TSEC: Difference between revisions

Vale (talk | contribs)
m Rename cprecmac occurence to cgfmul
No edit summary
Line 723: Line 723:
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL2
| [[#TSEC_SCP_RND_CTL2|TSEC_SCP_RND_CTL2]]
| 0x54501508
| 0x54501508
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL3
| [[#TSEC_SCP_RND_CTL3|TSEC_SCP_RND_CTL3]]
| 0x5450150C
| 0x5450150C
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL4
| [[#TSEC_SCP_RND_CTL4|TSEC_SCP_RND_CTL4]]
| 0x54501510
| 0x54501510
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL5
| [[#TSEC_SCP_RND_CTL5|TSEC_SCP_RND_CTL5]]
| 0x54501514
| 0x54501514
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL6
| [[#TSEC_SCP_RND_CTL6|TSEC_SCP_RND_CTL6]]
| 0x54501518
| 0x54501518
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL7
| [[#TSEC_SCP_RND_CTL7|TSEC_SCP_RND_CTL7]]
| 0x5450151C
| 0x5450151C
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL8
| [[#TSEC_SCP_RND_CTL8|TSEC_SCP_RND_CTL8]]
| 0x54501520
| 0x54501520
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL9
| [[#TSEC_SCP_RND_CTL9|TSEC_SCP_RND_CTL9]]
| 0x54501524
| 0x54501524
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL10
| [[#TSEC_SCP_RND_CTL10|TSEC_SCP_RND_CTL10]]
| 0x54501528
| 0x54501528
| 0x04
| 0x04
|-
|-
| TSEC_SCP_RND_CTL11
| [[#TSEC_SCP_RND_CTL11|TSEC_SCP_RND_CTL11]]
| 0x5450152C
| 0x5450152C
| 0x04
| 0x04
Line 3,577: Line 3,577:
|-
|-
| 10
| 10
| Enable the [[#LOAD|LOAD]] block's interface
| Enable [[#LOAD|Falcon<->LOAD]] interface
|-
|-
| 12
| 12
| Enable the [[#STORE|STORE]] block's interface
| Enable [[#STORE|Falcon<->STORE]] interface
|-
|-
| 14
| 14
| Enable the [[#CMD|CMD]] block's interface
| Enable [[#CMD|Falcon<->CMD]] interface
|-
|-
| 16
| 16
| Enable the [[#SEQ|SEQ]] block
| Enable [[#SEQ|SEQ]]
|-
|-
| 20
| 20
| Enable the [[#CTL|CTL]] block
| Enable [[#CTL|CTL]]
|}
|}


Line 3,598: Line 3,598:
|-
|-
| 0
| 0
| Clear [[#SEQ|SEQ]] block's pipeline
| Clear [[#SEQ|SEQ]]
|-
|-
| 8
| 8
| Clear the main [[#SCP|SCP]] pipeline
| Clear [[#SCP|SCP]]'s internal pipeline
|-
|-
| 11
| 11
| Enable [[#RNG|RNG]] block's test mode
| Enable [[#RNG|RNG]]'s test mode
|-
|-
| 12
| 12
| Enable the [[#RNG|RNG]] block
| Enable [[#RNG|RNG]]
|-
|-
| 16
| 16
| Enable [[#LOAD|LOAD]] block's interface dummy mode (all reads return 0)
| Enable [[#LOAD|Falcon<->LOAD]] interface's dummy mode (all reads return 0)
|-
|-
| 20
| 20
| Enable [[#LOAD|LOAD]] block's interface bypassing (all reads are dropped)
| Enable [[#LOAD|Falcon<->LOAD]] interface bypassing (all reads are dropped)
|-
|-
| 24
| 24
| Enable [[#STORE|STORE]] block's interface bypassing (all writes are dropped)
| Enable [[#STORE|Falcon<->STORE]] interface bypassing (all writes are dropped)
|}
|}


Line 3,635: Line 3,635:
| 0
| 0
| Enable lockdown mode (locks IMEM and DMEM)
| Enable lockdown mode (locks IMEM and DMEM)
|-
| 1
| Unknown
|-
| 2
| Unknown
|-
| 3
| Unknown
|-
|-
| 4
| 4
| Lock the [[#SCP|SCP]]
| Lock [[#SCP|SCP]]'s MMIO register space
|-
| 5
| Unknown
|-
| 6
| Unknown
|-
| 7
| Unknown
|}
|}


Line 3,666: Line 3,648:
|-
|-
| 0
| 0
| Unknown
| Endianness for ADD
0: Little
1: Big
|-
|-
| 1
| 1
| Unknown
| Endianness for GFMUL
0: Little
1: Big
|-
|-
| 2
| 2
| Unknown
| Endianness for [[#LOAD|LOAD]]
0: Little
1: Big
|-
|-
| 3
| 3
| Unknown
| Endianness for [[#STORE|STORE]]
0: Little
1: Big
|-
|-
| 4
| 4
| [[#AES|AES]] block's endianness
| Endianness for [[#AES|AES]]
  0: Little
  0: Little
  1: Big
  1: Big
|-
|-
| 8
| 8
| Flush [[#CMD|CMD]] block's pipeline
| Flush [[#CMD|CMD]]
|-
|-
| 12-13
| 12-13
| Carry chain size
| Carry chain's size
  0: 32 bits
  0: 32 bits
  1: 64 bits
  1: 64 bits
Line 3,693: Line 3,683:
|-
|-
| 16-31
| 16-31
| Timeout value
| [[#SCP|SCP]]'s internal pipeline stall timeout value
|}
|}


Line 3,702: Line 3,692:
|-
|-
| 0
| 0
| Swap [[#SCP|SCP]] master
| Swap [[#SCP|SCP]]'s master
|-
|-
| 1
| 1
| Current [[#SCP|SCP]] master
| Current [[#SCP|SCP]]'s master
  0: Falcon
  0: Falcon
  1: External
  1: External
Line 3,759: Line 3,749:
|-
|-
| 8-12
| 8-12
| [[#SEQ|SEQ]] block's current sequence size
| [[#SEQ|SEQ]]'s current sequence's size
|-
|-
| 13-16
| 13-16
| [[#SEQ|SEQ]] block's current instruction address
| [[#SEQ|SEQ]]'s current instruction's address
|-
|-
| 17
| 17
| [[#SEQ|SEQ]] block's current instruction is valid
| [[#SEQ|SEQ]]'s current instruction is valid
|-
|-
| 18
| 18
| [[#SEQ|SEQ]] block is running in HS mode
| [[#SEQ|SEQ]] is running in HS mode
|-
|-
| 19-22
| 19-22
| [[#LOAD|LOAD]] block's pipeline size
| [[#LOAD|LOAD]]'s queue's size
|-
|-
| 23
| 23
| [[#LOAD|LOAD]] block's current operation is valid
| [[#LOAD|LOAD]]'s current operation is valid
|-
|-
| 24
| 24
| [[#LOAD|LOAD]] block is running in HS mode
| [[#LOAD|LOAD]] is running in HS mode
|-
|-
| 25-26
| 25-26
| [[#STORE|STORE]] block's pipeline size
| [[#STORE|STORE]]'s queue's size
|-
|-
| 30
| 30
| [[#STORE|STORE]] block's current operation is valid
| [[#STORE|STORE]]'s current operation is valid
|-
|-
| 31
| 31
| [[#STORE|STORE]] block is running in HS mode
| [[#STORE|STORE]] is running in HS mode
|}
|}


Line 3,796: Line 3,786:
!  Description
!  Description
|-
|-
| 0-3
| 0-31
| [[#SEQ|SEQ]] block's current instruction's first operand
| Data
|-
If target is SEQ:
| 4-9
  Bits 0-3: current instruction's first operand
| [[#SEQ|SEQ]] block's current instruction's second operand
  Bits 4-9: current instruction's second operand
|-
  Bits 10-14: current instruction's opcode
| 10-14
| [[#SEQ|SEQ]] block's current instruction's opcode
|}
|}


Used for retrieving debug data. Contains information on the last crypto sequence created when debugging the SEQ controller.
Used for retrieving debug data. Contains information on the last crypto sequence created when debugging the [[#SEQ|SEQ]] block.


=== TSEC_SCP_DBG2 ===
=== TSEC_SCP_DBG2 ===
Line 3,814: Line 3,802:
|-
|-
| 0-1
| 0-1
| [[#SEQ|SEQ]] block's state
| [[#SEQ|SEQ]]'s state
  0: Idle
  0: Idle
  1: Recording is active (cs0begin/cs1begin)
  1: Recording is active (cs0begin/cs1begin)
|-
|-
| 4-7
| 4-7
| Number of [[#SEQ|SEQ]] block's instructions left
| Number of instructions left in [[#SEQ|SEQ]]
|-
|-
| 12-15
| 12-15
| Active crypto key register
| Active crypto key register (ckeyreg)
|}
|}


Line 3,867: Line 3,855:
|-
|-
| 28
| 28
| [[#CMD|CMD]] block's current instruction is valid
| [[#CMD|CMD]]'s current instruction is valid
|-
|-
| 31
| 31
| [[#CMD|CMD]] block is running in HS mode
| [[#CMD|CMD]] is running in HS mode
|}
|}


Line 3,884: Line 3,872:
|-
|-
| 2
| 2
| [[#CMD|CMD]] block's interface is active
| [[#CMD|CMD]] is active
|-
|-
| 4
| 4
| [[#STORE|STORE]] block's interface is active
| [[#STORE|STORE]] is active
|-
|-
| 6
| 6
| [[#SEQ|SEQ]] block is active
| [[#SEQ|SEQ]] is active
|-
|-
| 8
| 8
| [[#CTL|CTL]] block is active
| [[#CTL|CTL]] is active
|-
|-
| 10
| 10
| [[#LOAD|LOAD]] block's interface is active
| [[#LOAD|LOAD]] is active
|-
|-
| 14
| 14
| [[#AES|AES]] block is active
| [[#AES|AES]] is active
|-
|-
| 16
| 16
| [[#RNG|RNG]] block is active
| [[#RNG|RNG]] is active
|}
|}


Contains the status of the hardware blocks and interfaces.
Contains the statuses of hardware blocks.


=== TSEC_SCP_STAT1 ===
=== TSEC_SCP_STAT1 ===
Line 3,920: Line 3,908:
|-
|-
| 4
| 4
| [[#LOAD|LOAD]] block's interface is running in HS mode
| [[#LOAD|Falcon<->LOAD]] interface is running in HS mode
|-
|-
| 6
| 6
| [[#LOAD|LOAD]] block's interface is ready
| [[#LOAD|Falcon<->LOAD]] interface is ready
|-
|-
| 8
| 8
| [[#STORE|STORE]] block's interface is running in HS mode
| [[#STORE|Falcon<->STORE]] interface is running in HS mode
|-
|-
| 10
| 10
| [[#STORE|STORE]] block's interface received a valid operation
| [[#STORE|Falcon<->STORE]] interface received a valid operation
|-
|-
| 12
| 12
| [[#CMD|CMD]] block's interface is running in HS mode
| [[#CMD|Falcon<->CMD]] interface is running in HS mode
|-
|-
| 14
| 14
| [[#CMD|CMD]] block's interface received a valid instruction
| [[#CMD|Falcon<->CMD]] interface received a valid instruction
|}
|}


Contains the status of the last authentication attempt and other miscellaneous statuses.
Contains the statuses of hardware interfaces and the result of the last authentication attempt.


=== TSEC_SCP_STAT2 ===
=== TSEC_SCP_STAT2 ===
Line 3,946: Line 3,934:
|-
|-
| 0-4
| 0-4
| Current [[#SEQ|SEQ]] block opcode
| Current opcode in [[#SEQ|SEQ]]
|-
|-
| 5-9
| 5-9
| Current [[#CMD|CMD]] block's interface opcode
| Current opcode in [[#CMD|Falcon<->CMD]] interface
|-
|-
| 10-14
| 10-14
| Pending [[#CMD|CMD]] block opcode
| Pending opcode in [[#CMD|CMD]]
|-
|-
| 15-16
| 15-16
| Current [[#AES|AES]] block operation
| Current opcode in [[#AES|AES]]
  0: Encryption
  0: Encryption
  1: Decryption
  1: Decryption
Line 3,962: Line 3,950:
|-
|-
| 24
| 24
| Unknown
| [[#SCP|SCP]]'s internal pipeline is stalled on hazard
|-
|-
| 25
| 25
| [[#STORE|STORE]] block is stalled
| [[#STORE|STORE]] is stalled
|-
|-
| 26
| 26
| [[#LOAD|LOAD]] block is stalled
| [[#LOAD|LOAD]] is stalled
|-
|-
| 27
| 27
| [[#RNG|RNG]] block is stalled
| [[#RNG|RNG]] is stalled
|-
|-
| 28
| 28
| Unknown
| [[#SCP|SCP]]'s internal pipeline is stalled on writeback
|-
|-
| 29
| 29
| [[#AES|AES]] block is stalled
| [[#AES|AES]] is stalled
|}
|}


Line 3,988: Line 3,976:
|-
|-
| 0
| 0
| [[#RND|RND]] block is ready
| [[#RND|RND]] is ready
|-
|-
| 4-7
| 4-7
Line 4,036: Line 4,024:
|-
|-
| 24
| 24
| [[#RND|RND]] operation
| [[#RND|RND]] clock trigger
|-
|-
| 28
| 28
| Timeout
| Stall timeout
|}
|}
Used for getting the status of crypto IRQs.


=== TSEC_SCP_IRQMASK ===
=== TSEC_SCP_IRQMASK ===
Line 4,065: Line 4,051:
|-
|-
| 24
| 24
| [[#RND|RND]] operation
| [[#RND|RND]] clock trigger
|-
|-
| 28
| 28
| Timeout
| Stall timeout
|}
|}
Used for getting the value of the mask for crypto IRQs.


=== TSEC_SCP_ACL_ERR ===
=== TSEC_SCP_ACL_ERR ===
Line 4,131: Line 4,115:
| SEC error occurred
| SEC error occurred
|}
|}
Contains information on errors generated by the [[#TSEC_SCP_IRQSTAT|SEC error]] IRQ.


=== TSEC_SCP_CMD_ERR ===
=== TSEC_SCP_CMD_ERR ===
Line 4,138: Line 4,124:
|-
|-
| 0
| 0
| Invalid [[#CMD|CMD]] command
| [[#CMD|CMD]]'s instruction is invalid
|-
|-
| 4
| 4
| Empty [[#SEQ|SEQ]] sequence
| [[#SEQ|SEQ]]'s sequence is empty
|-
|-
| 8
| 8
| [[#SEQ|SEQ]] sequence is too long
| [[#SEQ|SEQ]]'s sequence is too long
|-
|-
| 12
| 12
| [[#SEQ|SEQ]] sequence was not finished
| [[#SEQ|SEQ]]'s sequence was not finished
|-
|-
| 16
| 16
Line 4,167: Line 4,153:
|-
|-
| 0-31
| 0-31
| [[#RND|RND]] clock trigger lower limit
| [[#RND|RND]] clock trigger's lower limit
|}
|}


Line 4,176: Line 4,162:
|-
|-
| 0-15
| 0-15
| [[#RND|RND]] clock trigger upper limit
| [[#RND|RND]] clock trigger's upper limit
|-
|-
| 16-31
| 16-31
| [[#RND|RND]] clock trigger mask
| [[#RND|RND]] clock trigger's mask
|}
 
=== TSEC_SCP_RND_CTL2 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0-15
| Unknown
|}
 
=== TSEC_SCP_RND_CTL3 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 12
| Trigger first LFSR
|-
| 16
| Trigger second LFSR
|}
 
=== TSEC_SCP_RND_CTL4 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0-31
| First LFSR's polynomial for [[#RNG|RNG]]'s test mode
|}
 
=== TSEC_SCP_RND_CTL5 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0-31
| First LFSR's initial state for [[#RNG|RNG]]'s test mode
|}
 
=== TSEC_SCP_RND_CTL6 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0-31
| Second LFSR's polynomial for [[#RNG|RNG]]'s test mode
|}
 
=== TSEC_SCP_RND_CTL7 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0-31
| Second LFSR's initial state for [[#RNG|RNG]]'s test mode
|}
 
=== TSEC_SCP_RND_CTL8 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0-15
| Unknown
|-
| 16-31
| Unknown
|}
 
=== TSEC_SCP_RND_CTL9 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0-15
| Unknown
|-
| 16-31
| Unknown
|}
 
=== TSEC_SCP_RND_CTL10 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0-15
| Unknown
|-
| 16-31
| Unknown
|}
 
=== TSEC_SCP_RND_CTL11 ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0
| Unknown
|-
| 1
| Unknown
|-
| 2
| Unknown
|-
| 3
| Unknown
|-
| 4-5
| First sampler's source
0: Oscillator
1: Unknown
2: LFSR
3: Dummy
|-
| 6-7
| Second sampler's source
0: Oscillator
1: Unknown
2: LFSR
3: Dummy
|-
| 8-11
| First sampler's tap value
|-
| 12-15
| Second sampler's tap value
|-
| 16-19
| Unknown
|-
| 20-23
| Unknown
|-
| 24-30
| Unknown
|-
| 31
| Unknown
|}
|}


Line 5,136: Line 5,265:
* Write 0x7FFF to [[#TSEC_SCP_RND_CTL0|TSEC_SCP_RND_CTL0]].
* Write 0x7FFF to [[#TSEC_SCP_RND_CTL0|TSEC_SCP_RND_CTL0]].
* Write 0x3FF0000 to [[#TSEC_SCP_RND_CTL1|TSEC_SCP_RND_CTL1]].
* Write 0x3FF0000 to [[#TSEC_SCP_RND_CTL1|TSEC_SCP_RND_CTL1]].
* Write 0xFF00 to TSEC_SCP_RND_CTL11.
* Write 0xFF00 to [[#TSEC_SCP_RND_CTL11|TSEC_SCP_RND_CTL11]].
* Write 0x1000 to [[#TSEC_SCP_CTL1|TSEC_SCP_CTL1]].
* Write 0x1000 to [[#TSEC_SCP_CTL1|TSEC_SCP_CTL1]].


Line 5,148: Line 5,277:
!  Description
!  Description
|-
|-
| 0 || Secure key. Forced set if bit1 is set. Once cleared, cannot be set again.
| 0 || Secure Keyable (forced set if bit1 is set; once cleared, cannot be set again)
|-
|-
| 1 || Secure readable. Once cleared, cannot be set again.
| 1 || Secure Readable (once cleared, cannot be set again)
|-
|-
| 2 || Insecure key. Forced set if bit3 is set. Forced clear if bit0 is clear. Can be toggled back and forth.
| 2 || Keyable (forced set if bit3 is set; forced clear if bit0 is clear; can be toggled back and forth)
|-
|-
| 3 || Insecure readable. Forced clear if bit1 is clear. Can be toggled back and forth.
| 3 || Readable (forced clear if bit1 is clear; can be toggled back and forth)
|-
|-
| 4 || Insecure overwritable. Can be toggled back and forth.
| 4 || Writeable (can be toggled back and forth)
|}
|}


On boot, the ACL is 0x1F for all $cX.
On boot, the ACL is 0x1F for all $cX.


Loading into $cX using xdst instruction sets ACL($cX) to 0x13 and 0x1F, for secure and insecure mode respectively.
Loading into $cX using xdst instruction sets ACL($cX) to 0x13 and 0x1F, for heavy secure and non-secure mode respectively.


Spilling a $cX to DMEM using xdld instruction is allowed if (ACL($cX) & 2) or (ACL($cX) & 8), for secure and insecure mode respectively.
Spilling a $cX to DMEM using xdld instruction is allowed if (ACL($cX) & 2) or (ACL($cX) & 8), for heavy secure and non-secure mode respectively.


Loading a secret into $cX sets a per-secret ACL, unconditionally.
Loading a secret into $cX sets a per-secret ACL, unconditionally.
Line 5,177: Line 5,306:
| 0x00 || 0x13 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
| 0x00 || 0x13 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
|-
|-
| 0x01 || 0x10 || Used by Falcon's [[#Secure BootROM|Secure BootROM]] for the signature generation algorithm.
| 0x01 || 0x00 || Used by Falcon's [[#Secure BootROM|Secure BootROM]] for the signature generation algorithm.
|-
|-
| 0x02 || 0x10 ||
| 0x02 || 0x00 ||
|-
|-
| 0x03 || 0x11 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
| 0x03 || 0x01 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|-
|-
| 0x04 || 0x10 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
| 0x04 || 0x00 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|-
|-
| 0x05 || 0x13 || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
| 0x05 || 0x13 || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
|-
|-
| 0x06 || 0x11 || Used by Falcon's [[#Secure BootROM|Secure BootROM]] as key to decrypt data during authentication (decided by bit 17 in the [[#SEC|SEC]] register).
| 0x06 || 0x01 || Used by Falcon's [[#Secure BootROM|Secure BootROM]] as key to decrypt data during authentication (decided by bit 17 in the [[#SEC|SEC]] register).
|-
|-
| 0x07 || 0x11 || Used by [6.0.0+] nvhost_tsec firmware.
| 0x07 || 0x01 || Used by [6.0.0+] nvhost_tsec firmware.
|-
|-
| 0x08 || 0x10 ||
| 0x08 || 0x00 ||
|-
|-
| 0x09 || 0x13 || Used by nvhost_tsec firmware.
| 0x09 || 0x13 || Used by nvhost_tsec firmware.
|-
|-
| 0x0A || 0x11 ||
| 0x0A || 0x01 ||
|-
|-
| 0x0B || 0x10 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
| 0x0B || 0x00 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|-
|-
| 0x0C || 0x13 ||
| 0x0C || 0x13 ||
|-
|-
| 0x0D || 0x11 ||
| 0x0D || 0x01 ||
|-
|-
| 0x0E || 0x10 ||
| 0x0E || 0x00 ||
|-
|-
| 0x0F || 0x13 || Used by nvhost_tsec firmware.
| 0x0F || 0x13 || Used by nvhost_tsec firmware.
|-
|-
| 0x10 || 0x11 || Used by [1.0.0-5.1.0] nvhost_tsec firmware.
| 0x10 || 0x01 || Used by [1.0.0-5.1.0] nvhost_tsec firmware.
|-
|-
| 0x11 || 0x10 ||
| 0x11 || 0x00 ||
|-
|-
| 0x12 || 0x13 ||
| 0x12 || 0x13 ||
|-
|-
| 0x13 || 0x11 ||
| 0x13 || 0x01 ||
|-
|-
| 0x14 || 0x10 ||
| 0x14 || 0x00 ||
|-
|-
| 0x15 || 0x13 || Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares.
| 0x15 || 0x13 || Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares.
|-
|-
| 0x16 || 0x11 ||
| 0x16 || 0x01 ||
|-
|-
| 0x17 || 0x10 || Used by [11.0.0+] nvhost_tsec firmware.
| 0x17 || 0x00 || Used by [11.0.0+] nvhost_tsec firmware.
|-
|-
| 0x18 || 0x13 ||
| 0x18 || 0x13 ||
|-
|-
| 0x19 || 0x11 ||
| 0x19 || 0x01 ||
|-
|-
| 0x1A || 0x10 ||
| 0x1A || 0x00 ||
|-
|-
| 0x1B || 0x13 ||
| 0x1B || 0x13 ||
|-
|-
| 0x1C || 0x11 ||
| 0x1C || 0x01 ||
|-
|-
| 0x1D || 0x10 ||
| 0x1D || 0x00 ||
|-
|-
| 0x1E || 0x13 ||
| 0x1E || 0x13 ||
|-
|-
| 0x1F || 0x11 ||
| 0x1F || 0x01 ||
|-
|-
| 0x20 || 0x10 ||
| 0x20 || 0x00 ||
|-
|-
| 0x21 || 0x13 ||
| 0x21 || 0x13 ||
|-
|-
| 0x22 || 0x11 ||
| 0x22 || 0x01 ||
|-
|-
| 0x23 || 0x10 ||
| 0x23 || 0x00 ||
|-
|-
| 0x24 || 0x13 ||
| 0x24 || 0x13 ||
|-
|-
| 0x25 || 0x11 ||
| 0x25 || 0x01 ||
|-
|-
| 0x26 || 0x10 || Used by [[TSEC_Firmware#KeygenLdr|KeygenLdr]] and [[TSEC_Firmware#SecureBoot|SecureBoot]]
| 0x26 || 0x00 || Used by [[TSEC_Firmware#KeygenLdr|KeygenLdr]] and [[TSEC_Firmware#SecureBoot|SecureBoot]]
|-
|-
| 0x27 || 0x13 ||
| 0x27 || 0x13 ||
|-
|-
| 0x28 || 0x11 ||
| 0x28 || 0x01 ||
|-
|-
| 0x29 || 0x10 ||
| 0x29 || 0x00 ||
|-
|-
| 0x2A || 0x13 ||
| 0x2A || 0x13 ||
|-
|-
| 0x2B || 0x11 ||
| 0x2B || 0x01 ||
|-
|-
| 0x2C || 0x10 ||
| 0x2C || 0x00 ||
|-
|-
| 0x2D || 0x13 ||
| 0x2D || 0x13 ||
|-
|-
| 0x2E || 0x11 ||
| 0x2E || 0x01 ||
|-
|-
| 0x2F || 0x10 ||
| 0x2F || 0x00 ||
|-
|-
| 0x30 || 0x13 ||
| 0x30 || 0x13 ||
|-
|-
| 0x31 || 0x11 ||
| 0x31 || 0x01 ||
|-
|-
| 0x32 || 0x10 ||
| 0x32 || 0x00 ||
|-
|-
| 0x33 || 0x13 ||
| 0x33 || 0x13 ||
|-
|-
| 0x34 || 0x11 ||
| 0x34 || 0x01 ||
|-
|-
| 0x35 || 0x10 ||
| 0x35 || 0x00 ||
|-
|-
| 0x36 || 0x13 ||
| 0x36 || 0x13 ||
|-
|-
| 0x37 || 0x11 ||
| 0x37 || 0x01 ||
|-
|-
| 0x38 || 0x10 ||
| 0x38 || 0x00 ||
|-
|-
| 0x39 || 0x13 ||
| 0x39 || 0x13 ||
|-
|-
| 0x3A || 0x11 ||
| 0x3A || 0x01 ||
|-
|-
| 0x3B || 0x10 ||
| 0x3B || 0x00 ||
|-
|-
| 0x3C || 0x13 || Used by nvhost_tsec firmware.
| 0x3C || 0x13 || Used by nvhost_tsec firmware.
|-
|-
| 0x3D || 0x11 ||
| 0x3D || 0x01 ||
|-
|-
| 0x3E || 0x10 ||
| 0x3E || 0x00 ||
|-
|-
| 0x3F || 0x10 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
| 0x3F || 0x00 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|}
|}