fusee/sept: changes for exo2 (note: not final)

fusee/fusee-secondary/src/key_derivation.c

@@ -227,9 +227,9 @@ int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, ui
         case ATMOSPHERE_TARGET_FIRMWARE_8_1_0:
         case ATMOSPHERE_TARGET_FIRMWARE_9_0_0:
             decrypt_data_into_keyslot(0xA, 0xF, devicekey_4x_seed, 0x10);
-            decrypt_data_into_keyslot(0xF, 0xF, devicekey_seed, 0x10);
-            decrypt_data_into_keyslot(0xE, 0xC, masterkey_4x_seed, 0x10);
-            decrypt_data_into_keyslot(0xC, 0xC, masterkey_seed, 0x10);
+            decrypt_data_into_keyslot(0xF, 0xF, devicekey_seed,    0x10);
+            decrypt_data_into_keyslot(0xD, 0xC, masterkey_seed,    0x10);
+            decrypt_data_into_keyslot(0xC, 0xC, masterkey_4x_seed, 0x10);
             break;
         default:
             return -1;
@@ -239,12 +239,6 @@ int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, ui
     return mkey_detect_revision(fuse_get_retail_type() != 0);
 }
 
-/* Sets final keyslot flags, for handover to TZ/Exosphere. Setting these will prevent the BPMP from using the device key or master key. */
-void finalize_nx_keydata(uint32_t target_firmware) {
-    set_aes_keyslot_flags(0xC, 0xFF);
-    set_aes_keyslot_flags((target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_4_0_0) ? (KEYSLOT_SWITCH_4XOLDDEVICEKEY) : (KEYSLOT_SWITCH_DEVICEKEY), 0xFF);
-}
-
 static void generate_specific_aes_key(void *dst, const void *wrapped_key, bool should_mask, uint32_t target_firmware, uint32_t generation) {
     unsigned int keyslot = (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_4_0_0) ? (devkey_get_keyslot(generation)) : (KEYSLOT_SWITCH_DEVICEKEY);
 

fusee/fusee-secondary/src/key_derivation.h

@@ -13,7 +13,7 @@
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
- 
+
 #ifndef FUSEE_KEYDERIVATION_H
 #define FUSEE_KEYDERIVATION_H
 
@@ -49,7 +49,6 @@ typedef struct nx_keyblob_t {
 
 int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, uint32_t available_revision, const void *tsec_key, void *tsec_root_key, unsigned int *out_keygen_type);
 int load_package1_key(uint32_t revision);
-void finalize_nx_keydata(uint32_t target_firmware);
 void derive_bis_key(void *dst, BisPartition partition_id, uint32_t target_firmware);
 
 #endif

fusee/fusee-secondary/src/nxboot.c

@@ -957,7 +957,7 @@ uint32_t nxboot_main(void) {
     if (MAILBOX_EXOSPHERE_CONFIGURATION->target_firmware < ATMOSPHERE_TARGET_FIRMWARE_4_0_0) {
         exosphere_memaddr = (void *)0x4002D000;
     } else {
-        exosphere_memaddr = (void *)0x4002B000;
+        exosphere_memaddr = (void *)0x40030000;
     }
 
     /* Copy Exosphère to a good location or read it directly to it. */

fusee/fusee-secondary/src/nxboot_iram.c

@@ -29,37 +29,6 @@
 
 void nxboot_finish(uint32_t boot_memaddr) {
     uint32_t target_firmware = MAILBOX_EXOSPHERE_CONFIGURATION->target_firmware;
-    volatile tegra_se_t *se = se_get_regs();
-
-    /* Clear used keyslots. */
-    clear_aes_keyslot(KEYSLOT_SWITCH_PACKAGE2KEY);
-    clear_aes_keyslot(KEYSLOT_SWITCH_RNGKEY);
-
-    /* Lock keyslots. */
-    set_aes_keyslot_flags(KEYSLOT_SWITCH_MASTERKEY, 0xFF);
-    if (target_firmware < ATMOSPHERE_TARGET_FIRMWARE_4_0_0) {
-        set_aes_keyslot_flags(KEYSLOT_SWITCH_DEVICEKEY, 0xFF);
-    } else {
-        set_aes_keyslot_flags(KEYSLOT_SWITCH_4XOLDDEVICEKEY, 0xFF);
-    }
-
-    /* Finalize the GPU UCODE carveout. */
-    /* NOTE: [4.0.0+] This is now done in the Secure Monitor. */
-    /* mc_config_carveout_finalize(); */
-
-    /* Lock AES keyslots. */
-    for (uint32_t i = 0; i < 16; i++)
-        set_aes_keyslot_flags(i, 0x15);
-
-    /* Lock RSA keyslots. */
-    for (uint32_t i = 0; i < 2; i++)
-        set_rsa_keyslot_flags(i, 1);
-
-    /* Lock the Security Engine. */
-    se->SE_TZRAM_SECURITY = 0;
-    se->SE_CRYPTO_SECURITY_PERKEY = 0;
-    se->SE_RSA_SECURITY_PERKEY = 0;
-    se->SE_SE_SECURITY &= 0xFFFFFFFB;
 
     /* Boot up Exosphère. */
     MAILBOX_NX_BOOTLOADER_IS_SECMON_AWAKE(target_firmware) = 0;

fusee/fusee-secondary/src/se.h

@@ -26,8 +26,8 @@
 #define KEYSLOT_SWITCH_TEMPKEY 0x9
 #define KEYSLOT_SWITCH_SESSIONKEY 0xA
 #define KEYSLOT_SWITCH_RNGKEY 0xB
-#define KEYSLOT_SWITCH_MASTERKEY 0xC
-#define KEYSLOT_SWITCH_DEVICEKEY 0xD
+#define KEYSLOT_SWITCH_MASTERKEY 0xD
+#define KEYSLOT_SWITCH_DEVICEKEY 0xC
 
 /* This keyslot was added in 4.0.0. */
 #define KEYSLOT_SWITCH_4XNEWDEVICEKEYGENKEY 0xD

sept/sept-secondary/src/key_derivation.c

@@ -63,11 +63,11 @@ void load_keys(const uint8_t *se_state) {
     /* Clear keyslot 0xB. */
     clear_aes_keyslot(0xB);
 
-    /* Copy master key out of state keyslot 0xC into keyslot 0xC. */
-    set_aes_keyslot(0xC, se_state + 0x30 + (0xC * 0x20), 0x10);
+    /* Copy firmware device key out of state keyslot 0xE into keyslot 0xC. */
+    set_aes_keyslot(0xC, se_state + 0x30 + (0xE * 0x20), 0x10);
 
-    /* Copy firmware device key out of state keyslot 0xE into keyslot 0xD. */
-    set_aes_keyslot(0xD, se_state + 0x30 + (0xE * 0x20), 0x10);
+    /* Copy master key out of state keyslot 0xC into keyslot 0xD. */
+    set_aes_keyslot(0xD, se_state + 0x30 + (0xC * 0x20), 0x10);
 
     /* Clear keyslot 0xE. */
     clear_aes_keyslot(0xE);
@@ -77,5 +77,5 @@ void load_keys(const uint8_t *se_state) {
 
     /* Set keyslot flags properly in preparation for secmon. */
     set_aes_keyslot_flags(0xE, 0x15);
-    set_aes_keyslot_flags(0xD, 0x15);
+    set_aes_keyslot_flags(0xC, 0x15);
 }