The system definition

System positioning

HarmonyOS is a “future-oriented” distributed operating system for all scenarios (mobile office, sports and health, social communications, media and entertainment). Building on traditional single-device system capabilities, HarmonyOS takes a distributed approach in which the same system capabilities serve multiple kinds of device, including mobile phones, tablets, smart wearables, smart screens and mobile devices.

  • For consumers, HarmonyOS integrates the capabilities of a wide range of devices, enabling fast connectivity, mutual assistance and resource sharing between them, matching the right device to each task and providing a seamless, holistic experience.
  • For application developers, HarmonyOS uses a variety of distributed technologies so that application development is independent of the form factors of different devices. This lets developers focus on upper-level business logic, making application development easier and more efficient.
  • For device developers, HarmonyOS uses a component-based design that is tailored to the resource capabilities and service characteristics of each device, meeting the operating system requirements of different terminal devices.

HarmonyOS provides APIs that support multiple development languages for application development. Supported development languages include Java, XML (Extensible Markup Language), C/C++, JS (JavaScript), CSS (Cascading Style Sheets), and HML (HarmonyOS Markup Language).

System architecture

HarmonyOS follows a hierarchical design that, from the bottom up, includes the kernel layer, system service layer, framework layer, and application layer. System functions are organized level by level as System > Subsystem > Function/Module. In multi-device deployment scenarios, unnecessary subsystems, functions or modules can be tailored out based on actual requirements. The technical architecture of HarmonyOS is shown below.

The kernel layer

Kernel subsystem: HarmonyOS uses a multi-kernel design, allowing an appropriate OS kernel to be selected for resource-constrained devices. The Kernel Abstraction Layer (KAL) shields the differences between kernels and provides basic kernel capabilities, including process/thread management, memory management, file system, network management, and peripheral management, to the upper layers.

Driver subsystem: The Hardware Driver Framework (HDF) is the foundation of the HarmonyOS open hardware ecosystem, providing unified peripheral access and a driver development and management framework.

System service layer

The system service layer is the core set of HarmonyOS capabilities; it provides services to applications through the framework layer. This layer contains the following parts:

  • System basic capability subsystem set: provides the basic capabilities for running, scheduling, and migrating distributed applications across HarmonyOS devices. It consists of the distributed soft bus, distributed data management, distributed task scheduling, Ark multi-language runtime, common base library, multimodal input, graphics, security, AI, and other subsystems. Among them, the Ark runtime provides the C/C++/JS multi-language runtime and the basic system class library, and also provides the runtime for Java programs statically compiled with the Ark compiler (that is, the parts of the application or framework layer developed in Java).
  • Basic software service subsystem set: provides common, universal software services for HarmonyOS. It consists of subsystems such as event notification, telephony, multimedia, DFX (Design For X), and MSDP&DV.
  • Enhanced software service subsystem set: provides differentiated, enhanced software services for HarmonyOS on different kinds of device. It consists of the smart screen proprietary, wearable proprietary, and IoT proprietary subsystems.
  • Hardware service subsystem set: provides hardware services for HarmonyOS, comprising subsystems such as location services, biometrics, wearable proprietary hardware services, and IoT proprietary hardware services.

Depending on the deployment environment of each device, the basic software service subsystem set, enhanced software service subsystem set, and hardware service subsystem set can be tailored at subsystem granularity, and each subsystem can be tailored at function granularity.

The framework layer

The framework layer provides the Java/C/C++/JS user application framework and the Ability framework for HarmonyOS application development, two UI frameworks (the Java UI framework for Java and the JS UI framework for JS), and the multi-language framework APIs through which the various software and hardware services are exposed. Depending on the degree of component-based tailoring, HarmonyOS devices support different sets of APIs.

The application layer

The application layer includes system applications and third-party, non-system applications. A HarmonyOS application consists of one or more FAs (Feature Abilities) or PAs (Particle Abilities). An FA has a UI and provides the ability to interact with users. A PA has no UI; it provides the ability to run tasks in the background and a unified data access abstraction. The background data access an FA needs during user interaction is also supported by a corresponding PA. Applications developed on the basis of FAs and PAs can implement specific service functions, support cross-device scheduling and distribution, and provide users with a consistent and efficient application experience.

Technical characteristics

Hardware mutual assistance, resource sharing

A variety of devices can implement hardware mutual assistance and resource sharing, relying on key technologies such as the distributed soft bus, distributed device virtualization, distributed data management, and distributed task scheduling.

Distributed soft bus

The distributed soft bus is the communication base for distributed devices such as mobile phones, tablets, smart wearables, smart screens, and vehicles. It provides unified distributed communication capabilities for interconnecting devices and creates the conditions for imperceptible discovery and zero-wait transmission between devices. Developers only need to focus on implementing business logic and do not need to deal with networking or the underlying protocols. The schematic diagram of the distributed soft bus is shown in Figure 1.

Typical application scenarios:

  • Smart home scenario: when cooking, the mobile phone can connect to the oven with a touch, automatically set the cooking parameters according to the recipe, and control the oven to cook the dish. Similarly, food processors, range hoods, air purifiers, air conditioners, lights and curtains can all be displayed and controlled from the phone, with no complicated configuration between devices.
  • Multi-screen classroom: teachers interact with students through smart screens to create a classroom atmosphere, while students complete course study and in-class Q&A on their mobile phones. A unified, fully connected logical network ensures a high-bandwidth, low-latency and highly reliable transmission channel.

Figure 1 schematic diagram of distributed soft bus

Distributed Device Virtualization

The distributed device virtualization platform enables different devices to merge resources, manage devices, and process data, so that multiple devices form a super virtual terminal. For each type of task, the platform matches and selects the execution hardware with the appropriate capabilities, so that business can flow continuously between devices and each device's strengths, such as display capability, camera capability, audio capability, interaction capability and sensor capability, are fully used. See Figure 2 for distributed device virtualization.

Typical application scenarios:

  • Video call scenario: When you answer a video call while doing housework, you can connect your mobile phone to a smart screen and virtualize the screen, camera, and speaker of the smart screen as local resources, replacing the screen, camera, headset, and speaker of your mobile phone. In this way, you can make video calls using the smart screen and speaker while doing housework.
  • Game scenario: When playing games on the smart screen, the mobile phone can be virtualized as a remote control, and the phone's gravity sensor, acceleration sensor and touch control capabilities give players a more convenient and smoother gaming experience.

Figure 2 Distributed device virtualization diagram

Distributed data management

Distributed data management builds on the distributed soft bus to manage application data and user data in a distributed way. User data is no longer bound to a single physical device, business logic is separated from data, and processing data across devices becomes as fast and convenient as processing local data. This makes it easy for developers to implement data storage, sharing and access across multiple devices in all scenarios, and lays the foundation for a consistent and smooth user experience. A diagram of distributed data management is shown in Figure 3.

Typical application scenarios:

  • Collaborative office scenario: a document can be flipped through, zoomed, or doodled on, and its latest state is displayed on the smart screen.
  • Family outing scenario: When the family goes out, mom takes a lot of photos with her mobile phone. With family photo sharing, dad can view, bookmark and save the photos on his phone, and the grandparents can view them on the smart screen.

Figure 3 Schematic diagram of distributed data management

Distributed task scheduling

Based on the distributed soft bus, distributed data management, and distributed profiles, distributed task scheduling builds a unified distributed service management mechanism (discovery, synchronization, registration, and invocation) that supports remote startup, invocation, connection, and migration of applications across devices. It selects the appropriate device to run a distributed task based on the capabilities, location, service running status and resource usage of each device, together with the user's habits and intentions.

Figure 4 illustrates the distributed task scheduling capability briefly, using application migration as an example.

Typical application scenarios:

  • Navigation scenario: If the user drives, the navigation route is planned on the phone before getting into the car; after getting in, the navigation automatically migrates to the in-vehicle system and the car speakers; when the user gets out, the navigation automatically migrates back to the phone. If the user rides a bike, he or she plans the route on the phone, and the watch can continue the navigation while riding.
  • Takeaway scenario: After ordering takeaway on the mobile phone, the order information can be transferred to the watch so that the delivery status can be checked at any time.

Figure 4 Schematic diagram of distributed task scheduling

One development, multiple deployment

HarmonyOS provides the user application framework, the Ability framework, and the UI framework so that business logic and interface logic can be reused across terminals during application development. An application is developed once and deployed on multiple kinds of device, which improves cross-device application development efficiency. See Figure 5 for the schematic diagram of one-time development and multi-terminal deployment.

The UI framework supports two development languages, Java and JS, and provides rich polymorphic controls that render different UI effects on mobile phones, tablets, smart wearables, smart screens and cars. It adopts the industry's mainstream design methods, provides a variety of responsive layout schemes, supports grid layout, and can adapt the interface to different screens.

Figure 5. Schematic diagram of single development and multiple deployment

Unified OS and flexible deployment

HarmonyOS supports flexible, on-demand deployment on a variety of terminals by using component-based and miniaturized design methods to meet the differing hardware resources and functional requirements of each device. Component dependencies can be generated automatically from the build chain relationships to form a component-tree dependency graph, which makes product systems convenient to develop and lowers the threshold of hardware development.

  • Component selection (optional components): required components can be selected based on the hardware type and requirements.
  • Function set configuration (components can be large or small): the function set of a component can be configured based on the hardware resources and functional requirements. For example, only some of the controls in the graphics framework component can be selected.
  • Dependency relationships between components (platforms can be large or small): component dependencies are generated automatically from the build chain relationships. For example, selecting the graphics framework component automatically selects the graphics engine component it depends on.
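To make the dependency-driven selection concrete, here is an added Go example (not HarmonyOS build tooling; the component names and dependency edges are constructed) that computes the closure of components pulled in by a selection and reports a component that is missing from the graph.

```go
package main

import (
	"fmt"
	"sort"
)

// ComponentDeps plays the role of the dependency graph the build chain would generate
// (constructed example, not the real HarmonyOS component graph).
var ComponentDeps = map[string][]string{
	"graphics_framework":   {"graphics_engine", "multimodal_input"},
	"graphics_engine":      {"common_base_library"},
	"multimodal_input":     {"common_base_library"},
	"distributed_data":     {"distributed_soft_bus", "common_base_library"},
	"distributed_soft_bus": {"common_base_library"},
	"common_base_library":  {},
}

// Tailor returns the sorted set of components needed for a selection: each selected
// component plus everything it transitively depends on. It fails when a selected
// component, or one of its dependencies, is not present in the graph.
func Tailor(deps map[string][]string, selected ...string) ([]string, error) {
	chosen := map[string]bool{}
	var visit func(name, via string) error
	visit = func(name, via string) error {
		if chosen[name] {
			return nil // already pulled in (also terminates on cycles)
		}
		children, ok := deps[name]
		if !ok {
			return fmt.Errorf("unknown component %q (required by %s)", name, via)
		}
		chosen[name] = true
		for _, c := range children {
			if err := visit(c, name); err != nil {
				return err
			}
		}
		return nil
	}
	for _, s := range selected {
		if err := visit(s, "selection"); err != nil {
			return nil, err
		}
	}
	out := make([]string, 0, len(chosen))
	for name := range chosen {
		out = append(out, name)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	comps, err := Tailor(ComponentDeps, "graphics_framework")
	fmt.Println(comps, err)
}
```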

System security

HarmonyOS ensures that “the right people, using the right devices, are using the right data” on distributed terminals.

  • Ensure “the right person” through “distributed multi-party collaborative authentication”.
  • Ensure “the right device” by “building a trusted operating environment on distributed terminals”.
  • Ensure proper use of data by classifying and managing distributed data as it flows across terminals.

The right people

In the distributed terminal scenario, the “right person” is the authenticated data visitor and business operator. The “right person” is the prerequisite for ensuring that user data is not accessed illegally and user privacy is not leaked. HarmonyOS implements collaborative identity authentication through the following three aspects:

  • Zero-trust model: HarmonyOS uses the zero-trust model to authenticate users and control data access. When users need to access data resources across devices or perform high-security operations (for example, an operation on a security device), HarmonyOS authenticates users to ensure their identities are reliable.
  • Multi-factor authentication: HarmonyOS uses user identity management to improve authentication accuracy by associating authentication credentials that identify the same user on different devices.
  • Collaborative and mutual aid authentication: HarmonyOS decouples hardware from authentication capabilities (that is, information collection and authentication can be performed on different devices) to implement resource pooling and capability sharing among different devices. Devices with higher security levels assist devices with lower security levels in user identity authentication.

The right device

In distributed terminal scenarios, user data can be effectively protected on virtual terminals only when the devices used by users are secure and reliable.

  • Secure boot

Secure boot ensures that the system firmware and applications running on each virtual device are complete and untampered with at the source. Because of secure boot, the image packages of the various device manufacturers cannot be illegally replaced with malicious programs, which protects user data and privacy.

  • Trusted execution environment

A hardware-based Trusted Execution Environment (TEE) is provided to protect the storage and processing of users' sensitive personal data and ensure that the data is not compromised. Because the security capabilities of distributed terminal hardware differ, sensitive personal data must be stored and processed by devices with a high security level. The HarmonyOS TEE microkernel, developed and verified with mathematically verifiable formal methods, received the commercial OS kernel CC EAL5+ certification.

  • Device Certificate Authentication

A device certificate can be preset on a device that has a trusted execution environment, so that it can prove its security capability to other virtual terminals. For devices with a TEE, a Public Key Infrastructure (PKI) certificate is used to verify the device identity and ensure that the device was legally manufactured. The device certificate is preset on the production line; the private key of the device certificate is written to and stored in the TEE of the device, and is only ever used inside the TEE. When sensitive user data (such as keys and encrypted biometric information) must be transmitted, the device certificate is first used to verify the peer's security environment, and a secure channel is then established between the TEE of one device and the TEE of the other. See Figure 1.
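The certificate flow above, as an added Go example that is not HarmonyOS code: a constructed manufacturer root issues a device certificate for a device key, and a peer accepts only certificates that chain to that root, rejecting one issued by an unknown root. The root, subject names and validity periods are assumptions; on a real device the key would be generated and used inside the TEE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs template with parentKey; when parent == template the result is self-signed.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // bytes we just produced always parse
	return cert
}

// NewKey generates a P-256 key (on a real device this happens inside the TEE and the key never leaves it).
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader fails
	return k
}

// ManufacturerRoot stands in for the production-line CA (constructed, not any real vendor root).
func ManufacturerRoot() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := NewKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device Manufacturer Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueDeviceCert is the production-line step: the root certifies the device's TEE public key.
func IssueDeviceCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, devPub *ecdsa.PublicKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "device"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return issue(tmpl, root, devPub, rootKey)
}

// PeerTrusts is the check run before opening a TEE-to-TEE channel: the presented
// certificate must chain to the manufacturer root the verifying terminal already trusts.
func PeerTrusts(root, presented *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
```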

Figure 1 Schematic diagram of using the device certificate

Using data correctly

In the distributed terminal scenario, HarmonyOS ensures that data is used correctly. It protects the entire life cycle of data generation, storage, use, transmission and destruction, so that personal data and privacy, as well as confidential system data such as keys, are not compromised.

  • Data generation: Data is classified and graded according to the laws, regulations and standards of the country or organization where it resides, and a protection level is assigned according to its classification. Data at each protection level is protected with a different intensity, according to the corresponding security policy, throughout storage, use, and transmission. The access control system of the virtual super terminal supports label-based access control policies, which ensure that data is stored, used, and transmitted only between virtual terminals that provide sufficient security protection.
  • Data storage: HarmonyOS protects data by storing data in zones with different security protection capabilities based on different security levels. HarmonyOS provides seamless key flow across devices throughout the key life cycle and key access control across devices, supporting distributed identity authentication collaboration and distributed data sharing.
  • Data usage: HarmonyOS provides a trusted execution environment for devices through hardware. Sensitive personal data of users can be used only in the trusted execution environment of distributed virtual terminals to ensure data security and privacy.
  • Data transmission: To ensure that data flows securely between the devices of a virtual super terminal, each device must be correct and trusted, a trust relationship must be established (multiple devices are paired through a Huawei account), and, after the trust relationship is verified, a secure connection channel is established and data is transmitted securely according to the data flow rules. When devices communicate with each other, they are authenticated on the basis of their identity credentials; only then can an encrypted transmission channel be established.
  • Data destruction: Destroying the key means destroying the data. Data is stored in virtual terminals on the basis of keys. When data is destroyed, only the corresponding key is destroyed to complete data destruction.
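Two of the controls in the list above, as an added Go example that is not HarmonyOS code and uses a constructed security-level scale: a label-based flow check that refuses to store or send a record to a device that is not trusted or whose security level is below the record's label, and key destruction as data destruction, where an AES-GCM record becomes unrecoverable once its per-record key is wiped. The `Device` and `Record` types and their fields are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Device is a member of the virtual super terminal and what it can guarantee.
type Device struct {
	Name    string
	Level   int  // security level the device provides (higher is stronger)
	Trusted bool // trust relationship established (e.g. paired under one account)
}

type Record struct {
	Label  int    // protection level assigned at data generation
	Key    []byte // per-record data key; destroying it destroys the data
	Cipher []byte // AES-GCM nonce || ciphertext
}

// MayFlow is the label-based check applied before a record is stored on or sent to a device.
func MayFlow(r Record, to Device) error {
	if !to.Trusted {
		return errors.New(to.Name + ": no trust relationship")
	}
	if to.Level < r.Label {
		return errors.New(to.Name + ": security level below data label")
	}
	return nil
}

// gcm builds the AEAD for a 32-byte key; with a valid AES key length neither call can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts plaintext under a fresh 256-bit per-record key and a random 96-bit nonce.
func Seal(label int, plaintext []byte) Record {
	buf := make([]byte, 32+12)
	rand.Read(buf) // crypto/rand.Read is documented never to fail (Go 1.24+)
	key, nonce := buf[:32], buf[32:]
	return Record{Label: label, Key: key, Cipher: gcm(key).Seal(nonce, nonce, plaintext, nil)}
}

// Open recovers the plaintext; it fails once the key has been destroyed.
func Open(r Record) ([]byte, error) {
	if r.Key == nil {
		return nil, errors.New("key destroyed: data is unrecoverable")
	}
	return gcm(r.Key).Open(nil, r.Cipher[:12], r.Cipher[12:], nil)
}

// Destroy: "destroying the key means destroying the data"; the ciphertext may stay on storage.
func Destroy(r *Record) {
	clear(r.Key) // wipe the key material before dropping the reference
	r.Key = nil
}
```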