1 // 2 // Copyright (C) 2010 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef UPDATE_ENGINE_PAYLOAD_CONSUMER_DELTA_PERFORMER_H_ 18 #define UPDATE_ENGINE_PAYLOAD_CONSUMER_DELTA_PERFORMER_H_ 19 20 #include <inttypes.h> 21 22 #include <limits> 23 #include <memory> 24 #include <string> 25 #include <utility> 26 #include <vector> 27 28 #include <base/time/time.h> 29 #include <brillo/secure_blob.h> 30 #include <google/protobuf/repeated_field.h> 31 #include <gtest/gtest_prod.h> // for FRIEND_TEST 32 33 #include "update_engine/common/hash_calculator.h" 34 #include "update_engine/common/platform_constants.h" 35 #include "update_engine/payload_consumer/file_descriptor.h" 36 #include "update_engine/payload_consumer/file_writer.h" 37 #include "update_engine/payload_consumer/install_plan.h" 38 #include "update_engine/payload_consumer/payload_metadata.h" 39 #include "update_engine/payload_consumer/payload_verifier.h" 40 #include "update_engine/update_metadata.pb.h" 41 42 namespace chromeos_update_engine { 43 44 class DownloadActionDelegate; 45 class BootControlInterface; 46 class HardwareInterface; 47 class PrefsInterface; 48 49 // This class performs the actions in a delta update synchronously. The delta 50 // update itself should be passed in in chunks as it is received. 51 52 class DeltaPerformer : public FileWriter { 53 public: 54 // Defines the granularity of progress logging in terms of how many "completed 55 // chunks" we want to report at the most. 56 static const unsigned kProgressLogMaxChunks; 57 // Defines a timeout since the last progress was logged after which we want to 58 // force another log message (even if the current chunk was not completed). 59 static const unsigned kProgressLogTimeoutSeconds; 60 // These define the relative weights (0-100) we give to the different work 61 // components associated with an update when computing an overall progress. 62 // Currently they include the download progress and the number of completed 63 // operations. They must add up to one hundred (100). 64 static const unsigned kProgressDownloadWeight; 65 static const unsigned kProgressOperationsWeight; 66 static const uint64_t kCheckpointFrequencySeconds; 67 68 DeltaPerformer(PrefsInterface* prefs, 69 BootControlInterface* boot_control, 70 HardwareInterface* hardware, 71 DownloadActionDelegate* download_delegate, 72 InstallPlan* install_plan, 73 InstallPlan::Payload* payload, 74 bool interactive) 75 : prefs_(prefs), 76 boot_control_(boot_control), 77 hardware_(hardware), 78 download_delegate_(download_delegate), 79 install_plan_(install_plan), 80 payload_(payload), 81 interactive_(interactive) {} 82 83 // FileWriter's Write implementation where caller doesn't care about 84 // error codes. 85 bool Write(const void* bytes, size_t count) override { 86 ErrorCode error; 87 return Write(bytes, count, &error); 88 } 89 90 // FileWriter's Write implementation that returns a more specific |error| code 91 // in case of failures in Write operation. 92 bool Write(const void* bytes, size_t count, ErrorCode* error) override; 93 94 // Wrapper around close. Returns 0 on success or -errno on error. 95 // Closes both 'path' given to Open() and the kernel path. 96 int Close() override; 97 98 // Open the target and source (if delta payload) file descriptors for the 99 // |current_partition_|. The manifest needs to be already parsed for this to 100 // work. Returns whether the required file descriptors were successfully open. 101 bool OpenCurrentPartition(); 102 103 // Attempt to open the error-corrected device for the current partition. 104 // Returns whether the operation succeeded. 105 bool OpenCurrentECCPartition(); 106 107 // Closes the current partition file descriptors if open. Returns 0 on success 108 // or -errno on error. 109 int CloseCurrentPartition(); 110 111 // Returns |true| only if the manifest has been processed and it's valid. 112 bool IsManifestValid(); 113 114 // Verifies the downloaded payload against the signed hash included in the 115 // payload, against the update check hash and size using the public key and 116 // returns ErrorCode::kSuccess on success, an error code on failure. 117 // This method should be called after closing the stream. Note this method 118 // skips the signed hash check if the public key is unavailable; it returns 119 // ErrorCode::kSignedDeltaPayloadExpectedError if the public key is available 120 // but the delta payload doesn't include a signature. 121 ErrorCode VerifyPayload(const brillo::Blob& update_check_response_hash, 122 const uint64_t update_check_response_size); 123 124 // Converts an ordered collection of Extent objects which contain data of 125 // length full_length to a comma-separated string. For each Extent, the 126 // string will have the start offset and then the length in bytes. 127 // The length value of the last extent in the string may be short, since 128 // the full length of all extents in the string is capped to full_length. 129 // Also, an extent starting at kSparseHole, appears as -1 in the string. 130 // For example, if the Extents are {1, 1}, {4, 2}, {kSparseHole, 1}, 131 // {0, 1}, block_size is 4096, and full_length is 5 * block_size - 13, 132 // the resulting string will be: "4096:4096,16384:8192,-1:4096,0:4083" 133 static bool ExtentsToBsdiffPositionsString( 134 const google::protobuf::RepeatedPtrField<Extent>& extents, 135 uint64_t block_size, 136 uint64_t full_length, 137 std::string* positions_string); 138 139 // Returns true if a previous update attempt can be continued based on the 140 // persistent preferences and the new update check response hash. 141 static bool CanResumeUpdate(PrefsInterface* prefs, 142 const std::string& update_check_response_hash); 143 144 // Resets the persistent update progress state to indicate that an update 145 // can't be resumed. Performs a quick update-in-progress reset if |quick| is 146 // true, otherwise resets all progress-related update state. 147 // If |skip_dynamic_partititon_metadata_updated| is true, do not reset 148 // dynamic-partition-metadata-updated. 149 // Returns true on success, false otherwise. 150 static bool ResetUpdateProgress( 151 PrefsInterface* prefs, 152 bool quick, 153 bool skip_dynamic_partititon_metadata_updated = false); 154 155 // Attempts to parse the update metadata starting from the beginning of 156 // |payload|. On success, returns kMetadataParseSuccess. Returns 157 // kMetadataParseInsufficientData if more data is needed to parse the complete 158 // metadata. Returns kMetadataParseError if the metadata can't be parsed given 159 // the payload. 160 MetadataParseResult ParsePayloadMetadata(const brillo::Blob& payload, 161 ErrorCode* error); 162 163 void set_public_key_path(const std::string& public_key_path) { 164 public_key_path_ = public_key_path; 165 } 166 167 void set_update_certificates_path( 168 const std::string& update_certificates_path) { 169 update_certificates_path_ = update_certificates_path; 170 } 171 172 // Return true if header parsing is finished and no errors occurred. 173 bool IsHeaderParsed() const; 174 175 // Returns the delta minor version. If this value is defined in the manifest, 176 // it returns that value, otherwise it returns the default value. 177 uint32_t GetMinorVersion() const; 178 179 // Compare |calculated_hash| with source hash in |operation|, return false and 180 // dump hash and set |error| if don't match. 181 // |source_fd| is the file descriptor of the source partition. 182 static bool ValidateSourceHash(const brillo::Blob& calculated_hash, 183 const InstallOperation& operation, 184 const FileDescriptorPtr source_fd, 185 ErrorCode* error); 186 187 // Initialize partitions and allocate required space for an update with the 188 // given |manifest|. |update_check_response_hash| is used to check if the 189 // previous call to this function corresponds to the same payload. 190 // - Same payload: not make any persistent modifications (not write to disk) 191 // - Different payload: make persistent modifications (write to disk) 192 // In both cases, in-memory flags are updated. This function must be called 193 // on the payload at least once (to update in-memory flags) before writing 194 // (applying) the payload. 195 // If error due to insufficient space, |required_size| is set to the required 196 // size on the device to apply the payload. 197 static bool PreparePartitionsForUpdate( 198 PrefsInterface* prefs, 199 BootControlInterface* boot_control, 200 BootControlInterface::Slot target_slot, 201 const DeltaArchiveManifest& manifest, 202 const std::string& update_check_response_hash, 203 uint64_t* required_size); 204 205 private: 206 friend class DeltaPerformerTest; 207 friend class DeltaPerformerIntegrationTest; 208 FRIEND_TEST(DeltaPerformerTest, BrilloMetadataSignatureSizeTest); 209 FRIEND_TEST(DeltaPerformerTest, BrilloParsePayloadMetadataTest); 210 FRIEND_TEST(DeltaPerformerTest, ChooseSourceFDTest); 211 FRIEND_TEST(DeltaPerformerTest, UsePublicKeyFromResponse); 212 213 // Parse and move the update instructions of all partitions into our local 214 // |partitions_| variable based on the version of the payload. Requires the 215 // manifest to be parsed and valid. 216 bool ParseManifestPartitions(ErrorCode* error); 217 218 // Appends up to |*count_p| bytes from |*bytes_p| to |buffer_|, but only to 219 // the extent that the size of |buffer_| does not exceed |max|. Advances 220 // |*cbytes_p| and decreases |*count_p| by the actual number of bytes copied, 221 // and returns this number. 222 size_t CopyDataToBuffer(const char** bytes_p, size_t* count_p, size_t max); 223 224 // If |op_result| is false, emits an error message using |op_type_name| and 225 // sets |*error| accordingly. Otherwise does nothing. Returns |op_result|. 226 bool HandleOpResult(bool op_result, 227 const char* op_type_name, 228 ErrorCode* error); 229 230 // Logs the progress of downloading/applying an update. 231 void LogProgress(const char* message_prefix); 232 233 // Update overall progress metrics, log as necessary. 234 void UpdateOverallProgress(bool force_log, const char* message_prefix); 235 236 // Returns true if enough of the delta file has been passed via Write() 237 // to be able to perform a given install operation. 238 bool CanPerformInstallOperation(const InstallOperation& operation); 239 240 // Checks the integrity of the payload manifest. Returns true upon success, 241 // false otherwise. 242 ErrorCode ValidateManifest(); 243 244 // Validates that the hash of the blobs corresponding to the given |operation| 245 // matches what's specified in the manifest in the payload. 246 // Returns ErrorCode::kSuccess on match or a suitable error code otherwise. 247 ErrorCode ValidateOperationHash(const InstallOperation& operation); 248 249 // Returns true on success. 250 bool PerformInstallOperation(const InstallOperation& operation); 251 252 // These perform a specific type of operation and return true on success. 253 // |error| will be set if source hash mismatch, otherwise |error| might not be 254 // set even if it fails. 255 bool PerformReplaceOperation(const InstallOperation& operation); 256 bool PerformZeroOrDiscardOperation(const InstallOperation& operation); 257 bool PerformMoveOperation(const InstallOperation& operation); 258 bool PerformBsdiffOperation(const InstallOperation& operation); 259 bool PerformSourceCopyOperation(const InstallOperation& operation, 260 ErrorCode* error); 261 bool PerformSourceBsdiffOperation(const InstallOperation& operation, 262 ErrorCode* error); 263 bool PerformPuffDiffOperation(const InstallOperation& operation, 264 ErrorCode* error); 265 266 // For a given operation, choose the source fd to be used (raw device or error 267 // correction device) based on the source operation hash. 268 // Returns nullptr if the source hash mismatch cannot be corrected, and set 269 // the |error| accordingly. 270 FileDescriptorPtr ChooseSourceFD(const InstallOperation& operation, 271 ErrorCode* error); 272 273 // Extracts the payload signature message from the blob on the |operation| if 274 // the offset matches the one specified by the manifest. Returns whether the 275 // signature was extracted. 276 bool ExtractSignatureMessageFromOperation(const InstallOperation& operation); 277 278 // Extracts the payload signature message from the current |buffer_| if the 279 // offset matches the one specified by the manifest. Returns whether the 280 // signature was extracted. 281 bool ExtractSignatureMessage(); 282 283 // Updates the payload hash calculator with the bytes in |buffer_|, also 284 // updates the signed hash calculator with the first |signed_hash_buffer_size| 285 // bytes in |buffer_|. Then discard the content, ensuring that memory is being 286 // deallocated. If |do_advance_offset|, advances the internal offset counter 287 // accordingly. 288 void DiscardBuffer(bool do_advance_offset, size_t signed_hash_buffer_size); 289 290 // Checkpoints the update progress into persistent storage to allow this 291 // update attempt to be resumed after reboot. 292 // If |force| is false, checkpoint may be throttled. 293 bool CheckpointUpdateProgress(bool force); 294 295 // Primes the required update state. Returns true if the update state was 296 // successfully initialized to a saved resume state or if the update is a new 297 // update. Returns false otherwise. 298 bool PrimeUpdateState(); 299 300 // Get the public key to be used to verify metadata signature or payload 301 // signature. Always use |public_key_path_| if exists, otherwise if the Omaha 302 // response contains a public RSA key and we're allowed to use it (e.g. if 303 // we're in developer mode), decode the key from the response and store it in 304 // |out_public_key|. Returns false on failures. 305 bool GetPublicKey(std::string* out_public_key); 306 307 // Creates a PayloadVerifier from the zip file containing certificates. If the 308 // path to the zip file doesn't exist, falls back to use the public key. 309 // Returns a tuple with the created PayloadVerifier and if we should perform 310 // the verification. 311 std::pair<std::unique_ptr<PayloadVerifier>, bool> CreatePayloadVerifier(); 312 313 // After install_plan_ is filled with partition names and sizes, initialize 314 // metadata of partitions and map necessary devices before opening devices. 315 // Also see comment for the static PreparePartitionsForUpdate(). 316 bool PreparePartitionsForUpdate(uint64_t* required_size); 317 318 // Update Engine preference store. 319 PrefsInterface* prefs_; 320 321 // BootControl and Hardware interface references. 322 BootControlInterface* boot_control_; 323 HardwareInterface* hardware_; 324 325 // The DownloadActionDelegate instance monitoring the DownloadAction, or a 326 // nullptr if not used. 327 DownloadActionDelegate* download_delegate_; 328 329 // Install Plan based on Omaha Response. 330 InstallPlan* install_plan_; 331 332 // Pointer to the current payload in install_plan_.payloads. 333 InstallPlan::Payload* payload_{nullptr}; 334 335 // File descriptor of the source partition. Only set while updating a 336 // partition when using a delta payload. 337 FileDescriptorPtr source_fd_{nullptr}; 338 339 // File descriptor of the error corrected source partition. Only set while 340 // updating partition using a delta payload for a partition where error 341 // correction is available. The size of the error corrected device is smaller 342 // than the underlying raw device, since it doesn't include the error 343 // correction blocks. 344 FileDescriptorPtr source_ecc_fd_{nullptr}; 345 346 // The total number of operations that failed source hash verification but 347 // passed after falling back to the error-corrected |source_ecc_fd_| device. 348 uint64_t source_ecc_recovered_failures_{0}; 349 350 // Whether opening the current partition as an error-corrected device failed. 351 // Used to avoid re-opening the same source partition if it is not actually 352 // error corrected. 353 bool source_ecc_open_failure_{false}; 354 355 // File descriptor of the target partition. Only set while performing the 356 // operations of a given partition. 357 FileDescriptorPtr target_fd_{nullptr}; 358 359 // Paths the |source_fd_| and |target_fd_| refer to. 360 std::string source_path_; 361 std::string target_path_; 362 363 PayloadMetadata payload_metadata_; 364 365 // Parsed manifest. Set after enough bytes to parse the manifest were 366 // downloaded. 367 DeltaArchiveManifest manifest_; 368 bool manifest_parsed_{false}; 369 bool manifest_valid_{false}; 370 uint64_t metadata_size_{0}; 371 uint32_t metadata_signature_size_{0}; 372 uint64_t major_payload_version_{0}; 373 374 // Accumulated number of operations per partition. The i-th element is the 375 // sum of the number of operations for all the partitions from 0 to i 376 // inclusive. Valid when |manifest_valid_| is true. 377 std::vector<size_t> acc_num_operations_; 378 379 // The total operations in a payload. Valid when |manifest_valid_| is true, 380 // otherwise 0. 381 size_t num_total_operations_{0}; 382 383 // The list of partitions to update as found in the manifest major version 2. 384 // When parsing an older manifest format, the information is converted over to 385 // this format instead. 386 std::vector<PartitionUpdate> partitions_; 387 388 // Index in the list of partitions (|partitions_| member) of the current 389 // partition being processed. 390 size_t current_partition_{0}; 391 392 // Index of the next operation to perform in the manifest. The index is linear 393 // on the total number of operation on the manifest. 394 size_t next_operation_num_{0}; 395 396 // A buffer used for accumulating downloaded data. Initially, it stores the 397 // payload metadata; once that's downloaded and parsed, it stores data for the 398 // next update operation. 399 brillo::Blob buffer_; 400 // Offset of buffer_ in the binary blobs section of the update. 401 uint64_t buffer_offset_{0}; 402 403 // Last |buffer_offset_| value updated as part of the progress update. 404 uint64_t last_updated_buffer_offset_{std::numeric_limits<uint64_t>::max()}; 405 406 // The block size (parsed from the manifest). 407 uint32_t block_size_{0}; 408 409 // Calculates the whole payload file hash, including headers and signatures. 410 HashCalculator payload_hash_calculator_; 411 412 // Calculates the hash of the portion of the payload signed by the payload 413 // signature. This hash skips the metadata signature portion, located after 414 // the metadata and doesn't include the payload signature itself. 415 HashCalculator signed_hash_calculator_; 416 417 // Signatures message blob extracted directly from the payload. 418 std::string signatures_message_data_; 419 420 // The public key to be used. Provided as a member so that tests can 421 // override with test keys. 422 std::string public_key_path_{constants::kUpdatePayloadPublicKeyPath}; 423 424 // The path to the zip file with X509 certificates. 425 std::string update_certificates_path_{constants::kUpdateCertificatesPath}; 426 427 // The number of bytes received so far, used for progress tracking. 428 size_t total_bytes_received_{0}; 429 430 // An overall progress counter, which should reflect both download progress 431 // and the ratio of applied operations. Range is 0-100. 432 unsigned overall_progress_{0}; 433 434 // The last progress chunk recorded. 435 unsigned last_progress_chunk_{0}; 436 437 // If |true|, the update is user initiated (vs. periodic update checks). 438 bool interactive_{false}; 439 440 // The timeout after which we should force emitting a progress log (constant), 441 // and the actual point in time for the next forced log to be emitted. 442 const base::TimeDelta forced_progress_log_wait_{ 443 base::TimeDelta::FromSeconds(kProgressLogTimeoutSeconds)}; 444 base::TimeTicks forced_progress_log_time_; 445 446 // The frequency that we should write an update checkpoint (constant), and 447 // the point in time at which the next checkpoint should be written. 448 const base::TimeDelta update_checkpoint_wait_{ 449 base::TimeDelta::FromSeconds(kCheckpointFrequencySeconds)}; 450 base::TimeTicks update_checkpoint_time_; 451 452 DISALLOW_COPY_AND_ASSIGN(DeltaPerformer); 453 }; 454 455 } // namespace chromeos_update_engine 456 457 #endif // UPDATE_ENGINE_PAYLOAD_CONSUMER_DELTA_PERFORMER_H_ 458