• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //
2 // Copyright (C) 2012 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include "update_engine/payload_consumer/delta_performer.h"
18 
19 #include <errno.h>
20 #include <linux/fs.h>
21 
22 #include <algorithm>
23 #include <cstring>
24 #include <map>
25 #include <memory>
26 #include <string>
27 #include <utility>
28 #include <vector>
29 
30 #include <base/files/file_util.h>
31 #include <base/format_macros.h>
32 #include <base/metrics/histogram_macros.h>
33 #include <base/strings/string_number_conversions.h>
34 #include <base/strings/string_util.h>
35 #include <base/strings/stringprintf.h>
36 #include <base/time/time.h>
37 #include <brillo/data_encoding.h>
38 #include <bsdiff/bspatch.h>
39 #include <google/protobuf/repeated_field.h>
40 #include <puffin/puffpatch.h>
41 
42 #include "update_engine/common/constants.h"
43 #include "update_engine/common/hardware_interface.h"
44 #include "update_engine/common/prefs_interface.h"
45 #include "update_engine/common/subprocess.h"
46 #include "update_engine/common/terminator.h"
47 #include "update_engine/payload_consumer/bzip_extent_writer.h"
48 #include "update_engine/payload_consumer/cached_file_descriptor.h"
49 #include "update_engine/payload_consumer/download_action.h"
50 #include "update_engine/payload_consumer/extent_reader.h"
51 #include "update_engine/payload_consumer/extent_writer.h"
52 #if USE_FEC
53 #include "update_engine/payload_consumer/fec_file_descriptor.h"
54 #endif  // USE_FEC
55 #include "update_engine/payload_consumer/file_descriptor_utils.h"
56 #include "update_engine/payload_consumer/mount_history.h"
57 #if USE_MTD
58 #include "update_engine/payload_consumer/mtd_file_descriptor.h"
59 #endif  // USE_MTD
60 #include "update_engine/payload_consumer/payload_constants.h"
61 #include "update_engine/payload_consumer/payload_verifier.h"
62 #include "update_engine/payload_consumer/xz_extent_writer.h"
63 
64 using google::protobuf::RepeatedPtrField;
65 using std::min;
66 using std::string;
67 using std::vector;
68 
69 namespace chromeos_update_engine {
70 const unsigned DeltaPerformer::kProgressLogMaxChunks = 10;
71 const unsigned DeltaPerformer::kProgressLogTimeoutSeconds = 30;
72 const unsigned DeltaPerformer::kProgressDownloadWeight = 50;
73 const unsigned DeltaPerformer::kProgressOperationsWeight = 50;
74 const uint64_t DeltaPerformer::kCheckpointFrequencySeconds = 1;
75 
76 namespace {
77 const int kUpdateStateOperationInvalid = -1;
78 const int kMaxResumedUpdateFailures = 10;
79 #if USE_MTD
80 const int kUbiVolumeAttachTimeout = 5 * 60;
81 #endif
82 
83 const uint64_t kCacheSize = 1024 * 1024;  // 1MB
84 
CreateFileDescriptor(const char * path)85 FileDescriptorPtr CreateFileDescriptor(const char* path) {
86   FileDescriptorPtr ret;
87 #if USE_MTD
88   if (strstr(path, "/dev/ubi") == path) {
89     if (!UbiFileDescriptor::IsUbi(path)) {
90       // The volume might not have been attached at boot time.
91       int volume_no;
92       if (utils::SplitPartitionName(path, nullptr, &volume_no)) {
93         utils::TryAttachingUbiVolume(volume_no, kUbiVolumeAttachTimeout);
94       }
95     }
96     if (UbiFileDescriptor::IsUbi(path)) {
97       LOG(INFO) << path << " is a UBI device.";
98       ret.reset(new UbiFileDescriptor);
99     }
100   } else if (MtdFileDescriptor::IsMtd(path)) {
101     LOG(INFO) << path << " is an MTD device.";
102     ret.reset(new MtdFileDescriptor);
103   } else {
104     LOG(INFO) << path << " is not an MTD nor a UBI device.";
105 #endif
106     ret.reset(new EintrSafeFileDescriptor);
107 #if USE_MTD
108   }
109 #endif
110   return ret;
111 }
112 
113 // Opens path for read/write. On success returns an open FileDescriptor
114 // and sets *err to 0. On failure, sets *err to errno and returns nullptr.
OpenFile(const char * path,int mode,bool cache_writes,int * err)115 FileDescriptorPtr OpenFile(const char* path,
116                            int mode,
117                            bool cache_writes,
118                            int* err) {
119   // Try to mark the block device read-only based on the mode. Ignore any
120   // failure since this won't work when passing regular files.
121   bool read_only = (mode & O_ACCMODE) == O_RDONLY;
122   utils::SetBlockDeviceReadOnly(path, read_only);
123 
124   FileDescriptorPtr fd = CreateFileDescriptor(path);
125   if (cache_writes && !read_only) {
126     fd = FileDescriptorPtr(new CachedFileDescriptor(fd, kCacheSize));
127     LOG(INFO) << "Caching writes.";
128   }
129 #if USE_MTD
130   // On NAND devices, we can either read, or write, but not both. So here we
131   // use O_WRONLY.
132   if (UbiFileDescriptor::IsUbi(path) || MtdFileDescriptor::IsMtd(path)) {
133     mode = O_WRONLY;
134   }
135 #endif
136   if (!fd->Open(path, mode, 000)) {
137     *err = errno;
138     PLOG(ERROR) << "Unable to open file " << path;
139     return nullptr;
140   }
141   *err = 0;
142   return fd;
143 }
144 
145 // Discard the tail of the block device referenced by |fd|, from the offset
146 // |data_size| until the end of the block device. Returns whether the data was
147 // discarded.
DiscardPartitionTail(const FileDescriptorPtr & fd,uint64_t data_size)148 bool DiscardPartitionTail(const FileDescriptorPtr& fd, uint64_t data_size) {
149   uint64_t part_size = fd->BlockDevSize();
150   if (!part_size || part_size <= data_size)
151     return false;
152 
153   struct blkioctl_request {
154     int number;
155     const char* name;
156   };
157   const vector<blkioctl_request> blkioctl_requests = {
158       {BLKDISCARD, "BLKDISCARD"},
159       {BLKSECDISCARD, "BLKSECDISCARD"},
160 #ifdef BLKZEROOUT
161       {BLKZEROOUT, "BLKZEROOUT"},
162 #endif
163   };
164   for (const auto& req : blkioctl_requests) {
165     int error = 0;
166     if (fd->BlkIoctl(req.number, data_size, part_size - data_size, &error) &&
167         error == 0) {
168       return true;
169     }
170     LOG(WARNING) << "Error discarding the last "
171                  << (part_size - data_size) / 1024 << " KiB using ioctl("
172                  << req.name << ")";
173   }
174   return false;
175 }
176 
177 }  // namespace
178 
179 // Computes the ratio of |part| and |total|, scaled to |norm|, using integer
180 // arithmetic.
IntRatio(uint64_t part,uint64_t total,uint64_t norm)181 static uint64_t IntRatio(uint64_t part, uint64_t total, uint64_t norm) {
182   return part * norm / total;
183 }
184 
LogProgress(const char * message_prefix)185 void DeltaPerformer::LogProgress(const char* message_prefix) {
186   // Format operations total count and percentage.
187   string total_operations_str("?");
188   string completed_percentage_str("");
189   if (num_total_operations_) {
190     total_operations_str = std::to_string(num_total_operations_);
191     // Upcasting to 64-bit to avoid overflow, back to size_t for formatting.
192     completed_percentage_str = base::StringPrintf(
193         " (%" PRIu64 "%%)",
194         IntRatio(next_operation_num_, num_total_operations_, 100));
195   }
196 
197   // Format download total count and percentage.
198   size_t payload_size = payload_->size;
199   string payload_size_str("?");
200   string downloaded_percentage_str("");
201   if (payload_size) {
202     payload_size_str = std::to_string(payload_size);
203     // Upcasting to 64-bit to avoid overflow, back to size_t for formatting.
204     downloaded_percentage_str = base::StringPrintf(
205         " (%" PRIu64 "%%)", IntRatio(total_bytes_received_, payload_size, 100));
206   }
207 
208   LOG(INFO) << (message_prefix ? message_prefix : "") << next_operation_num_
209             << "/" << total_operations_str << " operations"
210             << completed_percentage_str << ", " << total_bytes_received_ << "/"
211             << payload_size_str << " bytes downloaded"
212             << downloaded_percentage_str << ", overall progress "
213             << overall_progress_ << "%";
214 }
215 
UpdateOverallProgress(bool force_log,const char * message_prefix)216 void DeltaPerformer::UpdateOverallProgress(bool force_log,
217                                            const char* message_prefix) {
218   // Compute our download and overall progress.
219   unsigned new_overall_progress = 0;
220   static_assert(kProgressDownloadWeight + kProgressOperationsWeight == 100,
221                 "Progress weights don't add up");
222   // Only consider download progress if its total size is known; otherwise
223   // adjust the operations weight to compensate for the absence of download
224   // progress. Also, make sure to cap the download portion at
225   // kProgressDownloadWeight, in case we end up downloading more than we
226   // initially expected (this indicates a problem, but could generally happen).
227   // TODO(garnold) the correction of operations weight when we do not have the
228   // total payload size, as well as the conditional guard below, should both be
229   // eliminated once we ensure that the payload_size in the install plan is
230   // always given and is non-zero. This currently isn't the case during unit
231   // tests (see chromium-os:37969).
232   size_t payload_size = payload_->size;
233   unsigned actual_operations_weight = kProgressOperationsWeight;
234   if (payload_size)
235     new_overall_progress +=
236         min(static_cast<unsigned>(IntRatio(
237                 total_bytes_received_, payload_size, kProgressDownloadWeight)),
238             kProgressDownloadWeight);
239   else
240     actual_operations_weight += kProgressDownloadWeight;
241 
242   // Only add completed operations if their total number is known; we definitely
243   // expect an update to have at least one operation, so the expectation is that
244   // this will eventually reach |actual_operations_weight|.
245   if (num_total_operations_)
246     new_overall_progress += IntRatio(
247         next_operation_num_, num_total_operations_, actual_operations_weight);
248 
249   // Progress ratio cannot recede, unless our assumptions about the total
250   // payload size, total number of operations, or the monotonicity of progress
251   // is breached.
252   if (new_overall_progress < overall_progress_) {
253     LOG(WARNING) << "progress counter receded from " << overall_progress_
254                  << "% down to " << new_overall_progress << "%; this is a bug";
255     force_log = true;
256   }
257   overall_progress_ = new_overall_progress;
258 
259   // Update chunk index, log as needed: if forced by called, or we completed a
260   // progress chunk, or a timeout has expired.
261   base::TimeTicks curr_time = base::TimeTicks::Now();
262   unsigned curr_progress_chunk =
263       overall_progress_ * kProgressLogMaxChunks / 100;
264   if (force_log || curr_progress_chunk > last_progress_chunk_ ||
265       curr_time > forced_progress_log_time_) {
266     forced_progress_log_time_ = curr_time + forced_progress_log_wait_;
267     LogProgress(message_prefix);
268   }
269   last_progress_chunk_ = curr_progress_chunk;
270 }
271 
CopyDataToBuffer(const char ** bytes_p,size_t * count_p,size_t max)272 size_t DeltaPerformer::CopyDataToBuffer(const char** bytes_p,
273                                         size_t* count_p,
274                                         size_t max) {
275   const size_t count = *count_p;
276   if (!count)
277     return 0;  // Special case shortcut.
278   size_t read_len = min(count, max - buffer_.size());
279   const char* bytes_start = *bytes_p;
280   const char* bytes_end = bytes_start + read_len;
281   buffer_.reserve(max);
282   buffer_.insert(buffer_.end(), bytes_start, bytes_end);
283   *bytes_p = bytes_end;
284   *count_p = count - read_len;
285   return read_len;
286 }
287 
HandleOpResult(bool op_result,const char * op_type_name,ErrorCode * error)288 bool DeltaPerformer::HandleOpResult(bool op_result,
289                                     const char* op_type_name,
290                                     ErrorCode* error) {
291   if (op_result)
292     return true;
293 
294   size_t partition_first_op_num =
295       current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0;
296   LOG(ERROR) << "Failed to perform " << op_type_name << " operation "
297              << next_operation_num_ << ", which is the operation "
298              << next_operation_num_ - partition_first_op_num
299              << " in partition \""
300              << partitions_[current_partition_].partition_name() << "\"";
301   if (*error == ErrorCode::kSuccess)
302     *error = ErrorCode::kDownloadOperationExecutionError;
303   return false;
304 }
305 
Close()306 int DeltaPerformer::Close() {
307   int err = -CloseCurrentPartition();
308   LOG_IF(ERROR,
309          !payload_hash_calculator_.Finalize() ||
310              !signed_hash_calculator_.Finalize())
311       << "Unable to finalize the hash.";
312   if (!buffer_.empty()) {
313     LOG(INFO) << "Discarding " << buffer_.size() << " unused downloaded bytes";
314     if (err >= 0)
315       err = 1;
316   }
317   return -err;
318 }
319 
CloseCurrentPartition()320 int DeltaPerformer::CloseCurrentPartition() {
321   int err = 0;
322   if (source_fd_ && !source_fd_->Close()) {
323     err = errno;
324     PLOG(ERROR) << "Error closing source partition";
325     if (!err)
326       err = 1;
327   }
328   source_fd_.reset();
329   if (source_ecc_fd_ && !source_ecc_fd_->Close()) {
330     err = errno;
331     PLOG(ERROR) << "Error closing ECC source partition";
332     if (!err)
333       err = 1;
334   }
335   source_ecc_fd_.reset();
336   source_ecc_open_failure_ = false;
337   source_path_.clear();
338 
339   if (target_fd_ && !target_fd_->Close()) {
340     err = errno;
341     PLOG(ERROR) << "Error closing target partition";
342     if (!err)
343       err = 1;
344   }
345   target_fd_.reset();
346   target_path_.clear();
347   return -err;
348 }
349 
OpenCurrentPartition()350 bool DeltaPerformer::OpenCurrentPartition() {
351   if (current_partition_ >= partitions_.size())
352     return false;
353 
354   const PartitionUpdate& partition = partitions_[current_partition_];
355   size_t num_previous_partitions =
356       install_plan_->partitions.size() - partitions_.size();
357   const InstallPlan::Partition& install_part =
358       install_plan_->partitions[num_previous_partitions + current_partition_];
359   // Open source fds if we have a delta payload with minor version >= 2.
360   if (payload_->type == InstallPayloadType::kDelta &&
361       GetMinorVersion() != kInPlaceMinorPayloadVersion &&
362       // With dynamic partitions we could create a new partition in a
363       // delta payload, and we shouldn't open source partition in that case.
364       install_part.source_size > 0) {
365     source_path_ = install_part.source_path;
366     int err;
367     source_fd_ = OpenFile(source_path_.c_str(), O_RDONLY, false, &err);
368     if (!source_fd_) {
369       LOG(ERROR) << "Unable to open source partition "
370                  << partition.partition_name() << " on slot "
371                  << BootControlInterface::SlotName(install_plan_->source_slot)
372                  << ", file " << source_path_;
373       return false;
374     }
375   }
376 
377   target_path_ = install_part.target_path;
378   int err;
379 
380   int flags = O_RDWR;
381   if (!interactive_)
382     flags |= O_DSYNC;
383 
384   LOG(INFO) << "Opening " << target_path_ << " partition with"
385             << (interactive_ ? "out" : "") << " O_DSYNC";
386 
387   target_fd_ = OpenFile(target_path_.c_str(), flags, true, &err);
388   if (!target_fd_) {
389     LOG(ERROR) << "Unable to open target partition "
390                << partition.partition_name() << " on slot "
391                << BootControlInterface::SlotName(install_plan_->target_slot)
392                << ", file " << target_path_;
393     return false;
394   }
395 
396   LOG(INFO) << "Applying " << partition.operations().size()
397             << " operations to partition \"" << partition.partition_name()
398             << "\"";
399 
400   // Discard the end of the partition, but ignore failures.
401   DiscardPartitionTail(target_fd_, install_part.target_size);
402 
403   return true;
404 }
405 
OpenCurrentECCPartition()406 bool DeltaPerformer::OpenCurrentECCPartition() {
407   if (source_ecc_fd_)
408     return true;
409 
410   if (source_ecc_open_failure_)
411     return false;
412 
413   if (current_partition_ >= partitions_.size())
414     return false;
415 
416   // No support for ECC in minor version 1 or full payloads.
417   if (payload_->type == InstallPayloadType::kFull ||
418       GetMinorVersion() == kInPlaceMinorPayloadVersion)
419     return false;
420 
421 #if USE_FEC
422   const PartitionUpdate& partition = partitions_[current_partition_];
423   size_t num_previous_partitions =
424       install_plan_->partitions.size() - partitions_.size();
425   const InstallPlan::Partition& install_part =
426       install_plan_->partitions[num_previous_partitions + current_partition_];
427   string path = install_part.source_path;
428   FileDescriptorPtr fd(new FecFileDescriptor());
429   if (!fd->Open(path.c_str(), O_RDONLY, 0)) {
430     PLOG(ERROR) << "Unable to open ECC source partition "
431                 << partition.partition_name() << " on slot "
432                 << BootControlInterface::SlotName(install_plan_->source_slot)
433                 << ", file " << path;
434     source_ecc_open_failure_ = true;
435     return false;
436   }
437   source_ecc_fd_ = fd;
438 #else
439   // No support for ECC compiled.
440   source_ecc_open_failure_ = true;
441 #endif  // USE_FEC
442 
443   return !source_ecc_open_failure_;
444 }
445 
446 namespace {
447 
LogPartitionInfoHash(const PartitionInfo & info,const string & tag)448 void LogPartitionInfoHash(const PartitionInfo& info, const string& tag) {
449   string sha256 = brillo::data_encoding::Base64Encode(info.hash());
450   LOG(INFO) << "PartitionInfo " << tag << " sha256: " << sha256
451             << " size: " << info.size();
452 }
453 
LogPartitionInfo(const vector<PartitionUpdate> & partitions)454 void LogPartitionInfo(const vector<PartitionUpdate>& partitions) {
455   for (const PartitionUpdate& partition : partitions) {
456     if (partition.has_old_partition_info()) {
457       LogPartitionInfoHash(partition.old_partition_info(),
458                            "old " + partition.partition_name());
459     }
460     LogPartitionInfoHash(partition.new_partition_info(),
461                          "new " + partition.partition_name());
462   }
463 }
464 
465 }  // namespace
466 
GetMinorVersion() const467 uint32_t DeltaPerformer::GetMinorVersion() const {
468   if (manifest_.has_minor_version()) {
469     return manifest_.minor_version();
470   }
471   return payload_->type == InstallPayloadType::kDelta
472              ? kMaxSupportedMinorPayloadVersion
473              : kFullPayloadMinorVersion;
474 }
475 
IsHeaderParsed() const476 bool DeltaPerformer::IsHeaderParsed() const {
477   return metadata_size_ != 0;
478 }
479 
ParsePayloadMetadata(const brillo::Blob & payload,ErrorCode * error)480 MetadataParseResult DeltaPerformer::ParsePayloadMetadata(
481     const brillo::Blob& payload, ErrorCode* error) {
482   *error = ErrorCode::kSuccess;
483 
484   if (!IsHeaderParsed()) {
485     MetadataParseResult result =
486         payload_metadata_.ParsePayloadHeader(payload, error);
487     if (result != MetadataParseResult::kSuccess)
488       return result;
489 
490     metadata_size_ = payload_metadata_.GetMetadataSize();
491     metadata_signature_size_ = payload_metadata_.GetMetadataSignatureSize();
492     major_payload_version_ = payload_metadata_.GetMajorVersion();
493 
494     // If the metadata size is present in install plan, check for it immediately
495     // even before waiting for that many number of bytes to be downloaded in the
496     // payload. This will prevent any attack which relies on us downloading data
497     // beyond the expected metadata size.
498     if (install_plan_->hash_checks_mandatory) {
499       if (payload_->metadata_size != metadata_size_) {
500         LOG(ERROR) << "Mandatory metadata size in Omaha response ("
501                    << payload_->metadata_size
502                    << ") is missing/incorrect, actual = " << metadata_size_;
503         *error = ErrorCode::kDownloadInvalidMetadataSize;
504         return MetadataParseResult::kError;
505       }
506     }
507   }
508 
509   // Now that we have validated the metadata size, we should wait for the full
510   // metadata and its signature (if exist) to be read in before we can parse it.
511   if (payload.size() < metadata_size_ + metadata_signature_size_)
512     return MetadataParseResult::kInsufficientData;
513 
514   // Log whether we validated the size or simply trusting what's in the payload
515   // here. This is logged here (after we received the full metadata data) so
516   // that we just log once (instead of logging n times) if it takes n
517   // DeltaPerformer::Write calls to download the full manifest.
518   if (payload_->metadata_size == metadata_size_) {
519     LOG(INFO) << "Manifest size in payload matches expected value from Omaha";
520   } else {
521     // For mandatory-cases, we'd have already returned a kMetadataParseError
522     // above. We'll be here only for non-mandatory cases. Just send a UMA stat.
523     LOG(WARNING) << "Ignoring missing/incorrect metadata size ("
524                  << payload_->metadata_size
525                  << ") in Omaha response as validation is not mandatory. "
526                  << "Trusting metadata size in payload = " << metadata_size_;
527   }
528 
529   string public_key;
530   if (!GetPublicKey(&public_key)) {
531     LOG(ERROR) << "Failed to get public key.";
532     *error = ErrorCode::kDownloadMetadataSignatureVerificationError;
533     return MetadataParseResult::kError;
534   }
535 
536   // We have the full metadata in |payload|. Verify its integrity
537   // and authenticity based on the information we have in Omaha response.
538   *error = payload_metadata_.ValidateMetadataSignature(
539       payload, payload_->metadata_signature, public_key);
540   if (*error != ErrorCode::kSuccess) {
541     if (install_plan_->hash_checks_mandatory) {
542       // The autoupdate_CatchBadSignatures test checks for this string
543       // in log-files. Keep in sync.
544       LOG(ERROR) << "Mandatory metadata signature validation failed";
545       return MetadataParseResult::kError;
546     }
547 
548     // For non-mandatory cases, just send a UMA stat.
549     LOG(WARNING) << "Ignoring metadata signature validation failures";
550     *error = ErrorCode::kSuccess;
551   }
552 
553   // The payload metadata is deemed valid, it's safe to parse the protobuf.
554   if (!payload_metadata_.GetManifest(payload, &manifest_)) {
555     LOG(ERROR) << "Unable to parse manifest in update file.";
556     *error = ErrorCode::kDownloadManifestParseError;
557     return MetadataParseResult::kError;
558   }
559 
560   manifest_parsed_ = true;
561   return MetadataParseResult::kSuccess;
562 }
563 
564 #define OP_DURATION_HISTOGRAM(_op_name, _start_time)                         \
565   LOCAL_HISTOGRAM_CUSTOM_TIMES(                                              \
566       "UpdateEngine.DownloadAction.InstallOperation::" _op_name ".Duration", \
567       base::TimeTicks::Now() - _start_time,                                  \
568       base::TimeDelta::FromMilliseconds(10),                                 \
569       base::TimeDelta::FromMinutes(5),                                       \
570       20);
571 
572 // Wrapper around write. Returns true if all requested bytes
573 // were written, or false on any error, regardless of progress
574 // and stores an action exit code in |error|.
Write(const void * bytes,size_t count,ErrorCode * error)575 bool DeltaPerformer::Write(const void* bytes, size_t count, ErrorCode* error) {
576   *error = ErrorCode::kSuccess;
577   const char* c_bytes = reinterpret_cast<const char*>(bytes);
578 
579   // Update the total byte downloaded count and the progress logs.
580   total_bytes_received_ += count;
581   UpdateOverallProgress(false, "Completed ");
582 
583   while (!manifest_valid_) {
584     // Read data up to the needed limit; this is either maximium payload header
585     // size, or the full metadata size (once it becomes known).
586     const bool do_read_header = !IsHeaderParsed();
587     CopyDataToBuffer(
588         &c_bytes,
589         &count,
590         (do_read_header ? kMaxPayloadHeaderSize
591                         : metadata_size_ + metadata_signature_size_));
592 
593     MetadataParseResult result = ParsePayloadMetadata(buffer_, error);
594     if (result == MetadataParseResult::kError)
595       return false;
596     if (result == MetadataParseResult::kInsufficientData) {
597       // If we just processed the header, make an attempt on the manifest.
598       if (do_read_header && IsHeaderParsed())
599         continue;
600 
601       return true;
602     }
603 
604     // Checks the integrity of the payload manifest.
605     if ((*error = ValidateManifest()) != ErrorCode::kSuccess)
606       return false;
607     manifest_valid_ = true;
608 
609     // Clear the download buffer.
610     DiscardBuffer(false, metadata_size_);
611 
612     block_size_ = manifest_.block_size();
613 
614     // This populates |partitions_| and the |install_plan.partitions| with the
615     // list of partitions from the manifest.
616     if (!ParseManifestPartitions(error))
617       return false;
618 
619     // |install_plan.partitions| was filled in, nothing need to be done here if
620     // the payload was already applied, returns false to terminate http fetcher,
621     // but keep |error| as ErrorCode::kSuccess.
622     if (payload_->already_applied)
623       return false;
624 
625     num_total_operations_ = 0;
626     for (const auto& partition : partitions_) {
627       num_total_operations_ += partition.operations_size();
628       acc_num_operations_.push_back(num_total_operations_);
629     }
630 
631     LOG_IF(WARNING,
632            !prefs_->SetInt64(kPrefsManifestMetadataSize, metadata_size_))
633         << "Unable to save the manifest metadata size.";
634     LOG_IF(WARNING,
635            !prefs_->SetInt64(kPrefsManifestSignatureSize,
636                              metadata_signature_size_))
637         << "Unable to save the manifest signature size.";
638 
639     if (!PrimeUpdateState()) {
640       *error = ErrorCode::kDownloadStateInitializationError;
641       LOG(ERROR) << "Unable to prime the update state.";
642       return false;
643     }
644 
645     if (next_operation_num_ < acc_num_operations_[current_partition_]) {
646       if (!OpenCurrentPartition()) {
647         *error = ErrorCode::kInstallDeviceOpenError;
648         return false;
649       }
650     }
651 
652     if (next_operation_num_ > 0)
653       UpdateOverallProgress(true, "Resuming after ");
654     LOG(INFO) << "Starting to apply update payload operations";
655   }
656 
657   while (next_operation_num_ < num_total_operations_) {
658     // Check if we should cancel the current attempt for any reason.
659     // In this case, *error will have already been populated with the reason
660     // why we're canceling.
661     if (download_delegate_ && download_delegate_->ShouldCancel(error))
662       return false;
663 
664     // We know there are more operations to perform because we didn't reach the
665     // |num_total_operations_| limit yet.
666     if (next_operation_num_ >= acc_num_operations_[current_partition_]) {
667       CloseCurrentPartition();
668       // Skip until there are operations for current_partition_.
669       while (next_operation_num_ >= acc_num_operations_[current_partition_]) {
670         current_partition_++;
671       }
672       if (!OpenCurrentPartition()) {
673         *error = ErrorCode::kInstallDeviceOpenError;
674         return false;
675       }
676     }
677     const size_t partition_operation_num =
678         next_operation_num_ -
679         (current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0);
680 
681     const InstallOperation& op =
682         partitions_[current_partition_].operations(partition_operation_num);
683 
684     CopyDataToBuffer(&c_bytes, &count, op.data_length());
685 
686     // Check whether we received all of the next operation's data payload.
687     if (!CanPerformInstallOperation(op))
688       return true;
689 
690     // Validate the operation only if the metadata signature is present.
691     // Otherwise, keep the old behavior. This serves as a knob to disable
692     // the validation logic in case we find some regression after rollout.
693     // NOTE: If hash checks are mandatory and if metadata_signature is empty,
694     // we would have already failed in ParsePayloadMetadata method and thus not
695     // even be here. So no need to handle that case again here.
696     if (!payload_->metadata_signature.empty()) {
697       // Note: Validate must be called only if CanPerformInstallOperation is
698       // called. Otherwise, we might be failing operations before even if there
699       // isn't sufficient data to compute the proper hash.
700       *error = ValidateOperationHash(op);
701       if (*error != ErrorCode::kSuccess) {
702         if (install_plan_->hash_checks_mandatory) {
703           LOG(ERROR) << "Mandatory operation hash check failed";
704           return false;
705         }
706 
707         // For non-mandatory cases, just send a UMA stat.
708         LOG(WARNING) << "Ignoring operation validation errors";
709         *error = ErrorCode::kSuccess;
710       }
711     }
712 
713     // Makes sure we unblock exit when this operation completes.
714     ScopedTerminatorExitUnblocker exit_unblocker =
715         ScopedTerminatorExitUnblocker();  // Avoids a compiler unused var bug.
716 
717     base::TimeTicks op_start_time = base::TimeTicks::Now();
718 
719     bool op_result;
720     switch (op.type()) {
721       case InstallOperation::REPLACE:
722       case InstallOperation::REPLACE_BZ:
723       case InstallOperation::REPLACE_XZ:
724         op_result = PerformReplaceOperation(op);
725         OP_DURATION_HISTOGRAM("REPLACE", op_start_time);
726         break;
727       case InstallOperation::ZERO:
728       case InstallOperation::DISCARD:
729         op_result = PerformZeroOrDiscardOperation(op);
730         OP_DURATION_HISTOGRAM("ZERO_OR_DISCARD", op_start_time);
731         break;
732       case InstallOperation::MOVE:
733         op_result = PerformMoveOperation(op);
734         OP_DURATION_HISTOGRAM("MOVE", op_start_time);
735         break;
736       case InstallOperation::BSDIFF:
737         op_result = PerformBsdiffOperation(op);
738         OP_DURATION_HISTOGRAM("BSDIFF", op_start_time);
739         break;
740       case InstallOperation::SOURCE_COPY:
741         op_result = PerformSourceCopyOperation(op, error);
742         OP_DURATION_HISTOGRAM("SOURCE_COPY", op_start_time);
743         break;
744       case InstallOperation::SOURCE_BSDIFF:
745       case InstallOperation::BROTLI_BSDIFF:
746         op_result = PerformSourceBsdiffOperation(op, error);
747         OP_DURATION_HISTOGRAM("SOURCE_BSDIFF", op_start_time);
748         break;
749       case InstallOperation::PUFFDIFF:
750         op_result = PerformPuffDiffOperation(op, error);
751         OP_DURATION_HISTOGRAM("PUFFDIFF", op_start_time);
752         break;
753       default:
754         op_result = false;
755     }
756     if (!HandleOpResult(op_result, InstallOperationTypeName(op.type()), error))
757       return false;
758 
759     if (!target_fd_->Flush()) {
760       return false;
761     }
762 
763     next_operation_num_++;
764     UpdateOverallProgress(false, "Completed ");
765     CheckpointUpdateProgress(false);
766   }
767 
768   // In major version 2, we don't add dummy operation to the payload.
769   // If we already extracted the signature we should skip this step.
770   if (major_payload_version_ == kBrilloMajorPayloadVersion &&
771       manifest_.has_signatures_offset() && manifest_.has_signatures_size() &&
772       signatures_message_data_.empty()) {
773     if (manifest_.signatures_offset() != buffer_offset_) {
774       LOG(ERROR) << "Payload signatures offset points to blob offset "
775                  << manifest_.signatures_offset()
776                  << " but signatures are expected at offset " << buffer_offset_;
777       *error = ErrorCode::kDownloadPayloadVerificationError;
778       return false;
779     }
780     CopyDataToBuffer(&c_bytes, &count, manifest_.signatures_size());
781     // Needs more data to cover entire signature.
782     if (buffer_.size() < manifest_.signatures_size())
783       return true;
784     if (!ExtractSignatureMessage()) {
785       LOG(ERROR) << "Extract payload signature failed.";
786       *error = ErrorCode::kDownloadPayloadVerificationError;
787       return false;
788     }
789     DiscardBuffer(true, 0);
790     // Since we extracted the SignatureMessage we need to advance the
791     // checkpoint, otherwise we would reload the signature and try to extract
792     // it again.
793     // This is the last checkpoint for an update, force this checkpoint to be
794     // saved.
795     CheckpointUpdateProgress(true);
796   }
797 
798   return true;
799 }
800 
IsManifestValid()801 bool DeltaPerformer::IsManifestValid() {
802   return manifest_valid_;
803 }
804 
ParseManifestPartitions(ErrorCode * error)805 bool DeltaPerformer::ParseManifestPartitions(ErrorCode* error) {
806   if (major_payload_version_ == kBrilloMajorPayloadVersion) {
807     partitions_.clear();
808     for (const PartitionUpdate& partition : manifest_.partitions()) {
809       partitions_.push_back(partition);
810     }
811     manifest_.clear_partitions();
812   } else if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
813     LOG(INFO) << "Converting update information from old format.";
814     PartitionUpdate root_part;
815     root_part.set_partition_name(kPartitionNameRoot);
816 #ifdef __ANDROID__
817     LOG(WARNING) << "Legacy payload major version provided to an Android "
818                     "build. Assuming no post-install. Please use major version "
819                     "2 or newer.";
820     root_part.set_run_postinstall(false);
821 #else
822     root_part.set_run_postinstall(true);
823 #endif  // __ANDROID__
824     if (manifest_.has_old_rootfs_info()) {
825       *root_part.mutable_old_partition_info() = manifest_.old_rootfs_info();
826       manifest_.clear_old_rootfs_info();
827     }
828     if (manifest_.has_new_rootfs_info()) {
829       *root_part.mutable_new_partition_info() = manifest_.new_rootfs_info();
830       manifest_.clear_new_rootfs_info();
831     }
832     *root_part.mutable_operations() = manifest_.install_operations();
833     manifest_.clear_install_operations();
834     partitions_.push_back(std::move(root_part));
835 
836     PartitionUpdate kern_part;
837     kern_part.set_partition_name(kPartitionNameKernel);
838     kern_part.set_run_postinstall(false);
839     if (manifest_.has_old_kernel_info()) {
840       *kern_part.mutable_old_partition_info() = manifest_.old_kernel_info();
841       manifest_.clear_old_kernel_info();
842     }
843     if (manifest_.has_new_kernel_info()) {
844       *kern_part.mutable_new_partition_info() = manifest_.new_kernel_info();
845       manifest_.clear_new_kernel_info();
846     }
847     *kern_part.mutable_operations() = manifest_.kernel_install_operations();
848     manifest_.clear_kernel_install_operations();
849     partitions_.push_back(std::move(kern_part));
850   }
851 
852   // Fill in the InstallPlan::partitions based on the partitions from the
853   // payload.
854   for (const auto& partition : partitions_) {
855     InstallPlan::Partition install_part;
856     install_part.name = partition.partition_name();
857     install_part.run_postinstall =
858         partition.has_run_postinstall() && partition.run_postinstall();
859     if (install_part.run_postinstall) {
860       install_part.postinstall_path =
861           (partition.has_postinstall_path() ? partition.postinstall_path()
862                                             : kPostinstallDefaultScript);
863       install_part.filesystem_type = partition.filesystem_type();
864       install_part.postinstall_optional = partition.postinstall_optional();
865     }
866 
867     if (partition.has_old_partition_info()) {
868       const PartitionInfo& info = partition.old_partition_info();
869       install_part.source_size = info.size();
870       install_part.source_hash.assign(info.hash().begin(), info.hash().end());
871     }
872 
873     if (!partition.has_new_partition_info()) {
874       LOG(ERROR) << "Unable to get new partition hash info on partition "
875                  << install_part.name << ".";
876       *error = ErrorCode::kDownloadNewPartitionInfoError;
877       return false;
878     }
879     const PartitionInfo& info = partition.new_partition_info();
880     install_part.target_size = info.size();
881     install_part.target_hash.assign(info.hash().begin(), info.hash().end());
882 
883     install_part.block_size = block_size_;
884     if (partition.has_hash_tree_extent()) {
885       Extent extent = partition.hash_tree_data_extent();
886       install_part.hash_tree_data_offset = extent.start_block() * block_size_;
887       install_part.hash_tree_data_size = extent.num_blocks() * block_size_;
888       extent = partition.hash_tree_extent();
889       install_part.hash_tree_offset = extent.start_block() * block_size_;
890       install_part.hash_tree_size = extent.num_blocks() * block_size_;
891       uint64_t hash_tree_data_end =
892           install_part.hash_tree_data_offset + install_part.hash_tree_data_size;
893       if (install_part.hash_tree_offset < hash_tree_data_end) {
894         LOG(ERROR) << "Invalid hash tree extents, hash tree data ends at "
895                    << hash_tree_data_end << ", but hash tree starts at "
896                    << install_part.hash_tree_offset;
897         *error = ErrorCode::kDownloadNewPartitionInfoError;
898         return false;
899       }
900       install_part.hash_tree_algorithm = partition.hash_tree_algorithm();
901       install_part.hash_tree_salt.assign(partition.hash_tree_salt().begin(),
902                                          partition.hash_tree_salt().end());
903     }
904     if (partition.has_fec_extent()) {
905       Extent extent = partition.fec_data_extent();
906       install_part.fec_data_offset = extent.start_block() * block_size_;
907       install_part.fec_data_size = extent.num_blocks() * block_size_;
908       extent = partition.fec_extent();
909       install_part.fec_offset = extent.start_block() * block_size_;
910       install_part.fec_size = extent.num_blocks() * block_size_;
911       uint64_t fec_data_end =
912           install_part.fec_data_offset + install_part.fec_data_size;
913       if (install_part.fec_offset < fec_data_end) {
914         LOG(ERROR) << "Invalid fec extents, fec data ends at " << fec_data_end
915                    << ", but fec starts at " << install_part.fec_offset;
916         *error = ErrorCode::kDownloadNewPartitionInfoError;
917         return false;
918       }
919       install_part.fec_roots = partition.fec_roots();
920     }
921 
922     install_plan_->partitions.push_back(install_part);
923   }
924 
925   if (install_plan_->target_slot != BootControlInterface::kInvalidSlot) {
926     if (!InitPartitionMetadata()) {
927       *error = ErrorCode::kInstallDeviceOpenError;
928       return false;
929     }
930   }
931 
932   if (!install_plan_->LoadPartitionsFromSlots(boot_control_)) {
933     LOG(ERROR) << "Unable to determine all the partition devices.";
934     *error = ErrorCode::kInstallDeviceOpenError;
935     return false;
936   }
937   LogPartitionInfo(partitions_);
938   return true;
939 }
940 
InitPartitionMetadata()941 bool DeltaPerformer::InitPartitionMetadata() {
942   BootControlInterface::PartitionMetadata partition_metadata;
943   if (manifest_.has_dynamic_partition_metadata()) {
944     std::map<string, uint64_t> partition_sizes;
945     for (const auto& partition : install_plan_->partitions) {
946       partition_sizes.emplace(partition.name, partition.target_size);
947     }
948     for (const auto& group : manifest_.dynamic_partition_metadata().groups()) {
949       BootControlInterface::PartitionMetadata::Group e;
950       e.name = group.name();
951       e.size = group.size();
952       for (const auto& partition_name : group.partition_names()) {
953         auto it = partition_sizes.find(partition_name);
954         if (it == partition_sizes.end()) {
955           // TODO(tbao): Support auto-filling partition info for framework-only
956           // OTA.
957           LOG(ERROR) << "dynamic_partition_metadata contains partition "
958                      << partition_name
959                      << " but it is not part of the manifest. "
960                      << "This is not supported.";
961           return false;
962         }
963         e.partitions.push_back({partition_name, it->second});
964       }
965       partition_metadata.groups.push_back(std::move(e));
966     }
967   }
968 
969   bool metadata_updated = false;
970   prefs_->GetBoolean(kPrefsDynamicPartitionMetadataUpdated, &metadata_updated);
971   if (!boot_control_->InitPartitionMetadata(
972           install_plan_->target_slot, partition_metadata, !metadata_updated)) {
973     LOG(ERROR) << "Unable to initialize partition metadata for slot "
974                << BootControlInterface::SlotName(install_plan_->target_slot);
975     return false;
976   }
977   TEST_AND_RETURN_FALSE(
978       prefs_->SetBoolean(kPrefsDynamicPartitionMetadataUpdated, true));
979   LOG(INFO) << "InitPartitionMetadata done.";
980 
981   return true;
982 }
983 
CanPerformInstallOperation(const chromeos_update_engine::InstallOperation & operation)984 bool DeltaPerformer::CanPerformInstallOperation(
985     const chromeos_update_engine::InstallOperation& operation) {
986   // If we don't have a data blob we can apply it right away.
987   if (!operation.has_data_offset() && !operation.has_data_length())
988     return true;
989 
990   // See if we have the entire data blob in the buffer
991   if (operation.data_offset() < buffer_offset_) {
992     LOG(ERROR) << "we threw away data it seems?";
993     return false;
994   }
995 
996   return (operation.data_offset() + operation.data_length() <=
997           buffer_offset_ + buffer_.size());
998 }
999 
PerformReplaceOperation(const InstallOperation & operation)1000 bool DeltaPerformer::PerformReplaceOperation(
1001     const InstallOperation& operation) {
1002   CHECK(operation.type() == InstallOperation::REPLACE ||
1003         operation.type() == InstallOperation::REPLACE_BZ ||
1004         operation.type() == InstallOperation::REPLACE_XZ);
1005 
1006   // Since we delete data off the beginning of the buffer as we use it,
1007   // the data we need should be exactly at the beginning of the buffer.
1008   TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1009   TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1010 
1011   // Extract the signature message if it's in this operation.
1012   if (ExtractSignatureMessageFromOperation(operation)) {
1013     // If this is dummy replace operation, we ignore it after extracting the
1014     // signature.
1015     DiscardBuffer(true, 0);
1016     return true;
1017   }
1018 
1019   // Setup the ExtentWriter stack based on the operation type.
1020   std::unique_ptr<ExtentWriter> writer = std::make_unique<DirectExtentWriter>();
1021 
1022   if (operation.type() == InstallOperation::REPLACE_BZ) {
1023     writer.reset(new BzipExtentWriter(std::move(writer)));
1024   } else if (operation.type() == InstallOperation::REPLACE_XZ) {
1025     writer.reset(new XzExtentWriter(std::move(writer)));
1026   }
1027 
1028   TEST_AND_RETURN_FALSE(
1029       writer->Init(target_fd_, operation.dst_extents(), block_size_));
1030   TEST_AND_RETURN_FALSE(writer->Write(buffer_.data(), operation.data_length()));
1031 
1032   // Update buffer
1033   DiscardBuffer(true, buffer_.size());
1034   return true;
1035 }
1036 
PerformZeroOrDiscardOperation(const InstallOperation & operation)1037 bool DeltaPerformer::PerformZeroOrDiscardOperation(
1038     const InstallOperation& operation) {
1039   CHECK(operation.type() == InstallOperation::DISCARD ||
1040         operation.type() == InstallOperation::ZERO);
1041 
1042   // These operations have no blob.
1043   TEST_AND_RETURN_FALSE(!operation.has_data_offset());
1044   TEST_AND_RETURN_FALSE(!operation.has_data_length());
1045 
1046 #ifdef BLKZEROOUT
1047   bool attempt_ioctl = true;
1048   int request =
1049       (operation.type() == InstallOperation::ZERO ? BLKZEROOUT : BLKDISCARD);
1050 #else   // !defined(BLKZEROOUT)
1051   bool attempt_ioctl = false;
1052   int request = 0;
1053 #endif  // !defined(BLKZEROOUT)
1054 
1055   brillo::Blob zeros;
1056   for (const Extent& extent : operation.dst_extents()) {
1057     const uint64_t start = extent.start_block() * block_size_;
1058     const uint64_t length = extent.num_blocks() * block_size_;
1059     if (attempt_ioctl) {
1060       int result = 0;
1061       if (target_fd_->BlkIoctl(request, start, length, &result) && result == 0)
1062         continue;
1063       attempt_ioctl = false;
1064     }
1065     // In case of failure, we fall back to writing 0 to the selected region.
1066     zeros.resize(16 * block_size_);
1067     for (uint64_t offset = 0; offset < length; offset += zeros.size()) {
1068       uint64_t chunk_length =
1069           min(length - offset, static_cast<uint64_t>(zeros.size()));
1070       TEST_AND_RETURN_FALSE(utils::PWriteAll(
1071           target_fd_, zeros.data(), chunk_length, start + offset));
1072     }
1073   }
1074   return true;
1075 }
1076 
PerformMoveOperation(const InstallOperation & operation)1077 bool DeltaPerformer::PerformMoveOperation(const InstallOperation& operation) {
1078   // Calculate buffer size. Note, this function doesn't do a sliding
1079   // window to copy in case the source and destination blocks overlap.
1080   // If we wanted to do a sliding window, we could program the server
1081   // to generate deltas that effectively did a sliding window.
1082 
1083   uint64_t blocks_to_read = 0;
1084   for (int i = 0; i < operation.src_extents_size(); i++)
1085     blocks_to_read += operation.src_extents(i).num_blocks();
1086 
1087   uint64_t blocks_to_write = 0;
1088   for (int i = 0; i < operation.dst_extents_size(); i++)
1089     blocks_to_write += operation.dst_extents(i).num_blocks();
1090 
1091   DCHECK_EQ(blocks_to_write, blocks_to_read);
1092   brillo::Blob buf(blocks_to_write * block_size_);
1093 
1094   // Read in bytes.
1095   ssize_t bytes_read = 0;
1096   for (int i = 0; i < operation.src_extents_size(); i++) {
1097     ssize_t bytes_read_this_iteration = 0;
1098     const Extent& extent = operation.src_extents(i);
1099     const size_t bytes = extent.num_blocks() * block_size_;
1100     TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole);
1101     TEST_AND_RETURN_FALSE(utils::PReadAll(target_fd_,
1102                                           &buf[bytes_read],
1103                                           bytes,
1104                                           extent.start_block() * block_size_,
1105                                           &bytes_read_this_iteration));
1106     TEST_AND_RETURN_FALSE(bytes_read_this_iteration ==
1107                           static_cast<ssize_t>(bytes));
1108     bytes_read += bytes_read_this_iteration;
1109   }
1110 
1111   // Write bytes out.
1112   ssize_t bytes_written = 0;
1113   for (int i = 0; i < operation.dst_extents_size(); i++) {
1114     const Extent& extent = operation.dst_extents(i);
1115     const size_t bytes = extent.num_blocks() * block_size_;
1116     TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole);
1117     TEST_AND_RETURN_FALSE(utils::PWriteAll(target_fd_,
1118                                            &buf[bytes_written],
1119                                            bytes,
1120                                            extent.start_block() * block_size_));
1121     bytes_written += bytes;
1122   }
1123   DCHECK_EQ(bytes_written, bytes_read);
1124   DCHECK_EQ(bytes_written, static_cast<ssize_t>(buf.size()));
1125   return true;
1126 }
1127 
ValidateSourceHash(const brillo::Blob & calculated_hash,const InstallOperation & operation,const FileDescriptorPtr source_fd,ErrorCode * error)1128 bool DeltaPerformer::ValidateSourceHash(const brillo::Blob& calculated_hash,
1129                                         const InstallOperation& operation,
1130                                         const FileDescriptorPtr source_fd,
1131                                         ErrorCode* error) {
1132   brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(),
1133                                     operation.src_sha256_hash().end());
1134   if (calculated_hash != expected_source_hash) {
1135     LOG(ERROR) << "The hash of the source data on disk for this operation "
1136                << "doesn't match the expected value. This could mean that the "
1137                << "delta update payload was targeted for another version, or "
1138                << "that the source partition was modified after it was "
1139                << "installed, for example, by mounting a filesystem.";
1140     LOG(ERROR) << "Expected:   sha256|hex = "
1141                << base::HexEncode(expected_source_hash.data(),
1142                                   expected_source_hash.size());
1143     LOG(ERROR) << "Calculated: sha256|hex = "
1144                << base::HexEncode(calculated_hash.data(),
1145                                   calculated_hash.size());
1146 
1147     vector<string> source_extents;
1148     for (const Extent& ext : operation.src_extents()) {
1149       source_extents.push_back(
1150           base::StringPrintf("%" PRIu64 ":%" PRIu64,
1151                              static_cast<uint64_t>(ext.start_block()),
1152                              static_cast<uint64_t>(ext.num_blocks())));
1153     }
1154     LOG(ERROR) << "Operation source (offset:size) in blocks: "
1155                << base::JoinString(source_extents, ",");
1156 
1157     // Log remount history if this device is an ext4 partition.
1158     LogMountHistory(source_fd);
1159 
1160     *error = ErrorCode::kDownloadStateInitializationError;
1161     return false;
1162   }
1163   return true;
1164 }
1165 
PerformSourceCopyOperation(const InstallOperation & operation,ErrorCode * error)1166 bool DeltaPerformer::PerformSourceCopyOperation(
1167     const InstallOperation& operation, ErrorCode* error) {
1168   if (operation.has_src_length())
1169     TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0);
1170   if (operation.has_dst_length())
1171     TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0);
1172 
1173   TEST_AND_RETURN_FALSE(source_fd_ != nullptr);
1174 
1175   if (operation.has_src_sha256_hash()) {
1176     brillo::Blob source_hash;
1177     brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(),
1178                                       operation.src_sha256_hash().end());
1179 
1180     // We fall back to use the error corrected device if the hash of the raw
1181     // device doesn't match or there was an error reading the source partition.
1182     // Note that this code will also fall back if writing the target partition
1183     // fails.
1184     bool read_ok = fd_utils::CopyAndHashExtents(source_fd_,
1185                                                 operation.src_extents(),
1186                                                 target_fd_,
1187                                                 operation.dst_extents(),
1188                                                 block_size_,
1189                                                 &source_hash);
1190     if (read_ok && expected_source_hash == source_hash)
1191       return true;
1192 
1193     if (!OpenCurrentECCPartition()) {
1194       // The following function call will return false since the source hash
1195       // mismatches, but we still want to call it so it prints the appropriate
1196       // log message.
1197       return ValidateSourceHash(source_hash, operation, source_fd_, error);
1198     }
1199 
1200     LOG(WARNING) << "Source hash from RAW device mismatched: found "
1201                  << base::HexEncode(source_hash.data(), source_hash.size())
1202                  << ", expected "
1203                  << base::HexEncode(expected_source_hash.data(),
1204                                     expected_source_hash.size());
1205 
1206     TEST_AND_RETURN_FALSE(fd_utils::CopyAndHashExtents(source_ecc_fd_,
1207                                                        operation.src_extents(),
1208                                                        target_fd_,
1209                                                        operation.dst_extents(),
1210                                                        block_size_,
1211                                                        &source_hash));
1212     TEST_AND_RETURN_FALSE(
1213         ValidateSourceHash(source_hash, operation, source_ecc_fd_, error));
1214     // At this point reading from the the error corrected device worked, but
1215     // reading from the raw device failed, so this is considered a recovered
1216     // failure.
1217     source_ecc_recovered_failures_++;
1218   } else {
1219     // When the operation doesn't include a source hash, we attempt the error
1220     // corrected device first since we can't verify the block in the raw device
1221     // at this point, but we fall back to the raw device since the error
1222     // corrected device can be shorter or not available.
1223     if (OpenCurrentECCPartition() &&
1224         fd_utils::CopyAndHashExtents(source_ecc_fd_,
1225                                      operation.src_extents(),
1226                                      target_fd_,
1227                                      operation.dst_extents(),
1228                                      block_size_,
1229                                      nullptr)) {
1230       return true;
1231     }
1232     TEST_AND_RETURN_FALSE(fd_utils::CopyAndHashExtents(source_fd_,
1233                                                        operation.src_extents(),
1234                                                        target_fd_,
1235                                                        operation.dst_extents(),
1236                                                        block_size_,
1237                                                        nullptr));
1238   }
1239   return true;
1240 }
1241 
ChooseSourceFD(const InstallOperation & operation,ErrorCode * error)1242 FileDescriptorPtr DeltaPerformer::ChooseSourceFD(
1243     const InstallOperation& operation, ErrorCode* error) {
1244   if (source_fd_ == nullptr) {
1245     LOG(ERROR) << "ChooseSourceFD fail: source_fd_ == nullptr";
1246     return nullptr;
1247   }
1248 
1249   if (!operation.has_src_sha256_hash()) {
1250     // When the operation doesn't include a source hash, we attempt the error
1251     // corrected device first since we can't verify the block in the raw device
1252     // at this point, but we first need to make sure all extents are readable
1253     // since the error corrected device can be shorter or not available.
1254     if (OpenCurrentECCPartition() &&
1255         fd_utils::ReadAndHashExtents(
1256             source_ecc_fd_, operation.src_extents(), block_size_, nullptr)) {
1257       return source_ecc_fd_;
1258     }
1259     return source_fd_;
1260   }
1261 
1262   brillo::Blob source_hash;
1263   brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(),
1264                                     operation.src_sha256_hash().end());
1265   if (fd_utils::ReadAndHashExtents(
1266           source_fd_, operation.src_extents(), block_size_, &source_hash) &&
1267       source_hash == expected_source_hash) {
1268     return source_fd_;
1269   }
1270   // We fall back to use the error corrected device if the hash of the raw
1271   // device doesn't match or there was an error reading the source partition.
1272   if (!OpenCurrentECCPartition()) {
1273     // The following function call will return false since the source hash
1274     // mismatches, but we still want to call it so it prints the appropriate
1275     // log message.
1276     ValidateSourceHash(source_hash, operation, source_fd_, error);
1277     return nullptr;
1278   }
1279   LOG(WARNING) << "Source hash from RAW device mismatched: found "
1280                << base::HexEncode(source_hash.data(), source_hash.size())
1281                << ", expected "
1282                << base::HexEncode(expected_source_hash.data(),
1283                                   expected_source_hash.size());
1284 
1285   if (fd_utils::ReadAndHashExtents(
1286           source_ecc_fd_, operation.src_extents(), block_size_, &source_hash) &&
1287       ValidateSourceHash(source_hash, operation, source_ecc_fd_, error)) {
1288     // At this point reading from the the error corrected device worked, but
1289     // reading from the raw device failed, so this is considered a recovered
1290     // failure.
1291     source_ecc_recovered_failures_++;
1292     return source_ecc_fd_;
1293   }
1294   return nullptr;
1295 }
1296 
ExtentsToBsdiffPositionsString(const RepeatedPtrField<Extent> & extents,uint64_t block_size,uint64_t full_length,string * positions_string)1297 bool DeltaPerformer::ExtentsToBsdiffPositionsString(
1298     const RepeatedPtrField<Extent>& extents,
1299     uint64_t block_size,
1300     uint64_t full_length,
1301     string* positions_string) {
1302   string ret;
1303   uint64_t length = 0;
1304   for (const Extent& extent : extents) {
1305     int64_t start = extent.start_block() * block_size;
1306     uint64_t this_length =
1307         min(full_length - length,
1308             static_cast<uint64_t>(extent.num_blocks()) * block_size);
1309     ret += base::StringPrintf("%" PRIi64 ":%" PRIu64 ",", start, this_length);
1310     length += this_length;
1311   }
1312   TEST_AND_RETURN_FALSE(length == full_length);
1313   if (!ret.empty())
1314     ret.resize(ret.size() - 1);  // Strip trailing comma off
1315   *positions_string = ret;
1316   return true;
1317 }
1318 
PerformBsdiffOperation(const InstallOperation & operation)1319 bool DeltaPerformer::PerformBsdiffOperation(const InstallOperation& operation) {
1320   // Since we delete data off the beginning of the buffer as we use it,
1321   // the data we need should be exactly at the beginning of the buffer.
1322   TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1323   TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1324 
1325   string input_positions;
1326   TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(),
1327                                                        block_size_,
1328                                                        operation.src_length(),
1329                                                        &input_positions));
1330   string output_positions;
1331   TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(),
1332                                                        block_size_,
1333                                                        operation.dst_length(),
1334                                                        &output_positions));
1335 
1336   TEST_AND_RETURN_FALSE(bsdiff::bspatch(target_path_.c_str(),
1337                                         target_path_.c_str(),
1338                                         buffer_.data(),
1339                                         buffer_.size(),
1340                                         input_positions.c_str(),
1341                                         output_positions.c_str()) == 0);
1342   DiscardBuffer(true, buffer_.size());
1343 
1344   if (operation.dst_length() % block_size_) {
1345     // Zero out rest of final block.
1346     // TODO(adlr): build this into bspatch; it's more efficient that way.
1347     const Extent& last_extent =
1348         operation.dst_extents(operation.dst_extents_size() - 1);
1349     const uint64_t end_byte =
1350         (last_extent.start_block() + last_extent.num_blocks()) * block_size_;
1351     const uint64_t begin_byte =
1352         end_byte - (block_size_ - operation.dst_length() % block_size_);
1353     brillo::Blob zeros(end_byte - begin_byte);
1354     TEST_AND_RETURN_FALSE(utils::PWriteAll(
1355         target_fd_, zeros.data(), end_byte - begin_byte, begin_byte));
1356   }
1357   return true;
1358 }
1359 
1360 namespace {
1361 
1362 class BsdiffExtentFile : public bsdiff::FileInterface {
1363  public:
BsdiffExtentFile(std::unique_ptr<ExtentReader> reader,size_t size)1364   BsdiffExtentFile(std::unique_ptr<ExtentReader> reader, size_t size)
1365       : BsdiffExtentFile(std::move(reader), nullptr, size) {}
BsdiffExtentFile(std::unique_ptr<ExtentWriter> writer,size_t size)1366   BsdiffExtentFile(std::unique_ptr<ExtentWriter> writer, size_t size)
1367       : BsdiffExtentFile(nullptr, std::move(writer), size) {}
1368 
1369   ~BsdiffExtentFile() override = default;
1370 
Read(void * buf,size_t count,size_t * bytes_read)1371   bool Read(void* buf, size_t count, size_t* bytes_read) override {
1372     TEST_AND_RETURN_FALSE(reader_->Read(buf, count));
1373     *bytes_read = count;
1374     offset_ += count;
1375     return true;
1376   }
1377 
Write(const void * buf,size_t count,size_t * bytes_written)1378   bool Write(const void* buf, size_t count, size_t* bytes_written) override {
1379     TEST_AND_RETURN_FALSE(writer_->Write(buf, count));
1380     *bytes_written = count;
1381     offset_ += count;
1382     return true;
1383   }
1384 
Seek(off_t pos)1385   bool Seek(off_t pos) override {
1386     if (reader_ != nullptr) {
1387       TEST_AND_RETURN_FALSE(reader_->Seek(pos));
1388       offset_ = pos;
1389     } else {
1390       // For writes technically there should be no change of position, or it
1391       // should be equivalent of current offset.
1392       TEST_AND_RETURN_FALSE(offset_ == static_cast<uint64_t>(pos));
1393     }
1394     return true;
1395   }
1396 
Close()1397   bool Close() override { return true; }
1398 
GetSize(uint64_t * size)1399   bool GetSize(uint64_t* size) override {
1400     *size = size_;
1401     return true;
1402   }
1403 
1404  private:
BsdiffExtentFile(std::unique_ptr<ExtentReader> reader,std::unique_ptr<ExtentWriter> writer,size_t size)1405   BsdiffExtentFile(std::unique_ptr<ExtentReader> reader,
1406                    std::unique_ptr<ExtentWriter> writer,
1407                    size_t size)
1408       : reader_(std::move(reader)),
1409         writer_(std::move(writer)),
1410         size_(size),
1411         offset_(0) {}
1412 
1413   std::unique_ptr<ExtentReader> reader_;
1414   std::unique_ptr<ExtentWriter> writer_;
1415   uint64_t size_;
1416   uint64_t offset_;
1417 
1418   DISALLOW_COPY_AND_ASSIGN(BsdiffExtentFile);
1419 };
1420 
1421 }  // namespace
1422 
PerformSourceBsdiffOperation(const InstallOperation & operation,ErrorCode * error)1423 bool DeltaPerformer::PerformSourceBsdiffOperation(
1424     const InstallOperation& operation, ErrorCode* error) {
1425   // Since we delete data off the beginning of the buffer as we use it,
1426   // the data we need should be exactly at the beginning of the buffer.
1427   TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1428   TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1429   if (operation.has_src_length())
1430     TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0);
1431   if (operation.has_dst_length())
1432     TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0);
1433 
1434   FileDescriptorPtr source_fd = ChooseSourceFD(operation, error);
1435   TEST_AND_RETURN_FALSE(source_fd != nullptr);
1436 
1437   auto reader = std::make_unique<DirectExtentReader>();
1438   TEST_AND_RETURN_FALSE(
1439       reader->Init(source_fd, operation.src_extents(), block_size_));
1440   auto src_file = std::make_unique<BsdiffExtentFile>(
1441       std::move(reader),
1442       utils::BlocksInExtents(operation.src_extents()) * block_size_);
1443 
1444   auto writer = std::make_unique<DirectExtentWriter>();
1445   TEST_AND_RETURN_FALSE(
1446       writer->Init(target_fd_, operation.dst_extents(), block_size_));
1447   auto dst_file = std::make_unique<BsdiffExtentFile>(
1448       std::move(writer),
1449       utils::BlocksInExtents(operation.dst_extents()) * block_size_);
1450 
1451   TEST_AND_RETURN_FALSE(bsdiff::bspatch(std::move(src_file),
1452                                         std::move(dst_file),
1453                                         buffer_.data(),
1454                                         buffer_.size()) == 0);
1455   DiscardBuffer(true, buffer_.size());
1456   return true;
1457 }
1458 
1459 namespace {
1460 
1461 // A class to be passed to |puffpatch| for reading from |source_fd_| and writing
1462 // into |target_fd_|.
1463 class PuffinExtentStream : public puffin::StreamInterface {
1464  public:
1465   // Constructor for creating a stream for reading from an |ExtentReader|.
PuffinExtentStream(std::unique_ptr<ExtentReader> reader,uint64_t size)1466   PuffinExtentStream(std::unique_ptr<ExtentReader> reader, uint64_t size)
1467       : PuffinExtentStream(std::move(reader), nullptr, size) {}
1468 
1469   // Constructor for creating a stream for writing to an |ExtentWriter|.
PuffinExtentStream(std::unique_ptr<ExtentWriter> writer,uint64_t size)1470   PuffinExtentStream(std::unique_ptr<ExtentWriter> writer, uint64_t size)
1471       : PuffinExtentStream(nullptr, std::move(writer), size) {}
1472 
1473   ~PuffinExtentStream() override = default;
1474 
GetSize(uint64_t * size) const1475   bool GetSize(uint64_t* size) const override {
1476     *size = size_;
1477     return true;
1478   }
1479 
GetOffset(uint64_t * offset) const1480   bool GetOffset(uint64_t* offset) const override {
1481     *offset = offset_;
1482     return true;
1483   }
1484 
Seek(uint64_t offset)1485   bool Seek(uint64_t offset) override {
1486     if (is_read_) {
1487       TEST_AND_RETURN_FALSE(reader_->Seek(offset));
1488       offset_ = offset;
1489     } else {
1490       // For writes technically there should be no change of position, or it
1491       // should equivalent of current offset.
1492       TEST_AND_RETURN_FALSE(offset_ == offset);
1493     }
1494     return true;
1495   }
1496 
Read(void * buffer,size_t count)1497   bool Read(void* buffer, size_t count) override {
1498     TEST_AND_RETURN_FALSE(is_read_);
1499     TEST_AND_RETURN_FALSE(reader_->Read(buffer, count));
1500     offset_ += count;
1501     return true;
1502   }
1503 
Write(const void * buffer,size_t count)1504   bool Write(const void* buffer, size_t count) override {
1505     TEST_AND_RETURN_FALSE(!is_read_);
1506     TEST_AND_RETURN_FALSE(writer_->Write(buffer, count));
1507     offset_ += count;
1508     return true;
1509   }
1510 
Close()1511   bool Close() override { return true; }
1512 
1513  private:
PuffinExtentStream(std::unique_ptr<ExtentReader> reader,std::unique_ptr<ExtentWriter> writer,uint64_t size)1514   PuffinExtentStream(std::unique_ptr<ExtentReader> reader,
1515                      std::unique_ptr<ExtentWriter> writer,
1516                      uint64_t size)
1517       : reader_(std::move(reader)),
1518         writer_(std::move(writer)),
1519         size_(size),
1520         offset_(0),
1521         is_read_(reader_ ? true : false) {}
1522 
1523   std::unique_ptr<ExtentReader> reader_;
1524   std::unique_ptr<ExtentWriter> writer_;
1525   uint64_t size_;
1526   uint64_t offset_;
1527   bool is_read_;
1528 
1529   DISALLOW_COPY_AND_ASSIGN(PuffinExtentStream);
1530 };
1531 
1532 }  // namespace
1533 
PerformPuffDiffOperation(const InstallOperation & operation,ErrorCode * error)1534 bool DeltaPerformer::PerformPuffDiffOperation(const InstallOperation& operation,
1535                                               ErrorCode* error) {
1536   // Since we delete data off the beginning of the buffer as we use it,
1537   // the data we need should be exactly at the beginning of the buffer.
1538   TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1539   TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1540 
1541   FileDescriptorPtr source_fd = ChooseSourceFD(operation, error);
1542   TEST_AND_RETURN_FALSE(source_fd != nullptr);
1543 
1544   auto reader = std::make_unique<DirectExtentReader>();
1545   TEST_AND_RETURN_FALSE(
1546       reader->Init(source_fd, operation.src_extents(), block_size_));
1547   puffin::UniqueStreamPtr src_stream(new PuffinExtentStream(
1548       std::move(reader),
1549       utils::BlocksInExtents(operation.src_extents()) * block_size_));
1550 
1551   auto writer = std::make_unique<DirectExtentWriter>();
1552   TEST_AND_RETURN_FALSE(
1553       writer->Init(target_fd_, operation.dst_extents(), block_size_));
1554   puffin::UniqueStreamPtr dst_stream(new PuffinExtentStream(
1555       std::move(writer),
1556       utils::BlocksInExtents(operation.dst_extents()) * block_size_));
1557 
1558   const size_t kMaxCacheSize = 5 * 1024 * 1024;  // Total 5MB cache.
1559   TEST_AND_RETURN_FALSE(puffin::PuffPatch(std::move(src_stream),
1560                                           std::move(dst_stream),
1561                                           buffer_.data(),
1562                                           buffer_.size(),
1563                                           kMaxCacheSize));
1564   DiscardBuffer(true, buffer_.size());
1565   return true;
1566 }
1567 
ExtractSignatureMessageFromOperation(const InstallOperation & operation)1568 bool DeltaPerformer::ExtractSignatureMessageFromOperation(
1569     const InstallOperation& operation) {
1570   if (operation.type() != InstallOperation::REPLACE ||
1571       !manifest_.has_signatures_offset() ||
1572       manifest_.signatures_offset() != operation.data_offset()) {
1573     return false;
1574   }
1575   TEST_AND_RETURN_FALSE(manifest_.has_signatures_size() &&
1576                         manifest_.signatures_size() == operation.data_length());
1577   TEST_AND_RETURN_FALSE(ExtractSignatureMessage());
1578   return true;
1579 }
1580 
ExtractSignatureMessage()1581 bool DeltaPerformer::ExtractSignatureMessage() {
1582   TEST_AND_RETURN_FALSE(signatures_message_data_.empty());
1583   TEST_AND_RETURN_FALSE(buffer_offset_ == manifest_.signatures_offset());
1584   TEST_AND_RETURN_FALSE(buffer_.size() >= manifest_.signatures_size());
1585   signatures_message_data_.assign(
1586       buffer_.begin(), buffer_.begin() + manifest_.signatures_size());
1587 
1588   // Save the signature blob because if the update is interrupted after the
1589   // download phase we don't go through this path anymore. Some alternatives to
1590   // consider:
1591   //
1592   // 1. On resume, re-download the signature blob from the server and re-verify
1593   // it.
1594   //
1595   // 2. Verify the signature as soon as it's received and don't checkpoint the
1596   // blob and the signed sha-256 context.
1597   LOG_IF(WARNING,
1598          !prefs_->SetString(kPrefsUpdateStateSignatureBlob,
1599                             signatures_message_data_))
1600       << "Unable to store the signature blob.";
1601 
1602   LOG(INFO) << "Extracted signature data of size "
1603             << manifest_.signatures_size() << " at "
1604             << manifest_.signatures_offset();
1605   return true;
1606 }
1607 
GetPublicKey(string * out_public_key)1608 bool DeltaPerformer::GetPublicKey(string* out_public_key) {
1609   out_public_key->clear();
1610 
1611   if (utils::FileExists(public_key_path_.c_str())) {
1612     LOG(INFO) << "Verifying using public key: " << public_key_path_;
1613     return utils::ReadFile(public_key_path_, out_public_key);
1614   }
1615 
1616   // If this is an official build then we are not allowed to use public key from
1617   // Omaha response.
1618   if (!hardware_->IsOfficialBuild() && !install_plan_->public_key_rsa.empty()) {
1619     LOG(INFO) << "Verifying using public key from Omaha response.";
1620     return brillo::data_encoding::Base64Decode(install_plan_->public_key_rsa,
1621                                                out_public_key);
1622   }
1623 
1624   return true;
1625 }
1626 
ValidateManifest()1627 ErrorCode DeltaPerformer::ValidateManifest() {
1628   // Perform assorted checks to sanity check the manifest, make sure it
1629   // matches data from other sources, and that it is a supported version.
1630 
1631   bool has_old_fields =
1632       (manifest_.has_old_kernel_info() || manifest_.has_old_rootfs_info());
1633   for (const PartitionUpdate& partition : manifest_.partitions()) {
1634     has_old_fields = has_old_fields || partition.has_old_partition_info();
1635   }
1636 
1637   // The presence of an old partition hash is the sole indicator for a delta
1638   // update.
1639   InstallPayloadType actual_payload_type =
1640       has_old_fields ? InstallPayloadType::kDelta : InstallPayloadType::kFull;
1641 
1642   if (payload_->type == InstallPayloadType::kUnknown) {
1643     LOG(INFO) << "Detected a '"
1644               << InstallPayloadTypeToString(actual_payload_type)
1645               << "' payload.";
1646     payload_->type = actual_payload_type;
1647   } else if (payload_->type != actual_payload_type) {
1648     LOG(ERROR) << "InstallPlan expected a '"
1649                << InstallPayloadTypeToString(payload_->type)
1650                << "' payload but the downloaded manifest contains a '"
1651                << InstallPayloadTypeToString(actual_payload_type)
1652                << "' payload.";
1653     return ErrorCode::kPayloadMismatchedType;
1654   }
1655 
1656   // Check that the minor version is compatible.
1657   if (actual_payload_type == InstallPayloadType::kFull) {
1658     if (manifest_.minor_version() != kFullPayloadMinorVersion) {
1659       LOG(ERROR) << "Manifest contains minor version "
1660                  << manifest_.minor_version()
1661                  << ", but all full payloads should have version "
1662                  << kFullPayloadMinorVersion << ".";
1663       return ErrorCode::kUnsupportedMinorPayloadVersion;
1664     }
1665   } else {
1666     if (manifest_.minor_version() < kMinSupportedMinorPayloadVersion ||
1667         manifest_.minor_version() > kMaxSupportedMinorPayloadVersion) {
1668       LOG(ERROR) << "Manifest contains minor version "
1669                  << manifest_.minor_version()
1670                  << " not in the range of supported minor versions ["
1671                  << kMinSupportedMinorPayloadVersion << ", "
1672                  << kMaxSupportedMinorPayloadVersion << "].";
1673       return ErrorCode::kUnsupportedMinorPayloadVersion;
1674     }
1675   }
1676 
1677   if (major_payload_version_ != kChromeOSMajorPayloadVersion) {
1678     if (manifest_.has_old_rootfs_info() || manifest_.has_new_rootfs_info() ||
1679         manifest_.has_old_kernel_info() || manifest_.has_new_kernel_info() ||
1680         manifest_.install_operations_size() != 0 ||
1681         manifest_.kernel_install_operations_size() != 0) {
1682       LOG(ERROR) << "Manifest contains deprecated field only supported in "
1683                  << "major payload version 1, but the payload major version is "
1684                  << major_payload_version_;
1685       return ErrorCode::kPayloadMismatchedType;
1686     }
1687   }
1688 
1689   if (manifest_.max_timestamp() < hardware_->GetBuildTimestamp()) {
1690     LOG(ERROR) << "The current OS build timestamp ("
1691                << hardware_->GetBuildTimestamp()
1692                << ") is newer than the maximum timestamp in the manifest ("
1693                << manifest_.max_timestamp() << ")";
1694     return ErrorCode::kPayloadTimestampError;
1695   }
1696 
1697   if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
1698     if (manifest_.has_dynamic_partition_metadata()) {
1699       LOG(ERROR)
1700           << "Should not contain dynamic_partition_metadata for major version "
1701           << kChromeOSMajorPayloadVersion
1702           << ". Please use major version 2 or above.";
1703       return ErrorCode::kPayloadMismatchedType;
1704     }
1705   }
1706 
1707   // TODO(garnold) we should be adding more and more manifest checks, such as
1708   // partition boundaries etc (see chromium-os:37661).
1709 
1710   return ErrorCode::kSuccess;
1711 }
1712 
ValidateOperationHash(const InstallOperation & operation)1713 ErrorCode DeltaPerformer::ValidateOperationHash(
1714     const InstallOperation& operation) {
1715   if (!operation.data_sha256_hash().size()) {
1716     if (!operation.data_length()) {
1717       // Operations that do not have any data blob won't have any operation hash
1718       // either. So, these operations are always considered validated since the
1719       // metadata that contains all the non-data-blob portions of the operation
1720       // has already been validated. This is true for both HTTP and HTTPS cases.
1721       return ErrorCode::kSuccess;
1722     }
1723 
1724     // No hash is present for an operation that has data blobs. This shouldn't
1725     // happen normally for any client that has this code, because the
1726     // corresponding update should have been produced with the operation
1727     // hashes. So if it happens it means either we've turned operation hash
1728     // generation off in DeltaDiffGenerator or it's a regression of some sort.
1729     // One caveat though: The last operation is a dummy signature operation
1730     // that doesn't have a hash at the time the manifest is created. So we
1731     // should not complaint about that operation. This operation can be
1732     // recognized by the fact that it's offset is mentioned in the manifest.
1733     if (manifest_.signatures_offset() &&
1734         manifest_.signatures_offset() == operation.data_offset()) {
1735       LOG(INFO) << "Skipping hash verification for signature operation "
1736                 << next_operation_num_ + 1;
1737     } else {
1738       if (install_plan_->hash_checks_mandatory) {
1739         LOG(ERROR) << "Missing mandatory operation hash for operation "
1740                    << next_operation_num_ + 1;
1741         return ErrorCode::kDownloadOperationHashMissingError;
1742       }
1743 
1744       LOG(WARNING) << "Cannot validate operation " << next_operation_num_ + 1
1745                    << " as there's no operation hash in manifest";
1746     }
1747     return ErrorCode::kSuccess;
1748   }
1749 
1750   brillo::Blob expected_op_hash;
1751   expected_op_hash.assign(operation.data_sha256_hash().data(),
1752                           (operation.data_sha256_hash().data() +
1753                            operation.data_sha256_hash().size()));
1754 
1755   brillo::Blob calculated_op_hash;
1756   if (!HashCalculator::RawHashOfBytes(
1757           buffer_.data(), operation.data_length(), &calculated_op_hash)) {
1758     LOG(ERROR) << "Unable to compute actual hash of operation "
1759                << next_operation_num_;
1760     return ErrorCode::kDownloadOperationHashVerificationError;
1761   }
1762 
1763   if (calculated_op_hash != expected_op_hash) {
1764     LOG(ERROR) << "Hash verification failed for operation "
1765                << next_operation_num_ << ". Expected hash = ";
1766     utils::HexDumpVector(expected_op_hash);
1767     LOG(ERROR) << "Calculated hash over " << operation.data_length()
1768                << " bytes at offset: " << operation.data_offset() << " = ";
1769     utils::HexDumpVector(calculated_op_hash);
1770     return ErrorCode::kDownloadOperationHashMismatch;
1771   }
1772 
1773   return ErrorCode::kSuccess;
1774 }
1775 
1776 #define TEST_AND_RETURN_VAL(_retval, _condition)              \
1777   do {                                                        \
1778     if (!(_condition)) {                                      \
1779       LOG(ERROR) << "VerifyPayload failure: " << #_condition; \
1780       return _retval;                                         \
1781     }                                                         \
1782   } while (0);
1783 
VerifyPayload(const brillo::Blob & update_check_response_hash,const uint64_t update_check_response_size)1784 ErrorCode DeltaPerformer::VerifyPayload(
1785     const brillo::Blob& update_check_response_hash,
1786     const uint64_t update_check_response_size) {
1787   string public_key;
1788   if (!GetPublicKey(&public_key)) {
1789     LOG(ERROR) << "Failed to get public key.";
1790     return ErrorCode::kDownloadPayloadPubKeyVerificationError;
1791   }
1792 
1793   // Verifies the download size.
1794   if (update_check_response_size !=
1795       metadata_size_ + metadata_signature_size_ + buffer_offset_) {
1796     LOG(ERROR) << "update_check_response_size (" << update_check_response_size
1797                << ") doesn't match metadata_size (" << metadata_size_
1798                << ") + metadata_signature_size (" << metadata_signature_size_
1799                << ") + buffer_offset (" << buffer_offset_ << ").";
1800     return ErrorCode::kPayloadSizeMismatchError;
1801   }
1802 
1803   // Verifies the payload hash.
1804   TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadVerificationError,
1805                       !payload_hash_calculator_.raw_hash().empty());
1806   TEST_AND_RETURN_VAL(
1807       ErrorCode::kPayloadHashMismatchError,
1808       payload_hash_calculator_.raw_hash() == update_check_response_hash);
1809 
1810   // Verifies the signed payload hash.
1811   if (public_key.empty()) {
1812     LOG(WARNING) << "Not verifying signed delta payload -- missing public key.";
1813     return ErrorCode::kSuccess;
1814   }
1815   TEST_AND_RETURN_VAL(ErrorCode::kSignedDeltaPayloadExpectedError,
1816                       !signatures_message_data_.empty());
1817   brillo::Blob hash_data = signed_hash_calculator_.raw_hash();
1818   TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError,
1819                       hash_data.size() == kSHA256Size);
1820 
1821   if (!PayloadVerifier::VerifySignature(
1822           signatures_message_data_, public_key, hash_data)) {
1823     // The autoupdate_CatchBadSignatures test checks for this string
1824     // in log-files. Keep in sync.
1825     LOG(ERROR) << "Public key verification failed, thus update failed.";
1826     return ErrorCode::kDownloadPayloadPubKeyVerificationError;
1827   }
1828 
1829   LOG(INFO) << "Payload hash matches value in payload.";
1830   return ErrorCode::kSuccess;
1831 }
1832 
DiscardBuffer(bool do_advance_offset,size_t signed_hash_buffer_size)1833 void DeltaPerformer::DiscardBuffer(bool do_advance_offset,
1834                                    size_t signed_hash_buffer_size) {
1835   // Update the buffer offset.
1836   if (do_advance_offset)
1837     buffer_offset_ += buffer_.size();
1838 
1839   // Hash the content.
1840   payload_hash_calculator_.Update(buffer_.data(), buffer_.size());
1841   signed_hash_calculator_.Update(buffer_.data(), signed_hash_buffer_size);
1842 
1843   // Swap content with an empty vector to ensure that all memory is released.
1844   brillo::Blob().swap(buffer_);
1845 }
1846 
CanResumeUpdate(PrefsInterface * prefs,const string & update_check_response_hash)1847 bool DeltaPerformer::CanResumeUpdate(PrefsInterface* prefs,
1848                                      const string& update_check_response_hash) {
1849   int64_t next_operation = kUpdateStateOperationInvalid;
1850   if (!(prefs->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) &&
1851         next_operation != kUpdateStateOperationInvalid && next_operation > 0))
1852     return false;
1853 
1854   string interrupted_hash;
1855   if (!(prefs->GetString(kPrefsUpdateCheckResponseHash, &interrupted_hash) &&
1856         !interrupted_hash.empty() &&
1857         interrupted_hash == update_check_response_hash))
1858     return false;
1859 
1860   int64_t resumed_update_failures;
1861   // Note that storing this value is optional, but if it is there it should not
1862   // be more than the limit.
1863   if (prefs->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures) &&
1864       resumed_update_failures > kMaxResumedUpdateFailures)
1865     return false;
1866 
1867   // Sanity check the rest.
1868   int64_t next_data_offset = -1;
1869   if (!(prefs->GetInt64(kPrefsUpdateStateNextDataOffset, &next_data_offset) &&
1870         next_data_offset >= 0))
1871     return false;
1872 
1873   string sha256_context;
1874   if (!(prefs->GetString(kPrefsUpdateStateSHA256Context, &sha256_context) &&
1875         !sha256_context.empty()))
1876     return false;
1877 
1878   int64_t manifest_metadata_size = 0;
1879   if (!(prefs->GetInt64(kPrefsManifestMetadataSize, &manifest_metadata_size) &&
1880         manifest_metadata_size > 0))
1881     return false;
1882 
1883   int64_t manifest_signature_size = 0;
1884   if (!(prefs->GetInt64(kPrefsManifestSignatureSize,
1885                         &manifest_signature_size) &&
1886         manifest_signature_size >= 0))
1887     return false;
1888 
1889   return true;
1890 }
1891 
ResetUpdateProgress(PrefsInterface * prefs,bool quick)1892 bool DeltaPerformer::ResetUpdateProgress(PrefsInterface* prefs, bool quick) {
1893   TEST_AND_RETURN_FALSE(prefs->SetInt64(kPrefsUpdateStateNextOperation,
1894                                         kUpdateStateOperationInvalid));
1895   if (!quick) {
1896     prefs->SetInt64(kPrefsUpdateStateNextDataOffset, -1);
1897     prefs->SetInt64(kPrefsUpdateStateNextDataLength, 0);
1898     prefs->SetString(kPrefsUpdateStateSHA256Context, "");
1899     prefs->SetString(kPrefsUpdateStateSignedSHA256Context, "");
1900     prefs->SetString(kPrefsUpdateStateSignatureBlob, "");
1901     prefs->SetInt64(kPrefsManifestMetadataSize, -1);
1902     prefs->SetInt64(kPrefsManifestSignatureSize, -1);
1903     prefs->SetInt64(kPrefsResumedUpdateFailures, 0);
1904     prefs->Delete(kPrefsPostInstallSucceeded);
1905     prefs->Delete(kPrefsVerityWritten);
1906     prefs->Delete(kPrefsDynamicPartitionMetadataUpdated);
1907   }
1908   return true;
1909 }
1910 
CheckpointUpdateProgress(bool force)1911 bool DeltaPerformer::CheckpointUpdateProgress(bool force) {
1912   base::TimeTicks curr_time = base::TimeTicks::Now();
1913   if (force || curr_time > update_checkpoint_time_) {
1914     update_checkpoint_time_ = curr_time + update_checkpoint_wait_;
1915   } else {
1916     return false;
1917   }
1918 
1919   Terminator::set_exit_blocked(true);
1920   if (last_updated_buffer_offset_ != buffer_offset_) {
1921     // Resets the progress in case we die in the middle of the state update.
1922     ResetUpdateProgress(prefs_, true);
1923     TEST_AND_RETURN_FALSE(prefs_->SetString(
1924         kPrefsUpdateStateSHA256Context, payload_hash_calculator_.GetContext()));
1925     TEST_AND_RETURN_FALSE(
1926         prefs_->SetString(kPrefsUpdateStateSignedSHA256Context,
1927                           signed_hash_calculator_.GetContext()));
1928     TEST_AND_RETURN_FALSE(
1929         prefs_->SetInt64(kPrefsUpdateStateNextDataOffset, buffer_offset_));
1930     last_updated_buffer_offset_ = buffer_offset_;
1931 
1932     if (next_operation_num_ < num_total_operations_) {
1933       size_t partition_index = current_partition_;
1934       while (next_operation_num_ >= acc_num_operations_[partition_index])
1935         partition_index++;
1936       const size_t partition_operation_num =
1937           next_operation_num_ -
1938           (partition_index ? acc_num_operations_[partition_index - 1] : 0);
1939       const InstallOperation& op =
1940           partitions_[partition_index].operations(partition_operation_num);
1941       TEST_AND_RETURN_FALSE(
1942           prefs_->SetInt64(kPrefsUpdateStateNextDataLength, op.data_length()));
1943     } else {
1944       TEST_AND_RETURN_FALSE(
1945           prefs_->SetInt64(kPrefsUpdateStateNextDataLength, 0));
1946     }
1947   }
1948   TEST_AND_RETURN_FALSE(
1949       prefs_->SetInt64(kPrefsUpdateStateNextOperation, next_operation_num_));
1950   return true;
1951 }
1952 
PrimeUpdateState()1953 bool DeltaPerformer::PrimeUpdateState() {
1954   CHECK(manifest_valid_);
1955 
1956   int64_t next_operation = kUpdateStateOperationInvalid;
1957   if (!prefs_->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) ||
1958       next_operation == kUpdateStateOperationInvalid || next_operation <= 0) {
1959     // Initiating a new update, no more state needs to be initialized.
1960     return true;
1961   }
1962   next_operation_num_ = next_operation;
1963 
1964   // Resuming an update -- load the rest of the update state.
1965   int64_t next_data_offset = -1;
1966   TEST_AND_RETURN_FALSE(
1967       prefs_->GetInt64(kPrefsUpdateStateNextDataOffset, &next_data_offset) &&
1968       next_data_offset >= 0);
1969   buffer_offset_ = next_data_offset;
1970 
1971   // The signed hash context and the signature blob may be empty if the
1972   // interrupted update didn't reach the signature.
1973   string signed_hash_context;
1974   if (prefs_->GetString(kPrefsUpdateStateSignedSHA256Context,
1975                         &signed_hash_context)) {
1976     TEST_AND_RETURN_FALSE(
1977         signed_hash_calculator_.SetContext(signed_hash_context));
1978   }
1979 
1980   prefs_->GetString(kPrefsUpdateStateSignatureBlob, &signatures_message_data_);
1981 
1982   string hash_context;
1983   TEST_AND_RETURN_FALSE(
1984       prefs_->GetString(kPrefsUpdateStateSHA256Context, &hash_context) &&
1985       payload_hash_calculator_.SetContext(hash_context));
1986 
1987   int64_t manifest_metadata_size = 0;
1988   TEST_AND_RETURN_FALSE(
1989       prefs_->GetInt64(kPrefsManifestMetadataSize, &manifest_metadata_size) &&
1990       manifest_metadata_size > 0);
1991   metadata_size_ = manifest_metadata_size;
1992 
1993   int64_t manifest_signature_size = 0;
1994   TEST_AND_RETURN_FALSE(
1995       prefs_->GetInt64(kPrefsManifestSignatureSize, &manifest_signature_size) &&
1996       manifest_signature_size >= 0);
1997   metadata_signature_size_ = manifest_signature_size;
1998 
1999   // Advance the download progress to reflect what doesn't need to be
2000   // re-downloaded.
2001   total_bytes_received_ += buffer_offset_;
2002 
2003   // Speculatively count the resume as a failure.
2004   int64_t resumed_update_failures;
2005   if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) {
2006     resumed_update_failures++;
2007   } else {
2008     resumed_update_failures = 1;
2009   }
2010   prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures);
2011   return true;
2012 }
2013 
2014 }  // namespace chromeos_update_engine
2015