1 // 2 // Copyright (C) 2012 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #include "update_engine/payload_consumer/delta_performer.h" 18 19 #include <errno.h> 20 #include <linux/fs.h> 21 22 #include <algorithm> 23 #include <cstring> 24 #include <memory> 25 #include <string> 26 #include <utility> 27 #include <vector> 28 29 #include <base/files/file_util.h> 30 #include <base/format_macros.h> 31 #include <base/metrics/histogram_macros.h> 32 #include <base/strings/string_number_conversions.h> 33 #include <base/strings/string_util.h> 34 #include <base/strings/stringprintf.h> 35 #include <base/time/time.h> 36 #include <brillo/data_encoding.h> 37 #include <bsdiff/bspatch.h> 38 #include <google/protobuf/repeated_field.h> 39 #include <puffin/puffpatch.h> 40 41 #include "update_engine/common/constants.h" 42 #include "update_engine/common/hardware_interface.h" 43 #include "update_engine/common/prefs_interface.h" 44 #include "update_engine/common/subprocess.h" 45 #include "update_engine/common/terminator.h" 46 #include "update_engine/payload_consumer/bzip_extent_writer.h" 47 #include "update_engine/payload_consumer/cached_file_descriptor.h" 48 #include "update_engine/payload_consumer/download_action.h" 49 #include "update_engine/payload_consumer/extent_reader.h" 50 #include "update_engine/payload_consumer/extent_writer.h" 51 #include "update_engine/payload_consumer/file_descriptor_utils.h" 52 #include "update_engine/payload_consumer/mount_history.h" 53 #if USE_MTD 54 #include "update_engine/payload_consumer/mtd_file_descriptor.h" 55 #endif 56 #include "update_engine/payload_consumer/payload_constants.h" 57 #include "update_engine/payload_consumer/payload_verifier.h" 58 #include "update_engine/payload_consumer/xz_extent_writer.h" 59 60 using google::protobuf::RepeatedPtrField; 61 using std::min; 62 using std::string; 63 using std::vector; 64 65 namespace chromeos_update_engine { 66 67 const uint64_t DeltaPerformer::kSupportedMajorPayloadVersion = 2; 68 const uint32_t DeltaPerformer::kSupportedMinorPayloadVersion = 5; 69 70 const unsigned DeltaPerformer::kProgressLogMaxChunks = 10; 71 const unsigned DeltaPerformer::kProgressLogTimeoutSeconds = 30; 72 const unsigned DeltaPerformer::kProgressDownloadWeight = 50; 73 const unsigned DeltaPerformer::kProgressOperationsWeight = 50; 74 75 namespace { 76 const int kUpdateStateOperationInvalid = -1; 77 const int kMaxResumedUpdateFailures = 10; 78 #if USE_MTD 79 const int kUbiVolumeAttachTimeout = 5 * 60; 80 #endif 81 82 const uint64_t kCacheSize = 1024 * 1024; // 1MB 83 84 FileDescriptorPtr CreateFileDescriptor(const char* path) { 85 FileDescriptorPtr ret; 86 #if USE_MTD 87 if (strstr(path, "/dev/ubi") == path) { 88 if (!UbiFileDescriptor::IsUbi(path)) { 89 // The volume might not have been attached at boot time. 90 int volume_no; 91 if (utils::SplitPartitionName(path, nullptr, &volume_no)) { 92 utils::TryAttachingUbiVolume(volume_no, kUbiVolumeAttachTimeout); 93 } 94 } 95 if (UbiFileDescriptor::IsUbi(path)) { 96 LOG(INFO) << path << " is a UBI device."; 97 ret.reset(new UbiFileDescriptor); 98 } 99 } else if (MtdFileDescriptor::IsMtd(path)) { 100 LOG(INFO) << path << " is an MTD device."; 101 ret.reset(new MtdFileDescriptor); 102 } else { 103 LOG(INFO) << path << " is not an MTD nor a UBI device."; 104 #endif 105 ret.reset(new EintrSafeFileDescriptor); 106 #if USE_MTD 107 } 108 #endif 109 return ret; 110 } 111 112 // Opens path for read/write. On success returns an open FileDescriptor 113 // and sets *err to 0. On failure, sets *err to errno and returns nullptr. 114 FileDescriptorPtr OpenFile(const char* path, 115 int mode, 116 bool cache_writes, 117 int* err) { 118 // Try to mark the block device read-only based on the mode. Ignore any 119 // failure since this won't work when passing regular files. 120 bool read_only = (mode & O_ACCMODE) == O_RDONLY; 121 utils::SetBlockDeviceReadOnly(path, read_only); 122 123 FileDescriptorPtr fd = CreateFileDescriptor(path); 124 if (cache_writes && !read_only) { 125 fd = FileDescriptorPtr(new CachedFileDescriptor(fd, kCacheSize)); 126 LOG(INFO) << "Caching writes."; 127 } 128 #if USE_MTD 129 // On NAND devices, we can either read, or write, but not both. So here we 130 // use O_WRONLY. 131 if (UbiFileDescriptor::IsUbi(path) || MtdFileDescriptor::IsMtd(path)) { 132 mode = O_WRONLY; 133 } 134 #endif 135 if (!fd->Open(path, mode, 000)) { 136 *err = errno; 137 PLOG(ERROR) << "Unable to open file " << path; 138 return nullptr; 139 } 140 *err = 0; 141 return fd; 142 } 143 144 // Discard the tail of the block device referenced by |fd|, from the offset 145 // |data_size| until the end of the block device. Returns whether the data was 146 // discarded. 147 bool DiscardPartitionTail(const FileDescriptorPtr& fd, uint64_t data_size) { 148 uint64_t part_size = fd->BlockDevSize(); 149 if (!part_size || part_size <= data_size) 150 return false; 151 152 struct blkioctl_request { 153 int number; 154 const char* name; 155 }; 156 const vector<blkioctl_request> blkioctl_requests = { 157 {BLKDISCARD, "BLKDISCARD"}, 158 {BLKSECDISCARD, "BLKSECDISCARD"}, 159 #ifdef BLKZEROOUT 160 {BLKZEROOUT, "BLKZEROOUT"}, 161 #endif 162 }; 163 for (const auto& req : blkioctl_requests) { 164 int error = 0; 165 if (fd->BlkIoctl(req.number, data_size, part_size - data_size, &error) && 166 error == 0) { 167 return true; 168 } 169 LOG(WARNING) << "Error discarding the last " 170 << (part_size - data_size) / 1024 << " KiB using ioctl(" 171 << req.name << ")"; 172 } 173 return false; 174 } 175 176 } // namespace 177 178 179 // Computes the ratio of |part| and |total|, scaled to |norm|, using integer 180 // arithmetic. 181 static uint64_t IntRatio(uint64_t part, uint64_t total, uint64_t norm) { 182 return part * norm / total; 183 } 184 185 void DeltaPerformer::LogProgress(const char* message_prefix) { 186 // Format operations total count and percentage. 187 string total_operations_str("?"); 188 string completed_percentage_str(""); 189 if (num_total_operations_) { 190 total_operations_str = std::to_string(num_total_operations_); 191 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting. 192 completed_percentage_str = 193 base::StringPrintf(" (%" PRIu64 "%%)", 194 IntRatio(next_operation_num_, num_total_operations_, 195 100)); 196 } 197 198 // Format download total count and percentage. 199 size_t payload_size = payload_->size; 200 string payload_size_str("?"); 201 string downloaded_percentage_str(""); 202 if (payload_size) { 203 payload_size_str = std::to_string(payload_size); 204 // Upcasting to 64-bit to avoid overflow, back to size_t for formatting. 205 downloaded_percentage_str = 206 base::StringPrintf(" (%" PRIu64 "%%)", 207 IntRatio(total_bytes_received_, payload_size, 100)); 208 } 209 210 LOG(INFO) << (message_prefix ? message_prefix : "") << next_operation_num_ 211 << "/" << total_operations_str << " operations" 212 << completed_percentage_str << ", " << total_bytes_received_ 213 << "/" << payload_size_str << " bytes downloaded" 214 << downloaded_percentage_str << ", overall progress " 215 << overall_progress_ << "%"; 216 } 217 218 void DeltaPerformer::UpdateOverallProgress(bool force_log, 219 const char* message_prefix) { 220 // Compute our download and overall progress. 221 unsigned new_overall_progress = 0; 222 static_assert(kProgressDownloadWeight + kProgressOperationsWeight == 100, 223 "Progress weights don't add up"); 224 // Only consider download progress if its total size is known; otherwise 225 // adjust the operations weight to compensate for the absence of download 226 // progress. Also, make sure to cap the download portion at 227 // kProgressDownloadWeight, in case we end up downloading more than we 228 // initially expected (this indicates a problem, but could generally happen). 229 // TODO(garnold) the correction of operations weight when we do not have the 230 // total payload size, as well as the conditional guard below, should both be 231 // eliminated once we ensure that the payload_size in the install plan is 232 // always given and is non-zero. This currently isn't the case during unit 233 // tests (see chromium-os:37969). 234 size_t payload_size = payload_->size; 235 unsigned actual_operations_weight = kProgressOperationsWeight; 236 if (payload_size) 237 new_overall_progress += min( 238 static_cast<unsigned>(IntRatio(total_bytes_received_, payload_size, 239 kProgressDownloadWeight)), 240 kProgressDownloadWeight); 241 else 242 actual_operations_weight += kProgressDownloadWeight; 243 244 // Only add completed operations if their total number is known; we definitely 245 // expect an update to have at least one operation, so the expectation is that 246 // this will eventually reach |actual_operations_weight|. 247 if (num_total_operations_) 248 new_overall_progress += IntRatio(next_operation_num_, num_total_operations_, 249 actual_operations_weight); 250 251 // Progress ratio cannot recede, unless our assumptions about the total 252 // payload size, total number of operations, or the monotonicity of progress 253 // is breached. 254 if (new_overall_progress < overall_progress_) { 255 LOG(WARNING) << "progress counter receded from " << overall_progress_ 256 << "% down to " << new_overall_progress << "%; this is a bug"; 257 force_log = true; 258 } 259 overall_progress_ = new_overall_progress; 260 261 // Update chunk index, log as needed: if forced by called, or we completed a 262 // progress chunk, or a timeout has expired. 263 base::Time curr_time = base::Time::Now(); 264 unsigned curr_progress_chunk = 265 overall_progress_ * kProgressLogMaxChunks / 100; 266 if (force_log || curr_progress_chunk > last_progress_chunk_ || 267 curr_time > forced_progress_log_time_) { 268 forced_progress_log_time_ = curr_time + forced_progress_log_wait_; 269 LogProgress(message_prefix); 270 } 271 last_progress_chunk_ = curr_progress_chunk; 272 } 273 274 275 size_t DeltaPerformer::CopyDataToBuffer(const char** bytes_p, size_t* count_p, 276 size_t max) { 277 const size_t count = *count_p; 278 if (!count) 279 return 0; // Special case shortcut. 280 size_t read_len = min(count, max - buffer_.size()); 281 const char* bytes_start = *bytes_p; 282 const char* bytes_end = bytes_start + read_len; 283 buffer_.reserve(max); 284 buffer_.insert(buffer_.end(), bytes_start, bytes_end); 285 *bytes_p = bytes_end; 286 *count_p = count - read_len; 287 return read_len; 288 } 289 290 291 bool DeltaPerformer::HandleOpResult(bool op_result, const char* op_type_name, 292 ErrorCode* error) { 293 if (op_result) 294 return true; 295 296 size_t partition_first_op_num = 297 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0; 298 LOG(ERROR) << "Failed to perform " << op_type_name << " operation " 299 << next_operation_num_ << ", which is the operation " 300 << next_operation_num_ - partition_first_op_num 301 << " in partition \"" 302 << partitions_[current_partition_].partition_name() << "\""; 303 if (*error == ErrorCode::kSuccess) 304 *error = ErrorCode::kDownloadOperationExecutionError; 305 return false; 306 } 307 308 int DeltaPerformer::Close() { 309 int err = -CloseCurrentPartition(); 310 LOG_IF(ERROR, !payload_hash_calculator_.Finalize() || 311 !signed_hash_calculator_.Finalize()) 312 << "Unable to finalize the hash."; 313 if (!buffer_.empty()) { 314 LOG(INFO) << "Discarding " << buffer_.size() << " unused downloaded bytes"; 315 if (err >= 0) 316 err = 1; 317 } 318 return -err; 319 } 320 321 int DeltaPerformer::CloseCurrentPartition() { 322 int err = 0; 323 if (source_fd_ && !source_fd_->Close()) { 324 err = errno; 325 PLOG(ERROR) << "Error closing source partition"; 326 if (!err) 327 err = 1; 328 } 329 source_fd_.reset(); 330 source_path_.clear(); 331 332 if (target_fd_ && !target_fd_->Close()) { 333 err = errno; 334 PLOG(ERROR) << "Error closing target partition"; 335 if (!err) 336 err = 1; 337 } 338 target_fd_.reset(); 339 target_path_.clear(); 340 return -err; 341 } 342 343 bool DeltaPerformer::OpenCurrentPartition() { 344 if (current_partition_ >= partitions_.size()) 345 return false; 346 347 const PartitionUpdate& partition = partitions_[current_partition_]; 348 size_t num_previous_partitions = 349 install_plan_->partitions.size() - partitions_.size(); 350 const InstallPlan::Partition& install_part = 351 install_plan_->partitions[num_previous_partitions + current_partition_]; 352 // Open source fds if we have a delta payload with minor version >= 2. 353 if (payload_->type == InstallPayloadType::kDelta && 354 GetMinorVersion() != kInPlaceMinorPayloadVersion) { 355 source_path_ = install_part.source_path; 356 int err; 357 source_fd_ = OpenFile(source_path_.c_str(), O_RDONLY, false, &err); 358 if (!source_fd_) { 359 LOG(ERROR) << "Unable to open source partition " 360 << partition.partition_name() << " on slot " 361 << BootControlInterface::SlotName(install_plan_->source_slot) 362 << ", file " << source_path_; 363 return false; 364 } 365 } 366 367 target_path_ = install_part.target_path; 368 int err; 369 370 int flags = O_RDWR; 371 if (!is_interactive_) 372 flags |= O_DSYNC; 373 374 LOG(INFO) << "Opening " << target_path_ << " partition with" 375 << (is_interactive_ ? "out" : "") << " O_DSYNC"; 376 377 target_fd_ = OpenFile(target_path_.c_str(), flags, true, &err); 378 if (!target_fd_) { 379 LOG(ERROR) << "Unable to open target partition " 380 << partition.partition_name() << " on slot " 381 << BootControlInterface::SlotName(install_plan_->target_slot) 382 << ", file " << target_path_; 383 return false; 384 } 385 386 LOG(INFO) << "Applying " << partition.operations().size() 387 << " operations to partition \"" << partition.partition_name() 388 << "\""; 389 390 // Discard the end of the partition, but ignore failures. 391 DiscardPartitionTail(target_fd_, install_part.target_size); 392 393 return true; 394 } 395 396 namespace { 397 398 void LogPartitionInfoHash(const PartitionInfo& info, const string& tag) { 399 string sha256 = brillo::data_encoding::Base64Encode(info.hash()); 400 LOG(INFO) << "PartitionInfo " << tag << " sha256: " << sha256 401 << " size: " << info.size(); 402 } 403 404 void LogPartitionInfo(const vector<PartitionUpdate>& partitions) { 405 for (const PartitionUpdate& partition : partitions) { 406 if (partition.has_old_partition_info()) { 407 LogPartitionInfoHash(partition.old_partition_info(), 408 "old " + partition.partition_name()); 409 } 410 LogPartitionInfoHash(partition.new_partition_info(), 411 "new " + partition.partition_name()); 412 } 413 } 414 415 } // namespace 416 417 uint32_t DeltaPerformer::GetMinorVersion() const { 418 if (manifest_.has_minor_version()) { 419 return manifest_.minor_version(); 420 } else { 421 return payload_->type == InstallPayloadType::kDelta 422 ? kSupportedMinorPayloadVersion 423 : kFullPayloadMinorVersion; 424 } 425 } 426 427 bool DeltaPerformer::IsHeaderParsed() const { 428 return metadata_size_ != 0; 429 } 430 431 MetadataParseResult DeltaPerformer::ParsePayloadMetadata( 432 const brillo::Blob& payload, ErrorCode* error) { 433 *error = ErrorCode::kSuccess; 434 435 if (!IsHeaderParsed()) { 436 MetadataParseResult result = payload_metadata_.ParsePayloadHeader( 437 payload, supported_major_version_, error); 438 if (result != MetadataParseResult::kSuccess) 439 return result; 440 441 metadata_size_ = payload_metadata_.GetMetadataSize(); 442 metadata_signature_size_ = payload_metadata_.GetMetadataSignatureSize(); 443 major_payload_version_ = payload_metadata_.GetMajorVersion(); 444 445 // If the metadata size is present in install plan, check for it immediately 446 // even before waiting for that many number of bytes to be downloaded in the 447 // payload. This will prevent any attack which relies on us downloading data 448 // beyond the expected metadata size. 449 if (install_plan_->hash_checks_mandatory) { 450 if (payload_->metadata_size != metadata_size_) { 451 LOG(ERROR) << "Mandatory metadata size in Omaha response (" 452 << payload_->metadata_size 453 << ") is missing/incorrect, actual = " << metadata_size_; 454 *error = ErrorCode::kDownloadInvalidMetadataSize; 455 return MetadataParseResult::kError; 456 } 457 } 458 } 459 460 // Now that we have validated the metadata size, we should wait for the full 461 // metadata and its signature (if exist) to be read in before we can parse it. 462 if (payload.size() < metadata_size_ + metadata_signature_size_) 463 return MetadataParseResult::kInsufficientData; 464 465 // Log whether we validated the size or simply trusting what's in the payload 466 // here. This is logged here (after we received the full metadata data) so 467 // that we just log once (instead of logging n times) if it takes n 468 // DeltaPerformer::Write calls to download the full manifest. 469 if (payload_->metadata_size == metadata_size_) { 470 LOG(INFO) << "Manifest size in payload matches expected value from Omaha"; 471 } else { 472 // For mandatory-cases, we'd have already returned a kMetadataParseError 473 // above. We'll be here only for non-mandatory cases. Just send a UMA stat. 474 LOG(WARNING) << "Ignoring missing/incorrect metadata size (" 475 << payload_->metadata_size 476 << ") in Omaha response as validation is not mandatory. " 477 << "Trusting metadata size in payload = " << metadata_size_; 478 } 479 480 // See if we should use the public RSA key in the Omaha response. 481 base::FilePath path_to_public_key(public_key_path_); 482 base::FilePath tmp_key; 483 if (GetPublicKeyFromResponse(&tmp_key)) 484 path_to_public_key = tmp_key; 485 ScopedPathUnlinker tmp_key_remover(tmp_key.value()); 486 if (tmp_key.empty()) 487 tmp_key_remover.set_should_remove(false); 488 489 // We have the full metadata in |payload|. Verify its integrity 490 // and authenticity based on the information we have in Omaha response. 491 *error = payload_metadata_.ValidateMetadataSignature( 492 payload, payload_->metadata_signature, path_to_public_key); 493 if (*error != ErrorCode::kSuccess) { 494 if (install_plan_->hash_checks_mandatory) { 495 // The autoupdate_CatchBadSignatures test checks for this string 496 // in log-files. Keep in sync. 497 LOG(ERROR) << "Mandatory metadata signature validation failed"; 498 return MetadataParseResult::kError; 499 } 500 501 // For non-mandatory cases, just send a UMA stat. 502 LOG(WARNING) << "Ignoring metadata signature validation failures"; 503 *error = ErrorCode::kSuccess; 504 } 505 506 // The payload metadata is deemed valid, it's safe to parse the protobuf. 507 if (!payload_metadata_.GetManifest(payload, &manifest_)) { 508 LOG(ERROR) << "Unable to parse manifest in update file."; 509 *error = ErrorCode::kDownloadManifestParseError; 510 return MetadataParseResult::kError; 511 } 512 513 manifest_parsed_ = true; 514 return MetadataParseResult::kSuccess; 515 } 516 517 #define OP_DURATION_HISTOGRAM(_op_name, _start_time) \ 518 LOCAL_HISTOGRAM_CUSTOM_TIMES( \ 519 "UpdateEngine.DownloadAction.InstallOperation::" \ 520 _op_name ".Duration", \ 521 base::TimeTicks::Now() - _start_time, \ 522 base::TimeDelta::FromMilliseconds(10), \ 523 base::TimeDelta::FromMinutes(5), \ 524 20); 525 526 // Wrapper around write. Returns true if all requested bytes 527 // were written, or false on any error, regardless of progress 528 // and stores an action exit code in |error|. 529 bool DeltaPerformer::Write(const void* bytes, size_t count, ErrorCode *error) { 530 *error = ErrorCode::kSuccess; 531 const char* c_bytes = reinterpret_cast<const char*>(bytes); 532 533 // Update the total byte downloaded count and the progress logs. 534 total_bytes_received_ += count; 535 UpdateOverallProgress(false, "Completed "); 536 537 while (!manifest_valid_) { 538 // Read data up to the needed limit; this is either maximium payload header 539 // size, or the full metadata size (once it becomes known). 540 const bool do_read_header = !IsHeaderParsed(); 541 CopyDataToBuffer(&c_bytes, &count, 542 (do_read_header ? kMaxPayloadHeaderSize : 543 metadata_size_ + metadata_signature_size_)); 544 545 MetadataParseResult result = ParsePayloadMetadata(buffer_, error); 546 if (result == MetadataParseResult::kError) 547 return false; 548 if (result == MetadataParseResult::kInsufficientData) { 549 // If we just processed the header, make an attempt on the manifest. 550 if (do_read_header && IsHeaderParsed()) 551 continue; 552 553 return true; 554 } 555 556 // Checks the integrity of the payload manifest. 557 if ((*error = ValidateManifest()) != ErrorCode::kSuccess) 558 return false; 559 manifest_valid_ = true; 560 561 // Clear the download buffer. 562 DiscardBuffer(false, metadata_size_); 563 564 // This populates |partitions_| and the |install_plan.partitions| with the 565 // list of partitions from the manifest. 566 if (!ParseManifestPartitions(error)) 567 return false; 568 569 // |install_plan.partitions| was filled in, nothing need to be done here if 570 // the payload was already applied, returns false to terminate http fetcher, 571 // but keep |error| as ErrorCode::kSuccess. 572 if (payload_->already_applied) 573 return false; 574 575 num_total_operations_ = 0; 576 for (const auto& partition : partitions_) { 577 num_total_operations_ += partition.operations_size(); 578 acc_num_operations_.push_back(num_total_operations_); 579 } 580 581 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestMetadataSize, 582 metadata_size_)) 583 << "Unable to save the manifest metadata size."; 584 LOG_IF(WARNING, !prefs_->SetInt64(kPrefsManifestSignatureSize, 585 metadata_signature_size_)) 586 << "Unable to save the manifest signature size."; 587 588 if (!PrimeUpdateState()) { 589 *error = ErrorCode::kDownloadStateInitializationError; 590 LOG(ERROR) << "Unable to prime the update state."; 591 return false; 592 } 593 594 if (!OpenCurrentPartition()) { 595 *error = ErrorCode::kInstallDeviceOpenError; 596 return false; 597 } 598 599 if (next_operation_num_ > 0) 600 UpdateOverallProgress(true, "Resuming after "); 601 LOG(INFO) << "Starting to apply update payload operations"; 602 } 603 604 while (next_operation_num_ < num_total_operations_) { 605 // Check if we should cancel the current attempt for any reason. 606 // In this case, *error will have already been populated with the reason 607 // why we're canceling. 608 if (download_delegate_ && download_delegate_->ShouldCancel(error)) 609 return false; 610 611 // We know there are more operations to perform because we didn't reach the 612 // |num_total_operations_| limit yet. 613 while (next_operation_num_ >= acc_num_operations_[current_partition_]) { 614 CloseCurrentPartition(); 615 current_partition_++; 616 if (!OpenCurrentPartition()) { 617 *error = ErrorCode::kInstallDeviceOpenError; 618 return false; 619 } 620 } 621 const size_t partition_operation_num = next_operation_num_ - ( 622 current_partition_ ? acc_num_operations_[current_partition_ - 1] : 0); 623 624 const InstallOperation& op = 625 partitions_[current_partition_].operations(partition_operation_num); 626 627 CopyDataToBuffer(&c_bytes, &count, op.data_length()); 628 629 // Check whether we received all of the next operation's data payload. 630 if (!CanPerformInstallOperation(op)) 631 return true; 632 633 // Validate the operation only if the metadata signature is present. 634 // Otherwise, keep the old behavior. This serves as a knob to disable 635 // the validation logic in case we find some regression after rollout. 636 // NOTE: If hash checks are mandatory and if metadata_signature is empty, 637 // we would have already failed in ParsePayloadMetadata method and thus not 638 // even be here. So no need to handle that case again here. 639 if (!payload_->metadata_signature.empty()) { 640 // Note: Validate must be called only if CanPerformInstallOperation is 641 // called. Otherwise, we might be failing operations before even if there 642 // isn't sufficient data to compute the proper hash. 643 *error = ValidateOperationHash(op); 644 if (*error != ErrorCode::kSuccess) { 645 if (install_plan_->hash_checks_mandatory) { 646 LOG(ERROR) << "Mandatory operation hash check failed"; 647 return false; 648 } 649 650 // For non-mandatory cases, just send a UMA stat. 651 LOG(WARNING) << "Ignoring operation validation errors"; 652 *error = ErrorCode::kSuccess; 653 } 654 } 655 656 // Makes sure we unblock exit when this operation completes. 657 ScopedTerminatorExitUnblocker exit_unblocker = 658 ScopedTerminatorExitUnblocker(); // Avoids a compiler unused var bug. 659 660 base::TimeTicks op_start_time = base::TimeTicks::Now(); 661 662 bool op_result; 663 switch (op.type()) { 664 case InstallOperation::REPLACE: 665 case InstallOperation::REPLACE_BZ: 666 case InstallOperation::REPLACE_XZ: 667 op_result = PerformReplaceOperation(op); 668 OP_DURATION_HISTOGRAM("REPLACE", op_start_time); 669 break; 670 case InstallOperation::ZERO: 671 case InstallOperation::DISCARD: 672 op_result = PerformZeroOrDiscardOperation(op); 673 OP_DURATION_HISTOGRAM("ZERO_OR_DISCARD", op_start_time); 674 break; 675 case InstallOperation::MOVE: 676 op_result = PerformMoveOperation(op); 677 OP_DURATION_HISTOGRAM("MOVE", op_start_time); 678 break; 679 case InstallOperation::BSDIFF: 680 op_result = PerformBsdiffOperation(op); 681 OP_DURATION_HISTOGRAM("BSDIFF", op_start_time); 682 break; 683 case InstallOperation::SOURCE_COPY: 684 op_result = PerformSourceCopyOperation(op, error); 685 OP_DURATION_HISTOGRAM("SOURCE_COPY", op_start_time); 686 break; 687 case InstallOperation::SOURCE_BSDIFF: 688 case InstallOperation::BROTLI_BSDIFF: 689 op_result = PerformSourceBsdiffOperation(op, error); 690 OP_DURATION_HISTOGRAM("SOURCE_BSDIFF", op_start_time); 691 break; 692 case InstallOperation::PUFFDIFF: 693 op_result = PerformPuffDiffOperation(op, error); 694 OP_DURATION_HISTOGRAM("PUFFDIFF", op_start_time); 695 break; 696 default: 697 op_result = false; 698 } 699 if (!HandleOpResult(op_result, InstallOperationTypeName(op.type()), error)) 700 return false; 701 702 if (!target_fd_->Flush()) { 703 return false; 704 } 705 706 next_operation_num_++; 707 UpdateOverallProgress(false, "Completed "); 708 CheckpointUpdateProgress(); 709 } 710 711 // In major version 2, we don't add dummy operation to the payload. 712 // If we already extracted the signature we should skip this step. 713 if (major_payload_version_ == kBrilloMajorPayloadVersion && 714 manifest_.has_signatures_offset() && manifest_.has_signatures_size() && 715 signatures_message_data_.empty()) { 716 if (manifest_.signatures_offset() != buffer_offset_) { 717 LOG(ERROR) << "Payload signatures offset points to blob offset " 718 << manifest_.signatures_offset() 719 << " but signatures are expected at offset " 720 << buffer_offset_; 721 *error = ErrorCode::kDownloadPayloadVerificationError; 722 return false; 723 } 724 CopyDataToBuffer(&c_bytes, &count, manifest_.signatures_size()); 725 // Needs more data to cover entire signature. 726 if (buffer_.size() < manifest_.signatures_size()) 727 return true; 728 if (!ExtractSignatureMessage()) { 729 LOG(ERROR) << "Extract payload signature failed."; 730 *error = ErrorCode::kDownloadPayloadVerificationError; 731 return false; 732 } 733 DiscardBuffer(true, 0); 734 // Since we extracted the SignatureMessage we need to advance the 735 // checkpoint, otherwise we would reload the signature and try to extract 736 // it again. 737 CheckpointUpdateProgress(); 738 } 739 740 return true; 741 } 742 743 bool DeltaPerformer::IsManifestValid() { 744 return manifest_valid_; 745 } 746 747 bool DeltaPerformer::ParseManifestPartitions(ErrorCode* error) { 748 if (major_payload_version_ == kBrilloMajorPayloadVersion) { 749 partitions_.clear(); 750 for (const PartitionUpdate& partition : manifest_.partitions()) { 751 partitions_.push_back(partition); 752 } 753 manifest_.clear_partitions(); 754 } else if (major_payload_version_ == kChromeOSMajorPayloadVersion) { 755 LOG(INFO) << "Converting update information from old format."; 756 PartitionUpdate root_part; 757 root_part.set_partition_name(kLegacyPartitionNameRoot); 758 #ifdef __ANDROID__ 759 LOG(WARNING) << "Legacy payload major version provided to an Android " 760 "build. Assuming no post-install. Please use major version " 761 "2 or newer."; 762 root_part.set_run_postinstall(false); 763 #else 764 root_part.set_run_postinstall(true); 765 #endif // __ANDROID__ 766 if (manifest_.has_old_rootfs_info()) { 767 *root_part.mutable_old_partition_info() = manifest_.old_rootfs_info(); 768 manifest_.clear_old_rootfs_info(); 769 } 770 if (manifest_.has_new_rootfs_info()) { 771 *root_part.mutable_new_partition_info() = manifest_.new_rootfs_info(); 772 manifest_.clear_new_rootfs_info(); 773 } 774 *root_part.mutable_operations() = manifest_.install_operations(); 775 manifest_.clear_install_operations(); 776 partitions_.push_back(std::move(root_part)); 777 778 PartitionUpdate kern_part; 779 kern_part.set_partition_name(kLegacyPartitionNameKernel); 780 kern_part.set_run_postinstall(false); 781 if (manifest_.has_old_kernel_info()) { 782 *kern_part.mutable_old_partition_info() = manifest_.old_kernel_info(); 783 manifest_.clear_old_kernel_info(); 784 } 785 if (manifest_.has_new_kernel_info()) { 786 *kern_part.mutable_new_partition_info() = manifest_.new_kernel_info(); 787 manifest_.clear_new_kernel_info(); 788 } 789 *kern_part.mutable_operations() = manifest_.kernel_install_operations(); 790 manifest_.clear_kernel_install_operations(); 791 partitions_.push_back(std::move(kern_part)); 792 } 793 794 // Fill in the InstallPlan::partitions based on the partitions from the 795 // payload. 796 for (const auto& partition : partitions_) { 797 InstallPlan::Partition install_part; 798 install_part.name = partition.partition_name(); 799 install_part.run_postinstall = 800 partition.has_run_postinstall() && partition.run_postinstall(); 801 if (install_part.run_postinstall) { 802 install_part.postinstall_path = 803 (partition.has_postinstall_path() ? partition.postinstall_path() 804 : kPostinstallDefaultScript); 805 install_part.filesystem_type = partition.filesystem_type(); 806 install_part.postinstall_optional = partition.postinstall_optional(); 807 } 808 809 if (partition.has_old_partition_info()) { 810 const PartitionInfo& info = partition.old_partition_info(); 811 install_part.source_size = info.size(); 812 install_part.source_hash.assign(info.hash().begin(), info.hash().end()); 813 } 814 815 if (!partition.has_new_partition_info()) { 816 LOG(ERROR) << "Unable to get new partition hash info on partition " 817 << install_part.name << "."; 818 *error = ErrorCode::kDownloadNewPartitionInfoError; 819 return false; 820 } 821 const PartitionInfo& info = partition.new_partition_info(); 822 install_part.target_size = info.size(); 823 install_part.target_hash.assign(info.hash().begin(), info.hash().end()); 824 825 install_plan_->partitions.push_back(install_part); 826 } 827 828 if (!install_plan_->LoadPartitionsFromSlots(boot_control_)) { 829 LOG(ERROR) << "Unable to determine all the partition devices."; 830 *error = ErrorCode::kInstallDeviceOpenError; 831 return false; 832 } 833 LogPartitionInfo(partitions_); 834 return true; 835 } 836 837 bool DeltaPerformer::CanPerformInstallOperation( 838 const chromeos_update_engine::InstallOperation& operation) { 839 // If we don't have a data blob we can apply it right away. 840 if (!operation.has_data_offset() && !operation.has_data_length()) 841 return true; 842 843 // See if we have the entire data blob in the buffer 844 if (operation.data_offset() < buffer_offset_) { 845 LOG(ERROR) << "we threw away data it seems?"; 846 return false; 847 } 848 849 return (operation.data_offset() + operation.data_length() <= 850 buffer_offset_ + buffer_.size()); 851 } 852 853 bool DeltaPerformer::PerformReplaceOperation( 854 const InstallOperation& operation) { 855 CHECK(operation.type() == InstallOperation::REPLACE || 856 operation.type() == InstallOperation::REPLACE_BZ || 857 operation.type() == InstallOperation::REPLACE_XZ); 858 859 // Since we delete data off the beginning of the buffer as we use it, 860 // the data we need should be exactly at the beginning of the buffer. 861 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 862 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 863 864 // Extract the signature message if it's in this operation. 865 if (ExtractSignatureMessageFromOperation(operation)) { 866 // If this is dummy replace operation, we ignore it after extracting the 867 // signature. 868 DiscardBuffer(true, 0); 869 return true; 870 } 871 872 // Setup the ExtentWriter stack based on the operation type. 873 std::unique_ptr<ExtentWriter> writer = std::make_unique<ZeroPadExtentWriter>( 874 std::make_unique<DirectExtentWriter>()); 875 876 if (operation.type() == InstallOperation::REPLACE_BZ) { 877 writer.reset(new BzipExtentWriter(std::move(writer))); 878 } else if (operation.type() == InstallOperation::REPLACE_XZ) { 879 writer.reset(new XzExtentWriter(std::move(writer))); 880 } 881 882 TEST_AND_RETURN_FALSE( 883 writer->Init(target_fd_, operation.dst_extents(), block_size_)); 884 TEST_AND_RETURN_FALSE(writer->Write(buffer_.data(), operation.data_length())); 885 TEST_AND_RETURN_FALSE(writer->End()); 886 887 // Update buffer 888 DiscardBuffer(true, buffer_.size()); 889 return true; 890 } 891 892 bool DeltaPerformer::PerformZeroOrDiscardOperation( 893 const InstallOperation& operation) { 894 CHECK(operation.type() == InstallOperation::DISCARD || 895 operation.type() == InstallOperation::ZERO); 896 897 // These operations have no blob. 898 TEST_AND_RETURN_FALSE(!operation.has_data_offset()); 899 TEST_AND_RETURN_FALSE(!operation.has_data_length()); 900 901 #ifdef BLKZEROOUT 902 bool attempt_ioctl = true; 903 int request = 904 (operation.type() == InstallOperation::ZERO ? BLKZEROOUT : BLKDISCARD); 905 #else // !defined(BLKZEROOUT) 906 bool attempt_ioctl = false; 907 int request = 0; 908 #endif // !defined(BLKZEROOUT) 909 910 brillo::Blob zeros; 911 for (const Extent& extent : operation.dst_extents()) { 912 const uint64_t start = extent.start_block() * block_size_; 913 const uint64_t length = extent.num_blocks() * block_size_; 914 if (attempt_ioctl) { 915 int result = 0; 916 if (target_fd_->BlkIoctl(request, start, length, &result) && result == 0) 917 continue; 918 attempt_ioctl = false; 919 } 920 // In case of failure, we fall back to writing 0 to the selected region. 921 zeros.resize(16 * block_size_); 922 for (uint64_t offset = 0; offset < length; offset += zeros.size()) { 923 uint64_t chunk_length = min(length - offset, 924 static_cast<uint64_t>(zeros.size())); 925 TEST_AND_RETURN_FALSE(utils::PWriteAll( 926 target_fd_, zeros.data(), chunk_length, start + offset)); 927 } 928 } 929 return true; 930 } 931 932 bool DeltaPerformer::PerformMoveOperation(const InstallOperation& operation) { 933 // Calculate buffer size. Note, this function doesn't do a sliding 934 // window to copy in case the source and destination blocks overlap. 935 // If we wanted to do a sliding window, we could program the server 936 // to generate deltas that effectively did a sliding window. 937 938 uint64_t blocks_to_read = 0; 939 for (int i = 0; i < operation.src_extents_size(); i++) 940 blocks_to_read += operation.src_extents(i).num_blocks(); 941 942 uint64_t blocks_to_write = 0; 943 for (int i = 0; i < operation.dst_extents_size(); i++) 944 blocks_to_write += operation.dst_extents(i).num_blocks(); 945 946 DCHECK_EQ(blocks_to_write, blocks_to_read); 947 brillo::Blob buf(blocks_to_write * block_size_); 948 949 // Read in bytes. 950 ssize_t bytes_read = 0; 951 for (int i = 0; i < operation.src_extents_size(); i++) { 952 ssize_t bytes_read_this_iteration = 0; 953 const Extent& extent = operation.src_extents(i); 954 const size_t bytes = extent.num_blocks() * block_size_; 955 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole); 956 TEST_AND_RETURN_FALSE(utils::PReadAll(target_fd_, 957 &buf[bytes_read], 958 bytes, 959 extent.start_block() * block_size_, 960 &bytes_read_this_iteration)); 961 TEST_AND_RETURN_FALSE( 962 bytes_read_this_iteration == static_cast<ssize_t>(bytes)); 963 bytes_read += bytes_read_this_iteration; 964 } 965 966 // Write bytes out. 967 ssize_t bytes_written = 0; 968 for (int i = 0; i < operation.dst_extents_size(); i++) { 969 const Extent& extent = operation.dst_extents(i); 970 const size_t bytes = extent.num_blocks() * block_size_; 971 TEST_AND_RETURN_FALSE(extent.start_block() != kSparseHole); 972 TEST_AND_RETURN_FALSE(utils::PWriteAll(target_fd_, 973 &buf[bytes_written], 974 bytes, 975 extent.start_block() * block_size_)); 976 bytes_written += bytes; 977 } 978 DCHECK_EQ(bytes_written, bytes_read); 979 DCHECK_EQ(bytes_written, static_cast<ssize_t>(buf.size())); 980 return true; 981 } 982 983 bool DeltaPerformer::ValidateSourceHash(const brillo::Blob& calculated_hash, 984 const InstallOperation& operation, 985 const FileDescriptorPtr source_fd, 986 ErrorCode* error) { 987 brillo::Blob expected_source_hash(operation.src_sha256_hash().begin(), 988 operation.src_sha256_hash().end()); 989 if (calculated_hash != expected_source_hash) { 990 LOG(ERROR) << "The hash of the source data on disk for this operation " 991 << "doesn't match the expected value. This could mean that the " 992 << "delta update payload was targeted for another version, or " 993 << "that the source partition was modified after it was " 994 << "installed, for example, by mounting a filesystem."; 995 LOG(ERROR) << "Expected: sha256|hex = " 996 << base::HexEncode(expected_source_hash.data(), 997 expected_source_hash.size()); 998 LOG(ERROR) << "Calculated: sha256|hex = " 999 << base::HexEncode(calculated_hash.data(), 1000 calculated_hash.size()); 1001 1002 vector<string> source_extents; 1003 for (const Extent& ext : operation.src_extents()) { 1004 source_extents.push_back( 1005 base::StringPrintf("%" PRIu64 ":%" PRIu64, 1006 static_cast<uint64_t>(ext.start_block()), 1007 static_cast<uint64_t>(ext.num_blocks()))); 1008 } 1009 LOG(ERROR) << "Operation source (offset:size) in blocks: " 1010 << base::JoinString(source_extents, ","); 1011 1012 // Log remount history if this device is an ext4 partition. 1013 LogMountHistory(source_fd); 1014 1015 *error = ErrorCode::kDownloadStateInitializationError; 1016 return false; 1017 } 1018 return true; 1019 } 1020 1021 bool DeltaPerformer::PerformSourceCopyOperation( 1022 const InstallOperation& operation, ErrorCode* error) { 1023 if (operation.has_src_length()) 1024 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0); 1025 if (operation.has_dst_length()) 1026 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0); 1027 1028 brillo::Blob source_hash; 1029 TEST_AND_RETURN_FALSE(fd_utils::CopyAndHashExtents(source_fd_, 1030 operation.src_extents(), 1031 target_fd_, 1032 operation.dst_extents(), 1033 block_size_, 1034 &source_hash)); 1035 1036 if (operation.has_src_sha256_hash()) { 1037 TEST_AND_RETURN_FALSE( 1038 ValidateSourceHash(source_hash, operation, source_fd_, error)); 1039 } 1040 1041 return true; 1042 } 1043 1044 bool DeltaPerformer::ExtentsToBsdiffPositionsString( 1045 const RepeatedPtrField<Extent>& extents, 1046 uint64_t block_size, 1047 uint64_t full_length, 1048 string* positions_string) { 1049 string ret; 1050 uint64_t length = 0; 1051 for (const Extent& extent : extents) { 1052 int64_t start = extent.start_block() * block_size; 1053 uint64_t this_length = 1054 min(full_length - length, 1055 static_cast<uint64_t>(extent.num_blocks()) * block_size); 1056 ret += base::StringPrintf("%" PRIi64 ":%" PRIu64 ",", start, this_length); 1057 length += this_length; 1058 } 1059 TEST_AND_RETURN_FALSE(length == full_length); 1060 if (!ret.empty()) 1061 ret.resize(ret.size() - 1); // Strip trailing comma off 1062 *positions_string = ret; 1063 return true; 1064 } 1065 1066 bool DeltaPerformer::PerformBsdiffOperation(const InstallOperation& operation) { 1067 // Since we delete data off the beginning of the buffer as we use it, 1068 // the data we need should be exactly at the beginning of the buffer. 1069 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 1070 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 1071 1072 string input_positions; 1073 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.src_extents(), 1074 block_size_, 1075 operation.src_length(), 1076 &input_positions)); 1077 string output_positions; 1078 TEST_AND_RETURN_FALSE(ExtentsToBsdiffPositionsString(operation.dst_extents(), 1079 block_size_, 1080 operation.dst_length(), 1081 &output_positions)); 1082 1083 TEST_AND_RETURN_FALSE(bsdiff::bspatch(target_path_.c_str(), 1084 target_path_.c_str(), 1085 buffer_.data(), 1086 buffer_.size(), 1087 input_positions.c_str(), 1088 output_positions.c_str()) == 0); 1089 DiscardBuffer(true, buffer_.size()); 1090 1091 if (operation.dst_length() % block_size_) { 1092 // Zero out rest of final block. 1093 // TODO(adlr): build this into bspatch; it's more efficient that way. 1094 const Extent& last_extent = 1095 operation.dst_extents(operation.dst_extents_size() - 1); 1096 const uint64_t end_byte = 1097 (last_extent.start_block() + last_extent.num_blocks()) * block_size_; 1098 const uint64_t begin_byte = 1099 end_byte - (block_size_ - operation.dst_length() % block_size_); 1100 brillo::Blob zeros(end_byte - begin_byte); 1101 TEST_AND_RETURN_FALSE(utils::PWriteAll( 1102 target_fd_, zeros.data(), end_byte - begin_byte, begin_byte)); 1103 } 1104 return true; 1105 } 1106 1107 namespace { 1108 1109 class BsdiffExtentFile : public bsdiff::FileInterface { 1110 public: 1111 BsdiffExtentFile(std::unique_ptr<ExtentReader> reader, size_t size) 1112 : BsdiffExtentFile(std::move(reader), nullptr, size) {} 1113 BsdiffExtentFile(std::unique_ptr<ExtentWriter> writer, size_t size) 1114 : BsdiffExtentFile(nullptr, std::move(writer), size) {} 1115 1116 ~BsdiffExtentFile() override = default; 1117 1118 bool Read(void* buf, size_t count, size_t* bytes_read) override { 1119 TEST_AND_RETURN_FALSE(reader_->Read(buf, count)); 1120 *bytes_read = count; 1121 offset_ += count; 1122 return true; 1123 } 1124 1125 bool Write(const void* buf, size_t count, size_t* bytes_written) override { 1126 TEST_AND_RETURN_FALSE(writer_->Write(buf, count)); 1127 *bytes_written = count; 1128 offset_ += count; 1129 return true; 1130 } 1131 1132 bool Seek(off_t pos) override { 1133 if (reader_ != nullptr) { 1134 TEST_AND_RETURN_FALSE(reader_->Seek(pos)); 1135 offset_ = pos; 1136 } else { 1137 // For writes technically there should be no change of position, or it 1138 // should be equivalent of current offset. 1139 TEST_AND_RETURN_FALSE(offset_ == static_cast<uint64_t>(pos)); 1140 } 1141 return true; 1142 } 1143 1144 bool Close() override { 1145 if (writer_ != nullptr) { 1146 TEST_AND_RETURN_FALSE(writer_->End()); 1147 } 1148 return true; 1149 } 1150 1151 bool GetSize(uint64_t* size) override { 1152 *size = size_; 1153 return true; 1154 } 1155 1156 private: 1157 BsdiffExtentFile(std::unique_ptr<ExtentReader> reader, 1158 std::unique_ptr<ExtentWriter> writer, 1159 size_t size) 1160 : reader_(std::move(reader)), 1161 writer_(std::move(writer)), 1162 size_(size), 1163 offset_(0) {} 1164 1165 std::unique_ptr<ExtentReader> reader_; 1166 std::unique_ptr<ExtentWriter> writer_; 1167 uint64_t size_; 1168 uint64_t offset_; 1169 1170 DISALLOW_COPY_AND_ASSIGN(BsdiffExtentFile); 1171 }; 1172 1173 } // namespace 1174 1175 bool DeltaPerformer::PerformSourceBsdiffOperation( 1176 const InstallOperation& operation, ErrorCode* error) { 1177 // Since we delete data off the beginning of the buffer as we use it, 1178 // the data we need should be exactly at the beginning of the buffer. 1179 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 1180 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 1181 if (operation.has_src_length()) 1182 TEST_AND_RETURN_FALSE(operation.src_length() % block_size_ == 0); 1183 if (operation.has_dst_length()) 1184 TEST_AND_RETURN_FALSE(operation.dst_length() % block_size_ == 0); 1185 1186 if (operation.has_src_sha256_hash()) { 1187 brillo::Blob source_hash; 1188 TEST_AND_RETURN_FALSE(fd_utils::ReadAndHashExtents( 1189 source_fd_, operation.src_extents(), block_size_, &source_hash)); 1190 TEST_AND_RETURN_FALSE( 1191 ValidateSourceHash(source_hash, operation, source_fd_, error)); 1192 } 1193 1194 auto reader = std::make_unique<DirectExtentReader>(); 1195 TEST_AND_RETURN_FALSE( 1196 reader->Init(source_fd_, operation.src_extents(), block_size_)); 1197 auto src_file = std::make_unique<BsdiffExtentFile>( 1198 std::move(reader), 1199 utils::BlocksInExtents(operation.src_extents()) * block_size_); 1200 1201 auto writer = std::make_unique<DirectExtentWriter>(); 1202 TEST_AND_RETURN_FALSE( 1203 writer->Init(target_fd_, operation.dst_extents(), block_size_)); 1204 auto dst_file = std::make_unique<BsdiffExtentFile>( 1205 std::move(writer), 1206 utils::BlocksInExtents(operation.dst_extents()) * block_size_); 1207 1208 TEST_AND_RETURN_FALSE(bsdiff::bspatch(std::move(src_file), 1209 std::move(dst_file), 1210 buffer_.data(), 1211 buffer_.size()) == 0); 1212 DiscardBuffer(true, buffer_.size()); 1213 return true; 1214 } 1215 1216 namespace { 1217 1218 // A class to be passed to |puffpatch| for reading from |source_fd_| and writing 1219 // into |target_fd_|. 1220 class PuffinExtentStream : public puffin::StreamInterface { 1221 public: 1222 // Constructor for creating a stream for reading from an |ExtentReader|. 1223 PuffinExtentStream(std::unique_ptr<ExtentReader> reader, uint64_t size) 1224 : PuffinExtentStream(std::move(reader), nullptr, size) {} 1225 1226 // Constructor for creating a stream for writing to an |ExtentWriter|. 1227 PuffinExtentStream(std::unique_ptr<ExtentWriter> writer, uint64_t size) 1228 : PuffinExtentStream(nullptr, std::move(writer), size) {} 1229 1230 ~PuffinExtentStream() override = default; 1231 1232 bool GetSize(uint64_t* size) const override { 1233 *size = size_; 1234 return true; 1235 } 1236 1237 bool GetOffset(uint64_t* offset) const override { 1238 *offset = offset_; 1239 return true; 1240 } 1241 1242 bool Seek(uint64_t offset) override { 1243 if (is_read_) { 1244 TEST_AND_RETURN_FALSE(reader_->Seek(offset)); 1245 offset_ = offset; 1246 } else { 1247 // For writes technically there should be no change of position, or it 1248 // should equivalent of current offset. 1249 TEST_AND_RETURN_FALSE(offset_ == offset); 1250 } 1251 return true; 1252 } 1253 1254 bool Read(void* buffer, size_t count) override { 1255 TEST_AND_RETURN_FALSE(is_read_); 1256 TEST_AND_RETURN_FALSE(reader_->Read(buffer, count)); 1257 offset_ += count; 1258 return true; 1259 } 1260 1261 bool Write(const void* buffer, size_t count) override { 1262 TEST_AND_RETURN_FALSE(!is_read_); 1263 TEST_AND_RETURN_FALSE(writer_->Write(buffer, count)); 1264 offset_ += count; 1265 return true; 1266 } 1267 1268 bool Close() override { 1269 if (!is_read_) { 1270 TEST_AND_RETURN_FALSE(writer_->End()); 1271 } 1272 return true; 1273 } 1274 1275 private: 1276 PuffinExtentStream(std::unique_ptr<ExtentReader> reader, 1277 std::unique_ptr<ExtentWriter> writer, 1278 uint64_t size) 1279 : reader_(std::move(reader)), 1280 writer_(std::move(writer)), 1281 size_(size), 1282 offset_(0), 1283 is_read_(reader_ ? true : false) {} 1284 1285 std::unique_ptr<ExtentReader> reader_; 1286 std::unique_ptr<ExtentWriter> writer_; 1287 uint64_t size_; 1288 uint64_t offset_; 1289 bool is_read_; 1290 1291 DISALLOW_COPY_AND_ASSIGN(PuffinExtentStream); 1292 }; 1293 1294 } // namespace 1295 1296 bool DeltaPerformer::PerformPuffDiffOperation(const InstallOperation& operation, 1297 ErrorCode* error) { 1298 // Since we delete data off the beginning of the buffer as we use it, 1299 // the data we need should be exactly at the beginning of the buffer. 1300 TEST_AND_RETURN_FALSE(buffer_offset_ == operation.data_offset()); 1301 TEST_AND_RETURN_FALSE(buffer_.size() >= operation.data_length()); 1302 1303 if (operation.has_src_sha256_hash()) { 1304 brillo::Blob source_hash; 1305 TEST_AND_RETURN_FALSE(fd_utils::ReadAndHashExtents( 1306 source_fd_, operation.src_extents(), block_size_, &source_hash)); 1307 TEST_AND_RETURN_FALSE( 1308 ValidateSourceHash(source_hash, operation, source_fd_, error)); 1309 } 1310 1311 auto reader = std::make_unique<DirectExtentReader>(); 1312 TEST_AND_RETURN_FALSE( 1313 reader->Init(source_fd_, operation.src_extents(), block_size_)); 1314 puffin::UniqueStreamPtr src_stream(new PuffinExtentStream( 1315 std::move(reader), 1316 utils::BlocksInExtents(operation.src_extents()) * block_size_)); 1317 1318 auto writer = std::make_unique<DirectExtentWriter>(); 1319 TEST_AND_RETURN_FALSE( 1320 writer->Init(target_fd_, operation.dst_extents(), block_size_)); 1321 puffin::UniqueStreamPtr dst_stream(new PuffinExtentStream( 1322 std::move(writer), 1323 utils::BlocksInExtents(operation.dst_extents()) * block_size_)); 1324 1325 const size_t kMaxCacheSize = 5 * 1024 * 1024; // Total 5MB cache. 1326 TEST_AND_RETURN_FALSE(puffin::PuffPatch(std::move(src_stream), 1327 std::move(dst_stream), 1328 buffer_.data(), 1329 buffer_.size(), 1330 kMaxCacheSize)); 1331 DiscardBuffer(true, buffer_.size()); 1332 return true; 1333 } 1334 1335 bool DeltaPerformer::ExtractSignatureMessageFromOperation( 1336 const InstallOperation& operation) { 1337 if (operation.type() != InstallOperation::REPLACE || 1338 !manifest_.has_signatures_offset() || 1339 manifest_.signatures_offset() != operation.data_offset()) { 1340 return false; 1341 } 1342 TEST_AND_RETURN_FALSE(manifest_.has_signatures_size() && 1343 manifest_.signatures_size() == operation.data_length()); 1344 TEST_AND_RETURN_FALSE(ExtractSignatureMessage()); 1345 return true; 1346 } 1347 1348 bool DeltaPerformer::ExtractSignatureMessage() { 1349 TEST_AND_RETURN_FALSE(signatures_message_data_.empty()); 1350 TEST_AND_RETURN_FALSE(buffer_offset_ == manifest_.signatures_offset()); 1351 TEST_AND_RETURN_FALSE(buffer_.size() >= manifest_.signatures_size()); 1352 signatures_message_data_.assign( 1353 buffer_.begin(), 1354 buffer_.begin() + manifest_.signatures_size()); 1355 1356 // Save the signature blob because if the update is interrupted after the 1357 // download phase we don't go through this path anymore. Some alternatives to 1358 // consider: 1359 // 1360 // 1. On resume, re-download the signature blob from the server and re-verify 1361 // it. 1362 // 1363 // 2. Verify the signature as soon as it's received and don't checkpoint the 1364 // blob and the signed sha-256 context. 1365 LOG_IF(WARNING, !prefs_->SetString(kPrefsUpdateStateSignatureBlob, 1366 string(signatures_message_data_.begin(), 1367 signatures_message_data_.end()))) 1368 << "Unable to store the signature blob."; 1369 1370 LOG(INFO) << "Extracted signature data of size " 1371 << manifest_.signatures_size() << " at " 1372 << manifest_.signatures_offset(); 1373 return true; 1374 } 1375 1376 bool DeltaPerformer::GetPublicKeyFromResponse(base::FilePath *out_tmp_key) { 1377 if (hardware_->IsOfficialBuild() || 1378 utils::FileExists(public_key_path_.c_str()) || 1379 install_plan_->public_key_rsa.empty()) 1380 return false; 1381 1382 if (!utils::DecodeAndStoreBase64String(install_plan_->public_key_rsa, 1383 out_tmp_key)) 1384 return false; 1385 1386 return true; 1387 } 1388 1389 ErrorCode DeltaPerformer::ValidateManifest() { 1390 // Perform assorted checks to sanity check the manifest, make sure it 1391 // matches data from other sources, and that it is a supported version. 1392 1393 bool has_old_fields = 1394 (manifest_.has_old_kernel_info() || manifest_.has_old_rootfs_info()); 1395 for (const PartitionUpdate& partition : manifest_.partitions()) { 1396 has_old_fields = has_old_fields || partition.has_old_partition_info(); 1397 } 1398 1399 // The presence of an old partition hash is the sole indicator for a delta 1400 // update. 1401 InstallPayloadType actual_payload_type = 1402 has_old_fields ? InstallPayloadType::kDelta : InstallPayloadType::kFull; 1403 1404 if (payload_->type == InstallPayloadType::kUnknown) { 1405 LOG(INFO) << "Detected a '" 1406 << InstallPayloadTypeToString(actual_payload_type) 1407 << "' payload."; 1408 payload_->type = actual_payload_type; 1409 } else if (payload_->type != actual_payload_type) { 1410 LOG(ERROR) << "InstallPlan expected a '" 1411 << InstallPayloadTypeToString(payload_->type) 1412 << "' payload but the downloaded manifest contains a '" 1413 << InstallPayloadTypeToString(actual_payload_type) 1414 << "' payload."; 1415 return ErrorCode::kPayloadMismatchedType; 1416 } 1417 1418 // Check that the minor version is compatible. 1419 if (actual_payload_type == InstallPayloadType::kFull) { 1420 if (manifest_.minor_version() != kFullPayloadMinorVersion) { 1421 LOG(ERROR) << "Manifest contains minor version " 1422 << manifest_.minor_version() 1423 << ", but all full payloads should have version " 1424 << kFullPayloadMinorVersion << "."; 1425 return ErrorCode::kUnsupportedMinorPayloadVersion; 1426 } 1427 } else { 1428 if (manifest_.minor_version() != supported_minor_version_) { 1429 LOG(ERROR) << "Manifest contains minor version " 1430 << manifest_.minor_version() 1431 << " not the supported " 1432 << supported_minor_version_; 1433 return ErrorCode::kUnsupportedMinorPayloadVersion; 1434 } 1435 } 1436 1437 if (major_payload_version_ != kChromeOSMajorPayloadVersion) { 1438 if (manifest_.has_old_rootfs_info() || 1439 manifest_.has_new_rootfs_info() || 1440 manifest_.has_old_kernel_info() || 1441 manifest_.has_new_kernel_info() || 1442 manifest_.install_operations_size() != 0 || 1443 manifest_.kernel_install_operations_size() != 0) { 1444 LOG(ERROR) << "Manifest contains deprecated field only supported in " 1445 << "major payload version 1, but the payload major version is " 1446 << major_payload_version_; 1447 return ErrorCode::kPayloadMismatchedType; 1448 } 1449 } 1450 1451 if (manifest_.max_timestamp() < hardware_->GetBuildTimestamp()) { 1452 LOG(ERROR) << "The current OS build timestamp (" 1453 << hardware_->GetBuildTimestamp() 1454 << ") is newer than the maximum timestamp in the manifest (" 1455 << manifest_.max_timestamp() << ")"; 1456 return ErrorCode::kPayloadTimestampError; 1457 } 1458 1459 // TODO(garnold) we should be adding more and more manifest checks, such as 1460 // partition boundaries etc (see chromium-os:37661). 1461 1462 return ErrorCode::kSuccess; 1463 } 1464 1465 ErrorCode DeltaPerformer::ValidateOperationHash( 1466 const InstallOperation& operation) { 1467 if (!operation.data_sha256_hash().size()) { 1468 if (!operation.data_length()) { 1469 // Operations that do not have any data blob won't have any operation hash 1470 // either. So, these operations are always considered validated since the 1471 // metadata that contains all the non-data-blob portions of the operation 1472 // has already been validated. This is true for both HTTP and HTTPS cases. 1473 return ErrorCode::kSuccess; 1474 } 1475 1476 // No hash is present for an operation that has data blobs. This shouldn't 1477 // happen normally for any client that has this code, because the 1478 // corresponding update should have been produced with the operation 1479 // hashes. So if it happens it means either we've turned operation hash 1480 // generation off in DeltaDiffGenerator or it's a regression of some sort. 1481 // One caveat though: The last operation is a dummy signature operation 1482 // that doesn't have a hash at the time the manifest is created. So we 1483 // should not complaint about that operation. This operation can be 1484 // recognized by the fact that it's offset is mentioned in the manifest. 1485 if (manifest_.signatures_offset() && 1486 manifest_.signatures_offset() == operation.data_offset()) { 1487 LOG(INFO) << "Skipping hash verification for signature operation " 1488 << next_operation_num_ + 1; 1489 } else { 1490 if (install_plan_->hash_checks_mandatory) { 1491 LOG(ERROR) << "Missing mandatory operation hash for operation " 1492 << next_operation_num_ + 1; 1493 return ErrorCode::kDownloadOperationHashMissingError; 1494 } 1495 1496 LOG(WARNING) << "Cannot validate operation " << next_operation_num_ + 1 1497 << " as there's no operation hash in manifest"; 1498 } 1499 return ErrorCode::kSuccess; 1500 } 1501 1502 brillo::Blob expected_op_hash; 1503 expected_op_hash.assign(operation.data_sha256_hash().data(), 1504 (operation.data_sha256_hash().data() + 1505 operation.data_sha256_hash().size())); 1506 1507 brillo::Blob calculated_op_hash; 1508 if (!HashCalculator::RawHashOfBytes( 1509 buffer_.data(), operation.data_length(), &calculated_op_hash)) { 1510 LOG(ERROR) << "Unable to compute actual hash of operation " 1511 << next_operation_num_; 1512 return ErrorCode::kDownloadOperationHashVerificationError; 1513 } 1514 1515 if (calculated_op_hash != expected_op_hash) { 1516 LOG(ERROR) << "Hash verification failed for operation " 1517 << next_operation_num_ << ". Expected hash = "; 1518 utils::HexDumpVector(expected_op_hash); 1519 LOG(ERROR) << "Calculated hash over " << operation.data_length() 1520 << " bytes at offset: " << operation.data_offset() << " = "; 1521 utils::HexDumpVector(calculated_op_hash); 1522 return ErrorCode::kDownloadOperationHashMismatch; 1523 } 1524 1525 return ErrorCode::kSuccess; 1526 } 1527 1528 #define TEST_AND_RETURN_VAL(_retval, _condition) \ 1529 do { \ 1530 if (!(_condition)) { \ 1531 LOG(ERROR) << "VerifyPayload failure: " << #_condition; \ 1532 return _retval; \ 1533 } \ 1534 } while (0); 1535 1536 ErrorCode DeltaPerformer::VerifyPayload( 1537 const brillo::Blob& update_check_response_hash, 1538 const uint64_t update_check_response_size) { 1539 1540 // See if we should use the public RSA key in the Omaha response. 1541 base::FilePath path_to_public_key(public_key_path_); 1542 base::FilePath tmp_key; 1543 if (GetPublicKeyFromResponse(&tmp_key)) 1544 path_to_public_key = tmp_key; 1545 ScopedPathUnlinker tmp_key_remover(tmp_key.value()); 1546 if (tmp_key.empty()) 1547 tmp_key_remover.set_should_remove(false); 1548 1549 LOG(INFO) << "Verifying payload using public key: " 1550 << path_to_public_key.value(); 1551 1552 // Verifies the download size. 1553 TEST_AND_RETURN_VAL(ErrorCode::kPayloadSizeMismatchError, 1554 update_check_response_size == 1555 metadata_size_ + metadata_signature_size_ + 1556 buffer_offset_); 1557 1558 // Verifies the payload hash. 1559 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadVerificationError, 1560 !payload_hash_calculator_.raw_hash().empty()); 1561 TEST_AND_RETURN_VAL( 1562 ErrorCode::kPayloadHashMismatchError, 1563 payload_hash_calculator_.raw_hash() == update_check_response_hash); 1564 1565 // Verifies the signed payload hash. 1566 if (!utils::FileExists(path_to_public_key.value().c_str())) { 1567 LOG(WARNING) << "Not verifying signed delta payload -- missing public key."; 1568 return ErrorCode::kSuccess; 1569 } 1570 TEST_AND_RETURN_VAL(ErrorCode::kSignedDeltaPayloadExpectedError, 1571 !signatures_message_data_.empty()); 1572 brillo::Blob hash_data = signed_hash_calculator_.raw_hash(); 1573 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError, 1574 PayloadVerifier::PadRSA2048SHA256Hash(&hash_data)); 1575 TEST_AND_RETURN_VAL(ErrorCode::kDownloadPayloadPubKeyVerificationError, 1576 !hash_data.empty()); 1577 1578 if (!PayloadVerifier::VerifySignature( 1579 signatures_message_data_, path_to_public_key.value(), hash_data)) { 1580 // The autoupdate_CatchBadSignatures test checks for this string 1581 // in log-files. Keep in sync. 1582 LOG(ERROR) << "Public key verification failed, thus update failed."; 1583 return ErrorCode::kDownloadPayloadPubKeyVerificationError; 1584 } 1585 1586 LOG(INFO) << "Payload hash matches value in payload."; 1587 1588 // At this point, we are guaranteed to have downloaded a full payload, i.e 1589 // the one whose size matches the size mentioned in Omaha response. If any 1590 // errors happen after this, it's likely a problem with the payload itself or 1591 // the state of the system and not a problem with the URL or network. So, 1592 // indicate that to the download delegate so that AU can backoff 1593 // appropriately. 1594 if (download_delegate_) 1595 download_delegate_->DownloadComplete(); 1596 1597 return ErrorCode::kSuccess; 1598 } 1599 1600 void DeltaPerformer::DiscardBuffer(bool do_advance_offset, 1601 size_t signed_hash_buffer_size) { 1602 // Update the buffer offset. 1603 if (do_advance_offset) 1604 buffer_offset_ += buffer_.size(); 1605 1606 // Hash the content. 1607 payload_hash_calculator_.Update(buffer_.data(), buffer_.size()); 1608 signed_hash_calculator_.Update(buffer_.data(), signed_hash_buffer_size); 1609 1610 // Swap content with an empty vector to ensure that all memory is released. 1611 brillo::Blob().swap(buffer_); 1612 } 1613 1614 bool DeltaPerformer::CanResumeUpdate(PrefsInterface* prefs, 1615 const string& update_check_response_hash) { 1616 int64_t next_operation = kUpdateStateOperationInvalid; 1617 if (!(prefs->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) && 1618 next_operation != kUpdateStateOperationInvalid && 1619 next_operation > 0)) 1620 return false; 1621 1622 string interrupted_hash; 1623 if (!(prefs->GetString(kPrefsUpdateCheckResponseHash, &interrupted_hash) && 1624 !interrupted_hash.empty() && 1625 interrupted_hash == update_check_response_hash)) 1626 return false; 1627 1628 int64_t resumed_update_failures; 1629 // Note that storing this value is optional, but if it is there it should not 1630 // be more than the limit. 1631 if (prefs->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures) && 1632 resumed_update_failures > kMaxResumedUpdateFailures) 1633 return false; 1634 1635 // Sanity check the rest. 1636 int64_t next_data_offset = -1; 1637 if (!(prefs->GetInt64(kPrefsUpdateStateNextDataOffset, &next_data_offset) && 1638 next_data_offset >= 0)) 1639 return false; 1640 1641 string sha256_context; 1642 if (!(prefs->GetString(kPrefsUpdateStateSHA256Context, &sha256_context) && 1643 !sha256_context.empty())) 1644 return false; 1645 1646 int64_t manifest_metadata_size = 0; 1647 if (!(prefs->GetInt64(kPrefsManifestMetadataSize, &manifest_metadata_size) && 1648 manifest_metadata_size > 0)) 1649 return false; 1650 1651 int64_t manifest_signature_size = 0; 1652 if (!(prefs->GetInt64(kPrefsManifestSignatureSize, 1653 &manifest_signature_size) && 1654 manifest_signature_size >= 0)) 1655 return false; 1656 1657 return true; 1658 } 1659 1660 bool DeltaPerformer::ResetUpdateProgress(PrefsInterface* prefs, bool quick) { 1661 TEST_AND_RETURN_FALSE(prefs->SetInt64(kPrefsUpdateStateNextOperation, 1662 kUpdateStateOperationInvalid)); 1663 if (!quick) { 1664 prefs->SetInt64(kPrefsUpdateStateNextDataOffset, -1); 1665 prefs->SetInt64(kPrefsUpdateStateNextDataLength, 0); 1666 prefs->SetString(kPrefsUpdateStateSHA256Context, ""); 1667 prefs->SetString(kPrefsUpdateStateSignedSHA256Context, ""); 1668 prefs->SetString(kPrefsUpdateStateSignatureBlob, ""); 1669 prefs->SetInt64(kPrefsManifestMetadataSize, -1); 1670 prefs->SetInt64(kPrefsManifestSignatureSize, -1); 1671 prefs->SetInt64(kPrefsResumedUpdateFailures, 0); 1672 prefs->Delete(kPrefsPostInstallSucceeded); 1673 } 1674 return true; 1675 } 1676 1677 bool DeltaPerformer::CheckpointUpdateProgress() { 1678 Terminator::set_exit_blocked(true); 1679 if (last_updated_buffer_offset_ != buffer_offset_) { 1680 // Resets the progress in case we die in the middle of the state update. 1681 ResetUpdateProgress(prefs_, true); 1682 TEST_AND_RETURN_FALSE( 1683 prefs_->SetString(kPrefsUpdateStateSHA256Context, 1684 payload_hash_calculator_.GetContext())); 1685 TEST_AND_RETURN_FALSE( 1686 prefs_->SetString(kPrefsUpdateStateSignedSHA256Context, 1687 signed_hash_calculator_.GetContext())); 1688 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataOffset, 1689 buffer_offset_)); 1690 last_updated_buffer_offset_ = buffer_offset_; 1691 1692 if (next_operation_num_ < num_total_operations_) { 1693 size_t partition_index = current_partition_; 1694 while (next_operation_num_ >= acc_num_operations_[partition_index]) 1695 partition_index++; 1696 const size_t partition_operation_num = next_operation_num_ - ( 1697 partition_index ? acc_num_operations_[partition_index - 1] : 0); 1698 const InstallOperation& op = 1699 partitions_[partition_index].operations(partition_operation_num); 1700 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength, 1701 op.data_length())); 1702 } else { 1703 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextDataLength, 1704 0)); 1705 } 1706 } 1707 TEST_AND_RETURN_FALSE(prefs_->SetInt64(kPrefsUpdateStateNextOperation, 1708 next_operation_num_)); 1709 return true; 1710 } 1711 1712 bool DeltaPerformer::PrimeUpdateState() { 1713 CHECK(manifest_valid_); 1714 block_size_ = manifest_.block_size(); 1715 1716 int64_t next_operation = kUpdateStateOperationInvalid; 1717 if (!prefs_->GetInt64(kPrefsUpdateStateNextOperation, &next_operation) || 1718 next_operation == kUpdateStateOperationInvalid || 1719 next_operation <= 0) { 1720 // Initiating a new update, no more state needs to be initialized. 1721 return true; 1722 } 1723 next_operation_num_ = next_operation; 1724 1725 // Resuming an update -- load the rest of the update state. 1726 int64_t next_data_offset = -1; 1727 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsUpdateStateNextDataOffset, 1728 &next_data_offset) && 1729 next_data_offset >= 0); 1730 buffer_offset_ = next_data_offset; 1731 1732 // The signed hash context and the signature blob may be empty if the 1733 // interrupted update didn't reach the signature. 1734 string signed_hash_context; 1735 if (prefs_->GetString(kPrefsUpdateStateSignedSHA256Context, 1736 &signed_hash_context)) { 1737 TEST_AND_RETURN_FALSE( 1738 signed_hash_calculator_.SetContext(signed_hash_context)); 1739 } 1740 1741 string signature_blob; 1742 if (prefs_->GetString(kPrefsUpdateStateSignatureBlob, &signature_blob)) { 1743 signatures_message_data_.assign(signature_blob.begin(), 1744 signature_blob.end()); 1745 } 1746 1747 string hash_context; 1748 TEST_AND_RETURN_FALSE(prefs_->GetString(kPrefsUpdateStateSHA256Context, 1749 &hash_context) && 1750 payload_hash_calculator_.SetContext(hash_context)); 1751 1752 int64_t manifest_metadata_size = 0; 1753 TEST_AND_RETURN_FALSE(prefs_->GetInt64(kPrefsManifestMetadataSize, 1754 &manifest_metadata_size) && 1755 manifest_metadata_size > 0); 1756 metadata_size_ = manifest_metadata_size; 1757 1758 int64_t manifest_signature_size = 0; 1759 TEST_AND_RETURN_FALSE( 1760 prefs_->GetInt64(kPrefsManifestSignatureSize, &manifest_signature_size) && 1761 manifest_signature_size >= 0); 1762 metadata_signature_size_ = manifest_signature_size; 1763 1764 // Advance the download progress to reflect what doesn't need to be 1765 // re-downloaded. 1766 total_bytes_received_ += buffer_offset_; 1767 1768 // Speculatively count the resume as a failure. 1769 int64_t resumed_update_failures; 1770 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) { 1771 resumed_update_failures++; 1772 } else { 1773 resumed_update_failures = 1; 1774 } 1775 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures); 1776 return true; 1777 } 1778 1779 } // namespace chromeos_update_engine 1780