Changes

Jump to navigation Jump to search
1,098 bytes added ,  20:10, 7 December 2017
no edit summary
If bit ''n'' is set in the argument type then parameter X''n'' is treated as a pointer and the kernel will setup address translation for it in [[SVC#svcCallSecureMonitor|svcCallSecureMonitor]].
SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call. == Id ID 0 ==
Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]].
{| class=wikitable
! Sub-Id ID || Name || In || Out
|-
| 0xC3000401 || SetConfig || ||
|-
| 0xC3000002 || GetConfig (Same as Id ID 1 , Sub-Id ID 4.) || ||
|-
| 0xC3000003 || CheckStatus || ||
| 0xC3000E05 || ExpMod || ||
|-
| 0xC3000006 || GetRandomBytes (Same as Id ID 1 , Sub-Id ID 5.) || ||
|-
| 0xC3000007 || [[#GenerateAesKek]] || ||
| 0xC300060F || [[#PublicRsa]] || ||
|-
| 0xC3000610 || [[#UnwrapRsaEncryptedAesKeyUnwrapPreparedAesKey]] || ||
|-
| 0xC3000011 || [[#LoadRsaWrappedAesKeyLoadPreparedAesKey]] || ||
|-
| 0xC3000012 || [2.0.0+] GenerateRsaWrappedAesKek GeneratePreparedAesKek || ||
|}
** This means: Plaintext kek keys never leave TrustZone.
** Further, this means: Actual AES/RSA keys never leave TrustZone.
 
Note:
The [[#CryptoUsecase|CryptoUsecase_PreparedAesKey]] represents a RSA wrapped AES key.
=== GenerateAesKek ===
Key must be set prior using the [[#LoadRsaPublicKey]] command.
=== UnwrapRsaEncryptedAesKey UnwrapPreparedAesKey ===
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA public key.
Returns a session-unique AES key especially for use in [[#LoadRsaWrappedAesKeyLoadPreparedAesKey]].
The session kek must have been created with CryptoUsecase_RsaWrappedAesKeyCryptoUsecase_PreparedAesKey.
=== LoadRsaWrappedAesKey LoadPreparedAesKey ===Takes a session-unique AES key from [[#UnwrapRsaEncryptedAesKeyUnwrapPreparedAesKey]].
=== enum CryptoUsecase ===
| 2 || CryptoUsecase_PublicRsa
|-
| 3 || CryptoUsecase_RsaWrappedAesKeyCryptoUsecase_PreparedAesKey
|}
== Id ID 1 ==
Functions exposed to the kernel internally.
{| class=wikitable
! Sub-Id ID || Name || In || Out
|-
| 0xC4000001 || [[#CpuSuspend ]] || X1=power_state, X2=entrypoint_addr, X3=context_addr context_id || None
|-
| 0x84000002 || [[#CpuOff ]] || None || None
|-
| 0xC4000003 || [[#CpuOn ]] || X1=target_cpu, X2=entrypoint_addr, X3=context_id, X4,X5,X6,X7=0 ||X0=result
|-
| 0xC3000004 || [[#GetConfig ]] (Same as Id ID 0 , Sub-Id ID 2.) || W1=config_item, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4=config_val
|-
| 0xC3000005 || [[#GetRandomBytes ]] (Same as Id ID 0 , Sub-Id ID 6.) || X1=dst_addrsize, X2,X3,X4,X5,X6,X7=0 ||X0=result, X1,X2,X3,X4,X5,X6,X7=rand_bytes
|-
| 0xC3000006 || [[#Panic ]] || W1=unk, X2,X3,X4,X5,X6,X7=0 || X0=result
|-
| 0xC3000007 || [2.0.0+] ProtectKernelRegion || ||
| 0xC3000008 || [2.0.0+] ReadWriteRegister || ||
|}
 
=== CpuSuspend ===
Standard ARM PCSI SMC. Suspends the CPU (CPU0).
 
The kernel calls this SMC on shutdown with '''power_state''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).
 
=== CpuOff ===
Standard ARM PCSI SMC. Turns off the CPU (CPU1, CPU2 or CPU3).
 
=== CpuOn ===
Standard ARM PCSI SMC. Turns on the CPU (CPU1, CPU2 or CPU3).
 
=== GetConfig ===
Takes a '''config_item''' and returns an associated '''config_val'''.
 
=== GetRandomBytes ===
Takes a '''size''' and returns '''rand_bytes'''.
 
The kernel limits '''size''' to 0x38 (for fitting in return registers).
 
=== Panic ===
Issues a system panic.
 
The kernel always calls this with '''unk''' set to 0xF00.
= Errors =
{| class=wikitable! Value || Description|-| 2: || Invalid input|-| 3: || Busy|}

Navigation menu