You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
340 lines
15 KiB
340 lines
15 KiB
4 months ago
|
//
|
||
|
// Copyright (C) 2011 The Android Open Source Project
|
||
|
//
|
||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
// you may not use this file except in compliance with the License.
|
||
|
// You may obtain a copy of the License at
|
||
|
//
|
||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||
|
//
|
||
|
// Unless required by applicable law or agreed to in writing, software
|
||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
// See the License for the specific language governing permissions and
|
||
|
// limitations under the License.
|
||
|
//
|
||
|
|
||
|
#include "update_engine/cros/omaha_response_handler_action.h"
|
||
|
|
||
|
#include <limits>
|
||
|
#include <string>
|
||
|
|
||
|
#include <base/logging.h>
|
||
|
#include <base/strings/string_number_conversions.h>
|
||
|
#include <base/version.h>
|
||
|
#include <policy/device_policy.h>
|
||
|
|
||
|
#include "update_engine/common/constants.h"
|
||
|
#include "update_engine/common/hardware_interface.h"
|
||
|
#include "update_engine/common/prefs_interface.h"
|
||
|
#include "update_engine/common/system_state.h"
|
||
|
#include "update_engine/common/utils.h"
|
||
|
#include "update_engine/cros/connection_manager_interface.h"
|
||
|
#include "update_engine/cros/omaha_request_params.h"
|
||
|
#include "update_engine/cros/payload_state_interface.h"
|
||
|
#include "update_engine/payload_consumer/delta_performer.h"
|
||
|
#include "update_engine/update_manager/policy.h"
|
||
|
#include "update_engine/update_manager/update_manager.h"
|
||
|
|
||
|
using chromeos_update_manager::kRollforwardInfinity;
|
||
|
using chromeos_update_manager::Policy;
|
||
|
using chromeos_update_manager::UpdateManager;
|
||
|
using std::numeric_limits;
|
||
|
using std::string;
|
||
|
|
||
|
namespace chromeos_update_engine {
|
||
|
|
||
|
OmahaResponseHandlerAction::OmahaResponseHandlerAction()
|
||
|
: deadline_file_(constants::kOmahaResponseDeadlineFile) {}
|
||
|
|
||
|
void OmahaResponseHandlerAction::PerformAction() {
|
||
|
CHECK(HasInputObject());
|
||
|
ScopedActionCompleter completer(processor_, this);
|
||
|
const OmahaResponse& response = GetInputObject();
|
||
|
if (!response.update_exists) {
|
||
|
LOG(INFO) << "There are no updates. Aborting.";
|
||
|
completer.set_code(ErrorCode::kNoUpdate);
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
// All decisions as to which URL should be used have already been done. So,
|
||
|
// make the current URL as the download URL.
|
||
|
string current_url = SystemState::Get()->payload_state()->GetCurrentUrl();
|
||
|
if (current_url.empty()) {
|
||
|
// This shouldn't happen as we should always supply the HTTPS backup URL.
|
||
|
// Handling this anyway, just in case.
|
||
|
LOG(ERROR) << "There are no suitable URLs in the response to use.";
|
||
|
completer.set_code(ErrorCode::kOmahaResponseInvalid);
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
// This is the url to the first package, not all packages.
|
||
|
// (For updates): All |Action|s prior to this must pass in non-excluded URLs
|
||
|
// within the |OmahaResponse|, reference exlusion logic in
|
||
|
// |OmahaRequestAction| and keep the enforcement of exclusions for updates.
|
||
|
install_plan_.download_url = current_url;
|
||
|
install_plan_.version = response.version;
|
||
|
|
||
|
OmahaRequestParams* const params = SystemState::Get()->request_params();
|
||
|
PayloadStateInterface* const payload_state =
|
||
|
SystemState::Get()->payload_state();
|
||
|
|
||
|
// If we're using p2p to download and there is a local peer, use it.
|
||
|
if (payload_state->GetUsingP2PForDownloading() &&
|
||
|
!payload_state->GetP2PUrl().empty()) {
|
||
|
LOG(INFO) << "Replacing URL " << install_plan_.download_url
|
||
|
<< " with local URL " << payload_state->GetP2PUrl()
|
||
|
<< " since p2p is enabled.";
|
||
|
install_plan_.download_url = payload_state->GetP2PUrl();
|
||
|
payload_state->SetUsingP2PForDownloading(true);
|
||
|
}
|
||
|
|
||
|
// Fill up the other properties based on the response.
|
||
|
string update_check_response_hash;
|
||
|
for (const auto& package : response.packages) {
|
||
|
brillo::Blob raw_hash;
|
||
|
if (!base::HexStringToBytes(package.hash, &raw_hash)) {
|
||
|
LOG(ERROR) << "Failed to convert payload hash from hex string to bytes: "
|
||
|
<< package.hash;
|
||
|
completer.set_code(ErrorCode::kOmahaResponseInvalid);
|
||
|
return;
|
||
|
}
|
||
|
install_plan_.payloads.push_back(
|
||
|
{.payload_urls = package.payload_urls,
|
||
|
.size = package.size,
|
||
|
.metadata_size = package.metadata_size,
|
||
|
.metadata_signature = package.metadata_signature,
|
||
|
.hash = raw_hash,
|
||
|
.type = package.is_delta ? InstallPayloadType::kDelta
|
||
|
: InstallPayloadType::kFull,
|
||
|
.fp = package.fp,
|
||
|
.app_id = package.app_id});
|
||
|
update_check_response_hash += package.hash + ":";
|
||
|
}
|
||
|
install_plan_.public_key_rsa = response.public_key_rsa;
|
||
|
install_plan_.hash_checks_mandatory = AreHashChecksMandatory(response);
|
||
|
install_plan_.is_resume = DeltaPerformer::CanResumeUpdate(
|
||
|
SystemState::Get()->prefs(), update_check_response_hash);
|
||
|
if (install_plan_.is_resume) {
|
||
|
payload_state->UpdateResumed();
|
||
|
} else {
|
||
|
payload_state->UpdateRestarted();
|
||
|
LOG_IF(WARNING,
|
||
|
!DeltaPerformer::ResetUpdateProgress(SystemState::Get()->prefs(),
|
||
|
false))
|
||
|
<< "Unable to reset the update progress.";
|
||
|
LOG_IF(WARNING,
|
||
|
!SystemState::Get()->prefs()->SetString(
|
||
|
kPrefsUpdateCheckResponseHash, update_check_response_hash))
|
||
|
<< "Unable to save the update check response hash.";
|
||
|
}
|
||
|
|
||
|
if (params->is_install()) {
|
||
|
install_plan_.target_slot =
|
||
|
SystemState::Get()->boot_control()->GetCurrentSlot();
|
||
|
install_plan_.source_slot = BootControlInterface::kInvalidSlot;
|
||
|
} else {
|
||
|
install_plan_.source_slot =
|
||
|
SystemState::Get()->boot_control()->GetCurrentSlot();
|
||
|
install_plan_.target_slot = install_plan_.source_slot == 0 ? 1 : 0;
|
||
|
}
|
||
|
|
||
|
// The Omaha response doesn't include the channel name for this image, so we
|
||
|
// use the download_channel we used during the request to tag the target slot.
|
||
|
// This will be used in the next boot to know the channel the image was
|
||
|
// downloaded from.
|
||
|
string current_channel_key =
|
||
|
kPrefsChannelOnSlotPrefix + std::to_string(install_plan_.target_slot);
|
||
|
SystemState::Get()->prefs()->SetString(current_channel_key,
|
||
|
params->download_channel());
|
||
|
|
||
|
// Checking whether device is able to boot up the returned rollback image.
|
||
|
if (response.is_rollback) {
|
||
|
if (!params->rollback_allowed()) {
|
||
|
LOG(ERROR) << "Received rollback image but rollback is not allowed.";
|
||
|
completer.set_code(ErrorCode::kOmahaResponseInvalid);
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
// Calculate the values on the version values on current device.
|
||
|
auto min_kernel_key_version = static_cast<uint32_t>(
|
||
|
SystemState::Get()->hardware()->GetMinKernelKeyVersion());
|
||
|
auto min_firmware_key_version = static_cast<uint32_t>(
|
||
|
SystemState::Get()->hardware()->GetMinFirmwareKeyVersion());
|
||
|
|
||
|
uint32_t kernel_key_version =
|
||
|
static_cast<uint32_t>(response.rollback_key_version.kernel_key) << 16 |
|
||
|
static_cast<uint32_t>(response.rollback_key_version.kernel);
|
||
|
uint32_t firmware_key_version =
|
||
|
static_cast<uint32_t>(response.rollback_key_version.firmware_key)
|
||
|
<< 16 |
|
||
|
static_cast<uint32_t>(response.rollback_key_version.firmware);
|
||
|
|
||
|
LOG(INFO) << "Rollback image versions:"
|
||
|
<< " device_kernel_key_version=" << min_kernel_key_version
|
||
|
<< " image_kernel_key_version=" << kernel_key_version
|
||
|
<< " device_firmware_key_version=" << min_firmware_key_version
|
||
|
<< " image_firmware_key_version=" << firmware_key_version;
|
||
|
|
||
|
// Don't attempt a rollback if the versions are incompatible or the
|
||
|
// target image does not specify the version information.
|
||
|
if (kernel_key_version == numeric_limits<uint32_t>::max() ||
|
||
|
firmware_key_version == numeric_limits<uint32_t>::max() ||
|
||
|
kernel_key_version < min_kernel_key_version ||
|
||
|
firmware_key_version < min_firmware_key_version) {
|
||
|
LOG(ERROR) << "Device won't be able to boot up the rollback image.";
|
||
|
completer.set_code(ErrorCode::kRollbackNotPossible);
|
||
|
return;
|
||
|
}
|
||
|
install_plan_.is_rollback = true;
|
||
|
install_plan_.rollback_data_save_requested =
|
||
|
params->rollback_data_save_requested();
|
||
|
}
|
||
|
|
||
|
// Powerwash if either the response requires it or the parameters indicated
|
||
|
// powerwash (usually because there was a channel downgrade) and we are
|
||
|
// downgrading the version. Enterprise rollback, indicated by
|
||
|
// |response.is_rollback| is dealt with separately above.
|
||
|
if (response.powerwash_required) {
|
||
|
install_plan_.powerwash_required = true;
|
||
|
} else if (params->ShouldPowerwash() && !response.is_rollback) {
|
||
|
base::Version new_version(response.version);
|
||
|
base::Version current_version(params->app_version());
|
||
|
|
||
|
if (!new_version.IsValid()) {
|
||
|
LOG(WARNING) << "Not powerwashing,"
|
||
|
<< " the update's version number is unreadable."
|
||
|
<< " Update's version number: " << response.version;
|
||
|
} else if (!current_version.IsValid()) {
|
||
|
LOG(WARNING) << "Not powerwashing,"
|
||
|
<< " the current version number is unreadable."
|
||
|
<< " Current version number: " << params->app_version();
|
||
|
} else if (new_version < current_version) {
|
||
|
install_plan_.powerwash_required = true;
|
||
|
// Always try to preserve enrollment and wifi data for enrolled devices.
|
||
|
install_plan_.rollback_data_save_requested =
|
||
|
SystemState::Get()->device_policy() &&
|
||
|
SystemState::Get()->device_policy()->IsEnterpriseEnrolled();
|
||
|
}
|
||
|
}
|
||
|
|
||
|
TEST_AND_RETURN(HasOutputPipe());
|
||
|
if (HasOutputPipe())
|
||
|
SetOutputObject(install_plan_);
|
||
|
install_plan_.Dump();
|
||
|
|
||
|
// Send the deadline data (if any) to Chrome through a file. This is a pretty
|
||
|
// hacky solution but should be OK for now.
|
||
|
//
|
||
|
// TODO(petkov): Re-architect this to avoid communication through a
|
||
|
// file. Ideally, we would include this information in D-Bus's GetStatus
|
||
|
// method and UpdateStatus signal. A potential issue is that update_engine may
|
||
|
// be unresponsive during an update download.
|
||
|
if (!deadline_file_.empty()) {
|
||
|
if (payload_state->GetRollbackHappened()) {
|
||
|
// Don't do forced update if rollback has happened since the last update
|
||
|
// check where policy was present.
|
||
|
LOG(INFO) << "Not forcing update because a rollback happened.";
|
||
|
utils::WriteFile(deadline_file_.c_str(), nullptr, 0);
|
||
|
} else {
|
||
|
utils::WriteFile(deadline_file_.c_str(),
|
||
|
response.deadline.data(),
|
||
|
response.deadline.size());
|
||
|
}
|
||
|
chmod(deadline_file_.c_str(), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
|
||
|
}
|
||
|
|
||
|
// Check the generated install-plan with the Policy to confirm that
|
||
|
// it can be applied at this time (or at all).
|
||
|
UpdateManager* const update_manager = SystemState::Get()->update_manager();
|
||
|
CHECK(update_manager);
|
||
|
auto ec = ErrorCode::kSuccess;
|
||
|
update_manager->PolicyRequest(
|
||
|
&Policy::UpdateCanBeApplied, &ec, &install_plan_);
|
||
|
completer.set_code(ec);
|
||
|
|
||
|
const auto allowed_milestones = params->rollback_allowed_milestones();
|
||
|
if (allowed_milestones > 0) {
|
||
|
auto max_firmware_rollforward = numeric_limits<uint32_t>::max();
|
||
|
auto max_kernel_rollforward = numeric_limits<uint32_t>::max();
|
||
|
|
||
|
// Determine the version to update the max rollforward verified boot
|
||
|
// value.
|
||
|
OmahaResponse::RollbackKeyVersion version =
|
||
|
response.past_rollback_key_version;
|
||
|
|
||
|
// Determine the max rollforward values to be set in the TPM.
|
||
|
max_firmware_rollforward = static_cast<uint32_t>(version.firmware_key)
|
||
|
<< 16 |
|
||
|
static_cast<uint32_t>(version.firmware);
|
||
|
max_kernel_rollforward = static_cast<uint32_t>(version.kernel_key) << 16 |
|
||
|
static_cast<uint32_t>(version.kernel);
|
||
|
|
||
|
// In the case that the value is 0xffffffff, log a warning because the
|
||
|
// device should not be installing a rollback image without having version
|
||
|
// information.
|
||
|
if (max_firmware_rollforward == numeric_limits<uint32_t>::max() ||
|
||
|
max_kernel_rollforward == numeric_limits<uint32_t>::max()) {
|
||
|
LOG(WARNING)
|
||
|
<< "Max rollforward values were not sent in rollback response: "
|
||
|
<< " max_kernel_rollforward=" << max_kernel_rollforward
|
||
|
<< " max_firmware_rollforward=" << max_firmware_rollforward
|
||
|
<< " rollback_allowed_milestones="
|
||
|
<< params->rollback_allowed_milestones();
|
||
|
} else {
|
||
|
LOG(INFO) << "Setting the max rollforward values: "
|
||
|
<< " max_kernel_rollforward=" << max_kernel_rollforward
|
||
|
<< " max_firmware_rollforward=" << max_firmware_rollforward
|
||
|
<< " rollback_allowed_milestones="
|
||
|
<< params->rollback_allowed_milestones();
|
||
|
SystemState::Get()->hardware()->SetMaxKernelKeyRollforward(
|
||
|
max_kernel_rollforward);
|
||
|
// TODO(crbug/783998): Set max firmware rollforward when implemented.
|
||
|
}
|
||
|
} else {
|
||
|
LOG(INFO) << "Rollback is not allowed. Setting max rollforward values"
|
||
|
<< " to infinity";
|
||
|
// When rollback is not allowed, explicitly set the max roll forward to
|
||
|
// infinity.
|
||
|
SystemState::Get()->hardware()->SetMaxKernelKeyRollforward(
|
||
|
kRollforwardInfinity);
|
||
|
// TODO(crbug/783998): Set max firmware rollforward when implemented.
|
||
|
}
|
||
|
}
|
||
|
|
||
|
bool OmahaResponseHandlerAction::AreHashChecksMandatory(
|
||
|
const OmahaResponse& response) {
|
||
|
// We sometimes need to waive the hash checks in order to download from
|
||
|
// sources that don't provide hashes, such as dev server.
|
||
|
// At this point UpdateAttempter::IsAnyUpdateSourceAllowed() has already been
|
||
|
// checked, so an unofficial update URL won't get this far unless it's OK to
|
||
|
// use without a hash. Additionally, we want to always waive hash checks on
|
||
|
// unofficial builds (i.e. dev/test images).
|
||
|
// The end result is this:
|
||
|
// * Base image:
|
||
|
// - Official URLs require a hash.
|
||
|
// - Unofficial URLs only get this far if the IsAnyUpdateSourceAllowed()
|
||
|
// devmode/debugd checks pass, in which case the hash is waived.
|
||
|
// * Dev/test image:
|
||
|
// - Any URL is allowed through with no hash checking.
|
||
|
if (!SystemState::Get()->request_params()->IsUpdateUrlOfficial() ||
|
||
|
!SystemState::Get()->hardware()->IsOfficialBuild()) {
|
||
|
// Still do a hash check if a public key is included.
|
||
|
if (!response.public_key_rsa.empty()) {
|
||
|
// The autoupdate_CatchBadSignatures test checks for this string
|
||
|
// in log-files. Keep in sync.
|
||
|
LOG(INFO) << "Mandating payload hash checks since Omaha Response "
|
||
|
<< "for unofficial build includes public RSA key.";
|
||
|
return true;
|
||
|
} else {
|
||
|
LOG(INFO) << "Waiving payload hash checks for unofficial update URL.";
|
||
|
return false;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
LOG(INFO) << "Mandating hash checks for official URL on official build.";
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
} // namespace chromeos_update_engine
|