1 //
2 // Copyright (C) 2012 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "update_engine/payload_consumer/delta_performer.h"
18
19 #include <endian.h>
20 #include <errno.h>
21 #include <linux/fs.h>
22
23 #include <algorithm>
24 #include <cstring>
25 #include <memory>
26 #include <string>
27 #include <vector>
28
29 #include <base/files/file_util.h>
30 #include <base/format_macros.h>
31 #include <base/strings/string_number_conversions.h>
32 #include <base/strings/string_util.h>
33 #include <base/strings/stringprintf.h>
34 #include <brillo/data_encoding.h>
35 #include <brillo/make_unique_ptr.h>
36 #include <bsdiff/bspatch.h>
37 #include <google/protobuf/repeated_field.h>
38
39 #include "update_engine/common/constants.h"
40 #include "update_engine/common/hardware_interface.h"
41 #include "update_engine/common/prefs_interface.h"
42 #include "update_engine/common/subprocess.h"
43 #include "update_engine/common/terminator.h"
44 #include "update_engine/payload_consumer/bzip_extent_writer.h"
45 #include "update_engine/payload_consumer/download_action.h"
46 #include "update_engine/payload_consumer/extent_writer.h"
47 #if USE_MTD
48 #include "update_engine/payload_consumer/mtd_file_descriptor.h"
49 #endif
50 #include "update_engine/payload_consumer/payload_constants.h"
51 #include "update_engine/payload_consumer/payload_verifier.h"
52 #include "update_engine/payload_consumer/xz_extent_writer.h"
53
54 using google::protobuf::RepeatedPtrField;
55 using std::min;
56 using std::string;
57 using std::vector;
58
59 namespace chromeos_update_engine {
60
61 const uint64_t DeltaPerformer::kDeltaVersionOffset = sizeof(kDeltaMagic);
62 const uint64_t DeltaPerformer::kDeltaVersionSize = 8;
63 const uint64_t DeltaPerformer::kDeltaManifestSizeOffset =
64 kDeltaVersionOffset + kDeltaVersionSize;
65 const uint64_t DeltaPerformer::kDeltaManifestSizeSize = 8;
66 const uint64_t DeltaPerformer::kDeltaMetadataSignatureSizeSize = 4;
67 const uint64_t DeltaPerformer::kMaxPayloadHeaderSize = 24;
68 const uint64_t DeltaPerformer::kSupportedMajorPayloadVersion = 2;
69 const uint32_t DeltaPerformer::kSupportedMinorPayloadVersion = 3;
70
71 const unsigned DeltaPerformer::kProgressLogMaxChunks = 10;
72 const unsigned DeltaPerformer::kProgressLogTimeoutSeconds = 30;
73 const unsigned DeltaPerformer::kProgressDownloadWeight = 50;
74 const unsigned DeltaPerformer::kProgressOperationsWeight = 50;
75
76 namespace {
77 const int kUpdateStateOperationInvalid = -1;
78 const int kMaxResumedUpdateFailures = 10;
79 #if USE_MTD
80 const int kUbiVolumeAttachTimeout = 5 * 60;
81 #endif
82
CreateFileDescriptor(const char * path)83 FileDescriptorPtr CreateFileDescriptor(const char* path) {
84 FileDescriptorPtr ret;
85 #if USE_MTD
86 if (strstr(path, "/dev/ubi") == path) {
87 if (!UbiFileDescriptor::IsUbi(path)) {
88 // The volume might not have been attached at boot time.
89 int volume_no;
90 if (utils::SplitPartitionName(path, nullptr, &volume_no)) {
91 utils::TryAttachingUbiVolume(volume_no, kUbiVolumeAttachTimeout);
92 }
93 }
94 if (UbiFileDescriptor::IsUbi(path)) {
95 LOG(INFO) << path << " is a UBI device.";
96 ret.reset(new UbiFileDescriptor);
97 }
98 } else if (MtdFileDescriptor::IsMtd(path)) {
99 LOG(INFO) << path << " is an MTD device.";
100 ret.reset(new MtdFileDescriptor);
101 } else {
102 LOG(INFO) << path << " is not an MTD nor a UBI device.";
103 #endif
104 ret.reset(new EintrSafeFileDescriptor);
105 #if USE_MTD
106 }
107 #endif
108 return ret;
109 }
110
111 // Opens path for read/write. On success returns an open FileDescriptor
112 // and sets *err to 0. On failure, sets *err to errno and returns nullptr.
OpenFile(const char * path,int mode,int * err)113 FileDescriptorPtr OpenFile(const char* path, int mode, int* err) {
114 // Try to mark the block device read-only based on the mode. Ignore any
115 // failure since this won't work when passing regular files.
116 utils::SetBlockDeviceReadOnly(path, (mode & O_ACCMODE) == O_RDONLY);
117
118 FileDescriptorPtr fd = CreateFileDescriptor(path);
119 #if USE_MTD
120 // On NAND devices, we can either read, or write, but not both. So here we
121 // use O_WRONLY.
122 if (UbiFileDescriptor::IsUbi(path) || MtdFileDescriptor::IsMtd(path)) {
123 mode = O_WRONLY;
124 }
125 #endif
126 if (!fd->Open(path, mode, 000)) {
127 *err = errno;
128 PLOG(ERROR) << "Unable to open file " << path;
129 return nullptr;
130 }
131 *err = 0;
132 return fd;
133 }
134
135 // Discard the tail of the block device referenced by |fd|, from the offset
136 // |data_size| until the end of the block device. Returns whether the data was
137 // discarded.
DiscardPartitionTail(const FileDescriptorPtr & fd,uint64_t data_size)138 bool DiscardPartitionTail(const FileDescriptorPtr& fd, uint64_t data_size) {
139 uint64_t part_size = fd->BlockDevSize();
140 if (!part_size || part_size <= data_size)
141 return false;
142
143 struct blkioctl_request {
144 int number;
145 const char* name;
146 };
147 const vector<blkioctl_request> blkioctl_requests = {
148 {BLKDISCARD, "BLKDISCARD"},
149 {BLKSECDISCARD, "BLKSECDISCARD"},
150 #ifdef BLKZEROOUT
151 {BLKZEROOUT, "BLKZEROOUT"},
152 #endif
153 };
154 for (const auto& req : blkioctl_requests) {
155 int error = 0;
156 if (fd->BlkIoctl(req.number, data_size, part_size - data_size, &error) &&
157 error == 0) {
158 return true;
159 }
160 LOG(WARNING) << "Error discarding the last "
161 << (part_size - data_size) / 1024 << " KiB using ioctl("
162 << req.name << ")";
163 }
164 return false;
165 }
166
167 } // namespace
168
169
170 // Computes the ratio of |part| and |total|, scaled to |norm|, using integer
171 // arithmetic.
IntRatio(uint64_t part,uint64_t total,uint64_t norm)172 static uint64_t IntRatio(uint64_t part, uint64_t total, uint64_t norm) {
173 return part * norm / total;
174 }
175
LogProgress(const char * message_prefix)176 void DeltaPerformer::LogProgress(const char* message_prefix) {
177 // Format operations total count and percentage.
178 string total_operations_str("?");
179 string completed_percentage_str("");
180 if (num_total_operations_) {
181 total_operations_str = std::to_string(num_total_operations_);
182 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting.
183 completed_percentage_str =
184 base::StringPrintf(" (%" PRIu64 "%%)",
185 IntRatio(next_operation_num_, num_total_operations_,
186 100));
187 }
188
189 // Format download total count and percentage.
190 size_t payload_size = payload_->size;
191 string payload_size_str("?");
192 string downloaded_percentage_str("");
193 if (payload_size) {
194 payload_size_str = std::to_string(payload_size);
195 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting.
196 downloaded_percentage_str =
197 base::StringPrintf(" (%" PRIu64 "%%)",
198 IntRatio(total_bytes_received_, payload_size, 100));
199 }
200
201 LOG(INFO) << (message_prefix ? message_prefix : "") << next_operation_num_
202 << "/" << total_operations_str << " operations"
203 << completed_percentage_str << ", " << total_bytes_received_
204 << "/" << payload_size_str << " bytes downloaded"
205 << downloaded_percentage_str << ", overall progress "
206 << overall_progress_ << "%";
207 }
208
UpdateOverallProgress(bool force_log,const char * message_prefix)209 void DeltaPerformer::UpdateOverallProgress(bool force_log,
210 const char* message_prefix) {
211 // Compute our download and overall progress.
212 unsigned new_overall_progress = 0;
213 static_assert(kProgressDownloadWeight + kProgressOperationsWeight == 100,
214 "Progress weights don't add up");
215 // Only consider download progress if its total size is known; otherwise
216 // adjust the operations weight to compensate for the absence of download
217 // progress. Also, make sure to cap the download portion at
218 // kProgressDownloadWeight, in case we end up downloading more than we
219 // initially expected (this indicates a problem, but could generally happen).
220 // TODO(garnold) the correction of operations weight when we do not have the
221 // total payload size, as well as the conditional guard below, should both be
222 // eliminated once we ensure that the payload_size in the install plan is
223 // always given and is non-zero. This currently isn't the case during unit
224 // tests (see chromium-os:37969).
225 size_t payload_size = payload_->size;
226 unsigned actual_operations_weight = kProgressOperationsWeight;
227 if (payload_size)
228 new_overall_progress += min(
229 static_cast<unsigned>(IntRatio(total_bytes_received_, payload_size,
230 kProgressDownloadWeight)),
231 kProgressDownloadWeight);
232 else
233 actual_operations_weight += kProgressDownloadWeight;
234
235 // Only add completed operations if their total number is known; we definitely
236 // expect an update to have at least one operation, so the expectation is that
237 // this will eventually reach |actual_operations_weight|.
238 if (num_total_operations_)
239 new_overall_progress += IntRatio(next_operation_num_, num_total_operations_,
240 actual_operations_weight);
241
242 // Progress ratio cannot recede, unless our assumptions about the total
243 // payload size, total number of operations, or the monotonicity of progress
244 // is breached.
245 if (new_overall_progress < overall_progress_) {
246 LOG(WARNING) << "progress counter receded from " << overall_progress_
247 << "% down to " << new_overall_progress << "%; this is a bug";
248 force_log = true;
249 }
250 overall_progress_ = new_overall_progress;
251
252 // Update chunk index, log as needed: if forced by called, or we completed a
253 // progress chunk, or a timeout has expired.
254 base::Time curr_time = base::Time::Now();
255 unsigned curr_progress_chunk =
256 overall_progress_ * kProgressLogMaxChunks / 100;
257 if (force_log || curr_progress_chunk > last_progress_chunk_ ||
258 curr_time > forced_progress_log_time_) {
259 forced_progress_log_time_ = curr_time + forced_progress_log_wait_;
260 LogProgress(message_prefix);
261 }
262 last_progress_chunk_ = curr_progress_chunk;
263 }
264
265
CopyDataToBuffer(const char ** bytes_p,size_t * count_p,size_t max)266 size_t DeltaPerformer::CopyDataToBuffer(const char** bytes_p, size_t* count_p,
267 size_t max) {
268 const size_t count = *count_p;
269 if (!count)
270 return 0; // Special case shortcut.
271 size_t read_len = min(count, max - buffer_.size());
272 const char* bytes_start = *bytes_p;
273 const char* bytes_end = bytes_start + read_len;
274 buffer_.insert(buffer_.end(), bytes_start, bytes_end);
275 *bytes_p = bytes_end;
276 *count_p = count - read_len;
277 return read_len;
278 }
279
280
HandleOpResult(bool op_result,const char * op_type_name,ErrorCode * error)281 bool DeltaPerformer::HandleOpResult(bool op_result, const char* op_type_name,
282 ErrorCode* error) {
283 if (op_result)
284 return true;
285
286 size_t partition_first_op_num =
287 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0;
288 LOG(ERROR) << "Failed to perform " << op_type_name << " operation "
289 << next_operation_num_ << ", which is the operation "
290 << next_operation_num_ - partition_first_op_num
291 << " in partition \""
292 << partitions_[current_partition_].partition_name() << "\"";
293 if (*error == ErrorCode::kSuccess)
294 *error = ErrorCode::kDownloadOperationExecutionError;
295 return false;
296 }
297
Close()298 int DeltaPerformer::Close() {
299 int err = -CloseCurrentPartition();
300 LOG_IF(ERROR, !payload_hash_calculator_.Finalize() ||
301 !signed_hash_calculator_.Finalize())
302 << "Unable to finalize the hash.";
303 if (!buffer_.empty()) {
304 LOG(INFO) << "Discarding " << buffer_.size() << " unused downloaded bytes";
305 if (err >= 0)
306 err = 1;
307 }
308 return -err;
309 }
310
CloseCurrentPartition()311 int DeltaPerformer::CloseCurrentPartition() {
312 int err = 0;
313 if (source_fd_ && !source_fd_->Close()) {
314 err = errno;
315 PLOG(ERROR) << "Error closing source partition";
316 if (!err)
317 err = 1;
318 }
319 source_fd_.reset();
320 source_path_.clear();
321
322 if (target_fd_ && !target_fd_->Close()) {
323 err = errno;
324 PLOG(ERROR) << "Error closing target partition";
325 if (!err)
326 err = 1;
327 }
328 target_fd_.reset();
329 target_path_.clear();
330 return -err;
331 }
332
OpenCurrentPartition()333 bool DeltaPerformer::OpenCurrentPartition() {
334 if (current_partition_ >= partitions_.size())
335 return false;
336
337 const PartitionUpdate& partition = partitions_[current_partition_];
338 size_t num_previous_partitions =
339 install_plan_->partitions.size() - partitions_.size();
340 const InstallPlan::Partition& install_part =
341 install_plan_->partitions[num_previous_partitions + current_partition_];
342 // Open source fds if we have a delta payload with minor version >= 2.
343 if (payload_->type == InstallPayloadType::kDelta &&
344 GetMinorVersion() != kInPlaceMinorPayloadVersion) {
345 source_path_ = install_part.source_path;
346 int err;
347 source_fd_ = OpenFile(source_path_.c_str(), O_RDONLY, &err);
348 if (!source_fd_) {
349 LOG(ERROR) << "Unable to open source partition "
350 << partition.partition_name() << " on slot "
351 << BootControlInterface::SlotName(install_plan_->source_slot)
352 << ", file " << source_path_;
353 return false;
354 }
355 }
356
357 target_path_ = install_part.target_path;
358 int err;
359 target_fd_ = OpenFile(target_path_.c_str(), O_RDWR, &err);
360 if (!target_fd_) {
361 LOG(ERROR) << "Unable to open target partition "
362 << partition.partition_name() << " on slot "
363 << BootControlInterface::SlotName(install_plan_->target_slot)
364 << ", file " << target_path_;
365 return false;
366 }
367
368 LOG(INFO) << "Applying " << partition.operations().size()
369 << " operations to partition \"" << partition.partition_name()
370 << "\"";
371
372 // Discard the end of the partition, but ignore failures.
373 DiscardPartitionTail(target_fd_, install_part.target_size);
374
375 return true;
376 }
377
378 namespace {
379
LogPartitionInfoHash(const PartitionInfo & info,const string & tag)380 void LogPartitionInfoHash(const PartitionInfo& info, const string& tag) {
381 string sha256 = brillo::data_encoding::Base64Encode(info.hash());
382 LOG(INFO) << "PartitionInfo " << tag << " sha256: " << sha256
383 << " size: " << info.size();
384 }
385
LogPartitionInfo(const vector<PartitionUpdate> & partitions)386 void LogPartitionInfo(const vector<PartitionUpdate>& partitions) {
387 for (const PartitionUpdate& partition : partitions) {
388 LogPartitionInfoHash(partition.old_partition_info(),
389 "old " + partition.partition_name());
390 LogPartitionInfoHash(partition.new_partition_info(),
391 "new " + partition.partition_name());
392 }
393 }
394
395 } // namespace
396
GetMetadataSignatureSizeOffset(uint64_t * out_offset) const397 bool DeltaPerformer::GetMetadataSignatureSizeOffset(
398 uint64_t* out_offset) const {
399 if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
400 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
401 return true;
402 }
403 return false;
404 }
405
GetManifestOffset(uint64_t * out_offset) const406 bool DeltaPerformer::GetManifestOffset(uint64_t* out_offset) const {
407 // Actual manifest begins right after the manifest size field or
408 // metadata signature size field if major version >= 2.
409 if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
410 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
411 return true;
412 }
413 if (major_payload_version_ == kBrilloMajorPayloadVersion) {
414 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize +
415 kDeltaMetadataSignatureSizeSize;
416 return true;
417 }
418 LOG(ERROR) << "Unknown major payload version: " << major_payload_version_;
419 return false;
420 }
421
GetMetadataSize() const422 uint64_t DeltaPerformer::GetMetadataSize() const {
423 return metadata_size_;
424 }
425
GetMajorVersion() const426 uint64_t DeltaPerformer::GetMajorVersion() const {
427 return major_payload_version_;
428 }
429
GetMinorVersion() const430 uint32_t DeltaPerformer::GetMinorVersion() const {
431 if (manifest_.has_minor_version()) {
432 return manifest_.minor_version();
433 } else {
434 return payload_->type == InstallPayloadType::kDelta
435 ? kSupportedMinorPayloadVersion
436 : kFullPayloadMinorVersion;
437 }
438 }
439
GetManifest(DeltaArchiveManifest * out_manifest_p) const440 bool DeltaPerformer::GetManifest(DeltaArchiveManifest* out_manifest_p) const {
441 if (!manifest_parsed_)
442 return false;
443 *out_manifest_p = manifest_;
444 return true;
445 }
446
IsHeaderParsed() const447 bool DeltaPerformer::IsHeaderParsed() const {
448 return metadata_size_ != 0;
449 }
450
ParsePayloadMetadata(const brillo::Blob & payload,ErrorCode * error)451 DeltaPerformer::MetadataParseResult DeltaPerformer::ParsePayloadMetadata(
452 const brillo::Blob& payload, ErrorCode* error) {
453 *error = ErrorCode::kSuccess;
454 uint64_t manifest_offset;
455
456 if (!IsHeaderParsed()) {
457 // Ensure we have data to cover the major payload version.
458 if (payload.size() < kDeltaManifestSizeOffset)
459 return kMetadataParseInsufficientData;
460
461 // Validate the magic string.
462 if (memcmp(payload.data(), kDeltaMagic, sizeof(kDeltaMagic)) != 0) {
463 LOG(ERROR) << "Bad payload format -- invalid delta magic.";
464 *error = ErrorCode::kDownloadInvalidMetadataMagicString;
465 return kMetadataParseError;
466 }
467
468 // Extract the payload version from the metadata.
469 static_assert(sizeof(major_payload_version_) == kDeltaVersionSize,
470 "Major payload version size mismatch");
471 memcpy(&major_payload_version_,
472 &payload[kDeltaVersionOffset],
473 kDeltaVersionSize);
474 // switch big endian to host
475 major_payload_version_ = be64toh(major_payload_version_);
476
477 if (major_payload_version_ != supported_major_version_ &&
478 major_payload_version_ != kChromeOSMajorPayloadVersion) {
479 LOG(ERROR) << "Bad payload format -- unsupported payload version: "
480 << major_payload_version_;
481 *error = ErrorCode::kUnsupportedMajorPayloadVersion;
482 return kMetadataParseError;
483 }
484
485 // Get the manifest offset now that we have payload version.
486 if (!GetManifestOffset(&manifest_offset)) {
487 *error = ErrorCode::kUnsupportedMajorPayloadVersion;
488 return kMetadataParseError;
489 }
490 // Check again with the manifest offset.
491 if (payload.size() < manifest_offset)
492 return kMetadataParseInsufficientData;
493
494 // Next, parse the manifest size.
495 static_assert(sizeof(manifest_size_) == kDeltaManifestSizeSize,
496 "manifest_size size mismatch");
497 memcpy(&manifest_size_,
498 &payload[kDeltaManifestSizeOffset],
499 kDeltaManifestSizeSize);
500 manifest_size_ = be64toh(manifest_size_); // switch big endian to host
501
502 if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
503 // Parse the metadata signature size.
504 static_assert(sizeof(metadata_signature_size_) ==
505 kDeltaMetadataSignatureSizeSize,
506 "metadata_signature_size size mismatch");
507 uint64_t metadata_signature_size_offset;
508 if (!GetMetadataSignatureSizeOffset(&metadata_signature_size_offset)) {
509 *error = ErrorCode::kError;
510 return kMetadataParseError;
511 }
512 memcpy(&metadata_signature_size_,
513 &payload[metadata_signature_size_offset],
514 kDeltaMetadataSignatureSizeSize);
515 metadata_signature_size_ = be32toh(metadata_signature_size_);
516 }
517
518 // If the metadata size is present in install plan, check for it immediately
519 // even before waiting for that many number of bytes to be downloaded in the
520 // payload. This will prevent any attack which relies on us downloading data
521 // beyond the expected metadata size.
522 metadata_size_ = manifest_offset + manifest_size_;
523 if (install_plan_->hash_checks_mandatory) {
524 if (payload_->metadata_size != metadata_size_) {
525 LOG(ERROR) << "Mandatory metadata size in Omaha response ("
526 << payload_->metadata_size
527 << ") is missing/incorrect, actual = " << metadata_size_;
528 *error = ErrorCode::kDownloadInvalidMetadataSize;
529 return kMetadataParseError;
530 }
531 }
532 }
533
534 // Now that we have validated the metadata size, we should wait for the full
535 // metadata and its signature (if exist) to be read in before we can parse it.
536 if (payload.size() < metadata_size_ + metadata_signature_size_)
537 return kMetadataParseInsufficientData;
538
539 // Log whether we validated the size or simply trusting what's in the payload
540 // here. This is logged here (after we received the full metadata data) so
541 // that we just log once (instead of logging n times) if it takes n
542 // DeltaPerformer::Write calls to download the full manifest.
543 if (payload_->metadata_size == metadata_size_) {
544 LOG(INFO) << "Manifest size in payload matches expected value from Omaha";
545 } else {
546 // For mandatory-cases, we'd have already returned a kMetadataParseError
547 // above. We'll be here only for non-mandatory cases. Just send a UMA stat.
548 LOG(WARNING) << "Ignoring missing/incorrect metadata size ("
549 << payload_->metadata_size
550 << ") in Omaha response as validation is not mandatory. "
551 << "Trusting metadata size in payload = " << metadata_size_;
552 }
553
554 // We have the full metadata in |payload|. Verify its integrity
555 // and authenticity based on the information we have in Omaha response.
556 *error = ValidateMetadataSignature(payload);
557 if (*error != ErrorCode::kSuccess) {
558 if (install_plan_->hash_checks_mandatory) {
559 // The autoupdate_CatchBadSignatures test checks for this string
560 // in log-files. Keep in sync.
561 LOG(ERROR) << "Mandatory metadata signature validation failed";
562 return kMetadataParseError;
563 }
564
565 // For non-mandatory cases, just send a UMA stat.
566 LOG(WARNING) << "Ignoring metadata signature validation failures";
567 *error = ErrorCode::kSuccess;
568 }
569
570 if (!GetManifestOffset(&manifest_offset)) {
571 *error = ErrorCode::kUnsupportedMajorPayloadVersion;
572 return kMetadataParseError;
573 }
574 // The payload metadata is deemed valid, it's safe to parse the protobuf.
575 if (!manifest_.ParseFromArray(&payload[manifest_offset], manifest_size_)) {
576 LOG(ERROR) << "Unable to parse manifest in update file.";
577 *error = ErrorCode::kDownloadManifestParseError;
578 return kMetadataParseError;
579 }
580
581 manifest_parsed_ = true;
582 return kMetadataParseSuccess;
583 }
584
585 // Wrapper around write. Returns true if all requested bytes
586 // were written, or false on any error, regardless of progress
587 // and stores an action exit code in |error|.
Write(const void * bytes,size_t count,ErrorCode * error)588 bool DeltaPerformer::Write(const void* bytes, size_t count, ErrorCode *error) {
589 *error = ErrorCode::kSuccess;
590
591 const char* c_bytes = reinterpret_cast<const char*>(bytes);
592
593 // Update the total byte downloaded count and the progress logs.
594 total_bytes_received_ += count;
595 UpdateOverallProgress(false, "Completed ");
596
597 while (!manifest_valid_) {
598 // Read data up to the needed limit; this is either maximium payload header
599 // size, or the full metadata size (once it becomes known).
600 const bool do_read_header = !IsHeaderParsed();
601 CopyDataToBuffer(&c_bytes, &count,
602 (do_read_header ? kMaxPayloadHeaderSize :
603 metadata_size_ + metadata_signature_size_));
604
605 MetadataParseResult result = ParsePayloadMetadata(buffer_, error);
606 if (result == kMetadataParseError)
607 return false;
608 if (result == kMetadataParseInsufficientData) {
609 // If we just processed the header, make an attempt on the manifest.
610 if (do_read_header && IsHeaderParsed())
611 continue;
612
613 return true;
614 }
615
616 // Checks the integrity of the payload manifest.
617 if ((*error = ValidateManifest()) != ErrorCode::kSuccess)
618 return false;
619 manifest_valid_ = true;
620
621 // Clear the download buffer.
622 DiscardBuffer(false, metadata_size_);
623
624 // This populates |partitions_| and the |install_plan.partitions| with the
625 // list of partitions from the manifest.
626 if (!ParseManifestPartitions(error))
627 return false;
628
629 // |install_plan.partitions| was filled in, nothing need to be done here if
630 // the payload was already applied, returns false to terminate http fetcher,
631 // but keep |error| as ErrorCode::kSuccess.
632 if (payload_->already_applied)
633 return false;
634
635 num_total_operations_ = 0;
636 for (const auto& partition : partitions_) {
637 num_total_operations_ += partition.operations_size();
638 acc_num_operations_.push_back(num_total_operations_);
639 }
640
641 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestMetadataSize,
642 metadata_size_))
643 << "Unable to save the manifest metadata size.";
644 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestSignatureSize,
645 metadata_signature_size_))
646 << "Unable to save the manifest signature size.";
647
648 if (!PrimeUpdateState()) {
649 *error = ErrorCode::kDownloadStateInitializationError;
650 LOG(ERROR) << "Unable to prime the update state.";
651 return false;
652 }
653
654 if (!OpenCurrentPartition()) {
655 *error = ErrorCode::kInstallDeviceOpenError;
656 return false;
657 }
658
659 if (next_operation_num_ > 0)
660 UpdateOverallProgress(true, "Resuming after ");
661 LOG(INFO) << "Starting to apply update payload operations";
662 }
663
664 while (next_operation_num_ < num_total_operations_) {
665 // Check if we should cancel the current attempt for any reason.
666 // In this case, *error will have already been populated with the reason
667 // why we're canceling.
668 if (download_delegate_ && download_delegate_->ShouldCancel(error))
669 return false;
670
671 // We know there are more operations to perform because we didn't reach the
672 // |num_total_operations_| limit yet.
673 while (next_operation_num_ >= acc_num_operations_[current_partition_]) {
674 CloseCurrentPartition();
675 current_partition_++;
676 if (!OpenCurrentPartition()) {
677 *error = ErrorCode::kInstallDeviceOpenError;
678 return false;
679 }
680 }
681 const size_t partition_operation_num = next_operation_num_ - (
682 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0);
683
684 const InstallOperation& op =
685 partitions_[current_partition_].operations(partition_operation_num);
686
687 CopyDataToBuffer(&c_bytes, &count, op.data_length());
688
689 // Check whether we received all of the next operation's data payload.
690 if (!CanPerformInstallOperation(op))
691 return true;
692
693 // Validate the operation only if the metadata signature is present.
694 // Otherwise, keep the old behavior. This serves as a knob to disable
695 // the validation logic in case we find some regression after rollout.
696 // NOTE: If hash checks are mandatory and if metadata_signature is empty,
697 // we would have already failed in ParsePayloadMetadata method and thus not
698 // even be here. So no need to handle that case again here.
699 if (!payload_->metadata_signature.empty()) {
700 // Note: Validate must be called only if CanPerformInstallOperation is
701 // called. Otherwise, we might be failing operations before even if there
702 // isn't sufficient data to compute the proper hash.
703 *error = ValidateOperationHash(op);
704 if (*error != ErrorCode::kSuccess) {
705 if (install_plan_->hash_checks_mandatory) {
706 LOG(ERROR) << "Mandatory operation hash check failed";
707 return false;
708 }
709
710 // For non-mandatory cases, just send a UMA stat.
711 LOG(WARNING) << "Ignoring operation validation errors";
712 *error = ErrorCode::kSuccess;
713 }
714 }
715
716 // Makes sure we unblock exit when this operation completes.
717 ScopedTerminatorExitUnblocker exit_unblocker =
718 ScopedTerminatorExitUnblocker(); // Avoids a compiler unused var bug.
719
720 bool op_result;
721 switch (op.type()) {
722 case InstallOperation::REPLACE:
723 case InstallOperation::REPLACE_BZ:
724 case InstallOperation::REPLACE_XZ:
725 op_result = PerformReplaceOperation(op);
726 break;
727 case InstallOperation::ZERO:
728 case InstallOperation::DISCARD:
729 op_result = PerformZeroOrDiscardOperation(op);
730 break;
731 case InstallOperation::MOVE:
732 op_result = PerformMoveOperation(op);
733 break;
734 case InstallOperation::BSDIFF:
735 op_result = PerformBsdiffOperation(op);
736 break;
737 case InstallOperation::SOURCE_COPY:
738 op_result = PerformSourceCopyOperation(op, error);
739 break;
740 case InstallOperation::SOURCE_BSDIFF:
741 op_result = PerformSourceBsdiffOperation(op, error);
742 break;
743 case InstallOperation::IMGDIFF:
744 // TODO(deymo): Replace with PUFFIN operation.
745 op_result = false;
746 break;
747 default:
748 op_result = false;
749 }
750 if (!HandleOpResult(op_result, InstallOperationTypeName(op.type()), error))
751 return false;
752
753 next_operation_num_++;
754 UpdateOverallProgress(false, "Completed ");
755 CheckpointUpdateProgress();
756 }
757
758 // In major version 2, we don't add dummy operation to the payload.
759 // If we already extracted the signature we should skip this step.
760 if (major_payload_version_ == kBrilloMajorPayloadVersion &&
761 manifest_.has_signatures_offset() && manifest_.has_signatures_size() &&
762 signatures_message_data_.empty()) {
763 if (manifest_.signatures_offset() != buffer_offset_) {
764 LOG(ERROR) << "Payload signatures offset points to blob offset "
765 << manifest_.signatures_offset()
766 << " but signatures are expected at offset "
767 << buffer_offset_;
768 *error = ErrorCode::kDownloadPayloadVerificationError;
769 return false;
770 }
771 CopyDataToBuffer(&c_bytes, &count, manifest_.signatures_size());
772 // Needs more data to cover entire signature.
773 if (buffer_.size() < manifest_.signatures_size())
774 return true;
775 if (!ExtractSignatureMessage()) {
776 LOG(ERROR) << "Extract payload signature failed.";
777 *error = ErrorCode::kDownloadPayloadVerificationError;
778 return false;
779 }
780 DiscardBuffer(true, 0);
781 // Since we extracted the SignatureMessage we need to advance the
782 // checkpoint, otherwise we would reload the signature and try to extract
783 // it again.
784 CheckpointUpdateProgress();
785 }
786
787 return true;
788 }
789
IsManifestValid()790 bool DeltaPerformer::IsManifestValid() {
791 return manifest_valid_;
792 }
793
ParseManifestPartitions(ErrorCode * error)794 bool DeltaPerformer::ParseManifestPartitions(ErrorCode* error) {
795 if (major_payload_version_ == kBrilloMajorPayloadVersion) {
796 partitions_.clear();
797 for (const PartitionUpdate& partition : manifest_.partitions()) {
798 partitions_.push_back(partition);
799 }
800 manifest_.clear_partitions();
801 } else if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
802 LOG(INFO) << "Converting update information from old format.";
803 PartitionUpdate root_part;
804 root_part.set_partition_name(kLegacyPartitionNameRoot);
805 #ifdef __ANDROID__
806 LOG(WARNING) << "Legacy payload major version provided to an Android "
807 "build. Assuming no post-install. Please use major version "
808 "2 or newer.";
809 root_part.set_run_postinstall(false);
810 #else
811 root_part.set_run_postinstall(true);
812 #endif // __ANDROID__
813 if (manifest_.has_old_rootfs_info()) {
814 *root_part.mutable_old_partition_info() = manifest_.old_rootfs_info();
815 manifest_.clear_old_rootfs_info();
816 }
817 if (manifest_.has_new_rootfs_info()) {
818 *root_part.mutable_new_partition_info() = manifest_.new_rootfs_info();
819 manifest_.clear_new_rootfs_info();
820 }
821 *root_part.mutable_operations() = manifest_.install_operations();
822 manifest_.clear_install_operations();
823 partitions_.push_back(std::move(root_part));
824
825 PartitionUpdate kern_part;
826 kern_part.set_partition_name(kLegacyPartitionNameKernel);
827 kern_part.set_run_postinstall(false);
828 if (manifest_.has_old_kernel_info()) {
829 *kern_part.mutable_old_partition_info() = manifest_.old_kernel_info();
830 manifest_.clear_old_kernel_info();
831 }
832 if (manifest_.has_new_kernel_info()) {
833 *kern_part.mutable_new_partition_info() = manifest_.new_kernel_info();
834 manifest_.clear_new_kernel_info();
835 }
836 *kern_part.mutable_operations() = manifest_.kernel_install_operations();
837 manifest_.clear_kernel_install_operations();
838 partitions_.push_back(std::move(kern_part));
839 }
840
841 // Fill in the InstallPlan::partitions based on the partitions from the
842 // payload.
843 for (const auto& partition : partitions_) {
844 InstallPlan::Partition install_part;
845 install_part.name = partition.partition_name();
846 install_part.run_postinstall =
847 partition.has_run_postinstall() && partition.run_postinstall();
848 if (install_part.run_postinstall) {
849 install_part.postinstall_path =
850 (partition.has_postinstall_path() ? partition.postinstall_path()
851 : kPostinstallDefaultScript);
852 install_part.filesystem_type = partition.filesystem_type();
853 install_part.postinstall_optional = partition.postinstall_optional();
854 }
855
856 if (partition.has_old_partition_info()) {
857 const PartitionInfo& info = partition.old_partition_info();
858 install_part.source_size = info.size();
859 install_part.source_hash.assign(info.hash().begin(), info.hash().end());
860 }
861
862 if (!partition.has_new_partition_info()) {
863 LOG(ERROR) << "Unable to get new partition hash info on partition "
864 << install_part.name << ".";
865 *error = ErrorCode::kDownloadNewPartitionInfoError;
866 return false;
867 }
868 const PartitionInfo& info = partition.new_partition_info();
869 install_part.target_size = info.size();
870 install_part.target_hash.assign(info.hash().begin(), info.hash().end());
871
872 install_plan_->partitions.push_back(install_part);
873 }
874
875 if (!install_plan_->LoadPartitionsFromSlots(boot_control_)) {
876 LOG(ERROR) << "Unable to determine all the partition devices.";
877 *error = ErrorCode::kInstallDeviceOpenError;
878 return false;
879 }
880 LogPartitionInfo(partitions_);
881 return true;
882 }
883
CanPerformInstallOperation(const chromeos_update_engine::InstallOperation & operation)884 bool DeltaPerformer::CanPerformInstallOperation(
885 const chromeos_update_engine::InstallOperation& operation) {
886 // If we don't have a data blob we can apply it right away.
887 if (!operation.has_data_offset() && !operation.has_data_length())
888 return true;
889
890 // See if we have the entire data blob in the buffer
891 if (operation.data_offset() < buffer_offset_) {
892 LOG(ERROR) << "we threw away data it seems?";
893 return false;
894 }
895
896 return (operation.data_offset() + operation.data_length() <=
897 buffer_offset_ + buffer_.size());
898 }
899
PerformReplaceOperation(const InstallOperation & operation)900 bool DeltaPerformer::PerformReplaceOperation(
901 const InstallOperation& operation) {
902 CHECK(operation.type() == InstallOperation::REPLACE ||
903 operation.type() == InstallOperation::REPLACE_BZ ||
904 operation.type() == InstallOperation::REPLACE_XZ);
905
906 // Since we delete data off the beginning of the buffer as we use it,
907 // the data we need should be exactly at the beginning of the buffer.
908 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
909 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
910
911 // Extract the signature message if it's in this operation.
912 if (ExtractSignatureMessageFromOperation(operation)) {
913 // If this is dummy replace operation, we ignore it after extracting the
914 // signature.
915 DiscardBuffer(true, 0);
916 return true;
917 }
918
919 // Setup the ExtentWriter stack based on the operation type.
920 std::unique_ptr<ExtentWriter> writer =
921 brillo::make_unique_ptr(new ZeroPadExtentWriter(
922 brillo::make_unique_ptr(new DirectExtentWriter())));
923
924 if (operation.type() == InstallOperation::REPLACE_BZ) {
925 writer.reset(new BzipExtentWriter(std::move(writer)));
926 } else if (operation.type() == InstallOperation::REPLACE_XZ) {
927 writer.reset(new XzExtentWriter(std::move(writer)));
928 }
929
930 // Create a vector of extents to pass to the ExtentWriter.
931 vector<Extent> extents;
932 for (int i = 0; i < operation.dst_extents_size(); i++) {
933 extents.push_back(operation.dst_extents(i));
934 }
935
936 TEST_AND_RETURN_FALSE(writer->Init(target_fd_, extents, block_size_));
937 TEST_AND_RETURN_FALSE(writer->Write(buffer_.data(), operation.data_length()));
938 TEST_AND_RETURN_FALSE(writer->End());
939
940 // Update buffer
941 DiscardBuffer(true, buffer_.size());
942 return true;
943 }
944
PerformZeroOrDiscardOperation(const InstallOperation & operation)945 bool DeltaPerformer::PerformZeroOrDiscardOperation(
946 const InstallOperation& operation) {
947 CHECK(operation.type() == InstallOperation::DISCARD ||
948 operation.type() == InstallOperation::ZERO);
949
950 // These operations have no blob.
951 TEST_AND_RETURN_FALSE(!operation.has_data_offset());
952 TEST_AND_RETURN_FALSE(!operation.has_data_length());
953
954 #ifdef BLKZEROOUT
955 bool attempt_ioctl = true;
956 int request =
957 (operation.type() == InstallOperation::ZERO ? BLKZEROOUT : BLKDISCARD);
958 #else // !defined(BLKZEROOUT)
959 bool attempt_ioctl = false;
960 int request = 0;
961 #endif // !defined(BLKZEROOUT)
962
963 brillo::Blob zeros;
964 for (const Extent& extent : operation.dst_extents()) {
965 const uint64_t start = extent.start_block() * block_size_;
966 const uint64_t length = extent.num_blocks() * block_size_;
967 if (attempt_ioctl) {
968 int result = 0;
969 if (target_fd_->BlkIoctl(request, start, length, &result) && result == 0)
970 continue;
971 attempt_ioctl = false;
972 zeros.resize(16 * block_size_);
973 }
974 // In case of failure, we fall back to writing 0 to the selected region.
975 for (uint64_t offset = 0; offset < length; offset += zeros.size()) {
976 uint64_t chunk_length = min(length - offset,
977 static_cast<uint64_t>(zeros.size()));
978 TEST_AND_RETURN_FALSE(
979 utils::PWriteAll(target_fd_, zeros.data(), chunk_length, start + offset));
980 }
981 }
982 return true;
983 }
984
PerformMoveOperation(const InstallOperation & operation)985 bool DeltaPerformer::PerformMoveOperation(const InstallOperation& operation) {
986 // Calculate buffer size. Note, this function doesn't do a sliding
987 // window to copy in case the source and destination blocks overlap.
988 // If we wanted to do a sliding window, we could program the server
989 // to generate deltas that effectively did a sliding window.
990
991 uint64_t blocks_to_read = 0;
992 for (int i = 0; i < operation.src_extents_size(); i++)
993 blocks_to_read += operation.src_extents(i).num_blocks();
994
995 uint64_t blocks_to_write = 0;
996 for (int i = 0; i < operation.dst_extents_size(); i++)
997 blocks_to_write += operation.dst_extents(i).num_blocks();
998
999 DCHECK_EQ(blocks_to_write, blocks_to_read);
1000 brillo::Blob buf(blocks_to_write * block_size_);
1001
1002 // Read in bytes.
1003 ssize_t bytes_read = 0;
1004 for (int i = 0; i < operation.src_extents_size(); i++) {
1005 ssize_t bytes_read_this_iteration = 0;
1006 const Extent& extent = operation.src_extents(i);
1007 const size_t bytes = extent.num_blocks() * block_size_;
1008 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole);
1009 TEST_AND_RETURN_FALSE(utils::PReadAll(target_fd_,
1010 &buf[bytes_read],
1011 bytes,
1012 extent.start_block() * block_size_,
1013 &bytes_read_this_iteration));
1014 TEST_AND_RETURN_FALSE(
1015 bytes_read_this_iteration == static_cast<ssize_t>(bytes));
1016 bytes_read += bytes_read_this_iteration;
1017 }
1018
1019 // Write bytes out.
1020 ssize_t bytes_written = 0;
1021 for (int i = 0; i < operation.dst_extents_size(); i++) {
1022 const Extent& extent = operation.dst_extents(i);
1023 const size_t bytes = extent.num_blocks() * block_size_;
1024 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole);
1025 TEST_AND_RETURN_FALSE(utils::PWriteAll(target_fd_,
1026 &buf[bytes_written],
1027 bytes,
1028 extent.start_block() * block_size_));
1029 bytes_written += bytes;
1030 }
1031 DCHECK_EQ(bytes_written, bytes_read);
1032 DCHECK_EQ(bytes_written, static_cast<ssize_t>(buf.size()));
1033 return true;
1034 }
1035
1036 namespace {
1037
1038 // Takes |extents| and fills an empty vector |blocks| with a block index for
1039 // each block in |extents|. For example, [(3, 2), (8, 1)] would give [3, 4, 8].
ExtentsToBlocks(const RepeatedPtrField<Extent> & extents,vector<uint64_t> * blocks)1040 void ExtentsToBlocks(const RepeatedPtrField<Extent>& extents,
1041 vector<uint64_t>* blocks) {
1042 for (const Extent& ext : extents) {
1043 for (uint64_t j = 0; j < ext.num_blocks(); j++)
1044 blocks->push_back(ext.start_block() + j);
1045 }
1046 }
1047
1048 // Takes |extents| and returns the number of blocks in those extents.
GetBlockCount(const RepeatedPtrField<Extent> & extents)1049 uint64_t GetBlockCount(const RepeatedPtrField<Extent>& extents) {
1050 uint64_t sum = 0;
1051 for (const Extent& ext : extents) {
1052 sum += ext.num_blocks();
1053 }
1054 return sum;
1055 }
1056
1057 // Compare |calculated_hash| with source hash in |operation|, return false and
1058 // dump hash and set |error| if don't match.
ValidateSourceHash(const brillo::Blob & calculated_hash,const InstallOperation & operation,ErrorCode * error)1059 bool ValidateSourceHash(const brillo::Blob& calculated_hash,
1060 const InstallOperation& operation,
1061 ErrorCode* error) {
1062 brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(),
1063 operation.src_sha256_hash().end());
1064 if (calculated_hash != expected_source_hash) {
1065 LOG(ERROR) << "The hash of the source data on disk for this operation "
1066 << "doesn't match the expected value. This could mean that the "
1067 << "delta update payload was targeted for another version, or "
1068 << "that the source partition was modified after it was "
1069 << "installed, for example, by mounting a filesystem.";
1070 LOG(ERROR) << "Expected: sha256|hex = "
1071 << base::HexEncode(expected_source_hash.data(),
1072 expected_source_hash.size());
1073 LOG(ERROR) << "Calculated: sha256|hex = "
1074 << base::HexEncode(calculated_hash.data(),
1075 calculated_hash.size());
1076
1077 vector<string> source_extents;
1078 for (const Extent& ext : operation.src_extents()) {
1079 source_extents.push_back(
1080 base::StringPrintf("%" PRIu64 ":%" PRIu64,
1081 static_cast<uint64_t>(ext.start_block()),
1082 static_cast<uint64_t>(ext.num_blocks())));
1083 }
1084 LOG(ERROR) << "Operation source (offset:size) in blocks: "
1085 << base::JoinString(source_extents, ",");
1086
1087 *error = ErrorCode::kDownloadStateInitializationError;
1088 return false;
1089 }
1090 return true;
1091 }
1092
1093 } // namespace
1094
PerformSourceCopyOperation(const InstallOperation & operation,ErrorCode * error)1095 bool DeltaPerformer::PerformSourceCopyOperation(
1096 const InstallOperation& operation, ErrorCode* error) {
1097 if (operation.has_src_length())
1098 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0);
1099 if (operation.has_dst_length())
1100 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0);
1101
1102 uint64_t blocks_to_read = GetBlockCount(operation.src_extents());
1103 uint64_t blocks_to_write = GetBlockCount(operation.dst_extents());
1104 TEST_AND_RETURN_FALSE(blocks_to_write == blocks_to_read);
1105
1106 // Create vectors of all the individual src/dst blocks.
1107 vector<uint64_t> src_blocks;
1108 vector<uint64_t> dst_blocks;
1109 ExtentsToBlocks(operation.src_extents(), &src_blocks);
1110 ExtentsToBlocks(operation.dst_extents(), &dst_blocks);
1111 DCHECK_EQ(src_blocks.size(), blocks_to_read);
1112 DCHECK_EQ(src_blocks.size(), dst_blocks.size());
1113
1114 brillo::Blob buf(block_size_);
1115 ssize_t bytes_read = 0;
1116 HashCalculator source_hasher;
1117 // Read/write one block at a time.
1118 for (uint64_t i = 0; i < blocks_to_read; i++) {
1119 ssize_t bytes_read_this_iteration = 0;
1120 uint64_t src_block = src_blocks[i];
1121 uint64_t dst_block = dst_blocks[i];
1122
1123 // Read in bytes.
1124 TEST_AND_RETURN_FALSE(
1125 utils::PReadAll(source_fd_,
1126 buf.data(),
1127 block_size_,
1128 src_block * block_size_,
1129 &bytes_read_this_iteration));
1130
1131 // Write bytes out.
1132 TEST_AND_RETURN_FALSE(
1133 utils::PWriteAll(target_fd_,
1134 buf.data(),
1135 block_size_,
1136 dst_block * block_size_));
1137
1138 bytes_read += bytes_read_this_iteration;
1139 TEST_AND_RETURN_FALSE(bytes_read_this_iteration ==
1140 static_cast<ssize_t>(block_size_));
1141
1142 if (operation.has_src_sha256_hash())
1143 TEST_AND_RETURN_FALSE(source_hasher.Update(buf.data(), buf.size()));
1144 }
1145
1146 if (operation.has_src_sha256_hash()) {
1147 TEST_AND_RETURN_FALSE(source_hasher.Finalize());
1148 TEST_AND_RETURN_FALSE(
1149 ValidateSourceHash(source_hasher.raw_hash(), operation, error));
1150 }
1151
1152 DCHECK_EQ(bytes_read, static_cast<ssize_t>(blocks_to_read * block_size_));
1153 return true;
1154 }
1155
ExtentsToBsdiffPositionsString(const RepeatedPtrField<Extent> & extents,uint64_t block_size,uint64_t full_length,string * positions_string)1156 bool DeltaPerformer::ExtentsToBsdiffPositionsString(
1157 const RepeatedPtrField<Extent>& extents,
1158 uint64_t block_size,
1159 uint64_t full_length,
1160 string* positions_string) {
1161 string ret;
1162 uint64_t length = 0;
1163 for (const Extent& extent : extents) {
1164 int64_t start = extent.start_block() * block_size;
1165 uint64_t this_length =
1166 min(full_length - length,
1167 static_cast<uint64_t>(extent.num_blocks()) * block_size);
1168 ret += base::StringPrintf("%" PRIi64 ":%" PRIu64 ",", start, this_length);
1169 length += this_length;
1170 }
1171 TEST_AND_RETURN_FALSE(length == full_length);
1172 if (!ret.empty())
1173 ret.resize(ret.size() - 1); // Strip trailing comma off
1174 *positions_string = ret;
1175 return true;
1176 }
1177
PerformBsdiffOperation(const InstallOperation & operation)1178 bool DeltaPerformer::PerformBsdiffOperation(const InstallOperation& operation) {
1179 // Since we delete data off the beginning of the buffer as we use it,
1180 // the data we need should be exactly at the beginning of the buffer.
1181 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1182 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1183
1184 string input_positions;
1185 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(),
1186 block_size_,
1187 operation.src_length(),
1188 &input_positions));
1189 string output_positions;
1190 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(),
1191 block_size_,
1192 operation.dst_length(),
1193 &output_positions));
1194
1195 TEST_AND_RETURN_FALSE(bsdiff::bspatch(target_path_.c_str(),
1196 target_path_.c_str(),
1197 buffer_.data(),
1198 buffer_.size(),
1199 input_positions.c_str(),
1200 output_positions.c_str()) == 0);
1201 DiscardBuffer(true, buffer_.size());
1202
1203 if (operation.dst_length() % block_size_) {
1204 // Zero out rest of final block.
1205 // TODO(adlr): build this into bspatch; it's more efficient that way.
1206 const Extent& last_extent =
1207 operation.dst_extents(operation.dst_extents_size() - 1);
1208 const uint64_t end_byte =
1209 (last_extent.start_block() + last_extent.num_blocks()) * block_size_;
1210 const uint64_t begin_byte =
1211 end_byte - (block_size_ - operation.dst_length() % block_size_);
1212 brillo::Blob zeros(end_byte - begin_byte);
1213 TEST_AND_RETURN_FALSE(
1214 utils::PWriteAll(target_fd_, zeros.data(), end_byte - begin_byte, begin_byte));
1215 }
1216 return true;
1217 }
1218
PerformSourceBsdiffOperation(const InstallOperation & operation,ErrorCode * error)1219 bool DeltaPerformer::PerformSourceBsdiffOperation(
1220 const InstallOperation& operation, ErrorCode* error) {
1221 // Since we delete data off the beginning of the buffer as we use it,
1222 // the data we need should be exactly at the beginning of the buffer.
1223 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1224 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1225 if (operation.has_src_length())
1226 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0);
1227 if (operation.has_dst_length())
1228 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0);
1229
1230 if (operation.has_src_sha256_hash()) {
1231 HashCalculator source_hasher;
1232 const uint64_t kMaxBlocksToRead = 512; // 2MB if block size is 4KB
1233 brillo::Blob buf(kMaxBlocksToRead * block_size_);
1234 for (const Extent& extent : operation.src_extents()) {
1235 for (uint64_t i = 0; i < extent.num_blocks(); i += kMaxBlocksToRead) {
1236 uint64_t blocks_to_read = min(
1237 kMaxBlocksToRead, static_cast<uint64_t>(extent.num_blocks()) - i);
1238 ssize_t bytes_to_read = blocks_to_read * block_size_;
1239 ssize_t bytes_read_this_iteration = 0;
1240 TEST_AND_RETURN_FALSE(
1241 utils::PReadAll(source_fd_, buf.data(), bytes_to_read,
1242 (extent.start_block() + i) * block_size_,
1243 &bytes_read_this_iteration));
1244 TEST_AND_RETURN_FALSE(bytes_read_this_iteration == bytes_to_read);
1245 TEST_AND_RETURN_FALSE(source_hasher.Update(buf.data(), bytes_to_read));
1246 }
1247 }
1248 TEST_AND_RETURN_FALSE(source_hasher.Finalize());
1249 TEST_AND_RETURN_FALSE(
1250 ValidateSourceHash(source_hasher.raw_hash(), operation, error));
1251 }
1252
1253 string input_positions;
1254 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(),
1255 block_size_,
1256 operation.src_length(),
1257 &input_positions));
1258 string output_positions;
1259 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(),
1260 block_size_,
1261 operation.dst_length(),
1262 &output_positions));
1263
1264 TEST_AND_RETURN_FALSE(bsdiff::bspatch(source_path_.c_str(),
1265 target_path_.c_str(),
1266 buffer_.data(),
1267 buffer_.size(),
1268 input_positions.c_str(),
1269 output_positions.c_str()) == 0);
1270 DiscardBuffer(true, buffer_.size());
1271 return true;
1272 }
1273
ExtractSignatureMessageFromOperation(const InstallOperation & operation)1274 bool DeltaPerformer::ExtractSignatureMessageFromOperation(
1275 const InstallOperation& operation) {
1276 if (operation.type() != InstallOperation::REPLACE ||
1277 !manifest_.has_signatures_offset() ||
1278 manifest_.signatures_offset() != operation.data_offset()) {
1279 return false;
1280 }
1281 TEST_AND_RETURN_FALSE(manifest_.has_signatures_size() &&
1282 manifest_.signatures_size() == operation.data_length());
1283 TEST_AND_RETURN_FALSE(ExtractSignatureMessage());
1284 return true;
1285 }
1286
ExtractSignatureMessage()1287 bool DeltaPerformer::ExtractSignatureMessage() {
1288 TEST_AND_RETURN_FALSE(signatures_message_data_.empty());
1289 TEST_AND_RETURN_FALSE(buffer_offset_ == manifest_.signatures_offset());
1290 TEST_AND_RETURN_FALSE(buffer_.size() >= manifest_.signatures_size());
1291 signatures_message_data_.assign(
1292 buffer_.begin(),
1293 buffer_.begin() + manifest_.signatures_size());
1294
1295 // Save the signature blob because if the update is interrupted after the
1296 // download phase we don't go through this path anymore. Some alternatives to
1297 // consider:
1298 //
1299 // 1. On resume, re-download the signature blob from the server and re-verify
1300 // it.
1301 //
1302 // 2. Verify the signature as soon as it's received and don't checkpoint the
1303 // blob and the signed sha-256 context.
1304 LOG_IF(WARNING, !prefs_->SetString(kPrefsUpdateStateSignatureBlob,
1305 string(signatures_message_data_.begin(),
1306 signatures_message_data_.end())))
1307 << "Unable to store the signature blob.";
1308
1309 LOG(INFO) << "Extracted signature data of size "
1310 << manifest_.signatures_size() << " at "
1311 << manifest_.signatures_offset();
1312 return true;
1313 }
1314
GetPublicKeyFromResponse(base::FilePath * out_tmp_key)1315 bool DeltaPerformer::GetPublicKeyFromResponse(base::FilePath *out_tmp_key) {
1316 if (hardware_->IsOfficialBuild() ||
1317 utils::FileExists(public_key_path_.c_str()) ||
1318 install_plan_->public_key_rsa.empty())
1319 return false;
1320
1321 if (!utils::DecodeAndStoreBase64String(install_plan_->public_key_rsa,
1322 out_tmp_key))
1323 return false;
1324
1325 return true;
1326 }
1327
ValidateMetadataSignature(const brillo::Blob & payload)1328 ErrorCode DeltaPerformer::ValidateMetadataSignature(
1329 const brillo::Blob& payload) {
1330 if (payload.size() < metadata_size_ + metadata_signature_size_)
1331 return ErrorCode::kDownloadMetadataSignatureError;
1332
1333 brillo::Blob metadata_signature_blob, metadata_signature_protobuf_blob;
1334 if (!payload_->metadata_signature.empty()) {
1335 // Convert base64-encoded signature to raw bytes.
1336 if (!brillo::data_encoding::Base64Decode(payload_->metadata_signature,
1337 &metadata_signature_blob)) {
1338 LOG(ERROR) << "Unable to decode base64 metadata signature: "
1339 << payload_->metadata_signature;
1340 return ErrorCode::kDownloadMetadataSignatureError;
1341 }
1342 } else if (major_payload_version_ == kBrilloMajorPayloadVersion) {
1343 metadata_signature_protobuf_blob.assign(
1344 payload.begin() + metadata_size_,
1345 payload.begin() + metadata_size_ + metadata_signature_size_);
1346 }
1347
1348 if (metadata_signature_blob.empty() &&
1349 metadata_signature_protobuf_blob.empty()) {
1350 if (install_plan_->hash_checks_mandatory) {
1351 LOG(ERROR) << "Missing mandatory metadata signature in both Omaha "
1352 << "response and payload.";
1353 return ErrorCode::kDownloadMetadataSignatureMissingError;
1354 }
1355
1356 LOG(WARNING) << "Cannot validate metadata as the signature is empty";
1357 return ErrorCode::kSuccess;
1358 }
1359
1360 // See if we should use the public RSA key in the Omaha response.
1361 base::FilePath path_to_public_key(public_key_path_);
1362 base::FilePath tmp_key;
1363 if (GetPublicKeyFromResponse(&tmp_key))
1364 path_to_public_key = tmp_key;
1365 ScopedPathUnlinker tmp_key_remover(tmp_key.value());
1366 if (tmp_key.empty())
1367 tmp_key_remover.set_should_remove(false);
1368
1369 LOG(INFO) << "Verifying metadata hash signature using public key: "
1370 << path_to_public_key.value();
1371
1372 brillo::Blob calculated_metadata_hash;
1373 if (!HashCalculator::RawHashOfBytes(
1374 payload.data(), metadata_size_, &calculated_metadata_hash)) {
1375 LOG(ERROR) << "Unable to compute actual hash of manifest";
1376 return ErrorCode::kDownloadMetadataSignatureVerificationError;
1377 }
1378
1379 PayloadVerifier::PadRSA2048SHA256Hash(&calculated_metadata_hash);
1380 if (calculated_metadata_hash.empty()) {
1381 LOG(ERROR) << "Computed actual hash of metadata is empty.";
1382 return ErrorCode::kDownloadMetadataSignatureVerificationError;
1383 }
1384
1385 if (!metadata_signature_blob.empty()) {
1386 brillo::Blob expected_metadata_hash;
1387 if (!PayloadVerifier::GetRawHashFromSignature(metadata_signature_blob,
1388 path_to_public_key.value(),
1389 &expected_metadata_hash)) {
1390 LOG(ERROR) << "Unable to compute expected hash from metadata signature";
1391 return ErrorCode::kDownloadMetadataSignatureError;
1392 }
1393 if (calculated_metadata_hash != expected_metadata_hash) {
1394 LOG(ERROR) << "Manifest hash verification failed. Expected hash = ";
1395 utils::HexDumpVector(expected_metadata_hash);
1396 LOG(ERROR) << "Calculated hash = ";
1397 utils::HexDumpVector(calculated_metadata_hash);
1398 return ErrorCode::kDownloadMetadataSignatureMismatch;
1399 }
1400 } else {
1401 if (!PayloadVerifier::VerifySignature(metadata_signature_protobuf_blob,
1402 path_to_public_key.value(),
1403 calculated_metadata_hash)) {
1404 LOG(ERROR) << "Manifest hash verification failed.";
1405 return ErrorCode::kDownloadMetadataSignatureMismatch;
1406 }
1407 }
1408
1409 // The autoupdate_CatchBadSignatures test checks for this string in
1410 // log-files. Keep in sync.
1411 LOG(INFO) << "Metadata hash signature matches value in Omaha response.";
1412 return ErrorCode::kSuccess;
1413 }
1414
ValidateManifest()1415 ErrorCode DeltaPerformer::ValidateManifest() {
1416 // Perform assorted checks to sanity check the manifest, make sure it
1417 // matches data from other sources, and that it is a supported version.
1418
1419 bool has_old_fields =
1420 (manifest_.has_old_kernel_info() || manifest_.has_old_rootfs_info());
1421 for (const PartitionUpdate& partition : manifest_.partitions()) {
1422 has_old_fields = has_old_fields || partition.has_old_partition_info();
1423 }
1424
1425 // The presence of an old partition hash is the sole indicator for a delta
1426 // update.
1427 InstallPayloadType actual_payload_type =
1428 has_old_fields ? InstallPayloadType::kDelta : InstallPayloadType::kFull;
1429
1430 if (payload_->type == InstallPayloadType::kUnknown) {
1431 LOG(INFO) << "Detected a '"
1432 << InstallPayloadTypeToString(actual_payload_type)
1433 << "' payload.";
1434 payload_->type = actual_payload_type;
1435 } else if (payload_->type != actual_payload_type) {
1436 LOG(ERROR) << "InstallPlan expected a '"
1437 << InstallPayloadTypeToString(payload_->type)
1438 << "' payload but the downloaded manifest contains a '"
1439 << InstallPayloadTypeToString(actual_payload_type)
1440 << "' payload.";
1441 return ErrorCode::kPayloadMismatchedType;
1442 }
1443
1444 // Check that the minor version is compatible.
1445 if (actual_payload_type == InstallPayloadType::kFull) {
1446 if (manifest_.minor_version() != kFullPayloadMinorVersion) {
1447 LOG(ERROR) << "Manifest contains minor version "
1448 << manifest_.minor_version()
1449 << ", but all full payloads should have version "
1450 << kFullPayloadMinorVersion << ".";
1451 return ErrorCode::kUnsupportedMinorPayloadVersion;
1452 }
1453 } else {
1454 if (manifest_.minor_version() != supported_minor_version_) {
1455 LOG(ERROR) << "Manifest contains minor version "
1456 << manifest_.minor_version()
1457 << " not the supported "
1458 << supported_minor_version_;
1459 return ErrorCode::kUnsupportedMinorPayloadVersion;
1460 }
1461 }
1462
1463 if (major_payload_version_ != kChromeOSMajorPayloadVersion) {
1464 if (manifest_.has_old_rootfs_info() ||
1465 manifest_.has_new_rootfs_info() ||
1466 manifest_.has_old_kernel_info() ||
1467 manifest_.has_new_kernel_info() ||
1468 manifest_.install_operations_size() != 0 ||
1469 manifest_.kernel_install_operations_size() != 0) {
1470 LOG(ERROR) << "Manifest contains deprecated field only supported in "
1471 << "major payload version 1, but the payload major version is "
1472 << major_payload_version_;
1473 return ErrorCode::kPayloadMismatchedType;
1474 }
1475 }
1476
1477 if (manifest_.max_timestamp() < hardware_->GetBuildTimestamp()) {
1478 LOG(ERROR) << "The current OS build timestamp ("
1479 << hardware_->GetBuildTimestamp()
1480 << ") is newer than the maximum timestamp in the manifest ("
1481 << manifest_.max_timestamp() << ")";
1482 return ErrorCode::kPayloadTimestampError;
1483 }
1484
1485 // TODO(garnold) we should be adding more and more manifest checks, such as
1486 // partition boundaries etc (see chromium-os:37661).
1487
1488 return ErrorCode::kSuccess;
1489 }
1490
ValidateOperationHash(const InstallOperation & operation)1491 ErrorCode DeltaPerformer::ValidateOperationHash(
1492 const InstallOperation& operation) {
1493 if (!operation.data_sha256_hash().size()) {
1494 if (!operation.data_length()) {
1495 // Operations that do not have any data blob won't have any operation hash
1496 // either. So, these operations are always considered validated since the
1497 // metadata that contains all the non-data-blob portions of the operation
1498 // has already been validated. This is true for both HTTP and HTTPS cases.
1499 return ErrorCode::kSuccess;
1500 }
1501
1502 // No hash is present for an operation that has data blobs. This shouldn't
1503 // happen normally for any client that has this code, because the
1504 // corresponding update should have been produced with the operation
1505 // hashes. So if it happens it means either we've turned operation hash
1506 // generation off in DeltaDiffGenerator or it's a regression of some sort.
1507 // One caveat though: The last operation is a dummy signature operation
1508 // that doesn't have a hash at the time the manifest is created. So we
1509 // should not complaint about that operation. This operation can be
1510 // recognized by the fact that it's offset is mentioned in the manifest.
1511 if (manifest_.signatures_offset() &&
1512 manifest_.signatures_offset() == operation.data_offset()) {
1513 LOG(INFO) << "Skipping hash verification for signature operation "
1514 << next_operation_num_ + 1;
1515 } else {
1516 if (install_plan_->hash_checks_mandatory) {
1517 LOG(ERROR) << "Missing mandatory operation hash for operation "
1518 << next_operation_num_ + 1;
1519 return ErrorCode::kDownloadOperationHashMissingError;
1520 }
1521
1522 LOG(WARNING) << "Cannot validate operation " << next_operation_num_ + 1
1523 << " as there's no operation hash in manifest";
1524 }
1525 return ErrorCode::kSuccess;
1526 }
1527
1528 brillo::Blob expected_op_hash;
1529 expected_op_hash.assign(operation.data_sha256_hash().data(),
1530 (operation.data_sha256_hash().data() +
1531 operation.data_sha256_hash().size()));
1532
1533 brillo::Blob calculated_op_hash;
1534 if (!HashCalculator::RawHashOfBytes(
1535 buffer_.data(), operation.data_length(), &calculated_op_hash)) {
1536 LOG(ERROR) << "Unable to compute actual hash of operation "
1537 << next_operation_num_;
1538 return ErrorCode::kDownloadOperationHashVerificationError;
1539 }
1540
1541 if (calculated_op_hash != expected_op_hash) {
1542 LOG(ERROR) << "Hash verification failed for operation "
1543 << next_operation_num_ << ". Expected hash = ";
1544 utils::HexDumpVector(expected_op_hash);
1545 LOG(ERROR) << "Calculated hash over " << operation.data_length()
1546 << " bytes at offset: " << operation.data_offset() << " = ";
1547 utils::HexDumpVector(calculated_op_hash);
1548 return ErrorCode::kDownloadOperationHashMismatch;
1549 }
1550
1551 return ErrorCode::kSuccess;
1552 }
1553
1554 #define TEST_AND_RETURN_VAL(_retval, _condition) \
1555 do { \
1556 if (!(_condition)) { \
1557 LOG(ERROR) << "VerifyPayload failure: " << #_condition; \
1558 return _retval; \
1559 } \
1560 } while (0);
1561
VerifyPayload(const brillo::Blob & update_check_response_hash,const uint64_t update_check_response_size)1562 ErrorCode DeltaPerformer::VerifyPayload(
1563 const brillo::Blob& update_check_response_hash,
1564 const uint64_t update_check_response_size) {
1565
1566 // See if we should use the public RSA key in the Omaha response.
1567 base::FilePath path_to_public_key(public_key_path_);
1568 base::FilePath tmp_key;
1569 if (GetPublicKeyFromResponse(&tmp_key))
1570 path_to_public_key = tmp_key;
1571 ScopedPathUnlinker tmp_key_remover(tmp_key.value());
1572 if (tmp_key.empty())
1573 tmp_key_remover.set_should_remove(false);
1574
1575 LOG(INFO) << "Verifying payload using public key: "
1576 << path_to_public_key.value();
1577
1578 // Verifies the download size.
1579 TEST_AND_RETURN_VAL(ErrorCode::kPayloadSizeMismatchError,
1580 update_check_response_size ==
1581 metadata_size_ + metadata_signature_size_ +
1582 buffer_offset_);
1583
1584 // Verifies the payload hash.
1585 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadVerificationError,
1586 !payload_hash_calculator_.raw_hash().empty());
1587 TEST_AND_RETURN_VAL(
1588 ErrorCode::kPayloadHashMismatchError,
1589 payload_hash_calculator_.raw_hash() == update_check_response_hash);
1590
1591 // Verifies the signed payload hash.
1592 if (!utils::FileExists(path_to_public_key.value().c_str())) {
1593 LOG(WARNING) << "Not verifying signed delta payload -- missing public key.";
1594 return ErrorCode::kSuccess;
1595 }
1596 TEST_AND_RETURN_VAL(ErrorCode::kSignedDeltaPayloadExpectedError,
1597 !signatures_message_data_.empty());
1598 brillo::Blob hash_data = signed_hash_calculator_.raw_hash();
1599 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError,
1600 PayloadVerifier::PadRSA2048SHA256Hash(&hash_data));
1601 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError,
1602 !hash_data.empty());
1603
1604 if (!PayloadVerifier::VerifySignature(
1605 signatures_message_data_, path_to_public_key.value(), hash_data)) {
1606 // The autoupdate_CatchBadSignatures test checks for this string
1607 // in log-files. Keep in sync.
1608 LOG(ERROR) << "Public key verification failed, thus update failed.";
1609 return ErrorCode::kDownloadPayloadPubKeyVerificationError;
1610 }
1611
1612 LOG(INFO) << "Payload hash matches value in payload.";
1613
1614 // At this point, we are guaranteed to have downloaded a full payload, i.e
1615 // the one whose size matches the size mentioned in Omaha response. If any
1616 // errors happen after this, it's likely a problem with the payload itself or
1617 // the state of the system and not a problem with the URL or network. So,
1618 // indicate that to the download delegate so that AU can backoff
1619 // appropriately.
1620 if (download_delegate_)
1621 download_delegate_->DownloadComplete();
1622
1623 return ErrorCode::kSuccess;
1624 }
1625
DiscardBuffer(bool do_advance_offset,size_t signed_hash_buffer_size)1626 void DeltaPerformer::DiscardBuffer(bool do_advance_offset,
1627 size_t signed_hash_buffer_size) {
1628 // Update the buffer offset.
1629 if (do_advance_offset)
1630 buffer_offset_ += buffer_.size();
1631
1632 // Hash the content.
1633 payload_hash_calculator_.Update(buffer_.data(), buffer_.size());
1634 signed_hash_calculator_.Update(buffer_.data(), signed_hash_buffer_size);
1635
1636 // Swap content with an empty vector to ensure that all memory is released.
1637 brillo::Blob().swap(buffer_);
1638 }
1639
CanResumeUpdate(PrefsInterface * prefs,const string & update_check_response_hash)1640 bool DeltaPerformer::CanResumeUpdate(PrefsInterface* prefs,
1641 const string& update_check_response_hash) {
1642 int64_t next_operation = kUpdateStateOperationInvalid;
1643 if (!(prefs->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) &&
1644 next_operation != kUpdateStateOperationInvalid &&
1645 next_operation > 0))
1646 return false;
1647
1648 string interrupted_hash;
1649 if (!(prefs->GetString(kPrefsUpdateCheckResponseHash, &interrupted_hash) &&
1650 !interrupted_hash.empty() &&
1651 interrupted_hash == update_check_response_hash))
1652 return false;
1653
1654 int64_t resumed_update_failures;
1655 // Note that storing this value is optional, but if it is there it should not
1656 // be more than the limit.
1657 if (prefs->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures) &&
1658 resumed_update_failures > kMaxResumedUpdateFailures)
1659 return false;
1660
1661 // Sanity check the rest.
1662 int64_t next_data_offset = -1;
1663 if (!(prefs->GetInt64(kPrefsUpdateStateNextDataOffset, &next_data_offset) &&
1664 next_data_offset >= 0))
1665 return false;
1666
1667 string sha256_context;
1668 if (!(prefs->GetString(kPrefsUpdateStateSHA256Context, &sha256_context) &&
1669 !sha256_context.empty()))
1670 return false;
1671
1672 int64_t manifest_metadata_size = 0;
1673 if (!(prefs->GetInt64(kPrefsManifestMetadataSize, &manifest_metadata_size) &&
1674 manifest_metadata_size > 0))
1675 return false;
1676
1677 int64_t manifest_signature_size = 0;
1678 if (!(prefs->GetInt64(kPrefsManifestSignatureSize,
1679 &manifest_signature_size) &&
1680 manifest_signature_size >= 0))
1681 return false;
1682
1683 return true;
1684 }
1685
ResetUpdateProgress(PrefsInterface * prefs,bool quick)1686 bool DeltaPerformer::ResetUpdateProgress(PrefsInterface* prefs, bool quick) {
1687 TEST_AND_RETURN_FALSE(prefs->SetInt64(kPrefsUpdateStateNextOperation,
1688 kUpdateStateOperationInvalid));
1689 if (!quick) {
1690 prefs->SetInt64(kPrefsUpdateStateNextDataOffset, -1);
1691 prefs->SetInt64(kPrefsUpdateStateNextDataLength, 0);
1692 prefs->SetString(kPrefsUpdateStateSHA256Context, "");
1693 prefs->SetString(kPrefsUpdateStateSignedSHA256Context, "");
1694 prefs->SetString(kPrefsUpdateStateSignatureBlob, "");
1695 prefs->SetInt64(kPrefsManifestMetadataSize, -1);
1696 prefs->SetInt64(kPrefsManifestSignatureSize, -1);
1697 prefs->SetInt64(kPrefsResumedUpdateFailures, 0);
1698 }
1699 return true;
1700 }
1701
CheckpointUpdateProgress()1702 bool DeltaPerformer::CheckpointUpdateProgress() {
1703 Terminator::set_exit_blocked(true);
1704 if (last_updated_buffer_offset_ != buffer_offset_) {
1705 // Resets the progress in case we die in the middle of the state update.
1706 ResetUpdateProgress(prefs_, true);
1707 TEST_AND_RETURN_FALSE(
1708 prefs_->SetString(kPrefsUpdateStateSHA256Context,
1709 payload_hash_calculator_.GetContext()));
1710 TEST_AND_RETURN_FALSE(
1711 prefs_->SetString(kPrefsUpdateStateSignedSHA256Context,
1712 signed_hash_calculator_.GetContext()));
1713 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataOffset,
1714 buffer_offset_));
1715 last_updated_buffer_offset_ = buffer_offset_;
1716
1717 if (next_operation_num_ < num_total_operations_) {
1718 size_t partition_index = current_partition_;
1719 while (next_operation_num_ >= acc_num_operations_[partition_index])
1720 partition_index++;
1721 const size_t partition_operation_num = next_operation_num_ - (
1722 partition_index ? acc_num_operations_[partition_index - 1] : 0);
1723 const InstallOperation& op =
1724 partitions_[partition_index].operations(partition_operation_num);
1725 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength,
1726 op.data_length()));
1727 } else {
1728 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength,
1729 0));
1730 }
1731 }
1732 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextOperation,
1733 next_operation_num_));
1734 return true;
1735 }
1736
PrimeUpdateState()1737 bool DeltaPerformer::PrimeUpdateState() {
1738 CHECK(manifest_valid_);
1739 block_size_ = manifest_.block_size();
1740
1741 int64_t next_operation = kUpdateStateOperationInvalid;
1742 if (!prefs_->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) ||
1743 next_operation == kUpdateStateOperationInvalid ||
1744 next_operation <= 0) {
1745 // Initiating a new update, no more state needs to be initialized.
1746 return true;
1747 }
1748 next_operation_num_ = next_operation;
1749
1750 // Resuming an update -- load the rest of the update state.
1751 int64_t next_data_offset = -1;
1752 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsUpdateStateNextDataOffset,
1753 &next_data_offset) &&
1754 next_data_offset >= 0);
1755 buffer_offset_ = next_data_offset;
1756
1757 // The signed hash context and the signature blob may be empty if the
1758 // interrupted update didn't reach the signature.
1759 string signed_hash_context;
1760 if (prefs_->GetString(kPrefsUpdateStateSignedSHA256Context,
1761 &signed_hash_context)) {
1762 TEST_AND_RETURN_FALSE(
1763 signed_hash_calculator_.SetContext(signed_hash_context));
1764 }
1765
1766 string signature_blob;
1767 if (prefs_->GetString(kPrefsUpdateStateSignatureBlob, &signature_blob)) {
1768 signatures_message_data_.assign(signature_blob.begin(),
1769 signature_blob.end());
1770 }
1771
1772 string hash_context;
1773 TEST_AND_RETURN_FALSE(prefs_->GetString(kPrefsUpdateStateSHA256Context,
1774 &hash_context) &&
1775 payload_hash_calculator_.SetContext(hash_context));
1776
1777 int64_t manifest_metadata_size = 0;
1778 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsManifestMetadataSize,
1779 &manifest_metadata_size) &&
1780 manifest_metadata_size > 0);
1781 metadata_size_ = manifest_metadata_size;
1782
1783 int64_t manifest_signature_size = 0;
1784 TEST_AND_RETURN_FALSE(
1785 prefs_->GetInt64(kPrefsManifestSignatureSize, &manifest_signature_size) &&
1786 manifest_signature_size >= 0);
1787 metadata_signature_size_ = manifest_signature_size;
1788
1789 // Advance the download progress to reflect what doesn't need to be
1790 // re-downloaded.
1791 total_bytes_received_ += buffer_offset_;
1792
1793 // Speculatively count the resume as a failure.
1794 int64_t resumed_update_failures;
1795 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) {
1796 resumed_update_failures++;
1797 } else {
1798 resumed_update_failures = 1;
1799 }
1800 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures);
1801 return true;
1802 }
1803
1804 } // namespace chromeos_update_engine
1805