1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (C) 2017 The Android Open Source Project
4 */
5 #include <common.h>
6 #include <android_ab.h>
7 #include <android_bootloader_message.h>
8 #include <linux/err.h>
9 #include <memalign.h>
10 #include <u-boot/crc.h>
11 #include <u-boot/crc.h>
12
13 /**
14 * Compute the CRC-32 of the bootloader control struct.
15 *
16 * Only the bytes up to the crc32_le field are considered for the CRC-32
17 * calculation.
18 *
19 * @param[in] abc bootloader control block
20 *
21 * @return crc32 sum
22 */
ab_control_compute_crc(struct bootloader_control * abc)23 static uint32_t ab_control_compute_crc(struct bootloader_control *abc)
24 {
25 return crc32(0, (void *)abc, offsetof(typeof(*abc), crc32_le));
26 }
27
28 /**
29 * Initialize bootloader_control to the default value.
30 *
31 * It allows us to boot all slots in order from the first one. This value
32 * should be used when the bootloader message is corrupted, but not when
33 * a valid message indicates that all slots are unbootable.
34 *
35 * @param[in] abc bootloader control block
36 *
37 * @return 0 on success and a negative on error
38 */
ab_control_default(struct bootloader_control * abc)39 static int ab_control_default(struct bootloader_control *abc)
40 {
41 int i;
42 const struct slot_metadata metadata = {
43 .priority = 15,
44 .tries_remaining = 7,
45 .successful_boot = 0,
46 .verity_corrupted = 0,
47 .reserved = 0
48 };
49
50 if (!abc)
51 return -EFAULT;
52
53 memcpy(abc->slot_suffix, "a\0\0\0", 4);
54 abc->magic = BOOT_CTRL_MAGIC;
55 abc->version = BOOT_CTRL_VERSION;
56 abc->nb_slot = NUM_SLOTS;
57 memset(abc->reserved0, 0, sizeof(abc->reserved0));
58 for (i = 0; i < abc->nb_slot; ++i)
59 abc->slot_info[i] = metadata;
60
61 memset(abc->reserved1, 0, sizeof(abc->reserved1));
62 abc->crc32_le = ab_control_compute_crc(abc);
63
64 return 0;
65 }
66
67 /**
68 * Load the boot_control struct from disk into newly allocated memory.
69 *
70 * This function allocates and returns an integer number of disk blocks,
71 * based on the block size of the passed device to help performing a
72 * read-modify-write operation on the boot_control struct.
73 * The boot_control struct offset (2 KiB) must be a multiple of the device
74 * block size, for simplicity.
75 *
76 * @param[in] dev_desc Device where to read the boot_control struct from
77 * @param[in] part_info Partition in 'dev_desc' where to read from, normally
78 * the "misc" partition should be used
79 * @param[out] pointer to pointer to bootloader_control data
80 * @return 0 on success and a negative on error
81 */
ab_control_create_from_disk(struct blk_desc * dev_desc,const disk_partition_t * part_info,struct bootloader_control ** abc)82 static int ab_control_create_from_disk(struct blk_desc *dev_desc,
83 const disk_partition_t *part_info,
84 struct bootloader_control **abc)
85 {
86 ulong abc_offset, abc_blocks, ret;
87
88 abc_offset = offsetof(struct bootloader_message_ab, slot_suffix);
89 if (abc_offset % part_info->blksz) {
90 log_err("ANDROID: Boot control block not block aligned.\n");
91 return -EINVAL;
92 }
93 abc_offset /= part_info->blksz;
94
95 abc_blocks = DIV_ROUND_UP(sizeof(struct bootloader_control),
96 part_info->blksz);
97 if (abc_offset + abc_blocks > part_info->size) {
98 log_err("ANDROID: boot control partition too small. Need at");
99 log_err(" least %lu blocks but have %lu blocks.\n",
100 abc_offset + abc_blocks, part_info->size);
101 return -EINVAL;
102 }
103 *abc = malloc_cache_aligned(abc_blocks * part_info->blksz);
104 if (!*abc)
105 return -ENOMEM;
106
107 ret = blk_dread(dev_desc, part_info->start + abc_offset, abc_blocks,
108 *abc);
109 if (IS_ERR_VALUE(ret)) {
110 log_err("ANDROID: Could not read from boot ctrl partition\n");
111 free(*abc);
112 return -EIO;
113 }
114
115 log_debug("ANDROID: Loaded ABC, %lu blocks\n", abc_blocks);
116
117 return 0;
118 }
119
120 /**
121 * Store the loaded boot_control block.
122 *
123 * Store back to the same location it was read from with
124 * ab_control_create_from_misc().
125 *
126 * @param[in] dev_desc Device where we should write the boot_control struct
127 * @param[in] part_info Partition on the 'dev_desc' where to write
128 * @param[in] abc Pointer to the boot control struct and the extra bytes after
129 * it up to the nearest block boundary
130 * @return 0 on success and a negative on error
131 */
ab_control_store(struct blk_desc * dev_desc,const disk_partition_t * part_info,struct bootloader_control * abc)132 static int ab_control_store(struct blk_desc *dev_desc,
133 const disk_partition_t *part_info,
134 struct bootloader_control *abc)
135 {
136 ulong abc_offset, abc_blocks, ret;
137
138 abc_offset = offsetof(struct bootloader_message_ab, slot_suffix) /
139 part_info->blksz;
140 abc_blocks = DIV_ROUND_UP(sizeof(struct bootloader_control),
141 part_info->blksz);
142 ret = blk_dwrite(dev_desc, part_info->start + abc_offset, abc_blocks,
143 abc);
144 if (IS_ERR_VALUE(ret)) {
145 log_err("ANDROID: Could not write back the misc partition\n");
146 return -EIO;
147 }
148
149 return 0;
150 }
151
152 /**
153 * Compare two slots.
154 *
155 * The function determines slot which is should we boot from among the two.
156 *
157 * @param[in] a The first bootable slot metadata
158 * @param[in] b The second bootable slot metadata
159 * @return Negative if the slot "a" is better, positive of the slot "b" is
160 * better or 0 if they are equally good.
161 */
ab_compare_slots(const struct slot_metadata * a,const struct slot_metadata * b)162 static int ab_compare_slots(const struct slot_metadata *a,
163 const struct slot_metadata *b)
164 {
165 /* Higher priority is better */
166 if (a->priority != b->priority)
167 return b->priority - a->priority;
168
169 /* Higher successful_boot value is better, in case of same priority */
170 if (a->successful_boot != b->successful_boot)
171 return b->successful_boot - a->successful_boot;
172
173 /* Higher tries_remaining is better to ensure round-robin */
174 if (a->tries_remaining != b->tries_remaining)
175 return b->tries_remaining - a->tries_remaining;
176
177 return 0;
178 }
179
ab_select_slot(struct blk_desc * dev_desc,disk_partition_t * part_info)180 int ab_select_slot(struct blk_desc *dev_desc, disk_partition_t *part_info)
181 {
182 struct bootloader_control *abc = NULL;
183 u32 crc32_le;
184 int slot, i, ret;
185 bool store_needed = false;
186 char slot_suffix[4];
187
188 ret = ab_control_create_from_disk(dev_desc, part_info, &abc);
189 if (ret < 0) {
190 /*
191 * This condition represents an actual problem with the code or
192 * the board setup, like an invalid partition information.
193 * Signal a repair mode and do not try to boot from either slot.
194 */
195 return ret;
196 }
197
198 crc32_le = ab_control_compute_crc(abc);
199 if (abc->crc32_le != crc32_le) {
200 log_err("ANDROID: Invalid CRC-32 (expected %.8x, found %.8x),",
201 crc32_le, abc->crc32_le);
202 log_err("re-initializing A/B metadata.\n");
203
204 ret = ab_control_default(abc);
205 if (ret < 0) {
206 free(abc);
207 return -ENODATA;
208 }
209 store_needed = true;
210 }
211
212 if (abc->magic != BOOT_CTRL_MAGIC) {
213 log_err("ANDROID: Unknown A/B metadata: %.8x\n", abc->magic);
214 free(abc);
215 return -ENODATA;
216 }
217
218 if (abc->version > BOOT_CTRL_VERSION) {
219 log_err("ANDROID: Unsupported A/B metadata version: %.8x\n",
220 abc->version);
221 free(abc);
222 return -ENODATA;
223 }
224
225 /*
226 * At this point a valid boot control metadata is stored in abc,
227 * followed by other reserved data in the same block. We select a with
228 * the higher priority slot that
229 * - is not marked as corrupted and
230 * - either has tries_remaining > 0 or successful_boot is true.
231 * If the selected slot has a false successful_boot, we also decrement
232 * the tries_remaining until it eventually becomes unbootable because
233 * tries_remaining reaches 0. This mechanism produces a bootloader
234 * induced rollback, typically right after a failed update.
235 */
236
237 /* Safety check: limit the number of slots. */
238 if (abc->nb_slot > ARRAY_SIZE(abc->slot_info)) {
239 abc->nb_slot = ARRAY_SIZE(abc->slot_info);
240 store_needed = true;
241 }
242
243 slot = -1;
244 for (i = 0; i < abc->nb_slot; ++i) {
245 if (abc->slot_info[i].verity_corrupted ||
246 !abc->slot_info[i].tries_remaining) {
247 log_debug("ANDROID: unbootable slot %d tries: %d, ",
248 i, abc->slot_info[i].tries_remaining);
249 log_debug("corrupt: %d\n",
250 abc->slot_info[i].verity_corrupted);
251 continue;
252 }
253 log_debug("ANDROID: bootable slot %d pri: %d, tries: %d, ",
254 i, abc->slot_info[i].priority,
255 abc->slot_info[i].tries_remaining);
256 log_debug("corrupt: %d, successful: %d\n",
257 abc->slot_info[i].verity_corrupted,
258 abc->slot_info[i].successful_boot);
259
260 if (slot < 0 ||
261 ab_compare_slots(&abc->slot_info[i],
262 &abc->slot_info[slot]) < 0) {
263 slot = i;
264 }
265 }
266
267 if (slot >= 0 && !abc->slot_info[slot].successful_boot) {
268 log_err("ANDROID: Attempting slot %c, tries remaining %d\n",
269 BOOT_SLOT_NAME(slot),
270 abc->slot_info[slot].tries_remaining);
271 abc->slot_info[slot].tries_remaining--;
272 store_needed = true;
273 }
274
275 if (slot >= 0) {
276 /*
277 * Legacy user-space requires this field to be set in the BCB.
278 * Newer releases load this slot suffix from the command line
279 * or the device tree.
280 */
281 memset(slot_suffix, 0, sizeof(slot_suffix));
282 slot_suffix[0] = BOOT_SLOT_NAME(slot);
283 if (memcmp(abc->slot_suffix, slot_suffix,
284 sizeof(slot_suffix))) {
285 memcpy(abc->slot_suffix, slot_suffix,
286 sizeof(slot_suffix));
287 store_needed = true;
288 }
289 }
290
291 if (store_needed) {
292 abc->crc32_le = ab_control_compute_crc(abc);
293 ab_control_store(dev_desc, part_info, abc);
294 }
295 free(abc);
296
297 if (slot < 0)
298 return -EINVAL;
299
300 return slot;
301 }
302