keys: Make more readability tweaks

This commit is contained in:
shchmue 2022-11-05 16:40:15 -07:00
parent dcf4bca30c
commit 43be4ef19f
3 changed files with 41 additions and 41 deletions

View file

@ -35,14 +35,15 @@ int key_exists(const void *data) {
return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0;
}
int run_ams_keygen(key_storage_t *keys) {
int run_ams_keygen() {
tsec_ctxt_t tsec_ctxt;
tsec_ctxt.fw = tsec_keygen;
tsec_ctxt.size = sizeof(tsec_keygen);
tsec_ctxt.type = TSEC_FW_TYPE_NEW;
u32 retries = 0;
while (tsec_query(keys->temp_key, &tsec_ctxt) < 0) {
u32 temp_key[SE_KEY_128_SIZE / 4];
while (tsec_query(temp_key, &tsec_ctxt) < 0) {
retries++;
if (retries > 15) {
return -1;

View file

@ -21,6 +21,7 @@
#include "../hos/hos.h"
#include <sec/se_t210.h>
#include "../storage/nx_emmc.h"
#include <utils/types.h>
#include <string.h>
@ -136,17 +137,20 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
#define RSA_PUBLIC_EXPONENT 65537
#define KEYBLOB_UNK_DATA_SIZE 0x70
#define KEYBLOB_UNUSED_SIZE (NX_EMMC_BLOCKSIZE - SE_AES_CMAC_DIGEST_SIZE - SE_AES_IV_SIZE - sizeof(keyblob_t))
typedef struct {
u8 master_kek[SE_KEY_128_SIZE];
u8 data[0x70];
u8 data[KEYBLOB_UNK_DATA_SIZE];
u8 package1_key[SE_KEY_128_SIZE];
} keyblob_t;
typedef struct {
u8 cmac[0x10];
u8 iv[0x10];
u8 cmac[SE_AES_CMAC_DIGEST_SIZE];
u8 iv[SE_AES_IV_SIZE];
keyblob_t key_data;
u8 unused[0x150];
u8 unused[KEYBLOB_UNUSED_SIZE];
} encrypted_keyblob_t;
typedef struct {
@ -177,7 +181,7 @@ typedef struct {
titlekek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
tsec_key[SE_KEY_128_SIZE],
tsec_root_key[SE_KEY_128_SIZE];
u32 sbk[4];
u32 secure_boot_key[4];
keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
eticket_rsa_keypair_t eticket_rsa_keypair;
} key_storage_t;
@ -203,7 +207,7 @@ typedef enum {
int key_exists(const void *data);
int run_ams_keygen(key_storage_t *keys);
int run_ams_keygen();
bool check_keyslot_access();

View file

@ -120,33 +120,28 @@ static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev
static void _derive_keyblob_keys(key_storage_t *keys) {
minerva_periodic_training();
u8 *keyblob_block = (u8 *)calloc(KB_FIRMWARE_VERSION_600 + 1, NX_EMMC_BLOCKSIZE);
u32 keyblob_mac[SE_KEY_128_SIZE / 4] = {0};
encrypted_keyblob_t *keyblob_buffer = (encrypted_keyblob_t *)calloc(KB_FIRMWARE_VERSION_600 + 1, sizeof(encrypted_keyblob_t));
u32 keyblob_mac[SE_AES_CMAC_DIGEST_SIZE / 4] = {0};
bool have_keyblobs = true;
if (FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF) {
u8 *aes_keys = (u8 *)calloc(1, SZ_4K);
se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
memcpy(keys->sbk, aes_keys + 14 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
free(aes_keys);
} else {
keys->sbk[0] = FUSE(FUSE_PRIVATE_KEY0);
keys->sbk[1] = FUSE(FUSE_PRIVATE_KEY1);
keys->sbk[2] = FUSE(FUSE_PRIVATE_KEY2);
keys->sbk[3] = FUSE(FUSE_PRIVATE_KEY3);
if (FUSE(FUSE_PRIVATE_KEY0) != 0xFFFFFFFF) {
keys->secure_boot_key[0] = FUSE(FUSE_PRIVATE_KEY0);
keys->secure_boot_key[1] = FUSE(FUSE_PRIVATE_KEY1);
keys->secure_boot_key[2] = FUSE(FUSE_PRIVATE_KEY2);
keys->secure_boot_key[3] = FUSE(FUSE_PRIVATE_KEY3);
}
if (!emmc_storage.initialized) {
have_keyblobs = false;
} else if (!emummc_storage_read(KEYBLOB_OFFSET / NX_EMMC_BLOCKSIZE, KB_FIRMWARE_VERSION_600 + 1, keyblob_block)) {
} else if (!emummc_storage_read(KEYBLOB_OFFSET / NX_EMMC_BLOCKSIZE, KB_FIRMWARE_VERSION_600 + 1, keyblob_buffer)) {
EPRINTF("Unable to read keyblobs.");
have_keyblobs = false;
} else {
have_keyblobs = true;
}
encrypted_keyblob_t *current_keyblob = (encrypted_keyblob_t *)keyblob_block;
for (u32 i = 0; i <= KB_FIRMWARE_VERSION_600; i++, current_keyblob++) {
encrypted_keyblob_t *current_keyblob = keyblob_buffer;
for (u32 i = 0; i < ARRAY_SIZE(keyblob_key_sources); i++, current_keyblob++) {
minerva_periodic_training();
se_aes_crypt_block_ecb(KS_TSEC, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]);
se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]);
@ -178,7 +173,7 @@ static void _derive_keyblob_keys(key_storage_t *keys) {
load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
}
}
free(keyblob_block);
free(keyblob_buffer);
}
static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) {
@ -188,7 +183,7 @@ static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_key
_derive_master_keys_mariko(keys, is_dev);
_derive_master_keys_from_latest_key(keys, is_dev);
} else {
if (run_ams_keygen(keys)) {
if (run_ams_keygen()) {
EPRINTF("Failed to run keygen.");
return;
}
@ -196,8 +191,13 @@ static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_key
u8 *aes_keys = (u8 *)calloc(1, SZ_4K);
se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
memcpy(&dev_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(&dev_keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(&prod_keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
if (FUSE(FUSE_PRIVATE_KEY0) != 0xFFFFFFFF) {
memcpy(&dev_keys->secure_boot_key, aes_keys + KS_SECURE_BOOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(&prod_keys->secure_boot_key, aes_keys + KS_SECURE_BOOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
}
free(aes_keys);
_derive_master_keys_from_latest_key(prod_keys, false);
@ -410,7 +410,7 @@ static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
return true;
}
static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
static void _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
// Set BIS keys.
// PRODINFO/PRODINFOF
se_aes_key_set(KS_BIS_00_CRYPT, keys->bis_key[0] + 0x00, SE_KEY_128_SIZE);
@ -424,16 +424,14 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
if (!emummc_storage_set_mmc_partition(EMMC_GPP)) {
EPRINTF("Unable to set partition.");
return false;
return;
}
bool res = decrypt_ssl_rsa_key(keys, titlekey_buffer);
if (!res) {
if (!decrypt_ssl_rsa_key(keys, titlekey_buffer)) {
EPRINTF("Unable to derive SSL key.");
}
res = decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev);
if (!res) {
if (!decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev)) {
EPRINTF("Unable to derive ETicket key.");
}
@ -445,7 +443,7 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
if (!system_part) {
EPRINTF("Unable to locate System partition.");
nx_emmc_gpt_free(&gpt);
return false;
return;
}
nx_emmc_bis_init(system_part);
@ -453,7 +451,7 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
if (f_mount(&emmc_fs, "bis:", 1)) {
EPRINTF("Unable to mount system partition.");
nx_emmc_gpt_free(&gpt);
return false;
return;
}
if (!sd_mount()) {
@ -462,15 +460,12 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
EPRINTF("Unable to get SD seed.");
}
res = _derive_titlekeys(keys, titlekey_buffer, is_dev);
if (!res) {
if (!_derive_titlekeys(keys, titlekey_buffer, is_dev)) {
EPRINTF("Unable to derive titlekeys.");
}
f_mount(NULL, "bis:", 1);
nx_emmc_gpt_free(&gpt);
return res;
}
// The security engine supports partial key override for locked keyslots
@ -611,9 +606,9 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu
SAVE_KEY_FAMILY_VAR(keyblob_mac_key, keys->keyblob_mac_key, 0);
SAVE_KEY(keyblob_mac_key_source);
if (is_dev) {
SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources_dev, 5);
SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources_dev, KB_FIRMWARE_VERSION_600);
} else {
SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources, 5);
SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources, KB_FIRMWARE_VERSION_600);
}
SAVE_KEY_FAMILY_VAR(master_kek, keys->master_kek, 0);
SAVE_KEY_FAMILY_VAR(master_kek_source, master_kek_sources, KB_FIRMWARE_VERSION_620);
@ -634,7 +629,7 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu
SAVE_KEY(sd_card_nca_key_source);
SAVE_KEY(sd_card_save_key_source);
SAVE_KEY_VAR(sd_seed, keys->sd_seed);
SAVE_KEY_VAR(secure_boot_key, keys->sbk);
SAVE_KEY_VAR(secure_boot_key, keys->secure_boot_key);
SAVE_KEY_VAR(ssl_rsa_kek, keys->ssl_rsa_kek);
SAVE_KEY_VAR(ssl_rsa_kek_personalized, keys->ssl_rsa_kek_personalized);
if (is_dev) {