Default avb_hash_algorithm to sha256 for android_filesystem modules
This change only impacts android_filesytem and android_system_image
soong modules which are currently only used to build microdroid images.
Also add a neverallow rule to discourage usage of sha1.
Bug: 341123987
Test: m
Test: manually set avb_hash_algorithm: "sha1" check build fails
Change-Id: I5449f711c751752db42dcca785ff1a2de054fb2d
diff --git a/android/neverallow.go b/android/neverallow.go
index 7615ca8..94d1569 100644
--- a/android/neverallow.go
+++ b/android/neverallow.go
@@ -65,6 +65,7 @@
AddNeverAllowRules(createKotlinPluginRule()...)
AddNeverAllowRules(createPrebuiltEtcBpDefineRule())
AddNeverAllowRules(createAutogenRroBpDefineRule())
+ AddNeverAllowRules(createNoSha1HashRule())
}
// Add a NeverAllow rule to the set of rules to apply.
@@ -324,6 +325,14 @@
Because("is_auto_generated property is only allowed for filesystem modules in build/soong/fsgen directory")
}
+func createNoSha1HashRule() Rule {
+ return NeverAllow().
+ ModuleType("filesystem", "android_filesystem").
+ ModuleType("filesystem", "android_system_image").
+ With("avb_hash_algorithm", "sha1").
+ Because("sha1 is discouraged")
+}
+
func createKotlinPluginRule() []Rule {
kotlinPluginProjectsAllowedList := []string{
"external/kotlinc",
diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go
index e3f3ce8..5516efc 100644
--- a/filesystem/filesystem.go
+++ b/filesystem/filesystem.go
@@ -119,7 +119,7 @@
Avb_algorithm *string
// Hash algorithm used for avbtool (for descriptors). This is passed as hash_algorithm to
- // avbtool. Default used by avbtool is sha1.
+ // avbtool. Default is sha256.
Avb_hash_algorithm *string
// The security patch passed to as the com.android.build.<type>.security_patch avb property.
@@ -896,9 +896,8 @@
if !proptools.BoolDefault(f.properties.Use_fec, true) {
avb_add_hashtree_footer_args += " --do_not_generate_fec"
}
- if hashAlgorithm := proptools.String(f.properties.Avb_hash_algorithm); hashAlgorithm != "" {
- avb_add_hashtree_footer_args += " --hash_algorithm " + hashAlgorithm
- }
+ hashAlgorithm := proptools.StringDefault(f.properties.Avb_hash_algorithm, "sha256")
+ avb_add_hashtree_footer_args += " --hash_algorithm " + hashAlgorithm
if f.properties.Rollback_index != nil {
rollbackIndex := proptools.Int(f.properties.Rollback_index)
if rollbackIndex < 0 {