2,933
edits
Changes
Jump to navigation
Jump to search
Line 1,171:
Line 1,171: − + Line 1,367:
Line 1,367: + + + + + + + + + + + + Line 1,475:
Line 1,487: − + − + − + − + Line 1,508:
Line 1,520: + + + Line 1,738:
Line 1,753: − + − ===== Entry =====+ + + + − ===== Exit =====+ − ===== Implementation =====+ − + − Part of the information here (which hasn't made it into envytools documentation yet) was shared by [https://wiki.0x04.net/wiki/Marcin_Ko%C5%9Bcielnicki mwk] from reverse engineering falcon processors over the years. − − − $cauth is a special purpose register in the CPU. − − {| class="wikitable" border="1" − ! Bits − ! Description − |- − | 0-7 || Start of region to authenticate (in 0x100 pages) − |- − | 8-15 || Unused − |- − | 16 || Use secret xfers (?) − |- − | 17 || Region is signed and encrypted and double the size (?) − |- − | 18 || − |- − | 19 || − |- − | 20-23 || Unused − |- − | 31-24 || Size of region to authenticate (in 0x100 pages) − |} − − == SCP operations == − Line 1,837:
Line 1,827: + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 1,861:
Line 1,879: − === csigauth ===+ − <code>00000000: f5 3c XY d8 csigauth $cY $cX</code> − Takes 2 crypto registers as operands and is automatically executed when jumping to a code region previously uploaded as secret. This instruction does not work in secure mode.+ + − + − <code>00000000: f5 3c 00 e0 csigclr</code>+ − + − This instruction takes no operands and appears to clear the saved cauth signature used by the csigenc instruction.+ − + − === cchmod ===+ − <code>00000000: f5 3c XY a8 cchmod $cY 0X</code> or <code>00000000: f5 3c XY a9 cchmod $cY 1X</code>+ − + − This instruction takes a crypto register and a 5 bit immediate value.+ − + − === crng ===+ − <code>00000000: f5 3c 0X 90 crng $cX</code>+ − + − This instruction initializes a crypto register with random data.+ − + − Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:+ − * Write 0x7FFF to TSEC_TRNG_CLKDIV.+ − * Write 0x3FF0000 to TSEC_TRNG_UNK0.+ − * Write 0xFF00 to TSEC_TRNG_UNK7.+ − * Write 0x1000 to [[#TSEC_SCP_CTL_TRNG|TSEC_SCP_CTL_TRNG]].+ − − Otherwise it hangs forever. Line 1,919:
Line 1,935: − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + − + − + − + − + − + − + − + − + − + − + − + − + − +
no edit summary
|-
|-
| 6
| 6
| FALCON_CPUCTL_SCP_UNK
| FALCON_CPUCTL_START_SCP_LS
|}
|}
1: Light Secure
1: Light Secure
2: Heavy Secure
2: Heavy Secure
|-
| 4-5
| FALCON_SCTL_OLD_SEC_MODE
0: Non-secure
1: Light Secure
2: Heavy Secure
|-
| 12-13
| Unknown
|-
| 14
| Initialize the transition to LS mode
|}
|}
! Description
! Description
|-
|-
| 0-7
| 0-3
| Crypto fuc5 destination register or immediate value
| Crypto fuc5 destination register or immediate value
|-
|-
| 8-15
| 8-13
| Crypto fuc5 source register or immediate value
| Crypto fuc5 source register or immediate value
|-
|-
| 20-24
| 20-24
| Crypto fuc5 operation
| Crypto fuc5 operation
0x0: none (fuc5 opcode 0x00)
0x0: nop (fuc5 opcode 0x00)
0x1: cmov (fuc5 opcode 0x84)
0x1: cmov (fuc5 opcode 0x84)
0x2: cxsin (fuc5 opcode 0x88) or xdst (with cxset)
0x2: cxsin (fuc5 opcode 0x88) or xdst (with cxset)
0x3: cxsout (fuc5 opcode 0x8C) or xdld (with cxset)
0x3: cxsout (fuc5 opcode 0x8C) or xdld (with cxset)
0x4: crng (fuc5 opcode 0x90)
0x4: crnd (fuc5 opcode 0x90)
0x5: cs0begin (fuc5 opcode 0x94)
0x5: cs0begin (fuc5 opcode 0x94)
0x6: cs0exec (fuc5 opcode 0x98)
0x6: cs0exec (fuc5 opcode 0x98)
0x17: csigenc (fuc5 opcode 0xDC)
0x17: csigenc (fuc5 opcode 0xDC)
0x18: csigclr (fuc5 opcode 0xE0)
0x18: csigclr (fuc5 opcode 0xE0)
|-
| 28
| Unknown
|-
|-
| 31
| 31
|}
|}
== Authenticated Mode ==
== SCP ==
Part of the information here (which hasn't made it into envytools documentation yet) was shared by [https://wiki.0x04.net/wiki/Marcin_Ko%C5%9Bcielnicki mwk] from reverse engineering falcon processors over the years.
=== Authenticated Mode ===
==== Entry ====
From non-secure mode, upon jumping to a page marked as secret, a secret fault occurs. This causes the CPU to verify the region specified in $cauth against the MAC loaded in $c6. If the comparison is successful, the valid bit (bit0) is set on all pages in the $cauth region, and $pc is set to the base of the $cauth region. If the comparsion fails, the CPU is halted.
From non-secure mode, upon jumping to a page marked as secret, a secret fault occurs. This causes the CPU to verify the region specified in $cauth against the MAC loaded in $c6. If the comparison is successful, the valid bit (bit0) is set on all pages in the $cauth region, and $pc is set to the base of the $cauth region. If the comparsion fails, the CPU is halted.
==== Exit ====
The CPU automatically goes back to non-secure mode when returning back into non-secret pages. When this happens, the valid bit (bit0) in the TLB flags is cleared for all secret pages.
The CPU automatically goes back to non-secure mode when returning back into non-secret pages. When this happens, the valid bit (bit0) in the TLB flags is cleared for all secret pages.
==== Implementation ====
Under certain circumstances, it is possible to observe [[#csigauth|csigauth]] being briefly written to [[#TSEC_SCP_INSN_STAT|TSEC_SCP_INSN_STAT]] as "csigauth $c4 $c6" while the opcodes in [[#TSEC_SCP_AES_STAT|TSEC_SCP_AES_STAT]] are set to "cxsin" and "csigauth", respectively.
Under certain circumstances, it is possible to observe [[#csigauth|csigauth]] being briefly written to [[#TSEC_SCP_INSN_STAT|TSEC_SCP_INSN_STAT]] as "csigauth $c4 $c6" while the opcodes in [[#TSEC_SCP_AES_STAT|TSEC_SCP_AES_STAT]] are set to "cxsin" and "csigauth", respectively.
Via [[#TSEC_SCP_SEQ0_STAT|TSEC_SCP_SEQ0_STAT]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
Via [[#TSEC_SCP_SEQ0_STAT|TSEC_SCP_SEQ0_STAT]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
== Crypto processing ==
=== Operations ===
=== cauth ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Opcode
! Opcode
| 0x18 || csigenc || $cX || $cY || <code>if (has_sig) $cX = aes_enc(current_sig, $cY);</code> || ?
| 0x18 || csigenc || $cX || $cY || <code>if (has_sig) $cX = aes_enc(current_sig, $cY);</code> || ?
|}
|}
==== csigauth ====
<code>00000000: f5 3c XY d8 csigauth $cY $cX</code>
Takes 2 crypto registers as operands and is automatically executed when jumping to a code region previously uploaded as secret. This instruction does not work in secure mode.
==== csigclr ====
<code>00000000: f5 3c 00 e0 csigclr</code>
This instruction takes no operands and appears to clear the saved cauth signature used by the csigenc instruction.
==== cchmod ====
<code>00000000: f5 3c XY a8 cchmod $cY 0X</code> or <code>00000000: f5 3c XY a9 cchmod $cY 1X</code>
This instruction takes a crypto register and a 5 bit immediate value which represents the [[#ACL|ACL]] mask to set.
==== crnd ====
<code>00000000: f5 3c 0X 90 crnd $cX</code>
This instruction initializes a crypto register with random data.
Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:
* Write 0x7FFF to TSEC_TRNG_CLKDIV.
* Write 0x3FF0000 to TSEC_TRNG_UNK0.
* Write 0xFF00 to TSEC_TRNG_UNK7.
* Write 0x1000 to [[#TSEC_SCP_CTL_TRNG|TSEC_SCP_CTL_TRNG]].
Otherwise it hangs forever.
=== ACL ===
=== ACL ===
Spilling a $cX to DMEM using xdld instruction is allowed if (ACL($cX) & 2) or (ACL($cX) & 8), for secure and insecure mode respectively.
Spilling a $cX to DMEM using xdld instruction is allowed if (ACL($cX) & 2) or (ACL($cX) & 8), for secure and insecure mode respectively.
Loading a secret into $cX sets a per-secret ACL, unconditionally.
=== cauth ===
$cauth is a special purpose register in the CPU.
=== csigclr ===
{| class="wikitable" border="1"
! Bits
! Description
|-
| 0-7 || Start of region to authenticate (in 0x100 pages)
|-
| 8-15 || Unused
|-
| 16 || Use secret xfers (?)
|-
| 17 || Region is encrypted (?)
|-
| 18 || Unknown
|-
| 19 || Unknown
|-
| 20-23 || Unused
|-
| 31-24 || Size of region to authenticate (in 0x100 pages)
|}
=== cxset ===
=== cxset ===
{| class=wikitable
{| class=wikitable
! Index || Notes || Console-unique
! Index || ACL || Console-unique || Notes
|-
| 0x00 || 0x07 || No || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
|-
| 0x01 || 0x01 || || Used by nvhost_nvdec_bl020_prod firmware.
|-
| 0x02 || 0x01 || ||
|-
| 0x03 || 0x05 || || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|-
| 0x04 || 0x01 || || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|-
| 0x05 || 0x07 || || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
|-
| 0x06 || 0x05 || ||
|-
| 0x07 || 0x05 || || Used by [6.0.0+] nvhost_tsec firmware.
|-
| 0x08 || 0x01 || ||
|-
| 0x09 || 0x07 || || Used by nvhost_tsec firmware.
|-
| 0x0A || 0x05 || ||
|-
| 0x0B || 0x01 || || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|-
| 0x0C || 0x07 || ||
|-
| 0x0D || 0x05 || ||
|-
| 0x0E || 0x01 || ||
|-
| 0x0F || 0x07 || || Used by nvhost_tsec firmware.
|-
| 0x10 || 0x05 || || Used by [1.0.0-5.1.0] nvhost_tsec firmware.
|-
| 0x11 || 0x01 || ||
|-
| 0x12 || 0x07 || ||
|-
| 0x13 || 0x05 || ||
|-
| 0x14 || 0x01 || ||
|-
| 0x15 || 0x07 || || Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares.
|-
| 0x16 || 0x05 || ||
|-
| 0x17 || 0x01 || ||
|-
| 0x18 || 0x07 || ||
|-
| 0x19 || 0x05 || ||
|-
| 0x1A || 0x01 || ||
|-
| 0x1B || 0x07 || ||
|-
| 0x1C || 0x05 || ||
|-
| 0x1D || 0x01 || ||
|-
| 0x1E || 0x07 || ||
|-
| 0x1F || 0x05 || ||
|-
| 0x20 || 0x01 || ||
|-
| 0x21 || 0x07 || ||
|-
| 0x22 || 0x05 || ||
|-
| 0x23 || 0x01 || ||
|-
| 0x24 || 0x07 || ||
|-
| 0x25 || 0x05 || ||
|-
| 0x26 || 0x01 || No || Used by [[TSEC_Firmware#KeygenLdr|KeygenLdr]].
|-
| 0x27 || 0x07 || ||
|-
| 0x28 || 0x05 || ||
|-
| 0x29 || 0x01 || ||
|-
| 0x2A || 0x07 || ||
|-
| 0x2B || 0x05 || ||
|-
| 0x2C || 0x01 || ||
|-
| 0x2D || 0x07 || ||
|-
| 0x2E || 0x05 || ||
|-
| 0x2F || 0x01 || ||
|-
| 0x30 || 0x07 || ||
|-
| 0x31 || 0x05 || ||
|-
|-
| 0x00 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares. || No
| 0x32 || 0x01 || ||
|-
|-
| 0x01 || Used by nvhost_nvdec_bl020_prod firmware. ||
| 0x33 || 0x07 || ||
|-
|-
| 0x03 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. ||
| 0x34 || 0x05 || ||
|-
|-
| 0x04 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. ||
| 0x35 || 0x01 || ||
|-
|-
| 0x05 || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares. ||
| 0x36 || 0x07 || ||
|-
|-
| 0x07 || Used by [6.0.0+] nvhost_tsec firmware. ||
| 0x37 || 0x05 || ||
|-
|-
| 0x09 || Used by nvhost_tsec firmware. ||
| 0x38 || 0x01 || ||
|-
|-
| 0x0B || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. ||
| 0x39 || 0x07 || ||
|-
|-
| 0x0F || Used by nvhost_tsec firmware. ||
| 0x3A || 0x05 || ||
|-
|-
| 0x10 || Used by [1.0.0-5.1.0] nvhost_tsec firmware. ||
| 0x3B || 0x01 || ||
|-
|-
| 0x15 || Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares. ||
| 0x3C || 0x07 || || Used by nvhost_tsec firmware.
|-
|-
| 0x26 || Used by [[TSEC_Firmware#KeygenLdr|KeygenLdr]]. || No
| 0x3D || 0x05 || ||
|-
|-
| 0x3C || Used by nvhost_tsec firmware. ||
| 0x3E || 0x01 || ||
|-
|-
| 0x3F || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares. || Yes
| 0x3F || 0x01 || Yes || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
|}
|}