1 /* 2 * Copyright (C) 2014 Intel Corporation 3 * 4 * Authors: 5 * Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> 6 * 7 * Maintained by: <tpmdd-devel@lists.sourceforge.net> 8 * 9 * This device driver implements the TPM interface as defined in 10 * the TCG CRB 2.0 TPM specification. 11 * 12 * This program is free software; you can redistribute it and/or 13 * modify it under the terms of the GNU General Public License 14 * as published by the Free Software Foundation; version 2 15 * of the License. 16 */ 17 18 #include <linux/acpi.h> 19 #include <linux/highmem.h> 20 #include <linux/rculist.h> 21 #include <linux/module.h> 22 #include <linux/pm_runtime.h> 23 #ifdef CONFIG_ARM64 24 #include <linux/arm-smccc.h> 25 #endif 26 #include "tpm.h" 27 28 #define ACPI_SIG_TPM2 "TPM2" 29 30 static const u8 CRB_ACPI_START_UUID[] = { 31 /* 0000 */ 0xAB, 0x6C, 0xBF, 0x6B, 0x63, 0x54, 0x14, 0x47, 32 /* 0008 */ 0xB7, 0xCD, 0xF0, 0x20, 0x3C, 0x03, 0x68, 0xD4 33 }; 34 35 enum crb_defaults { 36 CRB_ACPI_START_REVISION_ID = 1, 37 CRB_ACPI_START_INDEX = 1, 38 }; 39 40 enum crb_loc_ctrl { 41 CRB_LOC_CTRL_REQUEST_ACCESS = BIT(0), 42 CRB_LOC_CTRL_RELINQUISH = BIT(1), 43 }; 44 45 enum crb_loc_state { 46 CRB_LOC_STATE_LOC_ASSIGNED = BIT(1), 47 CRB_LOC_STATE_TPM_REG_VALID_STS = BIT(7), 48 }; 49 50 enum crb_ctrl_req { 51 CRB_CTRL_REQ_CMD_READY = BIT(0), 52 CRB_CTRL_REQ_GO_IDLE = BIT(1), 53 }; 54 55 enum crb_ctrl_sts { 56 CRB_CTRL_STS_ERROR = BIT(0), 57 CRB_CTRL_STS_TPM_IDLE = BIT(1), 58 }; 59 60 enum crb_start { 61 CRB_START_INVOKE = BIT(0), 62 }; 63 64 enum crb_cancel { 65 CRB_CANCEL_INVOKE = BIT(0), 66 }; 67 68 struct crb_regs_head { 69 u32 loc_state; 70 u32 reserved1; 71 u32 loc_ctrl; 72 u32 loc_sts; 73 u8 reserved2[32]; 74 u64 intf_id; 75 u64 ctrl_ext; 76 } __packed; 77 78 struct crb_regs_tail { 79 u32 ctrl_req; 80 u32 ctrl_sts; 81 u32 ctrl_cancel; 82 u32 ctrl_start; 83 u32 ctrl_int_enable; 84 u32 ctrl_int_sts; 85 u32 ctrl_cmd_size; 86 u32 ctrl_cmd_pa_low; 87 u32 ctrl_cmd_pa_high; 88 u32 ctrl_rsp_size; 89 u64 ctrl_rsp_pa; 90 } __packed; 91 92 enum crb_status { 93 CRB_DRV_STS_COMPLETE = BIT(0), 94 }; 95 96 enum crb_flags { 97 CRB_FL_ACPI_START = BIT(0), 98 CRB_FL_CRB_START = BIT(1), 99 CRB_FL_CRB_SMC_START = BIT(2), 100 }; 101 102 struct crb_priv { 103 unsigned int flags; 104 void __iomem *iobase; 105 struct crb_regs_head __iomem *regs_h; 106 struct crb_regs_tail __iomem *regs_t; 107 u8 __iomem *cmd; 108 u8 __iomem *rsp; 109 u32 cmd_size; 110 u32 smc_func_id; 111 }; 112 113 struct tpm2_crb_smc { 114 u32 interrupt; 115 u8 interrupt_flags; 116 u8 op_flags; 117 u16 reserved2; 118 u32 smc_func_id; 119 }; 120 121 /** 122 * crb_go_idle - request tpm crb device to go the idle state 123 * 124 * @dev: crb device 125 * @priv: crb private data 126 * 127 * Write CRB_CTRL_REQ_GO_IDLE to TPM_CRB_CTRL_REQ 128 * The device should respond within TIMEOUT_C by clearing the bit. 129 * Anyhow, we do not wait here as a consequent CMD_READY request 130 * will be handled correctly even if idle was not completed. 131 * 132 * The function does nothing for devices with ACPI-start method. 133 * 134 * Return: 0 always 135 */ 136 static int __maybe_unused crb_go_idle(struct device *dev, struct crb_priv *priv) 137 { 138 if ((priv->flags & CRB_FL_ACPI_START) || 139 (priv->flags & CRB_FL_CRB_SMC_START)) 140 return 0; 141 142 iowrite32(CRB_CTRL_REQ_GO_IDLE, &priv->regs_t->ctrl_req); 143 /* we don't really care when this settles */ 144 145 return 0; 146 } 147 148 static bool crb_wait_for_reg_32(u32 __iomem *reg, u32 mask, u32 value, 149 unsigned long timeout) 150 { 151 ktime_t start; 152 ktime_t stop; 153 154 start = ktime_get(); 155 stop = ktime_add(start, ms_to_ktime(timeout)); 156 157 do { 158 if ((ioread32(reg) & mask) == value) 159 return true; 160 161 usleep_range(50, 100); 162 } while (ktime_before(ktime_get(), stop)); 163 164 return false; 165 } 166 167 /** 168 * crb_cmd_ready - request tpm crb device to enter ready state 169 * 170 * @dev: crb device 171 * @priv: crb private data 172 * 173 * Write CRB_CTRL_REQ_CMD_READY to TPM_CRB_CTRL_REQ 174 * and poll till the device acknowledge it by clearing the bit. 175 * The device should respond within TIMEOUT_C. 176 * 177 * The function does nothing for devices with ACPI-start method 178 * 179 * Return: 0 on success -ETIME on timeout; 180 */ 181 static int __maybe_unused crb_cmd_ready(struct device *dev, 182 struct crb_priv *priv) 183 { 184 if ((priv->flags & CRB_FL_ACPI_START) || 185 (priv->flags & CRB_FL_CRB_SMC_START)) 186 return 0; 187 188 iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->regs_t->ctrl_req); 189 if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_req, 190 CRB_CTRL_REQ_CMD_READY /* mask */, 191 0, /* value */ 192 TPM2_TIMEOUT_C)) { 193 dev_warn(dev, "cmdReady timed out\n"); 194 return -ETIME; 195 } 196 197 return 0; 198 } 199 200 static int crb_request_locality(struct tpm_chip *chip, int loc) 201 { 202 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 203 u32 value = CRB_LOC_STATE_LOC_ASSIGNED | 204 CRB_LOC_STATE_TPM_REG_VALID_STS; 205 206 if (!priv->regs_h) 207 return 0; 208 209 iowrite32(CRB_LOC_CTRL_REQUEST_ACCESS, &priv->regs_h->loc_ctrl); 210 if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, value, value, 211 TPM2_TIMEOUT_C)) { 212 dev_warn(&chip->dev, "TPM_LOC_STATE_x.requestAccess timed out\n"); 213 return -ETIME; 214 } 215 216 return 0; 217 } 218 219 static void crb_relinquish_locality(struct tpm_chip *chip, int loc) 220 { 221 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 222 223 if (!priv->regs_h) 224 return; 225 226 iowrite32(CRB_LOC_CTRL_RELINQUISH, &priv->regs_h->loc_ctrl); 227 } 228 229 static u8 crb_status(struct tpm_chip *chip) 230 { 231 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 232 u8 sts = 0; 233 234 if ((ioread32(&priv->regs_t->ctrl_start) & CRB_START_INVOKE) != 235 CRB_START_INVOKE) 236 sts |= CRB_DRV_STS_COMPLETE; 237 238 return sts; 239 } 240 241 static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count) 242 { 243 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 244 unsigned int expected; 245 246 /* sanity check */ 247 if (count < 6) 248 return -EIO; 249 250 if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR) 251 return -EIO; 252 253 memcpy_fromio(buf, priv->rsp, 6); 254 expected = be32_to_cpup((__be32 *) &buf[2]); 255 if (expected > count || expected < 6) 256 return -EIO; 257 258 memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6); 259 260 return expected; 261 } 262 263 static int crb_do_acpi_start(struct tpm_chip *chip) 264 { 265 union acpi_object *obj; 266 int rc; 267 268 obj = acpi_evaluate_dsm(chip->acpi_dev_handle, 269 CRB_ACPI_START_UUID, 270 CRB_ACPI_START_REVISION_ID, 271 CRB_ACPI_START_INDEX, 272 NULL); 273 if (!obj) 274 return -ENXIO; 275 rc = obj->integer.value == 0 ? 0 : -ENXIO; 276 ACPI_FREE(obj); 277 return rc; 278 } 279 280 #ifdef CONFIG_ARM64 281 /* 282 * This is a TPM Command Response Buffer start method that invokes a 283 * Secure Monitor Call to requrest the firmware to execute or cancel 284 * a TPM 2.0 command. 285 */ 286 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id) 287 { 288 struct arm_smccc_res res; 289 290 arm_smccc_smc(func_id, 0, 0, 0, 0, 0, 0, 0, &res); 291 if (res.a0 != 0) { 292 dev_err(dev, 293 FW_BUG "tpm_crb_smc_start() returns res.a0 = 0x%lx\n", 294 res.a0); 295 return -EIO; 296 } 297 298 return 0; 299 } 300 #else 301 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id) 302 { 303 dev_err(dev, FW_BUG "tpm_crb: incorrect start method\n"); 304 return -EINVAL; 305 } 306 #endif 307 308 static int crb_send(struct tpm_chip *chip, u8 *buf, size_t len) 309 { 310 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 311 int rc = 0; 312 313 /* Zero the cancel register so that the next command will not get 314 * canceled. 315 */ 316 iowrite32(0, &priv->regs_t->ctrl_cancel); 317 318 if (len > priv->cmd_size) { 319 dev_err(&chip->dev, "invalid command count value %zd %d\n", 320 len, priv->cmd_size); 321 return -E2BIG; 322 } 323 324 memcpy_toio(priv->cmd, buf, len); 325 326 /* Make sure that cmd is populated before issuing start. */ 327 wmb(); 328 329 if (priv->flags & CRB_FL_CRB_START) 330 iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start); 331 332 if (priv->flags & CRB_FL_ACPI_START) 333 rc = crb_do_acpi_start(chip); 334 335 if (priv->flags & CRB_FL_CRB_SMC_START) { 336 iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start); 337 rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id); 338 } 339 340 return rc; 341 } 342 343 static void crb_cancel(struct tpm_chip *chip) 344 { 345 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 346 347 iowrite32(CRB_CANCEL_INVOKE, &priv->regs_t->ctrl_cancel); 348 349 if ((priv->flags & CRB_FL_ACPI_START) && crb_do_acpi_start(chip)) 350 dev_err(&chip->dev, "ACPI Start failed\n"); 351 } 352 353 static bool crb_req_canceled(struct tpm_chip *chip, u8 status) 354 { 355 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 356 u32 cancel = ioread32(&priv->regs_t->ctrl_cancel); 357 358 return (cancel & CRB_CANCEL_INVOKE) == CRB_CANCEL_INVOKE; 359 } 360 361 static const struct tpm_class_ops tpm_crb = { 362 .flags = TPM_OPS_AUTO_STARTUP, 363 .status = crb_status, 364 .recv = crb_recv, 365 .send = crb_send, 366 .cancel = crb_cancel, 367 .req_canceled = crb_req_canceled, 368 .request_locality = crb_request_locality, 369 .relinquish_locality = crb_relinquish_locality, 370 .req_complete_mask = CRB_DRV_STS_COMPLETE, 371 .req_complete_val = CRB_DRV_STS_COMPLETE, 372 }; 373 374 static int crb_check_resource(struct acpi_resource *ares, void *data) 375 { 376 struct resource *io_res = data; 377 struct resource_win win; 378 struct resource *res = &(win.res); 379 380 if (acpi_dev_resource_memory(ares, res) || 381 acpi_dev_resource_address_space(ares, &win)) { 382 *io_res = *res; 383 io_res->name = NULL; 384 } 385 386 return 1; 387 } 388 389 static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv, 390 struct resource *io_res, u64 start, u32 size) 391 { 392 struct resource new_res = { 393 .start = start, 394 .end = start + size - 1, 395 .flags = IORESOURCE_MEM, 396 }; 397 398 /* Detect a 64 bit address on a 32 bit system */ 399 if (start != new_res.start) 400 return (void __iomem *) ERR_PTR(-EINVAL); 401 402 if (!resource_contains(io_res, &new_res)) 403 return devm_ioremap_resource(dev, &new_res); 404 405 return priv->iobase + (new_res.start - io_res->start); 406 } 407 408 /* 409 * Work around broken BIOSs that return inconsistent values from the ACPI 410 * region vs the registers. Trust the ACPI region. Such broken systems 411 * probably cannot send large TPM commands since the buffer will be truncated. 412 */ 413 static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res, 414 u64 start, u64 size) 415 { 416 if (io_res->start > start || io_res->end < start) 417 return size; 418 419 if (start + size - 1 <= io_res->end) 420 return size; 421 422 dev_err(dev, 423 FW_BUG "ACPI region does not cover the entire command/response buffer. %pr vs %llx %llx\n", 424 io_res, start, size); 425 426 return io_res->end - start + 1; 427 } 428 429 static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, 430 struct acpi_table_tpm2 *buf) 431 { 432 struct list_head resources; 433 struct resource io_res; 434 struct device *dev = &device->dev; 435 u32 pa_high, pa_low; 436 u64 cmd_pa; 437 u32 cmd_size; 438 u64 rsp_pa; 439 u32 rsp_size; 440 int ret; 441 442 INIT_LIST_HEAD(&resources); 443 ret = acpi_dev_get_resources(device, &resources, crb_check_resource, 444 &io_res); 445 if (ret < 0) 446 return ret; 447 acpi_dev_free_resource_list(&resources); 448 449 if (resource_type(&io_res) != IORESOURCE_MEM) { 450 dev_err(dev, FW_BUG "TPM2 ACPI table does not define a memory resource\n"); 451 return -EINVAL; 452 } 453 454 priv->iobase = devm_ioremap_resource(dev, &io_res); 455 if (IS_ERR(priv->iobase)) 456 return PTR_ERR(priv->iobase); 457 458 /* The ACPI IO region starts at the head area and continues to include 459 * the control area, as one nice sane region except for some older 460 * stuff that puts the control area outside the ACPI IO region. 461 */ 462 if (!(priv->flags & CRB_FL_ACPI_START)) { 463 if (buf->control_address == io_res.start + 464 sizeof(*priv->regs_h)) 465 priv->regs_h = priv->iobase; 466 else 467 dev_warn(dev, FW_BUG "Bad ACPI memory layout"); 468 } 469 470 priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address, 471 sizeof(struct crb_regs_tail)); 472 if (IS_ERR(priv->regs_t)) 473 return PTR_ERR(priv->regs_t); 474 475 /* 476 * PTT HW bug w/a: wake up the device to access 477 * possibly not retained registers. 478 */ 479 ret = crb_cmd_ready(dev, priv); 480 if (ret) 481 return ret; 482 483 pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high); 484 pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low); 485 cmd_pa = ((u64)pa_high << 32) | pa_low; 486 cmd_size = crb_fixup_cmd_size(dev, &io_res, cmd_pa, 487 ioread32(&priv->regs_t->ctrl_cmd_size)); 488 489 dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n", 490 pa_high, pa_low, cmd_size); 491 492 priv->cmd = crb_map_res(dev, priv, &io_res, cmd_pa, cmd_size); 493 if (IS_ERR(priv->cmd)) { 494 ret = PTR_ERR(priv->cmd); 495 goto out; 496 } 497 498 memcpy_fromio(&rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8); 499 rsp_pa = le64_to_cpu(rsp_pa); 500 rsp_size = crb_fixup_cmd_size(dev, &io_res, rsp_pa, 501 ioread32(&priv->regs_t->ctrl_rsp_size)); 502 503 if (cmd_pa != rsp_pa) { 504 priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size); 505 ret = PTR_ERR_OR_ZERO(priv->rsp); 506 goto out; 507 } 508 509 /* According to the PTP specification, overlapping command and response 510 * buffer sizes must be identical. 511 */ 512 if (cmd_size != rsp_size) { 513 dev_err(dev, FW_BUG "overlapping command and response buffer sizes are not identical"); 514 ret = -EINVAL; 515 goto out; 516 } 517 518 priv->cmd_size = cmd_size; 519 520 priv->rsp = priv->cmd; 521 522 out: 523 crb_go_idle(dev, priv); 524 525 return ret; 526 } 527 528 static int crb_acpi_add(struct acpi_device *device) 529 { 530 struct acpi_table_tpm2 *buf; 531 struct crb_priv *priv; 532 struct tpm_chip *chip; 533 struct device *dev = &device->dev; 534 struct tpm2_crb_smc *crb_smc; 535 acpi_status status; 536 u32 sm; 537 int rc; 538 539 status = acpi_get_table(ACPI_SIG_TPM2, 1, 540 (struct acpi_table_header **) &buf); 541 if (ACPI_FAILURE(status) || buf->header.length < sizeof(*buf)) { 542 dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n"); 543 return -EINVAL; 544 } 545 546 /* Should the FIFO driver handle this? */ 547 sm = buf->start_method; 548 if (sm == ACPI_TPM2_MEMORY_MAPPED) 549 return -ENODEV; 550 551 priv = devm_kzalloc(dev, sizeof(struct crb_priv), GFP_KERNEL); 552 if (!priv) 553 return -ENOMEM; 554 555 /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs 556 * report only ACPI start but in practice seems to require both 557 * ACPI start and CRB start. 558 */ 559 if (sm == ACPI_TPM2_COMMAND_BUFFER || sm == ACPI_TPM2_MEMORY_MAPPED || 560 !strcmp(acpi_device_hid(device), "MSFT0101")) 561 priv->flags |= CRB_FL_CRB_START; 562 563 if (sm == ACPI_TPM2_START_METHOD || 564 sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) 565 priv->flags |= CRB_FL_ACPI_START; 566 567 if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_SMC) { 568 if (buf->header.length < (sizeof(*buf) + sizeof(*crb_smc))) { 569 dev_err(dev, 570 FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n", 571 buf->header.length, 572 ACPI_TPM2_COMMAND_BUFFER_WITH_SMC); 573 return -EINVAL; 574 } 575 crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, sizeof(*buf)); 576 priv->smc_func_id = crb_smc->smc_func_id; 577 priv->flags |= CRB_FL_CRB_SMC_START; 578 } 579 580 rc = crb_map_io(device, priv, buf); 581 if (rc) 582 return rc; 583 584 chip = tpmm_chip_alloc(dev, &tpm_crb); 585 if (IS_ERR(chip)) 586 return PTR_ERR(chip); 587 588 dev_set_drvdata(&chip->dev, priv); 589 chip->acpi_dev_handle = device->handle; 590 chip->flags = TPM_CHIP_FLAG_TPM2; 591 592 rc = crb_cmd_ready(dev, priv); 593 if (rc) 594 return rc; 595 596 pm_runtime_get_noresume(dev); 597 pm_runtime_set_active(dev); 598 pm_runtime_enable(dev); 599 600 rc = tpm_chip_register(chip); 601 if (rc) { 602 crb_go_idle(dev, priv); 603 pm_runtime_put_noidle(dev); 604 pm_runtime_disable(dev); 605 return rc; 606 } 607 608 pm_runtime_put(dev); 609 610 return 0; 611 } 612 613 static int crb_acpi_remove(struct acpi_device *device) 614 { 615 struct device *dev = &device->dev; 616 struct tpm_chip *chip = dev_get_drvdata(dev); 617 618 tpm_chip_unregister(chip); 619 620 pm_runtime_disable(dev); 621 622 return 0; 623 } 624 625 static int __maybe_unused crb_pm_runtime_suspend(struct device *dev) 626 { 627 struct tpm_chip *chip = dev_get_drvdata(dev); 628 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 629 630 return crb_go_idle(dev, priv); 631 } 632 633 static int __maybe_unused crb_pm_runtime_resume(struct device *dev) 634 { 635 struct tpm_chip *chip = dev_get_drvdata(dev); 636 struct crb_priv *priv = dev_get_drvdata(&chip->dev); 637 638 return crb_cmd_ready(dev, priv); 639 } 640 641 static int __maybe_unused crb_pm_suspend(struct device *dev) 642 { 643 int ret; 644 645 ret = tpm_pm_suspend(dev); 646 if (ret) 647 return ret; 648 649 return crb_pm_runtime_suspend(dev); 650 } 651 652 static int __maybe_unused crb_pm_resume(struct device *dev) 653 { 654 int ret; 655 656 ret = crb_pm_runtime_resume(dev); 657 if (ret) 658 return ret; 659 660 return tpm_pm_resume(dev); 661 } 662 663 static const struct dev_pm_ops crb_pm = { 664 SET_SYSTEM_SLEEP_PM_OPS(crb_pm_suspend, crb_pm_resume) 665 SET_RUNTIME_PM_OPS(crb_pm_runtime_suspend, crb_pm_runtime_resume, NULL) 666 }; 667 668 static struct acpi_device_id crb_device_ids[] = { 669 {"MSFT0101", 0}, 670 {"", 0}, 671 }; 672 MODULE_DEVICE_TABLE(acpi, crb_device_ids); 673 674 static struct acpi_driver crb_acpi_driver = { 675 .name = "tpm_crb", 676 .ids = crb_device_ids, 677 .ops = { 678 .add = crb_acpi_add, 679 .remove = crb_acpi_remove, 680 }, 681 .drv = { 682 .pm = &crb_pm, 683 }, 684 }; 685 686 module_acpi_driver(crb_acpi_driver); 687 MODULE_AUTHOR("Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>"); 688 MODULE_DESCRIPTION("TPM2 Driver"); 689 MODULE_VERSION("0.1"); 690 MODULE_LICENSE("GPL"); 691