Difference between revisions of "Security"

From Vita Development Wiki
Jump to navigation Jump to search
 
(7 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
[[File:ChainOfTrust.png]]
 
[[File:ChainOfTrust.png]]
  
The red box is secure world ARM. The green box is non-secure kernel mode ARM. The blue box is non-secure user mode ARM. The yellow is F00D processor. Black arrows indicate trust (A -> B means B trusts A). Green arrows means decryption request (A -> B means A requests decryption from B). Red arrow means executable decryption (A -> B means A decrypts B). THIS IS WRONG AND NEEDS TO BE UPDATED
+
Right and down are less trusted. kernel_boot_loader.self does not itself run on F00D but only contains encrypted segments for ARM to run. Unless indicated otherwise, all processes are encrypted and require F00D to decrypt. This diagram reflects current knowledge and may contain inaccuracies (specifically everything on the F00D side is only a best guess).
  
 
== Root Chain of Trust ==
 
== Root Chain of Trust ==
  
ROMs are trusted implicitly. <code>second_loader</code> and <code>secure_kernel</code> are, at update time,  additoinally encrypted (likely with per-console keys). If that is the case, it is likely that the F00D bootrom has the ability to decrypt those two files. It is also predicted that <code>secure_kernel</code> is run on F00D as does <code>second_loader</code> in order to decrypt <code>kernel_boot_loader.self</code> to start the ARM code .
+
The root is F00D's bootrom (First Loader). This is where root keys are seeded and wiped from memory. Either second_loader.enp_ or second_loader.enp are loaded from the eMMC (SLB2 partition). Both .enp files are per-console encrypted (by F00D) during the update process. This is in addition (wraps over) to the already encrypted enp from the update file and is to hinder downgrade attacks (by externally flashing to eMMC a bootloader from another PSVita).
  
 
== Decryption Request ==
 
== Decryption Request ==
  
If something needs to be decrypted from a user/system application ([[PVF]] or [[PUP]] for example), first the request is passed to the kernel. The kernel does some checks (mostly integrity checks) and makes a request to the secure kernel to load a new F00D SELF (to have the right keys and the right program to parse the format). Next the kernel passes the data to the secure kernel to decrypt and the secure kernel passes it to F00D. F00D does the real checks (integrity, signature, format, etc) and decrypts the data directly into the shared DRAM. After clearing the cache, the non-secure kernel has access to the data. F00D will not decrypt if anything fails in its checks.
+
If something needs to be decrypted from a user/system application ([[PVF]], SELF or [[PUP]] for example), first the request is passed to the non-secure kernel. The non-secure kernel does some checks (mostly integrity checks) then makes a request to [[TrustZone]] to load a new [[SM|Secure Module]] (to have the right keys and the right program to parse the data format). Next the non-securekernel passes the data to the secure kernel to decrypt and the secure kernel passes it to F00D. F00D does the real checks (integrity, signature, format, etc) and decrypts the data directly into the shared DRAM. After clearing the cache, the non-secure kernel has access to the data. F00D will not decrypt if anything fails in its checks.
  
 
== Security ==
 
== Security ==
  
The two bootroms are physically burned into the SoC and cannot be changed. The Cortex A9 bootrom loads the first level bootloader and the F00D bootrom is unknown. Every other component can be changed and most can be revoked. Below, we discuss potential outcomes if there is a hack at each level.
+
Since most decryption happens on F00D and a signed revoke list is passed early during startup (in [[TrustZone]] modules initialization), it is possible to revoke just about anything on the system. Any hack that can happen before the revoke list is loaded would likely count as a "permanent hack" that cannot be patched without a hardware revision.
  
 
=== Usermode ===
 
=== Usermode ===
  
If a game/application/system application is hacked, Sony can easily send a firmware update to block the hack. They can also send a game update and depending on the game that is hacked, they could enforce an update and therefore stop the exploit from triggering.
+
If a game/application/system application is hacked, Sony can easily distribute a firmware update to block the hack. They can also ask a game update and depending on the game that is hacked, they could enforce an update and therefore stop the exploit from triggering.
 +
 
 +
There are different sandboxes for applications, the more trusted being [[SceShell]] modules, which consist of the home screen, LiveArea, background menu, and background usermode tasks.
  
 
=== Non-secure Kernel ===
 
=== Non-secure Kernel ===
  
A hack at this level would allow for running unsigned code and also pirated games. Decryption must be done through the secure kernel & F00D, so attempts at decrypting SELFs from past and future firmwares will not work. To counter piracy, Sony can encrypt new games with new keys and prevent them from running on old compromised firmwares. They can also revoke vulnerable kernel versions to prevent downgrades by updating the revoke list in F00D.
+
A hack at this level allows for running unsigned code and also pirated games. Decryption must be done through the secure kernel and F00D, so attempts at loading SELFs from past and future firmwares would not work. To counter piracy, Sony can encrypt new games with new keys and prevent them from running on old compromised firmwares.
 +
 
 +
=== ARM Secure Kernel ===
 +
 
 +
Same level of access and same results as non-secure kernel. Direct access to F00D interrupts could allow for a F00D attack though but there is little gain compared to simply having non-secure kernel code execution.
 +
 
 +
=== Secure/non-secure Kernel Bootloader ===
 +
 
 +
Allows for "non-tethered" hacks. Can be used to load unsigned kernel at an early stage. It does not allow getting more keys than Kernel hacks allowed.
 +
 
 +
=== F00D Secure Modules ===
 +
 
 +
All keys are stored in F00D [[SM|Secure Modules]] SELFs, which are validated and decrypted just like ARM SELFs. If [[SM]]s are compromised, keys can be extracted to decrypt updates, bootloader, kernel SELFs, application SELFs, and more.
 +
 
 +
Sony can revoke most keys by updating slb2:prog_rvk.srvk, keys in SM SELFs, ENC files keys, etc... But SPKG key cannot be changed else older and current firmwares PUPs would not be installable anymore... Once SPKGs are decrypted, filesystem is accessible, but that doesn't mean Certified Files it embeds are decryptable because keys can change.
 +
 
 +
=== cMeP Secure Kernel ===
  
=== Secure Kernel ===
+
[[Secure Kernel]] has ability to freely access F00D and ARM memory, so a hack would allow dumping SMs i.e keys. It so has complete control over F00D and ARM. A hack would also allow to read the content of [[F00D_Key_Ring_Base|Bigmac keyslots]] for which some embed keys.
  
Same level of access and same results as non-secure kernel. Direct access to F00D interrupts could allow for an attack though.
+
=== Second Loader ===
  
=== Secure/non-secure bootloader ===
+
Compare to [[Secure Kernel]], [[Second Loader]] has access to more [[F00D_Key_Ring_Base|Bigmac keyslots]] because they are not locked yet so a hack would allow to get a few more keys. However at the time [[Second Loader]] runs, [[Secure Kernel]] and ARM kernel bootloaders nor kernel are not in memory yet so a Second Loader hack would have to play with Bigmac keyslots or to run Secure Kernel itself in order to get code execution on lower levels.
  
Will allow for "non-tethered" hacks. Can be used to load unsigned kernel at an early stage. Could potentially control F00D revoking by initializing with an older/newer FW, but this is untested. Can be revoked to prevent downgrades by preventing F00D from re-encrypting the (vulnerable) bootloader upon update. If there are additional hardware for this, it could also prevent replay attacks from an older, dumped bootloader.
+
=== First Loader (Boot ROM) ===
  
=== F00D applications ===
+
Boot rom handles the master keys so once it is hacked, most static derived key are computable once for all. As is not updatable (ROM) a First Loader hack
 +
is not patchable. However it is almost impossible to hack First Loader without hardware techniques.
  
All keys are stored as F00D SELFs, which are validated and decrypted just like ARM SELFs. If compromised, keys can be extracted to decrypt updates, bootloader, kernel SELFs, application SELFs, and more. It is unknown whether Sony can revoke keys because it may be possible to just decrypt the update containing new keys.
 
  
 
[[Category:Startup]]
 
[[Category:Startup]]
 
[[Category:Loaders]]
 
[[Category:Loaders]]
 
[[Category:Kernel]]
 
[[Category:Kernel]]

Revision as of 00:45, 7 June 2020

ChainOfTrust.png

Right and down are less trusted. kernel_boot_loader.self does not itself run on F00D but only contains encrypted segments for ARM to run. Unless indicated otherwise, all processes are encrypted and require F00D to decrypt. This diagram reflects current knowledge and may contain inaccuracies (specifically everything on the F00D side is only a best guess).

Root Chain of Trust

The root is F00D's bootrom (First Loader). This is where root keys are seeded and wiped from memory. Either second_loader.enp_ or second_loader.enp are loaded from the eMMC (SLB2 partition). Both .enp files are per-console encrypted (by F00D) during the update process. This is in addition (wraps over) to the already encrypted enp from the update file and is to hinder downgrade attacks (by externally flashing to eMMC a bootloader from another PSVita).

Decryption Request

If something needs to be decrypted from a user/system application (PVF, SELF or PUP for example), first the request is passed to the non-secure kernel. The non-secure kernel does some checks (mostly integrity checks) then makes a request to TrustZone to load a new Secure Module (to have the right keys and the right program to parse the data format). Next the non-securekernel passes the data to the secure kernel to decrypt and the secure kernel passes it to F00D. F00D does the real checks (integrity, signature, format, etc) and decrypts the data directly into the shared DRAM. After clearing the cache, the non-secure kernel has access to the data. F00D will not decrypt if anything fails in its checks.

Security

Since most decryption happens on F00D and a signed revoke list is passed early during startup (in TrustZone modules initialization), it is possible to revoke just about anything on the system. Any hack that can happen before the revoke list is loaded would likely count as a "permanent hack" that cannot be patched without a hardware revision.

Usermode

If a game/application/system application is hacked, Sony can easily distribute a firmware update to block the hack. They can also ask a game update and depending on the game that is hacked, they could enforce an update and therefore stop the exploit from triggering.

There are different sandboxes for applications, the more trusted being SceShell modules, which consist of the home screen, LiveArea, background menu, and background usermode tasks.

Non-secure Kernel

A hack at this level allows for running unsigned code and also pirated games. Decryption must be done through the secure kernel and F00D, so attempts at loading SELFs from past and future firmwares would not work. To counter piracy, Sony can encrypt new games with new keys and prevent them from running on old compromised firmwares.

ARM Secure Kernel

Same level of access and same results as non-secure kernel. Direct access to F00D interrupts could allow for a F00D attack though but there is little gain compared to simply having non-secure kernel code execution.

Secure/non-secure Kernel Bootloader

Allows for "non-tethered" hacks. Can be used to load unsigned kernel at an early stage. It does not allow getting more keys than Kernel hacks allowed.

F00D Secure Modules

All keys are stored in F00D Secure Modules SELFs, which are validated and decrypted just like ARM SELFs. If SMs are compromised, keys can be extracted to decrypt updates, bootloader, kernel SELFs, application SELFs, and more.

Sony can revoke most keys by updating slb2:prog_rvk.srvk, keys in SM SELFs, ENC files keys, etc... But SPKG key cannot be changed else older and current firmwares PUPs would not be installable anymore... Once SPKGs are decrypted, filesystem is accessible, but that doesn't mean Certified Files it embeds are decryptable because keys can change.

cMeP Secure Kernel

Secure Kernel has ability to freely access F00D and ARM memory, so a hack would allow dumping SMs i.e keys. It so has complete control over F00D and ARM. A hack would also allow to read the content of Bigmac keyslots for which some embed keys.

Second Loader

Compare to Secure Kernel, Second Loader has access to more Bigmac keyslots because they are not locked yet so a hack would allow to get a few more keys. However at the time Second Loader runs, Secure Kernel and ARM kernel bootloaders nor kernel are not in memory yet so a Second Loader hack would have to play with Bigmac keyslots or to run Secure Kernel itself in order to get code execution on lower levels.

First Loader (Boot ROM)

Boot rom handles the master keys so once it is hacked, most static derived key are computable once for all. As is not updatable (ROM) a First Loader hack is not patchable. However it is almost impossible to hack First Loader without hardware techniques.

Retrieved from "http://wiki.henkaku.xyz/vita/index.php?title=Security&oldid=14323"