1 /* 2 * Copyright (C) 2014 Intel Corporation 3 * 4 * Authors: 5 * Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> 6 * 7 * Maintained by: <tpmdd-devel@lists.sourceforge.net> 8 * 9 * This device driver implements the TPM interface as defined in 10 * the TCG CRB 2.0 TPM specification. 11 * 12 * This program is free software; you can redistribute it and/or 13 * modify it under the terms of the GNU General Public License 14 * as published by the Free Software Foundation; version 2 15 * of the License. 16 */ 17 18 #include <linux/acpi.h> 19 #include <linux/highmem.h> 20 #include <linux/rculist.h> 21 #include <linux/module.h> 22 #include <linux/pm_runtime.h> 23 #ifdef CONFIG_ARM64 24 #include <linux/arm-smccc.h> 25 #endif 26 #include "tpm.h" 27 28 #define ACPI_SIG_TPM2 "TPM2" 29 30 static const guid_t crb_acpi_start_guid = 31 GUID_INIT(0x6BBF6CAB, 0x5463, 0x4714, 32 0xB7, 0xCD, 0xF0, 0x20, 0x3C, 0x03, 0x68, 0xD4); 33 34 enum crb_defaults { 35 CRB_ACPI_START_REVISION_ID = 1, 36 CRB_ACPI_START_INDEX = 1, 37 }; 38 39 enum crb_loc_ctrl { 40 CRB_LOC_CTRL_REQUEST_ACCESS = BIT(0), 41 CRB_LOC_CTRL_RELINQUISH = BIT(1), 42 }; 43 44 enum crb_loc_state { 45 CRB_LOC_STATE_LOC_ASSIGNED = BIT(1), 46 CRB_LOC_STATE_TPM_REG_VALID_STS = BIT(7), 47 }; 48 49 enum crb_ctrl_req { 50 CRB_CTRL_REQ_CMD_READY = BIT(0), 51 CRB_CTRL_REQ_GO_IDLE = BIT(1), 52 }; 53 54 enum crb_ctrl_sts { 55 CRB_CTRL_STS_ERROR = BIT(0), 56 CRB_CTRL_STS_TPM_IDLE = BIT(1), 57 }; 58 59 enum crb_start { 60 CRB_START_INVOKE = BIT(0), 61 }; 62 63 enum crb_cancel { 64 CRB_CANCEL_INVOKE = BIT(0), 65 }; 66 67 struct crb_regs_head { 68 u32 loc_state; 69 u32 reserved1; 70 u32 loc_ctrl; 71 u32 loc_sts; 72 u8 reserved2[32]; 73 u64 intf_id; 74 u64 ctrl_ext; 75 } __packed; 76 77 struct crb_regs_tail { 78 u32 ctrl_req; 79 u32 ctrl_sts; 80 u32 ctrl_cancel; 81 u32 ctrl_start; 82 u32 ctrl_int_enable; 83 u32 ctrl_int_sts; 84 u32 ctrl_cmd_size; 85 u32 ctrl_cmd_pa_low; 86 u32 ctrl_cmd_pa_high; 87 u32 ctrl_rsp_size; 88 u64 ctrl_rsp_pa; 89 } __packed; 90 91 enum crb_status { 92 CRB_DRV_STS_COMPLETE = BIT(0), 93 }; 94 95 enum crb_flags { 96 CRB_FL_ACPI_START = BIT(0), 97 CRB_FL_CRB_START = BIT(1), 98 CRB_FL_CRB_SMC_START = BIT(2), 99 }; 100 101 struct crb_priv { 102 unsigned int flags; 103 void __iomem *iobase; 104 struct crb_regs_head __iomem *regs_h; 105 struct crb_regs_tail __iomem *regs_t; 106 u8 __iomem *cmd; 107 u8 __iomem *rsp; 108 u32 cmd_size; 109 u32 smc_func_id; 110 }; 111 112 struct tpm2_crb_smc { 113 u32 interrupt; 114 u8 interrupt_flags; 115 u8 op_flags; 116 u16 reserved2; 117 u32 smc_func_id; 118 }; 119 120 /** 121 * crb_go_idle - request tpm crb device to go the idle state 122 * 123 * @dev: crb device 124 * @priv: crb private data 125 * 126 * Write CRB_CTRL_REQ_GO_IDLE to TPM_CRB_CTRL_REQ 127 * The device should respond within TIMEOUT_C by clearing the bit. 128 * Anyhow, we do not wait here as a consequent CMD_READY request 129 * will be handled correctly even if idle was not completed. 130 * 131 * The function does nothing for devices with ACPI-start method. 132 * 133 * Return: 0 always 134 */ 135 static int __maybe_unused crb_go_idle(struct device *dev, struct crb_priv *priv) 136 { 137 if ((priv->flags & CRB_FL_ACPI_START) || 138 (priv->flags & CRB_FL_CRB_SMC_START)) 139 return 0; 140 141 iowrite32(CRB_CTRL_REQ_GO_IDLE, &priv->regs_t->ctrl_req); 142 /* we don't really care when this settles */ 143 144 return 0; 145 } 146 147 static bool crb_wait_for_reg_32(u32 __iomem *reg, u32 mask, u32 value, 148 unsigned long timeout) 149 { 150 ktime_t start; 151 ktime_t stop; 152 153 start = ktime_get(); 154 stop = ktime_add(start, ms_to_ktime(timeout)); 155 156 do { 157 if ((ioread32(reg) & mask) == value) 158 return true; 159 160 usleep_range(50, 100); 161 } while (ktime_before(ktime_get(), stop)); 162 163 return false; 164 } 165 166 /** 167 * crb_cmd_ready - request tpm crb device to enter ready state 168 * 169 * @dev: crb device 170 * @priv: crb private data 171 * 172 * Write CRB_CTRL_REQ_CMD_READY to TPM_CRB_CTRL_REQ 173 * and poll till the device acknowledge it by clearing the bit. 174 * The device should respond within TIMEOUT_C. 175 * 176 * The function does nothing for devices with ACPI-start method 177 * 178 * Return: 0 on success -ETIME on timeout; 179 */ 180 static int __maybe_unused crb_cmd_ready(struct device *dev, 181 struct crb_priv *priv) 182 { 183 if ((priv->flags & CRB_FL_ACPI_START) || 184 (priv->flags & CRB_FL_CRB_SMC_START)) 185 return 0; 186 187 iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->regs_t->ctrl_req); 188 if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_req, 189 CRB_CTRL_REQ_CMD_READY /* mask */, 190 0, /* value */ 191 TPM2_TIMEOUT_C)) { 192 dev_warn(dev, "cmdReady timed out\n"); 193 return -ETIME; 194 } 195 196 return 0; 197 } 198 199 static int crb_request_locality(struct tpm_chip *chip, int loc) 200 { 201 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 202 u32 value = CRB_LOC_STATE_LOC_ASSIGNED | 203 CRB_LOC_STATE_TPM_REG_VALID_STS; 204 205 if (!priv->regs_h) 206 return 0; 207 208 iowrite32(CRB_LOC_CTRL_REQUEST_ACCESS, &priv->regs_h->loc_ctrl); 209 if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, value, value, 210 TPM2_TIMEOUT_C)) { 211 dev_warn(&chip->dev, "TPM_LOC_STATE_x.requestAccess timed out\n"); 212 return -ETIME; 213 } 214 215 return 0; 216 } 217 218 static void crb_relinquish_locality(struct tpm_chip *chip, int loc) 219 { 220 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 221 222 if (!priv->regs_h) 223 return; 224 225 iowrite32(CRB_LOC_CTRL_RELINQUISH, &priv->regs_h->loc_ctrl); 226 } 227 228 static u8 crb_status(struct tpm_chip *chip) 229 { 230 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 231 u8 sts = 0; 232 233 if ((ioread32(&priv->regs_t->ctrl_start) & CRB_START_INVOKE) != 234 CRB_START_INVOKE) 235 sts |= CRB_DRV_STS_COMPLETE; 236 237 return sts; 238 } 239 240 static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count) 241 { 242 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 243 unsigned int expected; 244 245 /* sanity check */ 246 if (count < 6) 247 return -EIO; 248 249 if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR) 250 return -EIO; 251 252 memcpy_fromio(buf, priv->rsp, 6); 253 expected = be32_to_cpup((__be32 *) &buf[2]); 254 if (expected > count || expected < 6) 255 return -EIO; 256 257 memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6); 258 259 return expected; 260 } 261 262 static int crb_do_acpi_start(struct tpm_chip *chip) 263 { 264 union acpi_object *obj; 265 int rc; 266 267 obj = acpi_evaluate_dsm(chip->acpi_dev_handle, 268 &crb_acpi_start_guid, 269 CRB_ACPI_START_REVISION_ID, 270 CRB_ACPI_START_INDEX, 271 NULL); 272 if (!obj) 273 return -ENXIO; 274 rc = obj->integer.value == 0 ? 0 : -ENXIO; 275 ACPI_FREE(obj); 276 return rc; 277 } 278 279 #ifdef CONFIG_ARM64 280 /* 281 * This is a TPM Command Response Buffer start method that invokes a 282 * Secure Monitor Call to requrest the firmware to execute or cancel 283 * a TPM 2.0 command. 284 */ 285 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id) 286 { 287 struct arm_smccc_res res; 288 289 arm_smccc_smc(func_id, 0, 0, 0, 0, 0, 0, 0, &res); 290 if (res.a0 != 0) { 291 dev_err(dev, 292 FW_BUG "tpm_crb_smc_start() returns res.a0 = 0x%lx\n", 293 res.a0); 294 return -EIO; 295 } 296 297 return 0; 298 } 299 #else 300 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id) 301 { 302 dev_err(dev, FW_BUG "tpm_crb: incorrect start method\n"); 303 return -EINVAL; 304 } 305 #endif 306 307 static int crb_send(struct tpm_chip *chip, u8 *buf, size_t len) 308 { 309 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 310 int rc = 0; 311 312 /* Zero the cancel register so that the next command will not get 313 * canceled. 314 */ 315 iowrite32(0, &priv->regs_t->ctrl_cancel); 316 317 if (len > priv->cmd_size) { 318 dev_err(&chip->dev, "invalid command count value %zd %d\n", 319 len, priv->cmd_size); 320 return -E2BIG; 321 } 322 323 memcpy_toio(priv->cmd, buf, len); 324 325 /* Make sure that cmd is populated before issuing start. */ 326 wmb(); 327 328 if (priv->flags & CRB_FL_CRB_START) 329 iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start); 330 331 if (priv->flags & CRB_FL_ACPI_START) 332 rc = crb_do_acpi_start(chip); 333 334 if (priv->flags & CRB_FL_CRB_SMC_START) { 335 iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start); 336 rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id); 337 } 338 339 return rc; 340 } 341 342 static void crb_cancel(struct tpm_chip *chip) 343 { 344 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 345 346 iowrite32(CRB_CANCEL_INVOKE, &priv->regs_t->ctrl_cancel); 347 348 if ((priv->flags & CRB_FL_ACPI_START) && crb_do_acpi_start(chip)) 349 dev_err(&chip->dev, "ACPI Start failed\n"); 350 } 351 352 static bool crb_req_canceled(struct tpm_chip *chip, u8 status) 353 { 354 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 355 u32 cancel = ioread32(&priv->regs_t->ctrl_cancel); 356 357 return (cancel & CRB_CANCEL_INVOKE) == CRB_CANCEL_INVOKE; 358 } 359 360 static const struct tpm_class_ops tpm_crb = { 361 .flags = TPM_OPS_AUTO_STARTUP, 362 .status = crb_status, 363 .recv = crb_recv, 364 .send = crb_send, 365 .cancel = crb_cancel, 366 .req_canceled = crb_req_canceled, 367 .request_locality = crb_request_locality, 368 .relinquish_locality = crb_relinquish_locality, 369 .req_complete_mask = CRB_DRV_STS_COMPLETE, 370 .req_complete_val = CRB_DRV_STS_COMPLETE, 371 }; 372 373 static int crb_check_resource(struct acpi_resource *ares, void *data) 374 { 375 struct resource *io_res = data; 376 struct resource_win win; 377 struct resource *res = &(win.res); 378 379 if (acpi_dev_resource_memory(ares, res) || 380 acpi_dev_resource_address_space(ares, &win)) { 381 *io_res = *res; 382 io_res->name = NULL; 383 } 384 385 return 1; 386 } 387 388 static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv, 389 struct resource *io_res, u64 start, u32 size) 390 { 391 struct resource new_res = { 392 .start = start, 393 .end = start + size - 1, 394 .flags = IORESOURCE_MEM, 395 }; 396 397 /* Detect a 64 bit address on a 32 bit system */ 398 if (start != new_res.start) 399 return (void __iomem *) ERR_PTR(-EINVAL); 400 401 if (!resource_contains(io_res, &new_res)) 402 return devm_ioremap_resource(dev, &new_res); 403 404 return priv->iobase + (new_res.start - io_res->start); 405 } 406 407 /* 408 * Work around broken BIOSs that return inconsistent values from the ACPI 409 * region vs the registers. Trust the ACPI region. Such broken systems 410 * probably cannot send large TPM commands since the buffer will be truncated. 411 */ 412 static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res, 413 u64 start, u64 size) 414 { 415 if (io_res->start > start || io_res->end < start) 416 return size; 417 418 if (start + size - 1 <= io_res->end) 419 return size; 420 421 dev_err(dev, 422 FW_BUG "ACPI region does not cover the entire command/response buffer. %pr vs %llx %llx\n", 423 io_res, start, size); 424 425 return io_res->end - start + 1; 426 } 427 428 static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, 429 struct acpi_table_tpm2 *buf) 430 { 431 struct list_head resources; 432 struct resource io_res; 433 struct device *dev = &device->dev; 434 u32 pa_high, pa_low; 435 u64 cmd_pa; 436 u32 cmd_size; 437 u64 rsp_pa; 438 u32 rsp_size; 439 int ret; 440 441 INIT_LIST_HEAD(&resources); 442 ret = acpi_dev_get_resources(device, &resources, crb_check_resource, 443 &io_res); 444 if (ret < 0) 445 return ret; 446 acpi_dev_free_resource_list(&resources); 447 448 if (resource_type(&io_res) != IORESOURCE_MEM) { 449 dev_err(dev, FW_BUG "TPM2 ACPI table does not define a memory resource\n"); 450 return -EINVAL; 451 } 452 453 priv->iobase = devm_ioremap_resource(dev, &io_res); 454 if (IS_ERR(priv->iobase)) 455 return PTR_ERR(priv->iobase); 456 457 /* The ACPI IO region starts at the head area and continues to include 458 * the control area, as one nice sane region except for some older 459 * stuff that puts the control area outside the ACPI IO region. 460 */ 461 if (!(priv->flags & CRB_FL_ACPI_START)) { 462 if (buf->control_address == io_res.start + 463 sizeof(*priv->regs_h)) 464 priv->regs_h = priv->iobase; 465 else 466 dev_warn(dev, FW_BUG "Bad ACPI memory layout"); 467 } 468 469 priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address, 470 sizeof(struct crb_regs_tail)); 471 if (IS_ERR(priv->regs_t)) 472 return PTR_ERR(priv->regs_t); 473 474 /* 475 * PTT HW bug w/a: wake up the device to access 476 * possibly not retained registers. 477 */ 478 ret = crb_cmd_ready(dev, priv); 479 if (ret) 480 return ret; 481 482 pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high); 483 pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low); 484 cmd_pa = ((u64)pa_high << 32) | pa_low; 485 cmd_size = crb_fixup_cmd_size(dev, &io_res, cmd_pa, 486 ioread32(&priv->regs_t->ctrl_cmd_size)); 487 488 dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n", 489 pa_high, pa_low, cmd_size); 490 491 priv->cmd = crb_map_res(dev, priv, &io_res, cmd_pa, cmd_size); 492 if (IS_ERR(priv->cmd)) { 493 ret = PTR_ERR(priv->cmd); 494 goto out; 495 } 496 497 memcpy_fromio(&rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8); 498 rsp_pa = le64_to_cpu(rsp_pa); 499 rsp_size = crb_fixup_cmd_size(dev, &io_res, rsp_pa, 500 ioread32(&priv->regs_t->ctrl_rsp_size)); 501 502 if (cmd_pa != rsp_pa) { 503 priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size); 504 ret = PTR_ERR_OR_ZERO(priv->rsp); 505 goto out; 506 } 507 508 /* According to the PTP specification, overlapping command and response 509 * buffer sizes must be identical. 510 */ 511 if (cmd_size != rsp_size) { 512 dev_err(dev, FW_BUG "overlapping command and response buffer sizes are not identical"); 513 ret = -EINVAL; 514 goto out; 515 } 516 517 priv->rsp = priv->cmd; 518 519 out: 520 if (!ret) 521 priv->cmd_size = cmd_size; 522 523 crb_go_idle(dev, priv); 524 525 return ret; 526 } 527 528 static int crb_acpi_add(struct acpi_device *device) 529 { 530 struct acpi_table_tpm2 *buf; 531 struct crb_priv *priv; 532 struct tpm_chip *chip; 533 struct device *dev = &device->dev; 534 struct tpm2_crb_smc *crb_smc; 535 acpi_status status; 536 u32 sm; 537 int rc; 538 539 status = acpi_get_table(ACPI_SIG_TPM2, 1, 540 (struct acpi_table_header **) &buf); 541 if (ACPI_FAILURE(status) || buf->header.length < sizeof(*buf)) { 542 dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n"); 543 return -EINVAL; 544 } 545 546 /* Should the FIFO driver handle this? */ 547 sm = buf->start_method; 548 if (sm == ACPI_TPM2_MEMORY_MAPPED) 549 return -ENODEV; 550 551 priv = devm_kzalloc(dev, sizeof(struct crb_priv), GFP_KERNEL); 552 if (!priv) 553 return -ENOMEM; 554 555 /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs 556 * report only ACPI start but in practice seems to require both 557 * ACPI start and CRB start. 558 */ 559 if (sm == ACPI_TPM2_COMMAND_BUFFER || sm == ACPI_TPM2_MEMORY_MAPPED || 560 !strcmp(acpi_device_hid(device), "MSFT0101")) 561 priv->flags |= CRB_FL_CRB_START; 562 563 if (sm == ACPI_TPM2_START_METHOD || 564 sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) 565 priv->flags |= CRB_FL_ACPI_START; 566 567 if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) { 568 if (buf->header.length < (sizeof(*buf) + sizeof(*crb_smc))) { 569 dev_err(dev, 570 FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n", 571 buf->header.length, 572 ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC); 573 return -EINVAL; 574 } 575 crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, sizeof(*buf)); 576 priv->smc_func_id = crb_smc->smc_func_id; 577 priv->flags |= CRB_FL_CRB_SMC_START; 578 } 579 580 rc = crb_map_io(device, priv, buf); 581 if (rc) 582 return rc; 583 584 chip = tpmm_chip_alloc(dev, &tpm_crb); 585 if (IS_ERR(chip)) 586 return PTR_ERR(chip); 587 588 dev_set_drvdata(&chip->dev, priv); 589 chip->acpi_dev_handle = device->handle; 590 chip->flags = TPM_CHIP_FLAG_TPM2; 591 592 rc = crb_cmd_ready(dev, priv); 593 if (rc) 594 return rc; 595 596 pm_runtime_get_noresume(dev); 597 pm_runtime_set_active(dev); 598 pm_runtime_enable(dev); 599 600 rc = tpm_chip_register(chip); 601 if (rc) { 602 crb_go_idle(dev, priv); 603 pm_runtime_put_noidle(dev); 604 pm_runtime_disable(dev); 605 return rc; 606 } 607 608 pm_runtime_put(dev); 609 610 return 0; 611 } 612 613 static int crb_acpi_remove(struct acpi_device *device) 614 { 615 struct device *dev = &device->dev; 616 struct tpm_chip *chip = dev_get_drvdata(dev); 617 618 tpm_chip_unregister(chip); 619 620 pm_runtime_disable(dev); 621 622 return 0; 623 } 624 625 static int __maybe_unused crb_pm_runtime_suspend(struct device *dev) 626 { 627 struct tpm_chip *chip = dev_get_drvdata(dev); 628 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 629 630 return crb_go_idle(dev, priv); 631 } 632 633 static int __maybe_unused crb_pm_runtime_resume(struct device *dev) 634 { 635 struct tpm_chip *chip = dev_get_drvdata(dev); 636 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 637 638 return crb_cmd_ready(dev, priv); 639 } 640 641 static int __maybe_unused crb_pm_suspend(struct device *dev) 642 { 643 int ret; 644 645 ret = tpm_pm_suspend(dev); 646 if (ret) 647 return ret; 648 649 return crb_pm_runtime_suspend(dev); 650 } 651 652 static int __maybe_unused crb_pm_resume(struct device *dev) 653 { 654 int ret; 655 656 ret = crb_pm_runtime_resume(dev); 657 if (ret) 658 return ret; 659 660 return tpm_pm_resume(dev); 661 } 662 663 static const struct dev_pm_ops crb_pm = { 664 SET_SYSTEM_SLEEP_PM_OPS(crb_pm_suspend, crb_pm_resume) 665 SET_RUNTIME_PM_OPS(crb_pm_runtime_suspend, crb_pm_runtime_resume, NULL) 666 }; 667 668 static const struct acpi_device_id crb_device_ids[] = { 669 {"MSFT0101", 0}, 670 {"", 0}, 671 }; 672 MODULE_DEVICE_TABLE(acpi, crb_device_ids); 673 674 static struct acpi_driver crb_acpi_driver = { 675 .name = "tpm_crb", 676 .ids = crb_device_ids, 677 .ops = { 678 .add = crb_acpi_add, 679 .remove = crb_acpi_remove, 680 }, 681 .drv = { 682 .pm = &crb_pm, 683 }, 684 }; 685 686 module_acpi_driver(crb_acpi_driver); 687 MODULE_AUTHOR("Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>"); 688 MODULE_DESCRIPTION("TPM2 Driver"); 689 MODULE_VERSION("0.1"); 690 MODULE_LICENSE("GPL"); 691