1 -> System Definition
HarmonyOS is a new distributed operating system for the Internet of Everything era.
Building on traditional single-device system capabilities, HarmonyOS proposes a distributed model in which one set of system capabilities is adapted to many device forms. It supports terminal devices such as mobile phones, tablets, smart wearables, smart screens, in-vehicle head units, PCs, smart speakers, headphones, and AR/VR glasses, and provides all-scenario service capabilities (mobile office, sports and health, social communication, media and entertainment, and so on).
HarmonyOS has three main features:
Devices running this operating system are integrated at the system level into a super terminal, so that the hardware capabilities of the devices can be flexibly extended and hardware can be shared and can assist across devices. For consumers, HarmonyOS integrates the capabilities of the devices in everyday scenarios to achieve fast connection, mutual assistance, and resource sharing between different devices, matching the right device to the task to provide a smooth all-scenario experience.
For developers, it enables one-time development and multi-device deployment. For application developers, HarmonyOS uses a range of distributed technologies to make application development independent of the differences between device forms, so that developers can focus on upper-layer business logic and develop applications more conveniently and efficiently.
One operating system meets the requirements of devices with different capabilities: a unified OS, flexibly deployed. For device developers, HarmonyOS adopts a component-based design that can be tailored to the resource capacity and service characteristics of each device, meeting the operating system requirements of different forms of terminal device.
HarmonyOS provides APIs that support multiple development languages for developers to develop applications. Supported development languages include Java, XML (Extensible Markup Language), C/C++, JS (JavaScript), Cascading Style Sheets (CSS), and HarmonyOS Markup Language (HML).
2 -> Technical Architecture
HarmonyOS follows a layered design, starting from bottom to top: kernel layer, system service layer, framework layer, and application layer. System functions are developed according to "system > subsystem > functions/modules", and in multi-device deployment scenarios, some non-essential subsystems or functions/modules can be tailored according to actual needs.
2.1 -> Kernel Layer
Kernel Subsystem: HarmonyOS uses a multi-kernel design, so the appropriate OS kernel can be selected for different resource-constrained devices. The Kernel Abstraction Layer (KAL) shields the differences between kernels and provides basic kernel capabilities to the upper layers, including process/thread management, memory management, file system, network management, and peripheral management.
Driver Subsystem: The Hardware Driver Framework (HDF) is the open foundation of the HarmonyOS hardware ecosystem, providing unified peripheral access capabilities and driver development and management frameworks.
2.2 -> System Service Layer
The system service layer is a set of core capabilities of HarmonyOS, which provides services to applications through the framework layer. This layer consists of the following sections:
Basic system capability subsystem set: It provides basic capabilities for the operation, scheduling, and migration of distributed applications across HarmonyOS devices, and consists of the distributed software bus, distributed data management, distributed task scheduling, Ark multi-language runtime, common basic library, multi-mode input, graphics, security, and AI subsystems. Among them, the Ark runtime provides a C/C++/JS multi-language runtime and basic system class libraries, and also provides a runtime for static Java programs (that is, the parts of the application or framework layer developed in Java) compiled with the Ark compiler.
Basic Software Service Subsystem: Provides public and general software services for HarmonyOS, including event notification, telephony, multimedia, DFX (Design For X), MSDP, and DV.
Enhanced Software Service Subsystem Set: Provides HarmonyOS with differentiated, capability-enhancing software services for different devices, consisting of smart screen proprietary services, wearable proprietary services, IoT proprietary services, and other subsystems.
Hardware service subsystem set: provides hardware services for HarmonyOS, including location services, biometrics, wearable proprietary hardware services, and IoT proprietary hardware services.
According to the deployment environment of different device forms, the basic software service subsystem set, the enhanced software service subsystem set, and the hardware service subsystem set can be trimmed according to the subsystem granularity, and each subsystem can be trimmed according to the functional granularity.
2.3 -> Framework Layer
The framework layer provides HarmonyOS application development with multi-language user application frameworks (ArkTS/JS/C/C++/Java), two UI frameworks (ArkUI for ArkTS/JS, and the Java UI framework for Java), and multi-language framework APIs for the various software and hardware services. Depending on how the system has been tailored at the component level, the APIs supported by a HarmonyOS device will vary.
2.4 -> Application Layer
The application layer includes system applications and third-party non-system applications. An application in HarmonyOS consists of one or more Feature Abilities (FAs) or Particle Abilities (PAs). An FA has a UI and provides the ability to interact with users; a PA has no UI and provides background task execution and a unified data access abstraction. The background data access that an FA needs for user interaction is likewise supported by a corresponding PA. Applications developed on FA/PA can implement specific business functions, support cross-device scheduling and distribution, and give users a consistent and efficient application experience.
3 -> System Security
Distributed devices running HarmonyOS ensure that "the right person uses the right data correctly through the right device."
The "right person" is ensured through distributed, multi-device collaborative identity authentication.
The "right device" is ensured by building a trusted operating environment on distributed terminals.
The "correct use of data" is ensured by classifying and hierarchically managing distributed data as it flows across terminals.
3.1 -> The right person
In the distributed terminal scenario, the "right person" refers to data accessors and business operators who have passed identity authentication. The "right person" is a prerequisite for ensuring that user data is not accessed illegally and that user privacy is not leaked. HarmonyOS implements collaborative identity authentication in the following three ways:
Zero Trust Model: HarmonyOS implements user authentication and data access control on a zero-trust model. When a user needs to access data resources across devices or initiate a high-security business operation (such as an operation on a security device), HarmonyOS authenticates the user to ensure that their identity is reliable.
Multi-Factor Fusion Authentication: HarmonyOS uses user identity management to associate the authentication credentials that identify the same user on different devices, identifying a user with greater accuracy.
Collaborative Authentication: By decoupling hardware from authentication capability (that is, information collection and authentication can be completed on different devices), HarmonyOS pools resources and capabilities across devices and shares them, so that a device with a higher security level can assist a device with a lower security level to complete user authentication.
3.2 -> The right device
In the distributed terminal scenario, user data on the virtual terminal can only be effectively protected, and leakage of user privacy avoided, if the device the user is using is safe and reliable.
Secure Boot: Ensures at the source that the system firmware and applications running on each virtual terminal are intact and untampered. With secure boot, each device manufacturer's image package cannot easily be replaced with a malicious program, which protects user data and privacy.
Trusted Execution Environment: A hardware-based Trusted Execution Environment (TEE) protects the storage and processing of users' sensitive personal data and ensures that it is not leaked. Because the hardware security capabilities of distributed terminals differ, users' sensitive personal data needs to be stored and processed on high-security devices. HarmonyOS uses a formally verified TEE microkernel, developed and verified with mathematically provable formal methods, which has obtained CC EAL5+ certification for a commercial OS kernel.
Device Certificate Authentication: Devices with a TEE can be preset with a device certificate to prove their security capability to other virtual terminals. For such devices, a PKI (Public Key Infrastructure) certificate is preset to prove the identity of the device and that it was legitimately manufactured. The device certificate is preset on the production line; its private key is written to and securely stored in the device's TEE and is used only inside the TEE. When a user's sensitive data (such as keys or encrypted biometric data) must be transmitted, the device certificate is first used to verify the peer's secure environment, and then a secure channel is established from the TEE of one device to the TEE of the other.
3.3 -> Correct use of data
In the distributed terminal scenario, it is necessary to ensure that users use data correctly. HarmonyOS protects data throughout its lifecycle, from generation through storage, use, transmission, and destruction, to ensure that personal data, privacy, and confidential data (such as keys) are not leaked.
Data Generation: Data is classified and graded according to the laws, regulations, and standards of the country or organization where it resides, and a protection level is set according to the classification. From the moment it is generated, data of each protection level must be protected at the corresponding level of security under the matching security policies throughout storage, use, and transmission. The super terminal's access control system supports tag-based access control policies, ensuring that data can only be stored, used, and transmitted on virtual terminals that provide adequate security protection.
Data Storage: HarmonyOS protects data by distinguishing security levels and storing data in partitions with different security protection capabilities. It also provides seamless cross-device key flow and cross-device key access control throughout the key lifecycle, supporting services such as distributed identity authentication collaboration and distributed data sharing.
Data Usage: HarmonyOS provides devices with a hardware-based trusted execution environment. Users' sensitive personal data is used only inside the trusted execution environment of the distributed virtual terminal, ensuring the security and privacy of that data.
Data Transmission: To ensure that data flows securely between the virtual terminals of the super terminal, each device must be trusted and a trust relationship established (multiple devices can be paired through a HUAWEI ID); after the trust relationship is verified, a secure connection channel can be established and data transmitted securely according to the data flow rules. When devices communicate with each other, they are authenticated based on their identity credentials, and a secure encrypted transmission channel is established on that basis.
Data Destruction: Data is destroyed when its key is destroyed. Data storage on the virtual terminal is key-based, so destroying the corresponding key is all that is needed to destroy the data.
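The tag-based storage policy from "Data generation" and the key-based destruction from "Data destruction" can be seen together in this added Go example (constructed for this page, not HarmonyOS code): each record is encrypted under its own key with its protection level bound as AEAD associated data, a terminal accepts a record only if it is rated at or above that level, and destroying the record means wiping and dropping its key while the ciphertext may remain. The level scale and the Store type are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Protection levels are set at data generation (0 public, 1 internal, 2 sensitive) and
// virtual terminals are rated on the same scale; constructed values, not HarmonyOS's own tags.
type record struct {
	level          uint8
	key, nonce, ct []byte // the per-record key is all that destruction has to remove
}
// Store models one virtual terminal's storage partition and its security level.
type Store struct {
	deviceLevel uint8
	records     map[string]*record
}
func NewStore(deviceLevel uint8) *Store { return &Store{deviceLevel, map[string]*record{}} }
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // 32-byte key, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Put enforces the tag-based policy (data only on a terminal rated at or above its level)
// and binds the level as AEAD associated data so a stored tag cannot be downgraded.
func (s *Store) Put(id string, level uint8, plaintext []byte) error {
	if level > s.deviceLevel {
		return fmt.Errorf("level-%d device cannot hold level-%d data", s.deviceLevel, level)
	}
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	s.records[id] = &record{level, key, nonce, aead(key).Seal(nil, nonce, plaintext, []byte{level})}
	return nil
}
// Get fails once the key is gone, even though the ciphertext is still there.
func (s *Store) Get(id string) ([]byte, error) {
	if r, ok := s.records[id]; ok && r.key != nil {
		return aead(r.key).Open(nil, r.nonce, r.ct, []byte{r.level})
	}
	return nil, fmt.Errorf("%s: data destroyed or never stored", id)
}
// Destroy implements "data is destroyed when the key is destroyed": wipe, then drop the key.
func (s *Store) Destroy(id string) {
	if r, ok := s.records[id]; ok {
		copy(r.key, make([]byte, len(r.key)))
		r.key = nil
	}
}
```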