3
edits
Changes
Jump to navigation
Jump to search
mLine 22:
Line 22: − <check back later for diff>+ + + + + + + + + + + + + Line 28:
Line 40: − + + + Line 63:
Line 77: − SM was not updated.+ + + + + + + + + + + + + + + + + + + + + + − + + + + + Line 78:
Line 117: + + + +
→See Also
The Secure Monitor was updated.
The Secure Monitor was updated.
* The SE key read disable function no longer writes zero to AES_KEY_READ_DISABLE/RSA_KEY_READ_DISABLE.
* Functions for locking/checking PMC secure scratch now have additional bitmasks 0x40/0x80 for locking more secure scratch registers.
* NVDEC/TSECB access to the kernel carveout was removed.
* On suspend (SC7 Entry), SWR_USBD_RST is now checked, and AHB arbitration disable is now checked to be COP, ARC, USB, USB2.
** This further mitigates against Deja Vu.
* TZ/SE context save logic has been changed.
** The context save function now first generates 16 random bytes, and securely saves them to scratch (using the usual write-writelock-check-readlock-checklocked pattern).
** It then generates a random aes-256 key, and derives an actual encryption/MAC key by decrypting the random data with that key.
*** Previously, it generated a random aes-256 key and used it directly.
*** This prevents attacks that might coerce the usage of a specific aes-256 key instead of a random one.
** Calls into the check scratch locked/lock scratch function which previously passed one bitmask at a time now pass multiple
*** Accordingly, the lock/check locked functions now support multiple bitmasks instead of single bitmasks at a time.
* The function that initializes the SE/derives keys now sets flag 0x100 on AES keyslots 8-15, and RSA keyslots 0-1.
====Kernel====
====Kernel====
====Warmboot====
====Warmboot====
<check back later for diff>
* The firmware revision magic was changed from 0x129 to 0x14A.
* Security Engine state validation was changed (first six keyslots now expected to read zeroes instead of FFs).
* <check back for more diffs later>
====FIRM Sysmodules====
====FIRM Sysmodules====
=====[[SPL services|SPL]]=====
=====[[SPL services|SPL]]=====
SPL was not updated.
==System Titles==
==System Titles==
Updated titles:
* Sysmodules:
** settings Rebuilt.
** bus Identical codebin.
** bcat .text updated.
** hid .text updated.
** audio Identical codebin.
** wlan .text updated.
** nvservices Only GNU build hash was updated.
** nvnflinger .text updated.
** account .text updated.
** ns .text updated.
** am .text updated.
** ssl Rebuilt.
** vi .text updated.
** es .text updated.
** fatal .text updated.
** creport Identical codebin.
** ro Identical codebin.
** grc .text updated.
* ErrorMessage, BrowserDll, [[System_Version_Title]], FIRM, qlaunch, web-applets (main codebin rebuilt), and RebootlessSystemUpdateVersion.
No changes with IPC service commands.
No changes with IPC service commands.
Titles' RomFS changes:
Titles' RomFS changes, besides [[System_Version_Title]]:
* ErrorMessage: Error 2124-4517 was updated with actual strings etc. "/2181/4017/common" and "/DatabaseInfo" were updated.
* BrowserDll: the NROs and buildinfo were updated.
* BrowserDll: the NROs and buildinfo were updated.
* RebootlessSystemUpdateVersion: The "/version" file was updated.
* qlaunch: "/lyt/Notification.szs" was updated.
* Web-applets: "/buildinfo/buildinfo.dat" and "/.nrr/netfront.nrr" were updated.
==Keys==
==Keys==
System update report(s):
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=06-17-19_08-05-09&sys=hac]
* [https://yls8.mtheall.com/ninupdates/reports.php?date=06-17-19_08-05-09&sys=hac]
{{NavboxVersions}}
[[Category:System versions]]