From 95a9e1e215832b36d398993a60dbc07f86f8bc4b Mon Sep 17 00:00:00 2001 From: Michael Scire Date: Tue, 18 Dec 2018 15:55:16 -0800 Subject: [PATCH] warmboot: add code for decrypting/restoring tzram. --- exosphere/lp0fw/src/pmc.h | 5 ++++ exosphere/lp0fw/src/se.c | 14 ++++++++++++ exosphere/lp0fw/src/se.h | 1 + exosphere/lp0fw/src/secmon.c | 44 +++++++++++++++++++++++++++++++++++- 4 files changed, 63 insertions(+), 1 deletion(-) diff --git a/exosphere/lp0fw/src/pmc.h b/exosphere/lp0fw/src/pmc.h index d4528e80c..2bee565a3 100644 --- a/exosphere/lp0fw/src/pmc.h +++ b/exosphere/lp0fw/src/pmc.h @@ -51,6 +51,11 @@ #define APBDEV_PMC_SECURE_SCRATCH34_0 MAKE_PMC_REG(0x368) #define APBDEV_PMC_SECURE_SCRATCH35_0 MAKE_PMC_REG(0x36C) +#define APBDEV_PMC_SECURE_SCRATCH112_0 MAKE_PMC_REG(0x718) +#define APBDEV_PMC_SECURE_SCRATCH113_0 MAKE_PMC_REG(0x71C) +#define APBDEV_PMC_SECURE_SCRATCH114_0 MAKE_PMC_REG(0x720) +#define APBDEV_PMC_SECURE_SCRATCH115_0 MAKE_PMC_REG(0x724) + #define APBDEV_PMC_IO_DPD3_REQ_0 MAKE_PMC_REG(0x45C) #define APBDEV_PMC_IO_DPD3_STATUS_0 MAKE_PMC_REG(0x460) diff --git a/exosphere/lp0fw/src/se.c b/exosphere/lp0fw/src/se.c index cb4f1ab98..f6ae15816 100644 --- a/exosphere/lp0fw/src/se.c +++ b/exosphere/lp0fw/src/se.c @@ -236,3 +236,17 @@ void se_compute_aes_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, con void se_compute_aes_256_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, const void *data, size_t data_size) { se_compute_aes_cmac(keyslot, cmac, cmac_size, data, data_size, 0x202); } + +void se_aes_256_cbc_decrypt(unsigned int keyslot, void *dst, size_t dst_size, const void *src, size_t src_size) { + volatile tegra_se_t *se = se_get_regs(); + + if (keyslot >= KEYSLOT_AES_MAX || src_size < 0x10) { + reboot(); + } + + se->CONFIG_REG = (ALG_AES_DEC | DST_MEMORY) | (0x202 << 16); + se->CRYPTO_REG = (keyslot << 24) | 0x66; + clear_aes_keyslot_iv(keyslot); + se->BLOCK_COUNT_REG = (src_size >> 4) - 1; + trigger_se_blocking_op(OP_START, dst, dst_size, src, src_size); +} \ No newline at end of file diff --git a/exosphere/lp0fw/src/se.h b/exosphere/lp0fw/src/se.h index b3e79f6e5..c9de02a99 100644 --- a/exosphere/lp0fw/src/se.h +++ b/exosphere/lp0fw/src/se.h @@ -183,5 +183,6 @@ void clear_rsa_keyslot(unsigned int keyslot); void clear_aes_keyslot_iv(unsigned int keyslot); void se_compute_aes_256_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, const void *data, size_t data_size); +void se_aes_256_cbc_decrypt(unsigned int keyslot, void *dst, size_t dst_size, const void *src, size_t src_size); #endif diff --git a/exosphere/lp0fw/src/secmon.c b/exosphere/lp0fw/src/secmon.c index 1fe3ea78a..d6ec9b1b8 100644 --- a/exosphere/lp0fw/src/secmon.c +++ b/exosphere/lp0fw/src/secmon.c @@ -25,6 +25,7 @@ /* "private" functions. */ static bool secmon_should_clear_aes_keyslot(unsigned int keyslot); static void secmon_clear_unused_keyslots(void); +static void secmon_decrypt_saved_image(void *dst, const void *src, size_t size); void secmon_restore_to_tzram(const uint32_t target_firmware) { /* Newer warmboot binaries clear the untouched keyslots for safety. */ @@ -32,10 +33,51 @@ void secmon_restore_to_tzram(const uint32_t target_firmware) { secmon_clear_unused_keyslots(); } + /* Decrypt Secure Monitor from DRAM into TZRAM. */ + void *tzram_src = (void *)(0x80010000); + void *tzram_dst = (void *)(target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_500 ? 0x7C012000 : 0x7C010000); + const size_t tzram_size = 0xE000; + secmon_decrypt_saved_image(tzram_dst, tzram_src, tzram_size); + + /* Nintendo clears DRAM, but I'm not sure why, given they lock out BPMP access to DRAM. */ + for (size_t i = 0; i < tzram_size/sizeof(uint32_t); i++) { + ((volatile uint32_t *)tzram_src)[i] = 0; + } + + /* Make security engine require secure busmaster. */ + se_get_regs()->_0x4 = 0; + /* TODO: stuff */ } +void secmon_decrypt_saved_image(void *dst, const void *src, size_t size) { + /* First, AES-256-CBC decrypt the image into TZRAM. */ + se_aes_256_cbc_decrypt(KEYSLOT_SWITCH_LP0TZRAMKEY, dst, size, src, size); + + /* Next, calculate CMAC. */ + uint32_t tzram_cmac[4] = {0, 0, 0, 0}; + se_compute_aes_256_cmac(KEYSLOT_SWITCH_LP0TZRAMKEY, tzram_cmac, sizeof(tzram_cmac), dst, size); + + /* Validate the MAC against saved one in PMC scratch. */ + if (tzram_cmac[0] != APBDEV_PMC_SECURE_SCRATCH112_0 || + tzram_cmac[1] != APBDEV_PMC_SECURE_SCRATCH113_0 || + tzram_cmac[2] != APBDEV_PMC_SECURE_SCRATCH114_0 || + tzram_cmac[3] != APBDEV_PMC_SECURE_SCRATCH115_0) { + reboot(); + } + + /* Clear the PMC scratch registers that hold the CMAC. */ + APBDEV_PMC_SECURE_SCRATCH112_0 = 0; + APBDEV_PMC_SECURE_SCRATCH113_0 = 0; + APBDEV_PMC_SECURE_SCRATCH114_0 = 0; + APBDEV_PMC_SECURE_SCRATCH115_0 = 0; + + /* Clear keyslot now that we're done with it. */ + clear_aes_keyslot(KEYSLOT_SWITCH_LP0TZRAMKEY); +} + bool secmon_should_clear_aes_keyslot(unsigned int keyslot) { + /* We'll just compare keyslot against a hardcoded list of keys. */ static const uint8_t saved_keyslots[6] = { KEYSLOT_SWITCH_LP0TZRAMKEY, KEYSLOT_SWITCH_SESSIONKEY, @@ -64,4 +106,4 @@ void secmon_clear_unused_keyslots(void) { for (unsigned int i = 0; i < KEYSLOT_RSA_MAX; i++) { clear_rsa_keyslot(i); } -} \ No newline at end of file +}