diff --git a/bundle.json b/bundle.json index 55047c6f28450b98d54125f4487ca1d848da0eb5..414b8e6828b8cee3ee9ba4c1303825b3e9bafb20 100644 --- a/bundle.json +++ b/bundle.json @@ -30,7 +30,6 @@ "hitrace", "hisysevent", "ability_base", - "bounds_checking_function", "c_utils", "ipc", "samgr", diff --git a/interfaces/innerkits/jit_code_sign/include/jit_buffer_integrity.h b/interfaces/innerkits/jit_code_sign/include/jit_buffer_integrity.h index 95a7dd127ead3762d381f3806d9b5e9616a2faab..5b61c48f545a577c3ad6c53c9b97f9726bd8ae61 100644 --- a/interfaces/innerkits/jit_code_sign/include/jit_buffer_integrity.h +++ b/interfaces/innerkits/jit_code_sign/include/jit_buffer_integrity.h @@ -20,7 +20,6 @@ #include #include "errcode.h" -#include "jit_fort_helper.h" #include "jit_code_signer_base.h" #include "jit_code_signer_factory.h" #include "jit_fort_helper.h" @@ -214,7 +213,7 @@ __attribute__((no_sanitize("cfi"))) static inline int32_t CopyToJitCode( return CS_ERR_JITFORT_IN; } #endif - if (IsSupportPACFeature()) { + if (IsSupportJitCodeSigner()) { ret = signer->ValidateCodeCopy(reinterpret_cast(jitMemory), reinterpret_cast(tmpBuffer), size); } else { diff --git a/interfaces/innerkits/jit_code_sign/include/jit_fort_helper.h b/interfaces/innerkits/jit_code_sign/include/jit_fort_helper.h index 46b33a992ec0f2f0c0fe177864c80d54971a3871..40e704d587a0b2b3d06828362f596ec97c8b70b9 100644 --- a/interfaces/innerkits/jit_code_sign/include/jit_fort_helper.h +++ b/interfaces/innerkits/jit_code_sign/include/jit_fort_helper.h @@ -22,7 +22,6 @@ #ifdef __aarch64__ #include #include -#include #endif #include "errcode.h" 
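Review bot: In `CopyToJitCode` the call to `signer->ValidateCodeCopy(...)` is now gated on `IsSupportJitCodeSigner()`, whose definition is not part of this diff, and the `else` branch taken when it returns false lies outside the hunk. Since this predicate decides whether the copy into JIT memory goes through the signer, it deserves a comment at the call site naming the conditions under which it is false and what the fallback guarantees, e.g. `// No JIT code signer on this target: the else branch copies without signature validation.` (adjust to what the else branch really does). Without that, a reader cannot tell whether a device with PAC but without the signer still gets a validated copy.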
@@ -67,7 +66,8 @@ __attribute__((always_inline)) static int inline PrctlWrapper( __attribute__((always_inline)) static inline bool IsSupportPACFeature() { #ifdef __aarch64__ - long hwcaps = PrctlWrapper(JITFORT_PRCTL_OPTION, JITFORT_CPU_FEATURES, 0); + unsigned long hwcaps = static_cast(PrctlWrapper( + JITFORT_PRCTL_OPTION, JITFORT_CPU_FEATURES, 0)); if ((hwcaps & HWCAP_PACA) && (hwcaps & HWCAP_PACG)) { return true; } diff --git a/interfaces/innerkits/local_code_sign/BUILD.gn b/interfaces/innerkits/local_code_sign/BUILD.gn index 6257623dd6601f372a1ef32d9eacb86023d02b6b..eeb2f965d352962283d87c12bd25f05e26774da9 100644 --- a/interfaces/innerkits/local_code_sign/BUILD.gn +++ b/interfaces/innerkits/local_code_sign/BUILD.gn @@ -44,6 +44,9 @@ ohos_shared_library("liblocal_code_sign_sdk") { if (build_variant == "root") { defines += [ "CODE_SIGNATURE_DEBUGGABLE" ] } + if (code_signature_support_oh_code_sign) { + defines += [ "VERIFY_KEY_ATTEST_CERTCHAIN" ] + } external_deps = [ "c_utils:utils", diff --git a/services/key_enable/cfg/disable_xpm/key_enable.cfg b/services/key_enable/cfg/disable_xpm/key_enable.cfg index ff934d49ee56a61ae88b746be1cde7214de9ee48..32a8fb391eca665373739157d3ccc811bccf0cdf 100644 --- a/services/key_enable/cfg/disable_xpm/key_enable.cfg +++ b/services/key_enable/cfg/disable_xpm/key_enable.cfg @@ -3,12 +3,12 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { - "name" : "late-fs", + "name" : "init", "cmds" : [ "start key_enable" ] 
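Review bot: `IsSupportPACFeature` still tests the PAC bits on whatever `PrctlWrapper` returns, so an error value is not told apart from a capability mask. The hunk header shows the wrapper returns `int`; if it can return a negative value (for example on a kernel without the JitFort prctl), the cast to unsigned turns it into a value with the high bits set and both the `HWCAP_PACA` and `HWCAP_PACG` tests can pass. Check the result before the cast: `int ret = PrctlWrapper(JITFORT_PRCTL_OPTION, JITFORT_CPU_FEATURES, 0);` followed by `if (ret < 0) { return false; }`. The rest of the function is outside the hunk.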
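Review bot: The three new `mkdir` commands keep mode `0655`, which gives the owner `installs` read and write but no search (execute) bit on the directory, while group and others get read and search. Unless every process that uses these directories runs with a capability that bypasses the check, the owner cannot traverse its own directory. `0755` looks like the intended mode, or something tighter if the profiles need not be world-readable, e.g. `"mkdir /data/service/el1/public/profiles 0755 installs installs"`. The same three lines are repeated in the `enable_xpm/level1` to `level5` configs.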
diff --git a/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg
index 3d0685a770321d8b90b4d21478b1482ba4519793..c96ac7c8bf2bd1f6ff14813c5d27862015697cbc 100644
--- a/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg
+++ b/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg
@@ -3,12 +3,12 @@
 "name" : "post-fs-data",
 "cmds" : [
 "write /proc/sys/fs/verity/require_signatures 1",
- "mkdir /data/service/el1/profiles 0655 installs installs",
- "mkdir /data/service/el1/profiles/release 0655 installs installs",
- "mkdir /data/service/el1/profiles/debug 0655 installs installs"
+ "mkdir /data/service/el1/public/profiles 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/release 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
 ]
 }, {
- "name" : "late-fs",
+ "name" : "init",
 "cmds" : [
 "start key_enable"
 ]
diff --git a/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg
index 8cd2cf51206cd3592fdccd7a12c8bbb4873ae529..68da39fbd155a5100d97c5d6911982172dbfccaa 100644
--- a/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg
+++ b/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg
@@ -3,12 +3,12 @@
 "name" : "post-fs-data",
 "cmds" : [
 "write /proc/sys/fs/verity/require_signatures 1",
- "mkdir /data/service/el1/profiles 0655 installs installs",
- "mkdir /data/service/el1/profiles/release 0655 installs installs",
- "mkdir /data/service/el1/profiles/debug 0655 installs installs"
+ "mkdir /data/service/el1/public/profiles 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/release 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
 ]
 }, {
- "name" : "late-fs",
+ "name" : "init",
 "cmds" : [
 "start key_enable"
 ]
diff --git a/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg
index 086faea23fcb920d01305f5685ee35b778a5d2b0..4d5fb6f69113a9440e2a48f26373b5c36c720882 100644
--- a/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg
+++ b/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg
@@ -3,12 +3,12 @@
 "name" : "post-fs-data",
 "cmds" : [
 "write /proc/sys/fs/verity/require_signatures 1",
- "mkdir /data/service/el1/profiles 0655 installs installs",
- "mkdir /data/service/el1/profiles/release 0655 installs installs",
- "mkdir /data/service/el1/profiles/debug 0655 installs installs"
+ "mkdir /data/service/el1/public/profiles 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/release 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
 ]
 }, {
- "name" : "late-fs",
+ "name" : "init",
 "cmds" : [
 "start key_enable"
 ]
diff --git a/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg
index 2a8c20d6ea0d3842cdcf0cbb0231d1aea548ba78..7d62a38110ddac62b8545c64eac7a387f1ff2cc0 100644
--- a/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg
+++ b/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg
@@ -3,19 +3,20 @@
 "name" : "post-fs-data",
 "cmds" : [
 "write /proc/sys/fs/verity/require_signatures 1",
- "mkdir /data/service/el1/profiles 0655 installs installs",
- "mkdir /data/service/el1/profiles/release 0655 installs installs",
- "mkdir /data/service/el1/profiles/debug 0655 installs installs"
+ "mkdir /data/service/el1/public/profiles 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/release 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
 ]
 }, {
- "name" : "late-fs",
+ "name" : "init",
 "cmds" : [
 "start key_enable"
 ]
 }, {
 "name" : "pre-init",
 "cmds" : [
- "write /proc/sys/kernel/xpm/xpm_mode 4"
+ "write /proc/sys/kernel/xpm/xpm_mode 4",
+ "write /proc/sys/kernel/jitfort/jitfort_mode 1"
 ]
 }
 ],
@@ -30,4 +31,4 @@
 "once": 1
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg
index d4615d7b241154aafc81894f7668c74d6efe7ba9..70852d558b8e90992b695c76118bf95489914760 100644
--- a/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg
+++ b/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg
@@ -3,19 +3,20 @@
 "name" : "post-fs-data",
 "cmds" : [
 "write /proc/sys/fs/verity/require_signatures 1",
- "mkdir /data/service/el1/profiles 0655 installs installs",
- "mkdir /data/service/el1/profiles/release 0655 installs installs",
- "mkdir /data/service/el1/profiles/debug 0655 installs installs"
+ "mkdir /data/service/el1/public/profiles 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/release 0655 installs installs",
+ "mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
 ]
 }, {
- "name" : "late-fs",
+ "name" : "init",
 "cmds" : [
 "start key_enable"
 ]
 }, {
 "name" : "pre-init",
 "cmds" : [
- "write /proc/sys/kernel/xpm/xpm_mode 5"
+ "write /proc/sys/kernel/xpm/xpm_mode 5",
+ "write /proc/sys/kernel/jitfort/jitfort_mode 1"
 ]
 }
 ],
@@ -30,4 +31,4 @@ "once": 1 } ] -} \ No newline at end of file +} diff --git a/services/key_enable/src/cert_chain_utils.rs b/services/key_enable/src/cert_chain_utils.rs index 6cc5be97fb134ff7f38193b08d1785ddbc51f849..23c50cf51c95d5adc54fa633554206198aea5909 100644 --- a/services/key_enable/src/cert_chain_utils.rs +++ b/services/key_enable/src/cert_chain_utils.rs @@ -22,7 +22,7 @@ use ylong_json::JsonValue; const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, - domain: 0xd005a06, // security domain + domain: 0xd005a06, tag: "CODE_SIGN", }; /// collection to contain pem data diff --git a/services/key_enable/src/cert_path_utils.rs b/services/key_enable/src/cert_path_utils.rs index 6841b15aede75b6334bb4ab6945d2c198ccd5370..9d03557a7642caaa0185980f9fce66610e54f83d 100644 --- a/services/key_enable/src/cert_path_utils.rs +++ b/services/key_enable/src/cert_path_utils.rs @@ -24,7 +24,7 @@ extern "C" { const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, - domain: 0xd005a06, // security domain + domain: 0xd005a06, tag: "CODE_SIGN", }; const TRUST_PROFILE_PATH_KEY: &str = "trust-profile-path"; diff --git a/services/key_enable/src/key_enable.rs b/services/key_enable/src/key_enable.rs index 5eebc3a17f8530e970cc124fbfbfddcaa7d6ab84..b9867d60dc7712da124dd1b4e06c8a4c856929d1 100644 --- a/services/key_enable/src/key_enable.rs +++ b/services/key_enable/src/key_enable.rs @@ -26,10 +26,12 @@ use std::io::{BufRead, BufReader}; use std::option::Option; use std::ptr; use std::thread; +use std::time::{Duration, Instant}; +use std::path::Path; const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, - domain: 0xd005a06, // security domain + domain: 0xd005a06, tag: "CODE_SIGN", }; 
@@ -39,6 +41,9 @@ const KEYRING_TYPE: &str = "keyring"; const FSVERITY_KEYRING_NAME: &str = ".fs-verity"; const LOCAL_KEY_NAME: &str = "local_key"; const CODE_SIGN_KEY_NAME_PREFIX: &str = "fs_verity_key"; +const PROFILE_STORE_EL1: &str = "/data/service/el1/public/profiles"; +const PROFILE_SEARCH_SLEEP_TIME: u64 = 200; +const PROFILE_SEARCH_SLEEP_OUT_TIME: u64 = 600; const SUCCESS: i32 = 0; type KeySerial = i32; @@ -164,24 +169,37 @@ fn enable_trusted_keys(key_id: KeySerial, root_cert: &PemCollection) { } } +fn check_and_add_cert_path(root_cert: &PemCollection, cert_paths: &TrustCertPath) -> bool { + if Path::new(PROFILE_STORE_EL1).exists() { + if add_profile_cert_path(root_cert, cert_paths).is_err() { + error!(LOG_LABEL, "Add cert path from local profile err."); + } + info!(LOG_LABEL, "Finished cert path adding."); + true + } else { + false + } +} + // start cert path ops thread add trusted cert & developer cert -fn add_cert_path_thread( +fn add_profile_cert_path_thread( root_cert: PemCollection, cert_paths: TrustCertPath, ) -> std::thread::JoinHandle<()> { thread::spawn(move || { - // enable trusted cert in prebuilt config - info!(LOG_LABEL, "Starting enable trusted cert."); - if cert_paths.add_cert_paths().is_err() { - error!(LOG_LABEL, "Add trusted cert path err."); - } - // enable developer certs info!(LOG_LABEL, "Starting enable developer cert."); - if add_profile_cert_path(&root_cert, &cert_paths).is_err() { - error!(LOG_LABEL, "Add cert path from local profile err."); + let start_time = Instant::now(); + loop { + if check_and_add_cert_path(&root_cert, &cert_paths) { + break; + } else if start_time.elapsed() >= Duration::from_secs(PROFILE_SEARCH_SLEEP_OUT_TIME) { + error!(LOG_LABEL, "Timeout while waiting for PROFILE_STORE_EL1."); + break; + } else { + thread::sleep(Duration::from_millis(PROFILE_SEARCH_SLEEP_TIME)); + } } - info!(LOG_LABEL, "Finished cert path adding."); }) } 
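Review bot: `PROFILE_SEARCH_SLEEP_TIME` and `PROFILE_SEARCH_SLEEP_OUT_TIME` are both bare `u64` values with no unit, yet the thread added later in this file passes the first to `Duration::from_millis` and the second to `Duration::from_secs`. Put the unit in the name or in a comment so the two cannot be mixed up, e.g. `const PROFILE_SEARCH_SLEEP_TIME_MS: u64 = 200;` and `const PROFILE_SEARCH_TIMEOUT_SECS: u64 = 600;`.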
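Review bot: `check_and_add_cert_path` returns `true` and logs "Finished cert path adding." even when `add_profile_cert_path` returned an error, so the polling loop in `add_profile_cert_path_thread` ends after the first attempt in which the directory exists and a failed load of the profile cert paths is neither retried nor distinguishable in the log. Keep the success message for the success case: `if add_profile_cert_path(root_cert, cert_paths).is_err() { error!(LOG_LABEL, "Add cert path from local profile err."); } else { info!(LOG_LABEL, "Finished cert path adding."); }`. Note also that `Path::exists()` returns `false` for any metadata error (permission denied, for instance), which this loop treats as "not created yet" and polls until the timeout; logging the error from `std::fs::metadata` once would make that case visible.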
@@ -230,12 +248,16 @@ pub fn enable_all_keys() { enable_trusted_keys(key_id, &root_cert); let cert_paths = get_cert_path(); - let cert_thread = add_cert_path_thread(root_cert, cert_paths); + // enable trusted cert in prebuilt config + if cert_paths.add_cert_paths().is_err() { + error!(LOG_LABEL, "Add trusted cert path err."); + } + + let cert_thread = add_profile_cert_path_thread(root_cert, cert_paths); enable_keys_after_user_unlock(key_id); if let Err(e) = cert_thread.join() { error!(LOG_LABEL, "add cert path thread panicked: {:?}", e); } - info!(LOG_LABEL, "Fnished enable all keys."); } diff --git a/services/key_enable/src/profile_utils.rs b/services/key_enable/src/profile_utils.rs index b0d2d628ba5f5beb17516f53169c4059809cad57..0a166612cb9ea00f1b7f376a780f8af1de21cbbc 100644 --- a/services/key_enable/src/profile_utils.rs +++ b/services/key_enable/src/profile_utils.rs @@ -42,8 +42,10 @@ const LOG_LABEL: HiLogLabel = HiLogLabel { }; const PROFILE_STORE_EL0_PREFIX: &str = "/data/service/el0/profiles/developer"; const PROFILE_STORE_EL1_PREFIX: &str = "/data/service/el1/profiles/release"; +const PROFILE_STORE_EL1_PUBLIC_PREFIX: &str = "/data/service/el1/public/profiles/release"; const DEBUG_PROFILE_STORE_EL0_PREFIX: &str = "/data/service/el0/profiles/debug"; const DEBUG_PROFILE_STORE_EL1_PREFIX: &str = "/data/service/el1/profiles/debug"; +const DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX: &str = "/data/service/el1/public/profiles/debug"; const PROFILE_STORE_TAIL: &str = "profile.p7b"; const PROFILE_TYPE_KEY: &str = "type"; const PROFILE_DEVICE_ID_TYPE_KEY: &str = "device-id-type"; 
@@ -220,8 +222,8 @@ fn format_x509_fabricate_name(name: &X509NameRef) -> String { fn get_profile_paths(is_debug: bool) -> Vec { let mut paths = Vec::new(); let profile_prefixes = match is_debug { - false => vec![PROFILE_STORE_EL0_PREFIX, PROFILE_STORE_EL1_PREFIX], - true => vec![DEBUG_PROFILE_STORE_EL0_PREFIX, DEBUG_PROFILE_STORE_EL1_PREFIX], + false => vec![PROFILE_STORE_EL0_PREFIX, PROFILE_STORE_EL1_PREFIX, PROFILE_STORE_EL1_PUBLIC_PREFIX], + true => vec![DEBUG_PROFILE_STORE_EL0_PREFIX, DEBUG_PROFILE_STORE_EL1_PREFIX, DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX], }; for profile_prefix in profile_prefixes { paths.extend(get_paths_from_prefix(profile_prefix)); @@ -375,10 +377,10 @@ fn process_data(profile_data: &[u8]) -> Result<(String, String, u32), ()> { fn create_bundle_path(bundle_name: &str, profile_type: u32) -> Result { let bundle_path = match profile_type { value if value == DebugCertPathType::Developer as u32 => { - fmt_store_path(DEBUG_PROFILE_STORE_EL1_PREFIX, bundle_name) + fmt_store_path(DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX, bundle_name) } value if value == ReleaseCertPathType::Developer as u32 => { - fmt_store_path(PROFILE_STORE_EL1_PREFIX, bundle_name) + fmt_store_path(PROFILE_STORE_EL1_PUBLIC_PREFIX, bundle_name) } _ => { error!(LOG_LABEL, "invalid profile type"); 
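Review bot: `get_profile_paths` keeps scanning the legacy `PROFILE_STORE_EL1_PREFIX` and `DEBUG_PROFILE_STORE_EL1_PREFIX` directories next to the new `public` ones, although the `key_enable.cfg` changes in this commit no longer create the legacy directories and `create_bundle_path` in the following hunk writes only to the new prefix. If the legacy entries are kept only so that profiles stored before the move are still loaded, say so where the list is built, e.g. `// Legacy el1 paths: still read for profiles stored before the move to el1/public; remove once migrated.`. Otherwise anything left in the old location keeps contributing trusted cert paths with no component that manages it any more.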
@@ -422,24 +424,16 @@ fn enable_key_in_profile_internal( Ok(()) } -fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> { - let _bundle_name = c_char_to_string(bundle_name); - if _bundle_name.is_empty() { - error!(LOG_LABEL, "Invalid bundle name"); +fn process_remove_bundle( + prefix: &str, + bundle_name: &str, +) -> Result<(), ()> { + let bundle_path = fmt_store_path(prefix, bundle_name); + + if !file_exists(&bundle_path) { return Err(()); } - let debug_bundle_path = fmt_store_path(DEBUG_PROFILE_STORE_EL1_PREFIX, &_bundle_name); - let release_bundle_path = fmt_store_path(PROFILE_STORE_EL1_PREFIX, &_bundle_name); - - let bundle_path = if file_exists(&debug_bundle_path) { - debug_bundle_path - } else if file_exists(&release_bundle_path) { - release_bundle_path - } else { - error!(LOG_LABEL, "bundle path does not exists!"); - return Err(()); - }; let filename = fmt_store_path(&bundle_path, PROFILE_STORE_TAIL); let mut profile_data = Vec::new(); if load_bytes_from_file(&filename, &mut profile_data).is_err() { 
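Review bot: `process_remove_bundle` joins `bundle_name` onto each store prefix with `fmt_store_path`, and the only check on that name visible in this diff is the emptiness test in `remove_key_in_profile_internal`, which receives it as a C string from the caller. `fmt_store_path` is not shown, so unless it or the caller already rejects path separators and `..`, add a guard before the path is built, e.g. `if bundle_name.contains('/') || bundle_name.contains("..") { return Err(()); }`. With six prefixes now being probed, a name that escapes the prefix would be resolved six times. The function body continues in the next hunk.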
@@ -452,19 +446,48 @@ fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> error!(LOG_LABEL, "remove profile data error!"); return Err(()); } + info!(LOG_LABEL, "remove bundle_path path {}!", @public(bundle_path)); - if unsafe { !IsDeveloperModeOn() } && profile_type == DebugCertPathType::Developer as u32 { - info!(LOG_LABEL, "not remove profile_type:{} when development off", @public(profile_type)); - return Ok(()); - } + if remove_cert_path_info(subject, issuer, profile_type, DEFAULT_MAX_CERT_PATH_LEN).is_err() { error!(LOG_LABEL, "remove profile data error!"); return Err(()); } + info!(LOG_LABEL, "finish remove cert path in ioctl!"); Ok(()) } +fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> { + let _bundle_name = c_char_to_string(bundle_name); + if _bundle_name.is_empty() { + error!(LOG_LABEL, "Invalid bundle name"); + return Err(()); + } + + let profile_prefix = vec![ + DEBUG_PROFILE_STORE_EL0_PREFIX, + PROFILE_STORE_EL0_PREFIX, + DEBUG_PROFILE_STORE_EL1_PREFIX, + PROFILE_STORE_EL1_PREFIX, + DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX, + PROFILE_STORE_EL1_PUBLIC_PREFIX, + ]; + + let mut rm_succ = false; + for prefix in profile_prefix { + if process_remove_bundle(prefix, &_bundle_name).is_ok() { + rm_succ = true; + } + } + if rm_succ { + Ok(()) + } else { + error!(LOG_LABEL, "Failed to remove bundle profile info, bundleName: {}.", @public(_bundle_name)); + Err(()) + } +} + fn c_char_to_string(c_str: *const c_char) -> String { unsafe { if c_str.is_null() { diff --git a/services/key_enable/utils/include/key_utils.h b/services/key_enable/utils/include/key_utils.h index 7ba018c14421a0973ae953deb74d7147c48cc781..7044124d23ad854bcd0e37e027cb5a7bd11e7b9c 100644 --- a/services/key_enable/utils/include/key_utils.h +++ b/services/key_enable/utils/include/key_utils.h 
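Review bot: `remove_key_in_profile_internal` reports success as soon as one prefix succeeds, and `process_remove_bundle` signals a missing bundle directory with the same `Err(())` it uses for a failed profile load or a failed `remove_cert_path_info`. A bundle that has profiles under two prefixes can therefore keep one cert path registered while the caller is told the removal worked. Distinguish "nothing stored under this prefix" from "removal failed" and fail the call when any prefix fails; the sketch below changes `process_remove_bundle` to return `Result<bool, ()>`. The start of `process_remove_bundle` is in the previous hunk.

```rust
// in process_remove_bundle, return type becomes Result<bool, ()>:
    if !file_exists(&bundle_path) {
        return Ok(false); // nothing stored under this prefix
    }
    // … unchanged: load profile.p7b, parse it, remove_cert_path_info …
    Ok(true)

// in remove_key_in_profile_internal:
    // … unchanged: bundle name check and profile_prefix list …
    let mut removed = false;
    let mut failed = false;
    for prefix in profile_prefix {
        match process_remove_bundle(prefix, &_bundle_name) {
            Ok(true) => removed = true,
            Ok(false) => {}
            Err(()) => failed = true,
        }
    }
    if removed && !failed {
        Ok(())
    } else {
        error!(LOG_LABEL, "Failed to remove bundle profile info, bundleName: {}.", @public(_bundle_name));
        Err(())
    }
```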
@@ -41,6 +41,7 @@ KeySerial KeyctlRestrictKeyring( const char *restriction); bool IsRdDevice(); +int32_t CheckEfuseStatus(char *buf, ssize_t bunLen); #ifdef __cplusplus } #endif diff --git a/services/key_enable/utils/src/devices_security.cpp b/services/key_enable/utils/src/devices_security.cpp index 3ccca6e9476494ded7fb29143bab18d823e16101..a1cd19e2ea5abe38f923829bade885f4b74b5922 100644 --- a/services/key_enable/utils/src/devices_security.cpp +++ b/services/key_enable/utils/src/devices_security.cpp @@ -48,7 +48,7 @@ static bool CheckDeviceMode(char *buf, ssize_t bunLen) return false; } -static int32_t CheckEfuseStatus(char *buf, ssize_t bunLen) +int32_t CheckEfuseStatus(char *buf, ssize_t bunLen) { if (strstr(buf, "efuse_status=1")) { LOG_DEBUG(LABEL, "device is not efused"); diff --git a/services/local_code_sign/src/local_code_sign_service.cpp b/services/local_code_sign/src/local_code_sign_service.cpp index 243d1ac3b8a47a16bd47575462d30327e0aba77c..d518c1978ee4ffcd77c717807e8590247df754ec 100644 --- a/services/local_code_sign/src/local_code_sign_service.cpp +++ b/services/local_code_sign/src/local_code_sign_service.cpp @@ -93,6 +93,10 @@ void LocalCodeSignService::DelayUnloadTask() void LocalCodeSignService::OnStop() { LOG_INFO("LocalCodeSignService OnStop"); + if (unloadHandler_ != nullptr) { + unloadHandler_->RemoveTask(TASK_ID); + unloadHandler_ = nullptr; + } state_ = ServiceRunningState::STATE_NOT_START; } diff --git a/services/local_code_sign/src/local_sign_key.cpp b/services/local_code_sign/src/local_sign_key.cpp index 24412ec72e306ad4619b720fb23ccc2a2835b21f..bc17c5a27e56161646bc37249df8bacabbc4a4b1 100644 --- a/services/local_code_sign/src/local_sign_key.cpp +++ b/services/local_code_sign/src/local_sign_key.cpp 
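Review bot: `CheckEfuseStatus` now has external linkage, but the visible line searches `buf` with `strstr` and does not use `bunLen`, so it depends on every caller passing a NUL-terminated buffer. That was easy to guarantee for a file-local helper; for an exported function the precondition should be stated on the declaration added to `key_utils.h`, e.g. `// buf must be a NUL-terminated string; the search uses strstr().`, or the search should be bounded by the length argument. The parameter name `bunLen` also looks like a typo for `bufLen` and is now part of a public header. The function body continues outside the hunk.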
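Review bot: `OnStop` removes the task and resets `unloadHandler_` with no synchronisation visible in the hunk, while `DelayUnloadTask` (named in the hunk header) presumably posts `TASK_ID` through the same handler. If `DelayUnloadTask` guards the handler with a mutex, or can run on a different thread from `OnStop`, take the same lock around `RemoveTask` and the reset. If both are always called on one thread, a one-line comment settles it, e.g. `// OnStop and DelayUnloadTask run on the same thread; unloadHandler_ needs no lock.`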
@@ -297,7 +297,7 @@ bool LocalSignKey::SignByHUKS(const struct HksBlob *inData, struct HksBlob *outD if (ret != HKS_SUCCESS) { LOG_ERROR("HksUpdate Failed."); free(tmpOutData.data); - return CS_ERR_PARAM_INVALID; + return false; } // third stage: finish, get signature from HUKS diff --git a/test/fuzztest/local_code_sign_stub/initlocalcertificatestub_fuzzer/initlocalcertificatestub_fuzzer.cpp b/test/fuzztest/local_code_sign_stub/initlocalcertificatestub_fuzzer/initlocalcertificatestub_fuzzer.cpp index e4bfcdd23c00e8a176b0a69c3b7f2144d37a6f53..7405cbd6ac9708c02529ca496f2ee9d89e738f47 100644 --- a/test/fuzztest/local_code_sign_stub/initlocalcertificatestub_fuzzer/initlocalcertificatestub_fuzzer.cpp +++ b/test/fuzztest/local_code_sign_stub/initlocalcertificatestub_fuzzer/initlocalcertificatestub_fuzzer.cpp @@ -59,6 +59,7 @@ namespace OHOS { uint64_t selfTokenId = NativeTokenSet("key_enable"); DelayedSingleton::GetInstance()->OnStart(); DelayedSingleton::GetInstance()->OnRemoteRequest(code, datas, reply, option); + DelayedSingleton::GetInstance()->OnStop(); NativeTokenReset(selfTokenId); return true; } diff --git a/test/fuzztest/local_code_sign_stub/signlocalcodestub_fuzzer/signlocalcodestub_fuzzer.cpp b/test/fuzztest/local_code_sign_stub/signlocalcodestub_fuzzer/signlocalcodestub_fuzzer.cpp index f3778ae53f7f5cab4dc406f0938defca86fb0666..f7583a2e6f4e0990a1440770afefccf6d524f295 100644 --- a/test/fuzztest/local_code_sign_stub/signlocalcodestub_fuzzer/signlocalcodestub_fuzzer.cpp +++ b/test/fuzztest/local_code_sign_stub/signlocalcodestub_fuzzer/signlocalcodestub_fuzzer.cpp @@ -59,6 +59,7 @@ namespace OHOS { uint64_t selfTokenId = NativeTokenSet("compiler_service"); DelayedSingleton::GetInstance()->OnStart(); DelayedSingleton::GetInstance()->OnRemoteRequest(code, datas, reply, option); + DelayedSingleton::GetInstance()->OnStop(); NativeTokenReset(selfTokenId); return true; } 
diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index 3f223fd0d8d159fb1bc631c801069022451cf92d..534c79e8d3a5eca5756aa61979cae34f38c9dd7e 100644 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -132,6 +132,7 @@ ohos_unittest("local_code_sign_utils_unittest") { "mock/include", "utils/include", "${code_signature_root_dir}/services/local_code_sign/include", + "${code_signature_root_dir}/services/key_enable/utils/include", ] configs = [ "${code_signature_root_dir}:common_utils_config" ] @@ -140,6 +141,7 @@ ohos_unittest("local_code_sign_utils_unittest") { "fsverity-utils:libfsverity_utils", "hilog:libhilog", "huks:libhukssdk", + "init:libbegetutil", "openssl:libcrypto_shared", ] } @@ -299,11 +301,43 @@ ohos_unittest("key_enable_utils_unittest") { ] } +ohos_unittest("cert_chain_verifier_unittest") { + module_out_path = "security/code_signature" + sources = [ + "${code_signature_root_dir}/utils/src/cert_utils.cpp", + "${code_signature_root_dir}/utils/src/huks_attest_verifier.cpp", + "${code_signature_root_dir}/utils/src/openssl_utils.cpp", + "cert_chain_verifier_test.cpp", + ] + include_dirs = [ "utils/include" ] + configs = [ + "${code_signature_root_dir}:common_utils_config", + "${code_signature_root_dir}:common_public_config", + ] + defines = [ "CODE_SIGNATURE_DEBUGGABLE" ] + if (code_signature_support_oh_release_app) { + defines += [ "CODE_SIGNATURE_OH_ROOT_CA" ] + } + deps = [ + "${code_signature_root_dir}/services/key_enable/utils:libkey_enable_utils", + ] + external_deps = [ + "access_token:libaccesstoken_sdk", + "access_token:libnativetoken", + "access_token:libtoken_setproc", + "c_utils:utils", + "hilog:libhilog", + "huks:libhukssdk", + "openssl:libcrypto_shared", + ] +} + group("unittest_group") { testonly = true if (!defined(ohos_lite)) { deps = [ ":add_cert_path_unittest", + ":cert_chain_verifier_unittest", ":code_sign_utils_in_c_unittest", ":code_sign_utils_unittest", ":enable_verity_ioctl_unittest", 
diff --git a/test/unittest/cert_chain_verifier_test.cpp b/test/unittest/cert_chain_verifier_test.cpp new file mode 100644 index 0000000000000000000000000000000000000000..1d35db714d55401569395784339b06a08ac0d842 --- /dev/null +++ b/test/unittest/cert_chain_verifier_test.cpp 
@@ -0,0 +1,367 @@ +/* + * Copyright (c) 2024-2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include + +#include "access_token_setter.h" +#include "byte_buffer.h" +#include "huks_attest_verifier.h" +#include "log.h" + +using namespace OHOS::Security::CodeSign; +using namespace std; +using namespace testing::ext; + +namespace OHOS { +namespace Security { +namespace CodeSign { +const std::string SIGNING_CERT_CHAIN_PEM = +"-----BEGIN CERTIFICATE-----\n" \ +"MIIDgzCCAm2gAwIBAgIBATALBgkqhkiG9w0BAQswfzELMAkGA1UEBhMCQ04xEzAR\n" \ +"BgNVBAgMCmhlbGxvd29ybGQxEzARBgNVBAoMCmhlbGxvd29ybGQxEzARBgNVBAsM\n" \ +"CmhlbGxvd29ybGQxFjAUBgNVBAMMDWhlbGxvd29ybGQxMTExGTAXBgkqhkiG9w0B\n" \ +"CQEWCmhlbGxvd29ybGQwHhcNMjQwODA5MDkzMDEyWhcNMzQwODA5MDkzMDEyWjAa\n" \ +"MRgwFgYDVQQDEw9BIEtleW1hc3RlciBLZXkwWTATBgcqhkjOPQIBBggqhkjOPQMB\n" \ +"BwNCAATJqTRIhGKhLmXuJbPI311/5gEljqPbpJpXNp6oe8dOmnyJ9SQQZmMomB5u\n" \ +"lC5aZIoNrCuKHTAgY1PpNNcFSBBpo4IBPDCCATgwCwYDVR0PBAQDAgeAMAgGA1Ud\n" \ +"HwQBADCCAR0GDCsGAQQBj1sCgngBAwSCAQswggEHAgEAMDQCAQAGDSsGAQQBj1sC\n" \ +"gngCAQQEIOIC9EG2Dn3zqle0WWjiHwk2CIP3hJuPjjQwi7z4FaFFMCICAQIGDSsG\n" \ +"AQQBj1sCgngCAQIEDkxPQ0FMX1NJR05fS0VZMFwCAQIGDSsGAQQBj1sCgngCAQMw\n" \ +"SAYOKwYBBAGPWwKCeAIBAwEENnsicHJvY2Vzc05hbWUiOiJsb2NhbF9jb2RlX3Np\n" \ +"Z24iLCJBUEwiOiJzeXN0ZW1fYmFzaWMifTAYAgECBg0rBgEEAY9bAoJ4AgELBAQA\n" \ +"AAAAMBgCAQIGDSsGAQQBj1sCgngCAQUEBAIAAAAwFgIBAgYOKwYBBAGPWwKCeAIE\n" \ 
+"AQUBAf8wCwYJKoZIhvcNAQELA4IBAQB8zqqeaXux3qkQF0GFax7I4YWtTpoeQeJU\n" \ +"BjyMk/eGmeX+ZD9absOQDzH/wH6MddzPLjoaIuoR+oxDXn2yqQ5xyGQp6uN0E8IB\n" \ +"OFCjeTbRBR86A+CulTGuitszOpfyKF7SvmzfGx+ij2OtQnZ7QZp+I2YEr1Jc4ESr\n" \ +"xXXt0zPslidnf7qso+f09C6U9YOnaxISfjxEqFn25+yWX2tXBJ62L6R7+zpKU3ee\n" \ +"0ljf4jYtlza7s5mYJ2+OHlwdXuF38cpS59cG48UpsL0DAqywqjs5uaGthkrWo2YB\n" \ +"FlAL4bVfBj2FmcqNhz+j3dgLTNA3VczwkNbj/FIY1T+FDTqnsCED\n" \ +"-----END CERTIFICATE-----"; + +const std::string ISSUER_CERT_CHAIN_PEM = +"-----BEGIN CERTIFICATE-----\n" \ +"MIIDyzCCArOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJDTjET\n" \ +"MBEGA1UECAwKaGVsbG93b3JsZDETMBEGA1UECgwKaGVsbG93b3JsZDETMBEGA1UE\n" \ +"CwwKaGVsbG93b3JsZDEVMBMGA1UEAwwMaGVsbG93b3JsZDExMRkwFwYJKoZIhvcN\n" \ +"AQkBFgpoZWxsb3dvcmxkMB4XDTIyMDEyMjA5MjUzM1oXDTMyMDEyMDA5MjUzM1ow\n" \ +"fzELMAkGA1UEBhMCQ04xEzARBgNVBAgMCmhlbGxvd29ybGQxEzARBgNVBAoMCmhl\n" \ +"bGxvd29ybGQxEzARBgNVBAsMCmhlbGxvd29ybGQxFjAUBgNVBAMMDWhlbGxvd29y\n" \ +"bGQxMTExGTAXBgkqhkiG9w0BCQEWCmhlbGxvd29ybGQwggEiMA0GCSqGSIb3DQEB\n" \ +"AQUAA4IBDwAwggEKAoIBAQC8HHhVEbY3uuriW3wAcAMFwIUd+VImAUKnWAYlsiHL\n" \ +"Ps3BhpHHb67kjzP3rcQbZ2l1LSMWjoV8jXckVMOFqOlTlrYlGM3G80bVaWcEgw4c\n" \ +"+nkSk+ApGmNUa69HK3h+5vfz81fVmJL1zX0VaYiA+wCzrFc1w5aGKhsFIcIY8FUo\n" \ +"i15xrwAURQ+/EylzeF302qGwkCHYy4zQqn3ohku25rPLUOyOp6gJNs/3BVh76b9/\n" \ +"1iTyP7ldDD7VV4UQCTDppFtrDQY/UrBhe9sPn0+6GWBfkkjz5n1aGE7JP2vmB3qM\n" \ +"gxIpEkmVLVIxh6dwBOmtr+sT7xJ+UzmTWbbhNGCkzSPxAgMBAAGjUzBRMB0GA1Ud\n" \ +"DgQWBBSDTqp6QOdxk9zF2H+7IGOckq/A1DAfBgNVHSMEGDAWgBRNYAEJlwxPOj5F\n" \ +"B7M4mTsMpokRLzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB4\n" \ +"CkKbJQWuC2pj0cS+zb4v8fRq8OPjRVPylqjHX4IMpmnl2VM0DkNXD0SYPC5IxkK4\n" \ +"bgtglG0Rkr4blYf+PdNenbebWZvw4Y3JUoQgSasfdIA/rJXZtf3mVUNLmPlcRWZC\n" \ +"OtGJmvlntp7/qWl7JCIaiD732baJU1DZchy3am2WWGpchBESBOtoSvdywG+T0xQQ\n" \ +"cXzYQ+mHPsym30JCzChvZCKz+QJlIZUJ3XgoKH7MVviASXGcWLKOBYYUDt3J8/PM\n" \ +"shbsqb+rm+VqU5ohV8Rr/nQ+QLvEFa8rrz7qY6/2QSbUy7QvFCv7MXFD1kCH92FL\n" \ +"GwkmWDavM1kdVMXZmV54\n" \ 
+"-----END CERTIFICATE-----"; + +const std::string INTER_CA_CHAIN_PEM = +"-----BEGIN CERTIFICATE-----\n" \ +"MIID3zCCAsegAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBkjELMAkGA1UEBhMCQ04x\n" \ +"EzARBgNVBAgMCmhlbGxvd29ybGQxEzARBgNVBAcMCmhlbGxvd29ybGQxEzARBgNV\n" \ +"BAoMCmhlbGxvd29ybGQxEzARBgNVBAsMCmhlbGxvd29ybGQxFDASBgNVBAMMC2hl\n" \ +"bGxvd29ybGQxMRkwFwYJKoZIhvcNAQkBFgpoZWxsb3dvcmxkMB4XDTIyMDEyMjA5\n" \ +"MjM0OFoXDTMyMDEyMDA5MjM0OFowfjELMAkGA1UEBhMCQ04xEzARBgNVBAgMCmhl\n" \ +"bGxvd29ybGQxEzARBgNVBAoMCmhlbGxvd29ybGQxEzARBgNVBAsMCmhlbGxvd29y\n" \ +"bGQxFTATBgNVBAMMDGhlbGxvd29ybGQxMTEZMBcGCSqGSIb3DQEJARYKaGVsbG93\n" \ +"b3JsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALTJF+SAh/ccmcxF\n" \ +"+le0m8Wx7N9kclMYoUVGyJOPDv0L9kE/1hg9HEavCBWal9ZK69r+i1YiH18Y0F5o\n" \ +"AuqP0teedDByPii8IaDquJKZ1hlMi13vPY1cgUcG77cKzC5TMlmNTLes0ddn9/lY\n" \ +"4ajl4kgUr3bCEXlp4uhBQPYlntujctcjmEdMtcJQmhHpr2Js9cq2kZney59ae5kk\n" \ +"LCzpFqpj7cunz5Rs3RZs1+Njw5oABS18qAy1CEBnecLOi6lIPvIckngBHduwczOM\n" \ +"5YBBXeqOeNk7FWTiIf5MuXlqOSlZ57Wp8SqfDzwS49awwI9dvGpjgyGh3ZQA5TXX\n" \ +"GGIsn5cCAwEAAaNTMFEwHQYDVR0OBBYEFE1gAQmXDE86PkUHsziZOwymiREvMB8G\n" \ +"A1UdIwQYMBaAFJp3c+VFpGlC/r/UiPCozoH1UcgMMA8GA1UdEwEB/wQFMAMBAf8w\n" \ +"DQYJKoZIhvcNAQELBQADggEBAArLbWZWG3cHuCnMBGo28F0KVKctxjLVOCzDhKnH\n" \ +"IusLVqTnZ7AHeUU56NyoRfSRSIEJ2TNXkHO8MyxNN3lP4RapQavOvENLE99s269I\n" \ +"suLPCp3k6znJX1ZW7MIrSp7Bz+6rBTuh2H874H/BcvPXaCZB4X3Npjfu4tRcKEtS\n" \ +"JKdVmIlotjX1qM5eYHY5BDSR0MvRYvSlH7/wA9FEGJ8GHI7vaHxIMxf4+OOz+E4w\n" \ +"qKIZZfYeVBdEpZvfVGHRbS5dEofqc4NthlObTWlwAIhFgTzLqy8y2Y2jDWcJk91/\n" \ +"y9u8F1jQAuoemDCY5BalZ+Bn0eZQQHlXujwyZfoIK+oCuUo=\n" \ +"-----END CERTIFICATE-----"; + +const uint8_t CHALLENGE[] = { + 0xe2, 0x2, 0xf4, 0x41, 0xb6, 0xe, 0x7d, 0xf3, + 0xaa, 0x57, 0xb4, 0x59, 0x68, 0xe2, 0x1f, 0x9, + 0x36, 0x8, 0x83, 0xf7, 0x84, 0x9b, 0x8f, 0x8e, + 0x34, 0x30, 0x8b, 0xbc, 0xf8, 0x15, 0xa1, 0x45 +}; + +static ByteBuffer g_issuerCert; +static ByteBuffer g_signingCert; +static ByteBuffer g_interCA; +static ByteBuffer g_invalidCert; 
+static ByteBuffer g_rootCA; + +static inline uint8_t *CastToUint8Ptr(uint32_t *ptr) +{ + return reinterpret_cast(ptr); +} + +static X509 *LoadPemString(const std::string &pemData) +{ + BIO *mem = BIO_new_mem_buf(pemData.c_str(), pemData.length()); + if (mem == nullptr) { + return nullptr; + } + + X509 *x509 = PEM_read_bio_X509(mem, nullptr, nullptr, nullptr); + EXPECT_NE(x509, nullptr); + BIO_free(mem); + return x509; +} + +void LoadDerFormPemString(const std::string &pemData, ByteBuffer &certBuffer) +{ + X509 *x509 = LoadPemString(pemData); + uint8_t *derTemp = nullptr; + int32_t derTempLen = i2d_X509(x509, &derTemp); + EXPECT_NE(derTemp, nullptr); + if (derTempLen < 0) { + X509_free(x509); + return; + } + + certBuffer.CopyFrom(derTemp, static_cast(derTempLen)); + + X509_free(x509); + OPENSSL_free(derTemp); +} + +static void FormattedCertChain(const std::vector &certChain, ByteBuffer &buffer) +{ + uint32_t certsCount = certChain.size(); + uint32_t totalLen = sizeof(uint32_t); + for (uint32_t i = 0; i < certsCount; i++) { + totalLen += sizeof(uint32_t) + certChain[i].GetSize(); + } + buffer.Resize(totalLen); + if (!buffer.PutData(0, CastToUint8Ptr(&certsCount), sizeof(uint32_t))) { + return; + } + uint32_t pos = sizeof(uint32_t); + for (uint32_t i = 0; i < certsCount; i++) { + uint32_t size = certChain[i].GetSize(); + if (!buffer.PutData(pos, CastToUint8Ptr(&size), sizeof(uint32_t))) { + return; + } + pos += sizeof(uint32_t); + if (!buffer.PutData(pos, certChain[i].GetBuffer(), certChain[i].GetSize())) { + return; + } + pos += certChain[i].GetSize(); + } +} + +class CertChainVerifierTest : public testing::Test { +public: + CertChainVerifierTest() {}; + virtual ~CertChainVerifierTest() {}; + static void SetUpTestCase() + { + LoadDerFormPemString(SIGNING_CERT_CHAIN_PEM, g_signingCert); + LoadDerFormPemString(ISSUER_CERT_CHAIN_PEM, g_issuerCert); + LoadDerFormPemString(INTER_CA_CHAIN_PEM, g_interCA); + // fake root CA, no use in verifying + uint8_t tmp = 0; + 
g_rootCA.CopyFrom(&tmp, sizeof(tmp));
+ g_invalidCert.CopyFrom(&tmp, sizeof(tmp));
+ }
+ static void TearDownTestCase() {};
+ void SetUp() {};
+ void TearDown() {};
+};
+
+/**
+ * @tc.name: CertChainVerifierTest_001
+ * @tc.desc: Get chain from empty buffer
+ * @tc.type: Func
+ * @tc.require: IAJ4QG
+ */
+HWTEST_F(CertChainVerifierTest, CertChainVerifierTest_001, TestSize.Level0)
+{
+ ByteBuffer cert, challenge, certBuffer;
+ EXPECT_EQ(GetVerifiedCert(cert, challenge, certBuffer), false);
+}
+
+/**
+ * @tc.name: CertChainVerifierTest_0002
+ * @tc.desc: Get chain from empty cert chain
+ * @tc.type: Func
+ * @tc.require: IAJ4QG
+ */
+HWTEST_F(CertChainVerifierTest, CertChainVerifierTest_002, TestSize.Level0)
+{
+ ByteBuffer cert, challenge, certBuffer;
+ uint32_t count = 0;
+ cert.CopyFrom(reinterpret_cast(&count), sizeof(count));
+ EXPECT_EQ(GetVerifiedCert(cert, challenge, certBuffer), false);
+}
+
+
+/**
+ * @tc.name: CertChainVerifierTest_0003
+ * @tc.desc: Get chain from invalid formatted buffer
+ * @tc.type: Func
+ * @tc.require: IAJ4QG
+ */
+HWTEST_F(CertChainVerifierTest, CertChainVerifierTest_003, TestSize.Level0)
+{
+ ByteBuffer cert, challenge, certBuffer;
+ std::vector tmpBuffer = {0};
+ cert.CopyFrom(reinterpret_cast(tmpBuffer.data()), tmpBuffer.size() * sizeof(uint32_t));
+ EXPECT_EQ(GetVerifiedCert(cert, challenge, certBuffer), false);
+
+ // one cert in cert chain, classify as root CA
+ tmpBuffer[0] = 1;
+ // load issuer failed
+ cert.CopyFrom(reinterpret_cast(tmpBuffer.data()), tmpBuffer.size() * sizeof(uint32_t));
+ EXPECT_EQ(GetVerifiedCert(cert, challenge, certBuffer), false);
+
+ // two certs in cert chain
+ tmpBuffer[0] = 2;
+ // cert size
+ tmpBuffer.push_back(sizeof(uint32_t));
+ cert.CopyFrom(reinterpret_cast(tmpBuffer.data()), tmpBuffer.size() * sizeof(uint32_t));
+ // no content to load cert, convert from formatted buffer failed
+ EXPECT_EQ(GetVerifiedCert(cert, challenge, certBuffer), false);
+
+ // fill issuer
+ tmpBuffer.push_back(0);
+
cert.CopyFrom(reinterpret_cast(tmpBuffer.data()), tmpBuffer.size() * sizeof(uint32_t));
+ // invalid content, convert content to x509 failed
+ EXPECT_EQ(GetVerifiedCert(cert, challenge, certBuffer), false);
+}
+
+/**
+ * @tc.name: CertChainVerifierTest_0004
+ * @tc.desc: Get verified failed with invalid issuer format
+ * @tc.type: Func
+ * @tc.require: IAJ4QG
+ */
+HWTEST_F(CertChainVerifierTest, CertChainVerifierTest_004, TestSize.Level0)
+{
+ ByteBuffer formattedCert, challenge, certBuffer;
+ std::vector certs;
+ certs.push_back(g_signingCert);
+ certs.push_back(g_invalidCert);
+ certs.push_back(g_interCA);
+ certs.push_back(g_rootCA);
+ FormattedCertChain(certs, formattedCert);
+ EXPECT_EQ(GetVerifiedCert(formattedCert, challenge, certBuffer), false);
+}
+
+/**
+ * @tc.name: CertChainVerifierTest_0005
+ * @tc.desc: Get verified failed with invalid interCA format
+ * @tc.type: Func
+ * @tc.require: IAJ4QG
+ */
+HWTEST_F(CertChainVerifierTest, CertChainVerifierTest_005, TestSize.Level0)
+{
+ ByteBuffer formattedCert, challenge, certBuffer;
+ std::vector certs;
+ certs.push_back(g_signingCert);
+ certs.push_back(g_issuerCert);
+ certs.push_back(g_invalidCert);
+ certs.push_back(g_rootCA);
+ FormattedCertChain(certs, formattedCert);
+ EXPECT_EQ(GetVerifiedCert(formattedCert, challenge, certBuffer), false);
+}
+
+/**
+ * @tc.name: CertChainVerifierTest_0006
+ * @tc.desc: verifying issuer cert failed
+ * @tc.type: Func
+ * @tc.require: IAJ4QG
+ */
+HWTEST_F(CertChainVerifierTest, CertChainVerifierTest_006, TestSize.Level0)
+{
+ ByteBuffer formattedCert, challenge, certBuffer;
+ std::vector certs;
+ certs.push_back(g_signingCert);
+ certs.push_back(g_signingCert);
+ certs.push_back(g_interCA);
+ certs.push_back(g_rootCA);
+ FormattedCertChain(certs, formattedCert);
+ EXPECT_EQ(GetVerifiedCert(formattedCert, challenge, certBuffer), false);
+}
+
+/**
+ * @tc.name: CertChainVerifierTest_0007
+ * @tc.desc: verify signing cert failed
+ * @tc.type: Func
+ * @tc.require:
IAJ4QG
+ */
+HWTEST_F(CertChainVerifierTest, CertChainVerifierTest_007, TestSize.Level0)
+{
+ ByteBuffer challenge;
+ //parse pub key of failed
+ EXPECT_EQ(VerifyCertAndExtension(nullptr, nullptr, challenge), false);
+
+ X509 *signingCert = LoadPemString(SIGNING_CERT_CHAIN_PEM);
+ X509 *issuerCert = LoadPemString(ISSUER_CERT_CHAIN_PEM);
+ // verify signature failed
+ EXPECT_EQ(VerifyCertAndExtension(issuerCert, signingCert, challenge), false);
+
+ // verify extension failed
+ const char *invalidChallenge = "invalid";
+ challenge.CopyFrom(reinterpret_cast(invalidChallenge),
+ sizeof(invalidChallenge));
+ EXPECT_EQ(VerifyCertAndExtension(signingCert, issuerCert, challenge), false);
+
+ // verify extension success
+ challenge.CopyFrom(CHALLENGE, sizeof(CHALLENGE));
+ EXPECT_EQ(VerifyCertAndExtension(signingCert, issuerCert, challenge), true);
+ X509_free(signingCert);
+ X509_free(issuerCert);
+}
+
+/**
+ * @tc.name: CertChainVerifierTest_0008
+ * @tc.desc: verifying issuer cert success
+ * @tc.type: Func
+ * @tc.require: IAJ4QG
+ */
+HWTEST_F(CertChainVerifierTest, CertChainVerifierTest_008, TestSize.Level0)
+{
+ ByteBuffer formattedCert, challenge, certBuffer;
+ std::vector certs;
+ certs.push_back(g_signingCert);
+ certs.push_back(g_issuerCert);
+ certs.push_back(g_interCA);
+ certs.push_back(g_rootCA);
+ FormattedCertChain(certs, formattedCert);
+ // verify extension success
+ challenge.CopyFrom(CHALLENGE, sizeof(CHALLENGE));
+ EXPECT_EQ(GetVerifiedCert(formattedCert, challenge, certBuffer), true);
+}
+
+} // namespace CodeSign
+} // namespace Security
+} // namespace OHOS
\ No newline at end of file
diff --git a/test/unittest/code_sign_utils_in_c_test.cpp b/test/unittest/code_sign_utils_in_c_test.cpp
index 261b1dd1453e1e6225902b2b3e020288798836e0..58e17b9eb4e8113afbe9179215b0dba0ba552285 100644
--- a/test/unittest/code_sign_utils_in_c_test.cpp
+++ b/test/unittest/code_sign_utils_in_c_test.cpp
@@ -77,6 +77,72 @@ HWTEST_F(CodeSignUtilsInCTest, CodeSignUtilsInCTest_0001, TestSize.Level0)
 entryMapEntry = nullptr;
 entryMapEntryData = nullptr;
 }
+
+/**
+ * @tc.name: CodeSignUtilsInCTest_0002
+ * @tc.desc: enable code signature for app with the c interface, nullptr
+ * @tc.type: Func
+ * @tc.require:
+ */
+HWTEST_F(CodeSignUtilsInCTest, CodeSignUtilsInCTest_0002, TestSize.Level0)
+{
+ std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/demo_with_code_sign_block.hap";
+ int32_t ret = EnforceCodeSignForApp(nullptr, nullptr, FILE_ALL);
+ EXPECT_EQ(ret, CS_ERR_PARAM_INVALID);
+
+ ret = EnforceCodeSignForApp(hapRealPath.c_str(), nullptr, FILE_ALL);
+ EXPECT_EQ(ret, CS_ERR_PARAM_INVALID);
+}
+
+/**
+ * @tc.name: CodeSignUtilsInCTest_0003
+ * @tc.desc: enable code signature for app with the c interface, entryMapEntry is nullptr
+ * @tc.type: Func
+ * @tc.require:
+ */
+HWTEST_F(CodeSignUtilsInCTest, CodeSignUtilsInCTest_0003, TestSize.Level0)
+{
+ std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/demo_with_code_sign_block.hap";
+ std::string filePath1("libs/arm64-v8a/libc++_shared.so");
+ std::string targetPath1 = APP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/code_sign_block/libc++_shared.so";
+ std::string filePath2("libs/arm64-v8a/libentry.so");
+ std::string targetPath2 = APP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/code_sign_block/libentry.so";
+
+ EntryMapEntryData *entryMapEntryData = static_cast(malloc(sizeof(EntryMapEntryData)));
+ (void)memset_s(entryMapEntryData, sizeof(EntryMapEntryData), 0, sizeof(EntryMapEntryData));
+
+ int32_t length = sizeof(EntryMapEntry) * ENTRYMAP_COUNT;
+ EntryMapEntry *entryMapEntry = static_cast(malloc(length));
+ (void)memset_s(entryMapEntry, length, 0, length);
+
+ entryMapEntry[0].key = nullptr;
+ entryMapEntry[0].value = nullptr;
+ entryMapEntry[1].key = nullptr;
+ entryMapEntry[1].value = nullptr;
+
+ entryMapEntryData->count = ENTRYMAP_COUNT;
+ entryMapEntryData->entries =
entryMapEntry;
+
+ int32_t ret = EnforceCodeSignForApp(hapRealPath.c_str(), entryMapEntryData, FILE_ALL);
+ EXPECT_EQ(ret, CS_ERR_PARAM_INVALID);
+
+ entryMapEntry[0].key = const_cast(filePath1.c_str());
+ entryMapEntryData->entries = entryMapEntry;
+
+ ret = EnforceCodeSignForApp(hapRealPath.c_str(), entryMapEntryData, FILE_ALL);
+ EXPECT_EQ(ret, CS_ERR_PARAM_INVALID);
+
+ entryMapEntry[0].value = const_cast(targetPath1.c_str());
+ entryMapEntryData->entries = entryMapEntry;
+
+ ret = EnforceCodeSignForApp(hapRealPath.c_str(), entryMapEntryData, FILE_ALL);
+ EXPECT_EQ(ret, CS_ERR_PARAM_INVALID);
+
+ free(entryMapEntry);
+ free(entryMapEntryData);
+ entryMapEntry = nullptr;
+ entryMapEntryData = nullptr;
+}
 } // namespace CodeSign
 } // namespace Security
 } // namespace OHOS
diff --git a/test/unittest/key_enable_utils_test.cpp b/test/unittest/key_enable_utils_test.cpp
index 656863ebd9a53c8468b446a1e6ba7f3ea0b19824..356c9345bba1a69b61dd7b73452f5025e35b1ddb 100644
--- a/test/unittest/key_enable_utils_test.cpp
+++ b/test/unittest/key_enable_utils_test.cpp
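Review bot: In CodeSignUtilsInCTest_0003 both `malloc` results are handed to `memset_s` and then dereferenced with no null check, and the buffers are released only by the `free` calls at the end of the body. The test needs nothing more than zero-initialised structures, so automatic storage removes both concerns: `EntryMapEntry entryMapEntry[ENTRYMAP_COUNT] = {};` and `EntryMapEntryData entryMapEntryData = {};`, then set `count` and `entries` as before and pass `&entryMapEntryData`. `filePath2` and `targetPath2` are declared but never used; either drop them or use them for a further case in which entry 1 has a key but no value, so that the per-entry validation is exercised on both slots.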
@@ -46,6 +46,36 @@ HWTEST_F(KeyEnableUtilsTest, KeyEnableUtilsTest_0001, TestSize.Level0)
 {
 EXPECT_EQ(IsRdDevice(), true);
 }
+
+/**
+ * @tc.name: KeyEnableUtilsTest_0002
+ * @tc.desc: check efuse status
+ * @tc.type: Func
+ * @tc.require: issueI8FCGF
+ */
+HWTEST_F(KeyEnableUtilsTest, KeyEnableUtilsTest_0002, TestSize.Level0)
+{
+ std::string str = "efuse_status=0";
+ char *buf = const_cast(str.c_str());
+ ssize_t bunLen = 0;
+ int32_t ret = CheckEfuseStatus(buf, bunLen);
+ EXPECT_EQ(ret, false);
+}
+
+/**
+ * @tc.name: KeyEnableUtilsTest_0002
+ * @tc.desc: check efuse status
+ * @tc.type: Func
+ * @tc.require: issueI8FCGF
+ */
+HWTEST_F(KeyEnableUtilsTest, KeyEnableUtilsTest_0002, TestSize.Level0)
+{
+ std::string str = "efuse_status=1";
+ char *buf = const_cast(str.c_str());
+ ssize_t bunLen = 0;
+ int32_t ret = CheckEfuseStatus(buf, bunLen);
+ EXPECT_EQ(ret, true);
+}
 } // namespace CodeSign
 } // namespace Security
 } // namespace OHOS
diff --git a/test/unittest/resources/ohos_test.xml b/test/unittest/resources/ohos_test.xml
index da43cbac627712d581d078649104a02145b45397..1452baccfe88282ecd03e3df5eaaeb3b607b7a41 100644
--- a/test/unittest/resources/ohos_test.xml
+++ b/test/unittest/resources/ohos_test.xml
@@ -97,7 +97,23 @@
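Review bot: The second added test in key_enable_utils_test.cpp reuses the name `KeyEnableUtilsTest_0002`, so the fixture/test pair is defined twice and the file is expected to fail to compile with gtest-style macros; rename it to `KeyEnableUtilsTest_0003` in both the `HWTEST_F` line and its `@tc.name`. Both tests also pass `bunLen = 0` as the length, so they say nothing about how `CheckEfuseStatus` bounds its read of the buffer, and the second one expecting `true` suggests the length is not what limits parsing (the function is not visible here, so this is an inference). For a value that presumably gates a security-relevant device state, pass the real size, `ssize_t bufLen = static_cast<ssize_t>(str.length());`, and add a case with a truncated length that must not report `true`.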