mirror of
https://github.com/Atmosphere-NX/Atmosphere.git
synced 2024-11-22 20:06:40 +00:00
fusee/exo: correct device key management for newer consoles (closes #1053)
This commit is contained in:
parent
a5447dd72d
commit
1473adf5c4
4 changed files with 32 additions and 31 deletions
|
@ -218,6 +218,9 @@ namespace ams::secmon::boot {
|
||||||
/* Get the current key generation. */
|
/* Get the current key generation. */
|
||||||
const int current_generation = secmon::GetKeyGeneration();
|
const int current_generation = secmon::GetKeyGeneration();
|
||||||
|
|
||||||
|
/* Get the kek slot. */
|
||||||
|
const int kek_slot = fuse::GetSocType() == fuse::SocType_Mariko ? pkg1::AesKeySlot_DeviceMasterKeySourceKekMariko : pkg1::AesKeySlot_DeviceMasterKeySourceKekErista;
|
||||||
|
|
||||||
/* Iterate for all generations. */
|
/* Iterate for all generations. */
|
||||||
for (int i = 0; i < pkg1::OldDeviceMasterKeyCount; ++i) {
|
for (int i = 0; i < pkg1::OldDeviceMasterKeyCount; ++i) {
|
||||||
const int generation = pkg1::KeyGeneration_4_0_0 + i;
|
const int generation = pkg1::KeyGeneration_4_0_0 + i;
|
||||||
|
@ -229,7 +232,7 @@ namespace ams::secmon::boot {
|
||||||
se::SetEncryptedAesKey128(pkg1::AesKeySlot_Temporary, pkg1::AesKeySlot_Temporary, is_prod ? DeviceMasterKekSourcesProd[i] : DeviceMasterKekSourcesDev[i], se::AesBlockSize);
|
se::SetEncryptedAesKey128(pkg1::AesKeySlot_Temporary, pkg1::AesKeySlot_Temporary, is_prod ? DeviceMasterKekSourcesProd[i] : DeviceMasterKekSourcesDev[i], se::AesBlockSize);
|
||||||
|
|
||||||
/* Decrypt the device master key source into the work block. */
|
/* Decrypt the device master key source into the work block. */
|
||||||
se::DecryptAes128(work_block, se::AesBlockSize, pkg1::AesKeySlot_DeviceMasterKeySourceKek, DeviceMasterKeySourceSources[i], se::AesBlockSize);
|
se::DecryptAes128(work_block, se::AesBlockSize, kek_slot, DeviceMasterKeySourceSources[i], se::AesBlockSize);
|
||||||
|
|
||||||
/* If we're decrypting the current device master key, decrypt into the keyslot. */
|
/* If we're decrypting the current device master key, decrypt into the keyslot. */
|
||||||
if (generation == current_generation) {
|
if (generation == current_generation) {
|
||||||
|
@ -244,8 +247,8 @@ namespace ams::secmon::boot {
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Clear and lock the Device Master Key Source Kek. */
|
/* Clear and lock the Device Master Key Source Kek. */
|
||||||
se::ClearAesKeySlot(pkg1::AesKeySlot_DeviceMasterKeySourceKek);
|
se::ClearAesKeySlot(pkg1::AesKeySlot_DeviceMasterKeySourceKekMariko);
|
||||||
se::LockAesKeySlot(pkg1::AesKeySlot_DeviceMasterKeySourceKek, se::KeySlotLockFlags_AllLockKek);
|
se::LockAesKeySlot(pkg1::AesKeySlot_DeviceMasterKeySourceKekMariko, se::KeySlotLockFlags_AllLockKek);
|
||||||
}
|
}
|
||||||
|
|
||||||
void DeriveAllKeys() {
|
void DeriveAllKeys() {
|
||||||
|
|
|
@ -273,7 +273,10 @@ void derive_bis_key(void *dst, BisPartition partition_id, uint32_t target_firmwa
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
const uint32_t bis_key_generation = fuse_get_5x_key_generation();
|
uint32_t bis_key_generation = fuse_get_5x_key_generation();
|
||||||
|
if (bis_key_generation > 0) {
|
||||||
|
bis_key_generation -= 1;
|
||||||
|
}
|
||||||
|
|
||||||
static const uint8_t AL16 bis_kek_source[0x10] = {0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F};
|
static const uint8_t AL16 bis_kek_source[0x10] = {0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F};
|
||||||
switch (partition_id) {
|
switch (partition_id) {
|
||||||
|
|
|
@ -838,13 +838,7 @@ uint32_t nxboot_main(void) {
|
||||||
|
|
||||||
/* Derive new device keys. */
|
/* Derive new device keys. */
|
||||||
{
|
{
|
||||||
if (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_5_0_0) {
|
derive_new_device_keys(fuse_get_retail_type() != 0, KEYSLOT_SWITCH_5XNEWDEVICEKEYGENKEY, target_firmware);
|
||||||
derive_new_device_keys(fuse_get_retail_type() != 0, KEYSLOT_SWITCH_5XNEWDEVICEKEYGENKEY, target_firmware);
|
|
||||||
} else if (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_4_0_0) {
|
|
||||||
derive_new_device_keys(fuse_get_retail_type() != 0, KEYSLOT_SWITCH_4XNEWDEVICEKEYGENKEY, target_firmware);
|
|
||||||
} else {
|
|
||||||
/* No new keys to derive */
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Set the system partition's keys. */
|
/* Set the system partition's keys. */
|
||||||
|
|
|
@ -19,34 +19,35 @@
|
||||||
namespace ams::pkg1 {
|
namespace ams::pkg1 {
|
||||||
|
|
||||||
enum AesKeySlot {
|
enum AesKeySlot {
|
||||||
AesKeySlot_UserStart = 0,
|
AesKeySlot_UserStart = 0,
|
||||||
|
|
||||||
AesKeySlot_TzramSaveKek = 2,
|
AesKeySlot_TzramSaveKek = 2,
|
||||||
AesKeySlot_TzramSaveKey = 3,
|
AesKeySlot_TzramSaveKey = 3,
|
||||||
|
|
||||||
AesKeySlot_UserLast = 5,
|
AesKeySlot_UserLast = 5,
|
||||||
AesKeySlot_UserEnd = AesKeySlot_UserLast + 1,
|
AesKeySlot_UserEnd = AesKeySlot_UserLast + 1,
|
||||||
|
|
||||||
AesKeySlot_SecmonStart = 8,
|
AesKeySlot_SecmonStart = 8,
|
||||||
|
|
||||||
AesKeySlot_Temporary = 8,
|
AesKeySlot_Temporary = 8,
|
||||||
AesKeySlot_Smc = 9,
|
AesKeySlot_Smc = 9,
|
||||||
AesKeySlot_RandomForUserWrap = 10,
|
AesKeySlot_RandomForUserWrap = 10,
|
||||||
AesKeySlot_RandomForKeyStorageWrap = 11,
|
AesKeySlot_RandomForKeyStorageWrap = 11,
|
||||||
AesKeySlot_DeviceMaster = 12,
|
AesKeySlot_DeviceMaster = 12,
|
||||||
AesKeySlot_Master = 13,
|
AesKeySlot_Master = 13,
|
||||||
AesKeySlot_Device = 15,
|
AesKeySlot_Device = 15,
|
||||||
|
|
||||||
AesKeySlot_SecmonEnd = 16,
|
AesKeySlot_SecmonEnd = 16,
|
||||||
|
|
||||||
/* Used only during boot. */
|
/* Used only during boot. */
|
||||||
AesKeySlot_Tsec = 12,
|
AesKeySlot_Tsec = 12,
|
||||||
AesKeySlot_TsecRoot = 13,
|
AesKeySlot_TsecRoot = 13,
|
||||||
AesKeySlot_SecureBoot = 14,
|
AesKeySlot_SecureBoot = 14,
|
||||||
AesKeySlot_SecureStorage = 15,
|
AesKeySlot_SecureStorage = 15,
|
||||||
|
|
||||||
AesKeySlot_MasterKek = 13,
|
AesKeySlot_DeviceMasterKeySourceKekErista = 10,
|
||||||
AesKeySlot_DeviceMasterKeySourceKek = 14,
|
AesKeySlot_MasterKek = 13,
|
||||||
|
AesKeySlot_DeviceMasterKeySourceKekMariko = 14,
|
||||||
};
|
};
|
||||||
|
|
||||||
enum RsaKeySlot {
|
enum RsaKeySlot {
|
||||||
|
|
Loading…
Reference in a new issue