fusee: Add full 6.2.0 support via SMMU virtualization.

This commit is contained in:
hexkyz 2018-11-29 23:32:31 +00:00
parent e321f0ac04
commit ed37706915
11 changed files with 495 additions and 74 deletions

View file

@ -36,8 +36,10 @@
#define MC_SMMU_PTB_DATA 0x20 #define MC_SMMU_PTB_DATA 0x20
#define MC_SMMU_TLB_FLUSH 0x30 #define MC_SMMU_TLB_FLUSH 0x30
#define MC_SMMU_PTC_FLUSH 0x34 #define MC_SMMU_PTC_FLUSH 0x34
#define MC_SMMU_ASID_SECURITY 0x38
#define MC_SMMU_AFI_ASID 0x238 #define MC_SMMU_AFI_ASID 0x238
#define MC_SMMU_AVPC_ASID 0x23c #define MC_SMMU_AVPC_ASID 0x23c
#define MC_SMMU_TSEC_ASID 0x294
#define MC_SMMU_PPCS1_ASID 0x298 #define MC_SMMU_PPCS1_ASID 0x298
#define MC_SMMU_TRANSLATION_ENABLE_0 0x228 #define MC_SMMU_TRANSLATION_ENABLE_0 0x228
#define MC_SMMU_TRANSLATION_ENABLE_1 0x22c #define MC_SMMU_TRANSLATION_ENABLE_1 0x22c

View file

@ -20,7 +20,6 @@
#include "se.h" #include "se.h"
#include "exocfg.h" #include "exocfg.h"
#include "fuse.h" #include "fuse.h"
#include "tsec.h"
#include "extkeys.h" #include "extkeys.h"
#include "utils.h" #include "utils.h"
@ -61,10 +60,6 @@ static const uint8_t AL16 new_master_kek_seeds[1][0x10] = {
static nx_dec_keyblob_t AL16 g_dec_keyblobs[32]; static nx_dec_keyblob_t AL16 g_dec_keyblobs[32];
static int get_tsec_key(void *dst, const void *tsec_fw, size_t tsec_fw_size, uint32_t tsec_key_id) {
return tsec_get_key(dst, tsec_key_id, tsec_fw, tsec_fw_size);
}
static int get_keyblob(nx_keyblob_t *dst, uint32_t revision, const nx_keyblob_t *keyblobs, uint32_t available_revision) { static int get_keyblob(nx_keyblob_t *dst, uint32_t revision, const nx_keyblob_t *keyblobs, uint32_t available_revision) {
if (revision >= 0x20) { if (revision >= 0x20) {
return -1; return -1;
@ -123,20 +118,18 @@ int load_package1_key(uint32_t revision) {
} }
/* Derive all Switch keys. */ /* Derive all Switch keys. */
int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, uint32_t available_revision, const void *tsec_fw, size_t tsec_fw_size, unsigned int *out_keygen_type) { int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, uint32_t available_revision, const void *tsec_key, void *tsec_root_key, unsigned int *out_keygen_type) {
uint8_t AL16 tsec_key[0x10];
uint8_t AL16 work_buffer[0x10]; uint8_t AL16 work_buffer[0x10];
uint8_t AL16 zeroes[0x10] = {0}; uint8_t AL16 zeroes[0x10] = {0};
/* Initialize keygen type. */
*out_keygen_type = 0;
/* TODO: Set keyslot flags properly in preparation of derivation. */ /* TODO: Set keyslot flags properly in preparation of derivation. */
set_aes_keyslot_flags(0xE, 0x15); set_aes_keyslot_flags(0xE, 0x15);
set_aes_keyslot_flags(0xD, 0x15); set_aes_keyslot_flags(0xD, 0x15);
/* Set TSEC key. */ /* Set the TSEC key. */
if (get_tsec_key(tsec_key, tsec_fw, tsec_fw_size, 1) != 0) {
return -1;
}
set_aes_keyslot(0xD, tsec_key, 0x10); set_aes_keyslot(0xD, tsec_key, 0x10);
/* Decrypt all keyblobs, setting keyslot 0xF correctly. */ /* Decrypt all keyblobs, setting keyslot 0xF correctly. */
@ -147,10 +140,17 @@ int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, ui
} }
} }
/* Do 6.2.0+ keygen. */
/* TODO: Eventually do 6.2.0+ keygen properly? */
*out_keygen_type = 0;
if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) { if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
if (memcmp(tsec_root_key, zeroes, 0x10) != 0) {
/* We got a valid key from emulation. */
set_aes_keyslot(0xC, tsec_root_key, 0x10);
for (unsigned int rev = MASTERKEY_REVISION_620_CURRENT; rev < MASTERKEY_REVISION_MAX; rev++) {
se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, new_master_kek_seeds[rev - MASTERKEY_REVISION_620_CURRENT], 0x10);
memcpy(g_dec_keyblobs[rev].master_kek, work_buffer, 0x10);
}
} else {
/* Try reading the keys from a file. */
const char *keyfile = fuse_get_retail_type() != 0 ? "atmosphere/prod.keys" : "atmosphere/dev.keys"; const char *keyfile = fuse_get_retail_type() != 0 ? "atmosphere/prod.keys" : "atmosphere/dev.keys";
FILE *extkey_file = fopen(keyfile, "r"); FILE *extkey_file = fopen(keyfile, "r");
AL16 fusee_extkeys_t extkeys = {0}; AL16 fusee_extkeys_t extkeys = {0};
@ -171,6 +171,7 @@ int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, ui
memcpy(g_dec_keyblobs[rev].master_kek, extkeys.master_keks[rev], 0x10); memcpy(g_dec_keyblobs[rev].master_kek, extkeys.master_keks[rev], 0x10);
} }
} }
}
if (memcmp(g_dec_keyblobs[available_revision].master_kek, zeroes, 0x10) == 0) { if (memcmp(g_dec_keyblobs[available_revision].master_kek, zeroes, 0x10) == 0) {
fatal_error("Error: failed to derive master_kek_%02x!", available_revision); fatal_error("Error: failed to derive master_kek_%02x!", available_revision);

View file

@ -47,7 +47,7 @@ typedef struct nx_keyblob_t {
}; };
} nx_keyblob_t; } nx_keyblob_t;
int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, uint32_t available_revision, const void *tsec_fw, size_t tsec_fw_size, unsigned int *out_keygen_type); int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, uint32_t available_revision, const void *tsec_key, void *tsec_root_key, unsigned int *out_keygen_type);
int load_package1_key(uint32_t revision); int load_package1_key(uint32_t revision);
void finalize_nx_keydata(uint32_t target_firmware); void finalize_nx_keydata(uint32_t target_firmware);
void derive_bis_key(void *dst, BisPartition partition_id, uint32_t target_firmware); void derive_bis_key(void *dst, BisPartition partition_id, uint32_t target_firmware);

View file

@ -36,8 +36,10 @@
#define MC_SMMU_PTB_DATA 0x20 #define MC_SMMU_PTB_DATA 0x20
#define MC_SMMU_TLB_FLUSH 0x30 #define MC_SMMU_TLB_FLUSH 0x30
#define MC_SMMU_PTC_FLUSH 0x34 #define MC_SMMU_PTC_FLUSH 0x34
#define MC_SMMU_ASID_SECURITY 0x38
#define MC_SMMU_AFI_ASID 0x238 #define MC_SMMU_AFI_ASID 0x238
#define MC_SMMU_AVPC_ASID 0x23c #define MC_SMMU_AVPC_ASID 0x23c
#define MC_SMMU_TSEC_ASID 0x294
#define MC_SMMU_PPCS1_ASID 0x298 #define MC_SMMU_PPCS1_ASID 0x298
#define MC_SMMU_TRANSLATION_ENABLE_0 0x228 #define MC_SMMU_TRANSLATION_ENABLE_0 0x228
#define MC_SMMU_TRANSLATION_ENABLE_1 0x22c #define MC_SMMU_TRANSLATION_ENABLE_1 0x22c

View file

@ -36,6 +36,8 @@
#include "key_derivation.h" #include "key_derivation.h"
#include "package1.h" #include "package1.h"
#include "package2.h" #include "package2.h"
#include "smmu.h"
#include "tsec.h"
#include "loader.h" #include "loader.h"
#include "splash_screen.h" #include "splash_screen.h"
#include "exocfg.h" #include "exocfg.h"
@ -311,9 +313,28 @@ uint32_t nxboot_main(void) {
print(SCREEN_LOG_LEVEL_MANDATORY, "[NXBOOT]: Loaded firmware from eMMC...\n"); print(SCREEN_LOG_LEVEL_MANDATORY, "[NXBOOT]: Loaded firmware from eMMC...\n");
/* Get the TSEC keys. */
uint8_t tsec_key[0x10] = {0};
uint8_t tsec_root_key[0x10] = {0};
if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
uint8_t tsec_keys[0x20] = {0};
/* Emulate the TSEC payload on 6.2.0+. */
smmu_emulate_tsec((void *)tsec_keys, package1loader, package1loader_size, package1loader);
/* Copy back the keys. */
memcpy((void *)tsec_key, (void *)tsec_keys, 0x10);
memcpy((void *)tsec_root_key, (void *)tsec_keys + 0x10, 0x10);
} else {
/* Run the TSEC payload and get the key. */
if (tsec_get_key(tsec_key, 1, tsec_fw, tsec_fw_size) != 0) {
fatal_error("[NXBOOT]: Failed to get TSEC key!\n");
}
}
/* Derive keydata. */ /* Derive keydata. */
unsigned int keygen_type = 0; unsigned int keygen_type = 0;
if (derive_nx_keydata(target_firmware, g_keyblobs, available_revision, tsec_fw, tsec_fw_size, &keygen_type) != 0) { if (derive_nx_keydata(target_firmware, g_keyblobs, available_revision, tsec_key, tsec_root_key, &keygen_type) != 0) {
fatal_error("[NXBOOT]: Key derivation failed!\n"); fatal_error("[NXBOOT]: Key derivation failed!\n");
} }
@ -343,6 +364,15 @@ uint32_t nxboot_main(void) {
fatal_error("[NXBOOT]: Could not read the warmboot firmware from %s!\n", loader_ctx->warmboot_path); fatal_error("[NXBOOT]: Could not read the warmboot firmware from %s!\n", loader_ctx->warmboot_path);
} }
} else { } else {
if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
/* Package1 was decrypted during TSEC emulation. */
const uint8_t *package1_hdr = (const uint8_t *)package1loader + 0x7000 - 0x20;
package1 = (package1_header_t *)(package1_hdr + 0x20);
package1_size = *(uint32_t *)package1_hdr;
warmboot_fw = package1_get_warmboot_fw(package1);
warmboot_fw_size = package1->warmboot_size;
} else {
/* Decrypt package1 and extract the warmboot firmware. */
uint8_t ctr[16]; uint8_t ctr[16];
package1_size = package1_get_encrypted_package1(&package1, ctr, package1loader, package1loader_size); package1_size = package1_get_encrypted_package1(&package1, ctr, package1loader, package1loader_size);
if (package1_decrypt(package1, package1_size, ctr)) { if (package1_decrypt(package1, package1_size, ctr)) {
@ -352,6 +382,7 @@ uint32_t nxboot_main(void) {
warmboot_fw = NULL; warmboot_fw = NULL;
warmboot_fw_size = 0; warmboot_fw_size = 0;
} }
}
if (warmboot_fw_size == 0) { if (warmboot_fw_size == 0) {
fatal_error("[NXBOOT]: Could not read the warmboot firmware from Package1!\n"); fatal_error("[NXBOOT]: Could not read the warmboot firmware from Package1!\n");

View file

@ -23,7 +23,9 @@
#include "mc.h" #include "mc.h"
#include "nxboot.h" #include "nxboot.h"
#include "se.h" #include "se.h"
#include "smmu.h"
#include "timers.h" #include "timers.h"
#include "sysreg.h"
void nxboot_finish(uint32_t boot_memaddr) { void nxboot_finish(uint32_t boot_memaddr) {
volatile tegra_se_t *se = se_get_regs(); volatile tegra_se_t *se = se_get_regs();
@ -69,8 +71,21 @@ void nxboot_finish(uint32_t boot_memaddr) {
/* Terminate the display. */ /* Terminate the display. */
display_end(); display_end();
/* Check if SMMU emulation has been used. */
uint32_t smmu_magic = *(uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0xFC);
if (smmu_magic == 0xDEADC0DE) {
/* Clear the magic. */
*(uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0xFC) = 0;
/* Pass the boot address to the already running payload. */
*(uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0xF0) = boot_memaddr;
/* Wait a while. */
mdelay(500);
} else {
/* Boot CPU0. */ /* Boot CPU0. */
cluster_boot_cpu0(boot_memaddr); cluster_boot_cpu0(boot_memaddr);
}
/* Wait for Exosphère to wake up. */ /* Wait for Exosphère to wake up. */
while (MAILBOX_NX_BOOTLOADER_IS_SECMON_AWAKE == 0) { while (MAILBOX_NX_BOOTLOADER_IS_SECMON_AWAKE == 0) {

View file

@ -131,7 +131,7 @@ void *package1_get_warmboot_fw(const package1_header_t *package1) {
https://github.com/ARM-software/arm-trusted-firmware/blob/master/plat/nvidia/tegra/common/aarch64/tegra_helpers.S#L312 https://github.com/ARM-software/arm-trusted-firmware/blob/master/plat/nvidia/tegra/common/aarch64/tegra_helpers.S#L312
and thus by 0xD5034FDF. and thus by 0xD5034FDF.
Nx-bootloader seems to always start by 0xE328F0C0 (msr cpsr_f, 0xc0). Nx-bootloader starts by 0xE328F0C0 (msr cpsr_f, 0xc0) before 6.2.0 and by 0xF0C0A7F0 afterwards.
*/ */
const uint32_t *data = (const uint32_t *)package1->data; const uint32_t *data = (const uint32_t *)package1->data;
for (size_t i = 0; i < 3; i++) { for (size_t i = 0; i < 3; i++) {
@ -140,6 +140,7 @@ void *package1_get_warmboot_fw(const package1_header_t *package1) {
data += package1->secmon_size / 4; data += package1->secmon_size / 4;
break; break;
case 0xE328F0C0: case 0xE328F0C0:
case 0xF0C0A7F0:
data += package1->nx_bootloader_size / 4; data += package1->nx_bootloader_size / 4;
break; break;
default: default:

View file

@ -0,0 +1,259 @@
/*
* Copyright (c) 2018 Atmosphère-NX
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "smmu.h"
#include "cluster.h"
#include "mc.h"
#include "timers.h"
#include "tsec.h"
void *smmu_heap = (void *)SMMU_HEAP_BASE_ADDR;
static void safe_memcpy(void *dst, void *src, uint32_t sz) {
/* Aligned memcpy to read MMIO correctly. */
for (size_t i = 0; i < (sz/4); i++) {
((volatile uint32_t *)dst)[i] = ((volatile uint32_t *)src)[i];
}
}
static void smmu_flush_ppsb() {
/* Read-back barrier for interactions between the PPSB and the APB/AHB. */
(void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
}
static void smmu_flush_regs() {
/* Flush all TLB and PTC entries. */
MAKE_MC_REG(MC_SMMU_PTC_FLUSH) = 0;
smmu_flush_ppsb();
MAKE_MC_REG(MC_SMMU_TLB_FLUSH) = 0;
smmu_flush_ppsb();
}
static void *smmu_alloc_page(uint32_t page_count) {
void *cur_page = smmu_heap;
smmu_heap += (page_count * SMMU_PAGE_SIZE);
memset(cur_page, 0, (page_count * SMMU_PAGE_SIZE));
return cur_page;
}
static uint32_t *smmu_alloc_pdir() {
uint32_t *pdir = (uint32_t *)smmu_alloc_page(1);
for (int pdn = 0; pdn < SMMU_PDIR_COUNT; pdn++) {
pdir[pdn] = _PDE_VACANT(pdn);
}
return pdir;
}
static uint32_t *smmu_locate_pte(uint32_t *pdir_page, uint32_t iova) {
uint32_t ptn = SMMU_ADDR_TO_PFN(iova);
uint32_t pdn = SMMU_ADDR_TO_PDN(iova);
uint32_t *pdir = pdir_page;
uint32_t *ptbl;
if (pdir[pdn] != _PDE_VACANT(pdn)) {
/* Mapped entry table already exists. */
ptbl = (uint32_t *)SMMU_EX_PTBL_PAGE(pdir[pdn]);
} else {
/* Allocate page table. */
ptbl = (uint32_t *)smmu_alloc_page(1);
uint32_t addr = SMMU_PDN_TO_ADDR(pdn);
for (int pn = 0; pn < SMMU_PTBL_COUNT; pn++, addr += SMMU_PAGE_SIZE) {
ptbl[pn] = _PTE_VACANT(addr);
}
pdir[pdn] = SMMU_MK_PDE((uint32_t)ptbl, _PDE_ATTR | _PDE_NEXT);
smmu_flush_regs();
}
return &ptbl[ptn % SMMU_PTBL_COUNT];
}
static void smmu_map(uint32_t *pdir, uint32_t addr, uint32_t ptpage, int pcount, uint32_t pte_attr) {
for (int i = 0; i < pcount; i++) {
uint32_t *pte = smmu_locate_pte(pdir, addr);
*pte = SMMU_PFN_TO_PTE(SMMU_ADDR_TO_PFN(ptpage), pte_attr);
addr += SMMU_PAGE_SIZE;
ptpage += SMMU_PAGE_SIZE;
}
smmu_flush_regs();
}
static uint32_t *smmu_setup_tsec_as(uint32_t asid) {
/* Allocate the page directory. */
uint32_t *pdir_page = smmu_alloc_pdir();
/* Set the PTB ASID and point it to the PDIR. */
MAKE_MC_REG(MC_SMMU_PTB_ASID) = asid;
MAKE_MC_REG(MC_SMMU_PTB_DATA) = SMMU_MK_PDIR((uint32_t)pdir_page, _PDIR_ATTR);
smmu_flush_ppsb();
/* Assign the ASID to TSEC. */
MAKE_MC_REG(MC_SMMU_TSEC_ASID) = SMMU_ASID_ENABLE((asid << 24) | (asid << 16) | (asid << 8) | asid);
smmu_flush_ppsb();
return pdir_page;
}
static void smmu_clear_tsec_as(uint32_t asid) {
/* Set the PTB ASID and clear it's data. */
MAKE_MC_REG(MC_SMMU_PTB_ASID) = asid;
MAKE_MC_REG(MC_SMMU_PTB_DATA) = 0;
/* Clear the ASID from TSEC. */
MAKE_MC_REG(MC_SMMU_TSEC_ASID) = SMMU_ASID_DISABLE;
smmu_flush_ppsb();
}
static void smmu_enable() {
/* AARCH64 payload for enabling the SMMU. */
/* Write 1 to MC_SMMU_CONFIG, read back and write the result to 0x40003F80. */
/* This will leave the CPU waiting until 0x40003FF0 is set to Exosphère's address. */
static const uint32_t aarch64_payload[20] = {
0x52800020, 0x58000162, 0x58000183, 0xB9000040,
0xB9400041, 0xB9000061, 0x58000142, 0xF9400040,
0xF100001F, 0x54FFFFA0, 0xD61F0000, 0x00000000,
0x70019010, 0x00000000, 0x40003F80, 0x00000000,
0x40003FF0, 0x00000000, 0x00000000, 0x00000000
};
/* Reset Translation Enable Registers. */
MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_0) = 0xFFFFFFFF;
MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_1) = 0xFFFFFFFF;
MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_2) = 0xFFFFFFFF;
MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_3) = 0xFFFFFFFF;
MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_4) = 0xFFFFFFFF;
/* Setup initial TLB and PTC configuration. */
MAKE_MC_REG(MC_SMMU_PTB_ASID) = 0;
MAKE_MC_REG(MC_SMMU_PTB_DATA) = 0;
MAKE_MC_REG(MC_SMMU_TLB_CONFIG) = 0x30000030;
MAKE_MC_REG(MC_SMMU_PTC_CONFIG) = 0x2800003F;
smmu_flush_regs();
/* Power on the CCPLEX to enable the SMMU globally (requires a secure write). */
volatile uint32_t *aarch64_payload_res = (volatile uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0x80);
memset((void *)SMMU_AARCH64_PAYLOAD_ADDR, 0, 0x100);
memcpy((void *)SMMU_AARCH64_PAYLOAD_ADDR, aarch64_payload, 20 * 4);
cluster_boot_cpu0(SMMU_AARCH64_PAYLOAD_ADDR);
mdelay(500);
if (*aarch64_payload_res != 1) {
fatal_error("[SMMU]: Failed to enable SMMU!\n");
}
/* Write magic for nxboot. */
*(uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0xFC) = 0xDEADC0DE;
/* Flush TLB and PTC entries. */
smmu_flush_regs();
}
void smmu_emulate_tsec(void *tsec_keys, const void *package1, size_t package1_size, void *package1_dec) {
volatile tegra_tsec_t *tsec = tsec_get_regs();
/* Backup IRAM to DRAM. */
memcpy((void *)SMMU_IRAM_BACKUP_ADDR, (void *)0x40010000, 0x30000);
/* Copy package1 into IRAM. */
memcpy((void *)0x40010000, package1, package1_size);
/* Load the TSEC firmware from IRAM. */
if (tsec_load_fw((void *)(0x40010000 + 0xE00), 0x2900) < 0) {
fatal_error("[SMMU]: Failed to load TSEC firmware!\n");
}
/* Disable the aperture since it has precedence over the SMMU. */
mc_disable_ahb_redirect();
/* Setup TSEC's address space. */
uint32_t *pdir = smmu_setup_tsec_as(1);
/* Allocate pages for MMIO and IRAM. */
volatile uint32_t *car_page = smmu_alloc_page(1);
volatile uint32_t *fuse_page = smmu_alloc_page(1);
volatile uint32_t *pmc_page = smmu_alloc_page(1);
volatile uint32_t *flow_page = smmu_alloc_page(1);
volatile uint32_t *se_page = smmu_alloc_page(1);
volatile uint32_t *mc_page = smmu_alloc_page(1);
volatile uint32_t *iram_pages = smmu_alloc_page(48);
volatile uint32_t *expv_page = smmu_alloc_page(1);
/* Copy CAR, MC and FUSE. */
safe_memcpy((void *)car_page, (void *)0x60006000, 0x1000);
safe_memcpy((void *)mc_page, (void *)0x70019000, 0x1000);
safe_memcpy((void *)&fuse_page[0x800/4], (void *)0x7000F800, 0x400);
/* Copy IRAM. */
memcpy((void *)iram_pages, (void *)0x40010000, 0x30000);
/* TSEC wants CLK_RST_CONTROLLER_CLK_SOURCE_TSEC_0 to be equal to 2. */
car_page[0x1F4/4] = 2;
/* TSEC wants the aperture fully open. */
mc_page[0x65C/4] = 0;
mc_page[0x660/4] = 0x80000000;
/* Map all necessary pages. */
smmu_map(pdir, 0x60006000, (uint32_t)car_page, 1, _READABLE | _WRITABLE | _NONSECURE);
smmu_map(pdir, 0x7000F000, (uint32_t)fuse_page, 1, _READABLE | _NONSECURE);
smmu_map(pdir, 0x7000E000, (uint32_t)pmc_page, 1, _READABLE | _NONSECURE);
smmu_map(pdir, 0x60007000, (uint32_t)flow_page, 1, _WRITABLE | _NONSECURE);
smmu_map(pdir, 0x70012000, (uint32_t)se_page, 1, _READABLE | _WRITABLE | _NONSECURE);
smmu_map(pdir, 0x70019000, (uint32_t)mc_page, 1, _READABLE | _NONSECURE);
smmu_map(pdir, 0x40010000, (uint32_t)iram_pages, 48, _READABLE | _WRITABLE | _NONSECURE);
smmu_map(pdir, 0x6000F000, (uint32_t)expv_page, 1, _READABLE | _WRITABLE | _NONSECURE);
/* Enable the SMMU. */
smmu_enable();
/* Run the TSEC firmware. */
tsec_run_fw();
/* Extract the keys from SE. */
uint32_t key_buf[0x20/4] = {0};
volatile uint32_t *key_data = (volatile uint32_t *)((void *)se_page + 0x320);
uint32_t old_key_data = *key_data;
uint32_t buf_counter = 0;
while (!(tsec->FALCON_CPUCTL & 0x10)) {
if (*key_data != old_key_data) {
old_key_data = *key_data;
key_buf[buf_counter] = *key_data;
buf_counter++;
}
}
/* Check if the TSEC firmware wrote over the exception vectors. */
volatile uint32_t *tsec_done_check = (volatile uint32_t *)((void *)expv_page + 0x200);
if (!(*tsec_done_check)) {
fatal_error("[SMMU]: Failed to emulate the TSEC firmware!\n");
}
/* Copy back the extracted keys. */
memcpy((void *)tsec_keys, (void *)key_buf, 0x20);
/* Manually disable TSEC clocks. */
tsec_disable_clkrst();
/* Clear TSEC's address space. */
smmu_clear_tsec_as(1);
/* Enable back the aperture. */
mc_enable_ahb_redirect();
/* Return the decrypted package1 from emulated IRAM. */
memcpy(package1_dec, (void *)iram_pages, package1_size);
/* Restore IRAM from DRAM. */
memcpy((void *)0x40010000, (void *)SMMU_IRAM_BACKUP_ADDR, 0x30000);
}

View file

@ -0,0 +1,63 @@
/*
* Copyright (c) 2018 Atmosphère-NX
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef FUSEE_SMMU_H_
#define FUSEE_SMMU_H_
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#define SMMU_HEAP_BASE_ADDR 0x81000000
#define SMMU_IRAM_BACKUP_ADDR 0x82000000
#define SMMU_AARCH64_PAYLOAD_ADDR 0x40003F00
#define SMMU_PAGE_SHIFT 12
#define SMMU_PAGE_SIZE (1 << SMMU_PAGE_SHIFT)
#define SMMU_PDIR_COUNT 1024
#define SMMU_PDIR_SIZE (sizeof(uint32_t) * SMMU_PDIR_COUNT)
#define SMMU_PTBL_COUNT 1024
#define SMMU_PTBL_SIZE (sizeof(uint32_t) * SMMU_PTBL_COUNT)
#define SMMU_PDIR_SHIFT 12
#define SMMU_PDE_SHIFT 12
#define SMMU_PTE_SHIFT 12
#define SMMU_PFN_MASK 0x000fffff
#define SMMU_PDE_NEXT_SHIFT 28
#define SMMU_ADDR_TO_PFN(addr) ((addr) >> 12)
#define SMMU_ADDR_TO_PDN(addr) ((addr) >> 22)
#define SMMU_PDN_TO_ADDR(pdn) ((pdn) << 22)
#define _READABLE (1 << 31)
#define _WRITABLE (1 << 30)
#define _NONSECURE (1 << 29)
#define _PDE_NEXT (1 << SMMU_PDE_NEXT_SHIFT)
#define _MASK_ATTR (_READABLE | _WRITABLE | _NONSECURE)
#define _PDIR_ATTR (_READABLE | _WRITABLE | _NONSECURE)
#define _PDE_ATTR (_READABLE | _WRITABLE | _NONSECURE)
#define _PDE_ATTR_N (_PDE_ATTR | _PDE_NEXT)
#define _PDE_VACANT(pdn) (((pdn) << 10) | _PDE_ATTR)
#define _PTE_ATTR (_READABLE | _WRITABLE | _NONSECURE)
#define _PTE_VACANT(addr) (((addr) >> SMMU_PAGE_SHIFT) | _PTE_ATTR)
#define SMMU_MK_PDIR(page, attr) (((page) >> SMMU_PDIR_SHIFT) | (attr))
#define SMMU_MK_PDE(page, attr) (((page) >> SMMU_PDE_SHIFT) | (attr))
#define SMMU_EX_PTBL_PAGE(pde) (((pde) & SMMU_PFN_MASK) << SMMU_PDIR_SHIFT)
#define SMMU_PFN_TO_PTE(pfn, attr) ((pfn) | (attr))
#define SMMU_ASID_ENABLE(asid) ((asid) | (1 << 31))
#define SMMU_ASID_DISABLE 0
#define SMMU_ASID_ASID(n) ((n) & ~SMMU_ASID_ENABLE(0))
void smmu_emulate_tsec(void *tsec_keys, const void *package1, size_t package1_size, void *package1_dec);
#endif

View file

@ -49,17 +49,34 @@ static int tsec_dma_phys_to_flcn(bool is_imem, uint32_t flcn_offset, uint32_t ph
return tsec_dma_wait_idle(); return tsec_dma_wait_idle();
} }
int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw_size) void tsec_enable_clkrst()
{ {
volatile tegra_tsec_t *tsec = tsec_get_regs(); /* Enable all devices used by TSEC. */
/* Enable clocks. */
clkrst_reboot(CARDEVICE_HOST1X); clkrst_reboot(CARDEVICE_HOST1X);
clkrst_reboot(CARDEVICE_TSEC); clkrst_reboot(CARDEVICE_TSEC);
clkrst_reboot(CARDEVICE_SOR_SAFE); clkrst_reboot(CARDEVICE_SOR_SAFE);
clkrst_reboot(CARDEVICE_SOR0); clkrst_reboot(CARDEVICE_SOR0);
clkrst_reboot(CARDEVICE_SOR1); clkrst_reboot(CARDEVICE_SOR1);
clkrst_reboot(CARDEVICE_KFUSE); clkrst_reboot(CARDEVICE_KFUSE);
}
void tsec_disable_clkrst()
{
/* Disable all devices used by TSEC. */
clkrst_disable(CARDEVICE_KFUSE);
clkrst_disable(CARDEVICE_SOR1);
clkrst_disable(CARDEVICE_SOR0);
clkrst_disable(CARDEVICE_SOR_SAFE);
clkrst_disable(CARDEVICE_TSEC);
clkrst_disable(CARDEVICE_HOST1X);
}
int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw_size)
{
volatile tegra_tsec_t *tsec = tsec_get_regs();
/* Enable clocks. */
tsec_enable_clkrst();
/* Configure Falcon. */ /* Configure Falcon. */
tsec->FALCON_DMACTL = 0; tsec->FALCON_DMACTL = 0;
@ -70,12 +87,7 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw
if (!tsec_dma_wait_idle()) if (!tsec_dma_wait_idle())
{ {
/* Disable clocks. */ /* Disable clocks. */
clkrst_disable(CARDEVICE_KFUSE); tsec_disable_clkrst();
clkrst_disable(CARDEVICE_SOR1);
clkrst_disable(CARDEVICE_SOR0);
clkrst_disable(CARDEVICE_SOR_SAFE);
clkrst_disable(CARDEVICE_TSEC);
clkrst_disable(CARDEVICE_HOST1X);
return -1; return -1;
} }
@ -87,12 +99,7 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw
if (!tsec_dma_phys_to_flcn(true, addr, addr)) if (!tsec_dma_phys_to_flcn(true, addr, addr))
{ {
/* Disable clocks. */ /* Disable clocks. */
clkrst_disable(CARDEVICE_KFUSE); tsec_disable_clkrst();
clkrst_disable(CARDEVICE_SOR1);
clkrst_disable(CARDEVICE_SOR0);
clkrst_disable(CARDEVICE_SOR_SAFE);
clkrst_disable(CARDEVICE_TSEC);
clkrst_disable(CARDEVICE_HOST1X);
return -2; return -2;
} }
@ -110,12 +117,7 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw
if (!tsec_dma_wait_idle()) if (!tsec_dma_wait_idle())
{ {
/* Disable clocks. */ /* Disable clocks. */
clkrst_disable(CARDEVICE_KFUSE); tsec_disable_clkrst();
clkrst_disable(CARDEVICE_SOR1);
clkrst_disable(CARDEVICE_SOR0);
clkrst_disable(CARDEVICE_SOR_SAFE);
clkrst_disable(CARDEVICE_TSEC);
clkrst_disable(CARDEVICE_HOST1X);
return -3; return -3;
} }
@ -126,12 +128,7 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw
if (get_time_ms() > timeout) if (get_time_ms() > timeout)
{ {
/* Disable clocks. */ /* Disable clocks. */
clkrst_disable(CARDEVICE_KFUSE); tsec_disable_clkrst();
clkrst_disable(CARDEVICE_SOR1);
clkrst_disable(CARDEVICE_SOR0);
clkrst_disable(CARDEVICE_SOR_SAFE);
clkrst_disable(CARDEVICE_TSEC);
clkrst_disable(CARDEVICE_HOST1X);
return -4; return -4;
} }
@ -140,12 +137,7 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw
if (tsec->FALCON_SCRATCH1 != 0xB0B0B0B0) if (tsec->FALCON_SCRATCH1 != 0xB0B0B0B0)
{ {
/* Disable clocks. */ /* Disable clocks. */
clkrst_disable(CARDEVICE_KFUSE); tsec_disable_clkrst();
clkrst_disable(CARDEVICE_SOR1);
clkrst_disable(CARDEVICE_SOR0);
clkrst_disable(CARDEVICE_SOR_SAFE);
clkrst_disable(CARDEVICE_TSEC);
clkrst_disable(CARDEVICE_HOST1X);
return -5; return -5;
} }
@ -171,3 +163,54 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw
return 0; return 0;
} }
int tsec_load_fw(const void *tsec_fw, size_t tsec_fw_size)
{
volatile tegra_tsec_t *tsec = tsec_get_regs();
/* Enable clocks. */
tsec_enable_clkrst();
/* Configure Falcon. */
tsec->FALCON_DMACTL = 0;
tsec->FALCON_IRQMSET = 0xFFF2;
tsec->FALCON_IRQDEST = 0xFFF0;
tsec->FALCON_ITFEN = 3;
if (!tsec_dma_wait_idle())
{
/* Disable clocks. */
tsec_disable_clkrst();
return -1;
}
/* Load firmware. */
tsec->FALCON_DMATRFBASE = (uint32_t)tsec_fw >> 8;
for (uint32_t addr = 0; addr < tsec_fw_size; addr += 0x100)
{
if (!tsec_dma_phys_to_flcn(true, addr, addr))
{
/* Disable clocks. */
tsec_disable_clkrst();
return -2;
}
}
return 0;
}
void tsec_run_fw()
{
volatile tegra_tsec_t *tsec = tsec_get_regs();
/* Unknown host1x write. */
MAKE_HOST1X_REG(0x3300) = 0x34C2E1DA;
/* Execute firmware. */
tsec->FALCON_SCRATCH1 = 0;
tsec->FALCON_SCRATCH0 = 1;
tsec->FALCON_BOOTVEC = 0;
tsec->FALCON_CPUCTL = 2;
}

View file

@ -109,6 +109,10 @@ static inline volatile tegra_tsec_t *tsec_get_regs(void)
return (volatile tegra_tsec_t *)TSEC_BASE; return (volatile tegra_tsec_t *)TSEC_BASE;
} }
void tsec_enable_clkrst();
void tsec_disable_clkrst();
int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw_size); int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw_size);
int tsec_load_fw(const void *tsec_fw, size_t tsec_fw_size);
void tsec_run_fw();
#endif #endif