# Security

## Introduction

The security subsystem provides capabilities to protect the system security, data security, and application security of OpenHarmony.

The open security capabilities include application integrity verification, application permission management, device authentication, universal keystore management, and data transfer management.

## System Architecture

**Figure 1** Security subsystem architecture

![](figures/security-architecture.png)

- **Interface layer**: provides APIs, some of which are available only to system applications.
- **Device authentication**: verifies devices in distributed scenarios and sets up secure connection channels between trusted devices for data transfer.
- **Universal keystore management**: provides full lifecycle management of keys (generation, use, storage, and destruction) for upper-layer services, system applications, and system abilities.
- **Data transfer control**: controls data transfer between devices based on the data security level and the device security level. Data can be transferred only to devices whose security level matches the security level of the data.
- **Crypto framework**: provides unified APIs for cryptographic operations. It hides the differences between the underlying hardware and the encryption/decryption algorithm libraries, and encapsulates those libraries so that developers do not need to program against them directly.
- **Certificate framework**: provides system-level certificate and CRL verification, parsing, and output capabilities, as well as certificate chain and CRL chain capabilities for services.
- **Certificate management**: provides full lifecycle management of CA root certificates and service certificates (generation, storage, query and access, and deletion) for upper-layer services and system applications or abilities on devices.
- **Device security management**: manages devices based on their device security level and provides APIs for querying the security levels of the local and peer devices.

## Directory Structure

```
/base/security
├── dataclassification              # Data transfer control
├── device_auth                     # Device authentication
├── huks                            # Key management
├── asset                           # Asset store service
├── certificate_framework           # Certificate framework
├── crypto_framework                # Crypto framework
├── certificate_manager             # Certificate management
├── device_security_level           # Device security management
```

## Constraints

- The current version provides local application permission management only; distributed application permission management is not provided and uses the stub mode for joint debugging of distributed services.
- Device authentication covers both authentication of devices under the same account and peer-to-peer device authentication. The current version supports only peer-to-peer device authentication; authentication of devices under the same account uses the stub mode for joint debugging of distributed services.
- The certificates used for application integrity verification are specific to OpenHarmony. The corresponding public key certificate and private key are preset in the OpenHarmony code repositories to support offline signing and signature verification. The public key certificate and the corresponding private key must be replaced in commercial versions of OpenHarmony.

## Usage Guidelines

### Application Permission Management

The applications and system abilities in OpenHarmony run in independent sandboxes: both processes and data are isolated from each other to protect application data. However, abilities and applications also need to expose APIs that implement specific functionality, and an application in another sandbox needs permissions to access those APIs across process boundaries.

Application permission management provides a mechanism for defining permissions, so that permissions can be attached to the sensitive APIs of a system ability or application. Other applications cannot access those sensitive APIs without holding the corresponding permission.

Application permission management also allows an application to request permissions defined by the system or by other applications. Once the permissions are granted, the application can access the sensitive APIs.

In addition, application permission management allows users to view and manage the permission authorization status.

### Application Integrity Verification

The security subsystem provides signing and signature verification for applications to be installed and for applications at runtime, to ensure that every application running on OpenHarmony comes from a known and approved source and has not been tampered with.

Application development: After developing an application and generating its installation package, you must sign the package so that tampering after release can be detected. To sign the package, use the signing tools and public key certificates, and follow the signing certificate generation specifications provided by the application integrity verification module. A public key certificate and the corresponding private key are preset in OpenHarmony to simplify development. Note that you must replace this public key certificate and private key in your commercial version of OpenHarmony.

The OpenHarmony application framework subsystem is responsible for application installation. Upon receiving an installation package, the application framework subsystem parses the package signature and verifies it using the application integrity verification APIs. The application can be installed only after verification succeeds. During verification, the application signature verification module uses the preset public key certificate to check the signature.

The application integrity verification module also provides integrity checks for applications at runtime, including kernel-mode code signature verification and code integrity measurement. During application development, you can sign your code as required. When the application is installed, the OpenHarmony application framework subsystem calls the application integrity verification API to enable code signing for the application. Once code signing is enabled, the source, code owner, and code integrity of the application are verified each time the application is started.
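
The install-time and runtime checks described above, as an added example in Go that is not part of the OpenHarmony code base. A constructed Ed25519 key pair stands in for the preset public key certificate and private key; `SignPackage` is the developer-side step, `VerifyForInstall` is the installer-side check that consults only the preset public key, and `VerifyAtLaunch` models code integrity measurement by re-hashing the image against the digest recorded at install time. All type and function names are hypothetical, and Ed25519 over a SHA-256 digest is an assumption chosen for a self-contained demo, not the module's actual signature format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SigningIdentity stands in for a signing certificate and its private key.
// The "preset" identity is the one whose public key the installer trusts.
// Hypothetical type, not an OpenHarmony API.
type SigningIdentity struct {
	Public ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewSigningIdentity() (*SigningIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningIdentity{Public: pub, priv: priv}, nil
}

// packageDigest is what the signature covers, so any change to the package
// bytes after signing invalidates the signature.
func packageDigest(pkg []byte) []byte {
	d := sha256.Sum256(pkg)
	return d[:]
}

// SignPackage is the developer-side step: sign the installation package
// before release.
func (s *SigningIdentity) SignPackage(pkg []byte) []byte {
	return ed25519.Sign(s.priv, packageDigest(pkg))
}

var ErrUntrustedPackage = errors.New("installation refused: signature does not verify under the preset public key")

// InstallRecord is what the installer keeps after a successful verification:
// the digest it checked, for re-measurement when the application starts.
type InstallRecord struct {
	Name   string
	Digest []byte
}

// VerifyForInstall is the installer-side step: the package may be installed
// only if its signature verifies under the preset public key. A package
// signed by any other key, or modified after signing, is refused.
func VerifyForInstall(preset ed25519.PublicKey, name string, pkg, sig []byte) (*InstallRecord, error) {
	digest := packageDigest(pkg)
	if !ed25519.Verify(preset, digest, sig) {
		return nil, ErrUntrustedPackage
	}
	return &InstallRecord{Name: name, Digest: digest}, nil
}

// VerifyAtLaunch models the runtime measurement: the code about to run is
// re-hashed and must match what was verified at install time.
func VerifyAtLaunch(rec *InstallRecord, image []byte) bool {
	return bytes.Equal(packageDigest(image), rec.Digest)
}

func main() {
	preset, err := NewSigningIdentity()
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed example package contents") // constructed sample input
	sig := preset.SignPackage(pkg)

	rec, err := VerifyForInstall(preset.Public, "example.app", pkg, sig)
	fmt.Println("genuine package installs:", err == nil)

	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0x01
	_, err = VerifyForInstall(preset.Public, "example.app", tampered, sig)
	fmt.Println("tampered package rejected:", errors.Is(err, ErrUntrustedPackage))

	fmt.Println("runtime measurement matches install record:", VerifyAtLaunch(rec, pkg))
}
```

The two checks are deliberately separate: the install-time signature check establishes source and integrity once, while the launch-time comparison only needs the recorded digest, so it can run without the signing key material being present on the device.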

### Device Authentication and Universal Keystore

A unified device binding and authentication solution covering 1+8+N devices is provided. Device authentication is generally used for cross-device communication implemented by DSoftBus, rather than being called by applications directly. Device authentication provides the following functionalities:

- Building and maintaining a unified trust relationship for a group of devices that use different accounts. Devices with different accounts can form a local trust group once a trust relationship has been established by some means, such as scanning a QR code. Services can call APIs to query the group information.

- Implementing unified device authentication. A unified authentication solution is provided to discover devices and to perform connection authentication and key agreement for encrypted, end-to-end sessions over DSoftBus between the devices in a trust group.

- Providing credentials for device authentication, and algorithms for key agreement, via the universal keystore.
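
The trust group, connection authentication and key agreement described in the list above, as an added Go example that is not the device_auth implementation. It assumes a simplified protocol: each device holds a long-term Ed25519 identity key enrolled in a local `TrustGroup`, each side answers the peer's fresh challenge with a signed ephemeral X25519 public key, and a session key is derived only after the peer is confirmed to be a group member who proved possession of its identity key for this challenge. It needs Go 1.20 or later for `crypto/ecdh`. All names are hypothetical, and the SHA-256 key derivation is a stand-in for a real KDF.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device holds the long-term identity key a device contributes to a trust
// group. These types and functions are hypothetical, not device_auth APIs.
type Device struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice(name string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, pub: pub, priv: priv}, nil
}

// TrustGroup is the local record of enrolled identity keys. How a device was
// enrolled (for example after a QR-code scan) is outside this example.
type TrustGroup struct{ members map[string]ed25519.PublicKey }

func NewTrustGroup() *TrustGroup { return &TrustGroup{members: map[string]ed25519.PublicKey{}} }

func (g *TrustGroup) Enrol(d *Device) { g.members[d.Name] = d.pub }

// AuthMessage is one side's reply: a fresh X25519 public key bound to the
// peer's challenge by a signature under the sender's identity key.
type AuthMessage struct {
	Name      string
	Ephemeral []byte
	Sig       []byte
}

// NewChallenge returns a fresh nonce; a reused challenge would allow replay.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func transcript(challenge, ephemeral []byte) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write(ephemeral)
	return h.Sum(nil)
}

// Respond answers the peer's challenge. The ephemeral private key is kept for
// key agreement and never leaves the device.
func (d *Device) Respond(peerChallenge []byte) (*AuthMessage, *ecdh.PrivateKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	sig := ed25519.Sign(d.priv, transcript(peerChallenge, ephPub))
	return &AuthMessage{Name: d.Name, Ephemeral: ephPub, Sig: sig}, eph, nil
}

// SessionKey checks the peer's reply to our challenge against the trust group
// and only then derives the shared session key. Non-members, impersonators and
// replayed replies are rejected before any key material is derived.
func SessionKey(g *TrustGroup, myChallenge []byte, myEph *ecdh.PrivateKey, peer *AuthMessage) ([]byte, error) {
	pub, ok := g.members[peer.Name]
	if !ok {
		return nil, errors.New("peer is not a member of the trust group")
	}
	if !ed25519.Verify(pub, transcript(myChallenge, peer.Ephemeral), peer.Sig) {
		return nil, errors.New("peer did not prove possession of its identity key for this challenge")
	}
	peerEph, err := ecdh.X25519().NewPublicKey(peer.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := myEph.ECDH(peerEph)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared) // simplified KDF; a real protocol binds more context
	return key[:], nil
}

func main() {
	group := NewTrustGroup()
	phone, _ := NewDevice("phone")
	tablet, _ := NewDevice("tablet")
	group.Enrol(phone)
	group.Enrol(tablet)
	chPhone, chTablet := NewChallenge(), NewChallenge() // exchanged first, in the clear
	msgPhone, ephPhone, _ := phone.Respond(chTablet)
	msgTablet, ephTablet, _ := tablet.Respond(chPhone)
	keyPhone, errPhone := SessionKey(group, chPhone, ephPhone, msgTablet)
	keyTablet, errTablet := SessionKey(group, chTablet, ephTablet, msgPhone)
	fmt.Println("both sides authenticated:", errPhone == nil && errTablet == nil)
	fmt.Println("session keys agree:", bytes.Equal(keyPhone, keyTablet))
}
```

The order of checks matters: group membership is resolved by the claimed name, the signature then ties that identity to this run's challenge and ephemeral key, and only a reply that passes both feeds the ECDH step, so an unenrolled device, a device claiming another member's name, or a replayed reply never yields a session key.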

### Data Transfer Control

In OpenHarmony, the data transfer control module provides cross-device data transfer management and control policies for distributed services. The module defines a set of APIs that offer policies for cross-device data transfer and obtain the highest risk level of data that can be sent to the peer device.
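
The matching rule from the architecture list above (data flows only to a device whose security level matches the data's level) and the "highest risk level for the peer" query from this section, as an added Go example that is not the dataclassification module's code. It assumes a single ordered scale for both data classification and device security level, a `DeviceRegistry` standing in for the device security level query, and a fail-closed result when the peer's level is unknown. The level names and all identifiers are constructed for the example; the page does not give OpenHarmony's own level enumeration.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityLevel orders both data classifications and device security levels
// on one scale. Constructed names; not OpenHarmony's enumeration.
type SecurityLevel int

const (
	LevelPublic SecurityLevel = iota
	LevelInternal
	LevelConfidential
	LevelRestricted
)

// Record is a unit of data tagged with its classification.
type Record struct {
	ID    string
	Level SecurityLevel
}

// DeviceRegistry stands in for querying a peer's security level (the device
// security management component). A peer that is absent has no known level.
type DeviceRegistry map[string]SecurityLevel

var ErrUnknownPeer = errors.New("peer device security level unknown; nothing may be sent")

// HighestLevelForPeer returns the highest data level the policy allows to be
// sent to the peer. Under the matching rule that is the peer's own device
// security level; an unknown peer fails closed instead of defaulting to a level.
func (r DeviceRegistry) HighestLevelForPeer(peerID string) (SecurityLevel, error) {
	lvl, ok := r[peerID]
	if !ok {
		return 0, ErrUnknownPeer
	}
	return lvl, nil
}

// FilterForPeer splits records into those that may be transferred to the peer
// and those that must be withheld. If the peer is unknown, everything is withheld.
func (r DeviceRegistry) FilterForPeer(peerID string, records []Record) (allowed, withheld []Record, err error) {
	limit, err := r.HighestLevelForPeer(peerID)
	if err != nil {
		return nil, records, err
	}
	for _, rec := range records {
		if rec.Level <= limit {
			allowed = append(allowed, rec)
		} else {
			withheld = append(withheld, rec)
		}
	}
	return allowed, withheld, nil
}

func main() {
	// Constructed sample registry and data set.
	registry := DeviceRegistry{"tablet": LevelInternal, "laptop": LevelRestricted}
	records := []Record{{"notes", LevelPublic}, {"contacts", LevelInternal}, {"health", LevelConfidential}}
	for _, peer := range []string{"tablet", "laptop", "watch"} {
		allowed, withheld, err := registry.FilterForPeer(peer, records)
		fmt.Printf("peer=%-6s allowed=%d withheld=%d err=%v\n", peer, len(allowed), len(withheld), err)
	}
}
```

The registry lookup is the only place a level is trusted, and a missing entry is an error rather than a default, so a peer whose level has not been established receives nothing rather than whatever a zero value would permit.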

### Security Issue Response Team Work Charter

[security](https://gitee.com/openharmony/security)

## Repositories Involved

Security

[security_dataclassification](https://gitee.com/openharmony/security_dataclassification)

[security_huks](https://gitee.com/openharmony/security_huks)

[security_device_auth](https://gitee.com/openharmony/security_device_auth)

[security_device_security_level](https://gitee.com/openharmony/security_device_security_level)

[security_certificate_manager](https://gitee.com/openharmony/security_certificate_manager)

[security_crypto_framework](https://gitee.com/openharmony/security_crypto_framework)

[security_certificate_framework](https://gitee.com/openharmony/security_certificate_framework)

[security_asset](https://gitee.com/openharmony/security_asset)

<!--no_check-->