diff options
| author | 2025-01-24 13:49:00 +0000 | |
|---|---|---|
| committer | 2025-02-04 14:10:56 +0000 | |
| commit | 50fb49cabe70cfbde6743acb18543cd14befb7a5 (patch) | |
| tree | 9dcac051b7127a4bcc543b99bc0f83b1ec81d18a | |
| parent | a8cacac72a743b6c2d8a4480b3ae6619d22fb2d0 (diff) | |
Default avb_hash_algorithm to sha256 for android_filesystem modules
This change only impacts android_filesytem and android_system_image
soong modules which are currently only used to build microdroid images.
Also add a neverallow rule to discourage usage of sha1.
Bug: 341123987
Test: m
Test: manually set avb_hash_algorithm: "sha1" check build fails
Change-Id: I5449f711c751752db42dcca785ff1a2de054fb2d
| -rw-r--r-- | android/neverallow.go | 9 | ||||
| -rw-r--r-- | filesystem/filesystem.go | 7 |
2 files changed, 12 insertions, 4 deletions
diff --git a/android/neverallow.go b/android/neverallow.go index 7615ca805..94d1569b5 100644 --- a/android/neverallow.go +++ b/android/neverallow.go @@ -65,6 +65,7 @@ func init() { AddNeverAllowRules(createKotlinPluginRule()...) AddNeverAllowRules(createPrebuiltEtcBpDefineRule()) AddNeverAllowRules(createAutogenRroBpDefineRule()) + AddNeverAllowRules(createNoSha1HashRule()) } // Add a NeverAllow rule to the set of rules to apply. @@ -324,6 +325,14 @@ func createFilesystemIsAutoGeneratedRule() Rule { Because("is_auto_generated property is only allowed for filesystem modules in build/soong/fsgen directory") } +func createNoSha1HashRule() Rule { + return NeverAllow(). + ModuleType("filesystem", "android_filesystem"). + ModuleType("filesystem", "android_system_image"). + With("avb_hash_algorithm", "sha1"). + Because("sha1 is discouraged") +} + func createKotlinPluginRule() []Rule { kotlinPluginProjectsAllowedList := []string{ "external/kotlinc", diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go index e3f3ce866..5516efc43 100644 --- a/filesystem/filesystem.go +++ b/filesystem/filesystem.go @@ -119,7 +119,7 @@ type FilesystemProperties struct { Avb_algorithm *string // Hash algorithm used for avbtool (for descriptors). This is passed as hash_algorithm to - // avbtool. Default used by avbtool is sha1. + // avbtool. Default is sha256. Avb_hash_algorithm *string // The security patch passed to as the com.android.build.<type>.security_patch avb property. @@ -896,9 +896,8 @@ func (f *filesystem) buildPropFile(ctx android.ModuleContext) (android.Path, and if !proptools.BoolDefault(f.properties.Use_fec, true) { avb_add_hashtree_footer_args += " --do_not_generate_fec" } - if hashAlgorithm := proptools.String(f.properties.Avb_hash_algorithm); hashAlgorithm != "" { - avb_add_hashtree_footer_args += " --hash_algorithm " + hashAlgorithm - } + hashAlgorithm := proptools.StringDefault(f.properties.Avb_hash_algorithm, "sha256") + avb_add_hashtree_footer_args += " --hash_algorithm " + hashAlgorithm if f.properties.Rollback_index != nil { rollbackIndex := proptools.Int(f.properties.Rollback_index) if rollbackIndex < 0 { |