MIUI 13 Security White Paper - Xiaomi

2.1 Hardware Trusted Environment

2.1.1 Trusted Execution Environment (TEE)

MIUI supports a TEE (Trusted Execution Environment), a small secure operating system that runs in its own environment isolated from the main (Android) operating system, so that applications with higher security and privacy requirements can execute in isolation from Android.

Figure 2-1-1

The software and hardware resources that the TEE can access are separated from those of the main operating system. The TEE provides a secure execution environment for trusted applications and protects the confidentiality and integrity of, and the access permissions to, the data and resources belonging to those trusted applications. To guarantee the TEE's own root of trust, the TEE is verified and isolated from the main operating system during the secure boot process. Inside the TEE, trusted applications are independent of one another and cannot access each other without authorization. The TEE's internal APIs mainly cover key management, cryptographic algorithms, secure storage, a secure clock and other resources and services, as well as an extension for trusted UI.

Trusted UI means that while sensitive information is being displayed or a sensitive operation is being performed (e.g., entering a PIN or password), the hardware resources involved, such as the display and keyboard input, are controlled entirely by the TEE and cannot be accessed by software running in the Android system.

2.1.2 Device Attestation

To establish that a Xiaomi smartphone is genuine, Xiaomi pre-installs a device certificate in the TEE that uniquely identifies each phone. The public keys of these certificates are held centrally on Xiaomi's servers. In scenarios that require a higher level of security, an application can send an attestation request to Xiaomi's servers to verify that the device is authentic.
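The round trip that such an attestation request implies, written out as an added Go example that is not Xiaomi's code and not the protocol MIUI actually uses: the server keeps a registry of enrolled per-device public keys, sends a random nonce, and accepts the device only if its TEE-held private key has signed that nonce. Ed25519 as the signature scheme, the `attest:<id>:<nonce>` message format, the single-use nonce bookkeeping and the sample serial number are assumptions made for the example; the white paper states only that a certificate is provisioned in the TEE and that the public keys are held centrally.

```go
// Added example, not Xiaomi's code: challenge-response device attestation
// against a registry of per-device public keys (Ed25519 and message format assumed).
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AttestationServer stands in for the Xiaomi server holding each device's public key.
type AttestationServer struct {
	pubKeys map[string]ed25519.PublicKey // device ID -> enrolled public key
	pending map[string][]byte            // device ID -> outstanding single-use nonce
}

func NewAttestationServer() *AttestationServer {
	return &AttestationServer{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records a device's public key (assumed to happen at manufacture).
func (s *AttestationServer) Enroll(deviceID string, pub ed25519.PublicKey) {
	s.pubKeys[deviceID] = pub
}

// Challenge issues a fresh 32-byte nonce for an enrolled device.
func (s *AttestationServer) Challenge(deviceID string) ([]byte, error) {
	if _, ok := s.pubKeys[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[deviceID] = nonce
	return nonce, nil
}

// attestationMessage binds the nonce to the device ID, so one phone's signature cannot be relayed for another.
func attestationMessage(deviceID string, nonce []byte) []byte {
	return append([]byte("attest:"+deviceID+":"), nonce...)
}

// Verify checks the signature against the enrolled key and consumes the nonce.
func (s *AttestationServer) Verify(deviceID string, nonce, sig []byte) error {
	pub, ok := s.pubKeys[deviceID]
	if !ok {
		return errors.New("unknown device")
	}
	expected, ok := s.pending[deviceID]
	if !ok || !bytes.Equal(expected, nonce) {
		return errors.New("nonce not outstanding (replay or forgery)")
	}
	delete(s.pending, deviceID) // single use: a captured response cannot be replayed
	if !ed25519.Verify(pub, attestationMessage(deviceID, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// TEEDevice models the trusted side: the private key is never exported; only signing is exposed.
type TEEDevice struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewTEEDevice generates the device key pair; the public half is returned for enrolment.
func NewTEEDevice(id string) (*TEEDevice, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &TEEDevice{ID: id, priv: priv}, pub, nil
}

func (d *TEEDevice) SignChallenge(nonce []byte) []byte {
	return ed25519.Sign(d.priv, attestationMessage(d.ID, nonce))
}

// RunAttestation performs one full round trip: challenge, sign, verify.
func RunAttestation(s *AttestationServer, d *TEEDevice) error {
	nonce, err := s.Challenge(d.ID)
	if err != nil {
		return err
	}
	return s.Verify(d.ID, nonce, d.SignChallenge(nonce))
}

func main() {
	server := NewAttestationServer()
	genuine, pub, _ := NewTEEDevice("SN-0001") // constructed sample serial
	server.Enroll(genuine.ID, pub)
	fmt.Println("genuine device accepted:", RunAttestation(server, genuine) == nil)
	clone, _, _ := NewTEEDevice("SN-0001") // same serial, but a key the server never enrolled
	fmt.Println("cloned device accepted:", RunAttestation(server, clone) == nil)
}
```

Two checks in this example are the ones a practitioner should look for in any such scheme: the nonce is deleted on first verification, so replaying a captured response fails, and the device ID is part of the signed bytes, so a signature obtained from one genuine phone cannot be presented for a different serial. What the white paper does not describe, and the example therefore omits, is how the device certificate chains to a Xiaomi CA and whether device state (boot state, OS version) is included in the signed payload.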

2.1.3 Hardware Unique Key (HUK)

The HUK (Hardware Unique Key) is permanently written into the device hardware before the phone leaves the factory; it differs from phone to phone and cannot be tampered with. It is accessible only to the hardware cryptographic engine, and the keys used for screen-lock password protection and file-system encryption are derived from it, which binds those keys to the individual device.
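How a key bound to the HUK differs from one derived from the password alone, as an added Go example that is not Xiaomi's code: the `CryptoEngine` type stands in for the hardware cryptographic engine, holds the HUK in an unexported field and exposes only derived keys and AES-256-GCM operations under them. HKDF-SHA256 as the derivation function, the purpose labels, the sample PIN and the sample file content are assumptions made for the example; the white paper does not specify how the derived keys are computed.

```go
// Added example, not Xiaomi's code: HUK-bound key derivation (HKDF-SHA256 assumed) and AES-256-GCM use.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// CryptoEngine models the hardware engine: the HUK is unexported and only derived keys and ciphertexts come out.
type CryptoEngine struct {
	huk [32]byte
}

// NewCryptoEngine stands in for the factory step that burns the HUK into the hardware.
func NewCryptoEngine() (*CryptoEngine, error) {
	e := &CryptoEngine{}
	if _, err := rand.Read(e.huk[:]); err != nil {
		return nil, err
	}
	return e, nil
}

// hkdf is HKDF-SHA256 (RFC 5869) extract-then-expand for a single 32-byte output block.
func hkdf(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// DeriveKey mixes the HUK (as HKDF salt) with caller material under a purpose label; the HUK itself never leaves.
func (e *CryptoEngine) DeriveKey(purpose string, material []byte) []byte {
	return hkdf(material, e.huk[:], []byte("huk-derived:"+purpose))
}

// ScreenLockKey binds the lock credential to this device: guessing it offline needs the engine, not just the storage.
func (e *CryptoEngine) ScreenLockKey(credential []byte) []byte {
	return e.DeriveKey("screen-lock", credential)
}

// FileSystemKey is the AES-256 key used for file encryption on this device.
func (e *CryptoEngine) FileSystemKey(credential []byte) []byte {
	return e.DeriveKey("file-system", credential)
}

func (e *CryptoEngine) fsAEAD(credential []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(e.FileSystemKey(credential))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM under this device's file-system key; the random nonce is prepended.
func (e *CryptoEngine) Seal(credential, plaintext []byte) ([]byte, error) {
	aead, err := e.fsAEAD(credential)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts; it fails on another device (different HUK), on a wrong credential, or on tampered ciphertext.
func (e *CryptoEngine) Open(credential, sealed []byte) ([]byte, error) {
	aead, err := e.fsAEAD(credential)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	phoneA, _ := NewCryptoEngine()
	phoneB, _ := NewCryptoEngine()
	pin := []byte("1234") // constructed sample credential
	fmt.Println("phone A screen-lock key:", hex.EncodeToString(phoneA.ScreenLockKey(pin)))
	fmt.Println("phone B screen-lock key:", hex.EncodeToString(phoneB.ScreenLockKey(pin)))
	sealed, _ := phoneA.Seal(pin, []byte("contacts.db")) // constructed sample file content
	_, err := phoneB.Open(pin, sealed)
	fmt.Println("phone B can open phone A's file:", err == nil)
}
```

Running it shows the same PIN yielding different screen-lock and file-system keys on two engines, and ciphertext sealed on one device failing to open on the other. The point to take from it is that a raw copy of the flash storage is not enough to brute-force the screen lock offline, because every candidate key requires the HUK and only the engine can use it. The example uses a fast KDF purely for illustration; in practice a deliberately slow KDF and hardware-enforced throttling of guesses would sit in front of this derivation, neither of which is shown here.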

2.1.4 Hardware Cryptographic Engine

Encryption and decryption are computationally expensive operations, and on a mobile device speed, power consumption and security all matter. Xiaomi smartphones take these factors into account in their design and are equipped with a high-performance hardware cryptographic engine* (supporting algorithms such as AES-256), so that the device achieves sufficient cryptographic strength without a cost to performance or battery life.

*Note: Some models are not equipped with hardware cryptographic engines.