Restrict the verification in block-based incremental OTAs

BlockImageDiff has three versions. Only the incremental OTAs generated with the latest version (3) can be re-applied to the system that's already on the target build. Otherwise, operations like move will make unconditional changes and damage the system. During the verification phase, abort the OTA update if BlockImageDiff is less than 3 and it doesn't match the checksum of the source build. Change-Id: Ic630346eab2a993a84d0aeaacd7167ef62cc24f6 (cherry picked from commit daebaa6ed3fbf4e7943e6c8290ec6b9233b542e9)
author: Tao Bao <tbao@google.com> 2015-03-12 12:32:37 -0700
committer: Tao Bao <tbao@google.com> 2015-03-13 17:57:15 -0700
commit: dd2a5892e500e9c07f933e3f511b18e67df076c4 (patch)
tree: 95f5c71ad986854d6fa7a5829210affca9b9d53c
parent: 137b049aef6ffc1de1340657ecf9208303ec1872 (diff)
download: build-dd2a5892e500e9c07f933e3f511b18e67df076c4.zip
build-dd2a5892e500e9c07f933e3f511b18e67df076c4.tar.gz
build-dd2a5892e500e9c07f933e3f511b18e67df076c4.tar.bz2
2 files changed, 48 insertions, 21 deletions
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 4241b2b..39c9b3d 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -1024,17 +1024,19 @@ def ComputeDifferences(diffs):
 
 
 class BlockDifference:
-  def __init__(self, partition, tgt, src=None, check_first_block=False):
+  def __init__(self, partition, tgt, src=None, check_first_block=False, version=None):
     self.tgt = tgt
     self.src = src
     self.partition = partition
     self.check_first_block = check_first_block
 
-    self.version = 1
-    if OPTIONS.info_dict:
-      self.version = max(
-          int(i) for i in
-          OPTIONS.info_dict.get("blockimgdiff_versions", "1").split(","))
+    if version is None:
+      version = 1
+      if OPTIONS.info_dict:
+        version = max(
+            int(i) for i in
+            OPTIONS.info_dict.get("blockimgdiff_versions", "1").split(","))
+    self.version = version
 
     b = blockimgdiff.BlockImageDiff(tgt, src, threads=OPTIONS.worker_threads,
                                     version=self.version)
@@ -1069,17 +1071,25 @@ class BlockDifference:
         script.AppendExtra('if range_sha1("%s", "%s") == "%s" then' %
                             (self.device, self.src.care_map.to_string_raw(),
                             self.src.TotalSha1()))
-      script.Print("Verified %s image..." % (partition,))
+      script.Print('Verified %s image...' % (partition,))
       script.AppendExtra('else');
 
+      # When generating incrementals for the system and vendor partitions,
+      # explicitly check the first block (which contains the superblock) of
+      # the partition to see if it's what we expect. If this check fails,
+      # give an explicit log message about the partition having been
+      # remounted R/W (the most likely explanation) and the need to flash to
+      # get OTAs working again.
       if self.check_first_block:
         self._CheckFirstBlock(script)
 
-      script.AppendExtra(('(range_sha1("%s", "%s") == "%s") ||\n'
-                          '  abort("%s partition has unexpected contents");\n'
-                          'endif;') %
-                         (self.device, self.tgt.care_map.to_string_raw(),
-                          self.tgt.TotalSha1(), self.partition))
+      # Abort the OTA update. Note that the incremental OTA cannot be applied
+      # even if it may match the checksum of the target partition.
+      # a) If version < 3, operations like move and erase will make changes
+      #    unconditionally and damage the partition.
+      # b) If version >= 3, it won't even reach here.
+      script.AppendExtra(('abort("%s partition has unexpected contents");\n'
+                          'endif;') % (partition,))
 
   def _WriteUpdate(self, script, output_zip):
     partition = self.partition
@@ -1109,14 +1119,11 @@ class BlockDifference:
   def _CheckFirstBlock(self, script):
     r = RangeSet((0, 1))
     srchash = self._HashBlocks(self.src, r);
-    tgthash = self._HashBlocks(self.tgt, r);
 
     script.AppendExtra(('(range_sha1("%s", "%s") == "%s") || '
-                        '(range_sha1("%s", "%s") == "%s") || '
                         'abort("%s has been remounted R/W; '
                         'reflash device to reenable OTA updates");')
                        % (self.device, r.to_string_raw(), srchash,
-                          self.device, r.to_string_raw(), tgthash,
                           self.device))
 
 DataImage = blockimgdiff.DataImage
diff --git a/tools/releasetools/ota_from_target_files b/tools/releasetools/ota_from_target_files
index 945f11a..25309a4 100755
--- a/tools/releasetools/ota_from_target_files
+++ b/tools/releasetools/ota_from_target_files
@@ -740,8 +740,16 @@ def WriteBlockIncrementalOTAPackage(target_zip, source_zip, output_zip):
 
   system_src = GetImage("system", OPTIONS.source_tmp, OPTIONS.source_info_dict)
   system_tgt = GetImage("system", OPTIONS.target_tmp, OPTIONS.target_info_dict)
+
+  blockimgdiff_version = 1
+  if OPTIONS.info_dict:
+    blockimgdiff_version = max(
+        int(i) for i in
+        OPTIONS.info_dict.get("blockimgdiff_versions", "1").split(","))
+
   system_diff = common.BlockDifference("system", system_tgt, system_src,
-                                       check_first_block=True)
+                                       check_first_block=True,
+                                       version=blockimgdiff_version)
 
   if HasVendorPartition(target_zip):
     if not HasVendorPartition(source_zip):
@@ -749,7 +757,8 @@ def WriteBlockIncrementalOTAPackage(target_zip, source_zip, output_zip):
     vendor_src = GetImage("vendor", OPTIONS.source_tmp, OPTIONS.source_info_dict)
     vendor_tgt = GetImage("vendor", OPTIONS.target_tmp, OPTIONS.target_info_dict)
     vendor_diff = common.BlockDifference("vendor", vendor_tgt, vendor_src,
-                                         check_first_block=True)
+                                         check_first_block=True,
+                                         version=blockimgdiff_version)
   else:
     vendor_diff = None
 
@@ -810,11 +819,22 @@ else if get_stage("%(bcb_dev)s") != "3/3" then
   device_specific.IncrementalOTA_VerifyBegin()
 
   if oem_props is None:
-    script.AssertSomeFingerprint(source_fp, target_fp)
+    # When blockimgdiff version is less than 3 (non-resumable block-based OTA),
+    # patching on a device that's already on the target build will damage the
+    # system. Because operations like move don't check the block state, they
+    # always apply the changes unconditionally.
+    if blockimgdiff_version <= 2:
+      script.AssertSomeFingerprint(source_fp)
+    else:
+      script.AssertSomeFingerprint(source_fp, target_fp)
   else:
-    script.AssertSomeThumbprint(
-        GetBuildProp("ro.build.thumbprint", OPTIONS.target_info_dict),
-        GetBuildProp("ro.build.thumbprint", OPTIONS.source_info_dict))
+    if blockimgdiff_version <= 2:
+      script.AssertSomeThumbprint(
+          GetBuildProp("ro.build.thumbprint", OPTIONS.source_info_dict))
+    else:
+      script.AssertSomeThumbprint(
+          GetBuildProp("ro.build.thumbprint", OPTIONS.target_info_dict),
+          GetBuildProp("ro.build.thumbprint", OPTIONS.source_info_dict))
 
   if updating_boot:
     boot_type, boot_device = common.GetTypeAndDevice("/boot", OPTIONS.info_dict)
author	Tao Bao <tbao@google.com>	2015-03-12 12:32:37 -0700
committer	Tao Bao <tbao@google.com>	2015-03-13 17:57:15 -0700
commit	dd2a5892e500e9c07f933e3f511b18e67df076c4 (patch)
tree	95f5c71ad986854d6fa7a5829210affca9b9d53c
parent	137b049aef6ffc1de1340657ecf9208303ec1872 (diff)
download	build-dd2a5892e500e9c07f933e3f511b18e67df076c4.zip build-dd2a5892e500e9c07f933e3f511b18e67df076c4.tar.gz build-dd2a5892e500e9c07f933e3f511b18e67df076c4.tar.bz2