• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Porting the Security Subsystem
2
3
4The security subsystem provides functions such as network device connection, authentication, and authorization. It depends on mbedtls to implement hardware random numbers and network connection functions.
5
6
7Because the chip hardware and the implementation for the hardware-based random number varies by vendor, the hardware-based random number interface needs to be adapted.
8
9
10## Procedure
11
12OpenHarmony provides an open-source library of Mbed TLS, which is stored in **//third_party/mbedtls**. This library provides several random number generation modes, such as **mbedtls_platform_entropy_poll**, **mbedtls_hardclock_poll**, **mbedtls_havege_poll**, and **mbedtls_hardware_poll**. For the hardware-based random number, adapt **mbedtls_hardware_poll** based on your chip.
13
14
15## Example
16
171. Add a file system to the **config.json** file.
18
19   Path: **vendor/MyVendorCompany/MyProduct/config.json**
20
21     The sample code is as follows:
22
23   ```
24   {
25     "subsystem": "security",
26     "components": [
27       { "component": "hichainsdk", "features":[] },
28       { "component": "huks", "features":[]}
29     ]
30   },
31   ```
32
332. Configure the macro to enable the code related to the hardware-based random number interface.
34
35   According to the Mbed TLS compilation file, the macro is configured in the **MBEDTLS_CONFIG_FILE=\<../port/config/config_liteos_m.h>** file.
36
37   Path: **third_party/mbedtls/BUILD.gn**
38
39
40   ```
41   if (ohos_kernel_type == "liteos_m") {
42     defines += [
43       "__unix__",
44       "MBEDTLS_CONFIG_FILE=<../port/config/config_liteos_m.h>",
45     ]
46   }
47   ```
48
49   According to the code, configure the **MBEDTLS_NO_PLATFORM_ENTROPY** and **MBEDTLS_ENTROPY_HARDWARE_ALT** macros to build the related code.
50
51   Path: **third_party/mbedtls/library/entropy.c**
52
53
54   ```
55   #if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
56   #if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
57       mbedtls_entropy_add_source( ctx, mbedtls_platform_entropy_poll, NULL,
58                                   MBEDTLS_ENTROPY_MIN_PLATFORM,
59                                   MBEDTLS_ENTROPY_SOURCE_STRONG );
60   #endif
61   ......
62   #if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
63       mbedtls_entropy_add_source( ctx, mbedtls_hardware_poll, NULL,
64                                   MBEDTLS_ENTROPY_MIN_HARDWARE,
65                                   MBEDTLS_ENTROPY_SOURCE_STRONG );
66   #endif
67   ......
68   #endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
69   }
70   ```
71
723. Adapt the hardware-based random number interface.
73
74   The API definition is as follows.
75
76   Path: **third_party/mbedtls/include/mbedtls/entropy_poll.h**
77
78
79   ```
80   int mbedtls_hardware_poll( void *data,unsigned char *output, size_t len, size_t *olen );
81   ```
82
83
84  **Table 1** Configuration items of the security subsystem
85
86| Configuration Item| Description|
87| -------- | -------- |
88| disable_huks_binary | Whether to compile the HUKS source code.<br>(1) **false** (default): The HUKS source code is not compiled.<br>(2) **true**: The HUKS source code is not compiled.|
89| disable_authenticate | Whether tailoring is required for the HiChain authentication function.<br>(1) **true** (default): Tailoring is not required.<br>(2) **false**: Tailoring is required.|
90| huks_use_lite_storage | Whether the lightweight storage solution is used. The lightweight storage solution can be used for devices that come with flash storage and do not have file systems.<br>(1) **true** (default): The lightweight storage solution is used.<br>(2) **false**: The lightweight storage solution is not used.|
91| huks_use_hardware_root_key | Whether the hardware root key is used. If a device has the hardware root key capability, the hardware root key solution needs to be adapted based on the device capability. The RKC solution provided by HUKS is only for simulation implementation.<br>(1) **false** (default): The hardware root key is not used.<br>(2) **true**: The hardware root key is used. This requires adaptation.|
92| huks_config_file | Whether to use the default HUKS configuration file **hks_config.h**.<br>(1) **""**(default): The default HUKS configuration file is used.<br>(2) Other files: You can select the features to be supported from the HUKS support capability set.|
93
94
95> ![icon-note.gif](public_sys-resources/icon-note.gif) **NOTE**
96>
97> When adding a security subsystem, you can directly select the features of the security subsystem by configuring features.
98>
99>
100> ```
101> {
102>   "subsystem": "security",
103>   "components": [
104>     { "component": "hichainsdk", "features":[] },
105>     { "component": "huks", "features":
106>       [
107>         "disable_huks_binary = false",
108>         "disable_authenticate = false"
109>       ]
110>     }
111>   ]
112> },
113> ```
114