1//
2// Copyright (C) 2010 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8//      http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
16
17// Update file format: An update file contains all the operations needed
18// to update a system to a specific version. It can be a full payload which
19// can update from any version, or a delta payload which can only update
20// from a specific version.
21// The update format is represented by this struct pseudocode:
22// struct delta_update_file {
23//   char magic[4] = "CrAU";
24//   uint64 file_format_version;  // payload major version
25//   uint64 manifest_size;  // Size of protobuf DeltaArchiveManifest
26//
27//   // Only present if format_version >= 2:
28//   uint32 metadata_signature_size;
29//
30//   // The DeltaArchiveManifest protobuf serialized, not compressed.
31//   char manifest[manifest_size];
32//
33//   // The signature of the metadata (from the beginning of the payload up to
34//   // this location, not including the signature itself). This is a serialized
35//   // Signatures message.
36//   char metadata_signature_message[metadata_signature_size];
37//
38//   // Data blobs for files, no specific format. The specific offset
39//   // and length of each data blob is recorded in the DeltaArchiveManifest.
40//   struct {
41//     char data[];
42//   } blobs[];
43//
44//   // The signature of the entire payload, everything up to this location,
45//   // except that metadata_signature_message is skipped to simplify signing
46//   // process. These two are not signed:
47//   uint64 payload_signatures_message_size;
48//   // This is a serialized Signatures message.
49//   char payload_signatures_message[payload_signatures_message_size];
50//
51// };
52
// The DeltaArchiveManifest protobuf carries an ordered list of InstallOperation
// objects (in major version 2, one such list per PartitionUpdate in the
// manifest's |partitions| array). Each operation is applied in order by the
// client.
56
57// The DeltaArchiveManifest also contains the initial and final
58// checksums for the device.
59
60// The client will perform each InstallOperation in order, beginning even
61// before the entire delta file is downloaded (but after at least the
62// protobuf is downloaded). The types of operations are explained:
63// - REPLACE: Replace the dst_extents on the drive with the attached data,
64//   zero padding out to block size.
65// - REPLACE_BZ: bzip2-uncompress the attached data and write it into
66//   dst_extents on the drive, zero padding to block size.
67// - MOVE: Copy the data in src_extents to dst_extents. Extents may overlap,
68//   so it may be desirable to read all src_extents data into memory before
69//   writing it out. (deprecated)
70// - SOURCE_COPY: Copy the data in src_extents in the old partition to
71//   dst_extents in the new partition. There's no overlapping of data because
72//   the extents are in different partitions.
73// - BSDIFF: Read src_length bytes from src_extents into memory, perform
74//   bspatch with attached data, write new data to dst_extents, zero padding
75//   to block size. (deprecated)
76// - SOURCE_BSDIFF: Read the data in src_extents in the old partition, perform
77//   bspatch with the attached data and write the new data to dst_extents in the
78//   new partition.
79// - ZERO: Write zeros to the destination dst_extents.
// - DISCARD: Discard the destination dst_extents blocks on the physical medium.
//   The data subsequently read from those blocks is undefined.
82// - REPLACE_XZ: Replace the dst_extents with the contents of the attached
83//   xz file after decompression. The xz file should only use crc32 or no crc at
84//   all to be compatible with xz-embedded.
85// - PUFFDIFF: Read the data in src_extents in the old partition, perform
86//   puffpatch with the attached data and write the new data to dst_extents in
87//   the new partition.
88//
89// The operations allowed in the payload (supported by the client) depend on the
90// major and minor version. See InstallOperation.Type below for details.
91
syntax = "proto2";

package chromeos_update_engine;
// Lite runtime: the generated classes carry no descriptors/reflection, so
// text-format or reflection-based tooling is not available to consumers.
// This file is a wire contract (also mirrored in the releasetools copy noted
// below); field numbers and types must never be changed or reused.
option optimize_for = LITE_RUNTIME;
96
// Data is packed into blocks on disk, always starting from the beginning
// of the block. If a file's data is too large for one block, it overflows
// into another block, which may or may not be the following block on the
// physical partition. An ordered list of extents is another
// representation of an ordered list of blocks. For example, a file stored
// in blocks 9, 10, 11, 2, 18, 12 (in that order) would be stored in
// extents { {9, 3}, {2, 1}, {18, 1}, {12, 1} } (in that order).
// In general, files are stored sequentially on disk, so it's more efficient
// to use extents to encode the block lists (this is effectively
// run-length encoding).
// A sentinel value (kuint64max, i.e. 2^64 - 1) as the start block denotes a
// sparse hole in a file whose block-length is specified by num_blocks.
//
// Block numbers are in units of DeltaArchiveManifest.block_size. Extents
// arrive inside the manifest, which the metadata signature covers (see the
// file header); even so, a consumer should check that start_block + num_blocks
// neither overflows nor exceeds the target partition before reading or
// writing. NOTE(review): confirm the client performs that bounds check.

// A contiguous run of blocks.
message Extent {
  // First block of the run, or kuint64max for a sparse hole.
  optional uint64 start_block = 1;
  // Number of consecutive blocks starting at |start_block|.
  optional uint64 num_blocks = 2;
}
114
// Signatures: Updates may be signed by the OS vendor. The client verifies
// an update's signature by hashing the entire download. The section of the
// download that contains the signature is at the end of the file, so when
// signing a file, only the part up to the signature part is signed. (The file
// header above spells out exactly which bytes the metadata signature and the
// payload signature each cover; note that the metadata signature block itself
// is skipped when hashing for the payload signature.)
// Then, the client looks inside the download's Signatures message for a
// Signature message that it knows how to handle. Generally, a client will
// only know how to handle one type of signature, but an update may contain
// many signatures to support many different types of client. Then the client
// selects a Signature message and uses that, along with a known public key,
// to verify the download. The public key is expected to be part of the
// client.

// A set of signatures over the same data, one per signing key/algorithm.
message Signatures {
  // One signature. Which key produced it is not recorded here; the client
  // tries it against the public key(s) it ships with.
  message Signature {
    // Deprecated; kept only for wire compatibility.
    optional uint32 version = 1 [deprecated = true];
    // The signature bytes, padded to the maximum size for the signing key
    // (see |unpadded_signature_size|).
    optional bytes data = 2;

    // The DER encoded signature size of EC keys is nondeterministic for
    // different input of sha256 hash. However, we need the size of the
    // serialized signatures protobuf string to be fixed before signing;
    // because this size is part of the content to be signed. Therefore, we
    // always pad the signature data to the maximum possible signature size of
    // a given key. And the payload verifier will truncate the signature to
    // its correct size based on the value of |unpadded_signature_size|.
    // NOTE(review): this length is read from the payload, so the verifier
    // must reject a value larger than data.size() before truncating; an unset
    // value presumably means "use |data| as-is" -- confirm both in the client.
    optional fixed32 unpadded_signature_size = 3;
  }
  // All signatures; the client picks the one it knows how to handle (above).
  repeated Signature signatures = 1;
}
143
// Size and checksum of a whole partition image, used as the initial (old) and
// final (new) state checks for a partition (see PartitionUpdate).
message PartitionInfo {
  // Size of the partition image. NOTE(review): units are not stated here;
  // presumably bytes -- confirm against the client.
  optional uint64 size = 1;
  // Hash of the partition contents. NOTE(review): the algorithm is not stated
  // here; presumably SHA-256 like the other hashes in this file -- confirm.
  optional bytes hash = 2;
}
148
// One step of a partition update: where to read from (src_extents and/or an
// attached blob at data_offset/data_length) and where to write (dst_extents).
// Operations are applied in manifest order (see the file header).
message InstallOperation {
  // Which operations a client accepts depends on the payload's major and
  // minor version (see DeltaArchiveManifest.minor_version). NOTE(review): a
  // client should reject, not skip, an operation whose type it does not
  // support for the payload's version -- confirm.
  enum Type {
    REPLACE = 0;     // Replace destination extents w/ attached data.
    REPLACE_BZ = 1;  // Replace destination extents w/ attached bzipped data.
    MOVE = 2 [deprecated = true];    // Move source extents to target extents.
    BSDIFF = 3 [deprecated = true];  // The data is a bsdiff binary diff.

    // On minor version 2 or newer, these operations are supported:
    SOURCE_COPY = 4;    // Copy from source to target partition
    SOURCE_BSDIFF = 5;  // Like BSDIFF, but read from source partition

    // On minor version 3 or newer and on major version 2 or newer, these
    // operations are supported:
    REPLACE_XZ = 8;  // Replace destination extents w/ attached xz data.

    // On minor version 4 or newer, these operations are supported:
    ZERO = 6;     // Write zeros in the destination.
    DISCARD = 7;  // Discard the destination blocks, reading as undefined.
    BROTLI_BSDIFF = 10;  // Like SOURCE_BSDIFF, but compressed with brotli.

    // On minor version 5 or newer, these operations are supported:
    PUFFDIFF = 9;  // The data is in puffdiff format.

    // On minor version 8 or newer, these operations are supported:
    ZUCCHINI = 11;  // NOTE(review): undocumented here; presumably a zucchini
                    // patch applied like the other diff operations -- confirm.

    // On minor version 9 or newer, these operations are supported:
    LZ4DIFF_BSDIFF = 12;    // NOTE(review): undocumented here; presumably the
    LZ4DIFF_PUFFDIFF = 13;  // LZ4 variants of SOURCE_BSDIFF/PUFFDIFF -- confirm.
  }
  // The operation kind (proto2 required).
  required Type type = 1;

  // Only minor version 6 or newer support 64 bits |data_offset| and
  // |data_length|, older client will read them as uint32.
  // The offset into the delta file (after the protobuf)
  // where the data (if any) is stored
  // NOTE(review): both values come from the payload; the client must check
  // that data_offset + data_length does not overflow and stays inside the
  // blob area (before the trailing payload signature) -- confirm. A
  // pre-minor-6 client reading a >32-bit value as uint32 would presumably
  // truncate it silently.
  optional uint64 data_offset = 2;
  // The length of the data in the delta file
  optional uint64 data_length = 3;

  // Ordered list of extents that are read from (if any).
  repeated Extent src_extents = 4;
  // Byte length of src, equal to the number of blocks in src_extents *
  // block_size. It is used for BSDIFF and SOURCE_BSDIFF, because we need to
  // pass that external program the number of bytes to read from the blocks we
  // pass it.  This is not used in any other operation.
  // NOTE(review): since this is redundant with src_extents, a client should
  // verify the two agree rather than trust src_length alone -- confirm.
  optional uint64 src_length = 5;

  // Ordered list of extents that are written to.
  repeated Extent dst_extents = 6;
  // Byte length of dst, equal to the number of blocks in dst_extents *
  // block_size. Used for BSDIFF and SOURCE_BSDIFF, but not in any other
  // operation.
  optional uint64 dst_length = 7;

  // Optional SHA 256 hash of the blob associated with this operation.
  // This is used as a primary validation for http-based downloads and
  // as a defense-in-depth validation for https-based downloads. If
  // the operation doesn't refer to any blob, this field will have
  // zero bytes.
  // Because this hash lives in the manifest, which the metadata signature
  // covers (see the file header), checking it binds each blob to the signed
  // metadata before the blob is applied -- which matters since operations may
  // be applied before the whole payload (and its trailing payload signature)
  // has arrived.
  optional bytes data_sha256_hash = 8;

  // Indicates the SHA 256 hash of the source data referenced in src_extents at
  // the time of applying the operation. If present, the update_engine daemon
  // MUST read and verify the source data before applying the operation.
  // If absent, the source blocks are used unverified; a mismatch would then
  // presumably only surface at the final partition hash check
  // (PartitionUpdate.new_partition_info) -- confirm.
  optional bytes src_sha256_hash = 9;
}
215
// Hints to VAB snapshot to skip writing some blocks if these blocks are
// identical to the ones on the source image. The src & dst extents for each
// CowMergeOperation should be contiguous, and they're a subset of an OTA
// InstallOperation.
// During merge time, we need to follow the pre-computed sequence to avoid
// read after write, similar to the inplace update schema.
// These are hints: the InstallOperations alone define the resulting partition
// contents. NOTE(review): confirm the consumer validates each hint (extents in
// bounds, src_offset below block_size) rather than trusting it.
message CowMergeOperation {
  enum Type {
    COW_COPY = 0;     // identical blocks
    COW_XOR = 1;      // used when src/dst blocks are highly similar
    COW_REPLACE = 2;  // Raw replace operation
  }
  // Kind of hint; see Type.
  optional Type type = 1;

  // Source blocks on the old image (a single contiguous extent).
  optional Extent src_extent = 2;
  // Destination blocks on the new image (a single contiguous extent).
  optional Extent dst_extent = 3;
  // For COW_XOR, source location might be unaligned, so this field is in range
  // [0, block_size), representing how much should the src_extent shift toward
  // larger block number. If this field is non-zero, then src_extent will
  // include 1 extra block in the end, as the merge op actually references the
  // first |src_offset| bytes of that extra block. For example, if |dst_extent|
  // is [10, 15], |src_offset| is 500, then src_extent might look like [25, 31].
  // Note that |src_extent| then contains one more block than |dst_extent|.
  optional uint32 src_offset = 4;
}
241
// Describes the update to apply to a single partition.
message PartitionUpdate {
  // A platform-specific name to identify the partition set being updated. For
  // example, in Chrome OS this could be "ROOT" or "KERNEL".
  // NOTE(review): the client maps this name to a device partition; it should
  // only accept names it knows -- confirm.
  required string partition_name = 1;

  // Whether this partition carries a filesystem with post-install program that
  // must be run to finalize the update process. See also |postinstall_path| and
  // |filesystem_type|.
  optional bool run_postinstall = 2;

  // The path of the executable program to run during the post-install step,
  // relative to the root of this filesystem. If not set, the default "postinst"
  // will be used. This setting is only used when |run_postinstall| is set and
  // true.
  // NOTE(review): this names a program the client will execute and it comes
  // from the manifest; it should only be honored once the manifest signature
  // (and, where required, |new_partition_signature|) has been verified, and a
  // path that escapes the new filesystem's root should be rejected -- confirm.
  optional string postinstall_path = 3;

  // The filesystem type as passed to the mount(2) syscall when mounting the new
  // filesystem to run the post-install program. If not set, a fixed list of
  // filesystems will be attempted. This setting is only used if
  // |run_postinstall| is set and true.
  // NOTE(review): also manifest-controlled and handed straight to mount(2);
  // consider restricting it to that same fixed list -- confirm what the client
  // does.
  optional string filesystem_type = 4;

  // If present, a list of signatures of the new_partition_info.hash signed with
  // different keys. If the update_engine daemon requires vendor-signed images
  // and has its public key installed, one of the signatures should be valid
  // for /postinstall to run.
  repeated Signatures.Signature new_partition_signature = 5;

  // Size and hash of the partition before the update (the initial checksum).
  optional PartitionInfo old_partition_info = 6;
  // Size and hash of the partition after all |operations| are applied (the
  // final checksum).
  optional PartitionInfo new_partition_info = 7;

  // The list of operations to be performed to apply this PartitionUpdate. The
  // associated operation blobs (in operations[i].data_offset, data_length)
  // should be stored contiguously and in the same order.
  repeated InstallOperation operations = 8;

  // Whether a failure in the postinstall step for this partition should be
  // ignored.
  optional bool postinstall_optional = 9;

  // On minor version 6 or newer, these fields are supported:

  // The extent for data covered by verity hash tree.
  optional Extent hash_tree_data_extent = 10;

  // The extent to store verity hash tree.
  optional Extent hash_tree_extent = 11;

  // The hash algorithm used in verity hash tree.
  // NOTE(review): free-form string; a client should accept only the algorithms
  // it implements -- confirm.
  optional string hash_tree_algorithm = 12;

  // The salt used for verity hash tree.
  optional bytes hash_tree_salt = 13;

  // The extent for data covered by FEC.
  optional Extent fec_data_extent = 14;

  // The extent to store FEC.
  optional Extent fec_extent = 15;

  // The number of FEC roots.
  optional uint32 fec_roots = 16 [default = 2];

  // Per-partition version used for downgrade detection, added
  // as an effort to support partial updates. For most partitions,
  // this is the build timestamp.
  // Presumably compared by the client against the installed partition's
  // version, in the spirit of DeltaArchiveManifest.max_timestamp -- confirm.
  optional string version = 17;

  // A sorted list of CowMergeOperation. When writing cow, we can choose to
  // skip writing the raw bytes for these extents. During snapshot merge, the
  // bytes will be read from the source partitions instead.
  repeated CowMergeOperation merge_operations = 18;

  // Estimated size for COW image. This is used by libsnapshot
  // as a hint. If set to 0, libsnapshot should use alternative
  // methods for estimating size.
  optional uint64 estimate_cow_size = 19;
}
321
// A group of dynamic partitions that share one size budget.
message DynamicPartitionGroup {
  // Name of the group.
  required string name = 1;

  // Maximum size of the group. The sum of sizes of all partitions in the group
  // must not exceed the maximum size of the group. (Units are not stated here;
  // presumably bytes -- confirm.)
  optional uint64 size = 2;

  // A list of partitions that belong to the group.
  repeated string partition_names = 3;
}
333
// Metadata related to all dynamic partitions.
message DynamicPartitionMetadata {
  // All updatable groups present in |partitions| of this DeltaArchiveManifest.
  // - If an updatable group is on the device but not in the manifest, it is
  //   not updated. Hence, the group will not be resized, and partitions cannot
  //   be added to or removed from the group.
  // - If an updatable group is in the manifest but not on the device, the group
  //   is added to the device.
  repeated DynamicPartitionGroup groups = 1;

  // Whether dynamic partitions have snapshots during the update. If this is
  // set to true, the update_engine daemon creates snapshots for all dynamic
  // partitions if possible. If this is unset, the update_engine daemon MUST
  // NOT create snapshots for dynamic partitions.
  optional bool snapshot_enabled = 2;

  // If this is set to false, update_engine should not use VABC regardless. If
  // this is set to true, update_engine may choose to use VABC if device
  // supports it, but not guaranteed.
  // VABC stands for Virtual AB Compression
  optional bool vabc_enabled = 3;

  // The compression algorithm used by VABC. Available ones are "gz", "brotli".
  // See system/core/fs_mgr/libsnapshot/cow_writer.cpp for available options,
  // as this parameter is ultimately forwarded to libsnapshot's CowWriter.
  // NOTE(review): since the string is forwarded as-is, the client should
  // validate it against the known options before handing it to CowWriter
  // rather than relying on CowWriter to reject unknown values -- confirm.
  optional string vabc_compression_param = 4;

  // COW version used by VABC. This represents the major version in the COW
  // header.
  optional uint32 cow_version = 5;
}
365
// Definition has been duplicated from
// $ANDROID_BUILD_TOP/build/tools/releasetools/ota_metadata.proto. Keep in sync.
// Describes one APEX carried by the update (see
// DeltaArchiveManifest.apex_info).
message ApexInfo {
  // APEX package name.
  optional string package_name = 1;
  // APEX version.
  optional int64 version = 2;
  // Whether the APEX is shipped compressed and has to be decompressed on the
  // device.
  optional bool is_compressed = 3;
  // Size after decompression, used to work out the space required (units not
  // stated here; presumably bytes -- confirm). Presumably only meaningful when
  // |is_compressed| is true.
  optional int64 decompressed_size = 4;
}
374
// Definition has been duplicated from
// $ANDROID_BUILD_TOP/build/tools/releasetools/ota_metadata.proto. Keep in sync.
// Container for a list of ApexInfo. Not referenced elsewhere in this file
// (DeltaArchiveManifest carries |apex_info| directly); kept for parity with
// the releasetools copy.
message ApexMetadata {
  repeated ApexInfo apex_info = 1;
}
380
// The top-level payload manifest. It is serialized, uncompressed, right after
// the payload header and is covered by the metadata signature (see the file
// header), so every field below is integrity-protected once that signature has
// been verified -- and should not be acted on before then.
message DeltaArchiveManifest {
  // Only present in major version = 1. List of install operations for the
  // kernel and rootfs partitions. For major version = 2 see the |partitions|
  // field.
  // Reserved so the numbers are never reused with a different meaning.
  reserved 1, 2;

  // (At time of writing) usually 4096
  // Unit for every Extent in this manifest and for src_length/dst_length.
  // NOTE(review): the client should check this matches the device's block
  // size (or at least is non-zero and sane) before deriving byte offsets from
  // extents -- confirm.
  optional uint32 block_size = 3 [default = 4096];

  // If signatures are present, the offset into the blobs, generally
  // tacked onto the end of the file, and the length. We use an offset
  // rather than a bool to allow for more flexibility in future file formats.
  // If either is absent, it means signatures aren't supported in this
  // file.
  // These locate the payload_signatures_message of the file header. Because
  // that message is excluded from the signed range, the client must bound-check
  // offset + size against the payload length before using them.
  // NOTE(review): confirm that check exists.
  optional uint64 signatures_offset = 4;
  optional uint64 signatures_size = 5;

  // Fields deprecated in major version 2.
  // (Presumably the major-version-1 fields that |partitions| replaced; reserved
  // so the numbers are never reused.)
  reserved 6,7,8,9,10,11;

  // The minor version, also referred as "delta version", of the payload.
  // Minor version 0 is full payload, everything else is delta payload.
  // Together with the major version in the file header it decides which
  // InstallOperation types are allowed (see InstallOperation.Type).
  optional uint32 minor_version = 12 [default = 0];

  // Only present in major version >= 2. List of partitions that will be
  // updated, in the order they will be updated. This field replaces the
  // |install_operations|, |kernel_install_operations| and the
  // |{old,new}_{kernel,rootfs}_info| fields used in major version = 1. This
  // array can have more than two partitions if needed, and they are identified
  // by the partition name.
  repeated PartitionUpdate partitions = 13;

  // The maximum timestamp of the OS allowed to apply this payload.
  // Can be used to prevent downgrading the OS.
  // Anti-rollback only holds because this value sits inside the signed
  // manifest; the client presumably compares it against the running OS's
  // timestamp and refuses the payload when that is newer than max_timestamp --
  // confirm the exact comparison. Units are not stated here.
  optional int64 max_timestamp = 14;

  // Metadata related to all dynamic partitions.
  optional DynamicPartitionMetadata dynamic_partition_metadata = 15;

  // If the payload only updates a subset of partitions on the device.
  // See PartitionUpdate.version for the per-partition downgrade check that
  // partial updates rely on.
  optional bool partial_update = 16;

  // Information on compressed APEX to figure out how much space is required for
  // their decompression
  repeated ApexInfo apex_info = 17;
}
427