Difference between revisions of "Security"
Revision as of 18:11, 27 January 2017
Right and down are less trusted. kernel_boot_loader.self does not itself run on F00D but only contains encrypted segments for ARM to run. Unless indicated otherwise, all processes are encrypted and require F00D to decrypt. This diagram reflects current knowledge and may contain inaccuracies (specifically everything on the F00D side is only a best guess).
Root Chain of Trust
The root is F00D's boot rom. This is likely where root keys are seeded and wiped from memory (if we have to guess using knowledge from similar systems). Either second_loader.enp or secure_kernel.enp are loaded from the eMMC (SLB2 partition) although second_loader.enp is the more likely candidate based on name. Both enp files are per-console encrypted (by F00D) during the update process. This is likely in addition (wraps over) to the already encrypted enp from the update file and is to hinder downgrade attacks (by externally flashing a bootloader from another Vita).
Curiously, secure_kernel.enp is loaded to DRAM by F00D before ARM secure-world bootloader. However on retail units, its address does not seem to be used. If an address is passed in the boot buffer, then the secure-world bootloader could send the address back to F00D (why?) but attempts to fake this process and attempts to replace the enp with older/newer version have failed.
If something needs to be decrypted from a user/system application (PVF or PUP for example), first the request is passed to the kernel. The kernel does some checks (mostly integrity checks) and makes a request to the secure kernel to load a new F00D SELF (to have the right keys and the right program to parse the format). Next the kernel passes the data to the secure kernel to decrypt and the secure kernel passes it to F00D. F00D does the real checks (integrity, signature, format, etc) and decrypts the data directly into the shared DRAM. After clearing the cache, the non-secure kernel has access to the data. F00D will not decrypt if anything fails in its checks.
Since every decryption happens on F00D and an encrypted revoke list is passed early during startup (in secure world bootloader), it is possible to revoke just about anything on the system. Any hack that can happen before the revoke list is loaded would likely count as a "permanent hack" that cannot be patched without a hardware revision.
If a game/application/system application is hacked, Sony can easily send a firmware update to block the hack. They can also send a game update and depending on the game that is hacked, they could enforce an update and therefore stop the exploit from triggering.
A hack at this level would allow for running unsigned code and also pirated games. Decryption must be done through the secure kernel & F00D, so attempts at decrypting SELFs from past and future firmwares will not work. To counter piracy, Sony can encrypt new games with new keys and prevent them from running on old compromised firmwares. They can also revoke vulnerable kernel versions to prevent downgrades by updating the revoke list in F00D.
Same level of access and same results as non-secure kernel. Direct access to F00D interrupts could allow for an attack though.
Will allow for "non-tethered" hacks. Can be used to load unsigned kernel at an early stage. Could potentially control F00D revoking by initializing with an older/newer FW, but this is untested. Can be revoked to prevent downgrades by preventing F00D from re-encrypting the (vulnerable) bootloader upon update. If there are additional hardware for this, it could also prevent replay attacks from an older, dumped bootloader.
All keys are stored as F00D SELFs, which are validated and decrypted just like ARM SELFs. If compromised, keys can be extracted to decrypt updates, bootloader, kernel SELFs, application SELFs, and more. It is unknown whether Sony can revoke keys because it may be possible to just decrypt the update containing new keys.