Application platform

Applications that run on an Azure Sphere device operate in a sandboxed container. This environment is designed to maintain the security of software and data and to prevent disruption of service.

The figure shows the software elements of the application platform. Microsoft-supplied elements are gray, and manufacturer-supplied elements are white.

Figure: Azure Sphere Application Platform

The application platform supports two operating environments: Normal World and Secure World. Azure Sphere applications run in an application container in Normal World user mode and have access to the Azure Sphere libraries and a limited set of OS services. The underlying custom Linux kernel, which includes Microsoft-supplied device drivers, runs in Normal World supervisor mode, and the Security Monitor runs in Secure World. Only Microsoft-supplied code can run in supervisor mode or in Secure World.

Applications run in containers that support a subset of the POSIX environment. System functions are accessible only through the Azure Sphere libraries and run-time services; the complete set of POSIX system functions is not available.

At the hardware level (not shown in the diagram), a security subsystem provides a hardware-based secure root of trust. At device boot, the security subsystem validates overall hardware security, then brings up other components only after validating that their firmware is correctly signed. Similarly, the firmware validates the security of the next layer of software before loading it, and each subsequent layer of software validates the layer above it.

Application security

The Azure Sphere application platform is designed to ensure the security of the device, the application, and its data. Application security features include:

  • Limited access to external resources
  • Application capabilities
  • Signing requirements
  • Device capabilities

Access to resources

To prevent malicious interference from outside software, Azure Sphere applications have access only to libraries and run-time services that Microsoft provides. The libraries are restricted to ensure that the platform remains secure and can be easily updated. Among other constraints, they do not support direct file I/O, inter-process communication (IPC), or shell access.

Application capabilities

Application capabilities are the resources that an application requires. They include the GPIO and UART peripherals that the application uses, the internet hosts to which it connects, and permission to change the Wi-Fi configuration. Every application must have an application manifest, which identifies these resources; anything not declared there is unavailable to the application.
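As an added illustration (not code from this page or from the Azure Sphere OS), the following Python models the deny-by-default rule the manifest expresses: it parses a constructed app_manifest.json, collects the declared capabilities, and answers whether a given peripheral, host or Wi-Fi-configuration request is covered. The manifest field names (Capabilities.Gpio, Uart, AllowedConnections, WifiConfig) follow the Azure Sphere manifest schema as the author of this example understands it; the ComponentId GUID, pin numbers and hostname are made up for the example. The checker is a pre-deployment lint that mirrors the rule described above, not the OS's own enforcement code.

```python
import json

# Constructed example of an Azure Sphere app_manifest.json. The field names
# follow the manifest schema as understood by the author of this example; the
# ComponentId, pins and host are invented sample values.
SAMPLE_MANIFEST = """
{
  "SchemaVersion": 1,
  "Name": "SensorUploader",
  "ComponentId": "7d4a2f3e-1b2c-4d5e-8f90-123456789abc",
  "EntryPoint": "/bin/app",
  "CmdArgs": [],
  "Capabilities": {
    "Gpio": [ 8, 9 ],
    "Uart": [ "ISU0" ],
    "AllowedConnections": [ "telemetry.example.com" ],
    "WifiConfig": false
  },
  "ApplicationType": "Default"
}
"""


def load_capabilities(manifest_text):
    """Parse a manifest and return its declared capabilities, normalised so
    that a missing or empty Capabilities section means 'nothing allowed',
    which is the platform's deny-by-default stance."""
    manifest = json.loads(manifest_text)
    caps = manifest.get("Capabilities") or {}
    return {
        "gpio": {str(pin) for pin in caps.get("Gpio", [])},
        "uart": set(caps.get("Uart", [])),
        "hosts": {h.lower() for h in caps.get("AllowedConnections", [])},
        "wifi_config": bool(caps.get("WifiConfig", False)),
    }


def is_permitted(capabilities, kind, resource=None):
    """Model of the manifest check: a request is permitted only when the
    matching resource was declared. Hostnames compare case-insensitively."""
    if kind == "gpio":
        return str(resource) in capabilities["gpio"]
    if kind == "uart":
        return resource in capabilities["uart"]
    if kind == "host":
        return resource.lower() in capabilities["hosts"]
    if kind == "wifi_config":
        return capabilities["wifi_config"]
    # Unknown resource kinds are refused rather than silently allowed.
    return False


def undeclared_requests(capabilities, requests):
    """Given the (kind, resource) pairs an application intends to use, return
    those the manifest does not cover. Run this before packaging so that a
    missing declaration fails here instead of at run time on the device."""
    return [r for r in requests if not is_permitted(capabilities, *r)]


if __name__ == "__main__":
    caps = load_capabilities(SAMPLE_MANIFEST)
    planned = [("gpio", 8), ("uart", "ISU0"),
               ("host", "other.example.com"), ("wifi_config",)]
    for missing in undeclared_requests(caps, planned):
        print("not declared in manifest:", missing)
```

The `undeclared_requests` call is the useful entry point: feed it the resources your code actually touches and it lists the manifest entries you still need to add, which is the same mismatch the device would otherwise refuse at run time.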

Signing requirements

All image packages deployed to an Azure Sphere device must be signed. The Visual Studio Extension for Azure Sphere Preview and the azsphere image package command sign image packages for testing by using an SDK signing key. Azure Sphere devices trust this key only if the appDevelopment device capability is also present.

The Azure Sphere Security Service production-signs image packages when you upload them to the cloud. Production-signed image packages can be sideloaded or loaded over the air (OTA).

Device capabilities

A device capability allows a user to perform a device-specific activity. Device capabilities are granted by the Azure Sphere Security Service and are stored in flash memory on the Azure Sphere chip. By default, Azure Sphere chips have no device capabilities.

The appDevelopment device capability changes the type of signing that the device trusts. By default, Azure Sphere devices trust production-signed image packages but do not trust SDK-signed image packages. As a result, you cannot sideload an SDK-signed image package to an Azure Sphere device that does not have this capability. When the appDevelopment capability is present, however, the device trusts SDK-signed image packages. In addition, it enables a user to start, stop, debug, or remove an application from the device. In summary, the appDevelopment capability must be present on the device before you can:

  • Sideload an image package that was built by Visual Studio or the azsphere image package command.
  • Start, stop, debug, or remove an image package from the Azure Sphere device, regardless of how the image package is signed.

The azsphere device prep-debug command creates and applies the appDevelopment capability and prevents the device from receiving over-the-air (OTA) updates. Bear this in mind before enabling it on a device that must keep receiving updates: the capability is stored in flash and persists until it is removed.