Not sure how new this is, but it's all stuff from Sony and IBM on security of the PS3. Just in general context. Basically the whole security model is based around the CBE. The FLASH, HDD, and Sony ASIC's are for other stuff.

I had a nice big post built up for this to try and strike up interests in another community where people are posting otheros.bld blitter demos, but the community got locked down.

- PPU controls SPE's, and SPE's get portions of the CBE 256KB for isolated code. The 256KB space and SPE's are where the hypervisor sessions happen after decrypted by the PPU with die key.

- Somewhere in Main RAM or CBE 256KB there exists a Address Translation Table with bits that control SPE security modes(locked or open.) Wether they wipe the vaults when shifted I don't know. The literature suggests they -are- wiped when you shift the bits.

- Locked SPE's can still do BUS I/O with inside code, but the inside code is left to do the security checks. I think it's all DMA.

- Main RAM is all encrypted supposedly. Only plaintext binary on system is in chip vaults, or the non key potions of ELF's(If Sony didn't do more crypto.) If sony didn't do crypto RAM would still be useless for a cracker.

- From outside through the PPU you can only kill a SPE which shifts it's ATT bit, and wipes it's part of the CBE 256KB/"Vault store."

- BD has BD crypto removed before it reaches ASIC's and RAM by the crypto chip on the BD board. This crypto has been cracked on other platforms before the PS3, and only layers the PS3 propriatary(?) cipher.

- The CBE has a not so 'public key' function in it's die somewhere that essentially decrypts -all- encrypted content in Flash, HDD, and game discs. I have to assume all of the CBE's have the same key?

- The boot loader in FLASH/BIOS somehow builds a security model for the entire code base with the 'public key' in the CBE die. It uses a "chain of command" wheres the boot module in BIOS is authenticated somehow against the chip key at power-up, and the CBE then makes the boot module in BIOS a trusted dictator of sorts allowing it to go on to load other modules in an SPE. In this case gameOS or whatever and disk images- with there own keys. I guess the key in die is the not so public 'public key.'

The boot loader supposedly cycles itself an arbritray amount to check itself with the chip key to protect against attacks. On top of this everything the PPU brings to an SPE is checked against the chip key somehow; then decrypted and loaded into a piece of 256KB for a locked SPE session.

- The portions of an ELF binary that do validation with the chip key are supposedly encrypted by the CBE scheme. The other parts are supposedly not(?)- so if they're not showing in hex that probably means there is another cipher in use by Sony.

- The CBE somehow uses it's RNG to create time stamps to protect against man in the middle attacks.

This should explain a lot. I got this info from the IBM cell dev pages, and a Sony response on the playstation forums I found. This is where my chip die analyzing theory came from.

Linux must be ran in a special open mode where the FLASH is the bios and switched to a more liberal SPE assignment state by Sony code.

Last edited by 0m1kr0n (2008-07-10 23:30:26)