Verify wipe package when wiping A/B device in recovery.
To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.
Based on the original cherrypick, this CL also has additional changes to
address the LOG statements and libziparchive changes.
Bug: 29159185
Test: Build and boot into recovery.
Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
(cherry picked from commit 6faf0265c9b58db2c15b53f6d29025629d52f882)
diff --git a/uncrypt/uncrypt.cpp b/uncrypt/uncrypt.cpp
index 8b4d8ef..a5d692b 100644
--- a/uncrypt/uncrypt.cpp
+++ b/uncrypt/uncrypt.cpp
@@ -528,14 +528,31 @@
return false;
}
LOG(INFO) << " received command: [" << content << "] (" << content.size() << ")";
+ std::vector<std::string> options = android::base::Split(content, "\n");
+ std::string wipe_package;
+ for (auto& option : options) {
+ if (android::base::StartsWith(option, "--wipe_package=")) {
+ std::string path = option.substr(strlen("--wipe_package="));
+ if (!android::base::ReadFileToString(path, &wipe_package)) {
+ PLOG(ERROR) << "failed to read " << path;
+ return false;
+ }
+ option = android::base::StringPrintf("--wipe_package_size=%zu", wipe_package.size());
+ }
+ }
// c8. setup the bcb command
std::string err;
- if (!write_bootloader_message({content}, &err)) {
+ if (!write_bootloader_message(options, &err)) {
LOG(ERROR) << "failed to set bootloader message: " << err;
write_status_to_socket(-1, socket);
return false;
}
+ if (!wipe_package.empty() && !write_wipe_package(wipe_package, &err)) {
+ PLOG(ERROR) << "failed to set wipe package: " << err;
+ write_status_to_socket(-1, socket);
+ return false;
+ }
// c10. send "100" status
write_status_to_socket(100, socket);
return true;