Cryptosystem: Difference between revisions
→Table of used keyblobs: 6.0.0 |
→Versions: fix M1-M4 |
||
| (6 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
= BootROM = | |||
The bootrom initializes two keyslots in the hardware engine: | The bootrom initializes two keyslots in the hardware engine: | ||
| Line 48: | Line 48: | ||
} | } | ||
= Falcon coprocessor = | |||
The falcon processor (TSEC) generates a special console-unique key (that will be referred to as the "tsec key"). | The falcon processor (TSEC) generates a special console-unique key (that will be referred to as the "tsec key"). | ||
This is presumably using data stored in fuses that only microcode authenticated by NVidia has access to. | This is presumably using data stored in fuses that only microcode authenticated by NVidia has access to. | ||
= Package1ldr = | |||
== Key table == | |||
[1.0.0-3.0.2] During package1ldr: | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
| Line 84: | Line 83: | ||
|} | |} | ||
[1.0.0-3.0.2] After package1ldr: | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
| Line 107: | Line 105: | ||
|} | |} | ||
[4.0.0+] After package1ldr (Secure Monitor boot): | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
| Line 142: | Line 139: | ||
|} | |} | ||
[4.0.0+] After package1ldr (Secure Monitor runtime): | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
| Line 171: | Line 167: | ||
|} | |} | ||
[6.2.0+] After package1ldr/TSEC Payload (Secure Monitor boot): | |||
{| class="wikitable" border="1" | |||
|- | |||
! Keyslot | |||
! Name | |||
! Set by | |||
! Per-console | |||
! Per-firmware | |||
|- | |||
| 12 | |||
| TsecKey | |||
| [[TSEC#Payload|Package1ldr TSEC Firmware]] | |||
| Yes | |||
| No | |||
|- | |||
| 13 | |||
| TsecRootKey | |||
| [[TSEC#Payload|Package1ldr TSEC Firmware]] | |||
| No | |||
| Unknown | |||
|- | |||
| 14 | |||
| SecureBootKey | |||
| Bootrom | |||
| Yes | |||
| No | |||
|- | |||
| 15 | |||
| SecureStorageKey | |||
| Bootrom | |||
| Yes | |||
| No | |||
|} | |||
== Key generation == | |||
Note: aes_unwrap(wrapped_key, wrap_key) is just another name for a single AES-128 block decryption. | Note: aes_unwrap(wrapped_key, wrap_key) is just another name for a single AES-128 block decryption. | ||
| Line 217: | Line 245: | ||
.. and on 4.0.0 it was further moved around: | .. and on 4.0.0 it was further moved around: | ||
keyblob_key /* slot13 */ = aes_unwrap(aes_unwrap(wrapped_keyblob_key, tsec_key /* slot13 */), sbk /* slot14 */) | keyblob_key /* slot13 */ = aes_unwrap(aes_unwrap(wrapped_keyblob_key, tsec_key /* slot13 */), sbk /* slot14 */) | ||
cmac_key /* slot11 */ = aes_unwrap(59c7fb6f.., keyblob_key) | cmac_key /* slot11 */ = aes_unwrap(59c7fb6f.., keyblob_key) | ||
| Line 232: | Line 259: | ||
new_per_console_key /* slot13 */ = aes_unwrap(0c9109db.., old_keyblob_key) | new_per_console_key /* slot13 */ = aes_unwrap(0c9109db.., old_keyblob_key) | ||
per_console_key /* slot15 */ = aes_unwrap(4f025f0e.., old_keyblob_key) | per_console_key /* slot15 */ = aes_unwrap(4f025f0e.., old_keyblob_key) | ||
.. and on 6.2.0, they moved key generation out of package1ldr, and into the Secure Monitor's boot section: | |||
clear_keyslots_other_than_12_13_and_14() | |||
old_keyblob_key /* slot15 */ = aes_unwrap(aes_unwrap(df206f59.., tsec_key /* slot12 */), sbk /* slot14 */) | |||
/* Previously, master_kek was stored at keyblob+0x20) */ | |||
master_kek /* slot13 */ = aes_unwrap(374b7729.. /* probably firmware specific */, tsec_root_key /* slot13 */) | |||
clear_keyslot(12) | |||
// Final keys: | |||
new_master_key /* slot12 */ = aes_unwrap(2dc1f48d.., master_kek) | |||
master_key /* slot13 */ = aes_unwrap(normalseed_retail, master_kek) | |||
new_per_console_key /* slot14 */ = aes_unwrap(0c9109db.., old_keyblob_key) | |||
per_console_key /* slot15 */ = aes_unwrap(4f025f0e.., old_keyblob_key) | |||
SBK and SSK keyslots are cleared after keys have been generated. | SBK and SSK keyslots are cleared after keys have been generated. | ||
| Line 243: | Line 287: | ||
This means that if you have an attack on the bootloader, you need to re-preform it every time they move to a new keyblob. | This means that if you have an attack on the bootloader, you need to re-preform it every time they move to a new keyblob. | ||
Dumping the SBK and TSEC key of any single system should be enough to derive all key material on the system. | Dumping the SBK and TSEC key of any single system should be enough to derive all key material on the system, prior to 6.2.0. | ||
The key-derivation is described in more detail [[Package1#Key_generation|here]]. | The key-derivation is described in more detail [[Package1#Key_generation|here]]. | ||
=== Keyblob === | |||
There are 32 keyblobs written to NAND at factory, with each keyblob encrypted with a console-unique key derived from the console's SBK, the console's tsec key, and a constant specific to each keyblob. | There are 32 keyblobs written to NAND at factory, with each keyblob encrypted with a console-unique key derived from the console's SBK, the console's tsec key, and a constant specific to each keyblob. | ||
Despite being encrypted with console unique keys, though, the decrypted keyblob contents are shared for all consoles. | Despite being encrypted with console unique keys, though, the decrypted keyblob contents are shared for all consoles. | ||
Used keyblobs are as follows: | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
| Line 300: | Line 324: | ||
| 1 | | 1 | ||
|- | |- | ||
| 6.0.0 | | 6.0.0-6.1.0 | ||
| 6 | | 6 | ||
| 1 | | 1 | ||
|} | |} | ||
== Secure Monitor Init | Starting from 6.2.0, key generation no longer uses keyblobs. | ||
=== Seeds === | |||
normalseed_retail = d8a2410a... | |||
[1.0.0] wrapped_keyblob_key = df206f59... | |||
[1.0.0] simpleseed_dev0 = aff11423... | |||
[1.0.0] simpleseed_dev1 = 5e177ee1... | |||
[1.0.0] normalseed_dev = 0542a0fd... | |||
[3.0.0] wrapped_keyblob_key = 0c25615d... | |||
[3.0.0] simpleseed_dev0 = de00216a... | |||
[3.0.0] simpleseed_dev1 = 2db7c0a1... | |||
[3.0.0] normalseed_dev = 678c5a03... | |||
[3.0.1] wrapped_keyblob_key = 337685ee... | |||
[3.0.1] simpleseed_dev0 = e045f5ba... | |||
[3.0.1] simpleseed_dev1 = 84d92e0d... | |||
[3.0.1] normalseed_dev = cd88155b... | |||
[4.0.0] wrapped_keyblob_key = 2d1f4880... | |||
=== Versions === | |||
The key generation system has historically been revised several times. Each version is bound to a specific BCT public key and can be identified by its first byte as follows: | |||
{| class="wikitable" border="1" | |||
|- | |||
! Version | |||
! BCT public key's first byte | |||
! Description | |||
|- | |||
| K1 | |||
| 0x11 | |||
| Erista prototype development | |||
|- | |||
| K2 | |||
| 0xFB | |||
| Erista prototype development | |||
|- | |||
| K3 | |||
| 0x4F | |||
| Erista prototype development | |||
|- | |||
| K4 | |||
| | |||
| Erista prototype retail | |||
|- | |||
| K5 | |||
| 0x37 | |||
| Erista development | |||
|- | |||
| K6 | |||
| 0xF7 | |||
| Erista retail | |||
|- | |||
| M1 | |||
| 0x19 | |||
| Mariko prototype development | |||
|- | |||
| M2 | |||
| 0xC3 | |||
| Mariko development | |||
|- | |||
| M3 | |||
| 0xDD | |||
| Mariko prototype retail (pre-6.0.0) | |||
|- | |||
| M4 | |||
| 0x9B | |||
| Mariko retail | |||
|} | |||
= Secure Monitor Init = | |||
On all versions, the key to decrypt [[Package2]] is generated by decrypting a constant seed with the master key. The key is erased after use. | On all versions, the key to decrypt [[Package2]] is generated by decrypting a constant seed with the master key. The key is erased after use. | ||
Additionally, starting from 4.0.0, the Secure Monitor init will decrypt another constant seed successively with a special per console key and a special static key passed by package1loader, to generate the firmware specific per-console key. The operation will erase these special keys passed by package1loader. | Additionally, starting from 4.0.0, the Secure Monitor init will decrypt another constant seed successively with a special per console key and a special static key passed by package1loader, to generate the firmware specific per-console key. The operation will erase these special keys passed by package1loader. | ||
= Secure Monitor = | |||
The secure monitor performs some runtime cryptographic operations. See [[SMC]] for what operations it provides. | The secure monitor performs some runtime cryptographic operations. See [[SMC]] for what operations it provides. | ||