Nintendo Switch Brew

Secure Monitor: Difference between revisions

← Older editNewer edit →
No edit summary
Line 22: Line 22:
If bit ''n'' is set in the argument type then parameter X''n'' is treated as a pointer and the kernel will setup address translation for it in [[SVC#svcCallSecureMonitor|svcCallSecureMonitor]].
If bit ''n'' is set in the argument type then parameter X''n'' is treated as a pointer and the kernel will setup address translation for it in [[SVC#svcCallSecureMonitor|svcCallSecureMonitor]].


== Id 0 ==
SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call.
 
== ID 0 ==
Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]].
Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]].


{| class=wikitable
{| class=wikitable
! Sub-Id || Name || In || Out
! Sub-ID || Name || In || Out
|-
|-
| 0xC3000401 || SetConfig || ||
| 0xC3000401 || SetConfig || ||
|-
|-
| 0xC3000002 || GetConfig (Same as Id 1 Sub-Id 4.) || ||
| 0xC3000002 || GetConfig (Same as ID 1, Sub-ID 4) || ||
|-
|-
| 0xC3000003 || CheckStatus || ||
| 0xC3000003 || CheckStatus || ||
Line 38: Line 40:
| 0xC3000E05 || ExpMod || ||
| 0xC3000E05 || ExpMod || ||
|-
|-
| 0xC3000006 || GetRandomBytes (Same as Id 1 Sub-Id 5.) || ||
| 0xC3000006 || GetRandomBytes (Same as ID 1, Sub-ID 5) || ||
|-
|-
| 0xC3000007 || [[#GenerateAesKek]] || ||
| 0xC3000007 || [[#GenerateAesKek]] || ||
Line 58: Line 60:
| 0xC300060F || [[#PublicRsa]] || ||
| 0xC300060F || [[#PublicRsa]] || ||
|-
|-
| 0xC3000610 || [[#UnwrapRsaEncryptedAesKey]] || ||
| 0xC3000610 || [[#UnwrapPreparedAesKey]] || ||
|-
|-
| 0xC3000011 || [[#LoadRsaWrappedAesKey]] || ||
| 0xC3000011 || [[#LoadPreparedAesKey]] || ||
|-
|-
| 0xC3000012 || [2.0.0+] GenerateRsaWrappedAesKek || ||
| 0xC3000012 || [2.0.0+] GeneratePreparedAesKek || ||
|}
|}


Line 74: Line 76:
** This means: Plaintext kek keys never leave TrustZone.
** This means: Plaintext kek keys never leave TrustZone.
** Further, this means: Actual AES/RSA keys never leave TrustZone.
** Further, this means: Actual AES/RSA keys never leave TrustZone.
Note:
The [[#CryptoUsecase|CryptoUsecase_PreparedAesKey]] represents a RSA wrapped AES key.


=== GenerateAesKek ===
=== GenerateAesKek ===
Line 113: Line 118:
Key must be set prior using the [[#LoadRsaPublicKey]] command.
Key must be set prior using the [[#LoadRsaPublicKey]] command.


=== UnwrapRsaEncryptedAesKey ===
=== UnwrapPreparedAesKey ===
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA public key.
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA public key.


Returns a session-unique AES key especially for use in [[#LoadRsaWrappedAesKey]].
Returns a session-unique AES key especially for use in [[#LoadPreparedAesKey]].


The session kek must have been created with CryptoUsecase_RsaWrappedAesKey.
The session kek must have been created with CryptoUsecase_PreparedAesKey.


=== LoadRsaWrappedAesKey ===
=== LoadPreparedAesKey ===
Takes a session-unique AES key from [[#UnwrapRsaEncryptedAesKey]].
Takes a session-unique AES key from [[#UnwrapPreparedAesKey]].


=== enum CryptoUsecase ===
=== enum CryptoUsecase ===
Line 133: Line 138:
| 2 || CryptoUsecase_PublicRsa
| 2 || CryptoUsecase_PublicRsa
|-
|-
| 3 || CryptoUsecase_RsaWrappedAesKey
| 3 || CryptoUsecase_PreparedAesKey
|}
|}


== Id 1 ==
== ID 1 ==
Functions exposed to the kernel internally.
Functions exposed to the kernel internally.


{| class=wikitable
{| class=wikitable
! Sub-Id || Name || In || Out
! Sub-ID || Name || In || Out
|-
|-
| 0xC4000001 || CpuSuspend || X1=power_state, X2=entrypoint_addr, X3=context_addr || None
| 0xC4000001 || [[#CpuSuspend]] || X1=power_state, X2=entrypoint_addr, X3=context_id || None
|-
|-
| 0x84000002 || CpuOff || None || None
| 0x84000002 || [[#CpuOff]] || None || None
|-
|-
| 0xC4000003 || CpuOn || ||
| 0xC4000003 || [[#CpuOn]] || X1=target_cpu, X2=entrypoint_addr, X3=context_id, X4,X5,X6,X7=0 || X0=result
|-
|-
| 0xC3000004 || GetConfig (Same as Id 0 Sub-Id 2.) || W1=config_item, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4=config_val
| 0xC3000004 || [[#GetConfig]] (Same as ID 0, Sub-ID 2) || W1=config_item, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4=config_val
|-
|-
| 0xC3000005 || GetRandomBytes (Same as Id 0 Sub-Id 6.) || X1=dst_addr, X2,X3,X4,X5,X6,X7=0 ||
| 0xC3000005 || [[#GetRandomBytes]] (Same as ID 0, Sub-ID 6) || X1=size, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4,X5,X6,X7=rand_bytes
|-
|-
| 0xC3000006 || Panic || W1=unk, X2,X3,X4,X5,X6,X7=0 || X0=result
| 0xC3000006 || [[#Panic]] || W1=unk, X2,X3,X4,X5,X6,X7=0 || X0=result
|-
|-
| 0xC3000007 || [2.0.0+] ProtectKernelRegion || ||
| 0xC3000007 || [2.0.0+] ProtectKernelRegion || ||
Line 158: Line 163:
| 0xC3000008 || [2.0.0+] ReadWriteRegister || ||
| 0xC3000008 || [2.0.0+] ReadWriteRegister || ||
|}
|}
=== CpuSuspend ===
Standard ARM PCSI SMC. Suspends the CPU (CPU0).
The kernel calls this SMC on shutdown with '''power_state''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).
=== CpuOff ===
Standard ARM PCSI SMC. Turns off the CPU (CPU1, CPU2 or CPU3).
=== CpuOn ===
Standard ARM PCSI SMC. Turns on the CPU (CPU1, CPU2 or CPU3).
=== GetConfig ===
Takes a '''config_item''' and returns an associated '''config_val'''.
=== GetRandomBytes ===
Takes a '''size''' and returns '''rand_bytes'''.
The kernel limits '''size''' to 0x38 (for fitting in return registers).
=== Panic ===
Issues a system panic.
The kernel always calls this with '''unk''' set to 0xF00.


= Errors =
= Errors =
2: Invalid input
{| class=wikitable
3: Busy
! Value || Description
|-
| 2 || Invalid input
|-
| 3 || Busy
|}
Retrieved from "https://switchbrew.org/wiki/Secure_Monitor"