2,787
edits
Changes
no edit summary
== ASLR Implementation ==
== ASLR Implementation ==
The kernel uses a MT19937 random number generator, seeded by a [[SMC#GetRandomBytes|smcGetRandomBytes]]
The kernel uses a MT19937 random number generator, seeded by [[SMC#GetRandomBytes|smcGetRandomBytes]].
=== 1.0.0 ===
=== 1.0.0 ===
KASLR is being used since [[5.0.0]], but not before, with the following pseudocode (might contains some errors):
KASLR is being used since [[5.0.0]], but not before, with the following pseudocode (might contains some errors):
<pre>
DRAM crt0 mapping (ttbr1): offsets DRAM with (rand64ViaSmc() % 0x3FFF0 << 21), allocates exactly (end - _start) + 1GB.
DRAM crt0 mapping (ttbr1): offsets DRAM with (rand64ViaSmc() % 0x3FFF0 << 21), allocates exactly (end - _start) + 1GB.
This is a "linear" mapping. Permissions are set properly.
This is a "linear" mapping. Permissions are set properly.
Map(RandomizePageBoundary(GuardPage + KCoreContext * 4)) -> NextFreePages(4)
Map(RandomizePageBoundary(GuardPage + KCoreContext * 4)) -> NextFreePages(4)
</pre></code>
</pre>
== 1.0.0 ==
== 1.0.0 ==
= Secure Monitor =
= Secure Monitor =
Unless otherwise mentionned, block descriptors (in our case, the one uses for the DRAM identity mapping) are all ORRed by 0x401 and page descriptors by 0x403.
Unless otherwise mentionned, block descriptors (in our case, the one uses for the DRAM identity mapping) are all ORRed by 0x401 and page descriptors by 0x403.
== [[1.0.0]] ==
== [[1.0.0]] ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| Must be empty.
| Must be empty.
|}
|}
= Carveouts =
The MC (Memory Controller) provides multiple configurable memory carveouts which allow to protect and limit access to sensitive DRAM regions. Carveouts work on the physical access level, thus acting as the last protection barrier from unauthorized memory accesses.
A total of 9 programmable carveouts are available from which 4 have a fixed function (TZDRAM, VPR, SEC and MTS) and 5 are generalized carevouts (GSCs 1 to 5).
== TZDRAM Carveout ==
Defines a DRAM region that can only be accessed by TrustZone-secure clients. Currently unused by the Switch.
This carveout is controlled by the following MC registers:
* MC_SECURITY_CFG0
* MC_SECURITY_CFG1
* MC_SECURITY_CFG3
== VPR Carveout ==
Defines a DRAM region that can only be accessed by clients that are part of the video decode and display process (Display, GPU, TSEC, VIC, NVENC, NVDEC and HDA). Currently unused by the Switch.
This carveout is controlled by the following MC registers:
* MC_VIDEO_PROTECT_GPU_OVERRIDE_0
* MC_VIDEO_PROTECT_GPU_OVERRIDE_1
* MC_VIDEO_PROTECT_BOM
* MC_VIDEO_PROTECT_SIZE_MB
* MC_VIDEO_PROTECT_REG_CTRL
== SEC Carveout ==
Defines a DRAM region that can only be accessed by the [[#TSEC|TSEC]]. Deprecated and unused by the Switch.
This carveout is controlled by the following MC registers:
* MC_SEC_CARVEOUT_BOM
* MC_SEC_CARVEOUT_SIZE_MB
* MC_SEC_CARVEOUT_REG_CTRL
== MTS Carveout ==
Defines a DRAM region for Falcon microcode. Deprecated and unused by the Switch.
This carveout is controlled by the following MC registers:
* MC_MTS_CARVEOUT_BOM
* MC_MTS_CARVEOUT_SIZE_MB
* MC_MTS_CARVEOUT_ADR_HI
* MC_MTS_CARVEOUT_REG_CTRL
== Generalized Carveouts ==
These carveouts can be freely configured for any client that supports them. By default, they are assigned as:
* GSC 1: NVDEC
* GSC 2: WPR1 (for GPU)
* GSC 3: WPR2 (for GPU)
* GSC 4: TSECA
* GSC 5: TSECB
However, in the Switch's case they are currently assigned as:
* GSC 1: None
* GSC 2: GPU
* GSC 3: None
* GSC 4: Kernel (active)
* GSC 5: Kernel (unused)
These carveouts are controlled by the following MC registers:
* MC_SECURITY_CARVEOUT1/2/3/4/5_BOM
* MC_SECURITY_CARVEOUT1/2/3/4/5_BOM_HI
* MC_SECURITY_CARVEOUT1/2/3/4/5_SIZE_128KB
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS0
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS1
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS2
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS3
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS4
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS0
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS1
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS2
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS3
* MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS4
* MC_SECURITY_CARVEOUT1/2/3/4/5_CFG0
= Notes =
= Notes =