Changes

Jump to navigation Jump to search
1,667 bytes added ,  21:50, 23 March 2018
no edit summary
SPL is responsible for handling all cryptographic operations within the system and relaying them to the [[#SMC|Secure Monitor]] when necessary.
 
During [1.0.0-3.0.2], the only existing services were "csrng" and "spl:". However, in [4.0.0+] the "spl:" service was refactored and split into new services with different permission levels. Each service exposes the IPC command list differently in order to prevent cryptographic operations to take place in the wrong context.
 
= csrng =
This is "nn::spl::detail::IRandomInterface".
== GetRandomBytes ==
Takes a type-6 buffer and fills it with random datafrom [[SMC#GetRandomBytes|GetRandomBytes SMC]]. Same command for "spl:" and "csrng" services.
= spl: , spl:mig, spl:fs, spl:ssl, spl:es, spl:manu =This is These are "nn::spl::detail::IGeneralInterface", "nn::spl::detail::ICryptoInterface", "nn::spl::detail::IFsInterface", "nn::spl::detail::ISslInterface", "nn::spl::detail::IEsInterface" and "nn::spl::detail::IManuInterface"(?).
[2.0.0+] Where previously only one AES engine was utilized, there is now support for 4 of them.
{| class="wikitable" border="1"
|-
! Cmd || Name || NotesPermissions|-| 0 || [[#GetConfig]] || spl:, spl:mig, spl:fs, spl:ssl, spl:es, spl:manu|-| 1 || [[#UserExpMod]] || spl:, spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 0 2 || [[#GetConfigGenerateAesKek]] || Wrapper for [[SMC#GetConfig|GetConfig SMC]].spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 1 3 || [[#UserExpModLoadAesKey]] || Speculative name. Wrapper for [[SMC#ExpMod|ExpMod SMC]].spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 2 4 || [[#GenerateAesKekGenerateAesKey]] || Wrapper for [[SMC#GenerateAesKek|GenerateAesKek SMC]].spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 3 5 || [[#LoadAesKeySetConfig]] || Wrapper for [[SMC#LoadAesKey|LoadAesKey SMC]].spl:, spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 4 7 || [[#GenerateAesKeyGetRandomBytes]] || Decrypts 0x10 bytes using AES ECB and uses [[SMC#LoadAesKey|LoadAesKey SMC]] with a fixed Y.spl:, spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 5 9 || [[#SetConfigLoadSecureExpModKey]] || Wrapper for [[SMC#SetConfig|SetConfig SMC]].spl:fs
|-
| 7 10 || [[#GetRandomBytesSecureExpMod]] || Uses [[SMC#GetRandomBytes|GetRandomBytes SMC]].spl:fs
|-
| 9 11 || [[#LoadSecureExpModKeyIsDevelopment]] || Speculative name. Wrapper for [[SMC#LoadSecureExpModKey|LoadSecureExpModKey SMC]].spl:, spl:mig, spl:fs, spl:ssl spl:es, spl:manu
|-
| 10 12 || [[#SecureExpModGenerateSpecificAesKey]] || Speculative name. Uses [[SMC#SecureExpMod|SecureExpModSMC]].spl:fs
|-
| 11 13 || [[#IsDevelopmentDecryptRsaPrivateKey]] ||spl:ssl, spl:es, spl:manu
|-
| 12 14 || [[#GenerateSpecificAesKeyDecryptAesKey]] || Wrapper for [[SMC#GenerateSpecificAesKey|GenerateSpecificAesKey SMC]].spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 13 15 || [[#DecryptPrivkDecryptAesCtr]] || Speculative name. Wrapper for [[SMC#PrivateRsa|PrivateRsa SMC]].spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 14 16 || [[#DecryptAesKeyComputeCmac]] || Decrypts 0x10 bytes using AES ECB and uses [[SMC#LoadAesKey|LoadAesKey SMC]] with fixed X and Y.spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 15 17 || [[#DecryptAesCtrLoadRsaOaepKey]] || Wrapper for [[SMC#CryptAes|CryptAes SMC]].spl:es
|-
| 16 18 || [[#ComputeCmacUnwrapRsaOaepWrappedTitleKey]] || Wrapper for [[SMC#ComputeCmac|ComputeCmac SMC]].spl:es
|-
| 17 19 || [[#LoadRsaOaepKeyLoadTitleKey]] || Speculative name. Wrapper for [[SMC#LoadRsaOaepKey|LoadRsaOaepKey SMC]].spl:fs
|-
| 18 20 || [2.0.0+] [[#UnwrapRsaOaepWrappedTitleKeyUnwrapAesWrappedTitleKey ]] || Speculative name. Wrapper for [[SMC#UnwrapRsaOaepWrappedTitleKey|UnwrapRsaOaepWrappedTitleKey SMC]].spl:es
|-
| 19 21 || [2.0.0+] [[#LoadTitleKeyLockAesEngine]] || Wrapper for [[SMC#LoadTitleKey|LoadTitleKey SMC]].spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 20 22 || [2.0.0+] [[#UnwrapAesWrappedTitleKey UnlockAesEngine]] || Wrapper for [[SMC#UnwrapAesWrappedTitleKey|UnwrapAesWrappedTitleKey SMC]].spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 21 23 || [2.0.0+] [[#LockAesEngineGetSplWaitEvent]] ||spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 22 24 || [23.0.0+] [[#UnlockAesEngineSetSharedData]] ||spl:, spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 23 25 || [23.0.0+] [[#GetSplWaitEventGetSharedData]] ||spl:, spl:mig, spl:fs, spl:ssl, spl:es, spl:manu
|-
| 24 26 || [35.0.0+] [[#SetSharedData]] ImportSslRsaKey ||spl:ssl
|-
| 25 27 || [35.0.0+] SecureExpModWithSslKey || spl:ssl|-| 28 || [5.0.0+] ImportEsRsaKey || spl:es|-| 29 || [5.0.0+] SecureExpModWithEsKey || spl:es|-| 30 || [#GetSharedData5.0.0+]EncryptManuRsaKeyForImport || spl:manu|-| 31 || [5.0.0+] GetPackage2Hash ||spl:fs
|}
== GetConfig ==
Wrapper for [[SMC#GetConfig|GetConfig SMC]].
 
Takes a u32 ('''ConfigItem'''), and returns one or more u64s ('''ConfigVal''').
== UserExpMod ==
Wrapper for [[SMC#ExpMod|ExpMod SMC]].
 
Takes one type-10 (C descriptor) buffer ('''data_out_buf''') and 3 type-9 (X descriptor) buffers ('''data_in_buf''', '''exp_in_buf''' and '''mod_in_buf''').
== GenerateAesKek ==
Wrapper for [[SMC#GenerateAesKek|GenerateAesKek SMC]].
 
Takes a 16-byte EKS ('''Encryption Key Source''') and two words ('''KeyGeneration''' and '''option''') as input.
'''KeyGeneration''' ranges from 0 to 2.
Returns a scrambled sealed KEK ('''Key Encryption Key''' used as '''key_x''').
== LoadAesKey ==
Wrapper for [[SMC#LoadAesKey|LoadAesKey SMC]].
 
Takes a u32 ('''keyslot''') and two 16-byte keys ('''key_x''' and '''key_y''').
Takes a 16-byte KEK ('''key_x''') and a 16-byte encrypted key ('''enc_key''').
Generates a new key by decrypting (AES-ECB) '''enc_key''' with a key generated from the supplied '''key_x''' and a fixed '''key_y'''set with [[SMC#LoadAesKey|LoadAesKey SMC]].
[2.0.0+] Previously, it always used engine 0. Now it tries to allocate an engine to be used and returns 0xD01A if they're all busy. When the command is done, the engine is released.
== SetConfig ==
Wrapper for [[SMC#SetConfig|SetConfig SMC]].
 
Takes a u32 ('''ConfigItem''') and a u64 ('''ConfigVal''').
Any other '''ConfigItem''', besides 13, can't be set.
== LoadRsaOaepKey LoadSecureExpModKey ==Wrapper for [[SMC#LoadSecureExpModKey|LoadSecureExpModKey SMC]]. 
Takes one type-9 (X descriptor) buffer ('''enc_privk_in_buf'''), a 16-byte KEK ('''key_x'''), a 16-byte key ('''key_y''') and a u32 ('''version''').
'''version''' is 0 for normal keys or 1 for extended keys.
Decrypts '''enc_privk_in_buf''' with a key generated from '''key_x''' and '''key_y''' and imports it for later usage.
[5.0.0+] This now calls [[SMC#EncryptRsaKeyForImport|EncryptRsaKeyForImport SMC]] instead. == UnwrapRsaOaepWrappedTitleKey SecureExpMod ==Takes one type-10 (C descriptor) buffer ('''data_out_buf''') and 3 type-9 (X descriptor) buffers ('''data_in_buf''', '''mod_in_buf''' and '''label_hash_in_bufparam0_in_buf''').
Decrypts Uses [[SMC#SecureExpMod|SecureExpMod SMC]] to decrypt '''data_in_buf''' into '''data_out_buf''' using the private key imported with [[#UnwrapRsaOaepWrappedTitleKeyLoadSecureExpModKey]] and the supplied '''mod_in_buf'''. Afterwards, verifies RSA-OAEP encoding using and '''label_hash_in_bufparam0_in_buf'''.
Returns an u32 ('''dec_data_size''')Generates and returns a 16-byte sealed titlekey.
== IsDevelopment ==
== GenerateSpecificAesKey ==
Wrapper for [[SMC#GenerateSpecificAesKey|GenerateSpecificAesKey SMC]].
 
Takes a 16-byte seed ('''key_seed''') and two words ('''KeyGeneration''' and '''option''') as input.
'''KeyGeneration''' ranges from 0 to 2.
Returns a scrambled key ('''key_a''').
== DecryptPrivk DecryptRsaPrivateKey ==Wrapper for [[SMC#DecryptRsaPrivateKey|DecryptRsaPrivateKey SMC]]. 
Takes one type-10 (C descriptor) buffer ('''dec_privk_out_buf'''), one type-9 (X descriptor) buffer ('''enc_privk_in_buf'''), a 16-byte KEK ('''key_x'''), a 16-byte key ('''key_y''') and a u32 ('''version''').
'''version''' is 0 for normal keys or 1 for extended keys.
Used by [[SSL_services|SSL]]-sysmodule for TLS client-privk.
 
[5.0.0+] This now calls [[SMC#DecryptOrImportRsaKey|DecryptOrImportRsaKey SMC]] instead.
== DecryptAesKey ==
Takes a 16-byte encrypted key ('''enc_key''') and two words ('''KeyGeneration''' and '''option''') as input.
'''KeyGeneration''' ranges from 0 to 2.
Decrypts (AES-ECB) '''enc_key''' with a key generated from fixed '''key_x''' and '''key_y''' set with [[SMC#LoadAesKey|LoadAesKey SMC]] and returns a 16-byte decrypted key ('''dec_key''').
[2.0.0+] Introduced same engine allocation code as for [[#GenerateAesKey]].
Takes a type-0x46 (B descriptor) buffer ('''data_out_buf'''), a u32 ('''keyslot'''), a type-0x45 (A descriptor) buffer ('''data_in_buf''') and a 16-byte CTR ('''aes_ctr''').
Decrypts Uses [[SMC#CryptAes|CryptAes SMC]] to decrypt '''data_in_buf''' into '''data_out_buf''' , using the key set in the specified '''keyslot'''.
[2.0.0+] Verifies the engine is locked by current session.
== ComputeCmac ==
Wrapper for [[SMC#ComputeCmac|ComputeCmac SMC]].
 
Takes one type-9 (X descriptor) buffer ('''data_in_buf''') and a u32 ('''type?''').
[2.0.0+] Verifies the engine is locked by current session.
== LoadSecureExpModKey LoadRsaOaepKey ==Wrapper for [[SMC#LoadRsaOaepKey|LoadRsaOaepKey SMC]]. Takes one type-9 (X descriptor) buffer ('''enc_privk_in_buf'''), a 16-byte KEK ('''key_x'''), a 16-byte key ('''key_y''') and a u32 ('''version''').'''version''' is 0 for normal keys or 1 for extended keys. Decrypts enc_privk_in_buf with a key generated from key_x and key_y and imports it for later usage.
Decrypts '''enc_privk_in_buf''' with a key generated from '''key_x''' and '''key_y''' and imports it == UnwrapRsaOaepWrappedTitleKey ==Wrapper for later usage[[SMC#UnwrapRsaOaepWrappedTitleKey|UnwrapRsaOaepWrappedTitleKey SMC]].
== SecureExpMod ==Takes one type-10 (C descriptor) buffer ('''data_out_buf''') and 3 type-9 (X descriptor) buffers ('''data_in_buf''', '''mod_in_buf''' and '''param0_in_buflabel_hash_in_buf''').
Decrypts '''data_in_buf''' into '''data_out_buf''' using the private key imported with [[#LoadSecureExpModKeyLoadRsaOaepKey]] and the supplied '''mod_in_buf''' and . Afterwards, verifies RSA-OAEP encoding using '''param0_in_buflabel_hash_in_buf'''.
Generates and returns a 16-byte sealed titlekeyReturns an u32 ('''dec_data_size''').
== LoadTitleKey ==
Wrapper for [[SMC#LoadTitleKey|LoadTitleKey SMC]].
 
Takes a u32 ('''keyslot''') and a 16-byte sealed titlekey.
== UnwrapAesWrappedTitleKey ==
Wrapper for [[SMC#UnwrapAesWrappedTitleKey|UnwrapAesWrappedTitleKey SMC]].
 
Takes a 16-byte EKS ('''Encryption Key Source''').

Navigation menu