1//
2// Copyright (C) 2010 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8//      http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
16
17// Update file format: An update file contains all the operations needed
18// to update a system to a specific version. It can be a full payload which
19// can update from any version, or a delta payload which can only update
20// from a specific version.
21// The update format is represented by this struct pseudocode:
22// struct delta_update_file {
23//   char magic[4] = "CrAU";
24//   uint64 file_format_version;  // payload major version
25//   uint64 manifest_size;  // Size of protobuf DeltaArchiveManifest
26//
27//   // Only present if format_version >= 2:
28//   uint32 metadata_signature_size;
29//
30//   // The DeltaArchiveManifest protobuf serialized, not compressed.
31//   char manifest[manifest_size];
32//
33//   // The signature of the metadata (from the beginning of the payload up to
34//   // this location, not including the signature itself). This is a serialized
35//   // Signatures message.
36//   char metadata_signature_message[metadata_signature_size];
37//
38//   // Data blobs for files, no specific format. The specific offset
39//   // and length of each data blob is recorded in the DeltaArchiveManifest.
40//   struct {
41//     char data[];
42//   } blobs[];
43//
44//   // The signature of the entire payload, everything up to this location,
45//   // except that metadata_signature_message is skipped to simplify signing
46//   // process. These two are not signed:
47//   uint64 payload_signatures_message_size;
48//   // This is a serialized Signatures message.
49//   char payload_signatures_message[payload_signatures_message_size];
50//
51// };
52
53// The DeltaArchiveManifest protobuf is an ordered list of InstallOperation
54// objects. These objects are stored in a linear array in the
55// DeltaArchiveManifest. Each operation is applied in order by the client.
56
57// The DeltaArchiveManifest also contains the initial and final
58// checksums for the device.
59
60// The client will perform each InstallOperation in order, beginning even
61// before the entire delta file is downloaded (but after at least the
62// protobuf is downloaded). The types of operations are explained:
63// - REPLACE: Replace the dst_extents on the drive with the attached data,
64//   zero padding out to block size.
65// - REPLACE_BZ: bzip2-uncompress the attached data and write it into
66//   dst_extents on the drive, zero padding to block size.
67// - MOVE: Copy the data in src_extents to dst_extents. Extents may overlap,
68//   so it may be desirable to read all src_extents data into memory before
69//   writing it out. (deprecated)
70// - SOURCE_COPY: Copy the data in src_extents in the old partition to
71//   dst_extents in the new partition. There's no overlapping of data because
72//   the extents are in different partitions.
73// - BSDIFF: Read src_length bytes from src_extents into memory, perform
74//   bspatch with attached data, write new data to dst_extents, zero padding
75//   to block size. (deprecated)
76// - SOURCE_BSDIFF: Read the data in src_extents in the old partition, perform
77//   bspatch with the attached data and write the new data to dst_extents in the
78//   new partition.
79// - ZERO: Write zeros to the destination dst_extents.
80// - DISCARD: Discard the destination dst_extents blocks on the physical medium.
81//   the data read from those blocks is undefined.
82// - REPLACE_XZ: Replace the dst_extents with the contents of the attached
83//   xz file after decompression. The xz file should only use crc32 or no crc at
84//   all to be compatible with xz-embedded.
85// - PUFFDIFF: Read the data in src_extents in the old partition, perform
86//   puffpatch with the attached data and write the new data to dst_extents in
87//   the new partition.
88//
89// The operations allowed in the payload (supported by the client) depend on the
90// major and minor version. See InstallOperation.Type below for details.
91
92syntax = "proto2";
93
94package chromeos_update_engine;
95
96// Data is packed into blocks on disk, always starting from the beginning
97// of the block. If a file's data is too large for one block, it overflows
98// into another block, which may or may not be the following block on the
99// physical partition. An ordered list of extents is another
100// representation of an ordered list of blocks. For example, a file stored
101// in blocks 9, 10, 11, 2, 18, 12 (in that order) would be stored in
102// extents { {9, 3}, {2, 1}, {18, 1}, {12, 1} } (in that order).
103// In general, files are stored sequentially on disk, so it's more efficient
104// to use extents to encode the block lists (this is effectively
105// run-length encoding).
106// A sentinel value (kuint64max) as the start block denotes a sparse-hole
107// in a file whose block-length is specified by num_blocks.
108
109message Extent {
110  optional uint64 start_block = 1;
111  optional uint64 num_blocks = 2;
112}
113
114// Signatures: Updates may be signed by the OS vendor. The client verifies
115// an update's signature by hashing the entire download. The section of the
116// download that contains the signature is at the end of the file, so when
117// signing a file, only the part up to the signature part is signed.
118// Then, the client looks inside the download's Signatures message for a
119// Signature message that it knows how to handle. Generally, a client will
120// only know how to handle one type of signature, but an update may contain
121// many signatures to support many different types of client. Then client
122// selects a Signature message and uses that, along with a known public key,
123// to verify the download. The public key is expected to be part of the
124// client.
125
126message Signatures {
127  message Signature {
128    optional uint32 version = 1 [deprecated = true];
129    optional bytes data = 2;
130
131    // The DER encoded signature size of EC keys is nondeterministic for
132    // different input of sha256 hash. However, we need the size of the
133    // serialized signatures protobuf string to be fixed before signing;
134    // because this size is part of the content to be signed. Therefore, we
135    // always pad the signature data to the maximum possible signature size of
136    // a given key. And the payload verifier will truncate the signature to
137    // its correct size based on the value of |unpadded_signature_size|.
138    optional fixed32 unpadded_signature_size = 3;
139  }
140  repeated Signature signatures = 1;
141}
142
143message PartitionInfo {
144  optional uint64 size = 1;
145  optional bytes hash = 2;
146}
147
148message InstallOperation {
149  enum Type {
150    REPLACE = 0;     // Replace destination extents w/ attached data.
151    REPLACE_BZ = 1;  // Replace destination extents w/ attached bzipped data.
152    MOVE = 2 [deprecated = true];    // Move source extents to target extents.
153    BSDIFF = 3 [deprecated = true];  // The data is a bsdiff binary diff.
154
155    // On minor version 2 or newer, these operations are supported:
156    SOURCE_COPY = 4;    // Copy from source to target partition
157    SOURCE_BSDIFF = 5;  // Like BSDIFF, but read from source partition
158
159    // On minor version 3 or newer and on major version 2 or newer, these
160    // operations are supported:
161    REPLACE_XZ = 8;  // Replace destination extents w/ attached xz data.
162
163    // On minor version 4 or newer, these operations are supported:
164    ZERO = 6;     // Write zeros in the destination.
165    DISCARD = 7;  // Discard the destination blocks, reading as undefined.
166    BROTLI_BSDIFF = 10;  // Like SOURCE_BSDIFF, but compressed with brotli.
167
168    // On minor version 5 or newer, these operations are supported:
169    PUFFDIFF = 9;  // The data is in puffdiff format.
170
171    // On minor version 8 or newer, these operations are supported:
172    ZUCCHINI = 11;
173
174    // On minor version 9 or newer, these operations are supported:
175    LZ4DIFF_BSDIFF = 12;
176    LZ4DIFF_PUFFDIFF = 13;
177  }
178  required Type type = 1;
179
180  // Only minor version 6 or newer support 64 bits |data_offset| and
181  // |data_length|, older client will read them as uint32.
182  // The offset into the delta file (after the protobuf)
183  // where the data (if any) is stored
184  optional uint64 data_offset = 2;
185  // The length of the data in the delta file
186  optional uint64 data_length = 3;
187
188  // Ordered list of extents that are read from (if any) and written to.
189  repeated Extent src_extents = 4;
190  // Byte length of src, equal to the number of blocks in src_extents *
191  // block_size. It is used for BSDIFF and SOURCE_BSDIFF, because we need to
192  // pass that external program the number of bytes to read from the blocks we
193  // pass it.  This is not used in any other operation.
194  optional uint64 src_length = 5;
195
196  repeated Extent dst_extents = 6;
197  // Byte length of dst, equal to the number of blocks in dst_extents *
198  // block_size. Used for BSDIFF and SOURCE_BSDIFF, but not in any other
199  // operation.
200  optional uint64 dst_length = 7;
201
202  // Optional SHA 256 hash of the blob associated with this operation.
203  // This is used as a primary validation for http-based downloads and
204  // as a defense-in-depth validation for https-based downloads. If
205  // the operation doesn't refer to any blob, this field will have
206  // zero bytes.
207  optional bytes data_sha256_hash = 8;
208
209  // Indicates the SHA 256 hash of the source data referenced in src_extents at
210  // the time of applying the operation. If present, the update_engine daemon
211  // MUST read and verify the source data before applying the operation.
212  optional bytes src_sha256_hash = 9;
213}
214
215// Hints to VAB snapshot to skip writing some blocks if these blocks are
216// identical to the ones on the source image. The src & dst extents for each
217// CowMergeOperation should be contiguous, and they're a subset of an OTA
218// InstallOperation.
219// During merge time, we need to follow the pre-computed sequence to avoid
220// read after write, similar to the inplace update schema.
221message CowMergeOperation {
222  enum Type {
223    COW_COPY = 0;     // identical blocks
224    COW_XOR = 1;      // used when src/dst blocks are highly similar
225    COW_REPLACE = 2;  // Raw replace operation
226  }
227  optional Type type = 1;
228
229  optional Extent src_extent = 2;
230  optional Extent dst_extent = 3;
231  // For COW_XOR, source location might be unaligned, so this field is in range
232  // [0, block_size), representing how much should the src_extent shift toward
233  // larger block number. If this field is non-zero, then src_extent will
234  // include 1 extra block in the end, as the merge op actually references the
235  // first |src_offset| bytes of that extra block. For example, if |dst_extent|
236  // is [10, 15], |src_offset| is 500, then src_extent might look like [25, 31].
237  // Note that |src_extent| contains 1 extra block than the |dst_extent|.
238  optional uint32 src_offset = 4;
239}
240
241// Describes the update to apply to a single partition.
242message PartitionUpdate {
243  // A platform-specific name to identify the partition set being updated. For
244  // example, in Chrome OS this could be "ROOT" or "KERNEL".
245  required string partition_name = 1;
246
247  // Whether this partition carries a filesystem with post-install program that
248  // must be run to finalize the update process. See also |postinstall_path| and
249  // |filesystem_type|.
250  optional bool run_postinstall = 2;
251
252  // The path of the executable program to run during the post-install step,
253  // relative to the root of this filesystem. If not set, the default "postinst"
254  // will be used. This setting is only used when |run_postinstall| is set and
255  // true.
256  optional string postinstall_path = 3;
257
258  // The filesystem type as passed to the mount(2) syscall when mounting the new
259  // filesystem to run the post-install program. If not set, a fixed list of
260  // filesystems will be attempted. This setting is only used if
261  // |run_postinstall| is set and true.
262  optional string filesystem_type = 4;
263
264  // If present, a list of signatures of the new_partition_info.hash signed with
265  // different keys. If the update_engine daemon requires vendor-signed images
266  // and has its public key installed, one of the signatures should be valid
267  // for /postinstall to run.
268  repeated Signatures.Signature new_partition_signature = 5;
269
270  optional PartitionInfo old_partition_info = 6;
271  optional PartitionInfo new_partition_info = 7;
272
273  // The list of operations to be performed to apply this PartitionUpdate. The
274  // associated operation blobs (in operations[i].data_offset, data_length)
275  // should be stored contiguously and in the same order.
276  repeated InstallOperation operations = 8;
277
278  // Whether a failure in the postinstall step for this partition should be
279  // ignored.
280  optional bool postinstall_optional = 9;
281
282  // On minor version 6 or newer, these fields are supported:
283
284  // The extent for data covered by verity hash tree.
285  optional Extent hash_tree_data_extent = 10;
286
287  // The extent to store verity hash tree.
288  optional Extent hash_tree_extent = 11;
289
290  // The hash algorithm used in verity hash tree.
291  optional string hash_tree_algorithm = 12;
292
293  // The salt used for verity hash tree.
294  optional bytes hash_tree_salt = 13;
295
296  // The extent for data covered by FEC.
297  optional Extent fec_data_extent = 14;
298
299  // The extent to store FEC.
300  optional Extent fec_extent = 15;
301
302  // The number of FEC roots.
303  optional uint32 fec_roots = 16 [default = 2];
304
305  // Per-partition version used for downgrade detection, added
306  // as an effort to support partial updates. For most partitions,
307  // this is the build timestamp.
308  optional string version = 17;
309
310  // A sorted list of CowMergeOperation. When writing cow, we can choose to
311  // skip writing the raw bytes for these extents. During snapshot merge, the
312  // bytes will read from the source partitions instead.
313  repeated CowMergeOperation merge_operations = 18;
314
315  // Estimated size for COW image. This is used by libsnapshot
316  // as a hint. If set to 0, libsnapshot should use alternative
317  // methods for estimating size.
318  optional uint64 estimate_cow_size = 19;
319
320  // Information about the cow used by Cow Writer to specify
321  // number of cow operations to be written
322  optional uint64 estimate_op_count_max = 20;
323}
324
325message DynamicPartitionGroup {
326  // Name of the group.
327  required string name = 1;
328
329  // Maximum size of the group. The sum of sizes of all partitions in the group
330  // must not exceed the maximum size of the group.
331  optional uint64 size = 2;
332
333  // A list of partitions that belong to the group.
334  repeated string partition_names = 3;
335}
336
337message VABCFeatureSet {
338  optional bool threaded = 1;
339  optional bool batch_writes = 2;
340}
341
342// Metadata related to all dynamic partitions.
343message DynamicPartitionMetadata {
344  // All updatable groups present in |partitions| of this DeltaArchiveManifest.
345  // - If an updatable group is on the device but not in the manifest, it is
346  //   not updated. Hence, the group will not be resized, and partitions cannot
347  //   be added to or removed from the group.
348  // - If an updatable group is in the manifest but not on the device, the group
349  //   is added to the device.
350  repeated DynamicPartitionGroup groups = 1;
351
352  // Whether dynamic partitions have snapshots during the update. If this is
353  // set to true, the update_engine daemon creates snapshots for all dynamic
354  // partitions if possible. If this is unset, the update_engine daemon MUST
355  // NOT create snapshots for dynamic partitions.
356  optional bool snapshot_enabled = 2;
357
358  // If this is set to false, update_engine should not use VABC regardless. If
359  // this is set to true, update_engine may choose to use VABC if device
360  // supports it, but not guaranteed.
361  // VABC stands for Virtual AB Compression
362  optional bool vabc_enabled = 3;
363
364  // The compression algorithm used by VABC. Available ones are "gz", "brotli".
365  // See system/core/fs_mgr/libsnapshot/cow_writer.cpp for available options,
366  // as this parameter is ultimated forwarded to libsnapshot's CowWriter
367  optional string vabc_compression_param = 4;
368
369  // COW version used by VABC. The represents the major version in the COW
370  // header
371  optional uint32 cow_version = 5;
372
373  // A collection of knobs to tune Virtual AB Compression
374  optional VABCFeatureSet vabc_feature_set = 6;
375
376  // Max bytes to be compressed at once during ota. Options: 4k, 8k, 16k, 32k,
377  // 64k, 128k
378  optional uint64 compression_factor = 7;
379}
380
381// Definition has been duplicated from
382// $ANDROID_BUILD_TOP/build/tools/releasetools/ota_metadata.proto. Keep in sync.
383message ApexInfo {
384  optional string package_name = 1;
385  optional int64 version = 2;
386  optional bool is_compressed = 3;
387  optional int64 decompressed_size = 4;
388}
389
390// Definition has been duplicated from
391// $ANDROID_BUILD_TOP/build/tools/releasetools/ota_metadata.proto. Keep in sync.
392message ApexMetadata {
393  repeated ApexInfo apex_info = 1;
394}
395
396message DeltaArchiveManifest {
397  // Only present in major version = 1. List of install operations for the
398  // kernel and rootfs partitions. For major version = 2 see the |partitions|
399  // field.
400  reserved 1, 2;
401
402  // (At time of writing) usually 4096
403  optional uint32 block_size = 3 [default = 4096];
404
405  // If signatures are present, the offset into the blobs, generally
406  // tacked onto the end of the file, and the length. We use an offset
407  // rather than a bool to allow for more flexibility in future file formats.
408  // If either is absent, it means signatures aren't supported in this
409  // file.
410  optional uint64 signatures_offset = 4;
411  optional uint64 signatures_size = 5;
412
413  // Fields deprecated in major version 2.
414  reserved 6,7,8,9,10,11;
415
416  // The minor version, also referred as "delta version", of the payload.
417  // Minor version 0 is full payload, everything else is delta payload.
418  optional uint32 minor_version = 12 [default = 0];
419
420  // Only present in major version >= 2. List of partitions that will be
421  // updated, in the order they will be updated. This field replaces the
422  // |install_operations|, |kernel_install_operations| and the
423  // |{old,new}_{kernel,rootfs}_info| fields used in major version = 1. This
424  // array can have more than two partitions if needed, and they are identified
425  // by the partition name.
426  repeated PartitionUpdate partitions = 13;
427
428  // The maximum timestamp of the OS allowed to apply this payload.
429  // Can be used to prevent downgrading the OS.
430  optional int64 max_timestamp = 14;
431
432  // Metadata related to all dynamic partitions.
433  optional DynamicPartitionMetadata dynamic_partition_metadata = 15;
434
435  // If the payload only updates a subset of partitions on the device.
436  optional bool partial_update = 16;
437
438  // Information on compressed APEX to figure out how much space is required for
439  // their decompression
440  repeated ApexInfo apex_info = 17;
441
442  // Security patch level of the device, usually in the format of
443  // yyyy-mm-dd
444  optional string security_patch_level = 18;
445}
446