From 50fb49cabe70cfbde6743acb18543cd14befb7a5 Mon Sep 17 00:00:00 2001
From: Nikita Ioffe
Date: Fri, 24 Jan 2025 13:49:00 +0000
Subject: Default avb_hash_algorithm to sha256 for android_filesystem modules
This change only impacts android_filesytem and android_system_image soong modules which are currently only used to build microdroid images. Also add a neverallow rule to discourage usage of sha1.
Bug: 341123987
Test: m
Test: manually set avb_hash_algorithm: "sha1" check build fails
Change-Id: I5449f711c751752db42dcca785ff1a2de054fb2d
---
 filesystem/filesystem.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'filesystem/filesystem.go')
diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go
index e3f3ce866..5516efc43 100644
--- a/filesystem/filesystem.go
+++ b/filesystem/filesystem.go
@@ -119,7 +119,7 @@ type FilesystemProperties struct {
 Avb_algorithm *string
 // Hash algorithm used for avbtool (for descriptors). This is passed as hash_algorithm to
- // avbtool. Default used by avbtool is sha1.
+ // avbtool. Default is sha256.
 Avb_hash_algorithm *string
 // The security patch passed to as the com.android.build..security_patch avb property.
@@ -896,9 +896,8 @@ func (f *filesystem) buildPropFile(ctx android.ModuleContext) (android.Path, and
 if !proptools.BoolDefault(f.properties.Use_fec, true) {
 avb_add_hashtree_footer_args += " --do_not_generate_fec"
 }
- if hashAlgorithm := proptools.String(f.properties.Avb_hash_algorithm); hashAlgorithm != "" {
- avb_add_hashtree_footer_args += " --hash_algorithm " + hashAlgorithm
- }
+ hashAlgorithm := proptools.StringDefault(f.properties.Avb_hash_algorithm, "sha256")
+ avb_add_hashtree_footer_args += " --hash_algorithm " + hashAlgorithm
 if f.properties.Rollback_index != nil {
 rollbackIndex := proptools.Int(f.properties.Rollback_index)
 if rollbackIndex < 0 {
-- cgit v1.2.3-59-g8ed1b
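Review bot: The second hunk drops the old `hashAlgorithm != ""` guard, so an explicitly empty `avb_hash_algorithm` would now emit ` --hash_algorithm ` with no value. As far as I know `proptools.StringDefault` substitutes the default only for a nil pointer, so the next flag appended to `avb_add_hashtree_footer_args` (for example the rollback index handled just below) would presumably be read as the algorithm name. Falling back to the secure default in that case keeps the behaviour fail-closed: `if hashAlgorithm == "" { hashAlgorithm = "sha256" }` before the append. The sha1 restriction mentioned in the commit message lives in a neverallow rule that is not part of this file-limited view, so nothing in this function itself constrains the value; a short comment here pointing at that rule would help the next reader. buildPropFile starts and ends outside the hunk.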