/src/u-boot/boot/android_ab.c
1 | | // SPDX-License-Identifier: BSD-2-Clause |
2 | | /* |
3 | | * Copyright (C) 2017 The Android Open Source Project |
4 | | */ |
5 | | #include <android_ab.h> |
6 | | #include <android_bootloader_message.h> |
7 | | #include <blk.h> |
8 | | #include <log.h> |
9 | | #include <malloc.h> |
10 | | #include <part.h> |
11 | | #include <memalign.h> |
12 | | #include <linux/err.h> |
13 | | #include <u-boot/crc.h> |
14 | | |
/**
 * ab_control_compute_crc() - Compute the CRC32 of the bootloader control.
 *
 * @abc: Bootloader control block
 *
 * The checksum covers every byte of the structure that precedes the
 * crc32_le field; the field itself and anything after it are excluded.
 * Note that a CRC only detects accidental corruption: it does not
 * authenticate the block, so the remaining fields must still be range
 * checked by the caller before they are acted upon.
 *
 * Return: crc32 sum
 */
static uint32_t ab_control_compute_crc(struct bootloader_control *abc)
{
	const size_t covered = offsetof(struct bootloader_control, crc32_le);

	return crc32(0, (const void *)abc, covered);
}
29 | | |
/**
 * ab_control_default() - Initialize bootloader_control to the default value.
 *
 * @abc: Bootloader control block
 *
 * The defaults make every slot bootable with the same priority and a full
 * set of retries, so the slots are tried in order starting from the first
 * one. Use this when the on-disk message is corrupted, never to override
 * a valid message that says all slots are unbootable.
 *
 * NOTE(review): recovery_tries_remaining (printed by ab_dump_abc()) is not
 * touched here, so it keeps whatever the buffer already held - confirm
 * that is intended.
 *
 * Return: 0 on success and a negative on error
 */
static int ab_control_default(struct bootloader_control *abc)
{
	/* Every slot starts out as "bootable, never yet booted successfully" */
	const struct slot_metadata fresh_slot = {
		.priority = 15,
		.tries_remaining = 7,
		.successful_boot = 0,
		.verity_corrupted = 0,
		.reserved = 0
	};
	int idx;

	if (!abc)
		return -EFAULT;

	abc->magic = BOOT_CTRL_MAGIC;
	abc->version = BOOT_CTRL_VERSION;
	abc->nb_slot = NUM_SLOTS;
	memcpy(abc->slot_suffix, "_a\0\0", 4);
	memset(abc->reserved0, 0, sizeof(abc->reserved0));
	memset(abc->reserved1, 0, sizeof(abc->reserved1));

	idx = 0;
	while (idx < abc->nb_slot) {
		abc->slot_info[idx] = fresh_slot;
		idx++;
	}

	/* The CRC goes in last, once every other covered byte is final */
	abc->crc32_le = ab_control_compute_crc(abc);

	return 0;
}
68 | | |
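/**
 * ab_control_create_from_disk() - Load the boot_control from disk into memory.
 *
 * @dev_desc: Device where to read the boot_control struct from
 * @part_info: Partition in 'dev_desc' where to read from, normally
 *             the "misc" partition should be used
 * @abc: pointer to pointer to bootloader_control data; set to a freshly
 *       allocated buffer on success and to NULL on failure
 * @offset: boot_control struct offset
 *
 * This function allocates and returns an integer number of disk blocks,
 * based on the block size of the passed device to help performing a
 * read-modify-write operation on the boot_control struct.
 * The boot_control struct offset (2 KiB) must be a multiple of the device
 * block size, for simplicity.
 *
 * The buffer contents come straight from disk and are not validated here;
 * the caller must check the CRC, magic, version and nb_slot before trusting
 * any field. Ownership of the buffer passes to the caller, who releases it
 * with free().
 *
 * Return: 0 on success and a negative on error
 */
static int ab_control_create_from_disk(struct blk_desc *dev_desc,
				       const struct disk_partition *part_info,
				       struct bootloader_control **abc,
				       ulong offset)
{
	ulong abc_offset, abc_blocks, ret;

	*abc = NULL;

	/* Byte offset of the control block inside the partition */
	abc_offset = offset +
		     offsetof(struct bootloader_message_ab, slot_suffix);
	if (abc_offset % part_info->blksz) {
		log_err("ANDROID: Boot control block not block aligned.\n");
		return -EINVAL;
	}
	abc_offset /= part_info->blksz;

	abc_blocks = DIV_ROUND_UP(sizeof(struct bootloader_control),
				  part_info->blksz);
	if (abc_offset + abc_blocks > part_info->size) {
		log_err("ANDROID: boot control partition too small. Need at least %lu blocks but have " LBAF " blocks.\n",
			abc_offset + abc_blocks, part_info->size);
		return -EINVAL;
	}
	*abc = malloc_cache_aligned(abc_blocks * part_info->blksz);
	if (!*abc)
		return -ENOMEM;

	ret = blk_dread(dev_desc, part_info->start + abc_offset, abc_blocks,
			*abc);
	/*
	 * A short read would leave the tail of the buffer uninitialised and
	 * that tail is later written back by ab_control_store(), so treat it
	 * exactly like a failed read.
	 */
	if (IS_ERR_VALUE(ret) || ret != abc_blocks) {
		log_err("ANDROID: Could not read from boot ctrl partition\n");
		free(*abc);
		*abc = NULL;
		return -EIO;
	}

	log_debug("ANDROID: Loaded ABC, %lu blocks\n", abc_blocks);

	return 0;
}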
124 | | |
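/**
 * ab_control_store() - Store the loaded boot_control block.
 *
 * @dev_desc: Device where we should write the boot_control struct
 * @part_info: Partition on the 'dev_desc' where to write
 * @abc: Pointer to the boot control struct and the extra bytes after
 *       it up to the nearest block boundary
 * @offset: boot_control struct offset
 *
 * Store back to the same location it was read from with
 * ab_control_create_from_disk(). The whole block run is written, so @abc
 * must be a buffer obtained from that function (not a bare struct).
 *
 * Return: 0 on success and a negative on error
 */
static int ab_control_store(struct blk_desc *dev_desc,
			    const struct disk_partition *part_info,
			    struct bootloader_control *abc, ulong offset)
{
	ulong abc_offset, abc_blocks, ret;

	/*
	 * Apply the same alignment rule as ab_control_create_from_disk(): the
	 * byte offset of the control block itself must be block aligned, or
	 * the division below would silently truncate to the wrong block.
	 */
	abc_offset = offset +
		     offsetof(struct bootloader_message_ab, slot_suffix);
	if (abc_offset % part_info->blksz) {
		log_err("ANDROID: offset not block aligned\n");
		return -EINVAL;
	}
	abc_offset /= part_info->blksz;

	abc_blocks = DIV_ROUND_UP(sizeof(struct bootloader_control),
				  part_info->blksz);
	if (abc_offset + abc_blocks > part_info->size) {
		log_err("ANDROID: boot control partition too small. Need at least %lu blocks but have " LBAF " blocks.\n",
			abc_offset + abc_blocks, part_info->size);
		return -EINVAL;
	}

	ret = blk_dwrite(dev_desc, part_info->start + abc_offset, abc_blocks,
			 abc);
	/* A partial write leaves the on-disk block inconsistent: report it */
	if (IS_ERR_VALUE(ret) || ret != abc_blocks) {
		log_err("ANDROID: Could not write back the misc partition\n");
		return -EIO;
	}

	return 0;
}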
164 | | |
/**
 * ab_compare_slots() - Compare two slots.
 *
 * @a: The first bootable slot metadata
 * @b: The second bootable slot metadata
 *
 * Orders two bootable slots by priority, then successful_boot, then
 * tries_remaining, to decide which of the two should be booted.
 *
 * Return: Negative if the slot "a" is better, positive if the slot "b" is
 * better or 0 if they are equally good.
 */
static int ab_compare_slots(const struct slot_metadata *a,
			    const struct slot_metadata *b)
{
	int diff;

	/* Priority is the primary key: higher wins */
	diff = b->priority - a->priority;
	if (diff)
		return diff;

	/* Then a slot known to have booted successfully beats one that has not */
	diff = b->successful_boot - a->successful_boot;
	if (diff)
		return diff;

	/* Finally more tries remaining wins, which keeps selection round-robin */
	return b->tries_remaining - a->tries_remaining;
}
193 | | |
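/**
 * ab_find_bootable_slot() - Pick the best bootable slot in @abc.
 *
 * @abc: Validated bootloader control block (nb_slot already clamped)
 *
 * A slot is skipped when it is marked verity_corrupted or has no
 * tries_remaining; among the rest, ab_compare_slots() decides. Note that
 * only tries_remaining is consulted here: a slot with successful_boot set
 * but tries_remaining == 0 is treated as unbootable.
 *
 * Return: the slot index, or -1 when no slot is bootable
 */
static int ab_find_bootable_slot(const struct bootloader_control *abc)
{
	int slot = -1;
	int i;

	for (i = 0; i < abc->nb_slot; ++i) {
		const struct slot_metadata *si = &abc->slot_info[i];

		if (si->verity_corrupted || !si->tries_remaining) {
			log_debug("ANDROID: unbootable slot %d tries: %d, ",
				  i, si->tries_remaining);
			log_debug("corrupt: %d\n", si->verity_corrupted);
			continue;
		}
		log_debug("ANDROID: bootable slot %d pri: %d, tries: %d, ",
			  i, si->priority, si->tries_remaining);
		log_debug("corrupt: %d, successful: %d\n",
			  si->verity_corrupted, si->successful_boot);

		if (slot < 0 || ab_compare_slots(si, &abc->slot_info[slot]) < 0)
			slot = i;
	}

	return slot;
}

/**
 * ab_select_slot() - Select the slot to boot from using the A/B metadata.
 *
 * @dev_desc: Device holding the A/B metadata
 * @part_info: Partition (normally "misc") holding the A/B metadata
 * @dec_tries: When true, decrement tries_remaining of the chosen slot if it
 *             has not yet booted successfully
 *
 * Loads the primary (and, when CONFIG_ANDROID_AB_BACKUP_OFFSET is set, the
 * backup) control block, repairs a corrupted primary from the backup or
 * from defaults, validates magic/version/nb_slot, picks the best bootable
 * slot and writes any modified metadata back to both locations.
 *
 * Return: the selected slot index (>= 0), -EINVAL when no slot is bootable,
 * -ENODATA for unusable metadata, or another negative value on I/O errors
 */
int ab_select_slot(struct blk_desc *dev_desc, struct disk_partition *part_info,
		   bool dec_tries)
{
	struct bootloader_control *abc = NULL;
	struct bootloader_control *backup_abc = NULL;
	u32 crc32_le;
	int slot, ret;
	bool store_needed = false;
	bool valid_backup = false;
	char slot_suffix[4];

	if (!dev_desc || !part_info) {
		log_err("ANDROID: Empty device descriptor or partition info\n");
		return -EINVAL;
	}

	ret = ab_control_create_from_disk(dev_desc, part_info, &abc, 0);
	if (ret < 0) {
		/*
		 * This condition represents an actual problem with the code or
		 * the board setup, like an invalid partition information.
		 * Signal a repair mode and do not try to boot from either slot.
		 * Nothing is owned by us on this path.
		 */
		return ret;
	}

	if (CONFIG_ANDROID_AB_BACKUP_OFFSET) {
		ret = ab_control_create_from_disk(dev_desc, part_info, &backup_abc,
						  CONFIG_ANDROID_AB_BACKUP_OFFSET);
		if (ret < 0) {
			/* backup_abc is not ours on failure; only abc is */
			free(abc);
			return ret;
		}
	}

	crc32_le = ab_control_compute_crc(abc);
	if (abc->crc32_le != crc32_le) {
		log_err("ANDROID: Invalid CRC-32 (expected %.8x, found %.8x),",
			crc32_le, abc->crc32_le);
		if (CONFIG_ANDROID_AB_BACKUP_OFFSET) {
			crc32_le = ab_control_compute_crc(backup_abc);
			if (backup_abc->crc32_le != crc32_le) {
				log_err(" ANDROID: Invalid backup CRC-32 ");
				log_err("(expected %.8x, found %.8x),",
					crc32_le, backup_abc->crc32_le);
			} else {
				valid_backup = true;
				log_info(" copying A/B metadata from backup.\n");
				memcpy(abc, backup_abc, sizeof(*abc));
			}
		}

		if (!valid_backup) {
			log_err(" re-initializing A/B metadata.\n");
			ret = ab_control_default(abc);
			if (ret < 0) {
				ret = -ENODATA;
				goto out;
			}
		}
		/* Either way the primary copy on disk must be rewritten */
		store_needed = true;
	}

	if (abc->magic != BOOT_CTRL_MAGIC) {
		log_err("ANDROID: Unknown A/B metadata: %.8x\n", abc->magic);
		ret = -ENODATA;
		goto out;
	}

	if (abc->version > BOOT_CTRL_VERSION) {
		log_err("ANDROID: Unsupported A/B metadata version: %.8x\n",
			abc->version);
		ret = -ENODATA;
		goto out;
	}

	/*
	 * At this point a valid boot control metadata is stored in abc,
	 * followed by other reserved data in the same block. We select the
	 * highest priority slot that
	 * - is not marked as corrupted and
	 * - still has tries_remaining > 0.
	 * If the selected slot has a false successful_boot, we also decrement
	 * the tries_remaining until it eventually becomes unbootable because
	 * tries_remaining reaches 0. This mechanism produces a bootloader
	 * induced rollback, typically right after a failed update.
	 */

	/* Safety check: nb_slot comes from disk, never index past the array */
	if (abc->nb_slot > ARRAY_SIZE(abc->slot_info)) {
		abc->nb_slot = ARRAY_SIZE(abc->slot_info);
		store_needed = true;
	}

	slot = ab_find_bootable_slot(abc);

	if (slot >= 0 && !abc->slot_info[slot].successful_boot) {
		log_err("ANDROID: Attempting slot %c, tries remaining %d\n",
			BOOT_SLOT_NAME(slot),
			abc->slot_info[slot].tries_remaining);
		if (dec_tries) {
			abc->slot_info[slot].tries_remaining--;
			store_needed = true;
		}
	}

	if (slot >= 0) {
		/*
		 * Legacy user-space requires this field to be set in the BCB.
		 * Newer releases load this slot suffix from the command line
		 * or the device tree.
		 */
		memset(slot_suffix, 0, sizeof(slot_suffix));
		slot_suffix[0] = '_';
		slot_suffix[1] = BOOT_SLOT_NAME(slot);
		if (memcmp(abc->slot_suffix, slot_suffix,
			   sizeof(slot_suffix))) {
			memcpy(abc->slot_suffix, slot_suffix,
			       sizeof(slot_suffix));
			store_needed = true;
		}
	}

	if (store_needed) {
		/* Recompute the CRC over the modified block before writing */
		abc->crc32_le = ab_control_compute_crc(abc);
		ret = ab_control_store(dev_desc, part_info, abc, 0);
		if (ret < 0)
			goto out;
	}

	if (CONFIG_ANDROID_AB_BACKUP_OFFSET) {
		/*
		 * If the backup doesn't match the primary, write the primary
		 * to the backup offset
		 */
		if (memcmp(backup_abc, abc, sizeof(*abc)) != 0) {
			ret = ab_control_store(dev_desc, part_info, abc,
					       CONFIG_ANDROID_AB_BACKUP_OFFSET);
			if (ret < 0)
				goto out;
		}
	}

	ret = slot < 0 ? -EINVAL : slot;

out:
	/* Single cleanup path: both buffers are owned by us from here on */
	if (CONFIG_ANDROID_AB_BACKUP_OFFSET)
		free(backup_abc);
	free(abc);

	return ret;
}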
375 | | |
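/**
 * ab_dump_abc() - Print the A/B metadata stored in a partition.
 *
 * @dev_desc: Device holding the A/B metadata
 * @part_info: Partition (normally "misc") holding the A/B metadata
 *
 * Reads the primary control block and prints its header fields, CRC
 * validity and per-slot metadata. Magic, version and nb_slot are checked
 * before anything is printed, since those values come straight from disk.
 *
 * Return: 0 on success and a negative on error
 */
int ab_dump_abc(struct blk_desc *dev_desc, struct disk_partition *part_info)
{
	struct bootloader_control *abc;
	u32 crc32_le;
	int i, ret;
	const struct slot_metadata *slot;

	if (!dev_desc || !part_info) {
		log_err("ANDROID: Empty device descriptor or partition info\n");
		return -EINVAL;
	}

	ret = ab_control_create_from_disk(dev_desc, part_info, &abc, 0);
	if (ret < 0) {
		log_err("ANDROID: Cannot create bcb from disk %d\n", ret);
		return ret;
	}

	if (abc->magic != BOOT_CTRL_MAGIC) {
		log_err("ANDROID: Unknown A/B metadata: %.8x\n", abc->magic);
		ret = -ENODATA;
		goto error;
	}

	if (abc->version > BOOT_CTRL_VERSION) {
		log_err("ANDROID: Unsupported A/B metadata version: %.8x\n",
			abc->version);
		ret = -ENODATA;
		goto error;
	}

	/* nb_slot bounds the loop below; reject anything past the array */
	if (abc->nb_slot > ARRAY_SIZE(abc->slot_info)) {
		log_err("ANDROID: Wrong number of slots %u, expected %zu\n",
			abc->nb_slot, ARRAY_SIZE(abc->slot_info));
		ret = -ENODATA;
		goto error;
	}

	printf("Bootloader Control: [%s]\n", part_info->name);
	/*
	 * slot_suffix is raw on-disk data and is not guaranteed to be
	 * NUL-terminated, so bound the print to the size of the field.
	 */
	printf("Active Slot: %.*s\n", (int)sizeof(abc->slot_suffix),
	       abc->slot_suffix);
	printf("Magic Number: 0x%x\n", abc->magic);
	printf("Version: %u\n", abc->version);
	printf("Number of Slots: %u\n", abc->nb_slot);
	printf("Recovery Tries Remaining: %u\n", abc->recovery_tries_remaining);

	printf("CRC: 0x%.8x", abc->crc32_le);

	crc32_le = ab_control_compute_crc(abc);
	if (abc->crc32_le != crc32_le)
		printf(" (Invalid, Expected: 0x%.8x)\n", crc32_le);
	else
		printf(" (Valid)\n");

	for (i = 0; i < abc->nb_slot; ++i) {
		slot = &abc->slot_info[i];
		printf("\nSlot[%d] Metadata:\n", i);
		printf("\t- Priority: %u\n", slot->priority);
		printf("\t- Tries Remaining: %u\n", slot->tries_remaining);
		printf("\t- Successful Boot: %u\n", slot->successful_boot);
		printf("\t- Verity Corrupted: %u\n", slot->verity_corrupted);
	}

error:
	free(abc);

	return ret;
}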