 // indicate that to the download delegate so that AU can backoff 1689 // appropriately. 1690 if (download_delegate_) 1691 download_delegate_->DownloadComplete(); 1692 1693 return ErrorCode::kSuccess; 1694} 1695 1696void DeltaPerformer::DiscardBuffer(bool do_advance_offset, 1697 size_t signed_hash_buffer_size) { 1698 // Update the buffer offset. 1699 if (do_advance_offset) 1700 buffer_offset_ += buffer_.size(); 1701 1702 // Hash the content. 1703 payload_hash_calculator_.Update(buffer_.data(), buffer_.size()); 1704 signed_hash_calculator_.Update(buffer_.data(), signed_hash_buffer_size); 1705 1706 // Swap content with an empty vector to ensure that all memory is released. 1707 brillo::Blob().swap(buffer_); 1708} 1709 1710bool DeltaPerformer::CanResumeUpdate(PrefsInterface* prefs, 1711 const string& update_check_response_hash) { 1712 int64_t next_operation = kUpdateStateOperationInvalid; 1713 if (!(prefs->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) && 1714 next_operation != kUpdateStateOperationInvalid && 1715 next_operation > 0)) 1716 return false; 1717 1718 string interrupted_hash; 1719 if (!(prefs->GetString(kPrefsUpdateCheckResponseHash, &interrupted_hash) && 1720 !interrupted_hash.empty() && 1721 interrupted_hash == update_check_response_hash)) 1722 return false; 1723 1724 int64_t resumed_update_failures; 1725 // Note that storing this value is optional, but if it is there it should not 1726 // be more than the limit. 1727 if (prefs->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures) && 1728 resumed_update_failures > kMaxResumedUpdateFailures) 1729 return false; 1730 1731 // Sanity check the rest. 1732 int64_t next_data_offset = -1; 1733 if (!(prefs->GetInt64(kPrefsUpdateStateNextDataOffset, &next_data_offset) && 1734 next_data_offset >= 0)) 1735 return false; 1736 1737 string sha256_context; 1738 if (!(prefs->GetString(kPrefsUpdateStateSHA256Context, &sha256_context) && 1739 !sha256_context.empty())) 1740 return false; 1741 1742 int64_t manifest_metadata_size = 0; 1743 if (!(prefs->GetInt64(kPrefsManifestMetadataSize, &manifest_metadata_size) && 1744 manifest_metadata_size > 0)) 1745 return false; 1746 1747 int64_t manifest_signature_size = 0; 1748 if (!(prefs->GetInt64(kPrefsManifestSignatureSize, 1749 &manifest_signature_size) && 1750 manifest_signature_size >= 0)) 1751 return false; 1752 1753 return true; 1754} 1755 1756bool DeltaPerformer::ResetUpdateProgress(PrefsInterface* prefs, bool quick) { 1757 TEST_AND_RETURN_FALSE(prefs->SetInt64(kPrefsUpdateStateNextOperation, 1758 kUpdateStateOperationInvalid)); 1759 if (!quick) { 1760 prefs->SetString(kPrefsUpdateCheckResponseHash, ""); 1761 prefs->SetInt64(kPrefsUpdateStateNextDataOffset, -1); 1762 prefs->SetInt64(kPrefsUpdateStateNextDataLength, 0); 1763 prefs->SetString(kPrefsUpdateStateSHA256Context, ""); 1764 prefs->SetString(kPrefsUpdateStateSignedSHA256Context, ""); 1765 prefs->SetString(kPrefsUpdateStateSignatureBlob, ""); 1766 prefs->SetInt64(kPrefsManifestMetadataSize, -1); 1767 prefs->SetInt64(kPrefsManifestSignatureSize, -1); 1768 prefs->SetInt64(kPrefsResumedUpdateFailures, 0); 1769 } 1770 return true; 1771} 1772 1773bool DeltaPerformer::CheckpointUpdateProgress() { 1774 Terminator::set_exit_blocked(true); 1775 if (last_updated_buffer_offset_ != buffer_offset_) { 1776 // Resets the progress in case we die in the middle of the state update. 1777 ResetUpdateProgress(prefs_, true); 1778 TEST_AND_RETURN_FALSE( 1779 prefs_->SetString(kPrefsUpdateStateSHA256Context, 1780 payload_hash_calculator_.GetContext())); 1781 TEST_AND_RETURN_FALSE( 1782 prefs_->SetString(kPrefsUpdateStateSignedSHA256Context, 1783 signed_hash_calculator_.GetContext())); 1784 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataOffset, 1785 buffer_offset_)); 1786 last_updated_buffer_offset_ = buffer_offset_; 1787 1788 if (next_operation_num_ < num_total_operations_) { 1789 size_t partition_index = current_partition_; 1790 while (next_operation_num_ >= acc_num_operations_[partition_index]) 1791 partition_index++; 1792 const size_t partition_operation_num = next_operation_num_ - ( 1793 partition_index ? acc_num_operations_[partition_index - 1] : 0); 1794 const InstallOperation& op = 1795 partitions_[partition_index].operations(partition_operation_num); 1796 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength, 1797 op.data_length())); 1798 } else { 1799 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength, 1800 0)); 1801 } 1802 } 1803 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextOperation, 1804 next_operation_num_)); 1805 return true; 1806} 1807 1808bool DeltaPerformer::PrimeUpdateState() { 1809 CHECK(manifest_valid_); 1810 block_size_ = manifest_.block_size(); 1811 1812 int64_t next_operation = kUpdateStateOperationInvalid; 1813 if (!prefs_->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) || 1814 next_operation == kUpdateStateOperationInvalid || 1815 next_operation <= 0) { 1816 // Initiating a new update, no more state needs to be initialized. 1817 return true; 1818 } 1819 next_operation_num_ = next_operation; 1820 1821 // Resuming an update -- load the rest of the update state. 1822 int64_t next_data_offset = -1; 1823 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsUpdateStateNextDataOffset, 1824 &next_data_offset) && 1825 next_data_offset >= 0); 1826 buffer_offset_ = next_data_offset; 1827 1828 // The signed hash context and the signature blob may be empty if the 1829 // interrupted update didn't reach the signature. 1830 string signed_hash_context; 1831 if (prefs_->GetString(kPrefsUpdateStateSignedSHA256Context, 1832 &signed_hash_context)) { 1833 TEST_AND_RETURN_FALSE( 1834 signed_hash_calculator_.SetContext(signed_hash_context)); 1835 } 1836 1837 string signature_blob; 1838 if (prefs_->GetString(kPrefsUpdateStateSignatureBlob, &signature_blob)) { 1839 signatures_message_data_.assign(signature_blob.begin(), 1840 signature_blob.end()); 1841 } 1842 1843 string hash_context; 1844 TEST_AND_RETURN_FALSE(prefs_->GetString(kPrefsUpdateStateSHA256Context, 1845 &hash_context) && 1846 payload_hash_calculator_.SetContext(hash_context)); 1847 1848 int64_t manifest_metadata_size = 0; 1849 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsManifestMetadataSize, 1850 &manifest_metadata_size) && 1851 manifest_metadata_size > 0); 1852 metadata_size_ = manifest_metadata_size; 1853 1854 int64_t manifest_signature_size = 0; 1855 TEST_AND_RETURN_FALSE( 1856 prefs_->GetInt64(kPrefsManifestSignatureSize, &manifest_signature_size) && 1857 manifest_signature_size >= 0); 1858 metadata_signature_size_ = manifest_signature_size; 1859 1860 // Advance the download progress to reflect what doesn't need to be 1861 // re-downloaded. 1862 total_bytes_received_ += buffer_offset_; 1863 1864 // Speculatively count the resume as a failure. 1865 int64_t resumed_update_failures; 1866 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) { 1867 resumed_update_failures++; 1868 } else { 1869 resumed_update_failures = 1; 1870 } 1871 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures); 1872 return true; 1873} 1874 1875} // namespace chromeos_update_engine 1876