MIUI 13 Security White Paper - Xiaomi

3.1 Data Protection Architecture

3.1.1 File-Based Encryption

The MIUI file system is divided into a system partition and a user partition. The system partition is read-only and isolated from the user partition; ordinary applications can access only some of its directories. The user partition, on the other hand, uses file-based data encryption and directory permission management mechanisms that restrict data access between applications. In addition, MIUI offers enhanced security features and encryption-based applications that improve usability while protecting user data.

Figure 3-1-1

  • Step 1, Generate the Keymaster Key with the Hardware Key.

  • Step 2, Encrypt the Class Key with the Keymaster Key and user passwords.

  • Step 3, When the system starts up, a Wrapped-class Key is generated for each Class Key and used in its place, so that the Class Key's plaintext is not exposed in the Android environment.

  • Step 4, Encrypt and protect the File Key with the Wrapped-class Key.

  • Step 5, Encrypt the file using the File Key.

*Note: This schematic diagram is applicable for Xiaomi smartphones that use Qualcomm chips and support FBE.

Each Xiaomi smartphone that supports FBE provides every user with two storage locations for applications:

  • Credential encrypted (CE) storage area: The CE area is the default storage area and is only accessible after the user has unlocked the device.

  • Device encrypted (DE) storage area: The DE area is accessible after the device has been powered on regardless of whether the screen is unlocked.

The CE storage area is the default location in MIUI for applications to store data, which protects both the application and its data. Only a few applications, such as wireless authentication, the alarm clock, ringtones, and Bluetooth, store certain data in the DE storage area. This lets essential services run before the user provides credentials while the system continues to protect the user's private information.
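To make the five steps of Figure 3-1-1 and the CE/DE distinction concrete, the following is an added illustrative model in Go. It is not Xiaomi's code, and the white paper does not describe the actual Keymaster or FBE internals; the model assumes HMAC-SHA256 as the derivation from one key to the next, AES-256-GCM for wrapping keys and encrypting file contents, and the labels "keymaster", "class-DE" and "class-CE" as arbitrary domain separators. The Wrapped-class Key of Step 3 (a handle that keeps the class key's plaintext out of the Android environment) is simplified to returning the unwrapped class key directly. What the model shows is the point the text makes: the DE class key is recoverable from the Keymaster key alone, so it is available as soon as the device boots, while the CE class key is sealed under a key that mixes in the user password, so a wrong password fails authentication and nothing in the CE area can be read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Wrapped is what persists on the user partition: one class key per storage
// class, each sealed under its own key-encryption key (Step 2).
type Wrapped struct {
	ClassKeyDE, ClassKeyCE []byte
}

// kdf stands in for the hardware/Keymaster derivation, which the white paper
// does not specify: HMAC-SHA256(parent, label || extra) gives a 32-byte key.
func kdf(parent []byte, label string, extra []byte) []byte {
	m := hmac.New(sha256.New, parent)
	m.Write(append([]byte(label), extra...))
	return m.Sum(nil)
}

func random(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read does not fail on current Go releases
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this model is 32 bytes, so this cannot happen
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal is AES-256-GCM with the nonce prepended, used for key wrapping and for
// file contents alike; open reverses it and fails under a wrong key.
func seal(key, data []byte) []byte {
	nonce := random(12)
	return aead(key).Seal(nonce, nonce, data, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// KeymasterKey is Step 1: derived from the hardware key, never stored.
func KeymasterKey(hardwareKey []byte) []byte { return kdf(hardwareKey, "keymaster", nil) }

// Provision is Step 2. The DE key-encryption key depends on the Keymaster key
// alone; the CE one also mixes in the user password. That difference is what
// makes DE data readable at boot and CE data readable only after unlock.
func Provision(keymaster []byte, password string) Wrapped {
	return Wrapped{
		ClassKeyDE: seal(kdf(keymaster, "class-DE", nil), random(32)),
		ClassKeyCE: seal(kdf(keymaster, "class-CE", []byte(password)), random(32)),
	}
}

// UnwrapDE runs at boot (Step 3) and needs no credential.
func UnwrapDE(keymaster []byte, w Wrapped) ([]byte, error) {
	return open(kdf(keymaster, "class-DE", nil), w.ClassKeyDE)
}

// UnwrapCE runs at unlock; a wrong password gives a KEK under which GCM fails.
func UnwrapCE(keymaster []byte, password string, w Wrapped) ([]byte, error) {
	return open(kdf(keymaster, "class-CE", []byte(password)), w.ClassKeyCE)
}

// EncryptFile wraps a fresh file key under the class key (Step 4) and encrypts
// the contents under that file key (Step 5).
func EncryptFile(classKey, plaintext []byte) (wrappedFileKey, ciphertext []byte) {
	fileKey := random(32)
	return seal(classKey, fileKey), seal(fileKey, plaintext)
}

func DecryptFile(classKey, wrappedFileKey, ciphertext []byte) ([]byte, error) {
	fileKey, err := open(classKey, wrappedFileKey)
	if err != nil {
		return nil, err
	}
	return open(fileKey, ciphertext)
}

func main() {
	km := KeymasterKey(random(32)) // constructed stand-in for the hardware key
	w := Provision(km, "1234")
	_, errDE := UnwrapDE(km, w)
	_, errCE := UnwrapCE(km, "0000", w)
	fmt.Println("DE at boot:", errDE, "| CE with wrong PIN:", errCE)
}
```

Because every file carries its own wrapped file key, a password change only needs the CE class key re-sealed under the new KEK; the files themselves are untouched, which is the practical reason for the extra layer between the class key and the file contents.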

3.1.2 Secure Storage

The secure storage function of MIUI is achieved by a TEE-based Secure File System (SFS) and is used to securely store sensitive information such as keys, certificates, fingerprint templates, and so forth. The trusted application (TA) running in the TEE uses a secure storage API to encrypt and store data. Encrypted data are only accessible by the TA and therefore cannot be accessed by external applications. The secure storage in MIUI adopts AES-256 for encryption and decryption. The secure storage keys are derived from the hardware unique key (HUK) and are invariably stored in the device's TEE. Data encrypted by the keys cannot be decrypted outside the TEE.

MIUI further provides the Flash-based RPMB (Replay Protected Memory Block) partitioning feature to protect certain system data from unauthorized deletions and access. RPMB is directly controlled by the TEE for security and linked to the keys derived from the hardware unique key (HUK). Only the TEE can access the RPMB-protected data, and the external Android side does not provide an interface to access the RPMB. RPMB prevents replay attacks through built-in counters, keys, and an HMAC verification mechanism to ensure that data cannot be maliciously overwritten or tampered with.
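The replay-protection mechanism described above, reduced to its essentials as an added example in Go (a model written for this section, not Xiaomi's code and not the eMMC/UFS RPMB implementation): an authentication key that only the TEE holds, a write counter kept inside the protected block, and an HMAC-SHA256 over each request and response. Real RPMB frames have a fixed layout with more fields; the field set here, the length-prefixed MAC input and the key value are assumptions chosen to show the two checks that matter. A write is accepted only if its MAC verifies and its counter matches the block's counter, which then advances, so a captured frame cannot be applied a second time and a frame built without the key fails outright; a read is answered together with a MAC over the data, the counter and the caller's nonce, so a stale answer is detectable too.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrAuth   = errors.New("rpmb: MAC does not verify")
	ErrReplay = errors.New("rpmb: write counter mismatch (stale or replayed frame)")
)

// WriteFrame is a simplified authenticated write request. Real RPMB frames
// carry more fields (address, block count, result); this model keeps the ones
// that provide replay protection: the data, the write counter the requester
// believes is current, and the HMAC over both.
type WriteFrame struct {
	Data    []byte
	Counter uint32
	MAC     []byte
}

// tag is HMAC-SHA256 over len(data), data, counter and (for reads) the nonce.
func tag(key, data []byte, counter uint32, nonce []byte) []byte {
	m := hmac.New(sha256.New, key)
	binary.Write(m, binary.BigEndian, uint32(len(data)))
	m.Write(data)
	binary.Write(m, binary.BigEndian, counter)
	m.Write(nonce)
	return m.Sum(nil)
}

// RPMB models the protected block: an authentication key provisioned once and
// shared only with the TEE, a monotonic write counter kept inside the block,
// and the stored data.
type RPMB struct {
	key     []byte
	counter uint32
	data    []byte
}

func NewRPMB(key []byte) *RPMB { return &RPMB{key: key} }

// Counter is what the TEE queries before it builds a write frame.
func (r *RPMB) Counter() uint32 { return r.counter }

// Write accepts a frame only if its MAC verifies under the shared key and its
// counter equals the block's current counter; the counter then advances, so a
// frame that was accepted once can never be accepted again.
func (r *RPMB) Write(f WriteFrame) error {
	if !hmac.Equal(f.MAC, tag(r.key, f.Data, f.Counter, nil)) {
		return ErrAuth
	}
	if f.Counter != r.counter {
		return ErrReplay
	}
	r.data = append([]byte(nil), f.Data...)
	r.counter++
	return nil
}

// Read answers with a MAC over data, counter and the caller's nonce, so the
// TEE can tell a fresh answer from a recorded one.
func (r *RPMB) Read(nonce []byte) (data []byte, counter uint32, mac []byte) {
	return r.data, r.counter, tag(r.key, r.data, r.counter, nonce)
}

// NewWriteFrame and VerifyRead are the TEE side of the exchange.
func NewWriteFrame(key []byte, counter uint32, data []byte) WriteFrame {
	return WriteFrame{Data: data, Counter: counter, MAC: tag(key, data, counter, nil)}
}

func VerifyRead(key, nonce, data []byte, counter uint32, mac []byte) bool {
	return hmac.Equal(mac, tag(key, data, counter, nonce))
}

func main() {
	key := []byte("constructed-32-byte-rpmb-key-!!!") // stands in for the HUK-derived key
	dev := NewRPMB(key)
	f1 := NewWriteFrame(key, dev.Counter(), []byte("rollback-index=1"))
	fmt.Println("first write:", dev.Write(f1))
	f2 := NewWriteFrame(key, dev.Counter(), []byte("rollback-index=2"))
	fmt.Println("second write:", dev.Write(f2))
	fmt.Println("old frame resent:", dev.Write(f1))
	f2.Data = []byte("rollback-index=0")
	fmt.Println("edited frame:", dev.Write(f2))
}
```

The order of the two checks in Write is deliberate: the MAC is verified first, so an unauthenticated party learns nothing about the counter from the error it gets back, and the counter lives inside the protected block rather than on the Android side, which is what makes it a reliable record of how many writes have been accepted.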

3.1.3 Secure Erase

A general "Factory reset" does not guarantee that data stored in physical storage is thoroughly erased. For speed, a reset usually only deletes the logical addresses; the physical address space is not wiped, and the data can be recovered. MIUI therefore offers users the option to "format mock SD card" when they restore factory settings. Once this option is chosen, the system formats the storage space and completely erases the data, protecting user data after the device is sold or scrapped.
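As an added illustration (not MIUI code), this Go model of storage with a file table kept separately from the physical pages shows the difference the paragraph draws: a logical delete only drops the mapping, a verification scan of the raw pages still finds the data, and only overwriting every physical page clears it. The page size, the file-table layout and the sample content are constructed for the example. On real flash the controller's wear levelling and over-provisioned blocks are not reachable by a host-side overwrite, which is why a complete erase on a real device relies on the controller's own erase command or on destroying the encryption key rather than on writes from the file system.

```go
package main

import (
	"bytes"
	"fmt"
)

const pageSize = 32 // constructed: small pages keep the example readable

// Flash models storage behind a logical-to-physical mapping of the kind a
// flash translation layer provides: files occupy physical pages, and the file
// table is the only record of which pages belong to which file.
type Flash struct {
	pages [][]byte         // physical pages
	files map[string][]int // file name -> indices of its pages
	free  []int            // pages the file table regards as unused
}

func NewFlash(numPages int) *Flash {
	f := &Flash{pages: make([][]byte, numPages), files: map[string][]int{}}
	for i := range f.pages {
		f.pages[i] = make([]byte, pageSize)
		f.free = append(f.free, i)
	}
	return f
}

// WriteFile copies content into free pages and records them in the file table.
func (f *Flash) WriteFile(name string, content []byte) error {
	var used []int
	for off := 0; off < len(content); off += pageSize {
		if len(f.free) == 0 {
			return fmt.Errorf("flash full while writing %q", name)
		}
		p := f.free[0]
		f.free = f.free[1:]
		end := off + pageSize
		if end > len(content) {
			end = len(content)
		}
		copy(f.pages[p], content[off:end])
		used = append(used, p)
	}
	f.files[name] = used
	return nil
}

// LogicalDelete is what a fast reset does: the file table forgets the pages and
// marks them reusable, but their contents stay on the medium until reused.
func (f *Flash) LogicalDelete(name string) {
	f.free = append(f.free, f.files[name]...)
	delete(f.files, name)
}

// SecureErase overwrites every physical page, whatever the file table says.
func (f *Flash) SecureErase() {
	for _, p := range f.pages {
		for i := range p {
			p[i] = 0
		}
	}
	f.files = map[string][]int{}
	f.free = f.free[:0]
	for i := range f.pages {
		f.free = append(f.free, i)
	}
}

// PagesContaining counts physical pages that still hold pattern. It is the
// verification step a complete erase must pass: the count has to be zero.
func (f *Flash) PagesContaining(pattern []byte) int {
	n := 0
	for _, p := range f.pages {
		if bytes.Contains(p, pattern) {
			n++
		}
	}
	return n
}

func main() {
	fl := NewFlash(8)
	_ = fl.WriteFile("contacts.db", []byte("constructed secret contact list"))
	fl.LogicalDelete("contacts.db")
	fmt.Println("pages holding data after logical delete:", fl.PagesContaining([]byte("secret")))
	fl.SecureErase()
	fmt.Println("pages holding data after secure erase:", fl.PagesContaining([]byte("secret")))
}
```

PagesContaining is the check worth keeping from this model: whatever erase procedure a device offers, reading the medium back and scanning for known content is how to confirm that the procedure reached the physical storage and not just the file table.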