[OTA] 系统加密后Recovery是如何读取OTA升级包的
目前很多Android手机采用的FUSE方案,也就是内部SD卡不单独占用一个文件系统而实际上占用的是userdata的空间。 当系统加密后,解密需要VOLD的参于。而在Recovery模式下,是没有VOLD的启动的。因此,若是OTA升级包保存在了usrdata或内部存储器中时,Recovery是没有法子直接读取的。
那么,Android 5.0上, 是怎么处理这个问题的呢? 我来从头一一分析起来:
首先,安装升级包一般是调用
frameworks/base/core/java/android/os/RecoverySystem.java 中的installPackage来触发的。
public static void installPackage(Context context, File packageFile)
throws IOException {
String filename = packageFile.getCanonicalPath();
Log.w(TAG, "!!! REBOOTING TO INSTALL " + filename + " !!!");
final String filenameArg = "--update_package=" + filename;
final String localeArg = "--locale=" + Locale.getDefault().toString();
bootCommand(context, filenameArg, localeArg);
}
最终调用到了bootCommand中,在/cache/recovery/command写入 “--update_package=升级包的文件路径”。然后调用PowerManager, 触发REBOOT_RECOVERY
/**
* Reboot into the recovery system with the supplied argument.
* @param args to pass to the recovery utility.
* @throws IOException if something goes wrong.
*/
private static void bootCommand(Context context, String... args) throws IOException {
RECOVERY_DIR.mkdirs(); // In case we need it
COMMAND_FILE.delete(); // In case it's not writable
LOG_FILE.delete();
FileWriter command = new FileWriter(COMMAND_FILE);
try {
for (String arg : args) {
if (!TextUtils.isEmpty(arg)) {
command.write(arg);
command.write("\n");
}
}
} finally {
command.close();
}
// Having written the command file, go ahead and reboot
PowerManager pm = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
pm.reboot(PowerManager.REBOOT_RECOVERY);
throw new IOException("Reboot failed (no permissions?)");
}至于pm.reboot, 最后会调用到PowerManagerService的lowLevelReboot:
/**
* Low-level function to reboot the device. On success, this
* function doesn't return. If more than 20 seconds passes from
* the time a reboot is requested (120 seconds for reboot to
* recovery), this method returns.
*
* @param reason code to pass to the kernel (e.g. "recovery"), or null.
*/
public static void lowLevelReboot(String reason) {
if (reason == null) {
reason = "";
}
long duration;
if (reason.equals(PowerManager.REBOOT_RECOVERY)) {
// If we are rebooting to go into recovery, instead of
// setting sys.powerctl directly we'll start the
// pre-recovery service which will do some preparation for
// recovery and then reboot for us.
//
// This preparation can take more than 20 seconds if
// there's a very large update package, so lengthen the
// timeout. We have seen 750MB packages take 3-4 minutes
SystemProperties.set("ctl.start", "pre-recovery");
duration = 300 * 1000L;
} else {
SystemProperties.set("sys.powerctl", "reboot," + reason);
duration = 20 * 1000L;
}
try {
Thread.sleep(duration);
} catch (InterruptedException e) {
Thread.currentThread().interrupt();
}
}当重启原因是REBOOT_RECOVERY是,居然不是直接重启,而是启动了pre-recovery这个服务。 好吧,还要继续追踪,这个pre-recovery是啥东西?
在init.rc里有定义:
service pre-recovery /system/bin/uncrypt
class main
disabled
oneshot
继续找 uncrypt,路漫漫啊。
uncrypt在这里 “bootable/recovery/uncrypt/”, 看到Recovery了吧,开心了吧,快到头了。
int main(int argc, char** argv)
{
const char* input_path;
const char* map_file;
int do_reboot = 1;
if (argc != 1 && argc != 3) {
fprintf(stderr, "usage: %s [<transform_path> <map_file>]\n", argv[0]);
return 2;
}
if (argc == 3) {
// when command-line args are given this binary is being used
// for debugging; don't reboot to recovery at the end.
input_path = argv[1];
map_file = argv[2];
do_reboot = 0;
} else {
input_path = parse_recovery_command_file();
if (input_path == NULL) {
// if we're rebooting to recovery without a package (say,
// to wipe data), then we don't need to do anything before
// going to recovery.
ALOGI("no recovery command file or no update package arg");
reboot_to_recovery();
return 1;
}
map_file = CACHE_BLOCK_MAP;
}
ALOGI("update package is %s", input_path);
// Turn the name of the file we're supposed to convert into an
// absolute path, so we can find what filesystem it's on.
char path[PATH_MAX+1];
if (realpath(input_path, path) == NULL) {
ALOGE("failed to convert %s to absolute path: %s", input_path, strerror(errno));
return 1;
}
int encryptable;
int encrypted;
if (read_fstab() == NULL) {
return 1;
}
const char* blk_dev = find_block_device(path, &encryptable, &encrypted);
if (blk_dev == NULL) {
ALOGE("failed to find block device for %s", path);
return 1;
}
// If the filesystem it's on isn't encrypted, we only produce the
// block map, we don't rewrite the file contents (it would be
// pointless to do so).
ALOGI("encryptable: %s\n", encryptable ? "yes" : "no");
ALOGI(" encrypted: %s\n", encrypted ? "yes" : "no");
// Recovery supports installing packages from 3 paths: /cache,
// /data, and /sdcard. (On a particular device, other locations
// may work, but those are three we actually expect.)
//
// On /data we want to convert the file to a block map so that we
// can read the package without mounting the partition. On /cache
// and /sdcard we leave the file alone.
if (strncmp(path, "/data/", 6) != 0) {
// path does not start with "/data/"; leave it alone.
unlink(RECOVERY_COMMAND_FILE_TMP);
} else {
ALOGI("writing block map %s", map_file);
if (produce_block_map(path, map_file, blk_dev, encrypted) != 0) {
return 1;
}
}
wipe_misc();
rename(RECOVERY_COMMAND_FILE_TMP, RECOVERY_COMMAND_FILE);
if (do_reboot) reboot_to_recovery();
return 0;
}看看uncrypt干吗了:
1.) 看下是不是有额外参数,如果有,就以为是debug模式。。嗯,这个不管它。只看正常模式
2.) 调用 parse_recovery_command_file(), 就是读一下/cache/recovery/command了是的update-package。 这个是RecoverySystem.java写入的
3.) 读不到update-package,重启到recovery,如果是Factory Data Reset触发的wipe-data就走到这里。
4.) 看看系统是不是加密的,我是感觉原生代码上这里少了块逻辑,如果系统没有加密,真接重启进recovery就是了,为什么还要继续转换?
5.) 看看 update-pacakge是不是以"/data"开始的。如果是的话,就调用produce_block_map
6.) 删除中间文件,然后重启。
至于 produce_block_map干什么了,也是一目了然的。
1.) 生成了一个block map,把/cache/recovery/command中的update_package的值改成 @/cache/recovery/block.map
2.) 如果系统是加密的,就解密,嗯,uncrypt.c 注释里写的很详细,我就不瞎扯了(其实是我也没细看这逻辑)
// If the filesystem is using an encrypted block device, it will also
// read the file and rewrite it to the same blocks of the underlying
// (unencrypted) block device, so the file contents can be read
// without the need for the decryption key.不过,看这注释讲,如果加密了,这个文件等升级完系统重启后,己经是被废掉了。
先说到这吧。其实还有块,Recovery下面是怎么能识别 @/cache/recovery/block.map这样的update_package的。
必须提一下有个作死的BUG。
当uncrypt的selinux权限不够读原升级包文件时,会出错并退出,退出就退出吧,偏偏不重启进Recovery,此时会造成用户点系统升级后,能看到关机动画,然后就是黑屏卡住不动了。当升级包是内置sd卡时,无论是不是加密, 几乎是必出现的。
此时,会有selinux 的 denied的log.
04-14 09:32:50.094W/uncrypt ( 5524): type=1400 audit(0.0:25): avc: denied { getattr } forpath="/data/media" dev="mmcblk0p31" ino=567841scontext=u:r:uncrypt:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dirpermissive=0
要怪就怪原生uncrypt没有media_rw的权限吧! (莫非google的OTA不用内卡?) 解决方法也很简单,在uncrypt.te中加所需权
allow uncrypt media_rw_data_file:dir r_dir_perms;
allow uncrypt media_rw_data_file:file r_file_perms;
