Secure Monitor: Difference between revisions

(30 intermediate revisions by 4 users not shown)

Line 1:

= ~~Secure Monitor Calls~~ =

= SMC =

The secure monitor provides two top level handlers of which each provides a range of sub handlers.

Line 31:

| 0xC3000401 || SetConfig

|-

| 0xC3000002 || [[#GetConfig]] (same as in [[#FunctionId1]])

| 0xC3000002 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId1]])

|-

| 0xC3000003 || GetResult

Line 39:

| 0xC3000E05 || ModularExponentiate

|-

| 0xC3000006 || [[#GenerateRandomBytes]] (same as in [[#FunctionId1]])

| 0xC3000006 || [[#GenerateRandomBytes|GenerateRandomBytes]] (same as in [[#FunctionId1]])

|-

| 0xC3000007 || [[#GenerateAesKek]]

| 0xC3000007 || [[#GenerateAesKek|GenerateAesKek]]

|-

| 0xC3000008 || [[#LoadAesKey]]

| 0xC3000008 || [[#LoadAesKey|LoadAesKey]]

|-

| 0xC3000009 || [[#ComputeAes]]

| 0xC3000009 || [[#ComputeAes|ComputeAes]]

|-

| 0xC300000A || [[#GenerateSpecificAesKey]]

| 0xC300000A || [[#GenerateSpecificAesKey|GenerateSpecificAesKey]]

|-

| 0xC300040B || [[#ComputeCmac]]

| 0xC300040B || [[#ComputeCmac|ComputeCmac]]

|-

| [1.0.0-4.1.0] 0xC300100C || [[#DecryptAndImportEsDeviceKey]]

| [1.0.0-4.1.0] 0xC300100C || [[#DecryptAndImportEsDeviceKey|DecryptAndImportEsDeviceKey]]

|-

| [5.0.0+] 0xC300D60C || [[#ReencryptDeviceUniqueData]]

| [5.0.0+] 0xC300D60C || [[#ReencryptDeviceUniqueData|ReencryptDeviceUniqueData]]

|-

| 0xC300100D || [[#DecryptDeviceUniqueData]]

| 0xC300100D || [[#DecryptDeviceUniqueData|DecryptDeviceUniqueData]]

|-

| [1.0.0-4.1.0] 0xC300100E || [[#DecryptAndImportLotusKey]]

| [1.0.0-4.1.0] 0xC300100E || [[#DecryptAndImportLotusKey|DecryptAndImportLotusKey]]

|-

| 0xC300060F || [[#ModularExponentiateByStorageKey]]

| 0xC300060F || [[#ModularExponentiateByStorageKey|ModularExponentiateByStorageKey]]

|-

| 0xC3000610 || [[#PrepareEsDeviceUniqueKey]]

| 0xC3000610 || [[#PrepareEsDeviceUniqueKey|PrepareEsDeviceUniqueKey]]

|-

| 0xC3000011 || [[#LoadPreparedAesKey]]

| 0xC3000011 || [[#LoadPreparedAesKey|LoadPreparedAesKey]]

|-

| 0xC3000012 || [2.0.0+] [[#PrepareEsCommonKey]]

| 0xC3000012 || [2.0.0+] [[#PrepareEsCommonKey|PrepareEsCommonKey]]

|}

Line 77:

** This means: Plaintext kek keys never leave TrustZone.

** Further, this means: Actual AES/RSA keys never leave TrustZone.

=== GenerateRandomBytes ===

Takes an u64 '''Size'''. Returns [[#Result]] and '''RandomBytes'''.

'''Size''' is limited to 0x38 (for fitting in return registers).

=== GenerateAesKek ===

Line 155:

Line 160:

! Value || Name

|-

| 0xC4000001 || [[#SuspendCpu]]

| 0xC4000001 || [[#SuspendCpu|SuspendCpu]]

|-

| 0x84000002 || [[#PowerOffCpu]]

| 0x84000002 || [[#PowerOffCpu|PowerOffCpu]]

|-

| 0xC4000003 || [[#PowerOnCpu]]

| 0xC4000003 || [[#PowerOnCpu|PowerOnCpu]]

|-

| 0xC3000004 || [[#GetConfig]] (same as in [[#FunctionId0]])

| 0xC3000004 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId0]])

|-

| 0xC3000005 || [[#GenerateRandomBytes|~~GenerateRandomBytesNonBlock~~]] ~~(same as in [[#FunctionId0]])~~

| 0xC3000005 || [[#GenerateRandomBytes|GenerateRandomBytesNonBlocking]]

|-

| 0xC3000006 || [[#ShowError]]

| 0xC3000006 || [[#ShowError|ShowError]]

|-

| 0xC3000007 || [2.0.0+] [[#SetKernelCarveoutRegion]]

| 0xC3000007 || [2.0.0+] [[#SetKernelCarveoutRegion|SetKernelCarveoutRegion]]

|-

| 0xC3000008 || [2.0.0+] [[#ReadWriteRegister]]

| 0xC3000008 || [2.0.0+] [[#ReadWriteRegister|ReadWriteRegister]]

|}

Line 199:

Line 204:

| 1 || [[#DisableProgramVerification]]

|-

| 2 || [[#DramId]]

| 2 || [S1] [[#DramId]]

|-

| 3 || [[#SecurityEngineInterruptNumber]]

|-

| 4 || [[#FuseVersion]]

| 4 || [S1] [[#FuseVersion]]

|-

| 5 || [[#HardwareType]]

Line 209:

Line 214:

| 6 || [[#HardwareState]]

|-

| 7 || [[#IsRecoveryBoot]]

| 7 || [S1] [[#IsRecoveryBoot]]

|-

| 8 || [[#DeviceId]]

Line 221:

Line 226:

| 12 || [[#KernelConfiguration]]

|-

| 13 || [[#IsChargerHiZModeEnabled]]

| 13 || [S1] [[#IsChargerHiZModeEnabled]]

|-

| 14 || [4.0.0+] [[#~~IsQuest~~]]

| 14 || [4.0.0+] [[#RetailInteractiveDisplayState]]

|-

| 15 || [5.0.0+] [[#RegulatorType]]

| 15 || [S1] [5.0.0+] [[#RegulatorType]]

|-

| 16 || [5.0.0+] [[#DeviceUniqueKeyGeneration]]

|-

| 17 || [5.0.0+] [[#Package2Hash]]

|-

| 18 || [S2]

|-

| 19 || [S2]

|-

| 256-280 || [S2] [[#Bcc]]

|}

Line 251:

Line 262:

|-

| 3

| ~~Reserved~~

| [11.0.0+] MarikoIowaHynix1y4gb ([1.0.0-10.2.0] EristaCopperSamsung4gb)

|-

| 4

Line 257:

Line 268:

|-

| 5

| [4.0.0+] ~~Reserved~~

| [12.0.0+] MarikoHoagHynix1y4gb ([4.0.0-11.0.1] EristaCopperHynix4gb)

|-

| 6

| [4.0.0+] ~~Reserved~~

| [13.0.0+] MarikoAulaHynix1y4gb ([4.0.0-12.1.0] EristaCopperMicron4gb)

|-

| 7

| [5.0.0+] MarikoIowax1x2Samsung4gb ([4.0.0-4.1.0] Reserved)

| [15.0.0+] Reserved ([5.0.0-14.1.2] MarikoIowax1x2Samsung4gb, [4.0.0-4.1.0] Reserved)

|-

| 8

Line 290:

Line 301:

|-

| 16

| [8.0.0+] MarikoIowaSamsung4gbY

| [15.0.0+] Reserved ([8.0.0-14.1.2] MarikoIowaSamsung4gbY)

|-

| 17

Line 302:

Line 313:

|-

| 20

| [9.0.0+] MarikoIowaSamsung1y4gbY

| [14.0.0+] MarikoIowaSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y4gbY)

|-

| 21

| [9.0.0+] MarikoIowaSamsung1y8gbY

| [14.0.0+] MarikoHoagSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y8gbY)

|-

| 22

| [9.0.0+] ~~MarikoIowaSamsung1y4gbA~~

| [14.0.0+] MarikoAulaSamsung1z4gb ([13.0.0-13.2.1] Reserved, [9.0.0-12.1.0] MarikoAulaSamsung1y4gb)

|-

| 23

| [10.0.0+] ~~MarikoUnkSamsung1y8gbX~~

| [10.0.0+] MarikoHoagSamsung1y8gbX

|-

| 24

| [10.0.0+] ~~MarikoUnkSamsung1y4gbX~~

| [10.0.0+] MarikoAulaSamsung1y4gbX

|-

| 25

| [11.0.0+] MarikoIowaMicron1y4gb

|-

| 26

| [11.0.0+] MarikoHoagMicron1y4gb

|-

| 27

| [11.0.0+] MarikoAulaMicron1y4gb

|-

| 28

| [11.0.0+] MarikoAulaSamsung1y8gbX

|-

| 29

| [16.0.0+] MarikoIowaHynix1a4gb ([15.0.0-15.0.1] MarikoIowax1x2Samsung4gb)

|-

| 30

| [16.0.0+] MarikoHoagHynix1a4gb ([15.0.0-15.0.1] MarikoHoagx1x2Samsung4gb)

|-

| 31

| [16.0.0+] MarikoAulaHynix1a4gb ([15.0.0-15.0.1] MarikoAulax1x2Samsung4gb)

|-

| 32

| [16.0.0+] MarikoIowaMicron1a4gb ([15.0.0-15.0.1] MarikoIowaSamsung4gbY)

|-

| 33

| [16.0.0+] MarikoHoagMicron1a4gb ([15.0.0-15.0.1] MarikoHoagSamsung4gbY)

|-

| 34

| [16.0.0+] MarikoAulaMicron1a4gb ([15.0.0-15.0.1] MarikoAulaSamsung4gbY)

|}

Line 551:

Line 592:

'''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail, EDEV and SDEV form factors.

'''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is ~~a prototype unit~~. Among other differences, this has extra hardware to support HDMI output.

'''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is unreleased. Among other differences, this has extra hardware to support HDMI output.

[8.0.0+] '''nx-abcc''' ('''Hoag''') was added for the Lite retail and HDEV form factors.

[10.0.0+] '''nx-abcd''' was added.

[10.0.0+] '''nx-abcd''' ('''Aula''') was added for the OLED Model retail and ADEV form factors.

'''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X.

Line 563:

Line 604:

===== FuseVersion =====

The current [[Package2#Versions|~~Package1 Maxver Constant~~]] - 1.

The current [[Package2#Versions|bootloader maximum version]] - 1.

===== HardwareType =====

Line 579:

Line 620:

| 4 || [8.0.0+] Calcio

|-

| 5 || [10.0.0+] ~~Unknown~~

| 5 || [10.0.0+] Aula

|-

| 15 || Invalid

Line 590:

Line 631:

[7.0.0+] This item can now only be 0 (Icosa) or 15 (Invalid) in Erista units.

Hardware is '''Icosa''' (Erista retail, EDEV and SDEV) if ~~development flag~~ (bit 8) is ~~'''Retail'''~~ and ~~production flag~~ (bit 2) is ~~'''Production'''~~.

Hardware is '''Icosa''' (Erista retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 1 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 0.

Hardware is '''Copper''' (Erista ~~prototype~~) if ~~development flag~~ (bit 8) is ~~'''Development'''~~ and ~~production flag~~ (bit 2) is ~~'''Prototype'''~~.

Hardware is '''Copper''' (unreleased Erista model) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1.

[4.0.0+] Hardware is '''Iowa''' (Mariko retail, EDEV and SDEV) if ~~new hardware type~~ (bits 16-19) is ~~'''Iowa'''~~.

[4.0.0+] Hardware is '''Iowa''' (Mariko retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 1.

[8.0.0+] Hardware is '''Hoag''' (Mariko Lite retail and HDEV) if ~~new hardware type~~ (bits 16-19) is ~~'''Hoag'''~~.

[8.0.0+] Hardware is '''Hoag''' (Mariko Lite retail and HDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 2.

[8.0.0+] Hardware is '''Calcio''' (Mariko ~~prototype~~) if ~~development flag~~ (bit 8) is ~~'''Development'''~~ and ~~production flag~~ (bit 2) is ~~'''Prototype'''~~.

[8.0.0+] Hardware is '''Calcio''' (unreleased Mariko model) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1.

[10.0.0+] Hardware is '''~~Unknown~~''' if ~~new hardware type~~ (bits 16-19) is ~~0x4~~.

[10.0.0+] Hardware is '''Aula''' (Mariko OLED Model retail and ADEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 4.

===== HardwareState =====

Line 614:

Line 655:

This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].

Hardware is '''Development''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 3 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 0.

Hardware is '''Production''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 1.

===== IsRecoveryBoot =====

Line 705:

Line 750:

|-

| 2

| ~~PerformanceMonitoringUnit~~

| EnablePmuAccess

|-

| 3

| [8.0.0+] ~~EnableApplicationExtraThread~~

| [8.0.0+] EnableExtraThreadResourceAllocation

|-

| 4

| [13.0.0+] DisableDynamicSystemResourceAllocation

|-

| 8

Line 723:

Line 771:

'''EnableUserExceptionHandler''' is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).

'''~~PerformanceMonitoringUnit~~''' is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).

'''EnablePmuAccess''' is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).

'''~~EnableApplicationExtraThread~~''' is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.

'''EnableExtraThreadResourceAllocation''' is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.

'''CallShowErrorOnPanic''' is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.

Line 734:

Line 782:

This tells if the TI Charger (bq24192) is active.

===== ~~IsQuest~~ =====

===== RetailInteractiveDisplayState =====

{| class=wikitable

! Value || Description

|-

| 0 || Disabled

|-

| 1 || Enabled

|}

This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].

Line 772:

Line 828:

===== Package2Hash =====

This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.

===== Bcc =====

This is a 0x320 bytes buffer split across 25 items of 0x20 bytes each. When put together, these form a Boot Certificate Chain (BCC) for Switch 2 remote device attestation.

The format follows the [https://pigweed.googlesource.com/open-dice/+/HEAD/docs/specification.md Open Profile for DICE] from Google and includes the main DK_pub and the following entries (twice, likely for phases 2 and 3):

* codeHash (empty)

* configurationDescriptor ("Security version" set to 0)

* authorityHash (empty)

* mode ("Normal")

* keyUsage ("keyCertSign")

* subjectPublicKey (changes on reboot)

=== ShowError ===

@@ Line 1: / Line 1: @@
-= Secure Monitor Calls =
+= SMC =
 The secure monitor provides two top level handlers of which each provides a range of sub handlers.
@@ Line 31: / Line 31: @@
 | 0xC3000401 || SetConfig
 |-
-| 0xC3000002 || [[#GetConfig]] (same as in [[#FunctionId1]])
+| 0xC3000002 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId1]])
 |-
 | 0xC3000003 || GetResult
@@ Line 39: / Line 39: @@
 | 0xC3000E05 || ModularExponentiate
 |-
-| 0xC3000006 || [[#GenerateRandomBytes]] (same as in [[#FunctionId1]])
+| 0xC3000006 || [[#GenerateRandomBytes|GenerateRandomBytes]] (same as in [[#FunctionId1]])
 |-
-| 0xC3000007 || [[#GenerateAesKek]]
+| 0xC3000007 || [[#GenerateAesKek|GenerateAesKek]]
 |-
-| 0xC3000008 || [[#LoadAesKey]]
+| 0xC3000008 || [[#LoadAesKey|LoadAesKey]]
 |-
-| 0xC3000009 || [[#ComputeAes]]
+| 0xC3000009 || [[#ComputeAes|ComputeAes]]
 |-
-| 0xC300000A || [[#GenerateSpecificAesKey]]
+| 0xC300000A || [[#GenerateSpecificAesKey|GenerateSpecificAesKey]]
 |-
-| 0xC300040B || [[#ComputeCmac]]
+| 0xC300040B || [[#ComputeCmac|ComputeCmac]]
 |-
-| [1.0.0-4.1.0] 0xC300100C || [[#DecryptAndImportEsDeviceKey]]
+| [1.0.0-4.1.0] 0xC300100C || [[#DecryptAndImportEsDeviceKey|DecryptAndImportEsDeviceKey]]
 |-
-| [5.0.0+] 0xC300D60C || [[#ReencryptDeviceUniqueData]]
+| [5.0.0+] 0xC300D60C || [[#ReencryptDeviceUniqueData|ReencryptDeviceUniqueData]]
 |-
-| 0xC300100D || [[#DecryptDeviceUniqueData]]
+| 0xC300100D || [[#DecryptDeviceUniqueData|DecryptDeviceUniqueData]]
 |-
-| [1.0.0-4.1.0] 0xC300100E || [[#DecryptAndImportLotusKey]]
+| [1.0.0-4.1.0] 0xC300100E || [[#DecryptAndImportLotusKey|DecryptAndImportLotusKey]]
 |-
-| 0xC300060F || [[#ModularExponentiateByStorageKey]]
+| 0xC300060F || [[#ModularExponentiateByStorageKey|ModularExponentiateByStorageKey]]
 |-
-| 0xC3000610 || [[#PrepareEsDeviceUniqueKey]]
+| 0xC3000610 || [[#PrepareEsDeviceUniqueKey|PrepareEsDeviceUniqueKey]]
 |-
-| 0xC3000011 || [[#LoadPreparedAesKey]]
+| 0xC3000011 || [[#LoadPreparedAesKey|LoadPreparedAesKey]]
 |-
-| 0xC3000012 || [2.0.0+] [[#PrepareEsCommonKey]]
+| 0xC3000012 || [2.0.0+] [[#PrepareEsCommonKey|PrepareEsCommonKey]]
 |}
@@ Line 77: / Line 77: @@
 ** This means: Plaintext kek keys never leave TrustZone.
 ** Further, this means: Actual AES/RSA keys never leave TrustZone.
+=== GenerateRandomBytes ===
+Takes an u64 '''Size'''. Returns [[#Result]] and '''RandomBytes'''.
+'''Size''' is limited to 0x38 (for fitting in return registers).
 === GenerateAesKek ===
@@ Line 155: / Line 160: @@
 ! Value || Name
 |-
-| 0xC4000001 || [[#SuspendCpu]]
+| 0xC4000001 || [[#SuspendCpu|SuspendCpu]]
 |-
-| 0x84000002 || [[#PowerOffCpu]]
+| 0x84000002 || [[#PowerOffCpu|PowerOffCpu]]
 |-
-| 0xC4000003 || [[#PowerOnCpu]]
+| 0xC4000003 || [[#PowerOnCpu|PowerOnCpu]]
 |-
-| 0xC3000004 || [[#GetConfig]] (same as in [[#FunctionId0]])
+| 0xC3000004 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId0]])
 |-
-| 0xC3000005 || [[#GenerateRandomBytes|GenerateRandomBytesNonBlock]] (same as in [[#FunctionId0]])
+| 0xC3000005 || [[#GenerateRandomBytes|GenerateRandomBytesNonBlocking]]
 |-
-| 0xC3000006 || [[#ShowError]]
+| 0xC3000006 || [[#ShowError|ShowError]]
 |-
-| 0xC3000007 || [2.0.0+] [[#SetKernelCarveoutRegion]]
+| 0xC3000007 || [2.0.0+] [[#SetKernelCarveoutRegion|SetKernelCarveoutRegion]]
 |-
-| 0xC3000008 || [2.0.0+] [[#ReadWriteRegister]]
+| 0xC3000008 || [2.0.0+] [[#ReadWriteRegister|ReadWriteRegister]]
 |}
@@ Line 199: / Line 204: @@
 | 1 || [[#DisableProgramVerification]]
 |-
-| 2 || [[#DramId]]
+| 2 || [S1] [[#DramId]]
 |-
 | 3 || [[#SecurityEngineInterruptNumber]]
 |-
-| 4 || [[#FuseVersion]]
+| 4 || [S1] [[#FuseVersion]]
 |-
 | 5 || [[#HardwareType]]
@@ Line 209: / Line 214: @@
 | 6 || [[#HardwareState]]
 |-
-| 7 || [[#IsRecoveryBoot]]
+| 7 || [S1] [[#IsRecoveryBoot]]
 |-
 | 8 || [[#DeviceId]]
@@ Line 221: / Line 226: @@
 | 12 || [[#KernelConfiguration]]
 |-
-| 13 || [[#IsChargerHiZModeEnabled]]
+| 13 || [S1] [[#IsChargerHiZModeEnabled]]
 |-
-| 14 || [4.0.0+] [[#IsQuest]]
+| 14 || [4.0.0+] [[#RetailInteractiveDisplayState]]
 |-
-| 15 || [5.0.0+] [[#RegulatorType]]
+| 15 || [S1] [5.0.0+] [[#RegulatorType]]
 |-
 | 16 || [5.0.0+] [[#DeviceUniqueKeyGeneration]]
 |-
 | 17 || [5.0.0+] [[#Package2Hash]]
+|-
+| 18 || [S2]
+|-
+| 19 || [S2]
+|-
+| 256-280 || [S2] [[#Bcc]]
 |}
@@ Line 251: / Line 262: @@
 |-
 | 3
-| Reserved
+| [11.0.0+] MarikoIowaHynix1y4gb ([1.0.0-10.2.0] EristaCopperSamsung4gb)
 |-
 | 4
@@ Line 257: / Line 268: @@
 |-
 | 5
-| [4.0.0+] Reserved
+| [12.0.0+] MarikoHoagHynix1y4gb ([4.0.0-11.0.1] EristaCopperHynix4gb)
 |-
 | 6
-| [4.0.0+] Reserved
+| [13.0.0+] MarikoAulaHynix1y4gb ([4.0.0-12.1.0] EristaCopperMicron4gb)
 |-
 | 7
-| [5.0.0+] MarikoIowax1x2Samsung4gb ([4.0.0-4.1.0] Reserved)
+| [15.0.0+] Reserved ([5.0.0-14.1.2] MarikoIowax1x2Samsung4gb, [4.0.0-4.1.0] Reserved)
 |-
 | 8
@@ Line 290: / Line 301: @@
 |-
 | 16
-| [8.0.0+] MarikoIowaSamsung4gbY
+| [15.0.0+] Reserved ([8.0.0-14.1.2] MarikoIowaSamsung4gbY)
 |-
 | 17
@@ Line 302: / Line 313: @@
 |-
 | 20
-| [9.0.0+] MarikoIowaSamsung1y4gbY
+| [14.0.0+] MarikoIowaSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y4gbY)
 |-
 | 21
-| [9.0.0+] MarikoIowaSamsung1y8gbY
+| [14.0.0+] MarikoHoagSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y8gbY)
 |-
 | 22
-| [9.0.0+] MarikoIowaSamsung1y4gbA
+| [14.0.0+] MarikoAulaSamsung1z4gb ([13.0.0-13.2.1] Reserved, [9.0.0-12.1.0] MarikoAulaSamsung1y4gb)
 |-
 | 23
-| [10.0.0+] MarikoUnkSamsung1y8gbX
+| [10.0.0+] MarikoHoagSamsung1y8gbX
 |-
 | 24
-| [10.0.0+] MarikoUnkSamsung1y4gbX
+| [10.0.0+] MarikoAulaSamsung1y4gbX
+|-
+| 25
+| [11.0.0+] MarikoIowaMicron1y4gb
+|-
+| 26
+| [11.0.0+] MarikoHoagMicron1y4gb
+|-
+| 27
+| [11.0.0+] MarikoAulaMicron1y4gb
+|-
+| 28
+| [11.0.0+] MarikoAulaSamsung1y8gbX
+|-
+| 29
+| [16.0.0+] MarikoIowaHynix1a4gb ([15.0.0-15.0.1] MarikoIowax1x2Samsung4gb)
+|-
+| 30
+| [16.0.0+] MarikoHoagHynix1a4gb ([15.0.0-15.0.1] MarikoHoagx1x2Samsung4gb)
+|-
+| 31
+| [16.0.0+] MarikoAulaHynix1a4gb ([15.0.0-15.0.1] MarikoAulax1x2Samsung4gb)
+|-
+| 32
+| [16.0.0+] MarikoIowaMicron1a4gb ([15.0.0-15.0.1] MarikoIowaSamsung4gbY)
+|-
+| 33
+| [16.0.0+] MarikoHoagMicron1a4gb ([15.0.0-15.0.1] MarikoHoagSamsung4gbY)
+|-
+| 34
+| [16.0.0+] MarikoAulaMicron1a4gb ([15.0.0-15.0.1] MarikoAulaSamsung4gbY)
 |}
@@ Line 551: / Line 592: @@
 '''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail, EDEV and SDEV form factors.
-'''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is a prototype unit. Among other differences, this has extra hardware to support HDMI output.
+'''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is unreleased. Among other differences, this has extra hardware to support HDMI output.
 [8.0.0+] '''nx-abcc''' ('''Hoag''') was added for the Lite retail and HDEV form factors.
-[10.0.0+] '''nx-abcd''' was added.
+[10.0.0+] '''nx-abcd''' ('''Aula''') was added for the OLED Model retail and ADEV form factors.
 '''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X.
@@ Line 563: / Line 604: @@
 ===== FuseVersion =====
-The current [[Package2#Versions|Package1 Maxver Constant]] - 1.
+The current [[Package2#Versions|bootloader maximum version]] - 1.
 ===== HardwareType =====
@@ Line 579: / Line 620: @@
 | 4 || [8.0.0+] Calcio
 |-
-| 5 || [10.0.0+] Unknown
+| 5 || [10.0.0+] Aula
 |-
 | 15 || Invalid
@@ Line 590: / Line 631: @@
 [7.0.0+] This item can now only be 0 (Icosa) or 15 (Invalid) in Erista units.
-Hardware is '''Icosa''' (Erista retail, EDEV and SDEV) if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''.
+Hardware is '''Icosa''' (Erista retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 1 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 0.
-Hardware is '''Copper''' (Erista prototype) if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
+Hardware is '''Copper''' (unreleased Erista model) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1.
-[4.0.0+] Hardware is '''Iowa''' (Mariko retail, EDEV and SDEV) if new hardware type (bits 16-19) is '''Iowa'''.
+[4.0.0+] Hardware is '''Iowa''' (Mariko retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 1.
-[8.0.0+] Hardware is '''Hoag''' (Mariko Lite retail and HDEV) if new hardware type (bits 16-19) is '''Hoag'''.
+[8.0.0+] Hardware is '''Hoag''' (Mariko Lite retail and HDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 2.
-[8.0.0+] Hardware is '''Calcio''' (Mariko prototype) if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
+[8.0.0+] Hardware is '''Calcio''' (unreleased Mariko model) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1.
-[10.0.0+] Hardware is '''Unknown''' if new hardware type (bits 16-19) is 0x4.
+[10.0.0+] Hardware is '''Aula''' (Mariko OLED Model retail and ADEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 4.
 ===== HardwareState =====
@@ Line 614: / Line 655: @@
 This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
+Hardware is '''Development''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 3 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 0.
+Hardware is '''Production''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 1.
 ===== IsRecoveryBoot =====
@@ Line 705: / Line 750: @@
 |-
 | 2
-| PerformanceMonitoringUnit
+| EnablePmuAccess
 |-
 | 3
-| [8.0.0+] EnableApplicationExtraThread
+| [8.0.0+] EnableExtraThreadResourceAllocation
+|-
+| 4
+| [13.0.0+] DisableDynamicSystemResourceAllocation
 |-
 | 8
@@ Line 723: / Line 771: @@
 '''EnableUserExceptionHandler''' is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).
-'''PerformanceMonitoringUnit''' is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).
+'''EnablePmuAccess''' is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).
-'''EnableApplicationExtraThread''' is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.
+'''EnableExtraThreadResourceAllocation''' is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.
 '''CallShowErrorOnPanic''' is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.
@@ Line 734: / Line 782: @@
 This tells if the TI Charger (bq24192) is active.
-===== IsQuest =====
+===== RetailInteractiveDisplayState =====
+{| class=wikitable
+! Value || Description
+|-
+| 0 || Disabled
+|-
+| 1 || Enabled
+|}
 This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
@@ Line 772: / Line 828: @@
 ===== Package2Hash =====
 This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.
+===== Bcc =====
+This is a 0x320 bytes buffer split across 25 items of 0x20 bytes each. When put together, these form a Boot Certificate Chain (BCC) for Switch 2 remote device attestation.
+The format follows the [https://pigweed.googlesource.com/open-dice/+/HEAD/docs/specification.md Open Profile for DICE] from Google and includes the main DK_pub and the following entries (twice, likely for phases 2 and 3):
+* codeHash (empty)
+* configurationDescriptor ("Security version" set to 0)
+* authorityHash (empty)
+* mode ("Normal")
+* keyUsage ("keyCertSign")
+* subjectPublicKey (changes on reboot)
 === ShowError ===