From 055128bf10597389e1400418d3b4c96f96741678 Mon Sep 17 00:00:00 2001
From: Tianjie
Date: Thu, 10 Dec 2020 17:16:41 -0800
Subject: [PATCH] Use sha256 to build the hashtree in avb image
The hashtree is used in verified boot, and sha256 is more robust against malicious attacks. Also, sha256 uses the same space as sha1 in the hashtree. And there isn't much performance regression per https://b.corp.google.com/issues/156162446#comment18 By putting the config in BoardConfigMainlineCommon.mk, we enable sha256 on all Pixels. And devices who want to use a different hash algorithm can override it in it's own board configs.
Bug: 156162446
Test: boot the device and check performance
Change-Id: I9f1d3bcf241bc65adf10376cc5ae7ab1986216fa
---
target/board/BoardConfigPixelCommon.mk | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 target/board/BoardConfigPixelCommon.mk
diff --git a/target/board/BoardConfigPixelCommon.mk b/target/board/BoardConfigPixelCommon.mk
new file mode 100644
index 0000000000..a970fec1ec
--- /dev/null
+++ b/target/board/BoardConfigPixelCommon.mk
@@ -0,0 +1,18 @@
+# BoardConfigPixelCommon.mk
+#
+# Common compile-time definitions for Pixel devices.
+
+# Using sha256 for dm-verity partitions. b/156162446
+# system, system_other, system_ext and product.
+BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_SYSTEM_OTHER_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_SYSTEM_EXT_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_PRODUCT_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+
+# vendor and odm.
+BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_ODM_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+
+# vendor_dlkm and odm_dlkm.
+BOARD_AVB_VENDOR_DLKM_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
+BOARD_AVB_ODM_DLKM_ADD_HASHTREE_FOOTER_ARGS += --hash_algorithm sha256
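Review bot: Every assignment in this new file uses `+=`, so the effective hash algorithm depends on include order: a device config that has already put its own `--hash_algorithm` into, say, `BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS` ends up passing the option twice, and which value is used is left to avbtool's option parsing (presumably the last one, to be confirmed). The file header should state that contract, e.g. `# Include before any device-specific BOARD_AVB_*_ADD_HASHTREE_FOOTER_ARGS; a device that needs another algorithm must append its own --hash_algorithm after this file.` The patch only creates the file (1 file changed) and the commit message names BoardConfigMainlineCommon.mk, so nothing visible here includes it; the header comment should also say which board configs are expected to include it. Because a fallback to avbtool's default algorithm would weaken the dm-verity hashtree without any build error, it is worth checking a built image with `avbtool info_image` and confirming the hashtree descriptor reports sha256 for each partition listed here.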