Add support for update-on-boot feature.

Add a separate system service RecoverySystemService to handle recovery
related requests (calling uncrypt to de-encrypt the OTA package on the
/data partition, setting up bootloader control block (aka BCB) and etc).

We used to trigger uncrypt in ShutdownThread before rebooting into
recovery. Now we expose new SystemApi (RecoverySystem.processPackage())
to allow the caller (e.g. GmsCore) to call that upfront before
initiating a reboot. This will reduce the reboot time and get rid of the
progress bar ("processing update package"). However, we need to reserve
the functionality in ShutdownThread to optionally call uncrypt if
finding that's still needed.

In order to support the update-on-boot feature, we also add new
SystemApis scheduleUpdateOnBoot() and cancelScheduledUpdate() into
android.os.RecoverySystem. They allow the caller (e.g. GmsCore) to
schedule / cancel an update by setting up the BCB, which will be read by
the bootloader and the recovery image. With the new SystemApis, an
update package can be processed (uncrypt'd) in the background and
scheduled to be installed at the next boot.

Bug: 26830925
Change-Id: Ic606fcf5b31c54ce54f0ab12c1768fef0fa64560

1 files changed, 288 insertions, 45 deletions

diff --git a/core/java/android/os/RecoverySystem.java b/core/java/android/os/RecoverySystem.java
index 154c9bbab312..ddcd63520549 100644
--- a/core/java/android/os/RecoverySystem.java
+++ b/core/java/android/os/RecoverySystem.java
@@ -16,6 +16,7 @@
 
 package android.os;
 
+import android.annotation.SystemApi;
 import android.content.BroadcastReceiver;
 import android.content.Context;
 import android.content.Intent;
@@ -66,15 +67,34 @@ public class RecoverySystem {
     private static final long PUBLISH_PROGRESS_INTERVAL_MS = 500;
 
     /** Used to communicate with recovery.  See bootable/recovery/recovery.cpp. */
-    private static File RECOVERY_DIR = new File("/cache/recovery");
-    private static File BLOCK_MAP_FILE = new File(RECOVERY_DIR, "block.map");
-    private static File COMMAND_FILE = new File(RECOVERY_DIR, "command");
-    private static File UNCRYPT_FILE = new File(RECOVERY_DIR, "uncrypt_file");
-    private static File LOG_FILE = new File(RECOVERY_DIR, "log");
-    private static String LAST_PREFIX = "last_";
+    private static final File RECOVERY_DIR = new File("/cache/recovery");
+    private static final File LOG_FILE = new File(RECOVERY_DIR, "log");
+    private static final String LAST_PREFIX = "last_";
+
+    /**
+     * The recovery image uses this file to identify the location (i.e. blocks)
+     * of an OTA package on the /data partition. The block map file is
+     * generated by uncrypt.
+     *
+     * @hide
+     */
+    public static final File BLOCK_MAP_FILE = new File(RECOVERY_DIR, "block.map");
+
+    /**
+     * UNCRYPT_PACKAGE_FILE stores the filename to be uncrypt'd, which will be
+     * read by uncrypt.
+     *
+     * @hide
+     */
+    public static final File UNCRYPT_PACKAGE_FILE = new File(RECOVERY_DIR, "uncrypt_file");
 
     // Length limits for reading files.
-    private static int LOG_FILE_MAX_LENGTH = 64 * 1024;
+    private static final int LOG_FILE_MAX_LENGTH = 64 * 1024;
+
+    // Prevent concurrent execution of requests.
+    private static final Object sRequestLock = new Object();
+
+    private final IRecoverySystem mService;
 
     /**
      * Interface definition for a callback to be invoked regularly as
@@ -287,6 +307,89 @@ public class RecoverySystem {
     }
 
     /**
+     * Process a given package with uncrypt. No-op if the package is not on the
+     * /data partition.
+     *
+     * @param Context      the Context to use
+     * @param packageFile  the package to be processed
+     * @param listener     an object to receive periodic progress updates as
+     *                     processing proceeds.  May be null.
+     * @param handler      the Handler upon which the callbacks will be
+     *                     executed.
+     *
+     * @throws IOException if there were any errors processing the package file.
+     *
+     * @hide
+     */
+    @SystemApi
+    public static void processPackage(Context context,
+                                      File packageFile,
+                                      final ProgressListener listener,
+                                      final Handler handler)
+            throws IOException {
+        String filename = packageFile.getCanonicalPath();
+        if (!filename.startsWith("/data/")) {
+            return;
+        }
+
+        RecoverySystem rs = (RecoverySystem) context.getSystemService(Context.RECOVERY_SERVICE);
+        IRecoverySystemProgressListener progressListener = null;
+        if (listener != null) {
+            final Handler progressHandler;
+            if (handler != null) {
+                progressHandler = handler;
+            } else {
+                progressHandler = new Handler(context.getMainLooper());
+            }
+            progressListener = new IRecoverySystemProgressListener.Stub() {
+                int lastProgress = 0;
+                long lastPublishTime = System.currentTimeMillis();
+
+                @Override
+                public void onProgress(final int progress) {
+                    final long now = System.currentTimeMillis();
+                    progressHandler.post(new Runnable() {
+                        @Override
+                        public void run() {
+                            if (progress > lastProgress &&
+                                    now - lastPublishTime > PUBLISH_PROGRESS_INTERVAL_MS) {
+                                lastProgress = progress;
+                                lastPublishTime = now;
+                                listener.onProgress(progress);
+                            }
+                        }
+                    });
+                }
+            };
+        }
+
+        if (!rs.uncrypt(filename, progressListener)) {
+            throw new IOException("process package failed");
+        }
+    }
+
+    /**
+     * Process a given package with uncrypt. No-op if the package is not on the
+     * /data partition.
+     *
+     * @param Context      the Context to use
+     * @param packageFile  the package to be processed
+     * @param listener     an object to receive periodic progress updates as
+     *                     processing proceeds.  May be null.
+     *
+     * @throws IOException if there were any errors processing the package file.
+     *
+     * @hide
+     */
+    @SystemApi
+    public static void processPackage(Context context,
+                                      File packageFile,
+                                      final ProgressListener listener)
+            throws IOException {
+        processPackage(context, packageFile, listener, null);
+    }
+
+    /**
      * Reboots the device in order to install the given update
      * package.
      * Requires the {@link android.Manifest.permission#REBOOT} permission.
@@ -301,30 +404,127 @@ public class RecoverySystem {
      * fails, or if the reboot itself fails.
      */
     public static void installPackage(Context context, File packageFile)
-        throws IOException {
-        String filename = packageFile.getCanonicalPath();
+            throws IOException {
+        installPackage(context, packageFile, false);
+    }
 
-        FileWriter uncryptFile = new FileWriter(UNCRYPT_FILE);
-        try {
-            uncryptFile.write(filename + "\n");
-        } finally {
-            uncryptFile.close();
-        }
-        // UNCRYPT_FILE needs to be readable by system server on bootup.
-        if (!UNCRYPT_FILE.setReadable(true, false)) {
-            Log.e(TAG, "Error setting readable for " + UNCRYPT_FILE.getCanonicalPath());
+    /**
+     * If the package hasn't been processed (i.e. uncrypt'd), set up
+     * UNCRYPT_PACKAGE_FILE and delete BLOCK_MAP_FILE to trigger uncrypt during the
+     * reboot.
+     *
+     * @param context      the Context to use
+     * @param packageFile  the update package to install.  Must be on a
+     * partition mountable by recovery.
+     * @param processed    if the package has been processed (uncrypt'd).
+     *
+     * @throws IOException if writing the recovery command file fails, or if
+     * the reboot itself fails.
+     *
+     * @hide
+     */
+    @SystemApi
+    public static void installPackage(Context context, File packageFile, boolean processed)
+            throws IOException {
+        synchronized (sRequestLock) {
+            LOG_FILE.delete();
+            // Must delete the file in case it was created by system server.
+            UNCRYPT_PACKAGE_FILE.delete();
+
+            String filename = packageFile.getCanonicalPath();
+            Log.w(TAG, "!!! REBOOTING TO INSTALL " + filename + " !!!");
+
+            if (!processed && filename.startsWith("/data/")) {
+                FileWriter uncryptFile = new FileWriter(UNCRYPT_PACKAGE_FILE);
+                try {
+                    uncryptFile.write(filename + "\n");
+                } finally {
+                    uncryptFile.close();
+                }
+                // UNCRYPT_PACKAGE_FILE needs to be readable and writable by system server.
+                if (!UNCRYPT_PACKAGE_FILE.setReadable(true, false)
+                        || !UNCRYPT_PACKAGE_FILE.setWritable(true, false)) {
+                    Log.e(TAG, "Error setting permission for " + UNCRYPT_PACKAGE_FILE);
+                }
+
+                BLOCK_MAP_FILE.delete();
+            }
+
+            // If the package is on the /data partition, use the block map file as
+            // the package name instead.
+            if (filename.startsWith("/data/")) {
+                filename = "@/cache/recovery/block.map";
+            }
+
+            final String filenameArg = "--update_package=" + filename + "\n";
+            final String localeArg = "--locale=" + Locale.getDefault().toString() + "\n";
+            final String command = filenameArg + localeArg;
+
+            RecoverySystem rs = (RecoverySystem) context.getSystemService(
+                    Context.RECOVERY_SERVICE);
+            if (!rs.setupBcb(command)) {
+                throw new IOException("Setup BCB failed");
+            }
+
+            // Having set up the BCB (bootloader control block), go ahead and reboot
+            PowerManager pm = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
+            pm.reboot(PowerManager.REBOOT_RECOVERY_UPDATE);
+
+            throw new IOException("Reboot failed (no permissions?)");
         }
-        Log.w(TAG, "!!! REBOOTING TO INSTALL " + filename + " !!!");
+    }
 
-        // If the package is on the /data partition, write the block map file
-        // into COMMAND_FILE instead.
+    /**
+     * Schedule to install the given package on next boot. The caller needs to
+     * ensure that the package must have been processed (uncrypt'd) if needed.
+     * It sets up the command in BCB (bootloader control block), which will
+     * be read by the bootloader and the recovery image.
+     *
+     * @param Context      the Context to use.
+     * @param packageFile  the package to be installed.
+     *
+     * @throws IOException if there were any errors setting up the BCB.
+     *
+     * @hide
+     */
+    @SystemApi
+    public static void scheduleUpdateOnBoot(Context context, File packageFile)
+            throws IOException {
+        String filename = packageFile.getCanonicalPath();
+
+        // If the package is on the /data partition, use the block map file as
+        // the package name instead.
         if (filename.startsWith("/data/")) {
             filename = "@/cache/recovery/block.map";
         }
 
-        final String filenameArg = "--update_package=" + filename;
-        final String localeArg = "--locale=" + Locale.getDefault().toString();
-        bootCommand(context, filenameArg, localeArg);
+        final String filenameArg = "--update_package=" + filename + "\n";
+        final String localeArg = "--locale=" + Locale.getDefault().toString() + "\n";
+        final String command = filenameArg + localeArg;
+
+        RecoverySystem rs = (RecoverySystem) context.getSystemService(Context.RECOVERY_SERVICE);
+        if (!rs.setupBcb(command)) {
+            throw new IOException("schedule update on boot failed");
+        }
+    }
+
+    /**
+     * Cancel any scheduled update by clearing up the BCB (bootloader control
+     * block).
+     *
+     * @param Context      the Context to use.
+     *
+     * @throws IOException if there were any errors clearing up the BCB.
+     *
+     * @hide
+     */
+    @SystemApi
+    public static void cancelScheduledUpdate(Context context)
+            throws IOException {
+        RecoverySystem rs = (RecoverySystem) context.getSystemService(Context.RECOVERY_SERVICE);
+        if (!rs.clearBcb()) {
+            throw new IOException("cancel scheduled update failed");
+        }
     }
 
     /**
@@ -434,27 +634,28 @@ public class RecoverySystem {
      * @throws IOException if something goes wrong.
      */
     private static void bootCommand(Context context, String... args) throws IOException {
-        RECOVERY_DIR.mkdirs();  // In case we need it
-        COMMAND_FILE.delete();  // In case it's not writable
-        LOG_FILE.delete();
+        synchronized (sRequestLock) {
+            LOG_FILE.delete();
 
-        FileWriter command = new FileWriter(COMMAND_FILE);
-        try {
+            StringBuilder command = new StringBuilder();
             for (String arg : args) {
                 if (!TextUtils.isEmpty(arg)) {
-                    command.write(arg);
-                    command.write("\n");
+                    command.append(arg);
+                    command.append("\n");
                 }
             }
-        } finally {
-            command.close();
-        }
 
-        // Having written the command file, go ahead and reboot
-        PowerManager pm = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
-        pm.reboot(PowerManager.REBOOT_RECOVERY);
+            // Write the command into BCB (bootloader control block).
+            RecoverySystem rs = (RecoverySystem) context.getSystemService(
+                    Context.RECOVERY_SERVICE);
+            rs.setupBcb(command.toString());
 
-        throw new IOException("Reboot failed (no permissions?)");
+            // Having set up the BCB, go ahead and reboot.
+            PowerManager pm = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
+            pm.reboot(PowerManager.REBOOT_RECOVERY);
+
+            throw new IOException("Reboot failed (no permissions?)");
+        }
     }
 
     /**
@@ -476,10 +677,10 @@ public class RecoverySystem {
 
         // Only remove the OTA package if it's partially processed (uncrypt'd).
         boolean reservePackage = BLOCK_MAP_FILE.exists();
-        if (!reservePackage && UNCRYPT_FILE.exists()) {
+        if (!reservePackage && UNCRYPT_PACKAGE_FILE.exists()) {
             String filename = null;
             try {
-                filename = FileUtils.readTextFile(UNCRYPT_FILE, 0, null);
+                filename = FileUtils.readTextFile(UNCRYPT_PACKAGE_FILE, 0, null);
             } catch (IOException e) {
                 Log.e(TAG, "Error reading uncrypt file", e);
             }
@@ -487,7 +688,7 @@ public class RecoverySystem {
             // Remove the OTA package on /data that has been (possibly
             // partially) processed. (Bug: 24973532)
             if (filename != null && filename.startsWith("/data")) {
-                if (UNCRYPT_FILE.delete()) {
+                if (UNCRYPT_PACKAGE_FILE.delete()) {
                     Log.i(TAG, "Deleted: " + filename);
                 } else {
                     Log.e(TAG, "Can't delete: " + filename);
@@ -499,13 +700,13 @@ public class RecoverySystem {
         // the block map file (BLOCK_MAP_FILE) for a package. BLOCK_MAP_FILE
         // will be created at the end of a successful uncrypt. If seeing this
         // file, we keep the block map file and the file that contains the
-        // package name (UNCRYPT_FILE). This is to reduce the work for GmsCore
-        // to avoid re-downloading everything again.
+        // package name (UNCRYPT_PACKAGE_FILE). This is to reduce the work for
+        // GmsCore to avoid re-downloading everything again.
         String[] names = RECOVERY_DIR.list();
         for (int i = 0; names != null && i < names.length; i++) {
             if (names[i].startsWith(LAST_PREFIX)) continue;
             if (reservePackage && names[i].equals(BLOCK_MAP_FILE.getName())) continue;
-            if (reservePackage && names[i].equals(UNCRYPT_FILE.getName())) continue;
+            if (reservePackage && names[i].equals(UNCRYPT_PACKAGE_FILE.getName())) continue;
 
             recursiveDelete(new File(RECOVERY_DIR, names[i]));
         }
@@ -533,6 +734,39 @@ public class RecoverySystem {
     }
 
     /**
+     * Talks to RecoverySystemService via Binder to trigger uncrypt.
+     */
+    private boolean uncrypt(String packageFile, IRecoverySystemProgressListener listener) {
+        try {
+            return mService.uncrypt(packageFile, listener);
+        } catch (RemoteException unused) {
+        }
+        return false;
+    }
+
+    /**
+     * Talks to RecoverySystemService via Binder to set up the BCB.
+     */
+    private boolean setupBcb(String command) {
+        try {
+            return mService.setupBcb(command);
+        } catch (RemoteException unused) {
+        }
+        return false;
+    }
+
+    /**
+     * Talks to RecoverySystemService via Binder to clear up the BCB.
+     */
+    private boolean clearBcb() {
+        try {
+            return mService.clearBcb();
+        } catch (RemoteException unused) {
+        }
+        return false;
+    }
+
+    /**
      * Internally, recovery treats each line of the command file as a separate
      * argv, so we only need to protect against newlines and nulls.
      */
@@ -546,5 +780,14 @@ public class RecoverySystem {
     /**
      * @removed Was previously made visible by accident.
      */
-    public RecoverySystem() { }
+    public RecoverySystem() {
+        mService = null;
+    }
+
+    /**
+     * @hide
+     */
+    public RecoverySystem(IRecoverySystem service) {
+        mService = service;
+    }
 }