11.0.0: Difference between revisions

(9 intermediate revisions by 3 users not shown)
Line 85: Line 85:
** Several callsites now verify that last_address != 0xFFFF...
* KMemoryRegionAllocator now uses a slabheap of count 200 instead of 1000.
* KLinkedListNode now has slab size = #KThreads instead of #KThreads * 17.
* "Virtual" cores now supported, KThread now stores core ID/affinity for both virtual and physical.
* New SVC 0x37 "GetResourceLimitPeakValue"
Line 101: Line 102:
** New nnSdk code relies on this behavior.
* SetupStackForUserModeThreadStarter (KThreadContext::Initialize) now sets X18 to (<cryptographically random u64> | 1), this value is unique for each thread.
** This is used for Pointer Authentication changes in web browser.
* KCoreLocalRegion deleted, replaced with pointer-to-current-thread
** TPIDR_EL1 != X18 now, and TPIDR_EL1 now always points to the exception thread stack.
Line 235: Line 236:

The new Nintendo Switch Online menu (which can be launched via qlaunch) is handled by [[Internet_Browser#Whitelisted_Applets|LibraryAppletLoginShare]].
=== [[HID_services|hid]]-sysmodule ===
Besides IPC changes, the ButtonConfig commands updated their input s32 validation: when the input s32 is invalid (the check now uses an unsigned compare), they now return 0 or an error immediately instead of aborting.

=== [[LDN_services|ldn]]-sysmodule ===
Line 243: Line 247:

See also [[#OSS]].
=== [[PGL_services|pgl]]-sysmodule ===
* pgl now has a new ipc command, which just returns "ResultNotImplemented()"
* pgl now detects when SnapShotDumper crashes, and launches creport in that case.
* pgl now passes an additional argument to creport ("%d", formatted with the value of jit_debug!enable_jit_debug).

=== [[Creport|creport]]-sysmodule ===
* creport now takes in an additional argument "jit_debug_enabled", when this is "1" the target process is not terminated on report completion.
* creport now has access to fsp-srv, this is used to retrieve debugging information that is now attached to error reports. The following functions are called (with output/info attached to erpts):
** GetSdCardSpeedMode
Line 264: Line 274:

=== [[Internet_Browser|Web-applets]] ===
These are now compiled with compiler Pointer Authentication / CFI mitigations enabled. This does not apply to non-web-applets.
 
Pointer Authentication uses the crc32x instruction, and x18 as a cryptographically-random u64 provided by the kernel. The only userland code using x18 is the mul instruction for this, nothing else (applies to all NSOs/NROs).

This is used to add/subtract x30 starting with bit40, during functions entry/exit. The code for entry/exit is identical, except that entry does add, and exit uses subtract:
Line 271: Line 283:
* Then the previously mentioned add/subtraction operation is done, with the output from the above shifted to bit40.

The x18 value is OR'd with 1 by the kernel to make sure it is odd. This makes the multiply a bijection; in other words, no entropy is lost when doing the multiply. If this had not been done, a random value divisible by a large power of two (the attacker can just keep spawning threads until they get such a one) would give weak cookies that allow the scheme to be trivially broken.
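As an added illustration of the argument above (this is not code from the firmware or from the wiki page, and the helper names are hypothetical), the following C shows why forcing x18 odd matters: an odd 64-bit multiplier is invertible modulo 2^64, while a multiplier with k trailing zero bits maps 2^k different inputs onto one output and zeros the low k bits of every product.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Kernel-side fixup as described on the page: the per-thread x18 cookie is
 * OR'd with 1 so it is odd. (Hypothetical helper name.) */
static uint64_t make_x18_cookie(uint64_t random_u64) {
    return random_u64 | 1u;
}

/* Number of trailing zero bits of a multiplier; every product m*v has at
 * least this many low bits forced to zero, i.e. bits that carry no entropy. */
static unsigned lost_low_bits(uint64_t m) {
    if (m == 0) return 64;
    unsigned k = 0;
    while ((m & 1) == 0) { m >>= 1; k++; }
    return k;
}

/* Multiplicative inverse of an odd value modulo 2^64 via Newton iteration:
 * x <- x*(2 - a*x) doubles the number of correct low bits each round. x0 = a
 * is correct to 3 bits (a*a == 1 mod 8 for odd a), so 5 rounds give >= 64. */
static uint64_t inverse_mod_2_64(uint64_t a) {
    uint64_t x = a;
    for (int i = 0; i < 5; i++) x *= 2 - a * x;
    return x;
}

/* Odd m: the multiply is a bijection, so v can be recovered exactly. */
static bool odd_multiply_round_trips(uint64_t m, uint64_t v) {
    return (m & 1) && (v * m) * inverse_mod_2_64(m) == v;
}

/* Even m with k trailing zeros: inputs that differ by 2^(64-k) collide, so
 * the multiply is 2^k-to-1 and the cookie term loses k bits of entropy. */
static bool even_multiply_collides(uint64_t m, uint64_t v) {
    unsigned k = lost_low_bits(m);
    return k > 0 && v * m == (v + ((uint64_t)1 << (64 - k))) * m;
}

int main(void) {
    uint64_t weak = (uint64_t)0x55 << 40;   /* constructed: 40 trailing zero bits */
    uint64_t fixed = make_x18_cookie(weak); /* what the kernel's OR with 1 yields */
    printf("weak cookie loses %u low bits, collides: %d\n",
           lost_low_bits(weak), even_multiply_collides(weak, 0xDEADBEEF));
    printf("fixed cookie loses %u low bits, round-trips: %d\n",
           lost_low_bits(fixed), odd_multiply_round_trips(fixed, 0xDEADBEEF));
    return 0;
}
```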
 
CFI is implemented as follows: blr instructions no longer exist. When funcptrs are called, new functions are now called instead which handle the call. The u32 at funcptr_addr-4 must match 0xe7ffdefe; if it does not, execution branches to the undefined instruction 0x0000dead, otherwise it jumps to funcptr_addr.

Almost all functions now have the above u32 at -4, therefore funcptr calls now have to start at the actual funcptr start. However, this doesn't apply to calls done during functions' exit: these directly br to the funcptr_addr without extra validation. The br instructions in the .plt were also replaced with branches to the function described above.

The above applies to all NSOs in ExeFs, except for LibraryAppletOfflineWeb which doesn't have it enabled. The NROs in the BrowserDll SystemData have it enabled for "/nro/netfront/dll_1/", however "dll_0" doesn't have it enabled (which is used by LibraryAppletOfflineWeb).

This is referred to in the build-path strings as "NX-NXFP2-a64-cfi" (nnSdkEmpty), and "NX64-cfi" (OSS).