{"id":500,"date":"2023-10-22T11:53:45","date_gmt":"2023-10-22T03:53:45","guid":{"rendered":"https:\/\/vm1.go2see.me\/?p=500"},"modified":"2023-10-22T12:04:01","modified_gmt":"2023-10-22T04:04:01","slug":"500","status":"publish","type":"post","link":"https:\/\/vm1.go2see.me\/?p=500","title":{"rendered":"AGL \u5b89\u5168\u85cd\u5716"},"content":{"rendered":"<h1><a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/01_Overview\">AGL \u5b89\u5168\u85cd\u5716<\/a>(master 2023-09)<\/h1>\n<blockquote>\n<p>\u6f22\u5316\u5f8c\u7a0d\u5fae\u6aa2\u67e5\u4e86\u4e00\u4e0b\u5f88\u9069\u5408\u6211\u5011\u53c3\u8003\u3002<\/p>\n<\/blockquote>\n<h2>1. <a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/01_Overview\/\">\u5b89\u5168\u85cd\u5716\u6982\u89bd<\/a><\/h2>\n<p>\u8207\u904e\u53bb\u7684\u6c7d\u8eca\u76f8\u6bd4\uff0c\u73fe\u4ee3\u6c7d\u8eca\u7684\u6280\u8853\u66f4\u52a0\u8907\u96dc\uff0c\u4e5f\u66f4\u52a0\u4e0d\u540c\u3002\u6211\u5011\u770b\u5230\u4e86\u66f4\u5ee3\u6cdb\u7684\u65b0\u7279\u6027\u548c\u529f\u80fd\uff0c\u4ee5\u53ca\u66f4\u8907\u96dc\u7684\u8edf\u9ad4\u3002\u53ef\u4ee5\u516c\u5e73\u5730\u8aaa\uff0c\u7576\u4eca\u5e02\u5834\u4e0a\u63a8\u51fa\u7684\u6c7d\u8eca\u8207\u624b\u6a5f\u7b49\u8a08\u7b97\u8a2d\u5099\u6bd4\u5176\u524d\u8f29\u6709\u66f4\u591a\u7684\u5171\u540c\u9ede\u3002\u73fe\u4ee3\u6c7d\u8eca\u88fd\u9020\u5546\u9084\u70ba\u9019\u4e9b\u201c\u4e92\u806f\u201d\u6c7d\u8eca\u96c6\u6210\u4e86\u5c0d\u5404\u7a2e\u901a\u4fe1\u6280\u8853\u7684\u652f\u6301\u3002\u96a8\u8457\u6b64\u985e\u8eca\u8f1b\u7684\u51fa\u73fe\uff0cLinux \u5df2\u6210\u70ba\u8edf\u9ad4\u5e73\u53f0\u7684\u81ea\u7136\u9078\u64c7\uff0c\u6c7d\u8eca\u7d1a Linux 
\u5c31\u662f\u4e00\u500b\u5f88\u6709\u524d\u666f\u7684\u4f8b\u5b50\u3002<\/p>\n<p>\u5f9e\u5b89\u5168\u89d2\u5ea6\u4f86\u770b\uff0c\u806f\u7db2\u6c7d\u8eca\u7684\u9060\u7a0b\u529f\u80fd\u6703\u5c0e\u81f4\u66f4\u5927\u7684\u653b\u64ca\u9762\u3002\u9019\u958b\u555f\u4e86\u4e00\u500b\u5168\u65b0\u7684\u5b89\u5168\u6f0f\u6d1e\u4e16\u754c\uff0c\u9700\u8981\u5728\u67b6\u69cb\u8a2d\u8a08\u904e\u7a0b\u4e2d\u4e88\u4ee5\u8003\u616e\u3002\u6b77\u53f2\u8868\u660e\uff0c\u5c0d\u8a2d\u5099\u7684\u7269\u7406\u8a2a\u554f\u8db3\u4ee5\u8b93\u9ed1\u5ba2\u7372\u5f97 root \u6b0a\u9650\u3002\u9019\u4f7f\u5f97\u6c7d\u8eca\u6210\u70ba\u4e00\u500b\u5145\u6eff\u6575\u610f\u7684\u74b0\u5883\u3002<\/p>\n<p><strong><em>\u5b89\u5168\u85cd\u5716\u8a18\u9304\u4e86\u4f5c\u70ba\u6c7d\u8eca\u7d1a Linux (AGL) \u4e00\u90e8\u5206\u5305\u542b\u7684\u5b89\u5168\u529f\u80fd\uff0c\u4e26\u78ba\u5b9a\u4e86\u4f5c\u70ba AGL \u4e00\u90e8\u5206\u5f9e\u5b89\u5168\u89d2\u5ea6\u9700\u8981\u89e3\u6c7a\u7684\u9818\u57df\u3002\u5b83\u9084\u63d0\u4f9b\u4e86\u6709\u95dc\u73fe\u6709\u6280\u8853\u548c\u89e3\u6c7a\u65b9\u6848\u7684\u6307\u5c0e\u3002<\/em><\/strong><\/p>\n<p>\u5b89\u5168\u57df\u5c07\u5141\u8a31\u6211\u5011\u5275\u5efa\u4e00\u7d44\u6e2c\u8a66\u4f86\u9a57\u8b49\u6c7d\u8eca\u7d1a Linux \u7684\u5b89\u5168\u6027\u3002<\/p>\n<p>\u672c\u6587\u6a94\u9996\u5148\u57fa\u65bc\u73fe\u6709\u7684 AGL \u5b89\u5168\u85cd\u5716\u3002<\/p>\n<blockquote>\n<p><strong>\u70ba\u4e86\u4fdd\u8b49\u5b89\u5168\u6709\u6548\uff0c\u6982\u5ff5\u5fc5\u9808\u7c21\u55ae\u3002\u9ed8\u8a8d\u60c5\u6cc1\u4e0b\uff0c\u4efb\u4f55\u4e0d\u5141\u8a31\u7684\u4e8b\u60c5\u90fd\u662f\u88ab\u7981\u6b62\u7684\u3002<\/strong><\/p>\n<\/blockquote>\n<p>\u6211\u5011\u5c07\u6db5\u84cb\u5f9e\u6700\u4f4e\u7d1a\u5225\uff08<em>\u786c\u9ad4<\/em>\uff09\u5230\u6700\u9ad8\u7d1a\u5225\uff08<em>\u9023\u63a5<\/em>\u548c<em>\u61c9\u7528\u7a0b\u5e8f<\/em>\uff09\u7684\u4e3b\u984c\u3002\u6211\u5011\u5c07\u5728 
<em>\u786c\u9ad4<\/em>\u548c<em>\u9023\u63a5\u65b9\u9762<\/em>\u5feb\u901f\u63a1\u53d6\u884c\u52d5\uff0c\u56e0\u70ba\u6211\u5011\u7684\u7d1a\u5225\u4e0d\u652f\u6301\u9019\u4e00\u9ede\u3002\u9023\u63a5\u554f\u984c\u7684\u89e3\u6c7a\u65b9\u6848\u6d89\u53ca\u66f4\u65b0\u548c\u5b89\u5168\u914d\u7f6e\uff0c\u800c\u786c\u9ad4\u5b89\u5168\u5247\u8207\u88fd\u9020\u5546\u76f8\u95dc\u3002<\/p>\n<h3>1.1 \u653b\u64ca\u5c0d\u624b Adversaries<\/h3>\n<p>\u6c7d\u8eca\u9818\u57df\u7684\u5c0d\u624b\u548c\u653b\u64ca\u8005:<\/p>\n<ul>\n<li>\n<h4>1. \u72c2\u71b1\u653b\u64ca\u8005 Enthusiast Attackers<\/h4>\n<\/li>\n<\/ul>\n<p>\u72c2\u71b1\u653b\u64ca\u8005\u53ef\u4ee5\u5728\u96fb\u8def\u677f\u7d1a\u5225\u7269\u7406\u8a2a\u554f\u767c\u52d5\u6a5f\u63a7\u5236\u55ae\u5143 (ECU)\u3002\u4ed6\u5011\u53ef\u4ee5\u5c07\u201c\u6a21\u7d44\u82af\u7247\u201d\u710a\u63a5\u5230\u96fb\u8def\u677f\u4e0a\uff0c\u4e26\u53ef\u4ee5\u4f7f\u7528\u63a2\u6e2c\u5de5\u5177\u3002\u4ed6\u5011\u9084\u64c1\u6709\u6709\u95dc\u5148\u524d\u53d7\u5230\u640d\u5bb3\u7684 ECU \u7684\u4fe1\u606f\uff0c\u4e26\u53ef\u4ee5\u8a2a\u554f\u6c7d\u8eca\u6539\u88dd\u8ad6\u58c7\u5176\u4ed6\u6210\u54e1\u958b\u767c\u7684\u8edf\u9ad4\u548c\u6307\u4ee4\u3002\u72c2\u71b1\u9ed1\u5ba2\u7684\u76ee\u6a19\u53ef\u80fd\u662f\u4f46\u4e0d\u9650\u65bc\u70ba\u6c7d\u8eca\u589e\u52a0\u984d\u5916\u7684\u99ac\u529b\u6216\u53ea\u662f\u70ba\u4e86\u597d\u73a9\u800c\u9032\u884c\u9ed1\u5ba2\u653b\u64ca\u3002<\/p>\n<ul>\n<li>\n<h4>2. 
\u8150\u6557\u7684\u6c7d\u8eca\u7d93\u92b7\u5546 Corrupt Automotive Dealers<\/h4>\n<\/li>\n<\/ul>\n<p>\u8150\u6557\u7684\u6c7d\u8eca\u7d93\u92b7\u5546\u662f\u653b\u64ca\u8005\uff0c\u4ed6\u5011\u53ef\u4ee5\u8a2a\u554f\u8207\u72c2\u71b1\u8005\u76f8\u540c\u7684\u529f\u80fd\uff0c\u4f46\u4e5f\u53ef\u4ee5\u8a2a\u554f\u6c7d\u8eca\u88fd\u9020\u5546 (OEM) \u7684\u7d93\u92b7\u5546\u7db2\u7d61\u3002\u4ed6\u5011\u9084\u53ef\u4ee5\u8a2a\u554f\u6c7d\u8eca\u88fd\u9020\u5546\u63d0\u4f9b\u7684\u6a19\u6e96\u8abf\u8a66\u5de5\u5177\u3002\u4ed6\u5011\u7684\u76ee\u6a19\u53ef\u80fd\u662f\u652f\u6301\u7576\u5730\u7684\u6c7d\u8eca\u76dc\u7aca\u5718\u4f19\u6216\u6709\u7d44\u7e54\u7684\u72af\u7f6a\u5206\u5b50\u3002<\/p>\n<ul>\n<li>\n<h4>3. \u6709\u7d44\u7e54\u7684\u72af\u7f6a\u5206\u5b50 Organized Criminals<\/h4>\n<\/li>\n<\/ul>\n<p>\u6709\u7d44\u7e54\u7684\u72af\u7f6a\u5206\u5b50\u53ef\u4ee5\u8a2a\u554f\u4e0a\u8ff0\u6240\u6709\u5de5\u5177\uff0c\u4f46\u4e5f\u53ef\u80fd\u5c0d\u8a31\u591a\u7d93\u92b7\u5546\u7684\u5167\u90e8\u7db2\u7d61\u6709\u4e00\u5b9a\u7a0b\u5ea6\u7684\u63a7\u5236\u3002\u4ed6\u5011\u53ef\u80fd\u5165\u4fb5\u4e26\u7372\u5f97\u4e86\u5c0d\u7121\u7dda (OTA) \u670d\u52d9\u5668\u6216\u8eca\u8f09\u4fe1\u606f\u5a1b\u6a02 (IVI) \u7cfb\u7d71\u7684\u81e8\u6642\u63a7\u5236\u3002\u9019\u8207\u7576\u4eca\u4ed8\u8cbb\u5a92\u9ad4\u7b49\u5176\u4ed6\u884c\u696d\u4e2d\u7684\u6709\u7d44\u7e54\u72af\u7f6a\u5206\u5b50\u6240\u626e\u6f14\u7684\u89d2\u8272\u975e\u5e38\u76f8\u4f3c\u3002\u4ed6\u5011\u7684\u76ee\u6a19\u662f\u901a\u904e\u5a01\u8105\u505c\u7528\u591a\u8f1b\u8eca\u8f1b\u4f86\u5411\u539f\u59cb\u8a2d\u5099\u88fd\u9020\u5546\u548c\/\u6216\u653f\u5e9c\u52d2\u7d22\u91d1\u9322\u3002<\/p>\n<ul>\n<li>\n<h4>4. 
\u60e1\u610f\u8edf\u9ad4\u958b\u767c\u8005 Malware Developers<\/h4>\n<\/li>\n<\/ul>\n<p>\u60e1\u610f\u8edf\u9ad4\u958b\u767c\u4eba\u54e1\u958b\u767c\u4e86\u60e1\u610f\u8edf\u9ad4\u4f86\u653b\u64ca\u548c\u5371\u5bb3\u5927\u91cf\u8eca\u8f1b\u3002\u60e1\u610f\u8edf\u9ad4\u901a\u5e38\u65e8\u5728\u5f9e\u4e00\u8f1b\u8eca\u50b3\u64ad\u5230\u53e6\u4e00\u8f1b\u8eca\u3002\u901a\u5e38\uff0c\u76ee\u6a19\u662f\u63a7\u5236\u591a\u53f0\u8a08\u7b97\u6a5f\uff0c\u7136\u5f8c\u51fa\u65bc\u60e1\u610f\u76ee\u7684\u51fa\u552e\u5c0d\u5b83\u5011\u7684\u8a2a\u554f\u6b0a\u9650\uff0c\u4f8b\u5982\u62d2\u7d55\u670d\u52d9 (DoS) \u653b\u64ca\u6216\u7aca\u53d6\u79c1\u4eba\u4fe1\u606f\u548c\u6578\u64da\u3002<\/p>\n<ul>\n<li>\n<h4>5. \u5b89\u5168\u7814\u7a76\u4eba\u54e1 Security Researchers<\/h4>\n<\/li>\n<\/ul>\n<p>\u5b89\u5168\u7814\u7a76\u4eba\u54e1\u662f\u201c\u81ea\u6211\u5ba3\u50b3\u201d\u7684\u5b89\u5168\u9867\u554f\uff0c\u8a66\u5716\u8b93\u81ea\u5df1\u51fa\u540d\u3002\u4ed6\u5011\u53ef\u4ee5\u4f7f\u7528\u8edf\u9ad4\u5b89\u5168\u5206\u6790\u7684\u6a19\u6e96\u5de5\u5177\u3002\u4ed6\u5011\u9084\u53ef\u4ee5\u7269\u7406\u8a2a\u554f\u8eca\u8f1b\u548c\u6a19\u6e96\u786c\u9ad4\u8abf\u8a66\u5de5\u5177\uff08\u908f\u8f2f\u5206\u6790\u5100\u3001\u793a\u6ce2\u5668\u7b49\uff09\u3002\u4ed6\u5011\u7684\u76ee\u6a19\u662f\u70ba\u4e86\u500b\u4eba\u5229\u76ca\u800c\u516c\u958b\u653b\u64ca\uff0c\u6216\u8005\u53ea\u662f\u70ba\u4e86\u7372\u5f97\u500b\u4eba\u7406\u89e3\uff0c\u4ee5\u5e6b\u52a9\u4f7f\u4e8b\u60c5\u8b8a\u5f97\u66f4\u52a0\u5b89\u5168\u3002<\/p>\n<h3>1.2 \u653b\u64ca\u76ee\u6a19 Attack Goals<\/h3>\n<p>\u5728\u7576\u4eca\u7684\u4e92\u806f\u8eca\u8f1b\u4e2d\uff0c\u8d8a\u4f86\u8d8a\u591a\u7684\u529f\u80fd\u6b63\u5728\u8f49\u5411\u8edf\u9ad4\u63a7\u5236\uff0c\u9019\u610f\u5473\u8457\u653b\u64ca\u7684\u5a01\u8105\u8b8a\u5f97\u8d8a\u4f86\u8d8a\u5927\u3002\u6211\u5011\u770b\u5230\u5c0e\u822a\u548c\u53ec\u559a\u3001\u6c7d\u8eca\u8a2a\u554f\/\u767c\u52d5\u6a5f\u555f\u52d5\u4ee5\u53ca\u96fb\u6a5f\/ECU 
\u5347\u7d1a\u7b49\u6c7d\u8eca\u529f\u80fd\u5747\u901a\u904e\u8edf\u9ad4\u548c\u96f2\u9023\u63a5\u9032\u884c\u63a7\u5236\u3002\u7531\u65bc\u5b58\u5728\u9ad8\u50f9\u503c\u76ee\u6a19\uff0c\u56e0\u6b64\u53d7\u5230\u653b\u64ca\u7684\u98a8\u96aa\u5f88\u9ad8\u3002<\/p>\n<p>\u5728\u9019\u88e1\uff0c\u6211\u5011\u6982\u8ff0\u4e86\u4e00\u4e9b\u4e3b\u8981\u5a01\u8105\u985e\u5225\u4ee5\u53ca\u4e00\u4e9b\u793a\u4f8b\u653b\u64ca\u8005\u3001\u793a\u4f8b\u653b\u64ca\u548c\u76f8\u5c0d\u91cd\u8981\u6027\u3002\u9019\u4e9b\u5a01\u8105\u985e\u5225\u65e8\u5728\u4f5c\u70ba\u4e00\u822c\u793a\u4f8b\u3002\u5a01\u8105\u985e\u578b\u53ef\u80fd\u5b58\u5728\u8a31\u591a\u7d30\u5fae\u5dee\u5225\u3002\u6b64\u5916\uff0c\u53ef\u80fd\u6709\u8a31\u591a\u5b50\u653b\u64ca\u6700\u7d42\u5c0e\u81f4\u9019\u4e9b\u66f4\u9ad8\u7d1a\u5225\u7684\u653b\u64ca\u76ee\u6a19\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th>\u5a01\u8105\u985e\u5225<\/th>\n<th>\u653b\u64ca\u8005\u6a23\u672c<\/th>\n<th>\u653b\u64ca\u793a\u4f8b<\/th>\n<th>\u76f8\u5c0d\u91cd\u8981\u6027<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\u7aca\u53d6\u8eca\u8f1b<\/td>\n<td>\u500b\u4eba\u3001\u6709\u7d44\u7e54\u7684\u72af\u7f6a\u5206\u5b50<\/td>\n<td>\u5c07\u6c7d\u8eca\u9001\u5f80\u8a08\u5283\u5916\u7684\u76ee\u7684\u5730\uff0c\u7372\u53d6\u6c7d\u8eca\u9470\u5319\uff0c\u63a7\u5236\u89e3\u9396\u6a5f\u5236<\/td>\n<td>\u672a\u4f86\u8cfc\u8cb7\u8eca\u8f1b\u7684\u53ef\u80fd\u6027\u964d\u4f4e\uff08\u7a0d\u5f8c\u76c8\u5229\uff09\u3001\u8ca0\u9762\u65b0\u805e\uff08\u54c1\u724c\u5b8c\u6574\u6027\uff09<\/td>\n<\/tr>\n<tr>\n<td>\u8eca\u8f1b\u529f\u80fd\u6e1b\u5c11<\/td>\n<td>\u6050\u6016\u7d44\u7e54\u3001\u5fc3\u61f7\u4e0d\u6eff\u7684\u54e1\u5de5<\/td>\n<td>\u5c07\u99d5\u99db\u54e1\u9396\u5728\u8eca\u5916\u3001\u5c0e\u81f4\u6c7d\u8eca\u589c\u6bc0\u3001\u963b\u6b62\u8a2a\u554f\u4fe1\u606f\u5a1b\u6a02\u7cfb\u7d71<\/td>\n<td>\u7121\u6cd5\u92b7\u552e\u4ed8\u8cbb\u61c9\u7528\u7a0b\u5e8f\u548c\u5167\u5bb9\uff08\u7acb\u5373\u76c8\u5229\uff09\u3001\u8ca0\u9762\u65b0\u805e\uff0
8\u54c1\u724c\u8aa0\u4fe1\uff09\u3001\u53ef\u80fd\u9020\u6210\u751f\u547d\u640d\u5931\uff08\u4eba\u8eab\u50b7\u5bb3\uff09<\/td>\n<\/tr>\n<tr>\n<td>\u8eca\u8f1b\u9ed1\u5ba2\u653b\u64ca<\/td>\n<td>\u8eca\u4e3b\u3001\u7af6\u722d\u5c0d\u624b<\/td>\n<td>\u7121\u9700\u4ed8\u8cbb\u5373\u53ef\u7372\u53d6\u5167\u5bb9\u3001\u4fee\u6539 DRM \u8a31\u53ef\u8b49\u3001\u89e3\u9396\u552e\u5f8c\u5e02\u5834\u529f\u80fd\u3001\u76dc\u7aca IP<\/td>\n<td>\u5167\u5bb9\u548c\u529f\u80fd\u92b7\u552e\u640d\u5931\uff08\u7acb\u5373\u76c8\u5229\uff09\u3001\u5167\u5bb9\u6240\u6709\u8005\u63d0\u8d77\u8a34\u8a1f\uff08\u4ee5\u5f8c\u76c8\u5229\uff09\u3001\u7af6\u722d\u512a\u52e2\u55aa\u5931\uff08\u4ee5\u5f8c\u76c8\u5229\uff09<\/td>\n<\/tr>\n<tr>\n<td>\u7aca\u53d6\u654f\u611f\u8cc7\u7522<\/td>\n<td>\u6709\u7d44\u7e54\u7684\u72af\u7f6a\u5206\u5b50\u3001\u52d2\u7d22\u8005<\/td>\n<td>\u7aca\u53d6\u4fe1\u7528\u5361\u865f\u78bc\u3001\u5065\u5eb7\u4fe1\u606f\u3001\u651d\u50cf\u982d\u6578\u64da\u3001\u7aca\u53d6\u5e36\u5bec<\/td>\n<td>\u8ca0\u9762\u5831\u5c0e\uff08\u54c1\u724c\u8aa0\u4fe1\uff09\u3001\u8eca\u4e3b\u8a34\u8a1f\uff08\u5229\u6f64\u5f8c\u671f\uff09<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>\u6c7d\u8eca\u7d1a Linux (AGL) \u8a08\u5283<\/strong>\u4ee5 <strong>Linux<\/strong> \u548c <strong>Tizen<\/strong> \u7b49\u958b\u6e90\u8edf\u9ad4\u70ba\u57fa\u790e\uff0c\u63d0\u4f9b\u9748\u6d3b\u7684\u61c9\u7528\u7a0b\u5e8f\u6846\u67b6\u3002\u7136\u800c\uff0c\u61c9\u7528\u7a0b\u5e8f\u6846\u67b6\u3001<strong>Cynara<\/strong> \u548c\u5b89\u5168\u7ba1\u7406\u5668\u7684\u5b89\u5168\u898f\u5b9a\u50c5\u80fd\u963b\u6b62\u6700\u5927\u7684\u5a01\u8105\u3002\u7d93\u9a57\u8868\u660e\uff0c\u63d0\u4f9b\u53d7\u7d04\u675f\u7684\u61c9\u7528\u7a0b\u5e8f\uff08\u5982Android \u958b\u6e90\u5e73\u53f0\u4e2d\u7684\u61c9\u7528\u7a0b\u5e8f\uff09\u548c\u5546\u5e97\u958b\u767c\u6d41\u7a0b\u3001\u7c3d\u540d\u9a57\u8b49\u3001DAC \u6c99\u7bb1\u548c\u5e73\u53f0\u4e0a\u7684MAC (<strong>SMACK<\/strong>) 
\u63a7\u5236\u53ef\u4ee5\u53d6\u5f97\u4e00\u5b9a\u7684\u6210\u529f\uff0c\u540c\u6642\u4fdd\u8b49\u4ee5\u4e0b\u5b89\u5168\u6027\uff1a\u7cfb\u7d71\u3002\u7136\u800c\uff0c\u8a72\u7cfb\u7d71\u7684\u958b\u653e\u6027\u5438\u5f15\u4e86\u8a31\u591a\u7814\u7a76\u4eba\u54e1\u3001\u611b\u597d\u8005\u548c\u9ed1\u5ba2\u4ee5\u53ca\u51fa\u65bc\u7d93\u6fdf\u52d5\u6a5f\u7684\u653b\u64ca\u8005\u70ba\u4e86\u81ea\u5df1\u7684\u5229\u76ca\u800c\u7834\u58de\u7cfb\u7d71\u3002<\/p>\n<p>\u96a8\u8457 AGL \u61c9\u7528\u65bc\u73fe\u4ee3\u6c7d\u8eca\uff0c\u9019\u4e0d\u53ef\u907f\u514d\u5730\u6703\u9080\u8acb\u8a31\u591a\u6709\u80fd\u529b\u7684\u53c3\u8207\u8005\u4f86\u4fee\u6539\u3001\u653b\u64ca\u548c\u7834\u58de\u9019\u4e9b\u7d93\u904e\u6df1\u601d\u719f\u616e\u7684\u7cfb\u7d71\u53ca\u5176\u61c9\u7528\u7a0b\u5e8f\u3002\u51fa\u65bc\u5b89\u5168\u548c\u5b89\u4fdd\u7b49\u65b9\u9762\u7684\u8003\u616e\uff0c\u6c7d\u8eca\u884c\u696d\u4e0d\u80fd\u91cd\u8e48\u624b\u6a5f\u548c\u5e73\u677f\u96fb\u8166\u7b49\u6d88\u8cbb\u8a2d\u5099\u7684\u8986\u8f4d\uff0c\u56e0\u70ba\u9019\u4e9b\u8a2d\u5099\u7d93\u5e38\u9047\u5230\u5b89\u5168\u554f\u984c\u3002\u5fc5\u9808\u63a1\u7528\u5206\u5c64\u65b9\u6cd5\u548c\u6df1\u5ea6\u9632\u79a6\u4f86\u4fdd\u8b77\u7cfb\u7d71\u514d\u53d7\u4e0d\u53ef\u907f\u514d\u7684\u653b\u64ca\u3002<\/p>\n<h3>1.3 \u8cc7\u7522\u548c\u5b89\u5168\u5206\u985e Assets and Security 
Categorization<\/h3>\n<p>\u672c\u7bc0\u6982\u8ff0\u4e86\u8eca\u8f1b\u4e2d\u53ef\u80fd\u767c\u73fe\u7684\u4e00\u4e9b\u8cc7\u7522\u53ca\u5176\u5f9e\u653b\u64ca\u89d2\u5ea6\u4f86\u770b\u7684\u76f8\u5c0d\u654f\u611f\u6027\u3002\u6b64\u5916\uff0c\u53f3\u5074\u7684\u6700\u5f8c\u4e00\u5217\u5217\u51fa\u4e86\u4e00\u4e9b\u53ef\u61c9\u7528\u65bc\u9019\u4e9b\u985e\u578b\u8cc7\u7522\u7684\u63a8\u85a6\u4fdd\u8b77\u985e\u578b\uff08\u8acb\u6ce8\u610f\uff0c\u7a7a\u55ae\u5143\u683c\u6307\u7684\u662f\u5176\u4e0a\u65b9\u7684\u55ae\u5143\u683c\uff09\u3002\u826f\u597d\u7684\u4fdd\u8b77\u65b9\u6cd5\u5c07\u512a\u5148\u4fdd\u8b77\u6700\u654f\u611f\u7684\u8cc7\u7522\uff0c\u4e26\u4f7f\u7528\u7e31\u6df1\u9632\u79a6\u65b9\u6cd5\u4f86\u8986\u84cb\u9019\u4e9b\u8cc7\u7522\u3002\u4e0d\u592a\u654f\u611f\u7684\u8cc7\u7522\u7684\u512a\u5148\u7d1a\u8f03\u4f4e\uff0c\u901a\u5e38\u4f7f\u7528\u8f03\u5c11\u7684\u4fdd\u8b77\u6280\u8853\u9032\u884c\u4fdd\u8b77\u3002\u901a\u904e\u8003\u616e\u8eca\u8f1b\u7db2\u7d61\u62d3\u64b2\u548c\u73fe\u6709\u8a2a\u554f\u63a7\u5236\u7684\u8a73\u7d30\u5a01\u8105\u5206\u6790\uff0c\u53ef\u4ee5\u5c0d\u5177\u9ad4\u8eca\u8f1b\u7db2\u7d61\u4e2d\u7684\u8cc7\u7522\u9032\u884c\u66f4\u7d30\u7c92\u5ea6\u7684\u512a\u5148\u7d1a\u6392\u5e8f\u3002\u4f8b\u5982<strong>\u653b\u64ca\u6a39\u7684 EVITA \u6846\u67b6<\/strong>\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u8cc7\u7522\u985e\u5225<\/th>\n<th style=\"text-align: left;\">\u4f8b\u5b50<\/th>\n<th style=\"text-align: left;\">\u5a01\u8105\u654f\u611f\u7a0b\u5ea6<\/th>\n<th style=\"text-align: left;\">\u63a8\u85a6\u7684\u4fdd\u8b77\u985e\u578b<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">\u8edf\u9ad4<\/td>\n<td style=\"text-align: left;\">ECU \u8edf\u9ad4\u3001\u4fe1\u606f\u5a1b\u6a02\u8edf\u9ad4\u3001\u64cd\u4f5c\u7cfb\u7d71\u93e1\u50cf<\/td>\n<td style=\"text-align: left;\">\u56b4\u91cd\u7684<\/td>\n<td style=\"text-align: 
left;\">\u5bc6\u9470\u7ba1\u7406\u3001\u76f8\u4e92\u975e\u5c0d\u7a31\u8eab\u4efd\u9a57\u8b49\u3001HSM \u548c\u767d\u76d2\u52a0\u5bc6\u3001\u6d88\u606f\u5b8c\u6574\u6027\u6aa2\u67e5\u3001\u5f37\u5316\/\u8edf\u9ad4\u4fdd\u8b77\u3001\u7a0b\u5e8f\u8f49\u63db\/\u6df7\u6dc6\u3001\u5b8c\u6574\u6027\u9a57\u8b49\u3001\u5b89\u5168\u64cd\u4f5c\u7cfb\u7d71<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u6c7d\u8eca\u901a\u9053<\/td>\n<td style=\"text-align: left;\">\u751f\u7269\u8b58\u5225\u6578\u64da\u3001\u8eca\u9470\u5319<\/td>\n<td style=\"text-align: left;\"><\/td>\n<td style=\"text-align: left;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u652f\u4ed8\u6578\u64da<\/td>\n<td style=\"text-align: left;\">\u4fe1\u7528\u5361\u3001\u7528\u6236\u8cc7\u6599\u95dc\u9375\u6578\u64da<\/td>\n<td style=\"text-align: left;\"><\/td>\n<td style=\"text-align: left;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u9304\u97f3<\/td>\n<td style=\"text-align: left;\">\u5167\u90e8\u651d\u50cf\u982d\u9304\u97f3\u3001\u5167\u90e8\u9304\u97f3\u3001\u5916\u90e8\u651d\u50cf\u982d\u9304\u97f3<\/td>\n<td style=\"text-align: left;\">\u9ad8\u7684<\/td>\n<td style=\"text-align: left;\">\u52a0\u5bc6\u3001\u6d88\u606f\u5b8c\u6574\u6027\u6aa2\u67e5\u3001\u5f37\u5316\/\u8edf\u9ad4\u4fdd\u8b77\u3001\u7a0b\u5e8f\u8f49\u63db\/\u6df7\u6dc6<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u7528\u6236\u8cc7\u6599<\/td>\n<td style=\"text-align: left;\">\u7528\u6236\u540d\u548c\u5bc6\u78bc\u3001\u81ea\u5b9a\u7fa9\u3001\u65e5\u66c6\u3001\u806f\u7e6b\u4eba<\/td>\n<td style=\"text-align: left;\"><\/td>\n<td style=\"text-align: left;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u5730\u9ede<\/td>\n<td style=\"text-align: left;\">GPS\u5750\u6a19\u3001\u8eca\u8f1b\u4f7f\u7528\u6578\u64da<\/td>\n<td style=\"text-align: left;\"><\/td>\n<td style=\"text-align: left;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u8cfc\u8cb7\u7684\u5167\u5bb9<\/td>\n<td style=\"text-align: 
left;\">\u8996\u983b\u3001\u97f3\u983b\u3001\u8a31\u53ef\u8b49<\/td>\n<td style=\"text-align: left;\"><\/td>\n<td style=\"text-align: left;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u96fb\u8a71\u6703\u8b70<\/td>\n<td style=\"text-align: left;\">\u804a\u5929\u3001\u97f3\u983b\u3001\u8996\u983b<\/td>\n<td style=\"text-align: left;\">\u4e2d\u7b49\u7684<\/td>\n<td style=\"text-align: left;\">\u8edf\u9ad4\u4fdd\u8b77\u3001\u7a0b\u5e8f\u8f49\u63db\/\u6df7\u6dc6\u3001\u50b3\u8f38\u9a57\u8b49\u52a0\u5bc6<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u8eca\u8f1b\u6578\u64da<\/td>\n<td style=\"text-align: left;\">\u8eca\u8f1b\u4fe1\u606f\u3001\u50b3\u611f\u5668\u6578\u64da<\/td>\n<td style=\"text-align: left;\"><\/td>\n<td style=\"text-align: left;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u5c0e\u822a\u6578\u64da<\/td>\n<td style=\"text-align: left;\">\u975c\u614b\u548c\u52d5\u614b\u5730\u5716<\/td>\n<td style=\"text-align: left;\"><\/td>\n<td style=\"text-align: left;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">\u7b2c\u4e09\u65b9\u6578\u64da<\/td>\n<td style=\"text-align: left;\">\u5bb6\u5ead\u81ea\u52d5\u5316\u547d\u4ee4\u3001\u96f2\u904a\u6232\u6578\u64da<\/td>\n<td style=\"text-align: left;\"><\/td>\n<td style=\"text-align: left;\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>1.4 \u201c\u5f37\u5316\u201d\u8853\u8a9e \uff08Hardening term\uff09<\/h3>\n<p>\u8853\u8a9e\u201c<strong>\u5f37\u5316<\/strong>\u201d\u662f\u6307\u6e1b\u5c11\u5d4c\u5165\u5f0f\u7cfb\u7d71\uff08\u4f8b\u5982\u5d4c\u5165\u5f0f\u63a7\u5236\u55ae\u5143 ( <strong>ECU<\/strong> ) 
\u6216\u5176\u4ed6\u8a17\u7ba1\u8a2d\u5099\uff09\u4e0a\u7684\u653b\u64ca\u9762\u6240\u9700\u7684\u5de5\u5177\u3001\u6280\u8853\u548c\u6d41\u7a0b\u3002\u6240\u6709\u5f37\u5316\u6d3b\u52d5\u7684<strong><em>\u76ee\u6a19\u662f\u9632\u6b62\u5728\u8a2d\u5099\u4e0a\u57f7\u884c\u7121\u6548\u7684\u4e8c\u9032\u88fd\u6587\u4ef6\uff0c\u4e26\u9632\u6b62\u5f9e\u8a2d\u5099\u8907\u88fd\u5b89\u5168\u76f8\u95dc\u6578\u64da\u3002<\/em><\/strong><\/p>\n<h3>1.5 AGL \u5b89\u5168\u6982\u8ff0 AGL security overview<\/h3>\n<p>AGL \u6839\u6e90\u57fa\u65bc\u5b89\u5168\u6982\u5ff5\u3002\u9019\u4e9b\u6982\u5ff5\u7531\u5b89\u5168\u6846\u67b6\u5be6\u73fe\uff0c\u5982\u4e0b\u5716\u6240\u793a\uff1a<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/docs.automotivelinux.org\/en\/master\/03_Architecture_Guides\/02_Security_Blueprint\/images\/WhiteBoxArchi.png\" alt=\"AGL\u67b6\u69cb\" \/><\/p>\n<hr \/>\n<h3>1.6 \u7e2e\u7565\u8a9e<\/h3>\n<p>\u4e0b\u8868\u5217\u51fa\u4e86\u672c\u6587\u6a94\u4e2d\u4f7f\u7528\u7684\u6700\u5f37\u8853\u8a9e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u7e2e\u5beb<\/th>\n<th style=\"text-align: left;\">\u63cf\u8ff0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><em>AGL<\/em><\/td>\n<td style=\"text-align: left;\"><strong>A<\/strong>utomotive <strong>G<\/strong>rade <strong>L<\/strong>inux \/ <strong>\u6c7d\u8eca\u7d1aLinux<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">ECU<\/td>\n<td style=\"text-align: left;\"><strong>E<\/strong>lectronic <strong>C<\/strong>ontrol <strong>U<\/strong>nit \/ <strong>\u96fb\u5b50\u63a7\u5236\u55ae\u5143<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>1.7 \u53c3\u8003<\/h3>\n<ul>\n<li><a href=\"http:\/\/docs.automotivelinux.org\/docs\/architecture\/en\/dev\/reference\/security\/01-overview.html\">\u5b89\u5168\u85cd\u5716<\/a>\u3002<\/li>\n<li><em><a 
href=\"http:\/\/docs.automotivelinux.org\/docs\/architecture\/en\/dev\/reference\/security\/01-overview.html\">http:\/\/docs.automotivelinux.org\/docs\/architecture\/en\/dev\/reference\/security\/01-overview.html<\/a><\/em><\/li>\n<li><strong>[2017]<\/strong> &#8211;<a href=\"https:\/\/www.kernel.org\/doc\/Documentation\/security\/\">\u5167\u6838\u5b89\u5168<\/a>\u3002<\/li>\n<li><em><a href=\"https:\/\/www.kernel.org\/doc\/Documentation\/security\/\">https:\/\/www.kernel.org\/doc\/Documentation\/security\/<\/a><\/em><\/li>\n<li><strong>[2017]<\/strong> &#8211; <a href=\"http:\/\/iot.bzh\/download\/public\/2017\/AMM-Dresden\/AGL-systemd.pdf\">Systemd \u96c6\u6210\u548c\u7528\u6236\u7ba1\u7406<\/a>\u3002<\/li>\n<li><em><a href=\"http:\/\/iot.bzh\/download\/public\/2017\/AMM-Dresden\/AGL-systemd.pdf\">http:\/\/iot.bzh\/download\/public\/2017\/AMM-Dresden\/AGL-systemd.pdf<\/a><\/em><\/li>\n<li><strong>[2017]<\/strong> &#8211; <a href=\"http:\/\/iot.bzh\/download\/public\/2017\/SDK\/AppFw-Documentation-v3.1.pdf\">AGL &#8211; \u61c9\u7528\u7a0b\u5e8f\u6846\u67b6\u6587\u6a94<\/a>\u3002<\/li>\n<li><em><a href=\"http:\/\/iot.bzh\/download\/public\/2017\/SDK\/AppFw-Documentation-v3.1.pdf\">http:\/\/iot.bzh\/download\/public\/2017\/SDK\/AppFw-Documentation-v3.1.pdf<\/a><\/em><\/li>\n<li><strong>[2017]<\/strong> &#8211;<a href=\"https:\/\/access.atis.org\/apps\/group_public\/download.php\/35648\/ATIS-I-0000059.pdf\">\u63d0\u9ad8\u8eca\u8f1b\u7db2\u7d61\u5b89\u5168<\/a>\u3002<\/li>\n<li><em><a href=\"https:\/\/access.atis.org\/apps\/group_public\/download.php\/35648\/ATIS-I-0000059.pdf\">https:\/\/access.atis.org\/apps\/group_public\/download.php\/35648\/ATIS-I-0000059.pdf<\/a><\/em><\/li>\n<li><strong>[2016]<\/strong> &#8211; <a href=\"http:\/\/docs.automotivelinux.org\/docs\/apis_services\/en\/dev\/reference\/af-main\/0-introduction.html\">AGL \u6846\u67b6\u6982\u8ff0<\/a>\u3002<\/li>\n<li><em><a 
href=\"http:\/\/docs.automotivelinux.org\/docs\/apis_services\/en\/dev\/reference\/af-main\/0-introduction.html\">http:\/\/docs.automotivelinux.org\/docs\/apis_services\/en\/dev\/reference\/af-main\/0-introduction.html<\/a><\/em><\/li>\n<li><strong>[2016]<\/strong> &#8211; <a href=\"http:\/\/iot.bzh\/download\/public\/2016\/publications\/SecureBoot-SecureSoftwareUpdates.pdf\">SecureBoot-SecureSoftwareUpdates<\/a>\u3002<\/li>\n<li><em><a href=\"http:\/\/iot.bzh\/download\/public\/2016\/publications\/SecureBoot-SecureSoftwareUpdates.pdf\">http:\/\/iot.bzh\/download\/public\/2016\/publications\/SecureBoot-SecureSoftwareUpdates.pdf<\/a><\/em><\/li>\n<li><strong>[2016]<\/strong> &#8211; <a href=\"http:\/\/iot.bzh\/download\/public\/2016\/security\/Linux-Automotive-Security-v10.pdf\">Linux \u6c7d\u8eca\u5b89\u5168<\/a>\u3002<\/li>\n<li><em><a href=\"http:\/\/iot.bzh\/download\/public\/2016\/security\/Linux-Automotive-Security-v10.pdf\">http:\/\/iot.bzh\/download\/public\/2016\/security\/Linux-Automotive-Security-v10.pdf<\/a><\/em><\/li>\n<li><strong>[2016]<\/strong> &#8211;<a href=\"https:\/\/www.mcafee.com\/it\/resources\/white-papers\/wp-automotive-security.pdf\">\u6c7d\u8eca\u5b89\u5168\u6700\u4f73\u5be6\u8e10<\/a>\u3002<\/li>\n<li><em><a href=\"https:\/\/www.mcafee.com\/it\/resources\/white-papers\/wp-automotive-security.pdf\">https:\/\/www.mcafee.com\/it\/resources\/white-papers\/wp-automotive-security.pdf<\/a><\/em><\/li>\n<li><strong>[2016]<\/strong> &#8211;<a href=\"http:\/\/gattack.io\/whitepaper.pdf\">\u653b\u64ca\u85cd\u7259\u667a\u80fd\u8a2d\u5099<\/a>\u3002<\/li>\n<li><em><a href=\"http:\/\/gattack.io\/whitepaper.pdf\">http:\/\/gattack.io\/whitepaper.pdf<\/a><\/em><\/li>\n<li><strong>[2015]<\/strong> &#8211;<a href=\"http:\/\/www.cs.wayne.edu\/fengwei\/15fa-csc6991\/slides\/8-CarHackingUsenixSecurity.pdf\">\u6c7d\u8eca\u653b\u64ca\u9762\u7684\u7d9c\u5408\u5be6\u9a57\u5206\u6790<\/a>\u3002<\/li>\n<li><em><a 
href=\"http:\/\/www.cs.wayne.edu\/fengwei\/15fa-csc6991\/slides\/8-CarHackingUsenixSecurity.pdf\">http:\/\/www.cs.wayne.edu\/fengwei\/15fa-csc6991\/slides\/8-CarHackingUsenixSecurity.pdf<\/a><\/em><\/li>\n<li><strong>[2015]<\/strong> &#8211;<a href=\"http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.92.728&amp;rep=rep1&amp;type=pdf\">\u6c7d\u8eca\u7e3d\u7dda\u7cfb\u7d71\u7684\u5b89\u5168\u6027<\/a>\u3002<\/li>\n<li><em><a href=\"http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.92.728&amp;rep=rep1&amp;type=pdf\">http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.92.728&#038;rep=rep1&#038;type=pdf<\/a><\/em><\/li>\n<li><strong>[2014]<\/strong> &#8211; <a href=\"https:\/\/www.ioactive.com\/pdfs\/IOActive_Remote_Attack_Surfaces.pdf\">IOActive \u9060\u7a0b\u653b\u64ca\u9762<\/a>\u3002<\/li>\n<li><em><a href=\"https:\/\/www.ioactive.com\/pdfs\/IOActive_Remote_Attack_Surfaces.pdf\">https:\/\/www.ioactive.com\/pdfs\/IOActive_Remote_Attack_Surfaces.pdf<\/a><\/em><\/li>\n<li><strong>[2011]<\/strong> &#8211;<a href=\"https:\/\/media.blackhat.com\/bh-dc-11\/Perez-Pico\/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf\">\u91dd\u5c0d GPRS\/EDGE\/UMTS\/HSPA \u79fb\u52d5\u6578\u64da\u901a\u4fe1\u7684\u5be6\u969b\u653b\u64ca<\/a>\u3002<\/li>\n<li><em><a href=\"https:\/\/media.blackhat.com\/bh-dc-11\/Perez-Pico\/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf\">https:\/\/media.blackhat.com\/bh-dc-11\/Perez-Pico\/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf<\/a><\/em><\/li>\n<li><strong>[2011]<\/strong> &#8211;<a href=\"http:\/\/www.autosec.org\/pubs\/cars-usenixsec2011.pdf\">\u6c7d\u8eca\u653b\u64ca\u9762\u7684\u7d9c\u5408\u5be6\u9a57\u5206\u6790<\/a>\u3002<\/li>\n<li><em><a href=\"http:\/\/www.autosec.org\/pubs\/cars-usenixsec2011.pdf\">http:\/\/www.autosec.org\/pubs\/cars-usenixsec2011.pdf<\/a><\/em><\/li>\n<li><strong>[2010]<\/strong> &#8211;<a 
href=\"https:\/\/eprint.iacr.org\/2010\/332.pdf\">\u73fe\u4ee3\u6c7d\u8eca\u88ab\u52d5\u7121\u9470\u5319\u9032\u5165\u548c\u555f\u52d5\u7cfb\u7d71\u7684\u4e2d\u7e7c\u653b\u64ca<\/a>\u3002<\/li>\n<li><em><a href=\"https:\/\/eprint.iacr.org\/2010\/332.pdf\">https:\/\/eprint.iacr.org\/2010\/332.pdf<\/a><\/em><\/li>\n<li><strong>[2010]<\/strong> &#8211; <a href=\"https:\/\/matthieu.io\/dl\/wifi-attacks-wep-wpa.pdf\">Wifi \u653b\u64ca wep wpa<\/a>\u3002<\/li>\n<li><em><a href=\"https:\/\/matthieu.io\/dl\/wifi-attacks-wep-wpa.pdf\">https:\/\/matthieu.io\/dl\/wifi-attacks-wep-wpa.pdf<\/a><\/em><\/li>\n<li><strong>[2008<\/strong> []](<a href=\"http:\/\/schaufler-ca.com\/yahoo_site_admin\/assets\/docs\/SmackWhitePaper.257153003.pdf\">http:\/\/schaufler-ca.com\/yahoo_site_admin\/assets\/docs\/SmackWhitePaper.257153003.pdf<\/a>) -SMACK .<\/li>\n<li><em><a href=\"http:\/\/schaufler-ca.com\/yahoo_site_admin\/assets\/docs\/SmackWhitePaper.257153003.pdf\">http:\/\/schaufler-ca.com\/yahoo_site_admin\/assets\/docs\/SmackWhitePaper.257153003.pdf<\/a><\/em><\/li>\n<\/ul>\n<h2>2. 
<a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/02_Hardware\/\">\u786c\u9ad4\u85cd\u5716<\/a><\/h2>\n<p>\u6c7d\u8eca\u7d1a Linux \u5e73\u53f0\u662f\u4e00\u500b\u5177\u6709<strong>AGL<\/strong> \u517c\u5bb9\u61c9\u7528\u7a0b\u5e8f\u548c\u670d\u52d9\u7684 Linux \u767c\u884c\u7248\u3002\u8a72\u5e73\u53f0\u5305\u62ec\u4ee5\u4e0b\u786c\u9ad4\uff1a<\/p>\n<ul>\n<li>SoC\uff08\u7247\u4e0a\u7cfb\u7d71\uff09\u3002<\/li>\n<li>\u5167\u5b58\uff08RAM\u3001ROM\u3001\u5b58\u5132\u5668\u7b49\uff09\u3002<\/li>\n<li>\u5916\u570d\u8a2d\u5099\u3002<\/li>\n<\/ul>\n<p>\u60a8\u5c07\u5728\u7b2c\u4e00\u90e8\u5206\u4e2d\u627e\u5230\u8207\u786c\u9ad4\u5b89\u5168\u76f8\u95dc\u7684\u6240\u6709\u5167\u5bb9\u3002\u76ee\u6a19\u662f\u4fdd\u8b77\u7cfb\u7d71\u514d\u53d7\u6240\u6709\u8a66\u5716\u901a\u904e\u6062\u5fa9\u548c\/\u6216\u66f4\u6539\u52a0\u5bc6\u5bc6\u9470\u4f86\u7372\u53d6\u984d\u5916\u6b0a\u9650\u4ee5\u6539\u8b8a\u555f\u52d5\u5b8c\u6574\u6027\u7684\u653b\u64ca\u3002\u70ba\u4e86\u5be6\u73fe\u9019\u4e00\u76ee\u6a19\uff0c\u6211\u5011\u9084\u61c9\u8a72\u9632\u6b62\u786c\u9ad4\u4fee\u6539\u3002\u6211\u5011\u5c07\u5728\u4e0b\u9762\u5c55\u793a\u4e00\u4e9b\u53ef\u80fd\u7684\u914d\u7f6e\u793a\u4f8b\u3002<\/p>\n<hr \/>\n<h3>\u7e2e\u7565\u8a9e Acronyms and Abbreviations<\/h3>\n<p>\u4e0b\u8868\u5217\u51fa\u4e86\u672c\u90e8\u5206\u6587\u6a94\u4e2d\u4f7f\u7528\u7684\u8853\u8a9e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u7e2e\u5beb<\/th>\n<th style=\"text-align: left;\">\u63cf\u8ff0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><em>HSM<\/em><\/td>\n<td style=\"text-align: left;\"><strong>H<\/strong>ardware <strong>S<\/strong>ecurity <strong>M<\/strong>odule  \/  <strong>\u786c\u9ad4\u5b89\u5168\u6a21\u7d44<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>NVM<\/em><\/td>\n<td style=\"text-align: left;\"><strong>N<\/strong>on-<strong>V<\/strong>olatile <strong>M<\/strong>emory  
\/  <strong>\u975e\u6613\u5931\u6027\u8a18\u61b6\u9ad4<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>SHE<\/em><\/td>\n<td style=\"text-align: left;\"><strong>S<\/strong>ecure <strong>H<\/strong>ardware <strong>E<\/strong>xtensions  \/  <strong>\u5b89\u5168\u786c\u9ad4\u64f4\u5c55<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>\u5b8c\u6574\u6027 Integrity<\/h3>\n<p>\u8a72\u677f\u5fc5\u9808\u5b58\u5132<strong>\u786c\u7de8\u78bc\u7684\u52a0\u5bc6\u5bc6\u9470<\/strong>\uff0c\u4ee5\u4fbf\u9a57\u8b49<em>\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f<\/em>\u7684<em>\u5b8c\u6574\u6027<\/em>\u7b49\u3002\u88fd\u9020\u5546\u53ef\u4ee5\u4f7f\u7528<strong>HSM<\/strong>\u548c <strong>SHE<\/strong>\u4f86\u589e\u5f37\u5176\u96fb\u8def\u677f\u7684\u5b89\u5168\u6027\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object \u6a19\u7684\u7269<\/th>\n<th style=\"text-align: left;\">Recommendations \u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Hardware-Integrity-1<\/td>\n<td style=\"text-align: left;\">Bootloader<\/td>\n<td style=\"text-align: left;\">Must control bootloader integrity. <strong>\u5fc5\u9808\u63a7\u5236\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f\u7684\u5b8c\u6574\u6027\u3002<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Integrity-2<\/td>\n<td style=\"text-align: left;\">Board<\/td>\n<td style=\"text-align: left;\">Must use a HSM. <strong>\u5fc5\u9808\u4f7f\u7528HSM\u3002<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Integrity-3<\/td>\n<td style=\"text-align: left;\">RTC<\/td>\n<td style=\"text-align: left;\">Must not be alterable. 
<strong>\u5fc5\u9808\u4e0d\u53ef\u88ab\u66f4\u6539\u3002<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>\u8b49\u66f8 Certificates<\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object \u6a19\u7684\u7269<\/th>\n<th style=\"text-align: left;\">Recommendations \u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Hardware-Certificate-1<\/td>\n<td style=\"text-align: left;\">System<\/td>\n<td style=\"text-align: left;\">Shall allow storing dedicated certificates. <strong>\u61c9\u5141\u8a31\u5b58\u5132\u5c08\u7528\u8b49\u66f8\u3002<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Certificate-2<\/td>\n<td style=\"text-align: left;\">ECU<\/td>\n<td style=\"text-align: left;\">The ECU must verify the certification authority hierarchy. <strong>ECU \u5fc5\u9808\u9a57\u8b49\u8a8d\u8b49\u6a5f\u69cb\u5c64\u6b21\u7d50\u69cb\u3002<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Certificate-3<\/td>\n<td style=\"text-align: left;\">System<\/td>\n<td style=\"text-align: left;\">Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust. 
<br \/><strong>\u50c5\u7576\u4f86\u6e90\u53ef\u4ee5\u901a\u904e\u5df2\u5b58\u5132\u7684\u8b49\u66f8\u6216\u4fe1\u4efb\u93c8\u7684\u66f4\u9ad8\u7d1a\u5225\u4e2d\u7684\u8b49\u66f8\u9451\u5225\u6642\uff0c\u624d\u5141\u8a31\u4fee\u6539\u8b49\u66f8\u3002<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>\u8a18\u61b6\u9ad4 Memory<\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object \u6a19\u7684\u7269<\/th>\n<th style=\"text-align: left;\">Recommendations \u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Hardware-Memory-1<\/td>\n<td style=\"text-align: left;\">ECU<\/td>\n<td style=\"text-align: left;\">The ECU shall never expose the unencrypted key in RAM when using cryptographic keys. <br \/><strong>\u7576\u4f7f\u7528\u52a0\u5bc6\u5bc6\u9470\u6642\uff0cECU \u7d55\u4e0d\u80fd\u66b4\u9732 RAM \u4e2d\u672a\u52a0\u5bc6\u7684\u5bc6\u9470\u3002<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Memory-2<\/td>\n<td style=\"text-align: left;\">Bootloader<\/td>\n<td style=\"text-align: left;\">Internal NVM only<br \/><strong>\u50c5\u5167\u90e8 NVM \u53ef\u555f\u52d5\u7cfb\u7d71\u3002<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Module-3<\/td>\n<td style=\"text-align: left;\">&#8211;<\/td>\n<td style=\"text-align: left;\">HSM must be used to secure keys.<br \/><strong>\u5fc5\u9808\u4f7f\u7528 HSM \u4f86\u4fdd\u8b77\u5bc6\u9470\u3002<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>3. 
<a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/03_Secure_Boot\/\">\u5b89\u5168\u555f\u52d5\u85cd\u5716<\/a><\/h2>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Abstract-1<\/td>\n<td style=\"text-align: left;\">More generic and add examples (The chain of trust). <strong>\u66f4\u901a\u7528\u4e26\u6dfb\u52a0\u793a\u4f8b\uff08\u4fe1\u4efb\u93c8\uff09\u3002<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5b89\u5168\u555f\u52d5\u662f\u6307\u9632\u6b62\u5728\u7cfb\u7d71\u555f\u52d5\u904e\u7a0b\u4e2d\u52a0\u8f09\u60e1\u610f\u8edf\u9ad4\u61c9\u7528\u7a0b\u5e8f\u548c\u201c\u672a\u7d93\u6388\u6b0a\u201d\u7684\u64cd\u4f5c\u7cfb\u7d71\u3002\u76ee\u6a19\u662f\u4fdd\u8b77\u7528\u6236\u514d\u53d7 Rootkit \u548c\u5176\u4ed6\u4f4e\u7d1a\u60e1\u610f\u8edf\u9ad4\u653b\u64ca\u3002\u73fe\u4ee3\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f\u5177\u6709\u53ef\u7528\u65bc\u5728\u7cfb\u7d71\u4e2d\u555f\u7528\u5b89\u5168\u5f15\u5c0e\u7684\u529f\u80fd\u3002<\/p>\n<p><strong>\u555f\u52d5\u5f37\u5316<\/strong>\uff1a\u914d\u7f6e\u555f\u52d5\u9806\u5e8f\u7684\u6b65\u9a5f\/\u8981\u6c42\uff0c\u4ee5\u9650\u5236\u8a2d\u5099\u57f7\u884c\u9664\u6279\u51c6\u7684\u8edf\u9ad4\u93e1\u50cf\u4e4b\u5916\u7684\u4efb\u4f55\u5167\u5bb9\u3002<\/p>\n<p>\u5728\u9019\u4e00\u90e8\u5206\u4e2d\uff0c\u6211\u5011\u5c07\u770b\u5230\u4e00\u7cfb\u5217\u914d\u7f6e\uff0c\u9019\u4e9b\u914d\u7f6e\u5c07\u4f7f\u6211\u5011\u80fd\u5920\u63d0\u9ad8\u555f\u52d5\u968e\u6bb5\u7684\u5b89\u5168\u6027\u3002\u51fa\u65bc\u53c3\u8003\u548c\u89e3\u91cb\u7684\u76ee\u7684\uff0c\u6211\u5011\u63d0\u4f9b\u6709\u95dc\u5982\u4f55\u914d\u7f6e\u904b\u884c 3.10.17 Linux 
\u5167\u6838\u7684\u5d4c\u5165\u5f0f\u8a2d\u5099\u7684\u6307\u5357\u3002\u5982\u679c\u672a\u6aa2\u67e5\u5b8c\u6574\u6027\u6216\u767c\u751f\u56b4\u91cd\u932f\u8aa4\uff0c\u7cfb\u7d71\u5fc5\u9808\u5728\u975e\u5e38\u7a69\u5b9a\u7684\u5099\u4efd\u93e1\u50cf\u4e0a\u555f\u52d5\u3002<\/p>\n<p><strong>\u8981\u6c42<\/strong>\uff1a\u5373\u4f7f\u9078\u64c7\u4e86 Linux \u5167\u6838\u7684\u66ff\u4ee3\u7248\u672c\uff0c\u4e5f\u5fc5\u9808\u6eff\u8db3\u9019\u4e9b\u8981\u6c42\u3002<\/p>\n<p><strong>\u5efa\u8b70<\/strong>\uff1a\u70ba\u4e86\u4fdd\u8b77\u8a2d\u5099\u800c\u61c9\u61c9\u7528\u7684\u8a73\u7d30\u6700\u4f73\u5be6\u8e10\u3002\u96d6\u7136\u5b83\u5011\u76ee\u524d\u6c92\u6709\u88ab\u5217\u70ba\u786c\u6027\u9700\u6c42\uff0c\u4f46\u5c07\u4f86\u53ef\u80fd\u6703\u5347\u7d1a\u70ba\u9700\u6c42\u72c0\u614b\u3002\u6b64\u5916\uff0c\u5177\u9ad4\u904b\u71df\u5546\u53ef\u4ee5\u6839\u64da\u81ea\u5df1\u7684\u5177\u9ad4\u9700\u6c42\u548c\u76ee\u6a19\u5c07\u5176\u4e2d\u4e00\u4e9b\u5efa\u8b70\u66f4\u6539\u70ba\u8981\u6c42\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Abstract-1<\/td>\n<td style=\"text-align: left;\">Review the definition of the &quot;boot loader&quot;.<br \/><strong>\u67e5\u6838\u201c\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f\u201d\u7684\u5b9a\u7fa9\u3002<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f<\/strong>\uff1a\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f\u7531\u99d0\u7559\u5728<strong>OTP<\/strong>\u5b58\u5132\u5668\u4e2d\u7684\u4e3b\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f \u3001sboot\u3001U-Boot \u548c\u99d0\u7559\u5728\u5916\u90e8\u9583\u5b58\uff08NAND \u6216 SPI\/NOR \u9583\u5b58\uff09\u4e2d\u7684\u5b89\u5168\u52a0\u8f09\u7a0b\u5e8f\u7d44\u6210\u3002CPU 
\u5728\u52a0\u96fb\u6216\u8907\u4f4d\u6642\u57f7\u884c\u4e3b\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f\u3002OTP\u4e3b\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f\u9032\u884c\u5fc5\u8981\u7684\u521d\u59cb\u7cfb\u7d71\u914d\u7f6e\uff0c\u7136\u5f8c\u5c07\u8f14\u52a9\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f sboot \u5f9e\u5916\u90e8\u9583\u5b58\u52a0\u8f09\u5230 RAM \u5b58\u5132\u5668\u3002\u7136\u5f8c\uff0csboot \u6703\u52a0\u8f09 U-Boot \u4ee5\u53ca\u5b89\u5168\u52a0\u8f09\u7a0b\u5e8f\u3002\u7136\u5f8c\uff0cU-Boot \u9a57\u8b49\u5167\u6838\/\u7cfb\u7d71\u93e1\u50cf\u7684<strong>\u5b8c\u6574\u6027<\/strong>\uff0c\u7136\u5f8c\u5728\u5c07\u63a7\u5236\u6b0a\u50b3\u905e\u7d66\u5b83\u4e4b\u524d\u52a0\u8f09\u5167\u6838\/\u7cfb\u7d71\u93e1\u50cf\u3002<\/p>\n<hr \/>\n<h3>3.1 \u7e2e\u7565\u8a9e<\/h3>\n<p>\u4e0b\u8868\u5217\u51fa\u4e86\u672c\u90e8\u5206\u6587\u6a94\u4e2d\u4f7f\u7528\u7684\u8853\u8a9e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u7e2e\u5beb<\/th>\n<th style=\"text-align: left;\">\u63cf\u8ff0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><em>FUSE<\/em><\/td>\n<td style=\"text-align: left;\"><strong>F<\/strong>ilesystem in <strong>U<\/strong>ser<strong>S<\/strong>pac<strong>E<\/strong>nv.  
<strong>\u7528\u6236\u6a21\u5f0f\u4e0b\u7684\u6587\u4ef6\u7cfb\u7d71<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>OTP<\/em><\/td>\n<td style=\"text-align: left;\"><strong>O<\/strong>ne-<strong>T<\/strong>ime-<strong>P<\/strong>rogrammable  <strong>\u53ef\u55ae\u6b21\u71d2\u9304<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>DOCSIS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>D<\/strong>ata <strong>O<\/strong>ver <strong>C<\/strong>able <strong>S<\/strong>ervice <strong>I<\/strong>nterface <strong>S<\/strong>pecification  <strong>\u7e9c\u7dda\u670d\u52d9\u754c\u9762\u4e0a\u7684\u8cc7\u6599\u50b3\u8f38\u898f\u7bc4<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>3.2 \u93e1\u50cf<\/h3>\n<h4>\u93e1\u50cf\u9078\u64c7<\/h4>\n<p>\u5f15\u5c0e\u904e\u7a0b\u61c9\u662f\u4e0d\u9593\u65b7\u7684\uff0c\u4e26\u4e14\u61c9\u4e0d\u53ef\u64a4\u92b7\u5730\u5f15\u5c0e\u5f15\u5c0e\u74b0\u5883\u4e2d\u6307\u5b9a\u7684\u93e1\u50cf\u3002<\/p>\n<p>\u5728 U-Boot \u4e2d\u914d\u7f6e\u201c <em>bootdelay<\/em> \u201d\u74b0\u5883\u8b8a\u91cf\u548c\/\u6216\u5b9a\u7fa9 <code>CONFIG_BOOTDELAY<\/code>\u70ba<em>-2<\/em>\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><em>Variable<\/em> \/ <code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Selection-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_BOOTDELAY<\/code><\/td>\n<td style=\"text-align: left;\"><code>-2<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Selection-2<\/td>\n<td style=\"text-align: left;\"><em>bootdelay<\/em><\/td>\n<td style=\"text-align: left;\"><code>-2<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u93e1\u50cf\u771f\u5be6\u6027<\/h4>\n<p>\u7121\u6cd5\u5f9e\u672a\u7d93\u9a57\u8b49\u7684\u93e1\u50cf\u555f\u52d5\u3002\u61c9\u555f\u7528 U-Boot 
\u4e2d\u7684\u5b89\u5168\u555f\u52d5\u529f\u80fd\u3002U-Boot 2013.07\u7248\u672c\u958b\u59cb\u63d0\u4f9b\u5b89\u5168\u555f\u52d5\u529f\u80fd\u3002\u8981\u555f\u7528\u5b89\u5168\u555f\u52d5\u529f\u80fd\uff0c\u8acb\u555f\u7528\u4ee5\u4e0b\u529f\u80fd\uff1a<\/p>\n<pre><code class=\"language-yaml\">CONFIG_FIT: Enables support for Flat Image Tree (FIT) uImage format.\nCONFIG_FIT_SIGNATURE: Enables signature verification of FIT images.\nCONFIG_RSA: Enables RSA algorithm used for FIT image verification.\nCONFIG_OF_CONTROL: Enables Flattened Device Tree (FDT) configuration.\nCONFIG_OF_SEPARATE: Enables separate build of u-Boot from the device tree.\nCONFIG_DEFAULT_DEVICE_TREE: Specifies the default Device Tree used for the run-time configuration of U-Boot.<\/code><\/pre>\n<p>\u4f7f\u7528\u516c\u9470\u751f\u6210 U-Boot \u93e1\u50cf\u4ee5\u9a57\u8b49\u548c\u52a0\u8f09\u93e1\u50cf\u3002\u5b83\u61c9\u4f7f\u7528 RSA2048 \u548c SHA256 \u9032\u884c\u8eab\u4efd\u9a57\u8b49\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_FIT<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_FIT_SIGNATURE<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_RSA<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-4<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_OF_CONTROL<\/code><\/td>\n<td style=\"text-align: 
left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-5<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_OF_SEPARATE<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-6<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEFAULT_DEVICE_TREE<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>3.3 \u901a\u8a0a\u65b9\u5f0f<\/h3>\n<h4>\u7981\u7528 USB\u3001\u4e32\u884c\u548c DOCSIS \u652f\u6301<\/h4>\n<p>\u8981\u5728 U-Boot \u4e2d\u7981\u7528 USB \u652f\u6301\uff0c\u4e0d\u61c9\u5b9a\u7fa9\u4ee5\u4e0b\u914d\u7f6e\uff1a<\/p>\n<pre><code class=\"language-yaml\">CONFIG_CMD_USB: Enables basic USB support and the usb command.\nCONFIG_USB_UHCI: Defines the lowlevel part.\nCONFIG_USB_KEYBOARD: Enables the USB Keyboard.\nCONFIG_USB_STORAGE: Enables the USB storage devices.\nCONFIG_USB_HOST_ETHER: Enables USB Ethernet adapter support.<\/code><\/pre>\n<p>\u53e6\u5916\uff0c\u5728U-Boot \u548csboot \u4e2d\u7981\u7528\u4e0d\u5fc5\u8981\u7684\u901a\u4fe1\u6a21\u5f0f\uff0c\u5982\u4ee5\u592a\u7db2\u3001\u4e32\u53e3\u3001DOCSIS\u3002<\/p>\n<p>\u5982\u679c\u4e0d\u9700\u8981\uff0cLinux \u5167\u6838\u7684 USB \u652f\u6301\u61c9\u5728\u7de8\u8b6f\u6642\u6392\u9664\uff08compiled out\uff09\u3002\u5982\u679c\u9700\u8981\uff0cLinux \u5167\u6838\u61c9\u914d\u7f6e\u70ba\u50c5\u555f\u7528\u6240\u9700\u7684\u6700\u5c11 USB \u8a2d\u5099\u3002\u61c9\u7279\u5225\u5c0f\u5fc3\u5c0d\u5f85\u7528\u6236\u555f\u52d5\u7684 USB \u6587\u4ef6\u7cfb\u7d71\u3002\u7121\u8ad6\u6587\u4ef6\u7cfb\u7d71\u662f\u5426\u5b89\u88dd\u5728\u7528\u6236\u7a7a\u9593\uff08<strong>FUSE<\/strong>\uff09\u4e2d\uff0c\u90fd\u61c9\u9075\u5b88\u53d7\u9650\u7684\u5b89\u88dd\u9078\u9805\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th>Domain 
\u9818\u57df<\/th>\n<th>\u901a\u8a0a\u6a21\u5f0f<\/th>\n<th><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Boot-Communication-1<\/td>\n<td><code>USB<\/code><\/td>\n<td><em>Disabled<\/em> and <em>Compiled-out<\/em> if not required.<\/td>\n<\/tr>\n<tr>\n<td>Boot-Communication-2<\/td>\n<td><code>USB<\/code><\/td>\n<td>Else, Kernel should be configured to only enable the <br \/>minimum required USB devices and filesystems should <br \/>be treated with special care.<\/td>\n<\/tr>\n<tr>\n<td>Boot-Communication-3<\/td>\n<td><code>Ethernet<\/code><\/td>\n<td><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td>Boot-Communication-4<\/td>\n<td>U-boot and sboot <code>DOCSIS<\/code><\/td>\n<td><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td>Boot-Communication-5<\/td>\n<td><code>Serial ports<\/code><\/td>\n<td><em>Disabled<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-USB-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CMD_USB<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-USB-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_USB_UHCI<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-USB-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_USB_KEYBOARD<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-USB-4<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_USB_STORAGE<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left;\">Boot-Communication-USB-5<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_USB_HOST_ETHER<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u6240\u6709\u672a\u4f7f\u7528\u7684\u7db2\u7d61\u63a5\u53e3<\/h4>\n<p>\u50c5\u61c9\u555f\u7528\u4f7f\u7528\u7684\u7db2\u7d61\u63a5\u53e3\u3002\u5728\u53ef\u80fd\u7684\u60c5\u6cc1\u4e0b\uff0c\u670d\u52d9\u4e5f\u61c9\u50c5\u9650\u65bc\u5fc5\u8981\u7684\u7bc4\u570d\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th>Domain \u9818\u57df<\/th>\n<th>\u901a\u8a0a\u6a21\u5f0f<\/th>\n<th><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Boot-Communication-1<\/td>\n<td><code>Network interfaces<\/code><\/td>\n<td>Preferably <em>no network interface is allowed<\/em>, otherwise, <br \/>restrict the services to those used.<br \/>\u6700\u597d<em>\u4e0d\u5141\u8a31\u4f7f\u7528\u4efb\u4f55\u7db2\u7d61\u63a5\u53e3<\/em>\uff0c\u5426\u5247\uff0c\u5c07\u670d\u52d9\u9650\u5236\u70ba<br \/>\u6240\u4f7f\u7528\u7684\u670d\u52d9\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u522a\u9664\u6216\u7981\u7528\u4e0d\u5fc5\u8981\u7684\u670d\u52d9\u3001\u7aef\u53e3\u548c\u8a2d\u5099<\/h4>\n<p>\u9650\u5236\u4f7f\u7528<code>services<\/code>\u3001<code>ports<\/code>\u548c<code>devices<\/code>\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-1<\/td>\n<td style=\"text-align: left;\"><code>Services<\/code>, <code>ports<\/code> and <code>devices<\/code><\/td>\n<td style=\"text-align: left;\">Restrict the <code>services<\/code>, <code>ports<\/code> and <code>devices<\/code> to those used.<br 
\/>\u9650\u5236\u4f7f\u7528<code>services<\/code>\u3001<code>ports<\/code>\u548c<code>devices<\/code>\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u7981\u7528\u9583\u5b58\u8a2a\u554f<\/h4>\n<p><strong>\u63a8\u85a6<\/strong>\uff1a<\/p>\n<p>\u5728 U-Boot \u4e2d\uff0c\u61c9\u7981\u7528\u4ee5\u4e0b\u9583\u5b58\u547d\u4ee4\uff1a<\/p>\n<p><strong>NAND<\/strong><code>do_nand<\/code> \uff1a\u5fc5\u9808\u7981\u7528\u5c0d NAND \u9583\u5b58\u8a2a\u554f\u7684\u652f\u6301\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Command<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-Flash-1<\/td>\n<td style=\"text-align: left;\"><code>do_nand<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u540c\u6a23\uff0csboot \u61c9\u901a\u904e\u547d\u4ee4\u884c\u7981\u7528\u9583\u5b58\u8a2a\u554f\u652f\u6301\uff08\u5982\u679c\u6709\uff09\u3002<\/p>\n<h3>3.4 \u63a7\u5236\u53f0<\/h3>\n<h4>\u7981\u7528\u4e32\u53e3\u63a7\u5236\u53f0<\/h4>\n<p>\u61c9\u7981\u7528\u4e32\u53e3\u63a7\u5236\u53f0\u8f38\u51fa\u3002\u8981\u5728 U-Boot \u4e2d\u7981\u7528\u63a7\u5236\u53f0\u8f38\u51fa\uff0c\u8acb\u914d\u7f6e\u4ee5\u4e0b\u5b8f\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Serial-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SILENT_CONSOLE<\/code><\/td>\n<td style=\"text-align: left;\"><code>Disable<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Serial-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SYS_DEVICE_NULLDEV<\/code><\/td>\n<td style=\"text-align: 
left;\"><code>Disable<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Serial-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC<\/code><\/td>\n<td style=\"text-align: left;\"><code>Disable<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-1<\/td>\n<td style=\"text-align: left;\">Secure loader: No reference earlier?<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4e26\u914d\u7f6e\u201c <strong>silent<\/strong> \u201d\u74b0\u5883\u8b8a\u91cf\u3002\u5c0d\u65bc\u5b89\u5168\u52a0\u8f09\u7a0b\u5e8f\uff0c\u901a\u904e\u4e0d\u5b9a\u7fa9\u4ee5\u4e0b\u5b8f\u4f86\u7981\u7528\u8ddf\u8e2a\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Environment variable<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Serial-1<\/td>\n<td style=\"text-align: left;\"><code>INC_DEBUG_PRINT<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5c0d\u65bc sboot\uff0c\u9700\u8981\u9032\u884c\u6b63\u78ba\u7684\u914d\u7f6e\u4ee5\u7981\u7528\u4e32\u53e3\u63a7\u5236\u53f0\u3002<\/p>\n<hr 
\/>\n<h4>\u4e0d\u53ef\u8b8a\u7684\u74b0\u5883\u8b8a\u91cf<\/h4>\n<p>\u5728U-Boot\u4e2d\uff0c\u78ba\u4fdd\u5167\u6838\u547d\u4ee4\u884c\u3001\u555f\u52d5\u547d\u4ee4\u3001\u555f\u52d5\u5ef6\u9072\u548c\u5176\u4ed6\u74b0\u5883\u8b8a\u91cf\u662f\u4e0d\u53ef\u8b8a\u7684\u3002\u9019\u5c07\u901a\u904e\u5c07\u5f15\u5c0e\u9078\u64c7\u9650\u5236\u70ba\u50c5\u9583\u5b58\u4e2d\u7684\u93e1\u50cf\u4f86\u9632\u6b62\u5099\u7528\u93e1\u50cf\u7684\u5074\u9762\u52a0\u8f09\u3002<\/p>\n<p>\u74b0\u5883\u8b8a\u91cf\u61c9\u4f5c\u70ba\u9ed8\u8a8d\u74b0\u5883\u8b8a\u91cf\uff0c\u6210\u70ba U-Boot \u4e2d\u6587\u672c\u5340\u57df\u7684\u4e00\u90e8\u5206\uff0c\u800c\u4e0d\u662f\u5b58\u653e\u5728\u975e\u6613\u5931\u6027\u5167\u5b58\u4e2d\u3002<\/p>\n<p>\u522a\u9664\u8207\u975e\u6613\u5931\u6027\u5167\u5b58\u76f8\u95dc\u7684\u914d\u7f6e\u9078\u9805\uff0c\u4f8b\u5982\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_MMC<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_EEPROM<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_FLASH<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-4<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_DATAFLASH<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left;\">Boot-Consoles-Variables-5<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_FAT<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-6<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_NAND<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-7<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_NVRAM<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-8<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_ONENAND<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-9<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_SPI_FLASH<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-10<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_REMOTE<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-11<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_UBI<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-12<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_NOWHERE<\/code><\/td>\n<td style=\"text-align: left;\"><code>#define<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>\uff08\u5efa\u8b70\uff09\u522a\u9664\u5167\u5b58\u8f49\u5132\u547d\u4ee4<\/h3>\n<p>\u5728 U-Boot \u4e2d\uff0c\u61c9\u7981\u7528\u4ee5\u4e0b\u547d\u4ee4\u4ee5\u907f\u514d\u5167\u5b58\u8f49\u5132\uff1a<\/p>\n<pre><code>md : Memory Display command.\nmm : Memory modify 
command - auto incrementing address.\nnm : Memory modify command - constant address.\nmw : Memory write.\ncp : Memory copy.\nmwc : Memory write cyclic.\nmdc : Memory display cyclic.\nmtest : Simple ram read\/write test.\nloopw : Infinite write loop on address range.<\/code><\/pre>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Command<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-1<\/td>\n<td style=\"text-align: left;\"><code>md<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-2<\/td>\n<td style=\"text-align: left;\"><code>mm<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-3<\/td>\n<td style=\"text-align: left;\"><code>nm<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-4<\/td>\n<td style=\"text-align: left;\"><code>mw<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-5<\/td>\n<td style=\"text-align: left;\"><code>cp<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-6<\/td>\n<td style=\"text-align: left;\"><code>mwc<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-7<\/td>\n<td style=\"text-align: left;\"><code>mdc<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-8<\/td>\n<td style=\"text-align: left;\"><code>mtest<\/code><\/td>\n<td 
style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-9<\/td>\n<td style=\"text-align: left;\"><code>loopw<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u540c\u6a23\uff0c\u61c9\u5f9e sboot \u7981\u7528\u5167\u5b58\u8f49\u5132\u652f\u6301\u3002<\/p>\n<h2>4. \u865b\u64ec\u5316\u7ba1\u7406\u85cd\u5716<\/h2>\n<p><strong>\u5b9a\u7fa9<\/strong>\uff1a\u201c\u7ba1\u7406\u7a0b\u5e8f\u6216\u865b\u64ec\u6a5f\u76e3\u8996\u5668 (VMM) \u662f\u5275\u5efa\u548c\u904b\u884c\u865b\u64ec\u6a5f\u7684\u8a08\u7b97\u6a5f\u8edf\u9ad4\u3001\u97cc\u9ad4\u6216\u786c\u9ad4\u201d\u3002<\/p>\n<p>\u5b83\u5fc5\u9808\u5305\u62ec\u7c3d\u540d\u9a57\u8b49\uff08\u53ef\u80fd\u662f\u59d4\u8a17\u7684\uff09\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Hypervisor-Abstract-1<\/td>\n<td style=\"text-align: left;\">Complete Hypervisor part (<a href=\"https:\/\/github.com\/siemens\/jailhouse\">jailhouse<\/a> \/ <a href=\"https:\/\/www.linux-kvm.org\/page\/Main_Page\">KVM<\/a> \/ <a href=\"https:\/\/www.xenproject.org\/developers\/teams\/embedded-and-automotive.html\">Xen<\/a>).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>\u672c\u6a5f\u6216\u88f8\u6a5f\u7ba1\u7406\u7a0b\u5e8f<\/h3>\n<p>\u9019\u4e9b\u865b\u64ec\u6a5f\u7ba1\u7406\u7a0b\u5e8f\u76f4\u63a5\u5728\u4e3b\u6a5f\u7684\u786c\u9ad4\u4e0a\u904b\u884c\uff0c\u4ee5\u63a7\u5236\u786c\u9ad4\u4e26\u7ba1\u7406\u4f86\u8cd3\u64cd\u4f5c\u7cfb\u7d71\u3002\u9019\u4e9b\u662f\u6211\u5011\u611f\u8208\u8da3\u7684\u3002<\/p>\n<h2>5. 
<a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/05_Kernel\/\">\u5167\u6838\u85cd\u5716<\/a><\/h2>\n<p><strong>\u7cfb\u7d71\u5f37\u5316\uff1a<\/strong>\u8207\u57fa\u65bc\u5d4c\u5165\u5f0f Linux \u7684\u64cd\u4f5c\u7cfb\u7d71\u914d\u7f6e\u76f8\u95dc\u7684\u6700\u4f73\u5be6\u8e10\u3002\u672c\u7bc0\u5305\u62ec\u5167\u6838\u672c\u8eab\u7684\u5f37\u5316\uff0c\u4ee5\u53ca\u7528\u65bc\u9632\u6b62\u6839\u6587\u4ef6\u7cfb\u7d71\u7684\u69cb\u5efa\u548c\u914d\u7f6e\u4e2d\u7684\u5df2\u77e5\u6f0f\u6d1e\u7684\u7279\u5b9a\u914d\u7f6e\u548c\u88dc\u4e01\u3002<\/p>\n<p><strong><em>\u5728\u5167\u6838\u7d1a\u5225\uff0c\u6211\u5011\u5fc5\u9808\u78ba\u4fdd\u7121\u6cd5\u555f\u52d5\u4efb\u4f55\u63a7\u5236\u53f0\u3002\u5b83\u53ef\u7528\u65bc\u66f4\u6539\u7cfb\u7d71\u7684\u884c\u70ba\u6216\u7372\u53d6\u6709\u95dc\u4fc2\u7d71\u7684\u66f4\u591a\u4fe1\u606f\u3002\u53e6\u4e00\u65b9\u9762\u662f\u5167\u6838\u4f7f\u7528\u7684\u5167\u5b58\u7684\u4fdd\u8b77\u3002<\/em><\/strong><\/p>\n<p>\u63a5\u4e0b\u4f86\u7684\u5c0f\u7bc0\u5305\u542b\u6709\u95dc\u5404\u7a2e\u5167\u6838\u914d\u7f6e\u9078\u9805\u7684\u4fe1\u606f\uff0c\u4ee5\u589e\u5f37\u5167\u6838 (3.10.17) \u7684\u5b89\u5168\u6027\uff0c\u4ee5\u53ca\u70ba\u5229\u7528\u9019\u4e9b\u5b89\u5168\u529f\u80fd\u800c\u7de8\u8b6f\u7684\u61c9\u7528\u7a0b\u5e8f\u7684\u4fe1\u606f\u3002\u6b64\u5916\uff0c\u9084\u6709\u4e00\u4e9b\u914d\u7f6e\u9078\u9805\u53ef\u4ee5\u9632\u6b62\u5df2\u77e5\u7684\u6613\u53d7\u653b\u64ca\u7684\u914d\u7f6e\u9078\u9805\u3002\u4ee5\u4e0b\u662f\u90e8\u7f72\u6240\u9700\u7684\u5404\u7a2e\u5167\u6838\u914d\u7f6e\u7684\u9ad8\u7d1a\u6458\u8981\u3002<\/p>\n<h3>5.1 \u5167\u6838\u7248\u672c<\/h3>\n<p>AGL 
\u7cfb\u7d71\u5167\u6838\u7248\u672c\u7684\u9078\u64c7\u5c0d\u5176\u5b89\u5168\u6027\u81f3\u95dc\u91cd\u8981\u3002\u6839\u64da\u95c6\u5361\u985e\u578b\u548c\u6700\u7d42\u751f\u7522\u7cfb\u7d71\u7684\u4e0d\u540c\uff0c\u4f7f\u7528\u4e0d\u540c\u7684\u5167\u6838\u7248\u672c\u3002\u4f8b\u5982\uff0c\u6240\u7814\u7a76\u7684\u7cfb\u7d71\u4e4b\u4e00\u4f7f\u7528 Linux \u5167\u6838\u7248\u672c 3.10\uff0c\u800c\u53e6\u4e00\u500b\u7cfb\u7d71\u4f7f\u7528 Linux \u5167\u6838\u7248\u672c 4.4\u3002\u5c0d\u65bcLinux\u5167\u6838\u7248\u672c3.10.31\uff0c\u5b58\u572825\u500b\u5df2\u77e5\u6f0f\u6d1e\u3002\u9019\u4e9b\u6f0f\u6d1e\u5c07\u5141\u8a31\u653b\u64ca\u8005\u7372\u5f97\u7279\u6b0a\u3001\u7e5e\u904e\u8a2a\u554f\u9650\u5236\u3001\u5141\u8a31\u5167\u5b58\u640d\u58de\u6216\u5c0e\u81f4\u62d2\u7d55\u670d\u52d9\u3002\u76f8\u6bd4\u4e4b\u4e0b\uff0cLinux \u5167\u6838\u7248\u672c 4.4 \u7684\u5df2\u77e5\u6f0f\u6d1e\u8981\u5c11\u5f97\u591a\u3002<strong><em>\u56e0\u6b64\uff0c\u6211\u5011\u901a\u5e38\u6703\u63a8\u85a6\u8f03\u65b0\u7684\u5167\u6838\u7248\u672c\u4f5c\u70ba\u5e73\u53f0\u7684\u57fa\u790e\u3002<\/em><\/strong><\/p>\n<p>\u8acb\u6ce8\u610f\uff0c\u5118\u7ba1\u6700\u65b0\u5167\u6838\u7248\u672c\u4e2d\u7684\u5df2\u77e5\u6f0f\u6d1e\u8f03\u5c11\uff0c\u4f46\u6f5b\u5728\u7684\u672a\u77e5\u6f0f\u6d1e\u53ef\u80fd\u5f88\u591a\u3002\u7d93\u9a57\u6cd5\u5247\u662f\u76e1\u53ef\u80fd\u66f4\u65b0\u5167\u6838\u4ee5\u907f\u514d\u60a8\u78ba\u5be6\u77e5\u9053\u7684\u554f\u984c\uff0c\u4f46\u60a8\u4e0d\u61c9\u8a72\u5c0d\u60a8\u5c0d\u5b83\u7684\u4fe1\u4efb\u611f\u5230\u81ea\u6eff\u3002\u7136\u5f8c\u5c07\u61c9\u7528\u7e31\u6df1\u9632\u79a6\u65b9\u6cd5\u3002<\/p>\n<p>\u5982\u679c\u5347\u7d1a\u5230\u8f03\u65b0\u7684\u5167\u6838\u7248\u672c\uff08\u4f8b\u5982\u8a2d\u5099\u9a45\u52d5\u7a0b\u5e8f\u3001\u4e3b\u677f\u652f\u6301\u63d0\u4f9b\u5546\uff09\u5b58\u5728\u9650\u5236\u548c\u4f9d\u8cf4\u6027\uff0c\u4e26\u4e14\u60a8\u88ab\u8feb\u4f7f\u7528\u8f03\u820a\u7684Linux 
\u5167\u6838\u7248\u672c\uff0c\u5247\u9700\u8981\u63a1\u53d6\u984d\u5916\u7684\u63aa\u65bd\u4f86\u964d\u4f4e\u5167\u6838\u6f0f\u6d1e\u5229\u7528\u7684\u98a8\u96aa\uff0c\u9019\u53ef\u4ee5\u5305\u62ec\u5167\u5b58\u76e3\u63a7\u3001\u770b\u9580\u72d7\u670d\u52d9\u548c\u7cfb\u7d71\u8abf\u7528\u639b\u9264\u3002\u5728\u9019\u7a2e\u60c5\u6cc1\u4e0b\uff0c\u53ef\u80fd\u9700\u8981\u9032\u4e00\u6b65\u7684\u6df1\u5ea6\u9632\u79a6\u6280\u8853\u4f86\u6e1b\u8f15\u5df2\u77e5\u6f0f\u6d1e\u7684\u653b\u64ca\u98a8\u96aa\uff0c\u5176\u4e2d\u9084\u5305\u62ec\u5c0d\u6613\u53d7\u7be1\u6539\u7684\u7d44\u4ef6\u9032\u884c\u904b\u884c\u6642\u5b8c\u6574\u6027\u9a57\u8b49\u3002<\/p>\n<h3>5.2 \u5167\u6838\u69cb\u5efa\u914d\u7f6e<\/h3>\n<p>\u5167\u6838\u69cb\u5efa\u914d\u7f6e\u5c0d\u65bc\u78ba\u5b9a\u670d\u52d9\u8a2a\u554f\u7d1a\u5225\u548c\u6e1b\u5c11\u653b\u64ca\u9762\u7684\u5ee3\u5ea6\u6975\u5176\u91cd\u8981\u3002Linux \u5305\u542b\u5927\u91cf\u9748\u6d3b\u7684\u529f\u80fd\uff0c\u9019\u53ea\u80fd\u901a\u904e\u69cb\u5efa\u914d\u7f6e\u4f86\u63a7\u5236\u3002\u4f8b\u5982\uff0c\u8a72<code>CONFIG_MODULES<\/code>\u53c3\u6578\u5141\u8a31\u5728\u904b\u884c\u6642\u52a0\u8f09\u5167\u6838\u6a21\u7d44\uff0c\u5f9e\u800c\u64f4\u5c55\u5167\u6838\u7684\u529f\u80fd\u3002\u9700\u8981\u5728\u904b\u884c\u6642\u901a\u904e\u5176\u4ed6\u914d\u7f6e\u53c3\u6578\u4f86\u6291\u88fd\u6216\u63a7\u5236\u6b64\u529f\u80fd\u3002\u4f8b\u5982\uff0c<code>CONFIG_MODULE_SIG_FORCE=y<\/code> \u78ba\u4fdd\u50c5\u52a0\u8f09\u7c3d\u540d\u7684\u6a21\u7d44\u3002\u6709\u5927\u91cf\u7684\u5167\u6838\u914d\u7f6e\u53c3\u6578\uff0c\u672c\u7bc0\u5c07\u8a73\u7d30\u8a0e\u8ad6\u9019\u4e9b\u53c3\u6578\u3002<\/p>\n<h3>5.3 \u901a\u7528\u914d\u7f6e<\/h3>\n<h4>\u5f37\u5236\u8a2a\u554f\u63a7\u5236<\/h4>\n<p>\u5167\u6838\u61c9\u8a72\u4f7f\u7528\u6a19\u7c64\u548c\u7b56\u7565\u4f86\u63a7\u5236\u8a2a\u554f\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> 
name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-1<\/td>\n<td style=\"text-align: left;\">CONFIG_IP_NF_SECURITY<\/td>\n<td style=\"text-align: left;\">m<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-2<\/td>\n<td style=\"text-align: left;\">CONFIG_IP6_NF_SECURITY<\/td>\n<td style=\"text-align: left;\">m<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-3<\/td>\n<td style=\"text-align: left;\">CONFIG_EXT2_FS_SECURITY<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-4<\/td>\n<td style=\"text-align: left;\">CONFIG_EXT3_FS_SECURITY<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-5<\/td>\n<td style=\"text-align: left;\">CONFIG_EXT4_FS_SECURITY<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-6<\/td>\n<td style=\"text-align: left;\">CONFIG_SECURITY<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-7<\/td>\n<td style=\"text-align: left;\">CONFIG_SECURITY_SMACK<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-8<\/td>\n<td style=\"text-align: left;\">CONFIG_TMPFS_XATTR<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u53e6\u8acb\u53c3\u95b1<a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/05_Kernel\/5_Platform.md\">Platform \u4e2d\u7684\u5f37\u5236\u8a2a\u554f\u63a7\u88fd\u6587\u6a94<\/a>\u3002<a href=\"https:\/\/en.wikipedia.org\/wiki\/Mandatory_access_control\"><strong>\u60a8\u9084\u53ef\u4ee5\u5728\u7dad\u57fa\u767e\u79d1\u4e0a\u627e\u5230\u6709\u95dcMAC<\/strong><\/a>\u548c <a 
href=\"https:\/\/en.wikipedia.org\/wiki\/Simplified_Mandatory_Access_Control_Kernel\"><strong>SMACK<\/strong><\/a>\u7684\u6709\u7528\u6587\u6a94\u548c\u93c8\u63a5 \u3002<\/p>\n<hr \/>\n<h4>\u7981\u7528 kexec<\/h4>\n<p><strong>Kexec<\/strong>\u662f\u4e00\u500b\u7cfb\u7d71\u8abf\u7528\uff0c\u4f7f\u60a8\u80fd\u5920\u5f9e\u7576\u524d\u904b\u884c\u7684\u5167\u6838\u52a0\u8f09\u4e26\u5f15\u5c0e\u5230\u53e6\u4e00\u500b\u5167\u6838\u3002<strong>\u751f\u7522\u74b0\u5883\u4e2d\u4e0d\u9700\u8981\u6b64\u529f\u80fd<\/strong>\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-kexec-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KEXEC<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>kexec<\/strong>\u53ef\u4ee5\u52a0\u8f09\u4efb\u610f\u5167\u6838\uff0c\u4f46\u53ef\u4ee5\u5f37\u5236\u57f7\u884c\u65b0\u5167\u6838\u7684\u7c3d\u540d\uff0c\u5c31\u50cf\u53ef\u4ee5\u5f37\u5236\u57f7\u884c\u65b0\u6a21\u7d44\u4e00\u6a23\u3002<\/p>\n<hr \/>\n<h4>\u7981\u7528\u5167\u6838 IP \u81ea\u52d5\u914d\u7f6e<\/h4>\n<p>\u6700\u597d\u4f7f\u7528\u7528\u6236\u7a7a\u9593\u5de5\u5177\u57f7\u884c IP \u914d\u7f6e\uff0c\u56e0\u70ba\u9019\u4e9b\u5de5\u5177\u5f80\u5f80\u5177\u6709\u66f4\u591a\u9a57\u8b49\u6027\u3002\u5728\u7cfb\u7d71\u6b63\u5e38\u555f\u52d5\u4e4b\u524d\uff0c\u6211\u5011\u4e0d\u5e0c\u671b\u7db2\u7d61\u63a5\u53e3\u555f\u52d5\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-IPAutoConf-1<\/td>\n<td style=\"text-align: 
left;\"><code>CONFIG_IP_PNP<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528 Sysctl \u7cfb\u7d71\u8abf\u7528\u652f\u6301<\/h4>\n<p>\u555f\u7528\u6b64\u529f\u80fd\u5c07\u5c0e\u81f4\u5305\u542b\u96e3\u4ee5\u7dad\u8b77\u4e14\u672a\u7d93\u826f\u597d\u6e2c\u8a66\u7684\u4ee3\u78bc\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-SysCtl_SysCall-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SYSCTL_SYSCALL<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u820a\u7248 Linux \u652f\u6301<\/h4>\n<p>\u6709\u4e00\u4e9b\u5167\u6838\u914d\u7f6e\u50c5\u7528\u65bc\u652f\u6301\u820a\u7248\u4e8c\u9032\u88fd\u6587\u4ef6\u3002\u53e6\u8acb\u53c3\u95b1\u201c\u63a7\u5236\u53f0\u201d\u90e8\u5206\u4ee5\u7981\u7528\u5c0d\u820a\u4e8c\u9032\u5236\u683c\u5f0f\u7684\u652f\u6301\u3002\u7279\u5225\u662f <code>uselib<\/code> \u7cfb\u7d71\u8abf\u7528\uff0c\u5728\u8fd1\u5e74\u7684\u4efb\u4f55 <code>libc6<\/code> \u6216 <code>uclibc<\/code> \u7cfb\u7d71\u4e2d\u90fd\u6c92\u6709\u6709\u6548\u7684\u7528\u9014\u3002<strong>Linux 3.15 \u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301\u6b64\u914d\u7f6e\uff0c\u56e0\u6b64\u50c5\u61c9\u5728\u6b64\u985e\u7248\u672c\u4e2d\u7981\u7528\u6b64\u914d\u7f6e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-LegacyLinux-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_USELIB<\/code><\/td>\n<td style=\"text-align: 
left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u7528\u6236\u6a21\u5f0f\u7684\u97cc\u9ad4\u81ea\u52d5\u52a0\u8f09\u52a9\u624b<\/h4>\n<p>\u97cc\u9ad4\u81ea\u52d5\u52a0\u8f09\u52a9\u624b\uff0c\u662f\u7576 <code>setuid<\/code> \u88ab\u914d\u7f6e\u6642\uff0c\u53ef\u8b93\u5167\u6838\u900f\u904e<code>hotplug<\/code> \u4e8b\u4ef6\u7d44\u8981\u6c42\u57f7\u884c\u97cc\u9ad4\u7684\u5de5\u5177\u3002\u56e0\u6b64\uff0c\u5c0d\u65bc\u63a7\u5236\u8a2d\u5099\u4e0a\u7269\u7406\u7aef\u53e3\u7684\u653b\u64ca\u8005\u4f86\u8aaa\uff0c\u6b64\u5e6b\u52a9\u5de5\u5177\u662f\u4e00\u500b\u6709\u5438\u5f15\u529b\u7684\u76ee\u6a19\u3002\u8acb<strong>\u7981\u7528Linux 3.9 \u53ca\u66f4\u9ad8\u7248\u672c<\/strong>\u4e2d\u652f\u6301\u7684\u6b64\u914d\u7f6e \u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-FirmHelper-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_FW_LOADER_USER_HELPER<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u56b4\u683c\u4e0a\u4f86\u8aaa\u4e26\u4e0d\u9700\u8981<code>setuid<\/code>\uff0c\u53ef\u4ee5\u9078\u64c7\u5c07\u5167\u7f6e\u97cc\u9ad4\u50b3\u9001\u5230\u5167\u6838\u4e2d\uff0c\u800c\u7121\u9700 initrd\/\u6587\u4ef6\u7cfb\u7d71\u3002<\/p>\n<hr \/>\n<h4>\u5728 OOPS \u4e0a\u555f\u7528\u5167\u6838\u6050\u614c\uff08Kernel Panic\uff09<\/h4>\n<p>\u7576\u6a21\u7cca\u5167\u6838\u6216\u5617\u8a66\u5167\u6838\u6f0f\u6d1e\u6642\uff0c\u653b\u64ca\u8005\u53ef\u80fd\u6703\u89f8\u767c\u5167\u6838 OOPS\u3002\u5c07 OOPS \u4e0a\u7684\u884c\u70ba\u914d\u7f6e\u70ba PANIC \u53ef\u80fd\u6703\u963b\u7919\u4ed6\u5011\u7684\u9032\u5ea6\u3002<\/p>\n<p><strong>Linux 3.5 
\u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301\u6b64\u914d\u7f6e\uff0c\u56e0\u6b64\u61c9\u50c5\u91dd\u5c0d\u6b64\u985e\u7248\u672c\u555f\u7528\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-PanicOnOOPS-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_PANIC_ON_OOPS<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u5957\u63a5\u5b57\u76e3\u63a7\u63a5\u53e3<\/h4>\n<p>\u9019\u4e9b\u76e3\u8996\u5668\u53ef\u7528\u65bc\u6aa2\u67e5 Unix \u57df\u5957\u63a5\u5b57\u4e0a\u7684\u5171\u4eab\u6587\u4ef6\u63cf\u8ff0\u7b26\u6216\u201clocalhost\u201d\u4e0a\u7684\u6d41\u91cf\uff0c\u5426\u5247\u9019\u4e9b\u6d41\u91cf\u5c07\u88ab\u8996\u70ba\u6a5f\u5bc6\u3002<\/p>\n<p><strong>Linux 3.7 \u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301 <code>CONFIG_PACKET_DIAG<\/code> \u914d\u7f6e\uff0c\u56e0\u6b64\u50c5\u61c9\u5728\u6b64\u985e\u7248\u672c\u4e2d\u7981\u7528\u8a72\u914d\u7f6e\u3002<\/p>\n<p><strong>Linux 3.3 \u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301 <code>CONFIG_UNIX_DIAG<\/code> \u914d\u7f6e\uff0c\u56e0\u6b64\u50c5\u61c9\u5728\u6b64\u985e\u7248\u672c\u4e2d\u7981\u7528\u8a72\u914d\u7f6e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-SocketMon-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_PACKET_DIAG<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-SocketMon-2<\/td>\n<td style=\"text-align: 
left;\"><code>CONFIG_UNIX_DIAG<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528 BPF JIT<\/h4>\n<p>BPF JIT \u53ef\u7528\u65bc\u6839\u64da\u9632\u706b\u7246\u8868\u898f\u5247\u5275\u5efa\u5167\u6838\u6709\u6548\u8ca0\u8f09\u3002<\/p>\n<p><strong>Linux 3.16 \u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301\u6b64\u914d\u7f6e\uff0c\u56e0\u6b64\u61c9\u5728\u6b64\u985e\u7248\u672c\u4e2d\u7981\u7528\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-BPF_JIT-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_BPF_JIT<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u555f\u7528\u5f37\u5236\u6a21\u7d44\u7c3d\u540d<\/h4>\n<p>\u5167\u6838\u6c7a\u4e0d\u61c9\u8a72\u5141\u8a31\u975e\u7279\u6b0a\u7528\u6236\u52a0\u8f09\u7279\u5b9a\u5167\u6838\u6a21\u7d44\uff0c\u56e0\u70ba\u9019\u5c07\u63d0\u4f9b\u610f\u5916\u64f4\u5c55\u53ef\u7528\u653b\u64ca\u9762\u7684\u4fbf\u5229\u3002<\/p>\n<p>\u70ba\u4e86\u9632\u6b62\u7279\u6b0a\u7528\u6236\u7684\u653b\u64ca\uff0c\u7cfb\u7d71\u53ef\u80fd\u9700\u8981\u5b8c\u5168\u7981\u7528\u6a21\u7d44\u52a0\u8f09\uff0c\u6216\u8005\u63d0\u4f9b\u7c3d\u540d\u6a21\u7d44\uff08\u4f8b\u5982 <code>CONFIG_MODULE_SIG_FORCE<\/code>\uff0c\u6216\u5e36\u6709 LoadPin \u7684 dm-crypt\uff09\uff0c\u4ee5\u9632\u6b62 root \u901a\u904e\u6a21\u7d44\u52a0\u8f09\u5668\u63a5\u53e3\u52a0\u8f09\u4efb\u610f\u5167\u6838\u4ee3\u78bc\u3002<\/p>\n<p><strong>Linux 3.7 \u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301\u6b64\u914d\u7f6e\uff0c\u56e0\u6b64\u61c9\u50c5\u91dd\u5c0d\u6b64\u985e\u7248\u672c\u555f\u7528\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain 
\u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-ModuleSigning-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_MODULE_SIG_FORCE<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u9084\u53ef\u4ee5\u4f7f\u7528\u201ckernel.modules_disabled\u201d\u5728\u555f\u52d5\u5f8c\u963b\u6b62\u6a21\u7d44\u7684\u52a0\u8f09\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Variable<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-ModuleSigning-2<\/td>\n<td style=\"text-align: left;\"><code>kernel.modules_disabled<\/code><\/td>\n<td style=\"text-align: left;\"><code>1<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<hr \/>\n<h4>\u7981\u7528\u6240\u6709USB\u3001PCMCIA\uff08\u548c\u5176\u4ed6\u7e3d\u7dda\uff09\u9a45\u52d5\u7a0b\u5e8f\u4e0d\u9700\u8981\u7684 <code>hotplug<\/code><\/h4>\n<p>\u70ba\u4e86\u6e1b\u5c11\u653b\u64ca\u9762\uff0c<strong>\u9a45\u52d5\u7a0b\u5e8f\u679a\u8209\u3001\u63a2\u6e2c\u548c\u64cd\u4f5c\u90fd\u5728\u5167\u6838\u4e2d\u9032\u884c<\/strong>\u3002\u9a45\u52d5\u7a0b\u5e8f\u6578\u64da\u7531\u5167\u6838\u89e3\u6790\uff0c\u56e0\u6b64\u9019\u4e9b\u9a45\u52d5\u7a0b\u5e8f\u4e2d\u7684\u4efb\u4f55\u908f\u8f2f\u932f\u8aa4\u90fd\u53ef\u80fd\u6210\u70ba\u5167\u6838\u6f0f\u6d1e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-Drivers-1<\/td>\n<td style=\"text-align: left;\"><code>USB<\/code><\/td>\n<td style=\"text-align: 
left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-Drivers-2<\/td>\n<td style=\"text-align: left;\"><code>PCMCIA<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-Drivers-3<\/td>\n<td style=\"text-align: left;\">Other <code>hotplug<\/code> bus<\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u4f4d\u7f6e\u7121\u95dc\u7684\u53ef\u57f7\u884c\u6587\u4ef6<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-IndependentExec-1<\/td>\n<td style=\"text-align: left;\">Kernel or\/and platform part ? \u5167\u6838\u6216\/\u548c\u5e73\u53f0\u90e8\u5206\uff1f<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>compiler<\/code> and <code>linker<\/code> options<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-IndependentExec-1<\/td>\n<td style=\"text-align: left;\"><code>-pie -fpic<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5728\u652f\u6301\u5b83\u7684\u76ee\u6a19\u4e0a\u751f\u6210\u4f4d\u7f6e\u7121\u95dc\u7684\u53ef\u57f7\u884c\u6587\u4ef6\u3002<\/p>\n<hr \/>\n<h4>\u9632\u6b62\u8986\u84cb\u653b\u64ca<\/h4>\n<p><code>-z,relro<\/code>\u93c8\u63a5\u9078\u9805\u5728\u7a0b\u5e8f\u52a0\u8f09\u671f\u9593\u63d0\u4f9b\u5e6b\u52a9\uff0c\u93c8\u63a5\u5668\u9700\u8981\u5beb\u5165\u591a\u500b ELF 
\u5167\u5b58\u90e8\u5206\uff0c\u4f46\u53ef\u4ee5\u5728\u5c07\u63a7\u5236\u6b0a\u79fb\u4ea4\u7d66\u7a0b\u5e8f\u4e4b\u524d\u5c07\u5176\u8b8a\u70ba\u53ea\u8b80\u3002\u9019\u53ef\u4ee5\u9632\u6b62\u67d0\u4e9b\u5168\u5c40\u504f\u79fb\u8868 GOT \u8986\u84cb\u653b\u64ca\uff0c\u6216 ELF \u4e8c\u9032\u88fd\u6587\u4ef6\u7684 dtors \u90e8\u5206\u4e2d\u7684\u653b\u64ca\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>compiler<\/code> and <code>linker<\/code> options<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-OverwriteAttacks-1<\/td>\n<td style=\"text-align: left;\"><code>-z,relro<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-OverwriteAttacks-2<\/td>\n<td style=\"text-align: left;\"><code>-z,now<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5728\u7a0b\u5e8f\u52a0\u8f09\u671f\u9593\uff0c\u6240\u6709\u52d5\u614b\u7b26\u865f\u90fd\u6703\u88ab\u89e3\u6790\uff0c\u5f9e\u800c\u5141\u8a31\u5c07\u5b8c\u6574\u7684 GOT \u6a19\u8a18\u70ba\u53ea\u8b80\uff08\u7531\u65bc<code>-z relro<\/code>\u4e0a\u8ff0\u539f\u56e0\uff09\u3002\u9019\u53ef\u4ee5\u9632\u6b62 GOT \u8986\u84cb\u653b\u64ca\u3002\u5c0d\u65bc\u975e\u5e38\u5927\u7684\u61c9\u7528\u7a0b\u5e8f\uff0c\u9019\u53ef\u80fd\u6703\u5728\u89e3\u6790\u7b26\u865f\u6642\u521d\u59cb\u52a0\u8f09\u671f\u9593\u5c0e\u81f4\u4e00\u4e9b\u6027\u80fd\u640d\u5931\uff0c\u4f46\u9019\u5c0d\u65bc\u5b88\u8b77\u7a0b\u5e8f\u4f86\u8aaa\u4e0d\u61c9\u8a72\u662f\u554f\u984c\u3002<\/p>\n<hr \/>\n<h4>\u5eab\u93c8\u63a5<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: 
left;\">Kernel-General-LibraryLinking-1<\/td>\n<td style=\"text-align: left;\">Keep this part? \u4fdd\u7559\u9019\u90e8\u5206\u55ce\uff1f<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>\u5efa\u8b70\u4e00\u822c\u60c5\u6cc1\u4e0b\u4e0d\u5141\u8a31\u52d5\u614b\u93c8\u63a5<\/strong>\uff0c\u4ee5\u907f\u514d\u7528\u6236\u7528\u60e1\u610f\u5eab\u66ff\u63db\u5eab\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-LibraryLinking-1<\/td>\n<td style=\"text-align: left;\">Dynamic linking<\/td>\n<td style=\"text-align: left;\">Should generally not be allowed.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u975c\u614b\u93c8\u63a5\u6240\u6709\u5167\u5bb9\u5728\u5b89\u5168\u6027\u4e0a\u4e0d\u6703\u6709\u4efb\u4f55\u6539\u8b8a\uff0c\u56e0\u70ba\u4e8c\u9032\u88fd\u6587\u4ef6\u5c07\u8207\u5eab\u4f4d\u65bc\u76f8\u540c\u7684 user:group \u4e0b\uff0c\u800c setuid \u53ef\u57f7\u884c\u6587\u4ef6\u6703\u5ffd\u7565 <code>LD_PRELOAD\/LD_LIBRARY_PATH<\/code>\u3002\u5b83\u9084\u6703\u589e\u52a0 RSS \u4f54\u7528\u7a7a\u9593\u4e26\u9020\u6210\u5347\u7d1a\u554f\u984c\u3002<\/p>\n<h3>5.4 \u8a18\u61b6\u9ad4<\/h3>\n<h4>\u9650\u5236\u5c0d\u5167\u6838\u5167\u5b58\u7684\u8a2a\u554f<\/h4>\n<p>Linux\u7cfb\u7d71\u4e2d\u7684\/dev\/kmem\u6587\u4ef6\u76f4\u63a5\u6620\u5c04\u5230\u5167\u6838\u865b\u64ec\u5167\u5b58\u3002\u5982\u679c\u653b\u64ca\u8005\u7372\u5f97 root \u8a2a\u554f\u6b0a\u9650\uff0c\u9019\u53ef\u80fd\u662f\u707d\u96e3\u6027\u7684\uff0c\u56e0\u70ba\u653b\u64ca\u8005\u53ef\u4ee5\u76f4\u63a5\u8a2a\u554f\u5167\u6838\u865b\u64ec\u5167\u5b58\u3002<\/p>\n<p>\u8981\u7981\u7528\u61c9\u7528\u7a0b\u5e8f\u5f88\u5c11\u4f7f\u7528\u7684 <strong>\/dev\/kmem<\/strong> 
\u6587\u4ef6\uff0c\u61c9\u5728\u7de8\u8b6f\u6642\u5167\u6838\u914d\u7f6e\u4e2d\u914d\u7f6e\u4ee5\u4e0b\u5167\u6838\u9078\u9805\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-RestrictAccess-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEVKMEM<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5982\u679c\u7528\u6236\u7a7a\u9593\u4e2d\u7684\u61c9\u7528\u7a0b\u5e8f\u9700\u8981 \/dev\/kmem \u652f\u6301\uff0c\u5247\u5b83\u61c9\u8a72\u50c5\u9069\u7528\u65bc\u7d93\u904e\u8eab\u4efd\u9a57\u8b49\u7684\u61c9\u7528\u7a0b\u5e8f\u3002<\/p>\n<hr \/>\n<h4>\u7981\u7528\u5c0d\u5167\u6838\u5167\u6838\u8f49\u5132\uff08CoreDump\uff09\u7684\u8a2a\u554f<\/h4>\n<p>\u6b64\u5167\u6838\u914d\u7f6e\u7981\u6b62\u5f9e\u7528\u6236\u7a7a\u9593\u8a2a\u554f\u5167\u6838\u5167\u6838\u8f49\u5132\u3002\u5982\u679c\u555f\u7528\uff0c\u5b83\u53ef\u4ee5\u70ba\u653b\u64ca\u8005\u63d0\u4f9b\u5167\u6838\u5167\u5b58\u7684\u6709\u7528\u8996\u5716\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-CoreDump-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_PROC_KCORE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u4ea4\u63db 
\uff08SWAP\uff09<\/h4>\n<p>\u5982\u679c\u4e0d\u7981\u7528\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u5728\u904b\u884c\u6642\u555f\u7528\u4ea4\u63db\uff0c\u7d66\u5167\u5b58\u5b50\u7cfb\u7d71\u589e\u52a0\u58d3\u529b\uff0c\u7136\u5f8c\u641c\u7d22\u5beb\u5165\u4ea4\u63db\u7684\u9801\u9762\u4ee5\u7372\u53d6\u6709\u7528\u7684\u4fe1\u606f\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-Swap-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SWAP<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li>\u5728\u904b\u884c\u6642\u555f\u7528\u4ea4\u63db\u9700\u8981<code>CAP_SYS_ADMIN<\/code>.<\/li>\n<li>\u4ea4\u63db\u584a\u8a2d\u5099\u901a\u5e38\u4f4d\u65bc root:disk \u4e0b\u3002<\/li>\n<li>Linux \u5f9e\u4e0d\u4ea4\u63db\u5167\u6838\u9801\u9762\u3002<\/li>\n<li>\u5982\u679c\u7121\u6cd5\u7981\u7528\u4ea4\u63db\uff0c\u5247\u61c9\u555f\u7528\u4ea4\u63db\u52a0\u5bc6\u3002<\/li>\n<\/ul>\n<hr \/>\n<h4>\u7981\u7528\u201c\u52a0\u8f09\u6240\u6709\u7b26\u865f\u201d \uff08LoadAllSymbols\uff09<\/h4>\n<p>\u6709\u4e00\u500b \/proc\/kallsyms \u6587\u4ef6\uff0c\u5b83\u516c\u958b\u4e86\u8a31\u591a\u5167\u6838\u7b26\u865f\uff08\u51fd\u6578\u3001\u8b8a\u91cf\u7b49\uff09\u7684\u5167\u6838\u5167\u5b58\u7a7a\u9593\u5730\u5740\u3002\u6b64\u4fe1\u606f\u5c0d\u65bc\u653b\u64ca\u8005\u8b58\u5225\u5167\u6838\u7248\u672c\/\u914d\u7f6e\u4ee5\u53ca\u70ba\u5229\u7528\u5167\u6838\u7a7a\u9593\u6e96\u5099\u6709\u6548\u8ca0\u8f09\u975e\u5e38\u6709\u7528\u3002<\/p>\n<p><code>KALLSYMS_ALL<\/code> \u548c <code>KALLSYMS<\/code>\u5747\u61c9\u88ab\u7981\u7528\uff1b<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th 
style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-LoadAllSymbols-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KALLSYMS<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-LoadAllSymbols-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KALLSYMS_ALL<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u5141\u7528\u5806\u68e7\u4fdd\u8b77\uff08Stack Protector\uff09<\/h4>\n<p>\u70ba\u4e86\u9632\u6b62\u5806\u68e7\u5d29\u6f70\uff0c\u985e\u4f3c\u65bc\u7528\u6236\u7a7a\u9593\u4e2d ELF \u7a0b\u5e8f\u4f7f\u7528\u7684\u5806\u68e7\u4fdd\u8b77\u5668\uff0c\u5167\u6838\u4e5f\u53ef\u4ee5\u4fdd\u8b77\u5176\u5167\u90e8\u5806\u68e7\u3002<\/p>\n<p><strong>Linux 3.11 \u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301\u6b64\u914d\u7f6e\uff0c\u56e0\u6b64\u61c9\u50c5\u91dd\u5c0d\u6b64\u985e\u7248\u672c\u555f\u7528\u3002<\/p>\n<p><strong>\u6b64\u914d\u7f6e\u9084\u9700\u8981\u4f7f\u7528gcc \u7de8\u8b6f\u5668 4.2 \u6216\u66f4\u9ad8\u7248\u672c<\/strong>\u69cb\u5efa\u5167\u6838\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-Stack-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CC_STACKPROTECTOR<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5176\u4ed6\u9632\u79a6\u63aa\u65bd\u5305\u62ec\u5f71\u5b50\u5806\u68e7\u4e4b\u985e\u7684\u6771\u897f\u3002<\/p>\n<hr \/>\n<h4>\u7981\u6b62\u8a2a\u554f 
\/dev\/mem<\/h4>\n<p>Linux\u7cfb\u7d71\u4e2d\u7684\/dev\/mem\u6587\u4ef6\u76f4\u63a5\u6620\u5c04\u5230\u7269\u7406\u5167\u5b58\u3002\u5982\u679c\u653b\u64ca\u8005\u7372\u5f97 root \u8a2a\u554f\u6b0a\u9650\uff0c\u9019\u53ef\u80fd\u662f\u707d\u96e3\u6027\u7684\uff0c\u56e0\u70ba\u653b\u64ca\u8005\u53ef\u4ee5\u901a\u904e\u9019\u500b\u65b9\u4fbf\u7684\u8a2d\u5099\u6587\u4ef6\u76f4\u63a5\u8a2a\u554f\u7269\u7406\u5167\u5b58\u3002\u53ef\u80fd\u4e26\u4e0d\u7e3d\u662f\u53ef\u4ee5\u7981\u7528\u6b64\u985e\u6587\u4ef6\uff0c\u56e0\u70ba\u67d0\u4e9b\u61c9\u7528\u7a0b\u5e8f\u53ef\u80fd\u9700\u8981\u6b64\u985e\u652f\u6301\u3002\u5728\u9019\u7a2e\u60c5\u6cc1\u4e0b\uff0c\u8a72\u8a2d\u5099\u6587\u4ef6\u61c9\u50c5\u53ef\u7528\u65bc\u7d93\u904e\u8eab\u4efd\u9a57\u8b49\u7684\u61c9\u7528\u7a0b\u5e8f\u3002<\/p>\n<p><strong>Linux 4.0 \u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301\u6b64\u914d\u7f6e\uff0c\u56e0\u6b64\u50c5\u61c9\u5728\u6b64\u985e\u7248\u672c\u4e2d\u7981\u7528\u6b64\u914d\u7f6e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-Access-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEVMEM<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u8de8\u5167\u5b58\u9023\u63a5<\/h4>\n<p>\u7981\u7528 <code>process_vm_*v<\/code> \u7cfb\u7d71\u8abf\u7528\uff0c\u8a72\u7cfb\u7d71\u8abf\u7528\u5141\u8a31\u4e00\u500b\u9032\u7a0b\u5b58\u53d6\u53e6\u4e00\u500b\u9032\u7a0b\u7684\u865b\u64ec\u5167\u5b58\u3002<\/p>\n<p><strong>Linux 3.5 \u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301\u6b64\u914d\u7f6e\uff0c\u56e0\u6b64\u50c5\u61c9\u5728\u6b64\u985e\u7248\u672c\u4e2d\u7981\u7528\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain 
\u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-CrossMemAttach-1<\/td>\n<td style=\"text-align: left;\"><code>CROSS_MEMORY_ATTACH<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u5141\u7528\u5806\u68e7\u7c89\u788e\u653b\u64ca\u6aa2\u67e5<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>compiler<\/code> and <code>linker<\/code> options<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-StackSmashing-1<\/td>\n<td style=\"text-align: left;\"><code>-fstack-protector-all<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u767c\u51fa\u984d\u5916\u7684\u4ee3\u78bc\u4f86\u6aa2\u67e5\u7de9\u885d\u5340\u6ea2\u51fa\uff0c\u4f8b\u5982\u5806\u68e7\u7c89\u788e\u653b\u64ca\u3002<\/p>\n<hr \/>\n<h4>\u5141\u8a31\u6aa2\u6e2c\u7de9\u885d\u5340\u6ea2\u51fa<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>compiler<\/code> options and <code>config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-BufferOverflows-1<\/td>\n<td style=\"text-align: left;\"><code>-D_FORTIFY_SOURCE<\/code><\/td>\n<td style=\"text-align: left;\"><code>2<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-BufferOverflows-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_FORTIFY_SOURCE<\/code><\/td>\n<td style=\"text-align: 
left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5e6b\u52a9\u6aa2\u6e2c\u4e00\u4e9b\u7de9\u885d\u5340\u6ea2\u51fa\u932f\u8aa4\u3002<\/p>\n<h3>5.5 \u4e32\u53e3\u63a7\u5236\u53f0\uff08Serial Console\uff09<\/h3>\n<h4>\u7981\u7528\u4e32\u53e3\u63a7\u5236\u53f0<\/h4>\n<p>\u61c9\u7981\u7528\u4e32\u53e3\u63a7\u5236\u53f0\u4ee5\u9632\u6b62\u653b\u64ca\u8005\u8a2a\u554f\u9019\u500b\u5f37\u5927\u7684\u63a5\u53e3\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-Serial-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SERIAL_8250<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-Serial-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SERIAL_8250_CONSOLE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-Serial-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SERIAL_CORE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-Serial-4<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SERIAL_CORE_CONSOLE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u8abf\u6574\u5167\u6838\u547d\u4ee4\u884c\uff08Kernel Command Line\uff09<\/h4>\n<p>\u5167\u6838\u547d\u4ee4\u884c\u7528\u65bc\u63a7\u5236\u5f15\u5c0e\u5167\u6838\u7684\u8a31\u591a\u65b9\u9762\uff0c\u4e26\u4e14\u5f88\u5bb9\u6613\u88ab\u7be1\u6539\uff0c\u56e0\u70ba\u5b83\u5011\u5728 RAM 
\u4e2d\u50b3\u905e\uff0c\u800c\u5c0d\u9019\u4e9b\u53c3\u6578\u5e7e\u4e4e\u6c92\u6709\u53cd\u5411\u9a57\u8b49\u3002\u70ba\u4e86\u9632\u6b62\u9019\u7a2e\u985e\u578b\u7684\u653b\u64ca\uff0c\u5167\u6838\u61c9\u914d\u7f6e\u70ba\u5ffd\u7565\u547d\u4ee4\u884c\u53c3\u6578\uff0c\u4e26\u4f7f\u7528\u9810\u914d\u7f6e\uff08\u7de8\u8b6f\u6642\uff09\u9078\u9805\u3002<\/p>\n<p>\u5728\u8a72\u9805\u4e2d\u914d\u7f6e\u5167\u6838\u547d\u4ee4\u884c<code>CONFIG_CMDLINE KConfig<\/code>\uff0c\u7136\u5f8c\u4e0d\u5f9e\u5f15\u5c0e\u52a0\u8f09\u7a0b\u5e8f\u50b3\u905e\u4efb\u4f55\u53c3\u6578\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-CommandLine-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CMDLINE_BOOL<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-CommandLine-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CMDLINE<\/code><\/td>\n<td style=\"text-align: left;\"><code>&quot;insert kernel command line here&quot;<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-CommandLine-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CMDLINE_OVERRIDE<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5efa\u8b70\u5f9e\u53ea\u8b80\u5b58\u5132\u5668\uff08\u6216\u6587\u4ef6\uff09\u5b58\u5132\u548c\u8a2a\u554f\u6bcf\u500b\u8a2d\u5099\u7684\u4efb\u4f55\u914d\u7f6e\uff08\u4f8b\u5982\uff1aMAC \u5730\u5740\u3001\u5e8f\u5217\u865f\u7b49\uff09\uff0c\u4e26\u4e14\u5728\u4f7f\u7528\u4efb\u4f55\u6b64\u985e\u53c3\u6578\u4e4b\u524d\u5c0d\u5176\u9032\u884c\u9a57\u8b49\uff08\u7c3d\u540d\u6aa2\u67e5\uff09 \u3002<\/p>\n<hr \/>\n<h4>\u7981\u7528 KGDB<\/h4>\n<p>Linux \u5167\u6838\u901a\u904e USB 
\u548c\u63a7\u5236\u53f0\u7aef\u53e3\u652f\u6301 KGDB\u3002\u9019\u4e9b\u6a5f\u5236\u7531<code>kgdbdbgp<\/code>\u548c<code>kgdboc<\/code>\u5167\u6838\u547d\u4ee4\u884c\u53c3\u6578\u63a7\u5236\u3002\u91cd\u8981\u7684\u662f\u8981\u78ba\u4fdd\u6c92\u6709\u767c\u5e03\u7684\u7522\u54c1\u5305\u542b\u7de8\u8b6f\u6709 KGDB \u7684\u5167\u6838\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-KDBG-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KGDB<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528 magic sysrq \u652f\u6301<\/h4>\n<p>\u5728\u67d0\u4e9b\u9ad4\u7cfb\u7d50\u69cb\u4e0a\uff0c\u60a8\u53ef\u4ee5\u901a\u904e\u9375\u76e4\u8a2a\u554f\u529f\u80fd\u5f37\u5927\u7684\u8abf\u8a66\u5668\u754c\u9762\u3002\u540c\u6a23\u5f37\u5927\u7684\u754c\u9762\u53ef\u4ee5\u51fa\u73fe\u5728\u5176\u4ed6\u67b6\u69cb\u4e0a\u7684 Linux \u7684\u4e32\u53e3\u63a7\u5236\u53f0\uff08\u97ff\u61c9\u4e32\u884c\u4e2d\u65b7\uff09\u4e0a\u3002\u7981\u7528\u4ee5\u907f\u514d\u6f5b\u5728\u5730\u66b4\u9732\u9019\u500b\u5f37\u5927\u7684\u5f8c\u9580\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-SysRQ-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_MAGIC_SYSRQ<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u5c0d\u9664 ELF 
\u4e4b\u5916\u7684\u4e8c\u9032\u5236\u683c\u5f0f\u7684\u652f\u6301<\/h4>\n<p>\u9019\u5c07\u4f7f\u5305\u88dd\u9a45\u52d5\u7684\u4e8c\u9032\u5236\u683c\u5f0f\u80fd\u5920\u63d2\u5165\u5167\u6838\u3002\u5b83\u652f\u6301 ELF \u4ee5\u5916\u7684\u4e8c\u9032\u5236\u683c\u5f0f\u3002\u63d0\u4f9b\u4f7f\u7528\u5099\u7528\u89e3\u91cb\u5668\u7684\u80fd\u529b\u5c07\u6709\u52a9\u65bc\u653b\u64ca\u8005\u767c\u73fe\u653b\u64ca\u5411\u91cf\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-BinaryFormat-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_BINFMT_MISC<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>5.6 \u8abf\u8a66<\/h3>\n<p>\u6587\u4ef6\u7cfb\u7d71\u4e0a\u4e0d\u61c9\u5b58\u5728\u8abf\u8a66\u5668\u3002\u9019\u5305\u62ec\u4f46\u4e0d\u9650\u65bc GNU \u8abf\u8a66\u5668\u5ba2\u6236\u7aef\/\u670d\u52d9\u5668\uff08\u901a\u5e38\u4ee5\u5176\u7e2e\u5beb\u540d\u7a31\u800c\u805e\u540d\uff0c\u4f8b\u5982\u5206\u5225\u70ba<code>gdb<\/code>\u548c<code>gdbserver<\/code>\u53ef\u57f7\u884c\u4e8c\u9032\u88fd\u6587\u4ef6\uff09\u3001 
<code>LLDB<\/code>\u4e0b\u4e00\u4ee3\u8abf\u8a66\u5668\u6216<code>TCF<\/code>\uff08\u76ee\u6a19\u901a\u4fe1\u6846\u67b6\uff09\u7121\u95dc\u6846\u67b6\u3002\u5c07\u9019\u4e9b\u4e8c\u9032\u88fd\u6587\u4ef6\u4f5c\u70ba\u6587\u4ef6\u7cfb\u7d71\u7684\u4e00\u90e8\u5206\u5c07\u6709\u52a9\u65bc\u653b\u64ca\u8005\u5c0d\u8a2d\u5099\u4e0a\u7576\u524d\u6b63\u5728\u57f7\u884c\u7684\u4efb\u4f55\u9032\u7a0b\u9032\u884c\u9006\u5411\u5de5\u7a0b\u548c\u8abf\u8a66\uff08\u672c\u5730\u6216\u9060\u7a0b\uff09\u3002<\/p>\n<h4>\u7981\u7528\u5167\u6838\u8abf\u8a66\u7b26\u865f<\/h4>\n<p>\u61c9\u59cb\u7d42\u5f9e\u751f\u7522\u5167\u6838\u4e2d\u522a\u9664\u8abf\u8a66\u7b26\u865f\uff0c\u56e0\u70ba\u5b83\u5011\u70ba\u653b\u64ca\u8005\u63d0\u4f9b\u4e86\u5927\u91cf\u4fe1\u606f\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Symbols-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEBUG_INFO<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u9019\u4e9b\u5167\u6838\u8abf\u8a66\u7b26\u865f\u7531\u5167\u6838\u4e2d\u7684\u5176\u4ed6\u914d\u7f6e\u9805\u555f\u7528\u3002\u9084\u61c9\u6ce8\u610f\u7981\u7528\u5b83\u5011\u3002\u5982\u679c<code>CONFIG_DEBUG_INFO<\/code>\u7121\u6cd5\u7981\u7528\uff0c\u90a3\u9ebc\u555f\u7528<code>CONFIG_DEBUG_INFO_REDUCED<\/code>\u662f\u6b21\u4f73\u7684\u3002<\/p>\n<p>\u81f3\u5c11<code>CONFIG_DEBUG_INFO_REDUCED<\/code>\u61c9\u8a72\u59cb\u7d42\u5141\u8a31\u958b\u767c\u4eba\u54e1\u5c07 oops \u6d88\u606f\u4e2d\u7684\u5730\u5740\u8f49\u63db\u70ba\u884c\u865f\u3002<\/p>\n<hr \/>\n<h4>\u7981\u7528 Kprobe<\/h4>\n<p>Kprobes 
\u4f7f\u60a8\u80fd\u5920\u52d5\u614b\u5730\u4fb5\u5165\u4efb\u4f55\u5167\u6838\u4f8b\u7a0b\u4e26\u7121\u4e2d\u65b7\u5730\u6536\u96c6\u8abf\u8a66\u548c\u6027\u80fd\u4fe1\u606f\u3002\u60a8\u53ef\u4ee5\u5728\u5e7e\u4e4e\u4efb\u4f55\u5167\u6838\u4ee3\u78bc\u5730\u5740\u8655\u6355\u7372\uff0c\u6307\u5b9a\u547d\u4e2d\u65b7\u9ede\u6642\u8981\u8abf\u7528\u7684\u8655\u7406\u7a0b\u5e8f\u4f8b\u7a0b\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Kprobes-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KPROBES<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u8ddf\u8e2a<\/h4>\n<p>FTrace \u4f7f\u5167\u6838\u80fd\u5920\u8ddf\u8e2a\u6bcf\u500b\u5167\u6838\u51fd\u6578\u3002\u63d0\u4f9b\u5167\u6838\u8ddf\u8e2a\u529f\u80fd\u5c07\u5e6b\u52a9\u653b\u64ca\u8005\u767c\u73fe\u653b\u64ca\u5411\u91cf\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Tracing-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_FTRACE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u5206\u6790<\/h4>\n<p>\u5206\u6790\u548c OProfile \u53ef\u4ee5\u5206\u6790\u6574\u500b\u7cfb\u7d71\uff0c\u5305\u62ec\u5167\u6838\u3001\u5167\u6838\u6a21\u7d44\u3001\u5eab\u548c\u61c9\u7528\u7a0b\u5e8f\u3002\u63d0\u4f9b\u5206\u6790\u529f\u80fd\u5c07\u5e6b\u52a9\u653b\u64ca\u8005\u767c\u73fe\u653b\u64ca\u5411\u91cf\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: 
left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Profiling-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_OPROFILE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Profiling-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_PROFILING<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528 BUG() \u4e0a\u7684 OOPS \u6253\u5370<\/h4>\n<p>\u7576\u5617\u8a66\u78ba\u5b9a\u6f0f\u6d1e\u5229\u7528\u7684\u6709\u6548\u6027\u6642\uff0cOOPS \u6253\u5370\u7684\u8f38\u51fa\u5c0d\u65bc\u9762\u5411\u8fd4\u56de\u7de8\u7a0b (ROP) \u5f88\u6709\u5e6b\u52a9\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-OOPSOnBUG-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEBUG_BUGVERBOSE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u5167\u6838\u8abf\u8a66<\/h4>\n<p>\u5167\u6838\u4e2d\u5b58\u5728\u7531 <code>DEBUG_KERNEL<\/code>conf.d\u555f\u7528\u7684\u50c5\u7528\u65bc\u958b\u767c\u7684\u4ee3\u78bc\u5206\u652f\u3002\u61c9\u8a72\u7981\u7528\u6b64\u529f\u80fd\u4f86\u7de8\u8b6f\u9019\u4e9b\u5206\u652f\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Dev-1<\/td>\n<td 
style=\"text-align: left;\"><code>CONFIG_DEBUG_KERNEL<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Dev-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_EMBEDDED<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5728\u67d0\u4e9b\u5167\u6838\u7248\u672c\u4e2d\uff0c\u7981\u7528\u6b64\u529f\u80fd\u9084\u9700\u8981\u7981\u7528<code>CONFIG_EMBEDDED<\/code>\u548c<code>CONFIG_EXPERT<\/code>\u3002\u7981\u7528<code>CONFIG_EXPERT<\/code>\u6703\u4f7f\u5f97\u7121\u6cd5\u7981\u7528<code>COREDUMP<\/code>\u3001<code>DEBUG_BUGVERBOSE<\/code>\u3001<code>NAMESPACES<\/code>\u3001<code>KALLSYMS<\/code>\u548c<code>BUG<\/code>\u3002\u5728\u9019\u7a2e\u60c5\u6cc1\u4e0b\uff0c\u6700\u597d\u555f\u7528\u6b64\u9078\u9805\u800c\u4e0d\u662f\u555f\u7528\u5176\u4ed6\u9078\u9805\u3002<\/p>\n<hr \/>\n<h4>\u7981\u7528\u5167\u6838\u8abf\u8a66\u6587\u4ef6\u7cfb\u7d71<\/h4>\n<p>\u5167\u6838\u8abf\u8a66\u6587\u4ef6\u7cfb\u7d71\u5411\u653b\u64ca\u8005\u63d0\u4f9b\u4e86\u8a31\u591a\u6709\u7528\u7684\u4fe1\u606f\u548c\u64cd\u7e31\u5167\u6838\u7684\u65b9\u6cd5\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-FileSystem-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEBUG_FS<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528 BUG() \u652f\u6301<\/h4>\n<p>\u5167\u6838\u6703\u5728\u5167\u6838\u7a7a\u9593\u4e2d\u986f\u793a BUG \u548c WARN \u7684\u56de\u6eaf\u548c\u5bc4\u5b58\u5668\u4fe1\u606f\uff0c\u4f7f\u653b\u64ca\u8005\u66f4\u5bb9\u6613\u958b\u767c\u6f0f\u6d1e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th 
style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-BUG-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_BUG<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7981\u7528\u5167\u6838\u8f49\u5132\uff08CoreDumps\uff09<\/h4>\n<p>\u5167\u6838\u8f49\u5132\u70ba\u9ed1\u5ba2\u63d0\u4f9b\u4e86\u5927\u91cf\u8abf\u8a66\u4fe1\u606f\u3002\u56e0\u6b64\uff0c\u5efa\u8b70\u5728\u751f\u7522\u7248\u672c\u4e2d\u7981\u7528\u5167\u6838\u8f49\u5132\u3002<\/p>\n<p><strong>Linux 3.7 \u53ca\u66f4\u9ad8<\/strong>\u7248\u672c\u652f\u6301\u6b64\u914d\u7f6e\uff0c\u56e0\u6b64\u50c5\u61c9\u5728\u6b64\u985e\u7248\u672c\u4e2d\u7981\u7528\u6b64\u914d\u7f6e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-CoreDumps-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_COREDUMP<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u9650\u5236\u5167\u6838\u5730\u5740\u986f\u793a<\/h4>\n<p>\u7576\u653b\u64ca\u8005\u5617\u8a66\u958b\u767c\u91dd\u5c0d\u5167\u6838\u6f0f\u6d1e\u7684\u201c\u96a8\u8655\u904b\u884c\u201d\u6f0f\u6d1e\u6642\uff0c\u4ed6\u5011\u7d93\u5e38\u9700\u8981\u77e5\u9053\u5167\u90e8\u5167\u6838\u7d50\u69cb\u7684\u4f4d\u7f6e\u3002\u901a\u904e\u5c07\u5167\u6838\u5730\u5740\u8996\u70ba\u654f\u611f\u4fe1\u606f\uff0c\u9019\u4e9b\u4f4d\u7f6e\u5c0d\u65bc\u666e\u901a\u672c\u5730\u7528\u6236\u4f86\u8aaa\u662f\u4e0d\u53ef\u898b\u7684\u3002<\/p>\n<p><strong>\/proc\/sys\/kernel\/kptr_restrict 
\u914d\u7f6e\u70ba\u201c1\u201d<\/strong>\u4ee5\u963b\u6b62\u5df2\u77e5\u5167\u6838\u5730\u5740\u6d29\u6f0f\u7684\u5831\u544a\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>File<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-1<\/td>\n<td style=\"text-align: left;\"><code>\/proc\/sys\/kernel\/kptr_restrict<\/code><\/td>\n<td style=\"text-align: left;\"><code>1<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6b64\u5916\uff0c\u5404\u7a2e\u6587\u4ef6\u548c\u76ee\u9304\u53ea\u80fd\u7531 root \u7528\u6236\u8b80\u53d6\uff1a<code>\/boot\/vmlinuz*<\/code>, <code>\/boot\/System.map*<\/code>, <code>\/sys\/kernel\/debug\/<\/code>, <code>\/proc\/slabinfo<\/code><\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>File<\/code> or <code>Directorie<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-1<\/td>\n<td style=\"text-align: left;\"><code>\/boot\/vmlinuz*<\/code><\/td>\n<td style=\"text-align: left;\"><em>Readable Only for root user<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-2<\/td>\n<td style=\"text-align: left;\"><code>\/boot\/System.map*<\/code><\/td>\n<td style=\"text-align: left;\"><em>Readable Only for root user<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-3<\/td>\n<td style=\"text-align: left;\"><code>\/sys\/kernel\/debug\/<\/code><\/td>\n<td style=\"text-align: left;\"><em>Readable Only for root user<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-4<\/td>\n<td style=\"text-align: left;\"><code>\/proc\/slabinfo<\/code><\/td>\n<td style=\"text-align: 
left;\"><em>Readable Only for root user<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u9650\u5236 DMESG<\/h4>\n<p>\u7576\u653b\u64ca\u8005\u5617\u8a66\u958b\u767c\u201c\u96a8\u8655\u904b\u884c\u201d\u6f0f\u6d1e\u5229\u7528\u6642\uff0c\u4ed6\u5011\u7d93\u5e38\u6703\u4f7f\u7528<code>dmesg<\/code>\u8f38\u51fa\u3002\u901a\u904e\u5c07<code>dmesg<\/code>\u8f38\u51fa\u8996\u70ba\u654f\u611f\u4fe1\u606f\uff0c\u653b\u64ca\u8005\u5c07\u7121\u6cd5\u7372\u5f97\u6b64\u8f38\u51fa\u3002<\/p>\n<p><strong>\/proc\/sys\/kernel\/dmesg_restrict \u53ef\u4ee5\u914d\u7f6e\u70ba\u201c1\u201d<\/strong>\u4ee5\u5c07 dmesg \u8f38\u51fa\u8996\u70ba\u654f\u611f\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>File<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-DMESG-1<\/td>\n<td style=\"text-align: left;\"><code>\/proc\/sys\/kernel\/dmesg_restrict<\/code><\/td>\n<td style=\"text-align: left;\"><code>1<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5728\u69cb\u5efa\u7528\u6236\u7a7a\u9593\u61c9\u7528\u7a0b\u5e8f\u6642\u555f\u7528\u4ee5\u4e0b\u7de8\u8b6f\u5668\u548c\u93c8\u63a5\u5668\u9078\u9805\uff0c\u4ee5\u907f\u514d\u5806\u68e7\u5d29\u6f70\u3001\u7de9\u885d\u5340\u6ea2\u51fa\u653b\u64ca\u3002<\/p>\n<hr \/>\n<h4>\u7981\u7528\/proc\/config.gz<\/h4>\n<p>\u4e0d\u8981\u5c07\u751f\u7522\u8a2d\u5099\u4e0a\u4f7f\u7528\u7684\u5167\u6838\u914d\u7f6e\u66b4\u9732\u7d66\u6f5b\u5728\u7684\u653b\u64ca\u8005\uff0c\u9019\u4e00\u9ede\u975e\u5e38\u91cd\u8981\u3002\u901a\u904e\u8a2a\u554f\u5167\u6838\u914d\u7f6e\uff0c\u653b\u64ca\u8005\u6709\u53ef\u80fd\u70ba\u8a2d\u5099\u69cb\u5efa\u81ea\u5b9a\u7fa9\u5167\u6838\uff0c\u5f9e\u800c\u7981\u7528\u95dc\u9375\u5b89\u5168\u529f\u80fd\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: 
left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Config-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_IKCONFIG<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>5.7 \u6587\u4ef6\u7cfb\u7d71<\/h3>\n<h4>\u7981\u7528\u6240\u6709\u4e0d\u9700\u8981\u7684\u6587\u4ef6\u7cfb\u7d71<\/h4>\n<p>\u70ba\u4e86\u6e1b\u5c11\u653b\u64ca\u9762\uff0c\u6587\u4ef6\u7cfb\u7d71\u6578\u64da\u7531\u5167\u6838\u89e3\u6790\uff0c\u56e0\u6b64\u6587\u4ef6\u7cfb\u7d71\u9a45\u52d5\u7a0b\u5e8f\u4e2d\u7684\u4efb\u4f55\u908f\u8f2f\u932f\u8aa4\u90fd\u53ef\u80fd\u6210\u70ba\u5167\u6838\u6f0f\u6d1e\u3002<\/p>\n<h4>\u7981\u7528 NFS \u6587\u4ef6\u7cfb\u7d71<\/h4>\n<p>NFS \u6587\u4ef6\u7cfb\u7d71\u5728\u958b\u767c\u968e\u6bb5\u5f88\u6709\u7528\uff0c\u4f46\u5c0d\u65bc\u653b\u64ca\u8005\u4f86\u8aaa\uff0c\u7576\u60a8\u8655\u65bc\u751f\u7522\u6a21\u5f0f\u6642\uff0c\u9019\u53ef\u80fd\u662f\u4e00\u7a2e\u975e\u5e38\u6709\u7528\u7684\u7372\u53d6\u6587\u4ef6\u7684\u65b9\u6cd5\uff0c\u56e0\u6b64\u6211\u5011\u5fc5\u9808\u7981\u7528\u5b83\u5011\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-NFS-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_NFSD<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-NFS-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_NFS_FS<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr 
\/>\n<h4>\u6dfb\u52a0\u5206\u5340\u639b\u8f09\u9078\u9805<\/h4>\n<p>\u639b\u8f09\u6587\u4ef6\u7cfb\u7d71\u6642\u53ef\u4ee5\u5c0d\u5176\u914d\u7f6e\u591a\u7a2e\u5b89\u5168\u9650\u5236\u3002\u4e00\u4e9b\u5e38\u898b\u7684\u5b89\u5168\u9078\u9805\u5305\u62ec\u4f46\u4e0d\u9650\u65bc\uff1a<\/p>\n<p><code>nosuid<\/code>&#8211; \u4e0d\u5141\u8a31\u914d\u7f6e\u7528\u6236\u6a19\u8b58\u7b26\u6216\u914d\u7f6e\u7d44\u6a19\u8b58\u7b26\u4f4d\u751f\u6548\u3002<\/p>\n<p><code>nodev<\/code>&#8211; \u4e0d\u8981\u89e3\u91cb\u5b57\u7b26\u6216\u963b\u6b62\u6587\u4ef6\u7cfb\u7d71\u4e0a\u7684\u7279\u6b8a\u8a2d\u5099\u3002<\/p>\n<p><code>noexec<\/code>&#8211; \u4e0d\u5141\u8a31\u5728\u5df2\u5b89\u88dd\u7684\u6587\u4ef6\u7cfb\u7d71\u4e0a\u57f7\u884c\u4efb\u4f55\u4e8c\u9032\u88fd\u6587\u4ef6\u3002<\/p>\n<p><code>ro<\/code>&#8211; \u5c07\u6587\u4ef6\u7cfb\u7d71\u639b\u8f09\u70ba\u53ea\u8b80\u3002<\/p>\n<p>\u4ee5\u4e0b\u6a19\u8a8c\u61c9\u7528\u65bc\u639b\u8f09\u901a\u7528\u6587\u4ef6\u7cfb\u7d71\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Partition<\/code><\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-1<\/td>\n<td style=\"text-align: left;\"><code>\/boot<\/code><\/td>\n<td style=\"text-align: left;\"><code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-2<\/td>\n<td style=\"text-align: left;\"><code>\/var<\/code> &amp; <code>\/tmp<\/code><\/td>\n<td style=\"text-align: left;\">In <code>\/etc\/fstab<\/code> or <code>vfstab<\/code>, add <code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-3<\/td>\n<td style=\"text-align: left;\"><em>Non-root local<\/em><\/td>\n<td style=\"text-align: left;\">If type is 
<code>ext2<\/code> or <code>ext3<\/code> and mount point not &#8216;\/&#8217;, add <code>nodev<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-4<\/td>\n<td style=\"text-align: left;\"><em>Removable storage<\/em><\/td>\n<td style=\"text-align: left;\">Add <code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-5<\/td>\n<td style=\"text-align: left;\"><em>Temporary storage<\/em><\/td>\n<td style=\"text-align: left;\">Add <code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-6<\/td>\n<td style=\"text-align: left;\"><code>\/dev\/shm<\/code><\/td>\n<td style=\"text-align: left;\">Add <code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-7<\/td>\n<td style=\"text-align: left;\"><code>\/dev<\/code><\/td>\n<td style=\"text-align: left;\">Add <code>nosuid<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5982\u679c<code>CONFIG_DEVTMPFS_MOUNT<\/code>\u914d\u7f6e\u4e86\uff0c\u90a3\u9ebc\u5167\u6838\u5c07\u639b\u8f09 \/dev \u4e26\u4e14\u4e0d\u6703\u61c9\u7528<code>nosuid<\/code>,<code>noexec<\/code>\u9078\u9805\u3002\u7981\u7528<code>CONFIG_DEVTMPFS_MOUNT<\/code>\u6216\u6dfb\u52a0\u91cd\u65b0\u5b89\u88dd<code>noexec<\/code>\u4ee5\u53ca<code>nosuid<\/code>\u7cfb\u7d71\u555f\u52d5\u9078\u9805\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em> or <code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEVTMPFS_MOUNT<\/code><\/td>\n<td style=\"text-align: 
left;\"><em>Disabled<\/em> or add remount with <code>noexec<\/code> and <code>nosuid<\/code> to <br \/>system startup.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>6. <a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/06_Platform\/\">\u5e73\u53f0\u85cd\u5716<\/a><\/h2>\n<h3>6.1 \u6982\u8ff0<\/h3>\n<p>\u6c7d\u8eca\u7d1a Linux \u5e73\u53f0\u662f\u4e00\u500b\u5177\u6709<strong>AGL<\/strong> \u517c\u5bb9\u61c9\u7528\u7a0b\u5e8f\u548c\u670d\u52d9\u7684 Linux \u767c\u884c\u7248\u3002\u8a72\u5e73\u53f0\u5305\u62ec\u4ee5\u4e0b\u8edf\u9ad4\uff1a<\/p>\n<ul>\n<li>\u70ba\u53c3\u8003\u677f\u914d\u7f6e\u7684Linux <strong>BSP \u3002<\/strong><\/li>\n<li>\u9069\u7528\u65bc\u53c3\u8003\u677f\u4e0a\u5e38\u898b\u5916\u8a2d\u7684\u5c08\u6709\u8a2d\u5099\u9a45\u52d5\u7a0b\u5e8f\u3002<\/li>\n<li>\u61c9\u7528\u6846\u67b6\u3002<\/li>\n<li>\u7a97\u53e3\/\u5716\u5c64\u7ba1\u7406\uff08\u5716\u5f62\uff09\u3002<\/li>\n<li>\u5065\u5168\u7684\u8cc7\u6e90\u7ba1\u7406\u3002<\/li>\n<li>\u539f\u5b50\u8edf\u9ad4\u66f4\u65b0\u7cfb\u7d71\uff08\u66f4\u65b0\u7ae0\u7bc0\uff09\u3002<\/li>\n<li>\u69cb\u5efa\u548c\u8abf\u8a66\u5de5\u5177\uff08\u57fa\u65bc Yocto \u9805\u76ee\uff09\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Abstract-1<\/td>\n<td style=\"text-align: left;\">Create a graphics and sound part. 
\u5275\u5efa\u5716\u5f62\u548c\u8072\u97f3\u90e8\u5206\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u672c\u90e8\u5206\u91cd\u9ede\u4ecb\u7d39 AGL \u5e73\u53f0\uff0c\u5305\u62ec\u7528\u65bc\u5347\u7d1a\u5b89\u5168\u6027\u548c\u964d\u4f4e\u5371\u96aa\u6027\u7684\u6240\u6709\u5de5\u5177\u548c\u6280\u8853\u3002\u5fc5\u9808\u53ef\u4ee5\u61c9\u7528\u6587\u4ef6\u958b\u982d\u6240\u5beb\u7684\u5169\u500b\u57fa\u672c\u539f\u5247\u3002\u9996\u5148\uff0c\u5b89\u5168\u7ba1\u7406\u5fc5\u9808\u4fdd\u6301\u7c21\u55ae\u3002\u60a8\u9084\u5fc5\u9808\u9ed8\u8a8d\u7981\u6b62\u4e00\u5207\uff0c\u7136\u5f8c\u5b9a\u7fa9\u4e00\u7d44\u6388\u6b0a\u898f\u5247\u3002\u4f5c\u70ba\u8981\u8655\u7406\u7684\u6848\u4ef6\uff0c\u6211\u5011\u5fc5\u9808\uff1a<\/p>\n<ul>\n<li>\u70ba\u9032\u7a0b\u548c\u6587\u4ef6\u5be6\u73fe<strong>MAC \u3002<\/strong><\/li>\n<li>\u9650\u5236\u61c9\u7528\u7a0b\u5e8f\u4e4b\u9593\u7684\u901a\u4fe1\uff08<em>SystemBus<\/em>\u548c<em>SystemD<\/em>\u90e8\u5206\uff09\u3002<\/li>\n<li>\u7981\u6b62\u958b\u767c\u6a21\u5f0f\u671f\u9593\u4f7f\u7528\u7684\u6240\u6709\u5de5\u5177\uff08<em>\u5be6\u7528\u7a0b\u5e8f<\/em>\u548c<em>\u670d\u52d9<\/em> \u90e8\u5206\uff09\u3002<\/li>\n<li>\u7ba1\u7406\u7528\u6236\u80fd\u529b\uff08<em>\u7528\u6236<\/em>\u90e8\u5206\uff09\u3002<\/li>\n<li>\u7ba1\u7406\u61c9\u7528\u7a0b\u5e8f\u6b0a\u9650\u548c\u7b56\u7565\uff08<em>AGLFw<\/em>\u90e8\u5206\uff09\u3002<\/li>\n<\/ul>\n<p>\u7528\u65bc\u6eff\u8db3\u9019\u4e9b\u9700\u6c42\u7684\u5de5\u5177\u548c\u6982\u5ff5\u50c5\u662f\u793a\u4f8b\u3002\u53ef\u4ee5\u4f7f\u7528\u6eff\u8db3\u9700\u8981\u7684\u4efb\u4f55\u5176\u4ed6\u5de5\u5177\u3002<\/p>\n<p>\u5728 AGL \u4e2d\uff0c\u8207\u8a31\u591a\u5176\u4ed6\u5d4c\u5165\u5f0f\u7cfb\u7d71\u4e00\u6a23\uff0c\u5167\u6838\u5c64\u4e2d\u914d\u7f6e\u4e86\u4e0d\u540c\u7684\u5b89\u5168\u6a5f\u5236\uff0c\u4ee5\u78ba\u4fdd\u9694\u96e2\u548c\u6578\u64da\u96b1\u79c1\u3002\u96d6\u7136\u5f37\u5236\u8a2a\u554f\u63a7\u5236\u5c64 ( <strong>SMACK<\/strong> ) 
\u63d0\u4f9b\u5168\u5c40\u5b89\u5168\u6027\u548c\u9694\u96e2\uff0c\u4f46\u9700\u8981\u5176\u4ed6\u6a5f\u5236\uff08\u4f8b\u5982<strong>Cynara\uff09<\/strong>\u5728\u904b\u884c\u6642\u6aa2\u67e5\u61c9\u7528\u7a0b\u5e8f\u7684\u6b0a\u9650\u3002\u61c9\u7528\u6b0a\u9650\uff08\u4e5f\u7a31\u70ba\u201c<em>\u7279\u6b0a<\/em>\u201d\uff09\u53ef\u80fd\u6703\u6839\u64da\u7528\u6236\u548c\u6b63\u5728\u904b\u884c\u7684\u61c9\u7528\u7a0b\u5e8f\u800c\u6709\u6240\u4e0d\u540c\uff1a\u50c5\u7576\u61c9\u7528\u7a0b\u5e8f\u7531\u6b63\u78ba\u7684\u7528\u6236\u904b\u884c\u4e26\u4e14\u88ab\u6388\u4e88\u9069\u7576\u7684\u6b0a\u9650\u6642\uff0c\u61c9\u7528\u7a0b\u5e8f\u624d\u61c9\u6709\u6b0a\u8a2a\u554f\u7d66\u5b9a\u7684\u670d\u52d9\u3002<\/p>\n<h4>\u81ea\u4e3b\u8a2a\u554f\u63a7\u5236 DAC<\/h4>\n<p><strong>\u81ea\u4e3b\u8a2a\u554f\u63a7\u5236( DAC )<\/strong> \u662f\u4e00\u7a2e\u5c07\u7528\u6236\u548c\u7d44\u76f8\u4e92\u5206\u96e2\u7684\u50b3\u7d71 Linux \u65b9\u6cd5\u3002\u5728\u591a\u500b\u7528\u6236\u53ef\u4ee5\u8a2a\u554f\u8a08\u7b97\u6a5f\u6216\u7db2\u7d61\u7684\u5171\u4eab\u74b0\u5883\u4e2d\uff0cUnix ID \u63d0\u4f9b\u4e86\u4e00\u7a2e\u5c07\u500b\u4eba\u8a2a\u554f\u6b0a\u9650\u9650\u5236\u5728\u6b0a\u9650\u5340\u57df\u5167\u6216\u5728\u7d44\u6216\u7cfb\u7d71\u4e4b\u9593\u5171\u4eab\u7684\u65b9\u6cd5\u3002Android \u7cfb\u7d71\u66f4\u9032\u4e00\u6b65\uff0c\u70ba\u6bcf\u500b\u61c9\u7528\u7a0b\u5e8f\u5206\u914d\u65b0\u7684\u7528\u6236 ID\u3002\u9019\u5f9e\u4f86\u90fd\u4e0d\u662f Linux UID \u7684\u521d\u8877\uff0c\u4f46\u5b83\u80fd\u5920\u63d0\u4f9b Android 
\u6700\u521d\u7684\u5b89\u5168\u5143\u7d20\uff1a\u6c99\u7bb1\u61c9\u7528\u7a0b\u5e8f\u7684\u80fd\u529b\u3002<\/p>\n<p>\u96d6\u7136AGL\u63d0\u5230\u4f7f\u7528<strong>DAC<\/strong>\u9032\u884c\u5b89\u5168\u9694\u96e2\uff0c<strong>\u4f46<\/strong>\u5b89\u5168\u8cac\u4efb\u7684\u91cd\u5fc3\u5728\u65bc<strong>\u5f37\u5236<\/strong>\u8a2a\u554f<strong>\u63a7\u5236<\/strong>\uff08<strong>MAC<\/strong>\uff09\u548c<strong>Cynara<\/strong>\u3002\u6b64\u5916\uff0c\u9084\u6709\u5177\u6709\u552f\u4e00 UID \u7684\u7cfb\u7d71\u670d\u52d9\u3002\u4e0d\u904e\uff0c\u8a72\u7cfb\u7d71\u4e26\u6c92\u6709\u8d70Android\u7684\u6975\u7aef\uff0c\u6bcf\u500b\u61c9\u7528\u7a0b\u5e8f\u90fd\u6709\u81ea\u5df1\u7684UID\u3002<strong>AGL \u4e2d\u7684\u6240\u6709\u6c99\u7bb1\uff08\u61c9\u7528\u7a0b\u5e8f\u9694\u96e2\uff09\u5747\u5728MAC<\/strong>\u4e0a\u4e0b\u6587\u4e2d\u8655\u7406\u3002<\/p>\n<h4>\u5f37\u5236\u8a2a\u554f\u63a7\u5236 MAC<\/h4>\n<p><strong>\u5f37\u5236\u8a2a\u554f\u63a7\u5236( MAC )<\/strong> \u662f<strong>DAC<\/strong>\u7684\u64f4\u5c55\uff0c\u901a\u904e\u64f4\u5c55\u5c6c\u6027 (xattr) \u8207\u6587\u4ef6\u7cfb\u7d71\u95dc\u806f\u3002\u5c0d\u65bc AGL\uff0csmackfs \u6587\u4ef6\u7cfb\u7d71\u5141\u8a31\u6587\u4ef6\u548c\u76ee\u9304\u8207 SMACK \u6a19\u7c64\u95dc\u806f\uff0c\u5f9e\u800c\u63d0\u4f9b\u9032\u4e00\u6b65\u5340\u5206\u8a2a\u554f\u63a7\u5236\u7684\u80fd\u529b\u3002SMACK \u6a19\u7c64\u662f\u4e00\u500b\u7c21\u55ae\u7684\u4ee5\u7a7a\u5b57\u7b26\u7d50\u5c3e\u7684\u5b57\u7b26\u4e32\uff0c\u6700\u5927\u9577\u5ea6\u70ba 255 \u500b\u5b57\u7bc0\u3002\u96d6\u7136\u5b83\u4e0d\u63d0\u4f9b SELinux 
\u6a19\u7c64\u7684\u8c50\u5bcc\u6027\uff08\u63d0\u4f9b\u7528\u6236\u3001\u89d2\u8272\u3001\u985e\u578b\u548c\u7d1a\u5225\uff09\uff0c\u4f46\u55ae\u500b\u503c\u7684\u7c21\u55ae\u6027\u4f7f\u5f97\u6574\u9ad4\u8a2d\u8a08\u8b8a\u5f97\u4e0d\u90a3\u9ebc\u8907\u96dc\u3002\u53ef\u4ee5\u8aaa\uff0c\u5b89\u5168\u4f5c\u8005\u5728\u88fd\u5b9a\u7684\u7b56\u7565\u4e2d\u72af\u932f\u8aa4\u7684\u53ef\u80fd\u6027\u8f03\u5c0f\u3002<\/p>\n<hr \/>\n<h4>\u7e2e\u7565\u8a9e<\/h4>\n<p>\u4e0b\u8868\u5217\u51fa\u4e86\u672c\u90e8\u5206\u6587\u6a94\u4e2d\u4f7f\u7528\u7684\u8853\u8a9e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u7e2e\u5beb<\/th>\n<th style=\"text-align: left;\">\u63cf\u8ff0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><em>ACL<\/em><\/td>\n<td style=\"text-align: left;\"><strong>A<\/strong>ccess <strong>C<\/strong>ontrol <strong>L<\/strong>ists<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>alsa<\/em><\/td>\n<td style=\"text-align: left;\"><strong>A<\/strong>dvanced <strong>L<\/strong>inux <strong>S<\/strong>ound <strong>A<\/strong>rchitecture<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>API<\/em><\/td>\n<td style=\"text-align: left;\"><strong>A<\/strong>pplication <strong>P<\/strong>rogramming <strong>I<\/strong>nterface<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>AppFw<\/em><\/td>\n<td style=\"text-align: left;\"><strong>App<\/strong>lication <strong>F<\/strong>rame<strong>w<\/strong>ork<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>BSP<\/em><\/td>\n<td style=\"text-align: left;\"><strong>B<\/strong>oard <strong>S<\/strong>upport <strong>P<\/strong>ackage<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>Cap<\/em><\/td>\n<td style=\"text-align: left;\"><strong>Cap<\/strong>abilities<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>DAC<\/em><\/td>\n<td style=\"text-align: left;\"><strong>D<\/strong>iscretionary <strong>A<\/strong>ccess 
<strong>C<\/strong>ontrol<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>DDOS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>D<\/strong>istributed <strong>D<\/strong>enial <strong>O<\/strong>f <strong>S<\/strong>ervice<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>DOS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>D<\/strong>enial <strong>O<\/strong>f <strong>S<\/strong>ervice<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>IPC<\/em><\/td>\n<td style=\"text-align: left;\"><strong>I<\/strong>nter-<strong>P<\/strong>rocess <strong>C<\/strong>ommunication<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>MAC<\/em><\/td>\n<td style=\"text-align: left;\"><strong>M<\/strong>andatory <strong>A<\/strong>ccess <strong>C<\/strong>ontrol<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>PAM<\/em><\/td>\n<td style=\"text-align: left;\"><strong>P<\/strong>luggable <strong>A<\/strong>uthentication <strong>M<\/strong>odules<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>SMACK<\/em><\/td>\n<td style=\"text-align: left;\"><strong>S<\/strong>implified <strong>M<\/strong>andatory <strong>A<\/strong>ccess <strong>C<\/strong>ontrol <strong>K<\/strong>ernel<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>6.2 \u5f37\u5236\u8a2a\u554f\u63a7\u5236 MAC<\/h3>\n<p><u>\u6211\u5011\u6c7a\u5b9a\u5c07<strong>MAC<\/strong>\u4fdd\u8b77\u653e\u5728\u5e73\u53f0\u90e8\u5206\uff0c\u5118\u7ba1\u5b83\u4e5f\u9069\u7528\u65bc\u5167\u6838<\/u>\uff0c\u56e0\u70ba\u5b83\u7684\u4f7f\u7528\u4e3b\u8981\u5728\u5e73\u53f0\u7d1a\u5225\uff08\u5e95\u5c64\u90e8\u5206\u9664\u5916\uff09\u3002<\/p>\n<p><strong>\u5f37\u5236\u8a2a\u554f\u63a7\u5236( MAC)<\/strong> \u662fLinux\u5167\u6838\u63d0\u4f9b\u7684\u4e00\u7a2e\u4fdd\u8b77<strong>\uff0c<\/strong>\u9700\u8981<strong>Linux\u5b89\u5168\u6a21\u7d44( LSM )<\/strong> \u3002<strong>AGL<\/strong>\u4f7f\u7528\u7a31\u70ba<strong>\u7c21\u5316\u5f37\u5236\u8a2a\u554f\u63a7\u5236\u5167\u6838( SMACK)<\/strong>\u7684 
<strong>LSM<\/strong>\u3002\u6b64\u4fdd\u8b77\u6d89\u53ca\u5c07<strong>SMACK<\/strong>\u6a19\u7c64\u4f5c\u70ba\u6587\u4ef6\u7684\u64f4\u5c55\u5c6c\u6027\uff08xattr\uff09\u4f86\u5275\u5efa\uff0c\u4e26\u4e14\u9084\u5275\u5efa\u4e86\u4e00\u500b\u7b56\u7565\u4f86\u5b9a\u7fa9\u6bcf\u500b\u6a19\u7c64\u7684\u884c\u70ba\u3002<\/p>\n<p>\u5167\u6838\u8a2a\u554f\u63a7\u5236\u57fa\u65bc\u9019\u4e9b\u6a19\u7c64\u548c\u8a72\u7b56\u7565\u3002\u5982\u679c\u6c92\u6709\u898f\u5247\uff0c\u5247\u4e0d\u6703\u6388\u4e88\u8a2a\u554f\u6b0a\u9650\uff0c\u56e0\u6b64\uff0c\u672a\u7d93\u660e\u78ba\u6388\u6b0a\u7684\u5167\u5bb9\u5c07\u88ab\u7981\u6b62\u3002<\/p>\n<p><strong>SMACK<\/strong>\u6a19\u7c64\u6709\u5169\u7a2e\u985e\u578b\uff1a<\/p>\n<ul>\n<li><strong>\u57f7\u884c SMACK<\/strong>\uff08\u9644\u52a0\u5230\u9032\u7a0b\uff09\uff1a\u5b9a\u7fa9\u8a72\u9032\u7a0b\u5982\u4f55<em>\u8a2a\u554f<\/em>\u548c<em>\u5275\u5efa\u6587\u4ef6<\/em>\u3002<\/li>\n<li><strong>\u6587\u4ef6\u8a2a\u554f SMACK<\/strong>\uff08\u5beb\u5165\u6587\u4ef6\u7684\u64f4\u5c55\u5c6c\u6027\uff09\uff1a\u5b9a\u7fa9<em>\u54ea\u500b<\/em>\u9032\u7a0b\u53ef\u4ee5\u8a2a\u554f\u8a72\u6587\u4ef6\u3002<\/li>\n<\/ul>\n<p>\u9ed8\u8a8d\u60c5\u6cc1\u4e0b\uff0c\u9032\u7a0b\u4f7f\u7528\u5176\u6587\u4ef6\u8a2a\u554f<strong>SMACK<\/strong>\u6a19\u7c64\u57f7\u884c\uff0c\u9664\u975e\u5b9a\u7fa9\u4e86\u57f7\u884c<strong>SMACK<\/strong>\u6a19\u7c64\u3002<\/p>\n<p>AGL \u7684<strong>SMACK<\/strong>\u65b9\u6848\u57fa\u65bc<em>Tizen 3 Q2\/2015<\/em>\u3002\u5b83\u5c07\u7cfb\u7d71\u5206\u70ba\u4ee5\u4e0b\u5e7e\u500b<strong>\u57df<\/strong>\uff1a<\/p>\n<ul>\n<li>Floor. \u5730\u9762<\/li>\n<li>System. \u7cfb\u7d71<\/li>\n<li>Applications, Services and User. 
\u61c9\u7528\u7a0b\u5e8f\u3001\u670d\u52d9\u548c\u7528\u6236<\/li>\n<\/ul>\n<p>\u6709\u95dc\u66f4\u591a\u4fe1\u606f\uff0c\u8acb\u53c3\u95b1<a href=\"http:\/\/iot.bzh\/download\/public\/2017\/AMMQ1Tokyo\/AGL-security-framework-review.pdf\">AGL \u5b89\u5168\u6846\u67b6\u5be9\u67e5<\/a> \u548c<a href=\"http:\/\/schaufler-ca.com\/yahoo_site_admin\/assets\/docs\/SmackWhitePaper.257153003.pdf\">Smack \u767d\u76ae\u66f8\u3002<\/a><\/p>\n<hr \/>\n<h4>\u5730\u9762 \/ Floor<\/h4>\n<p>\u5e95\u5c64\u57df\u5305\u62ec\u57fa\u672c\u7cfb\u7d71\u670d\u52d9\u4ee5\u53ca\u4efb\u4f55\u76f8\u95dc\u7684\u6578\u64da\u548c\u5eab<em>\u3002<\/em>\u8a72\u6578\u64da\u5728\u904b\u884c\u6642\u4fdd\u6301\u4e0d\u8b8a\u3002\u50c5\u5728\u958b\u767c\u6a21\u5f0f\u6216\u8edf\u9ad4\u5b89\u88dd\u6216\u5347\u7d1a\u671f\u9593\u5141\u8a31\u5beb\u5165\u5e95\u5c64\u6587\u4ef6\u6216\u76ee\u9304\u3002<\/p>\n<p>\u4e0b\u8868\u8a73\u7d30\u4ecb\u7d39\u4e86<em>\u5e95<\/em>\u57df\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Label<\/th>\n<th style=\"text-align: left;\">Name<\/th>\n<th style=\"text-align: left;\">Execution <strong>SMACK<\/strong><\/th>\n<th style=\"text-align: left;\">File Access <strong>SMACK<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><code>-<\/code><\/td>\n<td style=\"text-align: left;\">Floor<\/td>\n<td style=\"text-align: left;\"><code>r-x<\/code> for all<\/td>\n<td style=\"text-align: left;\">Only kernel and internal kernel thread.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><code>^<\/code><\/td>\n<td style=\"text-align: left;\">Hat<\/td>\n<td style=\"text-align: left;\"><code>---<\/code> for all<\/td>\n<td style=\"text-align: left;\"><code>rx<\/code> on all Domain \u9818\u57dfs.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><code>*<\/code><\/td>\n<td style=\"text-align: left;\">Star<\/td>\n<td style=\"text-align: left;\"><code>rwx<\/code> for all<\/td>\n<td style=\"text-align: 
None<\/td>">
left;\">None<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li>Hat \u6a19\u7c64\u50c5\u9069\u7528\u65bc\u7279\u6b0a\u7cfb\u7d71\u670d\u52d9\uff08\u7576\u524d\u50c5 systemd-journal\uff09\u3002\u5c0d\u65bc\u5099\u4efd\u6216\u75c5\u6bd2\u6383\u63cf\u5f88\u6709\u7528\u3002\u9664\u8abf\u8a66\u65e5\u8a8c\u5916\uff0c\u4e0d\u61c9\u5b58\u5728\u5e36\u6709\u6b64\u6a19\u7c64\u7684\u6587\u4ef6\u3002<\/li>\n<li>\u661f\u865f\u6a19\u7c64\u7528\u65bc\u8a2d\u5099\u6587\u4ef6\u6216<code>\/tmp<\/code>\uff0c\u5176\u8a2a\u554f\u9650\u5236\u901a\u904e<strong>DAC<\/strong>\u9032\u884c\u3002\u5404\u500b\u6587\u4ef6\u4ecd\u7136\u53d7\u5230<strong>SMACK<\/strong>\u6a19\u7c64\u7684\u4fdd\u8b77\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Label<\/code> name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-Floor-1<\/td>\n<td style=\"text-align: left;\"><code>^<\/code><\/td>\n<td style=\"text-align: left;\">Only for privileged system services. <br \/>\u50c5\u9069\u7528\u65bc\u7279\u6b0a\u7cfb\u7d71\u670d\u52d9\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-Floor-2<\/td>\n<td style=\"text-align: left;\"><code>*<\/code><\/td>\n<td style=\"text-align: left;\">Used for device files or <code>\/tmp<\/code> Access restriction via DAC. 
<br \/>\u7528\u65bc\u8a2d\u5099\u6587\u4ef6\u6216<code>\/tmp<\/code>\u901a\u904e DAC \u9032\u884c\u8a2a\u554f\u9650\u5236\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u7cfb\u7d71 \/ System<\/h4>\n<p>\u7cfb\u7d71\u57df\u5305\u62ec\u64cd\u4f5c\u7cfb\u7d71\u7684\u4e00\u7d44\u7cbe\u7c21\u7684\u5167\u6838\u7cfb\u7d71\u670d\u52d9\u548c\u4efb\u4f55\u76f8\u95dc\u6578\u64da<em>\u3002<\/em>\u8a72\u6578\u64da\u53ef\u80fd\u6703\u5728\u904b\u884c\u6642\u767c\u751f\u8b8a\u5316\u3002<\/p>\n<p>\u4e0b\u8868\u8a73\u7d30\u4ecb\u7d39\u4e86<em>\u7cfb\u7d71<\/em>\u57df\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Label<\/th>\n<th style=\"text-align: left;\">Name<\/th>\n<th style=\"text-align: left;\">Execution <strong>SMACK<\/strong><\/th>\n<th style=\"text-align: left;\">File Access <strong>SMACK<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><code>System<\/code><\/td>\n<td style=\"text-align: left;\">System<\/td>\n<td style=\"text-align: left;\">None<\/td>\n<td style=\"text-align: left;\">Privileged processes<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><code>System::Run<\/code><\/td>\n<td style=\"text-align: left;\">Run<\/td>\n<td style=\"text-align: left;\"><code>rwxatl<\/code> for User and System label<\/td>\n<td style=\"text-align: left;\">None<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><code>System::Shared<\/code><\/td>\n<td style=\"text-align: left;\">Shared<\/td>\n<td style=\"text-align: left;\"><code>rwxatl<\/code> for system Domain \u9818\u57df <code>r-x<\/code> for User label<\/td>\n<td style=\"text-align: left;\">None<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><code>System::Log<\/code><\/td>\n<td style=\"text-align: left;\">Log<\/td>\n<td style=\"text-align: left;\"><code>rwa<\/code> for System label <code>xa<\/code> for user label<\/td>\n<td style=\"text-align: left;\">None<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><code>System::Sub<\/code><\/td>\n<td 
style=\"text-align: left;\">SubSystem<\/td>\n<td style=\"text-align: left;\">Subsystem Config files<\/td>\n<td style=\"text-align: left;\">SubSystem only<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Label<\/code> name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-1<\/td>\n<td style=\"text-align: left;\"><code>System<\/code><\/td>\n<td style=\"text-align: left;\">Process should write only to file with transmute attribute.<br \/>\u9032\u7a0b\u61c9\u8a72\u53ea\u5beb\u5165\u5177\u6709 transmute \u5c6c\u6027\u7684\u6587\u4ef6\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-2<\/td>\n<td style=\"text-align: left;\"><code>System::run<\/code><\/td>\n<td style=\"text-align: left;\">Files are created with the directory label from user and system Domain \u9818\u57df (transmute) Lock is implicit with <code>w<\/code>.<br \/>\u6587\u4ef6\u662f\u4f7f\u7528\u4f86\u81ea\u7528\u6236\u548c\u7cfb\u7d71\u57df\u7684\u76ee\u9304\u6a19\u7c64\u5275\u5efa\u7684\uff08transmute\uff09 \u9396\u5b9a\u662f\u96b1\u5f0f\u7684<code>w<\/code>\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-3<\/td>\n<td style=\"text-align: left;\"><code>System::Shared<\/code><\/td>\n<td style=\"text-align: left;\">Files are created with the directory label from system Domain \u9818\u57df (transmute) User Domain \u9818\u57df has locked privilege.<br \/>\u6587\u4ef6\u662f\u4f7f\u7528\u7cfb\u7d71\u57df\u7684\u76ee\u9304\u6a19\u7c64\u5275\u5efa\u7684\uff08transmute\uff09 \u7528\u6236\u57df\u5177\u6709\u9396\u5b9a\u6b0a\u9650\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-4<\/td>\n<td style=\"text-align: left;\"><code>System::Log<\/code><\/td>\n<td style=\"text-align: left;\">Some limitation may impose to add <code>w<\/code> to 
enable append.<br \/><code>w<\/code>\u6dfb\u52a0\u4ee5\u555f\u7528\u9644\u52a0\u53ef\u80fd\u6703\u65bd\u52a0\u4e00\u4e9b\u9650\u5236\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-5<\/td>\n<td style=\"text-align: left;\"><code>System::Sub<\/code><\/td>\n<td style=\"text-align: left;\">Isolation of risky Subsystem.<br \/>\u9694\u96e2\u6709\u98a8\u96aa\u7684\u5b50\u7cfb\u7d71\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u61c9\u7528\u7a0b\u5e8f\u3001\u670d\u52d9\u548c\u7528\u6236 \/ Applications, Services and User<\/h4>\n<p><em>\u61c9\u7528\u7a0b\u5e8f<\/em>\u3001\u670d\u52d9<em>\u548c<\/em>\u7528\u6236<em>\u57df<\/em>\u5305\u62ec\u5411\u7cfb\u7d71\u548c\u7528\u6236\u63d0\u4f9b\u670d\u52d9\u7684\u4ee3\u78bc\u4ee5\u53ca\u4efb\u4f55\u76f8\u95dc\u6578\u64da\u3002\u5728\u6b64\u57df\u4e0a\u904b\u884c\u7684\u6240\u6709\u4ee3\u78bc\u5747\u5728<em>Cynara<\/em>\u63a7\u5236\u4e4b\u4e0b\u3002<\/p>\n<p>\u4e0b\u8868\u8a73\u7d30\u4ecb\u7d39\u4e86<em>\u61c9\u7528\u7a0b\u5e8f<\/em>\u3001<em>\u670d\u52d9<\/em>\u548c<em>\u7528\u6236<\/em>\u57df\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Label<\/th>\n<th style=\"text-align: left;\">Name<\/th>\n<th style=\"text-align: left;\">Execution <strong>SMACK<\/strong><\/th>\n<th style=\"text-align: left;\">File Access <strong>SMACK<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><code>User::Pkg::$AppID<\/code><\/td>\n<td style=\"text-align: left;\">AppID<\/td>\n<td style=\"text-align: left;\"><code>rwx<\/code> (for files created by the App). 
<code>rx<\/code> for files installed by <strong>AppFw<\/strong><\/td>\n<td style=\"text-align: left;\">$App runtime executing $App<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><code>User::Home<\/code><\/td>\n<td style=\"text-align: left;\">Home<\/td>\n<td style=\"text-align: left;\"><code>rwx-t<\/code> from System label <code>r-x-l<\/code> from App<\/td>\n<td style=\"text-align: left;\">None<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><code>User::App-Shared<\/code><\/td>\n<td style=\"text-align: left;\">Shared<\/td>\n<td style=\"text-align: left;\"><code>rwxat<\/code> from System and User Domain \u9818\u57dfs label of $User<\/td>\n<td style=\"text-align: left;\">None<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Label<\/code> name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-1<\/td>\n<td style=\"text-align: left;\"><code>User::Pkg::$AppID<\/code><\/td>\n<td style=\"text-align: left;\">Only one Label is allowed per App. 
A data directory is created by the AppFw in <code>rwx<\/code> mode.<br \/>\u6bcf\u500b\u61c9\u7528\u7a0b\u5e8f\u50c5\u5141\u8a31\u4e00\u500b\u6a19\u7c64\u3002\u6578\u64da\u76ee\u9304\u7531AppFw \u5728<code>rwx<\/code>\u6a21\u5f0f\u4e0b\u5275\u5efa\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-2<\/td>\n<td style=\"text-align: left;\"><code>User::Home<\/code><\/td>\n<td style=\"text-align: left;\">AppFw needs to create a directory in <code>\/home\/$USER\/App-Shared<\/code> at first launch if not present with label app-data access is <code>User::App-Shared<\/code> without transmute.<br \/>\u5728<code>\/home\/$USER\/App-Shared<\/code>\u5982\u679c\u4e0d\u5b58\u5728\u6a19\u7c64\u61c9\u7528\u7a0b\u5e8f\u6578\u64da\u8a2a\u554f\u5247<code>User::App-Shared<\/code>\u7121\u9700\u8f49\u63db\uff0cAppFw \u9700\u8981\u5728\u9996\u6b21\u555f\u52d5\u6642\u5275\u5efa\u4e00\u500b\u76ee\u9304\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-3<\/td>\n<td style=\"text-align: left;\"><code>User::App-Shared<\/code><\/td>\n<td style=\"text-align: left;\">Shared space between all App running for a given user.<br \/>\u70ba\u7d66\u5b9a\u7528\u6236\u904b\u884c\u7684\u6240\u6709\u61c9\u7528\u7a0b\u5e8f\u4e4b\u9593\u7684\u5171\u4eab\u7a7a\u9593\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u653b\u64ca\u5411\u91cf<\/h4>\n<p>\u8a72\u7cfb\u7d71\u6709 4 \u500b\u4e3b\u8981\u7d44\u4ef6\uff1a<\/p>\n<ul>\n<li>LSM 
\u5167\u6838\u6a21\u7d44\u3002<\/li>\n<li>\u6587\u4ef6<code>smackfs<\/code>\u7cfb\u7d71\u3002<\/li>\n<li>\u7528\u65bc\u7b56\u7565\u7ba1\u7406\u548c\u6aa2\u67e5\u7684\u57fa\u672c\u5be6\u7528\u7a0b\u5e8f\u3002<\/li>\n<li>\u7b56\u7565\/\u914d\u7f6e\u6578\u64da\u3002<\/li>\n<\/ul>\n<p>\u8207\u4efb\u4f55\u5f37\u5236\u8a2a\u554f\u7cfb\u7d71\u4e00\u6a23\uff0c\u9700\u8981\u5c0f\u5fc3\u5730\u5c07\u7b56\u7565\u7ba1\u7406\u8207\u6aa2\u67e5\u5206\u958b\uff0c\u56e0\u70ba\u7ba1\u7406\u5be6\u7528\u7a0b\u5e8f\u53ef\u80fd\u6210\u70ba\u65b9\u4fbf\u7684\u653b\u64ca\u9ede\u3002\u7b56\u7565\u7cfb\u7d71\u7684\u52d5\u614b\u6dfb\u52a0\u9700\u8981\u4ed4\u7d30\u9a57\u8b49\uff0c\u56e0\u70ba\u901a\u5e38\u9700\u8981\u66f4\u65b0\u7b56\u7565\u7684\u80fd\u529b\uff0c\u4f46\u6703\u5f15\u5165\u53ef\u80fd\u7684\u5a01\u8105\u3002\u6700\u5f8c\uff0c\u5373\u4f7f\u7b56\u7565\u7ba1\u7406\u5f97\u5230\u5f88\u597d\u7684\u4fdd\u8b77\uff0c\u7b56\u7565\u6aa2\u67e5\u548c\u6aa2\u67e5\u7684\u5931\u6557\u97ff\u61c9\u5c0d\u65bc\u7cfb\u7d71\u7684\u9806\u5229\u904b\u884c\u4e5f\u81f3\u95dc\u91cd\u8981\u3002<\/p>\n<p>\u96d6\u7136\u8207 DAC \u76f8\u6bd4\uff0c <strong>MAC<\/strong>\u7684\u5b89\u5168\u6027\u7121\u7591\u5f97\u5230\u4e86\u63d0\u5347\uff0c\u4f46\u4ecd\u7136\u6709\u5f88\u591a\u65b9\u6cd5\u53ef\u4ee5\u5371\u5bb3\u652f\u6301 SMACK \u7684 Linux \u7cfb\u7d71\u3002\u5176\u4e2d\u4e00\u4e9b\u65b9\u6cd5\u5982\u4e0b\uff1a<\/p>\n<ul>\n<li>\u5728\u8abf\u7528\u5167\u6838\u6642\u7981\u7528 SMACK\uff08\u4f7f\u7528\u547d\u4ee4\u884c\uff1asecurity=none\uff09\u3002<\/li>\n<li>\u5728\u5167\u6838\u69cb\u5efa\u4e2d\u7981\u7528 SMACK \u4e26\u91cd\u65b0\u90e8\u7f72\u5167\u6838\u3002<\/li>\n<li>\u5728\u5b89\u88dd\u6642\u66f4\u6539\u6587\u4ef6\u6216\u76ee\u9304\u7684 SMACK \u5c6c\u6027\u3002<\/li>\n<li>\u7be1\u6539\u5177\u6709 CAP_MAC_ADMIN \u6b0a\u9650\u7684\u9032\u7a0b\u3002<\/li>\n<li>\u914d\u7f6e\/\u91cd\u65b0\u914d\u7f6e\u6587\u4ef6\u7684 SMACK 
\u6a19\u7c64\u3002<\/li>\n<li>\u7be1\u6539\u9ed8\u8a8d\u57df\uff08\u5373<code>\/etc\/smack\/accesses.d\/default-access-domains<\/code>\uff09\u3002<\/li>\n<li>\u7981\u7528\u6216\u7be1\u6539 SMACK \u6587\u4ef6\u7cfb\u7d71\uff08\u5373 \/smackfs\uff09\u3002<\/li>\n<li>\u4f7f\u7528<code>smackload<\/code>\u6dfb\u52a0\u7b56\u7565\uff08\u5982\u679c\u8a72\u5be6\u7528\u7a0b\u5e8f\u4e0d\u5b58\u5728\u5247\u5148\u6dfb\u52a0\uff09\u3002<\/li>\n<li>\u4f7f\u7528<code>chsmack<\/code>\u66f4\u6539\u6a19\u7c64\uff08\u5982\u679c\u8a72\u5be6\u7528\u7a0b\u5e8f\u4e0d\u5b58\u5728\u5247\u5148\u6dfb\u52a0\uff09\u3002<\/li>\n<\/ul>\n<h3>6.3 SystemD<\/h3>\n<p><code>afm-system-daemon<\/code>\u7528\u65bc\uff1a<\/p>\n<ul>\n<li>\u7ba1\u7406\u7528\u6236\u548c\u7528\u6236\u6703\u8a71\u3002<\/li>\n<li>\u914d\u7f6e\u61c9\u7528\u7a0b\u5e8f\u548c\u670d\u52d9\uff08<em>CGroups<\/em>\u3001<em>\u547d\u540d\u7a7a\u9593<\/em>\u3001\u81ea\u52d5\u555f\u52d5\u3001\u6b0a\u9650\uff09\u3002<\/li>\n<li>\u4f7f\u7528<code>libsystemd<\/code>\u7684\u7a0b\u5e8f\uff08\u4e8b\u4ef6\u7ba1\u7406\u3001<strong>D-Bus<\/strong>\u63a5\u53e3\uff09\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-SystemD-1<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Use Namespaces for containerization. \u4f7f\u7528\u547d\u540d\u7a7a\u9593\u9032\u884c\u5bb9\u5668\u5316\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-SystemD-2<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Use CGroups to organise processes. 
\u4f7f\u7528 CGroup \u4f86\u7d44\u7e54\u6d41\u7a0b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6709\u95dc\u66f4\u591a\u4fe1\u606f\uff0c\u8acb\u53c3\u95b1<a href=\"http:\/\/iot.bzh\/download\/public\/2017\/AMM-Dresden\/AGL-systemd.pdf\">systemd \u96c6\u6210\u548c\u7528\u6236\u7ba1\u7406\u3002<\/a><\/p>\n<h4>\u597d\u8655 Benefits<\/h4>\n<ul>\n<li>\u522a\u9664\u4e00\u500b\u7279\u6b0a\u9032\u7a0b\uff1a<strong>afm-user-daemon<\/strong><\/li>\n<li>\u8a2a\u554f\u548c\u4f7f\u7528\u9ad8\u7d1a\u529f\u80fd\uff1a<\/li>\n<li>\u5957\u63a5\u5b57\u6fc0\u6d3b\u3002<\/li>\n<li><strong>\u7528\u6236\u7ba1\u7406\u548cPAM<\/strong>\u96c6\u6210\u3002<\/li>\n<li>\u670d\u52d9\u7684\u4f9d\u8cf4\u89e3\u6790\u3002<\/li>\n<li><code>Cgroups<\/code>\u548c\u8cc7\u6e90\u63a7\u5236\u3002<\/li>\n<li><code>Namespaces<\/code>\u96c6\u88dd\u7bb1\u5316\u3002<\/li>\n<li>\u81ea\u52d5\u555f\u52d5\u6240\u9700\u7684 API\u3002<\/li>\n<li>\u6b0a\u9650\u548c\u5b89\u5168\u914d\u7f6e\u3002<\/li>\n<li>\u7db2\u7d61\u7ba1\u7406\u3002<\/li>\n<\/ul>\n<h4>\u63a7\u5236\u7d44 CGroups<\/h4>\n<p>\u63a7\u5236\u7d44\u63d0\u4f9b\u4e86\u5f88\u591a\u529f\u80fd\uff0c\u5176\u4e2d\u6700\u6709\u7528\u7684\u529f\u80fd\u662f\u60a8\u53ef\u4ee5\u63a7\u5236\u7684\uff1a\u5167\u5b58\u4f7f\u7528\u60c5\u6cc1\u3001\u5206\u914d\u4e86\u591a\u5c11 CPU \u6642\u9593\u3001\u5141\u8a31\u591a\u5c11\u8a2d\u5099 I\/O 
\u6216\u53ef\u4ee5\u8a2a\u554f\u54ea\u4e9b\u8a2d\u5099\u3002<strong>SystemD<\/strong>\u4f7f\u7528<strong><em>CGroup<\/em><\/strong>\u4f86\u7d44\u7e54\u9032\u7a0b\uff08\u6bcf\u500b\u670d\u52d9\u90fd\u662f\u4e00\u500b<em>CGroup<\/em>\uff0c\u4e26\u4e14\u7531\u8a72\u670d\u52d9\u555f\u52d5\u7684\u6240\u6709\u9032\u7a0b\u90fd\u4f7f\u7528\u8a72<em>CGroup<\/em>\uff09\u3002\u9ed8\u8a8d\u60c5\u6cc1\u4e0b\uff0c<strong>SystemD<\/strong>\u81ea\u52d5\u5275\u5efa\u5207\u7247\u3001\u7bc4\u570d\u548c\u670d\u52d9\u55ae\u5143\u7684\u5c64\u6b21\u7d50\u69cb\uff0c\u70ba<em>CGroups<\/em>\u6a39\u63d0\u4f9b\u7d71\u4e00\u7684\u7d50\u69cb\u3002\u4f7f\u7528\u8a72<code>systemctl<\/code>\u547d\u4ee4\uff0c\u60a8\u53ef\u4ee5\u901a\u904e\u5275\u5efa\u81ea\u5b9a\u7fa9\u5207\u7247\u4f86\u9032\u4e00\u6b65\u4fee\u6539\u6b64\u7d50\u69cb\u3002\u76ee\u524d\uff0c\u5728 AGL \u4e2d\uff0c\u6709 2 \u500b\u5207\u7247\uff08<strong>user.slice<\/strong>\u548c<strong>system.slice<\/strong>\uff09\u3002<\/p>\n<h4>\u547d\u540d\u7a7a\u9593 Namespaces<\/h4>\n<h5>\u7528\u6236\u5074<\/h5>\n<p>\u6709\u591a\u7a2e\u65b9\u6cd5\u53ef\u4ee5\u9a57\u8b49\u7528\u6236\u8eab\u4efd\uff08\u6309\u9375\u5c04\u983b\u3001\u96fb\u8a71\u3001\u624b\u52e2\u2026\u2026\uff09\u3002\u6bcf\u6b21\u8eab\u4efd\u9a57\u8b49\u90fd\u6703\u5411\u7d93\u904e\u8eab\u4efd\u9a57\u8b49\u7684\u7528\u6236\u52d5\u614b\u5206\u914d<strong>uid<\/strong>\u3002<strong>Uids<\/strong>\u7528\u65bc\u78ba\u4fdd\u7528\u6236\u96b1\u79c1\uff0c<strong>SMACK<\/strong> \u7528\u65bc\u78ba\u4fdd\u61c9\u7528\u7a0b\u5e8f\u96b1\u79c1\u3002<\/p>\n<p>\u9996\u5148\uff0c\u7528\u6236\u901a\u904e<strong>PAM<\/strong>\u6fc0\u6d3b\u4f86\u767c\u8d77\u8eab\u4efd\u9a57\u8b49\u3002<strong>PAM<\/strong> 
\u6a19\u51c6\u901a\u904e\u6a21\u7d44\u5316\u8a2d\u8a08\uff08\u4f8b\u5982\u9762\u90e8\u8b58\u5225\u3001\u8a9e\u97f3\u8b58\u5225\u6216\u5bc6\u78bc\uff09\u63d0\u4f9b\u9ad8\u5ea6\u53ef\u914d\u7f6e\u7684\u8eab\u4efd\u9a57\u8b49\u3002\u7136\u5f8c\u7528\u6236\u61c9\u8a72\u901a\u904e\u670d\u52d9\u548c\u61c9\u7528\u7a0b\u5e8f\u8a2a\u554f\u8eab\u4efd\u670d\u52d9\u3002<\/p>\n<h3>6.4 D-Bus \u9032\u7a0b\u9593\u901a\u8a0a\/\u5b88\u8b77<\/h3>\n<p>D-Bus \u662f\u4e00\u7a2e\u8457\u540d\u7684<strong>IPC<\/strong>\uff08\u9032\u7a0b\u9593\u901a\u4fe1\uff09\u5354\u8b70\uff08\u548c\u5b88\u8b77\u9032\u7a0b\uff09\uff0c\u53ef\u5e6b\u52a9\u61c9\u7528\u7a0b\u5e8f\u76f8\u4e92\u901a\u4fe1\u3002D-Bus \u7684\u4f7f\u7528\u975e\u5e38\u6709\u7528\uff0c\u56e0\u70ba\u5b83\u53ef\u4ee5\u5be6\u73fe\u767c\u73fe\u548c\u4fe1\u4ee4\u3002<\/p>\n<p>D-Bus \u6703\u8a71\u9ed8\u8a8d\u7531\u74b0\u5883\u8b8a\u91cf\u5c0b\u5740 <code>DBUS_SESSION_BUS_ADDRESS<\/code>\u3002\u4f7f\u7528<strong>systemd<\/strong>\u8b8a\u91cf <code>DBUS_SESSION_BUS_ADDRESS<\/code>\u6703\u81ea\u52d5\u70ba\u7528\u6236\u6703\u8a71\u914d\u7f6e\u3002D-Bus \u7684\u4f7f\u7528\u8207\u6b0a\u9650\u76f8\u95dc\u3002<\/p>\n<p>D-Bus \u5df2\u7d93\u5b58\u5728\u4e00\u4e9b<a href=\"https:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-13442\/D-bus-Project.html\">\u5b89\u5168\u554f\u984c<\/a> \uff08\u4e3b\u8981\u662f<strong>DoS<\/strong>\u554f\u984c\uff09\uff0c\u4ee5\u5141\u8a31\u61c9\u7528\u7a0b\u5e8f\u7e7c\u7e8c\u76f8\u4e92\u901a\u4fe1\u3002\u9632\u7bc4\u6b64\u985e\u653b\u64ca\u5c0d\u65bc\u4fdd\u6301\u7cfb\u7d71\u66f4\u52a0\u7a69\u5b9a\u975e\u5e38\u91cd\u8981\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-DBus-1<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Use D-Bus as IPC. 
\u4f7f\u7528D-Bus\u4f5c\u70baIPC\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-DBus-2<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Apply D-BUS security patches: <a href=\"https:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-13442\/D-bus-Project.html\">D-Bus CVE<\/a> \u61c9\u7528 D-BUS \u5b89\u5168\u88dc\u4e01<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>6.5 \u7cfb\u7d71\u670d\u52d9\u548c\u5b88\u8b77\u9032\u7a0b<\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Services-1<\/td>\n<td style=\"text-align: left;\">SystemD ?<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Services-2<\/td>\n<td style=\"text-align: left;\">Secure daemon ?<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5de5\u5177<\/h4>\n<ul>\n<li><strong>connman<\/strong>\uff1a\u4e00\u500b\u4e92\u806f\u7db2\u9023\u63a5\u7ba1\u7406\u5668\uff0c\u65e8\u5728\u7cbe\u7c21\u4f75\u4f7f\u7528\u76e1\u53ef\u80fd\u5c11\u7684\u8cc7\u6e90\u3002\u5b83\u662f\u4e00\u500b\u5b8c\u5168\u6a21\u7d44\u5316\u7684\u7cfb\u7d71\uff0c\u53ef\u4ee5\u901a\u904e\u63d2\u4ef6\u9032\u884c\u64f4\u5c55\uff0c\u4ee5\u652f\u6301\u5404\u7a2e\u6709\u7dda\u6216\u7121\u7dda\u6280\u8853\u3002<\/li>\n<li><strong>bluez<\/strong>\u662f\u4e00\u500b\u85cd\u7259\u5806\u68e7\u3002\u5176\u76ee\u6a19\u662f\u88fd\u5b9a\u85cd\u7259\u7121\u7dda\u6a19\u6e96\u898f\u7bc4\u7684\u5be6\u65bd\u65b9\u6848\u3002\u9664\u4e86\u57fa\u672c\u5806\u68e7\u4e4b\u5916\uff0c<code>bluez-utils<\/code>\u548c<code>bluez-firmware<\/code>\u8edf\u9ad4\u5305\u9084\u5305\u542b\u4f4e\u7d1a\u5be6\u7528\u7a0b\u5e8f\uff0c\u4f8b\u5982<code>dfutool<\/code>\u53ef\u4ee5\u8a62\u554f\u85cd\u7259\u9069\u914d\u5668\u82af\u7247\u7d44\u4ee5\u78ba\u5b9a\u5176\u97cc\u9ad4\u662f\u5426\u53ef\u4ee5\u5347\u7d1a\u3002<\/li>\n<li><strong>gstreamer<\/strong
>\u662f\u4e00\u500b\u57fa\u65bc\u7ba1\u9053\u7684\u591a\u5a92\u9ad4\u6846\u67b6\u3002\u5b83\u53ef\u7528\u65bc\u69cb\u5efa\u4e00\u500b\u7cfb\u7d71\uff0c\u4ee5\u4e00\u7a2e\u683c\u5f0f\u8b80\u53d6\u6587\u4ef6\u3001\u8655\u7406\u5b83\u5011\u4e26\u4ee5\u53e6\u4e00\u7a2e\u683c\u5f0f\u5c0e\u51fa\u5b83\u5011\u3002<\/li>\n<li><strong>alsa<\/strong>\u662f\u4e00\u500b\u8edf\u9ad4\u6846\u67b6\uff0c\u662f Linux \u5167\u6838\u7684\u4e00\u90e8\u5206\uff0c \u70ba\u8072\u5361\u8a2d\u5099\u9a45\u52d5\u7a0b\u5e8f\u63d0\u4f9b<strong>API \u3002<\/strong><\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Tool<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-1<\/td>\n<td style=\"text-align: left;\"><code>connman<\/code><\/td>\n<td style=\"text-align: left;\"><em>Used<\/em> as a connection manager. <em>\u7528\u4f5c<\/em>\u9023\u63a5\u7ba1\u7406\u5668\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-2<\/td>\n<td style=\"text-align: left;\"><code>bluez<\/code><\/td>\n<td style=\"text-align: left;\"><em>Used<\/em> as a Bluetooth manager. <em>\u7528\u4f5c<\/em>\u85cd\u7259\u7ba1\u7406\u5668\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-3<\/td>\n<td style=\"text-align: left;\"><code>gstreamer<\/code><\/td>\n<td style=\"text-align: left;\"><em>Used<\/em> to manage multimedia file format. <em>\u7528\u65bc<\/em>\u7ba1\u7406\u591a\u5a92\u9ad4\u6587\u4ef6\u683c\u5f0f\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-4<\/td>\n<td style=\"text-align: left;\"><code>alsa<\/code><\/td>\n<td style=\"text-align: left;\"><em>Used<\/em> to provides an API for sound card device drivers. 
<br \/><em>\u7528\u65bc<\/em>\u70ba\u8072\u5361\u8a2d\u5099\u9a45\u52d5\u7a0b\u5e8f\u63d0\u4f9bAPI\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>6.6 \u61c9\u7528\u7a0b\u5e8f\u6846\u67b6\/\u6a21\u578b\uff08<strong>AppFw<\/strong>\uff09<\/h3>\n<p>AGL\u61c9\u7528\u7a0b\u5e8f\u6846\u67b6\u7531\u5e7e\u500b\u4e92\u64cd\u4f5c\u7684\u90e8\u5206\u7d44\u6210\uff1a<\/p>\n<ul>\n<li><strong>SMACK<\/strong>\uff1a\u5167\u6838\u7d1a<strong>LSM\uff08Linux\u5b89\u5168\u6a21\u7d44\uff09<\/strong>\uff0c\u57f7\u884c\u7cfb\u7d71\u7684\u64f4\u5c55\u8a2a\u554f\u63a7\u5236\u3002<\/li>\n<li><strong>Cynara<\/strong>\uff1a\u672c\u6a5f\u7db2\u5b88\u5b88\u8b77\u9032\u7a0b\uff0c\u7528\u65bc\u7b56\u7565\u8655\u7406\u3001\u66f4\u65b0\u6578\u64da\u5eab\u548c\u7b56\u7565\u6aa2\u67e5\u3002<\/li>\n<li><strong>\u5b89\u5168\u7ba1\u7406\u5668<\/strong>\uff1a\u4e00\u500b\u4e3b\u670d\u52d9\uff0c\u6240\u6709\u5b89\u5168\u4e8b\u4ef6\u90fd\u901a\u904e\u5b83\u767c\u751f\u3002<\/li>\n<li>\u5e7e\u500b\u672c\u6a5f\u61c9\u7528\u7a0b\u5e8f\u6846\u67b6<strong>\u5be6\u7528\u7a0b\u5e8f<\/strong>\uff1a<code>afm-main-binding<\/code>\u3001 <code>afm-user-daemon<\/code>\u3001<code>afm-system-daemon<\/code>\u3002<\/li>\n<\/ul>\n<p>\u61c9\u7528\u7a0b\u5e8f\u6846\u67b6\u7ba1\u7406\uff1a<\/p>\n<ul>\n<li>\u61c9\u7528\u7a0b\u5e8f\u548c\u670d\u52d9\u7ba1\u7406\uff1a\u5b89\u88dd\u3001\u5378\u8f09\u3001\u5217\u51fa\u2026\u2026<\/li>\n<li>\u61c9\u7528\u7a0b\u5e8f\u7684\u751f\u547d\u9031\u671f\uff1a\u958b\u59cb-&gt;\uff08\u66ab\u505c\u3001\u6062\u5fa9\uff09-&gt;\u505c\u6b62\u3002<\/li>\n<li>\u4e8b\u4ef6\u548c\u4fe1\u865f\u50b3\u64ad\u3002<\/li>\n<li>\u6b0a\u9650\u6388\u4e88\u548c\u6aa2\u67e5\u3002<\/li>\n<li>\u7528\u65bc\u8207\u61c9\u7528\u7a0b\u5e8f\u4ea4\u4e92\u7684 
API\u3002<\/li>\n<li>\u5b89\u5168<strong>\u6a21\u578b<\/strong>\u662f\u6307\u7528\u65bc\u78ba\u4fdd\u5b89\u5168\u6027\u7684\u5b89\u5168\u6a21\u578b\u4ee5\u53ca\u70ba\u5be6\u73fe\u8a72\u6a21\u578b\u800c\u63d0\u4f9b\u7684\u5de5\u5177\u3002\u9019\u662f\u4e00\u500b\u4e0d\u61c9\u5f71\u97ff\u61c9\u7528\u7a0b\u5e8f\u6846\u67b6\u4e4b\u4e0a\u7684\u5c64\u7684\u5be6\u73fe\u7d30\u7bc0\u3002<\/li>\n<li>\u5b89\u5168<strong>\u6a21\u578b<\/strong>\u662f\u6307\u7cfb\u7d71\u5982\u4f55\u4f7f\u7528<strong>DAC<\/strong>\uff08<strong>\u81ea\u7531<\/strong>\u8a2a\u554f<strong>\u63a7\u5236<\/strong>\uff09\u3001<strong>MAC<\/strong>\uff08\u5f37\u5236\u8a2a\u554f\u63a7\u5236\uff09\u4f86\u4fdd\u8b49\u5b89\u5168\u548c \u96b1\u79c1<strong>\u3002<\/strong>\u5b83\u9084\u5305\u62ec\u4f7f\u7528\u5be9\u6838\u529f\u80fd\u4ee5\u53ca\u7ba1\u7406\u65e5\u8a8c\u548c\u8b66\u5831\u9032\u884c\u5831\u544a\u7684\u529f\u80fd\u3002<code>Capabilities<\/code><\/li>\n<\/ul>\n<p>AppFw\u4f7f\u7528\u5b89\u5168\u6a21\u578b\u4f86\u78ba\u4fdd\u5176\u7ba1\u7406\u7684\u61c9\u7528\u7a0b\u5e8f\u7684\u5b89\u5168\u6027\u548c\u96b1\u79c1\u6027<strong>\u3002<\/strong>\u5b83\u5fc5\u9808\u7b26\u5408\u5e95\u5c64\u5b89\u5168\u6a21\u578b\u3002\u4f46\u5b83\u61c9\u8a72\u5c0d\u61c9\u7528\u7a0b\u5e8f\u96b1\u85cf\u5b83\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-AGLFw-AppFw-1<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Use the AppFw as Security model.<br \/>\u4f7f\u7528 AppFw \u4f5c\u70ba\u5b89\u5168\u6a21\u578b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6709\u95dc\u8a73\u7d30\u4fe1\u606f\uff0c\u8acb\u53c3\u95b1<a href=\"http:\/\/docs.automotivelinux.org\/docs\/devguides\/en\/dev\/reference\/iotbzh2016\/appfw\/03-AGL-AppFW-Privileges-Management.pdf\">AGL AppFw 
\u6b0a\u9650\u7ba1\u7406<\/a> \u548c<a href=\"http:\/\/iot.bzh\/download\/public\/2017\/SDK\/AppFw-Documentation-v3.1.pdf\">AGL &#8211; \u61c9\u7528\u7a0b\u5e8f\u6846\u67b6\u6587\u6a94\u3002<\/a><\/p>\n<p>\u5b89\u5168\u7ba1\u7406\u5668\u5c07\u7b56\u7565\u4fe1\u606f\u50b3\u9054\u7d66<strong>Cynara<\/strong>\uff0cCynara \u5c07\u4fe1\u606f\u4ee5\u5e36\u6709\u9017\u865f\u5206\u9694\u503c (CSV) \u7684\u6587\u672c\u6587\u4ef6\u683c\u5f0f\u4fdd\u7559\u5728\u81ea\u5df1\u7684\u6578\u64da\u5eab\u4e2d\u3002\u6709\u898f\u5b9a\u5728\u66f4\u65b0\u6587\u4ef6\u6642\u4fdd\u7559 CSV \u6587\u672c\u6587\u4ef6\u7684\u526f\u672c\u3002<\/p>\n<p>\u904b\u884c\u6642\u6aa2\u67e5\u901a\u904e<strong>Cynara<\/strong>\u9032\u884c\u3002\u6dfb\u52a0\u5230\u6846\u67b6\u4e2d\u7684\u6bcf\u500b\u61c9\u7528\u7a0b\u5e8f\u90fd\u6709\u81ea\u5df1\u7684 SMACK \u4e0a\u4e0b\u6587\u548c D \u7e3d\u7dda\u7d81\u5b9a\u7684\u5be6\u4f8b\u3002afb_daemon \u548c Binder \u5f62\u6210\u4e00\u500b Web \u670d\u52d9\uff0c\u901a\u904e http \u6216 Websocket \u5f9e\u61c9\u7528\u7a0b\u5e8f\u672c\u8eab\u9032\u884c\u901a\u4fe1\u3002\u6b64 http \u6216 websocket \u63a5\u53e3\u4f7f\u7528\u6a19\u6e96\u7684\u552f\u4e00 Web \u4ee4\u724c\u9032\u884c API \u901a\u4fe1\u3002<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/docs.automotivelinux.org\/en\/master\/03_Architecture_Guides\/02_Security_Blueprint\/images\/App-flow.png\" alt=\"\u61c9\u7528\u7a0b\u5e8f\u6846\u67b6\u6d41\u7a0b\" \/><\/p>\n<h4>Cynara \u7b56\u7565\u6aa2\u67e5\u5668\u670d\u52d9<\/h4>\n<p>\u9700\u8981\u53e6\u4e00\u7a2e\u6a5f\u5236\u4f86\u8ca0\u8cac\u6aa2\u67e5\u61c9\u7528\u6b0a\u9650\uff1a\u76ee\u524d\u5728 AGL \u4e2d\uff0c\u6b64\u4efb\u52d9\u4f9d\u8cf4\u65bc\u7b56\u7565\u6aa2\u67e5\u5668\u670d\u52d9 ( <strong>Cynara<\/strong> )\u3002<\/p>\n<ul>\n<li>\u5c07\u5fa9\u96dc\u7684\u7b56\u7565\u5b58\u5132\u5728\u6578\u64da\u5eab\u4e2d\u3002<\/li>\n<li>\u201c\u8edf\u201d\u5b89\u5168\u6027\uff08\u8a2a\u554f\u7531\u6846\u67b6\u6aa2\u67e5\uff09\u3002<\/li>\n<\/ul>\n<p>Cynara 
\u8207<strong>D-Bus<\/strong>\u4ea4\u4e92\u4ee5\u50b3\u905e\u6b64\u4fe1\u606f\u3002<\/p>\n<p>Cynara \u7531\u5e7e\u500b\u90e8\u5206\u7d44\u6210\uff1a<\/p>\n<ul>\n<li>Cynara\uff1a\u7528\u65bc\u63a7\u5236\u7b56\u7565\u548c\u97ff\u61c9\u8a2a\u554f\u63a7\u5236\u8acb\u6c42\u7684\u5b88\u8b77\u9032\u7a0b\u3002<\/li>\n<li>\u6578\u64da\u5eab\uff1a\u4fdd\u5b58\u7b56\u7565\u7684\u5730\u65b9\u3002<\/li>\n<li>\u5eab\uff1a\u5e7e\u500b\u7528\u65bc\u8207 Cynara \u901a\u4fe1\u7684\u975c\u614b\u548c\u52d5\u614b\u5eab\u3002<\/li>\n<\/ul>\n<p>\u5b88\u8b77\u9032\u7a0b\u901a\u904e Unix \u57df\u5957\u63a5\u5b57\u8207\u5eab\u9032\u884c\u901a\u4fe1\u3002\u6578\u64da\u5eab\u5b58\u5132\u683c\u5f0f\u662f\u4e00\u7cfb\u5217\u5e36\u6709\u7d22\u5f15\u6587\u4ef6\u7684\u985e\u4f3c CSV \u7684\u6587\u4ef6\u3002<\/p>\n<p>\u653b\u64ca\u8005\u53ef\u4ee5\u901a\u904e\u591a\u7a2e\u65b9\u5f0f\u64cd\u7e31 Cynara \u7cfb\u7d71\u7684\u7b56\u7565\uff1a<\/p>\n<ul>\n<li>\u901a\u904e\u7d42\u6b62\u9032\u7a0b\u4f86\u7981\u7528 Cynara\u3002<\/li>\n<li>\u7be1\u6539\u78c1\u76e4\u4e0a\u6216\u5167\u5b58\u4e2d\u7684 Cynara \u4e8c\u9032\u88fd\u6587\u4ef6\u3002<\/li>\n<li>\u640d\u58de Cynara \u63a7\u5236\u7684\u6578\u64da\u5eab\u3002<\/li>\n<li>\u7be1\u6539 Cynara \u63a7\u5236\u7684\u6578\u64da\u5eab\u3002<\/li>\n<li>\u52ab\u6301 Cynara \u548c\u6578\u64da\u5eab\u4e4b\u9593\u7684\u901a\u4fe1\u3002<\/li>\n<\/ul>\n<p>\u57fa\u65bc\u6587\u672c\u7684\u6578\u64da\u5eab\u662f\u7cfb\u7d71\u4e2d\u6700\u8584\u5f31\u7684\u90e8\u5206\uff0c\u5118\u7ba1\u5b58\u5728\u4e00\u4e9b\u4e00\u81f4\u6027\u6a5f\u5236\uff08\u5373\u5099\u4efd\u9632\u8b77\uff09\uff0c\u4f46\u9019\u4e9b\u6a5f\u5236\u5145\u5176\u91cf\u662f\u8584\u5f31\u7684\uff0c\u4e26\u4e14\u5f88\u5bb9\u6613\u88ab\u653b\u64ca\u8005\u53cd\u64ca\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td 
style=\"text-align: left;\">Platform-AGLFw-Cynara-1<\/td>\n<td style=\"text-align: left;\">Permissions<\/td>\n<td style=\"text-align: left;\">Use Cynara as policy-checker service. \u4f7f\u7528 Cynara \u4f5c\u70ba\u7b56\u7565\u6aa2\u67e5\u670d\u52d9\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>\u653f\u7b56<\/h5>\n<ul>\n<li>\u653f\u7b56\u898f\u5247\uff1a<\/li>\n<li>\u5f88\u7c21\u55ae &#8211; \u5c0d\u65bc [\u61c9\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u3001\u6b0a\u9650] \u5c0d\uff0c\u6709\u76f4\u63a5\u7b54\u6848\uff08\u55ae\u4e00\u7b56\u7565\u985e\u578b\uff09\uff1a[\u5141\u8a31\/\u62d2\u7d55\/&#8230;]\u3002<\/li>\n<li>\u4e0d\u57f7\u884c\u4efb\u4f55\u4ee3\u78bc\uff08\u7121\u8173\u672c\uff09\u3002<\/li>\n<li>\u53ef\u4ee5\u8f15\u9b06\u7de9\u5b58\u548c\u7ba1\u7406\u3002<\/li>\n<li>\u61c9\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\uff08\u63cf\u8ff0\u7528\u6236\u7684 ID \u548c\u61c9\u7528\u7a0b\u5e8f\u6191\u64da\uff09\u5b83\u7684\u69cb\u5efa\u5982\u4e0b\uff1a<\/li>\n<li>\u904b\u884c\u61c9\u7528\u7a0b\u5e8f\u7684\u7528\u6236\u7684 UID\u3002<\/li>\n<li><strong>\u61c9\u7528\u7a0b\u5e8f\u7684SMACK<\/strong>\u6a19\u7c64\u3002<\/li>\n<\/ul>\n<h5>\u6301\u6709\u653f\u7b56<\/h5>\n<p>\u653f\u7b56\u4fdd\u5b58\u5728\u6876\u4e2d\u3002\u5b58\u5132\u6876\u662f\u4e00\u7d44\u5177\u6709\u9ed8\u8a8d\u7b54\u6848\u5c6c\u6027\u7684\u7b56\u7565\uff0c\u5982\u679c\u6c92\u6709\u7b56\u7565\u8207\u641c\u7d22\u9375\u5339\u914d\uff0c\u5247\u6703\u7522\u751f\u9ed8\u8a8d\u7b54\u6848\u3002\u5b58\u5132\u6876\u7684\u540d\u7a31\u53ef\u80fd\u6703\u5728\u7b56\u7565\u4e2d\u4f7f\u7528\uff08\u7528\u65bc\u6307\u793a\uff09\u3002<\/p>\n<h4>\u653b\u64ca\u5411\u91cf<\/h4>\n<p>\u4ee5\u4e0b\u653b\u64ca\u5411\u91cf\u4e26\u4e0d\u5b8c\u5168\u7368\u7acb\u3002\u96d6\u7136\u653b\u64ca\u8005\u53ef\u80fd\u5c0d AGL 
\u7cfb\u7d71\u5177\u6709\u4e0d\u540c\u7d1a\u5225\u7684\u8a2a\u554f\u6b0a\u9650\uff0c\u4f46\u7d93\u9a57\u8868\u660e\uff0c\u5178\u578b\u7684\u653b\u64ca\u53ef\u4ee5\u5f9e\u76f4\u63a5\u8a2a\u554f\u7cfb\u7d71\u958b\u59cb\uff0c\u627e\u5230\u6f0f\u6d1e\uff0c\u7136\u5f8c\u7e7c\u7e8c\u81ea\u52d5\u5316\u653b\u64ca\uff0c\u4ee5\u4fbf\u53ef\u4ee5\u5f9e\u4e0d\u6613\u8a2a\u554f\u7684\u89d2\u5ea6\u8abf\u7528\u653b\u64ca\uff08\u4f8b\u5982\u9060\u7a0b\uff09\u3002\u56e0\u6b64\uff0c\u8a55\u4f30\u6240\u6709\u5a01\u8105\u7d1a\u5225\u4e26\u9069\u7576\u4fdd\u8b77\u7cfb\u7d71\u975e\u5e38\u91cd\u8981\uff0c\u56e0\u70ba\u4e86\u89e3\u76f4\u63a5\u8a2a\u554f\u653b\u64ca\u662f\u9060\u7a0b\u653b\u64ca\u7684\u9580\u6236\u3002<\/p>\n<h5>\u9060\u7a0b\u653b\u64ca<\/h5>\n<p>\u7528\u65bc\u61c9\u7528\u7a0b\u5e8f\u7684\u672c\u5730 Web \u670d\u52d9\u5668\u63a5\u53e3\u662f\u7b2c\u4e00\u500b\u653b\u64ca\u9ede\uff0c\u56e0\u70ba Web \u670d\u52d9 API \u5f88\u5bb9\u6613\u88ab\u7406\u89e3\u4e26\u4e14\u5f88\u5bb9\u6613\u88ab\u6514\u622a\u3002\u901a\u904e\u672c\u5730\u670d\u52d9\u91cd\u5b9a\u5411 Web \u8acb\u6c42\u4e26\u5229\u7528 API\uff0c\u672c\u5730 Web \u670d\u52d9\u5668\u53ef\u80fd\u6703\u88ab\u5229\u7528\u3002\u96d6\u7136\u5728 Web \u670d\u52d9 API \u4e0a\u4f7f\u7528\u4e86\u5b89\u5168\u4ee4\u724c\uff0c\u4f46\u9019\u5145\u5176\u91cf\u53ea\u662f\u5f31\u6587\u672c\u5339\u914d\u3002\u9019\u4e26\u4e0d\u96e3\u6b3a\u9a19\u3002\u773e\u6240\u5468\u77e5\uff0c<a href=\"http:\/\/nordicapis.com\/why-api-keys-are-not-enough\/\">API \u5bc6\u9470\u4e0d\u63d0\u4f9b\u4efb\u4f55\u771f\u6b63\u7684\u5b89\u5168\u6027<\/a>\u3002<\/p>\n<p>http\/web \u670d\u52d9\u63a5\u53e3\u7684\u67b6\u69cb\u5305\u542b\u53ef\u80fd\u70ba\u672c\u5730\u6216 HTML5 
\u7de8\u5beb\u7684\u61c9\u7528\u7a0b\u5e8f\u63d0\u4f9b\u4e86\u6700\u5927\u7684\u9748\u6d3b\u6027\u3002\u7136\u800c\uff0c\u9019\u7a2e\u9748\u6d3b\u6027\u53ef\u80fd\u6703\u4ee5\u5b89\u5168\u554f\u984c\u70ba\u4ee3\u50f9\u3002\u4f8b\u5982\uff0c\u5982\u679c\u672c\u6a5f\u61c9\u7528\u7a0b\u5e8f\u76f4\u63a5\u93c8\u63a5\u5230\u5e95\u5c64\u6846\u67b6\u670d\u52d9\uff0c\u90a3\u9ebc\u5c0d\u901a\u904e Web \u670d\u52d9\u63a5\u53e3\u9032\u884c\u9060\u7a0b\u653b\u64ca\u7684\u64d4\u6182\u5c31\u6703\u6e1b\u5c11\u3002<\/p>\n<p>\u8b93\u63a5\u53e3\u4fdd\u6301\u539f\u6a23\uff0c\u6e1b\u8f15\u653b\u64ca\u53ef\u80fd\u5305\u62ec\u4f7f\u7528\u52a0\u5bc6\u5354\u8b70\u9032\u4e00\u6b65\u4fdd\u8b77\u63a5\u53e3\u5c64\uff1a\u4f8b\u5982\u52a0\u5bc6\u4fe1\u606f\u50b3\u905e\u3001\u5bc6\u9470\u4ea4\u63db\uff08\u4f8b\u5982\u6a62\u5713\u66f2\u7ddaDiffie-Hellman\uff09\u3002<\/p>\n<h5>\u7528\u6236\u7d1a\u672c\u6a5f\u653b\u64ca<\/h5>\n<ul>\n<li>\u4fee\u6539 CSV \u6578\u64da\u5eab<\/li>\n<li>\u4fee\u6539 SQLite \u6578\u64da\u5eab<\/li>\n<li>\u7be1\u6539\u7528\u6236\u7d1a\u4e8c\u9032\u88fd\u6587\u4ef6<\/li>\n<li>\u7be1\u6539\u7528\u6236\u5b88\u8b77\u9032\u7a0b<\/li>\n<li>\u6b3a\u9a19 D \u7e3d\u7dda\u63a5\u53e3<\/li>\n<li>\u6dfb\u52a0\u53ef\u57f7\u884c\u6587\u4ef6\/\u5eab<\/li>\n<\/ul>\n<p>\u7531\u65bc\u76f4\u63a5\u8a2a\u554f\u8a2d\u5099\uff0c\u672c\u6a5f\u7d1a\u5225\u5b58\u5728\u8a31\u591a\u5b89\u5168\u554f\u984c\u3002\u4f8b\u5982\uff0c\u7531\u65bc<strong>Cynara<\/strong>\u4f7f\u7528\u5e36\u6709\u9017\u865f\u5206\u9694\u503c (CSV) \u7684\u6587\u672c\u6587\u4ef6\u6578\u64da\u5eab\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u7c21\u55ae\u5730\u4fee\u6539\u6578\u64da\u5eab\u4f86\u63d0\u5347\u61c9\u7528\u7a0b\u5e8f\u7684\u6b0a\u9650\u3002\u4e00\u65e6\u55ae\u500b\u61c9\u7528\u7a0b\u5e8f\u64c1\u6709\u7cfb\u7d71\u4e0a\u53ef\u80fd\u7684\u6240\u6709\u6b0a\u9650\uff0c\u6f0f\u6d1e\u5c31\u53ef\u4ee5\u901a\u904e\u9019\u7a2e\u65b9\u5f0f\u9032\u884c\u3002\u540c\u6a23\uff0c\u5b89\u5168\u7ba1\u7406\u5668\u4f7f\u7528\u7684 SQLite 
\u6578\u64da\u5eab\u8207\u7c21\u55ae\u7684\u6587\u672c\u6587\u4ef6\u6c92\u6709\u592a\u5927\u5340\u5225\u3002\u6709\u8a31\u591a\u5de5\u5177\u53ef\u7528\u65bc\u6dfb\u52a0\u3001\u522a\u9664\u3001\u4fee\u6539 SQLite \u6578\u64da\u5eab\u4e2d\u7684\u689d\u76ee\u3002<\/p>\n<p>\u5728\u4e0b\u4e00\u500b\u5c64\u9762\u4e0a\uff0c\u5e38\u898b\u7684\u653b\u64ca\u9ede\u662f\u4fee\u6539\u4e8c\u9032\u88fd\u6587\u4ef6\u6216\u5b88\u8b77\u7a0b\u5e8f\u4ee5\u5229\u7528\u529f\u80fd\u3002\u6709\u8a31\u591a Linux \u5de5\u5177\u53ef\u4ee5\u5728\u9019\u65b9\u9762\u63d0\u4f9b\u5e6b\u52a9\uff0c\u5305\u62ec\uff1a<a href=\"https:\/\/www.hex-rays.com\/products\/ida\/index.shtml\">IDA Pro<\/a>\u548c<a href=\"https:\/\/rada.re\/r\/\">Radare2<\/a>\u3002\u901a\u904e\u4fee\u6539\u4e8c\u9032\u88fd\u6587\u4ef6\u7684\u80fd\u529b\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u57f7\u884c\u4efb\u610f\u6578\u91cf\u7684\u6d3b\u52d5\uff0c\u5305\u62ec\uff1a\u522a\u9664\u5c0d\u5b89\u5168\u6aa2\u67e5\u7684\u8abf\u7528\u3001\u91cd\u5b9a\u5411\u63a7\u5236\u4ee5\u7e5e\u904e\u9a57\u8b49\u529f\u80fd\u3001\u5ffd\u7565\u5b89\u5168\u7b56\u7565\u8655\u7406\u3001\u5347\u7d1a\u6b0a\u9650\u7b49\u3002<\/p>\n<p>\u6b64\u5916\uff0c\u53e6\u4e00\u500b\u653b\u64ca\u9014\u5f91\u662f\u6b3a\u9a19 D \u7e3d\u7dda\u63a5\u53e3\u3002D-bus \u662f\u4e00\u7a2e\u57fa\u65bc\u9032\u7a0b\u9593\u901a\u4fe1 (IPC) 
\u69cb\u5efa\u7684\u6d88\u606f\u50b3\u905e\u7cfb\u7d71\uff0c\u5176\u4e2d\u57fa\u65bc\u5354\u8b70\u50b3\u905e\u7d50\u69cb\u5316\u6d88\u606f\u3002\u8a72\u63a5\u53e3\u662f\u901a\u7528\u7684\u4e26\u4e14\u6709\u8a73\u7d30\u7684\u6587\u6a94\u8a18\u9304\u3002\u56e0\u6b64\uff0c\u4fee\u6539\u6216\u6dfb\u52a0\u4e8c\u9032\u88fd\u6587\u4ef6\/\u5eab\u4f86\u6b3a\u9a19\u6b64\u63a5\u53e3\u662f\u4e00\u500b\u76f8\u5c0d\u7c21\u55ae\u7684\u904e\u7a0b\u3002\u4e00\u65e6\u63a5\u53e3\u88ab\u6b3a\u9a19\uff0c\u653b\u64ca\u8005\u5c31\u53ef\u4ee5\u767c\u51fa\u4efb\u610f\u6578\u91cf\u7684\u547d\u4ee4\u4f86\u63a7\u5236\u4f4e\u7d1a\u529f\u80fd\u3002<\/p>\n<p>\u4fdd\u8b77\u7cfb\u7d71\u514d\u53d7\u672c\u6a5f\u653b\u64ca\u9700\u8981\u63a1\u53d6\u6709\u689d\u4e0d\u7d0a\u7684\u65b9\u6cd5\u3002\u9996\u5148\uff0c\u7cfb\u7d71\u61c9\u8a72\u62d2\u7d55\u672a\u7d93\u6279\u51c6\u904b\u884c\u7684\u9032\u7a0b\u3002\u5b89\u88dd\u6642\u7684\u7c3d\u540d\u7d1a\u9a57\u8b49\u5c07\u5728\u9019\u65b9\u9762\u6709\u6240\u5e6b\u52a9\uff0c\u4f46\u904b\u884c\u6642\u5b8c\u6574\u6027\u9a57\u8b49\u8981\u597d\u5f97\u591a\u3002\u7c3d\u540d\u9700\u8981\u4f86\u81ea\u6388\u6b0a\u65b9\uff0c\u9019\u5c07\u5728\u61c9\u7528\u7a0b\u5e8f\u5546\u5e97\u7684\u5f8c\u9762\u90e8\u5206\u4e2d\u9032\u4e00\u6b65\u8a0e\u8ad6\u3002<\/p>\n<p>\u5728\u4e0b\u4e00\u500b\u7d1a\u5225\u4e0a\uff0c\u4e0d\u61c9\u5141\u8a31\u53ef\u57f7\u884c\u6587\u4ef6\u57f7\u884c\u672a\u7d93\u6388\u4e88\u6b0a\u9650\u7684\u64cd\u4f5c\u3002DAC \u548c SMACK 
\u653f\u7b56\u53ef\u4ee5\u5728\u9019\u65b9\u9762\u63d0\u4f9b\u5e6b\u52a9\u3002\u53e6\u4e00\u65b9\u9762\uff0c\u4ecd\u7136\u5b58\u5728\u5c0d\u5167\u5b58\u8a2a\u554f\u3001\u7cfb\u7d71\u8abf\u7528\u548c\u5176\u4ed6\u53ef\u80fd\u672a\u88ab\u6aa2\u6e2c\u5230\u7684\u9032\u7a0b\u6d3b\u52d5\u7684\u64d4\u6182\u3002\u56e0\u6b64\uff0c\u76e3\u8996\u6240\u6709\u6d3b\u52d5\u7684\u5b89\u5168\u74b0\u5883\u53ef\u4ee5\u6307\u793a\u7cfb\u7d71\u4e0a\u6240\u6709\u672a\u7d93\u6388\u6b0a\u7684\u6d3b\u52d5\u3002<\/p>\n<p>\u6700\u5f8c\uff0c\u6355\u7372\u7cfb\u7d71\u4e2d\u7684\u76f4\u63a5\u7be1\u6539\u653b\u64ca\u662f\u975e\u5e38\u56f0\u96e3\u7684\u3002\u9019\u4e9b\u985e\u578b\u7684\u653b\u64ca\u9700\u8981\u63a1\u7528\u6df1\u5ea6\u9632\u79a6\u65b9\u6cd5\uff0c\u5176\u4e2d\u9700\u8981\u88dc\u5145\u8edf\u9ad4\u4fdd\u8b77\u548c\u5f37\u5316\u6280\u8853\u3002\u9632\u7be1\u6539\u548c\u53cd\u9006\u5411\u5de5\u7a0b\u6280\u8853\u5305\u62ec\u7a0b\u5e8f\u8f49\u63db\/\u6df7\u6dc6\u3001\u5b8c\u6574\u6027\u9a57\u8b49\u548c\u767d\u76d2\u52a0\u5bc6\u3002\u5982\u679c\u4ee5\u76f8\u4e92\u4f9d\u8cf4\u7684\u65b9\u5f0f\u61c9\u7528\u4e26\u8003\u616e\u6027\u80fd\/\u5b89\u5168\u6b0a\u8861\uff0c\u8a72\u65b9\u6cd5\u53ef\u4ee5\u70ba\u5c0d\u7cfb\u7d71\u7684\u76f4\u63a5\u653b\u64ca\u63d0\u4f9b\u6709\u6548\u7684\u5c4f\u969c\u3002\u6b64\u5916\uff0c\u5a01\u8105\u76e3\u63a7\u7684\u4f7f\u7528\u63d0\u4f9b\u4e86\u5bf6\u8cb4\u7684\u9059\u6e2c\/\u5206\u6790\u80fd\u529b\u4ee5\u53ca\u5c0d\u53d7\u5230\u653b\u64ca\u7684\u7cfb\u7d71\u505a\u51fa\u53cd\u61c9\u548c\u66f4\u65b0\u7684\u80fd\u529b\u3002<\/p>\n<h5>\u6839\u7d1a\u672c\u6a5f\u653b\u64ca<\/h5>\n<ul>\n<li>\u7be1\u6539\u7cfb\u7d71\u5b88\u8b77\u9032\u7a0b<\/li>\n<li>\u7be1\u6539 Cynara<\/li>\n<li>\u7be1\u6539\u5b89\u5168\u7ba1\u7406\u5668<\/li>\n<li>\u7981\u7528 
SMACK<\/li>\n<li>\u7be1\u6539\u5167\u6838<\/li>\n<\/ul>\n<p>\u4e00\u65e6\u5728\u8a2d\u5099\u4e0a\u5be6\u73fe\u4e86\u6839\u7d1a\u8a2a\u554f\uff08\u5373su\uff09\uff0c\u5c31\u6709\u5f88\u591a\u65b9\u6cd5\u53ef\u4ee5\u5371\u5bb3\u7cfb\u7d71\u3002\u7cfb\u7d71\u5b88\u8b77\u9032\u7a0b<strong>Cynara<\/strong>\u548c\u5b89\u5168\u7ba1\u7406\u5668\u5bb9\u6613\u53d7\u5230\u7be1\u6539\u653b\u64ca\u3002\u4f8b\u5982\uff0c\u53ef\u4ee5\u5728\u5167\u5b58\u4e2d\u4fee\u6539\u53ef\u57f7\u884c\u6587\u4ef6\u4ee5\u5835\u585e\u5206\u652f\u3001\u8df3\u8f49\u5230\u67d0\u500b\u5730\u5740\u6216\u5ffd\u7565\u6aa2\u67e5\u3002\u9019\u53ef\u4ee5\u50cf\u7528 NOP \u66ff\u63db\u5206\u652f\u6307\u4ee4\u3001\u66f4\u6539\u5167\u5b58\u503c\u6216\u4f7f\u7528\u8abf\u8a66\u5668\uff08\u4f8b\u5982 gdb\u3001IDA\uff09\u66f4\u6539\u6307\u4ee4\u4e00\u6a23\u7c21\u55ae\u3002\u7be1\u6539\u9019\u4e9b\u53ef\u57f7\u884c\u6587\u4ef6\u610f\u5473\u8457\u53ef\u4ee5\u5ffd\u7565\u7b56\u7565\u4e26\u7e5e\u904e\u9a57\u8b49\u6aa2\u67e5\u3002<\/p>\n<p>\u5373\u4f7f\u4e0d\u7be1\u6539\u53ef\u57f7\u884c\u6587\u4ef6\uff0c<strong>SMACK<\/strong>\u7cfb\u7d71\u4e5f\u5bb9\u6613\u53d7\u5230\u653b\u64ca\u3002\u4f8b\u5982\uff0c\u5982\u679c\u5167\u6838\u505c\u6b62\u4e26\u4f7f\u7528<em>security=none<\/em>\u6a19\u8a8c\u91cd\u65b0\u555f\u52d5\uff0c\u5247\u4e0d\u6703\u555f\u7528 SMACK\u3002\u6b64\u5916\uff0c\u5728\u555f\u52d5\u671f\u9593<code>systemd<\/code> 
\u958b\u59cb\u52a0\u8f09<strong>SMACK\u898f\u5247\u3002<\/strong>\u5982\u679c\u9019\u500b\u555f\u52d5\u904e\u7a0b\u53d7\u5230\u5e72\u64fe\uff0c\u90a3\u9ebc<strong>SMACK<\/strong>\u5c07\u4e0d\u6703\u904b\u884c\u3002\u6216\u8005\uff0c\u53ef\u4ee5\u6dfb\u52a0\u65b0\u7b56\u7565\uff0c<code>smackload<\/code>\u5141\u8a31\u66ff\u4ee3\u61c9\u7528\u7a0b\u5e8f\/\u53ef\u57f7\u884c\u6587\u4ef6\u5177\u6709\u4e0d\u53ef\u9810\u898b\u7684\u6b0a\u9650\u3002<\/p>\n<p><strong>\u5c0d\u5167\u6838\u7d1a\u5225\u7684\u53e6\u4e00\u7a2e\u5165\u4fb5\u662f\u91cd\u5efa\u5167\u6838\uff08\u56e0\u70ba\u5b83\u662f\u958b\u6e90\u7684\uff09\u4e26\u5c07\u5176\u66ff\u63db\u70ba\u7981\u7528\u4e86SMACK \u7684<\/strong>\u526f\u672c\uff0c\u751a\u81f3\u53ea\u662f\u7981\u7528\u4e86<strong>SMACK<\/strong>\u6587\u4ef6\u7cfb\u7d71 ( <code>smackfs<\/code>)\u3002\u5982\u679c\u6c92\u6709\u64f4\u5c55\u6a19\u7c64\u5c6c\u6027\uff0c<strong>SMACK<\/strong>\u7cfb\u7d71\u5c07\u88ab\u7981\u7528\u3002<\/p>\n<p>\u5c0d\u8a2d\u5099\u7684\u6839\u7d1a\u8a2a\u554f\u5177\u6709\u6700\u7d42\u7684\u6b0a\u529b\uff0c\u6574\u500b\u7cfb\u7d71\u90fd\u53ef\u80fd\u53d7\u5230\u640d\u5bb3\u3002\u66f4\u91cd\u8981\u7684\u662f\uff0c\u5177\u6709\u6b64\u7d1a\u5225\u8a2a\u554f\u6b0a\u9650\u7684\u7cfb\u7d71\u5141\u8a31\u653b\u64ca\u8005\u88fd\u4f5c\u66f4\u7c21\u55ae\u7684<em>\u9ede\u653b\u64ca<\/em>\uff0c\u8a72\u653b\u64ca\u53ef\u4ee5\u5728\u9700\u8981\u8f03\u5c11\u7279\u6b0a\u7684\u7d1a\u5225\u4e0a\u9032\u884c\u64cd\u4f5c\uff08\u4f8b\u5982\u9060\u7a0b\u8a2a\u554f\u3001\u7528\u6236\u7d1a\u8a2a\u554f\uff09\u3002<\/p>\n<h4>\u8106\u5f31\u8cc7\u6e90<\/h4>\n<h5>\u8cc7\u6e90\uff1a<code>afm-user-daemon<\/code><\/h5>\n<p>\u5b83<code>afm-user-daemon<\/code>\u8ca0\u8cac\u4ee3\u8868\u7528\u6236\u8655\u7406\u61c9\u7528\u7a0b\u5e8f\u3002\u5176\u4e3b\u8981\u4efb\u52d9\u662f\uff1a<\/p>\n<ul>\n<li>\u679a\u8209\u6700\u7d42\u7528\u6236\u53ef\u4ee5\u904b\u884c\u7684\u61c9\u7528\u7a0b\u5e8f\u4e26\u6839\u64da\u9700\u8981\u4fdd\u7559\u6b64\u5217\u8868\u3002<\/li>\n<li>\u4
ee3\u8868\u6700\u7d42\u7528\u6236\u555f\u52d5\u61c9\u7528\u7a0b\u5e8f\uff0c\u914d\u7f6e\u7528\u6236\u904b\u884c\u74b0\u5883\uff0c\u914d\u7f6e\u7528\u6236\u5b89\u5168\u4e0a\u4e0b\u6587\u3002<\/li>\n<li>\u5217\u51fa\u7576\u524d\u53ef\u904b\u884c\u6216\u6b63\u5728\u904b\u884c\u7684\u61c9\u7528\u7a0b\u5e8f\u3002<\/li>\n<li>\u505c\u6b62\uff08\u53c8\u7a31\u70ba\u66ab\u505c\uff09\u3001\u7e7c\u7e8c\uff08\u53c8\u7a31\u70ba\u6062\u5fa9\uff09\u3001\u7d42\u6b62\u7d66\u5b9a\u61c9\u7528\u7a0b\u5e8f\u7684\u6b63\u5728\u904b\u884c\u7684\u5be6\u4f8b\u3002<\/li>\n<li>\u5c07\u61c9\u7528\u7a0b\u5e8f\u5b89\u88dd\/\u5378\u8f09\u8acb\u6c42\u50b3\u8f38\u5230\u76f8\u61c9\u7684\u7cfb\u7d71\u5b88\u8b77\u9032\u7a0b afm-system-daemon\u3002<\/li>\n<\/ul>\n<p>\u555f\u52d5\u61c9\u7528\u7a0b\u5e8f<code>afm-user-daemon<\/code>\u3002\u5b83\u5148\u70ba\u61c9\u7528\u7a0b\u5e8f\u69cb\u5efa\u4e00\u500b\u5b89\u5168\u7684\u74b0\u5883\uff0c\u7136\u5f8c\u518d\u5728\u8a72\u74b0\u5883\u4e2d\u555f\u52d5\u61c9\u7528\u7a0b\u5e8f\u3002\u53ef\u4ee5\u6839\u64da\u63cf\u8ff0\u5982\u4f55\u5728\u7d66\u5b9a\u555f\u52d5\u6a21\u5f0f\uff08\u672c\u5730\u6216\u9060\u7a0b\uff09\u5167\u555f\u52d5\u7d66\u5b9a\u985e\u578b\u7684\u61c9\u7528\u7a0b\u5e8f\u7684\u914d\u7f6e\u6587\u4ef6\u4f86\u555f\u52d5\u4e0d\u540c\u985e\u578b\u7684\u61c9\u7528\u7a0b\u5e8f\u3002\u5728\u672c\u5730\u555f\u52d5\u61c9\u7528\u7a0b\u5e8f\u610f\u5473\u8457\u61c9\u7528\u7a0b\u5e8f\u53ca\u5176\u7d81\u5b9a\u7a0b\u5e8f\u4e00\u8d77\u555f\u52d5\u3002\u9060\u7a0b\u555f\u52d5\u61c9\u7528\u7a0b\u5e8f\u610f\u5473\u8457\u50c5\u555f\u52d5\u61c9\u7528\u7a0b\u5e8f\u7d81\u5b9a\u5668\u3002<\/p>\n<p>UI \u672c\u8eab\u5fc5\u9808\u901a\u904e\u8acb\u6c42\u9060\u7a0b\u6fc0\u6d3b\uff08\u5373\u700f\u89bd\u5668\u4e2d\u7684 HTML5 
\u4e3b\u5c4f\u5e55\uff09\u3002\u4e00\u65e6\u555f\u52d5\uff0c\u6b63\u5728\u904b\u884c\u7684\u61c9\u7528\u7a0b\u5e8f\u5be6\u4f8b\u5c31\u6703\u6536\u5230\u4e00\u500b<code>runid<\/code>\u6a19\u8b58\u5b83\u5011\u7684\u5be6\u4f8b\u3002<code>afm-user-daemon<\/code>\u7ba1\u7406\u5df2\u555f\u52d5\u7684\u61c9\u7528\u7a0b\u5e8f\u5217\u8868\u3002\u7576\u64c1\u6709\u6b63\u78ba\u7684\u6b0a\u9650\u6642\uff0c\u5ba2\u6236\u7aef\u53ef\u4ee5\u7372\u5f97\u6b63\u5728\u904b\u884c\u7684\u5be6\u4f8b\u7684\u5217\u8868\u4ee5\u53ca\u6709\u95dc\u7279\u5b9a\u6b63\u5728\u904b\u884c\u7684\u5be6\u4f8b\u7684\u8a73\u7d30\u4fe1\u606f\u3002\u5b83\u9084\u53ef\u4ee5\u7d42\u6b62\u3001\u505c\u6b62\u6216\u7e7c\u7e8c\u7d66\u5b9a\u7684\u61c9\u7528\u7a0b\u5e8f\u3002\u5982\u679c\u5ba2\u6236\u7aef\u64c1\u6709\u6b63\u78ba\u7684\u6b0a\u9650\uff0c<code>afm-user-daemon<\/code>\u5247\u5c07\u5b89\u88dd\u548c\u5378\u8f09\u61c9\u7528\u7a0b\u5e8f\u7684\u4efb\u52d9\u59d4\u8a17\u7d66<code>afm-system-daemon<\/code>\u3002<\/p>\n<p><code>afm-user-daemon<\/code>\u7531<code>systemd<\/code>\u4f5c\u70ba\u9644\u52a0\u5230\u7528\u6236\u6703\u8a71\u7684\u670d\u52d9\u555f\u52d5\u3002\u901a\u5e38\uff0c\u670d\u52d9\u6587\u4ef6\u4f4d\u65bc\/usr\/lib\/systemd\/user\/afm-user-daemon.service\u3002<\/p>\n<p>\u653b\u64ca\u8005\u76ee\u6a19\uff1a<\/p>\n<ul>\n<li>\u7981\u7528<code>afm-user-daemon<\/code>\u3002<\/li>\n<li>\u7be1\u6539<code>afm-user-daemon<\/code>\u914d\u7f6e\u3002<\/li>\n<li>\/usr\/lib\/systemd\/user\/afm-user-daemon.service.<\/li>\n<li>\u61c9\u7528\u7a0b\u5e8f\uff08\u5c0f\u90e8\u4ef6\uff09config.xml 
\u6587\u4ef6\u3002<\/li>\n<li>\/etc\/afm\/afm-launch.conf\uff08\u555f\u52d5\u5668\u914d\u7f6e\uff09\u3002<\/li>\n<li>\u5347\u7d1a\u7528\u6236\u6b0a\u9650\u4ee5\u7372\u5f97\u5c0d<code>afm-user-daemon<\/code>\u7684\u66f4\u591a\u8a2a\u554f\u6b0a\u9650\u3002<\/li>\n<li>\u5b89\u88dd\u60e1\u610f\u61c9\u7528\u7a0b\u5e8f\uff08\u5c0f\u90e8\u4ef6\uff09\u3002<\/li>\n<li>\u7be1\u6539<code>afm-user-daemon<\/code>\u78c1\u76e4\u6216\u5167\u5b58\u3002<\/li>\n<\/ul>\n<h5>\u8cc7\u6e90\uff1a<code>afm-system-daemon<\/code><\/h5>\n<p><code>afm-system-daemon<\/code>\u8ca0\u8cac\u5728 AGL \u7cfb\u7d71\u4e0a\u5b89\u88dd\u61c9\u7528\u7a0b\u5e8f\u3002\u5176\u4e3b\u8981\u4efb\u52d9\u662f\uff1a<\/p>\n<ul>\n<li>\u5b89\u88dd\u61c9\u7528\u7a0b\u5e8f\u4e26\u70ba\u65b0\u5b89\u88dd\u7684\u61c9\u7528\u7a0b\u5e8f\u914d\u7f6e\u5b89\u5168\u6846\u67b6\u3002<\/li>\n<li>\u5378\u8f09\u61c9\u7528\u7a0b\u5e8f\u3002<\/li>\n<\/ul>\n<p><code>afm-system-daemon<\/code>\u7531<code>systemd<\/code>\u4f5c\u70ba\u9644\u52a0\u5230\u7cfb\u7d71\u7684\u670d\u52d9\u555f\u52d5\u3002\u901a\u5e38\uff0c\u670d\u52d9\u6587\u4ef6\u4f4d\u65bc\/lib\/systemd\/system\/afm-systemdaemon.service\u3002<\/p>\n<p>\u653b\u64ca\u8005\u76ee\u6a19\uff1a<\/p>\n<ul>\n<li>\u7981\u7528<code>afm-system-daemon<\/code>\u3002<\/li>\n<li>\u7be1\u6539<code>afm-system-daemon<\/code>\u914d\u7f6e\u3002<\/li>\n<li>\u7be1\u6539<code>afm-system-daemon<\/code>\u78c1\u76e4\u6216\u5167\u5b58\u3002<\/li>\n<\/ul>\n<h5>\u8cc7\u6e90\uff1a<code>afb-daemon<\/code><\/h5>\n<p><code>afb-binder<\/code>\u8ca0\u8cac\u901a\u904e HTTP 
\u63a5\u53e3\u63d0\u4f9b\u8cc7\u6e90\u548c\u529f\u80fd\u3002<code>afb-daemon<\/code>\u8ca0\u8cac\u5c07\u61c9\u7528\u7a0b\u5e8f\u7684\u4e00\u500b\u5be6\u4f8b\u7d81\u5b9a\u5230AGL\u6846\u67b6\u548cAGL\u7cfb\u7d71\u3002\u8a72\u61c9\u7528\u7a0b\u5e8f\u53ca\u5176\u914d\u5957\u7d81\u5b9a\u7a0b\u5e8f\u5728\u70ba\u5176\u914d\u7f6e\u7684\u5b89\u5168\u4e14\u9694\u96e2\u7684\u74b0\u5883\u4e2d\u904b\u884c\u3002\u61c9\u7528\u7a0b\u5e8f\u65e8\u5728\u901a\u904e\u7d81\u5b9a\u5668\u8a2a\u554fAGL\u7cfb\u7d71\u3002<code>afb-daemon<\/code>\u7d81\u5b9a\u5668\u901a\u904e HTTP \u5354\u8b70\u63d0\u4f9b\u6587\u4ef6\uff0c\u4e26\u70ba\u958b\u767c\u4eba\u54e1\u63d0\u4f9b\u901a\u904e HTTP \u6216 WebSocket \u5354\u8b70\u516c\u958b\u61c9\u7528\u7a0b\u5e8f API \u65b9\u6cd5\u7684\u80fd\u529b\u3002<\/p>\n<p>Binder \u7d81\u5b9a\u7528\u65bc\u5c07 API \u6dfb\u52a0\u5230<code>afb-daemon<\/code>\u3002\u7528\u6236\u53ef\u4ee5\u70ba<code>afb-daemon<\/code>\u7de8\u5beb\u7d81\u5b9a\u3002<code>afb-daemon<\/code>\u7d81\u5b9a\u5668\u6709\u591a\u7a2e\u7528\u9014\uff1a<\/p>\n<ol>\n<li>\u5b83\u5145\u7576\u61c9\u7528\u7a0b\u5e8f\u8a2a\u554f\u7cfb\u7d71\u7684\u7db2\u95dc\u3002<\/li>\n<li>\u5b83\u5145\u7576 HTTP \u670d\u52d9\u5668\uff0c\u70ba HTML5 \u61c9\u7528\u7a0b\u5e8f\u63d0\u4f9b\u6587\u4ef6\u670d\u52d9\u3002<\/li>\n<li>\u5b83\u5141\u8a31 HTML5 \u61c9\u7528\u7a0b\u5e8f\u5177\u6709\u53d7\u5b89\u5168\u5f37\u5236\u57f7\u884c\u7684\u672c\u6a5f\u64f4\u5c55\uff0c\u4ee5\u8a2a\u554f\u786c\u9ad4\u8cc7\u6e90\u6216\u52a0\u901f\u90e8\u5206\u7b97\u6cd5\u3002<\/li>\n<\/ol>\n<p>\u653b\u64ca\u8005\u76ee\u6a19\uff1a<\/p>\n<ul>\n<li>\u7a81\u7834\u9694\u96e2\u3002<\/li>\n<li>\u7981\u7528<code>afb-daemon<\/code>\u3002<\/li>\n<li>\u7be1\u6539<code>afb-daemon<\/code>\u78c1\u76e4\u6216\u5167\u5b58\u3002<\/li>\n<li>\u901a\u904e\u5275\u5efa\/\u5b89\u88dd\u81ea\u5b9a\u7fa9\u7d81\u5b9a\u4f86\u7be1\u6539<code>afb-daemon<\/code>\u7684<strong>\u529f\u80fd<\/strong>\u3002<\/li>\n<\/ul>\n<h3>6.7 \u516c\u7528\u7a0b\u5f0f 
Utilities<\/h3>\n<ul>\n<li><strong>busybox<\/strong>\uff1a\u5728\u55ae\u500b\u53ef\u57f7\u884c\u6587\u4ef6\u4e2d\u63d0\u4f9b\u591a\u500b\u7cbe\u7c21 Unix \u5de5\u5177\u7684\u8edf\u9ad4\u3002\u7576\u7136\uff0c\u6709\u5fc5\u8981\u4f7f\u7528<strong>busybox<\/strong>\u7684\u201c\u751f\u7522\u201d\u7248\u672c\uff0c\u4ee5\u907f\u514d\u6240\u6709\u5de5\u5177\u50c5\u5728\u958b\u767c\u6a21\u5f0f\u4e0b\u6709\u7528\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Tool<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-1<\/td>\n<td style=\"text-align: left;\"><code>busybox<\/code><\/td>\n<td style=\"text-align: left;\"><em>Used<\/em> to provide a number of tools. Do not compile development tools.<br \/><em>\u7528\u4f86<\/em>\u63d0\u4f9b\u4e00\u4e9b\u5de5\u5177\u3002\u4e0d\u8981\u7de8\u8b6f\u958b\u767c\u5de5\u5177\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5728\u751f\u7522\u6a21\u5f0f\u4e2d\u61c9\u8a72\u522a\u9664\u7684\u516c\u7528\u7a0b\u5f0f<\/h4>\n<p>\u4f8b\u5982\uff0c\u5728\u751f\u7522\u6a21\u5f0f\u4e0b\uff0c\u5fc5\u9808\u7981\u7528\u8a31\u591a\u5de5\u5177\u4ee5\u9632\u6b62\u653b\u64ca\u8005\u67e5\u627e\u65e5\u8a8c\u3002\u9019\u5c0d\u65bc\u9650\u5236\u53ef\u898b\u8868\u9762\u5f88\u6709\u7528\uff0c\u5f9e\u800c\u4f7f\u6545\u969c\u67e5\u627e\u904e\u7a0b\u8b8a\u5f97\u8907\u96dc\u3002\u50c5\u5728\u958b\u767c\u6a21\u5f0f\u4e0b\u4f7f\u7528\u7684\u5de5\u5177\u6a19\u6709\u201c <strong>agl-devel<\/strong> \u201d\u529f\u80fd\u3002\u5728\u751f\u7522\u6a21\u5f0f\u4e0b\u69cb\u5efa\u6642\uff0c<u>\u9019\u4e9b\u5de5\u5177\u5c07\u4e0d\u6703\u88ab\u7de8\u8b6f<\/u>\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Utility<\/code> name and normal <code>path<\/code><\/th>\n<th style=\"text-align: 
<em>State">
left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-1<\/td>\n<td style=\"text-align: left;\"><code>chgrp<\/code> in <code>\/bin\/chgrp<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-2<\/td>\n<td style=\"text-align: left;\"><code>chmod<\/code> in <code>\/bin\/chmod<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-3<\/td>\n<td style=\"text-align: left;\"><code>chown<\/code> in <code>\/bin\/chown<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-4<\/td>\n<td style=\"text-align: left;\"><code>dmesg<\/code> in <code>\/bin\/dmesg<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-5<\/td>\n<td style=\"text-align: left;\"><code>dnsdomainname<\/code> in <code>\/bin\/dnsdomainname<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-6<\/td>\n<td style=\"text-align: left;\"><code>dropbear<\/code>, Remove &quot;dropbear&quot; from <code>\/etc\/init.d\/rcs<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-7<\/td>\n<td style=\"text-align: left;\"><code>Editors<\/code> in (vi) <code>\/bin\/vi<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-8<\/td>\n<td style=\"text-align: left;\"><code>find<\/code> in <code>\/bin\/find<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-9<\/td>\n<td 
style=\"text-align: left;\"><code>gdbserver<\/code> in <code>\/bin\/gdbserver<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-10<\/td>\n<td style=\"text-align: left;\"><code>hexdump<\/code> in <code>\/bin\/hexdump<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-11<\/td>\n<td style=\"text-align: left;\"><code>hostname<\/code> in <code>\/bin\/hostname<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-12<\/td>\n<td style=\"text-align: left;\"><code>install<\/code> in <code>\/bin\/install<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-13<\/td>\n<td style=\"text-align: left;\"><code>iostat<\/code> in <code>\/bin\/iostat<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-14<\/td>\n<td style=\"text-align: left;\"><code>killall<\/code> in <code>\/bin\/killall<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-15<\/td>\n<td style=\"text-align: left;\"><code>klogd<\/code> in <code>\/sbin\/klogd<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-16<\/td>\n<td style=\"text-align: left;\"><code>logger<\/code> in <code>\/bin\/logger<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-17<\/td>\n<td style=\"text-align: left;\"><code>lsmod<\/code> in <code>\/sbin\/lsmod<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left;\">Platform-Utilities-18<\/td>\n<td style=\"text-align: left;\"><code>pmap<\/code> in <code>\/bin\/pmap<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-19<\/td>\n<td style=\"text-align: left;\"><code>ps<\/code> in <code>\/bin\/ps<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-20<\/td>\n<td style=\"text-align: left;\"><code>ps<\/code> in <code>\/bin\/ps<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-21<\/td>\n<td style=\"text-align: left;\"><code>rpm<\/code> in <code>\/bin\/rpm<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-22<\/td>\n<td style=\"text-align: left;\"><code>SSH<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-23<\/td>\n<td style=\"text-align: left;\"><code>stbhotplug<\/code> in <code>\/sbin\/stbhotplug<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-24<\/td>\n<td style=\"text-align: left;\"><code>strace<\/code> in <code>\/bin\/trace<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-25<\/td>\n<td style=\"text-align: left;\"><code>su<\/code> in <code>\/bin\/su<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-26<\/td>\n<td style=\"text-align: left;\"><code>syslogd<\/code> in (logger) <code>\/bin\/logger<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left;\">Platform-Utilities-27<\/td>\n<td style=\"text-align: left;\"><code>top<\/code> in <code>\/bin\/top<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-28<\/td>\n<td style=\"text-align: left;\"><code>UART<\/code> in <code>\/proc\/tty\/driver\/<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-29<\/td>\n<td style=\"text-align: left;\"><code>which<\/code> in <code>\/bin\/which<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-30<\/td>\n<td style=\"text-align: left;\"><code>who<\/code> and <code>whoami<\/code> in <code>\/bin\/whoami<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-31<\/td>\n<td style=\"text-align: left;\"><code>awk<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-32<\/td>\n<td style=\"text-align: left;\"><code>cut<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-33<\/td>\n<td style=\"text-align: left;\"><code>df<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-34<\/td>\n<td style=\"text-align: left;\"><code>echo<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-35<\/td>\n<td style=\"text-align: left;\"><code>fdisk<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-36<\/td>\n<td style=\"text-align: 
left;\"><code>grep<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-37<\/td>\n<td style=\"text-align: left;\"><code>mkdir<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-38<\/td>\n<td style=\"text-align: left;\"><code>mount<\/code> (vfat) (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-39<\/td>\n<td style=\"text-align: left;\"><code>printf<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-40<\/td>\n<td style=\"text-align: left;\"><code>sed<\/code> in <code>\/bin\/sed<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-41<\/td>\n<td style=\"text-align: left;\"><code>tail<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-42<\/td>\n<td style=\"text-align: left;\"><code>tee<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-43<\/td>\n<td style=\"text-align: left;\"><code>test<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>\u61c9\u5141\u8a31\u4e0a\u8ff0\u555f\u7528\u7684<\/em>Unix\/Linux \u5be6\u7528\u7a0b\u5e8f\uff0c\u56e0\u70ba\u5b83\u5011\u7d93\u5e38\u7528\u65bc\u555f\u52d5\u8173\u672c\u548c USB \u65e5\u8a8c\u8a18\u9304\u3002\u5982\u679c\u8a2d\u5099\u4e0d\u9700\u8981\u9019\u4e9b\u5be6\u7528\u7a0b\u5e8f\u4e2d\u7684\u4efb\u4f55\u4e00\u500b\uff0c\u5247\u61c9\u522a\u9664\u5b83\u5011\u3002<\/p>\n<h3>6.8 \u7528\u6236 
Users<\/h3>\n<p>\u7528\u6236\u7b56\u7565\u53ef\u4ee5\u6309\u6c7d\u8eca\u5167\u7684\u529f\u80fd\u5c0d\u7528\u6236\u9032\u884c\u5206\u7d44\u3002\u4f8b\u5982\uff0c\u6211\u5011\u53ef\u4ee5\u8003\u616e\u4e00\u540d\u53f8\u6a5f\u548c\u4ed6\u7684\u4e58\u5ba2\u3002\u6bcf\u500b\u7528\u6236\u88ab\u5206\u914d\u5230\u4e00\u500b\u7d44\uff0c\u4ee5\u7c21\u5316\u7a7a\u9593\u5b89\u5168\u7684\u7ba1\u7406\u3002<\/p>\n<h4>\u9650\u5236root\u7528\u6236\u8a2a\u554f\u6b0a\u9650<\/h4>\n<p>\u4e3b\u8981\u61c9\u7528\u7a0b\u5e8f\uff08\u5373\u63d0\u4f9b\u5d4c\u5165\u5f0f\u8a2d\u5099\u4e3b\u8981\u529f\u80fd\u7684\u61c9\u7528\u7a0b\u5e8f\uff09\u4e0d\u61c9\u4ee5 root \u8eab\u4efd\u6216\u5e36\u6709\u4efb\u4f55\u80fd\u529b\u57f7\u884c\u3002<\/p>\n<p>\u5982\u679c\u5141\u8a31\u4e3b\u61c9\u7528\u7a0b\u5e8f\u4ee5\u4efb\u4f55\u80fd\u529b\u57f7\u884c\uff0c\u5247\u6574\u500b\u7cfb\u7d71\u5c07\u53d7\u5230\u6240\u8ff0\u61c9\u7528\u7a0b\u5e8f\u826f\u597d\u884c\u70ba\u7684\u652f\u914d\u3002\u7576\u61c9\u7528\u7a0b\u5e8f\u53d7\u5230\u640d\u5bb3\u4e26\u80fd\u5920\u57f7\u884c\u53ef\u80fd\u901a\u904e\u690d\u5165\u60e1\u610f\u61c9\u7528\u7a0b\u5e8f\u800c\u6301\u4e45\u4e14\u6301\u7e8c\u5730\u640d\u5bb3\u7cfb\u7d71\u7684\u547d\u4ee4\u6642\uff0c\u5c31\u6703\u51fa\u73fe\u554f\u984c\u3002<\/p>\n<p>\u5efa\u8b70\u4e2d\u9593\u4ef6\u548c UI 
\u61c9\u5728\u6c92\u6709\u4efb\u4f55\u80fd\u529b\u7684\u7528\u6236\u7684\u4e0a\u4e0b\u6587\u4e2d\u904b\u884c\uff0c\u4e26\u4e14\u61c9\u5728\u6c92\u6709\u4efb\u4f55\u80fd\u529b\u7684\u60c5\u6cc1\u4e0b\u7dad\u8b77\u6240\u6709\u6301\u4e45\u8cc7\u6e90\u3002<\/p>\n<p>\u78ba\u4fdd\u9019\u4e00\u9ede\u7684\u4e00\u7a2e\u65b9\u6cd5\u662f\u5be6\u73fe\u670d\u52d9\u5668-\u5ba2\u6236\u7aef\u7bc4\u4f8b\u3002\u7cfb\u7d71\u9a45\u52d5\u7a0b\u5e8f\u63d0\u4f9b\u7684\u670d\u52d9\u53ef\u4ee5\u901a\u904e\u9019\u7a2e\u65b9\u5f0f\u5171\u4eab\u3002\u9019\u7a2e\u65b9\u6cd5\u7684\u53e6\u4e00\u500b\u512a\u9ede\u662f\u591a\u500b\u61c9\u7528\u7a0b\u5e8f\u53ef\u4ee5\u540c\u6642\u5171\u4eab\u76f8\u540c\u7684\u8cc7\u6e90\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-1<\/td>\n<td style=\"text-align: left;\">Main application<\/td>\n<td style=\"text-align: left;\">Should not execute as root. 
\u4e0d\u61c9\u4ee5 root \u8eab\u4efd\u57f7\u884c\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-2<\/td>\n<td style=\"text-align: left;\">UI<\/td>\n<td style=\"text-align: left;\">Should run in a context on a user with no capability.<br \/>\u61c9\u8a72\u5728\u6c92\u6709\u80fd\u529b\u7684\u7528\u6236\u7684\u4e0a\u4e0b\u6587\u4e2d\u904b\u884c\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4e0d\u61c9\u5141\u8a31\u4ee5\u4e0b\u5be6\u7528\u7a0b\u5e8f\u9032\u884c root \u8a2a\u554f\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Utility<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-3<\/td>\n<td style=\"text-align: left;\"><code>login<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-4<\/td>\n<td style=\"text-align: left;\"><code>su<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-5<\/td>\n<td style=\"text-align: left;\"><code>ssh<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-6<\/td>\n<td style=\"text-align: left;\"><code>scp<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-7<\/td>\n<td style=\"text-align: left;\"><code>sftp<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4e0d\u61c9\u5141\u8a31\u63a7\u5236\u53f0\u8a2d\u5099\u9032\u884c root 
\u8a2a\u554f\u3002\u958b\u767c\u74b0\u5883\u61c9\u5141\u8a31\u7528\u6236\u4f7f\u7528\u9810\u5148\u5275\u5efa\u7684\u7528\u6236\u5e33\u6236\u767b\u9304\u3002<\/p>\n<p>\u958b\u767c\u74b0\u5883\u4e2d\u61c9\u5141\u8a31\u901a\u904e <code>sudo<\/code> \u5207\u63db\u5230\u63d0\u5347\u7684\u6b0a\u9650\u3002<\/p>\n<hr \/>\n<h4>\u7528\u6236\u80fd\u529b\uff08User Capabilities\uff09\u9650\u5236<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-Capabilities-1<\/td>\n<td style=\"text-align: left;\">Kernel or Platform-user?<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-Capabilities-2<\/td>\n<td style=\"text-align: left;\">Add config note.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>\u76ee\u6a19\u662f\u9650\u5236\u5728AGL<\/strong>\u4e2d\u7121\u7528\u7684\u80fd\u529b\u3002\u5b83\u5011\u88ab\u96c6\u6210\u5230<strong>LSM<\/strong>\u4e2d\u3002\u6bcf\u500b\u7279\u6b0a\u4e8b\u52d9\u90fd\u8207\u4e00\u7a2e\u80fd\u529b\u76f8\u95dc\u806f\u3002\u9019\u4e9b\u80fd\u529b\u5206\u70ba\u4e09\u7d44\uff1a<\/p>\n<ul>\n<li>e\uff1a\u6709\u6548\uff1a\u9019\u610f\u5473\u8457\u8a72\u80fd\u529b\u5df2\u201c\u6fc0\u6d3b\u201d\u3002<\/li>\n<li>p\uff1a\u5141\u8a31\uff1a\u9019\u610f\u5473\u8457\u8a72\u80fd\u529b\u53ef\u4ee5\u4f7f\u7528\/\u88ab\u5141\u8a31\u3002<\/li>\n<li>i\uff1a\u7e7c\u627f\uff1a\u4f8b\u5982\uff0c\u8a72\u80fd\u529b\u7531\u5b50\u9032\u7a0b\u5728 execve() \u4e0a\u4fdd\u7559\u3002<\/li>\n<\/ul>\n<h2>7. 
<a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/07_Application\/\">\u61c9\u7528\u85cd\u5716<\/a><\/h2>\n<p><strong>\u61c9\u7528\u7a0b\u5e8f\u5f37\u5316<\/strong>\uff1a\u61c9\u7528\u65bc\u7528\u6236\u7a7a\u9593\u61c9\u7528\u7a0b\u5e8f\u7684\u69cb\u5efa\u548c\u767c\u5e03\u7684\u6700\u4f73\u5be6\u8e10\uff0c\u4ee5\u6e1b\u5c11\u6f5b\u5728\u653b\u64ca\u8005\u4f7f\u7528\u7684\u653b\u64ca\u9762\u6578\u91cf\u3002<\/p>\n<p>\u61c9\u7528\u7a0b\u5e8f (App) \u4e00\u8a5e\u5728<strong>AGL<\/strong>\u4e2d\u5177\u6709\u975e\u5e38\u5ee3\u6cdb\u7684\u5b9a\u7fa9\u3002\u5e7e\u4e4e\u6240\u6709\u4e0d\u5728\u5167\u6838\u64cd\u4f5c\u7cfb\u7d71 (OS) \u4e2d\u7684\u6771\u897f\u90fd\u662f\u61c9\u7528\u7a0b\u5e8f\u3002\u61c9\u7528\u7a0b\u5e8f\u53ef\u4ee5\u5305\u542b\u5728\u57fa\u790e\u8edf\u9ad4\u5305\uff08\u93e1\u50cf\uff09\u4e2d\uff0c\u4e5f\u53ef\u4ee5\u5728\u904b\u884c\u6642\u6dfb\u52a0\u3002<\/p>\n<p>\u61c9\u7528\u7a0b\u5e8f\u904f\u5236\u662f\u901a\u904e\u4ee5\u4e0b\u4fdd\u8b77\u4f86\u5be6\u73fe\u7684\uff1a<\/p>\n<ul>\n<li>Linux \u539f\u751f\u4fdd\u8b77<\/li>\n<li>\u5f37\u5236\u8a2a\u554f\u63a7\u5236\uff08<strong>MAC<\/strong>\uff09<\/li>\n<li>AGL \u5e73\u53f0\u4fdd\u8b77<\/li>\n<li>\u539f\u7522\u5730\u8ffd\u8e2a\u548c\u9a57\u8b49<\/li>\n<li>\u901a\u904e Cynara \u9032\u884c\u61c9\u7528\u7a0b\u5e8f\u6b0a\u9650\u7ba1\u7406\u548c\u57f7\u884c<\/li>\n<li>\u901a\u904e D-Bus \u9032\u884c\u8eab\u4efd\u9a57\u8b49\u7684\u50b3\u8f38<\/li>\n<\/ul>\n<h3>7.1 \u61c9\u7528\u985e\u578b<\/h3>\n<p>AGL \u70ba\u4ee5\u4e0d\u540c\u5f62\u5f0f\u7de8\u5beb\u7684\u61c9\u7528\u7a0b\u5e8f\u63d0\u4f9b\u4e86\u4e00\u500b\u6846\u67b6\uff1a<\/p>\n<ul>\n<li>\u7db2\u7d61\u61c9\u7528\u7a0b\u5e8f\uff1aHTML5 + JavaScript<\/li>\n<li>Qt \u61c9\u7528\u7a0b\u5e8f\uff1a\u5728 QML \u6587\u4ef6\u4e2d<\/li>\n<li>\u672c\u6a5f\u61c9\u7528\u7a0b\u5e8f\uff1aC 
\u8a9e\u8a00<\/li>\n<\/ul>\n<p>\u96d6\u7136\u63d0\u4f9b\u591a\u7a2e\u985e\u578b\u7684\u61c9\u7528\u7a0b\u5e8f\u6c92\u6709\u58de\u8655\uff0c\u4f46\u5f9e\u5b89\u5168\u89d2\u5ea6\u4f86\u770b\uff0c\u9019\u78ba\u5be6\u589e\u52a0\u4e86\u5165\u4fb5\u8005\u7684\u653b\u64ca\u9762\u3002\u61c9\u7528\u7a0b\u5e8f\u6846\u67b6 ( <strong>AppFw<\/strong> ) \u7531\u8a31\u591a\u70ba\u61c9\u7528\u7a0b\u5e8f\u63d0\u4f9b\u4e0a\u4e0b\u6587\u7684\u5be6\u7528\u7a0b\u5e8f\u548c\u5b88\u8b77\u7a0b\u5e8f\u7d44\u6210\u3002<strong>\u901a\u904eSMACK<\/strong>\u6a19\u7c64\u63d0\u4f9b\u9694\u96e2 \u3002<\/p>\n<h3>7.2 \u61c9\u7528\u5546\u5e97<\/h3>\n<p>\u5118\u7ba1Tizen\u7cfb\u7d71\u5b9a\u7fa9\u4e86<a href=\"https:\/\/wiki.tizen.org\/Security\/Tizen_3.X_Overview#Application_Singing_and_Certificates\">\u61c9\u7528\u7a0b\u5e8f\u7c3d\u540d\u548c\u7c3d\u540d\u6d41\u7a0b\u7684\u7cfb\u7d71<\/a> \uff0c\u4ee5\u907f\u514d\u53ef\u80fd\u5305\u542b\u60e1\u610f\u8edf\u9ad4\u7684\u672a\u7d93\u6388\u6b0a\u7684\u61c9\u7528\u7a0b\u5e8f\u7684\u50b3\u64ad\u3002\u76ee\u524d\u9084\u4e0d\u6e05\u695a AGL \u5c07\u63a1\u7528\u591a\u5c11\u8a72\u6d41\u7a0b\u3002\u7136\u800c\uff0c\u5f9e\u7d93\u9a57\u4f86\u770b\uff0c\u9019\u662f\u4e00\u500b\u5fc5\u4e0d\u53ef\u5c11\u7684\u8a71\u984c\u3002<a href=\"http:\/\/www.eweek.com\/mobile\/researchers-find-132-malware-infected-android-apps-on-google-play\">\u4f8b\u5982\uff0cGoogle Play\u5546\u5e97\u901a\u904e\u7c3d\u540d\u4f86\u63a7\u5236App\u7684\u6388\u6b0a\uff0c\u4f46\u5546\u5e97\u4e2d<\/a>\u4ecd\u7136\u5b58\u5728\u5927\u91cf\u5305\u542b\u60e1\u610f\u8edf\u9ad4\u7684App\u8cec\u6236\u3002<\/p>\n<p>Tizen \u5b9a\u7fa9\u4e86 5 \u500b\u7d1a\u5225\u7684\u8b49\u66f8\u548c\u6bcf\u500b\u7d1a\u5225\u7684\u7c3d\u540d\uff0c\u5305\u62ec\u4f5c\u8005\u3001\u6e2c\u8a66\u5206\u767c\u8005\u3001\u516c\u5171\u7d1a\u5225\u5546\u5e97\u5206\u767c\u8005\u3001\u5408\u4f5c\u5925\u4f34\u7d1a\u5225\u5546\u5e97\u5206\u767c\u8005\u548c\u5e73\u53f0\u7d1a\u5225\u5546\u5e97\u5206\u767c\u8005\u3002AGL 
\u53ef\u4ee5\u5b9a\u7fa9\u4e0d\u540c\u6578\u91cf\u7684\u7b2c\u4e09\u65b9\uff0c\u4f46\u81f3\u5c11\u61c9\u5b9a\u7fa9\u4f5c\u8005\u548c\u5546\u5e97\u5206\u92b7\u5546\u3002<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/docs.automotivelinux.org\/en\/master\/03_Architecture_Guides\/02_Security_Blueprint\/images\/App_signing_flow.png\" alt=\"\u61c9\u7528\u7a0b\u5e8f\u7c3d\u540d\u6d41\u7a0b\" \/><\/p>\n<p>\u4e00\u65e6\u78ba\u5b9a\u4e86\u7c3d\u540d\u6578\u91cf\uff0c\u81f3\u5c11\u9700\u8981\u5728 AGL \u8a2d\u5099\u4e0a\u5b89\u88dd\u6642\u9a57\u8b49\u9019\u4e9b\u7c3d\u540d\u3002\u78ba\u4fdd\u7528\u65bc\u7c3d\u540d\u9a57\u8b49\u7684\u516c\u9470\u7684\u7a69\u5065\u6027\/\u5b8c\u6574\u6027\u975e\u5e38\u91cd\u8981\u3002\u5982\u679c\u516c\u9470\u88ab\u7be1\u6539\uff0c\u5247\u8a72\u88ab\u7be1\u6539\u7684\u516c\u9470\u53ef\u7528\u65bc\u9a57\u8b49\u653b\u64ca\u8005\u4ee5\u5176\u79c1\u9470\u7522\u751f\u7684\u7c3d\u540d\u3002<\/p>\n<p>\u9664\u6b64\u4e4b\u5916\uff0c\u5b89\u88dd\u6642\u9a57\u8b49\u53d7\u5230\u9650\u5236\u3002\u904b\u884c\u6642\u5167\u5b58\u4e2d\u7684\u61c9\u7528\u7a0b\u5e8f\u53ef\u80fd\u6703\u53d7\u5230\u653b\u64ca\u3002\u5b89\u88dd\u6642\u9a57\u8b49\u5c07\u932f\u904e\u5b89\u88dd\u5f8c\u6240\u505a\u7684\u4efb\u4f55\u4fee\u6539\u3002\u5728\u57f7\u884c\u671f\u9593\u904b\u884c\u7684\u5b8c\u6574\u6027\u9a57\u8b49\u53ef\u4ee5\u5be6\u73fe\u66f4\u5b8c\u6574\u7684\u5b89\u5168\u4fdd\u969c\u3002<\/p>\n<hr \/>\n<h3>7.3 \u7e2e\u7565\u8a9e<\/h3>\n<p>\u4e0b\u8868\u5217\u51fa\u4e86\u672c\u90e8\u5206\u6587\u6a94\u4e2d\u4f7f\u7528\u7684\u8853\u8a9e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u7e2e\u5beb<\/th>\n<th style=\"text-align: left;\">\u63cf\u8ff0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><em>3GPP<\/em><\/td>\n<td style=\"text-align: left;\"><strong>3<\/strong>rd <strong>G<\/strong>eneration <strong>P<\/strong>artnership <strong>P<\/strong>roject  \u7b2c\u4e09\u4ee3\u5408\u4f5c\u5925\u4f34\u8a08\u5283<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left;\"><em>CASB<\/em><\/td>\n<td style=\"text-align: left;\"><strong>C<\/strong>loud <strong>A<\/strong>ccess <strong>S<\/strong>ecurity <strong>B<\/strong>roker  \u96f2\u8a2a\u554f\u5b89\u5168\u4ee3\u7406<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>DAST<\/em><\/td>\n<td style=\"text-align: left;\"><strong>D<\/strong>ynamic <strong>A<\/strong>pplication <strong>S<\/strong>ecurity <strong>T<\/strong>esting   \u52d5\u614b\u61c9\u7528\u5b89\u5168\u6e2c\u8a66<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>DPI<\/em><\/td>\n<td style=\"text-align: left;\"><strong>D<\/strong>eep <strong>P<\/strong>acket <strong>I<\/strong>nspection  \u6df1\u5ea6\u5305\u6aa2\u6e2c<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>IDS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>I<\/strong>ntrusion <strong>D<\/strong>etection <strong>S<\/strong>ystems  \u5165\u4fb5\u6aa2\u6e2c\u7cfb\u7d71<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>IPS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>I<\/strong>ntrusion <strong>P<\/strong>revention <strong>S<\/strong>ystems  \u5165\u4fb5\u9632\u79a6\u7cfb\u7d71<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>IPSec<\/em><\/td>\n<td style=\"text-align: left;\"><strong>I<\/strong>nternet <strong>P<\/strong>rotocol <strong>Sec<\/strong>urity  \u7db2\u7d61\u5b89\u5168\u5354\u8b70<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>LSM<\/em><\/td>\n<td style=\"text-align: left;\"><strong>L<\/strong>inux <strong>S<\/strong>ecurity <strong>M<\/strong>odule    Linux\u5b89\u5168\u6a21\u7d44<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>MITM<\/em><\/td>\n<td style=\"text-align: left;\"><strong>M<\/strong>an <strong>I<\/strong>n <strong>T<\/strong>he <strong>M<\/strong>iddle   \u4e2d\u9593\u4eba<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>OSI<\/em><\/td>\n<td style=\"text-align: left;\"><strong>O<\/strong>pen <strong>S<\/strong>ystems <strong>I<\/strong>nterconnection  
\u958b\u653e\u7cfb\u7d71\u4e92\u9023<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>SAST<\/em><\/td>\n<td style=\"text-align: left;\"><strong>S<\/strong>tatic <strong>A<\/strong>pplication <strong>S<\/strong>ecurity <strong>T<\/strong>esting  \u975c\u614b\u61c9\u7528\u5b89\u5168\u6e2c\u8a66<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>7.4 \u672c\u5730\u5b89\u88dd\u61c9\u7528<\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Installation-1<\/td>\n<td style=\"text-align: left;\">Talk about AppFw offline mode.  \u95dc\u65bc AppFw\u96e2\u7dda\u6a21\u5f0f\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>\u53ef\u4ee5\u4f7f\u7528AppFw<\/strong>\u63d0\u4f9b\u7684\u7279\u6b8a\u96e2\u7dda\u6a21\u5f0f\u8207\u57fa\u790e\u93e1\u50cf\u4e00\u8d77\u4ea4\u4ed8\u548c\u5b89\u88dd\u61c9\u7528\u7a0b\u5e8f\u3002\u61c9\u7528\u7a0b\u5e8f\u4e5f\u53ef\u4ee5\u5728\u904b\u884c\u6642\u5b89\u88dd\u3002<\/p>\n<p>\u5728\u65e9\u671f\u767c\u5e03\u671f\u9593\uff0c\u9ed8\u8a8d\u61c9\u7528\u7a0b\u5e8f\u6703\u5728\u9996\u6b21\u555f\u52d5\u6642\u5b89\u88dd\u5728\u93e1\u50cf\u4e0a\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u76ee\u7684<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Installation-1<\/td>\n<td style=\"text-align: left;\">AppFw<\/td>\n<td style=\"text-align: left;\">\u63d0\u4f9b\u96e2\u7dda\u6a21\u5f0f\u4ee5\u4fbf\u4f7f\u7528\u57fa\u790e\u93e1\u50cf\u5b89\u88dd\u61c9\u7528\u7a0b\u5e8f\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Installation-2<\/td>\n<td style=\"text-align: left;\">\u5b8c\u6574\u6027<\/td>\n<td style=\"text-align: 
left;\">\u50c5\u7576\u61c9\u7528\u7a0b\u5e8f\u5b8c\u6574\u6027\u826f\u597d\u6642\u624d\u5141\u8a31\u5b89\u88dd\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>7.5 \u672c\u5730\u6b0a\u9650\u7ba1\u7406<\/h3>\n<p>\u61c9\u7528\u7a0b\u5e8f\u6b0a\u9650\u7531<strong>Cynara<\/strong>\u548c<strong>AppFw<\/strong>\u4e2d\u7684\u5b89\u5168\u7ba1\u7406\u5668\u7ba1\u7406\u3002\u66f4\u591a\u8a73\u7d30\u4fe1\u606f\uff0c\u8acb\u53c3\u95b1\u5e73\u53f0\u90e8\u5206\u7684AppFw\u6587\u6a94\u3002<\/p>\n<h3>7.6 \u61c9\u7528\u7c3d\u540d<\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Signature-1<\/td>\n<td style=\"text-align: left;\">Add content (see secure build in Secure development part).<br \/>\u6dfb\u52a0\u5167\u5bb9\uff08\u8acb\u53c3\u95b1\u5b89\u5168\u958b\u767c\u90e8\u5206\u4e2d\u7684\u5b89\u5168\u69cb\u5efa\uff09\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>7.7 \u61c9\u7528\u670d\u52d9<\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Services-1<\/td>\n<td style=\"text-align: left;\">Add content (Which services?).<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Services-2<\/td>\n<td style=\"text-align: left;\">Add Binder.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>8. 
<a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/08_Connectivity\/\">\u4e92\u806f\u6027\u85cd\u5716<\/a><\/h2>\n<p>\u9019\u90e8\u5206\u5c55\u793a\u4e86\u5c0d\u6c7d\u8eca\u7684\u4e0d\u540c\u9023\u63a5\u653b\u64ca\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Abstract-1<\/td>\n<td style=\"text-align: left;\">\u6539\u9032\u6458\u8981\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>8.1 \u7e2e\u7565\u8a9e<\/h3>\n<p>\u4e0b\u8868\u5217\u51fa\u4e86\u672c\u90e8\u5206\u6587\u6a94\u4e2d\u4f7f\u7528\u7684\u8853\u8a9e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u7e2e\u5beb<\/th>\n<th style=\"text-align: left;\">\u63cf\u8ff0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><em>ARP<\/em><\/td>\n<td style=\"text-align: left;\"><strong>A<\/strong>ddress <strong>R<\/strong>esolution <strong>P<\/strong>rotocol  \/ <strong>\u5730\u5740\u89e3\u6790\u5354\u8b70<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>BLE<\/em><\/td>\n<td style=\"text-align: left;\"><strong>B<\/strong>luetooth <strong>L<\/strong>ow <strong>E<\/strong>nergy \/ <strong>\u4f4e\u529f\u8017\u85cd\u7259<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>CAN<\/em><\/td>\n<td style=\"text-align: left;\"><strong>C<\/strong>ontroller <strong>A<\/strong>rea <strong>N<\/strong>etwork \/ <strong>\u63a7\u5236\u5668\u5340\u57df\u7db2\u8def<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>CCMP<\/em><\/td>\n<td style=\"text-align: left;\"><strong>C<\/strong>ounter-Mode\/<strong>C<\/strong>BC-<strong>M<\/strong>ac <strong>P<\/strong>rotocol  \/  <strong>\u8a08\u6578\u5668\u6a21\u5f0f\/ CBC &#8211; Mac\u5354\u8b70<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>EDGE<\/em><\/td>\n<td 
style=\"text-align: left;\"><strong>E<\/strong>nhanced <strong>D<\/strong>ata <strong>R<\/strong>ates for <strong>GSM<\/strong> <strong>E<\/strong>volution &#8211; Evolution of <strong>GPRS<\/strong>  \/  <strong>GSM\u6f14\u9032\u7684\u589e\u5f37\u6578\u64da\u901f\u7387-GPRS\u7684\u6f14\u9032<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>GEA<\/em><\/td>\n<td style=\"text-align: left;\"><strong>G<\/strong>PRS <strong>E<\/strong>ncryption <strong>A<\/strong>lgorithm  \/  <strong>GPRS\u52a0\u5bc6\u7b97\u6cd5<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>GPRS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>G<\/strong>eneral <strong>P<\/strong>acket <strong>R<\/strong>adio <strong>S<\/strong>ervice (2,5G, 2G+)  \/  <strong>\u901a\u7528\u5206\u7d44\u7121\u7dda\u670d\u52d9<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>GSM<\/em><\/td>\n<td style=\"text-align: left;\"><strong>G<\/strong>lobal <strong>S<\/strong>ystem for <strong>M<\/strong>obile Communications (2G)  \/  <strong>\u5168\u7403\u79fb\u52d5\u901a\u4fe1\u7cfb\u7d71<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>HSPA<\/em><\/td>\n<td style=\"text-align: left;\"><strong>H<\/strong>igh <strong>S<\/strong>peed <strong>P<\/strong>acket <strong>A<\/strong>ccess (3G+)  \/  <strong>\u9ad8\u901f\u6578\u64da\u5305\u63a5\u5165( 3G + )<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>IMEI<\/em><\/td>\n<td style=\"text-align: left;\"><strong>I<\/strong>nternational <strong>M<\/strong>obile <strong>E<\/strong>quipment <strong>I<\/strong>dentity \/  <strong>\u570b\u969b\u79fb\u52d5\u8a2d\u5099\u6a19\u8b58<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>LIN<\/em><\/td>\n<td style=\"text-align: left;\"><strong>L<\/strong>ocal <strong>I<\/strong>nterconnect <strong>N<\/strong>etwork \/  <strong>\u672c\u5730\u4e92\u9023\u7db2\u7d61<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left;\"><em>MOST<\/em><\/td>\n<td style=\"text-align: left;\"><strong>M<\/strong>edia <strong>O<\/strong>riented <strong>S<\/strong>ystem <strong>T<\/strong>ransport  \/  <strong>\u9762\u5411\u5a92\u9ad4\u7684\u7cfb\u7d71\u50b3\u8f38<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>NFC<\/em><\/td>\n<td style=\"text-align: left;\"><strong>N<\/strong>ear <strong>F<\/strong>ield <strong>C<\/strong>ommunication  \/  <strong>\u8fd1\u5834\u901a\u4fe1<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>OBD<\/em><\/td>\n<td style=\"text-align: left;\"><strong>O<\/strong>n-<strong>B<\/strong>oard <strong>D<\/strong>iagnostics  \/  <strong>\u8eca\u8f09\u8a3a\u65b7\u7cfb\u7d71<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>PATS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>P<\/strong>assive <strong>A<\/strong>nti-<strong>T<\/strong>heft <strong>S<\/strong>ystem  \/  <strong>\u88ab\u52d5\u9632\u76dc\u7cfb\u7d71<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>PKE<\/em><\/td>\n<td style=\"text-align: left;\"><strong>P<\/strong>assive <strong>K<\/strong>eyless <strong>E<\/strong>ntry  \/  <strong>\u88ab\u52d5\u7121\u9470\u5319\u9032\u5165<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>PSK<\/em><\/td>\n<td style=\"text-align: left;\"><strong>P<\/strong>hase-<strong>S<\/strong>hift <strong>K<\/strong>eying  \/  <strong>\u76f8\u79fb\u9375\u63a7<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>RDS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>R<\/strong>adio <strong>D<\/strong>ata <strong>S<\/strong>ystem  \/  <strong>\u7121\u7dda\u96fb\u6578\u64da\u7cfb\u7d71<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>RFID<\/em><\/td>\n<td style=\"text-align: left;\"><strong>R<\/strong>adio <strong>F<\/strong>requency <strong>I<\/strong>dentification  \/  <strong>\u5c04\u983b\u8b58\u5225<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left;\"><em>RKE<\/em><\/td>\n<td style=\"text-align: left;\"><strong>R<\/strong>emote <strong>K<\/strong>eyless <strong>E<\/strong>ntry  \/  <strong>\u9060\u7a0b\u7121\u9470\u5319\u9032\u5165<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>SDR<\/em><\/td>\n<td style=\"text-align: left;\"><strong>S<\/strong>oftware <strong>D<\/strong>efined <strong>R<\/strong>adio  \/  <strong>\u8edf\u9ad4\u5b9a\u7fa9\u7121\u7dda\u96fb<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>SSP<\/em><\/td>\n<td style=\"text-align: left;\"><strong>S<\/strong>ecure <strong>S<\/strong>imple <strong>P<\/strong>airing  \/  <strong>\u5b89\u5168\u7c21\u55ae\u7684\u914d\u5c0d<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>TKIP<\/em><\/td>\n<td style=\"text-align: left;\"><strong>T<\/strong>emporal <strong>K<\/strong>ey <strong>I<\/strong>ntegrity <strong>P<\/strong>rotocol  \/  <strong>\u81e8\u6642\u5bc6\u9470\u5b8c\u6574\u6027\u5354\u8b70<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>TPMS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>T<\/strong>ire <strong>P<\/strong>ressure <strong>M<\/strong>onitoring <strong>S<\/strong>ystem  \/  <strong>\u80ce\u58d3\u76e3\u6e2c\u7cfb\u7d71<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>UMTS<\/em><\/td>\n<td style=\"text-align: left;\"><strong>U<\/strong>niversal <strong>M<\/strong>obile <strong>T<\/strong>elecommunications <strong>S<\/strong>ystem (3G)  \/  <strong>\u901a\u7528\u79fb\u52d5\u901a\u4fe1\u7cfb\u7d71<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>USB<\/em><\/td>\n<td style=\"text-align: left;\"><strong>U<\/strong>niversal <strong>S<\/strong>erial <strong>B<\/strong>us  \/  <strong>\u901a\u7528\u4e32\u884c\u7e3d\u7dda<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>WEP<\/em><\/td>\n<td style=\"text-align: left;\"><strong>W<\/strong>ired <strong>E<\/strong>quivalent <strong>P<\/strong>rivacy  \/  
<strong>\u6709\u7dda\u7b49\u6548\u96b1\u79c1<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>WPA<\/em><\/td>\n<td style=\"text-align: left;\"><strong>W<\/strong>ifi <strong>P<\/strong>rotected <strong>A<\/strong>ccess  \/  <strong>Wifi\u4fdd\u8b77\u8a2a\u554f<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>8.2 Bus\uff08\u7e3d\u7dda\/\u532f\u6d41\u6392\uff09<\/h3>\n<p>\u6211\u5011<strong>\u53ea\u4ee5CAN\u7e3d\u7dda\u70ba\u4f8b<\/strong>\uff0c\u56e0\u70ba <strong><em>FlexRay<\/em><\/strong>\u3001<strong><em>ByteFlight<\/em><\/strong>\u3001<strong><em>MOST<\/em><\/strong>\u548c<strong><em>LIN<\/em><\/strong>\u7b49\u4e0d\u540c\u7684\u7e3d\u7dda\u653b\u64ca\u90fd\u63a1\u7528\u4e86\u9006\u5411\u5de5\u7a0b\uff0c\u800c\u63d0\u9ad8\u5176\u5b89\u5168\u6027\u7684\u4e3b\u8981\u8ad6\u9ede\u662f\u5c0d\u6578\u64da\u5305\u9032\u884c\u52a0\u5bc6\u3002\u6211\u5011\u53ea\u662f\u7c21\u55ae\u63cf\u8ff0\u4e00\u4e0b\u5b83\u5011\uff1a<\/p>\n<ul>\n<li><strong>CAN<\/strong>\uff1a\u63a7\u5236\u5668\u5340\u57df\u7db2\u7d61\uff0c\u958b\u767c\u65bc 20 \u4e16\u7d00 80 \u5e74\u4ee3\u521d\u671f\uff0c\u662f\u4e00\u7a2e\u4e8b\u4ef6\u89f8\u767c\u7684\u63a7\u5236\u5668\u7db2\u7d61\uff0c\u7528\u65bc\u6578\u64da\u901f\u7387\u9ad8\u9054 1 MBit\/s \u7684\u4e32\u884c\u901a\u4fe1\u3002<strong>CAN<\/strong>\u6d88\u606f\u6839\u64da\u5404\u81ea\u7684\u6a19\u8b58\u7b26\u9032\u884c\u5206\u985e\u3002<strong>CAN<\/strong>\u63a7\u5236\u5668\u5c07\u5176\u6d88\u606f\u5ee3\u64ad\u5230\u6240\u6709\u9023\u63a5\u7684\u7bc0\u9ede\uff0c\u4e26\u4e14\u6240\u6709\u63a5\u6536\u7bc0\u9ede\u7368\u7acb\u6c7a\u5b9a\u662f\u5426\u8655\u7406\u8a72\u6d88\u606f\u3002<\/li>\n<li><strong>FlexRay<\/strong>\uff1a\u662f\u4e00\u7a2e\u78ba\u5b9a\u6027\u4e14\u5bb9\u932f\u7684\u9ad8\u901f\u7e3d\u7dda\u3002\u6578\u64da\u901f\u7387\u9ad8\u9054 10 
MBit\/s\u3002<\/li>\n<li><strong>ByteFlight<\/strong>\uff1a\u7528\u65bc\u6a5f\u52d5\u8eca\u8f1b\u4e2d\u7684\u5b89\u5168\u95dc\u9375\u578b\u61c9\u7528\uff0c\u4f8b\u5982\u5b89\u5168\u6c23\u56ca\u3002Byteflight \u901a\u904e 2 \u6216 3 \u7dda\u5851\u6599\u5149\u7e96\u4ee5 10Mbps \u7684\u901f\u5ea6\u904b\u884c\u3002<\/li>\n<li><strong>MOST<\/strong>\uff1a\u9762\u5411\u5a92\u9ad4\u7684\u7cfb\u7d71\u50b3\u8f38\uff0c\u7528\u65bc\u901a\u904e\u5149\u7e96\u96fb\u7e9c\u50b3\u8f38\u97f3\u983b\u3001\u8996\u983b\u3001\u8a9e\u97f3\u548c\u63a7\u5236\u6578\u64da\u3002\u540c\u6b65\u65b9\u5f0f\u6700\u9ad8\u53ef\u905424 MBit\/s\uff0c\u7570\u6b65\u65b9\u5f0f\u6700\u9ad8\u53ef\u905414 MBit\/s\u3002 <strong>MOST<\/strong>\u6d88\u606f\u59cb\u7d42\u5305\u542b\u660e\u78ba\u7684\u767c\u9001\u8005\u548c\u63a5\u6536\u8005\u5730\u5740\u3002<\/li>\n<li><strong>LIN<\/strong>\uff1a\u672c\u5730\u4e92\u9023\u7db2\u7d61\uff0c\u662f\u4e00\u7a2e\u55ae\u7dda\u5b50\u7db2\uff0c\u7528\u65bc\u667a\u80fd\u50b3\u611f\u5668\u548c\u57f7\u884c\u5668\u4e4b\u9593\u7684\u4f4e\u6210\u672c\u4e32\u884c\u901a\u4fe1\uff0c\u5178\u578b\u6578\u64da\u901f\u7387\u9ad8\u9054 20 kBit\/s\u3002\u5b83\u8a08\u5283\u5f9e 2001 \u5e74\u958b\u59cb\u7528\u65bc\u6c7d\u8eca\u4e2d\u4e0d\u9700\u8981 <strong>CAN<\/strong> \u7db2\u7d61\u5e36\u5bec\u548c\u591a\u529f\u80fd\u6027\u7684\u4efb\u4f55\u5730\u65b9\u3002<\/li>\n<\/ul>\n<p>\u5e7e\u4e4e\u6bcf\u8f1b\u8eca\u4e0a\u7684<strong>ECU\uff08\u96fb\u5b50\u63a7\u5236\u55ae\u5143\uff09<\/strong>\u90fd\u901a\u904e CAN \u7e3d\u7dda\u9032\u884c\u901a\u4fe1\uff0cCAN 
\u7e3d\u7dda\u662f\u4e00\u7a2e\u5169\u7dda\u7e3d\u7dda\uff0c\u5c0d\u5171\u4eab\u4ecb\u8cea\u4e0a\u767c\u9001\u7684\u6d88\u606f\u4f7f\u7528\u786c\u9ad4\u4ef2\u88c1\u3002\u9019\u672c\u8cea\u4e0a\u662f\u4e00\u500b<em>\u53d7\u4fe1\u4efb\u7684<\/em>\u7db2\u7d61\uff0c\u5176\u4e2d\u6240\u6709\u6d41\u91cf\u5c0d\u6240\u6709\u63a7\u5236\u5668\u90fd\u662f\u53ef\u898b\u7684\uff0c\u4e26\u4e14\u4efb\u4f55\u63a7\u5236\u5668\u90fd\u53ef\u4ee5\u767c\u9001\u4efb\u4f55\u6d88\u606f\u3002<\/p>\n<p><strong>CAN<\/strong> \u7e3d\u7dda\u4e0a\u7684\u60e1\u610f<strong>ECU<\/strong>\u53ef\u4ee5\u8f15\u9b06\u6ce8\u5165\u767c\u5f80\u4efb\u4f55\u5176\u4ed6\u8a2d\u5099\u7684\u6d88\u606f\uff0c\u5305\u62ec\u5100\u8868\u677f\u548c\u97f3\u97ff\u4e3b\u6a5f\u7b49\u8a2d\u5099\u3002\u786c\u9ad4\u6709 USB \u8f49 CAN \u7684\u5e38\u898b\u65b9\u6cd5\uff0c\u958b\u6e90\u8edf\u9ad4\u4e5f\u6709\u767c\u9001\u548c\u63a5\u6536\u6d88\u606f\u7684\u65b9\u6cd5\u3002\u4f8b\u5982\uff0cLinux \u5167\u6838\u4e2d\u5305\u542b\u4e00\u500b\u9a45\u52d5\u7a0b\u5e8f\uff0c\u53ef\u7528\u65bc\u767c\u9001\/\u63a5\u6536 CAN \u4fe1\u865f\u3002CAN\u7e3d\u7dda\u4e0a\u7684\u60e1\u610f\u8a2d\u5099\u53ef\u80fd\u6703\u5c0e\u81f4\u7cfb\u7d71\u767c\u751f\u5927\u91cf\u6709\u5bb3\u7684\u4e8b\u60c5\uff0c\u5305\u62ec\uff1a\u5411\u5176\u4ed6\u8a2d\u5099\u767c\u9001\u865b\u5047\u4fe1\u606f\u3001\u5411ECU\u767c\u9001\u975e\u9810\u671f\u547d\u4ee4\u3001\u5c0e\u81f4CAN\u7e3d\u7dda\u4e0a\u7684DOS\uff08\u62d2\u7d55\u670d\u52d9\uff09\u7b49\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th>\u9818\u57df<\/th>\n<th>\u6280\u8853\u540d\u7a31<\/th>\n<th>\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Connectivity-BusAndConnector-Bus-1<\/td>\n<td>CAN<\/td>\n<td>\u5be6\u65bd\u786c\u9ad4\u89e3\u6c7a\u65b9\u6848\u4ee5\u7981\u6b62\u767c\u9001\u4e0d\u9700\u8981\u7684\u4fe1\u865f\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6709\u95dc\u8a73\u7d30\u4fe1\u606f\uff0c\u8acb\u53c3\u95b1<a 
href=\"http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.92.728&amp;rep=rep1&amp;type=pdf\">\u6c7d\u8eca\u7e3d\u7dda\u7cfb\u7d71\u7684\u5b89\u5168\u6027\u3002<\/a><\/p>\n<h3>8.3 \u9023\u63a5\u5668<\/h3>\n<p>\u5c0d\u65bc\u9023\u63a5\u5668\uff0c\u6211\u5011\u5047\u8a2d\u5b83\u5011\u9ed8\u8a8d\u88ab\u7981\u7528\u3002\u4f8b\u5982\uff0c\u5fc5\u9808\u7981\u7528<strong>USB\u4ee5\u907f\u514d\u50cfBadUSB\u9019\u6a23\u7684\u653b\u64ca\u3002<\/strong>\u5982\u679c\u6c92\u6709\uff0c\u8acb\u5c07\u5167\u6838\u914d\u7f6e\u70ba\u50c5\u555f\u7528\u6700\u4f4e\u8981\u6c42\u7684<strong>USB<\/strong>\u8a2d\u5099\u3002\u7528\u65bc\u8a3a\u65b7\u6c7d\u8eca\u7684\u9023\u63a5\u5668\uff08\u5982<strong>OBD-II\uff09<\/strong>\u5fc5\u9808\u5728\u8eca\u5eab\u5916\u7981\u7528\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6280\u8853\u540d\u7a31<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-BusAndConnector-Connectors-1<\/td>\n<td style=\"text-align: left;\">USB<\/td>\n<td style=\"text-align: left;\">\u5fc5\u9808\u7981\u7528\u3002\u5982\u679c\u6c92\u6709\uff0c\u5247\u50c5\u555f\u7528\u6700\u4f4e\u8981\u6c42\u7684 USB \u8a2d\u5099\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-BusAndConnector-Connectors-2<\/td>\n<td style=\"text-align: left;\">USB<\/td>\n<td style=\"text-align: left;\">\u901a\u904e USB \u8207 ECU \u4ea4\u63db\u7684\u6a5f\u5bc6\u6578\u64da\u5fc5\u9808\u662f\u5b89\u5168\u7684\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-BusAndConnector-Connectors-3<\/td>\n<td style=\"text-align: left;\">USB<\/td>\n<td style=\"text-align: left;\">\u5fc5\u9808\u7981\u7528 ECU \u4e0a\u7684 USB \u555f\u52d5\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-BusAndConnector-Connectors-4<\/td>\n<td style=\"text-align: left;\">OBD-II<\/td>\n<td 
style=\"text-align: left;\">\u5fc5\u9808\u5728\u8eca\u5eab\u5916\u7981\u7528\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>8.4 \u7121\u7dda\u9023\u63a5<\/h3>\n<p>\u5728\u9019\u4e00\u90e8\u5206\u4e2d\uff0c\u6211\u5011\u6839\u64da\u53ef\u80fd\u7684\u653b\u64ca\u9818\u57df\u7684\u4e0d\u540c\uff0c\u8a0e\u8ad6\u5c0d\u6c7d\u8eca\u53ef\u80fd\u9032\u884c\u7684\u9060\u7a0b\u653b\u64ca\u3002\u5c0d\u65bc\u6bcf\u500b\u901a\u4fe1\u6e20\u9053\uff0c\u6211\u5011\u63cf\u8ff0\u4e86\u653b\u64ca\u4ee5\u53ca\u5982\u4f55\u9810\u9632\u5b83\u5011\u4e26\u63d0\u4f9b\u4e86\u4e00\u4e9b\u5efa\u8b70\u3002\u4e3b\u8981\u5efa\u8b70\u662f\u59cb\u7d42\u95dc\u6ce8\u9019\u4e9b\u9060\u7a0b\u901a\u4fe1\u6e20\u9053\u7684\u6700\u65b0\u66f4\u65b0\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u76ee\u7684<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-1<\/td>\n<td style=\"text-align: left;\">\u66f4\u65b0<\/td>\n<td style=\"text-align: left;\">\u59cb\u7d42\u95dc\u6ce8\u9060\u7a0b\u901a\u8a0a\u6e20\u9053\u7684\u6700\u65b0\u66f4\u65b0\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6211\u5011\u5c07\u770b\u5230\u4ee5\u4e0b\u90e8\u5206\uff1a<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/08_Connectivity\/#wifi\">\u7121\u7dda\u4e0a\u7db2<\/a><\/li>\n<li><a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/08_Connectivity\/#bluetooth\">\u85cd\u7259<\/a><\/li>\n<li><a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/08_Connectivity\/#cellular\">\u8702\u7aa9\u7db2\u7d61<\/a><\/li>\n<li><a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/08_Connectivity\/#radio\">\u7121\u7dda\u96fb<\/a><\/li>\n<li><a 
href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/08_Connectivity\/#nfc\">\u8fd1\u5834\u901a\u4fe1<\/a><\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-1<\/td>\n<td style=\"text-align: left;\">\u6dfb\u52a0\u901a\u4fe1\u901a\u9053\uff08RFID\u3001ZigBee\uff1f\uff09\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<p>\u5c0d\u65bc\u73fe\u6709\u7684\u6c7d\u8eca\u5c08\u7528\u624b\u6bb5\uff0c\u6211\u5011\u5f9e<em>IOActive<\/em>\u6587\u6a94\uff08<a href=\"https:\/\/www.ioactive.com\/pdfs\/IOActive_Remote_Attack_Surfaces.pdf\">\u9060\u7a0b\u6c7d\u8eca\u653b\u64ca\u9762\u8abf\u67e5<\/a>\uff09\u548c ETH \u6587\u6a94\uff08<a href=\"https:\/\/eprint.iacr.org\/2010\/332.pdf\">\u73fe\u4ee3\u6c7d\u8eca\u88ab\u52d5\u7121\u9470\u5319\u9032\u5165\u548c\u555f\u52d5\u7cfb\u7d71\u7684\u4e2d\u7e7c\u653b\u64ca<\/a>\uff09\u4e2d\u7372\u53d6\u73fe\u6709\u7cfb\u7d71\u653b\u64ca\u7684\u793a\u4f8b\u3002<\/p>\n<ul>\n<li><a href=\"https:\/\/www.ioactive.com\/pdfs\/IOActive_Remote_Attack_Surfaces.pdf#[{&quot;num&quot;%3A40%2C&quot;gen&quot;%3A0}%2C{&quot;name&quot;%3A&quot;XYZ&quot;}%2C60%2C720%2C0]\">\u9060\u7a0b\u4fe1\u606f\u8655\u7406<\/a><\/li>\n<li><a href=\"https:\/\/www.ioactive.com\/pdfs\/IOActive_Remote_Attack_Surfaces.pdf#[{&quot;num&quot;%3A11%2C&quot;gen&quot;%3A0}%2C{&quot;name&quot;%3A&quot;XYZ&quot;}%2C60%2C574%2C0]\">\u88ab\u52d5\u9632\u76dc\u7cfb\u7d71 (PATS)<\/a><\/li>\n<li><a href=\"https:\/\/www.ioactive.com\/pdfs\/IOActive_Remote_Attack_Surfaces.pdf#[{&quot;num&quot;%3A17%2C&quot;gen&quot;%3A0}%2C{&quot;name&quot;%3A&quot;XYZ&quot;}%2C60%2C720%2C0]\">\u8f2a\u80ce\u58d3\u529b\u76e3\u6e2c\u7cfb\u7d71\uff08TPMS\uff09<\/a><\/li>\n<li><a 
href=\"https:\/\/www.ioactive.com\/pdfs\/IOActive_Remote_Attack_Surfaces.pdf#[{&quot;num&quot;%3A26%2C&quot;gen&quot;%3A0}%2C{&quot;name&quot;%3A&quot;XYZ&quot;}%2C60%2C720%2C0]\">\u9060\u7a0b\u7121\u9470\u5319\u9032\u5165\/\u555f\u52d5 (RKE)<\/a><\/li>\n<li><a href=\"https:\/\/eprint.iacr.org\/2010\/332.pdf\">\u88ab\u52d5\u7121\u9470\u5319\u9032\u5165 (PKE)<\/a><\/li>\n<\/ul>\n<hr \/>\n<h4>\u7121\u7dda\u4e0a\u7db2\uff08WiFi\uff09<\/h4>\n<h5>\u653b\u64ca<\/h5>\n<p>\u6211\u5011\u53ef\u4ee5\u5c07\u73fe\u6709\u7684 WiFi \u653b\u64ca\u5206\u70ba\u5169\u985e\uff1a <strong>WEP<\/strong>\u653b\u64ca\u548c<strong>WPA<\/strong>\u653b\u64ca\u3002<\/p>\n<h6><strong>WEP<\/strong>\u653b\u64ca\uff1a<\/h6>\n<ul>\n<li><strong>FMS<\/strong>\uff1a\uff08<strong>F<\/strong> luhrer\u3001<strong>M<\/strong> antin \u548c<strong>Shamir<\/strong>\u653b\u64ca\uff09\u662f\u91dd\u5c0d\u5ee3\u6cdb\u4f7f\u7528\u7684 RC4 \u6d41\u5bc6\u78bc\u7684\u201c\u6d41\u5bc6\u78bc\u653b\u64ca\u201d\u3002\u8a72\u653b\u64ca\u5141\u8a31\u653b\u64ca\u8005\u5f9e RC4 \u52a0\u5bc6\u6d41\u4e2d\u7684\u5927\u91cf\u6d88\u606f\u4e2d\u6062\u5fa9\u8a72\u6d41\u4e2d\u7684\u5bc6\u9470\u201d\u3002<\/li>\n<li><strong>KoreK<\/strong>\uff1a\u201c\u5141\u8a31\u653b\u64ca\u8005\u6e1b\u5c11\u5bc6\u9470\u7a7a\u9593\u201d\u3002<\/li>\n<li><strong>PTW<\/strong>\uff1a\uff08<strong>Pyshkin<\/strong> <strong>Tews<\/strong> Weinmann\u653b\u64ca\uff09<strong>\u3002<\/strong><\/li>\n<li><strong>Chopchop<\/strong>\uff1a\u7531 KoreK \u767c\u73fe\uff0c\u201cCRC32 \u6821\u9a57\u548c\u7684\u5f31\u9ede\u4ee5\u53ca\u7f3a\u4e4f\u91cd\u653e\u4fdd\u8b77\u3002\u201d<\/li>\n<li><strong>\u788e\u7247\u5316<\/strong><\/li>\n<\/ul>\n<h6><strong>WPA<\/strong>\u653b\u64ca\uff1a<\/h6>\n<ul>\n<li><strong>Beck \u548c 
Tews<\/strong>\uff1a\u5229\u7528<strong>TKIP<\/strong>\u7684\u5f31\u9ede\u3002\u201c\u5141\u8a31\u653b\u64ca\u8005\u89e3\u5bc6<strong>ARP<\/strong>\u6578\u64da\u5305\u4e26\u5c07\u6d41\u91cf\u6ce8\u5165\u7db2\u7d61\uff0c\u751a\u81f3\u5141\u8a31\u4ed6\u57f7\u884c DoS<strong>\u6216<\/strong>ARP<strong>\u4e2d\u6bd2<\/strong>\u201d\u3002<\/li>\n<li><a href=\"https:\/\/github.com\/kristate\/krackinfo\"><strong>KRACK<\/strong><\/a>\uff1a(K)ey (R)einstallation (A)tta(ck) (<a href=\"https:\/\/jira.automotivelinux.org\/browse\/SPEC-1017\">jira AGL SPEC-1017<\/a>)\u3002<\/li>\n<\/ul>\n<h5>\u5efa\u8b70<\/h5>\n<ul>\n<li>\u8acb\u52ff\u4f7f\u7528<strong>WEP<\/strong>\u3001<strong>PSK<\/strong>\u548c<strong>TKIP<\/strong>\u3002<\/li>\n<li><strong>\u5c07WPA2<\/strong>\u8207<strong>CCMP<\/strong>\u7d50\u5408\u4f7f\u7528\u3002<\/li>\n<li>\u61c9\u4fdd\u8b77\u6578\u64da\u55c5\u63a2\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6280\u8853\u540d\u7a31\u6216\u5c0d\u8c61<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Wifi-1<\/td>\n<td style=\"text-align: left;\">WEP\u3001PSK\u3001TKIP<\/td>\n<td style=\"text-align: left;\">\u7981\u6b62<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Wifi-2<\/td>\n<td style=\"text-align: left;\">WPA2 \u548c AES-CCMP<\/td>\n<td style=\"text-align: left;\">\u4f7f\u7528<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Wifi-3<\/td>\n<td style=\"text-align: left;\">WPA2<\/td>\n<td style=\"text-align: left;\">\u61c9\u4fdd\u8b77\u6578\u64da\u55c5\u63a2\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Wifi-4<\/td>\n<td style=\"text-align: left;\">PSK<\/td>\n<td style=\"text-align: left;\">\u5b9a\u671f\u66f4\u6539\u5bc6\u78bc\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left;\">Connectivity-Wireless-Wifi-5<\/td>\n<td style=\"text-align: left;\">Device<\/td>\n<td style=\"text-align: left;\">\u8f15\u9b06\u5347\u7d1a\u8edf\u9ad4\u6216\u97cc\u9ad4\u4ee5\u7372\u5f97\u6700\u65b0\u7684\u5b89\u5168\u66f4\u65b0\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6709\u95dc\u8a73\u7d30\u4fe1\u606f\uff0c\u8acb\u53c3\u95b1<a href=\"https:\/\/matthieu.io\/dl\/wifi-attacks-wep-wpa.pdf\">Wifi \u653b\u64ca WEP WPA<\/a>\u548c <a href=\"https:\/\/dl.aircrack-ng.org\/breakingwepandwpa.pdf\">\u7834\u58de wep \u548c wpa (Beck and Tews)<\/a>\u3002<\/p>\n<hr \/>\n<h4>\u85cd\u7259\uff08Bluetooth\uff09<\/h4>\n<h5>\u653b\u64ca<\/h5>\n<ul>\n<li><strong>Bluesnarfing<\/strong> \u653b\u64ca\u8005\u79d8\u5bc6\u8a2a\u554f\u60a8\u7684\u85cd\u7259\u8a2d\u5099\uff0c\u4ee5\u6aa2\u7d22\u4fe1\u606f\uff0c\u5305\u62ec\u5730\u5740\u3001\u65e5\u66c6\u4fe1\u606f\u751a\u81f3\u8a2d\u5099\u7684\u570b\u969b\u79fb\u52d5\u8a2d\u5099\u8eab\u4efd\u3002 \u901a\u904e IMEI\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u5c07\u60a8\u7684\u4f86\u96fb\u8def\u7531\u5230\u4ed6\u7684\u624b\u6a5f\u4e0a\u3002<\/li>\n<li><strong>Bluebugging<\/strong> \u662f\u85cd\u7259\u653b\u64ca\u7684\u4e00\u7a2e\u5f62\u5f0f\uff0c\u901a\u5e38\u662f\u7531\u65bc\u7f3a\u4e4f\u610f\u8b58\u800c\u5f15\u8d77\u7684\u3002\u8207 bluesnarfing \u985e\u4f3c\uff0cbluebugging \u53ef\u4ee5\u8a2a\u554f\u548c\u4f7f\u7528\u6240\u6709\u624b\u6a5f\u529f\u80fd\uff0c\u4f46\u53d7\u5230 2 \u985e\u85cd\u7259\u7121\u7dda\u96fb\u767c\u5c04\u529f\u7387\u7684\u9650\u5236\uff0c\u901a\u5e38\u5c07\u5176\u7bc4\u570d\u9650\u5236\u5728 10-15 \u7c73\u3002<\/li>\n<li><strong>Bluejacking<\/strong> \u662f\u767c\u9001\u672a\u7d93\u8acb\u6c42\u7684\u85cd\u7259\u6d88\u606f\u3002<\/li>\n<li><strong>BLE<\/strong>\uff1a\u4f4e\u529f\u8017\u85cd\u7259<strong><a 
href=\"https:\/\/www.usenix.org\/system\/files\/conference\/woot13\/woot13-ryan.pdf\">\u653b\u64ca<\/a>\u3002<\/strong><\/li>\n<li><strong>DoS<\/strong>\uff1a\u8017\u76e1\u8a2d\u5099\u7684\u96fb\u6c60\u6216\u66ab\u6642\u4f7f\u624b\u6a5f\u7671\u7613\u3002<\/li>\n<\/ul>\n<h5>\u5efa\u8b70<\/h5>\n<ul>\n<li>\u82e5\u672a\u624b\u52d5\u5c07\u85cd\u7259\u9a45\u52d5\u8a2d\u7f6e\u70ba\u914d\u5c0d\u6a21\u5f0f\uff0c\u5247\u4e0d\u5141\u8a31\u9032\u884c\u85cd\u7259\u914d\u5c0d\u5617\u8a66\u3002<\/li>\n<li>\u9700\u8981\u76e3\u63a7\u3002<\/li>\n<li>\u8b39\u614e\u4f7f\u7528<strong>BLE \u3002<\/strong><\/li>\n<li>\u5c0d\u65bc\u4f7f\u7528<strong>\u5b89\u5168\u7c21\u55ae\u914d\u5c0d( SSP )<\/strong>\u7684 v2.1 \u53ca\u66f4\u9ad8\u7248\u672c\u7684\u8a2d\u5099\uff0c\u8acb\u907f\u514d\u4f7f\u7528\u201cJust Works\u201d\u95dc\u806f\u6a21\u578b\u3002\u5728\u914d\u5c0d\u671f\u9593\uff0c\u8a2d\u5099\u5fc5\u9808\u9a57\u8b49\u662f\u5426\u5df2\u751f\u6210\u901a\u904e\u8eab\u4efd\u9a57\u8b49\u7684\u93c8\u63a5\u5bc6\u9470\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6280\u8853\u540d\u7a31<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-1<\/td>\n<td style=\"text-align: left;\">BLE<\/td>\n<td style=\"text-align: left;\">\u8b39\u614e\u4f7f\u7528\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-2<\/td>\n<td style=\"text-align: left;\">Bluetooth<\/td>\n<td style=\"text-align: left;\">\u76e3\u63a7<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-3<\/td>\n<td style=\"text-align: left;\">SSP<\/td>\n<td style=\"text-align: left;\">\u907f\u514d\u4f7f\u7528\u201cJust Works\u201d\u95dc\u806f\u6a21\u578b\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-4<\/td>\n<td style=\"text-align: 
left;\">Visibility<\/td>\n<td style=\"text-align: left;\">\u9ed8\u8a8d\u914d\u7f6e\u70ba\u4e0d\u53ef\u767c\u73fe\uff0c\u9664\u975e\u9700\u8981\u7684\u6642\u5019\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-5<\/td>\n<td style=\"text-align: left;\">Anti-scanning<\/td>\n<td style=\"text-align: left;\">\u9664\u5176\u4ed6\u5916\uff0c\u7528\u4f86\u6e1b\u7de9\u66b4\u529b\u653b\u64ca\u7684\u901f\u5ea6\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6709\u95dc\u66f4\u591a\u4fe1\u606f\uff0c\u8acb\u53c3\u95b1<a href=\"http:\/\/www.ti.com\/lit\/wp\/sway008\/sway008.pdf\">\u4f4e\u80fd\u8017\u548c\u6c7d\u8eca\u8f49\u578b<\/a>\u3001<a href=\"http:\/\/gattack.io\/whitepaper.pdf\">\u653b\u64ca\u85cd\u7259\u667a\u80fd\u8a2d\u5099<\/a>\u3001<a href=\"http:\/\/www.autosec.org\/pubs\/cars-usenixsec2011.pdf\">\u6c7d\u8eca\u653b\u64ca\u9762\u7684\u7d9c\u5408\u5be6\u9a57\u5206\u6790<\/a>\u548c<a href=\"https:\/\/www.usenix.org\/system\/files\/conference\/woot13\/woot13-ryan.pdf\">\u4f4e\u80fd\u8017\u5e36\u4f86\u4f4e\u5b89\u5168\u6027\u3002<\/a><\/p>\n<hr \/>\n<h4>\u8702\u7aa9\u7db2\u7d61\uff08Cellular\uff09<\/h4>\n<h5>\u653b\u64ca<\/h5>\n<ul>\n<li>IMSI-Catcher\uff1a\u662f\u4e00\u7a2e\u96fb\u8a71\u7aca\u807d\u8a2d\u5099\uff0c\u7528\u65bc\u6514\u622a\u624b\u6a5f\u6d41\u91cf\u4e26\u8ddf\u8e2a\u624b\u6a5f\u7528\u6236\u7684\u4f4d\u7f6e\u6578\u64da\u3002\u662f\u4e00\u500b\u4ecb\u65bc\u76ee\u6a19\u624b\u6a5f\u548c\u670d\u52d9\u63d0\u4f9b\u5546\u7684\u771f\u5be6\u4fe1\u865f\u5854\u4e4b\u9593\u52d5\u4f5c\u7684\u201c\u5047\u201d\u4fe1\u865f\u5854\uff0c\u88ab\u8996\u70ba\u4e2d\u9593\u4eba ( MITM )<strong>\u653b\u64ca<\/strong>\u3002<\/li>\n<li>\u7f3a\u4e4f\u76f8\u4e92\u8a8d\u8b49\uff08GPRS\/EDGE\uff09\uff0c\u4e14\u4f7f\u7528 GEA0 \u6642\u6c92\u6709\u52a0\u5bc6\u3002<\/li>\n<li>\u5f9eUMTS\/HSPA\u56de\u9000\u5230GPRS\/EDGE\uff08\u5c0dUMTS\/HSPA\u7684\u5e72\u64fe\uff09\u3002<\/li>\n<li>4G 
DoS\u653b\u64ca\u3002<\/li>\n<\/ul>\n<h5>\u5efa\u8b70<\/h5>\n<ul>\n<li>\u6aa2\u67e5\u5929\u7dda\u7684\u5408\u6cd5\u6027\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6280\u8853\u540d\u7a31<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Cellular-1<\/td>\n<td style=\"text-align: left;\">GPRS\/Edge<\/td>\n<td style=\"text-align: left;\">\u907f\u514d\u4f7f\u7528\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Cellular-2<\/td>\n<td style=\"text-align: left;\">UMTS\/HSPA<\/td>\n<td style=\"text-align: left;\">\u9632\u6b62\u5e72\u64fe\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6709\u95dc\u8a73\u7d30\u4fe1\u606f\uff0c\u8acb\u53c3\u95b1<a href=\"https:\/\/media.blackhat.com\/bh-dc-11\/Perez-Pico\/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf\">\u91dd\u5c0d GPRS\/EDGE\/UMTS\/HSPA \u79fb\u52d5\u6578\u64da\u901a\u4fe1\u7684\u5be6\u969b\u653b\u64ca<\/a> \u3002<\/p>\n<hr \/>\n<h4>\u7121\u7dda\u96fb\uff08Radio\uff09<\/h4>\n<h5>\u653b\u64ca<\/h5>\n<ul>\n<li>\u4f7f\u7528\u4f4e\u6210\u672c\u6750\u6599\u6514\u622a\u6578\u64da\uff08\u4f8b\u5982\u4f7f\u7528\u52ab\u6301\u7684 <strong>DVB-T\/DAB<\/strong> \u9032\u884c<strong>SDR \uff09\u3002<\/strong><\/li>\n<\/ul>\n<h5>\u5efa\u8b70<\/h5>\n<ul>\n<li>\u50c5\u4f7f\u7528<strong>\u7121\u7dda\u96fb\u6578\u64da\u7cfb\u7d71( RDS )<\/strong> \u767c\u9001\u97f3\u983b\u8f38\u51fa\u4fe1\u865f\u548c\u6709\u95dc\u7121\u7dda\u96fb\u7684\u5143\u6578\u64da\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6280\u8853\u540d\u7a31<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Radio-1<\/td>\n<td style=\"text-align: left;\">RDS<\/td>\n<td 
style=\"text-align: left;\">\u50c5\u97f3\u983b\u8f38\u51fa\u548c\u6709\u95dc\u7121\u7dda\u96fb\u7684\u5143\u6578\u64da\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u8fd1\u5834\u901a\u4fe1\uff08NFC\uff09<\/h4>\n<h5>\u653b\u64ca<\/h5>\n<ul>\n<li><strong>MITM<\/strong>\uff1a\u4e2d\u7e7c\u548c\u91cd\u653e\u653b\u64ca\u3002<\/li>\n<\/ul>\n<h5>\u5efa\u8b70<\/h5>\n<ul>\n<li>\u61c9\u8a72\u5be6\u65bd\u91dd\u5c0d\u4e2d\u7e7c\u548c\u91cd\u653e\u653b\u64ca\uff08\u4ee4\u724c\u7b49\uff09\u7684\u4fdd\u8b77\u3002<\/li>\n<li>\u7981\u7528\u4e0d\u9700\u8981\u548c\u672a\u7d93\u6279\u51c6\u7684\u670d\u52d9\u548c\u914d\u7f6e\u6587\u4ef6\u3002<\/li>\n<li>NFC \u61c9\u4f7f\u7528\u52a0\u5bc6\u93c8\u63a5\uff08\u5b89\u5168\u901a\u9053\uff09\u3002\u6a19\u6e96\u5bc6\u9470\u5354\u5546\u5354\u8b70\uff08\u4f8b\u5982\u57fa\u65bc RSA \u6216\u6a62\u5713\u66f2\u7dda\u7684 Diffie-Hellmann\uff09\u53ef\u7528\u65bc\u5728\u5169\u500b\u8a2d\u5099\u4e4b\u9593\u5efa\u7acb\u5171\u4eab\u79d8\u5bc6\u3002<\/li>\n<li>\u6c7d\u8ecaNFC\u8a2d\u5099\u61c9\u7372\u5f97NFC\u8ad6\u58c7\u5be6\u9ad4\u7684\u8a8d\u8b49\uff1aNFC\u8ad6\u58c7\u8a8d\u8b49\u6a19\u8a8c\u8868\u660e\u7522\u54c1\u7b26\u5408\u5168\u7403\u4e92\u64cd\u4f5c\u6027\u6a19\u6e96\u3002<\/li>\n<li>NFC \u4fee\u6539\u7c73\u52d2\u7de8\u78bc\u512a\u65bc NFC \u66fc\u5fb9\u65af\u7279\u7de8\u78bc\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6280\u8853\u540d\u7a31<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-NFC-1<\/td>\n<td style=\"text-align: left;\">NFC \u8fd1\u5834\u901a\u4fe1<\/td>\n<td style=\"text-align: left;\">\u9632\u6b62\u4e2d\u7e7c\u548c\u91cd\u653e\u653b\u64ca\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-NFC-2<\/td>\n<td style=\"text-align: left;\">Device \u8a2d\u5099<\/td>\n<td style=\"text-align: 
left;\">\u7981\u7528\u4e0d\u9700\u8981\u548c\u672a\u7d93\u6279\u51c6\u7684\u670d\u52d9\u548c\u914d\u7f6e\u6587\u4ef6\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>8.5 \u96f2\u7aef<\/h3>\n<h3>8.6 \u4e0b\u8f09<\/h3>\n<ul>\n<li><strong>\u8eab\u4efd\u9a57\u8b49<\/strong>\uff1a\u8eab\u4efd\u9a57\u8b49\u662f\u4e00\u7a2e\u5b89\u5168\u904e\u7a0b\uff0c\u5b83\u4f9d\u8cf4\u65bc\u8207\u8a72\u8a2d\u5099\u3001\u5be6\u9ad4\u6216\u500b\u4eba\u7d81\u5b9a\u7684\u4e00\u500b\u6216\u591a\u500b\u7279\u5fb5\u4f86\u9a57\u8b49\u8a72\u8a2d\u5099\u3001\u5be6\u9ad4\u6216\u500b\u4eba\u6240\u8072\u7a31\u7684\u8eab\u4efd\u3002<\/li>\n<li><strong>\u6388\u6b0a<\/strong>\uff1a\u901a\u904e\u63d0\u4f9b\u898f\u5247\u4e26\u6839\u64da\u8a02\u6236\u7684\u500b\u4eba\u8cc7\u6599\u548c\u8cfc\u8cb7\u7684\u670d\u52d9\u5141\u8a31\u8a2a\u554f\u6216\u62d2\u7d55\u8a2a\u554f\uff0c\u89e3\u6790\u7db2\u7d61\u4ee5\u5141\u8a31\u8a2a\u554f\u90e8\u5206\u6216\u5168\u90e8\u7db2\u7d61\u529f\u80fd\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u76ee\u7684<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Download-1<\/td>\n<td style=\"text-align: left;\">\u9a57\u8b49<\/td>\n<td style=\"text-align: left;\">\u5fc5\u9808\u5be6\u65bd\u8eab\u4efd\u9a57\u8b49\u904e\u7a0b\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Download-2<\/td>\n<td style=\"text-align: left;\">\u6388\u6b0a<\/td>\n<td style=\"text-align: left;\">\u5fc5\u9808\u5be6\u65bd\u6388\u6b0a\u6d41\u7a0b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr 
\/>\n<h4>\u57fa\u790e\u8a2d\u65bd<\/h4>\n<ul>\n<li><strong>\u6df1\u5ea6\u6578\u64da\u5305\u6aa2\u6e2c<\/strong>\uff1a<strong>DPI<\/strong>\u63d0\u4f9b\u4e86\u5206\u6790\u6bcf\u500b\u6578\u64da\u5305\u6709\u6548\u8ca0\u8f09\u7684\u6280\u8853\uff0c\u589e\u52a0\u4e86\u984d\u5916\u7684\u5b89\u5168\u5c64\u3002<strong>DPI<\/strong>\u53ef\u4ee5\u6aa2\u6e2c\u4e26\u6d88\u9664\u5176\u4ed6\u5b89\u5168\u6a5f\u5236\u53ef\u80fd\u907a\u6f0f\u7684\u653b\u64ca\u3002<\/li>\n<li>DoS\u4fdd\u8b77\uff0c\u4ee5\u907f\u514d\u57fa\u790e\u8a2d\u65bd\u5728\u4e00\u6bb5\u6642\u9593<strong>\u5167<\/strong>\u7121\u6cd5\u8a2a\u554f\u3002<\/li>\n<li><strong>SATS<\/strong>\u548c<strong>DAST<\/strong>\u8a55\u4f30\u7b49<strong>\u6383\u63cf\u5de5\u5177<\/strong>\u5c0d Web \u61c9\u7528\u7a0b\u5e8f\u7684\u6e90\u4ee3\u78bc\u548c\u6578\u64da\u6d41\u57f7\u884c\u6f0f\u6d1e\u6383\u63cf\u3002\u8a31\u591a\u6383\u63cf\u5de5\u5177\u90fd\u6703\u904b\u884c\u4e0d\u540c\u7684\u5b89\u5168\u6e2c\u8a66\uff0c\u9019\u4e9b\u6e2c\u8a66\u6703\u5728\u67d0\u4e9b\u653b\u64ca\u5834\u666f\u4e0b\u5c0d\u61c9\u7528\u7a0b\u5e8f\u65bd\u52a0\u58d3\u529b\uff0c\u4ee5\u767c\u73fe\u5b89\u5168\u554f\u984c\u3002<\/li>\n<li><strong>IDS \u548c IPS<\/strong>\uff1a<strong>IDS<\/strong>\u6aa2\u6e2c\u4e26\u8a18\u9304\u4e0d\u9069\u7576\u3001\u4e0d\u6b63\u78ba\u6216\u7570\u5e38\u7684\u6d3b\u52d5\u3002<strong>IDS<\/strong>\u53ef\u4ee5\u4f4d\u65bc\u96fb\u4fe1\u7db2\u7d61\u4e2d\u548c\/\u6216\u4e3b\u6a5f\u670d\u52d9\u5668\u6216\u8a08\u7b97\u6a5f\u5167\u3002\u96fb\u4fe1\u904b\u71df\u5546\u5728\u8207\u8def\u7531\u5668\u548c\u670d\u52d9\u5668\u7684\u6240\u6709\u7db2\u7d61\u9023\u63a5\u4e2d\u69cb\u5efa\u5165\u4fb5\u6aa2\u6e2c\u529f\u80fd\uff0c\u4e26\u5c07\u5176\u4f5c\u70ba\u670d\u52d9\u63d0\u4f9b\u7d66\u4f01\u696d\u5ba2\u6236\u3002\u4e00\u65e6 
<strong>IDS<\/strong>\u7cfb\u7d71\u8b58\u5225\u51fa\u653b\u64ca\uff0c<strong>IPS<\/strong>\u5c07\u78ba\u4fdd\u60e1\u610f\u6578\u64da\u5305\u5728\u5c0d\u5f8c\u7aef\u7cfb\u7d71\u548c\u7db2\u7d61\u9020\u6210\u4efb\u4f55\u640d\u5bb3\u4e4b\u524d\u88ab\u963b\u6b62\u3002<strong>IDS<\/strong>\u901a\u5e38\u901a\u904e\u4ee5\u4e0b\u4e09\u500b\u7cfb\u7d71\u4e2d\u7684\u4e00\u500b\u6216\u591a\u500b\u767c\u63ee\u4f5c\u7528\uff1a<\/li>\n<li>\u6a21\u5f0f\u5339\u914d\u3002<\/li>\n<li>\u7570\u5e38\u6aa2\u6e2c\u3002<\/li>\n<li>\u5354\u8b70\u884c\u70ba\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u76ee\u7684<\/th>\n<th style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-1<\/td>\n<td style=\"text-align: left;\">Packet \/ \u5305<\/td>\n<td style=\"text-align: left;\">\u61c9\u8a72\u5be6\u65bd DPI\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-2<\/td>\n<td style=\"text-align: left;\">DoS \/ \u963b\u65b7\u670d\u52d9<\/td>\n<td style=\"text-align: left;\">\u5fc5\u9808\u5be6\u65bd DoS \u4fdd\u8b77\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-3<\/td>\n<td style=\"text-align: left;\">Test \/ \u6e2c\u8a66<\/td>\n<td style=\"text-align: left;\">\u61c9\u5be6\u65bd SATS \u548c DAST \u7b49\u6383\u63cf\u5de5\u5177\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-4<\/td>\n<td style=\"text-align: left;\">Log \/ \u65e5\u8a8c<\/td>\n<td style=\"text-align: left;\">\u61c9\u5be6\u65bd\u5b89\u5168\u5de5\u5177\uff08IDS \u548c IPS\uff09\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-5<\/td>\n<td style=\"text-align: left;\">App integrity \/ \u61c9\u7528\u7a0b\u5e8f\u5b8c\u6574\u6027<\/td>\n<td style=\"text-align: 
left;\">\u61c9\u7528\u7a0b\u5e8f\u5fc5\u9808\u7531\u4ee3\u78bc\u7c3d\u540d\u6a5f\u69cb\u7c3d\u540d\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u50b3\u8f38<\/h4>\n<p>\u5c0d\u65bc\u6578\u64da\u50b3\u8f38\uff0c\u9700\u8981\u5c0d<strong>\u6578\u64da\u9032\u884c\u7aef\u5230\u7aef\u52a0\u5bc6<\/strong>\u3002\u70ba\u4e86\u9632\u6b62 <strong>MITM<\/strong>\u653b\u64ca\uff0c\u4efb\u4f55\u7b2c\u4e09\u65b9\u90fd\u4e0d\u61c9\u80fd\u5920\u89e3\u91cb\u50b3\u8f38\u7684\u6578\u64da\u3002\u53e6\u4e00\u65b9\u9762\u662f\u6578\u64da\u533f\u540d\u5316\uff0c\u4ee5\u9632\u6b62\u7528\u6236\u6216\u4efb\u4f55\u5176\u4ed6\u7b2c\u4e09\u65b9\u7684\u79c1\u4eba\u4fe1\u606f\u6d29\u9732\u3002<\/p>\n<p><strong>IPSec<\/strong>\u7b49\u6a19\u6e96\u7684\u4f7f\u7528\u63d0\u4f9b\u4e86\u201c<em>\u901a\u904e\u4f7f\u7528\u52a0\u5bc6\u5b89\u5168\u670d\u52d9\uff0c\u5728 IP \u7db2\u7d61\u4e0a\u9032\u884c\u79c1\u6709\u4e14\u5b89\u5168\u7684\u901a\u4fe1\uff0c\u662f\u4e00\u7d44\u4f7f\u7528\u7b97\u6cd5\u5728 IP \u7db2\u7d61\u4e0a\u50b3\u8f38\u5b89\u5168\u6578\u64da\u7684\u5354\u8b70\u201d<\/em>\u3002\u6b64\u5916\uff0c<strong>IPSec<\/strong>\u5728<strong>OSI<\/strong>\u6a21\u578b\u7684\u7db2\u7d61\u5c64\u904b\u884c
\uff0c\u9019\u8207\u4ee5\u524d\u5728\u61c9\u7528\u5c64\u904b\u884c\u7684\u6a19\u6e96\u76f8\u53cd\u3002\u9019\u4f7f\u5176\u61c9\u7528\u7a0b\u5e8f\u7368\u7acb\uff0c\u4e26\u4e14\u610f\u5473\u8457\u7528\u6236\u7121\u9700\u6839\u64da<strong>IPSec<\/strong>\u6a19\u6e96\u914d\u7f6e\u6bcf\u500b\u61c9\u7528\u7a0b\u5e8f\u3002<\/p>\n<p><strong>IPSec<\/strong>\u63d0\u4f9b\u4ee5\u4e0b\u670d\u52d9\uff1a<\/p>\n<ul>\n<li>\u4fdd\u5bc6\u6027\uff1a\u4e00\u7a2e\u4f7f\u975e\u63a5\u6536\u8005\u7121\u6cd5\u89e3\u8b80\u6578\u64da\u7684\u670d\u52d9\u3002\u52a0\u5bc6\u529f\u80fd\u901a\u904e\u5c07\u53ef\u7406\u89e3\u7684\uff08\u672a\u52a0\u5bc6\u7684\uff09\u6578\u64da\u8f49\u63db\u70ba\u4e0d\u53ef\u7406\u89e3\u7684\uff08\u5df2\u52a0\u5bc6\u7684\uff09\u6578\u64da\u4f86\u63d0\u4f9b\u9019\u7a2e\u670d\u52d9\u3002<\/li>\n<li>\u8eab\u4efd\u9a57\u8b49\uff1a\u78ba\u4fdd\u6578\u64da\u4f86\u81ea\u5176\u61c9\u6709\u4f86\u6e90\u7684\u670d\u52d9\u3002<\/li>\n<li>\u5b8c\u6574\u6027\uff1a\u78ba\u4fdd\u6578\u64da\u4e0d\u88ab\u610f\u5916\u6216\u6b3a\u8a50\u6027\u7be1\u6539\u7684\u670d\u52d9\u3002<\/li>\n<li>\u91cd\u653e\u4fdd\u8b77\uff1a\u901a\u904e\u5c07\u6709\u6548\u6514\u622a\u7684\u6578\u64da\u5305\u91cd\u65b0\u767c\u9001\u5230\u7db2\u7d61\u4ee5\u7372\u5f97\u76f8\u540c\u6388\u6b0a\u4f86\u9632\u6b62\u653b\u64ca\u7684\u670d\u52d9\u3002\u8a72\u670d\u52d9\u662f\u901a\u904e\u5e8f\u5217\u865f\u4f86\u63d0\u4f9b\u7684\u3002<\/li>\n<li>\u5bc6\u9470\u7ba1\u7406\uff1a\u7528\u65bc\u5728\u5169\u500b<strong>IPSec<\/strong>\u5143\u7d20\u4e4b\u9593\u5354\u5546\u52a0\u5bc6\u5bc6\u9470\u9577\u5ea6\u4e26\u4ea4\u63db\u9019\u4e9b\u5bc6\u9470\u7684\u6a5f\u5236\u3002<\/li>\n<\/ul>\n<p>\u53e6\u4e00\u7a2e\u4fdd\u8b77\u65b9\u6cd5\u662f\u5728\u7528\u6236\u548c\u96f2\u4e4b\u9593\u9032\u884c\u76e3\u63a7\uff0c\u6b63\u5982<strong>CASB<\/strong>\u6240\u63d0\u4f9b\u7684\u90a3\u6a23\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u76ee\u7684<\/th>\n<th 
style=\"text-align: left;\">\u5efa\u8b70<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Transport-1<\/td>\n<td style=\"text-align: left;\">Integrity, confidentiality and legitimacy \/ \u5b8c\u6574\u6027\u3001\u4fdd\u5bc6\u6027\u548c\u5408\u6cd5\u6027<\/td>\n<td style=\"text-align: left;\">\u61c9\u5be6\u65bd IPSec \u6a19\u6e96\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>9. <a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/09_Update_%28Over_The_Air%29\/\">\u7a7a\u4e2d\u66f4\u65b0<\/a><\/h2>\n<p>\u66f4\u65b0\u61c9\u7528\u7a0b\u5e8f\u548c\u97cc\u9ad4\u5c0d\u65bc\u958b\u767c\u65b0\u529f\u80fd\uff0c\u751a\u81f3\u4fee\u5fa9\u5b89\u5168\u6f0f\u6d1e\u81f3\u95dc\u91cd\u8981\u3002\u4f46\u662f\uff0c\u5982\u679c\u60e1\u610f\u7b2c\u4e09\u65b9\u8a2d\u6cd5\u5728\u50b3\u8f38\u904e\u7a0b\u4e2d\u66f4\u6539\u5167\u5bb9\uff0c\u5247\u53ef\u80fd\u6703\u66f4\u6539\u7cfb\u7d71\u548c\/\u6216\u61c9\u7528\u7a0b\u5e8f\u7684\u529f\u80fd\u3002\u56e0\u6b64\uff0c\u70ba\u4e86\u4fdd\u8b49\u50b3\u8f38\u6578\u64da\u7684\u5b8c\u6574\u6027\u3001\u6a5f\u5bc6\u6027\u548c\u5408\u6cd5\u6027\uff0c\u66f4\u65b0\u7684\u5b89\u5168\u6027\u662f\u8a55\u4f30\u7684\u95dc\u9375\u9ede\u3002<\/p>\n<h3>9.1 \u653b\u64ca\u5411\u91cf<\/h3>\n<p>\u7a7a\u4e2d\u66f4\u65b0 (OTA) 
\u662f\u653b\u64ca\u8005\u6700\u5e38\u898b\u7684\u6ef2\u900f\u9ede\u4e4b\u4e00\u3002OTA\u66f4\u65b0\u6a5f\u5236\u662f\u7cfb\u7d71\u4e2d\u6700\u5927\u7684\u5a01\u8105\u4e4b\u4e00\u3002\u5982\u679c\u653b\u64ca\u8005\u80fd\u5920\u5728\u7cfb\u7d71\u4e0a\u5b89\u88dd\u81ea\u5df1\u7684\u61c9\u7528\u7a0b\u5e8f\u6216\u97cc\u9ad4\uff0c\u4ed6\u5c31\u53ef\u4ee5\u7372\u5f97\u8207\u539f\u59cb\u61c9\u7528\u7a0b\u5e8f\u6216\u97cc\u9ad4\u76f8\u540c\u7d1a\u5225\u7684\u8a2a\u554f\u6b0a\u9650\u3002\u5f9e\u90a3\u6642\u8d77\uff0c\u5165\u4fb5\u8005\u53ef\u4ee5\u4e0d\u53d7\u9650\u5236\u5730\u8a2a\u554f\u7cfb\u7d71\u7684\u5176\u9918\u90e8\u5206\uff0c\u5176\u4e2d\u53ef\u80fd\u5305\u62ec\u9032\u884c\u4fee\u6539\u3001\u4e0b\u8f09\u5176\u4ed6\u8edf\u9ad4\u548c\u7aca\u53d6\u8cc7\u7522\u3002<\/p>\n<h4>Man In The Middle (MITM) \u4e2d\u9593\u4eba\u653b\u64ca<\/h4>\n<p>\u4e2d\u9593\u4eba\u653b\u64ca\u662f\u6700\u7d93\u5178\u7684\u653b\u64ca\u793a\u4f8b\uff0c\u5176\u4e2d\u653b\u64ca\u8005\u5c07\u81ea\u5df1\u63d2\u5165\u5169\u500b\u901a\u4fe1\u5be6\u9ad4\u4e4b\u9593\u4e26\u7372\u53d6\u6b63\u5728\u901a\u4fe1\u7684\u4efb\u4f55\u5167\u5bb9\u3002\u5728 OTA \u653b\u64ca\u7684\u60c5\u6cc1\u4e0b\uff0c\u7db2\u7d61\u4e2d\u7684\u9023\u63a5\u53ef\u80fd\u6703\u88ab\u6514\u622a\uff1a<\/p>\n<ul>\n<li>\u5728\u4e92\u806f\u7db2\u4e0a\uff0c\u5728\u96f2\u5f8c\u7aef\u4e4b\u524d\u3002<\/li>\n<li>\u5728\u57fa\u7ad9\uff0c3G\u30014G\u30015G \u9023\u63a5\u5230\u4e92\u806f\u7db2\u3002<\/li>\n<li>\u5728\u63a5\u6536\u5929\u7dda\u8655\uff0c\u9023\u63a5\u5230\u6c7d\u8eca\u3002<\/li>\n<li>\u63a5\u6536\u5929\u7dda\u548c\u7db2\u95dc\u8def\u7531\u5668\uff08\u5982\u679c\u6709\uff09\u4e4b\u9593\uff0c\u8eca\u5167\u9023\u63a5\u3002<\/li>\n<li>\u5728\u7db2\u95dc\u8def\u7531\u5668\u548c\u76ee\u6a19\u7d44\u4ef6\uff08IVI\u3001\u8eca\u8f09\u4fe1\u606f\u5a1b\u6a02\u55ae\u5143\uff09\u4e4b\u9593\u3002<\/li>\n<\/ul>\n<p>\u767c\u52d5 MITM \u653b\u64ca\u7684\u65b9\u6cd5\u6709\u5f88\u591a\u7a2e\u3002\u4f8b\u5982\uff0cBurp Proxy 
\u7b49\u4ee3\u7406\u5de5\u5177\u53ef\u7528\u65bc\u4f5c\u70ba\u4e2d\u9593\u4eba\u6514\u622a Web \u6d41\u91cf\u3002\u4ee3\u7406\u670d\u52d9\u5668\u6253\u8457\u6e2c\u8a66\u5de5\u5177\u7684\u5e4c\u5b50\uff0c\u7d93\u5e38\u7528\u65bc\u653b\u64ca\u5834\u666f\u3002\u5b83\u904b\u884c\u5728\u5404\u7a2e\u5e73\u53f0\u4e0a\u3002<\/p>\n<p>\u4f5c\u70ba\u53e6\u4e00\u500b\u4f8b\u5b50\uff0c\u773e\u6240\u5468\u77e5\uff0c\u865b\u5047\u57fa\u7ad9\u653b\u64ca\u76f8\u7576\u5bb9\u6613\u914d\u7f6e\u3002\u9019\u500b\u554f\u984c\u5728\u4e2d\u570b\u548c\u82f1\u570b\u7b49\u570b\u5bb6\u986f\u7136\u76f8\u7576\u666e\u904d\u3002\u9019\u4e9b\u5047\u57fa\u7ad9\u6709\u6642\u53ea\u662f\u7aca\u807d\u901a\u4fe1\uff0c\u4f46\u5176\u4ed6\u57fa\u7ad9\u5247\u6709\u53ef\u80fd\u9020\u6210\u56b4\u91cd\u5371\u5bb3\u3002<\/p>\n<p>\u91dd\u5c0d MITM \u653b\u64ca\u7684\u9632\u79a6\u5305\u62ec\u52a0\u5bc6\u548c\u7c3d\u540d\u7684\u6578\u64da\u7ba1\u9053\u3002\u6b64\u5916\uff0c\u9084\u5efa\u8b70\u67b6\u69cb\u5e2b\u548c\u958b\u767c\u4eba\u54e1\u5c0d\u901a\u904e\u9019\u4e9b\u7ba1\u9053\u50b3\u905e\u7684\u6709\u6548\u8ca0\u8f09\u9032\u884c\u52a0\u5bc6\u548c\u7c3d\u540d\uff0c\u4ee5\u9632\u6b62\u6578\u64da\u88ab\u7aca\u53d6\u3002<\/p>\n<h4>Man At The End (MATE) \u672b\u7aef\u4eba\u653b\u64ca<\/h4>\n<p>\u672b\u7aef\u4eba\u653b\u64ca\u662f\u6307\u5165\u4fb5\u8005\u5728\u8edf\u9ad4\u8a2a\u554f\u6578\u64da\u901a\u4fe1\u6642\u5206\u6790\u901a\u4fe1\u7684\u7aef\u9ede\u3002\u9019\u662f\u4e00\u7a2e\u66f4\u56b4\u91cd\u7684\u653b\u64ca\u985e\u578b\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\uff1a<\/p>\n<ul>\n<li>\u5077\u9470\u5319\u3002<\/li>\n<li>\u4f8b\u5982\uff0c\u904b\u884c\u8edf\u9ad4\u4e2d\u7684\u7c21\u55ae\u8abf\u8a66\u6703\u8a71\u53ef\u80fd\u6703\u63ed\u793a\u5167\u5b58\u4e2d\u4f7f\u7528\u7684\u5bc6\u9470\u3002<\/li>\n<li>\u7be1\u6539\u8edf\u9ad4\u3002<\/li>\n<li>\u4f8b\u5982\uff0c\u50c5\u7528 
NOP\uff08\u5373\u7121\u64cd\u4f5c\uff09\u66ff\u63db\u8edf\u9ad4\u4e2d\u7684\u4e00\u500b\u51fd\u6578\u8abf\u7528\u5c31\u53ef\u4ee5\u6975\u5927\u5730\u6539\u8b8a\u7a0b\u5e8f\u7684\u884c\u70ba\u3002<\/li>\n<li>\u5835\u585e\u63a7\u5236\u5206\u652f\u3002<\/li>\n<li>\u4f8b\u5982\uff0c\u4f7f\u7a0b\u5e8f\u63a1\u7528\u4e00\u500b\u63a7\u5236\u5206\u652f\u800c\u4e0d\u662f\u9810\u671f\u5206\u652f\u53ef\u80fd\u610f\u5473\u8457\u6388\u6b0a\u5b89\u88dd\u548c\u975e\u6388\u6b0a\u5b89\u88dd\u4e4b\u9593\u7684\u5340\u5225\u3002<\/li>\n<li>\u4fee\u6539\u91cd\u8981\u6578\u64da\u3002<\/li>\n<li>\u4f8b\u5982\uff0c\u5982\u679c\u66f4\u6539\u7684\u6578\u64da\u662f\u901a\u5411\u63a7\u5236\u8def\u5f91\u7684\u5bc6\u9470\u6216\u6578\u64da\uff0c\u5247\u9019\u7a2e\u653b\u64ca\u53ef\u80fd\u6703\u5f88\u56b4\u91cd\u3002<\/li>\n<li>\u5c0d\u65bc OTA \u66f4\u65b0\uff0cMATE \u653b\u64ca\u5c0d\u7cfb\u7d71\u4f86\u8aaa\u5c24\u5176\u6210\u554f\u984c\u3002MATE \u653b\u64ca\u7684\u5f8c\u679c\u4e4b\u4e00\u662f\u5b89\u88dd\u5141\u8a31\u5b89\u88dd\u4efb\u4f55\u5176\u4ed6\u8edf\u9ad4\u7684\u8edf\u9ad4\u3002\u4f8b\u5982\uff0c\u653b\u64ca\u8005\u53ef\u80fd\u6703\u5b89\u88dd\u9060\u7a0b\u8a2a\u554f\u8edf\u9ad4\u4f86\u63a7\u5236\u7cfb\u7d71\u7684\u4efb\u4f55\u90e8\u5206\u3002<\/li>\n<\/ul>\n<hr \/>\n<h3>9.2 \u7e2e\u7565\u8a9e<\/h3>\n<p>\u4e0b\u8868\u5217\u51fa\u4e86\u672c\u90e8\u5206\u6587\u6a94\u4e2d\u4f7f\u7528\u7684\u8853\u8a9e\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u7e2e\u5beb<\/th>\n<th style=\"text-align: left;\">\u63cf\u8ff0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><em>FOTA<\/em><\/td>\n<td style=\"text-align: left;\"><strong>F<\/strong>irmware <strong>O<\/strong>ver <strong>T<\/strong>he <strong>A<\/strong>ir   \/  <strong>\u7a7a\u4e2d\u97cc\u9ad4\u66f4\u65b0<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>MATE<\/em><\/td>\n<td style=\"text-align: left;\"><strong>M<\/strong>an <strong>A<\/strong>t <strong>T<\/strong>he 
<strong>E<\/strong>nd  \/  <strong>\u672b\u7aef\u4eba\u653b\u64ca<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>MITM<\/em><\/td>\n<td style=\"text-align: left;\"><strong>M<\/strong>an <strong>I<\/strong>n <strong>T<\/strong>he <strong>M<\/strong>iddle  \/  <strong>\u4e2d\u9593\u4eba\u653b\u64ca<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>OTA<\/em><\/td>\n<td style=\"text-align: left;\"><strong>O<\/strong>ver <strong>T<\/strong>he <strong>A<\/strong>ir  \/  <strong>\u900f\u904e\u7a7a\u4e2d\u50b3\u8f38<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>SOTA<\/em><\/td>\n<td style=\"text-align: left;\"><strong>S<\/strong>oftware <strong>O<\/strong>ver <strong>T<\/strong>he <strong>A<\/strong>ir  \/  <strong>\u7a7a\u4e2d\u8edf\u9ad4\u66f4\u65b0<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><em>TUF<\/em><\/td>\n<td style=\"text-align: left;\"><strong>T<\/strong>he <strong>U<\/strong>pdate <strong>F<\/strong>ramework  \/  <strong>\u66f4\u65b0\u6846\u67b6<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>9.3 FOTA \u7a7a\u4e2d\u97cc\u9ad4\u66f4\u65b0<\/h3>\n<p>\u97cc\u9ad4\u66f4\u65b0\u81f3\u95dc\u91cd\u8981\uff0c\u56e0\u70ba\u5b83\u7684\u4fee\u6539\u6703\u5371\u53ca\u6574\u500b\u7cfb\u7d71\u3002\u56e0\u6b64\uff0c\u6709\u5fc5\u8981\u63a1\u53d6\u9069\u7576\u7684\u9632\u8b77\u63aa\u65bd\u3002<\/p>\n<p>AGL \u5305\u62ec <em>meta-updater<\/em>\uff08\u5143\u66f4\u65b0\u7a0b\u5e8f\uff09Yocto \u5c64\uff0c\u53ef\u901a\u904e<a href=\"https:\/\/uptane.github.io\/\">Uptane<\/a>\u9032\u884c OTA \u8edf\u9ad4\u66f4\u65b0\uff0cUptane \u662f<a href=\"https:\/\/theupdateframework.github.io\/\">\u66f4\u65b0\u6846\u67b6<\/a>\u7684\u6c7d\u8eca\u5c08\u7528\u64f4\u5c55\u3002Uptane \u548c TUF 
\u662f\u958b\u653e\u6a19\u6e96\uff0c\u5b9a\u7fa9\u4e86\u4e00\u7a2e\u5b89\u5168\u5354\u8b70\uff0c\u5373\u4f7f\u5728\u670d\u52d9\u5668\u548c\u7db2\u7d61\uff08\u4e92\u806f\u7db2\u548c\u6c7d\u8eca\u5167\u90e8\uff09\u4e0d\u5b8c\u5168\u53d7\u4fe1\u4efb\u7684\u60c5\u6cc1\u4e0b\u4e5f\u80fd\u63d0\u4f9b\u548c\u9a57\u8b49\u66f4\u65b0\u3002<\/p>\n<p><em>\u5143\u66f4\u65b0\u7a0b\u5e8f<\/em>\u5305\u62ec\u61c9\u7528\u7a0b\u5e8f <a href=\"https:\/\/github.com\/advancedtelematic\/aktualizr\"><code>aktualizr<\/code><\/a>\uff0c\u7531 Advanced Telematics Systems\uff08\u73fe\u5728\u662f HERE Technologies \u7684\u4e00\u90e8\u5206\uff09\u958b\u767c\uff0c\u8a72\u61c9\u7528\u7a0b\u5e8f\u652f\u6301 ECU \u7684 OTA\u3002<code>aktualizr<\/code>\u8207 Uptane \u7d50\u5408\u9069\u7528\u65bc\u66f4\u65b0\u529f\u80fd\u95dc\u9375 ECU \u4e0a\u7684\u97cc\u9ad4\u3001\u8edf\u9ad4\u548c\u5176\u4ed6\u8edf\u9ad4\u5305\u3002<code>aktualizr<\/code>\u53ef\u4ee5\u901a\u904e\u514d\u8cbb\u7684\u958b\u6e90\u5f8c\u7aef\u555f\u7528 <a href=\"https:\/\/github.com\/advancedtelematic\/ota-community-edition\"><code>ota-community-edition<\/code><\/a>\u3002<\/p>\n<p>\u53ef\u4ee5\u901a\u904e <code>agl-sota<\/code> \u529f\u80fd\u555f\u7528\u6b64 FOTA \u66f4\u65b0\u6a5f\u5236\u3002<\/p>\n<h4>Building \u69cb\u5efa<\/h4>\n<p>\u8981\u4f7f\u7528<code>aktualizr<\/code> \u69cb\u5efa AGL \u93e1\u50cf\uff0c\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u5167\u5bb9\u3002<\/p>\n<pre><code>source meta-agl\/scripts\/aglsetup.sh -m &lt;machine&gt; agl-sota &lt;other-features...&gt;<\/code><\/pre>\n<p>\u5728\u69cb\u5efa\u904e\u7a0b\u4e2d\uff0c<em>\u5143\u66f4\u65b0\u7a0b\u5e8f<\/em>\u5c07\u4f7f\u7528\u5f9e <code>ota-community-edition<\/code> \u4e0b\u8f09\u7684\u6191\u64da\u4f86\u7c3d\u7f72\u5143\u6578\u64da\uff0c\u4ee5\u9a57\u8b49\u69cb\u5efa\u7684\u771f\u5be6\u6027\u3002\u9019\u4e9b\u7c3d\u540d\u662f Uptane \u6846\u67b6\u7684\u4e00\u90e8\u5206\uff0c\u7528\u65bc\u9a57\u8b49 FOTA \u66f4\u65b0\u3002<\/p>\n<h4>Atomic Upgrades with 
Rollbacks \u53ef\u56de\u6efe\u7684\u539f\u5b50\u5347\u7d1a<\/h4>\n<p><code>aktualizr<\/code>\u66f4\u65b0\u97cc\u9ad4\u7684\u4e3b\u8981\u65b9\u6cd5\u662f\u4f7f\u7528<code>libostree<\/code>\u4e8c\u9032\u5236\u5dee\u7570\u3002\u4e8c\u9032\u5236\u5dee\u7570\u4f7f\u7528\u6700\u5c11\u7684\u5e36\u5bec\uff0c\u4e26\u4e14<code>libostree<\/code>\u672c\u8cea\u4e0a\u5c07\u7576\u524d\u548c\u4ee5\u524d\u7684\u97cc\u9ad4\u7248\u672c\u5b58\u5132\u5728\u78c1\u76e4\u6216\u9583\u5b58\u4e2d\u4ee5\u5141\u8a31\u56de\u6efe\u3002<\/p>\n<p><code>libostree<\/code>\u662f\u4e00\u500b\u5167\u5bb9\u53ef\u5c0b\u5740\u7684\u5c0d\u8c61\u5b58\u5132\uff0c\u5f88\u50cf<code>git<\/code>\u3002\u7248\u672c\u901a\u904e SHA2-256 \u6307\u5b9a\u3002\u9019\u4e9b\u54c8\u5e0c\u503c\u5728 Uptane \u5143\u6578\u64da\u4e2d\u9032\u884c\u7c3d\u540d\uff0c\u4e26\u4e14\u80fd\u5920\u62b5\u79a6\u52a0\u5bc6\u6d29\u9732\u3002<\/p>\n<h3>9.4 SOTA \u7a7a\u4e2d\u8edf\u9ad4\u66f4\u65b0<\/h3>\n<p>\u806f\u7db2\u8eca\u8f1b\u4e2d\u7684\u8edf\u9ad4\u66f4\u65b0\u662f\u4e00\u9805\u975e\u5e38\u6709\u7528\u7684\u529f\u80fd\uff0c\u53ef\u4ee5\u5e36\u4f86\u986f\u8457\u7684\u597d\u8655\u3002\u5982\u679c\u4e0d\u8003\u616e\u5b89\u5168\u6027\uff0c\u8edf\u9ad4\u66f4\u65b0\u53ef\u80fd\u6703\u5c0e\u81f4\u56b4\u91cd\u7684\u6f0f\u6d1e\u3002\u4efb\u4f55\u8edf\u9ad4\u66f4\u65b0\u7cfb\u7d71\u90fd\u5fc5\u9808\u78ba\u4fdd\u4e0d\u50c5\u4ee5\u5b89\u5168\u7684\u65b9\u5f0f\u5b8c\u6210\u8a2d\u5099\u7684\u8edf\u9ad4\u66f4\u65b0\uff0c\u800c\u4e14\u8a17\u7ba1\u9019\u4e9b\u66f4\u65b0\u7684\u5b58\u5132\u5eab\u548c\u670d\u52d9\u5668\u4e5f\u5f97\u5230\u5145\u5206\u7684\u4fdd\u8b77\u3002\u96a8\u8457\u8edf\u9ad4\u66f4\u65b0\u904e\u7a0b\u5f9e\u7d93\u92b7\u5546\u66f4\u65b0\u6a21\u578b\u9077\u79fb\u5230<strong>OTA<\/strong>\u66f4\u65b0\u6a21\u578b\uff0c\u78ba\u4fdd\u9019\u4e9b\u904e\u7a0b\u7684\u5b89\u5168\u6210\u70ba\u91cd\u4e2d\u4e4b\u91cd\u3002<\/p>\n<p><strong>SOTA<\/strong>\u662f\u901a\u904e<strong>AppFw<\/strong>\u5be6\u73fe\u7684\uff08\u53c3\u898b\u5e73\u53f0\u90e8\u52
06\uff09\u3002\u53ef\u4ee5\u4ee5\u7c21\u55ae\u7684\u65b9\u5f0f\u7ba1\u7406\u6578\u64da\u5305\uff08\u4f8b\u5982 Android\uff09\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Update-SOTA-1<\/td>\n<td style=\"text-align: left;\">\u5f85\u5b8c\u6210\u7684\u90e8\u5206\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>10. <a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/10_Secure_development\/\">\u5b89\u5168\u958b\u767c<\/a><\/h2>\n<p>\u70ba\u4e86\u7bc0\u7701\u5927\u91cf\u4ee3\u78bc\u5be9\u6838\u6642\u9593\uff0c\u958b\u767c\u4eba\u54e1\u5fc5\u9808\u9075\u5faa\u7de8\u78bc\u6307\u5357\u3002<\/p>\n<h3>10.1 \u5b89\u5168\u69cb\u5efa<\/h3>\n<h4>\u5167\u6838\u69cb\u5efa<\/h4>\n<p>\u5de5\u5177\u5982\uff1a<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/jduck\/lk-reducer\">\u4ee3\u78bc\u512a\u5316\u5de5\u5177\uff08lk_reducer\uff09<\/a>\u3002<\/li>\n<li>\u4f7f\u7528 <a href=\"https:\/\/www.usenix.org\/system\/files\/conference\/usenixsecurity17\/sec17-machiry.pdf\">dr_checker<\/a> \u9032\u884c<a href=\"https:\/\/github.com\/ucsb-seclab\/dr_checker\">\u5167\u6838\u9a45\u52d5\u7a0b\u5e8f\u6e2c\u8a66<\/a>\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">SecureDev-SecureBuild-1<\/td>\n<td style=\"text-align: left;\">\u6dfb\u52a0\u5167\u5bb9\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>10.2 \u61c9\u7528\u7a0b\u5e8f\/\u5c0f\u90e8\u4ef6\u7c3d\u540d<\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">SecureDev-Signatures-1<\/td>\n<td style=\"text-align: 
left;\">\u6dfb\u52a0\u5167\u5bb9\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>10.3 \u4ee3\u78bc\u5be9\u6838<\/h3>\n<p>\u9019\u4e9b\u5de5\u5177\u7528\u65bc\u6aa2\u67e5\u529f\u80fd\u7684\u6b63\u78ba\u5be6\u73fe\u4ee5\u53ca\u662f\u5426\u7b26\u5408\u76f8\u95dc\u7684\u826f\u597d\u5be6\u8e10\u3002<\/p>\n<ul>\n<li><a href=\"https:\/\/www.sonarqube.org\/\">\u6301\u7e8c\u7684\u4ee3\u78bc\u8cea\u91cf<\/a>\u3002<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">\u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">SecureDev-CodeAudit-1<\/td>\n<td style=\"text-align: left;\">\u6dfb\u52a0CVE\u5206\u6790\u5668\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">SecureDev-CodeAudit-2<\/td>\n<td style=\"text-align: left;\"><a href=\"http:\/\/www.isecom.org\/mirror\/OSSTMM.3.pdf\">OSSTMM<\/a>\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>1. SATS &#8211; Static auditing-tool-for-security \u975c\u614b\u5b89\u5168\u5be9\u6838\u5de5\u5177<\/h4>\n<ul>\n<li><a href=\"https:\/\/github.com\/andrew-d\/rough-auditing-tool-for-security\">RATS<\/a>\uff08\u53ef\u80fd\u5df2\u904e\u6642\uff09\u3002rough-auditing-tool-for-security<\/li>\n<li><a href=\"https:\/\/www.dwheeler.com\/flawfinder\/\">\u7f3a\u9677\u67e5\u627e\u5668<\/a>\u3002flawfinder<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/List_of_tools_for_static_code_analysis\">\u7dad\u57fa\u5217\u8868<\/a>\u3002List_of_tools_for_static_code_analysis<\/li>\n<li><a href=\"https:\/\/perso.univ-rennes1.fr\/david.lubicz\/planches\/David_Pichardie.pdf\">\u6578\u5b78\u65b9\u6cd5<\/a>\u3002David_Pichardie.pdf<\/li>\n<\/ul>\n<p>\u6709\u5fc5\u8981\u9a57\u8b49\u61c9\u7528\u7a0b\u5e8f\u4ee3\u78bc\u4e0d\u4f7f\u7528\u5df2\u68c4\u7528\u4e14\u88ab\u8b58\u5225\u70ba\u4e0d\u5b89\u5168\u6216\u6703\u5c0e\u81f4\u554f\u984c\u7684\u51fd\u6578\u3002<\/p>\n<h4>2. 
DATS &#8211; Dynamic auditing-tool-for-security \u52d5\u614b\u5b89\u5168\u5be9\u6838\u5de5\u5177<\/h4>\n<ul>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Dynamic_program_analysis#Example_tools\">\u7dad\u57fa\u5217\u8868<\/a>\u3002Example_tools<\/li>\n<\/ul>\n<h2>A. <a href=\"https:\/\/docs.automotivelinux.org\/en\/master\/#03_Architecture_Guides\/02_Security_Blueprint\/11_Annexes\/\">\u9644\u9304<\/a><\/h2>\n<h5>A1. \u679a\u8209\u4e86\u60a8\u5fc5\u9808\u5be6\u73fe\u7684\u6240\u6709\u914d\u7f6e<\/h5>\n<p>\u6c92\u6709\u4efb\u4f55\u8aaa\u660e\uff0c\u56e0\u70ba\u6240\u6709\u8aaa\u660e\u5df2\u5728\u6587\u6a94\u4e2d\u7d66\u51fa\u3002<\/p>\n<ul>\n<li><em>config<\/em> \u6a19\u7c64\u53ef\u4ee5\u5feb\u901f\u8b58\u5225\u914d\u7f6e\u548c\u8981\u63a1\u53d6\u7684\u5efa\u8b70\u3002<\/li>\n<li><em>note<\/em> \u6a19\u7c64\u5141\u8a31\u60a8\u901a\u77e5\u4e00\u4e9b\u984d\u5916\u7684\u8a73\u7d30\u4fe1\u606f\u3002<\/li>\n<li><em>todo<\/em> \u6a19\u7c64\u986f\u793a\u4e86\u53ef\u80fd\u7684\u6539\u9032\u3002<\/li>\n<\/ul>\n<h5>A2. \u5217\u51fa\u6240\u6709\u5f85\u8fa6\u4e8b\u9805<\/h5>\n<p>\u4ee5\u4fbf\u5c0d\u6587\u6a94\u7684\u53ef\u80fd\u6539\u9032\u6709\u4e00\u500b\u5168\u5c40\u7684\u4e86\u89e3\u3002<\/p>\n<h3>A1. 
Config notes\uff08\u914d\u7f6e\u9805\u8a18\u9304\uff09<\/h3>\n<h4>\u786c\u9ad4\u914d\u7f6e\u5efa\u8b70<\/h4>\n<h5>\u96c6\u6210\u5efa\u8b70<\/h5>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Hardware-Integrity-1<\/td>\n<td style=\"text-align: left;\">Bootloader<\/td>\n<td style=\"text-align: left;\">Must control bootloader integrity.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Integrity-2<\/td>\n<td style=\"text-align: left;\">Board<\/td>\n<td style=\"text-align: left;\">Must use a HSM.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Integrity-3<\/td>\n<td style=\"text-align: left;\">RTC<\/td>\n<td style=\"text-align: left;\">Must not be alterable.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>\u8a8d\u8b49\u5efa\u8b70<\/h5>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Hardware-Certificate-1<\/td>\n<td style=\"text-align: left;\">System<\/td>\n<td style=\"text-align: left;\">Shall allow storing dedicated certificates.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Certificate-2<\/td>\n<td style=\"text-align: left;\">ECU<\/td>\n<td style=\"text-align: left;\">The ECU must verify the certification authority hierarchy.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Certificate-3<\/td>\n<td style=\"text-align: left;\">System<\/td>\n<td style=\"text-align: left;\">Allow the modification of certificates only if the source can be <br \/>authenticated by a certificate already stored or in the higher levels of the chain of 
trust.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>\u8a18\u61b6\u9ad4\u8207\u5b89\u5168\u6a21\u7d44\u5efa\u8b70<\/h5>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Hardware-Memory-1<\/td>\n<td style=\"text-align: left;\">ECU<\/td>\n<td style=\"text-align: left;\">The ECU shall never expose the unencrypted key in RAM <br \/>when using cryptographic keys.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Memory-2<\/td>\n<td style=\"text-align: left;\">Bootloader<\/td>\n<td style=\"text-align: left;\">Internal NVM only<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Hardware-Module-3<\/td>\n<td style=\"text-align: left;\">&#8211;<\/td>\n<td style=\"text-align: left;\">HSM must be used to secure keys.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5b89\u5168\u555f\u52d5\u914d\u7f6e\u8207\u5efa\u8b70<\/h4>\n<h5>\u555f\u52d5\u93e1\u50cf\u914d\u7f6e<\/h5>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><em>Variable<\/em> \/ <code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Selection-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_BOOTDELAY<\/code><\/td>\n<td style=\"text-align: left;\"><code>-2<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Selection-2<\/td>\n<td style=\"text-align: left;\"><em>bootdelay<\/em><\/td>\n<td style=\"text-align: left;\"><code>-2<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>\u555f\u52d5\u93e1\u50cf\u5be9\u6838\u914d\u7f6e<\/h5>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: 
left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_FIT<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_FIT_SIGNATURE<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_RSA<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-4<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_OF_CONTROL<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-5<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_OF_SEPARATE<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Image-Authenticity-6<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEFAULT_DEVICE_TREE<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>\u555f\u52d5\u901a\u8a0a\u914d\u7f6e\u8207\u5efa\u8b70<\/h5>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u901a\u8a0a\u6a21\u5f0f<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-1<\/td>\n<td style=\"text-align: left;\"><code>USB<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em> and <em>Compiled-out<\/em> if not required.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-2<\/td>\n<td style=\"text-align: left;\"><code>USB<\/code><\/td>\n<td style=\"text-align: 
left;\">Else, Kernel should be configured to only enable the minimum <br \/>required USB devices and filesystems should be treated with <br \/>special care.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-3<\/td>\n<td style=\"text-align: left;\"><code>Ethernet<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-4<\/td>\n<td style=\"text-align: left;\">U-boot and <br \/>sboot <code>DOCSIS<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-5<\/td>\n<td style=\"text-align: left;\"><code>Serial ports<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-USB-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CMD_USB<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-USB-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_USB_UHCI<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-USB-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_USB_KEYBOARD<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-USB-4<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_USB_STORAGE<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-USB-5<\/td>\n<td style=\"text-align: 
left;\"><code>CONFIG_USB_HOST_ETHER<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">\u901a\u8a0a\u6a21\u5f0f<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-1<\/td>\n<td style=\"text-align: left;\"><code>Network interfaces<\/code><\/td>\n<td style=\"text-align: left;\">Preferably <em>no network interface is allowed<\/em>, otherwise, <br \/>restrict the services to those used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-1<\/td>\n<td style=\"text-align: left;\"><code>Services<\/code>, <code>ports<\/code> and <code>devices<\/code><\/td>\n<td style=\"text-align: left;\">Restrict the <code>services<\/code>, <code>ports<\/code> and <code>devices<\/code> to those used.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Command<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Communication-Flash-1<\/td>\n<td style=\"text-align: left;\"><code>do_nand<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>\u555f\u52d5\u63a7\u5236\u53f0\u76f8\u95dc\u914d\u7f6e<\/h5>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: 
left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Serial-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SILENT_CONSOLE<\/code><\/td>\n<td style=\"text-align: left;\"><code>Disable<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Serial-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SYS_DEVICE_NULLDEV<\/code><\/td>\n<td style=\"text-align: left;\"><code>Disable<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Serial-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC<\/code><\/td>\n<td style=\"text-align: left;\"><code>Disable<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Environment variable<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Serial-1<\/td>\n<td style=\"text-align: left;\"><code>INC_DEBUG_PRINT<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not defined<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_MMC<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_EEPROM<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-3<\/td>\n<td style=\"text-align: 
left;\"><code>CONFIG_ENV_IS_IN_FLASH<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-4<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_DATAFLASH<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-5<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_FAT<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-6<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_NAND<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-7<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_NVRAM<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-8<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_ONENAND<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-9<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_SPI_FLASH<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-10<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_REMOTE<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-11<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_IN_UBI<\/code><\/td>\n<td style=\"text-align: left;\"><code>#undef<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-Variables-12<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_ENV_IS_NOWHERE<\/code><\/td>\n<td 
style=\"text-align: left;\"><code>#define<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Command<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-1<\/td>\n<td style=\"text-align: left;\"><code>md<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-2<\/td>\n<td style=\"text-align: left;\"><code>mm<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-3<\/td>\n<td style=\"text-align: left;\"><code>nm<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-4<\/td>\n<td style=\"text-align: left;\"><code>mw<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-5<\/td>\n<td style=\"text-align: left;\"><code>cp<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-6<\/td>\n<td style=\"text-align: left;\"><code>mwc<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-7<\/td>\n<td style=\"text-align: left;\"><code>mdc<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-8<\/td>\n<td style=\"text-align: left;\"><code>mtest<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-MemDump-9<\/td>\n<td style=\"text-align: left;\"><code>loopw<\/code><\/td>\n<td 
style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5167\u6838\u914d\u7f6e<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-1<\/td>\n<td style=\"text-align: left;\">CONFIG_IP_NF_SECURITY<\/td>\n<td style=\"text-align: left;\">m<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-2<\/td>\n<td style=\"text-align: left;\">CONFIG_IP6_NF_SECURITY<\/td>\n<td style=\"text-align: left;\">m<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-3<\/td>\n<td style=\"text-align: left;\">CONFIG_EXT2_FS_SECURITY<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-4<\/td>\n<td style=\"text-align: left;\">CONFIG_EXT3_FS_SECURITY<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-5<\/td>\n<td style=\"text-align: left;\">CONFIG_EXT4_FS_SECURITY<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-6<\/td>\n<td style=\"text-align: left;\">CONFIG_SECURITY<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-7<\/td>\n<td style=\"text-align: left;\">CONFIG_SECURITY_SMACK<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-MAC-8<\/td>\n<td style=\"text-align: left;\">CONFIG_TMPFS_XATTR<\/td>\n<td style=\"text-align: left;\">y<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: 
left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-kexec-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KEXEC<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-IPAutoConf-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_IP_PNP<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-SysCtl_SysCall-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SYSCTL_SYSCALL<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-LegacyLinux-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_USELIB<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-FirmHelper-1<\/td>\n<td 
style=\"text-align: left;\"><code>CONFIG_FW_LOADER_USER_HELPER<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-PanicOnOOPS-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_PANIC_ON_OOPS<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-SocketMon-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_PACKET_DIAG<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-SocketMon-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_UNIX_DIAG<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-BPF_JIT-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_BPF_JIT<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: 
left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-ModuleSigning-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_MODULE_SIG_FORCE<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Variable<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-ModuleSigning-2<\/td>\n<td style=\"text-align: left;\"><code>kernel.modules_disabled<\/code><\/td>\n<td style=\"text-align: left;\"><code>1<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-Drivers-1<\/td>\n<td style=\"text-align: left;\"><code>USB<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-Drivers-2<\/td>\n<td style=\"text-align: left;\"><code>PCMCIA<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-Drivers-3<\/td>\n<td style=\"text-align: left;\">Other <code>hotplug<\/code> bus<\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>compiler<\/code> and <code>linker<\/code> options<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-IndependentExec-1<\/td>\n<td style=\"text-align: left;\"><code>-pie 
-fpic<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>compiler<\/code> and <code>linker<\/code> options<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-OverwriteAttacks-1<\/td>\n<td style=\"text-align: left;\"><code>-z,relro<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-OverwriteAttacks-2<\/td>\n<td style=\"text-align: left;\"><code>-z,now<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-LibraryLinking-1<\/td>\n<td style=\"text-align: left;\">Dynamic linking<\/td>\n<td style=\"text-align: left;\">Should generally not be allowed.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-RestrictAccess-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEVKMEM<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: 
left;\">Kernel-Memory-CoreDump-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_PROC_KCORE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-Swap-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SWAP<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-LoadAllSymbols-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KALLSYMS<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-LoadAllSymbols-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KALLSYMS_ALL<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-Stack-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CC_STACKPROTECTOR<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: 
left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-Access-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEVMEM<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-CrossMemAttach-1<\/td>\n<td style=\"text-align: left;\"><code>CROSS_MEMORY_ATTACH<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>compiler<\/code> and <code>linker<\/code> options<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-StackSmashing-1<\/td>\n<td style=\"text-align: left;\"><code>-fstack-protector-all<\/code><\/td>\n<td style=\"text-align: left;\"><em>Enable<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>compiler<\/code> options and <code>config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-BufferOverflows-1<\/td>\n<td style=\"text-align: left;\"><code>-D_FORTIFY_SOURCE<\/code><\/td>\n<td style=\"text-align: left;\"><code>2<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Memory-BufferOverflows-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_FORTIFY_SOURCE<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th 
style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-Serial-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SERIAL_8250<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-Serial-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SERIAL_8250_CONSOLE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-Serial-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SERIAL_CORE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-Serial-4<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_SERIAL_CORE_CONSOLE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-CommandLine-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CMDLINE_BOOL<\/code><\/td>\n<td style=\"text-align: left;\"><code>y<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-CommandLine-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CMDLINE<\/code><\/td>\n<td style=\"text-align: left;\"><code>&quot;insert kernel command line here&quot;<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-CommandLine-3<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_CMDLINE_OVERRIDE<\/code><\/td>\n<td style=\"text-align: 
left;\"><code>y<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-KDBG-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KGDB<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-SysRQ-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_MAGIC_SYSRQ<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Consoles-BinaryFormat-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_BINFMT_MISC<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Symbols-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEBUG_INFO<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th 
style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Kprobes-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_KPROBES<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Tracing-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_FTRACE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Profiling-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_OPROFILE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Profiling-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_PROFILING<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-OOPSOnBUG-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEBUG_BUGVERBOSE<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th 
style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Dev-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEBUG_KERNEL<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Dev-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_EMBEDDED<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-FileSystem-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEBUG_FS<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-BUG-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_BUG<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-CoreDumps-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_COREDUMP<\/code><\/td>\n<td style=\"text-align: 
left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>File<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-1<\/td>\n<td style=\"text-align: left;\"><code>\/proc\/sys\/kernel\/kptr_restrict<\/code><\/td>\n<td style=\"text-align: left;\"><code>1<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>File<\/code> or <code>Directory<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-1<\/td>\n<td style=\"text-align: left;\"><code>\/boot\/vmlinuz*<\/code><\/td>\n<td style=\"text-align: left;\"><em>Readable only by the root user<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-2<\/td>\n<td style=\"text-align: left;\"><code>\/boot\/System.map*<\/code><\/td>\n<td style=\"text-align: left;\"><em>Readable only by the root user<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-3<\/td>\n<td style=\"text-align: left;\"><code>\/sys\/kernel\/debug\/<\/code><\/td>\n<td style=\"text-align: left;\"><em>Readable only by the root user<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-AdressDisplay-4<\/td>\n<td style=\"text-align: left;\"><code>\/proc\/slabinfo<\/code><\/td>\n<td style=\"text-align: left;\"><em>Readable only by the root user<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>File<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td 
style=\"text-align: left;\">Kernel-Debug-DMESG-1<\/td>\n<td style=\"text-align: left;\"><code>\/proc\/sys\/kernel\/dmesg_restrict<\/code><\/td>\n<td style=\"text-align: left;\"><code>1<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-Debug-Config-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_IKCONFIG<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-NFS-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_NFSD<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-NFS-2<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_NFS_FS<\/code><\/td>\n<td style=\"text-align: left;\"><code>n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Partition<\/code><\/th>\n<th style=\"text-align: left;\"><code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-1<\/td>\n<td style=\"text-align: left;\"><code>\/boot<\/code><\/td>\n<td style=\"text-align: left;\"><code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-2<\/td>\n<td style=\"text-align: left;\"><code>\/var<\/code> &amp; <code>\/tmp<\/code><\/td>\n<td 
style=\"text-align: left;\">In <code>\/etc\/fstab<\/code> or <code>vfstab<\/code>, add <code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-3<\/td>\n<td style=\"text-align: left;\"><em>Non-root local<\/em><\/td>\n<td style=\"text-align: left;\">If type is <code>ext2<\/code> or <code>ext3<\/code> and mount point not &#8216;\/&#8217;, add <code>nodev<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-4<\/td>\n<td style=\"text-align: left;\"><em>Removable storage<\/em><\/td>\n<td style=\"text-align: left;\">Add <code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-5<\/td>\n<td style=\"text-align: left;\"><em>Temporary storage<\/em><\/td>\n<td style=\"text-align: left;\">Add <code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-6<\/td>\n<td style=\"text-align: left;\"><code>\/dev\/shm<\/code><\/td>\n<td style=\"text-align: left;\">Add <code>nosuid<\/code>, <code>nodev<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-7<\/td>\n<td style=\"text-align: left;\"><code>\/dev<\/code><\/td>\n<td style=\"text-align: left;\">Add <code>nosuid<\/code> and <code>noexec<\/code>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Config<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em> or <code>Value<\/code><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-FileSystems-Mount-1<\/td>\n<td style=\"text-align: left;\"><code>CONFIG_DEVTMPFS_MOUNT<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em> or add remount with <code>noexec<\/code> and 
<code>nosuid<\/code> to <br \/>system startup.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Label<\/code> name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-Floor-1<\/td>\n<td style=\"text-align: left;\"><code>^<\/code><\/td>\n<td style=\"text-align: left;\">Only for privileged system services.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-Floor-2<\/td>\n<td style=\"text-align: left;\"><code>*<\/code><\/td>\n<td style=\"text-align: left;\">Used for device files or <code>\/tmp<\/code> Access restriction via DAC.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Label<\/code> name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-1<\/td>\n<td style=\"text-align: left;\"><code>System<\/code><\/td>\n<td style=\"text-align: left;\">Process should write only to file with transmute attribute.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-2<\/td>\n<td style=\"text-align: left;\"><code>System::run<\/code><\/td>\n<td style=\"text-align: left;\">Files are created with the directory label from user and <br \/>system Domain \u9818\u57df (transmute) Lock is implicit with <code>w<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-3<\/td>\n<td style=\"text-align: left;\"><code>System::Shared<\/code><\/td>\n<td style=\"text-align: left;\">Files are created with the directory label from <br \/>system Domain \u9818\u57df (transmute) User Domain \u9818\u57df has locked privilege.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-4<\/td>\n<td style=\"text-align: 
left;\"><code>System::Log<\/code><\/td>\n<td style=\"text-align: left;\">Some limitations may require adding <code>w<\/code> to enable append.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-5<\/td>\n<td style=\"text-align: left;\"><code>System::Sub<\/code><\/td>\n<td style=\"text-align: left;\">Isolation of risky subsystems.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Label<\/code> name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-1<\/td>\n<td style=\"text-align: left;\"><code>User::Pkg::$AppID<\/code><\/td>\n<td style=\"text-align: left;\">Only one label is allowed per App. A data directory is <br \/>created by the AppFw in <code>rwx<\/code> mode.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-2<\/td>\n<td style=\"text-align: left;\"><code>User::Home<\/code><\/td>\n<td style=\"text-align: left;\">The AppFw needs to create a directory in <code>\/home\/$USER\/App-Shared<\/code> <br \/>at first launch if it is not present; the label granting app-data access is<br \/> <code>User::App-Shared<\/code>, without transmute.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Kernel-MAC-System-3<\/td>\n<td style=\"text-align: left;\"><code>User::App-Shared<\/code><\/td>\n<td style=\"text-align: left;\">Shared space between all Apps running for a given user.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5e73\u53f0\u914d\u7f6e\u8207\u5efa\u8b70<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-SystemD-1<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Use Namespaces for 
containerization.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-SystemD-2<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Use CGroups to organise processes.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-DBus-1<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Use D-Bus as IPC.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-DBus-2<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Apply D-BUS security patches: <a href=\"https:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-13442\/D-bus-Project.html\">D-Bus CVE<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Tool<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-1<\/td>\n<td style=\"text-align: left;\"><code>connman<\/code><\/td>\n<td style=\"text-align: left;\"><em>Used<\/em> as a connection manager.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-2<\/td>\n<td style=\"text-align: left;\"><code>bluez<\/code><\/td>\n<td style=\"text-align: left;\"><em>Used<\/em> as a Bluetooth manager.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-3<\/td>\n<td style=\"text-align: left;\"><code>gstreamer<\/code><\/td>\n<td style=\"text-align: left;\"><em>Used<\/em> to manage multimedia file format.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-4<\/td>\n<td style=\"text-align: left;\"><code>alsa<\/code><\/td>\n<td 
style=\"text-align: left;\"><em>Used<\/em> to provide an API for sound card device drivers.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-AGLFw-AppFw-1<\/td>\n<td style=\"text-align: left;\">Security model<\/td>\n<td style=\"text-align: left;\">Use the AppFw as the security model.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-AGLFw-Cynara-1<\/td>\n<td style=\"text-align: left;\">Permissions<\/td>\n<td style=\"text-align: left;\">Use Cynara as the policy-checker service.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Tool<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-1<\/td>\n<td style=\"text-align: left;\"><code>busybox<\/code><\/td>\n<td style=\"text-align: left;\"><em>Used<\/em> to provide a number of tools. 
Do not compile development tools.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Utility<\/code> name and normal <code>path<\/code><\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-1<\/td>\n<td style=\"text-align: left;\"><code>chgrp<\/code> in <code>\/bin\/chgrp<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-2<\/td>\n<td style=\"text-align: left;\"><code>chmod<\/code> in <code>\/bin\/chmod<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-3<\/td>\n<td style=\"text-align: left;\"><code>chown<\/code> in <code>\/bin\/chown<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-4<\/td>\n<td style=\"text-align: left;\"><code>dmesg<\/code> in <code>\/bin\/dmesg<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-5<\/td>\n<td style=\"text-align: left;\"><code>dnsdomainname<\/code> in <code>\/bin\/dnsdomainname<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-6<\/td>\n<td style=\"text-align: left;\"><code>dropbear<\/code>, remove &quot;dropbear&quot; from <code>\/etc\/init.d\/rcs<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-7<\/td>\n<td style=\"text-align: left;\"><code>Editors<\/code> (vi) in <code>\/bin\/vi<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: 
left;\">Platform-Utilities-8<\/td>\n<td style=\"text-align: left;\"><code>find<\/code> in <code>\/bin\/find<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-9<\/td>\n<td style=\"text-align: left;\"><code>gdbserver<\/code> in <code>\/bin\/gdbserver<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-10<\/td>\n<td style=\"text-align: left;\"><code>hexdump<\/code> in <code>\/bin\/hexdump<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-11<\/td>\n<td style=\"text-align: left;\"><code>hostname<\/code> in <code>\/bin\/hostname<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-12<\/td>\n<td style=\"text-align: left;\"><code>install<\/code> in <code>\/bin\/install<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-13<\/td>\n<td style=\"text-align: left;\"><code>iostat<\/code> in <code>\/bin\/iostat<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-14<\/td>\n<td style=\"text-align: left;\"><code>killall<\/code> in <code>\/bin\/killall<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-15<\/td>\n<td style=\"text-align: left;\"><code>klogd<\/code> in <code>\/sbin\/klogd<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-16<\/td>\n<td style=\"text-align: left;\"><code>logger<\/code> in <code>\/bin\/logger<\/code><\/td>\n<td style=\"text-align: 
left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-17<\/td>\n<td style=\"text-align: left;\"><code>lsmod<\/code> in <code>\/sbin\/lsmod<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-18<\/td>\n<td style=\"text-align: left;\"><code>pmap<\/code> in <code>\/bin\/pmap<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-19<\/td>\n<td style=\"text-align: left;\"><code>ps<\/code> in <code>\/bin\/ps<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-20<\/td>\n<td style=\"text-align: left;\"><code>ps<\/code> in <code>\/bin\/ps<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-21<\/td>\n<td style=\"text-align: left;\"><code>rpm<\/code> in <code>\/bin\/rpm<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-22<\/td>\n<td style=\"text-align: left;\"><code>SSH<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-23<\/td>\n<td style=\"text-align: left;\"><code>stbhotplug<\/code> in <code>\/sbin\/stbhotplug<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-24<\/td>\n<td style=\"text-align: left;\"><code>strace<\/code> in <code>\/bin\/trace<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-25<\/td>\n<td style=\"text-align: left;\"><code>su<\/code> in <code>\/bin\/su<\/code><\/td>\n<td style=\"text-align: 
left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-26<\/td>\n<td style=\"text-align: left;\"><code>syslogd<\/code> in (logger) <code>\/bin\/logger<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-27<\/td>\n<td style=\"text-align: left;\"><code>top<\/code> in <code>\/bin\/top<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-28<\/td>\n<td style=\"text-align: left;\"><code>UART<\/code> in <code>\/proc\/tty\/driver\/<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-29<\/td>\n<td style=\"text-align: left;\"><code>which<\/code> in <code>\/bin\/which<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-30<\/td>\n<td style=\"text-align: left;\"><code>who<\/code> and <code>whoami<\/code> in <code>\/bin\/whoami<\/code><\/td>\n<td style=\"text-align: left;\"><em>Disabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-31<\/td>\n<td style=\"text-align: left;\"><code>awk<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-32<\/td>\n<td style=\"text-align: left;\"><code>cut<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-33<\/td>\n<td style=\"text-align: left;\"><code>df<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-34<\/td>\n<td style=\"text-align: left;\"><code>echo<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td 
style=\"text-align: left;\">Platform-Utilities-35<\/td>\n<td style=\"text-align: left;\"><code>fdisk<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-36<\/td>\n<td style=\"text-align: left;\"><code>grep<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-37<\/td>\n<td style=\"text-align: left;\"><code>mkdir<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-38<\/td>\n<td style=\"text-align: left;\"><code>mount<\/code> (vfat) (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-39<\/td>\n<td style=\"text-align: left;\"><code>printf<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-40<\/td>\n<td style=\"text-align: left;\"><code>sed<\/code> in <code>\/bin\/sed<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-41<\/td>\n<td style=\"text-align: left;\"><code>tail<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-42<\/td>\n<td style=\"text-align: left;\"><code>tee<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Utilities-43<\/td>\n<td style=\"text-align: left;\"><code>test<\/code> (busybox)<\/td>\n<td style=\"text-align: left;\"><em>Enabled<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th 
style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-1<\/td>\n<td style=\"text-align: left;\">Main application<\/td>\n<td style=\"text-align: left;\">Should not execute as root.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-2<\/td>\n<td style=\"text-align: left;\">UI<\/td>\n<td style=\"text-align: left;\">Should run in the context of a user with no capabilities.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\"><code>Utility<\/code> name<\/th>\n<th style=\"text-align: left;\"><em>State<\/em><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-3<\/td>\n<td style=\"text-align: left;\"><code>login<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-4<\/td>\n<td style=\"text-align: left;\"><code>su<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-5<\/td>\n<td style=\"text-align: left;\"><code>ssh<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-6<\/td>\n<td style=\"text-align: left;\"><code>scp<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-root-7<\/td>\n<td style=\"text-align: left;\"><code>sftp<\/code><\/td>\n<td style=\"text-align: left;\"><em>Not allowed<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u61c9\u7528\u914d\u7f6e\u5efa\u8b70<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td 
style=\"text-align: left;\">Application-Installation-1<\/td>\n<td style=\"text-align: left;\">AppFw<\/td>\n<td style=\"text-align: left;\">Provide offline-mode in order to install app with the base image.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Installation-2<\/td>\n<td style=\"text-align: left;\">Integrity<\/td>\n<td style=\"text-align: left;\">Allow the installation of applications only if their integrity is good.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u9023\u63a5\u6027\u914d\u7f6e\u5efa\u8b70<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Tech name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-BusAndConnector-Bus-1<\/td>\n<td style=\"text-align: left;\">CAN<\/td>\n<td style=\"text-align: left;\">Implement hardware solution in order to <br \/>prohibit sending unwanted signals.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Tech name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-BusAndConnector-Connectors-1<\/td>\n<td style=\"text-align: left;\">USB<\/td>\n<td style=\"text-align: left;\">Must be disabled. 
If not, only enable <br \/>the minimum required USB devices.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-BusAndConnector-Connectors-2<\/td>\n<td style=\"text-align: left;\">USB<\/td>\n<td style=\"text-align: left;\">Confidential data exchanged with the ECU <br \/>over USB must be secured.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-BusAndConnector-Connectors-3<\/td>\n<td style=\"text-align: left;\">USB<\/td>\n<td style=\"text-align: left;\">USB boot on an ECU must be disabled.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-BusAndConnector-Connectors-4<\/td>\n<td style=\"text-align: left;\">OBD-II<\/td>\n<td style=\"text-align: left;\">Must be disabled outside garages.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-1<\/td>\n<td style=\"text-align: left;\">Update<\/td>\n<td style=\"text-align: left;\">Always follow the latest updates of remote communication channels.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Tech name or object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Wifi-1<\/td>\n<td style=\"text-align: left;\">WEP, PSK, TKIP<\/td>\n<td style=\"text-align: left;\">Disabled<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Wifi-2<\/td>\n<td style=\"text-align: left;\">WPA2 and AES-CCMP<\/td>\n<td style=\"text-align: left;\">Used<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Wifi-3<\/td>\n<td style=\"text-align: left;\">WPA2<\/td>\n<td style=\"text-align: left;\">Should protect against data 
sniffing.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Wifi-4<\/td>\n<td style=\"text-align: left;\">PSK<\/td>\n<td style=\"text-align: left;\">Change the password regularly.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Wifi-5<\/td>\n<td style=\"text-align: left;\">Device<\/td>\n<td style=\"text-align: left;\">Easily upgradable in software or firmware to have the <br \/>latest security update.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Tech name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-1<\/td>\n<td style=\"text-align: left;\">BLE<\/td>\n<td style=\"text-align: left;\">Use with caution.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-2<\/td>\n<td style=\"text-align: left;\">Bluetooth<\/td>\n<td style=\"text-align: left;\">Monitoring<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-3<\/td>\n<td style=\"text-align: left;\">SSP<\/td>\n<td style=\"text-align: left;\">Avoid using the &quot;Just Works&quot; association model.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-4<\/td>\n<td style=\"text-align: left;\">Visibility<\/td>\n<td style=\"text-align: left;\">Configured by default as undiscoverable. 
Except when needed.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Bluetooth-5<\/td>\n<td style=\"text-align: left;\">Anti-scanning<\/td>\n<td style=\"text-align: left;\">Used, inter alia, to slow down brute force attacks.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Tech name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Cellular-1<\/td>\n<td style=\"text-align: left;\">GPRS\/EDGE<\/td>\n<td style=\"text-align: left;\">Avoid<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Cellular-2<\/td>\n<td style=\"text-align: left;\">UMTS\/HSPA<\/td>\n<td style=\"text-align: left;\">Protected against Jamming.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Tech name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-Radio-1<\/td>\n<td style=\"text-align: left;\">RDS<\/td>\n<td style=\"text-align: left;\">Only audio output and meta concerning radio.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Tech name<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-NFC-1<\/td>\n<td style=\"text-align: left;\">NFC<\/td>\n<td style=\"text-align: left;\">Protected against relay and replay attacks.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-NFC-2<\/td>\n<td style=\"text-align: left;\">Device<\/td>\n<td style=\"text-align: left;\">Disable unneeded and unapproved services and 
profiles.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u61c9\u7528\u4e0b\u8f09\u914d\u7f6e\u5efa\u8b70<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Download-1<\/td>\n<td style=\"text-align: left;\">Authentication<\/td>\n<td style=\"text-align: left;\">Must implement an authentication process.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Download-2<\/td>\n<td style=\"text-align: left;\">Authorization<\/td>\n<td style=\"text-align: left;\">Must implement an authorization process.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-1<\/td>\n<td style=\"text-align: left;\">Packet<\/td>\n<td style=\"text-align: left;\">Should implement a DPI.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-2<\/td>\n<td style=\"text-align: left;\">DoS<\/td>\n<td style=\"text-align: left;\">Must implement DoS protection.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-3<\/td>\n<td style=\"text-align: left;\">Test<\/td>\n<td style=\"text-align: left;\">Should implement scanning tools like SAST and DAST.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-4<\/td>\n<td style=\"text-align: left;\">Log<\/td>\n<td style=\"text-align: left;\">Should implement security tools (IDS and IPS).<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Infrastructure-5<\/td>\n<td style=\"text-align: left;\">App integrity<\/td>\n<td style=\"text-align: left;\">Applications 
must be signed by the code signing authority.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Object<\/th>\n<th style=\"text-align: left;\">Recommendations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Cloud-Transport-1<\/td>\n<td style=\"text-align: left;\">Integrity, confidentiality and legitimacy<\/td>\n<td style=\"text-align: left;\">Should implement IPSec standards.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>A2. Todo Notes\uff08\u5f85\u8fa6\u4e8b\u9805\u8a18\u9304\uff09<\/h3>\n<h4>\u555f\u52d5\u76f8\u95dc<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Abstract-1<\/td>\n<td style=\"text-align: left;\">More generic and add examples (The chain of trust).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Abstract-1<\/td>\n<td style=\"text-align: left;\">Review the definition of the &quot;boot loader&quot;.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Boot-Consoles-1<\/td>\n<td style=\"text-align: left;\">Secure loader: No reference earlier?<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u865b\u64ec\u6a5f\u76f8\u95dc<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: 
left;\">Hypervisor-Abstract-1<\/td>\n<td style=\"text-align: left;\">Complete Hypervisor part (<a href=\"https:\/\/github.com\/siemens\/jailhouse\">jailhouse<\/a> \/ <a href=\"https:\/\/www.linux-kvm.org\/page\/Main_Page\">KVM<\/a> \/ <a href=\"https:\/\/www.xenproject.org\/developers\/teams\/embedded-and-automotive.html\">Xen<\/a>).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5167\u6838\u76f8\u95dc<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-IndependentExec-1<\/td>\n<td style=\"text-align: left;\">Kernel or\/and platform part ?<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Kernel-General-LibraryLinking-1<\/td>\n<td style=\"text-align: left;\">Keep this part?<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5e73\u53f0\u76f8\u95dc<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Abstract-1<\/td>\n<td style=\"text-align: left;\">Create a graphics and sound part.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Services-1<\/td>\n<td style=\"text-align: left;\">SystemD ?<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Services-2<\/td>\n<td style=\"text-align: left;\">Secure daemon ?<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain 
\u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-Capabilities-1<\/td>\n<td style=\"text-align: left;\">Kernel or Platform-user?<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Platform-Users-Capabilities-2<\/td>\n<td style=\"text-align: left;\">Add config note.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u61c9\u7528\u76f8\u95dc<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Installation-1<\/td>\n<td style=\"text-align: left;\">Talk about AppFw offline mode.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Signature-1<\/td>\n<td style=\"text-align: left;\">Add content (see secure build in Secure development part).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Application-Services-1<\/td>\n<td style=\"text-align: left;\">Add content (Which services?).<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Application-Services-2<\/td>\n<td style=\"text-align: left;\">Add Binder.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u9023\u63a5\u76f8\u95dc<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Abstract-1<\/td>\n<td style=\"text-align: left;\">Improve 
abstract.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Connectivity-Wireless-1<\/td>\n<td style=\"text-align: left;\">Add communication channels (RFID, ZigBee?).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5347\u7d1a\u76f8\u95dc<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">Update-SOTA-1<\/td>\n<td style=\"text-align: left;\">Part to complete.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5b89\u5168\u958b\u767c\u76f8\u95dc<\/h4>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">SecureDev-SecureBuild-1<\/td>\n<td style=\"text-align: left;\">Add content.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">SecureDev-Signatures-1<\/td>\n<td style=\"text-align: left;\">Add content.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Domain \u9818\u57df<\/th>\n<th style=\"text-align: left;\">Improvement \u6539\u9032<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">SecureDev-CodeAudit-1<\/td>\n<td style=\"text-align: left;\">Add CVE analyser.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">SecureDev-CodeAudit-2<\/td>\n<td style=\"text-align: left;\"><a 
href=\"http:\/\/www.isecom.org\/mirror\/OSSTMM.3.pdf\">OSSTMM<\/a>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>AGL \u5b89\u5168\u85cd\u5716(master 2023-09) \u6f22\u5316\u5f8c\u7a0d\u5fae\u6aa2\u67e5\u4e86\u4e00\u4e0b\u5f88\u9069\u5408\u6211\u5011\u53c3\u8003\u3002 1. \u5b89\u5168\u85cd\u5716\u6982\u89bd \u8207&#8230; &raquo; <a class=\"read-more-link\" href=\"https:\/\/vm1.go2see.me\/?p=500\">\u95b1\u8b80\u5168\u6587<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,10,11],"tags":[],"class_list":["post-500","post","type-post","status-publish","format-standard","hentry","category-agl","category-embedded","category-linux"],"_links":{"self":[{"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=\/wp\/v2\/posts\/500","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=500"}],"version-history":[{"count":4,"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=\/wp\/v2\/posts\/500\/revisions"}],"predecessor-version":[{"id":504,"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=\/wp\/v2\/posts\/500\/revisions\/504"}],"wp:attachment":[{"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=500"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=500"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vm1.go2see.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=500"}],"curies":[{"name":"wp","href":"https:\
/\/api.w.org\/{rel}","templated":true}]}}