While everyone knows that hardware security is important, it has never received attention that matches its importance. The Magic V released by Honor on January 10, in addition to the new generation of Snapdragon 8 mobile platform and folding screen, also focused on promoting security features that have not entered the public eye for a long time.
Honor Magic V's official promotion is "one safe and two locks", equipped with Honor's first independent security memory chip, with a dual TEE (Trusted Execution Environment) security system independent of the Android operating system. It has a privacy maintenance mode and can be switched at any time, can remotely lock the SIM card, will also require an account password after being maliciously swiped, and even if the memory chip is physically cracked, it cannot read personal data and many other security features.
There is no doubt that smartphones are the products with the highest level of technological security that ordinary people can access. Today, when smartphones can provide extremely high security, let's take qualcomm as an example to review the security architecture history of the Android camp.
Security hardware evolution in the ARM camp
When it comes to Android, it is naturally inseparable from the ARM instruction set and Qualcomm. The former is a cornerstone of the mobile world, and the latter is synonymous with the Android camp SoC. From the advent of Qualcomm's first generation of Snapdragon S1, the Snapdragon brand has gone through fourteen years, whether it is the Snapdragon S1 to S4 period, or the "Snapdragon 8XX" period, Qualcomm Snapdragon has always been the royal mobile platform of Android flagship. The continuous strengthening of the security capabilities of the Qualcomm Snapdragon platform is the most important security and privacy foundation of the Android ecosystem.
Whether it is the TPM trusted platform module of the desktop platform or the security chip of the mobile terminal, the three elements of security have been pursued: Confidenciality confidentiality, Integrity integrity, and Availability availability. The evolution of the ARM camp security hardware in the past 10 years is itself a history of rapid development and popularization of new features.
The "prehistoric" ARM v7 instruction set introduced the concept of Security Extension, where the CPU can switch between the "normal world and the security world", and the two modes have separate MMU memory management units, TZASC for isolated memory, TZP for isolating peripherals, and CCI bus, which can provide a trusted execution environment without increasing hardware costs.
In the ARM v8.x era, a series of safety features have been introduced:
PAN and UAO (Privileged Execute Never and User Access Only) to some extent separate kernel-state programs from user resources;
PA (Pointer Authentication) and CFI (Control Flow Integrity) prevent jump pointers from being modified, ensure control flow integrity, and prevent ROP attacks;
The next milestone is the introduction of hypervisors by ARM v8.4 in the security world, which supports multiple TEEOS at the software level, and payment services with high security levels can run in separate TEEOS and be isolated in the general TEEOS;
ARM v8.5 introduces BTI (Branch Target Identifiers), which restricts indirect hops and protects against JOP attacks, and MT (Memory Tagging), which flags memory regions to prevent overflows and UAF vulnerabilities;
Arm v9 (Snapdragon 8 Gen 1 generation) introduced the concept of Arm CCA, introducing a new "Realm secret realm" that generates a secure containerized execution environment that is completely opaque to the OS or hypervisor, protects the data and code in use, and shortens the chain of trust.
Qualcomm Snapdragon's security capabilities evolve
Schematic diagram of the components of the Snapdragon 845 that year
From the instruction set upwards to the SoC layer, Qualcomm will take the lead in introducing the latest security features in almost every generation of Snapdragon flagships, and user security and privacy protection measures are being upgraded at a military competition-like rate:
The 2015 Snapdragon 810 introduced the SafeSwitch feature. After losing the phone, you can remotely lock the phone and easily erase the user data on the phone, and SafeSwitch starts before the operating system, making "simple flashing and breaking the account" a thing of the past;
The 2016 Snapdragon 820 introduced Smart Protect, the first product to leverage Qualcomm Zeroth technology with machine learning capabilities. Its signature-based anti-malware service can automatically block the operation of known malware, monitor the background of the mobile phone in real time and make abnormal warnings, and finally achieve the effect of zero-day detection of viruses and malware, and can run offline;
The 2017 Snapdragon 835 has a built-in Qualcomm Haven security platform, including content protection, malware detection, anti-theft, authentication and other 4 aspects. At this time, the Android flagship can already allow sensitive information such as iris and face to be stored in the SoC's TrustZone and isolated from the system. The cooperation with FIDO Alliance, Tencent and other manufacturers has also paved the way for fingerprint and iris mobile payment;
The Snapdragon 845 brings an independent security processing unit, which Qualcomm calls a "security island." This modified Arm SC300 has its own CPU core, independent power supply and flash memory, which can independently store user biometric information such as images, fingerprint recognition, bank cards and other financial information, and has its own encryption engine, which can prevent tampering and replay attacks;
The Snapdragon 855 is the first mobile SoC to achieve smart card-level security, with Common Criteria EAL-4+ global security certification, saving OEMs the hassle of plug-in security chips. Its stronger SPU, which can be used in systems such as Android StrongBox and Gatekeeper, can support offline payments, TPMs, electronic ID cards, encrypted wallets and other functions, and begins to support iSIM applications.
Snapdragon 865 debut support for the latest security credential API of the Android system at that time, and security optimizations have been made for ISP, DSP, and storage, and even if malware is installed, data will not be copied outside the enclave. The new high-pass sensor hub also provides safety protection with extremely low power consumption.
Snapdragon 888 brings a new Type-1 Hypervisor support to the mobile terminal, allowing the phone to enable multiple instances of the same system, while protecting and isolating data, it can switch between different applications and multiple operating systems instantly, and also allow Hypervisor application data to be completely isolated from other applications in the main operating system. It also supports Adobe's CAI digital verification standard, which creates an encrypted imprint on photos to verify the authenticity of digital content.
The new generation of Snapdragon 8, a new mobile security architecture
The all-new Snapdragon 8 was released at the 2021 Snapdragon Technology Summit. At the beginning of the conference, it was close to the hot spot, which was the metacosm. 5G, computer vision, head/eyeball/pose tracking, and tools, 3D reconstruction, perception algorithms, contextual language understanding/audio enhancements, and creative support.
At this time, Snapdragon is already a complete platform containing more than 50 chipsets, and everything must be built on the basis of security. At this year's press conference, the first thing said after the opening speech was safety, ranking higher than images, AI, and games, you know Qualcomm's emphasis on security features.
First, the Hypervisor Deep Protection layer, introduced in the previous generation, is now open source for partners and customers, claiming to allow applications and services to communicate with more parts of the SoC, providing more features in virtualized environments.
Qualcomm also continues to implement its Defense-In-Depth strategy, adding a layer of security to hypervisor – a new Trust Management Engine. It runs under the hypervisor layer of Android and other security services, protecting low-level data and providing an additional root of trust for applications and services, even if the high-level software stack is compromised. This trust management engine can even work with other security technologies such as the cloud to change local policies through website and application credit assessment in the cloud, react to new risks in the first place, and achieve trust protection from the chip to the cloud.
Under Qualcomm's claim to be a vault-level security configuration, the new generation of Snapdragon 8 became the world's first mobile platform to comply with the Android Ready SE standard. The latter is an alliance launched by Google in March 2021 for the research and development and promotion of the SE security chip standard, with the goal of using open source SE security interfaces and programs to enable smart devices such as mobile phones, tablets, and cars to be used as housing keys, car keys, digital wallets / currencies, electronic driver's licenses, passports, and digitize more physical items.
The new Snapdragon 8 is also the first mobile platform that allows creators to mint NFT "non-homogeneous tokens" directly on their phones, which can "stamp" digital content and keep them in the blockchain ledger. Qualcomm also establishes connection security scenarios with governments and communication service providers to implement Stingray pseudo-base station protection, provide malicious cellular network identification, and block its data connection. The new Snapdragon 8's secure processing unit SPU is also integrated with iSIM, so it can replace the physical SIM card and card slot at any time to save valuable body space if the application manufacturer wants.
In addition, the Snapdragon 8 can complete 24/7 visual perception without recording and recording, and it can even detect people next to you peeking at the screen and automatically lock the screen. The improvement of encryption performance also allows Snapdragon 8 to break the continuous write speed limit of 800MB/s of the previous Snapdragon platform.
summary
Although the metaverse is still a popular concept, billions of mobile devices, tens of billions of application calls, hundreds of billions of service requests, and the reshaping of modern life by mobile phones have long put us in the digital "metaverse".
In addition to the popularity of mobile payment, electronic driver's license, and electronic ID card, from the future of VR/AR to the digitization of car keys, wallets, and currencies, digital life will continue to sink and penetrate. The importance of the security features of mobile devices, especially smartphones, cannot be overemphasized.
The basis for the downstream application field to rush forward is the safety technology support that Qualcomm's upstream suppliers do in advance. The 12th year of the birth of modern smartphones and the 8th year of large-scale application of biometrics, the mobile SoC represented by Qualcomm Snapdragon, its software and hardware security functions have been enhanced unprecedented in a round of offensive and defensive battles. The new generation of Snapdragon 8, from TrustZone to Hypervisor, to the trust management engine, Android Ready SE standard and NFT support, has entered a new stage of mobile security.
Technology is so loud when it is looked forward to, and so quiet when it is realized. Now, on the other hand, the underlying security issues of smart devices have never received attention that matches their importance, which may be a good thing. Incredibly low-key, even difficult to perceive, is the perfect footnote to many powerful security features.
Leifeng networkLeifeng networkLeifeng network