439 lines
19 KiB
Protocol Buffer
439 lines
19 KiB
Protocol Buffer
//
|
|
// Copyright (C) 2010 The Android Open Source Project
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
//
|
|
|
|
// Update file format: An update file contains all the operations needed
|
|
// to update a system to a specific version. It can be a full payload which
|
|
// can update from any version, or a delta payload which can only update
|
|
// from a specific version.
|
|
// The update format is represented by this struct pseudocode:
|
|
// struct delta_update_file {
|
|
// char magic[4] = "CrAU";
|
|
// uint64 file_format_version; // payload major version
|
|
// uint64 manifest_size; // Size of protobuf DeltaArchiveManifest
|
|
//
|
|
// // Only present if format_version >= 2:
|
|
// uint32 metadata_signature_size;
|
|
//
|
|
// // The DeltaArchiveManifest protobuf serialized, not compressed.
|
|
// char manifest[manifest_size];
|
|
//
|
|
// // The signature of the metadata (from the beginning of the payload up to
|
|
// // this location, not including the signature itself). This is a serialized
|
|
// // Signatures message.
|
|
// char metadata_signature_message[metadata_signature_size];
|
|
//
|
|
// // Data blobs for files, no specific format. The specific offset
|
|
// // and length of each data blob is recorded in the DeltaArchiveManifest.
|
|
// struct {
|
|
// char data[];
|
|
// } blobs[];
|
|
//
|
|
// // The signature of the entire payload, everything up to this location,
|
|
// // except that metadata_signature_message is skipped to simplify signing
|
|
// // process. These two are not signed:
|
|
// uint64 payload_signatures_message_size;
|
|
// // This is a serialized Signatures message.
|
|
// char payload_signatures_message[payload_signatures_message_size];
|
|
//
|
|
// };
|
|
|
|
// The DeltaArchiveManifest protobuf is an ordered list of InstallOperation
|
|
// objects. These objects are stored in a linear array in the
|
|
// DeltaArchiveManifest. Each operation is applied in order by the client.
|
|
|
|
// The DeltaArchiveManifest also contains the initial and final
|
|
// checksums for the device.
|
|
|
|
// The client will perform each InstallOperation in order, beginning even
|
|
// before the entire delta file is downloaded (but after at least the
|
|
// protobuf is downloaded). The types of operations are explained:
|
|
// - REPLACE: Replace the dst_extents on the drive with the attached data,
|
|
// zero padding out to block size.
|
|
// - REPLACE_BZ: bzip2-uncompress the attached data and write it into
|
|
// dst_extents on the drive, zero padding to block size.
|
|
// - MOVE: Copy the data in src_extents to dst_extents. Extents may overlap,
|
|
// so it may be desirable to read all src_extents data into memory before
|
|
// writing it out. (deprecated)
|
|
// - SOURCE_COPY: Copy the data in src_extents in the old partition to
|
|
// dst_extents in the new partition. There's no overlapping of data because
|
|
// the extents are in different partitions.
|
|
// - BSDIFF: Read src_length bytes from src_extents into memory, perform
|
|
// bspatch with attached data, write new data to dst_extents, zero padding
|
|
// to block size. (deprecated)
|
|
// - SOURCE_BSDIFF: Read the data in src_extents in the old partition, perform
|
|
// bspatch with the attached data and write the new data to dst_extents in the
|
|
// new partition.
|
|
// - ZERO: Write zeros to the destination dst_extents.
|
|
// - DISCARD: Discard the destination dst_extents blocks on the physical medium.
|
|
// the data read from those blocks is undefined.
|
|
// - REPLACE_XZ: Replace the dst_extents with the contents of the attached
|
|
// xz file after decompression. The xz file should only use crc32 or no crc at
|
|
// all to be compatible with xz-embedded.
|
|
// - PUFFDIFF: Read the data in src_extents in the old partition, perform
|
|
// puffpatch with the attached data and write the new data to dst_extents in
|
|
// the new partition.
|
|
//
|
|
// The operations allowed in the payload (supported by the client) depend on the
|
|
// major and minor version. See InstallOperation.Type below for details.
|
|
|
|
syntax = "proto2";
|
|
|
|
package chromeos_update_engine;
|
|
option optimize_for = LITE_RUNTIME;
|
|
|
|
// Data is packed into blocks on disk, always starting from the beginning
|
|
// of the block. If a file's data is too large for one block, it overflows
|
|
// into another block, which may or may not be the following block on the
|
|
// physical partition. An ordered list of extents is another
|
|
// representation of an ordered list of blocks. For example, a file stored
|
|
// in blocks 9, 10, 11, 2, 18, 12 (in that order) would be stored in
|
|
// extents { {9, 3}, {2, 1}, {18, 1}, {12, 1} } (in that order).
|
|
// In general, files are stored sequentially on disk, so it's more efficient
|
|
// to use extents to encode the block lists (this is effectively
|
|
// run-length encoding).
|
|
// A sentinel value (kuint64max) as the start block denotes a sparse-hole
|
|
// in a file whose block-length is specified by num_blocks.
|
|
|
|
message Extent {
|
|
optional uint64 start_block = 1;
|
|
optional uint64 num_blocks = 2;
|
|
}
|
|
|
|
// Signatures: Updates may be signed by the OS vendor. The client verifies
|
|
// an update's signature by hashing the entire download. The section of the
|
|
// download that contains the signature is at the end of the file, so when
|
|
// signing a file, only the part up to the signature part is signed.
|
|
// Then, the client looks inside the download's Signatures message for a
|
|
// Signature message that it knows how to handle. Generally, a client will
|
|
// only know how to handle one type of signature, but an update may contain
|
|
// many signatures to support many different types of client. Then client
|
|
// selects a Signature message and uses that, along with a known public key,
|
|
// to verify the download. The public key is expected to be part of the
|
|
// client.
|
|
|
|
message Signatures {
|
|
message Signature {
|
|
optional uint32 version = 1 [deprecated = true];
|
|
optional bytes data = 2;
|
|
|
|
// The DER encoded signature size of EC keys is nondeterministic for
|
|
// different input of sha256 hash. However, we need the size of the
|
|
// serialized signatures protobuf string to be fixed before signing;
|
|
// because this size is part of the content to be signed. Therefore, we
|
|
// always pad the signature data to the maximum possible signature size of
|
|
// a given key. And the payload verifier will truncate the signature to
|
|
// its correct size based on the value of |unpadded_signature_size|.
|
|
optional fixed32 unpadded_signature_size = 3;
|
|
}
|
|
repeated Signature signatures = 1;
|
|
}
|
|
|
|
message PartitionInfo {
|
|
optional uint64 size = 1;
|
|
optional bytes hash = 2;
|
|
}
|
|
|
|
// Describe an image we are based on in a human friendly way.
|
|
// Examples:
|
|
// dev-channel, x86-alex, 1.2.3, mp-v3
|
|
// nplusone-channel, x86-alex, 1.2.4, mp-v3, dev-channel, 1.2.3
|
|
//
|
|
// All fields will be set, if this message is present.
|
|
message ImageInfo {
|
|
optional string board = 1 [deprecated = true];
|
|
optional string key = 2 [deprecated = true];
|
|
optional string channel = 3 [deprecated = true];
|
|
optional string version = 4 [deprecated = true];
|
|
|
|
// If these values aren't present, they should be assumed to match
|
|
// the equivalent value above. They are normally only different for
|
|
// special image types such as nplusone images.
|
|
optional string build_channel = 5 [deprecated = true];
|
|
optional string build_version = 6 [deprecated = true];
|
|
}
|
|
|
|
message InstallOperation {
|
|
enum Type {
|
|
REPLACE = 0; // Replace destination extents w/ attached data.
|
|
REPLACE_BZ = 1; // Replace destination extents w/ attached bzipped data.
|
|
MOVE = 2 [deprecated = true]; // Move source extents to target extents.
|
|
BSDIFF = 3 [deprecated = true]; // The data is a bsdiff binary diff.
|
|
|
|
// On minor version 2 or newer, these operations are supported:
|
|
SOURCE_COPY = 4; // Copy from source to target partition
|
|
SOURCE_BSDIFF = 5; // Like BSDIFF, but read from source partition
|
|
|
|
// On minor version 3 or newer and on major version 2 or newer, these
|
|
// operations are supported:
|
|
REPLACE_XZ = 8; // Replace destination extents w/ attached xz data.
|
|
|
|
// On minor version 4 or newer, these operations are supported:
|
|
ZERO = 6; // Write zeros in the destination.
|
|
DISCARD = 7; // Discard the destination blocks, reading as undefined.
|
|
BROTLI_BSDIFF = 10; // Like SOURCE_BSDIFF, but compressed with brotli.
|
|
|
|
// On minor version 5 or newer, these operations are supported:
|
|
PUFFDIFF = 9; // The data is in puffdiff format.
|
|
}
|
|
required Type type = 1;
|
|
|
|
// Only minor version 6 or newer support 64 bits |data_offset| and
|
|
// |data_length|, older client will read them as uint32.
|
|
// The offset into the delta file (after the protobuf)
|
|
// where the data (if any) is stored
|
|
optional uint64 data_offset = 2;
|
|
// The length of the data in the delta file
|
|
optional uint64 data_length = 3;
|
|
|
|
// Ordered list of extents that are read from (if any) and written to.
|
|
repeated Extent src_extents = 4;
|
|
// Byte length of src, equal to the number of blocks in src_extents *
|
|
// block_size. It is used for BSDIFF and SOURCE_BSDIFF, because we need to
|
|
// pass that external program the number of bytes to read from the blocks we
|
|
// pass it. This is not used in any other operation.
|
|
optional uint64 src_length = 5;
|
|
|
|
repeated Extent dst_extents = 6;
|
|
// Byte length of dst, equal to the number of blocks in dst_extents *
|
|
// block_size. Used for BSDIFF and SOURCE_BSDIFF, but not in any other
|
|
// operation.
|
|
optional uint64 dst_length = 7;
|
|
|
|
// Optional SHA 256 hash of the blob associated with this operation.
|
|
// This is used as a primary validation for http-based downloads and
|
|
// as a defense-in-depth validation for https-based downloads. If
|
|
// the operation doesn't refer to any blob, this field will have
|
|
// zero bytes.
|
|
optional bytes data_sha256_hash = 8;
|
|
|
|
// Indicates the SHA 256 hash of the source data referenced in src_extents at
|
|
// the time of applying the operation. If present, the update_engine daemon
|
|
// MUST read and verify the source data before applying the operation.
|
|
optional bytes src_sha256_hash = 9;
|
|
}
|
|
|
|
// Hints to VAB snapshot to skip writing some blocks if these blocks are
|
|
// identical to the ones on the source image. The src & dst extents for each
|
|
// CowMergeOperation should be contiguous, and they're a subset of an OTA
|
|
// InstallOperation.
|
|
// During merge time, we need to follow the pre-computed sequence to avoid
|
|
// read after write, similar to the inplace update schema.
|
|
message CowMergeOperation {
|
|
enum Type {
|
|
COW_COPY = 0; // identical blocks
|
|
}
|
|
optional Type type = 1;
|
|
|
|
optional Extent src_extent = 2;
|
|
optional Extent dst_extent = 3;
|
|
}
|
|
|
|
// Describes the update to apply to a single partition.
|
|
message PartitionUpdate {
|
|
// A platform-specific name to identify the partition set being updated. For
|
|
// example, in Chrome OS this could be "ROOT" or "KERNEL".
|
|
required string partition_name = 1;
|
|
|
|
// Whether this partition carries a filesystem with post-install program that
|
|
// must be run to finalize the update process. See also |postinstall_path| and
|
|
// |filesystem_type|.
|
|
optional bool run_postinstall = 2;
|
|
|
|
// The path of the executable program to run during the post-install step,
|
|
// relative to the root of this filesystem. If not set, the default "postinst"
|
|
// will be used. This setting is only used when |run_postinstall| is set and
|
|
// true.
|
|
optional string postinstall_path = 3;
|
|
|
|
// The filesystem type as passed to the mount(2) syscall when mounting the new
|
|
// filesystem to run the post-install program. If not set, a fixed list of
|
|
// filesystems will be attempted. This setting is only used if
|
|
// |run_postinstall| is set and true.
|
|
optional string filesystem_type = 4;
|
|
|
|
// If present, a list of signatures of the new_partition_info.hash signed with
|
|
// different keys. If the update_engine daemon requires vendor-signed images
|
|
// and has its public key installed, one of the signatures should be valid
|
|
// for /postinstall to run.
|
|
repeated Signatures.Signature new_partition_signature = 5;
|
|
|
|
optional PartitionInfo old_partition_info = 6;
|
|
optional PartitionInfo new_partition_info = 7;
|
|
|
|
// The list of operations to be performed to apply this PartitionUpdate. The
|
|
// associated operation blobs (in operations[i].data_offset, data_length)
|
|
// should be stored contiguously and in the same order.
|
|
repeated InstallOperation operations = 8;
|
|
|
|
// Whether a failure in the postinstall step for this partition should be
|
|
// ignored.
|
|
optional bool postinstall_optional = 9;
|
|
|
|
// On minor version 6 or newer, these fields are supported:
|
|
|
|
// The extent for data covered by verity hash tree.
|
|
optional Extent hash_tree_data_extent = 10;
|
|
|
|
// The extent to store verity hash tree.
|
|
optional Extent hash_tree_extent = 11;
|
|
|
|
// The hash algorithm used in verity hash tree.
|
|
optional string hash_tree_algorithm = 12;
|
|
|
|
// The salt used for verity hash tree.
|
|
optional bytes hash_tree_salt = 13;
|
|
|
|
// The extent for data covered by FEC.
|
|
optional Extent fec_data_extent = 14;
|
|
|
|
// The extent to store FEC.
|
|
optional Extent fec_extent = 15;
|
|
|
|
// The number of FEC roots.
|
|
optional uint32 fec_roots = 16 [default = 2];
|
|
|
|
// Per-partition version used for downgrade detection, added
|
|
// as an effort to support partial updates. For most partitions,
|
|
// this is the build timestamp.
|
|
optional string version = 17;
|
|
|
|
// A sorted list of CowMergeOperation. When writing cow, we can choose to
|
|
// skip writing the raw bytes for these extents. During snapshot merge, the
|
|
// bytes will read from the source partitions instead.
|
|
repeated CowMergeOperation merge_operations = 18;
|
|
|
|
// Estimated size for COW image. This is used by libsnapshot
|
|
// as a hint. If set to 0, libsnapshot should use alternative
|
|
// methods for estimating size.
|
|
optional uint64 estimate_cow_size = 19;
|
|
}
|
|
|
|
message DynamicPartitionGroup {
|
|
// Name of the group.
|
|
required string name = 1;
|
|
|
|
// Maximum size of the group. The sum of sizes of all partitions in the group
|
|
// must not exceed the maximum size of the group.
|
|
optional uint64 size = 2;
|
|
|
|
// A list of partitions that belong to the group.
|
|
repeated string partition_names = 3;
|
|
}
|
|
|
|
// Metadata related to all dynamic partitions.
|
|
message DynamicPartitionMetadata {
|
|
// All updatable groups present in |partitions| of this DeltaArchiveManifest.
|
|
// - If an updatable group is on the device but not in the manifest, it is
|
|
// not updated. Hence, the group will not be resized, and partitions cannot
|
|
// be added to or removed from the group.
|
|
// - If an updatable group is in the manifest but not on the device, the group
|
|
// is added to the device.
|
|
repeated DynamicPartitionGroup groups = 1;
|
|
|
|
// Whether dynamic partitions have snapshots during the update. If this is
|
|
// set to true, the update_engine daemon creates snapshots for all dynamic
|
|
// partitions if possible. If this is unset, the update_engine daemon MUST
|
|
// NOT create snapshots for dynamic partitions.
|
|
optional bool snapshot_enabled = 2;
|
|
|
|
// If this is set to false, update_engine should not use VABC regardless. If
|
|
// this is set to true, update_engine may choose to use VABC if device
|
|
// supports it, but not guaranteed.
|
|
// VABC stands for Virtual AB Compression
|
|
optional bool vabc_enabled = 3;
|
|
|
|
// The compression algorithm used by VABC. Available ones are "gz", "brotli".
|
|
// See system/core/fs_mgr/libsnapshot/cow_writer.cpp for available options,
|
|
// as this parameter is ultimated forwarded to libsnapshot's CowWriter
|
|
optional string vabc_compression_param = 4;
|
|
|
|
// COW version used by VABC. The represents the major version in the COW
|
|
// header
|
|
optional uint32 cow_version = 5;
|
|
}
|
|
|
|
// Definition has been duplicated from
|
|
// $ANDROID_BUILD_TOP/build/tools/releasetools/ota_metadata.proto. Keep in sync.
|
|
message ApexInfo {
|
|
optional string package_name = 1;
|
|
optional int64 version = 2;
|
|
optional bool is_compressed = 3;
|
|
optional int64 decompressed_size = 4;
|
|
}
|
|
|
|
// Definition has been duplicated from
|
|
// $ANDROID_BUILD_TOP/build/tools/releasetools/ota_metadata.proto. Keep in sync.
|
|
message ApexMetadata {
|
|
repeated ApexInfo apex_info = 1;
|
|
}
|
|
|
|
message DeltaArchiveManifest {
|
|
// Only present in major version = 1. List of install operations for the
|
|
// kernel and rootfs partitions. For major version = 2 see the |partitions|
|
|
// field.
|
|
repeated InstallOperation install_operations = 1 [deprecated = true];
|
|
repeated InstallOperation kernel_install_operations = 2 [deprecated = true];
|
|
|
|
// (At time of writing) usually 4096
|
|
optional uint32 block_size = 3 [default = 4096];
|
|
|
|
// If signatures are present, the offset into the blobs, generally
|
|
// tacked onto the end of the file, and the length. We use an offset
|
|
// rather than a bool to allow for more flexibility in future file formats.
|
|
// If either is absent, it means signatures aren't supported in this
|
|
// file.
|
|
optional uint64 signatures_offset = 4;
|
|
optional uint64 signatures_size = 5;
|
|
|
|
// Only present in major version = 1. Partition metadata used to validate the
|
|
// update. For major version = 2 see the |partitions| field.
|
|
optional PartitionInfo old_kernel_info = 6 [deprecated = true];
|
|
optional PartitionInfo new_kernel_info = 7 [deprecated = true];
|
|
optional PartitionInfo old_rootfs_info = 8 [deprecated = true];
|
|
optional PartitionInfo new_rootfs_info = 9 [deprecated = true];
|
|
|
|
// old_image_info will only be present for delta images.
|
|
optional ImageInfo old_image_info = 10 [deprecated = true];
|
|
|
|
optional ImageInfo new_image_info = 11 [deprecated = true];
|
|
|
|
// The minor version, also referred as "delta version", of the payload.
|
|
// Minor version 0 is full payload, everything else is delta payload.
|
|
optional uint32 minor_version = 12 [default = 0];
|
|
|
|
// Only present in major version >= 2. List of partitions that will be
|
|
// updated, in the order they will be updated. This field replaces the
|
|
// |install_operations|, |kernel_install_operations| and the
|
|
// |{old,new}_{kernel,rootfs}_info| fields used in major version = 1. This
|
|
// array can have more than two partitions if needed, and they are identified
|
|
// by the partition name.
|
|
repeated PartitionUpdate partitions = 13;
|
|
|
|
// The maximum timestamp of the OS allowed to apply this payload.
|
|
// Can be used to prevent downgrading the OS.
|
|
optional int64 max_timestamp = 14;
|
|
|
|
// Metadata related to all dynamic partitions.
|
|
optional DynamicPartitionMetadata dynamic_partition_metadata = 15;
|
|
|
|
// If the payload only updates a subset of partitions on the device.
|
|
optional bool partial_update = 16;
|
|
|
|
// Information on compressed APEX to figure out how much space is required for
|
|
// their decompression
|
|
repeated ApexInfo apex_info = 17;
|
|
}
|