key_manager: Add support for KEK and SD seed derivation

src/core/crypto/key_manager.cpp

@@ -12,11 +12,105 @@
 #include "common/file_util.h"
 #include "common/hex_util.h"
 #include "common/logging/log.h"
+#include "core/crypto/aes_util.h"
 #include "core/crypto/key_manager.h"
 #include "core/settings.h"
 
 namespace Core::Crypto {
 
+Key128 GenerateKeyEncryptionKey(Key128 source, Key128 master, Key128 kek_seed, Key128 key_seed) {
+    Key128 out{};
+
+    AESCipher<Key128> cipher1(master, Mode::ECB);
+    cipher1.Transcode(kek_seed.data(), kek_seed.size(), out.data(), Op::Decrypt);
+    AESCipher<Key128> cipher2(out, Mode::ECB);
+    cipher2.Transcode(source.data(), source.size(), out.data(), Op::Decrypt);
+
+    if (key_seed != Key128{}) {
+        AESCipher<Key128> cipher3(out, Mode::ECB);
+        cipher3.Transcode(key_seed.data(), key_seed.size(), out.data(), Op::Decrypt);
+    }
+
+    return out;
+}
+
+boost::optional<Key128> DeriveSDSeed() {
+    const FileUtil::IOFile save_43(FileUtil::GetUserPath(FileUtil::UserPath::NANDDir) +
+                                       "/system/save/8000000000000043",
+                                   "rb+");
+    if (!save_43.IsOpen())
+        return boost::none;
+    const FileUtil::IOFile sd_private(
+        FileUtil::GetUserPath(FileUtil::UserPath::SDMCDir) + "/Nintendo/Contents/private", "rb+");
+    if (!sd_private.IsOpen())
+        return boost::none;
+
+    sd_private.Seek(0, SEEK_SET);
+    std::array<u8, 0x10> private_seed{};
+    if (sd_private.ReadBytes(private_seed.data(), private_seed.size()) != 0x10)
+        return boost::none;
+
+    std::array<u8, 0x10> buffer{};
+    size_t offset = 0;
+    for (; offset + 0x10 < save_43.GetSize(); ++offset) {
+        save_43.Seek(offset, SEEK_SET);
+        save_43.ReadBytes(buffer.data(), buffer.size());
+        if (buffer == private_seed)
+            break;
+    }
+
+    if (offset + 0x10 >= save_43.GetSize())
+        return boost::none;
+
+    Key128 seed{};
+    save_43.Seek(offset + 0x10, SEEK_SET);
+    save_43.ReadBytes(seed.data(), seed.size());
+    return seed;
+}
+
+Loader::ResultStatus DeriveSDKeys(std::array<Key256, 2>& sd_keys, const KeyManager& keys) {
+    if (!keys.HasKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::SDKEK)))
+        return Loader::ResultStatus::ErrorMissingSDKEKSource;
+    if (!keys.HasKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKEKGeneration)))
+        return Loader::ResultStatus::ErrorMissingAESKEKGenerationSource;
+    if (!keys.HasKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKeyGeneration)))
+        return Loader::ResultStatus::ErrorMissingAESKeyGenerationSource;
+
+    const auto sd_kek_source =
+        keys.GetKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::SDKEK));
+    const auto aes_kek_gen =
+        keys.GetKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKEKGeneration));
+    const auto aes_key_gen =
+        keys.GetKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKeyGeneration));
+    const auto master_00 = keys.GetKey(S128KeyType::Master);
+    const auto sd_kek =
+        GenerateKeyEncryptionKey(sd_kek_source, master_00, aes_kek_gen, aes_key_gen);
+
+    if (!keys.HasKey(S128KeyType::SDSeed))
+        return Loader::ResultStatus::ErrorMissingSDSeed;
+    const auto sd_seed = keys.GetKey(S128KeyType::SDSeed);
+
+    if (!keys.HasKey(S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::Save)))
+        return Loader::ResultStatus::ErrorMissingSDSaveKeySource;
+    if (!keys.HasKey(S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::NCA)))
+        return Loader::ResultStatus::ErrorMissingSDNCAKeySource;
+
+    std::array<Key256, 2> sd_key_sources{
+        keys.GetKey(S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::Save)),
+        keys.GetKey(S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::NCA)),
+    };
+
+    AESCipher<Key128> cipher(sd_kek, Mode::ECB);
+    for (size_t i = 0; i < 2; ++i) {
+        for (size_t j = 0; j < 0x20; ++j)
+            sd_key_sources[i][j] ^= sd_seed[j & 0xF];
+        cipher.Transcode(sd_key_sources[i].data(), sd_key_sources[i].size(), sd_keys[i].data(),
+                         Op::Decrypt);
+    }
+
+    return Loader::ResultStatus::Success;
+}
+
 KeyManager::KeyManager() {
     // Initialize keys
     const std::string hactool_keys_dir = FileUtil::GetHactoolConfigurationPath();
@@ -24,12 +118,15 @@ KeyManager::KeyManager() {
     if (Settings::values.use_dev_keys) {
         dev_mode = true;
         AttemptLoadKeyFile(yuzu_keys_dir, hactool_keys_dir, "dev.keys", false);
+        AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, "dev.keys_autogenerated", false);
     } else {
         dev_mode = false;
         AttemptLoadKeyFile(yuzu_keys_dir, hactool_keys_dir, "prod.keys", false);
+        AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, "prod.keys_autogenerated", false);
     }
 
     AttemptLoadKeyFile(yuzu_keys_dir, hactool_keys_dir, "title.keys", true);
+    AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, "title.keys_autogenerated", false);
 }
 
 void KeyManager::LoadFromFile(const std::string& filename, bool is_title_keys) {
@@ -126,6 +223,13 @@ bool KeyManager::KeyFileExists(bool title) {
 }
 
 void KeyManager::DeriveSDSeedLazy() {
+    if (!HasKey(S128KeyType::SDSeed)) {
+        const auto res = DeriveSDSeed();
+        if (res != boost::none)
+            SetKey(S128KeyType::SDSeed, res.get());
+    }
+}
+
 const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> KeyManager::s128_file_id = {
     {"master_key_00", {S128KeyType::Master, 0, 0}},
     {"master_key_01", {S128KeyType::Master, 1, 0}},
@@ -168,11 +272,17 @@ const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> KeyManager:
     {"key_area_key_system_02", {S128KeyType::KeyArea, 2, static_cast<u64>(KeyAreaKeyType::System)}},
     {"key_area_key_system_03", {S128KeyType::KeyArea, 3, static_cast<u64>(KeyAreaKeyType::System)}},
     {"key_area_key_system_04", {S128KeyType::KeyArea, 4, static_cast<u64>(KeyAreaKeyType::System)}},
+    {"sd_card_kek_source", {S128KeyType::Source, static_cast<u64>(SourceKeyType::SDKEK), 0}},
+    {"aes_kek_generation_source",
+     {S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKEKGeneration), 0}},
+    {"aes_key_generation_source",
+     {S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKeyGeneration), 0}},
+    {"sd_seed", {S128KeyType::SDSeed, 0, 0}},
 };
 
 const boost::container::flat_map<std::string, KeyIndex<S256KeyType>> KeyManager::s256_file_id = {
     {"header_key", {S256KeyType::Header, 0, 0}},
-    {"sd_card_save_key", {S256KeyType::SDSave, 0, 0}},
-    {"sd_card_nca_key", {S256KeyType::SDNCA, 0, 0}},
+    {"sd_card_save_key_source", {S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::Save), 0}},
+    {"sd_card_nca_key_source", {S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::NCA), 0}},
 };
 } // namespace Core::Crypto

src/core/crypto/key_manager.h

@@ -23,9 +23,8 @@ static_assert(sizeof(Key128) == 16, "Key128 must be 128 bytes big.");
 static_assert(sizeof(Key256) == 32, "Key128 must be 128 bytes big.");
 
 enum class S256KeyType : u64 {
-    Header, //
-    SDSave, //
-    SDNCA,  //
+    Header,      //
+    SDKeySource, // f1=SDKeyType
 };
 
 enum class S128KeyType : u64 {
@@ -37,6 +36,7 @@ enum class S128KeyType : u64 {
     KeyArea,       // f1=crypto revision f2=type {app, ocean, system}
     SDSeed,        //
     Titlekey,      // f1=rights id LSB f2=rights id MSB
+    Source,        // f1=source type, f2= sub id
 };
 
 enum class KeyAreaKeyType : u8 {
@@ -45,6 +45,17 @@ enum class KeyAreaKeyType : u8 {
     System,
 };
 
+enum class SourceKeyType : u8 {
+    SDKEK,
+    AESKEKGeneration,
+    AESKeyGeneration,
+};
+
+enum class SDKeyType : u8 {
+    Save,
+    NCA,
+};
+
 template <typename KeyType>
 struct KeyIndex {
     KeyType type;
@@ -83,6 +94,10 @@ public:
 
     static bool KeyFileExists(bool title);
 
+    // Call before using the sd seed to attempt to derive it if it dosen't exist. Needs system save
+    // 8*43 and the private file to exist.
+    void DeriveSDSeedLazy();
+
 private:
     boost::container::flat_map<KeyIndex<S128KeyType>, Key128> s128_keys;
     boost::container::flat_map<KeyIndex<S256KeyType>, Key256> s256_keys;
@@ -95,4 +110,9 @@ private:
     static const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> s128_file_id;
     static const boost::container::flat_map<std::string, KeyIndex<S256KeyType>> s256_file_id;
 };
+
+Key128 GenerateKeyEncryptionKey(Key128 source, Key128 master, Key128 kek_seed, Key128 key_seed);
+boost::optional<Key128> DeriveSDSeed();
+Loader::ResultStatus DeriveSDKeys(std::array<Key256, 2>& sd_keys, const KeyManager& keys);
+
 } // namespace Core::Crypto