Merge "Update_verifier should read blocks in EIO mode" am: 21d481c81e am: 89559e3cfe
am: 81f5b04df2

Change-Id: I20f459c3403ec0e120769bd805b9508dbe11b989
(cherry picked from commit e3ea825181d073eb240cdedaf4aa412647b495fd)
diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp
index 83b1c46..72b6dcc 100644
--- a/update_verifier/update_verifier.cpp
+++ b/update_verifier/update_verifier.cpp
@@ -19,9 +19,14 @@
  * update. It gets invoked by init, and will only perform the verification if
  * it's the first boot post an A/B OTA update.
  *
- * It relies on dm-verity to capture any corruption on the partitions being
- * verified. dm-verity must be in enforcing mode, so that it will reboot the
- * device on dm-verity failures. When that happens, the bootloader should
+ * Update_verifier relies on dm-verity to capture any corruption on the partitions
+ * being verified. And its behavior varies depending on the dm-verity mode.
+ * Upon detection of failures:
+ *   enforcing mode: dm-verity reboots the device
+ *   eio mode: dm-verity fails the read and update_verifier reboots the device
+ *   other mode: not supported and update_verifier reboots the device
+ *
+ * After a predefined number of failing boot attempts, the bootloader should
  * mark the slot as unbootable and stops trying. Other dm-verity modes (
  * for example, veritymode=EIO) are not accepted and simply lead to a
  * verification failure.
@@ -35,6 +40,7 @@
 #include <fcntl.h>
 #include <stdio.h>
 #include <string.h>
+#include <unistd.h>
 
 #include <string>
 #include <vector>
@@ -46,6 +52,7 @@
 #include <android-base/strings.h>
 #include <android-base/unique_fd.h>
 #include <android/hardware/boot/1.0/IBootControl.h>
+#include <cutils/android_reboot.h>
 
 using android::sp;
 using android::hardware::boot::V1_0::IBootControl;
@@ -66,18 +73,9 @@
   return 0;
 }
 
-static bool read_blocks(const std::string& blk_device, const std::string& range_str) {
-  // Parse the partition in the end of the block_device string.
-  // Here is one example: "/dev/block/bootdevice/by-name/system"
-  std::string partition;
-  if (android::base::EndsWith(blk_device, "system")) {
-    partition = "system";
-  } else if (android::base::EndsWith(blk_device, "vendor")) {
-    partition = "vendor";
-  } else {
-    LOG(ERROR) << "Failed to parse partition string in " << blk_device;
-    return false;
-  }
+static bool read_blocks(const std::string& partition, const std::string& range_str) {
+  CHECK(partition == "system" || partition == "vendor")
+      << "partition name should be system or vendor" << partition;
 
   // Iterate the content of "/sys/block/dm-X/dm/name". If it matches "system"
   // (or "vendor"), then dm-X is a dm-wrapped system/vendor partition.
@@ -172,7 +170,7 @@
         return true;
     }
     // Care map file has four lines (two lines if vendor partition is not present):
-    // First line has the block device name, e.g./dev/block/.../by-name/system.
+    // First line has the block partition name (system/vendor).
     // Second line holds all ranges of blocks to verify.
     // The next two lines have the same format but for vendor partition.
     std::string file_content;
@@ -198,6 +196,14 @@
     return true;
 }
 
+static int reboot_device() {
+  if (android_reboot(ANDROID_RB_RESTART2, 0, nullptr) == -1) {
+    LOG(ERROR) << "Failed to reboot.";
+    return -1;
+  }
+  while (true) pause();
+}
+
 int main(int argc, char** argv) {
   for (int i = 1; i < argc; i++) {
     LOG(INFO) << "Started with arg " << i << ": " << argv[i];
@@ -206,7 +212,7 @@
   sp<IBootControl> module = IBootControl::getService();
   if (module == nullptr) {
     LOG(ERROR) << "Error getting bootctrl module.";
-    return -1;
+    return reboot_device();
   }
 
   uint32_t current_slot = module->getCurrentSlot();
@@ -221,18 +227,19 @@
     std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", "");
     if (verity_mode.empty()) {
       LOG(ERROR) << "Failed to get dm-verity mode.";
-      return -1;
+      return reboot_device();
     } else if (android::base::EqualsIgnoreCase(verity_mode, "eio")) {
-      // We shouldn't see verity in EIO mode if the current slot hasn't booted
-      // successfully before. Therefore, fail the verification when veritymode=eio.
-      LOG(ERROR) << "Found dm-verity in EIO mode, skip verification.";
-      return -1;
+      // We shouldn't see verity in EIO mode if the current slot hasn't booted successfully before.
+      // Continue the verification until we fail to read some blocks.
+      LOG(WARNING) << "Found dm-verity in EIO mode.";
     } else if (verity_mode != "enforcing") {
       LOG(ERROR) << "Unexpected dm-verity mode : " << verity_mode << ", expecting enforcing.";
-      return -1;
-    } else if (!verify_image(CARE_MAP_FILE)) {
+      return reboot_device();
+    }
+
+    if (!verify_image(CARE_MAP_FILE)) {
       LOG(ERROR) << "Failed to verify all blocks in care map file.";
-      return -1;
+      return reboot_device();
     }
 #else
     LOG(WARNING) << "dm-verity not enabled; marking without verification.";
@@ -242,7 +249,7 @@
     module->markBootSuccessful([&cr](CommandResult result) { cr = result; });
     if (!cr.success) {
       LOG(ERROR) << "Error marking booted successfully: " << cr.errMsg;
-      return -1;
+      return reboot_device();
     }
     LOG(INFO) << "Marked slot " << current_slot << " as booted successfully.";
   }