2,787
edits
Changes
no edit summary
* 0x54500000 to 0x54501000: THI (Tegra Host Interface)
* 0x54500000 to 0x54501000: THI (Tegra Host Interface)
* 0x54501000 to 0x54501400: [[#Falcon|FALCON (Falcon microcontroller)]]
* 0x54501000 to 0x54501400: [[#Falcon|FALCON (Falcon microcontroller)]]
* 0x54501400 to 0x54501600: [[#SCP|SCP (Secure Co-processor)]]
* 0x54501400 to 0x54501600: [[#SCP|SCP (Secure coprocessor)]]
* 0x54501600 to 0x54501680: TFBIF (Tegra Framebuffer Interface)
* 0x54501600 to 0x54501680: TFBIF (Tegra Framebuffer Interface)
* 0x54501680 to 0x54501700: CG (Clock Gate)
* 0x54501680 to 0x54501700: CG (Clock Gate)
|-
|-
| 10
| 10
| Enable the LOAD interface
| Enable the [[#LOAD|LOAD]] interface
|-
|-
| 12
| 12
| Enable the STORE interface
| Enable the [[#STORE|STORE]] interface
|-
|-
| 14
| 14
| Enable the CMD interface
| Enable the [[#CMD|CMD]] interface
|-
|-
| 16
| 16
| Enable the SEQ controller
| Enable the [[#SEQ|SEQ]] block
|-
|-
| 20
| 20
| Enable the CTL controller
| Enable the [[#CTL|CTL]] block
|}
|}
|-
|-
| 0
| 0
| Flush the SEQ controller
| Clear all [[#SEQ|SEQ]] block's instructions
|-
|-
| 8
| 8
|-
|-
| 11
| 11
| Enable RNG test mode
| Enable [[#RNG|RNG]] block's test mode
|-
|-
| 12
| 12
| Enable the RNG controller
| Enable the [[#RNG|RNG]] block
|-
|-
| 16
| 16
| Enable LOAD interface dummy mode (all reads return 0)
| Enable [[#LOAD|LOAD]] interface's dummy mode (all reads return 0)
|-
|-
| 20
| 20
| Enable LOAD interface bypassing (all reads are dropped)
| Enable [[#LOAD|LOAD]] interface bypassing (all reads are dropped)
|-
|-
| 24
| 24
| Enable STORE interface bypassing (all writes are dropped)
| Enable [[#STORE|STORE]] interface bypassing (all writes are dropped)
|}
|}
|-
|-
| 4
| 4
| Lock the SCP
| Lock the [[#SCP|SCP]]
|-
|-
| 5
| 5
|-
|-
| 8
| 8
| Flush the CMD interface
| Flush the [[#CMD|CMD]] interface
|-
|-
| 12-13
| 12-13
|-
|-
| 0
| 0
| Swap SCP master
| Swap [[#SCP|SCP]] master
|-
|-
| 1
| 1
| Current SCP master
| Current [[#SCP|SCP]] master
0: Falcon
0: Falcon
1: External
1: External
|-
|-
| 8-12
| 8-12
| SEQ size
| [[#SEQ|SEQ]] block's current sequence size
|-
|-
| 13-16
| 13-16
| SEQ instruction's address
| [[#SEQ|SEQ]] block's current instruction address
|-
|-
| 17
| 17
| SEQ instruction is valid
| [[#SEQ|SEQ]] block's current instruction is valid
|-
|-
| 18
| 18
| SEQ controller is running in HS mode
| [[#SEQ|SEQ]] block is running in HS mode
|-
|-
| 19-22
| 19-22
| LOAD size
| [[#LOAD|LOAD]] interface's pipeline size
|-
|-
| 23
| 23
| LOAD instruction is valid
| [[#LOAD|LOAD]] interface's current instruction is valid
|-
|-
| 24
| 24
| LOAD interface is running in HS mode
| [[#LOAD|LOAD]] interface is running in HS mode
|-
|-
| 25-26
| 25-26
| STORE size
| [[#STORE|STORE]] interface's pipeline size
|-
|-
| 30
| 30
| STORE instruction is valid
| [[#STORE|STORE]] interface's current instruction is valid
|-
|-
| 31
| 31
| STORE interface is running in HS mode
| [[#STORE|STORE]] interface is running in HS mode
|}
|}
Used for debugging crypto controllers such as the SEQ (crypto sequence).
Used for debugging the [[#LOAD|LOAD]], [[#STORE|STORE]] and [[#SEQ|SEQ]] blocks.
=== TSEC_SCP_DBG1 ===
=== TSEC_SCP_DBG1 ===
|-
|-
| 0-3
| 0-3
| SEQ instruction's first operand
| [[#SEQ|SEQ]] block's current instruction's first operand
|-
|-
| 4-9
| 4-9
| SEQ instruction's second operand
| [[#SEQ|SEQ]] block's current instruction's second operand
|-
|-
| 10-14
| 10-14
| SEQ instruction's opcode
| [[#SEQ|SEQ]] block's current instruction's opcode
|}
|}
|-
|-
| 0-1
| 0-1
| SEQ controller's state
| [[#SEQ|SEQ]] block's state
0: Idle
0: Idle
1: Recording is active (cs0begin/cs1begin)
1: Recording is active (cs0begin/cs1begin)
|-
|-
| 4-7
| 4-7
| Number of SEQ instructions left
| Number of [[#SEQ|SEQ]] block's instructions left
|-
|-
| 12-15
| 12-15
|}
|}
Used for retrieving additional debug data associated with the SEQ controller.
Used for retrieving additional debug data associated with the [[#SEQ|SEQ]] block.
=== TSEC_SCP_CMD ===
=== TSEC_SCP_CMD ===
|-
|-
| 28
| 28
| CMD instruction is valid
| [[#CMD|CMD]] interface's current instruction is valid
|-
|-
| 31
| 31
| CMD interface is running in HS mode
| [[#CMD|CMD]] interface is running in HS mode
|}
|}
|-
|-
| 0
| 0
| SCP is active
| [[#SCP|SCP]] is active
|-
|-
| 2
| 2
| CMD interface is active
| [[#CMD|CMD]] interface is active
|-
|-
| 4
| 4
| STORE interface is active
| [[#STORE|STORE]] interface is active
|-
|-
| 6
| 6
| SEQ controller is active
| [[#SEQ|SEQ]] block is active
|-
|-
| 8
| 8
| CTL controller is active
| [[#CTL|CTL]] block is active
|-
|-
| 10
| 10
| LOAD interface is active
| [[#LOAD|LOAD]] interface is active
|-
|-
| 14
| 14
| AES controller is active
| [[#AES|AES]] block is active
|-
|-
| 16
| 16
| RNG controller is active
| [[#RNG|RNG]] block is active
|}
|}
Contains the status of the crypto controllers and interfaces.
Contains the status of the hardware blocks and interfaces.
=== TSEC_SCP_STAT1 ===
=== TSEC_SCP_STAT1 ===
|-
|-
| 4
| 4
| LOAD interface is running in HS mode
| [[#LOAD|LOAD]] interface is running in HS mode
|-
|-
| 6
| 6
| LOAD interface is ready
| [[#LOAD|LOAD]] interface is ready
|-
|-
| 8
| 8
| STORE interface is running in HS mode
| [[#STORE|STORE]] interface is running in HS mode
|-
|-
| 10
| 10
| STORE interface received a valid instruction
| [[#STORE|STORE]] interface received a valid instruction
|-
|-
| 12
| 12
| CMD interface is running in HS mode
| [[#CMD|CMD]] interface is running in HS mode
|-
|-
| 14
| 14
| CMD interface received a valid instruction
| [[#CMD|CMD]] interface received a valid instruction
|}
|}
==== DMB1 ====
==== DMB1 ====
Unknown. Marked as "RESERVED".
Unknown. Marked as "RESERVED".
=== Heavy Secure Mode ===
=== Heavy Secure Mode ===
Via [[#TSEC_SCP_DBG0|TSEC_SCP_DBG0]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
Via [[#TSEC_SCP_DBG0|TSEC_SCP_DBG0]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
== SCP ==
"SCP" (Secure Co-Processor) is a proprietary coprocessor which can be found inside every [[#Falcon|Falcon]] that supports [[#Heavy_Secure_Mode|Heavy Secure Mode]]. On the Tegra X1 these are TSECA, TSECB, NVDEC and the GPU's PMU.
=== Hardware ===
SCP is subdivided into several specialized hardware blocks and interfaces.
==== LOAD ====
Interface for handling memory reads from SCP to Falcon.
Can be enabled or disabled by register [[#TSEC_SCP_CTL0|TSEC_SCP_CTL0]].
==== STORE ====
Interface for handling memory writes from Falcon to SCP.
Can be enabled or disabled by register [[#TSEC_SCP_CTL0|TSEC_SCP_CTL0]].
==== CMD ====
Interface for translating Falcon crypto operands into SCP commands.
Can be enabled or disabled by register [[#TSEC_SCP_CTL0|TSEC_SCP_CTL0]] and reports the status of the current command through register [[#TSEC_SCP_CMD|TSEC_SCP_CMD]].
==== SEQ ====
Configurable block for recording and executing sequences of crypto operations in the form of macros.
Can be enabled or disabled by register [[#TSEC_SCP_CTL0|TSEC_SCP_CTL0]].
==== CTL ====
Overseer block for controlling certain SCP features.
Can be enabled or disabled by register [[#TSEC_SCP_CTL0|TSEC_SCP_CTL0]].
Registers [[#TSEC_SCP_CTL_STAT|TSEC_SCP_CTL_STAT]], [[#TSEC_SCP_CTL_LOCK|TSEC_SCP_CTL_LOCK]], [[#TSEC_SCP_CTL_SCP|TSEC_SCP_CTL_SCP]], [[#TSEC_SCP_CTL_PKEY|TSEC_SCP_CTL_PKEY]] and [[#TSEC_SCP_CTL_DBG|TSEC_SCP_CTL_DBG]] refer to this block.
==== AES ====
Block for providing AES-128-ECB functionality.
==== RNG ====
Block for encapsulating and controlling the internal random number generator.
Can be enabled or disabled by register [[#TSEC_SCP_CTL1|TSEC_SCP_CTL1]] and reports the status of the internal random number generator through registers [[#TSEC_SCP_RNG_STAT0|TSEC_SCP_RNG_STAT0]] and [[#TSEC_SCP_RNG_STAT1|TSEC_SCP_RNG_STAT1]].
===== RND =====
Internal random number generator.
Can be configured by the [[#TSEC_SCP_RND_CTL0|TSEC_SCP_RND_CTLx]] registers.
=== Operations ===
=== Operations ===
Otherwise it hangs forever.
Otherwise it hangs forever.
=== ACL ===
=== ACLs ===
Each crypto register has an associated access control list with the following format:
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Bit
! Bit
! Meaning
! Description
|-
|-
| 0 || Secure key. Forced set if bit1 is set. Once cleared, cannot be set again.
| 0 || Secure key. Forced set if bit1 is set. Once cleared, cannot be set again.
|}
|}
On boot, the ACL is 0x1F for all $cX.
On SCP boot, the ACL is 0x1F for all $cX.
Loading into $cX using xdst instruction sets ACL($cX) to 0x13 and 0x1F, for secure and insecure mode respectively.
Loading into $cX using xdst instruction sets ACL($cX) to 0x13 and 0x1F, for secure and insecure mode respectively.
=== Secrets ===
=== Secrets ===
[[#Heavy_Secure_Mode|Heavy Secure Mode]] has access to 64 128-bit keys which are burned at factory. These keys can be loaded using the $csecret instruction which takes the target crypto register and the key index as arguments.
Secrets are specific to each Falcon unit with the exception of secret 0x3F. This secret is effectively empty (all zeros), but is configured to be overwritten with the KFUSE private key once the KFUSE clock is enabled. The KFUSE private key is console-unique.
Secrets are specific to each Falcon unit with the exception of secret 0x3F. This secret is effectively empty (all zeros), but is configured to be overwritten with the KFUSE private key once the KFUSE clock is enabled. The KFUSE private key is console-unique.
{| class=wikitable
{| class=wikitable
! Index || ACL || Notes
! Index || ACL || Description
|-
|-
| 0x00 || 0x13 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
| 0x00 || 0x13 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
| 0x05 || 0x13 || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
| 0x05 || 0x13 || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
|-
|-
| 0x06 || 0x11 || Used by Falcon's Secure Boot ROM as key to decrypt data during authentication (decided by bit 17 in the [[#SEC|SEC/cauth]] register).
| 0x06 || 0x11 || Used by Falcon's Secure Boot ROM as key to decrypt data during authentication (decided by bit 17 in the [[#SEC|SEC]] register).
|-
|-
| 0x07 || 0x11 || Used by [6.0.0+] nvhost_tsec firmware.
| 0x07 || 0x11 || Used by [6.0.0+] nvhost_tsec firmware.