1 //
2 // Copyright (C) 2012 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "update_engine/payload_consumer/delta_performer.h"
18
19 #include <endian.h>
20 #include <errno.h>
21 #include <linux/fs.h>
22
23 #include <algorithm>
24 #include <cstring>
25 #include <memory>
26 #include <string>
27 #include <vector>
28
29 #include <base/files/file_util.h>
30 #include <base/format_macros.h>
31 #include <base/strings/string_util.h>
32 #include <base/strings/stringprintf.h>
33 #include <brillo/data_encoding.h>
34 #include <brillo/make_unique_ptr.h>
35 #include <google/protobuf/repeated_field.h>
36
37 #include "update_engine/common/constants.h"
38 #include "update_engine/common/hardware_interface.h"
39 #include "update_engine/common/prefs_interface.h"
40 #include "update_engine/common/subprocess.h"
41 #include "update_engine/common/terminator.h"
42 #include "update_engine/payload_consumer/bzip_extent_writer.h"
43 #include "update_engine/payload_consumer/download_action.h"
44 #include "update_engine/payload_consumer/extent_writer.h"
45 #if USE_MTD
46 #include "update_engine/payload_consumer/mtd_file_descriptor.h"
47 #endif
48 #include "update_engine/payload_consumer/payload_constants.h"
49 #include "update_engine/payload_consumer/payload_verifier.h"
50 #include "update_engine/payload_consumer/xz_extent_writer.h"
51
52 using google::protobuf::RepeatedPtrField;
53 using std::min;
54 using std::string;
55 using std::vector;
56
57 namespace chromeos_update_engine {
58
59 const uint64_t DeltaPerformer::kDeltaVersionOffset = sizeof(kDeltaMagic);
60 const uint64_t DeltaPerformer::kDeltaVersionSize = 8;
61 const uint64_t DeltaPerformer::kDeltaManifestSizeOffset =
62 kDeltaVersionOffset + kDeltaVersionSize;
63 const uint64_t DeltaPerformer::kDeltaManifestSizeSize = 8;
64 const uint64_t DeltaPerformer::kDeltaMetadataSignatureSizeSize = 4;
65 const uint64_t DeltaPerformer::kMaxPayloadHeaderSize = 24;
66 const uint64_t DeltaPerformer::kSupportedMajorPayloadVersion = 2;
67 const uint32_t DeltaPerformer::kSupportedMinorPayloadVersion = 3;
68
69 const unsigned DeltaPerformer::kProgressLogMaxChunks = 10;
70 const unsigned DeltaPerformer::kProgressLogTimeoutSeconds = 30;
71 const unsigned DeltaPerformer::kProgressDownloadWeight = 50;
72 const unsigned DeltaPerformer::kProgressOperationsWeight = 50;
73
74 namespace {
75 const int kUpdateStateOperationInvalid = -1;
76 const int kMaxResumedUpdateFailures = 10;
77 #if USE_MTD
78 const int kUbiVolumeAttachTimeout = 5 * 60;
79 #endif
80
CreateFileDescriptor(const char * path)81 FileDescriptorPtr CreateFileDescriptor(const char* path) {
82 FileDescriptorPtr ret;
83 #if USE_MTD
84 if (strstr(path, "/dev/ubi") == path) {
85 if (!UbiFileDescriptor::IsUbi(path)) {
86 // The volume might not have been attached at boot time.
87 int volume_no;
88 if (utils::SplitPartitionName(path, nullptr, &volume_no)) {
89 utils::TryAttachingUbiVolume(volume_no, kUbiVolumeAttachTimeout);
90 }
91 }
92 if (UbiFileDescriptor::IsUbi(path)) {
93 LOG(INFO) << path << " is a UBI device.";
94 ret.reset(new UbiFileDescriptor);
95 }
96 } else if (MtdFileDescriptor::IsMtd(path)) {
97 LOG(INFO) << path << " is an MTD device.";
98 ret.reset(new MtdFileDescriptor);
99 } else {
100 LOG(INFO) << path << " is not an MTD nor a UBI device.";
101 #endif
102 ret.reset(new EintrSafeFileDescriptor);
103 #if USE_MTD
104 }
105 #endif
106 return ret;
107 }
108
109 // Opens path for read/write. On success returns an open FileDescriptor
110 // and sets *err to 0. On failure, sets *err to errno and returns nullptr.
OpenFile(const char * path,int mode,int * err)111 FileDescriptorPtr OpenFile(const char* path, int mode, int* err) {
112 // Try to mark the block device read-only based on the mode. Ignore any
113 // failure since this won't work when passing regular files.
114 utils::SetBlockDeviceReadOnly(path, (mode & O_ACCMODE) == O_RDONLY);
115
116 FileDescriptorPtr fd = CreateFileDescriptor(path);
117 #if USE_MTD
118 // On NAND devices, we can either read, or write, but not both. So here we
119 // use O_WRONLY.
120 if (UbiFileDescriptor::IsUbi(path) || MtdFileDescriptor::IsMtd(path)) {
121 mode = O_WRONLY;
122 }
123 #endif
124 if (!fd->Open(path, mode, 000)) {
125 *err = errno;
126 PLOG(ERROR) << "Unable to open file " << path;
127 return nullptr;
128 }
129 *err = 0;
130 return fd;
131 }
132 } // namespace
133
134
135 // Computes the ratio of |part| and |total|, scaled to |norm|, using integer
136 // arithmetic.
IntRatio(uint64_t part,uint64_t total,uint64_t norm)137 static uint64_t IntRatio(uint64_t part, uint64_t total, uint64_t norm) {
138 return part * norm / total;
139 }
140
LogProgress(const char * message_prefix)141 void DeltaPerformer::LogProgress(const char* message_prefix) {
142 // Format operations total count and percentage.
143 string total_operations_str("?");
144 string completed_percentage_str("");
145 if (num_total_operations_) {
146 total_operations_str = std::to_string(num_total_operations_);
147 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting.
148 completed_percentage_str =
149 base::StringPrintf(" (%" PRIu64 "%%)",
150 IntRatio(next_operation_num_, num_total_operations_,
151 100));
152 }
153
154 // Format download total count and percentage.
155 size_t payload_size = install_plan_->payload_size;
156 string payload_size_str("?");
157 string downloaded_percentage_str("");
158 if (payload_size) {
159 payload_size_str = std::to_string(payload_size);
160 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting.
161 downloaded_percentage_str =
162 base::StringPrintf(" (%" PRIu64 "%%)",
163 IntRatio(total_bytes_received_, payload_size, 100));
164 }
165
166 LOG(INFO) << (message_prefix ? message_prefix : "") << next_operation_num_
167 << "/" << total_operations_str << " operations"
168 << completed_percentage_str << ", " << total_bytes_received_
169 << "/" << payload_size_str << " bytes downloaded"
170 << downloaded_percentage_str << ", overall progress "
171 << overall_progress_ << "%";
172 }
173
UpdateOverallProgress(bool force_log,const char * message_prefix)174 void DeltaPerformer::UpdateOverallProgress(bool force_log,
175 const char* message_prefix) {
176 // Compute our download and overall progress.
177 unsigned new_overall_progress = 0;
178 static_assert(kProgressDownloadWeight + kProgressOperationsWeight == 100,
179 "Progress weights don't add up");
180 // Only consider download progress if its total size is known; otherwise
181 // adjust the operations weight to compensate for the absence of download
182 // progress. Also, make sure to cap the download portion at
183 // kProgressDownloadWeight, in case we end up downloading more than we
184 // initially expected (this indicates a problem, but could generally happen).
185 // TODO(garnold) the correction of operations weight when we do not have the
186 // total payload size, as well as the conditional guard below, should both be
187 // eliminated once we ensure that the payload_size in the install plan is
188 // always given and is non-zero. This currently isn't the case during unit
189 // tests (see chromium-os:37969).
190 size_t payload_size = install_plan_->payload_size;
191 unsigned actual_operations_weight = kProgressOperationsWeight;
192 if (payload_size)
193 new_overall_progress += min(
194 static_cast<unsigned>(IntRatio(total_bytes_received_, payload_size,
195 kProgressDownloadWeight)),
196 kProgressDownloadWeight);
197 else
198 actual_operations_weight += kProgressDownloadWeight;
199
200 // Only add completed operations if their total number is known; we definitely
201 // expect an update to have at least one operation, so the expectation is that
202 // this will eventually reach |actual_operations_weight|.
203 if (num_total_operations_)
204 new_overall_progress += IntRatio(next_operation_num_, num_total_operations_,
205 actual_operations_weight);
206
207 // Progress ratio cannot recede, unless our assumptions about the total
208 // payload size, total number of operations, or the monotonicity of progress
209 // is breached.
210 if (new_overall_progress < overall_progress_) {
211 LOG(WARNING) << "progress counter receded from " << overall_progress_
212 << "% down to " << new_overall_progress << "%; this is a bug";
213 force_log = true;
214 }
215 overall_progress_ = new_overall_progress;
216
217 // Update chunk index, log as needed: if forced by called, or we completed a
218 // progress chunk, or a timeout has expired.
219 base::Time curr_time = base::Time::Now();
220 unsigned curr_progress_chunk =
221 overall_progress_ * kProgressLogMaxChunks / 100;
222 if (force_log || curr_progress_chunk > last_progress_chunk_ ||
223 curr_time > forced_progress_log_time_) {
224 forced_progress_log_time_ = curr_time + forced_progress_log_wait_;
225 LogProgress(message_prefix);
226 }
227 last_progress_chunk_ = curr_progress_chunk;
228 }
229
230
CopyDataToBuffer(const char ** bytes_p,size_t * count_p,size_t max)231 size_t DeltaPerformer::CopyDataToBuffer(const char** bytes_p, size_t* count_p,
232 size_t max) {
233 const size_t count = *count_p;
234 if (!count)
235 return 0; // Special case shortcut.
236 size_t read_len = min(count, max - buffer_.size());
237 const char* bytes_start = *bytes_p;
238 const char* bytes_end = bytes_start + read_len;
239 buffer_.insert(buffer_.end(), bytes_start, bytes_end);
240 *bytes_p = bytes_end;
241 *count_p = count - read_len;
242 return read_len;
243 }
244
245
HandleOpResult(bool op_result,const char * op_type_name,ErrorCode * error)246 bool DeltaPerformer::HandleOpResult(bool op_result, const char* op_type_name,
247 ErrorCode* error) {
248 if (op_result)
249 return true;
250
251 LOG(ERROR) << "Failed to perform " << op_type_name << " operation "
252 << next_operation_num_;
253 *error = ErrorCode::kDownloadOperationExecutionError;
254 return false;
255 }
256
Close()257 int DeltaPerformer::Close() {
258 int err = -CloseCurrentPartition();
259 LOG_IF(ERROR, !payload_hash_calculator_.Finalize() ||
260 !signed_hash_calculator_.Finalize())
261 << "Unable to finalize the hash.";
262 if (!buffer_.empty()) {
263 LOG(INFO) << "Discarding " << buffer_.size() << " unused downloaded bytes";
264 if (err >= 0)
265 err = 1;
266 }
267 return -err;
268 }
269
CloseCurrentPartition()270 int DeltaPerformer::CloseCurrentPartition() {
271 int err = 0;
272 if (source_fd_ && !source_fd_->Close()) {
273 err = errno;
274 PLOG(ERROR) << "Error closing source partition";
275 if (!err)
276 err = 1;
277 }
278 source_fd_.reset();
279 source_path_.clear();
280
281 if (target_fd_ && !target_fd_->Close()) {
282 err = errno;
283 PLOG(ERROR) << "Error closing target partition";
284 if (!err)
285 err = 1;
286 }
287 target_fd_.reset();
288 target_path_.clear();
289 return -err;
290 }
291
OpenCurrentPartition()292 bool DeltaPerformer::OpenCurrentPartition() {
293 if (current_partition_ >= partitions_.size())
294 return false;
295
296 const PartitionUpdate& partition = partitions_[current_partition_];
297 // Open source fds if we have a delta payload with minor version >= 2.
298 if (install_plan_->payload_type == InstallPayloadType::kDelta &&
299 GetMinorVersion() != kInPlaceMinorPayloadVersion) {
300 source_path_ = install_plan_->partitions[current_partition_].source_path;
301 int err;
302 source_fd_ = OpenFile(source_path_.c_str(), O_RDONLY, &err);
303 if (!source_fd_) {
304 LOG(ERROR) << "Unable to open source partition "
305 << partition.partition_name() << " on slot "
306 << BootControlInterface::SlotName(install_plan_->source_slot)
307 << ", file " << source_path_;
308 return false;
309 }
310 }
311
312 target_path_ = install_plan_->partitions[current_partition_].target_path;
313 int err;
314 target_fd_ = OpenFile(target_path_.c_str(), O_RDWR, &err);
315 if (!target_fd_) {
316 LOG(ERROR) << "Unable to open target partition "
317 << partition.partition_name() << " on slot "
318 << BootControlInterface::SlotName(install_plan_->target_slot)
319 << ", file " << target_path_;
320 return false;
321 }
322 return true;
323 }
324
325 namespace {
326
LogPartitionInfoHash(const PartitionInfo & info,const string & tag)327 void LogPartitionInfoHash(const PartitionInfo& info, const string& tag) {
328 string sha256 = brillo::data_encoding::Base64Encode(info.hash());
329 LOG(INFO) << "PartitionInfo " << tag << " sha256: " << sha256
330 << " size: " << info.size();
331 }
332
LogPartitionInfo(const vector<PartitionUpdate> & partitions)333 void LogPartitionInfo(const vector<PartitionUpdate>& partitions) {
334 for (const PartitionUpdate& partition : partitions) {
335 LogPartitionInfoHash(partition.old_partition_info(),
336 "old " + partition.partition_name());
337 LogPartitionInfoHash(partition.new_partition_info(),
338 "new " + partition.partition_name());
339 }
340 }
341
342 } // namespace
343
GetMetadataSignatureSizeOffset(uint64_t * out_offset) const344 bool DeltaPerformer::GetMetadataSignatureSizeOffset(
345 uint64_t* out_offset) const {
346 if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
347 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
348 return true;
349 }
350 return false;
351 }
352
GetManifestOffset(uint64_t * out_offset) const353 bool DeltaPerformer::GetManifestOffset(uint64_t* out_offset) const {
354 // Actual manifest begins right after the manifest size field or
355 // metadata signature size field if major version >= 2.
356 if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
357 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
358 return true;
359 }
360 if (major_payload_version_ == kBrilloMajorPayloadVersion) {
361 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize +
362 kDeltaMetadataSignatureSizeSize;
363 return true;
364 }
365 LOG(ERROR) << "Unknown major payload version: " << major_payload_version_;
366 return false;
367 }
368
GetMetadataSize() const369 uint64_t DeltaPerformer::GetMetadataSize() const {
370 return metadata_size_;
371 }
372
GetMajorVersion() const373 uint64_t DeltaPerformer::GetMajorVersion() const {
374 return major_payload_version_;
375 }
376
GetMinorVersion() const377 uint32_t DeltaPerformer::GetMinorVersion() const {
378 if (manifest_.has_minor_version()) {
379 return manifest_.minor_version();
380 } else {
381 return install_plan_->payload_type == InstallPayloadType::kDelta
382 ? kSupportedMinorPayloadVersion
383 : kFullPayloadMinorVersion;
384 }
385 }
386
GetManifest(DeltaArchiveManifest * out_manifest_p) const387 bool DeltaPerformer::GetManifest(DeltaArchiveManifest* out_manifest_p) const {
388 if (!manifest_parsed_)
389 return false;
390 *out_manifest_p = manifest_;
391 return true;
392 }
393
IsHeaderParsed() const394 bool DeltaPerformer::IsHeaderParsed() const {
395 return metadata_size_ != 0;
396 }
397
ParsePayloadMetadata(const brillo::Blob & payload,ErrorCode * error)398 DeltaPerformer::MetadataParseResult DeltaPerformer::ParsePayloadMetadata(
399 const brillo::Blob& payload, ErrorCode* error) {
400 *error = ErrorCode::kSuccess;
401 uint64_t manifest_offset;
402
403 if (!IsHeaderParsed()) {
404 // Ensure we have data to cover the major payload version.
405 if (payload.size() < kDeltaManifestSizeOffset)
406 return kMetadataParseInsufficientData;
407
408 // Validate the magic string.
409 if (memcmp(payload.data(), kDeltaMagic, sizeof(kDeltaMagic)) != 0) {
410 LOG(ERROR) << "Bad payload format -- invalid delta magic.";
411 *error = ErrorCode::kDownloadInvalidMetadataMagicString;
412 return kMetadataParseError;
413 }
414
415 // Extract the payload version from the metadata.
416 static_assert(sizeof(major_payload_version_) == kDeltaVersionSize,
417 "Major payload version size mismatch");
418 memcpy(&major_payload_version_,
419 &payload[kDeltaVersionOffset],
420 kDeltaVersionSize);
421 // switch big endian to host
422 major_payload_version_ = be64toh(major_payload_version_);
423
424 if (major_payload_version_ != supported_major_version_ &&
425 major_payload_version_ != kChromeOSMajorPayloadVersion) {
426 LOG(ERROR) << "Bad payload format -- unsupported payload version: "
427 << major_payload_version_;
428 *error = ErrorCode::kUnsupportedMajorPayloadVersion;
429 return kMetadataParseError;
430 }
431
432 // Get the manifest offset now that we have payload version.
433 if (!GetManifestOffset(&manifest_offset)) {
434 *error = ErrorCode::kUnsupportedMajorPayloadVersion;
435 return kMetadataParseError;
436 }
437 // Check again with the manifest offset.
438 if (payload.size() < manifest_offset)
439 return kMetadataParseInsufficientData;
440
441 // Next, parse the manifest size.
442 static_assert(sizeof(manifest_size_) == kDeltaManifestSizeSize,
443 "manifest_size size mismatch");
444 memcpy(&manifest_size_,
445 &payload[kDeltaManifestSizeOffset],
446 kDeltaManifestSizeSize);
447 manifest_size_ = be64toh(manifest_size_); // switch big endian to host
448
449 if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
450 // Parse the metadata signature size.
451 static_assert(sizeof(metadata_signature_size_) ==
452 kDeltaMetadataSignatureSizeSize,
453 "metadata_signature_size size mismatch");
454 uint64_t metadata_signature_size_offset;
455 if (!GetMetadataSignatureSizeOffset(&metadata_signature_size_offset)) {
456 *error = ErrorCode::kError;
457 return kMetadataParseError;
458 }
459 memcpy(&metadata_signature_size_,
460 &payload[metadata_signature_size_offset],
461 kDeltaMetadataSignatureSizeSize);
462 metadata_signature_size_ = be32toh(metadata_signature_size_);
463 }
464
465 // If the metadata size is present in install plan, check for it immediately
466 // even before waiting for that many number of bytes to be downloaded in the
467 // payload. This will prevent any attack which relies on us downloading data
468 // beyond the expected metadata size.
469 metadata_size_ = manifest_offset + manifest_size_;
470 if (install_plan_->hash_checks_mandatory) {
471 if (install_plan_->metadata_size != metadata_size_) {
472 LOG(ERROR) << "Mandatory metadata size in Omaha response ("
473 << install_plan_->metadata_size
474 << ") is missing/incorrect, actual = " << metadata_size_;
475 *error = ErrorCode::kDownloadInvalidMetadataSize;
476 return kMetadataParseError;
477 }
478 }
479 }
480
481 // Now that we have validated the metadata size, we should wait for the full
482 // metadata and its signature (if exist) to be read in before we can parse it.
483 if (payload.size() < metadata_size_ + metadata_signature_size_)
484 return kMetadataParseInsufficientData;
485
486 // Log whether we validated the size or simply trusting what's in the payload
487 // here. This is logged here (after we received the full metadata data) so
488 // that we just log once (instead of logging n times) if it takes n
489 // DeltaPerformer::Write calls to download the full manifest.
490 if (install_plan_->metadata_size == metadata_size_) {
491 LOG(INFO) << "Manifest size in payload matches expected value from Omaha";
492 } else {
493 // For mandatory-cases, we'd have already returned a kMetadataParseError
494 // above. We'll be here only for non-mandatory cases. Just send a UMA stat.
495 LOG(WARNING) << "Ignoring missing/incorrect metadata size ("
496 << install_plan_->metadata_size
497 << ") in Omaha response as validation is not mandatory. "
498 << "Trusting metadata size in payload = " << metadata_size_;
499 }
500
501 // We have the full metadata in |payload|. Verify its integrity
502 // and authenticity based on the information we have in Omaha response.
503 *error = ValidateMetadataSignature(payload);
504 if (*error != ErrorCode::kSuccess) {
505 if (install_plan_->hash_checks_mandatory) {
506 // The autoupdate_CatchBadSignatures test checks for this string
507 // in log-files. Keep in sync.
508 LOG(ERROR) << "Mandatory metadata signature validation failed";
509 return kMetadataParseError;
510 }
511
512 // For non-mandatory cases, just send a UMA stat.
513 LOG(WARNING) << "Ignoring metadata signature validation failures";
514 *error = ErrorCode::kSuccess;
515 }
516
517 if (!GetManifestOffset(&manifest_offset)) {
518 *error = ErrorCode::kUnsupportedMajorPayloadVersion;
519 return kMetadataParseError;
520 }
521 // The payload metadata is deemed valid, it's safe to parse the protobuf.
522 if (!manifest_.ParseFromArray(&payload[manifest_offset], manifest_size_)) {
523 LOG(ERROR) << "Unable to parse manifest in update file.";
524 *error = ErrorCode::kDownloadManifestParseError;
525 return kMetadataParseError;
526 }
527
528 manifest_parsed_ = true;
529 return kMetadataParseSuccess;
530 }
531
532 // Wrapper around write. Returns true if all requested bytes
533 // were written, or false on any error, regardless of progress
534 // and stores an action exit code in |error|.
Write(const void * bytes,size_t count,ErrorCode * error)535 bool DeltaPerformer::Write(const void* bytes, size_t count, ErrorCode *error) {
536 *error = ErrorCode::kSuccess;
537
538 const char* c_bytes = reinterpret_cast<const char*>(bytes);
539
540 // Update the total byte downloaded count and the progress logs.
541 total_bytes_received_ += count;
542 UpdateOverallProgress(false, "Completed ");
543
544 while (!manifest_valid_) {
545 // Read data up to the needed limit; this is either maximium payload header
546 // size, or the full metadata size (once it becomes known).
547 const bool do_read_header = !IsHeaderParsed();
548 CopyDataToBuffer(&c_bytes, &count,
549 (do_read_header ? kMaxPayloadHeaderSize :
550 metadata_size_ + metadata_signature_size_));
551
552 MetadataParseResult result = ParsePayloadMetadata(buffer_, error);
553 if (result == kMetadataParseError)
554 return false;
555 if (result == kMetadataParseInsufficientData) {
556 // If we just processed the header, make an attempt on the manifest.
557 if (do_read_header && IsHeaderParsed())
558 continue;
559
560 return true;
561 }
562
563 // Checks the integrity of the payload manifest.
564 if ((*error = ValidateManifest()) != ErrorCode::kSuccess)
565 return false;
566 manifest_valid_ = true;
567
568 // Clear the download buffer.
569 DiscardBuffer(false, metadata_size_);
570
571 // This populates |partitions_| and the |install_plan.partitions| with the
572 // list of partitions from the manifest.
573 if (!ParseManifestPartitions(error))
574 return false;
575
576 num_total_operations_ = 0;
577 for (const auto& partition : partitions_) {
578 num_total_operations_ += partition.operations_size();
579 acc_num_operations_.push_back(num_total_operations_);
580 }
581
582 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestMetadataSize,
583 metadata_size_))
584 << "Unable to save the manifest metadata size.";
585 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestSignatureSize,
586 metadata_signature_size_))
587 << "Unable to save the manifest signature size.";
588
589 if (!PrimeUpdateState()) {
590 *error = ErrorCode::kDownloadStateInitializationError;
591 LOG(ERROR) << "Unable to prime the update state.";
592 return false;
593 }
594
595 if (!OpenCurrentPartition()) {
596 *error = ErrorCode::kInstallDeviceOpenError;
597 return false;
598 }
599
600 if (next_operation_num_ > 0)
601 UpdateOverallProgress(true, "Resuming after ");
602 LOG(INFO) << "Starting to apply update payload operations";
603 }
604
605 while (next_operation_num_ < num_total_operations_) {
606 // Check if we should cancel the current attempt for any reason.
607 // In this case, *error will have already been populated with the reason
608 // why we're canceling.
609 if (download_delegate_ && download_delegate_->ShouldCancel(error))
610 return false;
611
612 // We know there are more operations to perform because we didn't reach the
613 // |num_total_operations_| limit yet.
614 while (next_operation_num_ >= acc_num_operations_[current_partition_]) {
615 CloseCurrentPartition();
616 current_partition_++;
617 if (!OpenCurrentPartition()) {
618 *error = ErrorCode::kInstallDeviceOpenError;
619 return false;
620 }
621 }
622 const size_t partition_operation_num = next_operation_num_ - (
623 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0);
624
625 const InstallOperation& op =
626 partitions_[current_partition_].operations(partition_operation_num);
627
628 CopyDataToBuffer(&c_bytes, &count, op.data_length());
629
630 // Check whether we received all of the next operation's data payload.
631 if (!CanPerformInstallOperation(op))
632 return true;
633
634 // Validate the operation only if the metadata signature is present.
635 // Otherwise, keep the old behavior. This serves as a knob to disable
636 // the validation logic in case we find some regression after rollout.
637 // NOTE: If hash checks are mandatory and if metadata_signature is empty,
638 // we would have already failed in ParsePayloadMetadata method and thus not
639 // even be here. So no need to handle that case again here.
640 if (!install_plan_->metadata_signature.empty()) {
641 // Note: Validate must be called only if CanPerformInstallOperation is
642 // called. Otherwise, we might be failing operations before even if there
643 // isn't sufficient data to compute the proper hash.
644 *error = ValidateOperationHash(op);
645 if (*error != ErrorCode::kSuccess) {
646 if (install_plan_->hash_checks_mandatory) {
647 LOG(ERROR) << "Mandatory operation hash check failed";
648 return false;
649 }
650
651 // For non-mandatory cases, just send a UMA stat.
652 LOG(WARNING) << "Ignoring operation validation errors";
653 *error = ErrorCode::kSuccess;
654 }
655 }
656
657 // Makes sure we unblock exit when this operation completes.
658 ScopedTerminatorExitUnblocker exit_unblocker =
659 ScopedTerminatorExitUnblocker(); // Avoids a compiler unused var bug.
660
661 bool op_result;
662 switch (op.type()) {
663 case InstallOperation::REPLACE:
664 case InstallOperation::REPLACE_BZ:
665 case InstallOperation::REPLACE_XZ:
666 op_result = PerformReplaceOperation(op);
667 break;
668 case InstallOperation::ZERO:
669 case InstallOperation::DISCARD:
670 op_result = PerformZeroOrDiscardOperation(op);
671 break;
672 case InstallOperation::MOVE:
673 op_result = PerformMoveOperation(op);
674 break;
675 case InstallOperation::BSDIFF:
676 op_result = PerformBsdiffOperation(op);
677 break;
678 case InstallOperation::SOURCE_COPY:
679 op_result = PerformSourceCopyOperation(op);
680 break;
681 case InstallOperation::SOURCE_BSDIFF:
682 op_result = PerformSourceBsdiffOperation(op);
683 break;
684 default:
685 op_result = false;
686 }
687 if (!HandleOpResult(op_result, InstallOperationTypeName(op.type()), error))
688 return false;
689
690 next_operation_num_++;
691 UpdateOverallProgress(false, "Completed ");
692 CheckpointUpdateProgress();
693 }
694
695 // In major version 2, we don't add dummy operation to the payload.
696 // If we already extracted the signature we should skip this step.
697 if (major_payload_version_ == kBrilloMajorPayloadVersion &&
698 manifest_.has_signatures_offset() && manifest_.has_signatures_size() &&
699 signatures_message_data_.empty()) {
700 if (manifest_.signatures_offset() != buffer_offset_) {
701 LOG(ERROR) << "Payload signatures offset points to blob offset "
702 << manifest_.signatures_offset()
703 << " but signatures are expected at offset "
704 << buffer_offset_;
705 *error = ErrorCode::kDownloadPayloadVerificationError;
706 return false;
707 }
708 CopyDataToBuffer(&c_bytes, &count, manifest_.signatures_size());
709 // Needs more data to cover entire signature.
710 if (buffer_.size() < manifest_.signatures_size())
711 return true;
712 if (!ExtractSignatureMessage()) {
713 LOG(ERROR) << "Extract payload signature failed.";
714 *error = ErrorCode::kDownloadPayloadVerificationError;
715 return false;
716 }
717 DiscardBuffer(true, 0);
718 // Since we extracted the SignatureMessage we need to advance the
719 // checkpoint, otherwise we would reload the signature and try to extract
720 // it again.
721 CheckpointUpdateProgress();
722 }
723
724 return true;
725 }
726
IsManifestValid()727 bool DeltaPerformer::IsManifestValid() {
728 return manifest_valid_;
729 }
730
ParseManifestPartitions(ErrorCode * error)731 bool DeltaPerformer::ParseManifestPartitions(ErrorCode* error) {
732 if (major_payload_version_ == kBrilloMajorPayloadVersion) {
733 partitions_.clear();
734 for (const PartitionUpdate& partition : manifest_.partitions()) {
735 partitions_.push_back(partition);
736 }
737 manifest_.clear_partitions();
738 } else if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
739 LOG(INFO) << "Converting update information from old format.";
740 PartitionUpdate root_part;
741 root_part.set_partition_name(kLegacyPartitionNameRoot);
742 #ifdef __ANDROID__
743 LOG(WARNING) << "Legacy payload major version provided to an Android "
744 "build. Assuming no post-install. Please use major version "
745 "2 or newer.";
746 root_part.set_run_postinstall(false);
747 #else
748 root_part.set_run_postinstall(true);
749 #endif // __ANDROID__
750 if (manifest_.has_old_rootfs_info()) {
751 *root_part.mutable_old_partition_info() = manifest_.old_rootfs_info();
752 manifest_.clear_old_rootfs_info();
753 }
754 if (manifest_.has_new_rootfs_info()) {
755 *root_part.mutable_new_partition_info() = manifest_.new_rootfs_info();
756 manifest_.clear_new_rootfs_info();
757 }
758 *root_part.mutable_operations() = manifest_.install_operations();
759 manifest_.clear_install_operations();
760 partitions_.push_back(std::move(root_part));
761
762 PartitionUpdate kern_part;
763 kern_part.set_partition_name(kLegacyPartitionNameKernel);
764 kern_part.set_run_postinstall(false);
765 if (manifest_.has_old_kernel_info()) {
766 *kern_part.mutable_old_partition_info() = manifest_.old_kernel_info();
767 manifest_.clear_old_kernel_info();
768 }
769 if (manifest_.has_new_kernel_info()) {
770 *kern_part.mutable_new_partition_info() = manifest_.new_kernel_info();
771 manifest_.clear_new_kernel_info();
772 }
773 *kern_part.mutable_operations() = manifest_.kernel_install_operations();
774 manifest_.clear_kernel_install_operations();
775 partitions_.push_back(std::move(kern_part));
776 }
777
778 // TODO(deymo): Remove this block of code once we switched to optional
779 // source partition verification. This list of partitions in the InstallPlan
780 // is initialized with the expected hashes in the payload major version 1,
781 // so we need to check those now if already set. See b/23182225.
782 if (!install_plan_->partitions.empty()) {
783 if (!VerifySourcePartitions()) {
784 *error = ErrorCode::kDownloadStateInitializationError;
785 return false;
786 }
787 }
788
789 // Fill in the InstallPlan::partitions based on the partitions from the
790 // payload.
791 install_plan_->partitions.clear();
792 for (const auto& partition : partitions_) {
793 InstallPlan::Partition install_part;
794 install_part.name = partition.partition_name();
795 install_part.run_postinstall =
796 partition.has_run_postinstall() && partition.run_postinstall();
797 if (install_part.run_postinstall) {
798 install_part.postinstall_path =
799 (partition.has_postinstall_path() ? partition.postinstall_path()
800 : kPostinstallDefaultScript);
801 install_part.filesystem_type = partition.filesystem_type();
802 }
803
804 if (partition.has_old_partition_info()) {
805 const PartitionInfo& info = partition.old_partition_info();
806 install_part.source_size = info.size();
807 install_part.source_hash.assign(info.hash().begin(), info.hash().end());
808 }
809
810 if (!partition.has_new_partition_info()) {
811 LOG(ERROR) << "Unable to get new partition hash info on partition "
812 << install_part.name << ".";
813 *error = ErrorCode::kDownloadNewPartitionInfoError;
814 return false;
815 }
816 const PartitionInfo& info = partition.new_partition_info();
817 install_part.target_size = info.size();
818 install_part.target_hash.assign(info.hash().begin(), info.hash().end());
819
820 install_plan_->partitions.push_back(install_part);
821 }
822
823 if (!install_plan_->LoadPartitionsFromSlots(boot_control_)) {
824 LOG(ERROR) << "Unable to determine all the partition devices.";
825 *error = ErrorCode::kInstallDeviceOpenError;
826 return false;
827 }
828 LogPartitionInfo(partitions_);
829 return true;
830 }
831
CanPerformInstallOperation(const chromeos_update_engine::InstallOperation & operation)832 bool DeltaPerformer::CanPerformInstallOperation(
833 const chromeos_update_engine::InstallOperation& operation) {
834 // If we don't have a data blob we can apply it right away.
835 if (!operation.has_data_offset() && !operation.has_data_length())
836 return true;
837
838 // See if we have the entire data blob in the buffer
839 if (operation.data_offset() < buffer_offset_) {
840 LOG(ERROR) << "we threw away data it seems?";
841 return false;
842 }
843
844 return (operation.data_offset() + operation.data_length() <=
845 buffer_offset_ + buffer_.size());
846 }
847
PerformReplaceOperation(const InstallOperation & operation)848 bool DeltaPerformer::PerformReplaceOperation(
849 const InstallOperation& operation) {
850 CHECK(operation.type() == InstallOperation::REPLACE ||
851 operation.type() == InstallOperation::REPLACE_BZ ||
852 operation.type() == InstallOperation::REPLACE_XZ);
853
854 // Since we delete data off the beginning of the buffer as we use it,
855 // the data we need should be exactly at the beginning of the buffer.
856 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
857 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
858
859 // Extract the signature message if it's in this operation.
860 if (ExtractSignatureMessageFromOperation(operation)) {
861 // If this is dummy replace operation, we ignore it after extracting the
862 // signature.
863 DiscardBuffer(true, 0);
864 return true;
865 }
866
867 // Setup the ExtentWriter stack based on the operation type.
868 std::unique_ptr<ExtentWriter> writer =
869 brillo::make_unique_ptr(new ZeroPadExtentWriter(
870 brillo::make_unique_ptr(new DirectExtentWriter())));
871
872 if (operation.type() == InstallOperation::REPLACE_BZ) {
873 writer.reset(new BzipExtentWriter(std::move(writer)));
874 } else if (operation.type() == InstallOperation::REPLACE_XZ) {
875 writer.reset(new XzExtentWriter(std::move(writer)));
876 }
877
878 // Create a vector of extents to pass to the ExtentWriter.
879 vector<Extent> extents;
880 for (int i = 0; i < operation.dst_extents_size(); i++) {
881 extents.push_back(operation.dst_extents(i));
882 }
883
884 TEST_AND_RETURN_FALSE(writer->Init(target_fd_, extents, block_size_));
885 TEST_AND_RETURN_FALSE(writer->Write(buffer_.data(), operation.data_length()));
886 TEST_AND_RETURN_FALSE(writer->End());
887
888 // Update buffer
889 DiscardBuffer(true, buffer_.size());
890 return true;
891 }
892
PerformZeroOrDiscardOperation(const InstallOperation & operation)893 bool DeltaPerformer::PerformZeroOrDiscardOperation(
894 const InstallOperation& operation) {
895 CHECK(operation.type() == InstallOperation::DISCARD ||
896 operation.type() == InstallOperation::ZERO);
897
898 // These operations have no blob.
899 TEST_AND_RETURN_FALSE(!operation.has_data_offset());
900 TEST_AND_RETURN_FALSE(!operation.has_data_length());
901
902 #ifdef BLKZEROOUT
903 bool attempt_ioctl = true;
904 int request =
905 (operation.type() == InstallOperation::ZERO ? BLKZEROOUT : BLKDISCARD);
906 #else // !defined(BLKZEROOUT)
907 bool attempt_ioctl = false;
908 int request = 0;
909 #endif // !defined(BLKZEROOUT)
910
911 brillo::Blob zeros;
912 for (int i = 0; i < operation.dst_extents_size(); i++) {
913 Extent extent = operation.dst_extents(i);
914 const uint64_t start = extent.start_block() * block_size_;
915 const uint64_t length = extent.num_blocks() * block_size_;
916 if (attempt_ioctl) {
917 int result = 0;
918 if (target_fd_->BlkIoctl(request, start, length, &result) && result == 0)
919 continue;
920 attempt_ioctl = false;
921 zeros.resize(16 * block_size_);
922 }
923 // In case of failure, we fall back to writing 0 to the selected region.
924 for (uint64_t offset = 0; offset < length; offset += zeros.size()) {
925 uint64_t chunk_length = min(length - offset,
926 static_cast<uint64_t>(zeros.size()));
927 TEST_AND_RETURN_FALSE(
928 utils::PWriteAll(target_fd_, zeros.data(), chunk_length, start + offset));
929 }
930 }
931 return true;
932 }
933
PerformMoveOperation(const InstallOperation & operation)934 bool DeltaPerformer::PerformMoveOperation(const InstallOperation& operation) {
935 // Calculate buffer size. Note, this function doesn't do a sliding
936 // window to copy in case the source and destination blocks overlap.
937 // If we wanted to do a sliding window, we could program the server
938 // to generate deltas that effectively did a sliding window.
939
940 uint64_t blocks_to_read = 0;
941 for (int i = 0; i < operation.src_extents_size(); i++)
942 blocks_to_read += operation.src_extents(i).num_blocks();
943
944 uint64_t blocks_to_write = 0;
945 for (int i = 0; i < operation.dst_extents_size(); i++)
946 blocks_to_write += operation.dst_extents(i).num_blocks();
947
948 DCHECK_EQ(blocks_to_write, blocks_to_read);
949 brillo::Blob buf(blocks_to_write * block_size_);
950
951 // Read in bytes.
952 ssize_t bytes_read = 0;
953 for (int i = 0; i < operation.src_extents_size(); i++) {
954 ssize_t bytes_read_this_iteration = 0;
955 const Extent& extent = operation.src_extents(i);
956 const size_t bytes = extent.num_blocks() * block_size_;
957 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole);
958 TEST_AND_RETURN_FALSE(utils::PReadAll(target_fd_,
959 &buf[bytes_read],
960 bytes,
961 extent.start_block() * block_size_,
962 &bytes_read_this_iteration));
963 TEST_AND_RETURN_FALSE(
964 bytes_read_this_iteration == static_cast<ssize_t>(bytes));
965 bytes_read += bytes_read_this_iteration;
966 }
967
968 // Write bytes out.
969 ssize_t bytes_written = 0;
970 for (int i = 0; i < operation.dst_extents_size(); i++) {
971 const Extent& extent = operation.dst_extents(i);
972 const size_t bytes = extent.num_blocks() * block_size_;
973 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole);
974 TEST_AND_RETURN_FALSE(utils::PWriteAll(target_fd_,
975 &buf[bytes_written],
976 bytes,
977 extent.start_block() * block_size_));
978 bytes_written += bytes;
979 }
980 DCHECK_EQ(bytes_written, bytes_read);
981 DCHECK_EQ(bytes_written, static_cast<ssize_t>(buf.size()));
982 return true;
983 }
984
985 namespace {
986
987 // Takes |extents| and fills an empty vector |blocks| with a block index for
988 // each block in |extents|. For example, [(3, 2), (8, 1)] would give [3, 4, 8].
ExtentsToBlocks(const RepeatedPtrField<Extent> & extents,vector<uint64_t> * blocks)989 void ExtentsToBlocks(const RepeatedPtrField<Extent>& extents,
990 vector<uint64_t>* blocks) {
991 for (Extent ext : extents) {
992 for (uint64_t j = 0; j < ext.num_blocks(); j++)
993 blocks->push_back(ext.start_block() + j);
994 }
995 }
996
997 // Takes |extents| and returns the number of blocks in those extents.
GetBlockCount(const RepeatedPtrField<Extent> & extents)998 uint64_t GetBlockCount(const RepeatedPtrField<Extent>& extents) {
999 uint64_t sum = 0;
1000 for (Extent ext : extents) {
1001 sum += ext.num_blocks();
1002 }
1003 return sum;
1004 }
1005
1006 // Compare |calculated_hash| with source hash in |operation|, return false and
1007 // dump hash if don't match.
ValidateSourceHash(const brillo::Blob & calculated_hash,const InstallOperation & operation)1008 bool ValidateSourceHash(const brillo::Blob& calculated_hash,
1009 const InstallOperation& operation) {
1010 brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(),
1011 operation.src_sha256_hash().end());
1012 if (calculated_hash != expected_source_hash) {
1013 LOG(ERROR) << "Hash verification failed. Expected hash = ";
1014 utils::HexDumpVector(expected_source_hash);
1015 LOG(ERROR) << "Calculated hash = ";
1016 utils::HexDumpVector(calculated_hash);
1017 return false;
1018 }
1019 return true;
1020 }
1021
1022 } // namespace
1023
PerformSourceCopyOperation(const InstallOperation & operation)1024 bool DeltaPerformer::PerformSourceCopyOperation(
1025 const InstallOperation& operation) {
1026 if (operation.has_src_length())
1027 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0);
1028 if (operation.has_dst_length())
1029 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0);
1030
1031 uint64_t blocks_to_read = GetBlockCount(operation.src_extents());
1032 uint64_t blocks_to_write = GetBlockCount(operation.dst_extents());
1033 TEST_AND_RETURN_FALSE(blocks_to_write == blocks_to_read);
1034
1035 // Create vectors of all the individual src/dst blocks.
1036 vector<uint64_t> src_blocks;
1037 vector<uint64_t> dst_blocks;
1038 ExtentsToBlocks(operation.src_extents(), &src_blocks);
1039 ExtentsToBlocks(operation.dst_extents(), &dst_blocks);
1040 DCHECK_EQ(src_blocks.size(), blocks_to_read);
1041 DCHECK_EQ(src_blocks.size(), dst_blocks.size());
1042
1043 brillo::Blob buf(block_size_);
1044 ssize_t bytes_read = 0;
1045 HashCalculator source_hasher;
1046 // Read/write one block at a time.
1047 for (uint64_t i = 0; i < blocks_to_read; i++) {
1048 ssize_t bytes_read_this_iteration = 0;
1049 uint64_t src_block = src_blocks[i];
1050 uint64_t dst_block = dst_blocks[i];
1051
1052 // Read in bytes.
1053 TEST_AND_RETURN_FALSE(
1054 utils::PReadAll(source_fd_,
1055 buf.data(),
1056 block_size_,
1057 src_block * block_size_,
1058 &bytes_read_this_iteration));
1059
1060 // Write bytes out.
1061 TEST_AND_RETURN_FALSE(
1062 utils::PWriteAll(target_fd_,
1063 buf.data(),
1064 block_size_,
1065 dst_block * block_size_));
1066
1067 bytes_read += bytes_read_this_iteration;
1068 TEST_AND_RETURN_FALSE(bytes_read_this_iteration ==
1069 static_cast<ssize_t>(block_size_));
1070
1071 if (operation.has_src_sha256_hash())
1072 TEST_AND_RETURN_FALSE(source_hasher.Update(buf.data(), buf.size()));
1073 }
1074
1075 if (operation.has_src_sha256_hash()) {
1076 TEST_AND_RETURN_FALSE(source_hasher.Finalize());
1077 TEST_AND_RETURN_FALSE(
1078 ValidateSourceHash(source_hasher.raw_hash(), operation));
1079 }
1080
1081 DCHECK_EQ(bytes_read, static_cast<ssize_t>(blocks_to_read * block_size_));
1082 return true;
1083 }
1084
ExtentsToBsdiffPositionsString(const RepeatedPtrField<Extent> & extents,uint64_t block_size,uint64_t full_length,string * positions_string)1085 bool DeltaPerformer::ExtentsToBsdiffPositionsString(
1086 const RepeatedPtrField<Extent>& extents,
1087 uint64_t block_size,
1088 uint64_t full_length,
1089 string* positions_string) {
1090 string ret;
1091 uint64_t length = 0;
1092 for (int i = 0; i < extents.size(); i++) {
1093 Extent extent = extents.Get(i);
1094 int64_t start = extent.start_block() * block_size;
1095 uint64_t this_length = min(full_length - length,
1096 extent.num_blocks() * block_size);
1097 ret += base::StringPrintf("%" PRIi64 ":%" PRIu64 ",", start, this_length);
1098 length += this_length;
1099 }
1100 TEST_AND_RETURN_FALSE(length == full_length);
1101 if (!ret.empty())
1102 ret.resize(ret.size() - 1); // Strip trailing comma off
1103 *positions_string = ret;
1104 return true;
1105 }
1106
PerformBsdiffOperation(const InstallOperation & operation)1107 bool DeltaPerformer::PerformBsdiffOperation(const InstallOperation& operation) {
1108 // Since we delete data off the beginning of the buffer as we use it,
1109 // the data we need should be exactly at the beginning of the buffer.
1110 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1111 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1112
1113 string input_positions;
1114 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(),
1115 block_size_,
1116 operation.src_length(),
1117 &input_positions));
1118 string output_positions;
1119 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(),
1120 block_size_,
1121 operation.dst_length(),
1122 &output_positions));
1123
1124 string temp_filename;
1125 TEST_AND_RETURN_FALSE(utils::MakeTempFile("au_patch.XXXXXX",
1126 &temp_filename,
1127 nullptr));
1128 ScopedPathUnlinker path_unlinker(temp_filename);
1129 {
1130 int fd = open(temp_filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0644);
1131 ScopedFdCloser fd_closer(&fd);
1132 TEST_AND_RETURN_FALSE(
1133 utils::WriteAll(fd, buffer_.data(), operation.data_length()));
1134 }
1135
1136 // Update the buffer to release the patch data memory as soon as the patch
1137 // file is written out.
1138 DiscardBuffer(true, buffer_.size());
1139
1140 vector<string> cmd{kBspatchPath, target_path_, target_path_, temp_filename,
1141 input_positions, output_positions};
1142
1143 int return_code = 0;
1144 TEST_AND_RETURN_FALSE(
1145 Subprocess::SynchronousExecFlags(cmd, Subprocess::kSearchPath,
1146 &return_code, nullptr));
1147 TEST_AND_RETURN_FALSE(return_code == 0);
1148
1149 if (operation.dst_length() % block_size_) {
1150 // Zero out rest of final block.
1151 // TODO(adlr): build this into bspatch; it's more efficient that way.
1152 const Extent& last_extent =
1153 operation.dst_extents(operation.dst_extents_size() - 1);
1154 const uint64_t end_byte =
1155 (last_extent.start_block() + last_extent.num_blocks()) * block_size_;
1156 const uint64_t begin_byte =
1157 end_byte - (block_size_ - operation.dst_length() % block_size_);
1158 brillo::Blob zeros(end_byte - begin_byte);
1159 TEST_AND_RETURN_FALSE(
1160 utils::PWriteAll(target_fd_, zeros.data(), end_byte - begin_byte, begin_byte));
1161 }
1162 return true;
1163 }
1164
PerformSourceBsdiffOperation(const InstallOperation & operation)1165 bool DeltaPerformer::PerformSourceBsdiffOperation(
1166 const InstallOperation& operation) {
1167 // Since we delete data off the beginning of the buffer as we use it,
1168 // the data we need should be exactly at the beginning of the buffer.
1169 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset());
1170 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length());
1171 if (operation.has_src_length())
1172 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0);
1173 if (operation.has_dst_length())
1174 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0);
1175
1176 if (operation.has_src_sha256_hash()) {
1177 HashCalculator source_hasher;
1178 const uint64_t kMaxBlocksToRead = 512; // 2MB if block size is 4KB
1179 brillo::Blob buf(kMaxBlocksToRead * block_size_);
1180 for (const Extent& extent : operation.src_extents()) {
1181 for (uint64_t i = 0; i < extent.num_blocks(); i += kMaxBlocksToRead) {
1182 uint64_t blocks_to_read =
1183 min(kMaxBlocksToRead, extent.num_blocks() - i);
1184 ssize_t bytes_to_read = blocks_to_read * block_size_;
1185 ssize_t bytes_read_this_iteration = 0;
1186 TEST_AND_RETURN_FALSE(
1187 utils::PReadAll(source_fd_, buf.data(), bytes_to_read,
1188 (extent.start_block() + i) * block_size_,
1189 &bytes_read_this_iteration));
1190 TEST_AND_RETURN_FALSE(bytes_read_this_iteration == bytes_to_read);
1191 TEST_AND_RETURN_FALSE(source_hasher.Update(buf.data(), bytes_to_read));
1192 }
1193 }
1194 TEST_AND_RETURN_FALSE(source_hasher.Finalize());
1195 TEST_AND_RETURN_FALSE(
1196 ValidateSourceHash(source_hasher.raw_hash(), operation));
1197 }
1198
1199 string input_positions;
1200 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(),
1201 block_size_,
1202 operation.src_length(),
1203 &input_positions));
1204 string output_positions;
1205 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(),
1206 block_size_,
1207 operation.dst_length(),
1208 &output_positions));
1209
1210 string temp_filename;
1211 TEST_AND_RETURN_FALSE(utils::MakeTempFile("au_patch.XXXXXX",
1212 &temp_filename,
1213 nullptr));
1214 ScopedPathUnlinker path_unlinker(temp_filename);
1215 {
1216 int fd = open(temp_filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0644);
1217 ScopedFdCloser fd_closer(&fd);
1218 TEST_AND_RETURN_FALSE(
1219 utils::WriteAll(fd, buffer_.data(), operation.data_length()));
1220 }
1221
1222 // Update the buffer to release the patch data memory as soon as the patch
1223 // file is written out.
1224 DiscardBuffer(true, buffer_.size());
1225
1226 vector<string> cmd{kBspatchPath, source_path_, target_path_, temp_filename,
1227 input_positions, output_positions};
1228
1229 int return_code = 0;
1230 TEST_AND_RETURN_FALSE(
1231 Subprocess::SynchronousExecFlags(cmd, Subprocess::kSearchPath,
1232 &return_code, nullptr));
1233 TEST_AND_RETURN_FALSE(return_code == 0);
1234 return true;
1235 }
1236
ExtractSignatureMessageFromOperation(const InstallOperation & operation)1237 bool DeltaPerformer::ExtractSignatureMessageFromOperation(
1238 const InstallOperation& operation) {
1239 if (operation.type() != InstallOperation::REPLACE ||
1240 !manifest_.has_signatures_offset() ||
1241 manifest_.signatures_offset() != operation.data_offset()) {
1242 return false;
1243 }
1244 TEST_AND_RETURN_FALSE(manifest_.has_signatures_size() &&
1245 manifest_.signatures_size() == operation.data_length());
1246 TEST_AND_RETURN_FALSE(ExtractSignatureMessage());
1247 return true;
1248 }
1249
ExtractSignatureMessage()1250 bool DeltaPerformer::ExtractSignatureMessage() {
1251 TEST_AND_RETURN_FALSE(signatures_message_data_.empty());
1252 TEST_AND_RETURN_FALSE(buffer_offset_ == manifest_.signatures_offset());
1253 TEST_AND_RETURN_FALSE(buffer_.size() >= manifest_.signatures_size());
1254 signatures_message_data_.assign(
1255 buffer_.begin(),
1256 buffer_.begin() + manifest_.signatures_size());
1257
1258 // Save the signature blob because if the update is interrupted after the
1259 // download phase we don't go through this path anymore. Some alternatives to
1260 // consider:
1261 //
1262 // 1. On resume, re-download the signature blob from the server and re-verify
1263 // it.
1264 //
1265 // 2. Verify the signature as soon as it's received and don't checkpoint the
1266 // blob and the signed sha-256 context.
1267 LOG_IF(WARNING, !prefs_->SetString(kPrefsUpdateStateSignatureBlob,
1268 string(signatures_message_data_.begin(),
1269 signatures_message_data_.end())))
1270 << "Unable to store the signature blob.";
1271
1272 LOG(INFO) << "Extracted signature data of size "
1273 << manifest_.signatures_size() << " at "
1274 << manifest_.signatures_offset();
1275 return true;
1276 }
1277
GetPublicKeyFromResponse(base::FilePath * out_tmp_key)1278 bool DeltaPerformer::GetPublicKeyFromResponse(base::FilePath *out_tmp_key) {
1279 if (hardware_->IsOfficialBuild() ||
1280 utils::FileExists(public_key_path_.c_str()) ||
1281 install_plan_->public_key_rsa.empty())
1282 return false;
1283
1284 if (!utils::DecodeAndStoreBase64String(install_plan_->public_key_rsa,
1285 out_tmp_key))
1286 return false;
1287
1288 return true;
1289 }
1290
ValidateMetadataSignature(const brillo::Blob & payload)1291 ErrorCode DeltaPerformer::ValidateMetadataSignature(
1292 const brillo::Blob& payload) {
1293 if (payload.size() < metadata_size_ + metadata_signature_size_)
1294 return ErrorCode::kDownloadMetadataSignatureError;
1295
1296 brillo::Blob metadata_signature_blob, metadata_signature_protobuf_blob;
1297 if (!install_plan_->metadata_signature.empty()) {
1298 // Convert base64-encoded signature to raw bytes.
1299 if (!brillo::data_encoding::Base64Decode(
1300 install_plan_->metadata_signature, &metadata_signature_blob)) {
1301 LOG(ERROR) << "Unable to decode base64 metadata signature: "
1302 << install_plan_->metadata_signature;
1303 return ErrorCode::kDownloadMetadataSignatureError;
1304 }
1305 } else if (major_payload_version_ == kBrilloMajorPayloadVersion) {
1306 metadata_signature_protobuf_blob.assign(payload.begin() + metadata_size_,
1307 payload.begin() + metadata_size_ +
1308 metadata_signature_size_);
1309 }
1310
1311 if (metadata_signature_blob.empty() &&
1312 metadata_signature_protobuf_blob.empty()) {
1313 if (install_plan_->hash_checks_mandatory) {
1314 LOG(ERROR) << "Missing mandatory metadata signature in both Omaha "
1315 << "response and payload.";
1316 return ErrorCode::kDownloadMetadataSignatureMissingError;
1317 }
1318
1319 LOG(WARNING) << "Cannot validate metadata as the signature is empty";
1320 return ErrorCode::kSuccess;
1321 }
1322
1323 // See if we should use the public RSA key in the Omaha response.
1324 base::FilePath path_to_public_key(public_key_path_);
1325 base::FilePath tmp_key;
1326 if (GetPublicKeyFromResponse(&tmp_key))
1327 path_to_public_key = tmp_key;
1328 ScopedPathUnlinker tmp_key_remover(tmp_key.value());
1329 if (tmp_key.empty())
1330 tmp_key_remover.set_should_remove(false);
1331
1332 LOG(INFO) << "Verifying metadata hash signature using public key: "
1333 << path_to_public_key.value();
1334
1335 HashCalculator metadata_hasher;
1336 metadata_hasher.Update(payload.data(), metadata_size_);
1337 if (!metadata_hasher.Finalize()) {
1338 LOG(ERROR) << "Unable to compute actual hash of manifest";
1339 return ErrorCode::kDownloadMetadataSignatureVerificationError;
1340 }
1341
1342 brillo::Blob calculated_metadata_hash = metadata_hasher.raw_hash();
1343 PayloadVerifier::PadRSA2048SHA256Hash(&calculated_metadata_hash);
1344 if (calculated_metadata_hash.empty()) {
1345 LOG(ERROR) << "Computed actual hash of metadata is empty.";
1346 return ErrorCode::kDownloadMetadataSignatureVerificationError;
1347 }
1348
1349 if (!metadata_signature_blob.empty()) {
1350 brillo::Blob expected_metadata_hash;
1351 if (!PayloadVerifier::GetRawHashFromSignature(metadata_signature_blob,
1352 path_to_public_key.value(),
1353 &expected_metadata_hash)) {
1354 LOG(ERROR) << "Unable to compute expected hash from metadata signature";
1355 return ErrorCode::kDownloadMetadataSignatureError;
1356 }
1357 if (calculated_metadata_hash != expected_metadata_hash) {
1358 LOG(ERROR) << "Manifest hash verification failed. Expected hash = ";
1359 utils::HexDumpVector(expected_metadata_hash);
1360 LOG(ERROR) << "Calculated hash = ";
1361 utils::HexDumpVector(calculated_metadata_hash);
1362 return ErrorCode::kDownloadMetadataSignatureMismatch;
1363 }
1364 } else {
1365 if (!PayloadVerifier::VerifySignature(metadata_signature_protobuf_blob,
1366 path_to_public_key.value(),
1367 calculated_metadata_hash)) {
1368 LOG(ERROR) << "Manifest hash verification failed.";
1369 return ErrorCode::kDownloadMetadataSignatureMismatch;
1370 }
1371 }
1372
1373 // The autoupdate_CatchBadSignatures test checks for this string in
1374 // log-files. Keep in sync.
1375 LOG(INFO) << "Metadata hash signature matches value in Omaha response.";
1376 return ErrorCode::kSuccess;
1377 }
1378
ValidateManifest()1379 ErrorCode DeltaPerformer::ValidateManifest() {
1380 // Perform assorted checks to sanity check the manifest, make sure it
1381 // matches data from other sources, and that it is a supported version.
1382
1383 bool has_old_fields =
1384 (manifest_.has_old_kernel_info() || manifest_.has_old_rootfs_info());
1385 for (const PartitionUpdate& partition : manifest_.partitions()) {
1386 has_old_fields = has_old_fields || partition.has_old_partition_info();
1387 }
1388
1389 // The presence of an old partition hash is the sole indicator for a delta
1390 // update.
1391 InstallPayloadType actual_payload_type =
1392 has_old_fields ? InstallPayloadType::kDelta : InstallPayloadType::kFull;
1393
1394 if (install_plan_->payload_type == InstallPayloadType::kUnknown) {
1395 LOG(INFO) << "Detected a '"
1396 << InstallPayloadTypeToString(actual_payload_type)
1397 << "' payload.";
1398 install_plan_->payload_type = actual_payload_type;
1399 } else if (install_plan_->payload_type != actual_payload_type) {
1400 LOG(ERROR) << "InstallPlan expected a '"
1401 << InstallPayloadTypeToString(install_plan_->payload_type)
1402 << "' payload but the downloaded manifest contains a '"
1403 << InstallPayloadTypeToString(actual_payload_type)
1404 << "' payload.";
1405 return ErrorCode::kPayloadMismatchedType;
1406 }
1407
1408 // Check that the minor version is compatible.
1409 if (actual_payload_type == InstallPayloadType::kFull) {
1410 if (manifest_.minor_version() != kFullPayloadMinorVersion) {
1411 LOG(ERROR) << "Manifest contains minor version "
1412 << manifest_.minor_version()
1413 << ", but all full payloads should have version "
1414 << kFullPayloadMinorVersion << ".";
1415 return ErrorCode::kUnsupportedMinorPayloadVersion;
1416 }
1417 } else {
1418 if (manifest_.minor_version() != supported_minor_version_) {
1419 LOG(ERROR) << "Manifest contains minor version "
1420 << manifest_.minor_version()
1421 << " not the supported "
1422 << supported_minor_version_;
1423 return ErrorCode::kUnsupportedMinorPayloadVersion;
1424 }
1425 }
1426
1427 if (major_payload_version_ != kChromeOSMajorPayloadVersion) {
1428 if (manifest_.has_old_rootfs_info() ||
1429 manifest_.has_new_rootfs_info() ||
1430 manifest_.has_old_kernel_info() ||
1431 manifest_.has_new_kernel_info() ||
1432 manifest_.install_operations_size() != 0 ||
1433 manifest_.kernel_install_operations_size() != 0) {
1434 LOG(ERROR) << "Manifest contains deprecated field only supported in "
1435 << "major payload version 1, but the payload major version is "
1436 << major_payload_version_;
1437 return ErrorCode::kPayloadMismatchedType;
1438 }
1439 }
1440
1441 // TODO(garnold) we should be adding more and more manifest checks, such as
1442 // partition boundaries etc (see chromium-os:37661).
1443
1444 return ErrorCode::kSuccess;
1445 }
1446
ValidateOperationHash(const InstallOperation & operation)1447 ErrorCode DeltaPerformer::ValidateOperationHash(
1448 const InstallOperation& operation) {
1449 if (!operation.data_sha256_hash().size()) {
1450 if (!operation.data_length()) {
1451 // Operations that do not have any data blob won't have any operation hash
1452 // either. So, these operations are always considered validated since the
1453 // metadata that contains all the non-data-blob portions of the operation
1454 // has already been validated. This is true for both HTTP and HTTPS cases.
1455 return ErrorCode::kSuccess;
1456 }
1457
1458 // No hash is present for an operation that has data blobs. This shouldn't
1459 // happen normally for any client that has this code, because the
1460 // corresponding update should have been produced with the operation
1461 // hashes. So if it happens it means either we've turned operation hash
1462 // generation off in DeltaDiffGenerator or it's a regression of some sort.
1463 // One caveat though: The last operation is a dummy signature operation
1464 // that doesn't have a hash at the time the manifest is created. So we
1465 // should not complaint about that operation. This operation can be
1466 // recognized by the fact that it's offset is mentioned in the manifest.
1467 if (manifest_.signatures_offset() &&
1468 manifest_.signatures_offset() == operation.data_offset()) {
1469 LOG(INFO) << "Skipping hash verification for signature operation "
1470 << next_operation_num_ + 1;
1471 } else {
1472 if (install_plan_->hash_checks_mandatory) {
1473 LOG(ERROR) << "Missing mandatory operation hash for operation "
1474 << next_operation_num_ + 1;
1475 return ErrorCode::kDownloadOperationHashMissingError;
1476 }
1477
1478 LOG(WARNING) << "Cannot validate operation " << next_operation_num_ + 1
1479 << " as there's no operation hash in manifest";
1480 }
1481 return ErrorCode::kSuccess;
1482 }
1483
1484 brillo::Blob expected_op_hash;
1485 expected_op_hash.assign(operation.data_sha256_hash().data(),
1486 (operation.data_sha256_hash().data() +
1487 operation.data_sha256_hash().size()));
1488
1489 HashCalculator operation_hasher;
1490 operation_hasher.Update(buffer_.data(), operation.data_length());
1491 if (!operation_hasher.Finalize()) {
1492 LOG(ERROR) << "Unable to compute actual hash of operation "
1493 << next_operation_num_;
1494 return ErrorCode::kDownloadOperationHashVerificationError;
1495 }
1496
1497 brillo::Blob calculated_op_hash = operation_hasher.raw_hash();
1498 if (calculated_op_hash != expected_op_hash) {
1499 LOG(ERROR) << "Hash verification failed for operation "
1500 << next_operation_num_ << ". Expected hash = ";
1501 utils::HexDumpVector(expected_op_hash);
1502 LOG(ERROR) << "Calculated hash over " << operation.data_length()
1503 << " bytes at offset: " << operation.data_offset() << " = ";
1504 utils::HexDumpVector(calculated_op_hash);
1505 return ErrorCode::kDownloadOperationHashMismatch;
1506 }
1507
1508 return ErrorCode::kSuccess;
1509 }
1510
1511 #define TEST_AND_RETURN_VAL(_retval, _condition) \
1512 do { \
1513 if (!(_condition)) { \
1514 LOG(ERROR) << "VerifyPayload failure: " << #_condition; \
1515 return _retval; \
1516 } \
1517 } while (0);
1518
VerifyPayload(const string & update_check_response_hash,const uint64_t update_check_response_size)1519 ErrorCode DeltaPerformer::VerifyPayload(
1520 const string& update_check_response_hash,
1521 const uint64_t update_check_response_size) {
1522
1523 // See if we should use the public RSA key in the Omaha response.
1524 base::FilePath path_to_public_key(public_key_path_);
1525 base::FilePath tmp_key;
1526 if (GetPublicKeyFromResponse(&tmp_key))
1527 path_to_public_key = tmp_key;
1528 ScopedPathUnlinker tmp_key_remover(tmp_key.value());
1529 if (tmp_key.empty())
1530 tmp_key_remover.set_should_remove(false);
1531
1532 LOG(INFO) << "Verifying payload using public key: "
1533 << path_to_public_key.value();
1534
1535 // Verifies the download size.
1536 TEST_AND_RETURN_VAL(ErrorCode::kPayloadSizeMismatchError,
1537 update_check_response_size ==
1538 metadata_size_ + metadata_signature_size_ +
1539 buffer_offset_);
1540
1541 // Verifies the payload hash.
1542 const string& payload_hash_data = payload_hash_calculator_.hash();
1543 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadVerificationError,
1544 !payload_hash_data.empty());
1545 TEST_AND_RETURN_VAL(ErrorCode::kPayloadHashMismatchError,
1546 payload_hash_data == update_check_response_hash);
1547
1548 // Verifies the signed payload hash.
1549 if (!utils::FileExists(path_to_public_key.value().c_str())) {
1550 LOG(WARNING) << "Not verifying signed delta payload -- missing public key.";
1551 return ErrorCode::kSuccess;
1552 }
1553 TEST_AND_RETURN_VAL(ErrorCode::kSignedDeltaPayloadExpectedError,
1554 !signatures_message_data_.empty());
1555 brillo::Blob hash_data = signed_hash_calculator_.raw_hash();
1556 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError,
1557 PayloadVerifier::PadRSA2048SHA256Hash(&hash_data));
1558 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError,
1559 !hash_data.empty());
1560
1561 if (!PayloadVerifier::VerifySignature(
1562 signatures_message_data_, path_to_public_key.value(), hash_data)) {
1563 // The autoupdate_CatchBadSignatures test checks for this string
1564 // in log-files. Keep in sync.
1565 LOG(ERROR) << "Public key verification failed, thus update failed.";
1566 return ErrorCode::kDownloadPayloadPubKeyVerificationError;
1567 }
1568
1569 LOG(INFO) << "Payload hash matches value in payload.";
1570
1571 // At this point, we are guaranteed to have downloaded a full payload, i.e
1572 // the one whose size matches the size mentioned in Omaha response. If any
1573 // errors happen after this, it's likely a problem with the payload itself or
1574 // the state of the system and not a problem with the URL or network. So,
1575 // indicate that to the download delegate so that AU can backoff
1576 // appropriately.
1577 if (download_delegate_)
1578 download_delegate_->DownloadComplete();
1579
1580 return ErrorCode::kSuccess;
1581 }
1582
1583 namespace {
LogVerifyError(const string & type,const string & device,uint64_t size,const string & local_hash,const string & expected_hash)1584 void LogVerifyError(const string& type,
1585 const string& device,
1586 uint64_t size,
1587 const string& local_hash,
1588 const string& expected_hash) {
1589 LOG(ERROR) << "This is a server-side error due to "
1590 << "mismatched delta update image!";
1591 LOG(ERROR) << "The delta I've been given contains a " << type << " delta "
1592 << "update that must be applied over a " << type << " with "
1593 << "a specific checksum, but the " << type << " we're starting "
1594 << "with doesn't have that checksum! This means that "
1595 << "the delta I've been given doesn't match my existing "
1596 << "system. The " << type << " partition I have has hash: "
1597 << local_hash << " but the update expected me to have "
1598 << expected_hash << " .";
1599 LOG(INFO) << "To get the checksum of the " << type << " partition run this"
1600 "command: dd if=" << device << " bs=1M count=" << size
1601 << " iflag=count_bytes 2>/dev/null | openssl dgst -sha256 -binary "
1602 "| openssl base64";
1603 LOG(INFO) << "To get the checksum of partitions in a bin file, "
1604 << "run: .../src/scripts/sha256_partitions.sh .../file.bin";
1605 }
1606
StringForHashBytes(const void * bytes,size_t size)1607 string StringForHashBytes(const void* bytes, size_t size) {
1608 return brillo::data_encoding::Base64Encode(bytes, size);
1609 }
1610 } // namespace
1611
VerifySourcePartitions()1612 bool DeltaPerformer::VerifySourcePartitions() {
1613 LOG(INFO) << "Verifying source partitions.";
1614 CHECK(manifest_valid_);
1615 CHECK(install_plan_);
1616 if (install_plan_->partitions.size() != partitions_.size()) {
1617 DLOG(ERROR) << "The list of partitions in the InstallPlan doesn't match the "
1618 "list received in the payload. The InstallPlan has "
1619 << install_plan_->partitions.size()
1620 << " partitions while the payload has " << partitions_.size()
1621 << " partitions.";
1622 return false;
1623 }
1624 for (size_t i = 0; i < partitions_.size(); ++i) {
1625 if (partitions_[i].partition_name() != install_plan_->partitions[i].name) {
1626 DLOG(ERROR) << "The InstallPlan's partition " << i << " is \""
1627 << install_plan_->partitions[i].name
1628 << "\" but the payload expects it to be \""
1629 << partitions_[i].partition_name()
1630 << "\". This is an error in the DeltaPerformer setup.";
1631 return false;
1632 }
1633 if (!partitions_[i].has_old_partition_info())
1634 continue;
1635 const PartitionInfo& info = partitions_[i].old_partition_info();
1636 const InstallPlan::Partition& plan_part = install_plan_->partitions[i];
1637 bool valid =
1638 !plan_part.source_hash.empty() &&
1639 plan_part.source_hash.size() == info.hash().size() &&
1640 memcmp(plan_part.source_hash.data(),
1641 info.hash().data(),
1642 plan_part.source_hash.size()) == 0;
1643 if (!valid) {
1644 LogVerifyError(partitions_[i].partition_name(),
1645 plan_part.source_path,
1646 info.hash().size(),
1647 StringForHashBytes(plan_part.source_hash.data(),
1648 plan_part.source_hash.size()),
1649 StringForHashBytes(info.hash().data(),
1650 info.hash().size()));
1651 return false;
1652 }
1653 }
1654 return true;
1655 }
1656
DiscardBuffer(bool do_advance_offset,size_t signed_hash_buffer_size)1657 void DeltaPerformer::DiscardBuffer(bool do_advance_offset,
1658 size_t signed_hash_buffer_size) {
1659 // Update the buffer offset.
1660 if (do_advance_offset)
1661 buffer_offset_ += buffer_.size();
1662
1663 // Hash the content.
1664 payload_hash_calculator_.Update(buffer_.data(), buffer_.size());
1665 signed_hash_calculator_.Update(buffer_.data(), signed_hash_buffer_size);
1666
1667 // Swap content with an empty vector to ensure that all memory is released.
1668 brillo::Blob().swap(buffer_);
1669 }
1670
CanResumeUpdate(PrefsInterface * prefs,string update_check_response_hash)1671 bool DeltaPerformer::CanResumeUpdate(PrefsInterface* prefs,
1672 string update_check_response_hash) {
1673 int64_t next_operation = kUpdateStateOperationInvalid;
1674 if (!(prefs->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) &&
1675 next_operation != kUpdateStateOperationInvalid &&
1676 next_operation > 0))
1677 return false;
1678
1679 string interrupted_hash;
1680 if (!(prefs->GetString(kPrefsUpdateCheckResponseHash, &interrupted_hash) &&
1681 !interrupted_hash.empty() &&
1682 interrupted_hash == update_check_response_hash))
1683 return false;
1684
1685 int64_t resumed_update_failures;
1686 // Note that storing this value is optional, but if it is there it should not
1687 // be more than the limit.
1688 if (prefs->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures) &&
1689 resumed_update_failures > kMaxResumedUpdateFailures)
1690 return false;
1691
1692 // Sanity check the rest.
1693 int64_t next_data_offset = -1;
1694 if (!(prefs->GetInt64(kPrefsUpdateStateNextDataOffset, &next_data_offset) &&
1695 next_data_offset >= 0))
1696 return false;
1697
1698 string sha256_context;
1699 if (!(prefs->GetString(kPrefsUpdateStateSHA256Context, &sha256_context) &&
1700 !sha256_context.empty()))
1701 return false;
1702
1703 int64_t manifest_metadata_size = 0;
1704 if (!(prefs->GetInt64(kPrefsManifestMetadataSize, &manifest_metadata_size) &&
1705 manifest_metadata_size > 0))
1706 return false;
1707
1708 int64_t manifest_signature_size = 0;
1709 if (!(prefs->GetInt64(kPrefsManifestSignatureSize,
1710 &manifest_signature_size) &&
1711 manifest_signature_size >= 0))
1712 return false;
1713
1714 return true;
1715 }
1716
ResetUpdateProgress(PrefsInterface * prefs,bool quick)1717 bool DeltaPerformer::ResetUpdateProgress(PrefsInterface* prefs, bool quick) {
1718 TEST_AND_RETURN_FALSE(prefs->SetInt64(kPrefsUpdateStateNextOperation,
1719 kUpdateStateOperationInvalid));
1720 if (!quick) {
1721 prefs->SetString(kPrefsUpdateCheckResponseHash, "");
1722 prefs->SetInt64(kPrefsUpdateStateNextDataOffset, -1);
1723 prefs->SetInt64(kPrefsUpdateStateNextDataLength, 0);
1724 prefs->SetString(kPrefsUpdateStateSHA256Context, "");
1725 prefs->SetString(kPrefsUpdateStateSignedSHA256Context, "");
1726 prefs->SetString(kPrefsUpdateStateSignatureBlob, "");
1727 prefs->SetInt64(kPrefsManifestMetadataSize, -1);
1728 prefs->SetInt64(kPrefsManifestSignatureSize, -1);
1729 prefs->SetInt64(kPrefsResumedUpdateFailures, 0);
1730 }
1731 return true;
1732 }
1733
CheckpointUpdateProgress()1734 bool DeltaPerformer::CheckpointUpdateProgress() {
1735 Terminator::set_exit_blocked(true);
1736 if (last_updated_buffer_offset_ != buffer_offset_) {
1737 // Resets the progress in case we die in the middle of the state update.
1738 ResetUpdateProgress(prefs_, true);
1739 TEST_AND_RETURN_FALSE(
1740 prefs_->SetString(kPrefsUpdateStateSHA256Context,
1741 payload_hash_calculator_.GetContext()));
1742 TEST_AND_RETURN_FALSE(
1743 prefs_->SetString(kPrefsUpdateStateSignedSHA256Context,
1744 signed_hash_calculator_.GetContext()));
1745 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataOffset,
1746 buffer_offset_));
1747 last_updated_buffer_offset_ = buffer_offset_;
1748
1749 if (next_operation_num_ < num_total_operations_) {
1750 size_t partition_index = current_partition_;
1751 while (next_operation_num_ >= acc_num_operations_[partition_index])
1752 partition_index++;
1753 const size_t partition_operation_num = next_operation_num_ - (
1754 partition_index ? acc_num_operations_[partition_index - 1] : 0);
1755 const InstallOperation& op =
1756 partitions_[partition_index].operations(partition_operation_num);
1757 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength,
1758 op.data_length()));
1759 } else {
1760 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength,
1761 0));
1762 }
1763 }
1764 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextOperation,
1765 next_operation_num_));
1766 return true;
1767 }
1768
PrimeUpdateState()1769 bool DeltaPerformer::PrimeUpdateState() {
1770 CHECK(manifest_valid_);
1771 block_size_ = manifest_.block_size();
1772
1773 int64_t next_operation = kUpdateStateOperationInvalid;
1774 if (!prefs_->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) ||
1775 next_operation == kUpdateStateOperationInvalid ||
1776 next_operation <= 0) {
1777 // Initiating a new update, no more state needs to be initialized.
1778 return true;
1779 }
1780 next_operation_num_ = next_operation;
1781
1782 // Resuming an update -- load the rest of the update state.
1783 int64_t next_data_offset = -1;
1784 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsUpdateStateNextDataOffset,
1785 &next_data_offset) &&
1786 next_data_offset >= 0);
1787 buffer_offset_ = next_data_offset;
1788
1789 // The signed hash context and the signature blob may be empty if the
1790 // interrupted update didn't reach the signature.
1791 string signed_hash_context;
1792 if (prefs_->GetString(kPrefsUpdateStateSignedSHA256Context,
1793 &signed_hash_context)) {
1794 TEST_AND_RETURN_FALSE(
1795 signed_hash_calculator_.SetContext(signed_hash_context));
1796 }
1797
1798 string signature_blob;
1799 if (prefs_->GetString(kPrefsUpdateStateSignatureBlob, &signature_blob)) {
1800 signatures_message_data_.assign(signature_blob.begin(),
1801 signature_blob.end());
1802 }
1803
1804 string hash_context;
1805 TEST_AND_RETURN_FALSE(prefs_->GetString(kPrefsUpdateStateSHA256Context,
1806 &hash_context) &&
1807 payload_hash_calculator_.SetContext(hash_context));
1808
1809 int64_t manifest_metadata_size = 0;
1810 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsManifestMetadataSize,
1811 &manifest_metadata_size) &&
1812 manifest_metadata_size > 0);
1813 metadata_size_ = manifest_metadata_size;
1814
1815 int64_t manifest_signature_size = 0;
1816 TEST_AND_RETURN_FALSE(
1817 prefs_->GetInt64(kPrefsManifestSignatureSize, &manifest_signature_size) &&
1818 manifest_signature_size >= 0);
1819 metadata_signature_size_ = manifest_signature_size;
1820
1821 // Advance the download progress to reflect what doesn't need to be
1822 // re-downloaded.
1823 total_bytes_received_ += buffer_offset_;
1824
1825 // Speculatively count the resume as a failure.
1826 int64_t resumed_update_failures;
1827 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) {
1828 resumed_update_failures++;
1829 } else {
1830 resumed_update_failures = 1;
1831 }
1832 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures);
1833 return true;
1834 }
1835
1836 } // namespace chromeos_update_engine
1837