From 60074168dab3c2991dc68dfa02e234314022bdb1 Mon Sep 17 00:00:00 2001
From: Bowgo Tsai <bowgotsai@google.com>
Date: Wed, 5 May 2021 12:27:09 +0800
Subject: [PATCH] Usee sha256 to build the hashtree in GSI image

The default algorithm is sha1, which shouldn't be used now.
Becaues sha256 is more robust against malicious attacks.

Bug: 187021780
Test: TreeHugger
Change-Id: Ia325f59d09687d6d501d9710cbdd3339d7566c60
---
 target/board/BoardConfigGsiCommon.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/board/BoardConfigGsiCommon.mk b/target/board/BoardConfigGsiCommon.mk
index a2150adb7d..c577870de5 100644
--- a/target/board/BoardConfigGsiCommon.mk
+++ b/target/board/BoardConfigGsiCommon.mk
@@ -41,6 +41,10 @@ BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
 BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048
 BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
 BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1
+
+# Using sha256 for dm-verity partitions. b/156162446
+BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+
 ifdef BUILDING_GSI
 # super.img spec for GSI targets
 BOARD_SUPER_PARTITION_SIZE := 3229614080