warmboot: add code for decrypting/restoring tzram.

exosphere/lp0fw/src/pmc.h

@@ -51,6 +51,11 @@
 #define APBDEV_PMC_SECURE_SCRATCH34_0 MAKE_PMC_REG(0x368)
 #define APBDEV_PMC_SECURE_SCRATCH35_0 MAKE_PMC_REG(0x36C)
 
+#define APBDEV_PMC_SECURE_SCRATCH112_0 MAKE_PMC_REG(0x718)
+#define APBDEV_PMC_SECURE_SCRATCH113_0 MAKE_PMC_REG(0x71C)
+#define APBDEV_PMC_SECURE_SCRATCH114_0 MAKE_PMC_REG(0x720)
+#define APBDEV_PMC_SECURE_SCRATCH115_0 MAKE_PMC_REG(0x724)
+
 #define APBDEV_PMC_IO_DPD3_REQ_0     MAKE_PMC_REG(0x45C)
 #define APBDEV_PMC_IO_DPD3_STATUS_0  MAKE_PMC_REG(0x460)
 

exosphere/lp0fw/src/se.c

@@ -236,3 +236,17 @@ void se_compute_aes_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, con
 void se_compute_aes_256_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, const void *data, size_t data_size) {
     se_compute_aes_cmac(keyslot, cmac, cmac_size, data, data_size, 0x202);
 }
+
+void se_aes_256_cbc_decrypt(unsigned int keyslot, void *dst, size_t dst_size, const void *src, size_t src_size) {
+    volatile tegra_se_t *se = se_get_regs();
+    
+    if (keyslot >= KEYSLOT_AES_MAX || src_size < 0x10) {
+        reboot();
+    }
+
+    se->CONFIG_REG = (ALG_AES_DEC | DST_MEMORY) | (0x202 << 16);
+    se->CRYPTO_REG = (keyslot << 24) | 0x66;
+    clear_aes_keyslot_iv(keyslot);
+    se->BLOCK_COUNT_REG = (src_size >> 4) - 1;
+    trigger_se_blocking_op(OP_START, dst, dst_size, src, src_size);
+}

exosphere/lp0fw/src/se.h

@@ -183,5 +183,6 @@ void clear_rsa_keyslot(unsigned int keyslot);
 void clear_aes_keyslot_iv(unsigned int keyslot);
 
 void se_compute_aes_256_cmac(unsigned int keyslot, void *cmac, size_t cmac_size, const void *data, size_t data_size);
+void se_aes_256_cbc_decrypt(unsigned int keyslot, void *dst, size_t dst_size, const void *src, size_t src_size);
 
 #endif

exosphere/lp0fw/src/secmon.c

@@ -25,6 +25,7 @@
 /* "private" functions. */
 static bool secmon_should_clear_aes_keyslot(unsigned int keyslot);
 static void secmon_clear_unused_keyslots(void);
+static void secmon_decrypt_saved_image(void *dst, const void *src, size_t size);
 
 void secmon_restore_to_tzram(const uint32_t target_firmware) {
     /* Newer warmboot binaries clear the untouched keyslots for safety. */
@@ -32,10 +33,51 @@ void secmon_restore_to_tzram(const uint32_t target_firmware) {
         secmon_clear_unused_keyslots();
     }
 
+    /* Decrypt Secure Monitor from DRAM into TZRAM. */
+    void *tzram_src = (void *)(0x80010000);
+    void *tzram_dst = (void *)(target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_500 ? 0x7C012000 : 0x7C010000);
+    const size_t tzram_size = 0xE000;
+    secmon_decrypt_saved_image(tzram_dst, tzram_src, tzram_size);
+
+    /* Nintendo clears DRAM, but I'm not sure why, given they lock out BPMP access to DRAM. */
+    for (size_t i = 0; i < tzram_size/sizeof(uint32_t); i++) {
+        ((volatile uint32_t *)tzram_src)[i] = 0;
+    }
+
+    /* Make security engine require secure busmaster. */
+    se_get_regs()->_0x4 = 0;
+
     /* TODO: stuff */
 }
 
+void secmon_decrypt_saved_image(void *dst, const void *src, size_t size) {
+    /* First, AES-256-CBC decrypt the image into TZRAM. */
+    se_aes_256_cbc_decrypt(KEYSLOT_SWITCH_LP0TZRAMKEY, dst, size, src, size);
+
+    /* Next, calculate CMAC. */
+    uint32_t tzram_cmac[4] = {0, 0, 0, 0};
+    se_compute_aes_256_cmac(KEYSLOT_SWITCH_LP0TZRAMKEY, tzram_cmac, sizeof(tzram_cmac), dst, size);
+
+    /* Validate the MAC against saved one in PMC scratch. */
+    if (tzram_cmac[0] != APBDEV_PMC_SECURE_SCRATCH112_0 ||
+        tzram_cmac[1] != APBDEV_PMC_SECURE_SCRATCH113_0 ||
+        tzram_cmac[2] != APBDEV_PMC_SECURE_SCRATCH114_0 ||
+        tzram_cmac[3] != APBDEV_PMC_SECURE_SCRATCH115_0) {
+        reboot();
+    }
+
+    /* Clear the PMC scratch registers that hold the CMAC. */
+    APBDEV_PMC_SECURE_SCRATCH112_0 = 0;
+    APBDEV_PMC_SECURE_SCRATCH113_0 = 0;
+    APBDEV_PMC_SECURE_SCRATCH114_0 = 0;
+    APBDEV_PMC_SECURE_SCRATCH115_0 = 0;
+
+    /* Clear keyslot now that we're done with it. */
+    clear_aes_keyslot(KEYSLOT_SWITCH_LP0TZRAMKEY);
+}
+
 bool secmon_should_clear_aes_keyslot(unsigned int keyslot) {
+    /* We'll just compare keyslot against a hardcoded list of keys. */
     static const uint8_t saved_keyslots[6] = {
         KEYSLOT_SWITCH_LP0TZRAMKEY,
         KEYSLOT_SWITCH_SESSIONKEY,
@@ -64,4 +106,4 @@ void secmon_clear_unused_keyslots(void) {
     for (unsigned int i = 0; i < KEYSLOT_RSA_MAX; i++) {
         clear_rsa_keyslot(i);
     }
-}
+}