We already added support on device to write verity. Flipping a flag in
ota generation tools to enable verity.
Test: th && running OTA repeatedly on bramble
Change-Id: Id1639f644eb8c23f97e171264702a7872f41411a
In aosp/1581143 , we banned generation of SPL downgrade OTAs. However,
caller of OTA script can still force an SPL downgrade OTA by passing
--spl_downgrade flag. If this flag is specified, we propagate it to OTA
metadata so that GOTA server can properly honor this flag.
Test: th
Change-Id: Ic8cdc850d2210f4149ad9121fa4ed2e5a4f59bcc
At the end of OTA generation, we will use some private key to sign the
OTA payload. Since signing happens after the payload is being generated,
if caller passes an incorrect key path, caller won't notice it until 1
hour later when delta_generator finishes. At which point caller has to
staart from scratch, pass in another key path, and wait for an hour.
Let's detect incorrect key path before calling delta_generator, so
caller will get an error message right at beginning.
Test: th
Change-Id: Iefb1e0a9ed86f82664be1675afb84c020ec28fe7
Previously we allow all spl downgrade OTA to generate. But applying such
OTA often causes device to hang and rollback, because keymaster refuses
to attach if it detects spl downgrade. When such error happens, it's
really hard to debug. So instead of debugging a mysterious boot failure,
let''s prevent such OTA from generating in the first place.
Test: th
Bug: 178584781
Change-Id: I8e271862d804e86b16aea70424b4d3e289d43cc9
Test: treehugger, generate an OTA with --disable_verity_computation, serve it to
VABC device. Make sure it works
Change-Id: I0a5f3c018727cb3eed3edd004d60d09d13e34039
When generating a incremental partial OTA, we need to filter out
partitions in ab_partitions which are not in partial list
Test: Generate a partial incremental OTA
Change-Id: Iff7748ce6181a9a231557de0539004211587232c
Cuttlefish doesn't support updatin vendor partition. So in testing we
need to exclude vendor and generate a downgrade partial package.
Test: generate a partial downgrade OTA
Bug: 171999375
Change-Id: I97e450d4063320cf55003a7a5c5ef913c321e067
When generating secondary payload, we exclude many partitions. These
partitions should be excluded from partition timestamps as well.
Bug: 172022126
Test: ota_from_target_files --include_secondary
Change-Id: Ia3121919154181dc882c4694ad2591dcb81e719f
Add a new custom_image option to configure which custom images to use to
update custom partitions in A/B update.
This change also moves oem_settings to common option as A/B update will
use it to set oem properties too.
BUG: 171225290
Test: unittest pass, generate OTAs, flash to devices and check results
Change-Id: I279477d6b2954fb3705d7efede0a8bcd330c108b
Allow the ota generation script to take a list of partitions;
and thus generating a partial ota update package. This allow the
testing of partial update functionality, e.g. system-only updates.
Bug: 170921953
Test: unit tests, generate and apply a partial update on coral with system, system_ext, vbmeta_system
Change-Id: I0d8f93806dfbf7b781ea911117b02fc5c0971434
When opening an zip file through zipfile.ZipFile(), python2 by default
disables zip64 support. To support update files >4GB, we manually add
allowZip64 to override the setting.
Test: generate && serve an OTA
Change-Id: I9645e963ced830cc2d3a4b72bc63b9369a1cefe8
Modules partition is a dynamic read-write partition.
- AVB is not enabled on the partition
- OTA is file-based; see follow up CL for details
- No build prop files; in particular, no build fingerprint
- No fs_config
- No notice files; notice files are included in individual APEXes
Test: build on CF
Bug: 163543381
Change-Id: Ie397b9ec61dfd1c158450d050196024604854d4d
Background in http://go/android-partial-updates. For partial update
(e.g. system-only) or devices with mixed build, the current
fingerprint & device name no longer suffice as the precondition to
install the package.
Therefore, we need to additionally include the per-partition build
props into the ota metadata. We also define a protobuf for the metadata
so it can be extended later. The metadata of the legacy format is also
kept for backward compatibility.
Bug: 151088567
Test: unittest pass, generate an OTA and check the result
Change-Id: I716f7da54a393cd340280dbddc3c92b3460f8ef8
Pylint reports lot of error on ota_utils.py, because some members of
OPTIONS object aren't defined. This CL moves some definition from
ota_from_target_files.py to ota_utils.py to fix these lint errors.
Test: Make an OTA package
Change-Id: I1e9f255d5919712b13329046c72650dfac184701
When calculating the dynamic fingerprints, we need to reopen the
input file if it's a ZipFile. Because the original object has been
closed.
Bug: 152167826
Test: generate an OTA package with zip input and overrides
Change-Id: I623da3cc5fcc91c6230fb5a6e86517ed995913b7
The values of the ro.boot* variables are not part of the image files
and are provided (e.g. by bootloaders) at runtime. Meanwhile, their
values may affect some of the device build properties, as a different
build.prop file can be imported by init during runtime.
This cl adds an option to accepts a list of possible values for some
boot variables. The OTA generation script later use these values to
calculate the alternative runtime fingerprints of the device; and
list the device names and fingerprints in the OTA package's metadata.
The OTA metadata is verified by the OTA server or recovery to ensure
the correct OTA package is used for update. We haven't made any
restrictions on what ro.boot* variables can be used for fingerprint
override. One possible candidate can be the skus listed in
ODM_MANIFEST_SKUS.
Bug: 152167826
Test: unittests pass, generate an OTA file with the new option
Change-Id: I637dea3472354236d2fd1ef0a3306712b3283c29
Whenever a device is retrieved from fstab, wrap it with
add_slot_suffix() if it has slotselect option.
Test: change fstab (changes boot image, which is a static partition),
change system partition (a dynamic partition),
generate incremental OTA with --force_non_ab and apply it on
cuttlefish
Bug: 153581609
Change-Id: Id3f8e4425b65176baf1b0ff1ee07ab3d820a3a7f
(cherry picked from commit ae6e0d5d28)
Merged-In: Id3f8e4425b65176baf1b0ff1ee07ab3d820a3a7f
Force generate a non-A/B update package when requested.
Bug: 154344887
Test: ota_from_target_files.py --force_non_ab ...
Test: apply it as well
Change-Id: I5e81eb161722e07ef50081b6a16685cbc9963ae2
(cherry picked from commit 7169f754cc)
Merged-In: I5e81eb161722e07ef50081b6a16685cbc9963ae2
The secondary payload is used by factory OTA to speed up the first
boot of the device. The payload should only contain bootloaders
images and the precompiled apps in system_other. Remove vendor_boot
to reduce the secondary payload size.
Test: build a package with secondary payload
Change-Id: I3a9f6dda00a5aac038438065e2bc6483d71b5e95
This reverts commit b21e48b499.
In practice, some partners use the 'import' statement to override
the device fingerprint at runtime. The runtime fingerprint will
later add to the metadata of OTA package, so that the OTA server
can deliver the package to corresponding devices correctly.
This CL supports parsing a subset of import statement that the init
process recognizes. And we loose the restriction based on how the
dynamic fingerprint is used in practice. Right now, we only searches
for the override of brand, name and device. And the placeholder
format should be ${placeholder}, with its value supplied by the
script caller.
As part of the implementation, we generate all the possible
combinations of the input boot variables. And recalculate the
fingerprint for each of the combination. Though we load the
build.prop multiple times, the logic is easier to follow. Also,
it's more convenient to enhance the logic if we only want to
allow some of the boot variables combination later.
Bug: 152167826
Change-Id: I4a9fa35c7ac037ff1cf4f9a4bdff602beac3894b
Test: unittests pass
In practice, some partners use the 'import' statement to override
the device fingerprint at runtime. The runtime fingerprint will
later add to the metadata of OTA package, so that the OTA server
can deliver the package to corresponding devices correctly.
This CL supports parsing a subset of import statement that the init
process recognizes. And we loose the restriction based on how the
dynamic fingerprint is used in practice. Right now, we only searches
for the override of brand, name and device. And the placeholder
format should be ${placeholder}, with its value supplied by the
script caller.
As part of the implementation, we generate all the possible
combinations of the input boot variables. And recalculate the
fingerprint for each of the combination. Though we load the
build.prop multiple times, the logic is easier to follow. Also,
it's more convenient to enhance the logic if we only want to
allow some of the boot variables combination later.
Bug: 152167826
Test: unittests pass
Change-Id: Iac093a40dc6f873c5e1858efa44cb2bd6082508a
Problem:
Logical partitions do not update right since commit
f67dd8059d
Generate block based OTA for product partitions
due to the wrong order of parameters. This is logged in
/tmp/recovery.log:
skipping 0 blocks already patched to 202
Bug: 149794632
Change-Id: I92f7a8a226a8a96b892254362d362c515bfb6dc6
In Factory OTA, secondary payload should be generated without
virtual_ab flag set, so that update package generator generates
a regular A/B OTA (with snapshot_enabled set to false), and
OTA client writes system_b without snapshots.
Test: apply secondary OTA
Fixes: 138733621
Change-Id: I05d534a12d4a7891ce5597f3c29e55f5185e5a8d
The signature size is needed during payload hashing and signing.
We used to sign the update_engine's payload with RSA keys only. In
this case, the signature size always equals the key size. But the
assumption is no longer true for EC keys, whose DER-encoded signature
size is a variant with a maximum size.
Therefore, we always give the maximum signature size to the delta
generator, who then add paddings to the real signature if necessary.
The maximum signature size is calculated by calling the delta_generator
with the new option '--calculate_signature_size'. For custom payload
signers, we also deprecate the '--payload_signer_key_size' and replace
it with '--payload_signer_maximum_signature_size'.
The EC key in the test is generated with:
The EC key in the unittest is generated with the command:
openssl ecparam -name prime256v1 -genkey -noout -out prime256v1-key.pem
openssl pkey -in prime256v1-key.pem -out testkey_EC.key
Bug: 141244025
Test: sign and verify a payload
Change-Id: Ife6e269d8aa3d870405aca20086330f1795e167f
There is no change to module functionalities. Testcases are moved around
accordingly.
Bug: 134525174
Test: TreeHugger
Test: lunch a target; atest --host releasetools_test releasetools_py3_test
Change-Id: I7bc8f49cc239e7c6655fe5e375508f01c1743b94
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This change includes the platform build system and release tools changes to
move the recovery resources from system to vendor (or /system/vendor). The
release tools need to know where to generate the recovery patch, and they
discover this from misc_info.txt variable board_uses_vendorimage, which the
platform build system generates.
We remove applypatch from PRODUCT_PACKAGES, but it is added back as a required
module in target/product/base_vendor.mk.
Several release tools rely on the misc_info.txt board_uses_vendorimage variable
to know how to generate and detect the recovery patch.
This change partially removes the --rebuild_recovery flag from the
merge_target_files.py script. The flag will be fully removed in a follow-on
change.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: Ia4045bd67ffb3d899efa8d20dab4c4299b87ee5f
This CL additionally removes boot/dtbo/modem/vbmeta_* images out of
secondary payload. We essentially only keep system_other.img and
bootloader images there.
For Pixel devices, this additionally saves ~80MiB (mostly because of
the removal of boot and radio images).
Bug: 140771390
Test: ota_from_target_files \
--include_secondary --skip_postinstall \
-i input-target_files-1.zip \
input-target_files-2.zip \
output-ota.zip
Test: python -m unittest test_ota_from_target_files
Change-Id: If47b27c52b3547a4cc86223a988c53960bc6af40
Kelvin Zhang