In two-step OTAs, we write recovery image to /boot as the first step so
that we can reboot from there and install a new recovery image to
/recovery. However, bootloader will show "Your device is corrupt"
message when booting /boot with the recovery image. Because the recovery
image encodes the path of "/recovery" as part of the signature metadata,
which fails the verified boot.
This CL generates a special "recovery-two-step.img" in addition to the
regular recovery.img. This image encodes "/boot" when being signed,
which will be flashed to /boot at stage 1/3 in a two-step OTA.
Here are the desired changes:
- 'IMAGES/recovery-two-step.img' exists in target_files.zip for non-A/B
targets (e.g. bullhead). The image should not exist for targets that
don't have a recovery partition (e.g. A/B devices like sailfish).
- <device>-img.zip should not contain 'recovery-two-step.img'.
- Nothing should change when building non-two-step OTAs. For two-step
OTAs, 'recovery-two-step.img' should be included in the OTA package;
'updater-script' should flash this image to /boot at stage 1/3.
- When building a two-step OTA with an input TF.zip that doesn't have
IMAGES/recovery-two-step.img, it should use the existing
IMAGES/recovery.img instead.
Bug: 32986477
Test: Tested the steps above on bullhead and sailfish.
Change-Id: I34e6c599bcf2011d4cd5c926999418b3975d6d0f
Currently, whether contains patch or verbatim, compute with file size
and patch size.
But ota file must be compressed with zip, so it should be better with
compressed size than uncompressed.
Test: aosp_shamu-user build without proprietary blobs between MOB30P and NRD90S
$ du -k ota_shamu_old.zip ota_shamu_new.zip
217252 ota_shamu_old.zip
216520 ota_shamu_new.zip
Change-Id: If68cb1fbe2f7815067451915a0dcfe93ea5ba8d6
Signed-off-by: YOUNG HO CHA <ganadist@gmail.com>
We should disable using imgdiff if *any* of the source and target
partitions uses squashfs.
Bug: 30004734
Test: Create an incremental with two builds with one of them uses squashfs.
Change-Id: I826cd13d7b852c548e4b45e61f5ae00f6407cac3
(cherry picked from commit f8acad1480)
We use imgdiff to handle files in zip format (e.g. jar/zip/apk) for
higher compression ratio.
For system/vendor in squashfs, a) all files are compressed in LZ4
format; b) we use 4096-byte block size in their sparse images, but the
files in squashfs may not be laid out as 4K-aligned. So the blocks for
a given file as listed in block map may not form a valid zip file, which
may fail the patch generation with imgdiff.
Disable using imgdiff for squashfs images, and use bsdiff instead.
Bug: 22322817
Change-Id: Ie76aa4cece5c9d38cb1d1a34c505a4a8f37512d3
(cherry picked from commit 293fd135c7)
Generate a new file containing care_data of system (and vendor)
partition, and add it under META/ of target file package. For
A/B update, copy this file to OTA package for later use by
update_verifier.
Bug: 27175949
Change-Id: I90bb972703afaeb94bc3efe718fd81b1cfbcabcc
We should disable using imgdiff if *any* of the source and target
partitions uses squashfs.
Bug: 30004734
Test: Create an incremental with two builds with one of them uses squashfs.
Change-Id: I826cd13d7b852c548e4b45e61f5ae00f6407cac3
For A/B OTAs, by default it calls 'openssl pkeyutl' to sign the payload
and metadata with the package private key. If the private key cannot be
accessed directly, a payload signer that knows how to do that should be
supplied via "--payload_signer <signer>".
The signer will be called with "-inkey <path_to_private_key>",
"-in <input_file>" and "-out <output_file>" parameters.
Test: Use a dummy signer, call 'ota_from_target_files.py --payload_signer <signer> <target_files.zip> <ota.zip>' and verify the signatures in the generated package.
Bug: 28701652
Change-Id: I26cfdd3fdba6fc90799221741b75426988e46fd3
(cherry picked from commit dea0f8bfed)
For A/B OTAs, by default it calls 'openssl pkeyutl' to sign the payload
and metadata with the package private key. If the private key cannot be
accessed directly, a payload signer that knows how to do that should be
supplied via "--payload_signer <signer>".
The signer will be called with "-inkey <path_to_private_key>",
"-in <input_file>" and "-out <output_file>" parameters.
Test: Use a dummy signer, call 'ota_from_target_files.py --payload_signer <signer> <target_files.zip> <ota.zip>' and verify the signatures in the generated package.
Bug: 28701652
Change-Id: I26cfdd3fdba6fc90799221741b75426988e46fd3
update_engine now accepts POWERWASH=1 to schedule a factory reset in
the post-install phase. Hook up with the --wipe_user_data flag in the
OTA script.
Bug: 28700985
Change-Id: Ie73876a61db90d124d2af588d674757376e9aabc
(cherry picked from commit 38ca0be399)
update_engine now accepts POWERWASH=1 to schedule a factory reset in
the post-install phase. Hook up with the --wipe_user_data flag in the
OTA script.
Bug: 28700985
Change-Id: Ie73876a61db90d124d2af588d674757376e9aabc
We use imgdiff to handle files in zip format (e.g. jar/zip/apk) for
higher compression ratio.
For system/vendor in squashfs, a) all files are compressed in LZ4
format; b) we use 4096-byte block size in their sparse images, but the
files in squashfs may not be laid out as 4K-aligned. So the blocks for
a given file as listed in block map may not form a valid zip file, which
may fail the patch generation with imgdiff.
Disable using imgdiff for squashfs images, and use bsdiff instead.
Bug: 22322817
Change-Id: Ie76aa4cece5c9d38cb1d1a34c505a4a8f37512d3
This patch uses subprocess.communicate instead of subprocess.wait to
prevent deadlock if any of the child processes outputs too much data,
and redirects the subprocess output to stdout when running in verbose
mode.
With this patch `ota_from_target_files -v` prints the delta_generator
output in stdout, and no output if '-v' is not passed.
Bug: None
TEST=ota_from_target_files -v ...
Change-Id: Id66e4f3360a6f91d61a3ce96d53afbccdaa19da5
Add the build property "build.version.incremental" of the source (if
present) and target files to the metadata of the ota update package.
Example of metadata:
....
post-build-incremental=2951741
post-timestamp=1465345123
pre-build-incremental=2943039
pre-device=bullhead
...
Bug: 28658632
Change-Id: I889e8ccf39633b1b35590751001a42d1b05d5514
am: 21528c5
* commit '21528c5e053e28cd52d603eded53ffaf36d22637':
releasetools: Only verify the blocks to be touched.
Change-Id: I053c7da789c44916456109c5153f6628fe38c849
For incremental BBOTAs, we used to verify the integrity of all the
blocks in the source partition. In order to reduce the time cost under
recovery, this CL changes to only verify the blocks that will be touched
in the given OTA package (BBOTA >= 3 only). This is a trade-off between
performance and reliability.
Bug: 27813356
Change-Id: I3975ae6f461f0f7e58d24f1df7df46a449d2988b
(cherry picked from commit d522bdc9ed)
For incremental BBOTAs, we used to verify the integrity of all the
blocks in the source partition. In order to reduce the time cost under
recovery, this CL changes to only verify the blocks that will be touched
in the given OTA package (BBOTA >= 3 only). This is a trade-off between
performance and reliability.
Bug: 27813356
Change-Id: I3975ae6f461f0f7e58d24f1df7df46a449d2988b
This CL fixes the bug in [1] (copy-paste error) and reenables it.
We need to handle a special case that an OTA goes from a source build
without OEM properties to a target build with those properties (or vice
versa). Add support in OTA scripts to deal the case properly, by a)
using two oem_props variables to handle source and target builds
respectively; b) adjusting the fingerprint/thumbprint assertions to
allow a mix of both.
[1] commit c086370440
Change-Id: I98118d77d5a0ff694fa1ee33602b5ee5e048599b
We used to use the update-binary from the target build when creating
incremental OTAs. But for downgrade OTAs, we should use the one in the
source build instead, which is actually newer.
Bug: 27556903
Change-Id: Ib6415729b979dbffdebdda24902f7f560942801a
(cherry picked from commit 4996cf03d2)
We used to use the update-binary from the target build when creating
incremental OTAs. But for downgrade OTAs, we should use the one in the
source build instead, which is actually newer.
Bug: 27556903
Change-Id: Ib6415729b979dbffdebdda24902f7f560942801a
Add --downgrade flag to ota_from_target_files.py script. It allows
generating an incremental OTA that updates from a newer build to an
older one (based on timestamp comparison). "post-timestamp" line in the
metadata file will be replaced by "ota-downgrade=yes". A data wipe will
always be enforced, so "ota-wipe=yes" will also be included in the
metadata file.
Bug: 26883782
Change-Id: Iaa05f662d948b7ab632a9fbb7051cc3f8bf68c21
(cherry picked from commit 5d1825664a)
We need to handle a special case that an OTA goes from a source build
without OEM properties to a target build with those properties (or vice
versa). Add support in OTA scripts to deal the case properly, by a)
using two oem_props variables to handle source and target builds
respectively; b) adjusting the fingerprint/thumbprint assertions to
allow a mix of both.
Change-Id: Ib517c366730b967a974c89528df9d42887c92ec2
The CL in [1] added support for --oem_no_mount. It missed one place that
guards the OEM mounting.
[1] commit 8608cde944
Change-Id: I6ecaa94cd0866e0fd4fc88cb0aa3ebf55cde2968
Tao Bao