xref: /openbmc/linux/drivers/char/tpm/tpm_crb.c (revision 47ebd031)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2014 Intel Corporation
4  *
5  * Authors:
6  * Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7  *
8  * Maintained by: <tpmdd-devel@lists.sourceforge.net>
9  *
10  * This device driver implements the TPM interface as defined in
11  * the TCG CRB 2.0 TPM specification.
12  */
13 
14 #include <linux/acpi.h>
15 #include <linux/highmem.h>
16 #include <linux/rculist.h>
17 #include <linux/module.h>
18 #include <linux/pm_runtime.h>
19 #ifdef CONFIG_ARM64
20 #include <linux/arm-smccc.h>
21 #endif
22 #include "tpm.h"
23 
24 #define ACPI_SIG_TPM2 "TPM2"
25 #define TPM_CRB_MAX_RESOURCES 3
26 
27 static const guid_t crb_acpi_start_guid =
28 	GUID_INIT(0x6BBF6CAB, 0x5463, 0x4714,
29 		  0xB7, 0xCD, 0xF0, 0x20, 0x3C, 0x03, 0x68, 0xD4);
30 
31 enum crb_defaults {
32 	CRB_ACPI_START_REVISION_ID = 1,
33 	CRB_ACPI_START_INDEX = 1,
34 };
35 
36 enum crb_loc_ctrl {
37 	CRB_LOC_CTRL_REQUEST_ACCESS	= BIT(0),
38 	CRB_LOC_CTRL_RELINQUISH		= BIT(1),
39 };
40 
41 enum crb_loc_state {
42 	CRB_LOC_STATE_LOC_ASSIGNED	= BIT(1),
43 	CRB_LOC_STATE_TPM_REG_VALID_STS	= BIT(7),
44 };
45 
46 enum crb_ctrl_req {
47 	CRB_CTRL_REQ_CMD_READY	= BIT(0),
48 	CRB_CTRL_REQ_GO_IDLE	= BIT(1),
49 };
50 
51 enum crb_ctrl_sts {
52 	CRB_CTRL_STS_ERROR	= BIT(0),
53 	CRB_CTRL_STS_TPM_IDLE	= BIT(1),
54 };
55 
56 enum crb_start {
57 	CRB_START_INVOKE	= BIT(0),
58 };
59 
60 enum crb_cancel {
61 	CRB_CANCEL_INVOKE	= BIT(0),
62 };
63 
64 struct crb_regs_head {
65 	u32 loc_state;
66 	u32 reserved1;
67 	u32 loc_ctrl;
68 	u32 loc_sts;
69 	u8 reserved2[32];
70 	u64 intf_id;
71 	u64 ctrl_ext;
72 } __packed;
73 
74 struct crb_regs_tail {
75 	u32 ctrl_req;
76 	u32 ctrl_sts;
77 	u32 ctrl_cancel;
78 	u32 ctrl_start;
79 	u32 ctrl_int_enable;
80 	u32 ctrl_int_sts;
81 	u32 ctrl_cmd_size;
82 	u32 ctrl_cmd_pa_low;
83 	u32 ctrl_cmd_pa_high;
84 	u32 ctrl_rsp_size;
85 	u64 ctrl_rsp_pa;
86 } __packed;
87 
88 enum crb_status {
89 	CRB_DRV_STS_COMPLETE	= BIT(0),
90 };
91 
92 struct crb_priv {
93 	u32 sm;
94 	const char *hid;
95 	struct crb_regs_head __iomem *regs_h;
96 	struct crb_regs_tail __iomem *regs_t;
97 	u8 __iomem *cmd;
98 	u8 __iomem *rsp;
99 	u32 cmd_size;
100 	u32 smc_func_id;
101 	u32 __iomem *pluton_start_addr;
102 	u32 __iomem *pluton_reply_addr;
103 };
104 
105 struct tpm2_crb_smc {
106 	u32 interrupt;
107 	u8 interrupt_flags;
108 	u8 op_flags;
109 	u16 reserved2;
110 	u32 smc_func_id;
111 };
112 
113 struct tpm2_crb_pluton {
114 	u64 start_addr;
115 	u64 reply_addr;
116 };
117 
118 static bool crb_wait_for_reg_32(u32 __iomem *reg, u32 mask, u32 value,
119 				unsigned long timeout)
120 {
121 	ktime_t start;
122 	ktime_t stop;
123 
124 	start = ktime_get();
125 	stop = ktime_add(start, ms_to_ktime(timeout));
126 
127 	do {
128 		if ((ioread32(reg) & mask) == value)
129 			return true;
130 
131 		usleep_range(50, 100);
132 	} while (ktime_before(ktime_get(), stop));
133 
134 	return ((ioread32(reg) & mask) == value);
135 }
136 
137 static int crb_try_pluton_doorbell(struct crb_priv *priv, bool wait_for_complete)
138 {
139 	if (priv->sm != ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON)
140 		return 0;
141 
142 	if (!crb_wait_for_reg_32(priv->pluton_reply_addr, ~0, 1, TPM2_TIMEOUT_C))
143 		return -ETIME;
144 
145 	iowrite32(1, priv->pluton_start_addr);
146 	if (wait_for_complete == false)
147 		return 0;
148 
149 	if (!crb_wait_for_reg_32(priv->pluton_start_addr,
150 				 0xffffffff, 0, 200))
151 		return -ETIME;
152 
153 	return 0;
154 }
155 
156 /**
157  * __crb_go_idle - request tpm crb device to go the idle state
158  *
159  * @dev:  crb device
160  * @priv: crb private data
161  *
162  * Write CRB_CTRL_REQ_GO_IDLE to TPM_CRB_CTRL_REQ
163  * The device should respond within TIMEOUT_C by clearing the bit.
164  * Anyhow, we do not wait here as a consequent CMD_READY request
165  * will be handled correctly even if idle was not completed.
166  *
167  * The function does nothing for devices with ACPI-start method
168  * or SMC-start method.
169  *
170  * Return: 0 always
171  */
172 static int __crb_go_idle(struct device *dev, struct crb_priv *priv)
173 {
174 	int rc;
175 
176 	if ((priv->sm == ACPI_TPM2_START_METHOD) ||
177 	    (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) ||
178 	    (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC))
179 		return 0;
180 
181 	iowrite32(CRB_CTRL_REQ_GO_IDLE, &priv->regs_t->ctrl_req);
182 
183 	rc = crb_try_pluton_doorbell(priv, true);
184 	if (rc)
185 		return rc;
186 
187 	if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_req,
188 				 CRB_CTRL_REQ_GO_IDLE/* mask */,
189 				 0, /* value */
190 				 TPM2_TIMEOUT_C)) {
191 		dev_warn(dev, "goIdle timed out\n");
192 		return -ETIME;
193 	}
194 
195 	return 0;
196 }
197 
198 static int crb_go_idle(struct tpm_chip *chip)
199 {
200 	struct device *dev = &chip->dev;
201 	struct crb_priv *priv = dev_get_drvdata(dev);
202 
203 	return __crb_go_idle(dev, priv);
204 }
205 
206 /**
207  * __crb_cmd_ready - request tpm crb device to enter ready state
208  *
209  * @dev:  crb device
210  * @priv: crb private data
211  *
212  * Write CRB_CTRL_REQ_CMD_READY to TPM_CRB_CTRL_REQ
213  * and poll till the device acknowledge it by clearing the bit.
214  * The device should respond within TIMEOUT_C.
215  *
216  * The function does nothing for devices with ACPI-start method
217  * or SMC-start method.
218  *
219  * Return: 0 on success -ETIME on timeout;
220  */
221 static int __crb_cmd_ready(struct device *dev, struct crb_priv *priv)
222 {
223 	int rc;
224 
225 	if ((priv->sm == ACPI_TPM2_START_METHOD) ||
226 	    (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) ||
227 	    (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC))
228 		return 0;
229 
230 	iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->regs_t->ctrl_req);
231 
232 	rc = crb_try_pluton_doorbell(priv, true);
233 	if (rc)
234 		return rc;
235 
236 	if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_req,
237 				 CRB_CTRL_REQ_CMD_READY /* mask */,
238 				 0, /* value */
239 				 TPM2_TIMEOUT_C)) {
240 		dev_warn(dev, "cmdReady timed out\n");
241 		return -ETIME;
242 	}
243 
244 	return 0;
245 }
246 
247 static int crb_cmd_ready(struct tpm_chip *chip)
248 {
249 	struct device *dev = &chip->dev;
250 	struct crb_priv *priv = dev_get_drvdata(dev);
251 
252 	return __crb_cmd_ready(dev, priv);
253 }
254 
255 static int __crb_request_locality(struct device *dev,
256 				  struct crb_priv *priv, int loc)
257 {
258 	u32 value = CRB_LOC_STATE_LOC_ASSIGNED |
259 		    CRB_LOC_STATE_TPM_REG_VALID_STS;
260 
261 	if (!priv->regs_h)
262 		return 0;
263 
264 	iowrite32(CRB_LOC_CTRL_REQUEST_ACCESS, &priv->regs_h->loc_ctrl);
265 	if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, value, value,
266 				 TPM2_TIMEOUT_C)) {
267 		dev_warn(dev, "TPM_LOC_STATE_x.requestAccess timed out\n");
268 		return -ETIME;
269 	}
270 
271 	return 0;
272 }
273 
274 static int crb_request_locality(struct tpm_chip *chip, int loc)
275 {
276 	struct crb_priv *priv = dev_get_drvdata(&chip->dev);
277 
278 	return __crb_request_locality(&chip->dev, priv, loc);
279 }
280 
281 static int __crb_relinquish_locality(struct device *dev,
282 				     struct crb_priv *priv, int loc)
283 {
284 	u32 mask = CRB_LOC_STATE_LOC_ASSIGNED |
285 		   CRB_LOC_STATE_TPM_REG_VALID_STS;
286 	u32 value = CRB_LOC_STATE_TPM_REG_VALID_STS;
287 
288 	if (!priv->regs_h)
289 		return 0;
290 
291 	iowrite32(CRB_LOC_CTRL_RELINQUISH, &priv->regs_h->loc_ctrl);
292 	if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, mask, value,
293 				 TPM2_TIMEOUT_C)) {
294 		dev_warn(dev, "TPM_LOC_STATE_x.Relinquish timed out\n");
295 		return -ETIME;
296 	}
297 
298 	return 0;
299 }
300 
301 static int crb_relinquish_locality(struct tpm_chip *chip, int loc)
302 {
303 	struct crb_priv *priv = dev_get_drvdata(&chip->dev);
304 
305 	return __crb_relinquish_locality(&chip->dev, priv, loc);
306 }
307 
308 static u8 crb_status(struct tpm_chip *chip)
309 {
310 	struct crb_priv *priv = dev_get_drvdata(&chip->dev);
311 	u8 sts = 0;
312 
313 	if ((ioread32(&priv->regs_t->ctrl_start) & CRB_START_INVOKE) !=
314 	    CRB_START_INVOKE)
315 		sts |= CRB_DRV_STS_COMPLETE;
316 
317 	return sts;
318 }
319 
320 static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
321 {
322 	struct crb_priv *priv = dev_get_drvdata(&chip->dev);
323 	unsigned int expected;
324 
325 	/* A sanity check that the upper layer wants to get at least the header
326 	 * as that is the minimum size for any TPM response.
327 	 */
328 	if (count < TPM_HEADER_SIZE)
329 		return -EIO;
330 
331 	/* If this bit is set, according to the spec, the TPM is in
332 	 * unrecoverable condition.
333 	 */
334 	if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
335 		return -EIO;
336 
337 	/* Read the first 8 bytes in order to get the length of the response.
338 	 * We read exactly a quad word in order to make sure that the remaining
339 	 * reads will be aligned.
340 	 */
341 	memcpy_fromio(buf, priv->rsp, 8);
342 
343 	expected = be32_to_cpup((__be32 *)&buf[2]);
344 	if (expected > count || expected < TPM_HEADER_SIZE)
345 		return -EIO;
346 
347 	memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8);
348 
349 	return expected;
350 }
351 
352 static int crb_do_acpi_start(struct tpm_chip *chip)
353 {
354 	union acpi_object *obj;
355 	int rc;
356 
357 	obj = acpi_evaluate_dsm(chip->acpi_dev_handle,
358 				&crb_acpi_start_guid,
359 				CRB_ACPI_START_REVISION_ID,
360 				CRB_ACPI_START_INDEX,
361 				NULL);
362 	if (!obj)
363 		return -ENXIO;
364 	rc = obj->integer.value == 0 ? 0 : -ENXIO;
365 	ACPI_FREE(obj);
366 	return rc;
367 }
368 
369 #ifdef CONFIG_ARM64
370 /*
371  * This is a TPM Command Response Buffer start method that invokes a
372  * Secure Monitor Call to requrest the firmware to execute or cancel
373  * a TPM 2.0 command.
374  */
375 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id)
376 {
377 	struct arm_smccc_res res;
378 
379 	arm_smccc_smc(func_id, 0, 0, 0, 0, 0, 0, 0, &res);
380 	if (res.a0 != 0) {
381 		dev_err(dev,
382 			FW_BUG "tpm_crb_smc_start() returns res.a0 = 0x%lx\n",
383 			res.a0);
384 		return -EIO;
385 	}
386 
387 	return 0;
388 }
389 #else
390 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id)
391 {
392 	dev_err(dev, FW_BUG "tpm_crb: incorrect start method\n");
393 	return -EINVAL;
394 }
395 #endif
396 
397 static int crb_send(struct tpm_chip *chip, u8 *buf, size_t len)
398 {
399 	struct crb_priv *priv = dev_get_drvdata(&chip->dev);
400 	int rc = 0;
401 
402 	/* Zero the cancel register so that the next command will not get
403 	 * canceled.
404 	 */
405 	iowrite32(0, &priv->regs_t->ctrl_cancel);
406 
407 	if (len > priv->cmd_size) {
408 		dev_err(&chip->dev, "invalid command count value %zd %d\n",
409 			len, priv->cmd_size);
410 		return -E2BIG;
411 	}
412 
413 	/* Seems to be necessary for every command */
414 	if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON)
415 		__crb_cmd_ready(&chip->dev, priv);
416 
417 	memcpy_toio(priv->cmd, buf, len);
418 
419 	/* Make sure that cmd is populated before issuing start. */
420 	wmb();
421 
422 	/* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
423 	 * report only ACPI start but in practice seems to require both
424 	 * CRB start, hence invoking CRB start method if hid == MSFT0101.
425 	 */
426 	if ((priv->sm == ACPI_TPM2_COMMAND_BUFFER) ||
427 	    (priv->sm == ACPI_TPM2_MEMORY_MAPPED) ||
428 	    (!strcmp(priv->hid, "MSFT0101")))
429 		iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
430 
431 	if ((priv->sm == ACPI_TPM2_START_METHOD) ||
432 	    (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD))
433 		rc = crb_do_acpi_start(chip);
434 
435 	if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
436 		iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
437 		rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id);
438 	}
439 
440 	if (rc)
441 		return rc;
442 
443 	return crb_try_pluton_doorbell(priv, false);
444 }
445 
446 static void crb_cancel(struct tpm_chip *chip)
447 {
448 	struct crb_priv *priv = dev_get_drvdata(&chip->dev);
449 
450 	iowrite32(CRB_CANCEL_INVOKE, &priv->regs_t->ctrl_cancel);
451 
452 	if (((priv->sm == ACPI_TPM2_START_METHOD) ||
453 	    (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD)) &&
454 	     crb_do_acpi_start(chip))
455 		dev_err(&chip->dev, "ACPI Start failed\n");
456 }
457 
458 static bool crb_req_canceled(struct tpm_chip *chip, u8 status)
459 {
460 	struct crb_priv *priv = dev_get_drvdata(&chip->dev);
461 	u32 cancel = ioread32(&priv->regs_t->ctrl_cancel);
462 
463 	return (cancel & CRB_CANCEL_INVOKE) == CRB_CANCEL_INVOKE;
464 }
465 
466 static const struct tpm_class_ops tpm_crb = {
467 	.flags = TPM_OPS_AUTO_STARTUP,
468 	.status = crb_status,
469 	.recv = crb_recv,
470 	.send = crb_send,
471 	.cancel = crb_cancel,
472 	.req_canceled = crb_req_canceled,
473 	.go_idle  = crb_go_idle,
474 	.cmd_ready = crb_cmd_ready,
475 	.request_locality = crb_request_locality,
476 	.relinquish_locality = crb_relinquish_locality,
477 	.req_complete_mask = CRB_DRV_STS_COMPLETE,
478 	.req_complete_val = CRB_DRV_STS_COMPLETE,
479 };
480 
481 static int crb_check_resource(struct acpi_resource *ares, void *data)
482 {
483 	struct resource *iores_array = data;
484 	struct resource_win win;
485 	struct resource *res = &(win.res);
486 	int i;
487 
488 	if (acpi_dev_resource_memory(ares, res) ||
489 	    acpi_dev_resource_address_space(ares, &win)) {
490 		for (i = 0; i < TPM_CRB_MAX_RESOURCES + 1; ++i) {
491 			if (resource_type(iores_array + i) != IORESOURCE_MEM) {
492 				iores_array[i] = *res;
493 				iores_array[i].name = NULL;
494 				break;
495 			}
496 		}
497 	}
498 
499 	return 1;
500 }
501 
502 static void __iomem *crb_map_res(struct device *dev, struct resource *iores,
503 				 void __iomem **iobase_ptr, u64 start, u32 size)
504 {
505 	struct resource new_res = {
506 		.start	= start,
507 		.end	= start + size - 1,
508 		.flags	= IORESOURCE_MEM,
509 	};
510 
511 	/* Detect a 64 bit address on a 32 bit system */
512 	if (start != new_res.start)
513 		return IOMEM_ERR_PTR(-EINVAL);
514 
515 	if (!iores)
516 		return devm_ioremap_resource(dev, &new_res);
517 
518 	if (!*iobase_ptr) {
519 		*iobase_ptr = devm_ioremap_resource(dev, iores);
520 		if (IS_ERR(*iobase_ptr))
521 			return *iobase_ptr;
522 	}
523 
524 	return *iobase_ptr + (new_res.start - iores->start);
525 }
526 
527 /*
528  * Work around broken BIOSs that return inconsistent values from the ACPI
529  * region vs the registers. Trust the ACPI region. Such broken systems
530  * probably cannot send large TPM commands since the buffer will be truncated.
531  */
532 static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res,
533 			      u64 start, u64 size)
534 {
535 	if (io_res->start > start || io_res->end < start)
536 		return size;
537 
538 	if (start + size - 1 <= io_res->end)
539 		return size;
540 
541 	dev_err(dev,
542 		FW_BUG "ACPI region does not cover the entire command/response buffer. %pr vs %llx %llx\n",
543 		io_res, start, size);
544 
545 	return io_res->end - start + 1;
546 }
547 
548 static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
549 		      struct acpi_table_tpm2 *buf)
550 {
551 	struct list_head acpi_resource_list;
552 	struct resource iores_array[TPM_CRB_MAX_RESOURCES + 1] = { {0} };
553 	void __iomem *iobase_array[TPM_CRB_MAX_RESOURCES] = {NULL};
554 	struct device *dev = &device->dev;
555 	struct resource *iores;
556 	void __iomem **iobase_ptr;
557 	int i;
558 	u32 pa_high, pa_low;
559 	u64 cmd_pa;
560 	u32 cmd_size;
561 	__le64 __rsp_pa;
562 	u64 rsp_pa;
563 	u32 rsp_size;
564 	int ret;
565 
566 	INIT_LIST_HEAD(&acpi_resource_list);
567 	ret = acpi_dev_get_resources(device, &acpi_resource_list,
568 				     crb_check_resource, iores_array);
569 	if (ret < 0)
570 		return ret;
571 	acpi_dev_free_resource_list(&acpi_resource_list);
572 
573 	/* Pluton doesn't appear to define ACPI memory regions */
574 	if (priv->sm != ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON) {
575 		if (resource_type(iores_array) != IORESOURCE_MEM) {
576 			dev_err(dev, FW_BUG "TPM2 ACPI table does not define a memory resource\n");
577 			return -EINVAL;
578 		} else if (resource_type(iores_array + TPM_CRB_MAX_RESOURCES) ==
579 			   IORESOURCE_MEM) {
580 			dev_warn(dev, "TPM2 ACPI table defines too many memory resources\n");
581 			memset(iores_array + TPM_CRB_MAX_RESOURCES,
582 			       0, sizeof(*iores_array));
583 			iores_array[TPM_CRB_MAX_RESOURCES].flags = 0;
584 		}
585 	}
586 
587 	iores = NULL;
588 	iobase_ptr = NULL;
589 	for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) {
590 		if (buf->control_address >= iores_array[i].start &&
591 		    buf->control_address + sizeof(struct crb_regs_tail) - 1 <=
592 		    iores_array[i].end) {
593 			iores = iores_array + i;
594 			iobase_ptr = iobase_array + i;
595 			break;
596 		}
597 	}
598 
599 	priv->regs_t = crb_map_res(dev, iores, iobase_ptr, buf->control_address,
600 				   sizeof(struct crb_regs_tail));
601 
602 	if (IS_ERR(priv->regs_t))
603 		return PTR_ERR(priv->regs_t);
604 
605 	/* The ACPI IO region starts at the head area and continues to include
606 	 * the control area, as one nice sane region except for some older
607 	 * stuff that puts the control area outside the ACPI IO region.
608 	 */
609 	if ((priv->sm == ACPI_TPM2_COMMAND_BUFFER) ||
610 	    (priv->sm == ACPI_TPM2_MEMORY_MAPPED)) {
611 		if (iores &&
612 		    buf->control_address == iores->start +
613 		    sizeof(*priv->regs_h))
614 			priv->regs_h = *iobase_ptr;
615 		else
616 			dev_warn(dev, FW_BUG "Bad ACPI memory layout");
617 	}
618 
619 	ret = __crb_request_locality(dev, priv, 0);
620 	if (ret)
621 		return ret;
622 
623 	/*
624 	 * PTT HW bug w/a: wake up the device to access
625 	 * possibly not retained registers.
626 	 */
627 	ret = __crb_cmd_ready(dev, priv);
628 	if (ret)
629 		goto out_relinquish_locality;
630 
631 	pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high);
632 	pa_low  = ioread32(&priv->regs_t->ctrl_cmd_pa_low);
633 	cmd_pa = ((u64)pa_high << 32) | pa_low;
634 	cmd_size = ioread32(&priv->regs_t->ctrl_cmd_size);
635 
636 	iores = NULL;
637 	iobase_ptr = NULL;
638 	for (i = 0; iores_array[i].end; ++i) {
639 		if (cmd_pa >= iores_array[i].start &&
640 		    cmd_pa <= iores_array[i].end) {
641 			iores = iores_array + i;
642 			iobase_ptr = iobase_array + i;
643 			break;
644 		}
645 	}
646 
647 	if (iores)
648 		cmd_size = crb_fixup_cmd_size(dev, iores, cmd_pa, cmd_size);
649 
650 	dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n",
651 		pa_high, pa_low, cmd_size);
652 
653 	priv->cmd = crb_map_res(dev, iores, iobase_ptr,	cmd_pa, cmd_size);
654 	if (IS_ERR(priv->cmd)) {
655 		ret = PTR_ERR(priv->cmd);
656 		goto out;
657 	}
658 
659 	memcpy_fromio(&__rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8);
660 	rsp_pa = le64_to_cpu(__rsp_pa);
661 	rsp_size = ioread32(&priv->regs_t->ctrl_rsp_size);
662 
663 	iores = NULL;
664 	iobase_ptr = NULL;
665 	for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) {
666 		if (rsp_pa >= iores_array[i].start &&
667 		    rsp_pa <= iores_array[i].end) {
668 			iores = iores_array + i;
669 			iobase_ptr = iobase_array + i;
670 			break;
671 		}
672 	}
673 
674 	if (iores)
675 		rsp_size = crb_fixup_cmd_size(dev, iores, rsp_pa, rsp_size);
676 
677 	if (cmd_pa != rsp_pa) {
678 		priv->rsp = crb_map_res(dev, iores, iobase_ptr,
679 					rsp_pa, rsp_size);
680 		ret = PTR_ERR_OR_ZERO(priv->rsp);
681 		goto out;
682 	}
683 
684 	/* According to the PTP specification, overlapping command and response
685 	 * buffer sizes must be identical.
686 	 */
687 	if (cmd_size != rsp_size) {
688 		dev_err(dev, FW_BUG "overlapping command and response buffer sizes are not identical");
689 		ret = -EINVAL;
690 		goto out;
691 	}
692 
693 	priv->rsp = priv->cmd;
694 
695 out:
696 	if (!ret)
697 		priv->cmd_size = cmd_size;
698 
699 	__crb_go_idle(dev, priv);
700 
701 out_relinquish_locality:
702 
703 	__crb_relinquish_locality(dev, priv, 0);
704 
705 	return ret;
706 }
707 
708 static int crb_map_pluton(struct device *dev, struct crb_priv *priv,
709 	       struct acpi_table_tpm2 *buf, struct tpm2_crb_pluton *crb_pluton)
710 {
711 	priv->pluton_start_addr = crb_map_res(dev, NULL, NULL,
712 					      crb_pluton->start_addr, 4);
713 	if (IS_ERR(priv->pluton_start_addr))
714 		return PTR_ERR(priv->pluton_start_addr);
715 
716 	priv->pluton_reply_addr = crb_map_res(dev, NULL, NULL,
717 					      crb_pluton->reply_addr, 4);
718 	if (IS_ERR(priv->pluton_reply_addr))
719 		return PTR_ERR(priv->pluton_reply_addr);
720 
721 	return 0;
722 }
723 
724 static int crb_acpi_add(struct acpi_device *device)
725 {
726 	struct acpi_table_tpm2 *buf;
727 	struct crb_priv *priv;
728 	struct tpm_chip *chip;
729 	struct device *dev = &device->dev;
730 	struct tpm2_crb_smc *crb_smc;
731 	struct tpm2_crb_pluton *crb_pluton;
732 	acpi_status status;
733 	u32 sm;
734 	int rc;
735 
736 	status = acpi_get_table(ACPI_SIG_TPM2, 1,
737 				(struct acpi_table_header **) &buf);
738 	if (ACPI_FAILURE(status) || buf->header.length < sizeof(*buf)) {
739 		dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n");
740 		return -EINVAL;
741 	}
742 
743 	/* Should the FIFO driver handle this? */
744 	sm = buf->start_method;
745 	if (sm == ACPI_TPM2_MEMORY_MAPPED) {
746 		rc = -ENODEV;
747 		goto out;
748 	}
749 
750 	priv = devm_kzalloc(dev, sizeof(struct crb_priv), GFP_KERNEL);
751 	if (!priv) {
752 		rc = -ENOMEM;
753 		goto out;
754 	}
755 
756 	if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
757 		if (buf->header.length < (sizeof(*buf) + sizeof(*crb_smc))) {
758 			dev_err(dev,
759 				FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n",
760 				buf->header.length,
761 				ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC);
762 			rc = -EINVAL;
763 			goto out;
764 		}
765 		crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, sizeof(*buf));
766 		priv->smc_func_id = crb_smc->smc_func_id;
767 	}
768 
769 	if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON) {
770 		if (buf->header.length < (sizeof(*buf) + sizeof(*crb_pluton))) {
771 			dev_err(dev,
772 				FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n",
773 				buf->header.length,
774 				ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON);
775 			return -EINVAL;
776 		}
777 		crb_pluton = ACPI_ADD_PTR(struct tpm2_crb_pluton, buf, sizeof(*buf));
778 		rc = crb_map_pluton(dev, priv, buf, crb_pluton);
779 		if (rc)
780 			return rc;
781 	}
782 
783 	priv->sm = sm;
784 	priv->hid = acpi_device_hid(device);
785 
786 	rc = crb_map_io(device, priv, buf);
787 	if (rc)
788 		goto out;
789 
790 	chip = tpmm_chip_alloc(dev, &tpm_crb);
791 	if (IS_ERR(chip)) {
792 		rc = PTR_ERR(chip);
793 		goto out;
794 	}
795 
796 	dev_set_drvdata(&chip->dev, priv);
797 	chip->acpi_dev_handle = device->handle;
798 	chip->flags = TPM_CHIP_FLAG_TPM2;
799 
800 	rc = tpm_chip_register(chip);
801 
802 out:
803 	acpi_put_table((struct acpi_table_header *)buf);
804 	return rc;
805 }
806 
807 static void crb_acpi_remove(struct acpi_device *device)
808 {
809 	struct device *dev = &device->dev;
810 	struct tpm_chip *chip = dev_get_drvdata(dev);
811 
812 	tpm_chip_unregister(chip);
813 }
814 
815 static const struct dev_pm_ops crb_pm = {
816 	SET_SYSTEM_SLEEP_PM_OPS(tpm_pm_suspend, tpm_pm_resume)
817 };
818 
819 static const struct acpi_device_id crb_device_ids[] = {
820 	{"MSFT0101", 0},
821 	{"", 0},
822 };
823 MODULE_DEVICE_TABLE(acpi, crb_device_ids);
824 
825 static struct acpi_driver crb_acpi_driver = {
826 	.name = "tpm_crb",
827 	.ids = crb_device_ids,
828 	.ops = {
829 		.add = crb_acpi_add,
830 		.remove = crb_acpi_remove,
831 	},
832 	.drv = {
833 		.pm = &crb_pm,
834 	},
835 };
836 
837 module_acpi_driver(crb_acpi_driver);
838 MODULE_AUTHOR("Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>");
839 MODULE_DESCRIPTION("TPM2 Driver");
840 MODULE_VERSION("0.1");
841 MODULE_LICENSE("GPL");
842