update_engine: Update libchrome APIS to r456626. am: 2b9d241772
am: 76a62ae06b
Change-Id: Ia0534e94f58ba309155a07ff54f67d7cafb1de4e
diff --git a/common/error_code.h b/common/error_code.h
index adae391..0b08005 100644
--- a/common/error_code.h
+++ b/common/error_code.h
@@ -74,7 +74,7 @@
kUserCanceled = 48,
kNonCriticalUpdateInOOBE = 49,
// kOmahaUpdateIgnoredOverCellular = 50,
- // kPayloadTimestampError = 51,
+ kPayloadTimestampError = 51,
kUpdatedButNotActive = 52,
// VERY IMPORTANT! When adding new error codes:
diff --git a/common/error_code_utils.cc b/common/error_code_utils.cc
index 983d004..313a15f 100644
--- a/common/error_code_utils.cc
+++ b/common/error_code_utils.cc
@@ -144,6 +144,8 @@
return "ErrorCode::kUserCanceled";
case ErrorCode::kNonCriticalUpdateInOOBE:
return "ErrorCode::kNonCriticalUpdateInOOBE";
+ case ErrorCode::kPayloadTimestampError:
+ return "ErrorCode::kPayloadTimestampError";
case ErrorCode::kUpdatedButNotActive:
return "ErrorCode::kUpdatedButNotActive";
// Don't add a default case to let the compiler warn about newly added
diff --git a/common/fake_hardware.h b/common/fake_hardware.h
index 5d0fca3..a384597 100644
--- a/common/fake_hardware.h
+++ b/common/fake_hardware.h
@@ -81,6 +81,8 @@
return false;
}
+ int64_t GetBuildTimestamp() const override { return build_timestamp_; }
+
// Setters
void SetIsOfficialBuild(bool is_official_build) {
is_official_build_ = is_official_build;
@@ -125,6 +127,10 @@
powerwash_count_ = powerwash_count;
}
+ void SetBuildTimestamp(int64_t build_timestamp) {
+ build_timestamp_ = build_timestamp;
+ }
+
private:
bool is_official_build_{true};
bool is_normal_boot_mode_{true};
@@ -137,6 +143,7 @@
std::string ec_version_{"Fake EC v1.0a"};
int powerwash_count_{kPowerwashCountNotSet};
bool powerwash_scheduled_{false};
+ int64_t build_timestamp_{0};
DISALLOW_COPY_AND_ASSIGN(FakeHardware);
};
diff --git a/common/hardware_interface.h b/common/hardware_interface.h
index 316ad3d..c9e2f85 100644
--- a/common/hardware_interface.h
+++ b/common/hardware_interface.h
@@ -17,6 +17,8 @@
#ifndef UPDATE_ENGINE_COMMON_HARDWARE_INTERFACE_H_
#define UPDATE_ENGINE_COMMON_HARDWARE_INTERFACE_H_
+#include <stdint.h>
+
#include <string>
#include <vector>
@@ -89,6 +91,9 @@
// powerwash cycles. In case of an error, such as no directory available,
// returns false.
virtual bool GetPowerwashSafeDirectory(base::FilePath* path) const = 0;
+
+ // Returns the timestamp of the current OS build.
+ virtual int64_t GetBuildTimestamp() const = 0;
};
} // namespace chromeos_update_engine
diff --git a/hardware_android.cc b/hardware_android.cc
index 5872c54..86432a9 100644
--- a/hardware_android.cc
+++ b/hardware_android.cc
@@ -36,6 +36,7 @@
#include "update_engine/utils_android.h"
using android::base::GetBoolProperty;
+using android::base::GetIntProperty;
using android::base::GetProperty;
using std::string;
@@ -57,6 +58,7 @@
const char kPropProductManufacturer[] = "ro.product.manufacturer";
const char kPropBootHardwareSKU[] = "ro.boot.hardware.sku";
const char kPropBootRevision[] = "ro.boot.revision";
+const char kPropBuildDateUTC[] = "ro.build.date.utc";
// Write a recovery command line |message| to the BCB. The arguments to recovery
// must be separated by '\n'. An empty string will erase the BCB.
@@ -195,4 +197,8 @@
return false;
}
+int64_t HardwareAndroid::GetBuildTimestamp() const {
+ return GetIntProperty<int64_t>(kPropBuildDateUTC, 0);
+}
+
} // namespace chromeos_update_engine
diff --git a/hardware_android.h b/hardware_android.h
index 78af871..80fd9df 100644
--- a/hardware_android.h
+++ b/hardware_android.h
@@ -47,6 +47,7 @@
bool CancelPowerwash() override;
bool GetNonVolatileDirectory(base::FilePath* path) const override;
bool GetPowerwashSafeDirectory(base::FilePath* path) const override;
+ int64_t GetBuildTimestamp() const override;
private:
DISALLOW_COPY_AND_ASSIGN(HardwareAndroid);
diff --git a/hardware_chromeos.cc b/hardware_chromeos.cc
index 4b0b82f..f0f3ea9 100644
--- a/hardware_chromeos.cc
+++ b/hardware_chromeos.cc
@@ -230,6 +230,11 @@
return true;
}
+int64_t HardwareChromeOS::GetBuildTimestamp() const {
+ // TODO(senj): implement this in Chrome OS.
+ return 0;
+}
+
void HardwareChromeOS::LoadConfig(const string& root_prefix, bool normal_mode) {
brillo::KeyValueStore store;
diff --git a/hardware_chromeos.h b/hardware_chromeos.h
index 03ad750..a756a9b 100644
--- a/hardware_chromeos.h
+++ b/hardware_chromeos.h
@@ -51,6 +51,7 @@
bool CancelPowerwash() override;
bool GetNonVolatileDirectory(base::FilePath* path) const override;
bool GetPowerwashSafeDirectory(base::FilePath* path) const override;
+ int64_t GetBuildTimestamp() const override;
private:
friend class HardwareChromeOSTest;
diff --git a/metrics_utils.cc b/metrics_utils.cc
index 7e6b20f..46530f0 100644
--- a/metrics_utils.cc
+++ b/metrics_utils.cc
@@ -78,6 +78,7 @@
case ErrorCode::kDownloadPayloadVerificationError:
case ErrorCode::kSignedDeltaPayloadExpectedError:
case ErrorCode::kDownloadPayloadPubKeyVerificationError:
+ case ErrorCode::kPayloadTimestampError:
return metrics::AttemptResult::kPayloadVerificationFailed;
case ErrorCode::kNewRootfsVerificationError:
@@ -213,6 +214,7 @@
case ErrorCode::kOmahaRequestXMLHasEntityDecl:
case ErrorCode::kFilesystemVerifierError:
case ErrorCode::kUserCanceled:
+ case ErrorCode::kPayloadTimestampError:
case ErrorCode::kUpdatedButNotActive:
break;
diff --git a/payload_consumer/delta_performer.cc b/payload_consumer/delta_performer.cc
index 4ac0c49..f74506f 100644
--- a/payload_consumer/delta_performer.cc
+++ b/payload_consumer/delta_performer.cc
@@ -1418,6 +1418,14 @@
}
}
+ if (manifest_.max_timestamp() < hardware_->GetBuildTimestamp()) {
+ LOG(ERROR) << "The current OS build timestamp ("
+ << hardware_->GetBuildTimestamp()
+ << ") is newer than the maximum timestamp in the manifest ("
+ << manifest_.max_timestamp() << ")";
+ return ErrorCode::kPayloadTimestampError;
+ }
+
// TODO(garnold) we should be adding more and more manifest checks, such as
// partition boundaries etc (see chromium-os:37661).
diff --git a/payload_consumer/delta_performer_unittest.cc b/payload_consumer/delta_performer_unittest.cc
index 3d967a8..4a86ac8 100644
--- a/payload_consumer/delta_performer_unittest.cc
+++ b/payload_consumer/delta_performer_unittest.cc
@@ -639,6 +639,20 @@
ErrorCode::kUnsupportedMinorPayloadVersion);
}
+TEST_F(DeltaPerformerTest, ValidateManifestDowngrade) {
+ // The Manifest we are validating.
+ DeltaArchiveManifest manifest;
+
+ manifest.set_minor_version(kFullPayloadMinorVersion);
+ manifest.set_max_timestamp(1);
+ fake_hardware_.SetBuildTimestamp(2);
+
+ RunManifestValidation(manifest,
+ DeltaPerformer::kSupportedMajorPayloadVersion,
+ InstallPayloadType::kFull,
+ ErrorCode::kPayloadTimestampError);
+}
+
TEST_F(DeltaPerformerTest, BrilloMetadataSignatureSizeTest) {
EXPECT_TRUE(performer_.Write(kDeltaMagic, sizeof(kDeltaMagic)));
diff --git a/payload_generator/generate_delta_main.cc b/payload_generator/generate_delta_main.cc
index 698de09..e2ae776 100644
--- a/payload_generator/generate_delta_main.cc
+++ b/payload_generator/generate_delta_main.cc
@@ -334,6 +334,10 @@
DEFINE_string(properties_file, "",
"If passed, dumps the payload properties of the payload passed "
"in --in_file and exits.");
+ DEFINE_int64(max_timestamp,
+ 0,
+ "The maximum timestamp of the OS allowed to apply this "
+ "payload.");
DEFINE_string(old_channel, "",
"The channel for the old image. 'dev-channel', 'npo-channel', "
@@ -575,6 +579,8 @@
LOG(INFO) << "Using provided minor_version=" << FLAGS_minor_version;
}
+ payload_config.max_timestamp = FLAGS_max_timestamp;
+
LOG(INFO) << "Generating " << (payload_config.is_delta ? "delta" : "full")
<< " update";
diff --git a/payload_generator/payload_file.cc b/payload_generator/payload_file.cc
index ddb2833..4cb117d 100644
--- a/payload_generator/payload_file.cc
+++ b/payload_generator/payload_file.cc
@@ -70,6 +70,7 @@
*(manifest_.mutable_new_image_info()) = config.target.image_info;
manifest_.set_block_size(config.block_size);
+ manifest_.set_max_timestamp(config.max_timestamp);
return true;
}
diff --git a/payload_generator/payload_generation_config.h b/payload_generator/payload_generation_config.h
index ca6fb04..c553d29 100644
--- a/payload_generator/payload_generation_config.h
+++ b/payload_generator/payload_generation_config.h
@@ -186,6 +186,9 @@
// The block size used for all the operations in the manifest.
size_t block_size = 4096;
+
+ // The maximum timestamp of the OS allowed to apply this payload.
+ int64_t max_timestamp = 0;
};
} // namespace chromeos_update_engine
diff --git a/payload_state.cc b/payload_state.cc
index cff02b1..4992606 100644
--- a/payload_state.cc
+++ b/payload_state.cc
@@ -305,6 +305,7 @@
case ErrorCode::kPayloadMismatchedType:
case ErrorCode::kUnsupportedMajorPayloadVersion:
case ErrorCode::kUnsupportedMinorPayloadVersion:
+ case ErrorCode::kPayloadTimestampError:
IncrementUrlIndex();
break;
diff --git a/scripts/brillo_update_payload b/scripts/brillo_update_payload
index 61ecadf..65c63f5 100755
--- a/scripts/brillo_update_payload
+++ b/scripts/brillo_update_payload
@@ -167,6 +167,10 @@
"Optional: Path to a source image. If specified, this makes a delta update."
DEFINE_string metadata_size_file "" \
"Optional: Path to output metadata size."
+ DEFINE_string max_timestamp "" \
+ "Optional: The maximum unix timestamp of the OS allowed to apply this \
+payload, should be set to a number higher than the build timestamp of the \
+system running on the device, 0 if not specified."
fi
if [[ "${COMMAND}" == "hash" || "${COMMAND}" == "sign" ]]; then
DEFINE_string unsigned_payload "" "Path to the input unsigned payload."
@@ -567,6 +571,10 @@
GENERATOR_ARGS+=( --out_metadata_size_file="${FLAGS_metadata_size_file}" )
fi
+ if [[ -n "${FLAGS_max_timestamp}" ]]; then
+ GENERATOR_ARGS+=( --max_timestamp="${FLAGS_max_timestamp}" )
+ fi
+
if [[ -n "${POSTINSTALL_CONFIG_FILE}" ]]; then
GENERATOR_ARGS+=(
--new_postinstall_config_file="${POSTINSTALL_CONFIG_FILE}"
diff --git a/update_attempter_android.cc b/update_attempter_android.cc
index e716296..82e3855 100644
--- a/update_attempter_android.cc
+++ b/update_attempter_android.cc
@@ -29,6 +29,7 @@
#include <brillo/data_encoding.h>
#include <brillo/message_loops/message_loop.h>
#include <brillo/strings/string_utils.h>
+#include <log/log_safetynet.h>
#include "update_engine/common/constants.h"
#include "update_engine/common/file_fetcher.h"
@@ -350,6 +351,11 @@
LOG(INFO) << "Resetting update progress.";
break;
+ case ErrorCode::kPayloadTimestampError:
+ // SafetyNet logging, b/36232423
+ android_errorWriteLog(0x534e4554, "36232423");
+ break;
+
default:
// Ignore all other error codes.
break;
diff --git a/update_manager/chromeos_policy.cc b/update_manager/chromeos_policy.cc
index 12f417c..b32b626 100644
--- a/update_manager/chromeos_policy.cc
+++ b/update_manager/chromeos_policy.cc
@@ -79,6 +79,7 @@
case ErrorCode::kPayloadMismatchedType:
case ErrorCode::kUnsupportedMajorPayloadVersion:
case ErrorCode::kUnsupportedMinorPayloadVersion:
+ case ErrorCode::kPayloadTimestampError:
LOG(INFO) << "Advancing download URL due to error "
<< chromeos_update_engine::utils::ErrorCodeToString(err_code)
<< " (" << static_cast<int>(err_code) << ")";
diff --git a/update_metadata.proto b/update_metadata.proto
index 4fe5fd3..be45f88 100644
--- a/update_metadata.proto
+++ b/update_metadata.proto
@@ -281,4 +281,8 @@
// array can have more than two partitions if needed, and they are identified
// by the partition name.
repeated PartitionUpdate partitions = 13;
+
+ // The maximum timestamp of the OS allowed to apply this payload.
+ // Can be used to prevent downgrading the OS.
+ optional int64 max_timestamp = 14;
}