Changes

615 bytes added , 22:29, 7 November 2020

→‎Versions: fix M1-M4

Line 1: Line 1: −

== BootROM ==

+

= BootROM =

The bootrom initializes two keyslots in the hardware engine:

* the SBK (Secure Boot Key) in keyslot 14

−

* the SSK (Secure ~~System~~ Key) in keyslot 15.

+

* the SSK (Secure Storage Key) in keyslot 15.

Reads from both of these keyslots are disabled by the bootROM.

Line 48: Line 48:

}

−

== Falcon coprocessor ==

+

= Falcon coprocessor =

The falcon processor (TSEC) generates a special console-unique key (that will be referred to as the "tsec key").

This is presumably using data stored in fuses that only microcode authenticated by NVidia has access to.

−

== Package1ldr ==

+

= Package1ldr =

−

+

== Key table ==

−

=== Key table ~~during package1ldr =~~==

+

[1.0.0-3.0.2] During package1ldr:

−

{| class="wikitable" border="1"

|-

Line 78: Line 77:

|-

| 15

−

| ~~SecureSystemKey~~

+

| SecureStorageKey

| Bootrom

| Yes

Line 84: Line 83:

|}

−

~~===~~ [1.0.0-3.0.2] ~~Key table after~~ package1ldr ~~===~~

+

[1.0.0-3.0.2] After package1ldr:

−

{| class="wikitable" border="1"

|-

Line 107: Line 105:

|}

−

~~===~~ [4.0.0]~~+ Key table after~~ package1ldr (Secure Monitor boot) ~~===~~

+

[4.0.0+] After package1ldr (Secure Monitor boot):

−

{| class="wikitable" border="1"

|-

Line 142: Line 139:

|}

−

~~===~~ [4.0.0]~~+ Key table after~~ package1ldr (Secure Monitor runtime) ~~===~~

+

[4.0.0+] After package1ldr (Secure Monitor runtime):

−

{| class="wikitable" border="1"

|-

Line 171: Line 167:

|}

−

~~===~~ [6.2.0]~~+ Key table after~~ package1ldr/TSEC Payload (Secure Monitor boot) ~~===~~

+

[6.2.0+] After package1ldr/TSEC Payload (Secure Monitor boot):

−

{| class="wikitable" border="1"

|-

Line 200: Line 195:

|-

| 15

−

| ~~SecureSystemKey~~

+

| SecureStorageKey

| Bootrom

| Yes

Line 206: Line 201:

|}

−

+

== Key generation ==

−

=== Key generation ===

Note: aes_unwrap(wrapped_key, wrap_key) is just another name for a single AES-128 block decryption.

Line 297: Line 291:

The key-derivation is described in more detail [[Package1#Key_generation|here]].

−

==== Keyblob ====

+

=== Keyblob ===

There are 32 keyblobs written to NAND at factory, with each keyblob encrypted with a console-unique key derived from the console's SBK, the console's tsec key, and a constant specific to each keyblob.

Despite being encrypted with console unique keys, though, the decrypted keyblob contents are shared for all consoles.

−

~~==== Seeds ====~~

+

Used keyblobs are as follows:

−

~~normalseed_retail = d8a2410a...~~

−

~~[1.0.0] wrapped_keyblob_key = df206f59...~~

−

~~[1.0.0] simpleseed_dev0 = aff11423...~~

−

~~[1.0.0] simpleseed_dev1 = 5e177ee1...~~

−

~~[1.0.0] normalseed_dev = 0542a0fd...~~

−

~~[3.0.0] wrapped_keyblob_key = 0c25615d...~~

−

~~[3.0.0] simpleseed_dev0 = de00216a...~~

−

~~[3.0.0] simpleseed_dev1 = 2db7c0a1...~~

−

~~[3.0.0] normalseed_dev = 678c5a03...~~

−

~~[3.0.1] wrapped_keyblob_key = 337685ee...~~

−

~~[3.0.1] simpleseed_dev0 = e045f5ba...~~

−

~~[3.0.1] simpleseed_dev1 = 84d92e0d...~~

−

~~[3.0.1] normalseed_dev = cd88155b...~~

−

~~[4.0.0] wrapped_keyblob_key = 2d1f4880...~~

−

~~==== Table of used~~ keyblobs ~~====~~

{| class="wikitable" border="1"

Line 357: Line 331:

Starting from 6.2.0, key generation no longer uses keyblobs.

−

== Secure Monitor Init ==

+

=== Seeds ===

+

normalseed_retail = d8a2410a...

+

[1.0.0] wrapped_keyblob_key = df206f59...

+

[1.0.0] simpleseed_dev0 = aff11423...

+

[1.0.0] simpleseed_dev1 = 5e177ee1...

+

[1.0.0] normalseed_dev = 0542a0fd...

+

[3.0.0] wrapped_keyblob_key = 0c25615d...

+

[3.0.0] simpleseed_dev0 = de00216a...

+

[3.0.0] simpleseed_dev1 = 2db7c0a1...

+

[3.0.0] normalseed_dev = 678c5a03...

+

[3.0.1] wrapped_keyblob_key = 337685ee...

+

[3.0.1] simpleseed_dev0 = e045f5ba...

+

[3.0.1] simpleseed_dev1 = 84d92e0d...

+

[3.0.1] normalseed_dev = cd88155b...

+

[4.0.0] wrapped_keyblob_key = 2d1f4880...

+

=== Versions ===

+

The key generation system has historically been revised several times. Each version is bound to a specific BCT public key and can be identified by its first byte as follows:

+

{| class="wikitable" border="1"

+

|-

+

! Version

+

! BCT public key's first byte

+

! Description

+

|-

+

| K1

+

| 0x11

+

| Erista prototype development

+

|-

+

| K2

+

| 0xFB

+

| Erista prototype development

+

|-

+

| K3

+

| 0x4F

+

| Erista prototype development

+

|-

+

| K4

+

|

+

| Erista prototype retail

+

|-

+

| K5

+

| 0x37

+

| Erista development

+

|-

+

| K6

+

| 0xF7

+

| Erista retail

+

|-

+

| M1

+

| 0x19

+

| Mariko prototype development

+

|-

+

| M2

+

| 0xC3

+

| Mariko development

+

|-

+

| M3

+

| 0xDD

+

| Mariko prototype retail (pre-6.0.0)

+

|-

+

| M4

+

| 0x9B

+

| Mariko retail

+

|}

+

= Secure Monitor Init =

On all versions, the key to decrypt [[Package2]] is generated by decrypting a constant seed with the master key. The key is erased after use.

Additionally, starting from 4.0.0, the Secure Monitor init will decrypt another constant seed successively with a special per console key and a special static key passed by package1loader, to generate the firmware specific per-console key. The operation will erase these special keys passed by package1loader.

−

== Secure Monitor ==

+

= Secure Monitor =

The secure monitor performs some runtime cryptographic operations. See [[SMC]] for what operations it provides.

SciresM

Bureaucrats, Administrators

885

edits

Changes

Cryptosystem (view source)

Revision as of 22:29, 7 November 2020

Navigation menu

Search