Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Previous commit 762c178b introduces an endless loop, preventing AUM to
run correctly on EFI systems.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

../managerd/boot-state-efi.c: In function ‘aum_boot_state_efi_read_dir’:
../managerd/boot-state-efi.c:78:10: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
   78 |   while (conf_file_name_ = g_dir_read_name(dir_name))
      |          ^~~~~~~~~~~~~~~
../managerd/boot-state-efi.c: In function ‘aum_boot_state_efi_conf_file_save’:
../managerd/boot-state-efi.c:126:10: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
  126 |   while (conf_file_name = g_dir_read_name(dir_name))
      |          ^~~~~~~~~~~~~~
../managerd/boot-state-efi.c:145:1: warning: control reaches end of non-void function [-Wreturn-type]
  145 | }
      | ^

/usr/include/glib-2.0/glib/gmacros.h:1049:10: warning: ‘options’ may be used uninitialized in this function [-Wmaybe-uninitialized]
 1049 |     { if (_ptr) (cleanup) ((ParentName *) _ptr); }                                                              \
      |          ^
../managerd/main.c:382:24: note: ‘options’ was declared here
  382 |   g_autoptr (GVariant) options;
      |                        ^~~~~~~

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

AUM crashes when an update is done OTA or using a downloaded bundle, i.e.
not an encrypted bundle on an USB drive and so without a loopback set.

Check presence of a loopback before trying to remove it.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Moses Christopher authored 4 years ago and Frederic Danis committed 3 years ago

The following boot state backend's throw a critical message,
when the respective boot state backend is not selected
  - boot-state-uboot-env
  - boot-state-uboot-ext
  - boot-state-efi

Reduce the log level by using g_message instead of g_critical

Signed-off-by: Moses Christopher <BollavarapuMoses.Christopher@in.bosch.com>

Gireesh Hiremath authored 4 years ago and Frederic Danis committed 3 years ago

If target failed to unlock upgrade bundle file,
required to notice the error.

Signed-off-by: Gireesh Hiremath <Gireesh.Hiremath@in.bosch.com>

Gireesh Hiremath authored 4 years ago and Frederic Danis committed 3 years ago

Avoid mass storage getting busy, even after bundle update.
we have to close the mounted loop device.

Signed-off-by: Gireesh Hiremath <Gireesh.Hiremath@in.bosch.com>

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Gireesh Hiremath authored 4 years ago and Frederic Danis committed 3 years ago

To show update progress to user when it starts decrypting the bundle file

Signed-off-by: Gireesh Hiremath <Gireesh.Hiremath@in.bosch.com>

Gireesh Hiremath authored 4 years ago and Frederic Danis committed 3 years ago

Deploying state for offline upgrade. While updating bundle
file in offline, noticed that SystemUpgradeState follow
state Checking -> Pending then reboot the device.
There is the missing of state deploying and same is added

Signed-off-by: Gireesh Hiremath <Gireesh.Hiremath@in.bosch.com>

Signed-off-by: Walter Lozano <walter.lozano@collabora.com>

Signed-off-by: Walter Lozano <walter.lozano@collabora.com>

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Added optional parameter for changing network updates polling time:
  updatectl --check-network-updates 3600

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Added property `UpdatesPollingTime` for delay between OTA upgrades
attempts in seconds. Default is 300 seconds.
Could be set configuration file as well:
 [Manager]
 UpdatesPollingTime=300

Changing the property is not starting the update itself but reset the
timer to new value if update has been enabled already.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

If the `--dry-run` is used for offline upgrade, the static delta
will pass over all checks but upgrade will not started.

The output from `updatectl` started in monitoring mode will contain:
 AUM-Message: 15:32:30.993: Upgrade status: Available

and the log of AUM:
 Feb 21 15:32:57 apertis apertis-update-[1098]: Static delta is applicable for the system

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Now it is logging the downloading progress correctly instead of keeping
silence about the progress:
 Feb 21 13:01:56 apertis apertis-update-managerd[688]: Receiving metadata objects: 13/(estimating) 1.1 MB/s 2.1 MB
 Feb 21 13:01:57 apertis apertis-update-managerd[688]: Receiving metadata objects: 38/(estimating) 5.8 MB/s 17.3 MB
 Feb 21 13:01:59 apertis apertis-update-managerd[688]: Receiving objects: 29% (128/431) 5.9 MB/s 29.7 MB
 Feb 21 13:02:00 apertis apertis-update-managerd[688]: Receiving objects: 43% (186/431) 6.2 MB/s 37.1 MB
 Feb 21 13:02:01 apertis apertis-update-managerd[688]: Receiving objects: 58% (251/431) 5.7 MB/s 39.6 MB
 Feb 21 13:02:02 apertis apertis-update-managerd[688]: Receiving objects: 66% (286/431) 5.1 MB/s 40.4 MB
 Feb 21 13:02:04 apertis apertis-update-managerd[688]: Receiving objects: 92% (397/431) 4.3 MB/s 42.9 MB
 Feb 21 13:02:04 apertis apertis-update-managerd[688]: libostree pull from 'origin' for apertis/v2022dev1/amd64-uefi/minimal complete
                                                       security: GPG: disabled
                                                       security: SIGN: commit http: TLS
                                                       non-delta: meta: 70 content: 361
                                                       transfer: secs: 11 size: 43.3 MB

Use the `ostree_repo_pull_default_console_progress_changed` from
libostree instead of custom function `_ostree_upgrader_log_progress`,
since we do not need to set the downloading state in this function
anymore.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

If the dry run mode is set then just check is the OTA update is available
and do not try to download and apply the upgrade with:
  updatectl -u --dry-mode

The log from `updatectl` started in monitor mode will have new status:
 AUM-Message: 14:45:27.283: Upgrade status: Available

and the AUM log will contain the new string:
 Feb 21 14:45:27 apertis apertis-update-[888]: Network upgrade is available

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Option `--dry-run` should be used if we do not need to do an upgrade
but want to check if OTA upgrade is available or offline upgrade is
applicable for the current system.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

The dry run mode allows to check the availability and appliance of the
upgrade without the upgrade itself.
Additional state `AUM_OSTREE_UPGRADE_STATE_AVAILABLE` shows if the OTA update
is available and may be applied.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

When AUM crashes with an encrypted update bundle unlocked this will prevent
later update and the deletion of the loop device.
This commit clean-up the loop devices with an encrypted bundle backing
file.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

We need to change origin for the deployment. It is inherited from the
previous deployment in case of offline update.
Need to reset the target refspec to correct version for deployment origin
in while marking the upgrade as successful after upgrade.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

During the major upgrade of the Apertis OS with static delta
we need to use the commit containing current branch name in
metadata. Such commit would be accepted by AUM and libostree,
so the updated OS will be booted with new major version.

Due the nature of offline upgrade the branch name didn't changed
to the new name and AUM should to care about refs update.

In case if the system has been booted well we mark the update as
successful. Additional step has been added for marking the update
as complete -- read branches names from the commit metadata and
set repository to the newest version of Apertis if needed.
After this step the ostree repository will be configured for new
branch (release) usage.

Since all checks are done on the recent Apertis version during the
boot attempt, there is no need to change anything on the old system.

In case if refs could not be updated -- the update wouldn't be marked
as successful and rollback mechanism will boot the OS into previous state.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Function `aum_ostree_upgrader_set_refs()` allow to update the default
branch for remote from the booted commit.

Function checking if the booted commit contains the new branch
in metadata and update the default branch with a freshest version.
This allows to switch the system to new branch (release) smoothly
with a static bundle.

To switch to the new branch the static bundle should to include the
commit containing both branches in metadata -- the current one allowing
to be installed and the newer one.
On the first successful boot this function should be called to set up
default branch to the new version.

For Apertis naming schema it is enough to rely to default alphabetic
order for branches listed in metadata of signed commit.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Move the logic for gathering information about Collection ID and refs
from commit into separate function aum_get_metadata_collection_refs().

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

It is useful to put custom AUM binary onto FS with write permissions.
Redefination of `ExecStart` path allows to start development version
of AUM after reboot.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Allow to use signed and unsigned delta formats.
In case if repository have option `core.sign-verify-deltas=true`
only signed delta is allowed.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Starting v2020.7 `libostree` upstream support two versions of static
deltas. Signed static delta has different binary format
OSTREE_STATIC_DELTA_SIGNED_FORMAT and have an additional magic value
as indicator of signed version.

This commit doesn't change the logic of delta parsing, i.e. only unsigned
deltas could be parsed as before. But other preparation like API
changing is done here. No changes for functionality.

Added check of the option `core.sign-verify-deltas` in ostree repository.
If the option is not set as `true` then AUM allow to install unsigned
static delta (default behavior).

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Starting ostree v2020.7 verification of ostree delta is
a part of upstream.
To enable the verification of the delta file in libostree, the config
file for the repository must contain appropriate flag:

  ostree config set core.sign-verify-deltas true

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

We will need the signature engine for checking the static delta,
so move signature engine initialization out of commit's signature check.
Function `aum_check_signature()` became useless, so removing it.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Align options names with upstream for inlined public keys and file name
with custom keys if any. Simplify loading logic.
Those options aren't used in Apertis, for now we are using system-wide
public keys only.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Need to bump the requirement since upstream version have support of
signed static deltas and we are using it with a new API call:

  ostree_repo_static_delta_execute_offline_with_signature()

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Adding the log domain allows to see debug messages only from AUM.
Added usage example into readme file.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Unlocking encrypted update can take a long time, preventing other DBus
method to respond in time, e.g. `MarkUpdateSuccessful` with logs like:
```
Nov 17 15:41:30 apertispro apertis-update-[236]: mount added : /media/1AB7-E289
Nov 17 15:41:31 apertispro application[159]: DEBUG [SystemInit.cpp:135] [operator()]: UpdateMgr is ready.
Nov 17 15:41:31 apertispro application[159]: DEBUG [SystemInit.cpp:207] [operator()]: Boot count before MarkUpdateSuccessful() is: 1
Nov 17 15:41:56 apertispro application[159]: ERROR [UpdateMgr.cpp:205] [OnMarkUpdateSuccessful]: Error while MarkUpdateSuccessful : Timeout was reached
Nov 17 15:41:57 apertispro application[159]: DEBUG [SystemInit.cpp:220] [operator()]: Boot count after MarkUpdateSuccessful() is: 1
Nov 17 15:41:57 apertispro application[159]: ERROR [SystemInit.cpp:223] [operator()]: Boot count reset failed!
Nov 17 15:44:29 apertispro apertis-update-[236]: Marked update as successful
Nov 17 15:44:32 apertispro apertis-update-[236]: mount added : /media/update
Nov 17 15:44:32 apertispro apertis-update-[236]: Ostree static delta starting
```

Mount event for the encrypted filesystem can occur before return of
`udisks_filesystem_call_mount_sync()` call in the task
`unlock_and_mount_encrypted_thread`. During call to mount, store mounted
path and process them when the task is completed.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>