From 05187502b31fb924489055028138ed50a3dd16d3 Mon Sep 17 00:00:00 2001
From: Michael Scire
Date: Thu, 15 Nov 2018 03:57:55 -0800
Subject: [PATCH] fs.mitm: Implement basic boot0 protection against writes/pubk writes.
---
stratosphere/fs_mitm/source/fs_istorage.hpp | 1 -
.../fs_mitm/source/fsmitm_boot0storage.cpp | 78 +++++++++++++++++++
.../fs_mitm/source/fsmitm_boot0storage.hpp | 55 ++++++-------
.../fs_mitm/source/fsmitm_service.cpp | 2 +-
4 files changed, 101 insertions(+), 35 deletions(-)
create mode 100644 stratosphere/fs_mitm/source/fsmitm_boot0storage.cpp
diff --git a/stratosphere/fs_mitm/source/fs_istorage.hpp b/stratosphere/fs_mitm/source/fs_istorage.hpp
index 8bd44cdd2..82a75619e 100644
--- a/stratosphere/fs_mitm/source/fs_istorage.hpp
+++ b/stratosphere/fs_mitm/source/fs_istorage.hpp
@@ -61,7 +61,6 @@ class IStorageInterface : public IServiceObject { }; virtual Result Write(InBuffer buffer, u64 offset, u64 size) final { return this->base_storage->Write(buffer.buffer, std::min(buffer.num_elements, size), offset); - }; virtual Result Flush() final { return this->base_storage->Flush();
diff --git a/stratosphere/fs_mitm/source/fsmitm_boot0storage.cpp b/stratosphere/fs_mitm/source/fsmitm_boot0storage.cpp
new file mode 100644
index 000000000..e2b25ad40
--- /dev/null
+++ b/stratosphere/fs_mitm/source/fsmitm_boot0storage.cpp
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include
+#include
+#include
+
+#include "fsmitm_boot0storage.hpp"
+
+static HosMutex g_boot0_mutex;
+static u8 g_boot0_bct_buffer[Boot0Storage::BctEndOffset];
+
+bool Boot0Storage::AllowWrites() {
+ return this->title_id < 0x0100000000001000ULL;
+}
+
+bool Boot0Storage::CanModifyBctPubks() {
+ return this->title_id != 0x010000000000001FULL;
+}
+
+Result Boot0Storage::Read(void *_buffer, size_t size, u64 offset) {
+ std::scoped_lock lk{g_boot0_mutex};
+
+ return Base::Read(_buffer, size, offset);
+}
+
+Result Boot0Storage::Write(void *_buffer, size_t size, u64 offset) {
+ std::scoped_lock lk{g_boot0_mutex};
+
+ if (!AllowWrites()) {
+ return 0x313802;
+ }
+
+ /* We care about protecting autorcm from NS. */
+ if (CanModifyBctPubks() || offset >= BctEndOffset || (offset + BctSize >= BctEndOffset && offset % BctSize >= BctPubkEnd)) {
+ return Base::Write(_buffer, size, offset);
+ }
+
+ Result rc = 0;
+ u8 *buffer = static_cast(_buffer);
+
+ /* First, let's deal with the data past the end. */
+ if (offset + size >= BctEndOffset) {
+ const u64 diff = BctEndOffset - offset;
+ if (R_FAILED((rc = ProxyStorage::Write(buffer + diff, size - diff, BctEndOffset)))) {
+ return rc;
+ }
+ size -= diff;
+ }
+
+ /* Read in the current BCT region. */
+ if (R_FAILED((rc = ProxyStorage::Read(g_boot0_bct_buffer, BctEndOffset, 0)))) {
+ return rc;
+ }
+
+ /* Update the bct buffer. */
+ for (u64 cur_ofs = offset; cur_ofs < BctEndOffset && cur_ofs < offset + size; cur_ofs++) {
+ const u64 cur_bct_rel_ofs = cur_ofs % BctSize;
+ if (cur_bct_rel_ofs < BctPubkStart || BctPubkEnd <= cur_bct_rel_ofs) {
+ g_boot0_bct_buffer[cur_ofs] = buffer[cur_ofs - offset];
+ }
+ }
+
+ return ProxyStorage::Write(g_boot0_bct_buffer, BctEndOffset, 0);
+}
diff --git a/stratosphere/fs_mitm/source/fsmitm_boot0storage.hpp b/stratosphere/fs_mitm/source/fsmitm_boot0storage.hpp
index a21365ca1..cf53948f4 100644
--- a/stratosphere/fs_mitm/source/fsmitm_boot0storage.hpp
+++ b/stratosphere/fs_mitm/source/fsmitm_boot0storage.hpp
@@ -16,6 +16,7 @@ #pragma once #include +#include #include #include "fs_istorage.hpp"
@@ -42,6 +43,11 @@ class SectoredProxyStorage : public ProxyStorage { u8 *buffer = static_cast(_buffer); this->Seek(offset); + if (this->cur_sector_ofs == 0 && size % SectorSize == 0) { + /* Fast case. */ + return ProxyStorage::Read(buffer, size, offset); + } + if (R_FAILED((rc = ProxyStorage::Read(this->sector_buf, SectorSize, this->cur_seek)))) { return rc; }
@@ -80,6 +86,11 @@ class SectoredProxyStorage : public ProxyStorage { u8 *buffer = static_cast(_buffer); this->Seek(offset); + if (this->cur_sector_ofs == 0 && size % SectorSize == 0) { + /* Fast case. */ + return ProxyStorage::Write(buffer, size, offset); + } + if (R_FAILED((rc = ProxyStorage::Read(this->sector_buf, SectorSize, this->cur_seek)))) { return rc; }
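Review bot: In Boot0Storage::Write (fsmitm_boot0storage.cpp), the line `size -= diff;` after the tail write leaves `size` holding the length of the part beyond BctEndOffset rather than the part inside the BCT region, so the merge loop stops early and the remaining in-region bytes are silently dropped while the call still returns success. It should be `size = diff;`. The tail itself goes through `ProxyStorage::Write(buffer + diff, size - diff, BctEndOffset)`, which skips the sector handling of Base::Write; the fast path added to SectoredProxyStorage in the header bypasses that handling only for sector-multiple sizes, so if unaligned tails can reach this point `Base::Write` looks like the safer call. For a boot-critical partition, a partially applied write that reports success warrants a regression test with a request that spans several BCTs and crosses the region end.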
@@ -124,44 +135,22 @@ class SectoredProxyStorage : public ProxyStorage { /* Represents an RCM-preserving BOOT0 partition. */ class Boot0Storage : public SectoredProxyStorage<0x200> { using Base = SectoredProxyStorage<0x200>; + + public: + static constexpr u64 BctEndOffset = 0xFC000; + static constexpr u64 BctSize = 0x4000; + static constexpr u64 BctPubkStart = 0x210; + static constexpr u64 BctPubkSize = 0x100; + static constexpr u64 BctPubkEnd = BctPubkStart + BctPubkSize; private: u64 title_id; private: - HosMutex *GetMutex() { - static HosMutex s_boot0_mutex; - return &s_boot0_mutex; - } - bool AllowWrites() { - return title_id < 0x0100000000001000ULL; - } - bool CanModifyBctPubks() { - return title_id != 0x010000000000001FULL; - } + bool AllowWrites(); + bool CanModifyBctPubks(); public: Boot0Storage(FsStorage *s, u64 t) : Base(s), title_id(t) { } Boot0Storage(FsStorage s, u64 t) : Base(s), title_id(t) { } public: - virtual Result Read(void *_buffer, size_t size, u64 offset) override { - GetMutex()->Lock(); - ON_SCOPE_EXIT { GetMutex()->Unlock(); }; - - return Base::Read(_buffer, size, offset); - } - - virtual Result Write(void *_buffer, size_t size, u64 offset) override { - GetMutex()->Lock(); - ON_SCOPE_EXIT { GetMutex()->Unlock(); }; - - if (!AllowWrites()) { - return 0x313802; - } - - /* We care about protecting autorcm from NS. */ - if (CanModifyBctPubks()) { - return Base::Write(_buffer, size, offset); - } - - /* TODO */ - return 0x313802; - } + virtual Result Read(void *_buffer, size_t size, u64 offset) override; + virtual Result Write(void *_buffer, size_t size, u64 offset) override; };
\ No newline at end of file
diff --git a/stratosphere/fs_mitm/source/fsmitm_service.cpp b/stratosphere/fs_mitm/source/fsmitm_service.cpp
index ccf29db94..6fb27f846 100644
--- a/stratosphere/fs_mitm/source/fsmitm_service.cpp
+++ b/stratosphere/fs_mitm/source/fsmitm_service.cpp
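Review bot: The new BCT constants in Boot0Storage mix two coordinate systems without saying so: BctEndOffset is used as an absolute BOOT0 offset, while BctPubkStart and BctPubkEnd are compared against `cur_ofs % BctSize` in the .cpp and are therefore relative to each BctSize-sized BCT. A comment above them such as `/* BctEndOffset is absolute; BctPubk* are relative to the start of each BctSize-sized BCT. */` would prevent misuse. `bool CanModifyBctPubks();` also deserves a line stating the policy its definition encodes, for example `/* False only for title 0x010000000000001F; any other title that passes AllowWrites() may rewrite the key range. */`, because that single-entry deny-list is the whole protection and a reader of the header cannot see it.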
@@ -101,7 +101,7 @@ Result FsMitmService::OpenBisStorage(Out> out if (R_SUCCEEDED(rc)) { const bool allow_writes = this->title_id < 0x0100000000001000; if (bis_partition_id == BisStorageId_Boot0) { - storage = std::make_shared(new Boot0Storage(bis_storage, allow_writes)); + storage = std::make_shared(new Boot0Storage(bis_storage, this->title_id)); } else { if (allow_writes) { storage = std::make_shared(new ROProxyStorage(bis_storage));
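Review bot: The context just below the changed line reads `if (allow_writes) { storage = std::make_shared(new ROProxyStorage(bis_storage));`, which hands the read-only proxy to exactly the callers that are allowed to write; unless the else arm outside this hunk compensates, the condition looks inverted and should be confirmed. Separately, the threshold `0x0100000000001000` is now spelled out both here and in Boot0Storage::AllowWrites(), so the two write policies can drift apart; a shared named constant would keep them in step. OpenBisStorage continues on both sides of the hunk.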