1 /* 2 * Copyright (c) 2011 The Chromium OS Authors. 3 * 4 * SPDX-License-Identifier: GPL-2.0+ 5 */ 6 7 /* 8 * The code in this file is based on the article "Writing a TPM Device Driver" 9 * published on http://ptgmedia.pearsoncmg.com. 10 * 11 * One principal difference is that in the simplest config the other than 0 12 * TPM localities do not get mapped by some devices (for instance, by Infineon 13 * slb9635), so this driver provides access to locality 0 only. 14 */ 15 16 #include <common.h> 17 #include <asm/io.h> 18 #include <tis.h> 19 #include <tpm.h> 20 21 #define PREFIX "lpc_tpm: " 22 23 struct tpm_locality { 24 u32 access; 25 u8 padding0[4]; 26 u32 int_enable; 27 u8 vector; 28 u8 padding1[3]; 29 u32 int_status; 30 u32 int_capability; 31 u32 tpm_status; 32 u8 padding2[8]; 33 u8 data; 34 u8 padding3[3803]; 35 u32 did_vid; 36 u8 rid; 37 u8 padding4[251]; 38 }; 39 40 /* 41 * This pointer refers to the TPM chip, 5 of its localities are mapped as an 42 * array. 43 */ 44 #define TPM_TOTAL_LOCALITIES 5 45 static struct tpm_locality *lpc_tpm_dev = 46 (struct tpm_locality *)CONFIG_TPM_TIS_BASE_ADDRESS; 47 48 /* Some registers' bit field definitions */ 49 #define TIS_STS_VALID (1 << 7) /* 0x80 */ 50 #define TIS_STS_COMMAND_READY (1 << 6) /* 0x40 */ 51 #define TIS_STS_TPM_GO (1 << 5) /* 0x20 */ 52 #define TIS_STS_DATA_AVAILABLE (1 << 4) /* 0x10 */ 53 #define TIS_STS_EXPECT (1 << 3) /* 0x08 */ 54 #define TIS_STS_RESPONSE_RETRY (1 << 1) /* 0x02 */ 55 56 #define TIS_ACCESS_TPM_REG_VALID_STS (1 << 7) /* 0x80 */ 57 #define TIS_ACCESS_ACTIVE_LOCALITY (1 << 5) /* 0x20 */ 58 #define TIS_ACCESS_BEEN_SEIZED (1 << 4) /* 0x10 */ 59 #define TIS_ACCESS_SEIZE (1 << 3) /* 0x08 */ 60 #define TIS_ACCESS_PENDING_REQUEST (1 << 2) /* 0x04 */ 61 #define TIS_ACCESS_REQUEST_USE (1 << 1) /* 0x02 */ 62 #define TIS_ACCESS_TPM_ESTABLISHMENT (1 << 0) /* 0x01 */ 63 64 #define TIS_STS_BURST_COUNT_MASK (0xffff) 65 #define TIS_STS_BURST_COUNT_SHIFT (8) 66 67 /* 68 * Error value returned if a tpm register does not enter the expected state 69 * after continuous polling. No actual TPM register reading ever returns -1, 70 * so this value is a safe error indication to be mixed with possible status 71 * register values. 72 */ 73 #define TPM_TIMEOUT_ERR (-1) 74 75 /* Error value returned on various TPM driver errors. */ 76 #define TPM_DRIVER_ERR (1) 77 78 /* 1 second is plenty for anything TPM does. */ 79 #define MAX_DELAY_US (1000 * 1000) 80 81 /* Retrieve burst count value out of the status register contents. */ 82 static u16 burst_count(u32 status) 83 { 84 return (status >> TIS_STS_BURST_COUNT_SHIFT) & TIS_STS_BURST_COUNT_MASK; 85 } 86 87 /* 88 * Structures defined below allow creating descriptions of TPM vendor/device 89 * ID information for run time discovery. The only device the system knows 90 * about at this time is Infineon slb9635. 91 */ 92 struct device_name { 93 u16 dev_id; 94 const char * const dev_name; 95 }; 96 97 struct vendor_name { 98 u16 vendor_id; 99 const char *vendor_name; 100 const struct device_name *dev_names; 101 }; 102 103 static const struct device_name infineon_devices[] = { 104 {0xb, "SLB9635 TT 1.2"}, 105 {0} 106 }; 107 108 static const struct vendor_name vendor_names[] = { 109 {0x15d1, "Infineon", infineon_devices}, 110 }; 111 112 /* 113 * Cached vendor/device ID pair to indicate that the device has been already 114 * discovered. 115 */ 116 static u32 vendor_dev_id; 117 118 /* TPM access wrappers to support tracing */ 119 static u8 tpm_read_byte(const u8 *ptr) 120 { 121 u8 ret = readb(ptr); 122 debug(PREFIX "Read reg 0x%4.4x returns 0x%2.2x\n", 123 (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, ret); 124 return ret; 125 } 126 127 static u32 tpm_read_word(const u32 *ptr) 128 { 129 u32 ret = readl(ptr); 130 debug(PREFIX "Read reg 0x%4.4x returns 0x%8.8x\n", 131 (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, ret); 132 return ret; 133 } 134 135 static void tpm_write_byte(u8 value, u8 *ptr) 136 { 137 debug(PREFIX "Write reg 0x%4.4x with 0x%2.2x\n", 138 (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, value); 139 writeb(value, ptr); 140 } 141 142 static void tpm_write_word(u32 value, u32 *ptr) 143 { 144 debug(PREFIX "Write reg 0x%4.4x with 0x%8.8x\n", 145 (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, value); 146 writel(value, ptr); 147 } 148 149 /* 150 * tis_wait_reg() 151 * 152 * Wait for at least a second for a register to change its state to match the 153 * expected state. Normally the transition happens within microseconds. 154 * 155 * @reg - pointer to the TPM register 156 * @mask - bitmask for the bitfield(s) to watch 157 * @expected - value the field(s) are supposed to be set to 158 * 159 * Returns the register contents in case the expected value was found in the 160 * appropriate register bits, or TPM_TIMEOUT_ERR on timeout. 161 */ 162 static u32 tis_wait_reg(u32 *reg, u8 mask, u8 expected) 163 { 164 u32 time_us = MAX_DELAY_US; 165 166 while (time_us > 0) { 167 u32 value = tpm_read_word(reg); 168 if ((value & mask) == expected) 169 return value; 170 udelay(1); /* 1 us */ 171 time_us--; 172 } 173 return TPM_TIMEOUT_ERR; 174 } 175 176 /* 177 * Probe the TPM device and try determining its manufacturer/device name. 178 * 179 * Returns 0 on success (the device is found or was found during an earlier 180 * invocation) or TPM_DRIVER_ERR if the device is not found. 181 */ 182 int tis_init(void) 183 { 184 u32 didvid = tpm_read_word(&lpc_tpm_dev[0].did_vid); 185 int i; 186 const char *device_name = "unknown"; 187 const char *vendor_name = device_name; 188 u16 vid, did; 189 190 if (vendor_dev_id) 191 return 0; /* Already probed. */ 192 193 if (!didvid || (didvid == 0xffffffff)) { 194 printf("%s: No TPM device found\n", __func__); 195 return TPM_DRIVER_ERR; 196 } 197 198 vendor_dev_id = didvid; 199 200 vid = didvid & 0xffff; 201 did = (didvid >> 16) & 0xffff; 202 for (i = 0; i < ARRAY_SIZE(vendor_names); i++) { 203 int j = 0; 204 u16 known_did; 205 206 if (vid == vendor_names[i].vendor_id) 207 vendor_name = vendor_names[i].vendor_name; 208 209 while ((known_did = vendor_names[i].dev_names[j].dev_id) != 0) { 210 if (known_did == did) { 211 device_name = 212 vendor_names[i].dev_names[j].dev_name; 213 break; 214 } 215 j++; 216 } 217 break; 218 } 219 220 printf("Found TPM %s by %s\n", device_name, vendor_name); 221 return 0; 222 } 223 224 /* 225 * tis_senddata() 226 * 227 * send the passed in data to the TPM device. 228 * 229 * @data - address of the data to send, byte by byte 230 * @len - length of the data to send 231 * 232 * Returns 0 on success, TPM_DRIVER_ERR on error (in case the device does 233 * not accept the entire command). 234 */ 235 static u32 tis_senddata(const u8 * const data, u32 len) 236 { 237 u32 offset = 0; 238 u16 burst = 0; 239 u32 max_cycles = 0; 240 u8 locality = 0; 241 u32 value; 242 243 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 244 TIS_STS_COMMAND_READY, TIS_STS_COMMAND_READY); 245 if (value == TPM_TIMEOUT_ERR) { 246 printf("%s:%d - failed to get 'command_ready' status\n", 247 __FILE__, __LINE__); 248 return TPM_DRIVER_ERR; 249 } 250 burst = burst_count(value); 251 252 while (1) { 253 unsigned count; 254 255 /* Wait till the device is ready to accept more data. */ 256 while (!burst) { 257 if (max_cycles++ == MAX_DELAY_US) { 258 printf("%s:%d failed to feed %d bytes of %d\n", 259 __FILE__, __LINE__, len - offset, len); 260 return TPM_DRIVER_ERR; 261 } 262 udelay(1); 263 burst = burst_count(tpm_read_word(&lpc_tpm_dev 264 [locality].tpm_status)); 265 } 266 267 max_cycles = 0; 268 269 /* 270 * Calculate number of bytes the TPM is ready to accept in one 271 * shot. 272 * 273 * We want to send the last byte outside of the loop (hence 274 * the -1 below) to make sure that the 'expected' status bit 275 * changes to zero exactly after the last byte is fed into the 276 * FIFO. 277 */ 278 count = min((u32)burst, len - offset - 1); 279 while (count--) 280 tpm_write_byte(data[offset++], 281 &lpc_tpm_dev[locality].data); 282 283 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 284 TIS_STS_VALID, TIS_STS_VALID); 285 286 if ((value == TPM_TIMEOUT_ERR) || !(value & TIS_STS_EXPECT)) { 287 printf("%s:%d TPM command feed overflow\n", 288 __FILE__, __LINE__); 289 return TPM_DRIVER_ERR; 290 } 291 292 burst = burst_count(value); 293 if ((offset == (len - 1)) && burst) { 294 /* 295 * We need to be able to send the last byte to the 296 * device, so burst size must be nonzero before we 297 * break out. 298 */ 299 break; 300 } 301 } 302 303 /* Send the last byte. */ 304 tpm_write_byte(data[offset++], &lpc_tpm_dev[locality].data); 305 /* 306 * Verify that TPM does not expect any more data as part of this 307 * command. 308 */ 309 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 310 TIS_STS_VALID, TIS_STS_VALID); 311 if ((value == TPM_TIMEOUT_ERR) || (value & TIS_STS_EXPECT)) { 312 printf("%s:%d unexpected TPM status 0x%x\n", 313 __FILE__, __LINE__, value); 314 return TPM_DRIVER_ERR; 315 } 316 317 /* OK, sitting pretty, let's start the command execution. */ 318 tpm_write_word(TIS_STS_TPM_GO, &lpc_tpm_dev[locality].tpm_status); 319 return 0; 320 } 321 322 /* 323 * tis_readresponse() 324 * 325 * read the TPM device response after a command was issued. 326 * 327 * @buffer - address where to read the response, byte by byte. 328 * @len - pointer to the size of buffer 329 * 330 * On success stores the number of received bytes to len and returns 0. On 331 * errors (misformatted TPM data or synchronization problems) returns 332 * TPM_DRIVER_ERR. 333 */ 334 static u32 tis_readresponse(u8 *buffer, u32 *len) 335 { 336 u16 burst; 337 u32 value; 338 u32 offset = 0; 339 u8 locality = 0; 340 const u32 has_data = TIS_STS_DATA_AVAILABLE | TIS_STS_VALID; 341 u32 expected_count = *len; 342 int max_cycles = 0; 343 344 /* Wait for the TPM to process the command. */ 345 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 346 has_data, has_data); 347 if (value == TPM_TIMEOUT_ERR) { 348 printf("%s:%d failed processing command\n", 349 __FILE__, __LINE__); 350 return TPM_DRIVER_ERR; 351 } 352 353 do { 354 while ((burst = burst_count(value)) == 0) { 355 if (max_cycles++ == MAX_DELAY_US) { 356 printf("%s:%d TPM stuck on read\n", 357 __FILE__, __LINE__); 358 return TPM_DRIVER_ERR; 359 } 360 udelay(1); 361 value = tpm_read_word(&lpc_tpm_dev 362 [locality].tpm_status); 363 } 364 365 max_cycles = 0; 366 367 while (burst-- && (offset < expected_count)) { 368 buffer[offset++] = tpm_read_byte(&lpc_tpm_dev 369 [locality].data); 370 371 if (offset == 6) { 372 /* 373 * We got the first six bytes of the reply, 374 * let's figure out how many bytes to expect 375 * total - it is stored as a 4 byte number in 376 * network order, starting with offset 2 into 377 * the body of the reply. 378 */ 379 u32 real_length; 380 memcpy(&real_length, 381 buffer + 2, 382 sizeof(real_length)); 383 expected_count = be32_to_cpu(real_length); 384 385 if ((expected_count < offset) || 386 (expected_count > *len)) { 387 printf("%s:%d bad response size %d\n", 388 __FILE__, __LINE__, 389 expected_count); 390 return TPM_DRIVER_ERR; 391 } 392 } 393 } 394 395 /* Wait for the next portion. */ 396 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 397 TIS_STS_VALID, TIS_STS_VALID); 398 if (value == TPM_TIMEOUT_ERR) { 399 printf("%s:%d failed to read response\n", 400 __FILE__, __LINE__); 401 return TPM_DRIVER_ERR; 402 } 403 404 if (offset == expected_count) 405 break; /* We got all we needed. */ 406 407 } while ((value & has_data) == has_data); 408 409 /* 410 * Make sure we indeed read all there was. The TIS_STS_VALID bit is 411 * known to be set. 412 */ 413 if (value & TIS_STS_DATA_AVAILABLE) { 414 printf("%s:%d wrong receive status %x\n", 415 __FILE__, __LINE__, value); 416 return TPM_DRIVER_ERR; 417 } 418 419 /* Tell the TPM that we are done. */ 420 tpm_write_word(TIS_STS_COMMAND_READY, &lpc_tpm_dev 421 [locality].tpm_status); 422 *len = offset; 423 return 0; 424 } 425 426 int tis_open(void) 427 { 428 u8 locality = 0; /* we use locality zero for everything. */ 429 430 /* now request access to locality. */ 431 tpm_write_word(TIS_ACCESS_REQUEST_USE, &lpc_tpm_dev[locality].access); 432 433 /* did we get a lock? */ 434 if (tis_wait_reg(&lpc_tpm_dev[locality].access, 435 TIS_ACCESS_ACTIVE_LOCALITY, 436 TIS_ACCESS_ACTIVE_LOCALITY) == TPM_TIMEOUT_ERR) { 437 printf("%s:%d - failed to lock locality %d\n", 438 __FILE__, __LINE__, locality); 439 return TPM_DRIVER_ERR; 440 } 441 442 tpm_write_word(TIS_STS_COMMAND_READY, 443 &lpc_tpm_dev[locality].tpm_status); 444 return 0; 445 } 446 447 int tis_close(void) 448 { 449 u8 locality = 0; 450 451 if (tpm_read_word(&lpc_tpm_dev[locality].access) & 452 TIS_ACCESS_ACTIVE_LOCALITY) { 453 tpm_write_word(TIS_ACCESS_ACTIVE_LOCALITY, 454 &lpc_tpm_dev[locality].access); 455 456 if (tis_wait_reg(&lpc_tpm_dev[locality].access, 457 TIS_ACCESS_ACTIVE_LOCALITY, 0) == 458 TPM_TIMEOUT_ERR) { 459 printf("%s:%d - failed to release locality %d\n", 460 __FILE__, __LINE__, locality); 461 return TPM_DRIVER_ERR; 462 } 463 } 464 return 0; 465 } 466 467 int tis_sendrecv(const u8 *sendbuf, size_t send_size, 468 u8 *recvbuf, size_t *recv_len) 469 { 470 if (tis_senddata(sendbuf, send_size)) { 471 printf("%s:%d failed sending data to TPM\n", 472 __FILE__, __LINE__); 473 return TPM_DRIVER_ERR; 474 } 475 476 return tis_readresponse(recvbuf, (u32 *)recv_len); 477 } 478