Difference between revisions of "TSEC"
(MMIO == CMEM) |
|||
Line 1,705: | Line 1,705: | ||
0x0A: RDM (read data memory) | 0x0A: RDM (read data memory) | ||
0x0B: WDM (write data memory) | 0x0B: WDM (write data memory) | ||
− | 0x0C: RCM (read | + | 0x0C: RCM (read MMIO/configuration memory) |
− | 0x0D: WCM (write | + | 0x0D: WCM (write MMIO/configuration memory) |
0x0E: RSTAT (read status) | 0x0E: RSTAT (read status) | ||
0x0F: SBU | 0x0F: SBU |
Revision as of 19:20, 4 August 2019
TSEC (Tegra Security Co-processor) is a dedicated unit powered by a NVIDIA Falcon microprocessor with crypto extensions.
Driver
A host driver for communicating with the TSEC is mapped to physical address 0x54500000 with a total size of 0x40000 bytes and exposes several registers.
Registers
Registers from 0x54500000 to 0x54501000 are used to configure the host interface (HOST1X).
Registers from 0x54501000 to 0x54502000 are a MMIO window for communicating with the Falcon microprocessor. From this range, the subset of registers from 0x54501400 to 0x54501FE8 are specific to the TSEC and are subdivided into:
- 0x54501400 to 0x54501500: SCP (Secure Co-Processor).
- 0x54501500 to 0x54501600: TRNG (True Random Number Generator).
- 0x54501600 to 0x54501700: TFBIF (Tegra Framebuffer Interface) and CG (Clock Gate).
- 0x54501700 to 0x54501800: BAR0.
- 0x54501800 to 0x54501900: TEGRA (miscellaneous interfaces).
Name | Address | Width |
---|---|---|
TSEC_THI_INCR_SYNCPT | 0x54500000 | 0x04 |
TSEC_THI_INCR_SYNCPT_ERR | 0x54500008 | 0x04 |
TSEC_THI_CTXSW_INCR_SYNCPT | 0x5450000C | 0x04 |
TSEC_THI_CTXSW | 0x54500020 | 0x04 |
TSEC_THI_CONT_SYNCPT_EOF | 0x54500028 | 0x04 |
TSEC_THI_METHOD0 | 0x54500040 | 0x04 |
TSEC_THI_METHOD1 | 0x54500044 | 0x04 |
TSEC_THI_INT_STATUS | 0x54500078 | 0x04 |
TSEC_THI_INT_MASK | 0x5450007C | 0x04 |
TSEC_THI_INT_CLEAR | 0x54500080 | 0x04 |
TSEC_THI_INT_ENABLE | 0x54500084 | 0x04 |
TSEC_THI_SLCG_OVERRIDE_HIGH_A | 0x54500088 | 0x04 |
TSEC_THI_SLCG_OVERRIDE_LOW_A | 0x5450008C | 0x04 |
TSEC_THI_CLK_OVERRIDE | 0x54500E00 | 0x04 |
FALCON_IRQSSET | 0x54501000 | 0x04 |
FALCON_IRQSCLR | 0x54501004 | 0x04 |
FALCON_IRQSTAT | 0x54501008 | 0x04 |
FALCON_IRQMODE | 0x5450100C | 0x04 |
FALCON_IRQMSET | 0x54501010 | 0x04 |
FALCON_IRQMCLR | 0x54501014 | 0x04 |
FALCON_IRQMASK | 0x54501018 | 0x04 |
FALCON_IRQDEST | 0x5450101C | 0x04 |
FALCON_GPTMRINT | 0x54501020 | 0x04 |
FALCON_GPTMRVAL | 0x54501024 | 0x04 |
FALCON_GPTMRCTL | 0x54501028 | 0x04 |
FALCON_PTIMER0 | 0x5450102C | 0x04 |
FALCON_PTIMER1 | 0x54501030 | 0x04 |
FALCON_WDTMRVAL | 0x54501034 | 0x04 |
FALCON_WDTMRCTL | 0x54501038 | 0x04 |
FALCON_UNK_3C | 0x5450103C | 0x04 |
FALCON_MAILBOX0 | 0x54501040 | 0x04 |
FALCON_MAILBOX1 | 0x54501044 | 0x04 |
FALCON_ITFEN | 0x54501048 | 0x04 |
FALCON_IDLESTATE | 0x5450104C | 0x04 |
FALCON_CURCTX | 0x54501050 | 0x04 |
FALCON_NXTCTX | 0x54501054 | 0x04 |
FALCON_CTXACK | 0x54501058 | 0x04 |
FALCON_FHSTATE | 0x5450105C | 0x04 |
FALCON_PRIVSTATE | 0x54501060 | 0x04 |
FALCON_MTHDDATA | 0x54501064 | 0x04 |
FALCON_MTHDID | 0x54501068 | 0x04 |
FALCON_MTHDWDAT | 0x5450106C | 0x04 |
FALCON_MTHDCOUNT | 0x54501070 | 0x04 |
FALCON_MTHDPOP | 0x54501074 | 0x04 |
FALCON_MTHDRAMSZ | 0x54501078 | 0x04 |
FALCON_SFTRESET | 0x5450107C | 0x04 |
FALCON_OS | 0x54501080 | 0x04 |
FALCON_RM | 0x54501084 | 0x04 |
FALCON_SOFT_PM | 0x54501088 | 0x04 |
FALCON_SOFT_MODE | 0x5450108C | 0x04 |
FALCON_DEBUG1 | 0x54501090 | 0x04 |
FALCON_DEBUGINFO | 0x54501094 | 0x04 |
FALCON_IBRKPT1 | 0x54501098 | 0x04 |
FALCON_IBRKPT2 | 0x5450109C | 0x04 |
FALCON_CGCTL | 0x545010A0 | 0x04 |
FALCON_ENGCTL | 0x545010A4 | 0x04 |
FALCON_PMM | 0x545010A8 | 0x04 |
FALCON_ADDR | 0x545010AC | 0x04 |
FALCON_IBRKPT3 | 0x545010B0 | 0x04 |
FALCON_IBRKPT4 | 0x545010B4 | 0x04 |
FALCON_IBRKPT5 | 0x545010B8 | 0x04 |
FALCON_EXCI | 0x545010D0 | 0x04 |
FALCON_UNK_D4 | 0x545010D4 | 0x04 |
FALCON_UNK_D8 | 0x545010D8 | 0x04 |
FALCON_UNK_DC | 0x545010DC | 0x04 |
FALCON_UNK_E0 | 0x545010E0 | 0x04 |
FALCON_CPUCTL | 0x54501100 | 0x04 |
FALCON_BOOTVEC | 0x54501104 | 0x04 |
FALCON_HWCFG | 0x54501108 | 0x04 |
FALCON_DMACTL | 0x5450110C | 0x04 |
FALCON_DMATRFBASE | 0x54501110 | 0x04 |
FALCON_DMATRFMOFFS | 0x54501114 | 0x04 |
FALCON_DMATRFCMD | 0x54501118 | 0x04 |
FALCON_DMATRFFBOFFS | 0x5450111C | 0x04 |
FALCON_DMAPOLL_FB | 0x54501120 | 0x04 |
FALCON_DMAPOLL_CP | 0x54501124 | 0x04 |
FALCON_CPUSTAT | 0x54501128 | 0x04 |
FALCON_HWCFG1 | 0x5450112C | 0x04 |
FALCON_CPUCTL_ALIAS | 0x54501130 | 0x04 |
FALCON_IMCTL | 0x54501140 | 0x04 |
FALCON_IMSTAT | 0x54501144 | 0x04 |
FALCON_TRACEIDX | 0x54501148 | 0x04 |
FALCON_TRACEPC | 0x5450114C | 0x04 |
FALCON_IMFILLRNG0 | 0x54501150 | 0x04 |
FALCON_IMFILLRNG1 | 0x54501154 | 0x04 |
FALCON_IMFILLCTL | 0x54501158 | 0x04 |
FALCON_IMCTL_DEBUG | 0x5450115C | 0x04 |
FALCON_CMEMBASE | 0x54501160 | 0x04 |
FALCON_DMEMAPERT | 0x54501164 | 0x04 |
FALCON_EXTERRADDR | 0x54501168 | 0x04 |
FALCON_EXTERRSTAT | 0x5450116C | 0x04 |
FALCON_CG1_SLCG | 0x5450117C | 0x04 |
FALCON_IMEMC | 0x54501180 | 0x04 |
FALCON_IMEMD | 0x54501184 | 0x04 |
FALCON_IMEMT | 0x54501188 | 0x04 |
FALCON_DMEMC0 | 0x545011C0 | 0x04 |
FALCON_DMEMD0 | 0x545011C4 | 0x04 |
FALCON_DMEMC1 | 0x545011C8 | 0x04 |
FALCON_DMEMD1 | 0x545011CC | 0x04 |
FALCON_DMEMC2 | 0x545011D0 | 0x04 |
FALCON_DMEMD2 | 0x545011D4 | 0x04 |
FALCON_DMEMC3 | 0x545011D8 | 0x04 |
FALCON_DMEMD3 | 0x545011DC | 0x04 |
FALCON_DMEMC4 | 0x545011E0 | 0x04 |
FALCON_DMEMD4 | 0x545011E4 | 0x04 |
FALCON_DMEMC5 | 0x545011E8 | 0x04 |
FALCON_DMEMD5 | 0x545011EC | 0x04 |
FALCON_DMEMC6 | 0x545011F0 | 0x04 |
FALCON_DMEMD6 | 0x545011F4 | 0x04 |
FALCON_DMEMC7 | 0x545011F8 | 0x04 |
FALCON_DMEMD7 | 0x545011FC | 0x04 |
FALCON_ICD_CMD | 0x54501200 | 0x04 |
FALCON_ICD_ADDR | 0x54501204 | 0x04 |
FALCON_ICD_WDATA | 0x54501208 | 0x04 |
FALCON_ICD_RDATA | 0x5450120C | 0x04 |
FALCON_SCTL | 0x54501240 | 0x04 |
FALCON_SCTL_STAT | 0x54501244 | 0x04 |
FALCON_UNK_248 | 0x54501248 | 0x04 |
FALCON_UNK_24C | 0x5450124C | 0x04 |
FALCON_UNK_250 | 0x54501250 | 0x04 |
FALCON_UNK_260 | 0x54501260 | 0x04 |
FALCON_SPROT_IMEM | 0x54501280 | 0x04 |
FALCON_SPROT_DMEM | 0x54501284 | 0x04 |
FALCON_SPROT_CPUCTL | 0x54501288 | 0x04 |
FALCON_SPROT_MISC | 0x5450128C | 0x04 |
FALCON_SPROT_IRQ | 0x54501290 | 0x04 |
FALCON_SPROT_MTHD | 0x54501294 | 0x04 |
FALCON_SPROT_SCTL | 0x54501298 | 0x04 |
FALCON_SPROT_WDTMR | 0x5450129C | 0x04 |
FALCON_UNK_2C0 | 0x545012C0 | 0x04 |
FALCON_UNK_2C4 | 0x545012C4 | 0x04 |
FALCON_UNK_2C8 | 0x545012C8 | 0x04 |
FALCON_UNK_2CC | 0x545012CC | 0x04 |
FALCON_UNK_2E0 | 0x545012E0 | 0x04 |
TSEC_SCP_CTL0 | 0x54501400 | 0x04 |
TSEC_SCP_CTL1 | 0x54501404 | 0x04 |
TSEC_SCP_CTL_STAT | 0x54501408 | 0x04 |
TSEC_SCP_CTL_LOCK | 0x5450140C | 0x04 |
TSEC_SCP_UNK_10 | 0x54501410 | 0x04 |
TSEC_SCP_UNK_14 | 0x54501414 | 0x04 |
TSEC_SCP_CTL_PKEY | 0x54501418 | 0x04 |
TSEC_SCP_UNK_1C | 0x5450141C | 0x04 |
TSEC_SCP_SEQ_CTL | 0x54501420 | 0x04 |
TSEC_SCP_SEQ_VAL | 0x54501424 | 0x04 |
TSEC_SCP_SEQ_STAT | 0x54501428 | 0x04 |
TSEC_SCP_INSN_STAT | 0x54501430 | 0x04 |
TSEC_SCP_UNK_50 | 0x54501450 | 0x04 |
TSEC_SCP_AUTH_STAT | 0x54501454 | 0x04 |
TSEC_SCP_AES_STAT | 0x54501458 | 0x04 |
TSEC_SCP_UNK_70 | 0x54501470 | 0x04 |
TSEC_SCP_IRQSTAT | 0x54501480 | 0x04 |
TSEC_SCP_IRQMASK | 0x54501484 | 0x04 |
TSEC_SCP_ACL_ERR | 0x54501490 | 0x04 |
TSEC_SCP_UNK_94 | 0x54501494 | 0x04 |
TSEC_SCP_INSN_ERR | 0x54501498 | 0x04 |
TSEC_TRNG_CLK_LIMIT_LOW | 0x54501500 | 0x04 |
TSEC_TRNG_CLK_LIMIT_HIGH | 0x54501504 | 0x04 |
TSEC_TRNG_UNK_08 | 0x54501508 | 0x04 |
TSEC_TRNG_TEST_CTL | 0x5450150C | 0x04 |
TSEC_TRNG_TEST_CFG0 | 0x54501510 | 0x04 |
TSEC_TRNG_TEST_SEED0 | 0x54501514 | 0x04 |
TSEC_TRNG_TEST_CFG1 | 0x54501518 | 0x04 |
TSEC_TRNG_TEST_SEED1 | 0x5450151C | 0x04 |
TSEC_TRNG_UNK_20 | 0x54501520 | 0x04 |
TSEC_TRNG_UNK_24 | 0x54501524 | 0x04 |
TSEC_TRNG_UNK_28 | 0x54501528 | 0x04 |
TSEC_TRNG_CTL | 0x5450152C | 0x04 |
TSEC_TFBIF_CTL | 0x54501600 | 0x04 |
TSEC_TFBIF_MCCIF_FIFOCTRL | 0x54501604 | 0x04 |
TSEC_TFBIF_THROTTLE | 0x54501608 | 0x04 |
TSEC_TFBIF_UNK_0C | 0x5450160C | 0x04 |
TSEC_TFBIF_DEBUG_STAT | 0x54501630 | 0x04 |
TSEC_TFBIF_MCCIF_FIFOCTRL1 | 0x54501634 | 0x04 |
TSEC_TFBIF_MMU_PROT | 0x54501640 | 0x04 |
TSEC_TFBIF_MMU_PHYS_SEC | 0x54501644 | 0x04 |
TSEC_TFBIF_MMU_TRANSCFG | 0x54501648 | 0x04 |
TSEC_TFBIF_ACTMON_MAMASK | 0x5450164C | 0x04 |
TSEC_TFBIF_ACTMON_BORPS | 0x54501650 | 0x04 |
TSEC_TFBIF_ACTMON_CTL | 0x54501654 | 0x04 |
TSEC_CG | 0x545016D0 | 0x04 |
TSEC_BAR0_CTL | 0x54501700 | 0x04 |
TSEC_BAR0_ADDR | 0x54501704 | 0x04 |
TSEC_BAR0_DATA | 0x54501708 | 0x04 |
TSEC_BAR0_TIMEOUT | 0x5450170C | 0x04 |
TSEC_TEGRA_FALCON_IP_VER | 0x54501800 | 0x04 |
TSEC_TEGRA_UNK_04 | 0x54501804 | 0x04 |
TSEC_TEGRA_UNK_08 | 0x54501808 | 0x04 |
TSEC_TEGRA_UNK_0C | 0x5450180C | 0x04 |
TSEC_TEGRA_UNK_10 | 0x54501810 | 0x04 |
TSEC_TEGRA_UNK_14 | 0x54501814 | 0x04 |
TSEC_TEGRA_UNK_18 | 0x54501818 | 0x04 |
TSEC_TEGRA_UNK_1C | 0x5450181C | 0x04 |
TSEC_TEGRA_UNK_20 | 0x54501820 | 0x04 |
TSEC_TEGRA_UNK_24 | 0x54501824 | 0x04 |
TSEC_TEGRA_UNK_28 | 0x54501828 | 0x04 |
TSEC_TEGRA_UNK_2C | 0x5450182C | 0x04 |
TSEC_TEGRA_UNK_30 | 0x54501830 | 0x04 |
TSEC_TEGRA_UNK_34 | 0x54501834 | 0x04 |
TSEC_TEGRA_CTL | 0x54501838 | 0x04 |
TSEC_THI_METHOD0
ID | Method |
---|---|
0x200 | SET_APPLICATION_ID |
0x300 | EXECUTE |
0x500 | HDCP_INIT |
0x504 | HDCP_CREATE_SESSION |
0x508 | HDCP_VERIFY_CERT_RX |
0x50C | HDCP_GENERATE_EKM |
0x510 | HDCP_REVOCATION_CHECK |
0x514 | HDCP_VERIFY_HPRIME |
0x518 | HDCP_ENCRYPT_PAIRING_INFO |
0x51C | HDCP_DECRYPT_PAIRING_INFO |
0x520 | HDCP_UPDATE_SESSION |
0x524 | HDCP_GENERATE_LC_INIT |
0x528 | HDCP_VERIFY_LPRIME |
0x52C | HDCP_GENERATE_SKE_INIT |
0x530 | HDCP_VERIFY_VPRIME |
0x534 | HDCP_ENCRYPTION_RUN_CTRL |
0x538 | HDCP_SESSION_CTRL |
0x53C | HDCP_COMPUTE_SPRIME |
0x540 | HDCP_GET_CERT_RX |
0x544 | HDCP_EXCHANGE_INFO |
0x548 | HDCP_DECRYPT_KM |
0x54C | HDCP_GET_HPRIME |
0x550 | HDCP_GENERATE_EKH_KM |
0x554 | HDCP_VERIFY_RTT_CHALLENGE |
0x558 | HDCP_GET_LPRIME |
0x55C | HDCP_DECRYPT_KS |
0x560 | HDCP_DECRYPT |
0x564 | HDCP_GET_RRX |
0x568 | HDCP_DECRYPT_REENCRYPT |
0x56C | |
0x570 | |
0x574 | |
0x578 | |
0x57C | |
0x700 | HDCP_VALIDATE_SRM |
0x704 | HDCP_VALIDATE_STREAM |
0x708 | HDCP_TEST_SECURE_STATUS |
0x70C | HDCP_SET_DCP_KPUB |
0x710 | HDCP_SET_RX_KPUB |
0x714 | HDCP_SET_CERT_RX |
0x718 | HDCP_SET_SCRATCH_BUFFER |
0x71C | HDCP_SET_SRM |
0x720 | HDCP_SET_RECEIVER_ID_LIST |
0x724 | HDCP_SET_SPRIME |
0x728 | HDCP_SET_ENC_INPUT_BUFFER |
0x72C | HDCP_SET_ENC_OUTPUT_BUFFER |
0x730 | HDCP_GET_RTT_CHALLENGE |
0x734 | HDCP_STREAM_MANAGE |
0x738 | HDCP_READ_CAPS |
0x73C | HDCP_ENCRYPT |
0x740 | [6.0.0+] HDCP_GET_CURRENT_NONCE |
Used to encode and send a method's ID over HOST1X to TSEC. This register mirrors the functionality of HOST1X's channel opcode submission.
TSEC_THI_METHOD1
Used to encode and send a method's data over HOST1X to TSEC. This register mirrors the functionality of HOST1X's channel opcode submission.
TSEC_THI_INT_STATUS
Bits | Description |
---|---|
0 | TSEC_THI_INT_STATUS_FALCON_INT |
TSEC_THI_INT_MASK
Bits | Description |
---|---|
0 | TSEC_THI_INT_MASK_FALCON_INT |
FALCON_IRQSSET
Bits | Description |
---|---|
0 | FALCON_IRQSSET_GPTMR |
1 | FALCON_IRQSSET_WDTMR |
2 | FALCON_IRQSSET_MTHD |
3 | FALCON_IRQSSET_CTXSW |
4 | FALCON_IRQSSET_HALT |
5 | FALCON_IRQSSET_EXTERR |
6 | FALCON_IRQSSET_SWGEN0 |
7 | FALCON_IRQSSET_SWGEN1 |
8-15 | FALCON_IRQSSET_EXT |
Used for setting Falcon's IRQs.
FALCON_IRQSCLR
Bits | Description |
---|---|
0 | FALCON_IRQSCLR_GPTMR |
1 | FALCON_IRQSCLR_WDTMR |
2 | FALCON_IRQSCLR_MTHD |
3 | FALCON_IRQSCLR_CTXSW |
4 | FALCON_IRQSCLR_HALT |
5 | FALCON_IRQSCLR_EXTERR |
6 | FALCON_IRQSCLR_SWGEN0 |
7 | FALCON_IRQSCLR_SWGEN1 |
8-15 | FALCON_IRQSCLR_EXT |
Used for clearing Falcon's IRQs.
FALCON_IRQSTAT
Bits | Description |
---|---|
0 | FALCON_IRQSTAT_GPTMR |
1 | FALCON_IRQSTAT_WDTMR |
2 | FALCON_IRQSTAT_MTHD |
3 | FALCON_IRQSTAT_CTXSW |
4 | FALCON_IRQSTAT_HALT |
5 | FALCON_IRQSTAT_EXTERR |
6 | FALCON_IRQSTAT_SWGEN0 |
7 | FALCON_IRQSTAT_SWGEN1 |
8-15 | FALCON_IRQSTAT_EXT |
Used for getting the status of Falcon's IRQs.
FALCON_IRQMODE
Bits | Description |
---|---|
0 | FALCON_IRQMODE_LVL_GPTMR |
1 | FALCON_IRQMODE_LVL_WDTMR |
2 | FALCON_IRQMODE_LVL_MTHD |
3 | FALCON_IRQMODE_LVL_CTXSW |
4 | FALCON_IRQMODE_LVL_HALT |
5 | FALCON_IRQMODE_LVL_EXTERR |
6 | FALCON_IRQMODE_LVL_SWGEN0 |
7 | FALCON_IRQMODE_LVL_SWGEN1 |
8-15 | FALCON_IRQMODE_LVL_EXT |
Used for changing the mode Falcon's IRQs. A value of 1 means level triggered while a value of 0 means edge triggered.
FALCON_IRQMSET
Bits | Description |
---|---|
0 | FALCON_IRQMSET_GPTMR |
1 | FALCON_IRQMSET_WDTMR |
2 | FALCON_IRQMSET_MTHD |
3 | FALCON_IRQMSET_CTXSW |
4 | FALCON_IRQMSET_HALT |
5 | FALCON_IRQMSET_EXTERR |
6 | FALCON_IRQMSET_SWGEN0 |
7 | FALCON_IRQMSET_SWGEN1 |
8-15 | FALCON_IRQMSET_EXT |
Used for setting the mask for Falcon's IRQs.
FALCON_IRQMCLR
Bits | Description |
---|---|
0 | FALCON_IRQMCLR_GPTMR |
1 | FALCON_IRQMCLR_WDTMR |
2 | FALCON_IRQMCLR_MTHD |
3 | FALCON_IRQMCLR_CTXSW |
4 | FALCON_IRQMCLR_HALT |
5 | FALCON_IRQMCLR_EXTERR |
6 | FALCON_IRQMCLR_SWGEN0 |
7 | FALCON_IRQMCLR_SWGEN1 |
8-15 | FALCON_IRQMCLR_EXT |
Used for clearing the mask for Falcon's IRQs.
FALCON_IRQMASK
Bits | Description |
---|---|
0 | FALCON_IRQMASK_GPTMR |
1 | FALCON_IRQMASK_WDTMR |
2 | FALCON_IRQMASK_MTHD |
3 | FALCON_IRQMASK_CTXSW |
4 | FALCON_IRQMASK_HALT |
5 | FALCON_IRQMASK_EXTERR |
6 | FALCON_IRQMASK_SWGEN0 |
7 | FALCON_IRQMASK_SWGEN1 |
8-15 | FALCON_IRQMASK_EXT |
Used for getting the value of the mask for Falcon's IRQs.
FALCON_IRQDEST
Bits | Description |
---|---|
0 | FALCON_IRQDEST_HOST_GPTMR |
1 | FALCON_IRQDEST_HOST_WDTMR |
2 | FALCON_IRQDEST_HOST_MTHD |
3 | FALCON_IRQDEST_HOST_CTXSW |
4 | FALCON_IRQDEST_HOST_HALT |
5 | FALCON_IRQDEST_HOST_EXTERR |
6 | FALCON_IRQDEST_HOST_SWGEN0 |
7 | FALCON_IRQDEST_HOST_SWGEN1 |
8-15 | FALCON_IRQDEST_HOST_EXT |
16 | FALCON_IRQDEST_TARGET_GPTMR |
17 | FALCON_IRQDEST_TARGET_WDTMR |
18 | FALCON_IRQDEST_TARGET_MTHD |
19 | FALCON_IRQDEST_TARGET_CTXSW |
20 | FALCON_IRQDEST_TARGET_HALT |
21 | FALCON_IRQDEST_TARGET_EXTERR |
22 | FALCON_IRQDEST_TARGET_SWGEN0 |
23 | FALCON_IRQDEST_TARGET_SWGEN1 |
24-31 | FALCON_IRQDEST_TARGET_EXT |
Used for routing Falcon's IRQs.
FALCON_MAILBOX0
Scratch register for reading/writing data to Falcon.
FALCON_MAILBOX1
Scratch register for reading/writing data to Falcon.
FALCON_ITFEN
Bits | Description |
---|---|
0 | FALCON_ITFEN_CTXEN |
1 | FALCON_ITFEN_MTHDEN |
Used for enabling/disabling Falcon interfaces.
FALCON_IDLESTATE
Bits | Description |
---|---|
0 | FALCON_IDLESTATE_FALCON_BUSY |
1-15 | FALCON_IDLESTATE_EXT_BUSY |
Used for detecting if Falcon is busy or not.
FALCON_DEBUG1
Bits | Description |
---|---|
0-15 | FALCON_DEBUG1_MTHD_DRAIN_TIME |
16 | FALCON_DEBUG1_CTXSW_MODE |
FALCON_DEBUGINFO
Used for UCODE self revocation. This register takes the base address of the GSC carveout shifted right by 8.
[6.0.0+] nvservices sets this to 0x8005FF00 >> 8 (physical DRAM address inside the GPU UCODE carveout) before starting the nvhost_tsec firmware.
FALCON_EXCI
Bits | Description |
---|---|
0-19 | PC that originated the exception |
20-23 | Exception type
0x00: Trap 0 0x01: Trap 1 0x02: Trap 2 0x03: Trap 3 0x08: Invalid opcode 0x09: Authentication entry 0x0A: Page fault (no hit) 0x0B: Page fault (multi hit) 0x0F: Breakpoint |
Contains information about raised exceptions.
FALCON_CPUCTL
Bits | Description |
---|---|
0 | FALCON_CPUCTL_IINVAL |
1 | FALCON_CPUCTL_STARTCPU |
2 | FALCON_CPUCTL_SRESET |
3 | FALCON_CPUCTL_HRESET |
4 | FALCON_CPUCTL_HALTED |
5 | FALCON_CPUCTL_STOPPED |
6 | FALCON_CPUCTL_CPUCTL_ALIAS_EN |
Used for signaling the Falcon CPU.
FALCON_BOOTVEC
Takes the Falcon's boot vector address.
FALCON_HWCFG
Bits | Description |
---|---|
0-8 | FALCON_HWCFG_IMEM_SIZE |
9-17 | FALCON_HWCFG_DMEM_SIZE |
18-26 | FALCON_HWCFG_METHODFIFO_DEPTH |
27-31 | FALCON_HWCFG_DMAQUEUE_DEPTH |
FALCON_DMACTL
Bits | Description |
---|---|
0 | FALCON_DMACTL_REQUIRE_CTX |
1 | FALCON_DMACTL_DMEM_SCRUBBING |
2 | FALCON_DMACTL_IMEM_SCRUBBING |
3-6 | FALCON_DMACTL_DMAQ_NUM |
7 | FALCON_DMACTL_SECURE_STAT |
Used for configuring the Falcon's DMA engine.
FALCON_DMATRFBASE
Base address of the external memory buffer, shifted right by 8.
The current transfer address is calculated by adding FALCON_DMATRFFBOFFS to the base.
FALCON_DMATRFMOFFS
For transfers to DMEM: the destination address. For transfers to IMEM: the destination virtual IMEM page.
FALCON_DMATRFCMD
Bits | Description |
---|---|
0 | FALCON_DMATRFCMD_FULL |
1 | FALCON_DMATRFCMD_IDLE |
2-3 | FALCON_DMATRFCMD_SEC |
4 | FALCON_DMATRFCMD_IMEM |
5 | FALCON_DMATRFCMD_WRITE |
8-10 | FALCON_DMATRFCMD_SIZE |
12-14 | FALCON_DMATRFCMD_CTXDMA |
Used for configuring DMA transfers.
FALCON_DMATRFFBOFFS
For transfers to IMEM: the destination physical IMEM page.
FALCON_DMAPOLL_FB
Bits | Description |
---|---|
0 | FALCON_DMAPOLL_FB_FENCE_ACTIVE |
1 | FALCON_DMAPOLL_FB_DMA_ACTIVE |
4 | FALCON_DMAPOLL_FB_CFG_R_FENCE |
5 | FALCON_DMAPOLL_FB_CFG_W_FENCE |
16-23 | FALCON_DMAPOLL_FB_WCOUNT |
24-31 | FALCON_DMAPOLL_FB_RCOUNT |
Contains the status of a DMA transfer between the Falcon and external memory.
FALCON_DMAPOLL_CP
Bits | Description |
---|---|
0 | FALCON_DMAPOLL_CP_FENCE_ACTIVE |
1 | FALCON_DMAPOLL_CP_DMA_ACTIVE |
4 | FALCON_DMAPOLL_CP_CFG_R_FENCE |
5 | FALCON_DMAPOLL_CP_CFG_W_FENCE |
16-23 | FALCON_DMAPOLL_CP_WCOUNT |
24-31 | FALCON_DMAPOLL_CP_RCOUNT |
Contains the status of a DMA transfer between the Falcon and the SCP.
FALCON_HWCFG1
Bits | Description |
---|---|
0-3 | FALCON_HWCFG1_CORE_REV |
4-5 | FALCON_HWCFG1_SECURITY_MODEL |
6-7 | FALCON_HWCFG1_CORE_REV_SUBVERSION |
8-11 | FALCON_HWCFG1_IMEM_PORTS |
12-15 | FALCON_HWCFG1_DMEM_PORTS |
16-20 | FALCON_HWCFG1_TAG_WIDTH |
27 | FALCON_HWCFG1_DBG_PRIV_BUS |
28 | FALCON_HWCFG1_CSB_SIZE_16M |
29 | FALCON_HWCFG1_PRIV_DIRECT |
30 | FALCON_HWCFG1_DMEM_APERTURES |
31 | FALCON_HWCFG1_IMEM_AUTOFILL |
FALCON_IMCTL
Bits | Description |
---|---|
0-23 | Address |
24-26 | Command
0x00: NOP 0x01: IMINV (ITLB) 0x02: IMBLK (PTLB) 0x03: IMTAG (VTLB) |
Controls the Falcon TLB.
FALCON_IMSTAT
Returns the result of the last command from FALCON_IMCTL.
FALCON_TRACEIDX
Bits | Description |
---|---|
0-7 | Index of where to start tracing from |
16-23 | Maximum valid index |
24-31 | Number of trace reads remaining |
Controls the index for tracing with FALCON_TRACEPC.
FALCON_TRACEPC
Returns the PC of the last call or branch executed.
FALCON_IMEMC
Bits | Description |
---|---|
2-7 | Offset in IMEM block to read/write |
8-15 | IMEM block to read/write |
24 | Write auto-increment |
25 | Read auto-increment |
28 | Mark uploaded code as secret |
29 | Secret code upload lockdown status (read-only) |
30 | Secret code upload failure status (read-only) |
31 | Secret code upload reset scrubber status (read-only) |
Used for configuring access to Falcon's IMEM.
FALCON_IMEMD
Returns or takes the value for an IMEM read/write operation.
FALCON_IMEMT
Returns or takes the virtual page index for an IMEM read/write operation.
FALCON_DMEMC0
Bits | Description |
---|---|
2-7 | Offset in DMEM block to read/write |
8-15 | DMEM block to read/write |
24 | Write auto-increment |
25 | Read auto-increment |
Used for configuring access to Falcon's DMEM.
FALCON_DMEMD0
Returns or takes the value for a DMEM read/write operation.
FALCON_ICD_CMD
Bits | Description |
---|---|
0-3 | FALCON_ICD_CMD_OPC
0x00: STOP 0x01: RUN (run from PC) 0x02: JRUN (run from address) 0x03: RUNB (run from PC) 0x04: JRUNB (run from address) 0x05: STEP (step from PC) 0x06: JSTEP (step from address) 0x07: EMASK (set exception mask) 0x08: RREG (read register) 0x09: WREG (write register) 0x0A: RDM (read data memory) 0x0B: WDM (write data memory) 0x0C: RCM (read MMIO/configuration memory) 0x0D: WCM (write MMIO/configuration memory) 0x0E: RSTAT (read status) 0x0F: SBU |
6-7 | FALCON_ICD_CMD_SZ
0x00: B (byte 0x01: HW (half word) 0x02: W (word) |
8-12 | FALCON_ICD_CMD_IDX
0x00: REG0 | RSTAT0 | WB0 0x01: REG1 | RSTAT1 | WB1 0x02: REG2 | RSTAT2 | WB2 0x03: REG3 | RSTAT3 | WB3 0x04: REG4 | RSTAT4 0x05: REG5 | RSTAT5 0x06: REG6 0x07: REG7 0x08: REG8 0x09: REG9 0x0A: REG10 0x0B: REG11 0x0C: REG12 0x0D: REG13 0x0E: REG14 0x0F: REG15 0x10: IV0 0x11: IV1 0x12: UNDEFINED 0x13: EV 0x14: SP 0x15: PC 0x16: IMB 0x17: DMB 0x18: CSW 0x19: CCR 0x1A: SEC 0x1B: CTX 0x1C: EXCI |
14 | FALCON_ICD_CMD_ERROR |
15 | FALCON_ICD_CMD_RDVLD |
16-31 | FALCON_ICD_CMD_PARM
0x0001: EMASK_TRAP0 0x0002: EMASK_TRAP1 0x0004: EMASK_TRAP2 0x0008: EMASK_TRAP3 0x0010: EMASK_EXC_UNIMP 0x0020: EMASK_EXC_IMISS 0x0040: EMASK_EXC_IMHIT 0x0080: EMASK_EXC_IBREAK 0x0100: EMASK_IV0 0x0200: EMASK_IV1 0x0400: EMASK_IV2 0x0800: EMASK_EXT0 0x1000: EMASK_EXT1 0x2000: EMASK_EXT2 0x4000: EMASK_EXT3 0x8000: EMASK_EXT4 |
Used for sending commands to the Falcon's in-chip debugger.
FALCON_ICD_ADDR
Takes the target address for the Falcon's in-chip debugger.
FALCON_ICD_WDATA
Takes the data for writing using the Falcon's in-chip debugger.
FALCON_ICD_RDATA
Returns the data read using the Falcon's in-chip debugger.
When reading from an internal status register (STAT), the following applies:
Bits | Description |
---|---|
0 | RSTAT0_MEM_STALL |
1 | RSTAT0_DMA_STALL |
2 | RSTAT0_FENCE_STALL |
3 | RSTAT0_DIV_STALL |
4 | RSTAT0_DMA_STALL_DMAQ |
5 | RSTAT0_DMA_STALL_DMWAITING |
6 | RSTAT0_DMA_STALL_IMWAITING |
7 | RSTAT0_ANY_STALL |
8 | RSTAT0_SBFULL_STALL |
9 | RSTAT0_SBHIT_STALL |
10 | RSTAT0_FLOW_STALL |
11 | RSTAT0_SP_STALL |
12 | RSTAT0_BL_STALL |
13 | RSTAT0_IPND_STALL |
14 | RSTAT0_LDSTQ_STALL |
16 | RSTAT0_NOINSTR_STALL |
20 | RSTAT0_HALTSTOP_FLUSH |
21 | RSTAT0_AFILL_FLUSH |
22 | RSTAT0_EXC_FLUSH |
23-25 | RSTAT0_IRQ_FLUSH |
28 | RSTAT0_VALIDRD |
29 | RSTAT0_WAITING |
30 | RSTAT0_HALTED |
31 | RSTAT0_MTHD_FULL |
Bits | Description |
---|---|
0-3 | RSTAT1_WB_ALLOC |
4-7 | RSTAT1_WB_VALID |
8-9 | RSTAT1_WB0_SZ |
10-11 | RSTAT1_WB1_SZ |
12-13 | RSTAT1_WB2_SZ |
14-15 | RSTAT1_WB3_SZ |
16-19 | RSTAT1_WB0_IDX |
20-23 | RSTAT1_WB1_IDX |
24-27 | RSTAT1_WB2_IDX |
28-31 | RSTAT1_WB3_IDX |
Bits | Description |
---|---|
0-3 | RSTAT2_DMAQ_NUM |
4 | RSTAT2_DMA_ENABLE |
5-7 | RSTAT2_LDSTQ_NUM |
16-19 | RSTAT2_EM_BUSY |
20-23 | RSTAT2_EM_ACKED |
24-27 | RSTAT2_EM_ISWR |
28-31 | RSTAT2_EM_DVLD |
Bits | Description |
---|---|
0 | RSTAT3_MTHD_IDLE |
1 | RSTAT3_CTXSW_IDLE |
2 | RSTAT3_DMA_IDLE |
3 | RSTAT3_SCP_IDLE |
4 | RSTAT3_LDST_IDLE |
5 | RSTAT3_SBWB_EMPTY |
6-8 | RSTAT3_CSWIE |
10 | RSTAT3_CSWE |
12-14 | RSTAT3_CTXSW_STATE
0x00: IDLE 0x01: SM_CHECK 0x02: SM_SAVE 0x03: SM_SAVE_WAIT 0x04: SM_BLK_BIND 0x05: SM_RESET 0x06: SM_RESETWAIT 0x07: SM_ACK |
15 | RSTAT3_CTXSW_PEND |
17 | RSTAT3_DMA_FBREQ_IDLE |
18 | RSTAT3_DMA_ACKQ_EMPTY |
19 | RSTAT3_DMA_RDQ_EMPTY |
20 | RSTAT3_DMA_WR_BUSY |
21 | RSTAT3_DMA_RD_BUSY |
22 | RSTAT3_LDST_XT_BUSY |
23 | RSTAT3_LDST_XT_BLOCK |
24 | RSTAT3_ENG_IDLE |
Bits | Description |
---|---|
0-1 | RSTAT4_ICD_STATE
0x00: NORMAL 0x01: WAIT_ISSUE_CLEAR 0x02: WAIT_EXLDQ_CLEAR 0x03: FULL_DBG_MODE |
2-3 | RSTAT4_ICD_MODE
0x00: SUPPRESSICD 0x01: ENTERICD_IBRK 0x02: ENTERICD_STEP |
16 | RSTAT4_ICD_EMASK_TRAP0 |
17 | RSTAT4_ICD_EMASK_TRAP1 |
18 | RSTAT4_ICD_EMASK_TRAP2 |
19 | RSTAT4_ICD_EMASK_TRAP3 |
20 | RSTAT4_ICD_EMASK_EXC_UNIMP |
21 | RSTAT4_ICD_EMASK_EXC_IMISS |
22 | RSTAT4_ICD_EMASK_EXC_IMHIT |
23 | RSTAT4_ICD_EMASK_EXC_IBREAK |
24 | RSTAT4_ICD_EMASK_IV0 |
25 | RSTAT4_ICD_EMASK_IV1 |
26 | RSTAT4_ICD_EMASK_IV2 |
27 | RSTAT4_ICD_EMASK_EXT0 |
28 | RSTAT4_ICD_EMASK_EXT1 |
29 | RSTAT4_ICD_EMASK_EXT2 |
30 | RSTAT4_ICD_EMASK_EXT3 |
31 | RSTAT4_ICD_EMASK_EXT4 |
Bits | Description |
---|---|
0-7 | RSTAT5_LRU_STATE |
FALCON_SCTL
Bits | Description |
---|---|
0-1 | FALCON_SCTL_SEC_MODE
0: Non-secure 1: Light Secure 2: Heavy Secure |
4-5 | FALCON_SCTL_OLD_SEC_MODE
0: Non-secure 1: Light Secure 2: Heavy Secure |
12-13 | Unknown |
14 | Initialize the transition to LS mode |
FALCON_SCTL_STAT
Bits | Description |
---|---|
31 | Set on memory protection violation |
FALCON_SPROT_IMEM
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to Falcon IMEM.
FALCON_SPROT_DMEM
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to Falcon DMEM.
FALCON_SPROT_CPUCTL
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the FALCON_CPUCTL register.
FALCON_SPROT_MISC
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the following registers:
- FALCON_PRIVSTATE
- FALCON_SFTRESET
- FALCON_ADDR
- FALCON_DMACTL
- FALCON_IMCTL
- FALCON_IMSTAT
- FALCON_UNK_250
- FALCON_UNK_2E0
FALCON_SPROT_IRQ
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the following registers:
- FALCON_IRQMODE
- FALCON_IRQMSET
- FALCON_IRQMCLR
- FALCON_IRQDEST
- FALCON_GPTMRINT
- FALCON_GPTMRVAL
- FALCON_GPTMRCTL
- FALCON_UNK_3C
- FALCON_UNK_E0
FALCON_SPROT_MTHD
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the following registers:
- FALCON_ITFEN
- FALCON_CURCTX
- FALCON_NXTCTX
- FALCON_CTXACK
- FALCON_MTHDDATA
- FALCON_MTHDID
- FALCON_MTHDWDAT
- FALCON_MTHDCOUNT
- FALCON_MTHDPOP
- FALCON_MTHDRAMSZ
- FALCON_DEBUG1
FALCON_SPROT_SCTL
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the FALCON_SCTL register.
FALCON_SPROT_WDTMR
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the following registers:
- FALCON_WDTMRVAL
- FALCON_WDTMRCTL
TSEC_SCP_CTL0
Bits | Description |
---|---|
20 | Enable TSEC_SCP_INSN_STAT register |
TSEC_SCP_CTL1
Bits | Description |
---|---|
11 | Enable TRNG testing mode |
12 | Enable the TRNG |
TSEC_SCP_CTL_STAT
Bits | Description |
---|---|
20 | TSEC_SCP_CTL_STAT_DEBUG_MODE |
TSEC_SCP_CTL_LOCK
Bits | Description |
---|---|
0 | Disable reads for the SCP and TRNG register blocks |
1 | Disable reads for the TFBIF register block |
2 | Disable reads for the DMA register block |
3 | Disable reads for the TEGRA register block |
4 | Disable writes for the SCP and TRNG register blocks |
5 | Disable writes for the TFBIF register block |
6 | Disable writes for the DMA register block |
7 | Disable writes for the TEGRA register block |
Locks accesses to sub-engines and can only be cleared in Heavy Secure mode.
TSEC_SCP_CTL_PKEY
Bits | Description |
---|---|
0 | TSEC_SCP_CTL_PKEY_REQUEST_RELOAD |
1 | TSEC_SCP_CTL_PKEY_LOADED |
TSEC_SCP_SEQ_CTL
Bits | Description |
---|---|
0-3 | Sequence's instruction index |
4-7 | Target and control flags |
8-11 | Sequence's size |
Controls the last crypto sequence (cs0 or cs1) created.
TSEC_SCP_SEQ_VAL
Bits | Description |
---|---|
0-3 | Sequence instruction's first operand |
4-9 | Sequence instruction's second operand |
10-14 | Sequence instruction's opcode |
Contains information on the last crypto sequence (cs0 or cs1) created.
TSEC_SCP_SEQ_STAT
Bits | Description |
---|---|
0 | Set if crypto sequence recording (cs0begin/cs1begin) is active |
4-7 | Number of instructions left for the crypto sequence |
12-15 | Active crypto key register |
Contains information on the last crypto sequence (cs0 or cs1) executed.
TSEC_SCP_INSN_STAT
Bits | Description |
---|---|
0-3 | Destination register or immediate value |
8-13 | Source register or immediate value |
20-24 | Operation
0x0: nop (fuc5 opcode 0x00) 0x1: cmov (fuc5 opcode 0x84) 0x2: cxsin (fuc5 opcode 0x88) or xdst (with cxset) 0x3: cxsout (fuc5 opcode 0x8C) or xdld (with cxset) 0x4: crnd (fuc5 opcode 0x90) 0x5: cs0begin (fuc5 opcode 0x94) 0x6: cs0exec (fuc5 opcode 0x98) 0x7: cs1begin (fuc5 opcode 0x9C) 0x8: cs1exec (fuc5 opcode 0xA0) 0x9: invalid (fuc5 opcode 0xA4) 0xA: cchmod (fuc5 opcode 0xA8) 0xB: cxor (fuc5 opcode 0xAC) 0xC: cadd (fuc5 opcode 0xB0) 0xD: cand (fuc5 opcode 0xB4) 0xE: crev (fuc5 opcode 0xB8) 0xF: cprecmac (fuc5 opcode 0xBC) 0x10: csecret (fuc5 opcode 0xC0) 0x11: ckeyreg (fuc5 opcode 0xC4) 0x12: ckexp (fuc5 opcode 0xC8) 0x13: ckrexp (fuc5 opcode 0xCC) 0x14: cenc (fuc5 opcode 0xD0) 0x15: cdec (fuc5 opcode 0xD4) 0x16: csigauth (fuc5 opcode 0xD8) 0x17: csigenc (fuc5 opcode 0xDC) 0x18: csigclr (fuc5 opcode 0xE0) |
28 | Set if the instruction is valid |
31 | Set if running in HS mode |
Contains information on the last crypto instruction executed.
TSEC_SCP_AUTH_STAT
Bits | Description |
---|---|
0-1 | Signature comparison result (3=succeeded, 2=failed) |
Contains information on the last authentication attempt.
TSEC_SCP_AES_STAT
Bits | Description |
---|---|
0-4 | First opcode |
5-9 | Second opcode |
15-16 | AES operation
0: Encryption 1: Decryption 2: Key expansion 3: Key reverse expansion |
Contains information on the last AES sequence executed.
TSEC_SCP_IRQSTAT
Bits | Description |
---|---|
0 | TSEC_SCP_IRQSTAT_TRNG |
8 | TSEC_SCP_IRQSTAT_ACL_ERROR |
12 | Unknown |
16 | TSEC_SCP_IRQSTAT_INSN_ERROR |
20 | TSEC_SCP_IRQSTAT_SINGLE_STEP |
24 | Unknown |
28 | Unknown |
Used for getting the status of crypto IRQs.
TSEC_SCP_IRQMASK
Bits | Description |
---|---|
0 | TSEC_SCP_IRQMASK_TRNG |
8 | TSEC_SCP_IRQMASK_ACL_ERROR |
12 | Unknown |
16 | TSEC_SCP_IRQMASK_INSN_ERROR |
20 | TSEC_SCP_IRQMASK_SINGLE_STEP |
24 | Unknown |
28 | Unknown |
Used for getting the value of the mask for crypto IRQs.
TSEC_SCP_ACL_ERR
Bits | Description |
---|---|
0 | Set when writing to a crypto register without the correct ACL |
4 | Set when reading from a crypto register without the correct ACL |
8 | Set on an invalid ACL change (cchmod) |
31 | An ACL error occurred |
Contains information on the status generated by the TSEC_SCP_IRQSTAT_ACL_ERROR IRQ.
TSEC_SCP_INSN_ERR
Bits | Description |
---|---|
0 | Invalid instruction |
4 | Empty crypto sequence |
8 | Crypto sequence is too long |
12 | Crypto sequence was not finished |
16 | Insecure signature (csigenc, csigclr or csigauth) |
20 | Invalid signature (csigauth in HS mode) |
24 | Forbidden ACL change (cchmod in NS mode) |
Contains information on crypto errors generated by the TSEC_SCP_IRQSTAT_INSN_ERROR IRQ.
TSEC_TFBIF_MCCIF_FIFOCTRL
Bits | Description |
---|---|
0 | TSEC_TFBIF_MCCIF_FIFOCTRL_RCLK_OVERRIDE |
1 | TSEC_TFBIF_MCCIF_FIFOCTRL_WCLK_OVERRIDE |
2 | TSEC_TFBIF_MCCIF_FIFOCTRL_WRCL_MCLE2X |
3 | TSEC_TFBIF_MCCIF_FIFOCTRL_RDMC_RDFAST |
4 | TSEC_TFBIF_MCCIF_FIFOCTRL_WRMC_CLLE2X |
5 | TSEC_TFBIF_MCCIF_FIFOCTRL_RDCL_RDFAST |
6 | TSEC_TFBIF_MCCIF_FIFOCTRL_CCLK_OVERRIDE |
7 | TSEC_TFBIF_MCCIF_FIFOCTRL_RCLK_OVR_MODE |
8 | TSEC_TFBIF_MCCIF_FIFOCTRL_WCLK_OVR_MODE |
TSEC_TFBIF_MCCIF_FIFOCTRL1
Bits | Description |
---|---|
0-15 | TSEC_TFBIF_MCCIF_FIFOCTRL1_SRD2MC_REORDER_DEPTH_LIMIT |
16-31 | TSEC_TFBIF_MCCIF_FIFOCTRL1_SWR2MC_REORDER_DEPTH_LIMIT |
TSEC_TFBIF_MMU_PROT
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to external memory at the MMU level. Accessible in HS mode only.
TSEC_TFBIF_MMU_PHYS_SEC
Bits | Description |
---|---|
0 | Bypass MMU translation on CTXDMA port 0 |
4 | Bypass MMU translation on CTXDMA port 1 |
8 | Bypass MMU translation on CTXDMA port 2 |
12 | Bypass MMU translation on CTXDMA port 3 |
16 | Bypass MMU translation on CTXDMA port 4 |
20 | Bypass MMU translation on CTXDMA port 5 |
24 | Bypass MMU translation on CTXDMA port 6 |
28 | Bypass MMU translation on CTXDMA port 7 |
Controls MMU bypass mode. Accessible in HS mode only.
[6.0.0+] The nvhost_tsec firmware sets this register to 0x10 or 0x111110 before reading memory from the GPU UCODE carveout.
TSEC_TFBIF_MMU_TRANSCFG
Bits | Description |
---|---|
0-3 | Transfer configuration for CTXDMA port 0 |
4-7 | Transfer configuration for CTXDMA port 1 |
8-11 | Transfer configuration for CTXDMA port 2 |
12-15 | Transfer configuration for CTXDMA port 3 |
16-19 | Transfer configuration for CTXDMA port 4 |
20-23 | Transfer configuration for CTXDMA port 5 |
24-27 | Transfer configuration for CTXDMA port 6 |
28-31 | Transfer configuration for CTXDMA port 7 |
Controls external memory transfers' configuration at the MMU level. Accessible in HS mode only.
[6.0.0+] The nvhost_tsec firmware sets this register to 0x20 or 0x140 before reading memory from the GPU UCODE carveout.
TSEC_TFBIF_ACTMON_MAMASK
Takes the memory access mask for the Activity Monitor. Disconnected on the TSEC, but available on NVDEC, NVENC and NVJPG.
TSEC_TFBIF_ACTMON_BORPS
Takes the billions of records per second count for the Activity Monitor. Disconnected on the TSEC, but available on NVDEC, NVENC and NVJPG.
TSEC_TFBIF_ACTMON_CTL
Controls the Activity Monitor. Disconnected on the TSEC, but available on NVDEC, NVENC and NVJPG.
TSEC_CG
Bits | Description |
---|---|
0-5 | TSEC_CG_IDLE_CG_DLY_CNT |
6 | TSEC_CG_IDLE_CG_EN |
16-18 | TSEC_CG_WAKEUP_DLY_CNT |
19 | TSEC_CG_WAKEUP_DLY_EN |
TSEC_BAR0_CTL
Bits | Description |
---|---|
0 | TSEC_BAR0_CTL_READ |
1 | TSEC_BAR0_CTL_WRITE |
4-7 | TSEC_BAR0_CTL_BYTE_MASK |
12-13 | TSEC_BAR0_CTL_STATUS
0: Idle 1: Busy 2: Error 3: Disabled |
31 | TSEC_BAR0_CTL_INIT |
A BAR0 DMA read/write operation requires bits TSEC_BAR0_CTL_INIT and TSEC_BAR0_CTL_READ/TSEC_BAR0_CTL_WRITE to be set in TSEC_BAR0_CTL.
During the transfer, TSEC_BAR0_CTL_STATUS is set to "Busy".
Accessing an invalid address sets TSEC_BAR0_CTL_STATUS to "Error".
TSEC_BAR0_ADDR
Takes the address for DMA transfers between TSEC and HOST1X (master and clients).
TSEC_BAR0_DATA
Takes the data for DMA transfers between TSEC and HOST1X (master and clients).
TSEC_BAR0_TIMEOUT
Takes the timeout value for DMA transfers between TSEC and HOST1X (master and clients).
TSEC_TEGRA_CTL
Bits | Description |
---|---|
16 | TSEC_TEGRA_CTL_TKFI_KFUSE |
17 | TSEC_TEGRA_CTL_TKFI_RESTART_FSM_KFUSE |
24 | TSEC_TEGRA_CTL_TMPI_FORCE_IDLE_INPUTS_I2C |
25 | TSEC_TEGRA_CTL_TMPI_RESTART_FSM_HOST1X |
26 | TSEC_TEGRA_CTL_TMPI_RESTART_FSM_APB |
27 | TSEC_TEGRA_CTL_TMPI_DISABLE_OUTPUT_I2C |
SCP
Part of the information here (which hasn't made it into envytools documentation yet) was shared by mwk from reverse engineering falcon processors over the years.
Authenticated Mode
Entry
From non-secure mode, upon jumping to a page marked as secret, a secret fault occurs. This causes the CPU to verify the region specified in $cauth against the MAC loaded in $c6. If the comparison is successful, the valid bit (bit0) is set on all pages in the $cauth region, and $pc is set to the base of the $cauth region. If the comparsion fails, the CPU is halted.
Exit
The CPU automatically goes back to non-secure mode when returning back into non-secret pages. When this happens, the valid bit (bit0) in the TLB flags is cleared for all secret pages.
Implementation
Under certain circumstances, it is possible to observe csigauth being briefly written to TSEC_SCP_INSN_STAT as "csigauth $c4 $c6" while the opcodes in TSEC_SCP_AES_STAT are set to "cxsin" and "csigauth", respectively.
Via TSEC_SCP_SEQ_CTL it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
Operations
Opcode | Name | Operand0 | Operand1 | Operation | Condition |
---|---|---|---|---|---|
0 | nop | N/A | N/A | ||
1 | mov | $cX | $cY | $cX = $cY; ACL(X) = ACL(Y); |
|
2 | sin | $cX | N/A | $cX = read_stream(); ACL(X) = ???; |
|
3 | sout | $cX | N/A | write_stream($cX); |
? |
4 | rnd | $cX | N/A | $cX = read_trng(); ACL(X) = ???; |
|
5 | s0begin | immX | N/A | record_macro_for_N_instructions(0, immX); |
|
6 | s0exec | immX | N/A | execute_macro_N_times(0, immX); |
|
7 | s1begin | immX | N/A | record_macro_for_N_instructions(1, immX); |
|
8 | s1exec | immX | N/A | execute_macro_N_times(1, immX); |
|
9 | <invalid> | ||||
0xA | chmod | $cX | immY | Complicated, see ACL. | |
0xB | xor | $cX | $cY | $cX ^= $cY; |
(ACL(X) & 2) && (ACL(Y) & 2)
|
0xC | add | $cX | immY | $cX += immY; |
(ACL(X) & 2)
|
0xD | and | $cX | $cY | $cX &= $cY; |
(ACL(X) & 2) && (ACL(Y) & 2)
|
0xE | rev | $cX | $cY | $cX = endian_swap128($cY); ACL(X) = ACL(Y); |
|
0xF | gfmul | $cX | $cY | $cX = gfmul($cY); ACL(X) = ACL(Y); |
(ACL(Y) & 2)
|
0x10 | secret | $cX | immY | $cX = load_secret(immY); ACL(X) = load_secret_acl(immY); |
|
0x11 | keyreg | immX | N/A | active_key_idx = immX; |
|
0x12 | kexp | $cX | $cY | $cX = aes_kexp($cY); ACL(X) = ACL(Y); |
|
0x13 | krexp | $cX | $cY | $cX = aes_kexp_reverse($cY); ACL(X) = ACL(Y); |
|
0x14 | enc | $cX | $cY | $cX = aes_enc(active_key_idx, $cY); ACL(X) = ACL(active_key_idx) & ACL(Y); |
|
0x15 | dec | $cX | $cY | $cX = aes_dec(active_key_idx, $cY); ACL(X) = ACL(active_key_idx) & ACL(Y); |
|
0x16 | csigauth | $cX | $cY | if (hash_verify($cX, $cY)) { has_sig = true; current_sig = $cX; } |
? |
0x17 | csigclr | N/A | N/A | has_sig = false; |
|
0x18 | csigenc | $cX | $cY | if (has_sig) { $cX = aes_enc($cY, current_sig); ACL(X) = 0x13; } |
csigauth
00000000: f5 3c XY d8 csigauth $cY $cX
Takes 2 crypto registers as operands and is automatically executed when jumping to a code region previously uploaded as secret. This instruction does not work in secure mode.
csigclr
00000000: f5 3c 00 e0 csigclr
This instruction takes no operands and appears to clear the saved cauth signature used by the csigenc instruction.
cchmod
00000000: f5 3c XY a8 cchmod $cY 0X
or 00000000: f5 3c XY a9 cchmod $cY 1X
This instruction takes a crypto register and a 5 bit immediate value which represents the ACL mask to set.
crnd
00000000: f5 3c 0X 90 crnd $cX
This instruction initializes a crypto register with random data.
Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:
- Write 0x7FFF to TSEC_TRNG_CLK_LIMIT_LOW.
- Write 0x3FF0000 to TSEC_TRNG_CLK_LIMIT_HIGH.
- Write 0xFF00 to TSEC_TRNG_CTL.
- Write 0x1000 to TSEC_SCP_CTL1.
Otherwise it hangs forever.
ACL
Bit | Meaning |
---|---|
0 | Secure key. Forced set if bit1 is set. Once cleared, cannot be set again. |
1 | Secure readable. Once cleared, cannot be set again. |
2 | Insecure key. Forced set if bit3 is set. Forced clear if bit0 is clear. Can be toggled back and forth. |
3 | Insecure readable. Forced clear if bit1 is clear. Can be toggled back and forth. |
4 | Insecure overwritable. Can be toggled back and forth. |
Initial values
On SCP boot, the ACL is 0x1F for all $cX.
Loading into $cX using xdst instruction sets ACL($cX) to 0x13 and 0x1F, for secure and insecure mode respectively.
Spilling a $cX to DMEM using xdld instruction is allowed if (ACL($cX) & 2) or (ACL($cX) & 8), for secure and insecure mode respectively.
Loading a secret into $cX sets a per-secret ACL, unconditionally.
cauth
$cauth is a special purpose register in the CPU.
Bits | Description |
---|---|
0-7 | Start of region to authenticate (in 0x100 pages) |
8-15 | Unknown |
16 | Use secret xfers |
17 | Region is encrypted |
18 | Unknown (set in HS mode) |
19 | Block traps and interrupts (set in HS mode) |
20-23 | Unknown |
24-31 | Size of region to authenticate (in 0x100 pages) |
cxset
cxset instruction provides a way to change behavior of a variable amount of successively executed DMA-related instructions.
for example: 000000de: f4 3c 02 cxset 0x2
can be read as: dma_override(type=crypto_reg, count=2)
The argument to cxset specifies the type of behavior change in the top 3 bits, and the number of DMA-related instructions the effect lasts for in the lower 5 bits.
Bits | Description |
---|---|
0-4 | Number of instructions it is valid for (0x1f is a special value meaning infinitely many instructions -- until overriden by another cxset) |
5 | Crypto destination/source select (0=crypto register, 1=crypto stream) |
6 | External memory override (0=Disabled, 1=Enabled) |
7 | Internal memory select (0=DMEM, 1=IMEM) |
DMA-Related Instructions
At least the following instructions may have changed behavior, and count against the cxset "count" argument: xdwait
, xdst
, xdld
.
For example, if override type=0b000, then the "length" argument to xdst
is instead treated as the index of the target $cX register.
Secrets
Falcon's Authenticated Mode has access to 64 128-bit keys which are burned at factory. These keys can be loaded by using the $csecret instruction which takes the target crypto register and the key index as arguments.
Secrets are specific to each Falcon unit with the exception of secret 0x3F. This secret is effectively empty (all zeros), but is configured to be overwritten with the KFUSE private key once the KFUSE clock is enabled. The KFUSE private key is console-unique.
Index | ACL | Notes |
---|---|---|
0x00 | 0x13 | Used by Keygen, nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares. |
0x01 | 0x10 | Used by nvhost_nvdec_bl020_prod firmware. |
0x02 | 0x10 | |
0x03 | 0x11 | Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. |
0x04 | 0x10 | Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. |
0x05 | 0x13 | Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares. |
0x06 | 0x11 | |
0x07 | 0x11 | Used by [6.0.0+] nvhost_tsec firmware. |
0x08 | 0x10 | |
0x09 | 0x13 | Used by nvhost_tsec firmware. |
0x0A | 0x11 | |
0x0B | 0x10 | Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. |
0x0C | 0x13 | |
0x0D | 0x11 | |
0x0E | 0x10 | |
0x0F | 0x13 | Used by nvhost_tsec firmware. |
0x10 | 0x11 | Used by [1.0.0-5.1.0] nvhost_tsec firmware. |
0x11 | 0x10 | |
0x12 | 0x13 | |
0x13 | 0x11 | |
0x14 | 0x10 | |
0x15 | 0x13 | Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares. |
0x16 | 0x11 | |
0x17 | 0x10 | |
0x18 | 0x13 | |
0x19 | 0x11 | |
0x1A | 0x10 | |
0x1B | 0x13 | |
0x1C | 0x11 | |
0x1D | 0x10 | |
0x1E | 0x13 | |
0x1F | 0x11 | |
0x20 | 0x10 | |
0x21 | 0x13 | |
0x22 | 0x11 | |
0x23 | 0x10 | |
0x24 | 0x13 | |
0x25 | 0x11 | |
0x26 | 0x10 | Used by KeygenLdr and SecureBoot |
0x27 | 0x13 | |
0x28 | 0x11 | |
0x29 | 0x10 | |
0x2A | 0x13 | |
0x2B | 0x11 | |
0x2C | 0x10 | |
0x2D | 0x13 | |
0x2E | 0x11 | |
0x2F | 0x10 | |
0x30 | 0x13 | |
0x31 | 0x11 | |
0x32 | 0x10 | |
0x33 | 0x13 | |
0x34 | 0x11 | |
0x35 | 0x10 | |
0x36 | 0x13 | |
0x37 | 0x11 | |
0x38 | 0x10 | |
0x39 | 0x13 | |
0x3A | 0x11 | |
0x3B | 0x10 | |
0x3C | 0x13 | Used by nvhost_tsec firmware. |
0x3D | 0x11 | |
0x3E | 0x10 | |
0x3F | 0x10 | Used by Keygen, nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. |