1
0
Fork 0
mirror of https://github.com/Atmosphere-NX/Atmosphere.git synced 2024-11-22 20:06:40 +00:00

fusee/exo: correct device key management for newer consoles (closes #1053)

This commit is contained in:
Michael Scire 2020-06-28 05:37:51 -07:00
parent a5447dd72d
commit 1473adf5c4
4 changed files with 32 additions and 31 deletions

View file

@ -218,6 +218,9 @@ namespace ams::secmon::boot {
/* Get the current key generation. */ /* Get the current key generation. */
const int current_generation = secmon::GetKeyGeneration(); const int current_generation = secmon::GetKeyGeneration();
/* Get the kek slot. */
const int kek_slot = fuse::GetSocType() == fuse::SocType_Mariko ? pkg1::AesKeySlot_DeviceMasterKeySourceKekMariko : pkg1::AesKeySlot_DeviceMasterKeySourceKekErista;
/* Iterate for all generations. */ /* Iterate for all generations. */
for (int i = 0; i < pkg1::OldDeviceMasterKeyCount; ++i) { for (int i = 0; i < pkg1::OldDeviceMasterKeyCount; ++i) {
const int generation = pkg1::KeyGeneration_4_0_0 + i; const int generation = pkg1::KeyGeneration_4_0_0 + i;
@ -229,7 +232,7 @@ namespace ams::secmon::boot {
se::SetEncryptedAesKey128(pkg1::AesKeySlot_Temporary, pkg1::AesKeySlot_Temporary, is_prod ? DeviceMasterKekSourcesProd[i] : DeviceMasterKekSourcesDev[i], se::AesBlockSize); se::SetEncryptedAesKey128(pkg1::AesKeySlot_Temporary, pkg1::AesKeySlot_Temporary, is_prod ? DeviceMasterKekSourcesProd[i] : DeviceMasterKekSourcesDev[i], se::AesBlockSize);
/* Decrypt the device master key source into the work block. */ /* Decrypt the device master key source into the work block. */
se::DecryptAes128(work_block, se::AesBlockSize, pkg1::AesKeySlot_DeviceMasterKeySourceKek, DeviceMasterKeySourceSources[i], se::AesBlockSize); se::DecryptAes128(work_block, se::AesBlockSize, kek_slot, DeviceMasterKeySourceSources[i], se::AesBlockSize);
/* If we're decrypting the current device master key, decrypt into the keyslot. */ /* If we're decrypting the current device master key, decrypt into the keyslot. */
if (generation == current_generation) { if (generation == current_generation) {
@ -244,8 +247,8 @@ namespace ams::secmon::boot {
} }
/* Clear and lock the Device Master Key Source Kek. */ /* Clear and lock the Device Master Key Source Kek. */
se::ClearAesKeySlot(pkg1::AesKeySlot_DeviceMasterKeySourceKek); se::ClearAesKeySlot(pkg1::AesKeySlot_DeviceMasterKeySourceKekMariko);
se::LockAesKeySlot(pkg1::AesKeySlot_DeviceMasterKeySourceKek, se::KeySlotLockFlags_AllLockKek); se::LockAesKeySlot(pkg1::AesKeySlot_DeviceMasterKeySourceKekMariko, se::KeySlotLockFlags_AllLockKek);
} }
void DeriveAllKeys() { void DeriveAllKeys() {

View file

@ -273,7 +273,10 @@ void derive_bis_key(void *dst, BisPartition partition_id, uint32_t target_firmwa
} }
}; };
const uint32_t bis_key_generation = fuse_get_5x_key_generation(); uint32_t bis_key_generation = fuse_get_5x_key_generation();
if (bis_key_generation > 0) {
bis_key_generation -= 1;
}
static const uint8_t AL16 bis_kek_source[0x10] = {0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F}; static const uint8_t AL16 bis_kek_source[0x10] = {0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F};
switch (partition_id) { switch (partition_id) {

View file

@ -838,13 +838,7 @@ uint32_t nxboot_main(void) {
/* Derive new device keys. */ /* Derive new device keys. */
{ {
if (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_5_0_0) { derive_new_device_keys(fuse_get_retail_type() != 0, KEYSLOT_SWITCH_5XNEWDEVICEKEYGENKEY, target_firmware);
derive_new_device_keys(fuse_get_retail_type() != 0, KEYSLOT_SWITCH_5XNEWDEVICEKEYGENKEY, target_firmware);
} else if (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_4_0_0) {
derive_new_device_keys(fuse_get_retail_type() != 0, KEYSLOT_SWITCH_4XNEWDEVICEKEYGENKEY, target_firmware);
} else {
/* No new keys to derive */
}
} }
/* Set the system partition's keys. */ /* Set the system partition's keys. */

View file

@ -19,34 +19,35 @@
namespace ams::pkg1 { namespace ams::pkg1 {
enum AesKeySlot { enum AesKeySlot {
AesKeySlot_UserStart = 0, AesKeySlot_UserStart = 0,
AesKeySlot_TzramSaveKek = 2, AesKeySlot_TzramSaveKek = 2,
AesKeySlot_TzramSaveKey = 3, AesKeySlot_TzramSaveKey = 3,
AesKeySlot_UserLast = 5, AesKeySlot_UserLast = 5,
AesKeySlot_UserEnd = AesKeySlot_UserLast + 1, AesKeySlot_UserEnd = AesKeySlot_UserLast + 1,
AesKeySlot_SecmonStart = 8, AesKeySlot_SecmonStart = 8,
AesKeySlot_Temporary = 8, AesKeySlot_Temporary = 8,
AesKeySlot_Smc = 9, AesKeySlot_Smc = 9,
AesKeySlot_RandomForUserWrap = 10, AesKeySlot_RandomForUserWrap = 10,
AesKeySlot_RandomForKeyStorageWrap = 11, AesKeySlot_RandomForKeyStorageWrap = 11,
AesKeySlot_DeviceMaster = 12, AesKeySlot_DeviceMaster = 12,
AesKeySlot_Master = 13, AesKeySlot_Master = 13,
AesKeySlot_Device = 15, AesKeySlot_Device = 15,
AesKeySlot_SecmonEnd = 16, AesKeySlot_SecmonEnd = 16,
/* Used only during boot. */ /* Used only during boot. */
AesKeySlot_Tsec = 12, AesKeySlot_Tsec = 12,
AesKeySlot_TsecRoot = 13, AesKeySlot_TsecRoot = 13,
AesKeySlot_SecureBoot = 14, AesKeySlot_SecureBoot = 14,
AesKeySlot_SecureStorage = 15, AesKeySlot_SecureStorage = 15,
AesKeySlot_MasterKek = 13, AesKeySlot_DeviceMasterKeySourceKekErista = 10,
AesKeySlot_DeviceMasterKeySourceKek = 14, AesKeySlot_MasterKek = 13,
AesKeySlot_DeviceMasterKeySourceKekMariko = 14,
}; };
enum RsaKeySlot { enum RsaKeySlot {