1 //
2 // Copyright (C) 2011 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include "update_engine/omaha_response_handler_action.h"
18 
19 #include <limits>
20 #include <string>
21 
22 #include <base/logging.h>
23 #include <base/strings/string_number_conversions.h>
24 #include <policy/device_policy.h>
25 
26 #include "update_engine/common/constants.h"
27 #include "update_engine/common/hardware_interface.h"
28 #include "update_engine/common/prefs_interface.h"
29 #include "update_engine/common/utils.h"
30 #include "update_engine/connection_manager_interface.h"
31 #include "update_engine/omaha_request_params.h"
32 #include "update_engine/payload_consumer/delta_performer.h"
33 #include "update_engine/payload_state_interface.h"
34 #include "update_engine/update_manager/policy.h"
35 #include "update_engine/update_manager/update_manager.h"
36 
37 using chromeos_update_manager::Policy;
38 using chromeos_update_manager::UpdateManager;
39 using std::numeric_limits;
40 using std::string;
41 
42 namespace chromeos_update_engine {
43 
44 OmahaResponseHandlerAction::OmahaResponseHandlerAction(
45     SystemState* system_state)
46     : system_state_(system_state),
47       deadline_file_(constants::kOmahaResponseDeadlineFile) {}
48 
49 void OmahaResponseHandlerAction::PerformAction() {
50   CHECK(HasInputObject());
51   ScopedActionCompleter completer(processor_, this);
52   const OmahaResponse& response = GetInputObject();
53   if (!response.update_exists) {
54     LOG(INFO) << "There are no updates. Aborting.";
55     completer.set_code(ErrorCode::kNoUpdate);
56     return;
57   }
58 
59   // All decisions as to which URL should be used have already been done. So,
60   // make the current URL as the download URL.
61   string current_url = system_state_->payload_state()->GetCurrentUrl();
62   if (current_url.empty()) {
63     // This shouldn't happen as we should always supply the HTTPS backup URL.
64     // Handling this anyway, just in case.
65     LOG(ERROR) << "There are no suitable URLs in the response to use.";
66     completer.set_code(ErrorCode::kOmahaResponseInvalid);
67     return;
68   }
69 
70   // This is the url to the first package, not all packages.
71   install_plan_.download_url = current_url;
72   install_plan_.version = response.version;
73   install_plan_.system_version = response.system_version;
74 
75   OmahaRequestParams* const params = system_state_->request_params();
76   PayloadStateInterface* const payload_state = system_state_->payload_state();
77 
78   // If we're using p2p to download and there is a local peer, use it.
79   if (payload_state->GetUsingP2PForDownloading() &&
80       !payload_state->GetP2PUrl().empty()) {
81     LOG(INFO) << "Replacing URL " << install_plan_.download_url
82               << " with local URL " << payload_state->GetP2PUrl()
83               << " since p2p is enabled.";
84     install_plan_.download_url = payload_state->GetP2PUrl();
85     payload_state->SetUsingP2PForDownloading(true);
86   }
87 
88   // Fill up the other properties based on the response.
89   string update_check_response_hash;
90   for (const auto& package : response.packages) {
91     brillo::Blob raw_hash;
92     if (!base::HexStringToBytes(package.hash, &raw_hash)) {
93       LOG(ERROR) << "Failed to convert payload hash from hex string to bytes: "
94                  << package.hash;
95       completer.set_code(ErrorCode::kOmahaResponseInvalid);
96       return;
97     }
98     install_plan_.payloads.push_back(
99         {.size = package.size,
100          .metadata_size = package.metadata_size,
101          .metadata_signature = package.metadata_signature,
102          .hash = raw_hash,
103          .type = package.is_delta ? InstallPayloadType::kDelta
104                                   : InstallPayloadType::kFull});
105     update_check_response_hash += package.hash + ":";
106   }
107   install_plan_.public_key_rsa = response.public_key_rsa;
108   install_plan_.hash_checks_mandatory = AreHashChecksMandatory(response);
109   install_plan_.is_resume = DeltaPerformer::CanResumeUpdate(
110       system_state_->prefs(), update_check_response_hash);
111   if (install_plan_.is_resume) {
112     payload_state->UpdateResumed();
113   } else {
114     payload_state->UpdateRestarted();
115     LOG_IF(WARNING,
116            !DeltaPerformer::ResetUpdateProgress(system_state_->prefs(), false))
117         << "Unable to reset the update progress.";
118     LOG_IF(WARNING,
119            !system_state_->prefs()->SetString(kPrefsUpdateCheckResponseHash,
120                                               update_check_response_hash))
121         << "Unable to save the update check response hash.";
122   }
123 
124   if (params->is_install()) {
125     install_plan_.target_slot = system_state_->boot_control()->GetCurrentSlot();
126     install_plan_.source_slot = BootControlInterface::kInvalidSlot;
127   } else {
128     install_plan_.source_slot = system_state_->boot_control()->GetCurrentSlot();
129     install_plan_.target_slot = install_plan_.source_slot == 0 ? 1 : 0;
130   }
131 
132   // The Omaha response doesn't include the channel name for this image, so we
133   // use the download_channel we used during the request to tag the target slot.
134   // This will be used in the next boot to know the channel the image was
135   // downloaded from.
136   string current_channel_key =
137       kPrefsChannelOnSlotPrefix + std::to_string(install_plan_.target_slot);
138   system_state_->prefs()->SetString(current_channel_key,
139                                     params->download_channel());
140 
141   // Checking whether device is able to boot up the returned rollback image.
142   if (response.is_rollback) {
143     if (!params->rollback_allowed()) {
144       LOG(ERROR) << "Received rollback image but rollback is not allowed.";
145       completer.set_code(ErrorCode::kOmahaResponseInvalid);
146       return;
147     }
148     auto min_kernel_key_version = static_cast<uint32_t>(
149         system_state_->hardware()->GetMinKernelKeyVersion());
150     auto min_firmware_key_version = static_cast<uint32_t>(
151         system_state_->hardware()->GetMinFirmwareKeyVersion());
152     uint32_t kernel_key_version =
153         static_cast<uint32_t>(response.rollback_key_version.kernel_key) << 16 |
154         static_cast<uint32_t>(response.rollback_key_version.kernel);
155     uint32_t firmware_key_version =
156         static_cast<uint32_t>(response.rollback_key_version.firmware_key)
157             << 16 |
158         static_cast<uint32_t>(response.rollback_key_version.firmware);
159 
160     // Don't attempt a rollback if the versions are incompatible or the
161     // target image does not specify the version information.
162     if (kernel_key_version == numeric_limits<uint32_t>::max() ||
163         firmware_key_version == numeric_limits<uint32_t>::max() ||
164         kernel_key_version < min_kernel_key_version ||
165         firmware_key_version < min_firmware_key_version) {
166       LOG(ERROR) << "Device won't be able to boot up the rollback image.";
167       completer.set_code(ErrorCode::kRollbackNotPossible);
168       return;
169     }
170     install_plan_.is_rollback = true;
171   }
172 
173   if (response.powerwash_required || params->ShouldPowerwash())
174     install_plan_.powerwash_required = true;
175 
176   TEST_AND_RETURN(HasOutputPipe());
177   if (HasOutputPipe())
178     SetOutputObject(install_plan_);
179   LOG(INFO) << "Using this install plan:";
180   install_plan_.Dump();
181 
182   // Send the deadline data (if any) to Chrome through a file. This is a pretty
183   // hacky solution but should be OK for now.
184   //
185   // TODO(petkov): Re-architect this to avoid communication through a
186   // file. Ideally, we would include this information in D-Bus's GetStatus
187   // method and UpdateStatus signal. A potential issue is that update_engine may
188   // be unresponsive during an update download.
189   if (!deadline_file_.empty()) {
190     if (payload_state->GetRollbackHappened()) {
191       // Don't do forced update if rollback has happened since the last update
192       // check where policy was present.
193       LOG(INFO) << "Not forcing update because a rollback happened.";
194       utils::WriteFile(deadline_file_.c_str(), nullptr, 0);
195     } else {
196       utils::WriteFile(deadline_file_.c_str(),
197                        response.deadline.data(),
198                        response.deadline.size());
199     }
200     chmod(deadline_file_.c_str(), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
201   }
202 
203   // Check the generated install-plan with the Policy to confirm that
204   // it can be applied at this time (or at all).
205   UpdateManager* const update_manager = system_state_->update_manager();
206   CHECK(update_manager);
207   auto ec = ErrorCode::kSuccess;
208   update_manager->PolicyRequest(
209       &Policy::UpdateCanBeApplied, &ec, &install_plan_);
210   completer.set_code(ec);
211 }
212 
213 bool OmahaResponseHandlerAction::AreHashChecksMandatory(
214     const OmahaResponse& response) {
215   // We sometimes need to waive the hash checks in order to download from
216   // sources that don't provide hashes, such as dev server.
217   // At this point UpdateAttempter::IsAnyUpdateSourceAllowed() has already been
218   // checked, so an unofficial update URL won't get this far unless it's OK to
219   // use without a hash. Additionally, we want to always waive hash checks on
220   // unofficial builds (i.e. dev/test images).
221   // The end result is this:
222   //  * Base image:
223   //    - Official URLs require a hash.
224   //    - Unofficial URLs only get this far if the IsAnyUpdateSourceAllowed()
225   //      devmode/debugd checks pass, in which case the hash is waived.
226   //  * Dev/test image:
227   //    - Any URL is allowed through with no hash checking.
228   if (!system_state_->request_params()->IsUpdateUrlOfficial() ||
229       !system_state_->hardware()->IsOfficialBuild()) {
230     // Still do a hash check if a public key is included.
231     if (!response.public_key_rsa.empty()) {
232       // The autoupdate_CatchBadSignatures test checks for this string
233       // in log-files. Keep in sync.
234       LOG(INFO) << "Mandating payload hash checks since Omaha Response "
235                 << "for unofficial build includes public RSA key.";
236       return true;
237     } else {
238       LOG(INFO) << "Waiving payload hash checks for unofficial update URL.";
239       return false;
240     }
241   }
242 
243   LOG(INFO) << "Mandating hash checks for official URL on official build.";
244   return true;
245 }
246 
247 }  // namespace chromeos_update_engine
248