sept-s: Implement key derivation

This commit is contained in:
Michael Scire 2019-02-20 11:31:36 -08:00
parent fb2baa8c8d
commit f1068d6c3f
4 changed files with 141 additions and 16 deletions

View file

@ -28,6 +28,7 @@
#include "mc.h" #include "mc.h"
#include "se.h" #include "se.h"
#include "pmc.h" #include "pmc.h"
#include "emc.h"
#include "fuse.h" #include "fuse.h"
#include "i2c.h" #include "i2c.h"
#include "ips.h" #include "ips.h"
@ -308,6 +309,12 @@ static void nxboot_move_bootconfig() {
free(bootconfig); free(bootconfig);
} }
static bool get_and_clear_has_run_sept(void) {
bool has_run_sept = (MAKE_EMC_REG(EMC_SCRATCH0) & 0x80000000) != 0;
MAKE_EMC_REG(EMC_SCRATCH0) &= ~0x80000000;
return has_run_sept;
}
/* This is the main function responsible for booting Horizon. */ /* This is the main function responsible for booting Horizon. */
static nx_keyblob_t __attribute__((aligned(16))) g_keyblobs[32]; static nx_keyblob_t __attribute__((aligned(16))) g_keyblobs[32];
uint32_t nxboot_main(void) { uint32_t nxboot_main(void) {
@ -412,23 +419,15 @@ uint32_t nxboot_main(void) {
} }
} }
if (target_firmware == ATMOSPHERE_TARGET_FIRMWARE_700) {
/* TODO: Detect when we have been loaded by sept-secondary, and thus have keys provided for us. */
reboot_to_sept(tsec_fw, tsec_fw_size, sept_secondary_enc, sept_secondary_enc_size);
}
print(SCREEN_LOG_LEVEL_MANDATORY, "[NXBOOT]: Loaded firmware from eMMC...\n"); print(SCREEN_LOG_LEVEL_MANDATORY, "[NXBOOT]: Loaded firmware from eMMC...\n");
/* Get the TSEC keys. */ /* Get the TSEC keys. */
uint8_t tsec_key[0x10] = {0}; uint8_t tsec_key[0x10] = {0};
uint8_t tsec_root_keys[0x20][0x10] = {0}; uint8_t tsec_root_keys[0x20][0x10] = {0};
if (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_700) { if (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_700) {
/* TODO: what else to do here? */ /* Detect whether we need to run sept-secondary in order to derive keys. */
if (!get_and_clear_has_run_sept()) {
/* Patch TSEC firmware to exit after generating TSEC key. */ reboot_to_sept(tsec_fw, tsec_fw_size, sept_secondary_enc, sept_secondary_enc_size);
*((volatile uint16_t *)((uintptr_t)tsec_fw + 0x2DB5)) = 0x02F8;
if (tsec_get_key(tsec_key, 1, tsec_fw, tsec_fw_size) != 0) {
fatal_error("[NXBOOT]: Failed to get TSEC key!\n");
} }
} else if (target_firmware == ATMOSPHERE_TARGET_FIRMWARE_620) { } else if (target_firmware == ATMOSPHERE_TARGET_FIRMWARE_620) {
uint8_t tsec_keys[0x20] = {0}; uint8_t tsec_keys[0x20] = {0};
@ -446,11 +445,13 @@ uint32_t nxboot_main(void) {
} }
} }
/* Derive keydata. */ /* Derive keydata. If on 7.0.0+, sept has already derived keys for us. */
unsigned int keygen_type = 0; unsigned int keygen_type = 0;
if (target_firmware < ATMOSPHERE_TARGET_FIRMWARE_700) {
if (derive_nx_keydata(target_firmware, g_keyblobs, available_revision, tsec_key, tsec_root_keys, &keygen_type) != 0) { if (derive_nx_keydata(target_firmware, g_keyblobs, available_revision, tsec_key, tsec_root_keys, &keygen_type) != 0) {
fatal_error("[NXBOOT]: Key derivation failed!\n"); fatal_error("[NXBOOT]: Key derivation failed!\n");
} }
}
/* Setup boot configuration for Exosphère. */ /* Setup boot configuration for Exosphère. */
nxboot_configure_exosphere(target_firmware, keygen_type); nxboot_configure_exosphere(target_firmware, keygen_type);

View file

@ -0,0 +1,85 @@
/*
* Copyright (c) 2018 Atmosphère-NX
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <stdio.h>
#include "key_derivation.h"
#include "se.h"
#include "fuse.h"
#include "utils.h"
#define AL16 ALIGN(16)
static const uint8_t AL16 keyblob_seed_00[0x10] = {
0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3
};
static const uint8_t AL16 masterkey_seed[0x10] = {
0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C
};
static const uint8_t AL16 devicekey_seed[0x10] = {
0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78
};
static const uint8_t AL16 devicekey_4x_seed[0x10] = {
0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28
};
static const uint8_t AL16 masterkey_4x_seed[0x10] = {
0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66
};
static const uint8_t AL16 new_master_kek_seed_7x[0x10] = {
0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C
};
void derive_7x_keys(const void *tsec_key, void *tsec_root_key) {
uint8_t AL16 work_buffer[0x10];
uint8_t AL16 master_kek[0x10];
/* Set keyslot flags properly in preparation of derivation. */
set_aes_keyslot_flags(0xE, 0x15);
set_aes_keyslot_flags(0xD, 0x15);
/* Set the TSEC key. */
set_aes_keyslot(0xD, tsec_key, 0x10);
/* Derive keyblob key 0. */
se_aes_ecb_decrypt_block(0xD, work_buffer, 0x10, keyblob_seed_00, 0x10);
decrypt_data_into_keyslot(0xF, 0xE, work_buffer, 0x10);
/* Derive the master kek. */
set_aes_keyslot(0xC, tsec_root_key, 0x10);
se_aes_ecb_decrypt_block(0xC, master_kek, 0x10, new_master_kek_seed_7x, 0x10);
/* Clear the SBK. */
clear_aes_keyslot(0xE);
/* Set master kek. */
set_aes_keyslot(0xC, master_kek, 0x10);
/* Derive keys for exosphere. */
decrypt_data_into_keyslot(0xA, 0xF, devicekey_4x_seed, 0x10);
decrypt_data_into_keyslot(0xF, 0xF, devicekey_seed, 0x10);
decrypt_data_into_keyslot(0xE, 0xC, masterkey_4x_seed, 0x10);
decrypt_data_into_keyslot(0xC, 0xC, masterkey_seed, 0x10);
/* Clear master kek from memory. */
for (size_t i = 0; i < sizeof(master_kek); i++) {
master_kek[i] = 0xCC;
work_buffer[i] = 0xCC;
}
}

View file

@ -0,0 +1,26 @@
/*
* Copyright (c) 2018 Atmosphère-NX
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef SEPT_KEYDERIVATION_H
#define SEPT_KEYDERIVATION_H
#include <stddef.h>
#include <stdbool.h>
#include <stdint.h>
void derive_7x_keys(const void *tsec_key, void *tsec_root_key);
#endif

View file

@ -21,6 +21,8 @@
#include "di.h" #include "di.h"
#include "se.h" #include "se.h"
#include "pmc.h" #include "pmc.h"
#include "emc.h"
#include "key_derivation.h"
#include "timers.h" #include "timers.h"
#include "fs_utils.h" #include "fs_utils.h"
#include "stage2.h" #include "stage2.h"
@ -151,9 +153,20 @@ int main(void) {
/* Say hello. */ /* Say hello. */
print(SCREEN_LOG_LEVEL_MANDATORY, "Welcome to Atmosph\xe8re sept-secondary!\n"); print(SCREEN_LOG_LEVEL_MANDATORY, "Welcome to Atmosph\xe8re sept-secondary!\n");
while (true) { }
/* TODO: Derive keys. */ /* Derive keys. */
derive_7x_keys(g_tsec_key, g_tsec_root_key);
/* Cleanup keys in memory. */
for (size_t i = 0; i < 0x10; i += 4) {
g_tsec_root_key[i/4] = 0xCCCCCCCC;
g_tsec_key[i/4] = 0xCCCCCCCC;
}
/* Mark EMC scratch to say that sept has run. */
MAKE_EMC_REG(EMC_SCRATCH0) |= 0x80000000;
while (true) { }
/* TODO: Chainload to payload. */ /* TODO: Chainload to payload. */