TSEC

From Nintendo Switch Brew
(Redirected from Falcon)
Jump to navigation Jump to search

TSEC (Tegra Security Co-processor) is a dedicated unit powered by a NVIDIA Falcon microprocessor with crypto extensions.

Driver

A host driver for communicating with the TSEC is mapped to physical address 0x54500000 with a total size of 0x40000 bytes and exposes several registers.

Registers

The TSEC's MMIO space is divided as follows:

  • 0x54500000 to 0x54501000: THI (Tegra Host Interface)
  • 0x54501000 to 0x54501400: FALCON (Falcon microcontroller)
  • 0x54501400 to 0x54501600: SCP (Secure coprocessor)
  • 0x54501600 to 0x54501680: TFBIF (Tegra Framebuffer Interface)
  • 0x54501680 to 0x54501700: CG (Clock Gate)
  • 0x54501700 to 0x54501800: BAR0 (HOST1X device DMA)
  • 0x54501800 to 0x54501900: TEGRA (Miscellaneous interfaces)
Name Address Width
TSEC_THI_INCR_SYNCPT 0x54500000 0x04
TSEC_THI_INCR_SYNCPT_CTRL 0x54500004 0x04
TSEC_THI_INCR_SYNCPT_ERR 0x54500008 0x04
TSEC_THI_CTXSW_INCR_SYNCPT 0x5450000C 0x04
TSEC_THI_CTXSW 0x54500020 0x04
TSEC_THI_CTXSW_NEXT 0x54500024 0x04
TSEC_THI_CONT_SYNCPT_EOF 0x54500028 0x04
TSEC_THI_CONT_SYNCPT_L1 0x5450002C 0x04
TSEC_THI_METHOD0 0x54500040 0x04
TSEC_THI_METHOD1 0x54500044 0x04
TSEC_THI_CONTEXT_SWITCH 0x54500060 0x04
TSEC_THI_INT_STATUS 0x54500078 0x04
TSEC_THI_INT_MASK 0x5450007C 0x04
TSEC_THI_CONFIG0 0x54500080 0x04
TSEC_THI_DBG_MISC 0x54500084 0x04
TSEC_THI_SLCG_OVERRIDE_HIGH_A 0x54500088 0x04
TSEC_THI_SLCG_OVERRIDE_LOW_A 0x5450008C 0x04
TSEC_THI_CLK_OVERRIDE 0x54500E00 0x04
TSEC_FALCON_IRQSSET 0x54501000 0x04
TSEC_FALCON_IRQSCLR 0x54501004 0x04
TSEC_FALCON_IRQSTAT 0x54501008 0x04
TSEC_FALCON_IRQMODE 0x5450100C 0x04
TSEC_FALCON_IRQMSET 0x54501010 0x04
TSEC_FALCON_IRQMCLR 0x54501014 0x04
TSEC_FALCON_IRQMASK 0x54501018 0x04
TSEC_FALCON_IRQDEST 0x5450101C 0x04
TSEC_FALCON_GPTMRINT 0x54501020 0x04
TSEC_FALCON_GPTMRVAL 0x54501024 0x04
TSEC_FALCON_GPTMRCTL 0x54501028 0x04
TSEC_FALCON_PTIMER0 0x5450102C 0x04
TSEC_FALCON_PTIMER1 0x54501030 0x04
TSEC_FALCON_WDTMRVAL 0x54501034 0x04
TSEC_FALCON_WDTMRCTL 0x54501038 0x04
TSEC_FALCON_IRQDEST2 0x5450103C 0x04
TSEC_FALCON_MAILBOX0 0x54501040 0x04
TSEC_FALCON_MAILBOX1 0x54501044 0x04
TSEC_FALCON_ITFEN 0x54501048 0x04
TSEC_FALCON_IDLESTATE 0x5450104C 0x04
TSEC_FALCON_CURCTX 0x54501050 0x04
TSEC_FALCON_NXTCTX 0x54501054 0x04
TSEC_FALCON_CTXACK 0x54501058 0x04
TSEC_FALCON_FHSTATE 0x5450105C 0x04
TSEC_FALCON_PRIVSTATE 0x54501060 0x04
TSEC_FALCON_MTHDDATA 0x54501064 0x04
TSEC_FALCON_MTHDID 0x54501068 0x04
TSEC_FALCON_MTHDWDAT 0x5450106C 0x04
TSEC_FALCON_MTHDCOUNT 0x54501070 0x04
TSEC_FALCON_MTHDPOP 0x54501074 0x04
TSEC_FALCON_MTHDRAMSZ 0x54501078 0x04
TSEC_FALCON_SFTRESET 0x5450107C 0x04
TSEC_FALCON_OS 0x54501080 0x04
TSEC_FALCON_RM 0x54501084 0x04
TSEC_FALCON_SOFT_PM 0x54501088 0x04
TSEC_FALCON_SOFT_MODE 0x5450108C 0x04
TSEC_FALCON_DEBUG1 0x54501090 0x04
TSEC_FALCON_DEBUGINFO 0x54501094 0x04
TSEC_FALCON_IBRKPT1 0x54501098 0x04
TSEC_FALCON_IBRKPT2 0x5450109C 0x04
TSEC_FALCON_CGCTL 0x545010A0 0x04
TSEC_FALCON_ENGCTL 0x545010A4 0x04
TSEC_FALCON_PMM 0x545010A8 0x04
TSEC_FALCON_ADDR 0x545010AC 0x04
TSEC_FALCON_IBRKPT3 0x545010B0 0x04
TSEC_FALCON_IBRKPT4 0x545010B4 0x04
TSEC_FALCON_IBRKPT5 0x545010B8 0x04
TSEC_FALCON_EXCI 0x545010D0 0x04
TSEC_FALCON_SVEC_SPR 0x545010D4 0x04
TSEC_FALCON_RSTAT0 0x545010D8 0x04
TSEC_FALCON_RSTAT3 0x545010DC 0x04
TSEC_FALCON_SIRQMASK 0x545010E0 0x04
TSEC_FALCON_CPUCTL 0x54501100 0x04
TSEC_FALCON_BOOTVEC 0x54501104 0x04
TSEC_FALCON_HWCFG 0x54501108 0x04
TSEC_FALCON_DMACTL 0x5450110C 0x04
TSEC_FALCON_DMATRFBASE 0x54501110 0x04
TSEC_FALCON_DMATRFMOFFS 0x54501114 0x04
TSEC_FALCON_DMATRFCMD 0x54501118 0x04
TSEC_FALCON_DMATRFFBOFFS 0x5450111C 0x04
TSEC_FALCON_DMAPOLL_FB 0x54501120 0x04
TSEC_FALCON_DMAPOLL_CP 0x54501124 0x04
TSEC_FALCON_HWCFG1 0x5450112C 0x04
TSEC_FALCON_CPUCTL_ALIAS 0x54501130 0x04
TSEC_FALCON_STACKCFG 0x54501138 0x04
TSEC_FALCON_IMCTL 0x54501140 0x04
TSEC_FALCON_IMSTAT 0x54501144 0x04
TSEC_FALCON_TRACEIDX 0x54501148 0x04
TSEC_FALCON_TRACEPC 0x5450114C 0x04
TSEC_FALCON_IMFILLRNG0 0x54501150 0x04
TSEC_FALCON_IMFILLRNG1 0x54501154 0x04
TSEC_FALCON_IMFILLCTL 0x54501158 0x04
TSEC_FALCON_IMCTL_DEBUG 0x5450115C 0x04
TSEC_FALCON_CMEMBASE 0x54501160 0x04
TSEC_FALCON_DMEMAPERT 0x54501164 0x04
TSEC_FALCON_EXTERRADDR 0x54501168 0x04
TSEC_FALCON_EXTERRSTAT 0x5450116C 0x04
TSEC_FALCON_CG2 0x5450117C 0x04
TSEC_FALCON_IMEMC0 0x54501180 0x04
TSEC_FALCON_IMEMD0 0x54501184 0x04
TSEC_FALCON_IMEMT0 0x54501188 0x04
TSEC_FALCON_IMEMC1 0x54501190 0x04
TSEC_FALCON_IMEMD1 0x54501194 0x04
TSEC_FALCON_IMEMT1 0x54501198 0x04
TSEC_FALCON_IMEMC2 0x545011A0 0x04
TSEC_FALCON_IMEMD2 0x545011A4 0x04
TSEC_FALCON_IMEMT2 0x545011A8 0x04
TSEC_FALCON_IMEMC3 0x545011B0 0x04
TSEC_FALCON_IMEMD3 0x545011B4 0x04
TSEC_FALCON_IMEMT3 0x545011B8 0x04
TSEC_FALCON_DMEMC0 0x545011C0 0x04
TSEC_FALCON_DMEMD0 0x545011C4 0x04
TSEC_FALCON_DMEMC1 0x545011C8 0x04
TSEC_FALCON_DMEMD1 0x545011CC 0x04
TSEC_FALCON_DMEMC2 0x545011D0 0x04
TSEC_FALCON_DMEMD2 0x545011D4 0x04
TSEC_FALCON_DMEMC3 0x545011D8 0x04
TSEC_FALCON_DMEMD3 0x545011DC 0x04
TSEC_FALCON_DMEMC4 0x545011E0 0x04
TSEC_FALCON_DMEMD4 0x545011E4 0x04
TSEC_FALCON_DMEMC5 0x545011E8 0x04
TSEC_FALCON_DMEMD5 0x545011EC 0x04
TSEC_FALCON_DMEMC6 0x545011F0 0x04
TSEC_FALCON_DMEMD6 0x545011F4 0x04
TSEC_FALCON_DMEMC7 0x545011F8 0x04
TSEC_FALCON_DMEMD7 0x545011FC 0x04
TSEC_FALCON_ICD_CMD 0x54501200 0x04
TSEC_FALCON_ICD_ADDR 0x54501204 0x04
TSEC_FALCON_ICD_WDATA 0x54501208 0x04
TSEC_FALCON_ICD_RDATA 0x5450120C 0x04
TSEC_FALCON_SCTL 0x54501240 0x04
TSEC_FALCON_SERRSTAT 0x54501244 0x04
TSEC_FALCON_SERRVAL 0x54501248 0x04
TSEC_FALCON_SERRADDR 0x5450124C 0x04
TSEC_FALCON_SCTL1 0x54501250 0x04
TSEC_FALCON_STEST 0x54501258 0x04
TSEC_FALCON_SICD 0x54501260 0x04
TSEC_FALCON_SPROT_IMEM 0x54501280 0x04
TSEC_FALCON_SPROT_DMEM 0x54501284 0x04
TSEC_FALCON_SPROT_CPUCTL 0x54501288 0x04
TSEC_FALCON_SPROT_MISC 0x5450128C 0x04
TSEC_FALCON_SPROT_IRQ 0x54501290 0x04
TSEC_FALCON_SPROT_MTHD 0x54501294 0x04
TSEC_FALCON_SPROT_SCTL 0x54501298 0x04
TSEC_FALCON_SPROT_WDTMR 0x5450129C 0x04
TSEC_FALCON_DMAINFO_FINISHED_FBRD_LOW 0x545012C0 0x04
TSEC_FALCON_DMAINFO_FINISHED_FBRD_HIGH 0x545012C4 0x04
TSEC_FALCON_DMAINFO_FINISHED_FBWR_LOW 0x545012C8 0x04
TSEC_FALCON_DMAINFO_FINISHED_FBWR_HIGH 0x545012CC 0x04
TSEC_FALCON_DMAINFO_CURRENT_FBRD_LOW 0x545012D0 0x04
TSEC_FALCON_DMAINFO_CURRENT_FBRD_HIGH 0x545012D4 0x04
TSEC_FALCON_DMAINFO_CURRENT_FBWR_LOW 0x545012D8 0x04
TSEC_FALCON_DMAINFO_CURRENT_FBWR_HIGH 0x545012DC 0x04
TSEC_FALCON_DMAINFO_CTL 0x545012E0 0x04
TSEC_SCP_CTL0 0x54501400 0x04
TSEC_SCP_CTL1 0x54501404 0x04
TSEC_SCP_CTL_STAT 0x54501408 0x04
TSEC_SCP_CTL_LOCK 0x5450140C 0x04
TSEC_SCP_CFG 0x54501410 0x04
TSEC_SCP_CTL_SCP 0x54501414 0x04
TSEC_SCP_CTL_PKEY 0x54501418 0x04
TSEC_SCP_CTL_DBG 0x5450141C 0x04
TSEC_SCP_DBG0 0x54501420 0x04
TSEC_SCP_DBG1 0x54501424 0x04
TSEC_SCP_DBG2 0x54501428 0x04
TSEC_SCP_CMD 0x54501430 0x04
TSEC_SCP_STAT0 0x54501450 0x04
TSEC_SCP_STAT1 0x54501454 0x04
TSEC_SCP_STAT2 0x54501458 0x04
TSEC_SCP_RNG_STAT0 0x54501470 0x04
TSEC_SCP_RNG_STAT1 0x54501474 0x04
TSEC_SCP_IRQSTAT 0x54501480 0x04
TSEC_SCP_IRQMASK 0x54501484 0x04
TSEC_SCP_ACL_ERR 0x54501490 0x04
TSEC_SCP_SEC_ERR 0x54501494 0x04
TSEC_SCP_CMD_ERR 0x54501498 0x04
TSEC_SCP_RND_CTL0 0x54501500 0x04
TSEC_SCP_RND_CTL1 0x54501504 0x04
TSEC_SCP_RND_CTL2 0x54501508 0x04
TSEC_SCP_RND_CTL3 0x5450150C 0x04
TSEC_SCP_RND_CTL4 0x54501510 0x04
TSEC_SCP_RND_CTL5 0x54501514 0x04
TSEC_SCP_RND_CTL6 0x54501518 0x04
TSEC_SCP_RND_CTL7 0x5450151C 0x04
TSEC_SCP_RND_CTL8 0x54501520 0x04
TSEC_SCP_RND_CTL9 0x54501524 0x04
TSEC_SCP_RND_CTL10 0x54501528 0x04
TSEC_SCP_RND_CTL11 0x5450152C 0x04
TSEC_TFBIF_CTL 0x54501600 0x04
TSEC_TFBIF_MCCIF_FIFOCTRL 0x54501604 0x04
TSEC_TFBIF_THROTTLE 0x54501608 0x04
TSEC_TFBIF_DBG_STAT0 0x5450160C 0x04
TSEC_TFBIF_DBG_STAT1 0x54501610 0x04
TSEC_TFBIF_DBG_RDCOUNT_LO 0x54501614 0x04
TSEC_TFBIF_DBG_RDCOUNT_HI 0x54501618 0x04
TSEC_TFBIF_DBG_WRCOUNT_LO 0x5450161C 0x04
TSEC_TFBIF_DBG_WRCOUNT_HI 0x54501620 0x04
TSEC_TFBIF_DBG_R32COUNT 0x54501624 0x04
TSEC_TFBIF_DBG_R64COUNT 0x54501628 0x04
TSEC_TFBIF_DBG_R128COUNT 0x5450162C 0x04
TSEC_TFBIF_MCCIF_FIFOCTRL1 0x54501634 0x04
TSEC_TFBIF_SPROT_EMEM 0x54501640 0x04
TSEC_TFBIF_TRANSCFG 0x54501644 0x04
TSEC_TFBIF_REGIONCFG 0x54501648 0x04
TSEC_CG 0x545016D0 0x04
TSEC_BAR0_CTL 0x54501700 0x04
TSEC_BAR0_ADDR 0x54501704 0x04
TSEC_BAR0_DATA 0x54501708 0x04
TSEC_BAR0_TIMEOUT 0x5450170C 0x04
TSEC_VERSION 0x54501800 0x04
TSEC_SCRATCH0 0x54501804 0x04
TSEC_SCRATCH1 0x54501808 0x04
TSEC_SCRATCH2 0x5450180C 0x04
TSEC_SCRATCH3 0x54501810 0x04
TSEC_SCRATCH4 0x54501814 0x04
TSEC_SCRATCH5 0x54501818 0x04
TSEC_SCRATCH6 0x5450181C 0x04
TSEC_SCRATCH7 0x54501820 0x04
TSEC_GPTMRINT 0x54501824 0x04
TSEC_GPTMRVAL 0x54501828 0x04
TSEC_GPTMRCTL 0x5450182C 0x04
TSEC_ITFEN 0x54501830 0x04
TSEC_ITFSTAT 0x54501834 0x04
TSEC_TEGRA_CTL 0x54501838 0x04

TSEC_THI_INCR_SYNCPT

Bits Description
0-9 TSEC_THI_INCR_SYNCPT_INDX
10-17 TSEC_THI_INCR_SYNCPT_COND

TSEC_THI_INCR_SYNCPT_CTRL

Bits Description
0 TSEC_THI_INCR_SYNCPT_CTRL_SOFT_RESET
8 TSEC_THI_INCR_SYNCPT_CTRL_NO_STALL
16 TSEC_THI_INCR_SYNCPT_CTRL_SOFT_RESET_0
17 TSEC_THI_INCR_SYNCPT_CTRL_NO_STALL_0
18 TSEC_THI_INCR_SYNCPT_CTRL_SOFT_RESET_1
19 TSEC_THI_INCR_SYNCPT_CTRL_NO_STALL_1
20 TSEC_THI_INCR_SYNCPT_CTRL_SOFT_RESET_2
21 TSEC_THI_INCR_SYNCPT_CTRL_NO_STALL_2
22 TSEC_THI_INCR_SYNCPT_CTRL_SOFT_RESET_3
23 TSEC_THI_INCR_SYNCPT_CTRL_NO_STALL_3
24 TSEC_THI_INCR_SYNCPT_CTRL_SOFT_RESET_4
25 TSEC_THI_INCR_SYNCPT_CTRL_NO_STALL_4

TSEC_THI_INCR_SYNCPT_ERR

Bits Description
0 TSEC_THI_INCR_SYNCPT_ERR_COND_STS_IMM
1 TSEC_THI_INCR_SYNCPT_ERR_COND_STS_OPDONE
2 TSEC_THI_INCR_SYNCPT_ERR_COND_STS_RD_DONE
3 TSEC_THI_INCR_SYNCPT_ERR_COND_STS_REG_WR_SAFE
4 TSEC_THI_INCR_SYNCPT_ERR_COND_STS_ENGINE_IDLE

TSEC_THI_CTXSW_INCR_SYNCPT

Bits Description
0-9 TSEC_THI_CTXSW_INCR_SYNCPT_INDX

TSEC_THI_CTXSW

Bits Description
0-9 TSEC_THI_CTXSW_CURR_CLASS
10 TSEC_THI_CTXSW_AUTO_ACK
11-20 TSEC_THI_CTXSW_CURR_CHANNEL

TSEC_THI_CTXSW_NEXT

Bits Description
0-9 TSEC_THI_CTXSW_NEXT_NEXT_CLASS
10-19 TSEC_THI_CTXSW_NEXT_NEXT_CHANNEL

TSEC_THI_CONT_SYNCPT_EOF

Bits Description
0-9 TSEC_THI_CONT_SYNCPT_EOF_INDEX
10 TSEC_THI_CONT_SYNCPT_EOF_COND

TSEC_THI_CONT_SYNCPT_L1

Bits Description
0-9 TSEC_THI_CONT_SYNCPT_L1_INDEX
10 TSEC_THI_CONT_SYNCPT_L1_COND

TSEC_THI_METHOD0

Bits Description
0-11 TSEC_THI_METHOD0_OFFSET

Used to encode and send a method's ID over HOST1X to TSEC. This register mirrors the functionality of HOST1X's channel opcode submission.

The following methods are available:

ID Method
0x100 NOP
0x140 PM_TRIGGER
0x200 SET_APPLICATION_ID
0x204 SET_WATCHDOG_TIMER
0x240 SEMAPHORE_A
0x244 SEMAPHORE_B
0x248 SEMAPHORE_C
0x24C CTX_SAVE_AREA
0x250 CTX_SWITCH
0x300 EXECUTE
0x304 SEMAPHORE_D
0x500 HDCP_INIT
0x504 HDCP_CREATE_SESSION
0x508 HDCP_VERIFY_CERT_RX
0x50C HDCP_GENERATE_EKM
0x510 HDCP_REVOCATION_CHECK
0x514 HDCP_VERIFY_HPRIME
0x518 HDCP_ENCRYPT_PAIRING_INFO
0x51C HDCP_DECRYPT_PAIRING_INFO
0x520 HDCP_UPDATE_SESSION
0x524 HDCP_GENERATE_LC_INIT
0x528 HDCP_VERIFY_LPRIME
0x52C HDCP_GENERATE_SKE_INIT
0x530 HDCP_VERIFY_VPRIME
0x534 HDCP_ENCRYPTION_RUN_CTRL
0x538 HDCP_SESSION_CTRL
0x53C HDCP_COMPUTE_SPRIME
0x540 HDCP_GET_CERT_RX
0x544 HDCP_EXCHANGE_INFO
0x548 HDCP_DECRYPT_KM
0x54C HDCP_GET_HPRIME
0x550 HDCP_GENERATE_EKH_KM
0x554 HDCP_VERIFY_RTT_CHALLENGE
0x558 HDCP_GET_LPRIME
0x55C HDCP_DECRYPT_KS
0x560 HDCP_DECRYPT
0x564 HDCP_GET_RRX
0x568 HDCP_DECRYPT_REENCRYPT
0x56C
0x570
0x574 HDCP_DECRYPT_STORED_KM
0x578 HDCP_GET_CURRENT_RESOLUTION
0x57C HDCP_GET_CURRENT_VERSION
0x700 HDCP_VALIDATE_SRM
0x704 HDCP_VALIDATE_STREAM
0x708 HDCP_TEST_SECURE_STATUS
0x70C HDCP_SET_DCP_KPUB
0x710 HDCP_SET_RX_KPUB
0x714 HDCP_SET_CERT_RX
0x718 HDCP_SET_SCRATCH_BUFFER
0x71C HDCP_SET_SRM
0x720 HDCP_SET_RECEIVER_ID_LIST
0x724 HDCP_SET_SPRIME
0x728 HDCP_SET_ENC_INPUT_BUFFER
0x72C HDCP_SET_ENC_OUTPUT_BUFFER
0x730 HDCP_GET_RTT_CHALLENGE
0x734 HDCP_STREAM_MANAGE
0x738 HDCP_READ_CAPS
0x73C HDCP_ENCRYPT
0x740 [6.0.0+] HDCP_GET_CURRENT_NONCE
0x1114 PM_TRIGGER_END

TSEC_THI_METHOD1

Bits Description
0-31 TSEC_THI_METHOD1_DATA

Used to encode and send a method's data over HOST1X to TSEC. This register mirrors the functionality of HOST1X's channel opcode submission.

TSEC_THI_CONTEXT_SWITCH

Bits Description
0-27 TSEC_THI_CONTEXT_SWITCH_PTR
30-31 TSEC_THI_CONTEXT_SWITCH_TARGET

TSEC_THI_INT_STATUS

Bits Description
0 TSEC_THI_INT_STATUS_FALCON_INT

TSEC_THI_INT_MASK

Bits Description
0 TSEC_THI_INT_MASK_FALCON_INT

TSEC_THI_CONFIG0

Bits Description
0 TSEC_THI_CONFIG0_RETURN_SYNCPT_ON_ERR
4 TSEC_THI_CONFIG0_IDLE_SYNCPT_INC_ENG

TSEC_THI_DBG_MISC

Bits Description
0 TSEC_THI_DBG_MISC_CLIENT_IDLE_STATUS
1 TSEC_THI_DBG_MISC_THI_IDLE_STATUS
2 TSEC_THI_DBG_MISC_THI_SYNCPT_PENDING_STATUS
3 TSEC_THI_DBG_MISC_THI_IDLE_EN

TSEC_THI_SLCG_OVERRIDE_HIGH_A

Bits Description
0-7 TSEC_THI_SLCG_OVERRIDE_HIGH_A_REG

TSEC_THI_SLCG_OVERRIDE_LOW_A

Bits Description
0-31 TSEC_THI_SLCG_OVERRIDE_LOW_A_REG

TSEC_THI_CLK_OVERRIDE

Bits Description
0-31 TSEC_THI_CLK_OVERRIDE_CYA

TSEC_FALCON_IRQSSET

Bits Description
0 TSEC_FALCON_IRQSSET_GPTMR
1 TSEC_FALCON_IRQSSET_WDTMR
2 TSEC_FALCON_IRQSSET_MTHD
3 TSEC_FALCON_IRQSSET_CTXSW
4 TSEC_FALCON_IRQSSET_HALT
5 TSEC_FALCON_IRQSSET_EXTERR
6 TSEC_FALCON_IRQSSET_SWGEN0
7 TSEC_FALCON_IRQSSET_SWGEN1
8-15 TSEC_FALCON_IRQSSET_EXT
16 TSEC_FALCON_IRQSSET_DMA

Used for setting Falcon's IRQs.

TSEC_FALCON_IRQSCLR

Bits Description
0 TSEC_FALCON_IRQSCLR_GPTMR
1 TSEC_FALCON_IRQSCLR_WDTMR
2 TSEC_FALCON_IRQSCLR_MTHD
3 TSEC_FALCON_IRQSCLR_CTXSW
4 TSEC_FALCON_IRQSCLR_HALT
5 TSEC_FALCON_IRQSCLR_EXTERR
6 TSEC_FALCON_IRQSCLR_SWGEN0
7 TSEC_FALCON_IRQSCLR_SWGEN1
8-15 TSEC_FALCON_IRQSCLR_EXT
16 TSEC_FALCON_IRQSCLR_DMA

Used for clearing Falcon's IRQs.

TSEC_FALCON_IRQSTAT

Bits Description
0 TSEC_FALCON_IRQSTAT_GPTMR
1 TSEC_FALCON_IRQSTAT_WDTMR
2 TSEC_FALCON_IRQSTAT_MTHD
3 TSEC_FALCON_IRQSTAT_CTXSW
4 TSEC_FALCON_IRQSTAT_HALT
5 TSEC_FALCON_IRQSTAT_EXTERR
6 TSEC_FALCON_IRQSTAT_SWGEN0
7 TSEC_FALCON_IRQSTAT_SWGEN1
8-15 TSEC_FALCON_IRQSTAT_EXT
16 TSEC_FALCON_IRQSTAT_DMA

Used for getting the status of Falcon's IRQs.

TSEC_FALCON_IRQMODE

Bits Description
0 TSEC_FALCON_IRQMODE_LVL_GPTMR
1 TSEC_FALCON_IRQMODE_LVL_WDTMR
2 TSEC_FALCON_IRQMODE_LVL_MTHD
3 TSEC_FALCON_IRQMODE_LVL_CTXSW
4 TSEC_FALCON_IRQMODE_LVL_HALT
5 TSEC_FALCON_IRQMODE_LVL_EXTERR
6 TSEC_FALCON_IRQMODE_LVL_SWGEN0
7 TSEC_FALCON_IRQMODE_LVL_SWGEN1
8-15 TSEC_FALCON_IRQMODE_LVL_EXT
16 TSEC_FALCON_IRQMODE_LVL_DMA

Used for changing the mode Falcon's IRQs. A value of 1 means level triggered while a value of 0 means edge triggered.

TSEC_FALCON_IRQMSET

Bits Description
0 TSEC_FALCON_IRQMSET_GPTMR
1 TSEC_FALCON_IRQMSET_WDTMR
2 TSEC_FALCON_IRQMSET_MTHD
3 TSEC_FALCON_IRQMSET_CTXSW
4 TSEC_FALCON_IRQMSET_HALT
5 TSEC_FALCON_IRQMSET_EXTERR
6 TSEC_FALCON_IRQMSET_SWGEN0
7 TSEC_FALCON_IRQMSET_SWGEN1
8-15 TSEC_FALCON_IRQMSET_EXT
16 TSEC_FALCON_IRQMSET_DMA

Used for setting the mask for Falcon's IRQs.

TSEC_FALCON_IRQMCLR

Bits Description
0 TSEC_FALCON_IRQMCLR_GPTMR
1 TSEC_FALCON_IRQMCLR_WDTMR
2 TSEC_FALCON_IRQMCLR_MTHD
3 TSEC_FALCON_IRQMCLR_CTXSW
4 TSEC_FALCON_IRQMCLR_HALT
5 TSEC_FALCON_IRQMCLR_EXTERR
6 TSEC_FALCON_IRQMCLR_SWGEN0
7 TSEC_FALCON_IRQMCLR_SWGEN1
8-15 TSEC_FALCON_IRQMCLR_EXT
16 TSEC_FALCON_IRQMCLR_DMA

Used for clearing the mask for Falcon's IRQs.

TSEC_FALCON_IRQMASK

Bits Description
0 TSEC_FALCON_IRQMASK_GPTMR
1 TSEC_FALCON_IRQMASK_WDTMR
2 TSEC_FALCON_IRQMASK_MTHD
3 TSEC_FALCON_IRQMASK_CTXSW
4 TSEC_FALCON_IRQMASK_HALT
5 TSEC_FALCON_IRQMASK_EXTERR
6 TSEC_FALCON_IRQMASK_SWGEN0
7 TSEC_FALCON_IRQMASK_SWGEN1
8-15 TSEC_FALCON_IRQMASK_EXT
16 TSEC_FALCON_IRQMASK_DMA

Used for getting the value of the mask for Falcon's IRQs.

TSEC_FALCON_IRQDEST

Bits Description
0 TSEC_FALCON_IRQDEST_HOST_GPTMR
1 TSEC_FALCON_IRQDEST_HOST_WDTMR
2 TSEC_FALCON_IRQDEST_HOST_MTHD
3 TSEC_FALCON_IRQDEST_HOST_CTXSW
4 TSEC_FALCON_IRQDEST_HOST_HALT
5 TSEC_FALCON_IRQDEST_HOST_EXTERR
6 TSEC_FALCON_IRQDEST_HOST_SWGEN0
7 TSEC_FALCON_IRQDEST_HOST_SWGEN1
8-15 TSEC_FALCON_IRQDEST_HOST_EXT
16 TSEC_FALCON_IRQDEST_TARGET_GPTMR
17 TSEC_FALCON_IRQDEST_TARGET_WDTMR
18 TSEC_FALCON_IRQDEST_TARGET_MTHD
19 TSEC_FALCON_IRQDEST_TARGET_CTXSW
20 TSEC_FALCON_IRQDEST_TARGET_HALT
21 TSEC_FALCON_IRQDEST_TARGET_EXTERR
22 TSEC_FALCON_IRQDEST_TARGET_SWGEN0
23 TSEC_FALCON_IRQDEST_TARGET_SWGEN1
24-31 TSEC_FALCON_IRQDEST_TARGET_EXT

Used for routing Falcon's IRQs.

TSEC_FALCON_GPTMRINT

Bits Description
0-31 TSEC_FALCON_GPTMRINT_VAL

TSEC_FALCON_GPTMRVAL

Bits Description
0-31 TSEC_FALCON_GPTMRVAL_VAL

TSEC_FALCON_GPTMRCTL

Bits Description
0 TSEC_FALCON_GPTMRCTL_GPTMREN

TSEC_FALCON_PTIMER0

Bits Description
0-31 TSEC_FALCON_PTIMER0_VAL

TSEC_FALCON_PTIMER1

Bits Description
0-31 TSEC_FALCON_PTIMER1_VAL

TSEC_FALCON_WDTMRVAL

Bits Description
0-31 TSEC_FALCON_WDTMRVAL_VAL

TSEC_FALCON_WDTMRCTL

Bits Description
0 TSEC_FALCON_WDTMRCTL_WDTMREN

TSEC_FALCON_IRQDEST2

Bits Description
0 TSEC_FALCON_IRQDEST2_HOST_DMA
16 TSEC_FALCON_IRQDEST2_TARGET_DMA

Used for routing Falcon's IRQs.

TSEC_FALCON_MAILBOX0

Bits Description
0-31 TSEC_FALCON_MAILBOX0_DATA

Scratch register for reading/writing data to Falcon.

TSEC_FALCON_MAILBOX1

Bits Description
0-31 TSEC_FALCON_MAILBOX1_DATA

Scratch register for reading/writing data to Falcon.

TSEC_FALCON_ITFEN

Bits Description
0 TSEC_FALCON_ITFEN_CTXEN
1 TSEC_FALCON_ITFEN_MTHDEN

Used for enabling/disabling Falcon interfaces.

TSEC_FALCON_IDLESTATE

Bits Description
0 TSEC_FALCON_IDLESTATE_FALCON_BUSY
1-15 TSEC_FALCON_IDLESTATE_EXT_BUSY

Used for detecting if Falcon is busy or not.

TSEC_FALCON_CURCTX

Bits Description
0-27 TSEC_FALCON_CURCTX_CTXPTR
28-29 TSEC_FALCON_CURCTX_CTXTGT
30 TSEC_FALCON_CURCTX_CTXVLD

TSEC_FALCON_NXTCTX

Bits Description
0-27 TSEC_FALCON_NXTCTX_CTXPTR
28-29 TSEC_FALCON_NXTCTX_CTXTGT
30 TSEC_FALCON_NXTCTX_CTXVLD

TSEC_FALCON_CTXACK

Bits Description
0 TSEC_FALCON_CTXACK_SAVE_ACK
1 TSEC_FALCON_CTXACK_REST_ACK

TSEC_FALCON_FHSTATE

Bits Description
0 TSEC_FALCON_FHSTATE_FALCON_HALTED
1-15 TSEC_FALCON_FHSTATE_EXT_HALTED
16 TSEC_FALCON_FHSTATE_ENGINE_FAULTED
17 TSEC_FALCON_FHSTATE_STALL_REQ

TSEC_FALCON_PRIVSTATE

Bits Description
0 TSEC_FALCON_PRIVSTATE_PRIV

TSEC_FALCON_MTHDDATA

Bits Description
0-31 TSEC_FALCON_MTHDDATA_DATA

TSEC_FALCON_MTHDID

Bits Description
0-11 TSEC_FALCON_MTHDID_ID
12-14 TSEC_FALCON_MTHDID_SUBCH
15 TSEC_FALCON_MTHDID_PRIV
16 TSEC_FALCON_MTHDID_WPEND

TSEC_FALCON_MTHDWDAT

Bits Description
0-31 TSEC_FALCON_MTHDWDAT_DATA

TSEC_FALCON_MTHDCOUNT

Bits Description
0-15 TSEC_FALCON_MTHDCOUNT_COUNT

TSEC_FALCON_MTHDPOP

Bits Description
0 TSEC_FALCON_MTHDPOP_POP

TSEC_FALCON_MTHDRAMSZ

Bits Description
0-15 TSEC_FALCON_MTHDRAMSZ_RAMSZ

TSEC_FALCON_SFTRESET

Bits Description
0 TSEC_FALCON_SFTRESET_EXT

TSEC_FALCON_OS

Bits Description
0-31 TSEC_FALCON_OS_VERSION

TSEC_FALCON_RM

Bits Description
0-31 TSEC_FALCON_RM_CONFIG

TSEC_FALCON_SOFT_PM

Bits Description
0-5 TSEC_FALCON_SOFT_PM_PROBE
16 TSEC_FALCON_SOFT_PM_TRIGGER_END
17 TSEC_FALCON_SOFT_PM_TRIGGER_START

TSEC_FALCON_SOFT_MODE

Bits Description
0-5 TSEC_FALCON_SOFT_MODE_PROBE

TSEC_FALCON_DEBUG1

Bits Description
0-15 TSEC_FALCON_DEBUG1_MTHD_DRAIN_TIME
16 TSEC_FALCON_DEBUG1_CTXSW_MODE

TSEC_FALCON_DEBUGINFO

Bits Description
0-31 TSEC_FALCON_DEBUGINFO_DATA

Used for UCODE self revocation. This register takes the base address of the GSC carveout shifted right by 8.

[6.0.0+] nvservices sets this to 0x8005FF00 >> 8 (physical DRAM address inside the GPU UCODE carveout) before starting the nvhost_tsec firmware.

TSEC_FALCON_IBRKPT1

Bits Description
0-23 TSEC_FALCON_IBRKPT1_PC
29 TSEC_FALCON_IBRKPT1_SUPPRESS
30 TSEC_FALCON_IBRKPT1_SKIP
31 TSEC_FALCON_IBRKPT1_EN

TSEC_FALCON_IBRKPT2

Bits Description
0-23 TSEC_FALCON_IBRKPT2_PC
29 TSEC_FALCON_IBRKPT2_SUPPRESS
30 TSEC_FALCON_IBRKPT2_SKIP
31 TSEC_FALCON_IBRKPT2_EN

TSEC_FALCON_CGCTL

Bits Description
0 TSEC_FALCON_CGCTL_CG_OVERRIDE

TSEC_FALCON_ENGCTL

Bits Description
0 TSEC_FALCON_ENGCTL_INV_CONTEXT
1 TSEC_FALCON_ENGCTL_SET_STALLREQ
2 TSEC_FALCON_ENGCTL_CLR_STALLREQ
3 TSEC_FALCON_ENGCTL_SWITCH_CONTEXT
8 TSEC_FALCON_ENGCTL_STALLREQ
9 TSEC_FALCON_ENGCTL_STALLACK

TSEC_FALCON_PMM

Bits Description
0-4 TSEC_FALCON_PMM_FALCON_STALL_SEL
0x00: ANY
0x01: CODE
0x02: DMAQ
0x03: DMFENCE
0x04: DMWAIT
0x05: IMWAIT
0x06: IPND
0x07: LDSTQ
0x08: SB
0x09: ANY_SC
0x0A: CODE_SC
0x0B: DMAQ_SC
0x0C: DMFENCE_SC
0x0D: DMWAIT_SC
0x0E: IMWAIT_SC
0x0F: IPND_SC
0x10: LDSTQ_SC
0x11: SB_SC
5-7 TSEC_FALCON_PMM_FALCON_IDLE_SEL
0x00: WAITING
0x01: ENG_IDLE
0x02: MTHD_FULL
0x03: WAITING_SC
0x04: ENG_IDLE_SC
0x05: MTHD_FULL_SC
8-11 TSEC_FALCON_PMM_FALCON_SOFTPM0_SEL
0x00: 0
0x01: 1
0x02: 2
0x03: 3
0x04: 4
0x05: 5
0x06: 0_SC
0x07: 1_SC
0x08: 2_SC
0x09: 3_SC
0x0A: 4_SC
0x0B: 5_SC
12-15 TSEC_FALCON_PMM_FALCON_SOFTPM1_SEL
0x00: 0
17-19 TSEC_FALCON_PMM_TFBIF_DSTAT_SEL
0x00: 1KTRANSFER
0x01: RREQ
0x02: WREQ
0x03: TWREQ
0x04: 1KTRANSFER_SC
0x05: RREQ_SC
0x06: WREQ_SC
0x07: TWREQ_SC
20-23 TSEC_FALCON_PMM_TFBIF_STALL0_SEL
0x00: RDATQ_FULL
0x01: RACKQ_FULL
0x02: WREQQ_FULL
0x03: WDATQ_FULL
0x04: WACKQ_FULL
0x05: MREQQ_FULL
0x06: RREQ_PEND
0x07: WREQ_PEND
0x08: RDATQ_FULL_SC
0x09: RACKQ_FULL_SC
0x0A: WREQQ_FULL_SC
0x0B: WDATQ_FULL_SC
0x0C: WACKQ_FULL_SC
0x0D: MREQQ_FULL_SC
0x0E: RREQ_PEND_SC
0x0F: WREQ_PEND_SC
24-27 TSEC_FALCON_PMM_TFBIF_STALL1_SEL
0x00: RDATQ_FULL
28-31 TSEC_FALCON_PMM_TFBIF_STALL2_SEL
0x00: RDATQ_FULL

TSEC_FALCON_ADDR

Bits Description
0-5 TSEC_FALCON_ADDR_LSB
6-11 TSEC_FALCON_ADDR_MSB

TSEC_FALCON_IBRKPT3

Bits Description
0-23 TSEC_FALCON_IBRKPT3_PC
29 TSEC_FALCON_IBRKPT3_SUPPRESS
30 TSEC_FALCON_IBRKPT3_SKIP
31 TSEC_FALCON_IBRKPT3_EN

TSEC_FALCON_IBRKPT4

Bits Description
0-23 TSEC_FALCON_IBRKPT4_PC
29 TSEC_FALCON_IBRKPT4_SUPPRESS
30 TSEC_FALCON_IBRKPT4_SKIP
31 TSEC_FALCON_IBRKPT4_EN

TSEC_FALCON_IBRKPT5

Bits Description
0-23 TSEC_FALCON_IBRKPT5_PC
29 TSEC_FALCON_IBRKPT5_SUPPRESS
30 TSEC_FALCON_IBRKPT5_SKIP
31 TSEC_FALCON_IBRKPT5_EN

TSEC_FALCON_EXCI

Bits Description
0-19 TSEC_FALCON_EXCI_EXPC
20-23 TSEC_FALCON_EXCI_EXCAUSE
0x00: TRAP0
0x01: TRAP1
0x02: TRAP2
0x03: TRAP3
0x08: ILL_INS (invalid opcode)
0x09: INV_INS (authentication entry)
0x0A: MISS_INS (page miss)
0x0B: DHIT_INS (page multiple hit)
0x0F: BRKPT_INS (breakpoint hit)

Contains information about raised exceptions.

TSEC_FALCON_SVEC_SPR

Bits Description
18 TSEC_FALCON_SVEC_SPR_SIGPASS

TSEC_FALCON_RSTAT0

Mirror of the ICD status register 0.

TSEC_FALCON_RSTAT3

Mirror of the ICD status register 3.

TSEC_FALCON_SIRQMASK

Unofficial name.

Same as TSEC_FALCON_IRQMASK, but for LS mode.

TSEC_FALCON_CPUCTL

Bits Description
0 TSEC_FALCON_CPUCTL_IINVAL
1 TSEC_FALCON_CPUCTL_STARTCPU
2 TSEC_FALCON_CPUCTL_SRESET
3 TSEC_FALCON_CPUCTL_HRESET
4 TSEC_FALCON_CPUCTL_HALTED
5 TSEC_FALCON_CPUCTL_STOPPED
6 TSEC_FALCON_CPUCTL_ALIAS_EN

Used for signaling the Falcon CPU.

TSEC_FALCON_BOOTVEC

Bits Description
0-31 TSEC_FALCON_BOOTVEC_VEC

Takes the Falcon's boot vector address.

TSEC_FALCON_HWCFG

Bits Description
0-8 TSEC_FALCON_HWCFG_IMEM_SIZE
9-17 TSEC_FALCON_HWCFG_DMEM_SIZE
18-26 TSEC_FALCON_HWCFG_METHODFIFO_DEPTH
27-31 TSEC_FALCON_HWCFG_DMAQUEUE_DEPTH

TSEC_FALCON_DMACTL

Bits Description
0 TSEC_FALCON_DMACTL_REQUIRE_CTX
1 TSEC_FALCON_DMACTL_DMEM_SCRUBBING
2 TSEC_FALCON_DMACTL_IMEM_SCRUBBING
3-6 TSEC_FALCON_DMACTL_DMAQ_NUM
7 TSEC_FALCON_DMACTL_SECURE_STAT

Used for configuring the Falcon's DMA engine.

TSEC_FALCON_DMATRFBASE

Bits Description
0-31 TSEC_FALCON_DMATRFBASE_BASE

Base address of the external memory buffer, shifted right by 8.

The current transfer address is calculated by adding TSEC_FALCON_DMATRFFBOFFS to the base.

TSEC_FALCON_DMATRFMOFFS

Bits Description
0-15 TSEC_FALCON_DMATRFMOFFS_OFFS

For transfers to DMEM: the destination address. For transfers to IMEM: the destination virtual IMEM page.

TSEC_FALCON_DMATRFCMD

Bits Description
0 TSEC_FALCON_DMATRFCMD_FULL
1 TSEC_FALCON_DMATRFCMD_IDLE
2-3 TSEC_FALCON_DMATRFCMD_SEC
4 TSEC_FALCON_DMATRFCMD_IMEM
5 TSEC_FALCON_DMATRFCMD_WRITE
8-10 TSEC_FALCON_DMATRFCMD_SIZE
12-14 TSEC_FALCON_DMATRFCMD_CTXDMA

Used for configuring DMA transfers.

TSEC_FALCON_DMATRFFBOFFS

Bits Description
0-31 TSEC_FALCON_DMATRFFBOFFS_OFFS

For transfers to IMEM: the destination physical IMEM page.

TSEC_FALCON_DMAPOLL_FB

Bits Description
0 TSEC_FALCON_DMAPOLL_FB_FENCE_ACTIVE
1 TSEC_FALCON_DMAPOLL_FB_DMA_ACTIVE
4 TSEC_FALCON_DMAPOLL_FB_CFG_R_FENCE
5 TSEC_FALCON_DMAPOLL_FB_CFG_W_FENCE
16-23 TSEC_FALCON_DMAPOLL_FB_WCOUNT
24-31 TSEC_FALCON_DMAPOLL_FB_RCOUNT

Contains the status of a DMA transfer between the Falcon and external memory.

TSEC_FALCON_DMAPOLL_CP

Bits Description
0 TSEC_FALCON_DMAPOLL_CP_FENCE_ACTIVE
1 TSEC_FALCON_DMAPOLL_CP_DMA_ACTIVE
4 TSEC_FALCON_DMAPOLL_CP_CFG_R_FENCE
5 TSEC_FALCON_DMAPOLL_CP_CFG_W_FENCE
16-23 TSEC_FALCON_DMAPOLL_CP_WCOUNT
24-31 TSEC_FALCON_DMAPOLL_CP_RCOUNT

Contains the status of a DMA transfer between the Falcon and the SCP.

TSEC_FALCON_HWCFG1

Bits Description
0-3 TSEC_FALCON_HWCFG1_CORE_REV
4-5 TSEC_FALCON_HWCFG1_SECURITY_MODEL
6-7 TSEC_FALCON_HWCFG1_CORE_REV_SUBVERSION
8-11 TSEC_FALCON_HWCFG1_IMEM_PORTS
12-15 TSEC_FALCON_HWCFG1_DMEM_PORTS
16-20 TSEC_FALCON_HWCFG1_TAG_WIDTH
27 TSEC_FALCON_HWCFG1_DBG_PRIV_BUS
28 TSEC_FALCON_HWCFG1_CSB_SIZE_16M
29 TSEC_FALCON_HWCFG1_PRIV_DIRECT
30 TSEC_FALCON_HWCFG1_DMEM_APERTURES
31 TSEC_FALCON_HWCFG1_IMEM_AUTOFILL

TSEC_FALCON_CPUCTL_ALIAS

Bits Description
1 TSEC_FALCON_CPUCTL_ALIAS_STARTCPU

TSEC_FALCON_STACKCFG

Bits Description
0-15 TSEC_FALCON_STACKCFG_BOTTOM
31 TSEC_FALCON_STACKCFG_SPEXC

TSEC_FALCON_IMCTL

Bits Description
0-23 TSEC_FALCON_IMCTL_ADDR_BLK
24-26 TSEC_FALCON_IMCTL_CMD
0x00: NOP
0x01: IMINV (ITLB)
0x02: IMBLK (PTLB)
0x03: IMTAG (VTLB)
0x04: IMTAG_SETVLD

Controls the Falcon TLB.

TSEC_FALCON_IMSTAT

Bits Description
0-31 TSEC_FALCON_IMSTAT_VAL

Returns the result of the last command from TSEC_FALCON_IMCTL.

TSEC_FALCON_TRACEIDX

Bits Description
0-7 TSEC_FALCON_TRACEIDX_IDX
16-23 TSEC_FALCON_TRACEIDX_MAXIDX
24-31 TSEC_FALCON_TRACEIDX_CNT

Controls the index for tracing with TSEC_FALCON_TRACEPC.

TSEC_FALCON_TRACEPC

Bits Description
0-23 TSEC_FALCON_TRACEPC_PC

Returns the PC of the last call or branch executed.

TSEC_FALCON_IMFILLRNG0

Bits Description
0-15 TSEC_FALCON_IMFILLRNG0_TAG_LO
16-31 TSEC_FALCON_IMFILLRNG0_TAG_HI

TSEC_FALCON_IMFILLRNG1

Bits Description
0-15 TSEC_FALCON_IMFILLRNG1_TAG_LO
16-31 TSEC_FALCON_IMFILLRNG1_TAG_HI

TSEC_FALCON_IMFILLCTL

Bits Description
0-7 TSEC_FALCON_IMFILLCTL_NBLOCKS

TSEC_FALCON_IMCTL_DEBUG

Bits Description
0-23 TSEC_FALCON_IMCTL_DEBUG_ADDR_BLK
24-26 TSEC_FALCON_IMCTL_DEBUG_CMD
0x00: NOP
0x02: IMBLK
0x03: IMTAG

TSEC_FALCON_CMEMBASE

Bits Description
18-31 TSEC_FALCON_CMEMBASE_VAL

TSEC_FALCON_DMEMAPERT

Bits Description
0-7 TSEC_FALCON_DMEMAPERT_TIME_OUT
8-11 TSEC_FALCON_DMEMAPERT_TIME_UNIT
16 TSEC_FALCON_DMEMAPERT_ENABLE
17-19 TSEC_FALCON_DMEMAPERT_LDSTQ_NUM

TSEC_FALCON_EXTERRADDR

Bits Description
0-31 TSEC_FALCON_EXTERRADDR_ADDR

TSEC_FALCON_EXTERRSTAT

Bits Description
0-23 TSEC_FALCON_EXTERRSTAT_PC
24-27 TSEC_FALCON_EXTERRSTAT_STAT
31 TSEC_FALCON_EXTERRSTAT_VALID

TSEC_FALCON_CG2

Bits Description
1 TSEC_FALCON_CG2_SLCG_FALCON_DMA
2 TSEC_FALCON_CG2_SLCG_FALCON_GC6_SR_FSM
3 TSEC_FALCON_CG2_SLCG_FALCON_PIPE
4 TSEC_FALCON_CG2_SLCG_FALCON_DIV
5 TSEC_FALCON_CG2_SLCG_FALCON_ICD
6 TSEC_FALCON_CG2_SLCG_FALCON_CFG
7 TSEC_FALCON_CG2_SLCG_FALCON_CTXSW
8 TSEC_FALCON_CG2_SLCG_FALCON_PMB
9 TSEC_FALCON_CG2_SLCG_FALCON_RF
10 TSEC_FALCON_CG2_SLCG_FALCON_MUL
11 TSEC_FALCON_CG2_SLCG_FALCON_LDST
12 TSEC_FALCON_CG2_SLCG_FALCON_TSYNC
13 TSEC_FALCON_CG2_SLCG_FALCON_GPTMR
14 TSEC_FALCON_CG2_SLCG_FALCON_WDTMR
15 TSEC_FALCON_CG2_SLCG_FALCON_IRQSTAT
16 TSEC_FALCON_CG2_SLCG_FALCON_TOP
17 TSEC_FALCON_CG2_SLCG_FBIF

TSEC_FALCON_IMEMC

Bits Description
2-7 TSEC_FALCON_IMEMC_OFFS
8-15 TSEC_FALCON_IMEMC_BLK
24 TSEC_FALCON_IMEMC_AINCW
25 TSEC_FALCON_IMEMC_AINCR
28 TSEC_FALCON_IMEMC_SECURE
29 TSEC_FALCON_IMEMC_SEC_ATOMIC
30 TSEC_FALCON_IMEMC_SEC_WR_VIO
31 TSEC_FALCON_IMEMC_SEC_LOCK

Used for configuring access to Falcon's IMEM.

TSEC_FALCON_IMEMD

Bits Description
0-31 TSEC_FALCON_IMEMD_DATA

Returns or takes the value for an IMEM read/write operation.

TSEC_FALCON_IMEMT

Bits Description
0-15 TSEC_FALCON_IMEMT_TAG

Returns or takes the virtual page index for an IMEM read/write operation.

TSEC_FALCON_DMEMC

Bits Description
2-7 TSEC_FALCON_DMEMC_OFFS
8-15 TSEC_FALCON_DMEMC_BLK
24 TSEC_FALCON_DMEMC_AINCW
25 TSEC_FALCON_DMEMC_AINCR

Used for configuring access to Falcon's DMEM.

TSEC_FALCON_DMEMD

Bits Description
0-31 TSEC_FALCON_DMEMD_DATA

Returns or takes the value for a DMEM read/write operation.

TSEC_FALCON_ICD_CMD

Bits Description
0-3 TSEC_FALCON_ICD_CMD_OPC
0x00: STOP
0x01: RUN (run from PC)
0x02: JRUN (run from address)
0x03: RUNB (run from PC)
0x04: JRUNB (run from address)
0x05: STEP (step from PC)
0x06: JSTEP (step from address)
0x07: EMASK (set exception mask)
0x08: RREG (read register)
0x09: WREG (write register)
0x0A: RDM (read data memory)
0x0B: WDM (write data memory)
0x0C: RCM (read MMIO/configuration memory)
0x0D: WCM (write MMIO/configuration memory)
0x0E: RSTAT (read status)
0x0F: SBU (store buffer update)
6-7 TSEC_FALCON_ICD_CMD_SZ
0x00: B (byte)
0x01: HW (half word)
0x02: W (word)
8-12 TSEC_FALCON_ICD_CMD_IDX
0x00: REG0 | RSTAT0 | WB0
0x01: REG1 | RSTAT1 | WB1
0x02: REG2 | RSTAT2 | WB2
0x03: REG3 | RSTAT3 | WB3
0x04: REG4 | RSTAT4
0x05: REG5 | RSTAT5
0x06: REG6
0x07: REG7
0x08: REG8
0x09: REG9
0x0A: REG10
0x0B: REG11
0x0C: REG12
0x0D: REG13
0x0E: REG14
0x0F: REG15
0x10: IV0
0x11: IV1
0x12: UNDEFINED
0x13: EV
0x14: SP
0x15: PC
0x16: IMB
0x17: DMB
0x18: CSW
0x19: CCR
0x1A: SEC
0x1B: CTX
0x1C: EXCI
0x1D: SEC1
0x1E: IMB1
0x1F: DMB1
14 TSEC_FALCON_ICD_CMD_ERROR
15 TSEC_FALCON_ICD_CMD_RDVLD
16-31 TSEC_FALCON_ICD_CMD_PARM
0x0001: EMASK_TRAP0
0x0002: EMASK_TRAP1
0x0004: EMASK_TRAP2
0x0008: EMASK_TRAP3
0x0010: EMASK_EXC_UNIMP
0x0020: EMASK_EXC_IMISS
0x0040: EMASK_EXC_IMHIT
0x0080: EMASK_EXC_IBREAK
0x0100: EMASK_IV0
0x0200: EMASK_IV1
0x0400: EMASK_IV2
0x0800: EMASK_EXT0
0x1000: EMASK_EXT1
0x2000: EMASK_EXT2
0x4000: EMASK_EXT3
0x8000: EMASK_EXT4

Used for sending commands to the Falcon's in-chip debugger.

TSEC_FALCON_ICD_ADDR

Bits Description
0-31 TSEC_FALCON_ICD_ADDR_ADDR

Takes the target address for the Falcon's in-chip debugger.

TSEC_FALCON_ICD_WDATA

Bits Description
0-31 TSEC_FALCON_ICD_WDATA_DATA

Takes the data for writing using the Falcon's in-chip debugger.

TSEC_FALCON_ICD_RDATA

Bits Description
0-31 TSEC_FALCON_ICD_RDATA_DATA

Returns the data read using the Falcon's in-chip debugger.

When reading from an internal status register (STAT), the following applies:

Bits Description
0 RSTAT0_MEM_STALL
1 RSTAT0_DMA_STALL
2 RSTAT0_FENCE_STALL
3 RSTAT0_DIV_STALL
4 RSTAT0_DMA_STALL_DMAQ
5 RSTAT0_DMA_STALL_DMWAITING
6 RSTAT0_DMA_STALL_IMWAITING
7 RSTAT0_ANY_STALL
8 RSTAT0_SBFULL_STALL
9 RSTAT0_SBHIT_STALL
10 RSTAT0_FLOW_STALL
11 RSTAT0_SP_STALL
12 RSTAT0_BL_STALL
13 RSTAT0_IPND_STALL
14 RSTAT0_LDSTQ_STALL
16 RSTAT0_NOINSTR_STALL
20 RSTAT0_HALTSTOP_FLUSH
21 RSTAT0_AFILL_FLUSH
22 RSTAT0_EXC_FLUSH
23-25 RSTAT0_IRQ_FLUSH
28 RSTAT0_VALIDRD
29 RSTAT0_WAITING
30 RSTAT0_HALTED
31 RSTAT0_MTHD_FULL
Bits Description
0-3 RSTAT1_WB_ALLOC
4-7 RSTAT1_WB_VALID
8-9 RSTAT1_WB0_SZ
10-11 RSTAT1_WB1_SZ
12-13 RSTAT1_WB2_SZ
14-15 RSTAT1_WB3_SZ
16-19 RSTAT1_WB0_IDX
20-23 RSTAT1_WB1_IDX
24-27 RSTAT1_WB2_IDX
28-31 RSTAT1_WB3_IDX
Bits Description
0-3 RSTAT2_DMAQ_NUM
4 RSTAT2_DMA_ENABLE
5-7 RSTAT2_LDSTQ_NUM
16-19 RSTAT2_EM_BUSY
20-23 RSTAT2_EM_ACKED
24-27 RSTAT2_EM_ISWR
28-31 RSTAT2_EM_DVLD
Bits Description
0 RSTAT3_MTHD_IDLE
1 RSTAT3_CTXSW_IDLE
2 RSTAT3_DMA_IDLE
3 RSTAT3_SCP_IDLE
4 RSTAT3_LDST_IDLE
5 RSTAT3_SBWB_EMPTY
6-8 RSTAT3_CSWIE
10 RSTAT3_CSWE
12-14 RSTAT3_CTXSW_STATE
0x00: IDLE
0x01: SM_CHECK
0x02: SM_SAVE
0x03: SM_SAVE_WAIT
0x04: SM_BLK_BIND
0x05: SM_RESET
0x06: SM_RESETWAIT
0x07: SM_ACK
15 RSTAT3_CTXSW_PEND
17 RSTAT3_DMA_FBREQ_IDLE
18 RSTAT3_DMA_ACKQ_EMPTY
19 RSTAT3_DMA_RDQ_EMPTY
20 RSTAT3_DMA_WR_BUSY
21 RSTAT3_DMA_RD_BUSY
22 RSTAT3_LDST_XT_BUSY
23 RSTAT3_LDST_XT_BLOCK
24 RSTAT3_ENG_IDLE
Bits Description
0-1 RSTAT4_ICD_STATE
0x00: NORMAL
0x01: WAIT_ISSUE_CLEAR
0x02: WAIT_EXLDQ_CLEAR
0x03: FULL_DBG_MODE
2-3 RSTAT4_ICD_MODE
0x00: SUPPRESSICD
0x01: ENTERICD_IBRK
0x02: ENTERICD_STEP
16 RSTAT4_ICD_EMASK_TRAP0
17 RSTAT4_ICD_EMASK_TRAP1
18 RSTAT4_ICD_EMASK_TRAP2
19 RSTAT4_ICD_EMASK_TRAP3
20 RSTAT4_ICD_EMASK_EXC_UNIMP
21 RSTAT4_ICD_EMASK_EXC_IMISS
22 RSTAT4_ICD_EMASK_EXC_IMHIT
23 RSTAT4_ICD_EMASK_EXC_IBREAK
24 RSTAT4_ICD_EMASK_IV0
25 RSTAT4_ICD_EMASK_IV1
26 RSTAT4_ICD_EMASK_IV2
27 RSTAT4_ICD_EMASK_EXT0
28 RSTAT4_ICD_EMASK_EXT1
29 RSTAT4_ICD_EMASK_EXT2
30 RSTAT4_ICD_EMASK_EXT3
31 RSTAT4_ICD_EMASK_EXT4
Bits Description
0-7 RSTAT5_LRU_STATE

TSEC_FALCON_SCTL

Bits Description
0 TSEC_FALCON_SCTL_LSMODE
1 TSEC_FALCON_SCTL_HSMODE
4-5 Current access level
8-9 Unknown access level
12 Unknown
13 Unknown
14 Initialize the transition to LS mode

TSEC_FALCON_SERRSTAT

Bits Description
0-23 Unknown
30 Unknown
31 Set on memory protection violation

Unofficial name.

Used for detecting invalid CSB accesses in LS mode.

TSEC_FALCON_SERRVAL

Bits Description
0-31 Error code

Unofficial name.

TSEC_FALCON_SERRADDR

Bits Description
0-31 Error address

Unofficial name.

TSEC_FALCON_SCTL1

Bits Description
0-1 CSB access level
2-3 Unknown access level

Unofficial name.

TSEC_FALCON_STEST

Bits Description
0-31 Unknown

Unofficial name.

TSEC_FALCON_SICD

Bits Description
0 Enable access to ICD command STOP
1 Enable access to ICD command RUN
2 Enable access to ICD command RUNB
3 Enable access to ICD command STEP
4 Enable access to ICD command EMASK
5 Enable access to ICD command RREG (only for SPRs)
6 Enable access to ICD command RSTAT
7 Enable access to IBRKPT registers
8 Enable access to ICD command RREG (only for GPRs)
9 Enable access to ICD command RDM

Unofficial name.

Controls access to the ICD in LS mode.

TSEC_FALCON_SPROT_IMEM

Bits Description
0-2 Read access level
3 Set on memory read access violation
4-6 Write access level
7 Set on memory write access violation

Unofficial name.

Controls accesses to Falcon IMEM.

TSEC_FALCON_SPROT_DMEM

Bits Description
0-2 Read access level
3 Set on memory read access violation
4-6 Write access level
7 Set on memory write access violation

Unofficial name.

Controls accesses to Falcon DMEM.

TSEC_FALCON_SPROT_CPUCTL

Bits Description
0-2 Read access level
3 Set on memory read access violation
4-6 Write access level
7 Set on memory write access violation

Unofficial name.

Controls accesses to the TSEC_FALCON_CPUCTL register.

TSEC_FALCON_SPROT_MISC

Bits Description
0-2 Read access level
3 Set on memory read access violation
4-6 Write access level
7 Set on memory write access violation

Unofficial name.

Controls accesses to the following registers:

TSEC_FALCON_SPROT_IRQ

Bits Description
0-2 Read access level
3 Set on memory read access violation
4-6 Write access level
7 Set on memory write access violation

Unofficial name.

Controls accesses to the following registers:

TSEC_FALCON_SPROT_MTHD

Bits Description
0-2 Read access level
3 Set on memory read access violation
4-6 Write access level
7 Set on memory write access violation

Unofficial name.

Controls accesses to the following registers:

TSEC_FALCON_SPROT_SCTL

Bits Description
0-2 Read access level
3 Set on memory read access violation
4-6 Write access level
7 Set on memory write access violation

Unofficial name.

Controls accesses to the TSEC_FALCON_SCTL register.

TSEC_FALCON_SPROT_WDTMR

Bits Description
0-2 Read access level
3 Set on memory read access violation
4-6 Write access level
7 Set on memory write access violation

Unofficial name.

Controls accesses to the following registers:

TSEC_FALCON_DMAINFO_FINISHED_FBRD_LOW

Bits Description
0-31 TSEC_FALCON_DMAINFO_FINISHED_FBRD_LOW_VAL

TSEC_FALCON_DMAINFO_FINISHED_FBRD_HIGH

Bits Description
0-30 TSEC_FALCON_DMAINFO_FINISHED_FBRD_HIGH_VAL
31 TSEC_FALCON_DMAINFO_FINISHED_FBRD_HIGH_OBIT

TSEC_FALCON_DMAINFO_FINISHED_FBWR_LOW

Bits Description
0-31 TSEC_FALCON_DMAINFO_FINISHED_FBWR_LOW_VAL

TSEC_FALCON_DMAINFO_FINISHED_FBWR_HIGH

Bits Description
0-30 TSEC_FALCON_DMAINFO_FINISHED_FBWR_HIGH_VAL
31 TSEC_FALCON_DMAINFO_FINISHED_FBWR_HIGH_OBIT

TSEC_FALCON_DMAINFO_CURRENT_FBRD_LOW

Bits Description
0-31 TSEC_FALCON_DMAINFO_CURRENT_FBRD_LOW_VAL

TSEC_FALCON_DMAINFO_CURRENT_FBRD_HIGH

Bits Description
0-30 TSEC_FALCON_DMAINFO_CURRENT_FBRD_HIGH_VAL
31 TSEC_FALCON_DMAINFO_CURRENT_FBRD_HIGH_OBIT

TSEC_FALCON_DMAINFO_CURRENT_FBWR_LOW

Bits Description
0-31 TSEC_FALCON_DMAINFO_CURRENT_FBWR_LOW_VAL

TSEC_FALCON_DMAINFO_CURRENT_FBWR_HIGH

Bits Description
0-30 TSEC_FALCON_DMAINFO_CURRENT_FBWR_HIGH_VAL
31 TSEC_FALCON_DMAINFO_CURRENT_FBWR_HIGH_OBIT

TSEC_FALCON_DMAINFO_CTL

Bits Description
0 TSEC_FALCON_DMAINFO_CTL_CLR_FBRD
1 TSEC_FALCON_DMAINFO_CTL_CLR_FBWR

TSEC_SCP_CTL0

Bits Description
10 Enable Falcon<->LOAD interface
12 Enable Falcon<->STORE interface
14 Enable Falcon<->CMD interface
16 Enable SEQ
20 Enable CTL

Unofficial name.

TSEC_SCP_CTL1

Bits Description
0 Clear SEQ
8 Clear SCP's internal pipeline
11 Enable RNG's test mode
12 Enable RNG
16 Enable Falcon<->LOAD interface's dummy mode (all reads return 0)
20 Enable Falcon<->LOAD interface bypassing (all reads are dropped)
24 Enable Falcon<->STORE interface bypassing (all writes are dropped)

Unofficial name.

TSEC_SCP_CTL_STAT

Bits Description
20 TSEC_SCP_CTL_STAT_DEBUG_MODE

TSEC_SCP_CTL_LOCK

Bits Description
0 Enable lockdown mode (locks IMEM and DMEM)
1 Lockdown has pending exit request
2 Lockdown has been enabled before
4 Enable SCP lockdown mode (locks SCP's MMIO register space)
6 SCP lockdown has been enabled before

Unofficial name.

Controls lockdown mode. Can only be cleared in HS mode.

TSEC_SCP_CFG

Bits Description
0 Endianness for ADD
0: Little
1: Big
1 Endianness for GFMUL
0: Little
1: Big
2 Endianness for LOAD
0: Little
1: Big
3 Endianness for STORE
0: Little
1: Big
4 Endianness for AES
0: Little
1: Big
8 Flush CMD
12-13 Carry chain's size
0: 32 bits
1: 64 bits
2: 96 bits
3: 128 bits
16-31 SCP's internal pipeline stall timeout value

Unofficial name.

TSEC_SCP_CTL_SCP

Bits Description
0 Swap SCP's master
1 Current SCP's master
0: Falcon
1: External

Unofficial name.

TSEC_SCP_CTL_PKEY

Bits Description
0 TSEC_SCP_CTL_PKEY_REQUEST_RELOAD
1 TSEC_SCP_CTL_PKEY_LOADED

TSEC_SCP_CTL_DBG

Bits Description
4 Disable lockdown mode
8 Disable SCP lockdown mode

Unofficial name.

Overrides lockdown mode. Can only be set in debug mode.

TSEC_SCP_DBG0

Bits Description
0-3 Index
4 Auto-increment
5-6 Target
0: None
1: STORE
2: LOAD
3: SEQ
8-12 SEQ's current sequence's size
13-16 SEQ's current instruction's address
17 SEQ's current instruction is valid
18 SEQ is running in HS mode
19-22 LOAD's queue's size
23 LOAD's current operation is valid
24 LOAD is running in HS mode
25-26 STORE's queue's size
30 STORE's current operation is valid
31 STORE is running in HS mode

Unofficial name.

Used for debugging the LOAD, STORE and SEQ blocks.

TSEC_SCP_DBG1

Bits Description
0-31 Data
If target is SEQ:
  Bits 0-3: current instruction's first operand
  Bits 4-9: current instruction's second operand
  Bits 10-14: current instruction's opcode

Unofficial name.

Used for retrieving debug data. Contains information on the last crypto sequence created when debugging the SEQ block.

TSEC_SCP_DBG2

Bits Description
0-1 SEQ's state
0: Idle
1: Recording (cs0begin/cs1begin)
2: Executing (cs0exec/cs1exec)
4-7 Number of cycles left for SEQ's current sequence
12-15 Active crypto key register (ckeyreg)

Unofficial name.

Used for retrieving additional debug data associated with the SEQ block.

TSEC_SCP_CMD

Bits Description
0-3 Destination register
8-13 Source register or immediate value
20-24 Command opcode
0x0:  nop (fuc5 opcode 0x00) 
0x1:  cmov (fuc5 opcode 0x84)
0x2:  cxsin (fuc5 opcode 0x88) or xdst (with cxset)
0x3:  cxsout (fuc5 opcode 0x8C) or xdld (with cxset) 
0x4:  crnd (fuc5 opcode 0x90)
0x5:  cs0begin (fuc5 opcode 0x94)
0x6:  cs0exec (fuc5 opcode 0x98)
0x7:  cs1begin (fuc5 opcode 0x9C)
0x8:  cs1exec (fuc5 opcode 0xA0)
0x9:  invalid (fuc5 opcode 0xA4)
0xA:  cchmod (fuc5 opcode 0xA8)
0xB:  cxor (fuc5 opcode 0xAC)
0xC:  cadd (fuc5 opcode 0xB0)
0xD:  cand (fuc5 opcode 0xB4)
0xE:  crev (fuc5 opcode 0xB8)
0xF:  cgfmul (fuc5 opcode 0xBC)
0x10: csecret (fuc5 opcode 0xC0)
0x11: ckeyreg (fuc5 opcode 0xC4)
0x12: ckexp (fuc5 opcode 0xC8)
0x13: ckrexp (fuc5 opcode 0xCC)
0x14: cenc (fuc5 opcode 0xD0)
0x15: cdec (fuc5 opcode 0xD4)
0x16: csigcmp (fuc5 opcode 0xD8)
0x17: csigenc (fuc5 opcode 0xDC)
0x18: csigclr (fuc5 opcode 0xE0)
28 CMD's current instruction is valid
31 CMD is running in HS mode

Unofficial name.

Contains information on the last crypto command executed.

TSEC_SCP_STAT0

Bits Description
0 SCP is active
2 CMD is active
4 STORE is active
6 SEQ is active
8 CTL is active
10 LOAD is active
14 AES is active
16 RNG is active

Unofficial name.

Contains the statuses of hardware blocks.

TSEC_SCP_STAT1

Bits Description
0-1 Signature comparison result
0: None
1: Running
2: Failed
3: Succeeded
4 Falcon<->LOAD interface is running in HS mode
6 Falcon<->LOAD interface is ready
8 Falcon<->STORE interface is running in HS mode
10 Falcon<->STORE interface received a valid operation
12 Falcon<->CMD interface is running in HS mode
14 Falcon<->CMD interface received a valid instruction

Unofficial name.

Contains the statuses of hardware interfaces and the result of the last authentication attempt.

TSEC_SCP_STAT2

Bits Description
0-4 Current opcode in SEQ
5-9 Current opcode in Falcon<->CMD interface
10-14 Pending opcode in CMD
15-16 Current opcode in AES
0: Encryption
1: Decryption
2: Key expansion
3: Key reverse expansion
24 SCP's internal pipeline is stalled on hazard
25 STORE is stalled
26 LOAD is stalled
27 RNG is stalled
28 SCP's internal pipeline is stalled on writeback
29 AES is stalled

Unofficial name.

Contains the status of crypto operations.

TSEC_SCP_RNG_STAT0

Bits Description
0 RND is ready
4-7 Unknown
8-11 Unknown
16 Unknown
20 Unknown

Unofficial name.

TSEC_SCP_RNG_STAT1

Bits Description
0-15 Unknown
16-31 Unknown

Unofficial name.

TSEC_SCP_IRQSTAT

Bits Description
0 RND ready
8 ACL error
12 SEC error
16 CMD error
20 Single step
24 RND clock trigger
28 Stall timeout

Unofficial name.

TSEC_SCP_IRQMASK

Bits Description
0 RND ready
8 ACL error
12 SEC error
16 CMD error
20 Single step
24 RND clock trigger
28 Stall timeout

Unofficial name.

TSEC_SCP_ACL_ERR

Bits Description
0 Writing to a crypto register without the correct ACL
4 Reading from a crypto register without the correct ACL
8 Invalid ACL change (cchmod)
31 ACL error occurred

Unofficial name.

Contains information on errors generated by the ACL error IRQ.

TSEC_SCP_SEC_ERR

Bits Description
0 Security mode changed during sequence execution (cs0exec/cs1exec)
1-2 Security mode at the beginning of sequence execution
0: Non-secure
1: Heavy Secure
4 Security mode changed during sequence recording (cs0begin/cs1begin)
5-6 Security mode at the beginning of sequence recording
0: Non-secure
1: Heavy Secure
16 Security mode changed while reading from crypto register/stream (cxsout or xdld)
17-18 Security mode at the beginning of reading from crypto register/stream
0: Non-secure
1: Heavy Secure
20 Security mode and memory source changed while writing to crypto register/stream (cxsin or xdst)
21-22 Security mode when memory source changed while writing to crypto register/stream
0: Non-secure
1: Heavy Secure
24 Security mode changed while writing to crypto register/stream (cxsin or xdst)
25-26 Security mode at the beginning of writing to crypto register/stream
0: Non-secure
1: Heavy Secure
31 SEC error occurred

Unofficial name.

Contains information on errors generated by the SEC error IRQ.

TSEC_SCP_CMD_ERR

Bits Description
0 CMD's instruction is invalid
4 SEQ's sequence is empty
8 SEQ's sequence is too long
12 SEQ's sequence was not finished
16 Forbidden signature operation (csigcmp, csigenc or csigclr in NS mode)
20 Invalid signature operation (csigcmp in HS mode)
24 Forbidden ACL change (cchmod in NS mode)

Unofficial name.

Contains information on errors generated by the CMD error IRQ.

TSEC_SCP_RND_CTL0

Bits Description
0-31 RND clock trigger's lower limit

Unofficial name.

TSEC_SCP_RND_CTL1

Bits Description
0-15 RND clock trigger's upper limit
16-31 RND clock trigger's mask

Unofficial name.

TSEC_SCP_RND_CTL2

Bits Description
0-15 Unknown

Unofficial name.

TSEC_SCP_RND_CTL3

Bits Description
12 Trigger first LFSR
16 Trigger second LFSR

Unofficial name.

TSEC_SCP_RND_CTL4

Bits Description
0-31 First LFSR's polynomial for RNG's test mode

Unofficial name.

TSEC_SCP_RND_CTL5

Bits Description
0-31 First LFSR's initial state for RNG's test mode

Unofficial name.

TSEC_SCP_RND_CTL6

Bits Description
0-31 Second LFSR's polynomial for RNG's test mode

Unofficial name.

TSEC_SCP_RND_CTL7

Bits Description
0-31 Second LFSR's initial state for RNG's test mode

Unofficial name.

TSEC_SCP_RND_CTL8

Bits Description
0-15 Unknown
16-31 Unknown

Unofficial name.

TSEC_SCP_RND_CTL9

Bits Description
0-15 Unknown
16-31 Unknown

Unofficial name.

TSEC_SCP_RND_CTL10

Bits Description
0-15 Unknown
16-31 Unknown

Unofficial name.

TSEC_SCP_RND_CTL11

Bits Description
0 Unknown
1 Unknown
2 Unknown
3 Unknown
4-5 First sampler's source
0: Oscillator
1: Unknown
2: LFSR
3: Dummy
6-7 Second sampler's source
0: Oscillator
1: Unknown
2: LFSR
3: Dummy
8-11 First sampler's tap value
12-15 Second sampler's tap value
16-19 Unknown
20-23 Unknown
24-30 Unknown
31 Unknown

Unofficial name.

TSEC_TFBIF_CTL

Bits Description
0 TSEC_TFBIF_CTL_CLR_BWCOUNT
1 TSEC_TFBIF_CTL_ENABLE
2 TSEC_TFBIF_CTL_CLR_IDLEWDERR
3 TSEC_TFBIF_CTL_RESET
4 TSEC_TFBIF_CTL_IDLE
5 TSEC_TFBIF_CTL_IDLEWDERR
6 TSEC_TFBIF_CTL_SRTOUT
7 TSEC_TFBIF_CTL_CLR_SRTOUT
8-11 TSEC_TFBIF_CTL_SRTOVAL
12 TSEC_TFBIF_CTL_VPR

TSEC_TFBIF_MCCIF_FIFOCTRL

Bits Description
0 TSEC_TFBIF_MCCIF_FIFOCTRL_RCLK_OVERRIDE
1 TSEC_TFBIF_MCCIF_FIFOCTRL_WCLK_OVERRIDE
2 TSEC_TFBIF_MCCIF_FIFOCTRL_WRCL_MCLE2X
3 TSEC_TFBIF_MCCIF_FIFOCTRL_RDMC_RDFAST
4 TSEC_TFBIF_MCCIF_FIFOCTRL_WRMC_CLLE2X
5 TSEC_TFBIF_MCCIF_FIFOCTRL_RDCL_RDFAST
6 TSEC_TFBIF_MCCIF_FIFOCTRL_CCLK_OVERRIDE
7 TSEC_TFBIF_MCCIF_FIFOCTRL_RCLK_OVR_MODE
8 TSEC_TFBIF_MCCIF_FIFOCTRL_WCLK_OVR_MODE

TSEC_TFBIF_THROTTLE

Bits Description
0-11 TSEC_TFBIF_THROTTLE_BUCKET_SIZE
16-27 TSEC_TFBIF_THROTTLE_LEAK_COUNT
30-31 TSEC_TFBIF_THROTTLE_LEAK_SIZE

TSEC_TFBIF_DBG_STAT0

Bits Description
0 TSEC_TFBIF_DBG_STAT0_1K_TRANSFER
1 TSEC_TFBIF_DBG_STAT0_RREQ_ISSUED
2 TSEC_TFBIF_DBG_STAT0_WREQ_ISSUED
3 TSEC_TFBIF_DBG_STAT0_TAGQ_ISSUED
4 TSEC_TFBIF_DBG_STAT0_STALL_RDATQ
5 TSEC_TFBIF_DBG_STAT0_STALL_RACKQ
6 TSEC_TFBIF_DBG_STAT0_STALL_WREQQ
7 TSEC_TFBIF_DBG_STAT0_STALL_WDATQ
8 TSEC_TFBIF_DBG_STAT0_STALL_WACKQ
9 TSEC_TFBIF_DBG_STAT0_STALL_RREQ_PENDING
10 TSEC_TFBIF_DBG_STAT0_STALL_WREQ_PENDING
11 TSEC_TFBIF_DBG_STAT0_STALL_MREQ
12 TSEC_TFBIF_DBG_STAT0_ENGINE_IDLE
13 TSEC_TFBIF_DBG_STAT0_RMCCIF_IDLE
14 TSEC_TFBIF_DBG_STAT0_WMCCIF_IDLE
15 TSEC_TFBIF_DBG_STAT0_CSB_IDLE
16 TSEC_TFBIF_DBG_STAT0_RU_IDLE
17 TSEC_TFBIF_DBG_STAT0_WU_IDLE
19 TSEC_TFBIF_DBG_STAT0_UNWEIGHT_ACTMON_ACTIVE
20 TSEC_TFBIF_DBG_STAT0_UNWEIGHT_ACTMON_MCB

TSEC_TFBIF_DBG_STAT1

Bits Description
0-31 TSEC_TFBIF_DBG_STAT1_DATA

TSEC_TFBIF_DBG_RDCOUNT_LO

Bits Description
0-31 TSEC_TFBIF_DBG_RDCOUNT_LO_DATA

TSEC_TFBIF_DBG_RDCOUNT_HI

Bits Description
0-31 TSEC_TFBIF_DBG_RDCOUNT_HI_DATA

TSEC_TFBIF_DBG_WRCOUNT_LO

Bits Description
0-31 TSEC_TFBIF_DBG_WRCOUNT_LO_DATA

TSEC_TFBIF_DBG_WRCOUNT_HI

Bits Description
0-31 TSEC_TFBIF_DBG_WRCOUNT_HI_DATA

TSEC_TFBIF_DBG_R32COUNT

Bits Description
0-31 TSEC_TFBIF_DBG_R32COUNT_DATA

TSEC_TFBIF_DBG_R64COUNT

Bits Description
0-31 TSEC_TFBIF_DBG_R64COUNT_DATA

TSEC_TFBIF_DBG_R128COUNT

Bits Description
0-31 TSEC_TFBIF_DBG_R128COUNT_DATA

TSEC_TFBIF_MCCIF_FIFOCTRL1

Bits Description
0-15 TSEC_TFBIF_MCCIF_FIFOCTRL1_SRD2MC_REORDER_DEPTH_LIMIT
16-31 TSEC_TFBIF_MCCIF_FIFOCTRL1_SWR2MC_REORDER_DEPTH_LIMIT

TSEC_TFBIF_SPROT_EMEM

Bits Description
0-2 Read access level
3 Set on memory read access violation
4-6 Write access level
7 Set on memory write access violation

Unofficial name.

Controls accesses to external memory regions. Accessible in HS mode only.

TSEC_TFBIF_TRANSCFG

Bits Description
0 TSEC_TFBIF_TRANSCFG_ATT0_SWID
4 TSEC_TFBIF_TRANSCFG_ATT1_SWID
8 TSEC_TFBIF_TRANSCFG_ATT2_SWID
12 TSEC_TFBIF_TRANSCFG_ATT3_SWID
16 TSEC_TFBIF_TRANSCFG_ATT4_SWID
20 TSEC_TFBIF_TRANSCFG_ATT5_SWID
24 TSEC_TFBIF_TRANSCFG_ATT6_SWID
28 TSEC_TFBIF_TRANSCFG_ATT7_SWID

Configures the software ID per CTXDMA port for memory transactions. Software ID 0 (HW_SWID) forces all transactions to go through the SMMU while software ID 1 (PHY_SWID) bypasses it. Accessible in HS mode only.

[6.0.0+] The nvhost_tsec firmware sets this register to 0x10 or 0x111110 before reading memory from the GPU UCODE carveout.

TSEC_TFBIF_REGIONCFG

Bits Description
0-2 TSEC_TFBIF_REGIONCFG_T0_APERT_ID
3 TSEC_TFBIF_REGIONCFG_T0_VPR
4-6 TSEC_TFBIF_REGIONCFG_T1_APERT_ID
7 TSEC_TFBIF_REGIONCFG_T1_VPR
8-10 TSEC_TFBIF_REGIONCFG_T2_APERT_ID
11 TSEC_TFBIF_REGIONCFG_T2_VPR
12-14 TSEC_TFBIF_REGIONCFG_T3_APERT_ID
15 TSEC_TFBIF_REGIONCFG_T3_VPR
16-18 TSEC_TFBIF_REGIONCFG_T4_APERT_ID
19 TSEC_TFBIF_REGIONCFG_T4_VPR
20-22 TSEC_TFBIF_REGIONCFG_T5_APERT_ID
23 TSEC_TFBIF_REGIONCFG_T5_VPR
24-26 TSEC_TFBIF_REGIONCFG_T6_APERT_ID
27 TSEC_TFBIF_REGIONCFG_T6_VPR
28-30 TSEC_TFBIF_REGIONCFG_T7_APERT_ID
31 TSEC_TFBIF_REGIONCFG_T7_VPR

Configures the aperture ID and VPR mode per CTXDMA port for memory region accessing. Accessible in HS mode only.

[6.0.0+] The nvhost_tsec firmware sets this register to 0x20 or 0x140 before reading memory from the GPU UCODE carveout.

TSEC_CG

Bits Description
0-5 TSEC_CG_IDLE_CG_DLY_CNT
6 TSEC_CG_IDLE_CG_EN
16-18 TSEC_CG_WAKEUP_DLY_CNT
19 TSEC_CG_WAKEUP_DLY_EN

TSEC_BAR0_CTL

Bits Description
0 TSEC_BAR0_CTL_READ
1 TSEC_BAR0_CTL_WRITE
4-7 TSEC_BAR0_CTL_BYTE_MASK
12-13 TSEC_BAR0_CTL_STATUS
0: Idle
1: Busy
2: Error
3: Disabled
16-17 TSEC_BAR0_CTL_SEC_MODE
0: Non-secure
1: Invalid
2: Light Secure
3: Heavy Secure
31 TSEC_BAR0_CTL_INIT

Unofficial name.

Controls DMA transfers between TSEC and HOST1X (master and clients).

Starting a transfer over BAR0 automatically sets TSEC_BAR0_CTL_SEC_MODE to the current Falcon security mode. Once set, any attempts to start a transfer from a lower security level will fail.

TSEC_BAR0_ADDR

Bits Description
0-31 TSEC_BAR0_ADDR_VAL

Unofficial name.

Takes the address for DMA transfers between TSEC and HOST1X (master and clients).

TSEC_BAR0_DATA

Bits Description
0-31 TSEC_BAR0_DATA_VAL

Unofficial name.

Takes the data for DMA transfers between TSEC and HOST1X (master and clients).

TSEC_BAR0_TIMEOUT

Bits Description
0-31 TSEC_BAR0_TIMEOUT_VAL

Unofficial name.

Takes the timeout value for DMA transfers between TSEC and HOST1X (master and clients).

TSEC_VERSION

Bits Description
0-31 Version

Unofficial name.

TSEC_SCRATCH0

Bits Description
0-31 Value

Unofficial name.

TSEC_SCRATCH1

Bits Description
0-31 Value

Unofficial name.

TSEC_SCRATCH2

Bits Description
0-31 Value

Unofficial name.

TSEC_SCRATCH3

Bits Description
0-31 Value

Unofficial name.

TSEC_SCRATCH4

Bits Description
0-31 Value

Unofficial name.

TSEC_SCRATCH5

Bits Description
0-31 Value

Unofficial name.

TSEC_SCRATCH6

Bits Description
0-31 Value

Unofficial name.

TSEC_SCRATCH7

Bits Description
0-31 Value

Unofficial name.

TSEC_GPTMRINT

Unofficial name.

Same as TSEC_FALCON_GPTMRINT, but for an unknown hardware block.

TSEC_GPTMRVAL

Unofficial name.

Same as TSEC_FALCON_GPTMRVAL, but for an unknown hardware block.

TSEC_GPTMRCTL

Unofficial name.

Same as TSEC_FALCON_GPTMRCTL, but for an unknown hardware block.

TSEC_ITFEN

Bits Description
0 Enable TSEC_GPTMRINT
1 Unknown
2 Unknown
3 Unknown

Unofficial name.

TSEC_ITFSTAT

Bits Description
0 TSEC_GPTMRINT is enabled
1 Unknown
2 Unknown
3 Unknown

Unofficial name.

TSEC_TEGRA_CTL

Bits Description
16 TSEC_TEGRA_CTL_TKFI_KFUSE
17 TSEC_TEGRA_CTL_TKFI_RESTART_FSM_KFUSE
24 TSEC_TEGRA_CTL_TMPI_FORCE_IDLE_INPUTS_I2C
25 TSEC_TEGRA_CTL_TMPI_RESTART_FSM_HOST1X
26 TSEC_TEGRA_CTL_TMPI_RESTART_FSM_APB
27 TSEC_TEGRA_CTL_TMPI_DISABLE_OUTPUT_I2C

Falcon

"Falcon" (FAst Logic CONtroller) is a proprietary general purpose CPU which can be found inside various hardware blocks that require some sort of logic processing such as TSEC (TSECA and TSECB), NVDEC, NVENC, NVJPG, VIC, GPU PMU and XUSB.

Processor Registers

A total of 32 processor registers are available in the Falcon CPU.

REG0-REG15

These are 16 32-bit GPRs (general purpose registers).

IV0

This is a SPR (special purpose register) that holds the address for interrupt vector 0. Only bits 0 to 15 are used.

IV1

This is a SPR (special purpose register) that holds the address for interrupt vector 1. Only bits 0 to 15 are used.

IV2

This is a SPR (special purpose register) that holds the address for interrupt vector 2. This register is considered "UNDEFINED" and appears to be unused.

EV

This is a SPR (special purpose register) that holds the address for the exception vector. Only bits 0 to 15 are used.

Alternative name (envytools): "tv".

SP

This is a SPR (special purpose register) that holds the current stack pointer. Only bits 0 to 15 are used.

PC

This is a SPR (special purpose register) that holds the current program counter. Only bits 0 to 15 are used.

IMB

This is a SPR (special purpose register) that holds the external base address for IMEM transfers.

Alternative name (envytools): "xcbase".

DMB

This is a SPR (special purpose register) that holds the external base address for DMEM transfers.

Alternative name (envytools): "xdbase".

CSW

This is a SPR (special purpose register) that holds various flag bits.

Bits Description
0-7 General purpose predicates
8 ALU carry flag
9 ALU signed overflow flag
10 ALU sign flag
11 ALU zero flag
16 Interrupt 0 enable
17 Interrupt 1 enable
18 Interrupt 2 enable (undefined)
20 Interrupt 0 saved enable
21 Interrupt 1 saved enable
22 Interrupt 2 saved enable (undefined)
24 Exception active
26-31 Unknown

Alternative name (envytools): "flags".

CCR

This is a SPR (special purpose register) that holds configuration bits for the SCP DMA override functionality. The value of this register is set using the "cxset" instruction which provides a way to change the behavior of a variable amount of successively executed DMA-related instructions ("xdwait", "xdst" and "xdld").

Bits Description
0-4 Number of instructions the override is valid for (0x1F means infinite)
5 Crypto source/destination select
0: Crypto register
1: Crypto stream
6 Bypass mode
0: Disabled
1: Enabled
7 Internal memory select
0: DMEM
1: IMEM

Alternative name (envytools): "cx".

SEC

This is a SPR (special purpose register) that holds configuration bits for the SCP authentication process.

Bits Description
0-7 Start of region to authenticate (in pages of 0x100 bytes)
16 Force secure DMA transfers
17 Decrypt region to authenticate
18 Signature check passed
19 Suppress interrupts and exceptions
24-31 Size of region to authenticate (in pages of 0x100 bytes)

Alternative name (envytools): "cauth".

CTX

This is a SPR (special purpose register) that holds configuration bits for the CTXDMA ports.

Bits Description
0-2 CTXDMA port for code loads (xcld)
4-6 CTXDMA port for code stores (invalid)
8-10 CTXDMA port for data loads (xdld)
12-14 CTXDMA port for data stores (xdst)

Alternative name (envytools): "xtargets".

EXCI

This is a SPR (special purpose register) that holds information on raised exceptions.

Bits Description
0-19 Exception PC
20-23 Exception cause

Alternative name (envytools): "tstatus".

SEC1

Only available in Falcon v6+ CPUs, marked as "RESERVED" for v5.

IMB1

Only available in Falcon v6+ CPUs, marked as "RESERVED" for v5.

DMB1

Only available in Falcon v6+ CPUs, marked as "RESERVED" for v5.

Secure BootROM

Certain Falcon CPUs may have an optional "Secure BootROM", but contrary to the common purpose of bootrom code, this doesn't execute while booting the CPU. In fact, being a microprocessor, Falcon is designed to execute user supplied code right off the bat in a clean slate state. However, Falcon can be paired with a secure co-processor and provide a cryptosystem for any hardware block that may require it, originating what is known as a "secretful" unit.

Secretful Falcon CPUs have TSEC_FALCON_HWCFG1_SECURITY_MODEL set to 3, which means they support "Heavy Secure" mode (or "HS" for short). While in HS mode, the Falcon's DMEM and IMEM regions are protected from read and write operations, which effectively hides code and data from attackers.

Entering HS mode first requires uploading code marked as "secure" to Falcon, which can be done from MMIO using TSEC_FALCON_IMEMC with the TSEC_FALCON_IMEMC_SECURE bit set. Upon jumping to a page marked as secret, the INV_INS exception is raised which tells the Falcon to start executing the secure bootrom code.

The secure bootrom lives in a hidden ROM region, instead of IMEM, and is mapped as --x at address 0. On Falcon v5 CPUs its size is 0x367 bytes.

Initialization

The first instructions of the secure bootrom simply save each GPR to the stack and check the contents of the SEC SPR.

Authentication

The main purpose of the secure bootrom is to authenticate the code pages marked as "secure". This is done by first extracting the base address and size of the region to authenticate from the SEC SPR, then calculating a signature over this region and finally comparing it to the value of the SCP register $c6.

If the comparison is successful, bit 18 of SEC SPR is set (which is mirrored in TSEC_FALCON_SVEC_SPR), the signature comparison result in TSEC_SCP_STAT1 is set to 3 and each page from the region to authenticate is marked as valid. Bit 19 of SEC SPR is also automatically set, preventing any interrupts or exceptions from being raised while in HS mode, but contrary to bit 18 this one can be manually cleared by authenticated code.

Below is the authentication algorithm's pseudocode:

...
// This runs in a loop for each 0x100 bytes page.
cs0begin 0x03
cxsin $c4
cenc $c3 $c5
cxor $c5 $c3
ckeyreg $c4
cxor $c5 $c5
cs0exec 0x11
...
// Use secret 0x01 as key and $c7 as seed.
csecret $c3 1
ckeyreg $c3
cenc $c3 $c7
ckeyreg $c3
cenc $c4 $c5
csigcmp $c4 $c6
...

Decryption

If bit 17 is set in the SEC SPR, the secure bootrom will additionally attempt to decrypt the region to authenticate.

Below is the decryption algorithm's pseudocode:

...
// Use secret 0x06 as key.
cs0begin 0x03
cxsin $c3
cdec $c4 $c3
cxsout $c4
csecret $c5 0x06
ckexp $c5 $c5
cs0exec 0x10
ckeyreg $c5
...

Exit

The secure bootrom finishes by restoring each GPR from stack and returning from the exception state. This will result in the authenticated code region being executed in HS mode until the current PC points to an address outside of the authenticated region. When this happens, each page from the authenticated region is automatically marked as invalid without any involvement of the secure bootrom, meaning that the secure bootrom is only invoked when entering HS mode.

SCP

"SCP" (Secure Co-Processor) is a proprietary coprocessor which can be found inside every Falcon that supports Heavy Secure Mode. On the Tegra X1 these are TSECA, TSECB, NVDEC and the GPU's PMU.

Hardware

SCP is subdivided into several specialized hardware blocks and interfaces.

LOAD

Block for handling memory reads from SCP to Falcon. It communicates with Falcon over a dedicated interface.

The interface can be enabled or disabled by register TSEC_SCP_CTL0.

STORE

Block for handling memory writes from Falcon to SCP. It communicates with Falcon over a dedicated interface.

The interface can be enabled or disabled by register TSEC_SCP_CTL0.

CMD

Block for translating Falcon crypto operands into SCP commands. It communicates with Falcon over a dedicated interface.

The interface can be enabled or disabled by register TSEC_SCP_CTL0. The status of the current command is reported through register TSEC_SCP_CMD.

SEQ

Block for recording and executing sequences of crypto operations in the form of macros.

Can be enabled or disabled by register TSEC_SCP_CTL0.

CTL

Overseer block for controlling certain SCP features.

Can be enabled or disabled by register TSEC_SCP_CTL0.

Registers TSEC_SCP_CTL_STAT, TSEC_SCP_CTL_LOCK, TSEC_SCP_CTL_SCP, TSEC_SCP_CTL_PKEY and TSEC_SCP_CTL_DBG refer to this block.

AES

Block for providing AES-128-ECB functionality.

RNG

Block for encapsulating and controlling the internal random number generator.

Can be enabled or disabled by register TSEC_SCP_CTL1 and reports the status of the internal random number generator through registers TSEC_SCP_RNG_STAT0 and TSEC_SCP_RNG_STAT1.

RND

Internal random number generator.

Can be configured by the TSEC_SCP_RND_CTLx registers.

Operations

Opcode Name Operand0 Operand1 Operation Precondition Postcondition
0 nop N/A N/A N/A N/A N/A
1 mov $cX $cY $cX = $cY; N/A ACL($cX) = ACL($cY);
2 xsin $cX N/A $cX = read_from_stream(); N/A ACL($cX) = is_mode_hs ? 0x3 : 0x1F;
3 xsout $cX N/A write_to_stream($cX); ((is_mode_hs && (ACL($cX) & 0x2)) || (!is_mode_hs && (ACL($cX) & 0xA))) N/A
4 rnd $cX N/A $cX = read_from_rnd(); N/A ACL($cX) = is_mode_hs ? 0x3 : 0x1F;
5 s0begin immX N/A record_macro_for_N_instructions(0, immX); N/A N/A
6 s0exec immX N/A execute_macro_N_times(0, immX); N/A N/A
7 s1begin immX N/A record_macro_for_N_instructions(1, immX); N/A N/A
8 s1exec immX N/A execute_macro_N_times(1, immX); N/A N/A
9 <invalid> N/A N/A N/A N/A N/A
0xA chmod $cX immY ACL($cX) = immY; See ACLs N/A
0xB xor $cX $cY $cX ^= $cY; ((is_mode_hs && (ACL($cX) & 0x2) && (ACL($cY) & 0x2)) || (!is_mode_hs && (ACL($cX) & 0x1A) && (ACL($cY) & 0xA))) ACL($cX) = ACL($cY);
0xC add $cX immY $cX += immY; ((is_mode_hs && (ACL($cX) & 0x2)) || (!is_mode_hs && (ACL($cX) & 0x1A))) N/A
0xD and $cX $cY $cX &= $cY; ((is_mode_hs && (ACL($cX) & 0x2) && (ACL($cY) & 0x2)) || (!is_mode_hs && (ACL($cX) & 0x1A) && (ACL($cY) & 0xA))) ACL($cX) = ACL($cY);
0xE rev $cX $cY $cX = endian_swap128($cY); (is_mode_hs || (!is_mode_hs && (ACL($cX) & 0x10))) ACL($cX) = ACL($cY);
0xF gfmul $cX $cY $cX = gfmul($cY); ((is_mode_hs && (ACL($cX) & 0x2) && (ACL($cY) & 0x2)) || (!is_mode_hs && (ACL($cX) & 0x1A) && (ACL($cY) & 0xA))) ACL($cX) = ACL($cY);
0x10 secret $cX immY $cX = load_secret(immY); N/A ACL($cX) = load_secret_acl(immY);
0x11 keyreg $cX N/A active_key = $cX; N/A N/A
0x12 kexp $cX $cY $cX = aes_key_expand($cY); (is_mode_hs || (!is_mode_hs && (ACL($cX) & 0x10))) ACL($cX) = ACL($cY);
0x13 krexp $cX $cY $cX = aes_key_reverse_expand($cY); (is_mode_hs || (!is_mode_hs && (ACL($cX) & 0x10))) ACL($cX) = ACL($cY);
0x14 enc $cX $cY $cX = aes_enc(active_key, $cY); N/A ACL($cX) = (ACL(active_key) & ACL($cY));
0x15 dec $cX $cY $cX = aes_dec(active_key, $cY); N/A ACL($cX) = (ACL(active_key) & ACL($cY));
0x16 sigcmp $cX $cY current_sig = memcmp($cX, $cY) ? NULL : $cX; (is_mode_secure_bootrom && (ACL($cY) & 0x2)) is_mode_hs = has_sig = (current_sig != NULL);
0x17 sigenc $cX $cY $cX = aes_enc($cY, current_sig); (is_mode_hs && has_sig) ACL($cX) = 0x3;
0x18 sigclr N/A N/A current_sig = NULL; (is_mode_hs && has_sig) has_sig = false;

rnd

00000000: f5 3c 0X 90 crnd $cX

This instruction initializes a crypto register with random data.

Executing this instruction only succeeds if the RNG controller is enabled for the SCP, which requires taking the following steps:

Otherwise it hangs forever.

chmod

00000000: f5 3c XY a8 cchmod $cY 0X or 00000000: f5 3c XY a9 cchmod $cY 1X

This instruction takes a crypto register and a 5 bit immediate value which represents the ACLs mask to set.

sigcmp

00000000: f5 3c XY d8 csigcmp $cY $cX

Takes 2 crypto registers as operands and is automatically executed when jumping to a code region previously uploaded as secret. This instruction does not work in secure mode.

sigclr

00000000: f5 3c 00 e0 csigclr

This instruction takes no operands and clears the saved cauth signature used by the csigenc instruction.

ACLs

Each crypto register has an associated access control list with the following format:

Bit Description
0 Secure Keyable
1 Secure Readable
2 Insecure Keyable
3 Insecure Readable
4 Insecure Writeable

On boot, every crypto register has an ACL value of 0x1F.

In HS mode, STORE can always write to a crypto register. In NS and LS modes, STORE can only write to a crypto register if it has the Insecure Writeable access mode.

In HS mode, LOAD can only retrieve a crypto register's value if it has the Secure Readable access mode. In NS and LS modes, LOAD can only retrieve a crypto register's value if it has the Insecure Readable and Secure Readable access modes.

Loading a secret into a crypto register sets a per-secret ACL, unconditionally.

Secure Keyable

Controls if a crypto register can be used as key in HS mode.

Forced set if the crypto register has Secure Readable access. Once cleared, this access mode cannot be set again.

Secure Readable

Controls if a crypto register can be read in HS mode.

Once cleared, this access mode cannot be set again.

Insecure Keyable

Controls if a crypto register can be used as key in NS and LS modes.

Forced set if the crypto register has Insecure Readable access. This access mode cannot be set if the crypto register doesn't have Secure Keyable access.

Insecure Readable

Controls if a crypto register can be read in NS and LS modes.

This access mode cannot be set if the crypto register doesn't have Secure Readable access.

Insecure Writeable

Controls if a crypto register can be written to in NS and LS modes.

This access mode has no effect in HS mode.

Secrets

Heavy Secure Mode has access to 64 128-bit keys which are burned at factory. These keys can be loaded using the $csecret instruction which takes the target crypto register and the key index as arguments.

Secrets are specific to each Falcon unit with the exception of secret 0x3F. This secret is effectively empty (all zeros), but is configured to be overwritten with the KFUSE private key once the KFUSE clock is enabled. The KFUSE private key is console-unique.

Index ACL Description
0x00 0x03 Used by Keygen, nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
0x01 0x00 Used by Falcon's Secure BootROM for the signature generation algorithm.
0x02 0x00
0x03 0x01 Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
0x04 0x00 Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
0x05 0x03 Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
0x06 0x01 Used by Falcon's Secure BootROM as key to decrypt data during authentication (decided by bit 17 in the SEC register).
0x07 0x01 Used by [6.0.0+] nvhost_tsec firmware.
0x08 0x00
0x09 0x03 Used by nvhost_tsec firmware.
0x0A 0x01
0x0B 0x00 Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
0x0C 0x03
0x0D 0x01
0x0E 0x00
0x0F 0x03 Used by nvhost_tsec firmware.
0x10 0x01 Used by [1.0.0-5.1.0] nvhost_tsec firmware.
0x11 0x00
0x12 0x03
0x13 0x01
0x14 0x00
0x15 0x03 Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares.
0x16 0x01
0x17 0x00 Used by [11.0.0+] nvhost_tsec firmware.
0x18 0x03
0x19 0x01
0x1A 0x00
0x1B 0x03
0x1C 0x01
0x1D 0x00
0x1E 0x03
0x1F 0x01
0x20 0x00
0x21 0x03
0x22 0x01
0x23 0x00
0x24 0x03
0x25 0x01
0x26 0x00 Used by KeygenLdr and SecureBoot
0x27 0x03
0x28 0x01
0x29 0x00
0x2A 0x03
0x2B 0x01
0x2C 0x00
0x2D 0x03
0x2E 0x01
0x2F 0x00
0x30 0x03
0x31 0x01
0x32 0x00
0x33 0x03
0x34 0x01
0x35 0x00
0x36 0x03
0x37 0x01
0x38 0x00
0x39 0x03
0x3A 0x01
0x3B 0x00
0x3C 0x03 Used by nvhost_tsec firmware.
0x3D 0x01
0x3E 0x00
0x3F 0x00 Used by Keygen, nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.