Use sha256 to build the hashtree in avb image

The hashtree is used in verified boot, and sha256 is more robust against malicious attacks. Also, sha256 uses the same space as sha1 in the hashtree. And there isn't much performance regression per https://b.corp.google.com/issues/156162446#comment18 By putting the config in BoardConfigMainlineCommon.mk, we enable sha256 on all Pixels. And devices who want to use a different hash algorithm can override it in it's own board configs. Bug: 156162446 Test: boot the device and check performance Change-Id: I9f1d3bcf241bc65adf10376cc5ae7ab1986216fa
2020-12-10 17:16:41 -08:00 · 2020-12-10 17:16:41 -08:00 · 055128bf10
parent 33571ac8dd
commit 055128bf10
1 changed files with 18 additions and 0 deletions
--- a/target/board/BoardConfigPixelCommon.mk
+++ b/target/board/BoardConfigPixelCommon.mk
@ -0,0 +1,18 @@
+# BoardConfigPixelCommon.mk
+#
+# Common compile-time definitions for Pixel devices.
+
+# Using sha256 for dm-verity partitions. b/156162446
+# system, system_other, system_ext and product.
+BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_SYSTEM_OTHER_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_SYSTEM_EXT_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_PRODUCT_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+
+# vendor and odm.
+BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_ODM_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+
+# vendor_dlkm and odm_dlkm.
+BOARD_AVB_VENDOR_DLKM_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_ODM_DLKM_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256