warmboot: add code for decrypting/restoring tzram.

This commit is contained in:
Michael Scire 2018-12-18 15:55:16 -08:00
parent 3924a2ef76
commit 95a9e1e215
4 changed files with 63 additions and 1 deletions

View file

@ -51,6 +51,11 @@
#define APBDEV_PMC_SECURE_SCRATCH34_0 MAKE_PMC_REG(0x368) #define APBDEV_PMC_SECURE_SCRATCH34_0 MAKE_PMC_REG(0x368)
#define APBDEV_PMC_SECURE_SCRATCH35_0 MAKE_PMC_REG(0x36C) #define APBDEV_PMC_SECURE_SCRATCH35_0 MAKE_PMC_REG(0x36C)
#define APBDEV_PMC_SECURE_SCRATCH112_0 MAKE_PMC_REG(0x718)
#define APBDEV_PMC_SECURE_SCRATCH113_0 MAKE_PMC_REG(0x71C)
#define APBDEV_PMC_SECURE_SCRATCH114_0 MAKE_PMC_REG(0x720)
#define APBDEV_PMC_SECURE_SCRATCH115_0 MAKE_PMC_REG(0x724)
#define APBDEV_PMC_IO_DPD3_REQ_0 MAKE_PMC_REG(0x45C) #define APBDEV_PMC_IO_DPD3_REQ_0 MAKE_PMC_REG(0x45C)
#define APBDEV_PMC_IO_DPD3_STATUS_0 MAKE_PMC_REG(0x460) #define APBDEV_PMC_IO_DPD3_STATUS_0 MAKE_PMC_REG(0x460)

View file

@ -236,3 +236,17 @@ void se_compute_aes_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, con
void se_compute_aes_256_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, const void *data, size_t data_size) { void se_compute_aes_256_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, const void *data, size_t data_size) {
se_compute_aes_cmac(keyslot, cmac, cmac_size, data, data_size, 0x202); se_compute_aes_cmac(keyslot, cmac, cmac_size, data, data_size, 0x202);
} }
void se_aes_256_cbc_decrypt(unsigned int keyslot, void *dst, size_t dst_size, const void *src, size_t src_size) {
volatile tegra_se_t *se = se_get_regs();
if (keyslot >= KEYSLOT_AES_MAX || src_size < 0x10) {
reboot();
}
se->CONFIG_REG = (ALG_AES_DEC | DST_MEMORY) | (0x202 << 16);
se->CRYPTO_REG = (keyslot << 24) | 0x66;
clear_aes_keyslot_iv(keyslot);
se->BLOCK_COUNT_REG = (src_size >> 4) - 1;
trigger_se_blocking_op(OP_START, dst, dst_size, src, src_size);
}

View file

@ -183,5 +183,6 @@ void clear_rsa_keyslot(unsigned int keyslot);
void clear_aes_keyslot_iv(unsigned int keyslot); void clear_aes_keyslot_iv(unsigned int keyslot);
void se_compute_aes_256_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, const void *data, size_t data_size); void se_compute_aes_256_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, const void *data, size_t data_size);
void se_aes_256_cbc_decrypt(unsigned int keyslot, void *dst, size_t dst_size, const void *src, size_t src_size);
#endif #endif

View file

@ -25,6 +25,7 @@
/* "private" functions. */ /* "private" functions. */
static bool secmon_should_clear_aes_keyslot(unsigned int keyslot); static bool secmon_should_clear_aes_keyslot(unsigned int keyslot);
static void secmon_clear_unused_keyslots(void); static void secmon_clear_unused_keyslots(void);
static void secmon_decrypt_saved_image(void *dst, const void *src, size_t size);
void secmon_restore_to_tzram(const uint32_t target_firmware) { void secmon_restore_to_tzram(const uint32_t target_firmware) {
/* Newer warmboot binaries clear the untouched keyslots for safety. */ /* Newer warmboot binaries clear the untouched keyslots for safety. */
@ -32,10 +33,51 @@ void secmon_restore_to_tzram(const uint32_t target_firmware) {
secmon_clear_unused_keyslots(); secmon_clear_unused_keyslots();
} }
/* Decrypt Secure Monitor from DRAM into TZRAM. */
void *tzram_src = (void *)(0x80010000);
void *tzram_dst = (void *)(target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_500 ? 0x7C012000 : 0x7C010000);
const size_t tzram_size = 0xE000;
secmon_decrypt_saved_image(tzram_dst, tzram_src, tzram_size);
/* Nintendo clears DRAM, but I'm not sure why, given they lock out BPMP access to DRAM. */
for (size_t i = 0; i < tzram_size/sizeof(uint32_t); i++) {
((volatile uint32_t *)tzram_src)[i] = 0;
}
/* Make security engine require secure busmaster. */
se_get_regs()->_0x4 = 0;
/* TODO: stuff */ /* TODO: stuff */
} }
void secmon_decrypt_saved_image(void *dst, const void *src, size_t size) {
/* First, AES-256-CBC decrypt the image into TZRAM. */
se_aes_256_cbc_decrypt(KEYSLOT_SWITCH_LP0TZRAMKEY, dst, size, src, size);
/* Next, calculate CMAC. */
uint32_t tzram_cmac[4] = {0, 0, 0, 0};
se_compute_aes_256_cmac(KEYSLOT_SWITCH_LP0TZRAMKEY, tzram_cmac, sizeof(tzram_cmac), dst, size);
/* Validate the MAC against saved one in PMC scratch. */
if (tzram_cmac[0] != APBDEV_PMC_SECURE_SCRATCH112_0 ||
tzram_cmac[1] != APBDEV_PMC_SECURE_SCRATCH113_0 ||
tzram_cmac[2] != APBDEV_PMC_SECURE_SCRATCH114_0 ||
tzram_cmac[3] != APBDEV_PMC_SECURE_SCRATCH115_0) {
reboot();
}
/* Clear the PMC scratch registers that hold the CMAC. */
APBDEV_PMC_SECURE_SCRATCH112_0 = 0;
APBDEV_PMC_SECURE_SCRATCH113_0 = 0;
APBDEV_PMC_SECURE_SCRATCH114_0 = 0;
APBDEV_PMC_SECURE_SCRATCH115_0 = 0;
/* Clear keyslot now that we're done with it. */
clear_aes_keyslot(KEYSLOT_SWITCH_LP0TZRAMKEY);
}
bool secmon_should_clear_aes_keyslot(unsigned int keyslot) { bool secmon_should_clear_aes_keyslot(unsigned int keyslot) {
/* We'll just compare keyslot against a hardcoded list of keys. */
static const uint8_t saved_keyslots[6] = { static const uint8_t saved_keyslots[6] = {
KEYSLOT_SWITCH_LP0TZRAMKEY, KEYSLOT_SWITCH_LP0TZRAMKEY,
KEYSLOT_SWITCH_SESSIONKEY, KEYSLOT_SWITCH_SESSIONKEY,
@ -64,4 +106,4 @@ void secmon_clear_unused_keyslots(void) {
for (unsigned int i = 0; i < KEYSLOT_RSA_MAX; i++) { for (unsigned int i = 0; i < KEYSLOT_RSA_MAX; i++) {
clear_rsa_keyslot(i); clear_rsa_keyslot(i);
} }
} }