TSEC: Difference between revisions

No edit summary
better names
Line 5: Line 5:


== Registers ==
== Registers ==
Registers from 0x54500000 to 0x54501000 are used to configure the host interface (HOST1X).
The TSEC's MMIO space is divided as follows:
 
* 0x54500000 to 0x54501000: THI (Tegra Host Interface)
Registers from 0x54501000 to 0x54502000 are a MMIO window for communicating with the Falcon microprocessor. From this range, the subset of registers from 0x54501400 to 0x54501FE8 are specific to the TSEC and are subdivided into:
* 0x54501000 to 0x54501400: FALCON (Falcon microcontroller)
* 0x54501400 to 0x54501500: SCP (Secure Co-Processor).
* 0x54501400 to 0x54501500: SCP (Secure Co-processor)
* 0x54501500 to 0x54501600: TRNG (True Random Number Generator).
* 0x54501500 to 0x54501600: RND (Random Number Generator)
* 0x54501600 to 0x54501700: TFBIF (Tegra Framebuffer Interface) and CG (Clock Gate).
* 0x54501600 to 0x54501680: TFBIF (Tegra Framebuffer Interface)
* 0x54501700 to 0x54501800: BAR0.
* 0x54501680 to 0x54501700: CG (Clock Gate)
* 0x54501800 to 0x54501900: TEGRA (miscellaneous interfaces).
* 0x54501700 to 0x54501800: BAR0 (HOST1X device DMA)
* 0x54501800 to 0x54501900: TEGRA (Miscellaneous interfaces)


{| class="wikitable" border="1"
{| class="wikitable" border="1"
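Review bot: the new range list ends at 0x54501900, while the paragraph it replaces described the Falcon window as running to 0x54502000 with TSEC-specific registers up to 0x54501FE8, so everything from 0x54501900 upward is no longer accounted for. Add a closing entry or a sentence for that remainder, even if it only says the range is unmapped or unknown. The THI entry also drops the remark that this block configures the host interface (HOST1X), and the entry "RND (Random Number Generator)" silently drops "True" from the old "TRNG (True Random Number Generator)". If that is a deliberate statement about the entropy source, say so in the text.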
Line 655: Line 656:
| 0x04
| 0x04
|-
|-
| TSEC_SCP_UNK_10
| TSEC_SCP_CFG
| 0x54501410
| 0x54501410
| 0x04
| 0x04
|-
|-
| TSEC_SCP_UNK_14
| TSEC_SCP_CTL_SCP
| 0x54501414
| 0x54501414
| 0x04
| 0x04
Line 667: Line 668:
| 0x04
| 0x04
|-
|-
| TSEC_SCP_UNK_1C
| TSEC_SCP_CTL_DBG
| 0x5450141C
| 0x5450141C
| 0x04
| 0x04
|-
|-
| [[#TSEC_SCP_SEQ_CTL|TSEC_SCP_SEQ_CTL]]
| [[#TSEC_SCP_DBG0|TSEC_SCP_DBG0]]
| 0x54501420
| 0x54501420
| 0x04
| 0x04
|-
|-
| [[#TSEC_SCP_SEQ_VAL|TSEC_SCP_SEQ_VAL]]
| [[#TSEC_SCP_DBG1|TSEC_SCP_DBG1]]
| 0x54501424
| 0x54501424
| 0x04
| 0x04
|-
|-
| [[#TSEC_SCP_SEQ_STAT|TSEC_SCP_SEQ_STAT]]
| [[#TSEC_SCP_DBG2|TSEC_SCP_DBG2]]
| 0x54501428
| 0x54501428
| 0x04
| 0x04
|-
|-
| [[#TSEC_SCP_INSN_STAT|TSEC_SCP_INSN_STAT]]
| [[#TSEC_SCP_CMD|TSEC_SCP_CMD]]
| 0x54501430
| 0x54501430
| 0x04
| 0x04
|-
|-
| TSEC_SCP_UNK_50
| TSEC_SCP_STAT0
| 0x54501450
| 0x54501450
| 0x04
| 0x04
|-
|-
| [[#TSEC_SCP_AUTH_STAT|TSEC_SCP_AUTH_STAT]]
| [[#TSEC_SCP_STAT1|TSEC_SCP_STAT1]]
| 0x54501454
| 0x54501454
| 0x04
| 0x04
|-
|-
| [[#TSEC_SCP_AES_STAT|TSEC_SCP_AES_STAT]]
| [[#TSEC_SCP_STAT2|TSEC_SCP_STAT2]]
| 0x54501458
| 0x54501458
| 0x04
| 0x04
|-
|-
| TSEC_SCP_UNK_70
| TSEC_SCP_RND_STAT0
| 0x54501470
| 0x54501470
| 0x04
|-
| TSEC_SCP_RND_STAT1
| 0x54501474
| 0x04
| 0x04
|-
|-
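Review bot: the row "TSEC_SCP_RND_STAT1 | 0x54501474 | 0x04" at the end of this hunk is a new register entry, not a rename, and the edit summary "better names" does not cover it. Say where the register was observed, or split the addition into its own revision. Separately, the replacements SEQ_CTL to DBG0, AUTH_STAT to STAT1 and AES_STAT to STAT2 trade names that told the reader what the register reports for numbered ones. If the numbered names are the ones to keep, give each table row a short description so the meaning is not lost.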
Line 715: Line 720:
| 0x04
| 0x04
|-
|-
| TSEC_SCP_UNK_94
| TSEC_SCP_SEC_ERR
| 0x54501494
| 0x54501494
| 0x04
| 0x04
|-
|-
| [[#TSEC_SCP_INSN_ERR|TSEC_SCP_INSN_ERR]]
| [[#TSEC_SCP_CMD_ERR|TSEC_SCP_CMD_ERR]]
| 0x54501498
| 0x54501498
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_CLK_LIMIT_LOW
| TSEC_RND_CTL0
| 0x54501500
| 0x54501500
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_CLK_LIMIT_HIGH
| TSEC_RND_CTL1
| 0x54501504
| 0x54501504
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_UNK_08
| TSEC_RND_CTL2
| 0x54501508
| 0x54501508
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_TEST_CTL
| TSEC_RND_CTL3
| 0x5450150C
| 0x5450150C
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_TEST_CFG0
| TSEC_RND_CTL4
| 0x54501510
| 0x54501510
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_TEST_SEED0
| TSEC_RND_CTL5
| 0x54501514
| 0x54501514
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_TEST_CFG1
| TSEC_RND_CTL6
| 0x54501518
| 0x54501518
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_TEST_SEED1
| TSEC_RND_CTL7
| 0x5450151C
| 0x5450151C
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_UNK_20
| TSEC_RND_CTL8
| 0x54501520
| 0x54501520
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_UNK_24
| TSEC_RND_CTL9
| 0x54501524
| 0x54501524
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_UNK_28
| TSEC_RND_CTL10
| 0x54501528
| 0x54501528
| 0x04
| 0x04
|-
|-
| TSEC_TRNG_CTL
| TSEC_RND_CTL11
| 0x5450152C
| 0x5450152C
| 0x04
| 0x04
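Review bot: the twelve TRNG rows from 0x54501500 to 0x5450152C become TSEC_RND_CTL0 through TSEC_RND_CTL11, which removes the only documentation these registers had: the old names said which ones were clock limits (CLK_LIMIT_LOW, CLK_LIMIT_HIGH), which were test configuration and seeds (TEST_CTL, TEST_CFG0, TEST_SEED0, TEST_CFG1, TEST_SEED1) and which was the main control (TSEC_TRNG_CTL, now CTL11). Add a description column or a per-register note carrying that information, since the test-mode and seed registers are the ones a reader auditing the random number source will look for.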
Line 2,464: Line 2,469:
|-
|-
| 20
| 20
| Enable TSEC_SCP_INSN_STAT register
| Enable the CMD interface
|}
|}


Line 2,473: Line 2,478:
|-
|-
| 11
| 11
| Enable TRNG testing mode
| Enable RND testing mode
|-
|-
| 12
| 12
| Enable the TRNG
| Enable the RND interface
|}
|}


Line 2,494: Line 2,499:
|-
|-
| 0
| 0
| Disable reads for the SCP and TRNG register blocks
| Enable lockdown mode
|-
|-
| 1
| 1
| Disable reads for the TFBIF register block
|  
|-
|-
| 2
| 2
| Disable reads for the DMA register block
|  
|-
|-
| 3
| 3
| Disable reads for the TEGRA register block
|  
|-
|-
| 4
| 4
| Disable writes for the SCP and TRNG register blocks
| Lock the SCP and RND
|-
|-
| 5
| 5
| Disable writes for the TFBIF register block
|  
|-
|-
| 6
| 6
| Disable writes for the DMA register block
|  
|-
|-
| 7
| 7
| Disable writes for the TEGRA register block
|  
|}
|}


Locks accesses to sub-engines and can only be cleared in Heavy Secure mode.
Controls lockdown mode and can only be cleared in Heavy Secure mode.


=== TSEC_SCP_CTL_PKEY ===
=== TSEC_SCP_CTL_PKEY ===
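Review bot: in the bit table of this hunk, six of the eight documented lock bits (1 to 3 and 5 to 7) go from a specific meaning, such as "Disable reads for the TFBIF register block", to an empty cell. That is a change of documented behaviour rather than a rename. If the per-block read and write locks were found to be wrong, state that and mark the bits "Unknown" or "Reserved" instead of leaving them blank. If they are still correct, keep them. "Enable lockdown mode" for bit 0 and the new summary sentence "Controls lockdown mode" also need a definition of what lockdown mode restricts, because the old wording (reads disabled for the SCP and TRNG blocks) was the only place the effect was spelled out.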
Line 2,532: Line 2,537:
|}
|}


=== TSEC_SCP_SEQ_CTL ===
=== TSEC_SCP_DBG0 ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
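Review bot: renaming the heading from "TSEC_SCP_SEQ_CTL" to "TSEC_SCP_DBG0" changes the section anchor, so any link of the form [[#TSEC_SCP_SEQ_CTL|...]] from other pages stops resolving. The same applies to the other renamed headings in this revision (SEQ_VAL, SEQ_STAT, INSN_STAT, AUTH_STAT, AES_STAT, INSN_ERR). Check inbound links, or leave a line under each new heading noting the former name so that searches for the old identifier still land here.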
Line 2,549: Line 2,554:
Controls the last crypto sequence (cs0 or cs1) created.
Controls the last crypto sequence (cs0 or cs1) created.


=== TSEC_SCP_SEQ_VAL ===
=== TSEC_SCP_DBG1 ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
Line 2,566: Line 2,571:
Contains information on the last crypto sequence (cs0 or cs1) created.
Contains information on the last crypto sequence (cs0 or cs1) created.


=== TSEC_SCP_SEQ_STAT ===
=== TSEC_SCP_DBG2 ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
Line 2,583: Line 2,588:
Contains information on the last crypto sequence (cs0 or cs1) executed.
Contains information on the last crypto sequence (cs0 or cs1) executed.


=== TSEC_SCP_INSN_STAT ===
=== TSEC_SCP_CMD ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
Line 2,623: Line 2,628:
|-
|-
| 28
| 28
| Set if the instruction is valid
| Set if the command is valid
|-
|-
| 31
| 31
Line 2,629: Line 2,634:
|}
|}


Contains information on the last crypto instruction executed.
Contains information on the last crypto command executed.


=== TSEC_SCP_AUTH_STAT ===
=== TSEC_SCP_STAT1 ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
Line 2,642: Line 2,647:
Contains information on the last authentication attempt.
Contains information on the last authentication attempt.


=== TSEC_SCP_AES_STAT ===
=== TSEC_SCP_STAT2 ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
Line 2,669: Line 2,674:
|-
|-
| 0
| 0
| TSEC_SCP_IRQSTAT_TRNG
| RND ready
|-
|-
| 8
| 8
| TSEC_SCP_IRQSTAT_ACL_ERROR
| ACL error
|-
|-
| 12
| 12
| Unknown
| SEC error
|-
|-
| 16
| 16
| TSEC_SCP_IRQSTAT_INSN_ERROR
| CMD error
|-
|-
| 20
| 20
| TSEC_SCP_IRQSTAT_SINGLE_STEP
| Single step
|-
|-
| 24
| 24
| Unknown
|  
|-
|-
| 28
| 28
| Unknown
|  
|}
|}


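Review bot: the description column of this table drops the symbolic bit names (TSEC_SCP_IRQSTAT_TRNG, TSEC_SCP_IRQSTAT_ACL_ERROR, TSEC_SCP_IRQSTAT_INSN_ERROR, TSEC_SCP_IRQSTAT_SINGLE_STEP) in favour of prose labels, so a reader can no longer match a constant seen in code to a bit position. Keep the identifier next to the new label, for example in a separate Name column. Bit 12 changes from "Unknown" to "SEC error", which is new information and deserves a word on what it is based on, and bits 24 and 28 change from "Unknown" to an empty cell, which reads as ambiguous between reserved and undocumented.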
Line 2,698: Line 2,703:
|-
|-
| 0
| 0
| TSEC_SCP_IRQMASK_TRNG
| RND ready
|-
|-
| 8
| 8
| TSEC_SCP_IRQMASK_ACL_ERROR
| ACL error
|-
|-
| 12
| 12
| Unknown
| SEC error
|-
|-
| 16
| 16
| TSEC_SCP_IRQMASK_INSN_ERROR
| CMD error
|-
|-
| 20
| 20
| TSEC_SCP_IRQMASK_SINGLE_STEP
| Single step
|-
|-
| 24
| 24
| Unknown
|  
|-
|-
| 28
| 28
| Unknown
|  
|}
|}


Line 2,739: Line 2,744:
|}
|}


Contains information on the status generated by the [[#TSEC_SCP_IRQSTAT|TSEC_SCP_IRQSTAT_ACL_ERROR]] IRQ.
Contains information on the status generated by the [[#TSEC_SCP_IRQSTAT|ACL error]] IRQ.


=== TSEC_SCP_INSN_ERR ===
=== TSEC_SCP_CMD_ERR ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
Line 2,747: Line 2,752:
|-
|-
| 0
| 0
| Invalid instruction
| Invalid command
|-
|-
| 4
| 4
Line 2,768: Line 2,773:
|}
|}


Contains information on crypto errors generated by the [[#TSEC_SCP_IRQSTAT|TSEC_SCP_IRQSTAT_INSN_ERROR]] IRQ.
Contains information on crypto errors generated by the [[#TSEC_SCP_IRQSTAT|CMD error]] IRQ.


=== TSEC_TFBIF_CTL ===
=== TSEC_TFBIF_CTL ===
Line 3,140: Line 3,145:


==== Implementation ====
==== Implementation ====
Under certain circumstances, it is possible to observe [[#csigauth|csigauth]] being briefly written to [[#TSEC_SCP_INSN_STAT|TSEC_SCP_INSN_STAT]] as "csigauth $c4 $c6" while the opcodes in [[#TSEC_SCP_AES_STAT|TSEC_SCP_AES_STAT]] are set to "cxsin" and "csigauth", respectively.
Under certain circumstances, it is possible to observe [[#csigauth|csigauth]] being briefly written to [[#TSEC_SCP_CMD|TSEC_SCP_CMD]] as "csigauth $c4 $c6" while the opcodes in [[#TSEC_SCP_STAT2|TSEC_SCP_STAT2]] are set to "cxsin" and "csigauth", respectively.


Via [[#TSEC_SCP_SEQ_CTL|TSEC_SCP_SEQ_CTL]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
Via [[#TSEC_SCP_DBG0|TSEC_SCP_DBG0]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.


=== Operations ===
=== Operations ===
Line 3,225: Line 3,230:


Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:
Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:
* Write 0x7FFF to TSEC_TRNG_CLK_LIMIT_LOW.
* Write 0x7FFF to TSEC_RND_CTL0.
* Write 0x3FF0000 to TSEC_TRNG_CLK_LIMIT_HIGH.
* Write 0x3FF0000 to TSEC_RND_CTL1.
* Write 0xFF00 to TSEC_TRNG_CTL.
* Write 0xFF00 to TSEC_RND_CTL11.
* Write 0x1000 to [[#TSEC_SCP_CTL1|TSEC_SCP_CTL1]].
* Write 0x1000 to [[#TSEC_SCP_CTL1|TSEC_SCP_CTL1]].
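Review bot: the unchanged lead sentence of this hunk still says "only succeeds if the TRNG is enabled for the SCP" while the three bullets under it now use the RND names, so the paragraph mixes both vocabularies. Update the sentence or keep TRNG throughout. With the new names the steps also no longer explain themselves: "Write 0x7FFF to TSEC_RND_CTL0" and "Write 0x3FF0000 to TSEC_RND_CTL1" were previously recognisable as setting the low and high clock limits, so add a short note after each write saying what the value configures.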