Difference between revisions of "Security Engine"

From Nintendo Switch Brew
Line 1: Line 1:
The security engine (SE) is responsible for the crypto done on the switch. SE is mapped to physical address 0x70012000.
+
The Nintendo Switch uses Tegra's Security Engine (SE) for handling cryptographic opearations at the system's lowest level.
  
= SE registers =
+
The SE driver is mapped to physical address 0x70012000 with a total size of 0x2000 bytes and exposes several registers for programming the Security Engine.
 +
 
 +
= Registers =
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
! Register
+
! Name
! Offset
+
! Address
|-
 
| OPERATION_REG_OFFSET
 
| 0x008
 
|-
 
| INT_ENABLE_REG_OFFSET
 
| 0x00C
 
|-
 
| INT_STATUS_REG_OFFSET
 
| 0x010
 
|-
 
| CONFIG_REG_OFFSET
 
| 0x014
 
 
|-
 
|-
| IN_LL_ADDR_REG_OFFSET
+
| SE_OPERATION_UNK0
| 0x018
+
| 0x70012000
 
|-
 
|-
| OUT_LL_ADDR_REG_OFFSET
+
| SE_OPERATION_UNK1
| 0x024
+
| 0x70012004
 
|-
 
|-
| HASH_RESULT_REG_OFFSET
+
| SE_OPERATION
| 0x030
+
| 0x70012008
 
|-
 
|-
| CONTEXT_SAVE_CONFIG_REG_OFFSET
+
| SE_INT_ENABLE
| 0x070
+
| 0x7001200C
 
|-
 
|-
| SHA_CONFIG_REG
+
| SE_INT_STATUS
| 0x200
+
| 0x70012010
 
|-
 
|-
| SHA_MSG_LENGTH_REG
+
| SE_CONFIG
| 0x204
+
| 0x70012014
 
|-
 
|-
| SHA_MSG_LEFT_REG
+
| SE_IN_LL_ADDR
| 0x214
+
| 0x70012018
 
|-
 
|-
| KEYSLOT_1
+
| SE_OUT_LL_ADDR
| 0x284
+
| 0x70012024
 
|-
 
|-
| KEYSLOT_2
+
| SE_HASH_RESULT
| 0x288
+
| 0x70012030
 
|-
 
|-
| KEYSLOT_3
+
| SE_CONTEXT_SAVE_CONFIG
| 0x28C
+
| 0x70012070
 
|-
 
|-
| KEYSLOT_4
+
| SE_SHA_CONFIG
| 0x290
+
| 0x70012200
 
|-
 
|-
| KEYSLOT_5
+
| SE_SHA_MSG_LENGTH
| 0x294
+
| 0x70012204
 
|-
 
|-
| KEYSLOT_6
+
| SE_SHA_MSG_UNK0
| 0x298
+
| 0x70012208
 
|-
 
|-
| KEYSLOT_7
+
| SE_SHA_MSG_UNK1
| 0x29C
+
| 0x7001220C
 
|-
 
|-
| KEYSLOT_8
+
| SE_SHA_MSG_UNK2
| 0x2A0
+
| 0x70012210
 
|-
 
|-
| KEYSLOT_9
+
| SE_SHA_MSG_LEFT
| 0x2A4
+
| 0x70012214
 
|-
 
|-
| KEYSLOT_10
+
| SE_SHA_MSG_UNK3
| 0x2A8
+
| 0x70012218
 
|-
 
|-
| KEYSLOT_11
+
| SE_SHA_MSG_UNK4
| 0x2AC
+
| 0x7001221C
 
|-
 
|-
| KEYSLOT_12
+
| SE_SHA_MSG_UNK5
| 0x2B0
+
| 0x70012220
 
|-
 
|-
| KEYSLOT_13
+
| SE_AES_KEY_READ_DISABLE
| 0x2B4
+
| 0x70012280
 
|-
 
|-
| KEYSLOT_14
+
| SE_AES_KEYTABLE_ACCESS
| 0x2B8
+
| 0x70012284
 
|-
 
|-
| KEYSLOT_15
+
| SE_CRYPTO
| 0x2BC
+
| 0x70012304
 
|-
 
|-
| KEYSLOT_16
+
| SE_CRYPTO_CTR
| 0x2C0
+
| 0x70012308
 
|-
 
|-
| CRYPTO_REG
+
| SE_BLOCK_COUNT
| 0x304
+
| 0x70012318
 
|-
 
|-
| CRYPTO_CTR_REG
+
| SE_AES_KEYTABLE_ADDR
| 0x308
+
| 0x7001231C
 
|-
 
|-
| BLOCK_COUNT_REG
+
| SE_AES_KEYTABLE_DATA
| 0x318
+
| 0x70012320
 
|-
 
|-
| KEYTABLE_REG
+
| SE_CRYPTO_KEYTABLE_DST
| 0x31C
+
| 0x70012330
 
|-
 
|-
| KEYTABLE_DATA0_REG
+
| SE_RNG_CONFIG
| 0x320
+
| 0x70012340
 
|-
 
|-
| CRYPTO_KEYTABLE_DST_REG
+
| SE_RNG_SRC_CONFIG
| 0x330
+
| 0x70012344
 
|-
 
|-
| RNG_CONFIG_REG
+
| SE_RNG_RESEED_INTERVAL
| 0x340
+
| 0x70012348
 
|-
 
|-
| RNG_SRC_CONFIG_REG
+
| SE_RSA_CONFIG
| 0x344
+
| 0x70012400
 
|-
 
|-
| RNG_RESEED_INTERVAL_REG
+
| SE_RSA_KEY_SIZE
| 0x348
+
| 0x70012404
 
|-
 
|-
| RSA_CONFIG
+
| SE_RSA_EXP_SIZE
| 0x400
+
| 0x70012408
 
|-
 
|-
| RSA_KEY_SIZE_REG_OFFSET
+
| SE_RSA_KEY_READ_DISABLE
| 0x404
+
| 0x7001240C
 
|-
 
|-
| RSA_EXP_SIZE_REG_OFFSET
+
| SE_RSA_KEYTABLE_ACCESS
| 0x408
+
| 0x70012410
 
|-
 
|-
| RSA_KEYSLOT_1
+
| SE_RSA_KEYTABLE_ADDR
| 0x410
+
| 0x70012420
 
|-
 
|-
| RSA_KEYSLOT_2
+
| SE_RSA_KEYTABLE_DATA
| 0x414
+
| 0x70012424
 
|-
 
|-
| RSA_KEYTABLE_ADDR
+
| SE_RSA_OUTPUT
| 0x420
+
| 0x70012428
 
|-
 
|-
| RSA_KEYTABLE_DATA
+
| SE_STATUS_FLAGS
| 0x424
+
| 0x70012800
 
|-
 
|-
| RSA_OUTPUT
+
| SE_ERR_STATUS
| 0x428
+
| 0x70012804
 
|-
 
|-
| SPARE_0_REG_OFFSET
+
| SE_SPARE_0
| 0x80C
+
| 0x7001280C
 
|}
 
|}
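
Review bot: the sixteen per-slot rows of the old table (KEYSLOT_1 through KEYSLOT_16, offsets 0x284 to 0x2C0) are replaced by a single SE_AES_KEYTABLE_ACCESS row at 0x70012284, and RSA_KEYSLOT_1/RSA_KEYSLOT_2 (0x410, 0x414) by a single SE_RSA_KEYTABLE_ACCESS row at 0x70012410, so the addresses of the remaining per-slot access registers no longer appear anywhere on the page. Either keep one row per slot or annotate those two rows with the slot count and the 4-byte stride the old offsets show. The old heading also made clear that the values were offsets; since the new column holds absolute addresses, it would help to state once that each is the 0x70012000 base plus the register offset, so readers can still match the table against the previous revision.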

Revision as of 21:05, 10 April 2018

The Nintendo Switch uses Tegra's Security Engine (SE) for handling cryptographic operations at the system's lowest level.

The SE driver is mapped to physical address 0x70012000 with a total size of 0x2000 bytes and exposes several registers for programming the Security Engine.

Registers

Name Address
SE_OPERATION_UNK0 0x70012000
SE_OPERATION_UNK1 0x70012004
SE_OPERATION 0x70012008
SE_INT_ENABLE 0x7001200C
SE_INT_STATUS 0x70012010
SE_CONFIG 0x70012014
SE_IN_LL_ADDR 0x70012018
SE_OUT_LL_ADDR 0x70012024
SE_HASH_RESULT 0x70012030
SE_CONTEXT_SAVE_CONFIG 0x70012070
SE_SHA_CONFIG 0x70012200
SE_SHA_MSG_LENGTH 0x70012204
SE_SHA_MSG_UNK0 0x70012208
SE_SHA_MSG_UNK1 0x7001220C
SE_SHA_MSG_UNK2 0x70012210
SE_SHA_MSG_LEFT 0x70012214
SE_SHA_MSG_UNK3 0x70012218
SE_SHA_MSG_UNK4 0x7001221C
SE_SHA_MSG_UNK5 0x70012220
SE_AES_KEY_READ_DISABLE 0x70012280
SE_AES_KEYTABLE_ACCESS 0x70012284
SE_CRYPTO 0x70012304
SE_CRYPTO_CTR 0x70012308
SE_BLOCK_COUNT 0x70012318
SE_AES_KEYTABLE_ADDR 0x7001231C
SE_AES_KEYTABLE_DATA 0x70012320
SE_CRYPTO_KEYTABLE_DST 0x70012330
SE_RNG_CONFIG 0x70012340
SE_RNG_SRC_CONFIG 0x70012344
SE_RNG_RESEED_INTERVAL 0x70012348
SE_RSA_CONFIG 0x70012400
SE_RSA_KEY_SIZE 0x70012404
SE_RSA_EXP_SIZE 0x70012408
SE_RSA_KEY_READ_DISABLE 0x7001240C
SE_RSA_KEYTABLE_ACCESS 0x70012410
SE_RSA_KEYTABLE_ADDR 0x70012420
SE_RSA_KEYTABLE_DATA 0x70012424
SE_RSA_OUTPUT 0x70012428
SE_STATUS_FLAGS 0x70012800
SE_ERR_STATUS 0x70012804
SE_SPARE_0 0x7001280C