Nintendo Switch Brew

TSEC: Difference between revisions

← Older editNewer edit →
No edit summary
No edit summary
Line 5,277: Line 5,277:
!  Description
!  Description
|-
|-
| 0 || Secure Keyable (forced set if bit1 is set; once cleared, cannot be set again)
| 0 || [[#Secure Keyable|Secure Keyable]]
|-
|-
| 1 || Secure Readable (once cleared, cannot be set again)
| 1 || [[#Secure Readable|Secure Readable]]
|-
|-
| 2 || Keyable (forced set if bit3 is set; forced clear if bit0 is clear; can be toggled back and forth)
| 2 || [[#Insecure Keyable|Insecure Keyable]]
|-
|-
| 3 || Readable (forced clear if bit1 is clear; can be toggled back and forth)
| 3 || [[#Insecure Readable|Insecure Readable]]
|-
|-
| 4 || Writeable (can be toggled back and forth)
| 4 || [[#Insecure Writeable|Insecure Writeable]]
|}
|}


On boot, the ACL is 0x1F for all $cX.
On boot, every crypto register has an ACL value of 0x1F.


Loading into $cX using xdst instruction sets ACL($cX) to 0x13 and 0x1F, for heavy secure and non-secure mode respectively.
In HS mode, [[#STORE|STORE]] can always write to a crypto register and resets its ACL value back to 0x1F. In NS mode, [[#STORE|STORE]] can only write to a crypto register if it has the [[#Insecure Writeable|Insecure Writeable]] access mode.


Spilling a $cX to DMEM using xdld instruction is allowed if (ACL($cX) & 2) or (ACL($cX) & 8), for heavy secure and non-secure mode respectively.
In HS mode, [[#LOAD|LOAD]] can only retrieve a crypto register's value if it has the [[#Secure Readable|Secure Readable]] access mode. In NS mode, [[#LOAD|LOAD]] can only retrieve a crypto register's value if it has the [[#Insecure Readable|Insecure Readable]] and [[#Secure Readable|Secure Readable]] access modes.


Loading a secret into $cX sets a per-secret ACL, unconditionally.
Loading a secret into a crypto register sets a per-secret ACL, unconditionally.
 
==== Secure Keyable ====
Controls if a crypto register can be used as key in HS mode.
 
Forced set if the crypto register has [[#Secure Readable|Secure Readable]] access. Once cleared, this access mode cannot be set again.
 
==== Secure Readable ====
Controls if a crypto register can be read in HS mode.
 
Once cleared, this access mode cannot be set again.
 
==== Insecure Keyable ====
Controls if a crypto register can be used as key in NS mode.
 
Forced set if the crypto register has [[#Secure Readable|Insecure Readable]] access. This access mode cannot be set if the crypto register doesn't have [[#Secure Keyable|Secure Keyable]] access.
 
==== Insecure Readable ====
Controls if a crypto register can be read in NS mode.
 
This access mode cannot be set if the crypto register doesn't have [[#Secure Keyable|Secure Readable]] access.
 
==== Insecure Writeable ====
Controls if a crypto register can be written to in NS mode.
 
This access mode has no effect in HS mode.


=== Secrets ===
=== Secrets ===
Line 5,304: Line 5,329:
! Index || ACL || Description
! Index || ACL || Description
|-
|-
| 0x00 || 0x13 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
| 0x00 || 0x03 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
|-
|-
| 0x01 || 0x00 || Used by Falcon's [[#Secure BootROM|Secure BootROM]] for the signature generation algorithm.
| 0x01 || 0x00 || Used by Falcon's [[#Secure BootROM|Secure BootROM]] for the signature generation algorithm.
Line 5,314: Line 5,339:
| 0x04 || 0x00 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
| 0x04 || 0x00 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|-
|-
| 0x05 || 0x13 || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
| 0x05 || 0x03 || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
|-
|-
| 0x06 || 0x01 || Used by Falcon's [[#Secure BootROM|Secure BootROM]] as key to decrypt data during authentication (decided by bit 17 in the [[#SEC|SEC]] register).
| 0x06 || 0x01 || Used by Falcon's [[#Secure BootROM|Secure BootROM]] as key to decrypt data during authentication (decided by bit 17 in the [[#SEC|SEC]] register).
Line 5,322: Line 5,347:
| 0x08 || 0x00 ||
| 0x08 || 0x00 ||
|-
|-
| 0x09 || 0x13 || Used by nvhost_tsec firmware.
| 0x09 || 0x03 || Used by nvhost_tsec firmware.
|-
|-
| 0x0A || 0x01 ||
| 0x0A || 0x01 ||
Line 5,328: Line 5,353:
| 0x0B || 0x00 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
| 0x0B || 0x00 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|-
|-
| 0x0C || 0x13 ||
| 0x0C || 0x03 ||
|-
|-
| 0x0D || 0x01 ||
| 0x0D || 0x01 ||
Line 5,334: Line 5,359:
| 0x0E || 0x00 ||
| 0x0E || 0x00 ||
|-
|-
| 0x0F || 0x13 || Used by nvhost_tsec firmware.
| 0x0F || 0x03 || Used by nvhost_tsec firmware.
|-
|-
| 0x10 || 0x01 || Used by [1.0.0-5.1.0] nvhost_tsec firmware.
| 0x10 || 0x01 || Used by [1.0.0-5.1.0] nvhost_tsec firmware.
Line 5,340: Line 5,365:
| 0x11 || 0x00 ||
| 0x11 || 0x00 ||
|-
|-
| 0x12 || 0x13 ||
| 0x12 || 0x03 ||
|-
|-
| 0x13 || 0x01 ||
| 0x13 || 0x01 ||
Line 5,346: Line 5,371:
| 0x14 || 0x00 ||
| 0x14 || 0x00 ||
|-
|-
| 0x15 || 0x13 || Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares.
| 0x15 || 0x03 || Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares.
|-
|-
| 0x16 || 0x01 ||
| 0x16 || 0x01 ||
Line 5,352: Line 5,377:
| 0x17 || 0x00 || Used by [11.0.0+] nvhost_tsec firmware.
| 0x17 || 0x00 || Used by [11.0.0+] nvhost_tsec firmware.
|-
|-
| 0x18 || 0x13 ||
| 0x18 || 0x03 ||
|-
|-
| 0x19 || 0x01 ||
| 0x19 || 0x01 ||
Line 5,358: Line 5,383:
| 0x1A || 0x00 ||
| 0x1A || 0x00 ||
|-
|-
| 0x1B || 0x13 ||
| 0x1B || 0x03 ||
|-
|-
| 0x1C || 0x01 ||
| 0x1C || 0x01 ||
Line 5,364: Line 5,389:
| 0x1D || 0x00 ||
| 0x1D || 0x00 ||
|-
|-
| 0x1E || 0x13 ||
| 0x1E || 0x03 ||
|-
|-
| 0x1F || 0x01 ||
| 0x1F || 0x01 ||
Line 5,370: Line 5,395:
| 0x20 || 0x00 ||
| 0x20 || 0x00 ||
|-
|-
| 0x21 || 0x13 ||
| 0x21 || 0x03 ||
|-
|-
| 0x22 || 0x01 ||
| 0x22 || 0x01 ||
Line 5,376: Line 5,401:
| 0x23 || 0x00 ||
| 0x23 || 0x00 ||
|-
|-
| 0x24 || 0x13 ||
| 0x24 || 0x03 ||
|-
|-
| 0x25 || 0x01 ||
| 0x25 || 0x01 ||
Line 5,382: Line 5,407:
| 0x26 || 0x00 || Used by [[TSEC_Firmware#KeygenLdr|KeygenLdr]] and [[TSEC_Firmware#SecureBoot|SecureBoot]]
| 0x26 || 0x00 || Used by [[TSEC_Firmware#KeygenLdr|KeygenLdr]] and [[TSEC_Firmware#SecureBoot|SecureBoot]]
|-
|-
| 0x27 || 0x13 ||
| 0x27 || 0x03 ||
|-
|-
| 0x28 || 0x01 ||
| 0x28 || 0x01 ||
Line 5,388: Line 5,413:
| 0x29 || 0x00 ||
| 0x29 || 0x00 ||
|-
|-
| 0x2A || 0x13 ||
| 0x2A || 0x03 ||
|-
|-
| 0x2B || 0x01 ||
| 0x2B || 0x01 ||
Line 5,394: Line 5,419:
| 0x2C || 0x00 ||
| 0x2C || 0x00 ||
|-
|-
| 0x2D || 0x13 ||
| 0x2D || 0x03 ||
|-
|-
| 0x2E || 0x01 ||
| 0x2E || 0x01 ||
Line 5,400: Line 5,425:
| 0x2F || 0x00 ||
| 0x2F || 0x00 ||
|-
|-
| 0x30 || 0x13 ||
| 0x30 || 0x03 ||
|-
|-
| 0x31 || 0x01 ||
| 0x31 || 0x01 ||
Line 5,406: Line 5,431:
| 0x32 || 0x00 ||
| 0x32 || 0x00 ||
|-
|-
| 0x33 || 0x13 ||
| 0x33 || 0x03 ||
|-
|-
| 0x34 || 0x01 ||
| 0x34 || 0x01 ||
Line 5,412: Line 5,437:
| 0x35 || 0x00 ||
| 0x35 || 0x00 ||
|-
|-
| 0x36 || 0x13 ||
| 0x36 || 0x03 ||
|-
|-
| 0x37 || 0x01 ||
| 0x37 || 0x01 ||
Line 5,418: Line 5,443:
| 0x38 || 0x00 ||
| 0x38 || 0x00 ||
|-
|-
| 0x39 || 0x13 ||
| 0x39 || 0x03 ||
|-
|-
| 0x3A || 0x01 ||
| 0x3A || 0x01 ||
Line 5,424: Line 5,449:
| 0x3B || 0x00 ||
| 0x3B || 0x00 ||
|-
|-
| 0x3C || 0x13 || Used by nvhost_tsec firmware.
| 0x3C || 0x03 || Used by nvhost_tsec firmware.
|-
|-
| 0x3D || 0x01 ||
| 0x3D || 0x01 ||
Retrieved from "https://switchbrew.org/wiki/TSEC"