Add DynamicPartitionControl::EraseSystemOtherAvbFooter
Erase the AVB footer of the system_other partition prior to any updates so that if
an update overwrites it partially, and the device is rolled back (or even
before we finish writing the partition), and the device factory resets,
mapping system_other as /postinstall won't trigger verity errors and
reboot the device.
Bug: 152444348
Test: apply update, rollback, then FDR
Test: apply update, then set sys.cppreopt=requested; observe that
/postinstall cannot be mounted.
Change-Id: I62e5bb8f4c31d9a1beff485c47fc4b07a3a5686b
diff --git a/dynamic_partition_control_android.h b/dynamic_partition_control_android.h
index 6dbe370..9dcdcf1 100644
--- a/dynamic_partition_control_android.h
+++ b/dynamic_partition_control_android.h
@@ -136,6 +136,43 @@
// Allow mock objects to override this to test recovery mode.
virtual bool IsRecovery();
+ // Determine path for system_other partition.
+ // |source_slot| should be current slot.
+ // |target_slot| should be "other" slot.
+ // |partition_name_suffix| should be "system" + suffix(|target_slot|).
+ // Return true and set |path| if successful.
+ // Set |path| to empty if no need to erase system_other.
+ // Set |should_unmap| to true if path needs to be unmapped later.
+ //
+ // Note: system_other cannot use GetPartitionDevice or
+ // GetDynamicPartitionDevice because:
+ // - super partition metadata may be loaded from the source slot
+ // - UPDATED flag needs to be check to skip erasing if partition is not
+ // created by flashing tools
+ // - Snapshots from previous update attempts should not be used.
+ virtual bool GetSystemOtherPath(uint32_t source_slot,
+ uint32_t target_slot,
+ const std::string& partition_name_suffix,
+ std::string* path,
+ bool* should_unmap);
+
+ // Returns true if any entry in the fstab file in |path| has AVB enabled,
+ // false if not enabled, and nullopt for any error.
+ virtual std::optional<bool> IsAvbEnabledInFstab(const std::string& path);
+
+ // Returns true if system_other has AVB enabled, false if not enabled, and
+ // nullopt for any error.
+ virtual std::optional<bool> IsAvbEnabledOnSystemOther();
+
+ // Erase system_other partition that may contain system_other.img.
+ // After the update, the content of system_other may be corrupted but with
+ // valid AVB footer. If the update is rolled back and factory data reset is
+ // triggered, system_b fails to be mapped with verity errors (see
+ // b/152444348). Erase the system_other so that mapping system_other is
+ // skipped.
+ virtual bool EraseSystemOtherAvbFooter(uint32_t source_slot,
+ uint32_t target_slot);
+
private:
friend class DynamicPartitionControlAndroidTest;
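Review bot: the return value of `EraseSystemOtherAvbFooter` in this hunk is undocumented, while the neighbouring declarations (`GetSystemOtherPath`, `IsAvbEnabledInFstab`, `IsAvbEnabledOnSystemOther`) each state what true/false/nullopt mean. Please add a line saying whether `false` means the update must abort or that erasing is best-effort (e.g. the "no need to erase" case that `GetSystemOtherPath` signals by an empty `path`), since callers will have to decide that. Two smaller points: the new declarations use `std::optional<bool>`, and the hunk does not show an `#include <optional>`, so confirm the header already has one; and the comment "UPDATED flag needs to be check to skip erasing" should read "needs to be checked".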