The HongMeng Kernel is a
microkernel, enabling greater modularity and larger portions of the OS to benefit from
memory protection. For greater performance, it also allows operating system services to be brought into the kernel when necessary for a particular application. It also contains a security hardening architecture for the
Linux API/ABI compatibility module based on an
SELinux module adapter. In embedded applications, the HongMeng kernel can be configured to run drivers in user space. , the current version of the HongMeng kernel used in
HarmonyOS 6 is 1.11.0. HongMeng Kernel objects used as carriers for data transmission during IPC communication. The
capability system ensures only the capability to read from or write to kernel objects can receive or send messages through these objects. As a result, the content of messages has inability to insert malicious processes. the kernel code in HongMeng Kernel is less than one-fourth in size, significantly reducing occurrence of vulnerabilities on the kernel. On HongMeng Kernel, the HKIP module provides various protection mechanisms. Other than code, the read-only data, and kernel page table, other critical structures within the kernel are not protected by HKIP. The finer-grained kernel module isolation featured in HongMeng kernel, which divides kernel resources into multiple types, different types are managed by corresponding modules, and modules communicate with each other through the IPC mechanism, which has a better effect on multiple modules defense against attacks. Then it divides the permissions between modules in a
fine-grained manner and communicates between modules through IPC, making it difficult for attackers to evolve the attack results of one module into the attack results of the entire system. HongMeng Kernel loads the driver in user mode, making it difficult to trigger an attack against drivers to an attack against the kernel EL1 layer by strictly obtaining only EL0 permissions. The Star Shield Security Architecture in OpenHarmony-based systems with
HarmonyOS operates at both system level and kernel level of Address Tokens, with a comprehensive approach that spans multiple layers. OpenHarmony's security architecture inherently relies on kernel-level security as the foundation for Process isolation and memory protection, Mandatory Access Control (MAC) systems, Secure boot and system integrity verification, Hardware-based security features, Comprehensive Layered Approach. The architecture implements "defense in depth" with security
hardening measures at Hardware level (trusted execution environments), Kernel level (fundamental isolation and access control), System level (application framework security, permissions) Access Token Manager (ATM)
access control which is a combination of
RBAC and
Capability-based and Application level (sandboxing, data protection) that is a unified security model that adapts to different hardware capabilities while maintaining consistent security principles from kernel to application layer. The HongMeng Kernel's L5 certification represents the highest security level for OpenHarmony-based devices. This level requires formal verification of core system software modules, hardware components resilient to physical and laboratory-simulated attacks, and dedicated security chips to establish a hardware-rooted trust chain during boot, storage, and execution. == History ==