Changes

TSEC (view source)

Revision as of 19:53, 29 August 2019

781 bytes removed , 19:53, 29 August 2019

better names

Line 5: Line 5:

== Registers ==

−

~~Registers from~~ 0x54500000 to 0x54501000 ~~are used to configure the host interface~~ (~~HOST1X~~).

+

The TSEC's MMIO space is divided as follows:

−

+

* 0x54500000 to 0x54501000: THI (Tegra Host Interface)

−

~~Registers from~~ 0x54501000 to ~~0x54502000 are a MMIO window for communicating with the Falcon microprocessor. From this range, the subset of registers from~~ 0x54501400 ~~to 0x54501FE8 are specific to the TSEC and are subdivided into~~:

+

* 0x54501000 to 0x54501400: FALCON (Falcon microcontroller)

−

* 0x54501400 to 0x54501500: SCP (Secure Co-~~Processor~~).

+

* 0x54501400 to 0x54501500: SCP (Secure Co-processor)

−

* 0x54501500 to 0x54501600: ~~TRNG~~ (~~True~~ Random Number Generator).

+

* 0x54501500 to 0x54501600: RND (Random Number Generator)

−

* 0x54501600 to ~~0x54501700~~: TFBIF (Tegra Framebuffer Interface) ~~and~~ CG (Clock Gate).

+

* 0x54501600 to 0x54501680: TFBIF (Tegra Framebuffer Interface)

−

* 0x54501700 to 0x54501800: BAR0.

+

* 0x54501680 to 0x54501700: CG (Clock Gate)

−

* 0x54501800 to 0x54501900: TEGRA (~~miscellaneous~~ interfaces).

+

* 0x54501700 to 0x54501800: BAR0 (HOST1X device DMA)

+

* 0x54501800 to 0x54501900: TEGRA (Miscellaneous interfaces)

{| class="wikitable" border="1"

Line 655: Line 656:

| 0x04

|-

−

| ~~TSEC_SCP_UNK_10~~

+

| TSEC_SCP_CFG

| 0x54501410

| 0x04

|-

−

| ~~TSEC_SCP_UNK_14~~

+

| TSEC_SCP_CTL_SCP

| 0x54501414

| 0x04

Line 667: Line 668:

| 0x04

|-

−

| ~~TSEC_SCP_UNK_1C~~

+

| TSEC_SCP_CTL_DBG

| 0x5450141C

| 0x04

|-

−

| [[#~~TSEC_SCP_SEQ_CTL~~|~~TSEC_SCP_SEQ_CTL~~]]

+

| [[#TSEC_SCP_DBG0|TSEC_SCP_DBG0]]

| 0x54501420

| 0x04

|-

−

| [[#~~TSEC_SCP_SEQ_VAL~~|~~TSEC_SCP_SEQ_VAL~~]]

+

| [[#TSEC_SCP_DBG1|TSEC_SCP_DBG1]]

| 0x54501424

| 0x04

|-

−

| [[#~~TSEC_SCP_SEQ_STAT~~|~~TSEC_SCP_SEQ_STAT~~]]

+

| [[#TSEC_SCP_DBG2|TSEC_SCP_DBG2]]

| 0x54501428

| 0x04

|-

−

| [[#~~TSEC_SCP_INSN_STAT~~|~~TSEC_SCP_INSN_STAT~~]]

+

| [[#TSEC_SCP_CMD|TSEC_SCP_CMD]]

| 0x54501430

| 0x04

|-

−

| ~~TSEC_SCP_UNK_50~~

+

| TSEC_SCP_STAT0

| 0x54501450

| 0x04

|-

−

| [[#~~TSEC_SCP_AUTH_STAT~~|~~TSEC_SCP_AUTH_STAT~~]]

+

| [[#TSEC_SCP_STAT1|TSEC_SCP_STAT1]]

| 0x54501454

| 0x04

|-

−

| [[#~~TSEC_SCP_AES_STAT~~|~~TSEC_SCP_AES_STAT~~]]

+

| [[#TSEC_SCP_STAT2|TSEC_SCP_STAT2]]

| 0x54501458

| 0x04

|-

−

| ~~TSEC_SCP_UNK_70~~

+

| TSEC_SCP_RND_STAT0

| 0x54501470

+

| 0x04

+

|-

+

| TSEC_SCP_RND_STAT1

+

| 0x54501474

| 0x04

|-

Line 715: Line 720:

| 0x04

|-

−

| ~~TSEC_SCP_UNK_94~~

+

| TSEC_SCP_SEC_ERR

| 0x54501494

| 0x04

|-

−

| [[#~~TSEC_SCP_INSN_ERR~~|~~TSEC_SCP_INSN_ERR~~]]

+

| [[#TSEC_SCP_CMD_ERR|TSEC_SCP_CMD_ERR]]

| 0x54501498

| 0x04

|-

−

| ~~TSEC_TRNG_CLK_LIMIT_LOW~~

+

| TSEC_RND_CTL0

| 0x54501500

| 0x04

|-

−

| ~~TSEC_TRNG_CLK_LIMIT_HIGH~~

+

| TSEC_RND_CTL1

| 0x54501504

| 0x04

|-

−

| ~~TSEC_TRNG_UNK_08~~

+

| TSEC_RND_CTL2

| 0x54501508

| 0x04

|-

−

| ~~TSEC_TRNG_TEST_CTL~~

+

| TSEC_RND_CTL3

| 0x5450150C

| 0x04

|-

−

| ~~TSEC_TRNG_TEST_CFG0~~

+

| TSEC_RND_CTL4

| 0x54501510

| 0x04

|-

−

| ~~TSEC_TRNG_TEST_SEED0~~

+

| TSEC_RND_CTL5

| 0x54501514

| 0x04

|-

−

| ~~TSEC_TRNG_TEST_CFG1~~

+

| TSEC_RND_CTL6

| 0x54501518

| 0x04

|-

−

| ~~TSEC_TRNG_TEST_SEED1~~

+

| TSEC_RND_CTL7

| 0x5450151C

| 0x04

|-

−

| ~~TSEC_TRNG_UNK_20~~

+

| TSEC_RND_CTL8

| 0x54501520

| 0x04

|-

−

| ~~TSEC_TRNG_UNK_24~~

+

| TSEC_RND_CTL9

| 0x54501524

| 0x04

|-

−

| ~~TSEC_TRNG_UNK_28~~

+

| TSEC_RND_CTL10

| 0x54501528

| 0x04

|-

−

| ~~TSEC_TRNG_CTL~~

+

| TSEC_RND_CTL11

| 0x5450152C

| 0x04

Line 2,464: Line 2,469:

|-

| 20

−

| Enable ~~TSEC_SCP_INSN_STAT register~~

+

| Enable the CMD interface

|}

Line 2,473: Line 2,478:

|-

| 11

−

| Enable ~~TRNG~~ testing mode

+

| Enable RND testing mode

|-

| 12

−

| Enable the ~~TRNG~~

+

| Enable the RND interface

|}

Line 2,494: Line 2,499:

|-

| 0

−

| ~~Disable reads for the SCP and TRNG register blocks~~

+

| Enable lockdown mode

|-

| 1

−

| ~~Disable reads for the TFBIF register block~~

+

|

|-

| 2

−

| ~~Disable reads for the DMA register block~~

+

|

|-

| 3

−

| ~~Disable reads for the TEGRA register block~~

+

|

|-

| 4

−

| ~~Disable writes for~~ the SCP and ~~TRNG register blocks~~

+

| Lock the SCP and RND

|-

| 5

−

| ~~Disable writes for the TFBIF register block~~

+

|

|-

| 6

−

| ~~Disable writes for the DMA register block~~

+

|

|-

| 7

−

| ~~Disable writes for the TEGRA register block~~

+

|

|}

−

~~Locks accesses to sub-engines~~ and can only be cleared in Heavy Secure mode.

+

Controls lockdown mode and can only be cleared in Heavy Secure mode.

=== TSEC_SCP_CTL_PKEY ===

Line 2,532: Line 2,537:

|}

−

=== ~~TSEC_SCP_SEQ_CTL~~ ===

+

=== TSEC_SCP_DBG0 ===

{| class="wikitable" border="1"

! Bits

Line 2,549: Line 2,554:

Controls the last crypto sequence (cs0 or cs1) created.

−

=== ~~TSEC_SCP_SEQ_VAL~~ ===

+

=== TSEC_SCP_DBG1 ===

{| class="wikitable" border="1"

! Bits

Line 2,566: Line 2,571:

Contains information on the last crypto sequence (cs0 or cs1) created.

−

=== ~~TSEC_SCP_SEQ_STAT~~ ===

+

=== TSEC_SCP_DBG2 ===

{| class="wikitable" border="1"

! Bits

Line 2,583: Line 2,588:

Contains information on the last crypto sequence (cs0 or cs1) executed.

−

=== ~~TSEC_SCP_INSN_STAT~~ ===

+

=== TSEC_SCP_CMD ===

{| class="wikitable" border="1"

! Bits

Line 2,623: Line 2,628:

|-

| 28

−

| Set if the ~~instruction~~ is valid

+

| Set if the command is valid

|-

| 31

Line 2,629: Line 2,634:

|}

−

Contains information on the last crypto ~~instruction~~ executed.

+

Contains information on the last crypto command executed.

−

=== ~~TSEC_SCP_AUTH_STAT~~ ===

+

=== TSEC_SCP_STAT1 ===

{| class="wikitable" border="1"

! Bits

Line 2,642: Line 2,647:

Contains information on the last authentication attempt.

−

=== ~~TSEC_SCP_AES_STAT~~ ===

+

=== TSEC_SCP_STAT2 ===

{| class="wikitable" border="1"

! Bits

Line 2,669: Line 2,674:

|-

| 0

−

| ~~TSEC_SCP_IRQSTAT_TRNG~~

+

| RND ready

|-

| 8

−

| ~~TSEC_SCP_IRQSTAT_ACL_ERROR~~

+

| ACL error

|-

| 12

−

| ~~Unknown~~

+

| SEC error

|-

| 16

−

| ~~TSEC_SCP_IRQSTAT_INSN_ERROR~~

+

| CMD error

|-

| 20

−

| ~~TSEC_SCP_IRQSTAT_SINGLE_STEP~~

+

| Single step

|-

| 24

−

| ~~Unknown~~

+

|

|-

| 28

−

| ~~Unknown~~

+

|

|}

Line 2,698: Line 2,703:

|-

| 0

−

| ~~TSEC_SCP_IRQMASK_TRNG~~

+

| RND ready

|-

| 8

−

| ~~TSEC_SCP_IRQMASK_ACL_ERROR~~

+

| ACL error

|-

| 12

−

| ~~Unknown~~

+

| SEC error

|-

| 16

−

| ~~TSEC_SCP_IRQMASK_INSN_ERROR~~

+

| CMD error

|-

| 20

−

| ~~TSEC_SCP_IRQMASK_SINGLE_STEP~~

+

| Single step

|-

| 24

−

| ~~Unknown~~

+

|

|-

| 28

−

| ~~Unknown~~

+

|

|}

Line 2,739: Line 2,744:

|}

−

Contains information on the status generated by the [[#TSEC_SCP_IRQSTAT|~~TSEC_SCP_IRQSTAT_ACL_ERROR~~]] IRQ.

+

Contains information on the status generated by the [[#TSEC_SCP_IRQSTAT|ACL error]] IRQ.

−

=== ~~TSEC_SCP_INSN_ERR~~ ===

+

=== TSEC_SCP_CMD_ERR ===

{| class="wikitable" border="1"

! Bits

Line 2,747: Line 2,752:

|-

| 0

−

| Invalid ~~instruction~~

+

| Invalid command

|-

| 4

Line 2,768: Line 2,773:

|}

−

Contains information on crypto errors generated by the [[#TSEC_SCP_IRQSTAT|~~TSEC_SCP_IRQSTAT_INSN_ERROR~~]] IRQ.

+

Contains information on crypto errors generated by the [[#TSEC_SCP_IRQSTAT|CMD error]] IRQ.

=== TSEC_TFBIF_CTL ===

Line 3,140: Line 3,145:

==== Implementation ====

−

Under certain circumstances, it is possible to observe [[#csigauth|csigauth]] being briefly written to [[#~~TSEC_SCP_INSN_STAT~~|~~TSEC_SCP_INSN_STAT~~]] as "csigauth $c4 $c6" while the opcodes in [[#~~TSEC_SCP_AES_STAT~~|~~TSEC_SCP_AES_STAT~~]] are set to "cxsin" and "csigauth", respectively.

+

Under certain circumstances, it is possible to observe [[#csigauth|csigauth]] being briefly written to [[#TSEC_SCP_CMD|TSEC_SCP_CMD]] as "csigauth $c4 $c6" while the opcodes in [[#TSEC_SCP_STAT2|TSEC_SCP_STAT2]] are set to "cxsin" and "csigauth", respectively.

−

Via [[#~~TSEC_SCP_SEQ_CTL~~|~~TSEC_SCP_SEQ_CTL~~]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.

+

Via [[#TSEC_SCP_DBG0|TSEC_SCP_DBG0]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.

=== Operations ===

Line 3,225: Line 3,230:

Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:

−

* Write 0x7FFF to ~~TSEC_TRNG_CLK_LIMIT_LOW~~.

+

* Write 0x7FFF to TSEC_RND_CTL0.

−

* Write 0x3FF0000 to ~~TSEC_TRNG_CLK_LIMIT_HIGH~~.

+

* Write 0x3FF0000 to TSEC_RND_CTL1.

−

* Write 0xFF00 to ~~TSEC_TRNG_CTL~~.

+

* Write 0xFF00 to TSEC_RND_CTL11.

* Write 0x1000 to [[#TSEC_SCP_CTL1|TSEC_SCP_CTL1]].

Hexkyz

Bureaucrats, Administrators

2,787

edits