recovery: Add support to brick a device.

When recovery starts with --brick, it tries to brick the device by
securely wiping all the partitions as listed in /etc/recovery.brick.

This is designed to support bricking lost devices.

Bug: 27253717
Change-Id: Ib0bd4f0a3bdaca4febc91fce6b682e3ec74354e2
diff --git a/recovery.cpp b/recovery.cpp
index 4a3c7ef..b4dc41b 100644
--- a/recovery.cpp
+++ b/recovery.cpp
@@ -19,7 +19,9 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <getopt.h>
+#include <inttypes.h>
 #include <limits.h>
+#include <linux/fs.h>
 #include <linux/input.h>
 #include <stdarg.h>
 #include <stdio.h>
@@ -33,12 +35,16 @@
 #include <unistd.h>
 
 #include <chrono>
+#include <string>
+#include <vector>
 
 #include <adb.h>
 #include <android/log.h> /* Android Log Priority Tags */
 #include <android-base/file.h>
 #include <android-base/parseint.h>
 #include <android-base/stringprintf.h>
+#include <android-base/strings.h>
+#include <android-base/unique_fd.h>
 #include <cutils/android_reboot.h>
 #include <cutils/properties.h>
 #include <healthd/BatteryMonitor.h>
@@ -75,6 +81,7 @@
   { "stages", required_argument, NULL, 'g' },
   { "shutdown_after", no_argument, NULL, 'p' },
   { "reason", required_argument, NULL, 'r' },
+  { "brick", no_argument, NULL, 0 },
   { NULL, 0, NULL, 0 },
 };
 
@@ -97,6 +104,7 @@
 // So we should check battery with a slightly lower limitation.
 static const int BATTERY_OK_PERCENTAGE = 20;
 static const int BATTERY_WITH_CHARGER_OK_PERCENTAGE = 15;
+constexpr const char* RECOVERY_BRICK = "/etc/recovery.brick";
 
 RecoveryUI* ui = NULL;
 char* locale = NULL;
@@ -811,6 +819,75 @@
     return success;
 }
 
+// Secure-wipe a given partition. It uses BLKSECDISCARD, if supported.
+// Otherwise, it goes with BLKDISCARD (if device supports BLKDISCARDZEROES) or
+// BLKZEROOUT.
+static bool secure_wipe_partition(const std::string& partition) {
+    android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(partition.c_str(), O_WRONLY)));
+    if (fd == -1) {
+        LOGE("failed to open \"%s\": %s\n", partition.c_str(), strerror(errno));
+        return false;
+    }
+
+    uint64_t range[2] = {0, 0};
+    if (ioctl(fd, BLKGETSIZE64, &range[1]) == -1 || range[1] == 0) {
+        LOGE("failed to get partition size: %s\n", strerror(errno));
+        return false;
+    }
+    printf("Secure-wiping \"%s\" from %" PRIu64 " to %" PRIu64 ".\n",
+           partition.c_str(), range[0], range[1]);
+
+    printf("Trying BLKSECDISCARD...\t");
+    if (ioctl(fd, BLKSECDISCARD, &range) == -1) {
+        printf("failed: %s\n", strerror(errno));
+
+        // Use BLKDISCARD if it zeroes out blocks, otherwise use BLKZEROOUT.
+        unsigned int zeroes;
+        if (ioctl(fd, BLKDISCARDZEROES, &zeroes) == 0 && zeroes != 0) {
+            printf("Trying BLKDISCARD...\t");
+            if (ioctl(fd, BLKDISCARD, &range) == -1) {
+                printf("failed: %s\n", strerror(errno));
+                return false;
+            }
+        } else {
+            printf("Trying BLKZEROOUT...\t");
+            if (ioctl(fd, BLKZEROOUT, &range) == -1) {
+                printf("failed: %s\n", strerror(errno));
+                return false;
+            }
+        }
+    }
+
+    printf("done\n");
+    return true;
+}
+
+// Brick the current device, with a secure wipe of all the partitions in
+// RECOVERY_BRICK.
+static bool brick_device() {
+    ui->SetBackground(RecoveryUI::ERASING);
+    ui->SetProgressType(RecoveryUI::INDETERMINATE);
+
+    std::string partition_list;
+    if (!android::base::ReadFileToString(RECOVERY_BRICK, &partition_list)) {
+        LOGE("failed to read \"%s\".\n", RECOVERY_BRICK);
+        return false;
+    }
+
+    std::vector<std::string> lines = android::base::Split(partition_list, "\n");
+    for (const std::string& line : lines) {
+        std::string partition = android::base::Trim(line);
+        // Ignore '#' comment or empty lines.
+        if (android::base::StartsWith(partition, "#") || partition.empty()) {
+            continue;
+        }
+
+        // Proceed anyway even if it fails to wipe some partition.
+        secure_wipe_partition(partition);
+    }
+    return true;
+}
+
 static void choose_recovery_file(Device* device) {
     if (!has_cache) {
         ui->Print("No /cache partition found.\n");
@@ -1262,6 +1339,7 @@
     const char *update_package = NULL;
     bool should_wipe_data = false;
     bool should_wipe_cache = false;
+    bool should_brick = false;
     bool show_text = false;
     bool sideload = false;
     bool sideload_auto_reboot = false;
@@ -1270,7 +1348,8 @@
     int retry_count = 0;
 
     int arg;
-    while ((arg = getopt_long(argc, argv, "", OPTIONS, NULL)) != -1) {
+    int option_index;
+    while ((arg = getopt_long(argc, argv, "", OPTIONS, &option_index)) != -1) {
         switch (arg) {
         case 'n': android::base::ParseInt(optarg, &retry_count, 0); break;
         case 'u': update_package = optarg; break;
@@ -1291,6 +1370,13 @@
         }
         case 'p': shutdown_after = true; break;
         case 'r': reason = optarg; break;
+        case 0: {
+            if (strcmp(OPTIONS[option_index].name, "brick") == 0) {
+                should_brick = true;
+                break;
+            }
+            break;
+        }
         case '?':
             LOGE("Invalid command argument\n");
             continue;
@@ -1415,6 +1501,10 @@
         if (!wipe_cache(false, device)) {
             status = INSTALL_ERROR;
         }
+    } else if (should_brick) {
+        if (!brick_device()) {
+            status = INSTALL_ERROR;
+        }
     } else if (sideload) {
         // 'adb reboot sideload' acts the same as user presses key combinations
         // to enter the sideload mode. When 'sideload-auto-reboot' is used, text