1 //
2 // Copyright (C) 2012 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "update_engine/payload_consumer/delta_performer.h"
18
19 #include <errno.h>
20 #include <linux/fs.h>
21
22 #include <algorithm>
23 #include <cstring>
24 #include <map>
25 #include <memory>
26 #include <string>
27 #include <utility>
28 #include <vector>
29
30 #include <base/files/file_util.h>
31 #include <base/format_macros.h>
32 #include <base/metrics/histogram_macros.h>
33 #include <base/strings/string_number_conversions.h>
34 #include <base/strings/string_util.h>
35 #include <base/strings/stringprintf.h>
36 #include <base/time/time.h>
37 #include <brillo/data_encoding.h>
38 #include <bsdiff/bspatch.h>
39 #include <google/protobuf/repeated_field.h>
40 #include <puffin/puffpatch.h>
41
42 #include "update_engine/common/constants.h"
43 #include "update_engine/common/hardware_interface.h"
44 #include "update_engine/common/prefs_interface.h"
45 #include "update_engine/common/subprocess.h"
46 #include "update_engine/common/terminator.h"
47 #include "update_engine/payload_consumer/bzip_extent_writer.h"
48 #include "update_engine/payload_consumer/cached_file_descriptor.h"
49 #include "update_engine/payload_consumer/download_action.h"
50 #include "update_engine/payload_consumer/extent_reader.h"
51 #include "update_engine/payload_consumer/extent_writer.h"
52 #if USE_FEC
53 #include "update_engine/payload_consumer/fec_file_descriptor.h"
54 #endif // USE_FEC
55 #include "update_engine/payload_consumer/file_descriptor_utils.h"
56 #include "update_engine/payload_consumer/mount_history.h"
57 #if USE_MTD
58 #include "update_engine/payload_consumer/mtd_file_descriptor.h"
59 #endif // USE_MTD
60 #include "update_engine/payload_consumer/payload_constants.h"
61 #include "update_engine/payload_consumer/payload_verifier.h"
62 #include "update_engine/payload_consumer/xz_extent_writer.h"
63
64 using google::protobuf::RepeatedPtrField;
65 using std::min;
66 using std::string;
67 using std::vector;
68
69 namespace chromeos_update_engine {
70 const unsigned DeltaPerformer::kProgressLogMaxChunks = 10;
71 const unsigned DeltaPerformer::kProgressLogTimeoutSeconds = 30;
72 const unsigned DeltaPerformer::kProgressDownloadWeight = 50;
73 const unsigned DeltaPerformer::kProgressOperationsWeight = 50;
74 const uint64_t DeltaPerformer::kCheckpointFrequencySeconds = 1;
75
76 namespace {
77 const int kUpdateStateOperationInvalid = -1;
78 const int kMaxResumedUpdateFailures = 10;
79 #if USE_MTD
80 const int kUbiVolumeAttachTimeout = 5 * 60;
81 #endif
82
83 const uint64_t kCacheSize = 1024 * 1024; // 1MB
84
CreateFileDescriptor(const char * path)85 FileDescriptorPtr CreateFileDescriptor(const char* path) {
86 FileDescriptorPtr ret;
87 #if USE_MTD
88 if (strstr(path, "/dev/ubi") == path) {
89 if (!UbiFileDescriptor::IsUbi(path)) {
90 // The volume might not have been attached at boot time.
91 int volume_no;
92 if (utils::SplitPartitionName(path, nullptr, &volume_no)) {
93 utils::TryAttachingUbiVolume(volume_no, kUbiVolumeAttachTimeout);
94 }
95 }
96 if (UbiFileDescriptor::IsUbi(path)) {
97 LOG(INFO) << path << " is a UBI device.";
98 ret.reset(new UbiFileDescriptor);
99 }
100 } else if (MtdFileDescriptor::IsMtd(path)) {
101 LOG(INFO) << path << " is an MTD device.";
102 ret.reset(new MtdFileDescriptor);
103 } else {
104 LOG(INFO) << path << " is not an MTD nor a UBI device.";
105 #endif
106 ret.reset(new EintrSafeFileDescriptor);
107 #if USE_MTD
108 }
109 #endif
110 return ret;
111 }
112
113 // Opens path for read/write. On success returns an open FileDescriptor
114 // and sets *err to 0. On failure, sets *err to errno and returns nullptr.
OpenFile(const char * path,int mode,bool cache_writes,int * err)115 FileDescriptorPtr OpenFile(const char* path,
116 int mode,
117 bool cache_writes,
118 int* err) {
119 // Try to mark the block device read-only based on the mode. Ignore any
120 // failure since this won't work when passing regular files.
121 bool read_only = (mode & O_ACCMODE) == O_RDONLY;
122 utils::SetBlockDeviceReadOnly(path, read_only);
123
124 FileDescriptorPtr fd = CreateFileDescriptor(path);
125 if (cache_writes && !read_only) {
126 fd = FileDescriptorPtr(new CachedFileDescriptor(fd, kCacheSize));
127 LOG(INFO) << "Caching writes.";
128 }
129 #if USE_MTD
130 // On NAND devices, we can either read, or write, but not both. So here we
131 // use O_WRONLY.
132 if (UbiFileDescriptor::IsUbi(path) || MtdFileDescriptor::IsMtd(path)) {
133 mode = O_WRONLY;
134 }
135 #endif
136 if (!fd->Open(path, mode, 000)) {
137 *err = errno;
138 PLOG(ERROR) << "Unable to open file " << path;
139 return nullptr;
140 }
141 *err = 0;
142 return fd;
143 }
144
145 // Discard the tail of the block device referenced by |fd|, from the offset
146 // |data_size| until the end of the block device. Returns whether the data was
147 // discarded.
DiscardPartitionTail(const FileDescriptorPtr & fd,uint64_t data_size)148 bool DiscardPartitionTail(const FileDescriptorPtr& fd, uint64_t data_size) {
149 uint64_t part_size = fd->BlockDevSize();
150 if (!part_size || part_size <= data_size)
151 return false;
152
153 struct blkioctl_request {
154 int number;
155 const char* name;
156 };
157 const vector<blkioctl_request> blkioctl_requests = {
158 {BLKDISCARD, "BLKDISCARD"},
159 {BLKSECDISCARD, "BLKSECDISCARD"},
160 #ifdef BLKZEROOUT
161 {BLKZEROOUT, "BLKZEROOUT"},
162 #endif
163 };
164 for (const auto& req : blkioctl_requests) {
165 int error = 0;
166 if (fd->BlkIoctl(req.number, data_size, part_size - data_size, &error) &&
167 error == 0) {
168 return true;
169 }
170 LOG(WARNING) << "Error discarding the last "
171 << (part_size - data_size) / 1024 << " KiB using ioctl("
172 << req.name << ")";
173 }
174 return false;
175 }
176
177 } // namespace
178
179 // Computes the ratio of |part| and |total|, scaled to |norm|, using integer
180 // arithmetic.
IntRatio(uint64_t part,uint64_t total,uint64_t norm)181 static uint64_t IntRatio(uint64_t part, uint64_t total, uint64_t norm) {
182 return part * norm / total;
183 }
184
LogProgress(const char * message_prefix)185 void DeltaPerformer::LogProgress(const char* message_prefix) {
186 // Format operations total count and percentage.
187 string total_operations_str("?");
188 string completed_percentage_str("");
189 if (num_total_operations_) {
190 total_operations_str = std::to_string(num_total_operations_);
191 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting.
192 completed_percentage_str = base::StringPrintf(
193 " (%" PRIu64 "%%)",
194 IntRatio(next_operation_num_, num_total_operations_, 100));
195 }
196
197 // Format download total count and percentage.
198 size_t payload_size = payload_->size;
199 string payload_size_str("?");
200 string downloaded_percentage_str("");
201 if (payload_size) {
202 payload_size_str = std::to_string(payload_size);
203 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting.
204 downloaded_percentage_str = base::StringPrintf(
205 " (%" PRIu64 "%%)", IntRatio(total_bytes_received_, payload_size, 100));
206 }
207
208 LOG(INFO) << (message_prefix ? message_prefix : "") << next_operation_num_
209 << "/" << total_operations_str << " operations"
210 << completed_percentage_str << ", " << total_bytes_received_ << "/"
211 << payload_size_str << " bytes downloaded"
212 << downloaded_percentage_str << ", overall progress "
213 << overall_progress_ << "%";
214 }
215
UpdateOverallProgress(bool force_log,const char * message_prefix)216 void DeltaPerformer::UpdateOverallProgress(bool force_log,
217 const char* message_prefix) {
218 // Compute our download and overall progress.
219 unsigned new_overall_progress = 0;
220 static_assert(kProgressDownloadWeight + kProgressOperationsWeight == 100,
221 "Progress weights don't add up");
222 // Only consider download progress if its total size is known; otherwise
223 // adjust the operations weight to compensate for the absence of download
224 // progress. Also, make sure to cap the download portion at
225 // kProgressDownloadWeight, in case we end up downloading more than we
226 // initially expected (this indicates a problem, but could generally happen).
227 // TODO(garnold) the correction of operations weight when we do not have the
228 // total payload size, as well as the conditional guard below, should both be
229 // eliminated once we ensure that the payload_size in the install plan is
230 // always given and is non-zero. This currently isn't the case during unit
231 // tests (see chromium-os:37969).
232 size_t payload_size = payload_->size;
233 unsigned actual_operations_weight = kProgressOperationsWeight;
234 if (payload_size)
235 new_overall_progress +=
236 min(static_cast<unsigned>(IntRatio(
237 total_bytes_received_, payload_size, kProgressDownloadWeight)),
238 kProgressDownloadWeight);
239 else
240 actual_operations_weight += kProgressDownloadWeight;
241
242 // Only add completed operations if their total number is known; we definitely
243 // expect an update to have at least one operation, so the expectation is that
244 // this will eventually reach |actual_operations_weight|.
245 if (num_total_operations_)
246 new_overall_progress += IntRatio(
247 next_operation_num_, num_total_operations_, actual_operations_weight);
248
249 // Progress ratio cannot recede, unless our assumptions about the total
250 // payload size, total number of operations, or the monotonicity of progress
251 // is breached.
252 if (new_overall_progress < overall_progress_) {
253 LOG(WARNING) << "progress counter receded from " << overall_progress_
254 << "% down to " << new_overall_progress << "%; this is a bug";
255 force_log = true;
256 }
257 overall_progress_ = new_overall_progress;
258
259 // Update chunk index, log as needed: if forced by called, or we completed a
260 // progress chunk, or a timeout has expired.
261 base::TimeTicks curr_time = base::TimeTicks::Now();
262 unsigned curr_progress_chunk =
263 overall_progress_ * kProgressLogMaxChunks / 100;
264 if (force_log || curr_progress_chunk > last_progress_chunk_ ||
265 curr_time > forced_progress_log_time_) {
266 forced_progress_log_time_ = curr_time + forced_progress_log_wait_;
267 LogProgress(message_prefix);
268 }
269 last_progress_chunk_ = curr_progress_chunk;
270 }
271
CopyDataToBuffer(const char ** bytes_p,size_t * count_p,size_t max)272 size_t DeltaPerformer::CopyDataToBuffer(const char** bytes_p,
273 size_t* count_p,
274 size_t max) {
275 const size_t count = *count_p;
276 if (!count)
277 return 0; // Special case shortcut.
278 size_t read_len = min(count, max - buffer_.size());
279 const char* bytes_start = *bytes_p;
280 const char* bytes_end = bytes_start + read_len;
281 buffer_.reserve(max);
282 buffer_.insert(buffer_.end(), bytes_start, bytes_end);
283 *bytes_p = bytes_end;
284 *count_p = count - read_len;
285 return read_len;
286 }
287
HandleOpResult(bool op_result,const char * op_type_name,ErrorCode * error)288 bool DeltaPerformer::HandleOpResult(bool op_result,
289 const char* op_type_name,
290 ErrorCode* error) {
291 if (op_result)
292 return true;
293
294 size_t partition_first_op_num =
295 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0;
296 LOG(ERROR) << "Failed to perform " << op_type_name << " operation "
297 << next_operation_num_ << ", which is the operation "
298 << next_operation_num_ - partition_first_op_num
299 << " in partition \""
300 << partitions_[current_partition_].partition_name() << "\"";
301 if (*error == ErrorCode::kSuccess)
302 *error = ErrorCode::kDownloadOperationExecutionError;
303 return false;
304 }
305
Close()306 int DeltaPerformer::Close() {
307 int err = -CloseCurrentPartition();
308 LOG_IF(ERROR,
309 !payload_hash_calculator_.Finalize() ||
310 !signed_hash_calculator_.Finalize())
311 << "Unable to finalize the hash.";
312 if (!buffer_.empty()) {
313 LOG(INFO) << "Discarding " << buffer_.size() << " unused downloaded bytes";
314 if (err >= 0)
315 err = 1;
316 }
317 return -err;
318 }
319
CloseCurrentPartition()320 int DeltaPerformer::CloseCurrentPartition() {
321 int err = 0;
322 if (source_fd_ && !source_fd_->Close()) {
323 err = errno;
324 PLOG(ERROR) << "Error closing source partition";
325 if (!err)
326 err = 1;
327 }
328 source_fd_.reset();
329 if (source_ecc_fd_ && !source_ecc_fd_->Close()) {
330 err = errno;
331 PLOG(ERROR) << "Error closing ECC source partition";
332 if (!err)
333 err = 1;
334 }
335 source_ecc_fd_.reset();
336 source_ecc_open_failure_ = false;
337 source_path_.clear();
338
339 if (target_fd_ && !target_fd_->Close()) {
340 err = errno;
341 PLOG(ERROR) << "Error closing target partition";
342 if (!err)
343 err = 1;
344 }
345 target_fd_.reset();
346 target_path_.clear();
347 return -err;
348 }
349
OpenCurrentPartition()350 bool DeltaPerformer::OpenCurrentPartition() {
351 if (current_partition_ >= partitions_.size())
352 return false;
353
354 const PartitionUpdate& partition = partitions_[current_partition_];
355 size_t num_previous_partitions =
356 install_plan_->partitions.size() - partitions_.size();
357 const InstallPlan::Partition& install_part =
358 install_plan_->partitions[num_previous_partitions + current_partition_];
359 // Open source fds if we have a delta payload with minor version >= 2.
360 if (payload_->type == InstallPayloadType::kDelta &&
361 GetMinorVersion() != kInPlaceMinorPayloadVersion &&
362 // With dynamic partitions we could create a new partition in a
363 // delta payload, and we shouldn't open source partition in that case.
364 install_part.source_size > 0) {
365 source_path_ = install_part.source_path;
366 int err;
367 source_fd_ = OpenFile(source_path_.c_str(), O_RDONLY, false, &err);
368 if (!source_fd_) {
369 LOG(ERROR) << "Unable to open source partition "
370 << partition.partition_name() << " on slot "
371 << BootControlInterface::SlotName(install_plan_->source_slot)
372 << ", file " << source_path_;
373 return false;
374 }
375 }
376
377 target_path_ = install_part.target_path;
378 int err;
379
380 int flags = O_RDWR;
381 if (!interactive_)
382 flags |= O_DSYNC;
383
384 LOG(INFO) << "Opening " << target_path_ << " partition with"
385 << (interactive_ ? "out" : "") << " O_DSYNC";
386
387 target_fd_ = OpenFile(target_path_.c_str(), flags, true, &err);
388 if (!target_fd_) {
389 LOG(ERROR) << "Unable to open target partition "
390 << partition.partition_name() << " on slot "
391 << BootControlInterface::SlotName(install_plan_->target_slot)
392 << ", file " << target_path_;
393 return false;
394 }
395
396 LOG(INFO) << "Applying " << partition.operations().size()
397 << " operations to partition \"" << partition.partition_name()
398 << "\"";
399
400 // Discard the end of the partition, but ignore failures.
401 DiscardPartitionTail(target_fd_, install_part.target_size);
402
403 return true;
404 }
405
OpenCurrentECCPartition()406 bool DeltaPerformer::OpenCurrentECCPartition() {
407 if (source_ecc_fd_)
408 return true;
409
410 if (source_ecc_open_failure_)
411 return false;
412
413 if (current_partition_ >= partitions_.size())
414 return false;
415
416 // No support for ECC in minor version 1 or full payloads.
417 if (payload_->type == InstallPayloadType::kFull ||
418 GetMinorVersion() == kInPlaceMinorPayloadVersion)
419 return false;
420
421 #if USE_FEC
422 const PartitionUpdate& partition = partitions_[current_partition_];
423 size_t num_previous_partitions =
424 install_plan_->partitions.size() - partitions_.size();
425 const InstallPlan::Partition& install_part =
426 install_plan_->partitions[num_previous_partitions + current_partition_];
427 string path = install_part.source_path;
428 FileDescriptorPtr fd(new FecFileDescriptor());
429 if (!fd->Open(path.c_str(), O_RDONLY, 0)) {
430 PLOG(ERROR) << "Unable to open ECC source partition "
431 << partition.partition_name() << " on slot "
432 << BootControlInterface::SlotName(install_plan_->source_slot)
433 << ", file " << path;
434 source_ecc_open_failure_ = true;
435 return false;
436 }
437 source_ecc_fd_ = fd;
438 #else
439 // No support for ECC compiled.
440 source_ecc_open_failure_ = true;
441 #endif // USE_FEC
442
443 return !source_ecc_open_failure_;
444 }
445
446 namespace {
447
LogPartitionInfoHash(const PartitionInfo & info,const string & tag)448 void LogPartitionInfoHash(const PartitionInfo& info, const string& tag) {
449 string sha256 = brillo::data_encoding::Base64Encode(info.hash());
450 LOG(INFO) << "PartitionInfo " << tag << " sha256: " << sha256
451 << " size: " << info.size();
452 }
453
LogPartitionInfo(const vector<PartitionUpdate> & partitions)454 void LogPartitionInfo(const vector<PartitionUpdate>& partitions) {
455 for (const PartitionUpdate& partition : partitions) {
456 if (partition.has_old_partition_info()) {
457 LogPartitionInfoHash(partition.old_partition_info(),
458 "old " + partition.partition_name());
459 }
460 LogPartitionInfoHash(partition.new_partition_info(),
461 "new " + partition.partition_name());
462 }
463 }
464
465 } // namespace
466
GetMinorVersion() const467 uint32_t DeltaPerformer::GetMinorVersion() const {
468 if (manifest_.has_minor_version()) {
469 return manifest_.minor_version();
470 }
471 return payload_->type == InstallPayloadType::kDelta
472 ? kMaxSupportedMinorPayloadVersion
473 : kFullPayloadMinorVersion;
474 }
475
IsHeaderParsed() const476 bool DeltaPerformer::IsHeaderParsed() const {
477 return metadata_size_ != 0;
478 }
479
ParsePayloadMetadata(const brillo::Blob & payload,ErrorCode * error)480 MetadataParseResult DeltaPerformer::ParsePayloadMetadata(
481 const brillo::Blob& payload, ErrorCode* error) {
482 *error = ErrorCode::kSuccess;
483
484 if (!IsHeaderParsed()) {
485 MetadataParseResult result =
486 payload_metadata_.ParsePayloadHeader(payload, error);
487 if (result != MetadataParseResult::kSuccess)
488 return result;
489
490 metadata_size_ = payload_metadata_.GetMetadataSize();
491 metadata_signature_size_ = payload_metadata_.GetMetadataSignatureSize();
492 major_payload_version_ = payload_metadata_.GetMajorVersion();
493
494 // If the metadata size is present in install plan, check for it immediately
495 // even before waiting for that many number of bytes to be downloaded in the
496 // payload. This will prevent any attack which relies on us downloading data
497 // beyond the expected metadata size.
498 if (install_plan_->hash_checks_mandatory) {
499 if (payload_->metadata_size != metadata_size_) {
500 LOG(ERROR) << "Mandatory metadata size in Omaha response ("
501 << payload_->metadata_size
502 << ") is missing/incorrect, actual = " << metadata_size_;
503 *error = ErrorCode::kDownloadInvalidMetadataSize;
504 return MetadataParseResult::kError;
505 }
506 }
507 }
508
509 // Now that we have validated the metadata size, we should wait for the full
510 // metadata and its signature (if exist) to be read in before we can parse it.
511 if (payload.size() < metadata_size_ + metadata_signature_size_)
512 return MetadataParseResult::kInsufficientData;
513
514 // Log whether we validated the size or simply trusting what's in the payload
515 // here. This is logged here (after we received the full metadata data) so
516 // that we just log once (instead of logging n times) if it takes n
517 // DeltaPerformer::Write calls to download the full manifest.
518 if (payload_->metadata_size == metadata_size_) {
519 LOG(INFO) << "Manifest size in payload matches expected value from Omaha";
520 } else {
521 // For mandatory-cases, we'd have already returned a kMetadataParseError
522 // above. We'll be here only for non-mandatory cases. Just send a UMA stat.
523 LOG(WARNING) << "Ignoring missing/incorrect metadata size ("
524 << payload_->metadata_size
525 << ") in Omaha response as validation is not mandatory. "
526 << "Trusting metadata size in payload = " << metadata_size_;
527 }
528
529 string public_key;
530 if (!GetPublicKey(&public_key)) {
531 LOG(ERROR) << "Failed to get public key.";
532 *error = ErrorCode::kDownloadMetadataSignatureVerificationError;
533 return MetadataParseResult::kError;
534 }
535
536 // We have the full metadata in |payload|. Verify its integrity
537 // and authenticity based on the information we have in Omaha response.
538 *error = payload_metadata_.ValidateMetadataSignature(
539 payload, payload_->metadata_signature, public_key);
540 if (*error != ErrorCode::kSuccess) {
541 if (install_plan_->hash_checks_mandatory) {
542 // The autoupdate_CatchBadSignatures test checks for this string
543 // in log-files. Keep in sync.
544 LOG(ERROR) << "Mandatory metadata signature validation failed";
545 return MetadataParseResult::kError;
546 }
547
548 // For non-mandatory cases, just send a UMA stat.
549 LOG(WARNING) << "Ignoring metadata signature validation failures";
550 *error = ErrorCode::kSuccess;
551 }
552
553 // The payload metadata is deemed valid, it's safe to parse the protobuf.
554 if (!payload_metadata_.GetManifest(payload, &manifest_)) {
555 LOG(ERROR) << "Unable to parse manifest in update file.";
556 *error = ErrorCode::kDownloadManifestParseError;
557 return MetadataParseResult::kError;
558 }
559
560 manifest_parsed_ = true;
561 return MetadataParseResult::kSuccess;
562 }
563
564 #define OP_DURATION_HISTOGRAM(_op_name, _start_time) \
565 LOCAL_HISTOGRAM_CUSTOM_TIMES( \
566 "UpdateEngine.DownloadAction.InstallOperation::" _op_name ".Duration", \
567 base::TimeTicks::Now() - _start_time, \
568 base::TimeDelta::FromMilliseconds(10), \
569 base::TimeDelta::FromMinutes(5), \
570 20);
571
572 // Wrapper around write. Returns true if all requested bytes
573 // were written, or false on any error, regardless of progress
574 // and stores an action exit code in |error|.
Write(const void * bytes,size_t count,ErrorCode * error)575 bool DeltaPerformer::Write(const void* bytes, size_t count, ErrorCode* error) {
576 *error = ErrorCode::kSuccess;
577 const char* c_bytes = reinterpret_cast<const char*>(bytes);
578
579 // Update the total byte downloaded count and the progress logs.
580 total_bytes_received_ += count;
581 UpdateOverallProgress(false, "Completed ");
582
583 while (!manifest_valid_) {
584 // Read data up to the needed limit; this is either maximium payload header
585 // size, or the full metadata size (once it becomes known).
586 const bool do_read_header = !IsHeaderParsed();
587 CopyDataToBuffer(
588 &c_bytes,
589 &count,
590 (do_read_header ? kMaxPayloadHeaderSize
591 : metadata_size_ + metadata_signature_size_));
592
593 MetadataParseResult result = ParsePayloadMetadata(buffer_, error);
594 if (result == MetadataParseResult::kError)
595 return false;
596 if (result == MetadataParseResult::kInsufficientData) {
597 // If we just processed the header, make an attempt on the manifest.
598 if (do_read_header && IsHeaderParsed())
599 continue;
600
601 return true;
602 }
603
604 // Checks the integrity of the payload manifest.
605 if ((*error = ValidateManifest()) != ErrorCode::kSuccess)
606 return false;
607 manifest_valid_ = true;
608
609 // Clear the download buffer.
610 DiscardBuffer(false, metadata_size_);
611
612 block_size_ = manifest_.block_size();
613
614 // This populates |partitions_| and the |install_plan.partitions| with the
615 // list of partitions from the manifest.
616 if (!ParseManifestPartitions(error))
617 return false;
618
619 // |install_plan.partitions| was filled in, nothing need to be done here if
620 // the payload was already applied, returns false to terminate http fetcher,
621 // but keep |error| as ErrorCode::kSuccess.
622 if (payload_->already_applied)
623 return false;
624
625 num_total_operations_ = 0;
626 for (const auto& partition : partitions_) {
627 num_total_operations_ += partition.operations_size();
628 acc_num_operations_.push_back(num_total_operations_);
629 }
630
631 LOG_IF(WARNING,
632 !prefs_->SetInt64(kPrefsManifestMetadataSize, metadata_size_))
633 << "Unable to save the manifest metadata size.";
634 LOG_IF(WARNING,
635 !prefs_->SetInt64(kPrefsManifestSignatureSize,
636 metadata_signature_size_))
637 << "Unable to save the manifest signature size.";
638
639 if (!PrimeUpdateState()) {
640 *error = ErrorCode::kDownloadStateInitializationError;
641 LOG(ERROR) << "Unable to prime the update state.";
642 return false;
643 }
644
645 if (next_operation_num_ < acc_num_operations_[current_partition_]) {
646 if (!OpenCurrentPartition()) {
647 *error = ErrorCode::kInstallDeviceOpenError;
648 return false;
649 }
650 }
651
652 if (next_operation_num_ > 0)
653 UpdateOverallProgress(true, "Resuming after ");
654 LOG(INFO) << "Starting to apply update payload operations";
655 }
656
657 while (next_operation_num_ < num_total_operations_) {
658 // Check if we should cancel the current attempt for any reason.
659 // In this case, *error will have already been populated with the reason
660 // why we're canceling.
661 if (download_delegate_ && download_delegate_->ShouldCancel(error))
662 return false;
663
664 // We know there are more operations to perform because we didn't reach the
665 // |num_total_operations_| limit yet.
666 if (next_operation_num_ >= acc_num_operations_[current_partition_]) {
667 CloseCurrentPartition();
668 // Skip until there are operations for current_partition_.
669 while (next_operation_num_ >= acc_num_operations_[current_partition_]) {
670 current_partition_++;
671 }
672 if (!OpenCurrentPartition()) {
673 *error = ErrorCode::kInstallDeviceOpenError;
674 return false;
675 }
676 }
677 const size_t partition_operation_num =
678 next_operation_num_ -
679 (current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0);
680
681 const InstallOperation& op =
682 partitions_[current_partition_].operations(partition_operation_num);
683
684 CopyDataToBuffer(&c_bytes, &count, op.data_length());
685
686 // Check whether we received all of the next operation's data payload.
687 if (!CanPerformInstallOperation(op))
688 return true;
689
690 // Validate the operation only if the metadata signature is present.
691 // Otherwise, keep the old behavior. This serves as a knob to disable
692 // the validation logic in case we find some regression after rollout.
693 // NOTE: If hash checks are mandatory and if metadata_signature is empty,
694 // we would have already failed in ParsePayloadMetadata method and thus not
695 // even be here. So no need to handle that case again here.
696 if (!payload_->metadata_signature.empty()) {
697 // Note: Validate must be called only if CanPerformInstallOperation is
698 // called. Otherwise, we might be failing operations before even if there
699 // isn't sufficient data to compute the proper hash.
700 *error = ValidateOperationHash(op);
701 if (*error != ErrorCode::kSuccess) {
702 if (install_plan_->hash_checks_mandatory) {
703 LOG(ERROR) << "Mandatory operation hash check failed";
704 return false;
705 }
706
707 // For non-mandatory cases, just send a UMA stat.
708 LOG(WARNING) << "Ignoring operation validation errors";
709 *error = ErrorCode::kSuccess;
710 }
711 }
712
713 // Makes sure we unblock exit when this operation completes.
714 ScopedTerminatorExitUnblocker exit_unblocker =
715 ScopedTerminatorExitUnblocker(); // Avoids a compiler unused var bug.
716
717 base::TimeTicks op_start_time = base::TimeTicks::Now();
718
719 bool op_result;
720 switch (op.type()) {
721 case InstallOperation::REPLACE:
722 case InstallOperation::REPLACE_BZ:
723 case InstallOperation::REPLACE_XZ:
724 op_result = PerformReplaceOperation(op);
725 OP_DURATION_HISTOGRAM("REPLACE", op_start_time);
726 break;
727 case InstallOperation::ZERO:
728 case InstallOperation::DISCARD:
729 op_result = PerformZeroOrDiscardOperation(op);
730 OP_DURATION_HISTOGRAM("ZERO_OR_DISCARD", op_start_time);
731 break;
732 case InstallOperation::MOVE:
733 op_result = PerformMoveOperation(op);
734 OP_DURATION_HISTOGRAM("MOVE", op_start_time);
735 break;
736 case InstallOperation::BSDIFF:
737 op_result = PerformBsdiffOperation(op);
738 OP_DURATION_HISTOGRAM("BSDIFF", op_start_time);
739 break;
740 case InstallOperation::SOURCE_COPY:
741 op_result = PerformSourceCopyOperation(op, error);
742 OP_DURATION_HISTOGRAM("SOURCE_COPY", op_start_time);
743 break;
744 case InstallOperation::SOURCE_BSDIFF:
745 case InstallOperation::BROTLI_BSDIFF:
746 op_result = PerformSourceBsdiffOperation(op, error);
747 OP_DURATION_HISTOGRAM("SOURCE_BSDIFF", op_start_time);
748 break;
749 case InstallOperation::PUFFDIFF:
750 op_result = PerformPuffDiffOperation(op, error);
751 OP_DURATION_HISTOGRAM("PUFFDIFF", op_start_time);
752 break;
753 default:
754 op_result = false;
755 }
756 if (!HandleOpResult(op_result, InstallOperationTypeName(op.type()), error))
757 return false;
758
759 if (!target_fd_->Flush()) {
760 return false;
761 }
762
763 next_operation_num_++;
764 UpdateOverallProgress(false, "Completed ");
765 CheckpointUpdateProgress(false);
766 }
767
768 // In major version 2, we don't add dummy operation to the payload.
769 // If we already extracted the signature we should skip this step.
770 if (major_payload_version_ == kBrilloMajorPayloadVersion &&
771 manifest_.has_signatures_offset() && manifest_.has_signatures_size() &&
772 signatures_message_data_.empty()) {
773 if (manifest_.signatures_offset() != buffer_offset_) {
774 LOG(ERROR) << "Payload signatures offset points to blob offset "
775 << manifest_.signatures_offset()
776 << " but signatures are expected at offset " << buffer_offset_;
777 *error = ErrorCode::kDownloadPayloadVerificationError;
778 return false;
779 }
780 CopyDataToBuffer(&c_bytes, &count, manifest_.signatures_size());
781 // Needs more data to cover entire signature.
782 if (buffer_.size() < manifest_.signatures_size())
783 return true;
784 if (!ExtractSignatureMessage()) {
785 LOG(ERROR) << "Extract payload signature failed.";
786 *error = ErrorCode::kDownloadPayloadVerificationError;
787 return false;
788 }
789 DiscardBuffer(true, 0);
790 // Since we extracted the SignatureMessage we need to advance the
791 // checkpoint, otherwise we would reload the signature and try to extract
792 // it again.
793 // This is the last checkpoint for an update, force this checkpoint to be
794 // saved.
795 CheckpointUpdateProgress(true);
796 }
797
798 return true;
799 }
800
IsManifestValid()801 bool DeltaPerformer::IsManifestValid() {
802 return manifest_valid_;
803 }
804
ParseManifestPartitions(ErrorCode * error)805 bool DeltaPerformer::ParseManifestPartitions(ErrorCode* error) {
806 if (major_payload_version_ == kBrilloMajorPayloadVersion) {
807 partitions_.clear();
808 for (const PartitionUpdate& partition : manifest_.partitions()) {
809 partitions_.push_back(partition);
810 }
811 manifest_.clear_partitions();
812 } else if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
813 LOG(INFO) << "Converting update information from old format.";
814 PartitionUpdate root_part;
815 root_part.set_partition_name(kPartitionNameRoot);
816 #ifdef __ANDROID__
817 LOG(WARNING) << "Legacy payload major version provided to an Android "
818 "build. Assuming no post-install. Please use major version "
819 "2 or newer.";
820 root_part.set_run_postinstall(false);
821 #else
822 root_part.set_run_postinstall(true);
823 #endif // __ANDROID__
824 if (manifest_.has_old_rootfs_info()) {
825 *root_part.mutable_old_partition_info() = manifest_.old_rootfs_info();
826 manifest_.clear_old_rootfs_info();
827 }
828 if (manifest_.has_new_rootfs_info()) {
829 *root_part.mutable_new_partition_info() = manifest_.new_rootfs_info();
830 manifest_.clear_new_rootfs_info();
831 }
832 *root_part.mutable_operations() = manifest_.install_operations();
833 manifest_.clear_install_operations();
834 partitions_.push_back(std::move(root_part));
835
836 PartitionUpdate kern_part;
837 kern_part.set_partition_name(kPartitionNameKernel);
838 kern_part.set_run_postinstall(false);
839 if (manifest_.has_old_kernel_info()) {
840 *kern_part.mutable_old_partition_info() = manifest_.old_kernel_info();
841 manifest_.clear_old_kernel_info();
842 }
843 if (manifest_.has_new_kernel_info()) {
844 *kern_part.mutable_new_partition_info() = manifest_.new_kernel_info();
845 manifest_.clear_new_kernel_info();
846 }
847 *kern_part.mutable_operations() = manifest_.kernel_install_operations();
848 manifest_.clear_kernel_install_operations();
849 partitions_.push_back(std::move(kern_part));
850 }
851
852 // Fill in the InstallPlan::partitions based on the partitions from the
853 // payload.
854 for (const auto& partition : partitions_) {
855 InstallPlan::Partition install_part;
856 install_part.name = partition.partition_name();
857 install_part.run_postinstall =
858 partition.has_run_postinstall() && partition.run_postinstall();
859 if (install_part.run_postinstall) {
860 install_part.postinstall_path =
861 (partition.has_postinstall_path() ? partition.postinstall_path()
862 : kPostinstallDefaultScript);
863 install_part.filesystem_type = partition.filesystem_type();
864 install_part.postinstall_optional = partition.postinstall_optional();
865 }
866
867 if (partition.has_old_partition_info()) {
868 const PartitionInfo& info = partition.old_partition_info();
869 install_part.source_size = info.size();
870 install_part.source_hash.assign(info.hash().begin(), info.hash().end());
871 }
872
873 if (!partition.has_new_partition_info()) {
874 LOG(ERROR) << "Unable to get new partition hash info on partition "
875 << install_part.name << ".";
876 *error = ErrorCode::kDownloadNewPartitionInfoError;
877 return false;
878 }
879 const PartitionInfo& info = partition.new_partition_info();
880 install_part.target_size = info.size();
881 install_part.target_hash.assign(info.hash().begin(), info.hash().end());
882
883 install_part.block_size = block_size_;
884 if (partition.has_hash_tree_extent()) {
885 Extent extent = partition.hash_tree_data_extent();
886 install_part.hash_tree_data_offset = extent.start_block() * block_size_;
887 install_part.hash_tree_data_size = extent.num_blocks() * block_size_;
888 extent = partition.hash_tree_extent();
889 install_part.hash_tree_offset = extent.start_block() * block_size_;
890 install_part.hash_tree_size = extent.num_blocks() * block_size_;
891 uint64_t hash_tree_data_end =
892 install_part.hash_tree_data_offset + install_part.hash_tree_data_size;
893 if (install_part.hash_tree_offset < hash_tree_data_end) {
894 LOG(ERROR) << "Invalid hash tree extents, hash tree data ends at "
895 << hash_tree_data_end << ", but hash tree starts at "
896 << install_part.hash_tree_offset;
897 *error = ErrorCode::kDownloadNewPartitionInfoError;
898 return false;
899 }
900 install_part.hash_tree_algorithm = partition.hash_tree_algorithm();
901 install_part.hash_tree_salt.assign(partition.hash_tree_salt().begin(),
902 partition.hash_tree_salt().end());
903 }
904 if (partition.has_fec_extent()) {
905 Extent extent = partition.fec_data_extent();
906 install_part.fec_data_offset = extent.start_block() * block_size_;
907 install_part.fec_data_size = extent.num_blocks() * block_size_;
908 extent = partition.fec_extent();
909 install_part.fec_offset = extent.start_block() * block_size_;
910 install_part.fec_size = extent.num_blocks() * block_size_;
911 uint64_t fec_data_end =
912 install_part.fec_data_offset + install_part.fec_data_size;
913 if (install_part.fec_offset < fec_data_end) {
914 LOG(ERROR) << "Invalid fec extents, fec data ends at " << fec_data_end
915 << ", but fec starts at " << install_part.fec_offset;
916 *error = ErrorCode::kDownloadNewPartitionInfoError;
917 return false;
918 }
919 install_part.fec_roots = partition.fec_roots();
920 }
921
922 install_plan_->partitions.push_back(install_part);
923 }
924
925 if (install_plan_->target_slot != BootControlInterface::kInvalidSlot) {
926 if (!InitPartitionMetadata()) {
927 *error = ErrorCode::kInstallDeviceOpenError;
928 return false;
929 }
930 }
931
932 if (!install_plan_->LoadPartitionsFromSlots(boot_control_)) {
933 LOG(ERROR) << "Unable to determine all the partition devices.";
934 *error = ErrorCode::kInstallDeviceOpenError;
935 return false;
936 }
937 LogPartitionInfo(partitions_);
938 return true;
939 }
940
InitPartitionMetadata()941 bool DeltaPerformer::InitPartitionMetadata() {
942 BootControlInterface::PartitionMetadata partition_metadata;
943 if (manifest_.has_dynamic_partition_metadata()) {
944 std::map<string, uint64_t> partition_sizes;
945 for (const auto& partition : install_plan_->partitions) {
946 partition_sizes.emplace(partition.name, partition.target_size);
947 }
948 for (const auto& group : manifest_.dynamic_partition_metadata().groups()) {
949 BootControlInterface::PartitionMetadata::Group e;
950 e.name = group.name();
951 e.size = group.size();
952 for (const auto& partition_name : group.partition_names()) {
953 auto it = partition_sizes.find(partition_name);
954 if (it == partition_sizes.end()) {
955 // TODO(tbao): Support auto-filling partition info for framework-only
956 // OTA.
957 LOG(ERROR) << "dynamic_partition_metadata contains partition "
958 << partition_name
959 << " but it is not part of the manifest. "
960 << "This is not supported.";
961 return false;
962 }
963 e.partitions.push_back({partition_name, it->second});
964 }
965 partition_metadata.groups.push_back(std::move(e));
966 }
967 }
968
969 bool metadata_updated = false;
970 prefs_->GetBoolean(kPrefsDynamicPartitionMetadataUpdated, &metadata_updated);
971 if (!boot_control_->InitPartitionMetadata(
972 install_plan_->target_slot, partition_metadata, !metadata_updated)) {
973 LOG(ERROR) << "Unable to initialize partition metadata for slot "
974 << BootControlInterface::SlotName(install_plan_->target_slot);
975 return false;
976 }
977 TEST_AND_RETURN_FALSE(
978 prefs_->SetBoolean(kPrefsDynamicPartitionMetadataUpdated, true));
979 LOG(INFO) << "InitPartitionMetadata done.";
980
981 return true;
982 }
983
CanPerformInstallOperation(const chromeos_update_engine::InstallOperation & operation)984 bool DeltaPerformer::CanPerformInstallOperation(
985 const chromeos_update_engine::InstallOperation& operation) {
986 // If we don't have a data blob we can apply it right away.
987 if (!operation.has_data_offset() && !operation.has_data_length())
988 return true;
989
990 // See if we have the entire data blob in the buffer
991 if (operation.data_offset() < buffer_offset_) {
992 LOG(ERROR) << "we threw away data it seems?";
993 return false;
994 }
995
996 return (operation.data_offset() + operation.data_length() <=
997 buffer_offset_ + buffer_.size());
998 }
999
PerformReplaceOperation(const InstallOperation & operation)1000 bool DeltaPerformer::PerformReplaceOperation(
1001 const InstallOperation& operation) {
1002 CHECK(operation.type() == InstallOperation::REPLACE ||
1003 operation.type() == InstallOperation::REPLACE_BZ ||
1004 operation.type() == InstallOperation::REPLACE_XZ);
1005
1006 // Since we delete data off the beginning of the buffer as we use it,
1007 // the data we need should be exactly at the beginning of the buffer.
1008 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1009 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1010
1011 // Extract the signature message if it's in this operation.
1012 if (ExtractSignatureMessageFromOperation(operation)) {
1013 // If this is dummy replace operation, we ignore it after extracting the
1014 // signature.
1015 DiscardBuffer(true, 0);
1016 return true;
1017 }
1018
1019 // Setup the ExtentWriter stack based on the operation type.
1020 std::unique_ptr<ExtentWriter> writer = std::make_unique<DirectExtentWriter>();
1021
1022 if (operation.type() == InstallOperation::REPLACE_BZ) {
1023 writer.reset(new BzipExtentWriter(std::move(writer)));
1024 } else if (operation.type() == InstallOperation::REPLACE_XZ) {
1025 writer.reset(new XzExtentWriter(std::move(writer)));
1026 }
1027
1028 TEST_AND_RETURN_FALSE(
1029 writer->Init(target_fd_, operation.dst_extents(), block_size_));
1030 TEST_AND_RETURN_FALSE(writer->Write(buffer_.data(), operation.data_length()));
1031
1032 // Update buffer
1033 DiscardBuffer(true, buffer_.size());
1034 return true;
1035 }
1036
PerformZeroOrDiscardOperation(const InstallOperation & operation)1037 bool DeltaPerformer::PerformZeroOrDiscardOperation(
1038 const InstallOperation& operation) {
1039 CHECK(operation.type() == InstallOperation::DISCARD ||
1040 operation.type() == InstallOperation::ZERO);
1041
1042 // These operations have no blob.
1043 TEST_AND_RETURN_FALSE(!operation.has_data_offset());
1044 TEST_AND_RETURN_FALSE(!operation.has_data_length());
1045
1046 #ifdef BLKZEROOUT
1047 bool attempt_ioctl = true;
1048 int request =
1049 (operation.type() == InstallOperation::ZERO ? BLKZEROOUT : BLKDISCARD);
1050 #else // !defined(BLKZEROOUT)
1051 bool attempt_ioctl = false;
1052 int request = 0;
1053 #endif // !defined(BLKZEROOUT)
1054
1055 brillo::Blob zeros;
1056 for (const Extent& extent : operation.dst_extents()) {
1057 const uint64_t start = extent.start_block() * block_size_;
1058 const uint64_t length = extent.num_blocks() * block_size_;
1059 if (attempt_ioctl) {
1060 int result = 0;
1061 if (target_fd_->BlkIoctl(request, start, length, &result) && result == 0)
1062 continue;
1063 attempt_ioctl = false;
1064 }
1065 // In case of failure, we fall back to writing 0 to the selected region.
1066 zeros.resize(16 * block_size_);
1067 for (uint64_t offset = 0; offset < length; offset += zeros.size()) {
1068 uint64_t chunk_length =
1069 min(length - offset, static_cast<uint64_t>(zeros.size()));
1070 TEST_AND_RETURN_FALSE(utils::PWriteAll(
1071 target_fd_, zeros.data(), chunk_length, start + offset));
1072 }
1073 }
1074 return true;
1075 }
1076
PerformMoveOperation(const InstallOperation & operation)1077 bool DeltaPerformer::PerformMoveOperation(const InstallOperation& operation) {
1078 // Calculate buffer size. Note, this function doesn't do a sliding
1079 // window to copy in case the source and destination blocks overlap.
1080 // If we wanted to do a sliding window, we could program the server
1081 // to generate deltas that effectively did a sliding window.
1082
1083 uint64_t blocks_to_read = 0;
1084 for (int i = 0; i < operation.src_extents_size(); i++)
1085 blocks_to_read += operation.src_extents(i).num_blocks();
1086
1087 uint64_t blocks_to_write = 0;
1088 for (int i = 0; i < operation.dst_extents_size(); i++)
1089 blocks_to_write += operation.dst_extents(i).num_blocks();
1090
1091 DCHECK_EQ(blocks_to_write, blocks_to_read);
1092 brillo::Blob buf(blocks_to_write * block_size_);
1093
1094 // Read in bytes.
1095 ssize_t bytes_read = 0;
1096 for (int i = 0; i < operation.src_extents_size(); i++) {
1097 ssize_t bytes_read_this_iteration = 0;
1098 const Extent& extent = operation.src_extents(i);
1099 const size_t bytes = extent.num_blocks() * block_size_;
1100 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole);
1101 TEST_AND_RETURN_FALSE(utils::PReadAll(target_fd_,
1102 &buf[bytes_read],
1103 bytes,
1104 extent.start_block() * block_size_,
1105 &bytes_read_this_iteration));
1106 TEST_AND_RETURN_FALSE(bytes_read_this_iteration ==
1107 static_cast<ssize_t>(bytes));
1108 bytes_read += bytes_read_this_iteration;
1109 }
1110
1111 // Write bytes out.
1112 ssize_t bytes_written = 0;
1113 for (int i = 0; i < operation.dst_extents_size(); i++) {
1114 const Extent& extent = operation.dst_extents(i);
1115 const size_t bytes = extent.num_blocks() * block_size_;
1116 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole);
1117 TEST_AND_RETURN_FALSE(utils::PWriteAll(target_fd_,
1118 &buf[bytes_written],
1119 bytes,
1120 extent.start_block() * block_size_));
1121 bytes_written += bytes;
1122 }
1123 DCHECK_EQ(bytes_written, bytes_read);
1124 DCHECK_EQ(bytes_written, static_cast<ssize_t>(buf.size()));
1125 return true;
1126 }
1127
ValidateSourceHash(const brillo::Blob & calculated_hash,const InstallOperation & operation,const FileDescriptorPtr source_fd,ErrorCode * error)1128 bool DeltaPerformer::ValidateSourceHash(const brillo::Blob& calculated_hash,
1129 const InstallOperation& operation,
1130 const FileDescriptorPtr source_fd,
1131 ErrorCode* error) {
1132 brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(),
1133 operation.src_sha256_hash().end());
1134 if (calculated_hash != expected_source_hash) {
1135 LOG(ERROR) << "The hash of the source data on disk for this operation "
1136 << "doesn't match the expected value. This could mean that the "
1137 << "delta update payload was targeted for another version, or "
1138 << "that the source partition was modified after it was "
1139 << "installed, for example, by mounting a filesystem.";
1140 LOG(ERROR) << "Expected: sha256|hex = "
1141 << base::HexEncode(expected_source_hash.data(),
1142 expected_source_hash.size());
1143 LOG(ERROR) << "Calculated: sha256|hex = "
1144 << base::HexEncode(calculated_hash.data(),
1145 calculated_hash.size());
1146
1147 vector<string> source_extents;
1148 for (const Extent& ext : operation.src_extents()) {
1149 source_extents.push_back(
1150 base::StringPrintf("%" PRIu64 ":%" PRIu64,
1151 static_cast<uint64_t>(ext.start_block()),
1152 static_cast<uint64_t>(ext.num_blocks())));
1153 }
1154 LOG(ERROR) << "Operation source (offset:size) in blocks: "
1155 << base::JoinString(source_extents, ",");
1156
1157 // Log remount history if this device is an ext4 partition.
1158 LogMountHistory(source_fd);
1159
1160 *error = ErrorCode::kDownloadStateInitializationError;
1161 return false;
1162 }
1163 return true;
1164 }
1165
PerformSourceCopyOperation(const InstallOperation & operation,ErrorCode * error)1166 bool DeltaPerformer::PerformSourceCopyOperation(
1167 const InstallOperation& operation, ErrorCode* error) {
1168 if (operation.has_src_length())
1169 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0);
1170 if (operation.has_dst_length())
1171 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0);
1172
1173 TEST_AND_RETURN_FALSE(source_fd_ != nullptr);
1174
1175 if (operation.has_src_sha256_hash()) {
1176 brillo::Blob source_hash;
1177 brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(),
1178 operation.src_sha256_hash().end());
1179
1180 // We fall back to use the error corrected device if the hash of the raw
1181 // device doesn't match or there was an error reading the source partition.
1182 // Note that this code will also fall back if writing the target partition
1183 // fails.
1184 bool read_ok = fd_utils::CopyAndHashExtents(source_fd_,
1185 operation.src_extents(),
1186 target_fd_,
1187 operation.dst_extents(),
1188 block_size_,
1189 &source_hash);
1190 if (read_ok && expected_source_hash == source_hash)
1191 return true;
1192
1193 if (!OpenCurrentECCPartition()) {
1194 // The following function call will return false since the source hash
1195 // mismatches, but we still want to call it so it prints the appropriate
1196 // log message.
1197 return ValidateSourceHash(source_hash, operation, source_fd_, error);
1198 }
1199
1200 LOG(WARNING) << "Source hash from RAW device mismatched: found "
1201 << base::HexEncode(source_hash.data(), source_hash.size())
1202 << ", expected "
1203 << base::HexEncode(expected_source_hash.data(),
1204 expected_source_hash.size());
1205
1206 TEST_AND_RETURN_FALSE(fd_utils::CopyAndHashExtents(source_ecc_fd_,
1207 operation.src_extents(),
1208 target_fd_,
1209 operation.dst_extents(),
1210 block_size_,
1211 &source_hash));
1212 TEST_AND_RETURN_FALSE(
1213 ValidateSourceHash(source_hash, operation, source_ecc_fd_, error));
1214 // At this point reading from the the error corrected device worked, but
1215 // reading from the raw device failed, so this is considered a recovered
1216 // failure.
1217 source_ecc_recovered_failures_++;
1218 } else {
1219 // When the operation doesn't include a source hash, we attempt the error
1220 // corrected device first since we can't verify the block in the raw device
1221 // at this point, but we fall back to the raw device since the error
1222 // corrected device can be shorter or not available.
1223 if (OpenCurrentECCPartition() &&
1224 fd_utils::CopyAndHashExtents(source_ecc_fd_,
1225 operation.src_extents(),
1226 target_fd_,
1227 operation.dst_extents(),
1228 block_size_,
1229 nullptr)) {
1230 return true;
1231 }
1232 TEST_AND_RETURN_FALSE(fd_utils::CopyAndHashExtents(source_fd_,
1233 operation.src_extents(),
1234 target_fd_,
1235 operation.dst_extents(),
1236 block_size_,
1237 nullptr));
1238 }
1239 return true;
1240 }
1241
ChooseSourceFD(const InstallOperation & operation,ErrorCode * error)1242 FileDescriptorPtr DeltaPerformer::ChooseSourceFD(
1243 const InstallOperation& operation, ErrorCode* error) {
1244 if (source_fd_ == nullptr) {
1245 LOG(ERROR) << "ChooseSourceFD fail: source_fd_ == nullptr";
1246 return nullptr;
1247 }
1248
1249 if (!operation.has_src_sha256_hash()) {
1250 // When the operation doesn't include a source hash, we attempt the error
1251 // corrected device first since we can't verify the block in the raw device
1252 // at this point, but we first need to make sure all extents are readable
1253 // since the error corrected device can be shorter or not available.
1254 if (OpenCurrentECCPartition() &&
1255 fd_utils::ReadAndHashExtents(
1256 source_ecc_fd_, operation.src_extents(), block_size_, nullptr)) {
1257 return source_ecc_fd_;
1258 }
1259 return source_fd_;
1260 }
1261
1262 brillo::Blob source_hash;
1263 brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(),
1264 operation.src_sha256_hash().end());
1265 if (fd_utils::ReadAndHashExtents(
1266 source_fd_, operation.src_extents(), block_size_, &source_hash) &&
1267 source_hash == expected_source_hash) {
1268 return source_fd_;
1269 }
1270 // We fall back to use the error corrected device if the hash of the raw
1271 // device doesn't match or there was an error reading the source partition.
1272 if (!OpenCurrentECCPartition()) {
1273 // The following function call will return false since the source hash
1274 // mismatches, but we still want to call it so it prints the appropriate
1275 // log message.
1276 ValidateSourceHash(source_hash, operation, source_fd_, error);
1277 return nullptr;
1278 }
1279 LOG(WARNING) << "Source hash from RAW device mismatched: found "
1280 << base::HexEncode(source_hash.data(), source_hash.size())
1281 << ", expected "
1282 << base::HexEncode(expected_source_hash.data(),
1283 expected_source_hash.size());
1284
1285 if (fd_utils::ReadAndHashExtents(
1286 source_ecc_fd_, operation.src_extents(), block_size_, &source_hash) &&
1287 ValidateSourceHash(source_hash, operation, source_ecc_fd_, error)) {
1288 // At this point reading from the the error corrected device worked, but
1289 // reading from the raw device failed, so this is considered a recovered
1290 // failure.
1291 source_ecc_recovered_failures_++;
1292 return source_ecc_fd_;
1293 }
1294 return nullptr;
1295 }
1296
ExtentsToBsdiffPositionsString(const RepeatedPtrField<Extent> & extents,uint64_t block_size,uint64_t full_length,string * positions_string)1297 bool DeltaPerformer::ExtentsToBsdiffPositionsString(
1298 const RepeatedPtrField<Extent>& extents,
1299 uint64_t block_size,
1300 uint64_t full_length,
1301 string* positions_string) {
1302 string ret;
1303 uint64_t length = 0;
1304 for (const Extent& extent : extents) {
1305 int64_t start = extent.start_block() * block_size;
1306 uint64_t this_length =
1307 min(full_length - length,
1308 static_cast<uint64_t>(extent.num_blocks()) * block_size);
1309 ret += base::StringPrintf("%" PRIi64 ":%" PRIu64 ",", start, this_length);
1310 length += this_length;
1311 }
1312 TEST_AND_RETURN_FALSE(length == full_length);
1313 if (!ret.empty())
1314 ret.resize(ret.size() - 1); // Strip trailing comma off
1315 *positions_string = ret;
1316 return true;
1317 }
1318
PerformBsdiffOperation(const InstallOperation & operation)1319 bool DeltaPerformer::PerformBsdiffOperation(const InstallOperation& operation) {
1320 // Since we delete data off the beginning of the buffer as we use it,
1321 // the data we need should be exactly at the beginning of the buffer.
1322 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1323 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1324
1325 string input_positions;
1326 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(),
1327 block_size_,
1328 operation.src_length(),
1329 &input_positions));
1330 string output_positions;
1331 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(),
1332 block_size_,
1333 operation.dst_length(),
1334 &output_positions));
1335
1336 TEST_AND_RETURN_FALSE(bsdiff::bspatch(target_path_.c_str(),
1337 target_path_.c_str(),
1338 buffer_.data(),
1339 buffer_.size(),
1340 input_positions.c_str(),
1341 output_positions.c_str()) == 0);
1342 DiscardBuffer(true, buffer_.size());
1343
1344 if (operation.dst_length() % block_size_) {
1345 // Zero out rest of final block.
1346 // TODO(adlr): build this into bspatch; it's more efficient that way.
1347 const Extent& last_extent =
1348 operation.dst_extents(operation.dst_extents_size() - 1);
1349 const uint64_t end_byte =
1350 (last_extent.start_block() + last_extent.num_blocks()) * block_size_;
1351 const uint64_t begin_byte =
1352 end_byte - (block_size_ - operation.dst_length() % block_size_);
1353 brillo::Blob zeros(end_byte - begin_byte);
1354 TEST_AND_RETURN_FALSE(utils::PWriteAll(
1355 target_fd_, zeros.data(), end_byte - begin_byte, begin_byte));
1356 }
1357 return true;
1358 }
1359
1360 namespace {
1361
1362 class BsdiffExtentFile : public bsdiff::FileInterface {
1363 public:
BsdiffExtentFile(std::unique_ptr<ExtentReader> reader,size_t size)1364 BsdiffExtentFile(std::unique_ptr<ExtentReader> reader, size_t size)
1365 : BsdiffExtentFile(std::move(reader), nullptr, size) {}
BsdiffExtentFile(std::unique_ptr<ExtentWriter> writer,size_t size)1366 BsdiffExtentFile(std::unique_ptr<ExtentWriter> writer, size_t size)
1367 : BsdiffExtentFile(nullptr, std::move(writer), size) {}
1368
1369 ~BsdiffExtentFile() override = default;
1370
Read(void * buf,size_t count,size_t * bytes_read)1371 bool Read(void* buf, size_t count, size_t* bytes_read) override {
1372 TEST_AND_RETURN_FALSE(reader_->Read(buf, count));
1373 *bytes_read = count;
1374 offset_ += count;
1375 return true;
1376 }
1377
Write(const void * buf,size_t count,size_t * bytes_written)1378 bool Write(const void* buf, size_t count, size_t* bytes_written) override {
1379 TEST_AND_RETURN_FALSE(writer_->Write(buf, count));
1380 *bytes_written = count;
1381 offset_ += count;
1382 return true;
1383 }
1384
Seek(off_t pos)1385 bool Seek(off_t pos) override {
1386 if (reader_ != nullptr) {
1387 TEST_AND_RETURN_FALSE(reader_->Seek(pos));
1388 offset_ = pos;
1389 } else {
1390 // For writes technically there should be no change of position, or it
1391 // should be equivalent of current offset.
1392 TEST_AND_RETURN_FALSE(offset_ == static_cast<uint64_t>(pos));
1393 }
1394 return true;
1395 }
1396
Close()1397 bool Close() override { return true; }
1398
GetSize(uint64_t * size)1399 bool GetSize(uint64_t* size) override {
1400 *size = size_;
1401 return true;
1402 }
1403
1404 private:
BsdiffExtentFile(std::unique_ptr<ExtentReader> reader,std::unique_ptr<ExtentWriter> writer,size_t size)1405 BsdiffExtentFile(std::unique_ptr<ExtentReader> reader,
1406 std::unique_ptr<ExtentWriter> writer,
1407 size_t size)
1408 : reader_(std::move(reader)),
1409 writer_(std::move(writer)),
1410 size_(size),
1411 offset_(0) {}
1412
1413 std::unique_ptr<ExtentReader> reader_;
1414 std::unique_ptr<ExtentWriter> writer_;
1415 uint64_t size_;
1416 uint64_t offset_;
1417
1418 DISALLOW_COPY_AND_ASSIGN(BsdiffExtentFile);
1419 };
1420
1421 } // namespace
1422
PerformSourceBsdiffOperation(const InstallOperation & operation,ErrorCode * error)1423 bool DeltaPerformer::PerformSourceBsdiffOperation(
1424 const InstallOperation& operation, ErrorCode* error) {
1425 // Since we delete data off the beginning of the buffer as we use it,
1426 // the data we need should be exactly at the beginning of the buffer.
1427 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1428 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1429 if (operation.has_src_length())
1430 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0);
1431 if (operation.has_dst_length())
1432 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0);
1433
1434 FileDescriptorPtr source_fd = ChooseSourceFD(operation, error);
1435 TEST_AND_RETURN_FALSE(source_fd != nullptr);
1436
1437 auto reader = std::make_unique<DirectExtentReader>();
1438 TEST_AND_RETURN_FALSE(
1439 reader->Init(source_fd, operation.src_extents(), block_size_));
1440 auto src_file = std::make_unique<BsdiffExtentFile>(
1441 std::move(reader),
1442 utils::BlocksInExtents(operation.src_extents()) * block_size_);
1443
1444 auto writer = std::make_unique<DirectExtentWriter>();
1445 TEST_AND_RETURN_FALSE(
1446 writer->Init(target_fd_, operation.dst_extents(), block_size_));
1447 auto dst_file = std::make_unique<BsdiffExtentFile>(
1448 std::move(writer),
1449 utils::BlocksInExtents(operation.dst_extents()) * block_size_);
1450
1451 TEST_AND_RETURN_FALSE(bsdiff::bspatch(std::move(src_file),
1452 std::move(dst_file),
1453 buffer_.data(),
1454 buffer_.size()) == 0);
1455 DiscardBuffer(true, buffer_.size());
1456 return true;
1457 }
1458
1459 namespace {
1460
1461 // A class to be passed to |puffpatch| for reading from |source_fd_| and writing
1462 // into |target_fd_|.
1463 class PuffinExtentStream : public puffin::StreamInterface {
1464 public:
1465 // Constructor for creating a stream for reading from an |ExtentReader|.
PuffinExtentStream(std::unique_ptr<ExtentReader> reader,uint64_t size)1466 PuffinExtentStream(std::unique_ptr<ExtentReader> reader, uint64_t size)
1467 : PuffinExtentStream(std::move(reader), nullptr, size) {}
1468
1469 // Constructor for creating a stream for writing to an |ExtentWriter|.
PuffinExtentStream(std::unique_ptr<ExtentWriter> writer,uint64_t size)1470 PuffinExtentStream(std::unique_ptr<ExtentWriter> writer, uint64_t size)
1471 : PuffinExtentStream(nullptr, std::move(writer), size) {}
1472
1473 ~PuffinExtentStream() override = default;
1474
GetSize(uint64_t * size) const1475 bool GetSize(uint64_t* size) const override {
1476 *size = size_;
1477 return true;
1478 }
1479
GetOffset(uint64_t * offset) const1480 bool GetOffset(uint64_t* offset) const override {
1481 *offset = offset_;
1482 return true;
1483 }
1484
Seek(uint64_t offset)1485 bool Seek(uint64_t offset) override {
1486 if (is_read_) {
1487 TEST_AND_RETURN_FALSE(reader_->Seek(offset));
1488 offset_ = offset;
1489 } else {
1490 // For writes technically there should be no change of position, or it
1491 // should equivalent of current offset.
1492 TEST_AND_RETURN_FALSE(offset_ == offset);
1493 }
1494 return true;
1495 }
1496
Read(void * buffer,size_t count)1497 bool Read(void* buffer, size_t count) override {
1498 TEST_AND_RETURN_FALSE(is_read_);
1499 TEST_AND_RETURN_FALSE(reader_->Read(buffer, count));
1500 offset_ += count;
1501 return true;
1502 }
1503
Write(const void * buffer,size_t count)1504 bool Write(const void* buffer, size_t count) override {
1505 TEST_AND_RETURN_FALSE(!is_read_);
1506 TEST_AND_RETURN_FALSE(writer_->Write(buffer, count));
1507 offset_ += count;
1508 return true;
1509 }
1510
Close()1511 bool Close() override { return true; }
1512
1513 private:
PuffinExtentStream(std::unique_ptr<ExtentReader> reader,std::unique_ptr<ExtentWriter> writer,uint64_t size)1514 PuffinExtentStream(std::unique_ptr<ExtentReader> reader,
1515 std::unique_ptr<ExtentWriter> writer,
1516 uint64_t size)
1517 : reader_(std::move(reader)),
1518 writer_(std::move(writer)),
1519 size_(size),
1520 offset_(0),
1521 is_read_(reader_ ? true : false) {}
1522
1523 std::unique_ptr<ExtentReader> reader_;
1524 std::unique_ptr<ExtentWriter> writer_;
1525 uint64_t size_;
1526 uint64_t offset_;
1527 bool is_read_;
1528
1529 DISALLOW_COPY_AND_ASSIGN(PuffinExtentStream);
1530 };
1531
1532 } // namespace
1533
PerformPuffDiffOperation(const InstallOperation & operation,ErrorCode * error)1534 bool DeltaPerformer::PerformPuffDiffOperation(const InstallOperation& operation,
1535 ErrorCode* error) {
1536 // Since we delete data off the beginning of the buffer as we use it,
1537 // the data we need should be exactly at the beginning of the buffer.
1538 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1539 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1540
1541 FileDescriptorPtr source_fd = ChooseSourceFD(operation, error);
1542 TEST_AND_RETURN_FALSE(source_fd != nullptr);
1543
1544 auto reader = std::make_unique<DirectExtentReader>();
1545 TEST_AND_RETURN_FALSE(
1546 reader->Init(source_fd, operation.src_extents(), block_size_));
1547 puffin::UniqueStreamPtr src_stream(new PuffinExtentStream(
1548 std::move(reader),
1549 utils::BlocksInExtents(operation.src_extents()) * block_size_));
1550
1551 auto writer = std::make_unique<DirectExtentWriter>();
1552 TEST_AND_RETURN_FALSE(
1553 writer->Init(target_fd_, operation.dst_extents(), block_size_));
1554 puffin::UniqueStreamPtr dst_stream(new PuffinExtentStream(
1555 std::move(writer),
1556 utils::BlocksInExtents(operation.dst_extents()) * block_size_));
1557
1558 const size_t kMaxCacheSize = 5 * 1024 * 1024; // Total 5MB cache.
1559 TEST_AND_RETURN_FALSE(puffin::PuffPatch(std::move(src_stream),
1560 std::move(dst_stream),
1561 buffer_.data(),
1562 buffer_.size(),
1563 kMaxCacheSize));
1564 DiscardBuffer(true, buffer_.size());
1565 return true;
1566 }
1567
ExtractSignatureMessageFromOperation(const InstallOperation & operation)1568 bool DeltaPerformer::ExtractSignatureMessageFromOperation(
1569 const InstallOperation& operation) {
1570 if (operation.type() != InstallOperation::REPLACE ||
1571 !manifest_.has_signatures_offset() ||
1572 manifest_.signatures_offset() != operation.data_offset()) {
1573 return false;
1574 }
1575 TEST_AND_RETURN_FALSE(manifest_.has_signatures_size() &&
1576 manifest_.signatures_size() == operation.data_length());
1577 TEST_AND_RETURN_FALSE(ExtractSignatureMessage());
1578 return true;
1579 }
1580
ExtractSignatureMessage()1581 bool DeltaPerformer::ExtractSignatureMessage() {
1582 TEST_AND_RETURN_FALSE(signatures_message_data_.empty());
1583 TEST_AND_RETURN_FALSE(buffer_offset_ == manifest_.signatures_offset());
1584 TEST_AND_RETURN_FALSE(buffer_.size() >= manifest_.signatures_size());
1585 signatures_message_data_.assign(
1586 buffer_.begin(), buffer_.begin() + manifest_.signatures_size());
1587
1588 // Save the signature blob because if the update is interrupted after the
1589 // download phase we don't go through this path anymore. Some alternatives to
1590 // consider:
1591 //
1592 // 1. On resume, re-download the signature blob from the server and re-verify
1593 // it.
1594 //
1595 // 2. Verify the signature as soon as it's received and don't checkpoint the
1596 // blob and the signed sha-256 context.
1597 LOG_IF(WARNING,
1598 !prefs_->SetString(kPrefsUpdateStateSignatureBlob,
1599 signatures_message_data_))
1600 << "Unable to store the signature blob.";
1601
1602 LOG(INFO) << "Extracted signature data of size "
1603 << manifest_.signatures_size() << " at "
1604 << manifest_.signatures_offset();
1605 return true;
1606 }
1607
GetPublicKey(string * out_public_key)1608 bool DeltaPerformer::GetPublicKey(string* out_public_key) {
1609 out_public_key->clear();
1610
1611 if (utils::FileExists(public_key_path_.c_str())) {
1612 LOG(INFO) << "Verifying using public key: " << public_key_path_;
1613 return utils::ReadFile(public_key_path_, out_public_key);
1614 }
1615
1616 // If this is an official build then we are not allowed to use public key from
1617 // Omaha response.
1618 if (!hardware_->IsOfficialBuild() && !install_plan_->public_key_rsa.empty()) {
1619 LOG(INFO) << "Verifying using public key from Omaha response.";
1620 return brillo::data_encoding::Base64Decode(install_plan_->public_key_rsa,
1621 out_public_key);
1622 }
1623
1624 return true;
1625 }
1626
ValidateManifest()1627 ErrorCode DeltaPerformer::ValidateManifest() {
1628 // Perform assorted checks to sanity check the manifest, make sure it
1629 // matches data from other sources, and that it is a supported version.
1630
1631 bool has_old_fields =
1632 (manifest_.has_old_kernel_info() || manifest_.has_old_rootfs_info());
1633 for (const PartitionUpdate& partition : manifest_.partitions()) {
1634 has_old_fields = has_old_fields || partition.has_old_partition_info();
1635 }
1636
1637 // The presence of an old partition hash is the sole indicator for a delta
1638 // update.
1639 InstallPayloadType actual_payload_type =
1640 has_old_fields ? InstallPayloadType::kDelta : InstallPayloadType::kFull;
1641
1642 if (payload_->type == InstallPayloadType::kUnknown) {
1643 LOG(INFO) << "Detected a '"
1644 << InstallPayloadTypeToString(actual_payload_type)
1645 << "' payload.";
1646 payload_->type = actual_payload_type;
1647 } else if (payload_->type != actual_payload_type) {
1648 LOG(ERROR) << "InstallPlan expected a '"
1649 << InstallPayloadTypeToString(payload_->type)
1650 << "' payload but the downloaded manifest contains a '"
1651 << InstallPayloadTypeToString(actual_payload_type)
1652 << "' payload.";
1653 return ErrorCode::kPayloadMismatchedType;
1654 }
1655
1656 // Check that the minor version is compatible.
1657 if (actual_payload_type == InstallPayloadType::kFull) {
1658 if (manifest_.minor_version() != kFullPayloadMinorVersion) {
1659 LOG(ERROR) << "Manifest contains minor version "
1660 << manifest_.minor_version()
1661 << ", but all full payloads should have version "
1662 << kFullPayloadMinorVersion << ".";
1663 return ErrorCode::kUnsupportedMinorPayloadVersion;
1664 }
1665 } else {
1666 if (manifest_.minor_version() < kMinSupportedMinorPayloadVersion ||
1667 manifest_.minor_version() > kMaxSupportedMinorPayloadVersion) {
1668 LOG(ERROR) << "Manifest contains minor version "
1669 << manifest_.minor_version()
1670 << " not in the range of supported minor versions ["
1671 << kMinSupportedMinorPayloadVersion << ", "
1672 << kMaxSupportedMinorPayloadVersion << "].";
1673 return ErrorCode::kUnsupportedMinorPayloadVersion;
1674 }
1675 }
1676
1677 if (major_payload_version_ != kChromeOSMajorPayloadVersion) {
1678 if (manifest_.has_old_rootfs_info() || manifest_.has_new_rootfs_info() ||
1679 manifest_.has_old_kernel_info() || manifest_.has_new_kernel_info() ||
1680 manifest_.install_operations_size() != 0 ||
1681 manifest_.kernel_install_operations_size() != 0) {
1682 LOG(ERROR) << "Manifest contains deprecated field only supported in "
1683 << "major payload version 1, but the payload major version is "
1684 << major_payload_version_;
1685 return ErrorCode::kPayloadMismatchedType;
1686 }
1687 }
1688
1689 if (manifest_.max_timestamp() < hardware_->GetBuildTimestamp()) {
1690 LOG(ERROR) << "The current OS build timestamp ("
1691 << hardware_->GetBuildTimestamp()
1692 << ") is newer than the maximum timestamp in the manifest ("
1693 << manifest_.max_timestamp() << ")";
1694 return ErrorCode::kPayloadTimestampError;
1695 }
1696
1697 if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
1698 if (manifest_.has_dynamic_partition_metadata()) {
1699 LOG(ERROR)
1700 << "Should not contain dynamic_partition_metadata for major version "
1701 << kChromeOSMajorPayloadVersion
1702 << ". Please use major version 2 or above.";
1703 return ErrorCode::kPayloadMismatchedType;
1704 }
1705 }
1706
1707 // TODO(garnold) we should be adding more and more manifest checks, such as
1708 // partition boundaries etc (see chromium-os:37661).
1709
1710 return ErrorCode::kSuccess;
1711 }
1712
ValidateOperationHash(const InstallOperation & operation)1713 ErrorCode DeltaPerformer::ValidateOperationHash(
1714 const InstallOperation& operation) {
1715 if (!operation.data_sha256_hash().size()) {
1716 if (!operation.data_length()) {
1717 // Operations that do not have any data blob won't have any operation hash
1718 // either. So, these operations are always considered validated since the
1719 // metadata that contains all the non-data-blob portions of the operation
1720 // has already been validated. This is true for both HTTP and HTTPS cases.
1721 return ErrorCode::kSuccess;
1722 }
1723
1724 // No hash is present for an operation that has data blobs. This shouldn't
1725 // happen normally for any client that has this code, because the
1726 // corresponding update should have been produced with the operation
1727 // hashes. So if it happens it means either we've turned operation hash
1728 // generation off in DeltaDiffGenerator or it's a regression of some sort.
1729 // One caveat though: The last operation is a dummy signature operation
1730 // that doesn't have a hash at the time the manifest is created. So we
1731 // should not complaint about that operation. This operation can be
1732 // recognized by the fact that it's offset is mentioned in the manifest.
1733 if (manifest_.signatures_offset() &&
1734 manifest_.signatures_offset() == operation.data_offset()) {
1735 LOG(INFO) << "Skipping hash verification for signature operation "
1736 << next_operation_num_ + 1;
1737 } else {
1738 if (install_plan_->hash_checks_mandatory) {
1739 LOG(ERROR) << "Missing mandatory operation hash for operation "
1740 << next_operation_num_ + 1;
1741 return ErrorCode::kDownloadOperationHashMissingError;
1742 }
1743
1744 LOG(WARNING) << "Cannot validate operation " << next_operation_num_ + 1
1745 << " as there's no operation hash in manifest";
1746 }
1747 return ErrorCode::kSuccess;
1748 }
1749
1750 brillo::Blob expected_op_hash;
1751 expected_op_hash.assign(operation.data_sha256_hash().data(),
1752 (operation.data_sha256_hash().data() +
1753 operation.data_sha256_hash().size()));
1754
1755 brillo::Blob calculated_op_hash;
1756 if (!HashCalculator::RawHashOfBytes(
1757 buffer_.data(), operation.data_length(), &calculated_op_hash)) {
1758 LOG(ERROR) << "Unable to compute actual hash of operation "
1759 << next_operation_num_;
1760 return ErrorCode::kDownloadOperationHashVerificationError;
1761 }
1762
1763 if (calculated_op_hash != expected_op_hash) {
1764 LOG(ERROR) << "Hash verification failed for operation "
1765 << next_operation_num_ << ". Expected hash = ";
1766 utils::HexDumpVector(expected_op_hash);
1767 LOG(ERROR) << "Calculated hash over " << operation.data_length()
1768 << " bytes at offset: " << operation.data_offset() << " = ";
1769 utils::HexDumpVector(calculated_op_hash);
1770 return ErrorCode::kDownloadOperationHashMismatch;
1771 }
1772
1773 return ErrorCode::kSuccess;
1774 }
1775
1776 #define TEST_AND_RETURN_VAL(_retval, _condition) \
1777 do { \
1778 if (!(_condition)) { \
1779 LOG(ERROR) << "VerifyPayload failure: " << #_condition; \
1780 return _retval; \
1781 } \
1782 } while (0);
1783
VerifyPayload(const brillo::Blob & update_check_response_hash,const uint64_t update_check_response_size)1784 ErrorCode DeltaPerformer::VerifyPayload(
1785 const brillo::Blob& update_check_response_hash,
1786 const uint64_t update_check_response_size) {
1787 string public_key;
1788 if (!GetPublicKey(&public_key)) {
1789 LOG(ERROR) << "Failed to get public key.";
1790 return ErrorCode::kDownloadPayloadPubKeyVerificationError;
1791 }
1792
1793 // Verifies the download size.
1794 if (update_check_response_size !=
1795 metadata_size_ + metadata_signature_size_ + buffer_offset_) {
1796 LOG(ERROR) << "update_check_response_size (" << update_check_response_size
1797 << ") doesn't match metadata_size (" << metadata_size_
1798 << ") + metadata_signature_size (" << metadata_signature_size_
1799 << ") + buffer_offset (" << buffer_offset_ << ").";
1800 return ErrorCode::kPayloadSizeMismatchError;
1801 }
1802
1803 // Verifies the payload hash.
1804 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadVerificationError,
1805 !payload_hash_calculator_.raw_hash().empty());
1806 TEST_AND_RETURN_VAL(
1807 ErrorCode::kPayloadHashMismatchError,
1808 payload_hash_calculator_.raw_hash() == update_check_response_hash);
1809
1810 // Verifies the signed payload hash.
1811 if (public_key.empty()) {
1812 LOG(WARNING) << "Not verifying signed delta payload -- missing public key.";
1813 return ErrorCode::kSuccess;
1814 }
1815 TEST_AND_RETURN_VAL(ErrorCode::kSignedDeltaPayloadExpectedError,
1816 !signatures_message_data_.empty());
1817 brillo::Blob hash_data = signed_hash_calculator_.raw_hash();
1818 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError,
1819 hash_data.size() == kSHA256Size);
1820
1821 if (!PayloadVerifier::VerifySignature(
1822 signatures_message_data_, public_key, hash_data)) {
1823 // The autoupdate_CatchBadSignatures test checks for this string
1824 // in log-files. Keep in sync.
1825 LOG(ERROR) << "Public key verification failed, thus update failed.";
1826 return ErrorCode::kDownloadPayloadPubKeyVerificationError;
1827 }
1828
1829 LOG(INFO) << "Payload hash matches value in payload.";
1830 return ErrorCode::kSuccess;
1831 }
1832
DiscardBuffer(bool do_advance_offset,size_t signed_hash_buffer_size)1833 void DeltaPerformer::DiscardBuffer(bool do_advance_offset,
1834 size_t signed_hash_buffer_size) {
1835 // Update the buffer offset.
1836 if (do_advance_offset)
1837 buffer_offset_ += buffer_.size();
1838
1839 // Hash the content.
1840 payload_hash_calculator_.Update(buffer_.data(), buffer_.size());
1841 signed_hash_calculator_.Update(buffer_.data(), signed_hash_buffer_size);
1842
1843 // Swap content with an empty vector to ensure that all memory is released.
1844 brillo::Blob().swap(buffer_);
1845 }
1846
CanResumeUpdate(PrefsInterface * prefs,const string & update_check_response_hash)1847 bool DeltaPerformer::CanResumeUpdate(PrefsInterface* prefs,
1848 const string& update_check_response_hash) {
1849 int64_t next_operation = kUpdateStateOperationInvalid;
1850 if (!(prefs->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) &&
1851 next_operation != kUpdateStateOperationInvalid && next_operation > 0))
1852 return false;
1853
1854 string interrupted_hash;
1855 if (!(prefs->GetString(kPrefsUpdateCheckResponseHash, &interrupted_hash) &&
1856 !interrupted_hash.empty() &&
1857 interrupted_hash == update_check_response_hash))
1858 return false;
1859
1860 int64_t resumed_update_failures;
1861 // Note that storing this value is optional, but if it is there it should not
1862 // be more than the limit.
1863 if (prefs->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures) &&
1864 resumed_update_failures > kMaxResumedUpdateFailures)
1865 return false;
1866
1867 // Sanity check the rest.
1868 int64_t next_data_offset = -1;
1869 if (!(prefs->GetInt64(kPrefsUpdateStateNextDataOffset, &next_data_offset) &&
1870 next_data_offset >= 0))
1871 return false;
1872
1873 string sha256_context;
1874 if (!(prefs->GetString(kPrefsUpdateStateSHA256Context, &sha256_context) &&
1875 !sha256_context.empty()))
1876 return false;
1877
1878 int64_t manifest_metadata_size = 0;
1879 if (!(prefs->GetInt64(kPrefsManifestMetadataSize, &manifest_metadata_size) &&
1880 manifest_metadata_size > 0))
1881 return false;
1882
1883 int64_t manifest_signature_size = 0;
1884 if (!(prefs->GetInt64(kPrefsManifestSignatureSize,
1885 &manifest_signature_size) &&
1886 manifest_signature_size >= 0))
1887 return false;
1888
1889 return true;
1890 }
1891
ResetUpdateProgress(PrefsInterface * prefs,bool quick)1892 bool DeltaPerformer::ResetUpdateProgress(PrefsInterface* prefs, bool quick) {
1893 TEST_AND_RETURN_FALSE(prefs->SetInt64(kPrefsUpdateStateNextOperation,
1894 kUpdateStateOperationInvalid));
1895 if (!quick) {
1896 prefs->SetInt64(kPrefsUpdateStateNextDataOffset, -1);
1897 prefs->SetInt64(kPrefsUpdateStateNextDataLength, 0);
1898 prefs->SetString(kPrefsUpdateStateSHA256Context, "");
1899 prefs->SetString(kPrefsUpdateStateSignedSHA256Context, "");
1900 prefs->SetString(kPrefsUpdateStateSignatureBlob, "");
1901 prefs->SetInt64(kPrefsManifestMetadataSize, -1);
1902 prefs->SetInt64(kPrefsManifestSignatureSize, -1);
1903 prefs->SetInt64(kPrefsResumedUpdateFailures, 0);
1904 prefs->Delete(kPrefsPostInstallSucceeded);
1905 prefs->Delete(kPrefsVerityWritten);
1906 prefs->Delete(kPrefsDynamicPartitionMetadataUpdated);
1907 }
1908 return true;
1909 }
1910
CheckpointUpdateProgress(bool force)1911 bool DeltaPerformer::CheckpointUpdateProgress(bool force) {
1912 base::TimeTicks curr_time = base::TimeTicks::Now();
1913 if (force || curr_time > update_checkpoint_time_) {
1914 update_checkpoint_time_ = curr_time + update_checkpoint_wait_;
1915 } else {
1916 return false;
1917 }
1918
1919 Terminator::set_exit_blocked(true);
1920 if (last_updated_buffer_offset_ != buffer_offset_) {
1921 // Resets the progress in case we die in the middle of the state update.
1922 ResetUpdateProgress(prefs_, true);
1923 TEST_AND_RETURN_FALSE(prefs_->SetString(
1924 kPrefsUpdateStateSHA256Context, payload_hash_calculator_.GetContext()));
1925 TEST_AND_RETURN_FALSE(
1926 prefs_->SetString(kPrefsUpdateStateSignedSHA256Context,
1927 signed_hash_calculator_.GetContext()));
1928 TEST_AND_RETURN_FALSE(
1929 prefs_->SetInt64(kPrefsUpdateStateNextDataOffset, buffer_offset_));
1930 last_updated_buffer_offset_ = buffer_offset_;
1931
1932 if (next_operation_num_ < num_total_operations_) {
1933 size_t partition_index = current_partition_;
1934 while (next_operation_num_ >= acc_num_operations_[partition_index])
1935 partition_index++;
1936 const size_t partition_operation_num =
1937 next_operation_num_ -
1938 (partition_index ? acc_num_operations_[partition_index - 1] : 0);
1939 const InstallOperation& op =
1940 partitions_[partition_index].operations(partition_operation_num);
1941 TEST_AND_RETURN_FALSE(
1942 prefs_->SetInt64(kPrefsUpdateStateNextDataLength, op.data_length()));
1943 } else {
1944 TEST_AND_RETURN_FALSE(
1945 prefs_->SetInt64(kPrefsUpdateStateNextDataLength, 0));
1946 }
1947 }
1948 TEST_AND_RETURN_FALSE(
1949 prefs_->SetInt64(kPrefsUpdateStateNextOperation, next_operation_num_));
1950 return true;
1951 }
1952
PrimeUpdateState()1953 bool DeltaPerformer::PrimeUpdateState() {
1954 CHECK(manifest_valid_);
1955
1956 int64_t next_operation = kUpdateStateOperationInvalid;
1957 if (!prefs_->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) ||
1958 next_operation == kUpdateStateOperationInvalid || next_operation <= 0) {
1959 // Initiating a new update, no more state needs to be initialized.
1960 return true;
1961 }
1962 next_operation_num_ = next_operation;
1963
1964 // Resuming an update -- load the rest of the update state.
1965 int64_t next_data_offset = -1;
1966 TEST_AND_RETURN_FALSE(
1967 prefs_->GetInt64(kPrefsUpdateStateNextDataOffset, &next_data_offset) &&
1968 next_data_offset >= 0);
1969 buffer_offset_ = next_data_offset;
1970
1971 // The signed hash context and the signature blob may be empty if the
1972 // interrupted update didn't reach the signature.
1973 string signed_hash_context;
1974 if (prefs_->GetString(kPrefsUpdateStateSignedSHA256Context,
1975 &signed_hash_context)) {
1976 TEST_AND_RETURN_FALSE(
1977 signed_hash_calculator_.SetContext(signed_hash_context));
1978 }
1979
1980 prefs_->GetString(kPrefsUpdateStateSignatureBlob, &signatures_message_data_);
1981
1982 string hash_context;
1983 TEST_AND_RETURN_FALSE(
1984 prefs_->GetString(kPrefsUpdateStateSHA256Context, &hash_context) &&
1985 payload_hash_calculator_.SetContext(hash_context));
1986
1987 int64_t manifest_metadata_size = 0;
1988 TEST_AND_RETURN_FALSE(
1989 prefs_->GetInt64(kPrefsManifestMetadataSize, &manifest_metadata_size) &&
1990 manifest_metadata_size > 0);
1991 metadata_size_ = manifest_metadata_size;
1992
1993 int64_t manifest_signature_size = 0;
1994 TEST_AND_RETURN_FALSE(
1995 prefs_->GetInt64(kPrefsManifestSignatureSize, &manifest_signature_size) &&
1996 manifest_signature_size >= 0);
1997 metadata_signature_size_ = manifest_signature_size;
1998
1999 // Advance the download progress to reflect what doesn't need to be
2000 // re-downloaded.
2001 total_bytes_received_ += buffer_offset_;
2002
2003 // Speculatively count the resume as a failure.
2004 int64_t resumed_update_failures;
2005 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) {
2006 resumed_update_failures++;
2007 } else {
2008 resumed_update_failures = 1;
2009 }
2010 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures);
2011 return true;
2012 }
2013
2014 } // namespace chromeos_update_engine
2015