1 // 2 // Copyright (C) 2012 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #include "update_engine/payload_consumer/delta_performer.h" 18 19 #include <endian.h> 20 #include <errno.h> 21 #include <linux/fs.h> 22 23 #include <algorithm> 24 #include <cstring> 25 #include <memory> 26 #include <string> 27 #include <vector> 28 29 #include <base/files/file_util.h> 30 #include <base/format_macros.h> 31 #include <base/strings/string_number_conversions.h> 32 #include <base/strings/string_util.h> 33 #include <base/strings/stringprintf.h> 34 #include <brillo/data_encoding.h> 35 #include <brillo/make_unique_ptr.h> 36 #include <bsdiff/bspatch.h> 37 #include <google/protobuf/repeated_field.h> 38 39 #include "update_engine/common/constants.h" 40 #include "update_engine/common/hardware_interface.h" 41 #include "update_engine/common/prefs_interface.h" 42 #include "update_engine/common/subprocess.h" 43 #include "update_engine/common/terminator.h" 44 #include "update_engine/payload_consumer/bzip_extent_writer.h" 45 #include "update_engine/payload_consumer/download_action.h" 46 #include "update_engine/payload_consumer/extent_writer.h" 47 #if USE_MTD 48 #include "update_engine/payload_consumer/mtd_file_descriptor.h" 49 #endif 50 #include "update_engine/payload_consumer/payload_constants.h" 51 #include "update_engine/payload_consumer/payload_verifier.h" 52 #include "update_engine/payload_consumer/xz_extent_writer.h" 53 54 using google::protobuf::RepeatedPtrField; 55 using std::min; 56 using std::string; 57 using std::vector; 58 59 namespace chromeos_update_engine { 60 61 const uint64_t DeltaPerformer::kDeltaVersionOffset = sizeof(kDeltaMagic); 62 const uint64_t DeltaPerformer::kDeltaVersionSize = 8; 63 const uint64_t DeltaPerformer::kDeltaManifestSizeOffset = 64 kDeltaVersionOffset + kDeltaVersionSize; 65 const uint64_t DeltaPerformer::kDeltaManifestSizeSize = 8; 66 const uint64_t DeltaPerformer::kDeltaMetadataSignatureSizeSize = 4; 67 const uint64_t DeltaPerformer::kMaxPayloadHeaderSize = 24; 68 const uint64_t DeltaPerformer::kSupportedMajorPayloadVersion = 2; 69 const uint32_t DeltaPerformer::kSupportedMinorPayloadVersion = 3; 70 71 const unsigned DeltaPerformer::kProgressLogMaxChunks = 10; 72 const unsigned DeltaPerformer::kProgressLogTimeoutSeconds = 30; 73 const unsigned DeltaPerformer::kProgressDownloadWeight = 50; 74 const unsigned DeltaPerformer::kProgressOperationsWeight = 50; 75 76 namespace { 77 const int kUpdateStateOperationInvalid = -1; 78 const int kMaxResumedUpdateFailures = 10; 79 #if USE_MTD 80 const int kUbiVolumeAttachTimeout = 5 * 60; 81 #endif 82 83 FileDescriptorPtr CreateFileDescriptor(const char* path) { 84 FileDescriptorPtr ret; 85 #if USE_MTD 86 if (strstr(path, "/dev/ubi") == path) { 87 if (!UbiFileDescriptor::IsUbi(path)) { 88 // The volume might not have been attached at boot time. 89 int volume_no; 90 if (utils::SplitPartitionName(path, nullptr, &volume_no)) { 91 utils::TryAttachingUbiVolume(volume_no, kUbiVolumeAttachTimeout); 92 } 93 } 94 if (UbiFileDescriptor::IsUbi(path)) { 95 LOG(INFO) << path << " is a UBI device."; 96 ret.reset(new UbiFileDescriptor); 97 } 98 } else if (MtdFileDescriptor::IsMtd(path)) { 99 LOG(INFO) << path << " is an MTD device."; 100 ret.reset(new MtdFileDescriptor); 101 } else { 102 LOG(INFO) << path << " is not an MTD nor a UBI device."; 103 #endif 104 ret.reset(new EintrSafeFileDescriptor); 105 #if USE_MTD 106 } 107 #endif 108 return ret; 109 } 110 111 // Opens path for read/write. On success returns an open FileDescriptor 112 // and sets *err to 0. On failure, sets *err to errno and returns nullptr. 113 FileDescriptorPtr OpenFile(const char* path, int mode, int* err) { 114 // Try to mark the block device read-only based on the mode. Ignore any 115 // failure since this won't work when passing regular files. 116 utils::SetBlockDeviceReadOnly(path, (mode & O_ACCMODE) == O_RDONLY); 117 118 FileDescriptorPtr fd = CreateFileDescriptor(path); 119 #if USE_MTD 120 // On NAND devices, we can either read, or write, but not both. So here we 121 // use O_WRONLY. 122 if (UbiFileDescriptor::IsUbi(path) || MtdFileDescriptor::IsMtd(path)) { 123 mode = O_WRONLY; 124 } 125 #endif 126 if (!fd->Open(path, mode, 000)) { 127 *err = errno; 128 PLOG(ERROR) << "Unable to open file " << path; 129 return nullptr; 130 } 131 *err = 0; 132 return fd; 133 } 134 135 // Discard the tail of the block device referenced by |fd|, from the offset 136 // |data_size| until the end of the block device. Returns whether the data was 137 // discarded. 138 bool DiscardPartitionTail(const FileDescriptorPtr& fd, uint64_t data_size) { 139 uint64_t part_size = fd->BlockDevSize(); 140 if (!part_size || part_size <= data_size) 141 return false; 142 143 struct blkioctl_request { 144 int number; 145 const char* name; 146 }; 147 const vector<blkioctl_request> blkioctl_requests = { 148 {BLKDISCARD, "BLKDISCARD"}, 149 {BLKSECDISCARD, "BLKSECDISCARD"}, 150 #ifdef BLKZEROOUT 151 {BLKZEROOUT, "BLKZEROOUT"}, 152 #endif 153 }; 154 for (const auto& req : blkioctl_requests) { 155 int error = 0; 156 if (fd->BlkIoctl(req.number, data_size, part_size - data_size, &error) && 157 error == 0) { 158 return true; 159 } 160 LOG(WARNING) << "Error discarding the last " 161 << (part_size - data_size) / 1024 << " KiB using ioctl(" 162 << req.name << ")"; 163 } 164 return false; 165 } 166 167 } // namespace 168 169 170 // Computes the ratio of |part| and |total|, scaled to |norm|, using integer 171 // arithmetic. 172 static uint64_t IntRatio(uint64_t part, uint64_t total, uint64_t norm) { 173 return part * norm / total; 174 } 175 176 void DeltaPerformer::LogProgress(const char* message_prefix) { 177 // Format operations total count and percentage. 178 string total_operations_str("?"); 179 string completed_percentage_str(""); 180 if (num_total_operations_) { 181 total_operations_str = std::to_string(num_total_operations_); 182 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting. 183 completed_percentage_str = 184 base::StringPrintf(" (%" PRIu64 "%%)", 185 IntRatio(next_operation_num_, num_total_operations_, 186 100)); 187 } 188 189 // Format download total count and percentage. 190 size_t payload_size = payload_->size; 191 string payload_size_str("?"); 192 string downloaded_percentage_str(""); 193 if (payload_size) { 194 payload_size_str = std::to_string(payload_size); 195 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting. 196 downloaded_percentage_str = 197 base::StringPrintf(" (%" PRIu64 "%%)", 198 IntRatio(total_bytes_received_, payload_size, 100)); 199 } 200 201 LOG(INFO) << (message_prefix ? message_prefix : "") << next_operation_num_ 202 << "/" << total_operations_str << " operations" 203 << completed_percentage_str << ", " << total_bytes_received_ 204 << "/" << payload_size_str << " bytes downloaded" 205 << downloaded_percentage_str << ", overall progress " 206 << overall_progress_ << "%"; 207 } 208 209 void DeltaPerformer::UpdateOverallProgress(bool force_log, 210 const char* message_prefix) { 211 // Compute our download and overall progress. 212 unsigned new_overall_progress = 0; 213 static_assert(kProgressDownloadWeight + kProgressOperationsWeight == 100, 214 "Progress weights don't add up"); 215 // Only consider download progress if its total size is known; otherwise 216 // adjust the operations weight to compensate for the absence of download 217 // progress. Also, make sure to cap the download portion at 218 // kProgressDownloadWeight, in case we end up downloading more than we 219 // initially expected (this indicates a problem, but could generally happen). 220 // TODO(garnold) the correction of operations weight when we do not have the 221 // total payload size, as well as the conditional guard below, should both be 222 // eliminated once we ensure that the payload_size in the install plan is 223 // always given and is non-zero. This currently isn't the case during unit 224 // tests (see chromium-os:37969). 225 size_t payload_size = payload_->size; 226 unsigned actual_operations_weight = kProgressOperationsWeight; 227 if (payload_size) 228 new_overall_progress += min( 229 static_cast<unsigned>(IntRatio(total_bytes_received_, payload_size, 230 kProgressDownloadWeight)), 231 kProgressDownloadWeight); 232 else 233 actual_operations_weight += kProgressDownloadWeight; 234 235 // Only add completed operations if their total number is known; we definitely 236 // expect an update to have at least one operation, so the expectation is that 237 // this will eventually reach |actual_operations_weight|. 238 if (num_total_operations_) 239 new_overall_progress += IntRatio(next_operation_num_, num_total_operations_, 240 actual_operations_weight); 241 242 // Progress ratio cannot recede, unless our assumptions about the total 243 // payload size, total number of operations, or the monotonicity of progress 244 // is breached. 245 if (new_overall_progress < overall_progress_) { 246 LOG(WARNING) << "progress counter receded from " << overall_progress_ 247 << "% down to " << new_overall_progress << "%; this is a bug"; 248 force_log = true; 249 } 250 overall_progress_ = new_overall_progress; 251 252 // Update chunk index, log as needed: if forced by called, or we completed a 253 // progress chunk, or a timeout has expired. 254 base::Time curr_time = base::Time::Now(); 255 unsigned curr_progress_chunk = 256 overall_progress_ * kProgressLogMaxChunks / 100; 257 if (force_log || curr_progress_chunk > last_progress_chunk_ || 258 curr_time > forced_progress_log_time_) { 259 forced_progress_log_time_ = curr_time + forced_progress_log_wait_; 260 LogProgress(message_prefix); 261 } 262 last_progress_chunk_ = curr_progress_chunk; 263 } 264 265 266 size_t DeltaPerformer::CopyDataToBuffer(const char** bytes_p, size_t* count_p, 267 size_t max) { 268 const size_t count = *count_p; 269 if (!count) 270 return 0; // Special case shortcut. 271 size_t read_len = min(count, max - buffer_.size()); 272 const char* bytes_start = *bytes_p; 273 const char* bytes_end = bytes_start + read_len; 274 buffer_.insert(buffer_.end(), bytes_start, bytes_end); 275 *bytes_p = bytes_end; 276 *count_p = count - read_len; 277 return read_len; 278 } 279 280 281 bool DeltaPerformer::HandleOpResult(bool op_result, const char* op_type_name, 282 ErrorCode* error) { 283 if (op_result) 284 return true; 285 286 size_t partition_first_op_num = 287 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0; 288 LOG(ERROR) << "Failed to perform " << op_type_name << " operation " 289 << next_operation_num_ << ", which is the operation " 290 << next_operation_num_ - partition_first_op_num 291 << " in partition \"" 292 << partitions_[current_partition_].partition_name() << "\""; 293 if (*error == ErrorCode::kSuccess) 294 *error = ErrorCode::kDownloadOperationExecutionError; 295 return false; 296 } 297 298 int DeltaPerformer::Close() { 299 int err = -CloseCurrentPartition(); 300 LOG_IF(ERROR, !payload_hash_calculator_.Finalize() || 301 !signed_hash_calculator_.Finalize()) 302 << "Unable to finalize the hash."; 303 if (!buffer_.empty()) { 304 LOG(INFO) << "Discarding " << buffer_.size() << " unused downloaded bytes"; 305 if (err >= 0) 306 err = 1; 307 } 308 return -err; 309 } 310 311 int DeltaPerformer::CloseCurrentPartition() { 312 int err = 0; 313 if (source_fd_ && !source_fd_->Close()) { 314 err = errno; 315 PLOG(ERROR) << "Error closing source partition"; 316 if (!err) 317 err = 1; 318 } 319 source_fd_.reset(); 320 source_path_.clear(); 321 322 if (target_fd_ && !target_fd_->Close()) { 323 err = errno; 324 PLOG(ERROR) << "Error closing target partition"; 325 if (!err) 326 err = 1; 327 } 328 target_fd_.reset(); 329 target_path_.clear(); 330 return -err; 331 } 332 333 bool DeltaPerformer::OpenCurrentPartition() { 334 if (current_partition_ >= partitions_.size()) 335 return false; 336 337 const PartitionUpdate& partition = partitions_[current_partition_]; 338 size_t num_previous_partitions = 339 install_plan_->partitions.size() - partitions_.size(); 340 const InstallPlan::Partition& install_part = 341 install_plan_->partitions[num_previous_partitions + current_partition_]; 342 // Open source fds if we have a delta payload with minor version >= 2. 343 if (payload_->type == InstallPayloadType::kDelta && 344 GetMinorVersion() != kInPlaceMinorPayloadVersion) { 345 source_path_ = install_part.source_path; 346 int err; 347 source_fd_ = OpenFile(source_path_.c_str(), O_RDONLY, &err); 348 if (!source_fd_) { 349 LOG(ERROR) << "Unable to open source partition " 350 << partition.partition_name() << " on slot " 351 << BootControlInterface::SlotName(install_plan_->source_slot) 352 << ", file " << source_path_; 353 return false; 354 } 355 } 356 357 target_path_ = install_part.target_path; 358 int err; 359 target_fd_ = OpenFile(target_path_.c_str(), O_RDWR, &err); 360 if (!target_fd_) { 361 LOG(ERROR) << "Unable to open target partition " 362 << partition.partition_name() << " on slot " 363 << BootControlInterface::SlotName(install_plan_->target_slot) 364 << ", file " << target_path_; 365 return false; 366 } 367 368 LOG(INFO) << "Applying " << partition.operations().size() 369 << " operations to partition \"" << partition.partition_name() 370 << "\""; 371 372 // Discard the end of the partition, but ignore failures. 373 DiscardPartitionTail(target_fd_, install_part.target_size); 374 375 return true; 376 } 377 378 namespace { 379 380 void LogPartitionInfoHash(const PartitionInfo& info, const string& tag) { 381 string sha256 = brillo::data_encoding::Base64Encode(info.hash()); 382 LOG(INFO) << "PartitionInfo " << tag << " sha256: " << sha256 383 << " size: " << info.size(); 384 } 385 386 void LogPartitionInfo(const vector<PartitionUpdate>& partitions) { 387 for (const PartitionUpdate& partition : partitions) { 388 LogPartitionInfoHash(partition.old_partition_info(), 389 "old " + partition.partition_name()); 390 LogPartitionInfoHash(partition.new_partition_info(), 391 "new " + partition.partition_name()); 392 } 393 } 394 395 } // namespace 396 397 bool DeltaPerformer::GetMetadataSignatureSizeOffset( 398 uint64_t* out_offset) const { 399 if (GetMajorVersion() == kBrilloMajorPayloadVersion) { 400 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize; 401 return true; 402 } 403 return false; 404 } 405 406 bool DeltaPerformer::GetManifestOffset(uint64_t* out_offset) const { 407 // Actual manifest begins right after the manifest size field or 408 // metadata signature size field if major version >= 2. 409 if (major_payload_version_ == kChromeOSMajorPayloadVersion) { 410 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize; 411 return true; 412 } 413 if (major_payload_version_ == kBrilloMajorPayloadVersion) { 414 *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize + 415 kDeltaMetadataSignatureSizeSize; 416 return true; 417 } 418 LOG(ERROR) << "Unknown major payload version: " << major_payload_version_; 419 return false; 420 } 421 422 uint64_t DeltaPerformer::GetMetadataSize() const { 423 return metadata_size_; 424 } 425 426 uint64_t DeltaPerformer::GetMajorVersion() const { 427 return major_payload_version_; 428 } 429 430 uint32_t DeltaPerformer::GetMinorVersion() const { 431 if (manifest_.has_minor_version()) { 432 return manifest_.minor_version(); 433 } else { 434 return payload_->type == InstallPayloadType::kDelta 435 ? kSupportedMinorPayloadVersion 436 : kFullPayloadMinorVersion; 437 } 438 } 439 440 bool DeltaPerformer::GetManifest(DeltaArchiveManifest* out_manifest_p) const { 441 if (!manifest_parsed_) 442 return false; 443 *out_manifest_p = manifest_; 444 return true; 445 } 446 447 bool DeltaPerformer::IsHeaderParsed() const { 448 return metadata_size_ != 0; 449 } 450 451 DeltaPerformer::MetadataParseResult DeltaPerformer::ParsePayloadMetadata( 452 const brillo::Blob& payload, ErrorCode* error) { 453 *error = ErrorCode::kSuccess; 454 uint64_t manifest_offset; 455 456 if (!IsHeaderParsed()) { 457 // Ensure we have data to cover the major payload version. 458 if (payload.size() < kDeltaManifestSizeOffset) 459 return kMetadataParseInsufficientData; 460 461 // Validate the magic string. 462 if (memcmp(payload.data(), kDeltaMagic, sizeof(kDeltaMagic)) != 0) { 463 LOG(ERROR) << "Bad payload format -- invalid delta magic."; 464 *error = ErrorCode::kDownloadInvalidMetadataMagicString; 465 return kMetadataParseError; 466 } 467 468 // Extract the payload version from the metadata. 469 static_assert(sizeof(major_payload_version_) == kDeltaVersionSize, 470 "Major payload version size mismatch"); 471 memcpy(&major_payload_version_, 472 &payload[kDeltaVersionOffset], 473 kDeltaVersionSize); 474 // switch big endian to host 475 major_payload_version_ = be64toh(major_payload_version_); 476 477 if (major_payload_version_ != supported_major_version_ && 478 major_payload_version_ != kChromeOSMajorPayloadVersion) { 479 LOG(ERROR) << "Bad payload format -- unsupported payload version: " 480 << major_payload_version_; 481 *error = ErrorCode::kUnsupportedMajorPayloadVersion; 482 return kMetadataParseError; 483 } 484 485 // Get the manifest offset now that we have payload version. 486 if (!GetManifestOffset(&manifest_offset)) { 487 *error = ErrorCode::kUnsupportedMajorPayloadVersion; 488 return kMetadataParseError; 489 } 490 // Check again with the manifest offset. 491 if (payload.size() < manifest_offset) 492 return kMetadataParseInsufficientData; 493 494 // Next, parse the manifest size. 495 static_assert(sizeof(manifest_size_) == kDeltaManifestSizeSize, 496 "manifest_size size mismatch"); 497 memcpy(&manifest_size_, 498 &payload[kDeltaManifestSizeOffset], 499 kDeltaManifestSizeSize); 500 manifest_size_ = be64toh(manifest_size_); // switch big endian to host 501 502 if (GetMajorVersion() == kBrilloMajorPayloadVersion) { 503 // Parse the metadata signature size. 504 static_assert(sizeof(metadata_signature_size_) == 505 kDeltaMetadataSignatureSizeSize, 506 "metadata_signature_size size mismatch"); 507 uint64_t metadata_signature_size_offset; 508 if (!GetMetadataSignatureSizeOffset(&metadata_signature_size_offset)) { 509 *error = ErrorCode::kError; 510 return kMetadataParseError; 511 } 512 memcpy(&metadata_signature_size_, 513 &payload[metadata_signature_size_offset], 514 kDeltaMetadataSignatureSizeSize); 515 metadata_signature_size_ = be32toh(metadata_signature_size_); 516 } 517 518 // If the metadata size is present in install plan, check for it immediately 519 // even before waiting for that many number of bytes to be downloaded in the 520 // payload. This will prevent any attack which relies on us downloading data 521 // beyond the expected metadata size. 522 metadata_size_ = manifest_offset + manifest_size_; 523 if (install_plan_->hash_checks_mandatory) { 524 if (payload_->metadata_size != metadata_size_) { 525 LOG(ERROR) << "Mandatory metadata size in Omaha response (" 526 << payload_->metadata_size 527 << ") is missing/incorrect, actual = " << metadata_size_; 528 *error = ErrorCode::kDownloadInvalidMetadataSize; 529 return kMetadataParseError; 530 } 531 } 532 } 533 534 // Now that we have validated the metadata size, we should wait for the full 535 // metadata and its signature (if exist) to be read in before we can parse it. 536 if (payload.size() < metadata_size_ + metadata_signature_size_) 537 return kMetadataParseInsufficientData; 538 539 // Log whether we validated the size or simply trusting what's in the payload 540 // here. This is logged here (after we received the full metadata data) so 541 // that we just log once (instead of logging n times) if it takes n 542 // DeltaPerformer::Write calls to download the full manifest. 543 if (payload_->metadata_size == metadata_size_) { 544 LOG(INFO) << "Manifest size in payload matches expected value from Omaha"; 545 } else { 546 // For mandatory-cases, we'd have already returned a kMetadataParseError 547 // above. We'll be here only for non-mandatory cases. Just send a UMA stat. 548 LOG(WARNING) << "Ignoring missing/incorrect metadata size (" 549 << payload_->metadata_size 550 << ") in Omaha response as validation is not mandatory. " 551 << "Trusting metadata size in payload = " << metadata_size_; 552 } 553 554 // We have the full metadata in |payload|. Verify its integrity 555 // and authenticity based on the information we have in Omaha response. 556 *error = ValidateMetadataSignature(payload); 557 if (*error != ErrorCode::kSuccess) { 558 if (install_plan_->hash_checks_mandatory) { 559 // The autoupdate_CatchBadSignatures test checks for this string 560 // in log-files. Keep in sync. 561 LOG(ERROR) << "Mandatory metadata signature validation failed"; 562 return kMetadataParseError; 563 } 564 565 // For non-mandatory cases, just send a UMA stat. 566 LOG(WARNING) << "Ignoring metadata signature validation failures"; 567 *error = ErrorCode::kSuccess; 568 } 569 570 if (!GetManifestOffset(&manifest_offset)) { 571 *error = ErrorCode::kUnsupportedMajorPayloadVersion; 572 return kMetadataParseError; 573 } 574 // The payload metadata is deemed valid, it's safe to parse the protobuf. 575 if (!manifest_.ParseFromArray(&payload[manifest_offset], manifest_size_)) { 576 LOG(ERROR) << "Unable to parse manifest in update file."; 577 *error = ErrorCode::kDownloadManifestParseError; 578 return kMetadataParseError; 579 } 580 581 manifest_parsed_ = true; 582 return kMetadataParseSuccess; 583 } 584 585 // Wrapper around write. Returns true if all requested bytes 586 // were written, or false on any error, regardless of progress 587 // and stores an action exit code in |error|. 588 bool DeltaPerformer::Write(const void* bytes, size_t count, ErrorCode *error) { 589 *error = ErrorCode::kSuccess; 590 591 const char* c_bytes = reinterpret_cast<const char*>(bytes); 592 593 // Update the total byte downloaded count and the progress logs. 594 total_bytes_received_ += count; 595 UpdateOverallProgress(false, "Completed "); 596 597 while (!manifest_valid_) { 598 // Read data up to the needed limit; this is either maximium payload header 599 // size, or the full metadata size (once it becomes known). 600 const bool do_read_header = !IsHeaderParsed(); 601 CopyDataToBuffer(&c_bytes, &count, 602 (do_read_header ? kMaxPayloadHeaderSize : 603 metadata_size_ + metadata_signature_size_)); 604 605 MetadataParseResult result = ParsePayloadMetadata(buffer_, error); 606 if (result == kMetadataParseError) 607 return false; 608 if (result == kMetadataParseInsufficientData) { 609 // If we just processed the header, make an attempt on the manifest. 610 if (do_read_header && IsHeaderParsed()) 611 continue; 612 613 return true; 614 } 615 616 // Checks the integrity of the payload manifest. 617 if ((*error = ValidateManifest()) != ErrorCode::kSuccess) 618 return false; 619 manifest_valid_ = true; 620 621 // Clear the download buffer. 622 DiscardBuffer(false, metadata_size_); 623 624 // This populates |partitions_| and the |install_plan.partitions| with the 625 // list of partitions from the manifest. 626 if (!ParseManifestPartitions(error)) 627 return false; 628 629 // |install_plan.partitions| was filled in, nothing need to be done here if 630 // the payload was already applied, returns false to terminate http fetcher, 631 // but keep |error| as ErrorCode::kSuccess. 632 if (payload_->already_applied) 633 return false; 634 635 num_total_operations_ = 0; 636 for (const auto& partition : partitions_) { 637 num_total_operations_ += partition.operations_size(); 638 acc_num_operations_.push_back(num_total_operations_); 639 } 640 641 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestMetadataSize, 642 metadata_size_)) 643 << "Unable to save the manifest metadata size."; 644 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestSignatureSize, 645 metadata_signature_size_)) 646 << "Unable to save the manifest signature size."; 647 648 if (!PrimeUpdateState()) { 649 *error = ErrorCode::kDownloadStateInitializationError; 650 LOG(ERROR) << "Unable to prime the update state."; 651 return false; 652 } 653 654 if (!OpenCurrentPartition()) { 655 *error = ErrorCode::kInstallDeviceOpenError; 656 return false; 657 } 658 659 if (next_operation_num_ > 0) 660 UpdateOverallProgress(true, "Resuming after "); 661 LOG(INFO) << "Starting to apply update payload operations"; 662 } 663 664 while (next_operation_num_ < num_total_operations_) { 665 // Check if we should cancel the current attempt for any reason. 666 // In this case, *error will have already been populated with the reason 667 // why we're canceling. 668 if (download_delegate_ && download_delegate_->ShouldCancel(error)) 669 return false; 670 671 // We know there are more operations to perform because we didn't reach the 672 // |num_total_operations_| limit yet. 673 while (next_operation_num_ >= acc_num_operations_[current_partition_]) { 674 CloseCurrentPartition(); 675 current_partition_++; 676 if (!OpenCurrentPartition()) { 677 *error = ErrorCode::kInstallDeviceOpenError; 678 return false; 679 } 680 } 681 const size_t partition_operation_num = next_operation_num_ - ( 682 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0); 683 684 const InstallOperation& op = 685 partitions_[current_partition_].operations(partition_operation_num); 686 687 CopyDataToBuffer(&c_bytes, &count, op.data_length()); 688 689 // Check whether we received all of the next operation's data payload. 690 if (!CanPerformInstallOperation(op)) 691 return true; 692 693 // Validate the operation only if the metadata signature is present. 694 // Otherwise, keep the old behavior. This serves as a knob to disable 695 // the validation logic in case we find some regression after rollout. 696 // NOTE: If hash checks are mandatory and if metadata_signature is empty, 697 // we would have already failed in ParsePayloadMetadata method and thus not 698 // even be here. So no need to handle that case again here. 699 if (!payload_->metadata_signature.empty()) { 700 // Note: Validate must be called only if CanPerformInstallOperation is 701 // called. Otherwise, we might be failing operations before even if there 702 // isn't sufficient data to compute the proper hash. 703 *error = ValidateOperationHash(op); 704 if (*error != ErrorCode::kSuccess) { 705 if (install_plan_->hash_checks_mandatory) { 706 LOG(ERROR) << "Mandatory operation hash check failed"; 707 return false; 708 } 709 710 // For non-mandatory cases, just send a UMA stat. 711 LOG(WARNING) << "Ignoring operation validation errors"; 712 *error = ErrorCode::kSuccess; 713 } 714 } 715 716 // Makes sure we unblock exit when this operation completes. 717 ScopedTerminatorExitUnblocker exit_unblocker = 718 ScopedTerminatorExitUnblocker(); // Avoids a compiler unused var bug. 719 720 bool op_result; 721 switch (op.type()) { 722 case InstallOperation::REPLACE: 723 case InstallOperation::REPLACE_BZ: 724 case InstallOperation::REPLACE_XZ: 725 op_result = PerformReplaceOperation(op); 726 break; 727 case InstallOperation::ZERO: 728 case InstallOperation::DISCARD: 729 op_result = PerformZeroOrDiscardOperation(op); 730 break; 731 case InstallOperation::MOVE: 732 op_result = PerformMoveOperation(op); 733 break; 734 case InstallOperation::BSDIFF: 735 op_result = PerformBsdiffOperation(op); 736 break; 737 case InstallOperation::SOURCE_COPY: 738 op_result = PerformSourceCopyOperation(op, error); 739 break; 740 case InstallOperation::SOURCE_BSDIFF: 741 op_result = PerformSourceBsdiffOperation(op, error); 742 break; 743 case InstallOperation::IMGDIFF: 744 // TODO(deymo): Replace with PUFFIN operation. 745 op_result = false; 746 break; 747 default: 748 op_result = false; 749 } 750 if (!HandleOpResult(op_result, InstallOperationTypeName(op.type()), error)) 751 return false; 752 753 next_operation_num_++; 754 UpdateOverallProgress(false, "Completed "); 755 CheckpointUpdateProgress(); 756 } 757 758 // In major version 2, we don't add dummy operation to the payload. 759 // If we already extracted the signature we should skip this step. 760 if (major_payload_version_ == kBrilloMajorPayloadVersion && 761 manifest_.has_signatures_offset() && manifest_.has_signatures_size() && 762 signatures_message_data_.empty()) { 763 if (manifest_.signatures_offset() != buffer_offset_) { 764 LOG(ERROR) << "Payload signatures offset points to blob offset " 765 << manifest_.signatures_offset() 766 << " but signatures are expected at offset " 767 << buffer_offset_; 768 *error = ErrorCode::kDownloadPayloadVerificationError; 769 return false; 770 } 771 CopyDataToBuffer(&c_bytes, &count, manifest_.signatures_size()); 772 // Needs more data to cover entire signature. 773 if (buffer_.size() < manifest_.signatures_size()) 774 return true; 775 if (!ExtractSignatureMessage()) { 776 LOG(ERROR) << "Extract payload signature failed."; 777 *error = ErrorCode::kDownloadPayloadVerificationError; 778 return false; 779 } 780 DiscardBuffer(true, 0); 781 // Since we extracted the SignatureMessage we need to advance the 782 // checkpoint, otherwise we would reload the signature and try to extract 783 // it again. 784 CheckpointUpdateProgress(); 785 } 786 787 return true; 788 } 789 790 bool DeltaPerformer::IsManifestValid() { 791 return manifest_valid_; 792 } 793 794 bool DeltaPerformer::ParseManifestPartitions(ErrorCode* error) { 795 if (major_payload_version_ == kBrilloMajorPayloadVersion) { 796 partitions_.clear(); 797 for (const PartitionUpdate& partition : manifest_.partitions()) { 798 partitions_.push_back(partition); 799 } 800 manifest_.clear_partitions(); 801 } else if (major_payload_version_ == kChromeOSMajorPayloadVersion) { 802 LOG(INFO) << "Converting update information from old format."; 803 PartitionUpdate root_part; 804 root_part.set_partition_name(kLegacyPartitionNameRoot); 805 #ifdef __ANDROID__ 806 LOG(WARNING) << "Legacy payload major version provided to an Android " 807 "build. Assuming no post-install. Please use major version " 808 "2 or newer."; 809 root_part.set_run_postinstall(false); 810 #else 811 root_part.set_run_postinstall(true); 812 #endif // __ANDROID__ 813 if (manifest_.has_old_rootfs_info()) { 814 *root_part.mutable_old_partition_info() = manifest_.old_rootfs_info(); 815 manifest_.clear_old_rootfs_info(); 816 } 817 if (manifest_.has_new_rootfs_info()) { 818 *root_part.mutable_new_partition_info() = manifest_.new_rootfs_info(); 819 manifest_.clear_new_rootfs_info(); 820 } 821 *root_part.mutable_operations() = manifest_.install_operations(); 822 manifest_.clear_install_operations(); 823 partitions_.push_back(std::move(root_part)); 824 825 PartitionUpdate kern_part; 826 kern_part.set_partition_name(kLegacyPartitionNameKernel); 827 kern_part.set_run_postinstall(false); 828 if (manifest_.has_old_kernel_info()) { 829 *kern_part.mutable_old_partition_info() = manifest_.old_kernel_info(); 830 manifest_.clear_old_kernel_info(); 831 } 832 if (manifest_.has_new_kernel_info()) { 833 *kern_part.mutable_new_partition_info() = manifest_.new_kernel_info(); 834 manifest_.clear_new_kernel_info(); 835 } 836 *kern_part.mutable_operations() = manifest_.kernel_install_operations(); 837 manifest_.clear_kernel_install_operations(); 838 partitions_.push_back(std::move(kern_part)); 839 } 840 841 // Fill in the InstallPlan::partitions based on the partitions from the 842 // payload. 843 for (const auto& partition : partitions_) { 844 InstallPlan::Partition install_part; 845 install_part.name = partition.partition_name(); 846 install_part.run_postinstall = 847 partition.has_run_postinstall() && partition.run_postinstall(); 848 if (install_part.run_postinstall) { 849 install_part.postinstall_path = 850 (partition.has_postinstall_path() ? partition.postinstall_path() 851 : kPostinstallDefaultScript); 852 install_part.filesystem_type = partition.filesystem_type(); 853 install_part.postinstall_optional = partition.postinstall_optional(); 854 } 855 856 if (partition.has_old_partition_info()) { 857 const PartitionInfo& info = partition.old_partition_info(); 858 install_part.source_size = info.size(); 859 install_part.source_hash.assign(info.hash().begin(), info.hash().end()); 860 } 861 862 if (!partition.has_new_partition_info()) { 863 LOG(ERROR) << "Unable to get new partition hash info on partition " 864 << install_part.name << "."; 865 *error = ErrorCode::kDownloadNewPartitionInfoError; 866 return false; 867 } 868 const PartitionInfo& info = partition.new_partition_info(); 869 install_part.target_size = info.size(); 870 install_part.target_hash.assign(info.hash().begin(), info.hash().end()); 871 872 install_plan_->partitions.push_back(install_part); 873 } 874 875 if (!install_plan_->LoadPartitionsFromSlots(boot_control_)) { 876 LOG(ERROR) << "Unable to determine all the partition devices."; 877 *error = ErrorCode::kInstallDeviceOpenError; 878 return false; 879 } 880 LogPartitionInfo(partitions_); 881 return true; 882 } 883 884 bool DeltaPerformer::CanPerformInstallOperation( 885 const chromeos_update_engine::InstallOperation& operation) { 886 // If we don't have a data blob we can apply it right away. 887 if (!operation.has_data_offset() && !operation.has_data_length()) 888 return true; 889 890 // See if we have the entire data blob in the buffer 891 if (operation.data_offset() < buffer_offset_) { 892 LOG(ERROR) << "we threw away data it seems?"; 893 return false; 894 } 895 896 return (operation.data_offset() + operation.data_length() <= 897 buffer_offset_ + buffer_.size()); 898 } 899 900 bool DeltaPerformer::PerformReplaceOperation( 901 const InstallOperation& operation) { 902 CHECK(operation.type() == InstallOperation::REPLACE || 903 operation.type() == InstallOperation::REPLACE_BZ || 904 operation.type() == InstallOperation::REPLACE_XZ); 905 906 // Since we delete data off the beginning of the buffer as we use it, 907 // the data we need should be exactly at the beginning of the buffer. 908 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 909 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 910 911 // Extract the signature message if it's in this operation. 912 if (ExtractSignatureMessageFromOperation(operation)) { 913 // If this is dummy replace operation, we ignore it after extracting the 914 // signature. 915 DiscardBuffer(true, 0); 916 return true; 917 } 918 919 // Setup the ExtentWriter stack based on the operation type. 920 std::unique_ptr<ExtentWriter> writer = 921 brillo::make_unique_ptr(new ZeroPadExtentWriter( 922 brillo::make_unique_ptr(new DirectExtentWriter()))); 923 924 if (operation.type() == InstallOperation::REPLACE_BZ) { 925 writer.reset(new BzipExtentWriter(std::move(writer))); 926 } else if (operation.type() == InstallOperation::REPLACE_XZ) { 927 writer.reset(new XzExtentWriter(std::move(writer))); 928 } 929 930 // Create a vector of extents to pass to the ExtentWriter. 931 vector<Extent> extents; 932 for (int i = 0; i < operation.dst_extents_size(); i++) { 933 extents.push_back(operation.dst_extents(i)); 934 } 935 936 TEST_AND_RETURN_FALSE(writer->Init(target_fd_, extents, block_size_)); 937 TEST_AND_RETURN_FALSE(writer->Write(buffer_.data(), operation.data_length())); 938 TEST_AND_RETURN_FALSE(writer->End()); 939 940 // Update buffer 941 DiscardBuffer(true, buffer_.size()); 942 return true; 943 } 944 945 bool DeltaPerformer::PerformZeroOrDiscardOperation( 946 const InstallOperation& operation) { 947 CHECK(operation.type() == InstallOperation::DISCARD || 948 operation.type() == InstallOperation::ZERO); 949 950 // These operations have no blob. 951 TEST_AND_RETURN_FALSE(!operation.has_data_offset()); 952 TEST_AND_RETURN_FALSE(!operation.has_data_length()); 953 954 #ifdef BLKZEROOUT 955 bool attempt_ioctl = true; 956 int request = 957 (operation.type() == InstallOperation::ZERO ? BLKZEROOUT : BLKDISCARD); 958 #else // !defined(BLKZEROOUT) 959 bool attempt_ioctl = false; 960 int request = 0; 961 #endif // !defined(BLKZEROOUT) 962 963 brillo::Blob zeros; 964 for (const Extent& extent : operation.dst_extents()) { 965 const uint64_t start = extent.start_block() * block_size_; 966 const uint64_t length = extent.num_blocks() * block_size_; 967 if (attempt_ioctl) { 968 int result = 0; 969 if (target_fd_->BlkIoctl(request, start, length, &result) && result == 0) 970 continue; 971 attempt_ioctl = false; 972 zeros.resize(16 * block_size_); 973 } 974 // In case of failure, we fall back to writing 0 to the selected region. 975 for (uint64_t offset = 0; offset < length; offset += zeros.size()) { 976 uint64_t chunk_length = min(length - offset, 977 static_cast<uint64_t>(zeros.size())); 978 TEST_AND_RETURN_FALSE( 979 utils::PWriteAll(target_fd_, zeros.data(), chunk_length, start + offset)); 980 } 981 } 982 return true; 983 } 984 985 bool DeltaPerformer::PerformMoveOperation(const InstallOperation& operation) { 986 // Calculate buffer size. Note, this function doesn't do a sliding 987 // window to copy in case the source and destination blocks overlap. 988 // If we wanted to do a sliding window, we could program the server 989 // to generate deltas that effectively did a sliding window. 990 991 uint64_t blocks_to_read = 0; 992 for (int i = 0; i < operation.src_extents_size(); i++) 993 blocks_to_read += operation.src_extents(i).num_blocks(); 994 995 uint64_t blocks_to_write = 0; 996 for (int i = 0; i < operation.dst_extents_size(); i++) 997 blocks_to_write += operation.dst_extents(i).num_blocks(); 998 999 DCHECK_EQ(blocks_to_write, blocks_to_read); 1000 brillo::Blob buf(blocks_to_write * block_size_); 1001 1002 // Read in bytes. 1003 ssize_t bytes_read = 0; 1004 for (int i = 0; i < operation.src_extents_size(); i++) { 1005 ssize_t bytes_read_this_iteration = 0; 1006 const Extent& extent = operation.src_extents(i); 1007 const size_t bytes = extent.num_blocks() * block_size_; 1008 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole); 1009 TEST_AND_RETURN_FALSE(utils::PReadAll(target_fd_, 1010 &buf[bytes_read], 1011 bytes, 1012 extent.start_block() * block_size_, 1013 &bytes_read_this_iteration)); 1014 TEST_AND_RETURN_FALSE( 1015 bytes_read_this_iteration == static_cast<ssize_t>(bytes)); 1016 bytes_read += bytes_read_this_iteration; 1017 } 1018 1019 // Write bytes out. 1020 ssize_t bytes_written = 0; 1021 for (int i = 0; i < operation.dst_extents_size(); i++) { 1022 const Extent& extent = operation.dst_extents(i); 1023 const size_t bytes = extent.num_blocks() * block_size_; 1024 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole); 1025 TEST_AND_RETURN_FALSE(utils::PWriteAll(target_fd_, 1026 &buf[bytes_written], 1027 bytes, 1028 extent.start_block() * block_size_)); 1029 bytes_written += bytes; 1030 } 1031 DCHECK_EQ(bytes_written, bytes_read); 1032 DCHECK_EQ(bytes_written, static_cast<ssize_t>(buf.size())); 1033 return true; 1034 } 1035 1036 namespace { 1037 1038 // Takes |extents| and fills an empty vector |blocks| with a block index for 1039 // each block in |extents|. For example, [(3, 2), (8, 1)] would give [3, 4, 8]. 1040 void ExtentsToBlocks(const RepeatedPtrField<Extent>& extents, 1041 vector<uint64_t>* blocks) { 1042 for (const Extent& ext : extents) { 1043 for (uint64_t j = 0; j < ext.num_blocks(); j++) 1044 blocks->push_back(ext.start_block() + j); 1045 } 1046 } 1047 1048 // Takes |extents| and returns the number of blocks in those extents. 1049 uint64_t GetBlockCount(const RepeatedPtrField<Extent>& extents) { 1050 uint64_t sum = 0; 1051 for (const Extent& ext : extents) { 1052 sum += ext.num_blocks(); 1053 } 1054 return sum; 1055 } 1056 1057 // Compare |calculated_hash| with source hash in |operation|, return false and 1058 // dump hash and set |error| if don't match. 1059 bool ValidateSourceHash(const brillo::Blob& calculated_hash, 1060 const InstallOperation& operation, 1061 ErrorCode* error) { 1062 brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(), 1063 operation.src_sha256_hash().end()); 1064 if (calculated_hash != expected_source_hash) { 1065 LOG(ERROR) << "The hash of the source data on disk for this operation " 1066 << "doesn't match the expected value. This could mean that the " 1067 << "delta update payload was targeted for another version, or " 1068 << "that the source partition was modified after it was " 1069 << "installed, for example, by mounting a filesystem."; 1070 LOG(ERROR) << "Expected: sha256|hex = " 1071 << base::HexEncode(expected_source_hash.data(), 1072 expected_source_hash.size()); 1073 LOG(ERROR) << "Calculated: sha256|hex = " 1074 << base::HexEncode(calculated_hash.data(), 1075 calculated_hash.size()); 1076 1077 vector<string> source_extents; 1078 for (const Extent& ext : operation.src_extents()) { 1079 source_extents.push_back( 1080 base::StringPrintf("%" PRIu64 ":%" PRIu64, 1081 static_cast<uint64_t>(ext.start_block()), 1082 static_cast<uint64_t>(ext.num_blocks()))); 1083 } 1084 LOG(ERROR) << "Operation source (offset:size) in blocks: " 1085 << base::JoinString(source_extents, ","); 1086 1087 *error = ErrorCode::kDownloadStateInitializationError; 1088 return false; 1089 } 1090 return true; 1091 } 1092 1093 } // namespace 1094 1095 bool DeltaPerformer::PerformSourceCopyOperation( 1096 const InstallOperation& operation, ErrorCode* error) { 1097 if (operation.has_src_length()) 1098 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0); 1099 if (operation.has_dst_length()) 1100 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0); 1101 1102 uint64_t blocks_to_read = GetBlockCount(operation.src_extents()); 1103 uint64_t blocks_to_write = GetBlockCount(operation.dst_extents()); 1104 TEST_AND_RETURN_FALSE(blocks_to_write == blocks_to_read); 1105 1106 // Create vectors of all the individual src/dst blocks. 1107 vector<uint64_t> src_blocks; 1108 vector<uint64_t> dst_blocks; 1109 ExtentsToBlocks(operation.src_extents(), &src_blocks); 1110 ExtentsToBlocks(operation.dst_extents(), &dst_blocks); 1111 DCHECK_EQ(src_blocks.size(), blocks_to_read); 1112 DCHECK_EQ(src_blocks.size(), dst_blocks.size()); 1113 1114 brillo::Blob buf(block_size_); 1115 ssize_t bytes_read = 0; 1116 HashCalculator source_hasher; 1117 // Read/write one block at a time. 1118 for (uint64_t i = 0; i < blocks_to_read; i++) { 1119 ssize_t bytes_read_this_iteration = 0; 1120 uint64_t src_block = src_blocks[i]; 1121 uint64_t dst_block = dst_blocks[i]; 1122 1123 // Read in bytes. 1124 TEST_AND_RETURN_FALSE( 1125 utils::PReadAll(source_fd_, 1126 buf.data(), 1127 block_size_, 1128 src_block * block_size_, 1129 &bytes_read_this_iteration)); 1130 1131 // Write bytes out. 1132 TEST_AND_RETURN_FALSE( 1133 utils::PWriteAll(target_fd_, 1134 buf.data(), 1135 block_size_, 1136 dst_block * block_size_)); 1137 1138 bytes_read += bytes_read_this_iteration; 1139 TEST_AND_RETURN_FALSE(bytes_read_this_iteration == 1140 static_cast<ssize_t>(block_size_)); 1141 1142 if (operation.has_src_sha256_hash()) 1143 TEST_AND_RETURN_FALSE(source_hasher.Update(buf.data(), buf.size())); 1144 } 1145 1146 if (operation.has_src_sha256_hash()) { 1147 TEST_AND_RETURN_FALSE(source_hasher.Finalize()); 1148 TEST_AND_RETURN_FALSE( 1149 ValidateSourceHash(source_hasher.raw_hash(), operation, error)); 1150 } 1151 1152 DCHECK_EQ(bytes_read, static_cast<ssize_t>(blocks_to_read * block_size_)); 1153 return true; 1154 } 1155 1156 bool DeltaPerformer::ExtentsToBsdiffPositionsString( 1157 const RepeatedPtrField<Extent>& extents, 1158 uint64_t block_size, 1159 uint64_t full_length, 1160 string* positions_string) { 1161 string ret; 1162 uint64_t length = 0; 1163 for (const Extent& extent : extents) { 1164 int64_t start = extent.start_block() * block_size; 1165 uint64_t this_length = 1166 min(full_length - length, 1167 static_cast<uint64_t>(extent.num_blocks()) * block_size); 1168 ret += base::StringPrintf("%" PRIi64 ":%" PRIu64 ",", start, this_length); 1169 length += this_length; 1170 } 1171 TEST_AND_RETURN_FALSE(length == full_length); 1172 if (!ret.empty()) 1173 ret.resize(ret.size() - 1); // Strip trailing comma off 1174 *positions_string = ret; 1175 return true; 1176 } 1177 1178 bool DeltaPerformer::PerformBsdiffOperation(const InstallOperation& operation) { 1179 // Since we delete data off the beginning of the buffer as we use it, 1180 // the data we need should be exactly at the beginning of the buffer. 1181 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 1182 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 1183 1184 string input_positions; 1185 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(), 1186 block_size_, 1187 operation.src_length(), 1188 &input_positions)); 1189 string output_positions; 1190 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(), 1191 block_size_, 1192 operation.dst_length(), 1193 &output_positions)); 1194 1195 TEST_AND_RETURN_FALSE(bsdiff::bspatch(target_path_.c_str(), 1196 target_path_.c_str(), 1197 buffer_.data(), 1198 buffer_.size(), 1199 input_positions.c_str(), 1200 output_positions.c_str()) == 0); 1201 DiscardBuffer(true, buffer_.size()); 1202 1203 if (operation.dst_length() % block_size_) { 1204 // Zero out rest of final block. 1205 // TODO(adlr): build this into bspatch; it's more efficient that way. 1206 const Extent& last_extent = 1207 operation.dst_extents(operation.dst_extents_size() - 1); 1208 const uint64_t end_byte = 1209 (last_extent.start_block() + last_extent.num_blocks()) * block_size_; 1210 const uint64_t begin_byte = 1211 end_byte - (block_size_ - operation.dst_length() % block_size_); 1212 brillo::Blob zeros(end_byte - begin_byte); 1213 TEST_AND_RETURN_FALSE( 1214 utils::PWriteAll(target_fd_, zeros.data(), end_byte - begin_byte, begin_byte)); 1215 } 1216 return true; 1217 } 1218 1219 bool DeltaPerformer::PerformSourceBsdiffOperation( 1220 const InstallOperation& operation, ErrorCode* error) { 1221 // Since we delete data off the beginning of the buffer as we use it, 1222 // the data we need should be exactly at the beginning of the buffer. 1223 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 1224 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 1225 if (operation.has_src_length()) 1226 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0); 1227 if (operation.has_dst_length()) 1228 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0); 1229 1230 if (operation.has_src_sha256_hash()) { 1231 HashCalculator source_hasher; 1232 const uint64_t kMaxBlocksToRead = 512; // 2MB if block size is 4KB 1233 brillo::Blob buf(kMaxBlocksToRead * block_size_); 1234 for (const Extent& extent : operation.src_extents()) { 1235 for (uint64_t i = 0; i < extent.num_blocks(); i += kMaxBlocksToRead) { 1236 uint64_t blocks_to_read = min( 1237 kMaxBlocksToRead, static_cast<uint64_t>(extent.num_blocks()) - i); 1238 ssize_t bytes_to_read = blocks_to_read * block_size_; 1239 ssize_t bytes_read_this_iteration = 0; 1240 TEST_AND_RETURN_FALSE( 1241 utils::PReadAll(source_fd_, buf.data(), bytes_to_read, 1242 (extent.start_block() + i) * block_size_, 1243 &bytes_read_this_iteration)); 1244 TEST_AND_RETURN_FALSE(bytes_read_this_iteration == bytes_to_read); 1245 TEST_AND_RETURN_FALSE(source_hasher.Update(buf.data(), bytes_to_read)); 1246 } 1247 } 1248 TEST_AND_RETURN_FALSE(source_hasher.Finalize()); 1249 TEST_AND_RETURN_FALSE( 1250 ValidateSourceHash(source_hasher.raw_hash(), operation, error)); 1251 } 1252 1253 string input_positions; 1254 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(), 1255 block_size_, 1256 operation.src_length(), 1257 &input_positions)); 1258 string output_positions; 1259 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(), 1260 block_size_, 1261 operation.dst_length(), 1262 &output_positions)); 1263 1264 TEST_AND_RETURN_FALSE(bsdiff::bspatch(source_path_.c_str(), 1265 target_path_.c_str(), 1266 buffer_.data(), 1267 buffer_.size(), 1268 input_positions.c_str(), 1269 output_positions.c_str()) == 0); 1270 DiscardBuffer(true, buffer_.size()); 1271 return true; 1272 } 1273 1274 bool DeltaPerformer::ExtractSignatureMessageFromOperation( 1275 const InstallOperation& operation) { 1276 if (operation.type() != InstallOperation::REPLACE || 1277 !manifest_.has_signatures_offset() || 1278 manifest_.signatures_offset() != operation.data_offset()) { 1279 return false; 1280 } 1281 TEST_AND_RETURN_FALSE(manifest_.has_signatures_size() && 1282 manifest_.signatures_size() == operation.data_length()); 1283 TEST_AND_RETURN_FALSE(ExtractSignatureMessage()); 1284 return true; 1285 } 1286 1287 bool DeltaPerformer::ExtractSignatureMessage() { 1288 TEST_AND_RETURN_FALSE(signatures_message_data_.empty()); 1289 TEST_AND_RETURN_FALSE(buffer_offset_ == manifest_.signatures_offset()); 1290 TEST_AND_RETURN_FALSE(buffer_.size() >= manifest_.signatures_size()); 1291 signatures_message_data_.assign( 1292 buffer_.begin(), 1293 buffer_.begin() + manifest_.signatures_size()); 1294 1295 // Save the signature blob because if the update is interrupted after the 1296 // download phase we don't go through this path anymore. Some alternatives to 1297 // consider: 1298 // 1299 // 1. On resume, re-download the signature blob from the server and re-verify 1300 // it. 1301 // 1302 // 2. Verify the signature as soon as it's received and don't checkpoint the 1303 // blob and the signed sha-256 context. 1304 LOG_IF(WARNING, !prefs_->SetString(kPrefsUpdateStateSignatureBlob, 1305 string(signatures_message_data_.begin(), 1306 signatures_message_data_.end()))) 1307 << "Unable to store the signature blob."; 1308 1309 LOG(INFO) << "Extracted signature data of size " 1310 << manifest_.signatures_size() << " at " 1311 << manifest_.signatures_offset(); 1312 return true; 1313 } 1314 1315 bool DeltaPerformer::GetPublicKeyFromResponse(base::FilePath *out_tmp_key) { 1316 if (hardware_->IsOfficialBuild() || 1317 utils::FileExists(public_key_path_.c_str()) || 1318 install_plan_->public_key_rsa.empty()) 1319 return false; 1320 1321 if (!utils::DecodeAndStoreBase64String(install_plan_->public_key_rsa, 1322 out_tmp_key)) 1323 return false; 1324 1325 return true; 1326 } 1327 1328 ErrorCode DeltaPerformer::ValidateMetadataSignature( 1329 const brillo::Blob& payload) { 1330 if (payload.size() < metadata_size_ + metadata_signature_size_) 1331 return ErrorCode::kDownloadMetadataSignatureError; 1332 1333 brillo::Blob metadata_signature_blob, metadata_signature_protobuf_blob; 1334 if (!payload_->metadata_signature.empty()) { 1335 // Convert base64-encoded signature to raw bytes. 1336 if (!brillo::data_encoding::Base64Decode(payload_->metadata_signature, 1337 &metadata_signature_blob)) { 1338 LOG(ERROR) << "Unable to decode base64 metadata signature: " 1339 << payload_->metadata_signature; 1340 return ErrorCode::kDownloadMetadataSignatureError; 1341 } 1342 } else if (major_payload_version_ == kBrilloMajorPayloadVersion) { 1343 metadata_signature_protobuf_blob.assign( 1344 payload.begin() + metadata_size_, 1345 payload.begin() + metadata_size_ + metadata_signature_size_); 1346 } 1347 1348 if (metadata_signature_blob.empty() && 1349 metadata_signature_protobuf_blob.empty()) { 1350 if (install_plan_->hash_checks_mandatory) { 1351 LOG(ERROR) << "Missing mandatory metadata signature in both Omaha " 1352 << "response and payload."; 1353 return ErrorCode::kDownloadMetadataSignatureMissingError; 1354 } 1355 1356 LOG(WARNING) << "Cannot validate metadata as the signature is empty"; 1357 return ErrorCode::kSuccess; 1358 } 1359 1360 // See if we should use the public RSA key in the Omaha response. 1361 base::FilePath path_to_public_key(public_key_path_); 1362 base::FilePath tmp_key; 1363 if (GetPublicKeyFromResponse(&tmp_key)) 1364 path_to_public_key = tmp_key; 1365 ScopedPathUnlinker tmp_key_remover(tmp_key.value()); 1366 if (tmp_key.empty()) 1367 tmp_key_remover.set_should_remove(false); 1368 1369 LOG(INFO) << "Verifying metadata hash signature using public key: " 1370 << path_to_public_key.value(); 1371 1372 brillo::Blob calculated_metadata_hash; 1373 if (!HashCalculator::RawHashOfBytes( 1374 payload.data(), metadata_size_, &calculated_metadata_hash)) { 1375 LOG(ERROR) << "Unable to compute actual hash of manifest"; 1376 return ErrorCode::kDownloadMetadataSignatureVerificationError; 1377 } 1378 1379 PayloadVerifier::PadRSA2048SHA256Hash(&calculated_metadata_hash); 1380 if (calculated_metadata_hash.empty()) { 1381 LOG(ERROR) << "Computed actual hash of metadata is empty."; 1382 return ErrorCode::kDownloadMetadataSignatureVerificationError; 1383 } 1384 1385 if (!metadata_signature_blob.empty()) { 1386 brillo::Blob expected_metadata_hash; 1387 if (!PayloadVerifier::GetRawHashFromSignature(metadata_signature_blob, 1388 path_to_public_key.value(), 1389 &expected_metadata_hash)) { 1390 LOG(ERROR) << "Unable to compute expected hash from metadata signature"; 1391 return ErrorCode::kDownloadMetadataSignatureError; 1392 } 1393 if (calculated_metadata_hash != expected_metadata_hash) { 1394 LOG(ERROR) << "Manifest hash verification failed. Expected hash = "; 1395 utils::HexDumpVector(expected_metadata_hash); 1396 LOG(ERROR) << "Calculated hash = "; 1397 utils::HexDumpVector(calculated_metadata_hash); 1398 return ErrorCode::kDownloadMetadataSignatureMismatch; 1399 } 1400 } else { 1401 if (!PayloadVerifier::VerifySignature(metadata_signature_protobuf_blob, 1402 path_to_public_key.value(), 1403 calculated_metadata_hash)) { 1404 LOG(ERROR) << "Manifest hash verification failed."; 1405 return ErrorCode::kDownloadMetadataSignatureMismatch; 1406 } 1407 } 1408 1409 // The autoupdate_CatchBadSignatures test checks for this string in 1410 // log-files. Keep in sync. 1411 LOG(INFO) << "Metadata hash signature matches value in Omaha response."; 1412 return ErrorCode::kSuccess; 1413 } 1414 1415 ErrorCode DeltaPerformer::ValidateManifest() { 1416 // Perform assorted checks to sanity check the manifest, make sure it 1417 // matches data from other sources, and that it is a supported version. 1418 1419 bool has_old_fields = 1420 (manifest_.has_old_kernel_info() || manifest_.has_old_rootfs_info()); 1421 for (const PartitionUpdate& partition : manifest_.partitions()) { 1422 has_old_fields = has_old_fields || partition.has_old_partition_info(); 1423 } 1424 1425 // The presence of an old partition hash is the sole indicator for a delta 1426 // update. 1427 InstallPayloadType actual_payload_type = 1428 has_old_fields ? InstallPayloadType::kDelta : InstallPayloadType::kFull; 1429 1430 if (payload_->type == InstallPayloadType::kUnknown) { 1431 LOG(INFO) << "Detected a '" 1432 << InstallPayloadTypeToString(actual_payload_type) 1433 << "' payload."; 1434 payload_->type = actual_payload_type; 1435 } else if (payload_->type != actual_payload_type) { 1436 LOG(ERROR) << "InstallPlan expected a '" 1437 << InstallPayloadTypeToString(payload_->type) 1438 << "' payload but the downloaded manifest contains a '" 1439 << InstallPayloadTypeToString(actual_payload_type) 1440 << "' payload."; 1441 return ErrorCode::kPayloadMismatchedType; 1442 } 1443 1444 // Check that the minor version is compatible. 1445 if (actual_payload_type == InstallPayloadType::kFull) { 1446 if (manifest_.minor_version() != kFullPayloadMinorVersion) { 1447 LOG(ERROR) << "Manifest contains minor version " 1448 << manifest_.minor_version() 1449 << ", but all full payloads should have version " 1450 << kFullPayloadMinorVersion << "."; 1451 return ErrorCode::kUnsupportedMinorPayloadVersion; 1452 } 1453 } else { 1454 if (manifest_.minor_version() != supported_minor_version_) { 1455 LOG(ERROR) << "Manifest contains minor version " 1456 << manifest_.minor_version() 1457 << " not the supported " 1458 << supported_minor_version_; 1459 return ErrorCode::kUnsupportedMinorPayloadVersion; 1460 } 1461 } 1462 1463 if (major_payload_version_ != kChromeOSMajorPayloadVersion) { 1464 if (manifest_.has_old_rootfs_info() || 1465 manifest_.has_new_rootfs_info() || 1466 manifest_.has_old_kernel_info() || 1467 manifest_.has_new_kernel_info() || 1468 manifest_.install_operations_size() != 0 || 1469 manifest_.kernel_install_operations_size() != 0) { 1470 LOG(ERROR) << "Manifest contains deprecated field only supported in " 1471 << "major payload version 1, but the payload major version is " 1472 << major_payload_version_; 1473 return ErrorCode::kPayloadMismatchedType; 1474 } 1475 } 1476 1477 // TODO(garnold) we should be adding more and more manifest checks, such as 1478 // partition boundaries etc (see chromium-os:37661). 1479 1480 return ErrorCode::kSuccess; 1481 } 1482 1483 ErrorCode DeltaPerformer::ValidateOperationHash( 1484 const InstallOperation& operation) { 1485 if (!operation.data_sha256_hash().size()) { 1486 if (!operation.data_length()) { 1487 // Operations that do not have any data blob won't have any operation hash 1488 // either. So, these operations are always considered validated since the 1489 // metadata that contains all the non-data-blob portions of the operation 1490 // has already been validated. This is true for both HTTP and HTTPS cases. 1491 return ErrorCode::kSuccess; 1492 } 1493 1494 // No hash is present for an operation that has data blobs. This shouldn't 1495 // happen normally for any client that has this code, because the 1496 // corresponding update should have been produced with the operation 1497 // hashes. So if it happens it means either we've turned operation hash 1498 // generation off in DeltaDiffGenerator or it's a regression of some sort. 1499 // One caveat though: The last operation is a dummy signature operation 1500 // that doesn't have a hash at the time the manifest is created. So we 1501 // should not complaint about that operation. This operation can be 1502 // recognized by the fact that it's offset is mentioned in the manifest. 1503 if (manifest_.signatures_offset() && 1504 manifest_.signatures_offset() == operation.data_offset()) { 1505 LOG(INFO) << "Skipping hash verification for signature operation " 1506 << next_operation_num_ + 1; 1507 } else { 1508 if (install_plan_->hash_checks_mandatory) { 1509 LOG(ERROR) << "Missing mandatory operation hash for operation " 1510 << next_operation_num_ + 1; 1511 return ErrorCode::kDownloadOperationHashMissingError; 1512 } 1513 1514 LOG(WARNING) << "Cannot validate operation " << next_operation_num_ + 1 1515 << " as there's no operation hash in manifest"; 1516 } 1517 return ErrorCode::kSuccess; 1518 } 1519 1520 brillo::Blob expected_op_hash; 1521 expected_op_hash.assign(operation.data_sha256_hash().data(), 1522 (operation.data_sha256_hash().data() + 1523 operation.data_sha256_hash().size())); 1524 1525 brillo::Blob calculated_op_hash; 1526 if (!HashCalculator::RawHashOfBytes( 1527 buffer_.data(), operation.data_length(), &calculated_op_hash)) { 1528 LOG(ERROR) << "Unable to compute actual hash of operation " 1529 << next_operation_num_; 1530 return ErrorCode::kDownloadOperationHashVerificationError; 1531 } 1532 1533 if (calculated_op_hash != expected_op_hash) { 1534 LOG(ERROR) << "Hash verification failed for operation " 1535 << next_operation_num_ << ". Expected hash = "; 1536 utils::HexDumpVector(expected_op_hash); 1537 LOG(ERROR) << "Calculated hash over " << operation.data_length() 1538 << " bytes at offset: " << operation.data_offset() << " = "; 1539 utils::HexDumpVector(calculated_op_hash); 1540 return ErrorCode::kDownloadOperationHashMismatch; 1541 } 1542 1543 return ErrorCode::kSuccess; 1544 } 1545 1546 #define TEST_AND_RETURN_VAL(_retval, _condition) \ 1547 do { \ 1548 if (!(_condition)) { \ 1549 LOG(ERROR) << "VerifyPayload failure: " << #_condition; \ 1550 return _retval; \ 1551 } \ 1552 } while (0); 1553 1554 ErrorCode DeltaPerformer::VerifyPayload( 1555 const brillo::Blob& update_check_response_hash, 1556 const uint64_t update_check_response_size) { 1557 1558 // See if we should use the public RSA key in the Omaha response. 1559 base::FilePath path_to_public_key(public_key_path_); 1560 base::FilePath tmp_key; 1561 if (GetPublicKeyFromResponse(&tmp_key)) 1562 path_to_public_key = tmp_key; 1563 ScopedPathUnlinker tmp_key_remover(tmp_key.value()); 1564 if (tmp_key.empty()) 1565 tmp_key_remover.set_should_remove(false); 1566 1567 LOG(INFO) << "Verifying payload using public key: " 1568 << path_to_public_key.value(); 1569 1570 // Verifies the download size. 1571 TEST_AND_RETURN_VAL(ErrorCode::kPayloadSizeMismatchError, 1572 update_check_response_size == 1573 metadata_size_ + metadata_signature_size_ + 1574 buffer_offset_); 1575 1576 // Verifies the payload hash. 1577 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadVerificationError, 1578 !payload_hash_calculator_.raw_hash().empty()); 1579 TEST_AND_RETURN_VAL( 1580 ErrorCode::kPayloadHashMismatchError, 1581 payload_hash_calculator_.raw_hash() == update_check_response_hash); 1582 1583 // Verifies the signed payload hash. 1584 if (!utils::FileExists(path_to_public_key.value().c_str())) { 1585 LOG(WARNING) << "Not verifying signed delta payload -- missing public key."; 1586 return ErrorCode::kSuccess; 1587 } 1588 TEST_AND_RETURN_VAL(ErrorCode::kSignedDeltaPayloadExpectedError, 1589 !signatures_message_data_.empty()); 1590 brillo::Blob hash_data = signed_hash_calculator_.raw_hash(); 1591 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError, 1592 PayloadVerifier::PadRSA2048SHA256Hash(&hash_data)); 1593 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError, 1594 !hash_data.empty()); 1595 1596 if (!PayloadVerifier::VerifySignature( 1597 signatures_message_data_, path_to_public_key.value(), hash_data)) { 1598 // The autoupdate_CatchBadSignatures test checks for this string 1599 // in log-files. Keep in sync. 1600 LOG(ERROR) << "Public key verification failed, thus update failed."; 1601 return ErrorCode::kDownloadPayloadPubKeyVerificationError; 1602 } 1603 1604 LOG(INFO) << "Payload hash matches value in payload."; 1605 1606 // At this point, we are guaranteed to have downloaded a full payload, i.e 1607 // the one whose size matches the size mentioned in Omaha response. If any 1608 // errors happen after this, it's likely a problem with the payload itself or 1609 // the state of the system and not a problem with the URL or network. So, 1610 // indicate that to the download delegate so that AU can backoff 1611 // appropriately. 1612 if (download_delegate_) 1613 download_delegate_->DownloadComplete(); 1614 1615 return ErrorCode::kSuccess; 1616 } 1617 1618 void DeltaPerformer::DiscardBuffer(bool do_advance_offset, 1619 size_t signed_hash_buffer_size) { 1620 // Update the buffer offset. 1621 if (do_advance_offset) 1622 buffer_offset_ += buffer_.size(); 1623 1624 // Hash the content. 1625 payload_hash_calculator_.Update(buffer_.data(), buffer_.size()); 1626 signed_hash_calculator_.Update(buffer_.data(), signed_hash_buffer_size); 1627 1628 // Swap content with an empty vector to ensure that all memory is released. 1629 brillo::Blob().swap(buffer_); 1630 } 1631 1632 bool DeltaPerformer::CanResumeUpdate(PrefsInterface* prefs, 1633 const string& update_check_response_hash) { 1634 int64_t next_operation = kUpdateStateOperationInvalid; 1635 if (!(prefs->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) && 1636 next_operation != kUpdateStateOperationInvalid && 1637 next_operation > 0)) 1638 return false; 1639 1640 string interrupted_hash; 1641 if (!(prefs->GetString(kPrefsUpdateCheckResponseHash, &interrupted_hash) && 1642 !interrupted_hash.empty() && 1643 interrupted_hash == update_check_response_hash)) 1644 return false; 1645 1646 int64_t resumed_update_failures; 1647 // Note that storing this value is optional, but if it is there it should not 1648 // be more than the limit. 1649 if (prefs->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures) && 1650 resumed_update_failures > kMaxResumedUpdateFailures) 1651 return false; 1652 1653 // Sanity check the rest. 1654 int64_t next_data_offset = -1; 1655 if (!(prefs->GetInt64(kPrefsUpdateStateNextDataOffset, &next_data_offset) && 1656 next_data_offset >= 0)) 1657 return false; 1658 1659 string sha256_context; 1660 if (!(prefs->GetString(kPrefsUpdateStateSHA256Context, &sha256_context) && 1661 !sha256_context.empty())) 1662 return false; 1663 1664 int64_t manifest_metadata_size = 0; 1665 if (!(prefs->GetInt64(kPrefsManifestMetadataSize, &manifest_metadata_size) && 1666 manifest_metadata_size > 0)) 1667 return false; 1668 1669 int64_t manifest_signature_size = 0; 1670 if (!(prefs->GetInt64(kPrefsManifestSignatureSize, 1671 &manifest_signature_size) && 1672 manifest_signature_size >= 0)) 1673 return false; 1674 1675 return true; 1676 } 1677 1678 bool DeltaPerformer::ResetUpdateProgress(PrefsInterface* prefs, bool quick) { 1679 TEST_AND_RETURN_FALSE(prefs->SetInt64(kPrefsUpdateStateNextOperation, 1680 kUpdateStateOperationInvalid)); 1681 if (!quick) { 1682 prefs->SetInt64(kPrefsUpdateStateNextDataOffset, -1); 1683 prefs->SetInt64(kPrefsUpdateStateNextDataLength, 0); 1684 prefs->SetString(kPrefsUpdateStateSHA256Context, ""); 1685 prefs->SetString(kPrefsUpdateStateSignedSHA256Context, ""); 1686 prefs->SetString(kPrefsUpdateStateSignatureBlob, ""); 1687 prefs->SetInt64(kPrefsManifestMetadataSize, -1); 1688 prefs->SetInt64(kPrefsManifestSignatureSize, -1); 1689 prefs->SetInt64(kPrefsResumedUpdateFailures, 0); 1690 } 1691 return true; 1692 } 1693 1694 bool DeltaPerformer::CheckpointUpdateProgress() { 1695 Terminator::set_exit_blocked(true); 1696 if (last_updated_buffer_offset_ != buffer_offset_) { 1697 // Resets the progress in case we die in the middle of the state update. 1698 ResetUpdateProgress(prefs_, true); 1699 TEST_AND_RETURN_FALSE( 1700 prefs_->SetString(kPrefsUpdateStateSHA256Context, 1701 payload_hash_calculator_.GetContext())); 1702 TEST_AND_RETURN_FALSE( 1703 prefs_->SetString(kPrefsUpdateStateSignedSHA256Context, 1704 signed_hash_calculator_.GetContext())); 1705 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataOffset, 1706 buffer_offset_)); 1707 last_updated_buffer_offset_ = buffer_offset_; 1708 1709 if (next_operation_num_ < num_total_operations_) { 1710 size_t partition_index = current_partition_; 1711 while (next_operation_num_ >= acc_num_operations_[partition_index]) 1712 partition_index++; 1713 const size_t partition_operation_num = next_operation_num_ - ( 1714 partition_index ? acc_num_operations_[partition_index - 1] : 0); 1715 const InstallOperation& op = 1716 partitions_[partition_index].operations(partition_operation_num); 1717 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength, 1718 op.data_length())); 1719 } else { 1720 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength, 1721 0)); 1722 } 1723 } 1724 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextOperation, 1725 next_operation_num_)); 1726 return true; 1727 } 1728 1729 bool DeltaPerformer::PrimeUpdateState() { 1730 CHECK(manifest_valid_); 1731 block_size_ = manifest_.block_size(); 1732 1733 int64_t next_operation = kUpdateStateOperationInvalid; 1734 if (!prefs_->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) || 1735 next_operation == kUpdateStateOperationInvalid || 1736 next_operation <= 0) { 1737 // Initiating a new update, no more state needs to be initialized. 1738 return true; 1739 } 1740 next_operation_num_ = next_operation; 1741 1742 // Resuming an update -- load the rest of the update state. 1743 int64_t next_data_offset = -1; 1744 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsUpdateStateNextDataOffset, 1745 &next_data_offset) && 1746 next_data_offset >= 0); 1747 buffer_offset_ = next_data_offset; 1748 1749 // The signed hash context and the signature blob may be empty if the 1750 // interrupted update didn't reach the signature. 1751 string signed_hash_context; 1752 if (prefs_->GetString(kPrefsUpdateStateSignedSHA256Context, 1753 &signed_hash_context)) { 1754 TEST_AND_RETURN_FALSE( 1755 signed_hash_calculator_.SetContext(signed_hash_context)); 1756 } 1757 1758 string signature_blob; 1759 if (prefs_->GetString(kPrefsUpdateStateSignatureBlob, &signature_blob)) { 1760 signatures_message_data_.assign(signature_blob.begin(), 1761 signature_blob.end()); 1762 } 1763 1764 string hash_context; 1765 TEST_AND_RETURN_FALSE(prefs_->GetString(kPrefsUpdateStateSHA256Context, 1766 &hash_context) && 1767 payload_hash_calculator_.SetContext(hash_context)); 1768 1769 int64_t manifest_metadata_size = 0; 1770 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsManifestMetadataSize, 1771 &manifest_metadata_size) && 1772 manifest_metadata_size > 0); 1773 metadata_size_ = manifest_metadata_size; 1774 1775 int64_t manifest_signature_size = 0; 1776 TEST_AND_RETURN_FALSE( 1777 prefs_->GetInt64(kPrefsManifestSignatureSize, &manifest_signature_size) && 1778 manifest_signature_size >= 0); 1779 metadata_signature_size_ = manifest_signature_size; 1780 1781 // Advance the download progress to reflect what doesn't need to be 1782 // re-downloaded. 1783 total_bytes_received_ += buffer_offset_; 1784 1785 // Speculatively count the resume as a failure. 1786 int64_t resumed_update_failures; 1787 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) { 1788 resumed_update_failures++; 1789 } else { 1790 resumed_update_failures = 1; 1791 } 1792 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures); 1793 return true; 1794 } 1795 1796 } // namespace chromeos_update_engine 1797
