Tizen 4.0 Review

Purpose

Tizen, with which AGL shares most of its security model, has released a new version, 4.0. Having a look at the corrections and improvements made, in particular in the security framework, is valuable.

Overview of Tizen 4

The vision of Samsung for Tizen 4 is mainly that (see 1, 2, 3):

So the security model of Tizen 4 is mainly unchanged.

Valuable content of Tizen 4 for AGL framework

Preliminary

After reviewing the content, packages and differences (see below) between Tizen and AGL, here are our observations.

There is no evolution in the security model of Tizen between version 3 and version 4. However, Tizen is a living project and even if the model didn't change, the implementation evolved: bug fixes, enhanced coverage and tuning of functionalities. Consequently, this work checks the differences between the current states of Tizen and AGL.

AGL implements the same security model as Tizen. But the application framework differs. Consequently, the set of rules applied to the security model differs at some points without changing the model.

One big difference is that AGL leverages systemd as the launcher of applications. Without this mechanism, Tizen needs many services that systemd otherwise provides: a launcher, an NSS library for setting supplementary groups ("initgroups") depending on privileges, and a mounting/namespace service. This difference makes parts of security-manager useless for AGL.

Another difference is the use by AGL of the "binder". The integration of this "binder" component is, after review, beneficial. At least 2 reasons lead to that conclusion: the binder integrates Cynara checks and provides a connection and transport framework.

These differences mean that using Tizen's components inside AGL can be difficult. But this is not always the case: Tizen's sources include the integration of OP-TEE, the open source trusted execution environment within the ARM TrustZone, which implements secure key storage. This can probably be used directly.

Things of interest for AGL security framework

Other things of interest

Content of Tizen 4

The content of Tizen 4 can be analyzed by looking in the build system of Tizen 5.

This build system shows only the flavours "Base" and "Unified" for Tizen 4 (where Tizen 3 showed "Base", "Common", "IVI", "Mobile", "TV", "Wearable"). This results from an effort to provide Tizen as a common basis for all subsystems (see 1).

The build project 6 leads to the repository 7 that contains the binaries and their metadata.

Difference with AGL by components

AGL imports very few components of Tizen: Cynara, Security-manager and DBus with cynara patches.

kernel

Not checked for all flavours:

These are old kernels. Currently the EEL version of AGL runs kernel 4.9 for R-CAR.

dbus

The AGL version of DBUS is stuck at 1.8.18 (2015-05-14) while Tizen upgraded it to version 1.10.6 (2015-12-01).

The current stable upstream version is 1.11.6 (see 8)

Security-Manager and Cynara

The versions used by AGL tend to be old because their integration layer, 'meta-intel-iot-security', removed these components. So the upgrading efforts made at the beginning for AGL were no longer possible and AGL stuck to the last version of 'meta-intel-iot-security' that included them (see SPEC-511).

List of repositories of Tizen 4

This is the annotated list of a selection of repositories of Tizen:

The work consisted of reviewing the content of these repositories (about 16K files, 371M bytes).

platform/core/csapi/tizenfx
 - dot.net export of Tizen native API (capi)

platform/core/account/account-common
platform/core/account/account-manager
platform/core/account/account-parser
 - handle accounts
 - DBus service, but includes calls to cynara

platform/core/account/fido-asm
platform/core/account/fido-client
platform/core/account/fido-syspopup
 - fido framework

platform/core/account/liboauth2
 - OAuth2 facility with embedded EFL webview
 - TODO: check the redirection

platform/core/account/sync-manager
 - queueing of jobs (sync or not)
 - DBus service, but includes calls to cynara

platform/core/api/*
 - Tizen common native API (capi)

platform/core/convergence/*
 - Convergence service (see https://wiki.tizen.org/Convergence)
 - Similar to Identity Manager
 - collaboration of apps across devices through convergence

platform/core/security/askuser
 - ask user for permission consent
 - include the privacy privilege manager

platform/core/security/audit-trail
 - a daemon for trailing security audit logs

platform/core/security/auth-fw
 - manage user passwords

platform/core/security/ca-certificates
 - root certificates and update scripts

platform/core/security/ca-certificates-tizen
 - Tizen specific certificates

platform/core/security/cert-svc
 - Manage certificates (wifi, vpn, email, system, disabled)

platform/core/security/device-certificate-manager
 - certificate management

platform/core/security/cynara
 - cynara framework

platform/core/security/default-ac-domains
 - definition of the common basis smack policy
 - include integration of signal/append
 - include System::Privileged for "onlycap" features
 - include User::Shell for sdb (the adb equivalent of Tizen)
 - here is the basis
    System               System::Log          rwxa
    System               System::Privileged   rwxat
    System               System::Run          rwxat
    System               System::Shared       rwxat
    System               User                 rwxa
    System               User::App::Shared    rwxat
    System               User::Home           rwxat
    System               User::Shell          rwxat
    System               _                    rwxa
    System               ^                    rwxa
    System::Privileged   System               rwxat
    System::Privileged   System::Log          rwxa
    System::Privileged   System::Run          rwxat
    System::Privileged   System::Shared       rwxat
    System::Privileged   User                 rwxa
    System::Privileged   User::App::Shared    rwxat
    System::Privileged   User::Home           rwxat
    System::Privileged   User::Shell          rwxat
    System::Privileged   _                    rwxa
    System::Privileged   ^                    rwxa
    User                 System               wx
    User                 System::Log          rwxa
    User                 System::Privileged   wx
    User                 System::Run          rwxat
    User                 System::Shared       rxl
    User                 User::App::Shared    rwxat
    User                 User::Home           rwxat
    User                 User::Shell          rwxat
    User::Shell          System               wx
    User::Shell          System::Log          w
    User::Shell          System::Run          rxl
    User::Shell          System::Shared       rxl
    User::Shell          User                 wx
    User::Shell          User::App::Shared    rwxat
    User::Shell          User::Home           rxl
    _                    System               wx
    _                    System::Privileged   wx
    _                    System::Run          rwxat
    ^                    System               rwxa
    ^                    System::Log          rwxa
    ^                    System::Privileged   rwxa
    ^                    System::Run          rwxat
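To make the basis above concrete, here is an added example (not code from Tizen, AGL or this review) of a small checker that loads a subset of these rules and answers "may subject S access object O with modes M?" using the built-in Smack label semantics documented for the Linux kernel: the '*' star label as subject is always denied and as object always allowed, equal labels are allowed, the '^' hat label may read/execute anything, the '_' floor label may be read/executed by anyone, and everything else needs an explicit rule covering every requested mode. The rule subset embedded in the code is copied from the table above; the function names, the `writers_of` audit helper and the omission of the '@' web label are assumptions of this example.

```python
"""Minimal Smack access checker for rule tables like the default-ac-domains
basis above.  Added example: not code from Tizen, AGL or this review.
The built-in label semantics follow the Linux kernel Smack documentation
('*' star, '_' floor, '^' hat, same label); the '@' web label is not modelled.
"""

# Subset of rules copied from the default-ac-domains table above.
SMACK_RULES_TEXT = """
System               System::Log          rwxa
System               User                 rwxa
System               _                    rwxa
System::Privileged   System               rwxat
User                 System               wx
User                 System::Log          rwxa
User                 System::Privileged   wx
User                 System::Run          rwxat
User                 System::Shared       rxl
User::Shell          System::Log          w
User::Shell          User::Home           rxl
_                    System               wx
^                    System               rwxa
"""

ACCESS_MODES = frozenset("rwxatl")   # read, write, exec, append, transmute, lock
ANYREAD = frozenset("rx")            # what hat/floor grant without an explicit rule


def parse_rules(text):
    """Parse 'subject object modes' lines into {(subject, object): set(modes)}."""
    rules = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed rule: {raw!r}")
        subject, obj, modes = parts
        mode_set = set(modes) - {"-"}          # '-' means "no access" in smackload syntax
        if not mode_set <= ACCESS_MODES:
            raise ValueError(f"unknown access mode in rule: {raw!r}")
        rules[(subject, obj)] = mode_set
    return rules


def smack_access(rules, subject, obj, requested):
    """True if every letter in `requested` is allowed for subject -> object."""
    req = set(requested)
    if not req or not req <= ACCESS_MODES:
        raise ValueError(f"bad access request: {requested!r}")
    if subject == "*":                     # star as subject is always denied
        return False
    if obj == "*":                         # star as object allows everything
        return True
    if subject == obj:                     # same label is always allowed
        return True
    if subject == "^" and req <= ANYREAD:  # hat may read/exec anything
        return True
    if obj == "_" and req <= ANYREAD:      # anyone may read/exec the floor
        return True
    # Beyond here an explicit rule must cover every requested mode.
    return req <= rules.get((subject, obj), set())


def writers_of(rules, obj):
    """Labels granted write or append on `obj` by an explicit rule (audit helper)."""
    return sorted(s for (s, o), modes in rules.items()
                  if o == obj and modes & {"w", "a"})


SMACK_RULES = parse_rules(SMACK_RULES_TEXT)

if __name__ == "__main__":
    queries = [("User", "System", "w"), ("User", "System", "r"),
               ("User::Shell", "System::Log", "w"), ("User::Shell", "System::Log", "r"),
               ("^", "User::Home", "rx"), ("^", "User::Home", "w"),
               ("_", "System", "rw")]
    for subj, obj, mode in queries:
        print(f"{subj:12} -> {obj:12} {mode:3}: {smack_access(SMACK_RULES, subj, obj, mode)}")
    print("writers of System::Log:", writers_of(SMACK_RULES, "System::Log"))
```

Running the script shows, for instance, that User::Shell may only write System::Log (not read it), that the hat label reads User::Home without any explicit rule while still needing one to write it, and that a floor-labelled subject has no read access to System because its rule only grants "wx". The `writers_of` helper is the kind of question a reviewer asks of such a table: which labels can append to the log object.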

platform/core/security/device-policy-client
 - client library for accessing the device policy manager

platform/core/security/device-policy-manager
 - the device policy manager

platform/core/security/dpm-application
platform/core/security/dpm-auth
platform/core/security/dpm-bluetooth
platform/core/security/dpm-browser
platform/core/security/dpm-email
platform/core/security/dpm-location
platform/core/security/dpm-media
platform/core/security/dpm-security
platform/core/security/dpm-storage
platform/core/security/dpm-telephony
platform/core/security/dpm-usb
platform/core/security/dpm-wifi
platform/core/security/dpm-zone
 - same as device-policy-client but split

platform/core/security/drm-service-core-tizen
 - decryption of apps with licensing data

platform/core/security/hash-signer
 - tool for signing widgets off-line

platform/core/security/key-manager
 - key and cert service client of trust zone

platform/core/security/klay
 - library of general use for C++

platform/core/security/krate
platform/core/security/libkrate
 - execution of applications in a separate user context (krate)
 - encrypted file-system per user
 - client library inside the krate
 - DRAFT

platform/core/security/libcryptsvc
 - crypto wrapper above OpenSSL for drm-service-core-tizen

platform/core/security/libwebappenc
 - service for encrypting/decrypting data per application

platform/core/security/nether
 - service for enforcing network access (netlink + netfilter)

platform/core/security/nice-lad
 - DRAFT analysis of audit and logs

platform/core/security/ode
platform/core/security/ode-ui
 - encryption/decryption of storage

platform/core/security/privacy-guard
 - client/server for permission management

platform/core/security/privilege-checker
 - manage privileges (definition and translations database)

platform/core/security/privilege-info
 - display name and explanation of privileges

platform/core/security/pubkey-pinning
 - deprecated

platform/core/security/security-config
 - setting of security

platform/core/security/security-manager
 - database of application/package/user/...
 - smack rules template
 - service for installing/uninstalling apps
 - service for shared buffers
 - NSS module for initialization of supplementary groups
 - management of digital licenses

platform/core/security/tef-dummy
platform/core/security/tef-optee_client
 - trust zone environment client library

platform/core/security/tef-optee_os
 - trust zone environment for rpi3

platform/core/security/tef-simulator
 - trust zone environment simulator

platform/core/security/trust-anchor
 - manage certificates of applications

platform/core/security/trusted
 - key manager in ARM trust zone

platform/core/security/yaca
 - yet another crypto api

platform/core/system/argos_watchdog
 - wrapper above systemd watchdog

platform/core/system/buxton2
 - storage subsystem

platform/core/system/crash-worker
 - various binaries for dumping system/state/core/stack

platform/core/system/deviced
 - service for hardware device control
 - use device-node

platform/core/system/dlog
 - logging utility

platform/core/system/dockzen-launcher
 - docker integration service

platform/core/system/factory-reset
 - restore factory settings

platform/core/system/faultd
 - collect faults (audit, systemd, startup) and react to them

platform/core/system/feedbackd
 - vibration feedback

platform/core/system/initrd
platform/core/system/initrd-fota
platform/core/system/initrd-recovery
 - initial ramdisk

platform/core/system/libdbuspolicy
 - library for querying dbus policy (and cynara)

platform/core/system/libdevice-node
 - manage device

platform/core/system/libstorage
 - library for storage management

platform/core/system/libsvi
 - sound and vibration feedback library

platform/core/system/libtota
 - FOTA with delta files

platform/core/system/libtracker
 - obscure tracking system for download, media, network, location, sensor, iot

platform/core/system/memps
 - dump of memory use

platform/core/system/pass
 - power aware system service
 - use device-node

platform/core/system/peripheral-bus
 - gpio, i2c, spi, uart, pwm handling

platform/core/system/resourced
platform/core/system/resourced-headless
 - daemon that manages resources (with headless version)

platform/core/system/sensord
 - library for accessing sensors

platform/core/system/session-utils
 - utilities for session control in user environment

platform/core/system/storaged
 - daemon for storage management

platform/core/system/tizen-platform-config
platform/core/system/tizen-platform-config-meta
 - setting of directories

platform/core/system/tlm
 - Tizen login manager