TSEC
TSEC (Tegra Security Co-processor) is a dedicated unit powered by a NVIDIA Falcon microprocessor with crypto extensions.
Driver
A host driver for communicating with the TSEC is mapped to physical address 0x54500000 with a total size of 0x40000 bytes and exposes several registers.
Registers
Registers from 0x54500000 to 0x54501000 are used to configure the host interface (HOST1X).
Registers from 0x54501000 to 0x54502000 are a MMIO window for communicating with the Falcon microprocessor. From this range, the subset of registers from 0x54501400 to 0x54501FE8 are specific to the TSEC and are subdivided into:
- 0x54501400 to 0x54501500: SCP (Secure Crypto Processor?).
- 0x54501500 to 0x54501600: TRNG (True Random Number Generator).
- 0x54501600 to 0x54501700: TFBIF (Tegra Framebuffer Interface) and CG (Clock Gate).
- 0x54501700 to 0x54501800: DMA.
- 0x54501800 to 0x54501900: TEGRA (miscellaneous interfaces).
Name | Address | Width |
---|---|---|
TSEC_THI_INCR_SYNCPT | 0x54500000 | 0x04 |
TSEC_THI_INCR_SYNCPT_ERR | 0x54500008 | 0x04 |
TSEC_THI_CTXSW_INCR_SYNCPT | 0x5450000C | 0x04 |
TSEC_THI_CTXSW | 0x54500020 | 0x04 |
TSEC_THI_CONT_SYNCPT_EOF | 0x54500028 | 0x04 |
TSEC_THI_METHOD0 | 0x54500040 | 0x04 |
TSEC_THI_METHOD1 | 0x54500044 | 0x04 |
TSEC_THI_INT_STATUS | 0x54500078 | 0x04 |
TSEC_THI_INT_MASK | 0x5450007C | 0x04 |
TSEC_THI_INT_CLEAR | 0x54500080 | 0x04 |
TSEC_THI_INT_ENABLE | 0x54500084 | 0x04 |
TSEC_THI_SLCG_OVERRIDE_HIGH_A | 0x54500088 | 0x04 |
TSEC_THI_SLCG_OVERRIDE_LOW_A | 0x5450008C | 0x04 |
TSEC_THI_CLK_OVERRIDE | 0x54500E00 | 0x04 |
FALCON_IRQSSET | 0x54501000 | 0x04 |
FALCON_IRQSCLR | 0x54501004 | 0x04 |
FALCON_IRQSTAT | 0x54501008 | 0x04 |
FALCON_IRQMODE | 0x5450100C | 0x04 |
FALCON_IRQMSET | 0x54501010 | 0x04 |
FALCON_IRQMCLR | 0x54501014 | 0x04 |
FALCON_IRQMASK | 0x54501018 | 0x04 |
FALCON_IRQDEST | 0x5450101C | 0x04 |
FALCON_GPTMR_PERIOD | 0x54501020 | 0x04 |
FALCON_GPTMR_TIME | 0x54501024 | 0x04 |
FALCON_GPTMR_ENABLE | 0x54501028 | 0x04 |
FALCON_TIME_LOW | 0x5450102C | 0x04 |
FALCON_TIME_HIGH | 0x54501030 | 0x04 |
FALCON_WDTMR_TIME | 0x54501034 | 0x04 |
FALCON_WDTMR_ENABLE | 0x54501038 | 0x04 |
FALCON_UNK_3C | 0x5450103C | 0x04 |
FALCON_MAILBOX0 | 0x54501040 | 0x04 |
FALCON_MAILBOX1 | 0x54501044 | 0x04 |
FALCON_ITFEN | 0x54501048 | 0x04 |
FALCON_IDLESTATE | 0x5450104C | 0x04 |
FALCON_CURCTX | 0x54501050 | 0x04 |
FALCON_NXTCTX | 0x54501054 | 0x04 |
FALCON_CMDCTX | 0x54501058 | 0x04 |
FALCON_STATUS_MASK | 0x5450105C | 0x04 |
FALCON_VM_SUPERVISOR | 0x54501060 | 0x04 |
FALCON_MTHD_DATA | 0x54501064 | 0x04 |
FALCON_MTHD_CMD | 0x54501068 | 0x04 |
FALCON_MTHD_DATA_WR | 0x5450106C | 0x04 |
FALCON_MTHD_OCCUPIED | 0x54501070 | 0x04 |
FALCON_MTHD_ACK | 0x54501074 | 0x04 |
FALCON_MTHD_LIMIT | 0x54501078 | 0x04 |
FALCON_SUBENGINE_RESET | 0x5450107C | 0x04 |
FALCON_OS | 0x54501080 | 0x04 |
FALCON_RM | 0x54501084 | 0x04 |
FALCON_PM_SIGNAL | 0x54501088 | 0x04 |
FALCON_PM_MODE | 0x5450108C | 0x04 |
FALCON_DEBUG1 | 0x54501090 | 0x04 |
FALCON_DEBUGINFO | 0x54501094 | 0x04 |
FALCON_BREAKPOINT0 | 0x54501098 | 0x04 |
FALCON_BREAKPOINT1 | 0x5450109C | 0x04 |
FALCON_CGCTL | 0x545010A0 | 0x04 |
FALCON_ENGCTL | 0x545010A4 | 0x04 |
FALCON_PM_SEL | 0x545010A8 | 0x04 |
FALCON_HOST_IO_INDEX | 0x545010AC | 0x04 |
FALCON_BREAKPOINT2 | 0x545010B0 | 0x04 |
FALCON_BREAKPOINT3 | 0x545010B4 | 0x04 |
FALCON_BREAKPOINT4 | 0x545010B8 | 0x04 |
FALCON_EXCI | 0x545010D0 | 0x04 |
FALCON_UNK_D4 | 0x545010D4 | 0x04 |
FALCON_UNK_D8 | 0x545010D8 | 0x04 |
FALCON_UNK_DC | 0x545010DC | 0x04 |
FALCON_UNK_E0 | 0x545010E0 | 0x04 |
FALCON_CPUCTL | 0x54501100 | 0x04 |
FALCON_BOOTVEC | 0x54501104 | 0x04 |
FALCON_HWCFG | 0x54501108 | 0x04 |
FALCON_DMACTL | 0x5450110C | 0x04 |
FALCON_DMATRFBASE | 0x54501110 | 0x04 |
FALCON_DMATRFMOFFS | 0x54501114 | 0x04 |
FALCON_DMATRFCMD | 0x54501118 | 0x04 |
FALCON_DMATRFFBOFFS | 0x5450111C | 0x04 |
FALCON_DMATRFSTAT | 0x54501120 | 0x04 |
FALCON_CRYPTTRFSTAT | 0x54501124 | 0x04 |
FALCON_CPUSTAT | 0x54501128 | 0x04 |
FALCON_HWCFG1 | 0x5450112C | 0x04 |
FALCON_CPUCTL_ALIAS | 0x54501130 | 0x04 |
FALCON_IMCTL | 0x54501140 | 0x04 |
FALCON_IMSTAT | 0x54501144 | 0x04 |
FALCON_TRACEIDX | 0x54501148 | 0x04 |
FALCON_TRACEPC | 0x5450114C | 0x04 |
FALCON_IMFILLRNG0 | 0x54501150 | 0x04 |
FALCON_IMFILLRNG1 | 0x54501154 | 0x04 |
FALCON_IMFILLCTL | 0x54501158 | 0x04 |
FALCON_IMCTL_DEBUG | 0x5450115C | 0x04 |
FALCON_EXTERRWIN | 0x54501160 | 0x04 |
FALCON_EXTERRCFG | 0x54501164 | 0x04 |
FALCON_EXTERRADDR | 0x54501168 | 0x04 |
FALCON_EXTERRSTAT | 0x5450116C | 0x04 |
FALCON_CG2 | 0x5450117C | 0x04 |
FALCON_IMEMC | 0x54501180 | 0x04 |
FALCON_IMEMD | 0x54501184 | 0x04 |
FALCON_IMEMT | 0x54501188 | 0x04 |
FALCON_DMEMC0 | 0x545011C0 | 0x04 |
FALCON_DMEMD0 | 0x545011C4 | 0x04 |
FALCON_DMEMC1 | 0x545011C8 | 0x04 |
FALCON_DMEMD1 | 0x545011CC | 0x04 |
FALCON_DMEMC2 | 0x545011D0 | 0x04 |
FALCON_DMEMD2 | 0x545011D4 | 0x04 |
FALCON_DMEMC3 | 0x545011D8 | 0x04 |
FALCON_DMEMD3 | 0x545011DC | 0x04 |
FALCON_DMEMC4 | 0x545011E0 | 0x04 |
FALCON_DMEMD4 | 0x545011E4 | 0x04 |
FALCON_DMEMC5 | 0x545011E8 | 0x04 |
FALCON_DMEMD5 | 0x545011EC | 0x04 |
FALCON_DMEMC6 | 0x545011F0 | 0x04 |
FALCON_DMEMD6 | 0x545011F4 | 0x04 |
FALCON_DMEMC7 | 0x545011F8 | 0x04 |
FALCON_DMEMD7 | 0x545011FC | 0x04 |
FALCON_ICD_CMD | 0x54501200 | 0x04 |
FALCON_ICD_ADDR | 0x54501204 | 0x04 |
FALCON_ICD_WDATA | 0x54501208 | 0x04 |
FALCON_ICD_RDATA | 0x5450120C | 0x04 |
FALCON_SCTL | 0x54501240 | 0x04 |
FALCON_SCTL_STAT | 0x54501244 | 0x04 |
FALCON_UNK_248 | 0x54501248 | 0x04 |
FALCON_UNK_24C | 0x5450124C | 0x04 |
FALCON_UNK_250 | 0x54501250 | 0x04 |
FALCON_UNK_260 | 0x54501260 | 0x04 |
FALCON_SPROT_IMEM | 0x54501280 | 0x04 |
FALCON_SPROT_DMEM | 0x54501284 | 0x04 |
FALCON_SPROT_CPUCTL | 0x54501288 | 0x04 |
FALCON_SPROT_MISC | 0x5450128C | 0x04 |
FALCON_SPROT_IRQ | 0x54501290 | 0x04 |
FALCON_SPROT_MTHD | 0x54501294 | 0x04 |
FALCON_SPROT_SCTL | 0x54501298 | 0x04 |
FALCON_SPROT_WDTMR | 0x5450129C | 0x04 |
FALCON_UNK_2C0 | 0x545012C0 | 0x04 |
FALCON_UNK_2C4 | 0x545012C4 | 0x04 |
FALCON_UNK_2C8 | 0x545012C8 | 0x04 |
FALCON_UNK_2CC | 0x545012CC | 0x04 |
FALCON_UNK_2E0 | 0x545012E0 | 0x04 |
TSEC_SCP_CTL0 | 0x54501400 | 0x04 |
TSEC_SCP_CTL1 | 0x54501404 | 0x04 |
TSEC_SCP_CTL_STAT | 0x54501408 | 0x04 |
TSEC_SCP_CTL_LOCK | 0x5450140C | 0x04 |
TSEC_SCP_UNK_10 | 0x54501410 | 0x04 |
TSEC_SCP_UNK_14 | 0x54501414 | 0x04 |
TSEC_SCP_CTL_PKEY | 0x54501418 | 0x04 |
TSEC_SCP_UNK_1C | 0x5450141C | 0x04 |
TSEC_SCP_SEQ_CTL | 0x54501420 | 0x04 |
TSEC_SCP_SEQ_VAL | 0x54501424 | 0x04 |
TSEC_SCP_SEQ_STAT | 0x54501428 | 0x04 |
TSEC_SCP_INSN_STAT | 0x54501430 | 0x04 |
TSEC_SCP_UNK_50 | 0x54501450 | 0x04 |
TSEC_SCP_AUTH_STAT | 0x54501454 | 0x04 |
TSEC_SCP_AES_STAT | 0x54501458 | 0x04 |
TSEC_SCP_UNK_70 | 0x54501470 | 0x04 |
TSEC_SCP_IRQSTAT | 0x54501480 | 0x04 |
TSEC_SCP_IRQMASK | 0x54501484 | 0x04 |
TSEC_SCP_ACL_ERR | 0x54501490 | 0x04 |
TSEC_SCP_UNK_94 | 0x54501494 | 0x04 |
TSEC_SCP_INSN_ERR | 0x54501498 | 0x04 |
TSEC_TRNG_CLK_LIMIT_LOW | 0x54501500 | 0x04 |
TSEC_TRNG_CLK_LIMIT_HIGH | 0x54501504 | 0x04 |
TSEC_TRNG_UNK_08 | 0x54501508 | 0x04 |
TSEC_TRNG_TEST_CTL | 0x5450150C | 0x04 |
TSEC_TRNG_TEST_CFG0 | 0x54501510 | 0x04 |
TSEC_TRNG_TEST_SEED0 | 0x54501514 | 0x04 |
TSEC_TRNG_TEST_CFG1 | 0x54501518 | 0x04 |
TSEC_TRNG_TEST_SEED1 | 0x5450151C | 0x04 |
TSEC_TRNG_UNK_20 | 0x54501520 | 0x04 |
TSEC_TRNG_UNK_24 | 0x54501524 | 0x04 |
TSEC_TRNG_UNK_28 | 0x54501528 | 0x04 |
TSEC_TRNG_CTL | 0x5450152C | 0x04 |
TSEC_TFBIF_CTL | 0x54501600 | 0x04 |
TSEC_TFBIF_MCCIF_FIFOCTRL | 0x54501604 | 0x04 |
TSEC_TFBIF_THROTTLE | 0x54501608 | 0x04 |
TSEC_TFBIF_UNK_0C | 0x5450160C | 0x04 |
TSEC_TFBIF_DEBUG_STAT | 0x54501630 | 0x04 |
TSEC_TFBIF_MCCIF_FIFOCTRL1 | 0x54501634 | 0x04 |
TSEC_TFBIF_MMU_PHYS_PROT | 0x54501640 | 0x04 |
TSEC_TFBIF_MMU_PHYS_SEC | 0x54501644 | 0x04 |
TSEC_TFBIF_MMU_PHYS_TRANSCFG | 0x54501648 | 0x04 |
TSEC_TFBIF_ACTMON_MAMASK | 0x5450164C | 0x04 |
TSEC_TFBIF_ACTMON_BORPS | 0x54501650 | 0x04 |
TSEC_TFBIF_ACTMON_CTL | 0x54501654 | 0x04 |
TSEC_CG | 0x545016D0 | 0x04 |
TSEC_DMA_CMD | 0x54501700 | 0x04 |
TSEC_DMA_ADDR | 0x54501704 | 0x04 |
TSEC_DMA_DATA | 0x54501708 | 0x04 |
TSEC_DMA_TIMEOUT | 0x5450170C | 0x04 |
TSEC_TEGRA_FALCON_IP_VER | 0x54501800 | 0x04 |
TSEC_TEGRA_UNK_04 | 0x54501804 | 0x04 |
TSEC_TEGRA_UNK_08 | 0x54501808 | 0x04 |
TSEC_TEGRA_UNK_0C | 0x5450180C | 0x04 |
TSEC_TEGRA_UNK_10 | 0x54501810 | 0x04 |
TSEC_TEGRA_UNK_14 | 0x54501814 | 0x04 |
TSEC_TEGRA_UNK_18 | 0x54501818 | 0x04 |
TSEC_TEGRA_UNK_1C | 0x5450181C | 0x04 |
TSEC_TEGRA_UNK_20 | 0x54501820 | 0x04 |
TSEC_TEGRA_UNK_24 | 0x54501824 | 0x04 |
TSEC_TEGRA_UNK_28 | 0x54501828 | 0x04 |
TSEC_TEGRA_UNK_2C | 0x5450182C | 0x04 |
TSEC_TEGRA_UNK_30 | 0x54501830 | 0x04 |
TSEC_TEGRA_UNK_34 | 0x54501834 | 0x04 |
TSEC_TEGRA_CTL | 0x54501838 | 0x04 |
TSEC_THI_METHOD0
ID | Method |
---|---|
0x200 | SET_APPLICATION_ID |
0x300 | EXECUTE |
0x500 | HDCP_INIT |
0x504 | HDCP_CREATE_SESSION |
0x508 | HDCP_VERIFY_CERT_RX |
0x50C | HDCP_GENERATE_EKM |
0x510 | HDCP_REVOCATION_CHECK |
0x514 | HDCP_VERIFY_HPRIME |
0x518 | HDCP_ENCRYPT_PAIRING_INFO |
0x51C | HDCP_DECRYPT_PAIRING_INFO |
0x520 | HDCP_UPDATE_SESSION |
0x524 | HDCP_GENERATE_LC_INIT |
0x528 | HDCP_VERIFY_LPRIME |
0x52C | HDCP_GENERATE_SKE_INIT |
0x530 | HDCP_VERIFY_VPRIME |
0x534 | HDCP_ENCRYPTION_RUN_CTRL |
0x538 | HDCP_SESSION_CTRL |
0x53C | HDCP_COMPUTE_SPRIME |
0x540 | HDCP_GET_CERT_RX |
0x544 | HDCP_EXCHANGE_INFO |
0x548 | HDCP_DECRYPT_KM |
0x54C | HDCP_GET_HPRIME |
0x550 | HDCP_GENERATE_EKH_KM |
0x554 | HDCP_VERIFY_RTT_CHALLENGE |
0x558 | HDCP_GET_LPRIME |
0x55C | HDCP_DECRYPT_KS |
0x560 | HDCP_DECRYPT |
0x564 | HDCP_GET_RRX |
0x568 | HDCP_DECRYPT_REENCRYPT |
0x56C | |
0x570 | |
0x574 | |
0x578 | |
0x57C | |
0x700 | HDCP_VALIDATE_SRM |
0x704 | HDCP_VALIDATE_STREAM |
0x708 | HDCP_TEST_SECURE_STATUS |
0x70C | HDCP_SET_DCP_KPUB |
0x710 | HDCP_SET_RX_KPUB |
0x714 | HDCP_SET_CERT_RX |
0x718 | HDCP_SET_SCRATCH_BUFFER |
0x71C | HDCP_SET_SRM |
0x720 | HDCP_SET_RECEIVER_ID_LIST |
0x724 | HDCP_SET_SPRIME |
0x728 | HDCP_SET_ENC_INPUT_BUFFER |
0x72C | HDCP_SET_ENC_OUTPUT_BUFFER |
0x730 | HDCP_GET_RTT_CHALLENGE |
0x734 | HDCP_STREAM_MANAGE |
0x738 | HDCP_READ_CAPS |
0x73C | HDCP_ENCRYPT |
0x740 | [6.0.0+] HDCP_GET_CURRENT_NONCE |
Used to encode and send a method's ID over HOST1X to TSEC. This register mirrors the functionality of HOST1X's channel opcode submission.
TSEC_THI_METHOD1
Used to encode and send a method's data over HOST1X to TSEC. This register mirrors the functionality of HOST1X's channel opcode submission.
TSEC_THI_INT_STATUS
Bits | Description |
---|---|
0 | TSEC_THI_INT_STATUS_FALCON_INT |
TSEC_THI_INT_MASK
Bits | Description |
---|---|
0 | TSEC_THI_INT_MASK_FALCON_INT |
FALCON_IRQSSET
Bits | Description |
---|---|
0 | FALCON_IRQSSET_GPTMR |
1 | FALCON_IRQSSET_WDTMR |
2 | FALCON_IRQSSET_MTHD |
3 | FALCON_IRQSSET_CTXSW |
4 | FALCON_IRQSSET_HALT |
5 | FALCON_IRQSSET_EXTERR |
6 | FALCON_IRQSSET_SWGEN0 |
7 | FALCON_IRQSSET_SWGEN1 |
8-15 | FALCON_IRQSSET_EXT |
Used for setting Falcon's IRQs.
FALCON_IRQSCLR
Bits | Description |
---|---|
0 | FALCON_IRQSCLR_GPTMR |
1 | FALCON_IRQSCLR_WDTMR |
2 | FALCON_IRQSCLR_MTHD |
3 | FALCON_IRQSCLR_CTXSW |
4 | FALCON_IRQSCLR_HALT |
5 | FALCON_IRQSCLR_EXTERR |
6 | FALCON_IRQSCLR_SWGEN0 |
7 | FALCON_IRQSCLR_SWGEN1 |
8-15 | FALCON_IRQSCLR_EXT |
Used for clearing Falcon's IRQs.
FALCON_IRQSTAT
Bits | Description |
---|---|
0 | FALCON_IRQSTAT_GPTMR |
1 | FALCON_IRQSTAT_WDTMR |
2 | FALCON_IRQSTAT_MTHD |
3 | FALCON_IRQSTAT_CTXSW |
4 | FALCON_IRQSTAT_HALT |
5 | FALCON_IRQSTAT_EXTERR |
6 | FALCON_IRQSTAT_SWGEN0 |
7 | FALCON_IRQSTAT_SWGEN1 |
8-15 | FALCON_IRQSTAT_EXT |
Used for getting the status of Falcon's IRQs.
FALCON_IRQMODE
Bits | Description |
---|---|
0 | FALCON_IRQMODE_GPTMR |
1 | FALCON_IRQMODE_WDTMR |
2 | FALCON_IRQMODE_MTHD |
3 | FALCON_IRQMODE_CTXSW |
4 | FALCON_IRQMODE_HALT |
5 | FALCON_IRQMODE_EXTERR |
6 | FALCON_IRQMODE_SWGEN0 |
7 | FALCON_IRQMODE_SWGEN1 |
8-15 | FALCON_IRQMODE_EXT |
Used for changing the mode Falcon's IRQs. A value of 1 means level triggered while a value of 0 means edge triggered.
FALCON_IRQMSET
Bits | Description |
---|---|
0 | FALCON_IRQMSET_GPTMR |
1 | FALCON_IRQMSET_WDTMR |
2 | FALCON_IRQMSET_MTHD |
3 | FALCON_IRQMSET_CTXSW |
4 | FALCON_IRQMSET_HALT |
5 | FALCON_IRQMSET_EXTERR |
6 | FALCON_IRQMSET_SWGEN0 |
7 | FALCON_IRQMSET_SWGEN1 |
8-15 | FALCON_IRQMSET_EXT |
Used for setting the mask for Falcon's IRQs.
FALCON_IRQMCLR
Bits | Description |
---|---|
0 | FALCON_IRQMCLR_GPTMR |
1 | FALCON_IRQMCLR_WDTMR |
2 | FALCON_IRQMCLR_MTHD |
3 | FALCON_IRQMCLR_CTXSW |
4 | FALCON_IRQMCLR_HALT |
5 | FALCON_IRQMCLR_EXTERR |
6 | FALCON_IRQMCLR_SWGEN0 |
7 | FALCON_IRQMCLR_SWGEN1 |
8-15 | FALCON_IRQMCLR_EXT |
Used for clearing the mask for Falcon's IRQs.
FALCON_IRQMASK
Bits | Description |
---|---|
0 | FALCON_IRQMASK_GPTMR |
1 | FALCON_IRQMASK_WDTMR |
2 | FALCON_IRQMASK_MTHD |
3 | FALCON_IRQMASK_CTXSW |
4 | FALCON_IRQMASK_HALT |
5 | FALCON_IRQMASK_EXTERR |
6 | FALCON_IRQMASK_SWGEN0 |
7 | FALCON_IRQMASK_SWGEN1 |
8-15 | FALCON_IRQMASK_EXT |
Used for getting the value of the mask for Falcon's IRQs.
FALCON_IRQDEST
Bits | Description |
---|---|
0 | FALCON_IRQDEST_HOST_GPTMR |
1 | FALCON_IRQDEST_HOST_WDTMR |
2 | FALCON_IRQDEST_HOST_MTHD |
3 | FALCON_IRQDEST_HOST_CTXSW |
4 | FALCON_IRQDEST_HOST_HALT |
5 | FALCON_IRQDEST_HOST_EXTERR |
6 | FALCON_IRQDEST_HOST_SWGEN0 |
7 | FALCON_IRQDEST_HOST_SWGEN1 |
8-15 | FALCON_IRQDEST_HOST_EXT |
16 | FALCON_IRQDEST_TARGET_GPTMR |
17 | FALCON_IRQDEST_TARGET_WDTMR |
18 | FALCON_IRQDEST_TARGET_MTHD |
19 | FALCON_IRQDEST_TARGET_CTXSW |
20 | FALCON_IRQDEST_TARGET_HALT |
21 | FALCON_IRQDEST_TARGET_EXTERR |
22 | FALCON_IRQDEST_TARGET_SWGEN0 |
23 | FALCON_IRQDEST_TARGET_SWGEN1 |
24-31 | FALCON_IRQDEST_TARGET_EXT |
Used for routing Falcon's IRQs.
FALCON_MAILBOX0
Scratch register for reading/writing data to Falcon.
FALCON_MAILBOX1
Scratch register for reading/writing data to Falcon.
FALCON_ITFEN
Bits | Description |
---|---|
0 | FALCON_ITFEN_CTXEN |
1 | FALCON_ITFEN_MTHDEN |
Used for enabling/disabling Falcon interfaces.
FALCON_IDLESTATE
Bits | Description |
---|---|
0 | FALCON_IDLESTATE_FALCON_BUSY |
1-15 | FALCON_IDLESTATE_EXT_BUSY |
Used for detecting if Falcon is busy or not.
FALCON_DEBUG1
Bits | Description |
---|---|
16 | FALCON_DEBUG1_CTXSW_MODE |
FALCON_DEBUGINFO
Used for UCODE self revocation. This register takes the base address of the GSC carveout shifted right by 8.
[6.0.0+] nvservices sets this to 0x8005FF00 >> 8 (physical DRAM address inside the GPU UCODE carveout) before starting the nvhost_tsec firmware.
FALCON_EXCI
Bits | Description |
---|---|
0-19 | PC that originated the exception |
20-23 | Exception type
0x00: Trap 0 0x01: Trap 1 0x02: Trap 2 0x03: Trap 3 0x08: Invalid opcode 0x09: Authentication entry 0x0A: Page fault (no hit) 0x0B: Page fault (multi hit) 0x0F: Breakpoint |
Contains information about raised exceptions.
FALCON_CPUCTL
Bits | Description |
---|---|
0 | FALCON_CPUCTL_IINVAL |
1 | FALCON_CPUCTL_STARTCPU |
2 | FALCON_CPUCTL_SRESET |
3 | FALCON_CPUCTL_HRESET |
4 | FALCON_CPUCTL_HALTED |
5 | FALCON_CPUCTL_STOPPED |
6 | FALCON_CPUCTL_CPUCTL_ALIAS_EN |
Used for signaling the Falcon CPU.
FALCON_BOOTVEC
Takes the Falcon's boot vector address.
FALCON_HWCFG
Bits | Description |
---|---|
0-8 | FALCON_HWCFG_IMEM_SIZE |
9-17 | FALCON_HWCFG_DMEM_SIZE |
18-25 | FALCON_HWCFG_MTHD_SIZE |
26-31 | FALCON_HWCFG_DMATRF_SLOTS |
FALCON_DMACTL
Bits | Description |
---|---|
0 | FALCON_DMACTL_REQUIRE_CTX |
1 | FALCON_DMACTL_DMEM_SCRUBBING |
2 | FALCON_DMACTL_IMEM_SCRUBBING |
3-6 | FALCON_DMACTL_DMAQ_NUM |
7 | FALCON_DMACTL_SECURE_STAT |
Used for configuring the Falcon's DMA engine.
FALCON_DMATRFBASE
Base address of the external memory buffer, shifted right by 8.
The current transfer address is calculated by adding FALCON_DMATRFFBOFFS to the base.
FALCON_DMATRFMOFFS
For transfers to DMEM: the destination address. For transfers to IMEM: the destination virtual IMEM page.
FALCON_DMATRFCMD
Bits | Description |
---|---|
0 | FALCON_DMATRFCMD_FULL |
1 | FALCON_DMATRFCMD_IDLE |
2-3 | FALCON_DMATRFCMD_SEC |
4 | FALCON_DMATRFCMD_IMEM |
5 | FALCON_DMATRFCMD_WRITE |
8-10 | FALCON_DMATRFCMD_SIZE |
12-14 | FALCON_DMATRFCMD_CTXDMA |
Used for configuring DMA transfers.
FALCON_DMATRFFBOFFS
For transfers to IMEM: the destination physical IMEM page.
FALCON_DMATRFSTAT
Bits | Description |
---|---|
0 | FALCON_DMATRFSTAT_PENDING |
16-18 | FALCON_DMATRFSTAT_NUM_STORES_PENDING |
24-26 | FALCON_DMATRFSTAT_NUM_LOADS_PENDING |
FALCON_CRYPTTRFSTAT
Bits | Description |
---|---|
1 | FALCON_CRYPTTRFSTAT_PENDING |
5 | FALCON_CRYPTTRFSTAT_ENABLED |
16-18 | FALCON_CRYPTTRFSTAT_NUM_STORES_PENDING |
24-26 | FALCON_CRYPTTRFSTAT_NUM_LOADS_PENDING |
FALCON_HWCFG1
Bits | Description |
---|---|
0-3 | FALCON_HWCFG1_VERSION |
4-5 | FALCON_HWCFG1_SCP_MODE |
6-7 | FALCON_HWCFG1_SUBVERSION |
8-11 | FALCON_HWCFG1_IMEM_PORTS |
12-15 | FALCON_HWCFG1_DMEM_PORTS |
16-19 | FALCON_HWCFG1_VM_PAGES_LOG2 |
27 | FALCON_HWCFG1_HAS_ICD |
28-29 | FALCON_HWCFG1_IO_ADDR_TYPE |
30 | FALCON_HWCFG1_HAS_EXTERR |
31 | FALCON_HWCFG1_HAS_IMFILL |
FALCON_IMCTL
Bits | Description |
---|---|
0-23 | Address |
24-26 | Command
1: ITLB 2: PTLB 3: VTLB |
Controls the Falcon TLB.
FALCON_IMSTAT
Returns the result of the last command from FALCON_IMCTL.
FALCON_TRACEIDX
Bits | Description |
---|---|
0-7 | Index of where to start tracing from |
16-23 | Maximum valid index |
24-31 | Number of trace reads remaining |
Controls the index for tracing with FALCON_TRACEPC.
FALCON_TRACEPC
Returns the PC of the last call or branch executed.
FALCON_IMEMC
Bits | Description |
---|---|
2-7 | Offset in IMEM block to read/write |
8-15 | IMEM block to read/write |
24 | Write auto-increment |
25 | Read auto-increment |
28 | Mark uploaded code as secret |
29 | Secret code upload lockdown status (read-only) |
30 | Secret code upload failure status (read-only) |
31 | Secret code upload reset scrubber status (read-only) |
Used for configuring access to Falcon's IMEM.
FALCON_IMEMD
Returns or takes the value for an IMEM read/write operation.
FALCON_IMEMT
Returns or takes the virtual page index for an IMEM read/write operation.
FALCON_DMEMC0
Bits | Description |
---|---|
2-7 | Offset in DMEM block to read/write |
8-15 | DMEM block to read/write |
24 | Write auto-increment |
25 | Read auto-increment |
Used for configuring access to Falcon's DMEM.
FALCON_DMEMD0
Returns or takes the value for a DMEM read/write operation.
FALCON_ICD_CMD
Bits | Description |
---|---|
0-3 | FALCON_ICD_CMD_OPC
0x0: BREAK 0x1: CONTINUE_FROM_PC 0x2: CONTINUE_FROM_ADDR 0x3: CONTINUE_UNK1_FROM_PC 0x4: CONTINUE_UNK1_FROM_ADDR 0x5: SINGLE_STEP_FROM_PC 0x6: SINGLE_STEP_FROM_ADDR 0x7: SET_BREAK_MASK 0x8: REG_READ 0x9: REG_WRITE 0xA: DATA_READ 0xB: DATA_WRITE 0xC: IO_READ 0xD: IO_WRITE 0xE: STATUS_READ |
6-7 | FALCON_ICD_CMD_DATA_SIZE |
8-12 | FALCON_ICD_CMD_IDX |
14 | FALCON_ICD_CMD_ERROR |
15 | FALCON_ICD_CMD_DONE |
16-31 | FALCON_ICD_CMD_BREAK_MASK |
FALCON_SCTL
Bits | Description |
---|---|
0-1 | FALCON_SCTL_SEC_MODE
0: Non-secure 1: Light Secure 2: Heavy Secure |
4-5 | FALCON_SCTL_OLD_SEC_MODE
0: Non-secure 1: Light Secure 2: Heavy Secure |
12-13 | Unknown |
14 | Initialize the transition to LS mode |
FALCON_SCTL_STAT
Bits | Description |
---|---|
31 | Set on memory protection violation |
FALCON_SPROT_IMEM
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to Falcon IMEM.
FALCON_SPROT_DMEM
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to Falcon DMEM.
FALCON_SPROT_CPUCTL
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the FALCON_CPUCTL register.
FALCON_SPROT_MISC
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the following registers:
- FALCON_VM_SUPERVISOR
- FALCON_SUBENGINE_RESET
- FALCON_HOST_IO_INDEX
- FALCON_DMACTL
- FALCON_IMCTL
- FALCON_IMSTAT
- FALCON_UNK_250
- FALCON_UNK_2E0
FALCON_SPROT_IRQ
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the following registers:
- FALCON_IRQMODE
- FALCON_IRQMSET
- FALCON_IRQMCLR
- FALCON_IRQDEST
- FALCON_GPTMR_PERIOD
- FALCON_GPTMR_TIME
- FALCON_GPTMR_ENABLE
- FALCON_UNK_3C
- FALCON_UNK_E0
FALCON_SPROT_MTHD
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the following registers:
- FALCON_ITFEN
- FALCON_CURCTX
- FALCON_NXTCTX
- FALCON_CMDCTX
- FALCON_MTHD_DATA
- FALCON_MTHD_CMD
- FALCON_MTHD_DATA_WR
- FALCON_MTHD_OCCUPIED
- FALCON_MTHD_ACK
- FALCON_MTHD_LIMIT
- FALCON_DEBUG1
FALCON_SPROT_SCTL
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the FALCON_SCTL register.
FALCON_SPROT_WDTMR
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to the following registers:
- FALCON_WDTMR_TIME
- FALCON_WDTMR_ENABLE
TSEC_SCP_CTL0
Bits | Description |
---|---|
20 | Enable TSEC_SCP_INSN_STAT register |
TSEC_SCP_CTL1
Bits | Description |
---|---|
11 | Enable TRNG testing mode |
12 | Enable the TRNG |
TSEC_SCP_CTL_STAT
Bits | Description |
---|---|
20 | TSEC_SCP_CTL_STAT_DEBUG_MODE |
TSEC_SCP_CTL_LOCK
Bits | Description |
---|---|
0 | Disable reads for the SCP and TRNG register blocks |
1 | Disable reads for the TFBIF register block |
2 | Disable reads for the DMA register block |
3 | Disable reads for the TEGRA register block |
4 | Disable writes for the SCP and TRNG register blocks |
5 | Disable writes for the TFBIF register block |
6 | Disable writes for the DMA register block |
7 | Disable writes for the TEGRA register block |
Locks accesses to sub-engines and can only be cleared in Heavy Secure mode.
TSEC_SCP_CTL_PKEY
Bits | Description |
---|---|
0 | TSEC_SCP_CTL_PKEY_REQUEST_RELOAD |
1 | TSEC_SCP_CTL_PKEY_LOADED |
TSEC_SCP_SEQ_CTL
Bits | Description |
---|---|
0-3 | Sequence's instruction index |
4-7 | Target and control flags |
8-11 | Sequence's size |
Controls the last crypto sequence (cs0 or cs1) created.
TSEC_SCP_SEQ_VAL
Bits | Description |
---|---|
0-3 | Sequence instruction's first operand |
4-9 | Sequence instruction's second operand |
10-14 | Sequence instruction's opcode |
Contains information on the last crypto sequence (cs0 or cs1) created.
TSEC_SCP_SEQ_STAT
Bits | Description |
---|---|
0 | Set if crypto sequence recording (cs0begin/cs1begin) is active |
4-7 | Number of instructions left for the crypto sequence |
12-15 | Active crypto key register |
Contains information on the last crypto sequence (cs0 or cs1) executed.
TSEC_SCP_INSN_STAT
Bits | Description |
---|---|
0-3 | Destination register or immediate value |
8-13 | Source register or immediate value |
20-24 | Operation
0x0: nop (fuc5 opcode 0x00) 0x1: cmov (fuc5 opcode 0x84) 0x2: cxsin (fuc5 opcode 0x88) or xdst (with cxset) 0x3: cxsout (fuc5 opcode 0x8C) or xdld (with cxset) 0x4: crnd (fuc5 opcode 0x90) 0x5: cs0begin (fuc5 opcode 0x94) 0x6: cs0exec (fuc5 opcode 0x98) 0x7: cs1begin (fuc5 opcode 0x9C) 0x8: cs1exec (fuc5 opcode 0xA0) 0x9: invalid (fuc5 opcode 0xA4) 0xA: cchmod (fuc5 opcode 0xA8) 0xB: cxor (fuc5 opcode 0xAC) 0xC: cadd (fuc5 opcode 0xB0) 0xD: cand (fuc5 opcode 0xB4) 0xE: crev (fuc5 opcode 0xB8) 0xF: cprecmac (fuc5 opcode 0xBC) 0x10: csecret (fuc5 opcode 0xC0) 0x11: ckeyreg (fuc5 opcode 0xC4) 0x12: ckexp (fuc5 opcode 0xC8) 0x13: ckrexp (fuc5 opcode 0xCC) 0x14: cenc (fuc5 opcode 0xD0) 0x15: cdec (fuc5 opcode 0xD4) 0x16: csigauth (fuc5 opcode 0xD8) 0x17: csigenc (fuc5 opcode 0xDC) 0x18: csigclr (fuc5 opcode 0xE0) |
28 | Set if the instruction is valid |
31 | Set if running in HS mode |
Contains information on the last crypto instruction executed.
TSEC_SCP_AUTH_STAT
Bits | Description |
---|---|
0-1 | Signature comparison result (3=succeeded, 2=failed) |
Contains information on the last authentication attempt.
TSEC_SCP_AES_STAT
Bits | Description |
---|---|
0-4 | First opcode |
5-9 | Second opcode |
15-16 | AES operation
0: Encryption 1: Decryption 2: Key expansion 3: Key reverse expansion |
Contains information on the last AES sequence executed.
TSEC_SCP_IRQSTAT
Bits | Description |
---|---|
0 | TSEC_SCP_IRQSTAT_TRNG |
8 | TSEC_SCP_IRQSTAT_ACL_ERROR |
12 | Unknown |
16 | TSEC_SCP_IRQSTAT_INSN_ERROR |
20 | TSEC_SCP_IRQSTAT_SINGLE_STEP |
24 | Unknown |
28 | Unknown |
Used for getting the status of crypto IRQs.
TSEC_SCP_IRQMASK
Bits | Description |
---|---|
0 | TSEC_SCP_IRQMASK_TRNG |
8 | TSEC_SCP_IRQMASK_ACL_ERROR |
12 | Unknown |
16 | TSEC_SCP_IRQMASK_INSN_ERROR |
20 | TSEC_SCP_IRQMASK_SINGLE_STEP |
24 | Unknown |
28 | Unknown |
Used for getting the value of the mask for crypto IRQs.
TSEC_SCP_ACL_ERR
Bits | Description |
---|---|
0 | Set when writing to a crypto register without the correct ACL |
4 | Set when reading from a crypto register without the correct ACL |
8 | Set on an invalid ACL change (cchmod) |
31 | An ACL error occurred |
Contains information on the status generated by the TSEC_SCP_IRQSTAT_ACL_ERROR IRQ.
TSEC_SCP_INSN_ERR
Bits | Description |
---|---|
0 | Invalid instruction |
4 | Empty crypto sequence |
8 | Crypto sequence is too long |
12 | Crypto sequence was not finished |
16 | Insecure signature (csigenc, csigclr or csigauth) |
20 | Invalid signature (csigauth in HS mode) |
24 | Forbidden ACL change (cchmod in NS mode) |
Contains information on crypto errors generated by the TSEC_SCP_IRQSTAT_INSN_ERROR IRQ.
TSEC_TFBIF_MCCIF_FIFOCTRL
Bits | Description |
---|---|
0 | TSEC_TFBIF_MCCIF_FIFOCTRL_RCLK_OVERRIDE |
1 | TSEC_TFBIF_MCCIF_FIFOCTRL_WCLK_OVERRIDE |
2 | TSEC_TFBIF_MCCIF_FIFOCTRL_WRCL_MCLE2X |
3 | TSEC_TFBIF_MCCIF_FIFOCTRL_RDMC_RDFAST |
4 | TSEC_TFBIF_MCCIF_FIFOCTRL_WRMC_CLLE2X |
5 | TSEC_TFBIF_MCCIF_FIFOCTRL_RDCL_RDFAST |
6 | TSEC_TFBIF_MCCIF_FIFOCTRL_CCLK_OVERRIDE |
7 | TSEC_TFBIF_MCCIF_FIFOCTRL_RCLK_OVR_MODE |
8 | TSEC_TFBIF_MCCIF_FIFOCTRL_WCLK_OVR_MODE |
TSEC_TFBIF_MCCIF_FIFOCTRL1
Bits | Description |
---|---|
0-15 | TSEC_TFBIF_MCCIF_FIFOCTRL1_SRD2MC_REORDER_DEPTH_LIMIT |
16-31 | TSEC_TFBIF_MCCIF_FIFOCTRL1_SWR2MC_REORDER_DEPTH_LIMIT |
TSEC_TFBIF_MMU_PHYS_PROT
Bits | Description |
---|---|
0-3 | Read access level |
4-7 | Write access level |
Controls accesses to external memory in MMU physical mode.
TSEC_TFBIF_MMU_PHYS_SEC
Bits | Description |
---|---|
0 | Bypass MMU translation on CTXDMA port 0 |
4 | Bypass MMU translation on CTXDMA port 1 |
8 | Bypass MMU translation on CTXDMA port 2 |
12 | Bypass MMU translation on CTXDMA port 3 |
16 | Bypass MMU translation on CTXDMA port 4 |
20 | Bypass MMU translation on CTXDMA port 5 |
24 | Bypass MMU translation on CTXDMA port 6 |
28 | Bypass MMU translation on CTXDMA port 7 |
Configures MMU physical mode.
[6.0.0+] The nvhost_tsec firmware sets this register to 0x10 or 0x111110 before reading memory from the GPU UCODE carveout.
TSEC_TFBIF_MMU_PHYS_TRANSCFG
Bits | Description |
---|---|
0-3 | Transfer configuration for CTXDMA port 0 |
4-7 | Transfer configuration for CTXDMA port 1 |
8-11 | Transfer configuration for CTXDMA port 2 |
12-15 | Transfer configuration for CTXDMA port 3 |
16-19 | Transfer configuration for CTXDMA port 4 |
20-23 | Transfer configuration for CTXDMA port 5 |
24-27 | Transfer configuration for CTXDMA port 6 |
28-31 | Transfer configuration for CTXDMA port 7 |
Controls the transfer configuration for MMU physical mode.
[6.0.0+] The nvhost_tsec firmware sets this register to 0x20 or 0x140 before reading memory from the GPU UCODE carveout.
TSEC_CG
Bits | Description |
---|---|
0-5 | TSEC_CG_IDLE_CG_DLY_CNT |
6 | TSEC_CG_IDLE_CG_EN |
16-18 | TSEC_CG_WAKEUP_DLY_CNT |
19 | TSEC_CG_WAKEUP_DLY_EN |
TSEC_DMA_CMD
Bits | Description |
---|---|
0 | TSEC_DMA_CMD_READ |
1 | TSEC_DMA_CMD_WRITE |
4-7 | TSEC_DMA_CMD_BYTE_MASK |
12-13 | TSEC_DMA_CMD_STATUS
0: Idle 1: Busy 2: Error 3: Disabled |
31 | TSEC_DMA_CMD_INIT |
A DMA read/write operation requires bits TSEC_DMA_CMD_INIT and TSEC_DMA_CMD_READ/TSEC_DMA_CMD_WRITE to be set in TSEC_DMA_CMD.
During the transfer, TSEC_DMA_CMD_STATUS is set to "Busy".
Accessing an invalid address sets TSEC_DMA_CMD_STATUS to "Error".
TSEC_DMA_ADDR
Takes the address for DMA transfers between TSEC and HOST1X (master and clients).
TSEC_DMA_DATA
Takes the data for DMA transfers between TSEC and HOST1X (master and clients).
TSEC_DMA_TIMEOUT
Always 0xFFF.
TSEC_TEGRA_CTL
Bits | Description |
---|---|
16 | TSEC_TEGRA_CTL_TKFI_KFUSE |
17 | TSEC_TEGRA_CTL_TKFI_RESTART_FSM_KFUSE |
24 | TSEC_TEGRA_CTL_TMPI_FORCE_IDLE_INPUTS_I2C |
25 | TSEC_TEGRA_CTL_TMPI_RESTART_FSM_HOST1X |
26 | TSEC_TEGRA_CTL_TMPI_RESTART_FSM_APB |
27 | TSEC_TEGRA_CTL_TMPI_DISABLE_OUTPUT_I2C |
SCP
Part of the information here (which hasn't made it into envytools documentation yet) was shared by mwk from reverse engineering falcon processors over the years.
Authenticated Mode
Entry
From non-secure mode, upon jumping to a page marked as secret, a secret fault occurs. This causes the CPU to verify the region specified in $cauth against the MAC loaded in $c6. If the comparison is successful, the valid bit (bit0) is set on all pages in the $cauth region, and $pc is set to the base of the $cauth region. If the comparsion fails, the CPU is halted.
Exit
The CPU automatically goes back to non-secure mode when returning back into non-secret pages. When this happens, the valid bit (bit0) in the TLB flags is cleared for all secret pages.
Implementation
Under certain circumstances, it is possible to observe csigauth being briefly written to TSEC_SCP_INSN_STAT as "csigauth $c4 $c6" while the opcodes in TSEC_SCP_AES_STAT are set to "cxsin" and "csigauth", respectively.
Via TSEC_SCP_SEQ_CTL it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
Operations
Opcode | Name | Operand0 | Operand1 | Operation | Condition |
---|---|---|---|---|---|
0 | nop | N/A | N/A | ||
1 | mov | $cX | $cY | $cX = $cY; ACL(X) = ACL(Y); |
|
2 | sin | $cX | N/A | $cX = read_stream(); ACL(X) = ???; |
|
3 | sout | $cX | N/A | write_stream($cX); |
? |
4 | rnd | $cX | N/A | $cX = read_trng(); ACL(X) = ???; |
|
5 | s0begin | immX | N/A | record_macro_for_N_instructions(0, immX); |
|
6 | s0exec | immX | N/A | execute_macro_N_times(0, immX); |
|
7 | s1begin | immX | N/A | record_macro_for_N_instructions(1, immX); |
|
8 | s1exec | immX | N/A | execute_macro_N_times(1, immX); |
|
9 | <invalid> | ||||
0xA | chmod | $cX | immY | Complicated, see ACL. | |
0xB | xor | $cX | $cY | $cX ^= $cY; |
(ACL(X) & 2) && (ACL(Y) & 2)
|
0xC | add | $cX | immY | $cX += immY; |
(ACL(X) & 2)
|
0xD | and | $cX | $cY | $cX &= $cY; |
(ACL(X) & 2) && (ACL(Y) & 2)
|
0xE | rev | $cX | $cY | $cX = endian_swap128($cY); ACL(X) = ACL(Y); |
|
0xF | gfmul | $cX | $cY | $cX = gfmul($cY); ACL(X) = ACL(Y); |
(ACL(Y) & 2)
|
0x10 | secret | $cX | immY | $cX = load_secret(immY); ACL(X) = load_secret_acl(immY); |
|
0x11 | keyreg | immX | N/A | active_key_idx = immX; |
|
0x12 | kexp | $cX | $cY | $cX = aes_kexp($cY); ACL(X) = ACL(Y); |
|
0x13 | krexp | $cX | $cY | $cX = aes_kexp_reverse($cY); ACL(X) = ACL(Y); |
|
0x14 | enc | $cX | $cY | $cX = aes_enc(active_key_idx, $cY); ACL(X) = ACL(active_key_idx) & ACL(Y); |
|
0x15 | dec | $cX | $cY | $cX = aes_dec(active_key_idx, $cY); ACL(X) = ACL(active_key_idx) & ACL(Y); |
|
0x16 | csigauth | $cX | $cY | if (hash_verify($cX, $cY)) { has_sig = true; current_sig = $cX; } |
? |
0x17 | csigclr | N/A | N/A | has_sig = false; |
|
0x18 | csigenc | $cX | $cY | if (has_sig) { $cX = aes_enc($cY, current_sig); ACL(X) = 0x13; } |
csigauth
00000000: f5 3c XY d8 csigauth $cY $cX
Takes 2 crypto registers as operands and is automatically executed when jumping to a code region previously uploaded as secret. This instruction does not work in secure mode.
csigclr
00000000: f5 3c 00 e0 csigclr
This instruction takes no operands and appears to clear the saved cauth signature used by the csigenc instruction.
cchmod
00000000: f5 3c XY a8 cchmod $cY 0X
or 00000000: f5 3c XY a9 cchmod $cY 1X
This instruction takes a crypto register and a 5 bit immediate value which represents the ACL mask to set.
crnd
00000000: f5 3c 0X 90 crnd $cX
This instruction initializes a crypto register with random data.
Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:
- Write 0x7FFF to TSEC_TRNG_CLK_LIMIT_LOW.
- Write 0x3FF0000 to TSEC_TRNG_CLK_LIMIT_HIGH.
- Write 0xFF00 to TSEC_TRNG_CTL.
- Write 0x1000 to TSEC_SCP_CTL1.
Otherwise it hangs forever.
ACL
Bit | Meaning |
---|---|
0 | Secure key. Forced set if bit1 is set. Once cleared, cannot be set again. |
1 | Secure readable. Once cleared, cannot be set again. |
2 | Insecure key. Forced set if bit3 is set. Forced clear if bit0 is clear. Can be toggled back and forth. |
3 | Insecure readable. Forced clear if bit1 is clear. Can be toggled back and forth. |
4 | Insecure overwritable. Can be toggled back and forth. |
Initial values
On SCP boot, the ACL is 0x1F for all $cX.
Loading into $cX using xdst instruction sets ACL($cX) to 0x13 and 0x1F, for secure and insecure mode respectively.
Spilling a $cX to DMEM using xdld instruction is allowed if (ACL($cX) & 2) or (ACL($cX) & 8), for secure and insecure mode respectively.
Loading a secret into $cX sets a per-secret ACL, unconditionally.
cauth
$cauth is a special purpose register in the CPU.
Bits | Description |
---|---|
0-7 | Start of region to authenticate (in 0x100 pages) |
8-15 | Unknown |
16 | Use secret xfers |
17 | Region is encrypted |
18 | Unknown (set in HS mode) |
19 | Block traps and interrupts (set in HS mode) |
20-23 | Unknown |
24-31 | Size of region to authenticate (in 0x100 pages) |
cxset
cxset instruction provides a way to change behavior of a variable amount of successively executed DMA-related instructions.
for example: 000000de: f4 3c 02 cxset 0x2
can be read as: dma_override(type=crypto_reg, count=2)
The argument to cxset specifies the type of behavior change in the top 3 bits, and the number of DMA-related instructions the effect lasts for in the lower 5 bits.
Bits | Description |
---|---|
0-4 | Number of instructions it is valid for (0x1f is a special value meaning infinitely many instructions -- until overriden by another cxset) |
5 | Crypto destination/source select (0=crypto register, 1=crypto stream) |
6 | External memory override (0=Disabled, 1=Enabled) |
7 | Internal memory select (0=DMEM, 1=IMEM) |
DMA-Related Instructions
At least the following instructions may have changed behavior, and count against the cxset "count" argument: xdwait
, xdst
, xdld
.
For example, if override type=0b000, then the "length" argument to xdst
is instead treated as the index of the target $cX register.
Secrets
Falcon's Authenticated Mode has access to 64 128-bit keys which are burned at factory. These keys can be loaded by using the $csecret instruction which takes the target crypto register and the key index as arguments.
Secrets are specific to each Falcon unit with the exception of secret 0x3F. This secret is effectively empty (all zeros), but is configured to be overwritten with the KFUSE private key once the KFUSE clock is enabled. The KFUSE private key is console-unique.
Index | ACL | Notes |
---|---|---|
0x00 | 0x13 | Used by Keygen, nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares. |
0x01 | 0x10 | Used by nvhost_nvdec_bl020_prod firmware. |
0x02 | 0x10 | |
0x03 | 0x11 | Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. |
0x04 | 0x10 | Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. |
0x05 | 0x13 | Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares. |
0x06 | 0x11 | |
0x07 | 0x11 | Used by [6.0.0+] nvhost_tsec firmware. |
0x08 | 0x10 | |
0x09 | 0x13 | Used by nvhost_tsec firmware. |
0x0A | 0x11 | |
0x0B | 0x10 | Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. |
0x0C | 0x13 | |
0x0D | 0x11 | |
0x0E | 0x10 | |
0x0F | 0x13 | Used by nvhost_tsec firmware. |
0x10 | 0x11 | Used by [1.0.0-5.1.0] nvhost_tsec firmware. |
0x11 | 0x10 | |
0x12 | 0x13 | |
0x13 | 0x11 | |
0x14 | 0x10 | |
0x15 | 0x13 | Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares. |
0x16 | 0x11 | |
0x17 | 0x10 | |
0x18 | 0x13 | |
0x19 | 0x11 | |
0x1A | 0x10 | |
0x1B | 0x13 | |
0x1C | 0x11 | |
0x1D | 0x10 | |
0x1E | 0x13 | |
0x1F | 0x11 | |
0x20 | 0x10 | |
0x21 | 0x13 | |
0x22 | 0x11 | |
0x23 | 0x10 | |
0x24 | 0x13 | |
0x25 | 0x11 | |
0x26 | 0x10 | Used by KeygenLdr and SecureBoot |
0x27 | 0x13 | |
0x28 | 0x11 | |
0x29 | 0x10 | |
0x2A | 0x13 | |
0x2B | 0x11 | |
0x2C | 0x10 | |
0x2D | 0x13 | |
0x2E | 0x11 | |
0x2F | 0x10 | |
0x30 | 0x13 | |
0x31 | 0x11 | |
0x32 | 0x10 | |
0x33 | 0x13 | |
0x34 | 0x11 | |
0x35 | 0x10 | |
0x36 | 0x13 | |
0x37 | 0x11 | |
0x38 | 0x10 | |
0x39 | 0x13 | |
0x3A | 0x11 | |
0x3B | 0x10 | |
0x3C | 0x13 | Used by nvhost_tsec firmware. |
0x3D | 0x11 | |
0x3E | 0x10 | |
0x3F | 0x10 | Used by Keygen, nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. |