Changes

4,338 bytes added , 21:02, 21 April 2020

m

Line 1: Line 1:

The Switch 6.0.0 system update was released on September 18, 2018. This Switch update was released for the following regions: ALL.

−

Security flaws fixed: ~~<fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>~~.

+

Security flaws fixed: Yes.

==Change-log==

Line 52: Line 52:

* 1 new title was added: olsc-sysmodule.

* New services were added, see [[Services_API|here]].

+

[[SSL_services#CertStore|CertStore]] RomFs: "/ssl_CaFingerprints.bdf" was added and "/ssl_TrustedCerts.bdf" was updated.

===[[USB_services|USB-sysmodule]]===

The only sysmodule with any changes for accessible IO in the [[NPDM]] was USB-sysmodule. The IO page for the [[Fuses|fuse registers]] is now accessible by this sysmodule.

+

===[[NV_services|nvservices-sysmodule]]===

+

Among various changes, the [[Switch_System_Flaws#System_Modules|"Transfer Memory leak in nvservices system module"]] system flaw was patched in the following way:

+

* [[NV_services#Initialize|Initialize]] and [[NV_services#InitializeDevtools|InitializeDevtools]] now keep track of the size of the transfer memory supplied by the user.

+

* L_34B90 (nvdrv's destructor) now calls L_B4C30 (memset) on the entire transfer memory region (using the size saved previously) before calling [[SVC#svcUnmapTransferMemory|svcUnmapTransferMemory]].

===olsc-sysmodule===

Line 60: Line 67:

===FIRM===

+

====Secure Monitor====

+

.rwdata was reduced in size from two pages to one page. Additionally:

+

Changes were made relating to security engine usage:

+

* Many functions which previously used an inline GetSecurityEngine() call to get the security engine register address now take in a register base as an argument. This is presumably to facilitate moved Security Engine MMIO on the Mariko SoC.

+

* Keyslots 0-8, 0xA, 0xC-0xE now have flags 0x1FF set, and keyslot 0xB now additionally has flags 0x17F set.

+

* The Test Vector used to ensure keyslot contents do not change during wake-from-sleep now uses 256-bit AES instead of 128-bit AES (thus the high parts of the keyslot contents are now verified).

+

Some changes were made to initial SoC setup:

+

* Additional magic numbers (0x83 = SKU ID, 0x2 = ?, 0x210 = Tegra 210) are now written into the GPU microcode in DRAM for runtime configuration.

+

* The warmboot firmware's firmware revision magic was changed from 0x6 to 0x87.

+

* The GPU microcode carveout setup was moved to later during initialization (after package2 has been fully loaded and verified).

+

* The IRAM addresses from which [[BootConfig]] warmboot firmware are loaded were changed.

+

In addition, there were changes to the [[SMC]] interface:

+

* SMCs which take in a keyslot parameter have been changed to allow use of up to 6 keyslots instead of 4.

+

* smcUnwrapRsaOaepWrappedTitleKey now takes in a "type" parameter, and the kek used in key generation is now selected from an array based on this parameter. (smcUnwrapAesWrappedTitlekey hardcodes type 0.)

+

* GetConfig(HardwareType) now returns 4 when it previously would have returned 3.

+

Additionally, security flaws were addressed in smcCpuSuspend (aiming to further mitigate jamais vu/deja vu):

+

* The number of devices checked to be held in reset at the time of smcCpuSuspend is called is now greatly increased.

+

* BPMP SC7 Entry Firmware is now only started ''after'' the following have been done, instead of before:

+

** TZRAM contents have been encrypted and MAC'd with a random AES-256 key

+

** The PMC scratch registers where the MAC are stored have been verified not to be read or write-locked.

+

** The MAC is written into the PMC scratch registers, which are then write-locked.

+

** The PMC scratch registers are verified to have been write-locked.

+

** The PMC scratch registers are verified to contain the MAC TZ has written into them.

+

** The PMC scratch registers are read-locked.

+

** The PMC scratch registers are verified to be both read and write-locked.

+

** The BPMP's firmware is copied from TZRAM into IRAM

+

** memcmp(BPMP firmware in IRAM, BPMP firmware in TZRAM, sizeof(BPMP firmware)) is verified to be zero.

+

====Kernel====

Line 93: Line 136:

* If svcReturnFromException passes the exception the KDebug, ie. if the argument errorCode is not 0, and if the latter has DontCatchExceptions set, the process is terminated (unless errorCode is 0x10001).

* Performance improvements to svcInvalidateProcessDataCache.

+

* Redundant calls to smcGetConfig(12) have been reduced (12 calls -> 4 calls) during memory setup

+

====FIRM Sysmodules====

+

All FIRM sysmodules were updated. Specific diffs for a few sysmodules are below:

+

=====[[Loader services|Loader]]=====

+

* A single null byte stack overflow due to strcat usage was fixed in content path parsing. See [[Switch System Flaws]] for details.

+

* System Resource Size ([[NPDM]] +0x14) is now allowed to be non-zero for applets in addition to applications.

+

=====[[Process Manager services|PM]]=====

+

Memory management initialization was greatly changed:

+

* PM no longer hardcodes five memory profiles, and no longer calls smcGetConfig to determine which profile to use.

+

* Instead, PM now uses [[SVC|svcGetResourceLimitLimitValue]] to determine how much space the kernel has allotted for Application + Applet regions and [[SVC|svcGetSystemInfo]] to determine the total physical memory available, and sets the System region size to (Total Memory Size - Application region size - Applet region size - 5 MiB).

==See Also==

System update report(s):

* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-18-18_08-35-09&sys=hac]

+

[[Category:System versions]]

Yellows8

Bureaucrats, Administrators

4,628

edits

Changes

6.0.0 (view source)

Revision as of 21:02, 21 April 2020