11.0.0: Difference between revisions
| (19 intermediate revisions by 3 users not shown) | |||
| Line 85: | Line 85: | ||
** Several callsites now verify that last_address != 0xFFFF... | ** Several callsites now verify that last_address != 0xFFFF... | ||
* KMemoryRegionAllocator now uses a slabheap of count 200 instead of 1000. | * KMemoryRegionAllocator now uses a slabheap of count 200 instead of 1000. | ||
* KLinkedListNode now has slab size = #KThreads instead of #KThreads * 17. | |||
* "Virtual" cores now supported, KThread now stores core ID/affinity for both virtual and physical. | * "Virtual" cores now supported, KThread now stores core ID/affinity for both virtual and physical. | ||
* New SVC 0x37 "GetResourceLimitPeakValue" | * New SVC 0x37 "GetResourceLimitPeakValue" | ||
| Line 100: | Line 101: | ||
* KConditionVariable now sets the cv_key u32 value in userspace to 1 when a condvar has waiters, and to 0 when it does not. | * KConditionVariable now sets the cv_key u32 value in userspace to 1 when a condvar has waiters, and to 0 when it does not. | ||
** New nnSdk code relies on this behavior. | ** New nnSdk code relies on this behavior. | ||
* SetupStackForUserModeThreadStarter (KThreadContext::Initialize) now sets X18 to (<cryptographically random u64> | 1), this value is unique for each thread. | |||
** This is used for Pointer Authentication changes in web browser. | |||
* KCoreLocalRegion deleted, replaced with pointer-to-current-thread | * KCoreLocalRegion deleted, replaced with pointer-to-current-thread | ||
** TPIDR_EL1 != X18 now, and TPIDR_EL1 now always points to the exception thread stack. | ** TPIDR_EL1 != X18 now, and TPIDR_EL1 now always points to the exception thread stack. | ||
| Line 118: | Line 121: | ||
* KPageHeapBitmapRng now has TinyMt as a data member, instead of directly implementing KPageHeap. | * KPageHeapBitmapRng now has TinyMt as a data member, instead of directly implementing KPageHeap. | ||
** This affects how constructor is invoked. | ** This affects how constructor is invoked. | ||
* New InfoType 24 ("FreeThreadCount") was added, gets the number of threads a process can allocate before exhausting its resource limit. | |||
* KMemoryBlock/KMemoryInfo now has extra members tracking u8 non_contig_bitflags, u16 ipc_non_contig_lock_count, u16 device_non_contig_lock_count | * KMemoryBlock/KMemoryInfo now has extra members tracking u8 non_contig_bitflags, u16 ipc_non_contig_lock_count, u16 device_non_contig_lock_count | ||
* KMemoryBlockManager Update now takes non-contig flags to determine where to coalesce (all coalescing must now happen forwards instead of either direction) | * KMemoryBlockManager Update now takes non-contig flags to determine where to coalesce (all coalescing must now happen forwards instead of either direction) | ||
| Line 232: | Line 236: | ||
The new Nintendo Switch Online menu (which can be launched via qlaunch) is handled by [[Internet_Browser#Whitelisted_Applets|LibraryAppletLoginShare]]. | The new Nintendo Switch Online menu (which can be launched via qlaunch) is handled by [[Internet_Browser#Whitelisted_Applets|LibraryAppletLoginShare]]. | ||
=== [[HID_services|hid]]-sysmodule === | |||
Besides IPC changes, the ButtonConfig cmds updated the input s32 validation: when the input s32 is invalid (which now uses an unsigned compare), it now returns 0 or an error immediately, instead of Aborting. | |||
=== [[LDN_services|ldn]]-sysmodule === | === [[LDN_services|ldn]]-sysmodule === | ||
lp2p now supports using standard WPA2-PSK, which is used by [[#LibraryAppletPhotoViewer]]. | lp2p now supports using standard WPA2-PSK, which is used by [[#LibraryAppletPhotoViewer]]. | ||
=== [[SSL_services|ssl]]-sysmodule === | |||
TLS 1.3 is now [[SSL_services#SslVersion|supported]] if the user-process enables it. | |||
See also [[#OSS]]. | |||
=== [[PGL_services|pgl]]-sysmodule === | |||
* pgl now has a new ipc command, which just returns "ResultNotImplemented()" | |||
* pgl now detects when SnapShotDumper crashes, and launches creport in that case. | |||
* pgl now passes an additional argument to creport ("%d", formatted with the value of jit_debug!enable_jit_debug). | |||
=== [[Creport|creport]]-sysmodule === | === [[Creport|creport]]-sysmodule === | ||
* creport now takes in an additional argument "jit_debug_enabled", when this is "1" the target process is not terminated on report completion. | |||
* creport now has access to fsp-srv, this is used to retrieve debugging information that is now attached to error reports. The following functions are called (with output/info attached to erpts): | * creport now has access to fsp-srv, this is used to retrieve debugging information that is now attached to error reports. The following functions are called (with output/info attached to erpts): | ||
** GetSdCardSpeedMode | ** GetSdCardSpeedMode | ||
| Line 254: | Line 272: | ||
** GetAndClearMemoryReportInfo | ** GetAndClearMemoryReportInfo | ||
** GetAndClearFileSystemProxyErrorInfo | ** GetAndClearFileSystemProxyErrorInfo | ||
=== [[Internet_Browser|Web-applets]] === | |||
These are now compiled with compiler Pointer Authentication / CFI mitigations enabled. This does not apply to non-web-applets. | |||
Pointer Authentication uses the crc32x instruction, and x18 as a cryptographically-random u64 provided by the kernel. The only userland code using x18 is the mul instruction for this, nothing else (applies to all NSOs/NROs). | |||
This is used to add/subtract x30 starting with bit40, during functions entry/exit. The code for entry/exit is identical, except that entry does add, and exit uses subtract: | |||
* The low 40-bits of x30 are extracted, then multiplied with x18. | |||
* <code>crc32x w17, wzr, x17</code> (which uses the above value) | |||
* Then the previously mentioned add/subtraction operation is done, with the output from the above shifted to bit40. | |||
The x18 is OR'd by kernel with 1, to make sure it is odd. This means that the multiply is a bijection; in other words, no entropy is lost when doing the multiply. If this had not been done, a random value that is divisible by a large power of two (the attacker can just keep spawning threads until gets such a one), would have weak cookies that allows the scheme to be trivially broken. | |||
CFI is implemented as follows: blr instructions no longer exist. When funcptrs are called, new functions are now called instead which handles the call. The u32 at funcptr_addr-4 must match 0xe7ffdefe, otherwise it will branch to undefined instruction 0x0000dead. Otherwise, it will jump to the funcptr_addr. | |||
Almost all functions now have the above u32 at -4, therefore funcptr calls now have to start at the actual funcptr start. However, this doesn't apply to calls done during functions' exit: these directly br to the funcptr_addr without extra validation. The br instructions in the .plt were also replaced with branches to the function described above. | |||
The above applies to all NSOs in ExeFs, except for LibraryAppletOfflineWeb which doesn't have it enabled. The NROs in the BrowserDll SystemData have it enabled for "/nro/netfront/dll_1/", however "dll_0" doesn't have it enabled (which is used by LibraryAppletOfflineWeb). | |||
This is referred to in the build-path strings as "NX-NXFP2-a64-cfi" (nnSdkEmpty), and "NX64-cfi" (OSS). | |||
=== LibraryAppletPhotoViewer === | === LibraryAppletPhotoViewer === | ||