2,939
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 28:
Line 54: + + + + + + + + + + + + + + + + + + + + + + + + Line 36:
Line 86: + + + + Line 56:
Line 110: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 143:
Line 333: + + + + + + + + + + + + + + + + + + + + + + + Line 475:
Line 688: − + − + + − + − + + − + − + − + − wait_10600 = (*(u32 *)0x00010600 & 0x02); + Line 515:
Line 730: − + + Line 621:
Line 837: − + Line 912:
Line 1,128: − The hardware secret is, presumably, a 16 bytes key located at offset 0x26 inside the KFUSE array. Line 924:
Line 1,139: − + Line 944:
Line 1,159: − + − +
no edit summary
TSEC (Tegra Security Engine Controller) is a NVIDIA Falcon microprocessor with crypto extensions. Therefore, all information in this page related to Falcon is identical for TSEC and vice versa.
TSEC (Tegra Security Engine Controller) is a dedicated unit powered by a NVIDIA Falcon microprocessor with crypto extensions.
= Driver =
= Driver =
A host driver for communicating with the TSEC/Falcon is mapped to physical address 0x54500000 with a total size of 0x40000 bytes and exposes several registers.
A host driver for communicating with the TSEC is mapped to physical address 0x54500000 with a total size of 0x40000 bytes and exposes several registers.
== Registers ==
== Registers ==
Registers from 0x54501000 to 0x54502000 are a MMIO window for communicating with the Falcon microprocessor. From this range, the subset of registers from 0x54501400 to 0x54501FE8 are specific to the TSEC.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Name
! Name
! Address
! Address
! Width
! Width
|-
| FALCON_IRQSSET
| 0x54501000
| 0x04
|-
| FALCON_IRQSCLR
| 0x54501004
| 0x04
|-
| FALCON_IRQSTAT
| 0x54501008
| 0x04
|-
| FALCON_IRQMODE
| 0x5450100C
| 0x04
|-
|-
| [[#FALCON_IRQMSET|FALCON_IRQMSET]]
| [[#FALCON_IRQMSET|FALCON_IRQMSET]]
| 0x54501010
| 0x54501010
| 0x04
|-
| FALCON_IRQMCLR
| 0x54501014
| 0x04
|-
| FALCON_IRQMASK
| 0x54501018
| 0x04
| 0x04
|-
|-
| [[#FALCON_ITFEN|FALCON_ITFEN]]
| [[#FALCON_ITFEN|FALCON_ITFEN]]
| 0x54501048
| 0x54501048
| 0x04
|-
| FALCON_IDLESTATE
| 0x5450104C
| 0x04
|-
| FALCON_CURCTX
| 0x54501050
| 0x04
|-
| FALCON_NXTCTX
| 0x54501054
| 0x04
|-
| FALCON_SCRATCH2
| 0x54501080
| 0x04
|-
| FALCON_SCRATCH3
| 0x54501084
| 0x04
|-
| FALCON_ENGCTL
| 0x545010A4
| 0x04
| 0x04
|-
|-
| [[#FALCON_BOOTVEC|FALCON_BOOTVEC]]
| [[#FALCON_BOOTVEC|FALCON_BOOTVEC]]
| 0x54501104
| 0x54501104
| 0x04
|-
| FALCON_HWCFG
| 0x54501108
| 0x04
| 0x04
|-
|-
| [[#FALCON_DMATRFFBOFFS|FALCON_DMATRFFBOFFS]]
| [[#FALCON_DMATRFFBOFFS|FALCON_DMATRFFBOFFS]]
| 0x5450111C
| 0x5450111C
| 0x04
|-
| FALCON_CPUCTL_ALIAS
| 0x54501130
| 0x04
|-
| FALCON_EXTERRADDR
| 0x54501168
| 0x04
|-
| FALCON_EXTERRSTAT
| 0x5450116C
| 0x04
|-
| FALCON_CODE_INDEX
| 0x54501180
| 0x04
|-
| FALCON_CODE
| 0x54501184
| 0x04
|-
| FALCON_CODE_VIRT_ADDR
| 0x54501188
| 0x04
|-
| FALCON_DATA_INDEX0
| 0x545011C0
| 0x04
|-
| FALCON_DATA0
| 0x545011C4
| 0x04
|-
| FALCON_DATA_INDEX1
| 0x545011C8
| 0x04
|-
| FALCON_DATA1
| 0x545011CC
| 0x04
|-
| FALCON_DATA_INDEX2
| 0x545011D0
| 0x04
|-
| FALCON_DATA2
| 0x545011D4
| 0x04
|-
| FALCON_DATA_INDEX3
| 0x545011D8
| 0x04
|-
| FALCON_DATA3
| 0x545011DC
| 0x04
|-
| FALCON_DATA_INDEX4
| 0x545011E0
| 0x04
|-
| FALCON_DATA4
| 0x545011E4
| 0x04
|-
| FALCON_DATA_INDEX5
| 0x545011E8
| 0x04
|-
| FALCON_DATA5
| 0x545011EC
| 0x04
|-
| FALCON_DATA_INDEX6
| 0x545011F0
| 0x04
|-
| FALCON_DATA6
| 0x545011F4
| 0x04
|-
| FALCON_DATA_INDEX7
| 0x545011F8
| 0x04
|-
| FALCON_DATA7
| 0x545011FC
| 0x04
|-
| FALCON_ICD_CMD
| 0x54501200
| 0x04
|-
| FALCON_ICD_ADDR
| 0x54501204
| 0x04
|-
| FALCON_ICD_WDATA
| 0x54501208
| 0x04
|-
| FALCON_ICD_RDATA
| 0x5450120C
| 0x04
|-
| FALCON_SCTL
| 0x54501240
| 0x04
|-
| TSEC_AUTH_MODE
| 0x5450140C
| 0x04
|-
| [[#TSEC_SCP_CTL_PKEY|TSEC_SCP_CTL_PKEY]]
| 0x54501418
| 0x04
|-
| TSEC_DMA_CMD
| 0x54501700
| 0x04
|-
| TSEC_DMA_ADDR
| 0x54501704
| 0x04
|-
| TSEC_DMA_VAL
| 0x54501708
| 0x04
|-
| TSEC_DMA_UNK
| 0x5450170C
| 0x04
|-
| [[#TSEC_TEGRA_CTL|TSEC_TEGRA_CTL]]
| 0x54501838
| 0x04
| 0x04
|-
|-
=== FALCON_DMATRFFBOFFS ===
=== FALCON_DMATRFFBOFFS ===
Takes the offset for Falcon's target memory being transferred.
Takes the offset for Falcon's target memory being transferred.
=== TSEC_SCP_CTL_PKEY ===
{| class="wikitable" border="1"
! Bits
! Description
|-
| 0
| TSEC_SCP_CTL_PKEY_REQUEST_RELOAD
|-
| 1
| TSEC_SCP_CTL_PKEY_LOADED
|-
|}
=== TSEC_TEGRA_CTL ===
{| class="wikitable" border="1"
! Bits
! Description
|-
| 16
| TSEC_TEGRA_CTL_TKFI_KFUSE
|-
|}
= Boot Process =
= Boot Process =
cmov(c7, c0);
cmov(c7, c0);
// Update engine specific IO (crypto?)
// Clear TSEC_TEGRA_CTL_TKFI_KFUSE
*(u32 *)0x00020E00 &= 0xEFFFF;
// This is TSEC_MMIO + 0x1000 + (0x20E00 / 0x40)
*(u32 *)TSEC_TEGRA_CTL &= 0xEFFFF;
// Update engine specific IO (crypto?)
// Set TSEC_SCP_CTL_PKEY_REQUEST_RELOAD
*(u32 *)0x00010600 |= 0x01;
// This is TSEC_MMIO + 0x1000 + (0x10600 / 0x40)
*(u32 *)TSEC_SCP_CTL_PKEY |= 0x01;
u32 wait_10600 = 0;
u32 is_pkey_loaded = 0;
// Wait for some device
// Wait for TSEC_SCP_CTL_PKEY_LOADED
while (wait_10600 == 0)
while (!is_pkey_loaded)
is_pkey_loaded = (*(u32 *)TSEC_SCP_CTL_PKEY & 0x02);
// Read data segment size from IO space
// Read data segment size from IO space
// Exit Authenticated Mode
// Exit Authenticated Mode
*(u32 *)0x00010300 = 0;
// This is TSEC_MMIO + 0x1000 + (0x10300 / 0x40)
*(u32 *)TSEC_AUTH_MODE = 0;
return;
return;
else if (key_version == 0x02) // Use HOVI_COMMON_01
else if (key_version == 0x02) // Use HOVI_COMMON_01
hovi_key_addr = key_buf + 0x60;
hovi_key_addr = key_buf + 0x60;
else if (key_version == 0x03) // Use device key
else if (key_version == 0x03) // Use empty key
hovi_key_addr = key_buf + 0x00;
hovi_key_addr = key_buf + 0x00;
else
else
== Stage 2 ==
== Stage 2 ==
This stage is decrypted by Stage 1 using a key generated by encrypting a seed with an hardware secret (see [[TSEC#keygen|keygen]]).
This stage is decrypted by Stage 1 using a key generated by encrypting a seed with an hardware secret (see [[TSEC#keygen|keygen]]).
== Key data ==
== Key data ==
| 0x00
| 0x00
| 0x10
| 0x10
| Device key
| Empty
|-
|-
| 0x10
| 0x10
| 0x50
| 0x50
| 0x10
| 0x10
| HOVI eks seed
| HOVI EKS seed
|-
|-
| 0x60
| 0x60
| 0x10
| 0x10
| HOVI common seed
| HOVI COMMON seed
|-
|-
| 0x70
| 0x70