spl: implement SslService, some of EsService

stratosphere/spl/source/spl_es_service.cpp

@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2018-2019 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <switch.h>
+#include <stratosphere.hpp>
+
+#include "spl_es_service.hpp"
+
+Result EsService::ImportEsKey(InPointer<u8> src, AccessKey access_key, KeySource key_source, u32 option) {
+    return this->GetSecureMonitorWrapper()->ImportEsKey(src.pointer, src.num_elements, access_key, key_source, option);
+}
+
+Result EsService::UnwrapTitleKey(Out<AccessKey> out_access_key, InPointer<u8> base, InPointer<u8> mod, InPointer<u8> label_digest, u32 generation) {
+    /* TODO */
+    return ResultKernelConnectionClosed;
+}
+
+Result EsService::UnwrapCommonTitleKey(Out<AccessKey> out_access_key, KeySource key_source, u32 generation) {
+    /* TODO */
+    return ResultKernelConnectionClosed;
+}
+
+Result EsService::ImportDrmKey(InPointer<u8> src, AccessKey access_key, KeySource key_source) {
+    return this->GetSecureMonitorWrapper()->ImportDrmKey(src.pointer, src.num_elements, access_key, key_source);
+}
+
+Result EsService::DrmExpMod(OutPointerWithClientSize<u8> out, InPointer<u8> base, InPointer<u8> mod) {
+    return this->GetSecureMonitorWrapper()->DrmExpMod(out.pointer, out.num_elements, base.pointer, base.num_elements, mod.pointer, mod.num_elements);
+}
+
+Result EsService::UnwrapElicenseKey(Out<AccessKey> out_access_key, InPointer<u8> base, InPointer<u8> mod, InPointer<u8> label_digest, u32 generation) {
+    /* TODO */
+    return ResultKernelConnectionClosed;
+}
+
+Result EsService::LoadElicenseKey(u32 keyslot, AccessKey access_key) {
+    /* TODO */
+    return ResultKernelConnectionClosed;
+}

stratosphere/spl/source/spl_es_service.hpp

@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2018-2019 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+#include <switch.h>
+#include <stratosphere.hpp>
+
+#include "spl_types.hpp"
+#include "spl_rsa_service.hpp"
+
+class EsService : public RsaService {
+    public:
+        EsService(SecureMonitorWrapper *sw) : RsaService(sw) {
+            /* ... */
+        }
+
+        virtual ~EsService() {
+            /* ... */
+        }
+    protected:
+        /* Actual commands. */
+        virtual Result ImportEsKey(InPointer<u8> src, AccessKey access_key, KeySource key_source, u32 option);
+        virtual Result UnwrapTitleKey(Out<AccessKey> out_access_key, InPointer<u8> base, InPointer<u8> mod, InPointer<u8> label_digest, u32 generation);
+        virtual Result UnwrapCommonTitleKey(Out<AccessKey> out_access_key, KeySource key_source, u32 generation);
+        virtual Result ImportDrmKey(InPointer<u8> src, AccessKey access_key, KeySource key_source);
+        virtual Result DrmExpMod(OutPointerWithClientSize<u8> out, InPointer<u8> base, InPointer<u8> mod);
+        virtual Result UnwrapElicenseKey(Out<AccessKey> out_access_key, InPointer<u8> base, InPointer<u8> mod, InPointer<u8> label_digest, u32 generation);
+        virtual Result LoadElicenseKey(u32 keyslot, AccessKey access_key);
+    public:
+        DEFINE_SERVICE_DISPATCH_TABLE {
+            MakeServiceCommandMeta<Spl_Cmd_GetConfig, &EsService::GetConfig>(),
+            MakeServiceCommandMeta<Spl_Cmd_ExpMod, &EsService::ExpMod>(),
+            MakeServiceCommandMeta<Spl_Cmd_SetConfig, &EsService::SetConfig>(),
+            MakeServiceCommandMeta<Spl_Cmd_GenerateRandomBytes, &EsService::GenerateRandomBytes>(),
+            MakeServiceCommandMeta<Spl_Cmd_IsDevelopment, &EsService::IsDevelopment>(),
+            MakeServiceCommandMeta<Spl_Cmd_SetBootReason, &EsService::SetBootReason, FirmwareVersion_300>(),
+            MakeServiceCommandMeta<Spl_Cmd_GetBootReason, &EsService::GetBootReason, FirmwareVersion_300>(),
+            MakeServiceCommandMeta<Spl_Cmd_GenerateAesKek, &EsService::GenerateAesKek>(),
+            MakeServiceCommandMeta<Spl_Cmd_LoadAesKey, &EsService::LoadAesKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_GenerateAesKey, &EsService::GenerateAesKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_DecryptAesKey, &EsService::DecryptAesKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_CryptAesCtr, &EsService::CryptAesCtr>(),
+            MakeServiceCommandMeta<Spl_Cmd_ComputeCmac, &EsService::ComputeCmac>(),
+            MakeServiceCommandMeta<Spl_Cmd_AllocateAesKeyslot, &EsService::AllocateAesKeyslot, FirmwareVersion_200>(),
+            MakeServiceCommandMeta<Spl_Cmd_FreeAesKeyslot, &EsService::FreeAesKeyslot, FirmwareVersion_200>(),
+            MakeServiceCommandMeta<Spl_Cmd_GetAesKeyslotAvailableEvent, &EsService::GetAesKeyslotAvailableEvent, FirmwareVersion_200>(),
+            MakeServiceCommandMeta<Spl_Cmd_DecryptRsaPrivateKey, &EsService::DecryptRsaPrivateKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_ImportEsKey, &EsService::ImportEsKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_UnwrapTitleKey, &EsService::UnwrapTitleKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_UnwrapCommonTitleKey, &EsService::UnwrapCommonTitleKey, FirmwareVersion_200>(),
+            MakeServiceCommandMeta<Spl_Cmd_ImportDrmKey, &EsService::ImportDrmKey, FirmwareVersion_500>(),
+            MakeServiceCommandMeta<Spl_Cmd_DrmExpMod, &EsService::DrmExpMod, FirmwareVersion_500>(),
+            MakeServiceCommandMeta<Spl_Cmd_UnwrapElicenseKey, &EsService::UnwrapElicenseKey, FirmwareVersion_600>(),
+            MakeServiceCommandMeta<Spl_Cmd_LoadElicenseKey, &EsService::LoadElicenseKey, FirmwareVersion_600>(),
+        };
+};

stratosphere/spl/source/spl_secmon_wrapper.cpp

@@ -555,6 +555,113 @@ Result SecureMonitorWrapper::DecryptRsaPrivateKey(void *dst, size_t dst_size, co
     return ConvertToSplResult(smc_res);
 }
 
+Result SecureMonitorWrapper::ImportSecureExpModKey(const void *src, size_t src_size, const AccessKey &access_key, const KeySource &key_source, u32 option) {
+    struct ImportSecureExpModKeyLayout {
+        u8 data[RsaPrivateKeyMetaSize + 2 * RsaPrivateKeySize];
+    };
+    ImportSecureExpModKeyLayout *layout = reinterpret_cast<ImportSecureExpModKeyLayout *>(g_work_buffer);
+
+    /* Validate size. */
+    if (src_size > sizeof(ImportSecureExpModKeyLayout)) {
+        return ResultSplInvalidSize;
+    }
+
+    std::memcpy(layout, src, src_size);
+
+    armDCacheFlush(layout, sizeof(*layout));
+    SmcResult smc_res;
+    if (GetRuntimeFirmwareVersion() >= FirmwareVersion_500) {
+        smc_res = SmcWrapper::DecryptOrImportRsaPrivateKey(layout->data, src_size, access_key, key_source, option);
+    } else {
+        smc_res = SmcWrapper::ImportSecureExpModKey(layout->data, src_size, access_key, key_source, option);
+    }
+
+    return ConvertToSplResult(smc_res);
+}
+
+Result SecureMonitorWrapper::SecureExpMod(void *out, size_t out_size, const void *base, size_t base_size, const void *mod, size_t mod_size, u32 option) {
+    struct SecureExpModLayout {
+        u8 base[0x100];
+        u8 mod[0x100];
+    };
+    SecureExpModLayout *layout = reinterpret_cast<SecureExpModLayout *>(g_work_buffer);
+
+    /* Validate sizes. */
+    if (base_size > sizeof(layout->base)) {
+        return ResultSplInvalidSize;
+    }
+    if (mod_size > sizeof(layout->mod)) {
+        return ResultSplInvalidSize;
+    }
+    if (out_size > MaxWorkBufferSize) {
+        return ResultSplInvalidSize;
+    }
+
+    /* Copy data into work buffer. */
+    const size_t base_ofs = sizeof(layout->base) - base_size;
+    const size_t mod_ofs = sizeof(layout->mod) - mod_size;
+    std::memset(layout, 0, sizeof(*layout));
+    std::memcpy(layout->base + base_ofs, base, base_size);
+    std::memcpy(layout->mod + mod_ofs, mod, mod_size);
+
+    /* Do exp mod operation. */
+    armDCacheFlush(layout, sizeof(*layout));
+    {
+        std::scoped_lock<HosMutex> lk(g_async_op_lock);
+        AsyncOperationKey op_key;
+
+        SmcResult res = SmcWrapper::SecureExpMod(&op_key, layout->base, layout->mod, option);
+        if (res != SmcResult_Success) {
+            return ConvertToSplResult(res);
+        }
+
+        if ((res = WaitGetResult(g_work_buffer, out_size, op_key)) != SmcResult_Success) {
+            return ConvertToSplResult(res);
+        }
+    }
+    armDCacheFlush(g_work_buffer, sizeof(out_size));
+
+    std::memcpy(out, g_work_buffer, out_size);
+    return ResultSuccess;
+}
+
+Result SecureMonitorWrapper::ImportSslKey(const void *src, size_t src_size, const AccessKey &access_key, const KeySource &key_source) {
+    return ImportSecureExpModKey(src, src_size, access_key, key_source, SmcDecryptOrImportMode_ImportSslKey);
+}
+
+Result SecureMonitorWrapper::SslExpMod(void *out, size_t out_size, const void *base, size_t base_size, const void *mod, size_t mod_size) {
+    return SecureExpMod(out, out_size, base, base_size, mod, mod_size, SmcSecureExpModMode_Ssl);
+}
+
+Result SecureMonitorWrapper::ImportEsKey(const void *src, size_t src_size, const AccessKey &access_key, const KeySource &key_source, u32 option) {
+    if (GetRuntimeFirmwareVersion() >= FirmwareVersion_500) {
+        return ImportSecureExpModKey(src, src_size, access_key, key_source, SmcDecryptOrImportMode_ImportEsKey);
+    } else {
+        struct ImportEsKeyLayout {
+            u8 data[RsaPrivateKeyMetaSize + 2 * RsaPrivateKeySize];
+        };
+        ImportEsKeyLayout *layout = reinterpret_cast<ImportEsKeyLayout *>(g_work_buffer);
+
+        /* Validate size. */
+        if (src_size > sizeof(ImportEsKeyLayout)) {
+            return ResultSplInvalidSize;
+        }
+
+        std::memcpy(layout, src, src_size);
+
+        armDCacheFlush(layout, sizeof(*layout));
+        return ConvertToSplResult(SmcWrapper::ImportEsKey(layout->data, src_size, access_key, key_source, option));
+    }
+}
+
+Result SecureMonitorWrapper::ImportDrmKey(const void *src, size_t src_size, const AccessKey &access_key, const KeySource &key_source) {
+    return ImportSecureExpModKey(src, src_size, access_key, key_source, SmcDecryptOrImportMode_ImportDrmKey);
+}
+
+Result SecureMonitorWrapper::DrmExpMod(void *out, size_t out_size, const void *base, size_t base_size, const void *mod, size_t mod_size) {
+    return SecureExpMod(out, out_size, base, base_size, mod, mod_size, SmcSecureExpModMode_Drm);
+}
+
 Result SecureMonitorWrapper::FreeAesKeyslots(const void *owner) {
     for (size_t i = 0; i < GetMaxKeyslots(); i++) {
         if (this->keyslot_owners[i] == owner) {

stratosphere/spl/source/spl_secmon_wrapper.hpp

@@ -53,6 +53,8 @@ class SecureMonitorWrapper {
         SmcResult WaitGetResult(void *out_buf, size_t out_buf_size, AsyncOperationKey op_key);
         Result ValidateAesKeyslot(u32 keyslot, const void *owner);
         SmcResult DecryptAesBlock(u32 keyslot, void *dst, const void *src);
+        Result ImportSecureExpModKey(const void *src, size_t src_size, const AccessKey &access_key, const KeySource &key_source, u32 option);
+        Result SecureExpMod(void *out, size_t out_size, const void *base, size_t base_size, const void *mod, size_t mod_size, u32 option);
     public:
         /* General. */
         Result GetConfig(u64 *out, SplConfigItem which);
@@ -72,10 +74,19 @@ class SecureMonitorWrapper {
         Result ComputeCmac(Cmac *out_cmac, u32 keyslot, const void *owner, const void *data, size_t size);
         Result AllocateAesKeyslot(u32 *out_keyslot, const void *owner);
         Result FreeAesKeyslot(u32 keyslot, const void *owner);
-        
+
         /* RSA. */
         Result DecryptRsaPrivateKey(void *dst, size_t dst_size, const void *src, size_t src_size, const AccessKey &access_key, const KeySource &key_source, u32 option);
 
+        /* SSL */
+        Result ImportSslKey(const void *src, size_t src_size, const AccessKey &access_key, const KeySource &key_source);
+        Result SslExpMod(void *out, size_t out_size, const void *base, size_t base_size, const void *mod, size_t mod_size);
+
+        /* ES */
+        Result ImportEsKey(const void *src, size_t src_size, const AccessKey &access_key, const KeySource &key_source, u32 option);
+        Result ImportDrmKey(const void *src, size_t src_size, const AccessKey &access_key, const KeySource &key_source);
+        Result DrmExpMod(void *out, size_t out_size, const void *base, size_t base_size, const void *mod, size_t mod_size);
+
         /* Helper. */
         Result FreeAesKeyslots(const void *owner);
         Handle GetAesKeyslotAvailableEventHandle();

stratosphere/spl/source/spl_ssl_service.cpp

@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2018-2019 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <switch.h>
+#include <stratosphere.hpp>
+
+#include "spl_ssl_service.hpp"
+
+Result SslService::ImportSslKey(InPointer<u8> src, AccessKey access_key, KeySource key_source) {
+    return this->GetSecureMonitorWrapper()->ImportSslKey(src.pointer, src.num_elements, access_key, key_source);
+}
+
+Result SslService::SslExpMod(OutPointerWithClientSize<u8> out, InPointer<u8> base, InPointer<u8> mod) {
+    return this->GetSecureMonitorWrapper()->SslExpMod(out.pointer, out.num_elements, base.pointer, base.num_elements, mod.pointer, mod.num_elements);
+}

stratosphere/spl/source/spl_ssl_service.hpp

@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2018-2019 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+#include <switch.h>
+#include <stratosphere.hpp>
+
+#include "spl_types.hpp"
+#include "spl_rsa_service.hpp"
+
+class SslService : public RsaService {
+    public:
+        SslService(SecureMonitorWrapper *sw) : RsaService(sw) {
+            /* ... */
+        }
+
+        virtual ~SslService() {
+            /* ... */
+        }
+    protected:
+        /* Actual commands. */
+        virtual Result ImportSslKey(InPointer<u8> src, AccessKey access_key, KeySource key_source);
+        virtual Result SslExpMod(OutPointerWithClientSize<u8> out, InPointer<u8> base, InPointer<u8> mod);
+    public:
+        DEFINE_SERVICE_DISPATCH_TABLE {
+            MakeServiceCommandMeta<Spl_Cmd_GetConfig, &SslService::GetConfig>(),
+            MakeServiceCommandMeta<Spl_Cmd_ExpMod, &SslService::ExpMod>(),
+            MakeServiceCommandMeta<Spl_Cmd_SetConfig, &SslService::SetConfig>(),
+            MakeServiceCommandMeta<Spl_Cmd_GenerateRandomBytes, &SslService::GenerateRandomBytes>(),
+            MakeServiceCommandMeta<Spl_Cmd_IsDevelopment, &SslService::IsDevelopment>(),
+            MakeServiceCommandMeta<Spl_Cmd_SetBootReason, &SslService::SetBootReason, FirmwareVersion_300>(),
+            MakeServiceCommandMeta<Spl_Cmd_GetBootReason, &SslService::GetBootReason, FirmwareVersion_300>(),
+            MakeServiceCommandMeta<Spl_Cmd_GenerateAesKek, &SslService::GenerateAesKek>(),
+            MakeServiceCommandMeta<Spl_Cmd_LoadAesKey, &SslService::LoadAesKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_GenerateAesKey, &SslService::GenerateAesKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_DecryptAesKey, &SslService::DecryptAesKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_CryptAesCtr, &SslService::CryptAesCtr>(),
+            MakeServiceCommandMeta<Spl_Cmd_ComputeCmac, &SslService::ComputeCmac>(),
+            MakeServiceCommandMeta<Spl_Cmd_AllocateAesKeyslot, &SslService::AllocateAesKeyslot, FirmwareVersion_200>(),
+            MakeServiceCommandMeta<Spl_Cmd_FreeAesKeyslot, &SslService::FreeAesKeyslot, FirmwareVersion_200>(),
+            MakeServiceCommandMeta<Spl_Cmd_GetAesKeyslotAvailableEvent, &SslService::GetAesKeyslotAvailableEvent, FirmwareVersion_200>(),
+            MakeServiceCommandMeta<Spl_Cmd_DecryptRsaPrivateKey, &SslService::DecryptRsaPrivateKey>(),
+            MakeServiceCommandMeta<Spl_Cmd_DecryptRsaPrivateKey, &SslService::ImportSslKey, FirmwareVersion_500>(),
+            MakeServiceCommandMeta<Spl_Cmd_DecryptRsaPrivateKey, &SslService::SslExpMod, FirmwareVersion_500>(),
+
+        };
+};