# Security Overview

The OpenHarmony security subsystem provides security capabilities that make your applications and devices more secure and help you manage permissions. This subsystem has the following modules:


- Application signature verification

  To ensure the content integrity of applications, the system controls sources of the applications through application signatures and profiles. For a debugging application, the system uses the signature verification API to check whether the Unique Device Identifier (UDID) of the application matches that of the device, so as to ensure that the application is installed on the right device.

- Application permission management

  Application permissions determine what system resources and capabilities an application can access. During application development, you need to declare the permissions that the application may require in the profile.json file. Static permissions need to be registered during application installation, while dynamic permissions usually involve sensitive information and need users' dynamic authorization.

- Inter-process communication (IPC) authentication

  The caller that attempts to invoke the APIs provided by system services through IPC must be authenticated. The system services registered with Samgr can expose APIs to other processes through IPC, with access policies configured. When other processes attempt to call these APIs, the IPC authentication mechanism will be triggered. If the processes do not have the access permission, the access request will be rejected.

- DSLM

  The Device Security Level Management (DSLM) module manages the security levels of OpenHarmony devices. When user data of different types is transferred or processed in OpenHarmony distributed services, the DSLM APIs can be called to obtain the security levels of the related devices for subsequent processing.

- HUKS

  The OpenHarmony Universal Keystore (HUKS) provides system-level key management capabilities, ensuring secure management and use of keys throughout their entire lifecycle (generation, storage, use, and destruction). Applications can call the APIs provided by the HUKS module to perform operations on keys. In addition, keys in plaintext must be used in a trusted execution environment (TEE).

## Basic Concepts

Before developing an application that depends on the signature verification component, you should understand the following basic concepts:

- Samgr

  System Ability Manager (Samgr) is a module of OpenHarmony for managing system capabilities. For details, see the Application Framework development guidelines.

- BMS

  Bundle Manager Service (BMS) manages application installation, uninstallation, and data on OpenHarmony.

- Profile

  The profile in this document refers to HarmonyAppProvision, which is in JSON format.

- Debug application

  A debug application is an OpenHarmony Ability Package (HAP) that is signed with a debug certificate and profile obtained from the application store.

- Release application

  A release application is a HAP that is signed with a release certificate and profile obtained from the application store, and formally released in the application store.

- OpenHarmony self-signed application

  A self-signed application is an application that is signed with the signing certificate and profile issued by OpenHarmony's open-source root CA, which is composed of a certificate and a key.


## Constraints

- Only signatures of the debug, release, and OpenHarmony self-signed applications can be verified.

- To verify the signature of a debug application, the UDID of the device on which the debug application is installed must be in the UDID list contained in the profile.
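
The UDID constraint on debug applications can be sketched as a fail-closed check over the JSON profile. This is an added example, not OpenHarmony's own code: the function name, the profile field names (`type`, `debug-info`, `device-id-type`, `device-ids`) and the sample UDIDs are assumptions made for illustration, and release profiles are assumed to be outside this constraint.

```python
import hmac
import json

# Constructed sample profiles. The field names ("type", "debug-info",
# "device-id-type", "device-ids") are assumptions made for this example.
DEBUG_PROFILE = json.dumps({
    "type": "debug",
    "debug-info": {
        "device-id-type": "udid",
        "device-ids": ["A1B2" * 16, "0F0E" * 16],  # constructed UDIDs
    },
})
RELEASE_PROFILE = json.dumps({"type": "release"})


def check_udid_constraint(profile_json, device_udid):
    """Return (allowed, reason). Call only after the profile's own
    signature has been verified; an unverified UDID list proves nothing."""
    try:
        profile = json.loads(profile_json)
    except (TypeError, ValueError):
        return False, "profile is not valid JSON"
    if not isinstance(profile, dict):
        return False, "profile is not a JSON object"
    app_type = profile.get("type")
    if app_type == "release":
        return True, "release profile: UDID constraint does not apply"
    if app_type != "debug":
        return False, "unrecognized profile type"  # fail closed
    info = profile.get("debug-info")
    if not isinstance(info, dict) or info.get("device-id-type") != "udid":
        return False, "debug profile has no UDID list"
    ids = info.get("device-ids")
    if not isinstance(ids, list) or not ids:
        return False, "debug profile has an empty UDID list"
    wanted = device_udid.encode()
    # Compare against every entry without an early exit.
    matched = False
    for entry in ids:
        if isinstance(entry, str) and hmac.compare_digest(entry.encode(), wanted):
            matched = True
    if matched:
        return True, "device UDID is in the profile's UDID list"
    return False, "device UDID is not in the profile's UDID list"
```

A debug profile with a missing or empty UDID list is rejected rather than treated as "any device", so a malformed profile cannot widen where a debug build installs.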