2,956
edits
Changes
no edit summary
Line 22:
Line 22:
+
If bit ''n'' is set in the argument type then parameter X''n'' is treated as a pointer and the kernel will setup address translation for it in [[SVC#svcCallSecureMonitor|svcCallSecureMonitor]].
If bit ''n'' is set in the argument type then parameter X''n'' is treated as a pointer and the kernel will setup address translation for it in [[SVC#svcCallSecureMonitor|svcCallSecureMonitor]].
−== Id 0 ==
+SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call.
+== ID 0 ==
Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]].
Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]].
{| class=wikitable
{| class=wikitable
−! Sub-Id || Name || In || Out
+! Sub-ID || Name || In || Out
|-
|-
| 0xC3000401 || SetConfig || ||
| 0xC3000401 || SetConfig || ||
|-
|-
−| 0xC3000002 || GetConfig (Same as Id 1 Sub-Id 4.) || ||
+| 0xC3000002 || GetConfig (Same as ID 1, Sub-ID 4) || ||
|-
|-
| 0xC3000003 || CheckStatus || ||
| 0xC3000003 || CheckStatus || ||
Line 38:
Line 40:
| 0xC3000E05 || ExpMod || ||
| 0xC3000E05 || ExpMod || ||
|-
|-
−| 0xC3000006 || GetRandomBytes (Same as Id 1 Sub-Id 5.) || ||
+| 0xC3000006 || GetRandomBytes (Same as ID 1, Sub-ID 5) || ||
|-
|-
| 0xC3000007 || [[#GenerateAesKek]] || ||
| 0xC3000007 || [[#GenerateAesKek]] || ||
Line 58:
Line 60:
| 0xC300060F || [[#PublicRsa]] || ||
| 0xC300060F || [[#PublicRsa]] || ||
|-
|-
−| 0xC3000610 || [[#UnwrapRsaEncryptedAesKey]] || ||
+| 0xC3000610 || [[#UnwrapPreparedAesKey]] || ||
|-
|-
−| 0xC3000011 || [[#LoadRsaWrappedAesKey]] || ||
+| 0xC3000011 || [[#LoadPreparedAesKey]] || ||
|-
|-
−| 0xC3000012 || [2.0.0+] GenerateRsaWrappedAesKek || ||
+| 0xC3000012 || [2.0.0+] GeneratePreparedAesKek || ||
|}
|}
Line 74:
Line 76:
** This means: Plaintext kek keys never leave TrustZone.
** This means: Plaintext kek keys never leave TrustZone.
** Further, this means: Actual AES/RSA keys never leave TrustZone.
** Further, this means: Actual AES/RSA keys never leave TrustZone.
+
+Note:
+The [[#CryptoUsecase|CryptoUsecase_PreparedAesKey]] represents a RSA wrapped AES key.
=== GenerateAesKek ===
=== GenerateAesKek ===
Line 113:
Line 118:
Key must be set prior using the [[#LoadRsaPublicKey]] command.
Key must be set prior using the [[#LoadRsaPublicKey]] command.
−=== UnwrapRsaEncryptedAesKey ===
+=== UnwrapPreparedAesKey ===
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA public key.
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA public key.
−Returns a session-unique AES key especially for use in [[#LoadRsaWrappedAesKey]].
+Returns a session-unique AES key especially for use in [[#LoadPreparedAesKey]].
−The session kek must have been created with CryptoUsecase_RsaWrappedAesKey.
+The session kek must have been created with CryptoUsecase_PreparedAesKey.
−=== LoadRsaWrappedAesKey ===
+=== LoadPreparedAesKey ===
−Takes a session-unique AES key from [[#UnwrapRsaEncryptedAesKey]].
+Takes a session-unique AES key from [[#UnwrapPreparedAesKey]].
=== enum CryptoUsecase ===
=== enum CryptoUsecase ===
Line 133:
Line 138:
| 2 || CryptoUsecase_PublicRsa
| 2 || CryptoUsecase_PublicRsa
|-
|-
−| 3 || CryptoUsecase_RsaWrappedAesKey
+| 3 || CryptoUsecase_PreparedAesKey
|}
|}
−== Id 1 ==
+== ID 1 ==
Functions exposed to the kernel internally.
Functions exposed to the kernel internally.
{| class=wikitable
{| class=wikitable
−! Sub-Id || Name || In || Out
+! Sub-ID || Name || In || Out
|-
|-
−| 0xC4000001 || CpuSuspend || X1=power_state, X2=entrypoint_addr, X3=context_addr || None
+| 0xC4000001 || [[#CpuSuspend]] || X1=power_state, X2=entrypoint_addr, X3=context_id || None
|-
|-
−| 0x84000002 || CpuOff || None || None
+| 0x84000002 || [[#CpuOff]] || None || None
|-
|-
−| 0xC4000003 || CpuOn || ||
+| 0xC4000003 || [[#CpuOn]] || X1=target_cpu, X2=entrypoint_addr, X3=context_id, X4,X5,X6,X7=0 || X0=result
|-
|-
−| 0xC3000004 || GetConfig (Same as Id 0 Sub-Id 2.) || W1=config_item, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4=config_val
+| 0xC3000004 || [[#GetConfig]] (Same as ID 0, Sub-ID 2) || W1=config_item, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4=config_val
|-
|-
−| 0xC3000005 || GetRandomBytes (Same as Id 0 Sub-Id 6.) || X1=dst_addr, X2,X3,X4,X5,X6,X7=0 ||
+| 0xC3000005 || [[#GetRandomBytes]] (Same as ID 0, Sub-ID 6) || X1=size, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4,X5,X6,X7=rand_bytes
|-
|-
−| 0xC3000006 || Panic || W1=unk, X2,X3,X4,X5,X6,X7=0 || X0=result
+| 0xC3000006 || [[#Panic]] || W1=unk, X2,X3,X4,X5,X6,X7=0 || X0=result
|-
|-
| 0xC3000007 || [2.0.0+] ProtectKernelRegion || ||
| 0xC3000007 || [2.0.0+] ProtectKernelRegion || ||
Line 158:
Line 163:
| 0xC3000008 || [2.0.0+] ReadWriteRegister || ||
| 0xC3000008 || [2.0.0+] ReadWriteRegister || ||
|}
|}
+
+=== CpuSuspend ===
+Standard ARM PCSI SMC. Suspends the CPU (CPU0).
+
+The kernel calls this SMC on shutdown with '''power_state''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).
+
+=== CpuOff ===
+Standard ARM PCSI SMC. Turns off the CPU (CPU1, CPU2 or CPU3).
+
+=== CpuOn ===
+Standard ARM PCSI SMC. Turns on the CPU (CPU1, CPU2 or CPU3).
+
+=== GetConfig ===
+Takes a '''config_item''' and returns an associated '''config_val'''.
+
+=== GetRandomBytes ===
+Takes a '''size''' and returns '''rand_bytes'''.
+
+The kernel limits '''size''' to 0x38 (for fitting in return registers).
+
+=== Panic ===
+Issues a system panic.
+
+The kernel always calls this with '''unk''' set to 0xF00.
= Errors =
= Errors =
−2: Invalid input
+{| class=wikitable
−3: Busy
+! Value || Description
+|-
+| 2 || Invalid input
+|-
+| 3 || Busy
+|}