author Nikita Ioffe <ioffe@google.com> 2025-01-24 13:49:00 +0000
committer Nikita Ioffe <ioffe@google.com> 2025-02-04 14:10:56 +0000
commit50fb49cabe70cfbde6743acb18543cd14befb7a5 (patch)
tree9dcac051b7127a4bcc543b99bc0f83b1ec81d18a /android/neverallow.go
parenta8cacac72a743b6c2d8a4480b3ae6619d22fb2d0 (diff)
Default avb_hash_algorithm to sha256 for android_filesystem modules
This change only impacts android_filesystem and android_system_image soong modules which are currently only used to build microdroid images. Also add a neverallow rule to discourage usage of sha1. Bug: 341123987 Test: m Test: manually set avb_hash_algorithm: "sha1" check build fails Change-Id: I5449f711c751752db42dcca785ff1a2de054fb2d
Diffstat (limited to 'android/neverallow.go')
-rw-r--r--android/neverallow.go9
1 files changed, 9 insertions, 0 deletions
diff --git a/android/neverallow.go b/android/neverallow.go
index 7615ca805..94d1569b5 100644
--- a/android/neverallow.go
+++ b/android/neverallow.go
@@ -65,6 +65,7 @@ func init() {
AddNeverAllowRules(createKotlinPluginRule()...)
AddNeverAllowRules(createPrebuiltEtcBpDefineRule())
AddNeverAllowRules(createAutogenRroBpDefineRule())
+ AddNeverAllowRules(createNoSha1HashRule())
}
// Add a NeverAllow rule to the set of rules to apply.
@@ -324,6 +325,14 @@ func createFilesystemIsAutoGeneratedRule() Rule {
Because("is_auto_generated property is only allowed for filesystem modules in build/soong/fsgen directory")
}
+func createNoSha1HashRule() Rule {
+ return NeverAllow().
+ ModuleType("filesystem", "android_filesystem").
+ ModuleType("filesystem", "android_system_image").
+ With("avb_hash_algorithm", "sha1").
+ Because("sha1 is discouraged")
+}
+
func createKotlinPluginRule() []Rule {
kotlinPluginProjectsAllowedList := []string{
"external/kotlinc",
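Review bot: The new rule in createNoSha1HashRule matches only the exact string in `With("avb_hash_algorithm", "sha1")`, so it is a one-value denylist: any other spelling, or any other weak algorithm the AVB tooling might accept, would pass unless it is rejected somewhere not visible in this hunk. If the rule builder offers a value matcher, an allowlist of the approved algorithms would state the policy more directly. The message `Because("sha1 is discouraged")` also understates a rule that fails the build and does not say what to use instead; something like `Because("sha1 is not collision-resistant; leave avb_hash_algorithm unset or set it to sha256")` tells the module owner what to change. Separately, `"filesystem"` is passed to both `ModuleType` calls; ModuleType's definition is outside this page, but if it takes a plain list of type names, a single `ModuleType("filesystem", "android_filesystem", "android_system_image")` would read more clearly and make it obvious which types are covered.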