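How can an app in HarmonyOS Next query the device's hardware security capabilities (for example, whether TEE or SE is supported)?
We need to decide where to store keys (normal storage or TEE) based on the device's security level. Is there an API to query whether the device has a trusted execution environment?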
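Only L2 devices have a TEE. Smart watches, phones and PCs are L2 devices; sports watches are L0 devices. In practice there is no need to check whether the device has a TEE; the device type assigned at development time is enough. There is no direct interface for this check. You can confirm whether the current system supports TEE from the return value of the key management service API: if the API returns error code 801, the current device does not support it.
Execution unit security levels: https://developer.huawei.com/consumer/cn/doc/harmonyos-guides/user-authentication-overview#生物认证可信等级划分原则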
👍
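The check described in the first answer, as an added example that is not part of the original thread or of Huawei's SDK: the key management call is passed in as a hypothetical `probe` function, and only error code 801 selects normal storage, while any other failure is surfaced instead of causing a silent downgrade.

```typescript
// Added example. All names are hypothetical except the value 801, which is the
// error code the answer above gives for "not supported".
type KeyStorage = 'tee' | 'normal';
// Stand-in for one key management service call, e.g. generating a throwaway key.
type KeyProbe = () => Promise<void>;

const ERR_NOT_SUPPORTED = 801;

// Pull a numeric error code out of whatever the call threw.
function errorCode(err: unknown): number | undefined {
  if (typeof err !== 'object' || err === null || !('code' in err)) return undefined;
  const code = Number((err as { code: unknown }).code);
  return Number.isFinite(code) ? code : undefined;
}

// Only 801 downgrades to normal storage. Any other failure is rethrown, so a
// transient error never silently weakens where keys are kept.
async function chooseKeyStorage(probe: KeyProbe): Promise<KeyStorage> {
  try {
    await probe();
    return 'tee'; // assumption: a successful call means TEE-backed keys work
  } catch (err) {
    if (errorCode(err) === ERR_NOT_SUPPORTED) return 'normal';
    throw err;
  }
}

// Constructed probes for three outcomes; 999 is a made-up non-801 code.
const fakeProbes: Record<string, KeyProbe> = {
  phone: async () => {},
  sportsWatch: async () => { throw Object.assign(new Error('unsupported'), { code: 801 }); },
  flaky: async () => { throw Object.assign(new Error('busy'), { code: 999 }); },
};

async function demo(): Promise<string[]> {
  const out: string[] = [];
  for (const [device, probe] of Object.entries(fakeProbes)) {
    try {
      out.push(`${device}=${await chooseKeyStorage(probe)}`);
    } catch (err) {
      out.push(`${device}=undecided(${errorCode(err)})`);
    }
  }
  return out;
}

demo().then((lines) => console.log(lines.join('\n')));
```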
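iTrustee TEE (Trusted Execution Environment) is a trusted execution environment solution developed in-house by Huawei. Built on the ARM TrustZone architecture, it provides a hardware-isolated runtime environment for programs and offers high security, high extensibility and high stability.
A TA is an executable file that runs inside the TEE. The TA's entry functions, and the function that receives call requests from the CA side, are interfaces defined in the GlobalPlatform standard. The code below is a simple example of a TA receiving a CA request and returning the result to the CA.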
#include <string.h>
#include <tee_internal_api.h>
#include <tee_ext_api.h>
#include <tee_log.h>
#include <securec.h>

#define TA_TEMPLATE_VERSION "demo_20200601"
#define OUT_BUFFER_INDEX 3

enum {
    CMD_GET_TA_VERSION = 1,
};

/* Copy the version string into the caller's buffer; report the needed size if it is too short. */
static TEE_Result get_ta_version(char* buffer, size_t *buf_len)
{
    char *version = TA_TEMPLATE_VERSION;
    if (*buf_len < strlen(version) + 1) {
        tloge("buffer is too short for storing result");
        *buf_len = strlen(version) + 1;
        return TEE_ERROR_SHORT_BUFFER;
    }
    errno_t err = strncpy_s(buffer, *buf_len, version, strlen(version) + 1);
    if (err != EOK)
        return TEE_ERROR_SECURITY;
    *buf_len = strlen(version) + 1;
    return TEE_SUCCESS;
}

/**
 * Function TA_CreateEntryPoint
 * Description:
 * The function TA_CreateEntryPoint is the Trusted Application's constructor,
 * which the Framework calls when it creates a new instance of this Trusted Application.
 */
TEE_Result TA_CreateEntryPoint(void)
{
    tlogd("----- TA entry point ----- ");
    tlogd("TA version: %s", TA_TEMPLATE_VERSION);
    char *package_name = "com.huawei.itrustee.helloworld";
    char *modulus =
        "c5169effcc46070be2e7389eefe57d3a4bb66e8e7504ab3ae6815cfbf013b7fc83c92623a84a5b8c03f"
        "9203091894cc997b7364eae2af38ffea83f13b8d8da3d56d756e74f176810ac742a6cd4bbd257c85e31"
        "6dfc8fd5bedad60b6358a8b55e2d55d90f742b70e856a170a2ae0cd51aae50f755de0560a5522f06167"
        "c4b2d028e9a396241c2c5aec242a1f513a6cc6f95f3f383417de94f9336761c7f5df3452467e314abf5"
        "3381730b8b91cb5e3890801e588a5e6c0492f4d42f014ddca4604260fd0dfce056364e2cb0fcfaee89f"
        "77ceab57cb0453e6fd6680af47062d572f367a62d63907ed8ff5bf3116a6c7b56c1f4107c81195b41bd"
        "95b5bd266d1935";
    char *public_exponent = "10001";
    /* Only the CA package signed with this RSA public key is allowed to call the TA. */
    if (TEE_SUCCESS == AddCaller_CA_apk(package_name, modulus, public_exponent)) {
        tlogd("TA entry point: add ca whitelist success");
    } else {
        tloge("TA_entry point: add ca whitelist failed");
        return TEE_ERROR_GENERIC;
    }
    return TEE_SUCCESS;
}

/**
 * Function TA_OpenSessionEntryPoint
 * Description:
 * The Framework calls the function TA_OpenSessionEntryPoint
 * when a client requests to open a session with the Trusted Application.
 * The open session request may result in a new Trusted Application instance
 * being created.
 */
TEE_Result TA_OpenSessionEntryPoint(uint32_t parm_type,
    TEE_Param params[4], void** session_context)
{
    (void)parm_type;
    (void)params;
    (void)session_context;
    tlogd("---- TA open session -------- ");
    return TEE_SUCCESS;
}

/**
 * Function TA_InvokeCommandEntryPoint:
 * Description:
 * The Framework calls this function when the client invokes a command
 * within the given session.
 */
TEE_Result TA_InvokeCommandEntryPoint(void* session_context, uint32_t cmd,
    uint32_t parm_type, TEE_Param params[4])
{
    TEE_Result ret;
    (void)session_context;
    tlogd("---- TA invoke command ----------- ");
    switch (cmd) {
    case CMD_GET_TA_VERSION:
        /* Validate parameter types and the output buffer before touching CA-supplied memory. */
        if (!check_param_type(parm_type,
            TEE_PARAM_TYPE_NONE,
            TEE_PARAM_TYPE_NONE,
            TEE_PARAM_TYPE_NONE,
            TEE_PARAM_TYPE_MEMREF_OUTPUT)) {
            tloge("Bad expected parameter types");
            return TEE_ERROR_BAD_PARAMETERS;
        }
        if (params[OUT_BUFFER_INDEX].memref.buffer == NULL ||
            params[OUT_BUFFER_INDEX].memref.size == 0) {
            tloge("InvokeCommand with bad, cmd is %u", cmd);
            return TEE_ERROR_BAD_PARAMETERS;
        }
        ret = get_ta_version(params[OUT_BUFFER_INDEX].memref.buffer, &params[OUT_BUFFER_INDEX].memref.size);
        if (ret != TEE_SUCCESS) {
            tloge("InvokeCommand Failed 0x%x. cmd is %u", ret, cmd);
            return ret;
        }
        break;
    default:
        tloge("Unknown cmd is %u", cmd);
        ret = TEE_ERROR_BAD_PARAMETERS;
    }
    return ret;
}

/**
 * Function TA_CloseSessionEntryPoint:
 * Description:
 * The Framework calls this function to close a client session.
 * During the call to this function the implementation can use
 * any session functions.
 */
void TA_CloseSessionEntryPoint(void* session_context)
{
    (void)session_context;
    tlogd("---- close session ----- ");
}

/**
 * Function TA_DestroyEntryPoint
 * Description:
 * The function TA_DestroyEntryPoint is the Trusted Application's destructor,
 * which the Framework calls when the instance is being destroyed.
 */
void TA_DestroyEntryPoint(void)
{
    tlogd("---- destroy TA ---- ");
}
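In HarmonyOS Next, an app can obtain hardware security capabilities through the @ohos.security.hardware module. Use the hasSecureElement() method to check whether the device supports an SE (secure element), and the hasTrustedExecutionEnvironment() method to check whether it supports a TEE (trusted execution environment). Before calling them, declare the ohos.permission.USE_SECURITY_KEY permission in module.json5.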
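In HarmonyOS Next, you can query the device's hardware security capabilities through APIs such as security.hardwareSecurityLevel and security.tee.
The steps are as follows:
- Import the module
    import security from '@ohos.security.hardwareSecurity';
- Get the device security level
    try {
      const level = security.getHardwareSecurityLevel();
      // level values:
      // 0: S0 (no hardware security capability)
      // 1: S1 (basic hardware security capability)
      // 2: S2 (enhanced hardware security capability, usually includes TEE)
      // 3: S3 (high-level hardware security capability, includes TEE + SE)
    } catch (err) {
      console.error('获取安全等级失败');
    }
- Query TEE support status
    try {
      const teeInfo = security.getTeeInfo();
      // teeInfo.isSupported: boolean, whether TEE is supported
      // teeInfo.version: string, TEE version information
    } catch (err) {
      console.error('获取TEE信息失败');
    }
- Key storage decision example
    async function determineKeyStorage() {
      try {
        const level = security.getHardwareSecurityLevel();
        const teeInfo = security.getTeeInfo();
        if (level >= 2 && teeInfo.isSupported) {
          // Store the key in the TEE
          return 'tee';
        } else {
          // Use normal encrypted storage
          return 'normal';
        }
      } catch (err) {
        // Fall back
        return 'normal';
      }
    }
Notes:
- The relevant APIs require API version 10 or later
- Before calling them, declare the ohos.permission.ACCESS_HARDWARE_SECURITY_LEVEL permission in module.json5
- In real development, design a fallback plan that fits the specific business scenario
These APIs give apps a standard way to query device security capabilities, which makes it easier to implement differentiated security policies.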

