1 //
2 // Copyright (C) 2010 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #ifndef UPDATE_ENGINE_PAYLOAD_CONSUMER_DELTA_PERFORMER_H_
18 #define UPDATE_ENGINE_PAYLOAD_CONSUMER_DELTA_PERFORMER_H_
19 
20 #include <inttypes.h>
21 
22 #include <string>
23 #include <vector>
24 
25 #include <base/time/time.h>
26 #include <brillo/secure_blob.h>
27 #include <google/protobuf/repeated_field.h>
28 #include <gtest/gtest_prod.h>  // for FRIEND_TEST
29 
30 #include "update_engine/common/hash_calculator.h"
31 #include "update_engine/common/platform_constants.h"
32 #include "update_engine/payload_consumer/file_descriptor.h"
33 #include "update_engine/payload_consumer/file_writer.h"
34 #include "update_engine/payload_consumer/install_plan.h"
35 #include "update_engine/update_metadata.pb.h"
36 
37 namespace chromeos_update_engine {
38 
39 class DownloadActionDelegate;
40 class BootControlInterface;
41 class HardwareInterface;
42 class PrefsInterface;
43 
44 // This class performs the actions in a delta update synchronously. The delta
45 // update itself should be passed in in chunks as it is received.
46 
47 class DeltaPerformer : public FileWriter {
48  public:
49   enum MetadataParseResult {
50     kMetadataParseSuccess,
51     kMetadataParseError,
52     kMetadataParseInsufficientData,
53   };
54 
55   static const uint64_t kDeltaVersionOffset;
56   static const uint64_t kDeltaVersionSize;
57   static const uint64_t kDeltaManifestSizeOffset;
58   static const uint64_t kDeltaManifestSizeSize;
59   static const uint64_t kDeltaMetadataSignatureSizeSize;
60   static const uint64_t kMaxPayloadHeaderSize;
61   static const uint64_t kSupportedMajorPayloadVersion;
62   static const uint32_t kSupportedMinorPayloadVersion;
63 
64   // Defines the granularity of progress logging in terms of how many "completed
65   // chunks" we want to report at the most.
66   static const unsigned kProgressLogMaxChunks;
67   // Defines a timeout since the last progress was logged after which we want to
68   // force another log message (even if the current chunk was not completed).
69   static const unsigned kProgressLogTimeoutSeconds;
70   // These define the relative weights (0-100) we give to the different work
71   // components associated with an update when computing an overall progress.
72   // Currently they include the download progress and the number of completed
73   // operations. They must add up to one hundred (100).
74   static const unsigned kProgressDownloadWeight;
75   static const unsigned kProgressOperationsWeight;
76 
DeltaPerformer(PrefsInterface * prefs,BootControlInterface * boot_control,HardwareInterface * hardware,DownloadActionDelegate * download_delegate,InstallPlan * install_plan)77   DeltaPerformer(PrefsInterface* prefs,
78                  BootControlInterface* boot_control,
79                  HardwareInterface* hardware,
80                  DownloadActionDelegate* download_delegate,
81                  InstallPlan* install_plan)
82       : prefs_(prefs),
83         boot_control_(boot_control),
84         hardware_(hardware),
85         download_delegate_(download_delegate),
86         install_plan_(install_plan) {}
87 
88   // FileWriter's Write implementation where caller doesn't care about
89   // error codes.
Write(const void * bytes,size_t count)90   bool Write(const void* bytes, size_t count) override {
91     ErrorCode error;
92     return Write(bytes, count, &error);
93   }
94 
95   // FileWriter's Write implementation that returns a more specific |error| code
96   // in case of failures in Write operation.
97   bool Write(const void* bytes, size_t count, ErrorCode *error) override;
98 
99   // Wrapper around close. Returns 0 on success or -errno on error.
100   // Closes both 'path' given to Open() and the kernel path.
101   int Close() override;
102 
103   // Open the target and source (if delta payload) file descriptors for the
104   // |current_partition_|. The manifest needs to be already parsed for this to
105   // work. Returns whether the required file descriptors were successfully open.
106   bool OpenCurrentPartition();
107 
108   // Closes the current partition file descriptors if open. Returns 0 on success
109   // or -errno on error.
110   int CloseCurrentPartition();
111 
112   // Returns |true| only if the manifest has been processed and it's valid.
113   bool IsManifestValid();
114 
115   // Verifies the downloaded payload against the signed hash included in the
116   // payload, against the update check hash (which is in base64 format)  and
117   // size using the public key and returns ErrorCode::kSuccess on success, an
118   // error code on failure.  This method should be called after closing the
119   // stream. Note this method skips the signed hash check if the public key is
120   // unavailable; it returns ErrorCode::kSignedDeltaPayloadExpectedError if the
121   // public key is available but the delta payload doesn't include a signature.
122   ErrorCode VerifyPayload(const std::string& update_check_response_hash,
123                           const uint64_t update_check_response_size);
124 
125   // Converts an ordered collection of Extent objects which contain data of
126   // length full_length to a comma-separated string. For each Extent, the
127   // string will have the start offset and then the length in bytes.
128   // The length value of the last extent in the string may be short, since
129   // the full length of all extents in the string is capped to full_length.
130   // Also, an extent starting at kSparseHole, appears as -1 in the string.
131   // For example, if the Extents are {1, 1}, {4, 2}, {kSparseHole, 1},
132   // {0, 1}, block_size is 4096, and full_length is 5 * block_size - 13,
133   // the resulting string will be: "4096:4096,16384:8192,-1:4096,0:4083"
134   static bool ExtentsToBsdiffPositionsString(
135       const google::protobuf::RepeatedPtrField<Extent>& extents,
136       uint64_t block_size,
137       uint64_t full_length,
138       std::string* positions_string);
139 
140   // Returns true if a previous update attempt can be continued based on the
141   // persistent preferences and the new update check response hash.
142   static bool CanResumeUpdate(PrefsInterface* prefs,
143                               std::string update_check_response_hash);
144 
145   // Resets the persistent update progress state to indicate that an update
146   // can't be resumed. Performs a quick update-in-progress reset if |quick| is
147   // true, otherwise resets all progress-related update state. Returns true on
148   // success, false otherwise.
149   static bool ResetUpdateProgress(PrefsInterface* prefs, bool quick);
150 
151   // Attempts to parse the update metadata starting from the beginning of
152   // |payload|. On success, returns kMetadataParseSuccess. Returns
153   // kMetadataParseInsufficientData if more data is needed to parse the complete
154   // metadata. Returns kMetadataParseError if the metadata can't be parsed given
155   // the payload.
156   MetadataParseResult ParsePayloadMetadata(const brillo::Blob& payload,
157                                            ErrorCode* error);
158 
set_public_key_path(const std::string & public_key_path)159   void set_public_key_path(const std::string& public_key_path) {
160     public_key_path_ = public_key_path;
161   }
162 
163   // Set |*out_offset| to the byte offset where the size of the metadata signature
164   // is stored in a payload. Return true on success, if this field is not
165   // present in the payload, return false.
166   bool GetMetadataSignatureSizeOffset(uint64_t* out_offset) const;
167 
168   // Set |*out_offset| to the byte offset at which the manifest protobuf begins
169   // in a payload. Return true on success, false if the offset is unknown.
170   bool GetManifestOffset(uint64_t* out_offset) const;
171 
172   // Returns the size of the payload metadata, which includes the payload header
173   // and the manifest. If the header was not yet parsed, returns zero.
174   uint64_t GetMetadataSize() const;
175 
176   // If the manifest was successfully parsed, copies it to |*out_manifest_p|.
177   // Returns true on success.
178   bool GetManifest(DeltaArchiveManifest* out_manifest_p) const;
179 
180   // Return true if header parsing is finished and no errors occurred.
181   bool IsHeaderParsed() const;
182 
183   // Returns the major payload version. If the version was not yet parsed,
184   // returns zero.
185   uint64_t GetMajorVersion() const;
186 
187   // Returns the delta minor version. If this value is defined in the manifest,
188   // it returns that value, otherwise it returns the default value.
189   uint32_t GetMinorVersion() const;
190 
191  private:
192   friend class DeltaPerformerTest;
193   friend class DeltaPerformerIntegrationTest;
194   FRIEND_TEST(DeltaPerformerTest, BrilloMetadataSignatureSizeTest);
195   FRIEND_TEST(DeltaPerformerTest, BrilloVerifyMetadataSignatureTest);
196   FRIEND_TEST(DeltaPerformerTest, UsePublicKeyFromResponse);
197 
198   // Parse and move the update instructions of all partitions into our local
199   // |partitions_| variable based on the version of the payload. Requires the
200   // manifest to be parsed and valid.
201   bool ParseManifestPartitions(ErrorCode* error);
202 
203   // Appends up to |*count_p| bytes from |*bytes_p| to |buffer_|, but only to
204   // the extent that the size of |buffer_| does not exceed |max|. Advances
205   // |*cbytes_p| and decreases |*count_p| by the actual number of bytes copied,
206   // and returns this number.
207   size_t CopyDataToBuffer(const char** bytes_p, size_t* count_p, size_t max);
208 
209   // If |op_result| is false, emits an error message using |op_type_name| and
210   // sets |*error| accordingly. Otherwise does nothing. Returns |op_result|.
211   bool HandleOpResult(bool op_result, const char* op_type_name,
212                       ErrorCode* error);
213 
214   // Logs the progress of downloading/applying an update.
215   void LogProgress(const char* message_prefix);
216 
217   // Update overall progress metrics, log as necessary.
218   void UpdateOverallProgress(bool force_log, const char* message_prefix);
219 
220   // Verifies that the expected source partition hashes (if present) match the
221   // hashes for the current partitions. Returns true if there are no expected
222   // hashes in the payload (e.g., if it's a new-style full update) or if the
223   // hashes match; returns false otherwise.
224   bool VerifySourcePartitions();
225 
226   // Returns true if enough of the delta file has been passed via Write()
227   // to be able to perform a given install operation.
228   bool CanPerformInstallOperation(const InstallOperation& operation);
229 
230   // Checks the integrity of the payload manifest. Returns true upon success,
231   // false otherwise.
232   ErrorCode ValidateManifest();
233 
234   // Validates that the hash of the blobs corresponding to the given |operation|
235   // matches what's specified in the manifest in the payload.
236   // Returns ErrorCode::kSuccess on match or a suitable error code otherwise.
237   ErrorCode ValidateOperationHash(const InstallOperation& operation);
238 
239   // Given the |payload|, verifies that the signed hash of its metadata matches
240   // what's specified in the install plan from Omaha (if present) or the
241   // metadata signature in payload itself (if present). Returns
242   // ErrorCode::kSuccess on match or a suitable error code otherwise. This
243   // method must be called before any part of the metadata is parsed so that a
244   // man-in-the-middle attack on the SSL connection to the payload server
245   // doesn't exploit any vulnerability in the code that parses the protocol
246   // buffer.
247   ErrorCode ValidateMetadataSignature(const brillo::Blob& payload);
248 
249   // Returns true on success.
250   bool PerformInstallOperation(const InstallOperation& operation);
251 
252   // These perform a specific type of operation and return true on success.
253   bool PerformReplaceOperation(const InstallOperation& operation);
254   bool PerformZeroOrDiscardOperation(const InstallOperation& operation);
255   bool PerformMoveOperation(const InstallOperation& operation);
256   bool PerformBsdiffOperation(const InstallOperation& operation);
257   bool PerformSourceCopyOperation(const InstallOperation& operation);
258   bool PerformSourceBsdiffOperation(const InstallOperation& operation);
259 
260   // Extracts the payload signature message from the blob on the |operation| if
261   // the offset matches the one specified by the manifest. Returns whether the
262   // signature was extracted.
263   bool ExtractSignatureMessageFromOperation(const InstallOperation& operation);
264 
265   // Extracts the payload signature message from the current |buffer_| if the
266   // offset matches the one specified by the manifest. Returns whether the
267   // signature was extracted.
268   bool ExtractSignatureMessage();
269 
270   // Updates the payload hash calculator with the bytes in |buffer_|, also
271   // updates the signed hash calculator with the first |signed_hash_buffer_size|
272   // bytes in |buffer_|. Then discard the content, ensuring that memory is being
273   // deallocated. If |do_advance_offset|, advances the internal offset counter
274   // accordingly.
275   void DiscardBuffer(bool do_advance_offset, size_t signed_hash_buffer_size);
276 
277   // Checkpoints the update progress into persistent storage to allow this
278   // update attempt to be resumed after reboot.
279   bool CheckpointUpdateProgress();
280 
281   // Primes the required update state. Returns true if the update state was
282   // successfully initialized to a saved resume state or if the update is a new
283   // update. Returns false otherwise.
284   bool PrimeUpdateState();
285 
286   // If the Omaha response contains a public RSA key and we're allowed
287   // to use it (e.g. if we're in developer mode), extract the key from
288   // the response and store it in a temporary file and return true. In
289   // the affirmative the path to the temporary file is stored in
290   // |out_tmp_key| and it is the responsibility of the caller to clean
291   // it up.
292   bool GetPublicKeyFromResponse(base::FilePath *out_tmp_key);
293 
294   // Update Engine preference store.
295   PrefsInterface* prefs_;
296 
297   // BootControl and Hardware interface references.
298   BootControlInterface* boot_control_;
299   HardwareInterface* hardware_;
300 
301   // The DownloadActionDelegate instance monitoring the DownloadAction, or a
302   // nullptr if not used.
303   DownloadActionDelegate* download_delegate_;
304 
305   // Install Plan based on Omaha Response.
306   InstallPlan* install_plan_;
307 
308   // File descriptor of the source partition. Only set while updating a
309   // partition when using a delta payload.
310   FileDescriptorPtr source_fd_{nullptr};
311 
312   // File descriptor of the target partition. Only set while performing the
313   // operations of a given partition.
314   FileDescriptorPtr target_fd_{nullptr};
315 
316   // Paths the |source_fd_| and |target_fd_| refer to.
317   std::string source_path_;
318   std::string target_path_;
319 
320   // Parsed manifest. Set after enough bytes to parse the manifest were
321   // downloaded.
322   DeltaArchiveManifest manifest_;
323   bool manifest_parsed_{false};
324   bool manifest_valid_{false};
325   uint64_t metadata_size_{0};
326   uint64_t manifest_size_{0};
327   uint32_t metadata_signature_size_{0};
328   uint64_t major_payload_version_{0};
329 
330   // Accumulated number of operations per partition. The i-th element is the
331   // sum of the number of operations for all the partitions from 0 to i
332   // inclusive. Valid when |manifest_valid_| is true.
333   std::vector<size_t> acc_num_operations_;
334 
335   // The total operations in a payload. Valid when |manifest_valid_| is true,
336   // otherwise 0.
337   size_t num_total_operations_{0};
338 
339   // The list of partitions to update as found in the manifest major version 2.
340   // When parsing an older manifest format, the information is converted over to
341   // this format instead.
342   std::vector<PartitionUpdate> partitions_;
343 
344   // Index in the list of partitions (|partitions_| member) of the current
345   // partition being processed.
346   size_t current_partition_{0};
347 
348   // Index of the next operation to perform in the manifest. The index is linear
349   // on the total number of operation on the manifest.
350   size_t next_operation_num_{0};
351 
352   // A buffer used for accumulating downloaded data. Initially, it stores the
353   // payload metadata; once that's downloaded and parsed, it stores data for the
354   // next update operation.
355   brillo::Blob buffer_;
356   // Offset of buffer_ in the binary blobs section of the update.
357   uint64_t buffer_offset_{0};
358 
359   // Last |buffer_offset_| value updated as part of the progress update.
360   uint64_t last_updated_buffer_offset_{std::numeric_limits<uint64_t>::max()};
361 
362   // The block size (parsed from the manifest).
363   uint32_t block_size_{0};
364 
365   // Calculates the whole payload file hash, including headers and signatures.
366   HashCalculator payload_hash_calculator_;
367 
368   // Calculates the hash of the portion of the payload signed by the payload
369   // signature. This hash skips the metadata signature portion, located after
370   // the metadata and doesn't include the payload signature itself.
371   HashCalculator signed_hash_calculator_;
372 
373   // Signatures message blob extracted directly from the payload.
374   brillo::Blob signatures_message_data_;
375 
376   // The public key to be used. Provided as a member so that tests can
377   // override with test keys.
378   std::string public_key_path_{constants::kUpdatePayloadPublicKeyPath};
379 
380   // The number of bytes received so far, used for progress tracking.
381   size_t total_bytes_received_{0};
382 
383   // An overall progress counter, which should reflect both download progress
384   // and the ratio of applied operations. Range is 0-100.
385   unsigned overall_progress_{0};
386 
387   // The last progress chunk recorded.
388   unsigned last_progress_chunk_{0};
389 
390   // The timeout after which we should force emitting a progress log (constant),
391   // and the actual point in time for the next forced log to be emitted.
392   const base::TimeDelta forced_progress_log_wait_{
393       base::TimeDelta::FromSeconds(kProgressLogTimeoutSeconds)};
394   base::Time forced_progress_log_time_;
395 
396   // The payload major payload version supported by DeltaPerformer.
397   uint64_t supported_major_version_{kSupportedMajorPayloadVersion};
398 
399   // The delta minor payload version supported by DeltaPerformer.
400   uint32_t supported_minor_version_{kSupportedMinorPayloadVersion};
401 
402   DISALLOW_COPY_AND_ASSIGN(DeltaPerformer);
403 };
404 
405 }  // namespace chromeos_update_engine
406 
407 #endif  // UPDATE_ENGINE_PAYLOAD_CONSUMER_DELTA_PERFORMER_H_
408