exo2: implement through boot config load/validate

exosphere2/program/source/boot/secmon_boot.hpp

@@ -22,4 +22,10 @@ namespace ams::secmon::boot {
 
     void InitializeColdBoot();
 
+    bool VerifySignature(void *sig, size_t sig_size, const void *mod, size_t mod_size, const void *msg, size_t msg_size);
+    bool VerifyHash(const void *hash, uintptr_t msg, size_t msg_size);
+
+    bool VerifyBootConfigSignature(pkg1::BootConfig &bc, const void *mod, size_t mod_size);
+    bool VerifyBootConfigEcid(const pkg1::BootConfig &bc);
+
 }

exosphere2/program/source/boot/secmon_boot_config.cpp

@@ -14,9 +14,21 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 #include <exosphere.hpp>
+#include "secmon_boot.hpp"
 
 namespace ams::secmon::boot {
 
-    /* TODO */
+    bool VerifyBootConfigSignature(pkg1::BootConfig &bc, const void *mod, size_t mod_size) {
+        return VerifySignature(std::addressof(bc.signature), sizeof(bc.signature), mod, mod_size, std::addressof(bc.signed_data), sizeof(bc.signed_data));
+    }
 
-}
+    bool VerifyBootConfigEcid(const pkg1::BootConfig &bc) {
+        /* Get the ecid. */
+        br::BootEcid ecid;
+        fuse::GetEcid(std::addressof(ecid));
+
+        /* Verify it matches. */
+        return crypto::IsSameBytes(std::addressof(ecid), bc.signed_data.ecid, sizeof(ecid));
+    }
+
+}

exosphere2/program/source/boot/secmon_boot_functions.cpp

@@ -14,13 +14,94 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 #include <exosphere.hpp>
+#include "secmon_boot.hpp"
 #include "secmon_boot_functions.hpp"
 
 namespace ams::secmon::boot {
 
+    namespace {
+
+        constexpr inline uintptr_t SYSCTR0 = MemoryRegionVirtualDeviceSysCtr0.GetAddress();
+
+        constinit const u8 BootConfigRsaPublicModulus[se::RsaSize] = {
+            0xB5, 0x96, 0x87, 0x31, 0x39, 0xAA, 0xBB, 0x3C, 0x28, 0xF3, 0xF0, 0x65, 0xF1, 0x50, 0x70, 0x64,
+            0xE6, 0x6C, 0x97, 0x50, 0xCD, 0xA6, 0xEE, 0xEA, 0xC3, 0x8F, 0xE6, 0xB5, 0x81, 0x54, 0x65, 0x33,
+            0x1B, 0x88, 0x4B, 0xCE, 0x9F, 0x53, 0xDF, 0xE4, 0xF6, 0xAD, 0xC3, 0x78, 0xD7, 0x3C, 0xD1, 0xDB,
+            0x27, 0x21, 0xA0, 0x24, 0x30, 0x2D, 0x98, 0x41, 0xA8, 0xDF, 0x50, 0x7D, 0xAB, 0xCE, 0x00, 0xD9,
+            0xCB, 0xAC, 0x8F, 0x37, 0xF5, 0x53, 0xE4, 0x97, 0x1F, 0x13, 0x3C, 0x19, 0xFF, 0x05, 0xA7, 0x3B,
+            0xF6, 0xF4, 0x01, 0xDE, 0xF0, 0xC3, 0x77, 0x7B, 0x83, 0xBA, 0xAF, 0x99, 0x30, 0x94, 0x87, 0x25,
+            0x4E, 0x54, 0x42, 0x3F, 0xAC, 0x27, 0xF9, 0xCC, 0x87, 0xDD, 0xAE, 0xF2, 0x54, 0xF3, 0x97, 0x49,
+            0xF4, 0xB0, 0xF8, 0x6D, 0xDA, 0x60, 0xE0, 0xFD, 0x57, 0xAE, 0x55, 0xA9, 0x76, 0xEA, 0x80, 0x24,
+            0xA0, 0x04, 0x7D, 0xBE, 0xD1, 0x81, 0xD3, 0x0C, 0x95, 0xCF, 0xB7, 0xE0, 0x2D, 0x21, 0x21, 0xFF,
+            0x97, 0x1E, 0xB3, 0xD7, 0x9F, 0xBB, 0x33, 0x0C, 0x23, 0xC5, 0x88, 0x4A, 0x33, 0xB9, 0xC9, 0x4E,
+            0x1E, 0x65, 0x51, 0x45, 0xDE, 0xF9, 0x64, 0x7C, 0xF0, 0xBF, 0x11, 0xB4, 0x93, 0x8D, 0x5D, 0xC6,
+            0xAB, 0x37, 0x9E, 0xE9, 0x39, 0xC1, 0xC8, 0xDB, 0xB9, 0xFE, 0x45, 0xCE, 0x7B, 0xDD, 0x72, 0xD9,
+            0x6F, 0x68, 0x13, 0xC0, 0x4B, 0xBA, 0x00, 0xF4, 0x1E, 0x89, 0x71, 0x91, 0x26, 0xA6, 0x46, 0x12,
+            0xDF, 0x29, 0x6B, 0xC2, 0x5A, 0x53, 0xAF, 0xB9, 0x5B, 0xFD, 0x13, 0x9F, 0xD1, 0x8A, 0x7C, 0xB5,
+            0x04, 0xFD, 0x69, 0xEA, 0x23, 0xB4, 0x6D, 0x16, 0x21, 0x98, 0x54, 0xB4, 0xDF, 0xE6, 0xAB, 0x93,
+            0x36, 0xB6, 0xD2, 0x43, 0xCF, 0x2B, 0x98, 0x1D, 0x45, 0xC9, 0xBB, 0x20, 0x42, 0xB1, 0x9D, 0x1D
+        };
+
+    }
+
     void ClearIram() {
         /* Clear the boot code image from where it was loaded in IRAM. */
         util::ClearMemory(MemoryRegionPhysicalIramBootCodeImage.GetPointer(), MemoryRegionPhysicalIramBootCodeImage.GetSize());
     }
 
+    void WaitForNxBootloader(const pkg1::SecureMonitorParameters &params, pkg1::BootloaderState state) {
+        /* Check NX Bootloader's state once per microsecond until it's advanced enough. */
+        while (params.bootloader_state < state) {
+            util::WaitMicroSeconds(1);
+        }
+    }
+
+    void LoadBootConfig(const void *src) {
+        pkg1::BootConfig * const dst = secmon::impl::GetBootConfigStorage();
+
+        if (pkg1::IsProduction()) {
+            std::memset(dst, 0, sizeof(*dst));
+        } else {
+            hw::FlushDataCache(src, sizeof(*dst));
+            hw::DataSynchronizationBarrierInnerShareable();
+            std::memcpy(dst, src, sizeof(*dst));
+        }
+    }
+
+    void VerifyOrClearBootConfig() {
+        /* On production hardware, the boot config is already cleared. */
+        if (pkg1::IsProduction()) {
+            return;
+        }
+
+        pkg1::BootConfig * const bc = secmon::impl::GetBootConfigStorage();
+
+        /* Determine if the bc is valid for the device. */
+        bool valid_for_device = false;
+        {
+            const bool valid_signature = secmon::boot::VerifyBootConfigSignature(*bc, BootConfigRsaPublicModulus, util::size(BootConfigRsaPublicModulus));
+            if (valid_signature) {
+                valid_for_device = secmon::boot::VerifyBootConfigEcid(*bc);
+            }
+        }
+
+        /* If the boot config is not valid for the device, clear its signed data. */
+        if (!valid_for_device) {
+            util::ClearMemory(std::addressof(bc->signed_data), sizeof(bc->signed_data));
+        }
+    }
+
+    void EnableTsc(u64 initial_tsc_value) {
+        /* Write the initial value to the CNTCV registers. */
+        const u32 lo = static_cast<u32>(initial_tsc_value >>  0);
+        const u32 hi = static_cast<u32>(initial_tsc_value >> 32);
+
+        reg::Write(SYSCTR0 + SYSCTR0_CNTCV0, lo);
+        reg::Write(SYSCTR0 + SYSCTR0_CNTCV1, hi);
+
+        /* Configure the system counter control register. */
+        reg::Write(SYSCTR0 + SYSCTR0_CNTCR, SYSCTR0_REG_BITS_ENUM(CNTCR_HDBG, ENABLE),
+                                            SYSCTR0_REG_BITS_ENUM(CNTCR_EN,   ENABLE));
+    }
+
 }

exosphere2/program/source/boot/secmon_boot_functions.hpp

@@ -20,4 +20,11 @@ namespace ams::secmon::boot {
 
     void ClearIram();
 
+    void WaitForNxBootloader(const pkg1::SecureMonitorParameters &params, pkg1::BootloaderState state);
+
+    void LoadBootConfig(const void *src);
+    void VerifyOrClearBootConfig();
+
+    void EnableTsc(u64 initial_tsc_value);
+
 }

exosphere2/program/source/boot/secmon_boot_rsa.cpp

@@ -0,0 +1,159 @@
+/*
+ * Copyright (c) 2018-2020 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#include <exosphere.hpp>
+#include "secmon_boot.hpp"
+
+namespace ams::secmon::boot {
+
+    namespace {
+
+        constinit const u8 RsaPublicKeyExponent[] = {
+            0x00, 0x01, 0x00, 0x01,
+        };
+
+        constexpr inline u8 TailMagic = 0xBC;
+
+        bool VerifyRsaPssSha256(const u8 *sig, const void *msg, size_t msg_size) {
+            /* Define constants. */
+            constexpr int EmBits  = 2047;
+            constexpr int EmLen   = util::DivideUp(EmBits, BITSIZEOF(u8));
+            constexpr int SaltLen = 0x20;
+            constexpr int HashLen = se::Sha256HashSize;
+
+            /* Define a work buffer. */
+            u8 work[EmLen];
+            ON_SCOPE_EXIT { util::ClearMemory(work, sizeof(work)); };
+
+            /* Calculate the message hash, first flushing cache to ensure SE sees correct data. */
+            se::Sha256Hash msg_hash;
+            hw::FlushDataCache(msg, msg_size);
+            hw::DataSynchronizationBarrierInnerShareable();
+            se::CalculateSha256(std::addressof(msg_hash), msg, msg_size);
+
+            /* Verify the tail magic. */
+            bool is_valid = sig[EmLen - 1] == TailMagic;
+
+            /* Determine extents of masked db and h. */
+            const u8 *masked_db = std::addressof(sig[0]);
+            const u8 *h         = std::addressof(sig[EmLen - HashLen - 1]);
+
+            /* Verify the extra bits are zero. */
+            is_valid &= (masked_db[0] >> (BITSIZEOF(u8) - (BITSIZEOF(u8) * EmLen - EmBits))) == 0;
+
+            /* Calculate the db mask. */
+            {
+                constexpr int MaskLen   = EmLen - HashLen - 1;
+                constexpr int HashIters = util::DivideUp(MaskLen, HashLen);
+
+                u8 mgf1_buf[sizeof(u32) + HashLen];
+
+                std::memcpy(std::addressof(mgf1_buf[0]), h, HashLen);
+                std::memset(std::addressof(mgf1_buf[HashLen]), 0, sizeof(u32));
+
+                for (int i = 0; i < HashIters; ++i) {
+                    /* Set the counter for this iteration. */
+                    mgf1_buf[sizeof(mgf1_buf) - 1] = i;
+
+                    /* Calculate the sha256 to the appropriate place in the work buffer. */
+                    auto *mgf1_dst = reinterpret_cast<se::Sha256Hash *>(std::addressof(work[HashLen * i]));
+
+                    hw::FlushDataCache(mgf1_buf, sizeof(mgf1_buf));
+                    hw::DataSynchronizationBarrierInnerShareable();
+                    se::CalculateSha256(mgf1_dst, mgf1_buf, sizeof(mgf1_buf));
+                }
+            }
+
+            /* Decrypt masked db using the mask we just generated. */
+            for (int i = 0; i < EmLen - HashLen - 1; ++i) {
+                work[i] ^= masked_db[i];
+            }
+
+            /* Mask out the top bits. */
+            u8 *db = work;
+            db[0] &= 0xFF >> (BITSIZEOF(u8) * EmLen - EmBits);
+
+            /* Verify that DB is of the form 0000...0001 */
+            constexpr int DbLen = EmLen - HashLen - 1;
+            int salt_ofs = 0;
+            {
+                int looking_for_one = 1;
+                int invalid_db_padding = 0;
+                int is_zero;
+                int is_one;
+                for (size_t i = 0; i < DbLen; /* ... */) {
+                    is_zero = (db[i] == 0);
+                    is_one  = (db[i] == 1);
+                    salt_ofs += (looking_for_one & is_one) * (static_cast<s32>(++i));
+                    looking_for_one &= ~is_one;
+                    invalid_db_padding |= (looking_for_one & ~is_zero);
+                }
+
+                is_valid &= (invalid_db_padding == 0);
+            }
+
+            /* Verify salt. */
+            is_valid &= (DbLen - salt_ofs) == SaltLen;
+
+            /* Setup the message to verify. */
+            const u8 *salt = std::addressof(db[DbLen - SaltLen]);
+            u8 verif_msg[8 + HashLen + SaltLen];
+            ON_SCOPE_EXIT { util::ClearMemory(verif_msg, sizeof(verif_msg)); };
+
+            util::ClearMemory(std::addressof(verif_msg[0]), 8);
+            std::memcpy(std::addressof(verif_msg[8]), std::addressof(msg_hash), HashLen);
+            std::memcpy(std::addressof(verif_msg[8 + HashLen]), salt, SaltLen);
+
+            /* Verify the final hash. */
+            return VerifyHash(h, reinterpret_cast<uintptr_t>(std::addressof(verif_msg[0])), sizeof(verif_msg));
+        }
+
+        bool VerifyRsaPssSha256(int slot, void *sig, size_t sig_size, const void *msg, size_t msg_size) {
+            /* Exponentiate the signature, using the signature as the destination buffer. */
+            se::ModularExponentiate(sig, sig_size, slot, sig, sig_size);
+
+            /* Verify the pss padding. */
+            return VerifyRsaPssSha256(static_cast<const u8 *>(sig), msg, msg_size);
+        }
+
+    }
+
+    bool VerifySignature(void *sig, size_t sig_size, const void *mod, size_t mod_size, const void *msg, size_t msg_size) {
+        /* Load the public key into a temporary keyslot. */
+        const int slot = pkg1::RsaKeySlot_Temporary;
+        se::SetRsaKey(slot, mod, mod_size, RsaPublicKeyExponent, util::size(RsaPublicKeyExponent));
+
+        return VerifyRsaPssSha256(slot, sig, sig_size, msg, msg_size);
+    }
+
+    bool VerifyHash(const void *hash, uintptr_t msg, size_t msg_size) {
+        /* Zero-sized messages are always valid. */
+        if (msg_size == 0) {
+            return true;
+        }
+
+        /* Ensure that the SE sees correct data for the message. */
+        hw::FlushDataCache(reinterpret_cast<void *>(msg), msg_size);
+        hw::DataSynchronizationBarrierInnerShareable();
+
+        /* Calculate the hash. */
+        se::Sha256Hash calc_hash;
+        se::CalculateSha256(std::addressof(calc_hash), reinterpret_cast<void *>(msg), msg_size);
+
+        /* Verify the result. */
+        return crypto::IsSameBytes(std::addressof(calc_hash), hash, sizeof(calc_hash));
+    }
+
+}

exosphere2/program/source/boot/secmon_main.cpp

@@ -26,7 +26,7 @@ namespace ams::secmon {
         /* Set library register addresses. */
         /*   actmon::SetRegisterAddress(MemoryRegionVirtualDeviceActivityMonitor.GetAddress()); */
              clkrst::SetRegisterAddress(MemoryRegionVirtualDeviceClkRst.GetAddress());
-        /* flowctrl::SetRegisterAddress(); */
+               flow::SetRegisterAddress(MemoryRegionVirtualDeviceFlowController.GetAddress());
                fuse::SetRegisterAddress(MemoryRegionVirtualDeviceFuses.GetAddress());
                 gic::SetRegisterAddress(MemoryRegionVirtualDeviceGicDistributor.GetAddress(), MemoryRegionVirtualDeviceGicCpuInterface.GetAddress());
                 i2c::SetRegisterAddress(i2c::Port_1, MemoryRegionVirtualDeviceI2c1.GetAddress());
@@ -69,6 +69,26 @@ namespace ams::secmon {
             /* Initialize the random cache. */
             secmon::smc::FillRandomCache();
         }
+
+        /* Wait for NX Bootloader to finish loading the BootConfig. */
+        secmon::boot::WaitForNxBootloader(secmon_params, pkg1::BootloaderState_LoadedBootConfig);
+        hw::DataSynchronizationBarrierInnerShareable();
+
+        /* Load the bootconfig. */
+        secmon::boot::LoadBootConfig(MemoryRegionPhysicalIramBootConfig.GetPointer());
+
+        /* Verify or clear the boot config. */
+        secmon::boot::VerifyOrClearBootConfig();
+
+        /* Get the boot config. */
+        const auto &bc = secmon::GetBootConfig();
+
+        /* Set the tsc value by the boot config. */
+        {
+            constexpr u64 TscMask = (static_cast<u64>(1) << 55) - 1;
+
+            secmon::boot::EnableTsc(bc.data.GetInitialTscValue() & TscMask);
+        }
     }
 
 }