GitLab

(Cherry-pick back from master.)

Bug: 16984795
Change-Id: Ifa3d8345c5e2a0be86fb28faa080ca82592a96b4

Something is leaving behind wipe commands in the BCB area of the /misc
partition.  We don't know what is doing that.  It should always be
safe to zero out that area from uncrypt, though (because if uncrypt is
running then it's got the command we want in the recovery command file
rather than the BCB).

Bug: 16715412
Change-Id: Iad01124287f13b80ff71d6371db6371f43c43211

Bug: 17029174, 17015157
Change-Id: I1d24f3402875dfb972daa6daef0f385baeff84e9

Bug: 17015157
Change-Id: I3c4bdcf4f11d44b617bb731a48413e3707044d1c

We need to wipe the challenges on this partition
if OEM unlock is enabled, as this is a signal that
the user has opted out of factory reset protection.

go/factory-reset

Bug: 16633064
Change-Id: Icb8f1433bf99ca57813f5b72d5a3dd15fa94a263

These error messages include empty parens after each string
substition.  Ill-advised cut and paste, probably.

Bug: 16467401
Change-Id: Ib623172d6228354afdcc2e33442cc53a07f0ecbc

Fix wrong argument order.
Fix for 32 vs 64 bit.

(reported by htc)

Change-Id: Ie37a280bed2848199bcc075500e1326e371cd326

If recovery is invoked with a package somewhere other than /data,
leave it alone.

Change-Id: Ief358b53df467ae24a65e30e7a631da59bf13683

Sometimes renames will move a file into a directory
that does not yet exist.  This will create the
parent directories, using the same symlink logic,
to ensure that there is a valid destination.

Change-Id: Iaa005a12ce800c39f4db20f7c25a2a68cb40a52d

Make a fuse filesystem that sits on top of the selected package file
on the sdcard, so we can verify that the file contents don't change
while being read and avoid copying the file to /tmp (that is, RAM)
before verifying and installing it.

Change-Id: Ifd982aa68bfe469eda5f839042648654bf7386a1

Split the adb-specific portions (fetching a block from the adb host
and closing the connections) out from the rest of the FUSE filesystem
code, so that we can reuse the fuse stuff for installing off sdcards
as well.

Change-Id: I0ba385fd35999c5f5cad27842bc82024a264dd14

Drop support for sideloading OTA packages of the cache partition (a
half-solution that's long since been deprecated by "adb sideload").
Refactor the code to sideload OTA packages from SD cards: remove the
installation code from the file browser.

Change-Id: Id0dff6b27c4a5837546f174f50e2e1d0379c43db

Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).

We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.

We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host.  This file is then passed to the
verification and installation systems like any other.

To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.

One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem).  We rely on SELinux enforcement to
restrict the set of things that can be accessed.

Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114

* commit '3e0fc39e':
  Fix recovery mode.

* commit '974fe112':
  Fix recovery mode.

Set panic_on_oops=1 to reboot if the kernel panics.

Change-Id: Id9e8689a570229db2ea2a3d72b52784f8a1ed107

Duplicate changes made to init.rc for https://android-review.googlesource.com/98852
in the init.rc used for recovery mode.

Bug 15849856

Change-Id: Ia376ddf6373a28718653f7fb1435bf7ecb33d813

Instead of LOCAL_ADDITIONAL_DEPENDENCIES.

Bug: 15702524
Change-Id: Ic152ae60354bf09eccdb9a85dcd04f0f076a6422

This adds F2FS support
- for wiping a device
- for the install "format" command.

Note: crypto data in "footer" with a default/negative length
is not supported, unlike with "ext4".

Change-Id: I8d141a0d4d14df9fe84d3b131484e9696fcd8870
Signed-off-by: JP Abgrall <jpa@google.com>

Clear framebuffer at init.

[toddpoynor@google.com: forward port]
Change-Id: Ie98c7724cd974dcacef3e3559a6fe492864a5e72

While executing syspatch and package_extract_file() calls with don't
care maps (both of which are used to rewrite the system image in
incremental and full block OTAs, respectively), pass a progress
callback in and use it to update the visible progress bar.

Change-Id: I1d3742d167c1bb2130571eb5103b7795c65ff371

* commit 'dff8afe1':
  restore holo UI in recovery -- DO NOT MERGE

Return to the recovery to the holo appearance.

Bug: 15424396
Change-Id: Id4d3f23e0a6251a12aa42f3793cff347f38b4243

* commit '54a61179':
  recovery: initialize keys press tracking status

* commit 'cfd4b286':
  recovery: initialize keys press tracking status

Checks for keys pressed return random results because of an uninitialized data
structure.

Change-Id: Ic8b3d453d62347921aa893403079b374c16a092e
Signed-off-by: Mihai Serban <mihai.serban@intel.com>

Since we don't have quantum assets for recovery yet, go back to the
holo appearance (dark background, blue glowing progress bar) for
lmp-preview.

Change-Id: Id4d3f23e0a6251a12aa42f3793cff347f38b4243

The default recovery UI will reboot the device when the power key is
pressed 7 times in a row, regardless of what recovery is doing.
Disable this feature during package installation, to minimize the
chance of corrupting the device due to a mid-install reboot.  (Debug
packages can explicitly request that the feature be reenabled.)

Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf

am 502e4595: am d1c64060: am 5fbb729f: Merge "exit instead of return if sideload file creation fails"

* commit '502e4595':
  exit instead of return if sideload file creation fails

* commit 'd1c64060':
  exit instead of return if sideload file creation fails

* commit '5fbb729f':
  exit instead of return if sideload file creation fails

* commit 'c4804e9b':
  fix vulnerability in bspatch

* commit 'd4592694':
  fix vulnerability in bspatch

* commit '3ca99f6c':
  fix vulnerability in bspatch