WO2023016151A1 - Software framework of security application of linux system, and creation method for same - Google Patents

Publication number
WO2023016151A1
Authority
WO
WIPO (PCT)
Prior art keywords
basic
security
application
framework
software
Prior art date
Application number
PCT/CN2022/104299
Inventor
刘成城
Original Assignee
北京字节跳动网络技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京字节跳动网络技术有限公司
Publication of WO2023016151A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00: Arrangements for software engineering
    • G06F8/60: Software deployment
    • G06F8/61: Installation

Definitions

  • the present disclosure relates to the technical field of computer basic software, for example, to a software framework and a creation method of a Linux system security application.
  • TEE Trusted Execution Environment
  • PIN Personal Identification Number
  • DRM Digital Rights Management
  • This disclosure provides a software framework and creation method for a Linux system security application, which can avoid the situation in the related art where a security application compatible with the Android system cannot run compatibly on the Linux system, so that security applications compatible with the Android system run normally on the Linux system.
  • This disclosure provides a software framework for Linux system security applications, the software framework can be deployed on the Linux system in the form of an application package and run on the Linux system;
  • the application package includes: a security application, a trusted execution environment module, and an Android basic framework;
  • the security application is a security application running on a Linux system
  • the trusted execution environment module is configured to provide a trusted operating basis for the secure application
  • the Android basic framework is set to provide a running basis for the trusted execution environment module.
  • The present disclosure also provides a computer program product, including a computer program stored on a non-transitory computer-readable storage medium; the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the steps of any one of the above-mentioned methods for creating a software framework for a Linux system security application.
  • The present disclosure also provides an electronic device, including a memory, a processor, and a computer program stored on the memory and operable on the processor; when the processor executes the program, the steps of any one of the above-mentioned methods for creating a software framework for a Linux system security application are implemented.
  • Fig. 1 is a schematic diagram of the architecture of the software framework of the security application in the Android system of the related art
  • Fig. 2 is the structural representation of the software framework of Linux system security application provided by the present disclosure
  • Fig. 3 is a schematic diagram of the architecture of the software framework of the Linux system security application provided by the present disclosure
  • Fig. 4 is the flowchart of the method for creating the software framework of the Linux system security application provided by the present disclosure
  • FIG. 5 is a flowchart of step 430 in FIG. 4 .
  • Fig. 6 is a schematic structural diagram of an electronic device provided by the present disclosure.
  • REE Rich Execution Environment
  • The REE provides a general-purpose environment for mobile devices and runs a general-purpose operating system (Operating System, OS), such as Android or iOS.
  • OS Operating System
  • the TEE module interacts with the REE module through shared memory.
  • the TEE module is divided into kernel mode and user mode.
  • the user mode of TEE can run multiple different security applications (Trusted Application, TA).
  • TA Trusted Application
  • the most direct way to apply the TEE module in the REE module is to communicate with the TA in the TEE module, so the part of the REE module that communicates with the TA is called the client application (Client Application, CA).
  • FIG. 1 is a schematic diagram of the software framework of security applications on the Android system in the related art.
  • On the left side of the figure, the TEE driver, TEE basic library, TEE management service and multiple CAs on the REE module side corresponding to the TEE module all belong to the components of the TEE module; three security applications (services), decryption, fingerprint and face, are listed in the figure.
  • the CA of each security application in the REE side system depends on the TEE basic library, and the TEE management service component of the TEE module itself also depends on the TEE basic library, and the TEE basic library depends on the Android basic framework and the TEE kernel.
  • the TEE kernel is located in the Linux kernel that the Android system depends on and is not easy to change and transplant.
  • There are many kinds of TEE schemes. Based on different TEE kernels, multiple sets of TEE schemes are derived, such as op-tee, trusty and QSEE.
  • op-tee is a TEE solution supported by the main line of the Linux kernel.
  • The Linux kernel provides support for drivers, upper-layer management services and basic libraries.
  • trusty is a TEE solution used in Android, which provides a basic framework (basic library/management service) and the trusty kernel.
  • QSEE is the TEE solution adopted by Qualcomm platform.
  • the trusty-based TEE provided by each chip manufacturer may also be different, and each manufacturer may modify management services, basic library interfaces, etc. according to its own chip characteristics.
  • the loading verification signature process of TA is also different.
  • Android device manufacturers will also provide different versions of device TEE application solutions according to each chip manufacturer.
  • the final product integrator is basically unable to "create" a new TEE solution by itself, or even fine-tune the original solution.
  • the problem becomes particularly difficult.
  • the Android system has already played a pivotal role in all parts of the world. Chip manufacturers and equipment manufacturers have provided software and hardware solutions for the Android system, including the TEE solution.
  • Since the operating system kernel depends on multiple device drivers, most security applications compatible with the Android system that are ported to the Linux system adopt a container solution, that is, the Android system is put into a container of the Linux system (the components of each TEE module are also located in the container), so that the security application running on the Android system can be quickly ported to the Linux system and run.
  • The container solution puts the entire Android system or most of its key components into the container, so the container must be configured in a highly isolated manner (for example, different process identification systems are used inside and outside the container, inter-process communication (IPC) between the inside and outside of the container is limited, and the storage of the container is partially or completely isolated); otherwise resources inside and outside the container will conflict. Therefore, many applications in the Linux application ecosystem outside the container cannot easily use the TEE module of the Android system located in the container. Even where it can be used, the source code of the existing application in the Linux ecosystem has to be modified (for example, by changing the inter-process communication method) before the TEE in the container can be used, which places a heavy burden on development.
  • Android is the operating system for mobile terminals developed by Google. Based on its open-source version, the Android Open Source Project (AOSP), a number of companies have derived and developed versions such as MIUI, EMUI, and One UI, and the open source community has produced customized versions such as Pixel Experience and Lineage OS.
  • AOSP Android Open-Source Project
  • the Android mentioned in this disclosure covers the above-mentioned various implementations.
  • the Linux system includes various Linux OS distributions based on the Linux kernel, such as Ubuntu, RedHat, Jing OS, and the like.
  • the so-called Android basic framework includes the basic component Android Framework for supporting the operation of the Android OS.
  • the embodiment of the present disclosure provides a software framework for Linux system security applications, it is easy to understand that the software framework can be deployed on the Linux system in the form of an application package, and run on the Linux system;
  • the application package includes: a security application 210, a trusted execution environment module 220 and an Android basic framework 230;
  • the security application 210 is a security application running on a Linux system
  • the trusted execution environment module 220 is configured to provide a trusted operating basis for the secure application
  • the Android basic framework 230 is configured to provide a running basis for the trusted execution environment module.
  • security applications refer to applications related to security functions, such as applications related to fingerprint recognition, face recognition, financial payment, encryption and decryption, etc. that rely on the trusted environment provided by the TEE module.
  • Because applications related to security functions depend on the trusted environment provided by the TEE module, the normal operation of a security application depends on the support provided by the TEE components in the TEE module, the operation of the TEE components depends on the relevant TEE basic library, and the TEE basic library relies on the Android basic framework. The parts that security applications or services depend on are therefore packaged together in the application package, so that the application package can run normally in the Linux system, thereby avoiding the situation in which security applications that rely on the Android basic framework cannot run compatibly in the Linux system.
  • the TEE module includes basic components, security support components and basic libraries;
  • the basic class components and the security support class components respectively correspond to the basic libraries on which their own operation depends;
  • the basic component is set to provide basic support for the security support component; the security support component is set to provide the support of the trusted execution environment for the operation of the security application.
  • each component in the TEE module has its own division of labor.
  • General basic components, such as the TEE kernel and TEE management services, are developed by the chip manufacturer.
  • The CA (client application) and the corresponding TA (security application) are developed by equipment vendors and integrated by integrators.
  • The fingerprint recognition function, a typical security application that relies on the TEE module, is used as an example.
  • the fingerprint provider sends a request from the CA running in the non-secure world to the TA running in the secure world on the TEE infrastructure framework.
  • the TA is responsible for high-level security processing and returns the result to the CA.
  • the TEE basic framework does not pay attention to the business logic between CA and TA, and only provides basic services, such as communication channel establishment, TA identity verification, etc.
  • the software framework of the Linux system security application also includes a management software package, and the management software package is deployed on the Linux system and runs on the Linux system;
  • the management software package includes: the basic class component, the basic library on which the basic class component depends, and the Android basic framework.
  • The basic class components that the security support class components depend on are packaged and deployed on the Linux system, in order to support the normal operation of the security support class components on the Linux system.
  • the TEE management service belonging to the basic component and its dependent TEE basic library and Android basic framework are packaged to form an independent management software package and deployed on the Linux system.
  • the application package in the embodiment of the present disclosure includes: at least one security application, the security support component that each security application depends on, the basic library that each security support component depends on, and the Android basic framework.
  • the software framework in the embodiments of the present disclosure includes at least one application package.
  • each security application may be packaged independently in an application package, or several or all security applications may be packaged in the same application package to provide comprehensive functions externally.
  • the external presentation of the application package can be a single application or an intermediate service.
  • Each snap package in Figure 3 includes the Android basic framework; within the snap package, the Android basic framework, the TEE basic library and the client application corresponding to the security application do not depend on the Linux framework, but the other parts of the snap package depend on the Linux framework, and the snap mechanism itself depends on the Linux framework and basic services.
  • the method for creating the software framework of the Linux system security application provided by the embodiment of the present disclosure is described below.
  • the method for creating the software framework of the Linux system security application described below and the software framework of the Linux system security application described above can be referred to each other, as shown in FIG. 4, the embodiment of the present disclosure provides a method for creating a software framework for Linux system security applications, including the following steps:
  • Step 410: determine the dependency relationship between the security application running on the Linux system and the components in the trusted execution environment module; wherein, the trusted execution environment module includes components and basic libraries;
  • each security application developed on the Linux system depends on the security support component TEE component in the TEE module.
  • the security application in this step refers to the application or service related to system security related to the TEE module on the Linux system.
  • the normal operation of these applications or services depends on the function of the TEE module to complete a certain security function, such as fingerprint identification , face recognition, document decryption, etc.
  • Step 420: determine the basic library corresponding to the component that the security application depends on;
  • Step 430: package the security application, the components that the security application depends on, the basic library corresponding to the component, and the Android basic framework that the basic library depends on, into a software package with a set format to obtain an application package;
  • The TEE basic library that each security application depends on in the Linux system and the required part of the basic framework from the entire Android framework are packaged as software to form an application package, which is ported directly to the Linux system, so that the TEE module can support the normal operation of each security application on the Linux system.
  • The security application, the security support component that the security application depends on, the basic library corresponding to the security support component, and the Android basic framework that the basic library depends on are packaged as software to obtain an application package in the form of a snap.
  • the use of the unique snap technology on Linux can avoid the situation that the original TEE module cannot run due to environmental changes in the Linux system.
  • the Android basic framework that the TEE module depends on is packaged together with the Linux CA into a snap package, and the snap package is deployed in the Linux system, so that the security application can run normally in the Linux system.
  • The security application, the security support component that the security application depends on, the basic library corresponding to the security support component, and the Android basic framework that the basic library depends on are packaged as software to obtain an application package in the form of a flatpak.
  • the use of the unique flatpak technology on Linux can avoid the situation that the original TEE module cannot run due to environmental changes in the Linux system.
  • flatpak is a package management utility that distributes, installs and manages software without worrying about dependencies, runtimes, or Linux distributions.
  • Software can be installed regardless of the Linux distribution (whether it is a Debian-based distribution or an Arch-based distribution), so flatpak is called a universal package.
  • the application package only includes the Android basic framework on which the TEE module depends, so using snap or flatpak is more flexible and can abandon the isolation limitation of the container.
  • the particularity of the TEE module is that the driver of the TEE module is different from drivers such as Bluetooth audio, GPS, etc.
  • the TEE module driver itself supports multiple visitors to use at the same time (the Android system in the container and Linux system access at the same time), so the TEE module can use the solution provided by the embodiment of the present disclosure to meet the safety application requirements without transplanting its driver.
  • Step 440: deploy the application package on the Linux system, and run the software package when the security application needs to be executed.
  • the application packages in this step are deployed on the Linux system according to the actual system conditions, so that each application package can run normally on the Linux system, and provide support for a safe operating environment for each security application to run normally on the Linux system.
  • In step 430, it is necessary to find all the basic libraries that the security application indirectly depends on, and to encapsulate all of those basic libraries in the application package.
  • Step 430 also includes:
  • Step 510: perform software packaging on the basic class component, the basic library corresponding to the basic class component, and the Android basic framework on which the basic library depends, to obtain a management software package in the form of a snap or flatpak;
  • the system publisher may perform step 520: deploy the management software package on the Linux system, so as to provide it to users.
  • A schematic diagram of the physical structure of an electronic device provided by an embodiment of the present disclosure is described below in conjunction with FIG. 6.
  • As shown in FIG. 6, the electronic device includes a processor 610, a communication interface 620, a memory 630 and a communication bus 640, wherein the processor 610, the communication interface 620 and the memory 630 communicate with each other through the communication bus 640.
  • The processor 610 can call the logic instructions in the memory 630 to execute a method for creating a software framework of a Linux system security application, and the method includes: determining the dependency relationship between the security application running on the Linux system and the components in the trusted execution environment module, wherein the trusted execution environment module includes components and a basic library; determining the basic library corresponding to the component that the security application depends on; packaging the security application, the component that the security application depends on, the basic library corresponding to the component and the Android basic framework on which the basic library depends as software in a set format to obtain an application package; and deploying and running the application package on a Linux system.
  • the logic instructions in the above-mentioned memory 630 may be implemented in the form of software functional units and when sold or used as an independent product, may be stored in a computer-readable storage medium.
  • the technical solution of the embodiments of the present disclosure is essentially or the part that contributes to the related technology or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium.
  • a computer device which may be a personal computer, a server, or a network device, etc.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disc and other media that can store program code.
  • the processor 610 may be a central processing unit (CPU), and may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), etc.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like. The steps of the method disclosed in conjunction with the present disclosure may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
  • An embodiment of the present disclosure also provides a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium; the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the method for creating a software framework of a Linux system security application provided by the above embodiments. The method includes: determining the dependency relationship between the security application running on the Linux system and the components in the trusted execution environment module, wherein the trusted execution environment module includes components and a basic library; determining the basic library corresponding to the component that the security application depends on; packaging the security application, the component that the security application depends on, the basic library corresponding to the component and the Android basic framework on which the basic library depends as software in a set format to obtain an application package; and deploying and running the application package on a Linux system.
  • An embodiment of the present disclosure also provides a non-transitory computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the method for creating a software framework of a Linux system security application provided by the above embodiments: determining the dependency relationship between a security application running on a Linux system and a component in a trusted execution environment module, wherein the trusted execution environment module includes a component and a basic library; determining the basic library corresponding to the component that the security application depends on; packaging the security application, the component that the security application depends on, the basic library corresponding to the component, and the Android basic framework that the basic library depends on as software in a set format to obtain an application package; and deploying and running the application package on the Linux system.
  • The device embodiments described above are only illustrative. The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; that is, they may be located in one place, or they may be distributed across multiple network elements. Part or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. It can be understood and implemented by those skilled in the art without any creative effort.
  • In the software framework and creation method of the Linux system security application provided by the present disclosure, the security application to be run in the Linux system, the trusted execution environment module and the Android basic framework on which it depends are deployed in the Linux system in the form of an application package. This makes it convenient to quickly port a security application compatible with the Android system to the Linux system and lets it run normally there.
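
Added example, not part of the patent or of the applicant's code: steps 410 to 430 and step 510 in the list above amount to walking the direct and indirect dependencies of a security application (or of a basic class component) and packaging everything except the TEE driver, which the page says stays in the host kernel. The Python code below does this over a constructed graph and audits a package for parts it lacks; every component name and the `kind` labels are hypothetical.

```python
from collections import deque

# Constructed dependency graph. All component names are hypothetical.
# kind "kernel" marks parts that stay in the host Linux kernel (the TEE driver),
# which the page says does not need to be transplanted into the package.
GRAPH = {
    "fingerprint-ca":         {"kind": "app",       "deps": ["fingerprint-support"]},
    "decrypt-ca":             {"kind": "app",       "deps": ["decrypt-support"]},
    "fingerprint-support":    {"kind": "support",   "deps": ["libtee_base"]},
    "decrypt-support":        {"kind": "support",   "deps": ["libtee_base", "libtee_crypto"]},
    "tee-mgmt-service":       {"kind": "basic",     "deps": ["libtee_base"]},
    "libtee_base":            {"kind": "lib",       "deps": ["libtee_ipc",
                                                             "android-base-framework",
                                                             "tee-driver"]},
    "libtee_crypto":          {"kind": "lib",       "deps": ["libtee_base"]},
    "libtee_ipc":             {"kind": "lib",       "deps": ["android-base-framework"]},
    "android-base-framework": {"kind": "framework", "deps": []},
    "tee-driver":             {"kind": "kernel",    "deps": []},
}


def dependency_closure(roots, graph):
    """Steps 410-420: walk direct and indirect dependencies of the roots.

    Returns (to_package, host_provided) as sorted lists. Raises KeyError if a
    dependency is referenced but not described in the graph.
    """
    seen, unknown, queue = set(), set(), deque(roots)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue  # already visited; also makes dependency cycles harmless
        if name not in graph:
            unknown.add(name)
            continue
        seen.add(name)
        queue.extend(graph[name]["deps"])
    if unknown:
        raise KeyError(f"unresolved dependencies: {sorted(unknown)}")
    to_package = sorted(n for n in seen if graph[n]["kind"] != "kernel")
    host_provided = sorted(n for n in seen if graph[n]["kind"] == "kernel")
    return to_package, host_provided


def audit_package(contents, roots, graph):
    """Step 430 check: compare a package's contents with the required closure.

    Returns the components missing from the package and any kernel-resident
    components that were bundled by mistake.
    """
    required, host = dependency_closure(roots, graph)
    contents = set(contents)
    return {
        "missing": sorted(set(required) - contents),
        "should_stay_on_host": sorted(contents & set(host)),
    }


if __name__ == "__main__":
    app_pkg, host = dependency_closure(["fingerprint-ca"], GRAPH)
    print("application package:", app_pkg)
    print("provided by host kernel:", host)
    # Step 510: the management package is rooted at the basic class component.
    print("management package:", dependency_closure(["tee-mgmt-service"], GRAPH)[0])
    # A package that bundled only the CA's direct dependency and one library.
    print(audit_package(["fingerprint-ca", "fingerprint-support", "libtee_base"],
                        ["fingerprint-ca"], GRAPH))
```

The audit of the incomplete package reports the indirectly required library and the Android basic framework as missing, which is the omission the note on step 430 warns about.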

Abstract

Provided in the present disclosure are a software framework of a security application of a Linux system, and a creation method for same. The software framework is deployed on a Linux system in the form of an application package, and is run on the Linux system, wherein the application package comprises a security application, a trusted execution environment module, and an Android basic framework; the security application is a security-type application run on the Linux system; the trusted execution environment module is configured to provide a trusted operation basis for the security application; and the Android basic framework is configured to provide an operation basis for the trusted execution environment module.

Description

Software framework and creation method of Linux system security application
This application claims priority to a Chinese patent application with application number 202110924877.X filed with the China Patent Office on August 12, 2021, the entire contents of which are incorporated herein by reference.
Technical field
The present disclosure relates to the technical field of computer basic software, for example, to a software framework and a creation method of a Linux system security application.
Background
A Trusted Execution Environment (TEE) is an environment that ensures computation is not interfered with by the regular operating system, hence the name "trusted". A TEE is usually used to run critical operations, for example: (1) mobile payment: fingerprint verification, personal identification number (PIN) input, etc.; (2) confidential data: secure storage of private keys, certificates, etc.; (3) content protection: digital rights management (DRM), etc.
Since the normal operation of the TEE module depends on the basic framework of the Android system, how to make security applications compatible with the Android system run normally on the Linux system has become the main technical problem to be solved in the related art.
Summary
The present disclosure provides a software framework and creation method for a Linux system security application, which can avoid the situation in the related art where a security application compatible with the Android system cannot run compatibly on the Linux system, so that security applications compatible with the Android system run normally on the Linux system.
The present disclosure provides a software framework for Linux system security applications. The software framework can be deployed on the Linux system in the form of an application package and run on the Linux system; the application package includes: a security application, a trusted execution environment module, and an Android basic framework;
the security application is a security-type application running on the Linux system;
the trusted execution environment module is configured to provide a trusted operating basis for the security application;
the Android basic framework is configured to provide a running basis for the trusted execution environment module.
The present disclosure also provides a computer program product, including a computer program stored on a non-transitory computer-readable storage medium; the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the steps of any one of the above-mentioned methods for creating a software framework for a Linux system security application.
The present disclosure also provides an electronic device, including a memory, a processor, and a computer program stored on the memory and operable on the processor; when the processor executes the program, the steps of any one of the above-mentioned methods for creating a software framework for a Linux system security application are implemented.
Brief description of the drawings
Fig. 1 is a schematic diagram of the architecture of the software framework in which security applications reside in the Android system of the related art;
Fig. 2 is a schematic structural diagram of the software framework of the Linux system security application provided by the present disclosure;
Fig. 3 is a schematic diagram of the architecture of the software framework of the Linux system security application provided by the present disclosure;
Fig. 4 is a flowchart of the method for creating the software framework of the Linux system security application provided by the present disclosure;
Fig. 5 is a flowchart of step 430 in Fig. 4.
Fig. 6 is a schematic structural diagram of an electronic device provided by the present disclosure.
Detailed description
A Trusted Execution Environment (TEE) runs a complete operating system internally and runs in isolation from the Rich Execution Environment (REE), such as an Android or Linux system. The REE provides a general-purpose environment for mobile devices and runs a general-purpose operating system (OS), such as Android or iOS. The TEE module and the REE module interact through shared memory.
Internally, the TEE module is divided into kernel mode and user mode, and the TEE's user mode can run multiple different security applications (Trusted Application, TA). The most direct way to use the TEE module from the REE module is to communicate with a TA in the TEE module, so the part of the REE module that communicates with the TA is called the client application (Client Application, CA).
Fig. 1 is a schematic diagram of the software framework of security applications on the Android system in the related art. On the left side of the figure, the REE side corresponding to the TEE module, the TEE driver, the TEE basic library, the TEE management service and the multiple CAs are all components of the TEE module; the figure lists three security applications (services): decryption, fingerprint and face. In Fig. 1, the CA of each security application on the REE side depends on the TEE basic library, and the TEE management service component of the TEE module itself also depends on the TEE basic library. The TEE basic library in turn depends on the Android basic framework and the TEE kernel, and the TEE kernel is located in the Linux kernel that the Android system depends on and is not easy to modify or port.
There are many TEE schemes. Multiple sets of TEE schemes have been derived from different TEE kernels, for example op-tee, trusty and QSEE. Among them, op-tee is the TEE scheme supported by the mainline Linux kernel; for the op-tee kernel, the Linux kernel provides support for drivers, upper-layer management services and basic libraries. trusty is the TEE scheme adopted in Android, which provides a basic framework (basic library/management service) and the trusty kernel. QSEE is the TEE scheme adopted by the Qualcomm platform.
In addition, even for the same trusty solution on the Android system, the trusty-based TEE provided by each chip vendor may differ, because each vendor may modify the management service, the basic library interfaces and so on according to the characteristics of its own chips. The process of loading a TA and verifying its signature also differs. Android device vendors likewise provide different versions of the device TEE application scheme depending on the chip vendor.
For these reasons, the final product integrator is essentially unable to "create" a new TEE scheme on its own, or even to fine-tune the original scheme. The problem becomes especially difficult when the REE system of the original scheme is not the system that the product vendor wants to adopt.
The Android system now holds a pivotal position around the world, and chip vendors and device vendors alike provide software and hardware solutions for it, including TEE schemes.
In the related art, because the operating system kernel depends on multiple device drivers, porting a security application compatible with the Android system to a Linux system and running it there is mostly done with a container solution: the Android system is placed in a container on the Linux system (the components of each TEE module are also located in the container), so that security applications running on the Android system can be quickly ported to the Linux system and run.
The container solution puts the entire Android system, or most of its key components, into a container, so the container's attributes must be configured for a high degree of isolation (for example, different process identification schemes are used inside and outside the container, inter-process communication (IPC) between the inside and outside of the container is restricted, and the container's storage is partially or fully isolated); otherwise, resources inside and outside the container would conflict. As a result, the many applications in the Linux application ecosystem outside the container cannot conveniently use the TEE module of the Android system inside the container. Even where they can, the source code of existing applications in the Linux ecosystem must be modified (for example, by changing the inter-process communication method) before they can use the TEE in the container, which places a considerable burden on development.
Therefore, deploying and running security applications compatible with the Android system on a Linux system quickly and conveniently has become a technical problem in urgent need of a solution.
In the embodiments of the present disclosure, those skilled in the art will understand that Android is the operating system for mobile terminals developed by Google. On the basis of its open-source version, the Android Open-Source Project (AOSP), a number of companies have developed derived versions such as MIUI, EMUI and One UI, and the open-source community has produced customized versions such as Pixel Experience and Lineage OS. The term Android in this disclosure covers all of these implementations.
In the embodiments of the present disclosure, the Linux system includes the various Linux OS distributions based on the Linux kernel, such as Ubuntu, RedHat and Jing OS.
In the embodiments of the present disclosure, the Android basic framework includes the Android Framework, the basic component that supports the running of the Android OS.
As shown in Fig. 2, an embodiment of the present disclosure provides a software framework for Linux system security applications. The software framework can be deployed on a Linux system in the form of an application package and run on the Linux system. The application package includes: a security application 210, a trusted execution environment module 220 and an Android basic framework 230;
The security application 210 is a security application running on the Linux system;
The trusted execution environment module 220 is configured to provide a trusted running basis for the security application;
The Android basic framework 230 is configured to provide a running basis for the trusted execution environment module.
In the embodiments of the present disclosure, a security application is an application related to security functions, such as fingerprint recognition, face recognition, financial payment, or encryption and decryption, that relies on the trusted environment provided by the TEE module. The "trusted execution environment module" is hereinafter referred to as the "TEE module". Because applications related to security functions rely on the trusted environment provided by the TEE module, the normal running of a security application depends on support from the TEE components in the TEE module; the TEE components depend on the relevant TEE basic library; and the TEE basic library depends on the Android basic framework. All of the parts that the security application or service depends on are therefore packaged inside the application package so that the application package runs normally on the Linux system, thereby avoiding compatibility problems when a security application that depends on the Android basic framework runs on a Linux system.
In the embodiments of the present disclosure, the TEE module includes basic components, security support components and basic libraries;
The basic components and the security support components each correspond to the basic libraries on which their own running depends;
The basic components are configured to provide basic support for the security support components; the security support components are configured to provide trusted execution environment support for the running of the security application.
In the embodiments of the present disclosure, development of the components in the TEE module is divided among different parties. In general, basic components such as the TEE kernel and the TEE management service are developed by the chip vendor, while the CA (client application) and the corresponding TA (security application) are developed by the device vendor and integrated by the integrator.
The fingerprint recognition function, a typical security application that relies on the TEE module, is used as an example. On top of the TEE basic framework, the fingerprint vendor sends a request from the CA running in the non-secure world to the TA running in the secure world; the TA performs the high-security-level processing and returns the result to the CA. The TEE basic framework is not concerned with the business logic between the CA and the TA and provides only basic services, such as establishing the communication channel and verifying the identity of the TA.
In the embodiments of the present disclosure, the software framework for Linux system security applications further includes a management software package, which is deployed on the Linux system and runs on the Linux system;
The management software package includes: the basic components, the basic libraries on which the basic components depend, and the Android basic framework.
In the embodiments of the present disclosure, the basic components on which the security support components depend, together with the basic libraries related to the basic components and the Android basic framework, are packaged as software and deployed on the Linux system in order to support the normal running of the security support components on the Linux system. As shown in Fig. 3, the TEE management service, which is a basic component, is packaged together with the TEE basic library and the Android basic framework on which it depends to form an independent management software package that is deployed on the Linux system.
For example, the application package in the embodiments of the present disclosure includes: at least one security application, the security support components on which each security application depends, the basic libraries on which each security support component depends, and the Android basic framework.
For example, the software framework in the embodiments of the present disclosure includes at least one such application package.
In the embodiments of the present disclosure, each security application may be packaged independently in its own application package, or several or all of the security applications may be packaged in the same application package to provide a combined set of functions externally. Externally, an application package may present itself as a single application or as an intermediate service.
Fig. 3 shows one of the schematic diagrams of the software framework architecture for Linux system security applications provided by the embodiments of the present disclosure, taking application packages in snap form as an example. Each snap package in Fig. 3 includes the Android basic framework. Within a snap package, the Android basic framework, the TEE basic library and the client application corresponding to the security application do not depend on the Linux framework, but the other parts of the snap package do, and the snap mechanism itself depends on the Linux framework and basic services.
The method provided by the embodiments of the present disclosure for creating the software framework for Linux system security applications is described below; this method and the software framework described above may be read with reference to each other. As shown in Fig. 4, an embodiment of the present disclosure provides a method for creating a software framework for Linux system security applications, including the following steps:
Step 410: Determine the dependency relationship between the security application running on the Linux system and the components in the trusted execution environment module, where the trusted execution environment module includes components and basic libraries;
In this step, the correspondence between each security application developed on the Linux system and the security support components in the TEE module is determined. Each security application developed on the Linux system depends on the security support components (TEE components) in the TEE module. The security applications in this step are the applications or services on the Linux system that are related to system security and to the TEE module. The normal running of these applications or services depends on the functions of the TEE module in order to carry out a particular security function, such as fingerprint recognition, face recognition or document decryption.
Step 420: Determine the basic libraries corresponding to the components on which the security application depends;
Step 430: Package the security application, the components on which the security application depends, the basic libraries corresponding to those components, and the Android basic framework on which the basic libraries depend as software in a set format to obtain an application package;
In this step, the TEE basic library on which each security application in the Linux system depends, together with the part of the overall Android framework that forms the basic framework, is packaged as software to form an application package, which is ported directly to the Linux system so that the TEE module supports the normal running of each security application on the Linux system.
In some embodiments of this step, the security application, the security support components on which the security application depends, the basic libraries corresponding to the security support components, and the Android basic framework on which the basic libraries depend are packaged as software to obtain an application package in snap form.
In this embodiment, using snap, a technology specific to Linux, avoids the situation in which the original TEE module cannot run on the Linux system because of the change in environment.
The basic components that the application directly depends on, which would otherwise be part of the system, are packaged together with the application into a single snap application package. Such an application package runs normally when installed in different runtime environments.
The Android basic framework on which the TEE module depends is packaged together with the Linux CA into a snap package, and the snap package is deployed on the Linux system so that the security application runs normally on the Linux system.
In some embodiments of this step, the security application, the security support components on which the security application depends, the basic libraries corresponding to the security support components, and the Android basic framework on which the basic libraries depend are packaged as software to obtain an application package in flatpak form.
In this embodiment, using flatpak, a technology specific to Linux, avoids the situation in which the original TEE module cannot run on the Linux system because of the change in environment.
flatpak is a package management utility that distributes, installs and manages software without concern for dependencies, runtimes or the Linux distribution. Software can be installed regardless of the Linux distribution (whether Debian-based or Arch-based), which is why flatpak is called a universal package format.
The technical solution provided by the embodiments of the present disclosure is applicable on the premise that the application package includes only the Android basic framework on which the TEE module depends, so using snap or flatpak is more flexible and does away with the isolation restrictions of a container. In addition, the TEE module is special in that its driver differs from drivers such as those for Bluetooth audio or GPS: the TEE module driver itself supports simultaneous use by multiple accessors (the Android system inside a container and the Linux system outside it can access it at the same time). The TEE module can therefore meet the needs of security applications using the solution provided by the embodiments of the present disclosure without its driver having to be ported.
After the above software package has been built, the user or system distributor can perform step 440: deploy the application package on the Linux system, and run the software package when the security application needs to be executed.
The application packages in this step are deployed on the Linux system according to the actual system conditions, so that each application package runs normally on the Linux system and provides secure runtime environment support for the normal running of each security application on the Linux system.
In the embodiments of the present disclosure, the components of the TEE module each depend on corresponding basic libraries, and those basic libraries may in turn depend on other basic libraries. Step 430 therefore needs to find all the basic libraries on which the security application indirectly depends and encapsulate all of them in the application package.
In some embodiments of the present disclosure, as shown in Fig. 5, the method further includes, after step 430:
Step 510: Package the basic components, the basic libraries corresponding to the basic components, and the Android basic framework on which the basic libraries depend as software to obtain a management software package in snap or flatpak form;
After obtaining the management software package, the system distributor can perform step 520: deploy the management software package on the Linux system so that it is available to users.
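Steps 410 to 430 and step 510 amount to computing, for each entry point, every basic library it depends on directly or indirectly and staging that set into the package. The Python sketch below is an added example, not code from the patent: the component and library names in `DEPS` are constructed for illustration, and the output is a plain staging list, not a real snap or flatpak manifest.

```python
from collections import deque

# Constructed dependency map (assumption): every name here is illustrative.
# Keys are components or libraries, values are their direct dependencies.
DEPS = {
    "fingerprint_ca": ["libtee_base.so"],
    "face_ca": ["libtee_base.so", "libimage_util.so"],
    "tee_mgmt_service": ["libtee_base.so"],
    "libtee_base.so": ["android_base_framework"],
    "libimage_util.so": ["android_base_framework"],
    "android_base_framework": ["libfw_core.so", "libfw_log.so"],
    "libfw_core.so": ["libfw_log.so"],
    "libfw_log.so": [],
}


def dependency_closure(root, deps):
    """Return (resolved, missing) for `root`.

    resolved: everything `root` needs directly or indirectly, breadth-first.
    missing:  names that are referenced but have no entry in `deps`.
    """
    seen = {root}
    resolved, missing = [], []
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if node not in deps:
            # Referenced but unknown: packaging it would fail at run time.
            missing.append(node)
            continue
        if node != root:
            resolved.append(node)
        for dep in deps[node]:
            if dep not in seen:  # the seen set also stops dependency cycles
                seen.add(dep)
                queue.append(dep)
    return resolved, missing


def build_manifest(package, entry_points, deps):
    """Build the staging list for one package (application or management).

    Refuses to produce a manifest if any dependency cannot be resolved, so an
    incomplete package is caught at build time instead of on the target.
    """
    stage, unresolved = [], []
    for entry in entry_points:
        resolved, missing = dependency_closure(entry, deps)
        unresolved.extend(missing)
        for item in [entry] + resolved:
            if item not in stage:
                stage.append(item)
    if unresolved:
        names = ", ".join(sorted(set(unresolved)))
        raise ValueError(f"{package}: unresolved dependencies: {names}")
    return {"package": package, "stage": stage}


def plan_packages(deps):
    """Application package (step 430) and management package (step 510)."""
    return [
        build_manifest("security-apps", ["fingerprint_ca", "face_ca"], deps),
        build_manifest("tee-management", ["tee_mgmt_service"], deps),
    ]


if __name__ == "__main__":
    for manifest in plan_packages(DEPS):
        print(manifest["package"])
        for item in manifest["stage"]:
            print("  ", item)
```

Each package carries its own copy of the framework libraries, matching the statement that every snap package includes the Android basic framework.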
The physical structure of an electronic device provided by an embodiment of the present disclosure is described below with reference to Fig. 6. As shown in Fig. 6, the electronic device may include a processor 610, a communications interface 620, a memory 630 and a communication bus 640, where the processor 610, the communications interface 620 and the memory 630 communicate with one another through the communication bus 640. The processor 610 can call the logic instructions in the memory 630 to perform the method for creating a software framework for Linux system security applications, the method including: determining the dependency relationship between the security application running on the Linux system and the components in the trusted execution environment module, where the trusted execution environment module includes components and basic libraries; determining the basic libraries corresponding to the components on which the security application depends; packaging the security application, the components on which the security application depends, the basic libraries corresponding to those components, and the Android basic framework on which the basic libraries depend as software in a set format to obtain an application package; and deploying the application package on the Linux system and running it.
In addition, the logic instructions in the memory 630 described above may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the present disclosure, in essence, or the part of it that contributes to the related art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present disclosure. The storage medium includes media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
In the terminal device embodiment above, it should be understood that the processor 610 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC) or the like. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the present disclosure may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
另一方面,本公开实施例还提供一种计算机程序产品,所述计算机程序产品包括存储在非暂态计算机可读存储介质上的计算机程序,所述计算机程序包括程序指令,当所述程序指令被计算机执行时,计算机可执行上述多个方法所提供的Linux系统安全应用的软件框架创建方法,该方法包括:确定在Linux系统上运行的安全应用与可信执行环境模块中组件的依赖关系;其中,所述可信执行环境模块包括组件及基础库;确定所述安全应用依赖的所述组件对应的基础库;将所述安全应用、所述安全应用依赖的组件、所述组件对应的基础库以及所述基础库依赖的Android基础框架,进行设定格式的软件打包,得到应用包;将所述应用包部署在Linux系统上并运行。On the other hand, an embodiment of the present disclosure also provides a computer program product, the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, and when the program instructions When being executed by a computer, the computer can execute the method for creating a software framework of a Linux system security application provided by the above multiple methods, the method includes: determining the dependency relationship between the security application running on the Linux system and the components in the trusted execution environment module; Wherein, the trusted execution environment module includes a component and a base library; determine the base library corresponding to the component that the security application depends on; set the security application, the component that the security application depends on, and the base library that the component The library and the Android basic framework on which the basic library depends are packaged with software in a set format to obtain an application package; the application package is deployed and run on a Linux system.
In yet another aspect, an embodiment of the present disclosure further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for creating a software framework of a Linux system security application provided by the foregoing embodiments: determining the dependency relationship between a security application running on a Linux system and the components in a trusted execution environment module, wherein the trusted execution environment module includes components and basic libraries; determining the basic libraries corresponding to the components on which the security application depends; packaging the security application, the components on which the security application depends, the basic libraries corresponding to those components, and the Android basic framework on which the basic libraries depend as software in a set format to obtain an application package; and deploying and running the application package on the Linux system.
The device embodiments described above are only illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
From the above description of the implementations, those skilled in the art can clearly understand that the implementations can be realized by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the essence of the above technical solutions, or the part that contributes to the related art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments or in some parts of the embodiments.
In the software framework and creation method of a Linux system security application provided by the present disclosure, the security application to be run in the Linux system is deployed in the Linux system, in the form of an application package, together with the trusted execution environment module and the Android basic framework on which it depends. This makes it convenient to port a security application compatible with the Android system to the Linux system quickly, and allows a security application compatible with the Android system to run normally in the Linux system.
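
An added illustration, not part of the patent text: the creation method described above, resolved in Python over a constructed inventory. All application, component and library names are hypothetical placeholders, and the split into an application package and a management package follows claims 7 and 8.

```python
from dataclasses import dataclass

ANDROID_FRAMEWORK = "android-basic-framework"  # placeholder name (assumption)

# Constructed inventory of a TEE module: component -> (class, basic libraries).
TEE_COMPONENTS = {
    "tee-daemon": ("basic", ["libtee-core", "libbinder-shim"]),
    "keystore-svc": ("security-support", ["libkeystore", "libtee-core"]),
    "drm-svc": ("security-support", ["libdrm-tee"]),
}
# Constructed sample: security application -> components it depends on.
APP_DEPENDENCIES = {
    "pin-verifier": ["keystore-svc"],
    "media-player-drm": ["drm-svc", "keystore-svc"],
}

@dataclass
class Package:
    name: str
    fmt: str
    apps: list
    components: list
    basic_libraries: list
    framework: str = ANDROID_FRAMEWORK

def _make(name, fmt, apps, components):
    if fmt not in ("snap", "flatpak"):
        raise ValueError(f"unsupported package format: {fmt}")
    comps = sorted(components)
    # Basic libraries of every packaged component, de-duplicated.
    libs = sorted({lib for c in comps for lib in TEE_COMPONENTS[c][1]})
    return Package(name, fmt, sorted(apps), comps, libs)

def build_application_package(apps, fmt="snap"):
    """App -> security-support components -> basic libraries -> framework."""
    needed = set()
    for app in apps:
        for comp in APP_DEPENDENCIES[app]:
            if comp not in TEE_COMPONENTS:
                raise KeyError(f"{app} needs unknown component {comp}")
            # Assumption: apps may only name security-support components;
            # basic-class components ship in the management package.
            if TEE_COMPONENTS[comp][0] != "security-support":
                raise ValueError(f"{comp} is not a security-support component")
            needed.add(comp)
    return _make("application", fmt, apps, needed)

def build_management_package(fmt="snap"):
    """Basic-class components, their basic libraries and the framework."""
    basic = [c for c, (cls, _) in TEE_COMPONENTS.items() if cls == "basic"]
    return _make("management", fmt, [], basic)
```

The resulting manifests list what each snap or flatpak must contain; a missing component or an unsupported format fails at resolution time rather than at deployment.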

Claims (10)

  1. A software framework for a Linux system security application, wherein the software framework can be deployed on a Linux system in the form of an application package and run on the Linux system; the application package comprises: a security application, a trusted execution environment module, and an Android basic framework;
    the security application is a security-class application running on the Linux system;
    the trusted execution environment module is configured to provide a trusted operating basis for the security application;
    the Android basic framework is configured to provide an operating basis for the trusted execution environment module.
  2. The software framework according to claim 1, wherein the trusted execution environment module comprises basic-class components, security-support-class components and basic libraries;
    the basic-class components and the security-support-class components each correspond to the basic libraries on which their own operation depends;
    the basic-class components are configured to provide basic support for the security-support-class components;
    the security-support-class components are configured to provide trusted execution environment support for the running of the security application.
  3. The software framework according to claim 2, further comprising a management software package, wherein the management software package can be deployed on the Linux system and run on the Linux system;
    the management software package comprises: the basic-class components, the basic libraries on which the basic-class components depend, and the Android basic framework.
  4. The software framework according to claim 3, wherein the application package comprises: at least one security application, the security-support-class components on which each security application depends, the basic libraries on which each security-support-class component depends, and the Android basic framework.
  5. The software framework according to claim 4, wherein the software framework comprises at least one application package.
  6. A method for creating a software framework for a Linux system security application, the method comprising:
    determining the dependency relationship between the security application running on the Linux system and components in a trusted execution environment module, wherein the trusted execution environment module comprises the components and basic libraries;
    determining the basic libraries corresponding to the components on which the security application depends;
    packaging the security application, the components on which the security application depends, the basic libraries corresponding to the components, and the Android basic framework on which the basic libraries depend as software in a set format to obtain an application package.
  7. The method according to claim 6, wherein the components comprise basic-class components and security-support-class components;
    the packaging of the security application, the components on which the security application depends, the basic libraries corresponding to the components, and the Android basic framework on which the basic libraries depend as software in a set format to obtain an application package comprises:
    packaging the security application, the security-support-class components on which the security application depends, the basic libraries corresponding to the security-support-class components, and the Android basic framework on which the basic libraries depend as software to obtain an application package in snap or flatpak form.
  8. The method according to claim 7, wherein, after the packaging of the security application, the components on which the security application depends, the basic libraries corresponding to the components, and the Android basic framework on which the basic libraries depend as software in a set format to obtain an application package, the method further comprises:
    packaging the basic-class components, the basic libraries corresponding to the basic-class components, and the Android basic framework on which the basic libraries depend as software to obtain a management software package in snap or flatpak form.
  9. A computer program product, comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions, wherein when the program instructions are executed by a computer, the computer can execute the steps of the method for creating a software framework for a Linux system security application according to any one of claims 6 to 8.
  10. An electronic device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the method for creating a software framework for a Linux system security application according to claims 6 to 8.
PCT/CN2022/104299 2021-08-12 2022-07-07 Software framework of security application of linux system, and creation method for same WO2023016151A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110924877.X 2021-08-12
CN202110924877.XA CN113703790A (en) 2021-08-12 2021-08-12 Software framework of Linux system security application and establishing method

Publications (1)

Publication Number Publication Date
WO2023016151A1 true WO2023016151A1 (en) 2023-02-16

Family

ID=78652431

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/104299 WO2023016151A1 (en) 2021-08-12 2022-07-07 Software framework of security application of linux system, and creation method for same

Country Status (2)

Country Link
CN (1) CN113703790A (en)
WO (1) WO2023016151A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113703790A (en) * 2021-08-12 2021-11-26 北京鲸鲮信息系统技术有限公司 Software framework of Linux system security application and establishing method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170031680A1 (en) * 2015-07-27 2017-02-02 Mechdome, Inc. Computer-implemented method and system for executing android apps natively on any environment
CN109086100A (en) * 2018-07-26 2018-12-25 中国科学院信息工程研究所 A kind of high safety is credible mobile terminal safety architectural framework and security service method
CN112486512A (en) * 2020-11-25 2021-03-12 湖南麒麟信安科技股份有限公司 Linux general software adaptation method and system based on container and stacked file system
CN113703790A (en) * 2021-08-12 2021-11-26 北京鲸鲮信息系统技术有限公司 Software framework of Linux system security application and establishing method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012138046A1 (en) * 2011-04-04 2012-10-11 주식회사 인프라웨어테크놀러지 Terminal device and method for executing an android application on a general-purpose operating system, and computer-readable recording medium for same
KR101427561B1 (en) * 2013-05-16 2014-08-07 주식회사 인프라웨어테크놀러지 Method for adaptively executing an android application on tizen platform by automatically transforming the android application into tizen-installable package, and computer-readable recording medium for the same
US20180284712A1 (en) * 2017-03-28 2018-10-04 Accenture Global Solutions Limited Integrated services platform
CN108469962B (en) * 2018-03-27 2020-03-17 恒宝股份有限公司 Mobile terminal based on mobile phone shield and mobile phone shield management method
CN112631563A (en) * 2020-12-09 2021-04-09 北京飞讯数码科技有限公司 System development method and device based on framework, computer equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CAI ZEPHYR: "The most complete introduction to Android Trusted Execution Environment TEE", LOG.CSDN.NET, CSDN, CN, 10 March 2021 (2021-03-10), CN, pages 1 - 9, XP093035287, Retrieved from the Internet <URL:https://blog.csdn.net/caizehui/article/details/114638207> [retrieved on 20230328] *

Also Published As

Publication number Publication date
CN113703790A (en) 2021-11-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22855135

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE