Secure Monitor: Difference between revisions
|  fix LoadRsaPrivateKey | |||
| (58 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
| = Secure Monitor Calls = | = Secure Monitor Calls = | ||
| The secure monitor provides two top level handlers of which each provides a range of sub handlers. | The secure monitor provides two top level handlers of which each provides a range of sub handlers. | ||
| Secure Monitor  | Secure Monitor calls follow the ARM SMC calling convention with a small change: | ||
| {| class=wikitable | {| class=wikitable | ||
| !  | ! Bits || Description | ||
| |- | |- | ||
| |  | | 0-7 || Function Number | ||
| |- | |- | ||
| |  | | 8-15 || Argument Type | ||
| |- | |- | ||
| |  | | 16-23 || Reserved | ||
| |- | |- | ||
| |  | | 24-29 || Call Range | ||
| |- | |- | ||
| |  | | 30 || Call Convention (0 = SMC32, 1 = SMC64) | ||
| |- | |- | ||
| |  | | 31 || Call Type (0 = Yielding Call, 1 = Fast Call) | ||
| |} | |} | ||
| Line 24: | Line 23: | ||
| SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call. | SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call. | ||
| ==  | == FunctionId0 == | ||
| Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]]. | Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]]. SMCs should be called from CPUID 3 (where SPL runs). | ||
| {| class=wikitable | {| class=wikitable | ||
| !  | ! Value || Name | ||
| |- | |||
| | 0xC3000401 || SetConfig | |||
| |- | |- | ||
| |  | | 0xC3000002 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId1]]) | ||
| |- | |- | ||
| |  | | 0xC3000003 || GetResult | ||
| |- | |- | ||
| |  | | 0xC3000404 || GetResultData | ||
| |- | |- | ||
| |  | | 0xC3000E05 || ModularExponentiate | ||
| |- | |- | ||
| |  | | 0xC3000006 || [[#GenerateRandomBytes|GenerateRandomBytes]] (same as in [[#FunctionId1]]) | ||
| |- | |- | ||
| |  | | 0xC3000007 || [[#GenerateAesKek|GenerateAesKek]] | ||
| |- | |- | ||
| |  | | 0xC3000008 || [[#LoadAesKey|LoadAesKey]] | ||
| |- | |- | ||
| |  | | 0xC3000009 || [[#ComputeAes|ComputeAes]] | ||
| |- | |- | ||
| |  | | 0xC300000A || [[#GenerateSpecificAesKey|GenerateSpecificAesKey]] | ||
| |- | |- | ||
| |  | | 0xC300040B || [[#ComputeCmac|ComputeCmac]] | ||
| |- | |- | ||
| |  | | [1.0.0-4.1.0] 0xC300100C || [[#DecryptAndImportEsDeviceKey|DecryptAndImportEsDeviceKey]] | ||
| |- | |- | ||
| |  | | [5.0.0+] 0xC300D60C || [[#ReencryptDeviceUniqueData|ReencryptDeviceUniqueData]] | ||
| |- | |- | ||
| | 0xC300100D || [[# | | 0xC300100D || [[#DecryptDeviceUniqueData|DecryptDeviceUniqueData]] | ||
| |- | |- | ||
| | 0xC300100E || [[# | | [1.0.0-4.1.0] 0xC300100E || [[#DecryptAndImportLotusKey|DecryptAndImportLotusKey]] | ||
| |- | |- | ||
| | 0xC300060F || [[# | | 0xC300060F || [[#ModularExponentiateByStorageKey|ModularExponentiateByStorageKey]] | ||
| |- | |- | ||
| | 0xC3000610 || [[# | | 0xC3000610 || [[#PrepareEsDeviceUniqueKey|PrepareEsDeviceUniqueKey]] | ||
| |- | |- | ||
| | 0xC3000011 || [[#LoadPreparedAesKey]]  | | 0xC3000011 || [[#LoadPreparedAesKey|LoadPreparedAesKey]] | ||
| |- | |- | ||
| | 0xC3000012 || [2.0.0+]  | | 0xC3000012 || [2.0.0+] [[#PrepareEsCommonKey|PrepareEsCommonKey]] | ||
| |} | |} | ||
| Line 77: | Line 78: | ||
| ** Further, this means: Actual AES/RSA keys never leave TrustZone. | ** Further, this means: Actual AES/RSA keys never leave TrustZone. | ||
| === GenerateRandomBytes === | |||
| Takes an u64 '''Size'''. Returns [[#Result]] and '''RandomBytes'''. | |||
| '''Size''' is limited to 0x38 (for fitting in return registers). | |||
| === GenerateAesKek === | === GenerateAesKek === | ||
| Line 88: | Line 91: | ||
| Takes a session kek created with [[#GenerateAesKek]], and a wrapped AES key. | Takes a session kek created with [[#GenerateAesKek]], and a wrapped AES key. | ||
| The session kek must have been created with  | The session kek must have been created with [[#CryptoUsecase|CryptoUsecase Aes]]. | ||
| ===  | === ComputeAes === | ||
| Encrypts/decrypts using  | Encrypts/decrypts using AES (CTR and CBC). Takes an [[#CipherMode]]. | ||
| Key must be set prior using one of the [[#LoadAesKey]] | Key must be set prior using one of the [[#LoadAesKey]] or [[#GenerateSpecificAesKey]] commands. | ||
| === GenerateSpecificAesKey === | === GenerateSpecificAesKey === | ||
| Takes a wrapped AES key and decrypts it using static data. | |||
| === ComputeCmac === | |||
| Calculates CMAC over input data. | |||
| ===  | === DecryptAndImportEsDeviceKey === | ||
| Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key. | Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key. | ||
| The session kek must have been created with  | The session kek must have been created with [[#CryptoUsecase|CryptoUsecase TitleKey]]. | ||
| [5.0.0] This function was removed and replaced with [[#ReencryptDeviceUniqueData]]. | |||
| === ReencryptDeviceUniqueData === | |||
| Takes in two session keks created with [[#GenerateAesKek]], two wrapped AES keys, an enum member, and a wrapped RSA private key. | |||
| ===  | Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid. | ||
| Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key. | |||
| The re-encrypted key is then passed to the user, for use with [[#DecryptDeviceUniqueData]]. | |||
| === DecryptDeviceUniqueData === | |||
| Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, an enum member, and a wrapped RSA private key. | |||
| The session kek must have been created with [[#CryptoUsecase|CryptoUsecase RsaPrivate]]. | |||
| [4.0.0+] The SMC handler when certain conditions pass and FunctionId0==0xC300100D now returns error 0x6 instead of calling the handler funcptr. | |||
| [5.0.0+] This function now takes an additional input [[#DecryptOrImportMode]]. This extends the original functionality to enable importing private keys into the security engine instead of decrypting them. | |||
| === DecryptAndImportLotusKey === | |||
| Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA key. | |||
| The session kek must have been created with  | The session kek must have been created with [[#CryptoUsecase|CryptoUsecase RsaSecureExpMod]]. | ||
| [5.0.0] This function was removed. | |||
| === ModularExponentiateByStorageKey === | |||
| Performs an ExpMod operation using an exponent previously loaded with the [[#DecryptAndImportLotusKey]] command. | |||
| [5.0.0+] This now uses any exponent previously loaded with [[#DecryptDeviceUniqueData]] and takes an [[#SecureExpModMode]]. | |||
| Key  | === PrepareEsDeviceUniqueKey === | ||
| Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash. | |||
| Performs an ExpMod operation using an exponent previously loaded with the [[#DecryptAndImportEsDeviceKey]] command, and then validates/extracts a Titlekey from the resulting message. | |||
| Returns a session-unique AES key especially for use in [[# | Returns a session-unique AES key especially for use in [[#LoadTitleKey]]. | ||
| [5.0.0+] This now uses any exponent previously loaded with [[#DecryptDeviceUniqueData]]. | |||
| === LoadPreparedAesKey === | === LoadPreparedAesKey === | ||
| Takes a session-unique AES key from [[# | Takes a session-unique AES key from [[#PrepareEsCommonKey]] or [[#PrepareEsDeviceUniqueKey]]. | ||
| === PrepareEsCommonKey === | |||
| Takes an AES-wrapped common TitleKey and returns a sealed AES key. | |||
| == FunctionId1 == | |||
| Functions exposed to the kernel internally. | |||
| {| class=wikitable | {| class=wikitable | ||
| ! Value || Name | ! Value || Name | ||
| |- | |- | ||
| | 0 ||  | | 0xC4000001 || [[#SuspendCpu|SuspendCpu]] | ||
| |- | |||
| | 0x84000002 || [[#PowerOffCpu|PowerOffCpu]] | |||
| |- | |||
| | 0xC4000003 || [[#PowerOnCpu|PowerOnCpu]] | |||
| |- | |||
| | 0xC3000004 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId0]]) | |||
| |- | |||
| | 0xC3000005 || [[#GenerateRandomBytes|GenerateRandomBytesNonBlocking]] | |||
| |- | |||
| | 0xC3000006 || [[#ShowError|ShowError]] | |||
| |- | |||
| | 0xC3000007 || [2.0.0+] [[#SetKernelCarveoutRegion|SetKernelCarveoutRegion]] | |||
| |- | |||
| | 0xC3000008 || [2.0.0+] [[#ReadWriteRegister|ReadWriteRegister]] | |||
| |} | |||
| === SuspendCpu === | |||
| Takes an u64 '''PowerState''', an u64 '''EntrypointAddress''' and an u64 '''ContextId'''. No output. | |||
| Suspends the CPU (CPU0). | |||
| The kernel calls this SMC on shutdown with '''PowerState''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B). | |||
| === PowerOffCpu === | |||
| No input/output. | |||
| Turns off the CPU (CPU1, CPU2 or CPU3). | |||
| === PowerOnCpu === | |||
| Takes an u64 '''TargetCpu''', an u64 '''EntrypointAddress''' and an u64 '''ContextId'''. Returns [[#Result]]. | |||
| Turns on the CPU (CPU1, CPU2 or CPU3). | |||
| === GetConfig === | |||
| Takes a [[#ConfigItem]]. Returns [[#Result]] and a '''ConfigValue'''. | |||
| ==== ConfigItem ==== | |||
| {| class="wikitable" border="1" | |||
| |- | |||
| ! Value || Name | |||
| |- | |||
| | 1 || [[#DisableProgramVerification]] | |||
| |- | |||
| | 2 || [[#DramId]] | |||
| |- | |||
| | 3 || [[#SecurityEngineInterruptNumber]] | |||
| |- | |||
| | 4 || [[#FuseVersion]] | |||
| |- | |||
| | 5 || [[#HardwareType]] | |||
| |- | |||
| | 6 || [[#HardwareState]] | |||
| |- | |||
| | 7 || [[#IsRecoveryBoot]] | |||
| |- | |||
| | 8 || [[#DeviceId]] | |||
| |- | |||
| | 9 || [1.0.0-4.0.0] [[#BootReason]] | |||
| |- | |||
| | 10 || [[#MemoryMode]] | |||
| |- | |||
| | 11 || [[#IsDevelopmentFunctionEnabled]] | |||
| |- | |||
| | 12 || [[#KernelConfiguration]] | |||
| |- | |||
| | 13 || [[#IsChargerHiZModeEnabled]] | |||
| |- | |||
| | 14 || [4.0.0+] [[#QuestState]] | |||
| |- | |||
| | 15 || [5.0.0+] [[#RegulatorType]] | |||
| |- | |||
| | 16 || [5.0.0+] [[#DeviceUniqueKeyGeneration]] | |||
| |- | |||
| | 17 || [5.0.0+] [[#Package2Hash]] | |||
| |} | |||
| ===== DisableProgramVerification ===== | |||
| [[Process Manager services|PM]] checks this item and if non-zero, calls fsp-pr SetEnabledProgramVerification(false). | |||
| ===== DramId ===== | |||
| {| class="wikitable" border="1" | |||
| |- | |||
| ! Value | |||
| ! Description | |||
| |- | |||
| | 0 | |||
| | EristaIcosaSamsung4gb | |||
| |- | |||
| | 1 | |||
| | EristaIcosaHynix4gb | |||
| |- | |||
| | 2 | |||
| | EristaIcosaMicron4gb | |||
| |- | |||
| | 3 | |||
| | EristaCopperSamsung4gb | |||
| |- | |||
| | 4 | |||
| | EristaIcosaSamsung6gb | |||
| |- | |||
| | 5 | |||
| | [4.0.0+] EristaCopperHynix4gb | |||
| |- | |||
| | 6 | |||
| | [4.0.0+] EristaCopperMicron4gb | |||
| |- | |||
| | 7 | |||
| | [5.0.0+] MarikoIowax1x2Samsung4gb ([4.0.0-4.1.0] Reserved) | |||
| |- | |||
| | 8 | |||
| | [5.0.0+] MarikoIowaSamsung4gb | |||
| |- | |||
| | 9 | |||
| | [5.0.0+] MarikoIowaSamsung8gb | |||
| |- | |||
| | 10 | |||
| | [6.0.0+] MarikoIowaHynix4gb ([5.0.0-5.1.0] Reserved) | |||
| |- | |||
| | 11 | |||
| | [7.0.0+] MarikoIowaMicron4gb ([5.0.0-6.2.0] Reserved) | |||
| |- | |||
| | 12 | |||
| | [5.0.0+] MarikoHoagSamsung4gb | |||
| |- | |||
| | 13 | |||
| | [5.0.0+] MarikoHoagSamsung8gb | |||
| |- | |||
| | 14 | |||
| | [7.0.0+] MarikoHoagHynix4gb ([5.0.0-6.2.0] Reserved) | |||
| |- | |||
| | 15 | |||
| | [7.0.0+] MarikoHoagMicron4gb ([5.0.0-6.2.0] Reserved) | |||
| |- | |||
| | 16 | |||
| | [8.0.0+] MarikoIowaSamsung4gbY | |||
| |- | |||
| | 17 | |||
| | [9.0.0+] MarikoIowaSamsung1y4gbX | |||
| |- | |||
| | 18 | |||
| | [9.0.0+] MarikoIowaSamsung1y8gbX | |||
| |- | |||
| | 19 | |||
| | [9.0.0+] MarikoHoagSamsung1y4gbX | |||
| |- | |||
| | 20 | |||
| | [9.0.0+] MarikoIowaSamsung1y4gbY | |||
| |- | |||
| | 21 | |||
| | [9.0.0+] MarikoIowaSamsung1y8gbY | |||
| |- | |||
| | 22 | |||
| | [9.0.0+] MarikoIowaSamsung1y4gbA | |||
| |- | |||
| | 23 | |||
| | [10.0.0+] MarikoUnkSamsung1y8gbX | |||
| |- | |||
| | 24 | |||
| | [10.0.0+] MarikoUnkSamsung1y4gbX | |||
| |} | |||
| This is extracted directly from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | |||
| [[PCV_services|PCV]] selects memory training tables based on DramId. | |||
| {| class="wikitable" border="1" | |||
| |- | |||
| ! SocType | |||
| ! Platform | |||
| ! DramId | |||
| ! Revision | |||
| ! DVFS | |||
| |- | |||
| | Erista | |||
| | jetson-tx1 | |||
| | N/A | |||
| | 0x07 | |||
| | | |||
|  11_40800_01_V9.8.3_V1.6 | |||
|  11_68000_01_V9.8.3_V1.6 | |||
|  11_102000_01_V9.8.3_V1.6 | |||
|  11_204000_05_V9.8.3_V1.6 | |||
|  11_408000_02_V9.8.3_V1.6 | |||
|  11_665600_03_V9.8.3_V1.6 | |||
|  11_800000_01_V9.8.3_V1.6 | |||
|  11_1065600_01_V9.8.3_V1.6 | |||
|  11_1331200_01_V9.8.3_V1.6 | |||
|  11_1600000_02_V9.8.3_V1.6 | |||
| |- | |||
| | Erista | |||
| | nx-abcb | |||
| | EristaIcosaSamsung4gb | |||
| | 0x07 | |||
| | | |||
|  10_40800_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_68000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_102000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_204000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_408000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_665600_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_800000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1065600_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1331200_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1600000_NoCfgVersion_V9.8.7_V1.6 | |||
| |- | |||
| | Erista | |||
| | nx-abcb | |||
| | EristaIcosaMicron4gb | |||
| | 0x07 | |||
| | | |||
|  10_40800_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_68000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_102000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_204000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_408000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_665600_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_800000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_1065600_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_1331200_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_1600000_NoCfgVersion_V9.8.4_V1.6 | |||
| |- | |||
| | Erista | |||
| | nx-abcb | |||
| | EristaIcosaHynix4gb | |||
| | 0x07 | |||
| | | |||
|  10_40800_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_68000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_102000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_204000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_408000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_665600_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_800000_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_1065600_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_1331200_NoCfgVersion_V9.8.4_V1.6 | |||
|  10_1600000_NoCfgVersion_V9.8.4_V1.6 | |||
| |- | |||
| | Erista | |||
| | nx-abca2 | |||
| | EristaIcosaSamsung4gb, EristaIcosaMicron4gb | |||
| | 0x07 | |||
| |  | |||
|  10_40800_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_68000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_102000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_204000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_408000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_665600_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_800000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1065600_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1331200_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1600000_NoCfgVersion_V9.8.7_V1.6 | |||
| |- | |||
| | Erista | |||
| | nx-abca2 | |||
| | EristaIcosaHynix4gb | |||
| | 0x07 | |||
| | | |||
|  10_40800_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_68000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_102000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_204000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_408000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_665600_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_800000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1065600_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1331200_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1600000_NoCfgVersion_V9.8.7_V1.6 | |||
| |- | |||
| | Erista | |||
| | nx-abca2 | |||
| | EristaIcosaSamsung6gb | |||
| | 0x07 | |||
| | | |||
|  10_40800_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_68000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_102000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_204000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_408000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_665600_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_800000_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1065600_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1331200_NoCfgVersion_V9.8.7_V1.6 | |||
|  10_1600000_NoCfgVersion_V9.8.7_V1.6 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowax1x2Samsung4gb | |||
| | 0x03 | |||
| | | |||
|  01_204000_NoCfgVersion_V0.3.1_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.3.1_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.3.1_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaSamsung4gb, MarikoHoagSamsung4gb | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.3.1_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.3.1_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.3.1_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaSamsung8gb, MarikoHoagSamsung8gb | |||
| | 0x03 | |||
| | | |||
|  01_204000_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.4.2_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaHynix4gb, MarikoHoagHynix4gb | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.3.1_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.3.1_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.3.1_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaMicron4gb, MarikoHoagMicron4gb | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.4.2_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaSamsung4gbY | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.4.2_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaSamsung1y4gbX | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.4.2_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaSamsung1y8gbX | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.4.2_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoHoagSamsung1y4gbX | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.4.2_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaSamsung1y4gbY | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.4.2_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaSamsung1y8gbY | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.4.2_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.4.2_V2.0 | |||
| |- | |||
| | Mariko | |||
| | nx-abca2, nx-abcb, nx-abcc, nx-abcd | |||
| | MarikoIowaSamsung1y4gbA | |||
| | 0x03 | |||
| |   | |||
|  01_204000_NoCfgVersion_V0.4.5_V2.0 | |||
|  01_1331200.0_NoCfgVersion_V0.4.5_V2.0 | |||
|  01_1600000_NoCfgVersion_V0.4.5_V2.0 | |||
| |} | |||
| '''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail, EDEV and SDEV form factors. | |||
| '''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is a prototype unit. Among other differences, this has extra hardware to support HDMI output. | |||
| [8.0.0+] '''nx-abcc''' ('''Hoag''') was added for the Lite retail and HDEV form factors. | |||
| [10.0.0+] '''nx-abcd''' was added. | |||
| '''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X. | |||
| ===== SecurityEngineInterruptNumber ===== | |||
| SPL uses this for setting up the security engine IRQ. | |||
| ===== FuseVersion ===== | |||
| The current [[Package2#Versions|bootloader maximum version]] - 1. | |||
| ===== HardwareType ===== | |||
| {| class=wikitable | |||
| ! Value || Description | |||
| |- | |||
| | 0 || Icosa | |||
| |- | |||
| | 1 || Copper | |||
| |- | |||
| | 2 || [8.0.0+] Hoag ([1.0.0-7.0.1] Invalid) | |||
| |- | |||
| | 3 || [4.0.0+] Iowa | |||
| |- | |||
| | 4 || [8.0.0+] Calcio | |||
| |- | |||
| | 5 || [10.0.0+] Unknown | |||
| |- | |||
| | 15 || Invalid | |||
| |} | |||
| [1.0.0+] This item is obtained by checking bits 8 and 2 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | |||
| [4.0.0+] This item is obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | |||
| [7.0.0+] This item can now only be 0 (Icosa) or 15 (Invalid) in Erista units. | |||
| Hardware is '''Icosa''' (Erista retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 1 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 0. | |||
| Hardware is '''Copper''' (Erista prototype) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1. | |||
| [4.0.0+] Hardware is '''Iowa''' (Mariko retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 1. | |||
| [8.0.0+] Hardware is '''Hoag''' (Mariko Lite retail and HDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 2. | |||
| [8.0.0+] Hardware is '''Calcio''' (Mariko prototype) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1. | |||
| [10.0.0+] Hardware is '''Unknown''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 4. | |||
| ===== HardwareState ===== | |||
| {| class=wikitable | |||
| ! Value || Description | |||
| |- | |- | ||
| |  | | 0 || Development | ||
| |- | |- | ||
| |  | | 1 || Production | ||
| |- | |- | ||
| |  | | 2 || Invalid | ||
| |} | |} | ||
| ==  | This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | ||
| Hardware is '''Development''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 3 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 0. | |||
| Hardware is '''Production''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 1. | |||
| ===== IsRecoveryBoot ===== | |||
| Used to determine if the system is booting from SafeMode firmware. | |||
| Under normal circumstances, this just returns bit 0 of the active [[BCT#bootloader0_info|bootloader info]]'s attribute field. | |||
| ===== DeviceId ===== | |||
| [[NIM_services|NIM]] checks if this item matches the [[Settings_services|set:cal]] DeviceId with byte7 cleared. If they don't match, a panic is thrown. | |||
| ===== BootReason ===== | |||
| {| class=wikitable | {| class=wikitable | ||
| !  | ! Value || Description | ||
| |- | |||
| | 0 || Invalid | |||
| |- | |||
| | 1 || AcOk | |||
| |- | |||
| | 2 || OnKey | |||
| |- | |||
| | 3 || RtcAlarm1 | |||
| |- | |||
| | 4 || RtcAlarm2 | |||
| |} | |||
| Used to determine how the system booted. | |||
| ===== MemoryMode ===== | |||
| {| class="wikitable" border="1" | |||
| |- | |||
| ! Bits | |||
| ! Description | |||
| |- | |||
| | 0-3 | |||
| | Purpose (0 = None, 1 = ForStandard, 2 = ForAppletDev, 3 = ForSystemDev) | |||
| |- | |||
| | 4-7 | |||
| | Size (0 = 4GB, 1 = 6GB, 2 = 8GB) | |||
| |} | |||
| [[Process Manager services|PM]] and the kernel decide memory arrangement based on MemoryMode. | |||
| {| class="wikitable" border="1" | |||
| |- | |- | ||
| |  | ! MemoryArrange | ||
| ! MemoryMode | |||
| ! Description | |||
| |- | |||
| | 0 | |||
| | 0x01 | |||
| | Standard  | |||
| |- | |||
| | 1 | |||
| | 0x02 | |||
| | StandardForAppletDev | |||
| |- | |||
| | 2 | |||
| | 0x03 | |||
| | StandardForSystemDev | |||
| |- | |||
| | 3 | |||
| | 0x11 | |||
| | Expanded | |||
| |- | |||
| | 4 | |||
| | 0x12 | |||
| | ExpandedForAppletDev | |||
| |- | |||
| | 5 | |||
| | 0x21 | |||
| | ExpandedForMarikoDev | |||
| |} | |||
| ===== IsDevelopmentFunctionEnabled ===== | |||
| Kernel uses this to determine behavior of [[SVC#svcBreak|svcBreak]] positive arguments. It will break instead of just force-exiting the process which is what happens on retail. | |||
| [2.0.0+] This is also used with certain debug [[SVC|SVCs]]. | |||
| [3.0.0+] [[Loader services|RO]] checks this and if set then skipping NRR rsa signatures is allowed. | |||
| ===== KernelConfiguration ===== | |||
| {| class="wikitable" border="1" | |||
| |- | |- | ||
| ! Bits | |||
| ! Description | |||
| |- | |- | ||
| |  | | 0 | ||
| | EnableNonZeroFillMemory | |||
| |- | |- | ||
| |  | | 1 | ||
| | EnableUserExceptionHandler | |||
| |- | |- | ||
| |  | | 2 | ||
| | PerformanceMonitoringUnit | |||
| |- | |- | ||
| |  | | 3 | ||
| | [8.0.0+] EnableApplicationExtraThread | |||
| |- | |- | ||
| |  | | 8 | ||
| | CallShowErrorOnPanic | |||
| |- | |- | ||
| |  | | 16-17 | ||
| | MemorySize | |||
| |} | |} | ||
| == | Kernel reads this when setting up memory-related code. | ||
| '''EnableNonZeroFillMemory''' is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. | |||
| '''EnableUserExceptionHandler''' is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers). | |||
| '''PerformanceMonitoringUnit''' is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0). | |||
| '''EnableApplicationExtraThread''' is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads. | |||
| '''CallShowErrorOnPanic''' is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping. | |||
| ===  | '''MemorySize''' determines how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB. | ||
| ===  | ===== IsChargerHiZModeEnabled ===== | ||
| Takes a ''' | This tells if the TI Charger (bq24192) is active. | ||
| ===== QuestState ===== | |||
| {| class=wikitable | |||
| ! Value || Description | |||
| |- | |||
| | 0 || Disabled | |||
| |- | |||
| | 1 || Enabled | |||
| |} | |||
| This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | |||
| [4.0.0+] [[Settings_services|Settings]] uses this value to overwrite the quest flag from [[Settings_services#set:sys|GetQuestFlag]]. This is used to detect if a Switch is a kiosk unit for display at retail stores. | |||
| ===== RegulatorType ===== | |||
| {| class="wikitable" border="1" | |||
| |- | |||
| ! Value | |||
| ! SocType | |||
| ! GPU | |||
| ! Power Blocks | |||
| |- | |||
| | 0 | |||
| | Erista | |||
| | GM20B (0x12B) | |||
| | max77620_sd0, max77621_cpu and max77621_gpu | |||
| |- | |||
| | 1 | |||
| | Mariko | |||
| | GM20B_B (0x12E) | |||
| | max77620_sd0, max77812_cpu and max77812_gpu | |||
| |- | |||
| | 2 | |||
| | Mariko | |||
| | GM20B_B (0x12E) | |||
| | max77620_sd0, max77812_cpu and max77812_gpu | |||
| |} | |||
| [5.0.0+] [[PCV_services|PCV]] uses this value in combination with [[#HardwareType|HardwareType]] to configure power blocks and memory tables for different hardware. | |||
| ===== DeviceUniqueKeyGeneration ===== | |||
| This item is obtained from [[Fuse_registers#FUSE_RESERVED_ODM2|FUSE_RESERVED_ODM2]] if bit 11 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]] is set, [[Fuse_registers#FUSE_RESERVED_ODM0|FUSE_RESERVED_ODM0]] matches 0x8E61ECAE and [[Fuse_registers#FUSE_RESERVED_ODM1|FUSE_RESERVED_ODM1]] matches 0xF2BA3BB2. | |||
| [5.0.0+] [[Filesystem services|FS]] can now use this value for the '''KeyGeneration''' parameter when calling [[#GenerateAesKek|GenerateAesKek]] during "GetBisEncryptionKey". | |||
| ===== Package2Hash ===== | |||
| This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead. | |||
| === ShowError === | |||
| Takes an u32 '''Color''' and issues a system panic. | |||
| The kernel always calls this with '''Color''' set to 0xF00. | |||
| === SetKernelCarveoutRegion === | |||
| Takes an u64 '''Index''', an u64 '''Address''' and an u64 '''Size'''. Returns [[#Result]]. | |||
| If '''Index''' is 0, '''Address''' and '''Size''' are used to configure '''MC_SECURITY_CARVEOUT4'''. | |||
| If '''Index''' is 1, '''Address''' and '''Size''' are used to configure '''MC_SECURITY_CARVEOUT5'''. | |||
| Any other '''Index''' values are invalid. | |||
| The kernel calls this with '''Index''' set to 0, '''Address''' set to 0x80060000 and '''Size''' set to a dynamically calculated size which covers all the kernel and built-in sysmodules' DRAM regions. | |||
| === ReadWriteRegister === | |||
| Takes an u64 '''Register''', an u32 '''Mask''' and an u32 '''InValue'''. Returns [[#Result]] and an u32 '''OutValue'''. | |||
| Relays [[SVC#svcReadWriteRegister|svcReadWriteRegister]] to the Secure Monitor. | |||
| = CryptoUsecase = | |||
| {| class=wikitable | |||
| ! Value || Name | |||
| |- | |||
| | 0 || Aes | |||
| |- | |||
| | 1 || RsaPrivate | |||
| |- | |||
| | 2 || SecureExpMod | |||
| |- | |||
| | 3 || RsaOaep | |||
| |- | |||
| | 4 || [5.0.0+] RsaImport | |||
| |- | |||
| | 5 || [5.0.0+] | |||
| |- | |||
| | 6 || [5.0.0+] | |||
| |} | |||
| =  | = CipherMode = | ||
| {| class=wikitable | |||
| ! Value || Name | |||
| |- | |||
| | 0 || CbcEncrypt | |||
| |- | |||
| | 1 || CbcDecrypt | |||
| |- | |||
| | 2 || Ctr | |||
| |} | |||
| = DecryptOrImportMode = | |||
| {| class=wikitable | |||
| ! Value || Name | |||
| |- | |||
| | 0 || DecryptRsaPrivateKey | |||
| |- | |||
| | 1 || ImportLotusKey | |||
| |- | |||
| | 2 || ImportEsKey | |||
| |- | |||
| | 3 || ImportSslKey | |||
| |- | |||
| | 4 || ImportDrmKey | |||
| |} | |||
| = SecureExpModMode = | |||
| {| class=wikitable | |||
| ! Value || Name | |||
| |- | |||
| | 0 || Lotus | |||
| |- | |||
| | 1 || Ssl | |||
| |- | |||
| | 2 || Drm | |||
| |} | |||
| = EsKeyType = | |||
| {| class=wikitable | |||
| ! Value || Name | |||
| |- | |||
| | 0 || TitleKey | |||
| |- | |||
| | 1 || ElicenseKey | |||
| |} | |||
| = Result = | |||
| {| class=wikitable | {| class=wikitable | ||
| ! Value || Description | ! Value || Description | ||
| |- | |- | ||
| | 2 || Invalid  | | 0 || Success | ||
| |- | |||
| | 1 || Not implemented | |||
| |- | |||
| | 2 || Invalid argument | |||
| |- | |||
| | 3 || In progress | |||
| |- | |||
| | 4 || No async operation | |||
| |- | |||
| | 5 || Invalid async operation | |||
| |- | |- | ||
| |  | | 6 || [8.0.0+] Not permitted | ||
| |} | |} | ||