1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "bootcontrolhal"
18
19 #include "BootControl.h"
20
21 #include <android-base/file.h>
22 #include <android-base/unique_fd.h>
23 #include <bootloader_message/bootloader_message.h>
24 #include <cutils/properties.h>
25 #include <libboot_control/libboot_control.h>
26 #include <log/log.h>
27 #include <trusty/tipc.h>
28
29 #include "DevInfo.h"
30 #include "GptUtils.h"
31
32 namespace android {
33 namespace hardware {
34 namespace boot {
35 namespace V1_2 {
36 namespace implementation {
37
38 using android::bootable::GetMiscVirtualAbMergeStatus;
39 using android::bootable::InitMiscVirtualAbMessageIfNeeded;
40 using android::bootable::SetMiscVirtualAbMergeStatus;
41 using android::hardware::boot::V1_0::BoolResult;
42 using android::hardware::boot::V1_0::CommandResult;
43 using android::hardware::boot::V1_1::MergeStatus;
44
45 namespace {
46
47 // clang-format off
48
49 #define BOOT_A_PATH "/dev/block/by-name/boot_a"
50 #define BOOT_B_PATH "/dev/block/by-name/boot_b"
51 #define DEVINFO_PATH "/dev/block/by-name/devinfo"
52
53 #define BLOW_AR_PATH "/sys/kernel/boot_control/blow_ar"
54
55 // slot flags
56 #define AB_ATTR_PRIORITY_SHIFT 52
57 #define AB_ATTR_PRIORITY_MASK (3UL << AB_ATTR_PRIORITY_SHIFT)
58 #define AB_ATTR_ACTIVE_SHIFT 54
59 #define AB_ATTR_ACTIVE (1UL << AB_ATTR_ACTIVE_SHIFT)
60 #define AB_ATTR_RETRY_COUNT_SHIFT (55)
61 #define AB_ATTR_RETRY_COUNT_MASK (7UL << AB_ATTR_RETRY_COUNT_SHIFT)
62 #define AB_ATTR_SUCCESSFUL (1UL << 58)
63 #define AB_ATTR_UNBOOTABLE (1UL << 59)
64
65 #define AB_ATTR_MAX_PRIORITY 3UL
66 #define AB_ATTR_MAX_RETRY_COUNT 3UL
67
68 // clang-format on
69
getDevPath(uint32_t slot)70 static std::string getDevPath(uint32_t slot) {
71 char real_path[PATH_MAX];
72
73 const char *path = slot == 0 ? BOOT_A_PATH : BOOT_B_PATH;
74
75 int ret = readlink(path, real_path, sizeof real_path);
76 if (ret < 0) {
77 ALOGE("readlink failed for boot device %s\n", strerror(errno));
78 return std::string();
79 }
80
81 std::string dp(real_path);
82 // extract /dev/sda.. part
83 return dp.substr(0, sizeof "/dev/block/sdX" - 1);
84 }
85
isSlotFlagSet(uint32_t slot,uint64_t flag)86 static bool isSlotFlagSet(uint32_t slot, uint64_t flag) {
87 std::string dev_path = getDevPath(slot);
88 if (dev_path.empty()) {
89 ALOGI("Could not get device path for slot %d\n", slot);
90 return false;
91 }
92
93 GptUtils gpt(dev_path);
94 if (gpt.Load()) {
95 ALOGI("failed to load gpt data\n");
96 return false;
97 }
98
99 gpt_entry *e = gpt.GetPartitionEntry(slot ? "boot_b" : "boot_a");
100 if (e == nullptr) {
101 ALOGI("failed to get gpt entry\n");
102 return false;
103 }
104
105 return !!(e->attr & flag);
106 }
107
setSlotFlag(uint32_t slot,uint64_t flag)108 static bool setSlotFlag(uint32_t slot, uint64_t flag) {
109 std::string dev_path = getDevPath(slot);
110 if (dev_path.empty()) {
111 ALOGI("Could not get device path for slot %d\n", slot);
112 return false;
113 }
114
115 GptUtils gpt(dev_path);
116 if (gpt.Load()) {
117 ALOGI("failed to load gpt data\n");
118 return false;
119 }
120
121 gpt_entry *e = gpt.GetPartitionEntry(slot ? "boot_b" : "boot_a");
122 if (e == nullptr) {
123 ALOGI("failed to get gpt entry\n");
124 return false;
125 }
126
127 e->attr |= flag;
128 gpt.Sync();
129
130 return true;
131 }
132
133 static bool is_devinfo_valid;
134 static bool is_devinfo_initialized;
135 static std::mutex devinfo_lock;
136 static devinfo_t devinfo;
137
isDevInfoValid()138 static bool isDevInfoValid() {
139 const std::lock_guard<std::mutex> lock(devinfo_lock);
140
141 if (is_devinfo_initialized) {
142 return is_devinfo_valid;
143 }
144
145 is_devinfo_initialized = true;
146
147 android::base::unique_fd fd(open(DEVINFO_PATH, O_RDONLY));
148 android::base::ReadFully(fd, &devinfo, sizeof devinfo);
149
150 if (devinfo.magic != DEVINFO_MAGIC) {
151 return is_devinfo_valid;
152 }
153
154 uint32_t version = ((uint32_t)devinfo.ver_major << 16) | devinfo.ver_minor;
155 // only version 3.3+ supports A/B data
156 if (version >= 0x0003'0003) {
157 is_devinfo_valid = true;
158 }
159
160 return is_devinfo_valid;
161 }
162
DevInfoSync()163 static bool DevInfoSync() {
164 if (!isDevInfoValid()) {
165 return false;
166 }
167
168 android::base::unique_fd fd(open(DEVINFO_PATH, O_WRONLY | O_DSYNC));
169 return android::base::WriteFully(fd, &devinfo, sizeof devinfo);
170 }
171
DevInfoInitSlot(devinfo_ab_slot_data_t & slot_data)172 static void DevInfoInitSlot(devinfo_ab_slot_data_t &slot_data) {
173 slot_data.retry_count = AB_ATTR_MAX_RETRY_COUNT;
174 slot_data.unbootable = 0;
175 slot_data.successful = 0;
176 slot_data.active = 1;
177 slot_data.fastboot_ok = 0;
178 }
179
blow_otp_AR(bool secure)180 static int blow_otp_AR(bool secure) {
181 static const char *dev_name = "/dev/trusty-ipc-dev0";
182 static const char *otp_name = "com.android.trusty.otp_manager.tidl";
183 int fd = 1, ret = 0;
184 uint32_t cmd = secure? OTP_CMD_write_antirbk_secure_ap : OTP_CMD_write_antirbk_non_secure_ap;
185 fd = tipc_connect(dev_name, otp_name);
186 if (fd < 0) {
187 ALOGI("Failed to connect to OTP_MGR ns TA - is it missing?\n");
188 ret = -1;
189 return ret;
190 }
191
192 struct otp_mgr_req_base req = {
193 .command = cmd,
194 .resp_payload_size = 0,
195 };
196 struct iovec iov[] = {
197 {
198 .iov_base = &req,
199 .iov_len = sizeof(req),
200 },
201 };
202
203 int rc = tipc_send(fd, iov, 1, NULL, 0);
204 if (rc != sizeof(req)) {
205 ALOGI("Send fail! %x\n", rc);
206 return rc;
207 }
208
209 struct otp_mgr_rsp_base resp;
210 rc = read(fd, &resp, sizeof(resp));
211 if (rc < 0) {
212 ALOGI("Read fail! %x\n", rc);
213 return rc;
214 }
215
216 if (rc < sizeof(resp)) {
217 ALOGI("Not enough data! %x\n", rc);
218 return -EIO;
219 }
220
221 if (resp.command != (cmd | OTP_RESP_BIT)) {
222 ALOGI("Wrong command! %x\n", resp.command);
223 return -EINVAL;
224 }
225
226 if (resp.result != 0) {
227 fprintf(stderr, "AR writing error! %x\n", resp.result);
228 return -EINVAL;
229 }
230
231 tipc_close(fd);
232 return 0;
233 }
234
blowAR_zuma()235 static bool blowAR_zuma() {
236 int ret = blow_otp_AR(true);
237 if (ret) {
238 ALOGI("Blow secure anti-rollback OTP failed");
239 return false;
240 }
241
242 ret = blow_otp_AR(false);
243 if (ret) {
244 ALOGI("Blow non-secure anti-rollback OTP failed");
245 return false;
246 }
247
248 return true;
249 }
250
blowAR_gs101()251 static bool blowAR_gs101() {
252 android::base::unique_fd fd(open(BLOW_AR_PATH, O_WRONLY | O_DSYNC));
253 return android::base::WriteStringToFd("1", fd);
254 }
255
blowAR()256 static bool blowAR() {
257 char platform[PROPERTY_VALUE_MAX];
258 property_get("ro.boot.hardware.platform", platform, "");
259
260 if (std::string(platform) == "gs101") {
261 return blowAR_gs101();
262 } else if (std::string(platform) == "gs201" || std::string(platform) == "zuma") {
263 return blowAR_zuma();
264 }
265
266 return true;
267 }
268
269 } // namespace
270
271 // Methods from ::android::hardware::boot::V1_0::IBootControl follow.
getNumberSlots()272 Return<uint32_t> BootControl::getNumberSlots() {
273 uint32_t slots = 0;
274
275 if (access(BOOT_A_PATH, F_OK) == 0)
276 slots++;
277
278 if (access(BOOT_B_PATH, F_OK) == 0)
279 slots++;
280
281 return slots;
282 }
283
getCurrentSlot()284 Return<uint32_t> BootControl::getCurrentSlot() {
285 char suffix[PROPERTY_VALUE_MAX];
286 property_get("ro.boot.slot_suffix", suffix, "_a");
287 return std::string(suffix) == "_b" ? 1 : 0;
288 }
289
markBootSuccessful(markBootSuccessful_cb _hidl_cb)290 Return<void> BootControl::markBootSuccessful(markBootSuccessful_cb _hidl_cb) {
291 if (getNumberSlots() == 0) {
292 // no slots, just return true otherwise Android keeps trying
293 _hidl_cb({true, ""});
294 return Void();
295 }
296
297 bool ret;
298 if (isDevInfoValid()) {
299 auto const slot = getCurrentSlot();
300 devinfo.ab_data.slots[slot].successful = 1;
301 ret = DevInfoSync();
302 } else {
303 ret = setSlotFlag(getCurrentSlot(), AB_ATTR_SUCCESSFUL);
304 }
305
306 if (!ret) {
307 _hidl_cb({false, "Failed to set successful flag"});
308 return Void();
309 }
310
311 if (!blowAR()) {
312 ALOGE("Failed to blow anti-rollback counter");
313 // Ignore the error, since ABL will re-trigger it on reboot
314 }
315
316 _hidl_cb({true, ""});
317 return Void();
318 }
319
setActiveBootSlot(uint32_t slot,setActiveBootSlot_cb _hidl_cb)320 Return<void> BootControl::setActiveBootSlot(uint32_t slot, setActiveBootSlot_cb _hidl_cb) {
321 if (slot >= 2) {
322 _hidl_cb({false, "Invalid slot"});
323 return Void();
324 }
325
326 if (isDevInfoValid()) {
327 auto &active_slot_data = devinfo.ab_data.slots[slot];
328 auto &inactive_slot_data = devinfo.ab_data.slots[!slot];
329
330 inactive_slot_data.active = 0;
331 DevInfoInitSlot(active_slot_data);
332
333 if (!DevInfoSync()) {
334 _hidl_cb({false, "Could not update DevInfo data"});
335 return Void();
336 }
337 } else {
338 std::string dev_path = getDevPath(slot);
339 if (dev_path.empty()) {
340 _hidl_cb({false, "Could not get device path for slot"});
341 return Void();
342 }
343
344 GptUtils gpt(dev_path);
345 if (gpt.Load()) {
346 _hidl_cb({false, "failed to load gpt data"});
347 return Void();
348 }
349
350 gpt_entry *active_entry = gpt.GetPartitionEntry(slot == 0 ? "boot_a" : "boot_b");
351 gpt_entry *inactive_entry = gpt.GetPartitionEntry(slot == 0 ? "boot_b" : "boot_a");
352 if (active_entry == nullptr || inactive_entry == nullptr) {
353 _hidl_cb({false, "failed to get entries for boot partitions"});
354 return Void();
355 }
356
357 ALOGV("slot active attributes %lx\n", active_entry->attr);
358 ALOGV("slot inactive attributes %lx\n", inactive_entry->attr);
359
360 // update attributes for active and inactive
361 inactive_entry->attr &= ~AB_ATTR_ACTIVE;
362 active_entry->attr = AB_ATTR_ACTIVE | (AB_ATTR_MAX_PRIORITY << AB_ATTR_PRIORITY_SHIFT) |
363 (AB_ATTR_MAX_RETRY_COUNT << AB_ATTR_RETRY_COUNT_SHIFT);
364 }
365
366 char boot_dev[PROPERTY_VALUE_MAX];
367 property_get("ro.boot.bootdevice", boot_dev, "");
368 if (boot_dev[0] == '\0') {
369 ALOGI("failed to get ro.boot.bootdevice. try ro.boot.boot_devices\n");
370 property_get("ro.boot.boot_devices", boot_dev, "");
371 if (boot_dev[0] == '\0') {
372 _hidl_cb({false, "invalid ro.boot.bootdevice and ro.boot.boot_devices prop"});
373 return Void();
374 }
375 }
376
377 std::string boot_lun_path =
378 std::string("/sys/devices/platform/") + boot_dev + "/pixel/boot_lun_enabled";
379 int fd = open(boot_lun_path.c_str(), O_RDWR | O_DSYNC);
380 if (fd < 0) {
381 // Try old path for kernels < 5.4
382 // TODO: remove once kernel 4.19 support is deprecated
383 std::string boot_lun_path =
384 std::string("/sys/devices/platform/") + boot_dev + "/attributes/boot_lun_enabled";
385 fd = open(boot_lun_path.c_str(), O_RDWR | O_DSYNC);
386 if (fd < 0) {
387 _hidl_cb({false, "failed to open ufs attr boot_lun_enabled"});
388 return Void();
389 }
390 }
391
392 //
393 // bBootLunEn
394 // 0x1 => Boot LU A = enabled, Boot LU B = disable
395 // 0x2 => Boot LU A = disable, Boot LU B = enabled
396 //
397 int ret = android::base::WriteStringToFd(slot == 0 ? "1" : "2", fd);
398 close(fd);
399 if (ret < 0) {
400 _hidl_cb({false, "faied to write boot_lun_enabled attribute"});
401 return Void();
402 }
403
404 _hidl_cb({true, ""});
405 return Void();
406 }
407
setSlotAsUnbootable(uint32_t slot,setSlotAsUnbootable_cb _hidl_cb)408 Return<void> BootControl::setSlotAsUnbootable(uint32_t slot, setSlotAsUnbootable_cb _hidl_cb) {
409 if (slot >= 2) {
410 _hidl_cb({false, "Invalid slot"});
411 return Void();
412 }
413
414 if (isDevInfoValid()) {
415 auto &slot_data = devinfo.ab_data.slots[slot];
416 slot_data.unbootable = 1;
417 if (!DevInfoSync()) {
418 _hidl_cb({false, "Could not update DevInfo data"});
419 return Void();
420 }
421 } else {
422 std::string dev_path = getDevPath(slot);
423 if (dev_path.empty()) {
424 _hidl_cb({false, "Could not get device path for slot"});
425 return Void();
426 }
427
428 GptUtils gpt(dev_path);
429 gpt.Load();
430
431 gpt_entry *e = gpt.GetPartitionEntry(slot ? "boot_b" : "boot_a");
432 e->attr |= AB_ATTR_UNBOOTABLE;
433
434 gpt.Sync();
435 }
436
437 _hidl_cb({true, ""});
438 return Void();
439 }
440
isSlotBootable(uint32_t slot)441 Return<::android::hardware::boot::V1_0::BoolResult> BootControl::isSlotBootable(uint32_t slot) {
442 if (getNumberSlots() == 0)
443 return BoolResult::FALSE;
444 if (slot >= getNumberSlots())
445 return BoolResult::INVALID_SLOT;
446
447 bool unbootable;
448 if (isDevInfoValid()) {
449 auto &slot_data = devinfo.ab_data.slots[slot];
450 unbootable = !!slot_data.unbootable;
451 } else {
452 unbootable = isSlotFlagSet(slot, AB_ATTR_UNBOOTABLE);
453 }
454
455 return unbootable ? BoolResult::FALSE : BoolResult::TRUE;
456 }
457
isSlotMarkedSuccessful(uint32_t slot)458 Return<::android::hardware::boot::V1_0::BoolResult> BootControl::isSlotMarkedSuccessful(
459 uint32_t slot) {
460 if (getNumberSlots() == 0) {
461 // just return true so that we don't we another call trying to mark it as successful
462 // when there is no slots
463 return BoolResult::TRUE;
464 }
465 if (slot >= getNumberSlots())
466 return BoolResult::INVALID_SLOT;
467
468 bool successful;
469 if (isDevInfoValid()) {
470 auto &slot_data = devinfo.ab_data.slots[slot];
471 successful = !!slot_data.successful;
472 } else {
473 successful = isSlotFlagSet(slot, AB_ATTR_SUCCESSFUL);
474 }
475
476 return successful ? BoolResult::TRUE : BoolResult::FALSE;
477 }
478
getSuffix(uint32_t slot,getSuffix_cb _hidl_cb)479 Return<void> BootControl::getSuffix(uint32_t slot, getSuffix_cb _hidl_cb) {
480 _hidl_cb(slot == 0 ? "_a" : slot == 1 ? "_b" : "");
481 return Void();
482 }
483
484 // Methods from ::android::hardware::boot::V1_1::IBootControl follow.
Init()485 bool BootControl::Init() {
486 return InitMiscVirtualAbMessageIfNeeded();
487 }
488
setSnapshotMergeStatus(::android::hardware::boot::V1_1::MergeStatus status)489 Return<bool> BootControl::setSnapshotMergeStatus(
490 ::android::hardware::boot::V1_1::MergeStatus status) {
491 return SetMiscVirtualAbMergeStatus(getCurrentSlot(), status);
492 }
493
getSnapshotMergeStatus()494 Return<::android::hardware::boot::V1_1::MergeStatus> BootControl::getSnapshotMergeStatus() {
495 MergeStatus status;
496 if (!GetMiscVirtualAbMergeStatus(getCurrentSlot(), &status)) {
497 return MergeStatus::UNKNOWN;
498 }
499 return status;
500 }
501
502 // Methods from ::android::hardware::boot::V1_2::IBootControl follow.
getActiveBootSlot()503 Return<uint32_t> BootControl::getActiveBootSlot() {
504 if (getNumberSlots() == 0)
505 return 0;
506
507 if (isDevInfoValid())
508 return devinfo.ab_data.slots[1].active ? 1 : 0;
509 return isSlotFlagSet(1, AB_ATTR_ACTIVE) ? 1 : 0;
510 }
511
512 // Methods from ::android::hidl::base::V1_0::IBase follow.
513
HIDL_FETCH_IBootControl(const char *)514 IBootControl *HIDL_FETCH_IBootControl(const char * /* name */) {
515 auto module = new BootControl();
516
517 module->Init();
518
519 return module;
520 }
521
522 } // namespace implementation
523 } // namespace V1_2
524 } // namespace boot
525 } // namespace hardware
526 } // namespace android
527