ImageManager can map images in recovery, but not delete them, because
/data is not mounted. libsnapshot handles this by storing extra state
files, but this is complex to manage and inconvenient for
fs_mgr_overlayfs.
Instead, this patch introduces two new calls:
- DisableImage(), which indicates the image should not be used. This is
implemented by adding a new DISABLED attribute to
LpPartitionMetadata. CreateLogicalPartitions ignores this flag, and
thus recovery/fastbootd can disable the scratch partition and
communicate that it can be deleted. This cannot be called from binder
since it is intended for recovery/first-stage init only.
- RemoveDisabledImages(), which walks the images for a given folder on
/metadata and deletes any that are disabled. This can be called from
binder.
Note that there is no metadata version bump for this flag. It's
considered to be included in the flag list for minor version 1, and
currently is not used for the actual super partition.
Bug: 134949511
Test: adb remount, fastboot flash system
Test: fiemap_image_test
Change-Id: Iaeca2d1eddb5637dd9a20202cafd11ae60b4d0e3
A few times we have wanted to stash small bits of information in the
super header, but we haven't had any bits to do so. This patch addresses
future needs in two ways:
1. A "flags" field has been added for miscellanious bits that do not
need a version bump.
2. The header struct has been padded to 256 bytes to allow for future
expansion without complicating the struct-parsing code.
This is the first time we've materially changed the format, so this
patch needs some extra explanation.
In all the places we rely on sizeof(LpMetadataHeader), we now need to
use the |header_size| field instead. To make newer versions of liblp
compatible with older headers, we read the minimum required header size
and fill in the extra bytes as needed. To make the validation and
reading logic more clear, it is now combined into a single function,
ReadMetdataHeader.
MetadataBuilder will still emit 1.0-compatible headers, to avoid
changing the on-disk format of existing devices. The new header will
only be emitted as-needed.
Bug: 134949511
Test: liblp_test gtest
retrofit DAP device boots
launch DAP device boots
Change-Id: I6221123768ff0057a73967ecb2ff9b006c17af88
When the bootloader (or fastbootd) flashes the super partition, we need
to make sure that init doesn't re-map any snapshot or snapshot-merge targets.
A simple way to do this is to introduce an attribute that is only added
by update_engine. When this flag is present, we know the partition has
not been flashed.
This bumps the minor version of LpMetadata. To make this as uninvasive
as possible, the new minor version is only used when MetadataBuilder
detects the new attribute. The new liblp can read older metadata, but will
reject it if it contains an illegal attribute set.
Bug: 139154795
Test: liblp_test gtest
Change-Id: I5ae15d11219b41575a9f71d7dbdb43cbf07a3529
It helps to fix a compilation issue with host libc:
core/fs_mgr/liblp/reader.cpp:252:9: error: use of undeclared identifier 'memcpy'; did you mean 'wmemcpy'?
memcpy(&partition, cursor, sizeof(partition));
^~~~~~
wmemcpy
Change-Id: I68f9c5b815b09f846aeba67bce0290f6829c80cf
Bug: 122616553
Test: built and ran liblp_test on Pixel 3 with Q weekly build
Added missing __attribute__((packed)) in two metadata structures.
Fixed error logging message when repairing primary metadata.
Few very minor additions related to metadata validation.
Fixed an off by one error in the validation of partition name length.
Change-Id: Ic777baf97871c786a209da7c32bc13c1360a8482
Signed-off-by: Ramon Pantin <pantin@google.com>
This method was designed for a single-super model, and now needs to
change to accomodate two super partitions (system_a and system_b, for
retrofitting).
NewForUpdate is supposed to transition metadata from one block device
to the next for updates. For normal devices this is a no-op, since
metadata only exists on one partition (super). For retrofit devices,
metadata exists on system_a and system_b. This has two implications.
First, any references to the source slot must be rewritten. For example
"vendor_b" must become "vendor_a". However this is not true of partition
names. Partitions/extents are cleared in the updated metadata since they
no longer have any meaning (the block device list has been
rewritten). We also clear groups since they are re-added during OTA.
The reason we have to do this rewriting is that slot suffixes are
automatically applied in ReadMetadata. We do not have access to the
original unsuffixed metadata that was written by the initial OTA.
This was a conscious design decision, since it localizes retrofitting
idiosyncracies to just a few places (ReadMetadata, NewForUpdate, and
fastbootd), minimizing the number of external callers that have to
understand auto-slot-suffixing.
It would be arguably cleaner if retrofit metadata was always serialized
*without* slot suffixes, thereby making NewForUpdate a no-op. However
this would necessitate changes to the API elsewhere. The functions that
read partition names would have to take a slot suffix, and this would
further complicate MetadataBuilder and fastbootd. Another solution would
be to augment LpMetadata to retain unsuffixed information, but this is
probably not worthwhile given that retrofitting is intended to be
surgical, and will have a shorter lifespan than the non-retrofit case.
Bug: 116802789
Test: liblp_test gtest
Change-Id: I33596d92b38c47bc70bc0aa37ed04f6f0b9d4b6f
This is needed for update_engine to properly clean old partitions on
retrofit devices.
Bug: 119687874
Test: liblp_test gtest
Change-Id: Ida9483ad3c127e357f45789540ebbedc9d3d3883
This adds a new MetadataBuilder constructor, NewForUpdate, that can be
used by update_engine to simplify upgrading metadata. It is safe to call
whether or not the device is a retrofit. If the metadata has block
devices assigned to a specific slot, and that slot matches the slot
suffix, it will ensure that an equivalent entry exists for the alternate
slot.
Thus, if the source slot is _a and the target slot is _b, and the
metadata has "system_a" as a block device but not "system_b", this will
automatically add "system_b" as a block device.
Bug: 116802789
Test: liblp_test gtest
Change-Id: Ie89d4dbf4c708b5705e658220227ebf33fcb1930
On retrofit devices, an OTA package or super_empty.img won't know which
slot it applies to. This is not an issue on devices shipping with
dynamic partitions, since they ship on the "a" slot.
To work around this, partitions and block devices can be flagged as
"auto-slot-suffixed". This indicates that ReadMetadata should
automatically append a slot suffix before returning the metadata. This
flag is added by MetadataBuilder when requested, and will be enabled via
lpmake separately.
After ReadMetadata has applied slot suffixes, it takes care to remove
the slot-suffix flag. This prevents the suffix from being applied twice,
if for example the metadata is then imported into a MetadataBuilder.
Bug: 116802789
Test: liblp_test gtest
retrofit device boots
Change-Id: Ic7de06d31253a8d5b8d15c0d936175ca2939f857
This patch allows the block device table in LpMetadataHeader to contain
additional partitions. MetadataBuilder can now resize partitions such
that are allocated across block devices as needed, however, it attempts
to minimize this by grouping free regions by device.
Bug: 116802789
Test: liblp_test gtests
device with super partition flashes and boots
Change-Id: I9cf74c8925faf154703eeba2a26546a152efcaa2
This change introduces an IPartitionOpener abstraction. Methods that
interact with live metadata, such as ReadMetadata, UpdatePartitionTable,
and FlashPartitionTable, now require an IPartitionOpener object. Its
purpose is dependency injection: it will make these methods much easier
to test when the super partition spans multiple block devices.
All non-test consumers should be using PartitionOpener, and as such,
some helper methods have been added that automatically create one.
Bug: 116802789
Test: liblp_test gtest
device with super partition boots
Change-Id: I76725a5830ef643c5007c152c00ccaad8085151f
This patch removes the alignment, block device size, and starting sector
fields from LpGeometry into a new LpMetadataBlockDevice struct. The
metadata now contains a table of these structs, and the table will have
exactly one entry representing the super partition.
This refactoring will make it easier to have logical partitions span
multiple physical partitions. When that happens, the table will be
allowed to have more than one entry, and the first entry of the table
will be considered the "root" of the super partition.
Bug: 116802789
Test: liblp_test gtest
device with logical partitions flashes and boots
Change-Id: I97f23beac0363182cb6ae78ba2595860950afcf0
Traditionally the first 512 bytes of a partition can be interpreted as
an MBR. To prevent any compatibility issues, we explicitly zero the
first 4096 bytes of the super partition (one logical block, on most
systems).
Bug: 116802789
Test: liblp_test gtest
device with super partition flashes and boots
Change-Id: I29688ca75dbb52442f1464e8ab35893678a4f79e
Previously, metadata backups were stored at the end of the partition to
make them easy to locate. On older devices where the super partition
could span system/vendor partitions, we may want to leave the end of
each partition free to store an AVB footer. To allow this, we now store
geometry and metadata backups near the start of the partition instead.
They are still positioned at a fixed offset.
Bug: 116802789
Test: device boots after flashing new metadata
Change-Id: Ib173f251a4a13e290adcc4ac5cfbeb030eacda30
Note that this moves SparseBuilder into images.h, and splits
ReadLogicalPartitionGeometry into componenet methods for better
testability.
Bug: 116802789
Test: liblp_test gtest
Change-Id: Ib41a46b633c71623c136a10fcc8017e4de20884c
This patch introduces a new "groups" table in the super partition
metadata. Each entry denotes a named partition group with a maximum
size. All partitions now belong to a group, and the total size of
partitions in a group must not exceed its maximum size. This is enforced
by MetadataBuilder.
There is also a "default" group with no size restriction. This is used
for one-off partitions that aren't restricted by updates, for example,
the scratch partition for overlayfs, or partitions created through
fastbootd.
Bug: 116817738
Test: liblp gtest
Change-Id: I7049ffd35d326e41e25d01b1748cb53a584783a7
This change enables reading metadata images from memory, for situations
where using file descriptors is not practical (such as fastbootd flash).
Bug: 78793464
Test: liblp_test gtest
Change-Id: I9ad08b0ddd4cbb96e87583237a90785e0f4befa4
This is in preparation for "fastboot flash super", where we want to
verify the validity of a super image before writing it. To do so, we
need to parse the image from the download buffer, and it is useful to do
this from memory rather than a file descriptor.
Bug: 78793464
Test: liblp_test gtest
Change-Id: I7fb1ef4fdf2e8f1d93aea38f75626157fcb4bfc1
Callers of ParseMetadata must manually copy geometry to the final
LpMetadata structure, which is error-prone. Instead, force callers to
pass geometry to ParseMetadata to ensure it is always propagated.
Bug: N/A
Test: liblp_test gtest
Change-Id: I5b24b9d94ab1857db600c40bf6d3c9d8aaa47368
This is in preparation for adding sparse image support, to avoid
cluttering the more critical reading and writing logic.
Bug: 79173901
Test: N/A
Change-Id: Icdddb849aebba4adf18a3e63ffbd3f36adda812d
This makes offset calculations and library interactions much easier.
Bug: 79173901
Test: liblp_test gtest
Change-Id: I595c5435bd6bc166693a434ecdcd2d098185f963
This changes reader.h and writer.h to be private includes. A new liblp.h
header now contains the public API surface of those two files, as well
as some miscellanious functions previously in metadata_format.h.
Bug: 79173901
Test: N/A
Change-Id: I40c5dda0c8e5765f8bccfd5c17b4c800b41be77b
If UpdatePartitionTable is interrupted while writing metadata, the next
update becomes much more risky, as only one valid copy may exist. If
that subsequent update is interrupted, all metadata copies may be
corrupt.
To alleviate this, we now synchronize both metadata copies before each
update. If the backup copy is corrupted, we replace it with the primary
copy, and vice versa. Similarly if the primary and backup metadata do
not match, we sync the backup to contain the same data as the primary.
If for some reason this synchronization process fails, we do not proceed
to write a new partition table.
Bug: 79173901
Test: liblp_test gtest
Change-Id: Ic80cf9a5dc6336ff532e069ca5c8c76371550cb9
Block devices in the Linux kernel have a "minimum I/O request" size. The
minimum size is usually acquired by the block driver and can change
from device to device. When stacking devices (such as with
device-mapper), the kernel goes through great lengths to make sure this
alignment is respected for optimal I/O. In device-mapper's case,
misalignment can lead to kernel warnings and performance issues.
While this is unlikely to matter with a few targets, it could become
problematic on a large number of targets, and so we would prefer to
align all partition extents to the minimum I/O size.
We now support two new properties in the partition table geometry: an
"alignment", which is the minimum I/O size, and an "alignment offset",
which is an offset that when applied to sector 0, causes the sector to
be properly aligned within its parent device (for example, if a
physical partition is misaligned). All partition extents now begin on a
sector that respects this alignment.
One major caveat is that it is difficult for the initial partition table
to have the correct alignment without build system and/or flash tool
support. To accomodate this, all alignment is optional, and the lpmake
tool will support a default alignment of 1MiB as a failsafe.
Bug: 79173901
Test: liblp_test gtest
Change-Id: I5bc41b90aa085f4f30393951af0d2b37c4ac2a72
These tests check that various aspects of liblp's on-disk management
are functioning as intended. This checks redundancy, metadata slot
management, and metadata update and readback.
Bug: 79173901
Test: liblp_test gtest
Change-Id: Ib780676e0f34f44aa255e8fcfded2ceb71fe3dce
This library has methods to build, read, and modify logical partition tables
based on device-mapper targets. Targets currently supported are
dm-linear and dm-zero.
Note: this is a revert of a revert, with changes to fix Mac build
bustage.
Bug: 79173901
Test: N/A
Change-Id: If89a788d1919ce8ddc6eedaecc9687a92f111dfa
This library has methods to build, read, and modify logical partition tables
based on device-mapper targets. Targets currently supported are
dm-linear and dm-zero.
Bug: 79173901
Test: N/A
Change-Id: I194c6832cb53f781c396016d961386d3ca833f87
