When a partition shrinks, it is not correct to use the base device as
the "source" device for the new COW format, because we may need to read
blocks that do not exist in the new partition.
To resolve this, we store a copy of the old partition layout in /metadata,
and use it to create a "source" view of the old partition. The new
stacking looks as follows:
partition_b (dm-snapshot):
- partition_b-base (partition_b dm-linear)
- partition_b-cow-user (dm-user + snapuserd):
- partition_b-cow (COW image)
- partition_b-src (partition_a dm-linear)
Bug: 177935716
Test: vts_libsnapshot_test
Change-Id: I872f271cc1f25cc796b94188fdde247cdc4050b4
VAB has an unused optimization that allows bypassing snapshots for the
area of a partition that grows during an OTA. The code for this is
entirely unused since the optimization was never enabled. The benefits
are marginal, and making it safe is quite complicated. The "new" region
cannot overlap with any region being relinquished by a shrink operation,
without snapshotting the region that would be overwritten. This would be
burdensome to implement and would minimize space savings.
Let's remove the code related to this optimization until we are
confident we can implement it safely in VABC.
Bug: 177935716
Test: vts_libsnapshot_test
Change-Id: I7d6a68dce57c8a4389ea6bff9f31971276a20db4
Bug: http://b/177693725
fchmod is used to ensure profraw files are readable by all users with
Clang's profile merging.
Test: ensure mediaswcodec doesn't crash in code coverage build.
Change-Id: Ia1e3b5b51c1d2fc86d548cfd066e849b03004731
* changes:
libsnapshot: Fix incorrect CHECK in PerformInitTransition().
libsnapshot: Propagate the compression bit across state changes.
libsnapshot: Adjust partition sizes so tests pass with or without compression.
A future early-boot daemon (on-device signing) needs to access
/data/misc before fs-verity keys are locked. Therefore, move the
restorecon of /data up a bit, to make sure the labels are correct. To be
safe, only run it after init_user0, since that function is responsible
for loading DE keys.
Also move early boot keys and fs-verity key locking a bit later, since
the on-device signing daemon needs to use both of these, but it also
needs the restorecon to function correctly.
Bug: 174740982
Test: manual
Change-Id: I9b6e44d9b547d420e1c6ba01fb3d3accc0625e20
The sector count can decrease as the merge progresses, so we only care
that the sector count is less than or equal to the device size.
Bug: N/A
Test: reboot during VABC merge
Change-Id: I1da956456ea28ca0fdfbf9373848987c9f71ff68
This bit was getting lost because InitiateMerge() did not save the
compression bit when overwriting the update state.
Bug: N/A
Test: vts_libsnapshot_test
Test: reboot during merge phase of VABC OTA
Change-Id: I1a2219b501088de352a9c31d4b8b1a3f72d0e159
The pvmfw partition holds the protected VM firmware that is used by
Protected KVM to bootstrap the trust in protected VMs. Teach fastboot
about the partition so it gets flashed with flashall.
pvmfw is an AVB chained partition so is marked as BootCritical to allow
ABL's AVB verification to pass.
Test: tab complete and flashall
Bug: 171280178
Change-Id: Ie4cc478de25a945bc510488d87c2bee3aa5031f2
* changes:
trusty: Add simple fuzzer for keymaster TA
trusty: Increase limit on coverage counters
trusty: Write out sancov file when fuzzer exits
trusty: Switch to dmabuf for coverage shared memory
Adds a simple libfuzzer-based coverage guided fuzzer for keymaster.
Current coverage is low, so we'll need to improve this with an initial
corpus or a more sophisticated protocol aware fuzzer.
Bug: 175918322
Test: make trusty_keymaster_fuzzer
Test: adb shell /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Change-Id: Iad1713e1a73cc5a6a3ec742cc433d1337aca9bc3
Keymaster has more than 4096 counters, so we need to allocate a larger
section for the libfuzzer extra counters. Increases the size of the
extra counters section to 16384.
Bug: 171750250
Test: atest libtrusty_coverage_test
Change-Id: Iaee2c74b6d0c7ae8a2e5a30525759f89f825a091
Add emission of sancov file when CoverageRecord is destroyed. This
will occur when a fuzzer driver exits cleanly, i.e. -runs=0 with an
existing corpus.
Test: make trusty_gatekeeper_fuzzer
Test: adb shell ./trusty_gatekeeper_fuzzer -runs=0 corpus
Bug: 175221942
Change-Id: I6bd1c8b2f2091e894c35f7a4874b54577a91c8fc
Trusty shared memory now uses dmabuf instead of memfd. Switch the
coverage buffer allocation to use libdmabufheap.
Test: atest libtrusty_coverage_test
Bug: None
Change-Id: I067dd0774d19b42380ce5cb8ceb3541fa77ef9f0
WaitForDelete is supposed to block until close() has been called on the
COW image. However, it could race with the destructor for Snapuserd
since nothing guaranteed it was freed within the global lock.
This patch fixes the bug and refactors the surrounding code to make the
responsibilities of each thread clearer.
Bug: N/A
Test: vts_libsnapshot_test
Change-Id: Icfc264e6dff378db585c81cde381cc24269f4800
Grouping metadata into clusters decreases the overhead occured by extra
reads. Assuming a constant added cost with reads, we currently measure
this to be around 1.2 microseconds. For an entire OTA, this can add up
to several seconds of time. Setting the cluster size to 200 removes
99.5% of that extra time, while adding 20 bytes per 200 ops, as well as
up to 200*20 byes (4kb) unused space near the end of the file, although
it would be half of that on average. We save 99.5% of the overhead of
separate reads for a 0.5% space increase.
We've opted for a change to the default so that tools that estimate cow
size and any others will automatically be kept up to date, without
needing to update the value everywhere.
Bug: 172026020
Test: cow_api_test
Change-Id: Id4525cf2abfecf4691b46588823cb3cb4f6234d9
This change will help non-user builds with keeping debugfs
disabled during run time. Instead, debugfs will be mounted by init
to enable boot time initializations to set up vendor debug data
collection and unmounted after boot. It will be also be mounted by
dumpstate for bug report generation and unmounted after.
This change is only intended to help vendors (who depend on debugfs to
collect debug information from userdebug/eng builds) keep debugfs
disabled during runtime. Platform code must not depend on debugfs at all.
Test: manual
Bug: 176936478
Change-Id: I2e89d5b9540e3de094976563682d4b8c5c125876
The corpus of Confirmationui usually contains multiple data packets
to be transfered from Android side to Trusty side.
Therefore we adjust the Confirmationui fuzzer so that it can send
data to Confirmationui TA several times through a same tipc channel.
Bug: 174402999
Bug: 171750250
Test: /data/fuzz/arm64/trusty_confirmationui_fuzzer/trusty_confirmationui_fuzzer
Change-Id: Ib6ae831e6a19c98eb62a1c75f77eb00f914e2f5c
* changes:
libsnapshot: Fix tests that depend on PrepareOneSnapshot().
libsnapshot: Ensure dm-user devices are destroyed after a merge.
libsnapshot: Fix tests for mapping snapshots in first-stage init.
init: Add an selinux transition for snapuserd.
The following API was added for the API level 30 and beyond. Currently,
its existence is tested using the null check which is done regardless of
the min sdk version of the compilation unit. (which in turn required us
to mark the API symbol weak regardless of the min sdk version.)
* AGroupController_getFlags
Now, we have a better way of testing the API availability;
__builtin_available. The null check is replaced with the call to the
compiler-provided macro which determines if the code is running in a
version of OS where the API is known to exist.
Bug: 150860940
Bug: 134795810
Test: m
Change-Id: I5d17fc877c553c402a62485b61af574a54658a76
__ANDROID_API__ guards are removed in favor of __INTRODUCED_IN macros.
Currently, __INTRODUCED_IN macro does nothing for these headers (it's
meaningful only to the headers processed by versioner which are limited
to binic headers). The plan is to make the macros to tag the declaration
with the availability attribute. Then, when the min_sdk_version of a
caller is set to an API level that is older than the API level of the
APIs, the compiler will provide them as weak symbols and enforce that
calling the APIs are guarded with a runtime check.
For now, these guards are preventing from making a build system change
to let __ANDROID_API__ track the min_sdk_version property instead of the
sdk_version property. With the build system change, __ANDROID_API__ will
suddenly drop for the native modules where min_sdk_version <
sdk_version, which is the case when the modules are included in APEXes.
As a result, some new APIs will be unavailable at build-time. Dropping
the hand-written guards fixes the problem.
Bug: 163288375
Test: m
Change-Id: If1cc6b9af410f536abe6d777c22711209fa76530
PrepareOneSnapshot was hardcoded in a way that only worked with
pre-compression devices. This patch makes it use the public API and
supported update flow.
One test, SnapshotTest.Merge, now uses OpenSnapshotWriter instead of
MapUpdateSnapshot. There are still other tests using the old API call.
Bug: N/A
Test: vts_libsnapshot_test
Change-Id: Iec4bf6efe6a82e1f90b81fa4211201845ebabe62
