Default avb_hash_algorithm to sha256 for android_filesystem modules
This change only impacts android_filesystem and android_system_image
soong modules which are currently only used to build microdroid images.
Also add a neverallow rule to discourage usage of sha1.
Bug: 341123987
Test: m
Test: manually set avb_hash_algorithm: "sha1" check build fails
Change-Id: I5449f711c751752db42dcca785ff1a2de054fb2d
diff --git a/android/neverallow.go b/android/neverallow.go
index 7615ca8..94d1569 100644
--- a/android/neverallow.go
+++ b/android/neverallow.go
@@ -65,6 +65,7 @@
AddNeverAllowRules(createKotlinPluginRule()...)
AddNeverAllowRules(createPrebuiltEtcBpDefineRule())
AddNeverAllowRules(createAutogenRroBpDefineRule())
+ AddNeverAllowRules(createNoSha1HashRule())
}
// Add a NeverAllow rule to the set of rules to apply.
@@ -324,6 +325,14 @@
Because("is_auto_generated property is only allowed for filesystem modules in build/soong/fsgen directory")
}
+func createNoSha1HashRule() Rule {
+ return NeverAllow().
+ ModuleType("filesystem", "android_filesystem").
+ ModuleType("filesystem", "android_system_image").
+ With("avb_hash_algorithm", "sha1").
+ Because("sha1 is discouraged")
+}
+
func createKotlinPluginRule() []Rule {
kotlinPluginProjectsAllowedList := []string{
"external/kotlinc",
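Review bot: The `Because("sha1 is discouraged")` text in createNoSha1HashRule is what a developer sees when the build fails, and it gives neither the reason nor the replacement; something like `Because("sha1 is not collision resistant; use sha256 (the default) for avb_hash_algorithm")` would make the failure actionable. The rule matches only the exact value "sha1" via `With("avb_hash_algorithm", "sha1")`, so whether other spellings or other weak algorithms are rejected depends on validation that is not visible in this hunk and is worth confirming. If `ModuleType` takes a list of module type names (it appears to, but its definition is outside this hunk), the leading "filesystem" argument in both calls looks like a package name rather than a module type, and the two calls could be written as `ModuleType("android_filesystem", "android_system_image")`. A one-line doc comment on the function stating that it blocks SHA-1 as the AVB hash for filesystem images would match the commit message.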