Changes

1,129 bytes added ,  02:07, 24 November 2018
6.2.0 keygen details
Line 171: Line 171:  
|}
 
|}
    +
=== [6.2.0]+ Key table after package1ldr/TSEC Payload (Secure Monitor boot) ===
 +
 +
{| class="wikitable" border="1"
 +
|-
 +
! Keyslot
 +
! Name
 +
! Set by
 +
! Per-console
 +
! Per-firmware
 +
|-
 +
| 12
 +
| TsecKey
 +
| [[TSEC#Payload|Package1ldr TSEC Firmware]]
 +
| Yes
 +
| No
 +
|-
 +
| 13
 +
| TsecRootKey
 +
| [[TSEC#Payload|Package1ldr TSEC Firmware]]
 +
| No
 +
| Unknown
 +
|-
 +
| 14
 +
| SecureBootKey
 +
| Bootrom
 +
| Yes
 +
| No
 +
|-
 +
| 15
 +
| SecureStorageKey
 +
| Bootrom
 +
| Yes
 +
| No
 +
|}
      Line 217: Line 251:  
.. and on 4.0.0 it was further moved around:
 
.. and on 4.0.0 it was further moved around:
   −
  old_keyblob_key /* slot15 */ = aes_unwrap(aes_unwrap(df206f59.., tsec_key /* slot13 */), sbk /* slot14 */)
   
   keyblob_key    /* slot13 */ = aes_unwrap(aes_unwrap(wrapped_keyblob_key, tsec_key /* slot13 */), sbk /* slot14 */)
 
   keyblob_key    /* slot13 */ = aes_unwrap(aes_unwrap(wrapped_keyblob_key, tsec_key /* slot13 */), sbk /* slot14 */)
 
   cmac_key        /* slot11 */ = aes_unwrap(59c7fb6f.., keyblob_key)
 
   cmac_key        /* slot11 */ = aes_unwrap(59c7fb6f.., keyblob_key)
Line 232: Line 265:  
   new_per_console_key /* slot13 */ = aes_unwrap(0c9109db.., old_keyblob_key)
 
   new_per_console_key /* slot13 */ = aes_unwrap(0c9109db.., old_keyblob_key)
 
   per_console_key    /* slot15 */ = aes_unwrap(4f025f0e.., old_keyblob_key)
 
   per_console_key    /* slot15 */ = aes_unwrap(4f025f0e.., old_keyblob_key)
 +
 +
.. and on 6.2.0, they moved key generation out of package1ldr, and into the Secure Monitor's boot section:
 +
 +
  clear_keyslots_other_than_12_13_and_14()
 +
 
 +
  old_keyblob_key /* slot15 */ = aes_unwrap(aes_unwrap(df206f59.., tsec_key /* slot12 */), sbk /* slot14 */)
 +
  /* Previously, master_kek was stored at keyblob+0x20) */
 +
  master_kek      /* slot13 */ = aes_unwrap(374b7729.. /* probably firmware specific */, tsec_root_key /* slot13 */)
 +
 
 +
  clear_keyslot(12)
 +
 
 +
  // Final keys:
 +
  new_master_key      /* slot12 */ = aes_unwrap(2dc1f48d.., master_kek)       
 +
  master_key          /* slot13 */ = aes_unwrap(normalseed_retail, master_kek)
 +
  new_per_console_key /* slot14 */ = aes_unwrap(0c9109db.., old_keyblob_key)
 +
  per_console_key    /* slot15 */ = aes_unwrap(4f025f0e.., old_keyblob_key)
 +
    
SBK and SSK keyslots are cleared after keys have been generated.
 
SBK and SSK keyslots are cleared after keys have been generated.
Line 243: Line 293:  
This means that if you have an attack on the bootloader, you need to re-preform it every time they move to a new keyblob.
 
This means that if you have an attack on the bootloader, you need to re-preform it every time they move to a new keyblob.
   −
Dumping the SBK and TSEC key of any single system should be enough to derive all key material on the system.
+
Dumping the SBK and TSEC key of any single system should be enough to derive all key material on the system, prior to 6.2.0.
    
The key-derivation is described in more detail [[Package1#Key_generation|here]].
 
The key-derivation is described in more detail [[Package1#Key_generation|here]].