| <html devsite><head> |
| <title>Hardware Security Best Practices</title> |
| <meta name="project_path" value="/_project.yaml"/> |
| <meta name="book_path" value="/_book.yaml"/> |
| </head> |
| <body> |
| <!-- |
| Copyright 2018 The Android Open Source Project |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
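| <p id="hardware-security">This page contains recommendations to ensure that the hardware on Android devices contributes to the overall security of the device rather than compromising it.</p> |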
| |
| <h2 id="device-memory">Device memory</h2> |
| |
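| <p>When selecting memory for Android devices, it is important to understand the potential security tradeoffs. For example, certain types of memory can allow <a href="https://en.wikipedia.org/wiki/Row_hammer" class="external">Rowhammer</a>-style attacks to be carried out.</p> |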
| |
| <ul> |
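| <li>Android devices should use memory that includes mitigations against Rowhammer-style attacks. Device manufacturers should work closely with their memory manufacturers for additional details.</li> |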
| </ul> |
| |
| <h2 id="strongbox-keymaster">StrongBox Keymaster</h2> |
| |
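| <p>It is important to securely store and handle the cryptographic keys that are available on the device. On Android devices, this is typically done by using a hardware-backed Keymaster implemented in an isolated environment, such as a Trusted Execution Environment (TEE). It is further recommended to also support a <a href="https://developer.android.com/preview/features/security#hardware-security-module" class="external">StrongBox Keymaster</a>, which is implemented in tamper-resistant hardware.</p> |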
| |
| <ul> |
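| <li>Ensure that the StrongBox Keymaster runs in an environment that has a discrete CPU, secure storage, a high-quality true random number generator, tamper-resistant packaging, and side-channel resistance, so that it meets the requirements to qualify as a StrongBox Keymaster. For more information on these requirements, see section 9.11.2 of the Android 9 CDD.</li> |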
| </ul> |
| |
| </body></html> |