1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright (c) 2011 The Chromium OS Authors.
4 */
5
6 /*
7 * The code in this file is based on the article "Writing a TPM Device Driver"
8 * published on http://ptgmedia.pearsoncmg.com.
9 *
10 * One principal difference is that in the simplest config the other than 0
11 * TPM localities do not get mapped by some devices (for instance, by Infineon
12 * slb9635), so this driver provides access to locality 0 only.
13 */
14
15 #include <common.h>
16 #include <dm.h>
17 #include <mapmem.h>
18 #include <tpm-v1.h>
19 #include <asm/io.h>
20
21 #define PREFIX "lpc_tpm: "
22
23 enum i2c_chip_type {
24 SLB9635,
25 AT97SC3204,
26 };
27
28 static const char * const chip_name[] = {
29 [SLB9635] = "Infineon SLB9635 TT 1.2",
30 [AT97SC3204] = "Atmel AT97SC3204",
31 };
32
33 static const u32 chip_didvid[] = {
34 [SLB9635] = 0xb15d1,
35 [AT97SC3204] = 0x32041114,
36 };
37
38 struct tpm_locality {
39 u32 access;
40 u8 padding0[4];
41 u32 int_enable;
42 u8 vector;
43 u8 padding1[3];
44 u32 int_status;
45 u32 int_capability;
46 u32 tpm_status;
47 u8 padding2[8];
48 u8 data;
49 u8 padding3[3803];
50 u32 did_vid;
51 u8 rid;
52 u8 padding4[251];
53 };
54
55 struct tpm_tis_lpc_priv {
56 struct tpm_locality *regs;
57 };
58
59 /*
60 * This pointer refers to the TPM chip, 5 of its localities are mapped as an
61 * array.
62 */
63 #define TPM_TOTAL_LOCALITIES 5
64
65 /* Some registers' bit field definitions */
66 #define TIS_STS_VALID (1 << 7) /* 0x80 */
67 #define TIS_STS_COMMAND_READY (1 << 6) /* 0x40 */
68 #define TIS_STS_TPM_GO (1 << 5) /* 0x20 */
69 #define TIS_STS_DATA_AVAILABLE (1 << 4) /* 0x10 */
70 #define TIS_STS_EXPECT (1 << 3) /* 0x08 */
71 #define TIS_STS_RESPONSE_RETRY (1 << 1) /* 0x02 */
72
73 #define TIS_ACCESS_TPM_REG_VALID_STS (1 << 7) /* 0x80 */
74 #define TIS_ACCESS_ACTIVE_LOCALITY (1 << 5) /* 0x20 */
75 #define TIS_ACCESS_BEEN_SEIZED (1 << 4) /* 0x10 */
76 #define TIS_ACCESS_SEIZE (1 << 3) /* 0x08 */
77 #define TIS_ACCESS_PENDING_REQUEST (1 << 2) /* 0x04 */
78 #define TIS_ACCESS_REQUEST_USE (1 << 1) /* 0x02 */
79 #define TIS_ACCESS_TPM_ESTABLISHMENT (1 << 0) /* 0x01 */
80
81 #define TIS_STS_BURST_COUNT_MASK (0xffff)
82 #define TIS_STS_BURST_COUNT_SHIFT (8)
83
84 /* 1 second is plenty for anything TPM does. */
85 #define MAX_DELAY_US (1000 * 1000)
86
87 /* Retrieve burst count value out of the status register contents. */
burst_count(u32 status)88 static u16 burst_count(u32 status)
89 {
90 return (status >> TIS_STS_BURST_COUNT_SHIFT) &
91 TIS_STS_BURST_COUNT_MASK;
92 }
93
94 /* TPM access wrappers to support tracing */
tpm_read_byte(struct tpm_tis_lpc_priv * priv,const u8 * ptr)95 static u8 tpm_read_byte(struct tpm_tis_lpc_priv *priv, const u8 *ptr)
96 {
97 u8 ret = readb(ptr);
98 debug(PREFIX "Read reg 0x%4.4x returns 0x%2.2x\n",
99 (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, ret);
100 return ret;
101 }
102
tpm_read_word(struct tpm_tis_lpc_priv * priv,const u32 * ptr)103 static u32 tpm_read_word(struct tpm_tis_lpc_priv *priv, const u32 *ptr)
104 {
105 u32 ret = readl(ptr);
106 debug(PREFIX "Read reg 0x%4.4x returns 0x%8.8x\n",
107 (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, ret);
108 return ret;
109 }
110
tpm_write_byte(struct tpm_tis_lpc_priv * priv,u8 value,u8 * ptr)111 static void tpm_write_byte(struct tpm_tis_lpc_priv *priv, u8 value, u8 *ptr)
112 {
113 debug(PREFIX "Write reg 0x%4.4x with 0x%2.2x\n",
114 (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, value);
115 writeb(value, ptr);
116 }
117
tpm_write_word(struct tpm_tis_lpc_priv * priv,u32 value,u32 * ptr)118 static void tpm_write_word(struct tpm_tis_lpc_priv *priv, u32 value,
119 u32 *ptr)
120 {
121 debug(PREFIX "Write reg 0x%4.4x with 0x%8.8x\n",
122 (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, value);
123 writel(value, ptr);
124 }
125
126 /*
127 * tis_wait_reg()
128 *
129 * Wait for at least a second for a register to change its state to match the
130 * expected state. Normally the transition happens within microseconds.
131 *
132 * @reg - pointer to the TPM register
133 * @mask - bitmask for the bitfield(s) to watch
134 * @expected - value the field(s) are supposed to be set to
135 *
136 * Returns the register contents in case the expected value was found in the
137 * appropriate register bits, or -ETIMEDOUT on timeout.
138 */
tis_wait_reg(struct tpm_tis_lpc_priv * priv,u32 * reg,u8 mask,u8 expected)139 static int tis_wait_reg(struct tpm_tis_lpc_priv *priv, u32 *reg, u8 mask,
140 u8 expected)
141 {
142 u32 time_us = MAX_DELAY_US;
143
144 while (time_us > 0) {
145 u32 value = tpm_read_word(priv, reg);
146 if ((value & mask) == expected)
147 return value;
148 udelay(1); /* 1 us */
149 time_us--;
150 }
151
152 return -ETIMEDOUT;
153 }
154
155 /*
156 * Probe the TPM device and try determining its manufacturer/device name.
157 *
158 * Returns 0 on success, -ve on error
159 */
tpm_tis_lpc_probe(struct udevice * dev)160 static int tpm_tis_lpc_probe(struct udevice *dev)
161 {
162 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
163 fdt_addr_t addr;
164 u32 didvid;
165 ulong chip_type = dev_get_driver_data(dev);
166
167 addr = dev_read_addr(dev);
168 if (addr == FDT_ADDR_T_NONE)
169 return -EINVAL;
170 priv->regs = map_sysmem(addr, 0);
171 didvid = tpm_read_word(priv, &priv->regs[0].did_vid);
172
173 if (didvid != chip_didvid[chip_type]) {
174 u32 vid, did;
175 vid = didvid & 0xffff;
176 did = (didvid >> 16) & 0xffff;
177 debug("Invalid vendor/device ID %04x/%04x\n", vid, did);
178 return -ENODEV;
179 }
180
181 debug("Found TPM: %s\n", chip_name[chip_type]);
182
183 return 0;
184 }
185
186 /*
187 * tis_senddata()
188 *
189 * send the passed in data to the TPM device.
190 *
191 * @data - address of the data to send, byte by byte
192 * @len - length of the data to send
193 *
194 * Returns 0 on success, -ve on error (in case the device does not accept
195 * the entire command).
196 */
tis_senddata(struct udevice * dev,const u8 * data,size_t len)197 static int tis_senddata(struct udevice *dev, const u8 *data, size_t len)
198 {
199 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
200 struct tpm_locality *regs = priv->regs;
201 u32 offset = 0;
202 u16 burst = 0;
203 u32 max_cycles = 0;
204 u8 locality = 0;
205 u32 value;
206
207 value = tis_wait_reg(priv, ®s[locality].tpm_status,
208 TIS_STS_COMMAND_READY, TIS_STS_COMMAND_READY);
209 if (value == -ETIMEDOUT) {
210 printf("%s:%d - failed to get 'command_ready' status\n",
211 __FILE__, __LINE__);
212 return value;
213 }
214 burst = burst_count(value);
215
216 while (1) {
217 unsigned count;
218
219 /* Wait till the device is ready to accept more data. */
220 while (!burst) {
221 if (max_cycles++ == MAX_DELAY_US) {
222 printf("%s:%d failed to feed %zd bytes of %zd\n",
223 __FILE__, __LINE__, len - offset, len);
224 return -ETIMEDOUT;
225 }
226 udelay(1);
227 burst = burst_count(tpm_read_word(priv,
228 ®s[locality].tpm_status));
229 }
230
231 max_cycles = 0;
232
233 /*
234 * Calculate number of bytes the TPM is ready to accept in one
235 * shot.
236 *
237 * We want to send the last byte outside of the loop (hence
238 * the -1 below) to make sure that the 'expected' status bit
239 * changes to zero exactly after the last byte is fed into the
240 * FIFO.
241 */
242 count = min((size_t)burst, len - offset - 1);
243 while (count--)
244 tpm_write_byte(priv, data[offset++],
245 ®s[locality].data);
246
247 value = tis_wait_reg(priv, ®s[locality].tpm_status,
248 TIS_STS_VALID, TIS_STS_VALID);
249
250 if ((value == -ETIMEDOUT) || !(value & TIS_STS_EXPECT)) {
251 printf("%s:%d TPM command feed overflow\n",
252 __FILE__, __LINE__);
253 return value == -ETIMEDOUT ? value : -EIO;
254 }
255
256 burst = burst_count(value);
257 if ((offset == (len - 1)) && burst) {
258 /*
259 * We need to be able to send the last byte to the
260 * device, so burst size must be nonzero before we
261 * break out.
262 */
263 break;
264 }
265 }
266
267 /* Send the last byte. */
268 tpm_write_byte(priv, data[offset++], ®s[locality].data);
269 /*
270 * Verify that TPM does not expect any more data as part of this
271 * command.
272 */
273 value = tis_wait_reg(priv, ®s[locality].tpm_status,
274 TIS_STS_VALID, TIS_STS_VALID);
275 if ((value == -ETIMEDOUT) || (value & TIS_STS_EXPECT)) {
276 printf("%s:%d unexpected TPM status 0x%x\n",
277 __FILE__, __LINE__, value);
278 return value == -ETIMEDOUT ? value : -EIO;
279 }
280
281 /* OK, sitting pretty, let's start the command execution. */
282 tpm_write_word(priv, TIS_STS_TPM_GO, ®s[locality].tpm_status);
283 return 0;
284 }
285
286 /*
287 * tis_readresponse()
288 *
289 * read the TPM device response after a command was issued.
290 *
291 * @buffer - address where to read the response, byte by byte.
292 * @len - pointer to the size of buffer
293 *
294 * On success stores the number of received bytes to len and returns 0. On
295 * errors (misformatted TPM data or synchronization problems) returns
296 * -ve value.
297 */
tis_readresponse(struct udevice * dev,u8 * buffer,size_t len)298 static int tis_readresponse(struct udevice *dev, u8 *buffer, size_t len)
299 {
300 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
301 struct tpm_locality *regs = priv->regs;
302 u16 burst;
303 u32 value;
304 u32 offset = 0;
305 u8 locality = 0;
306 const u32 has_data = TIS_STS_DATA_AVAILABLE | TIS_STS_VALID;
307 u32 expected_count = len;
308 int max_cycles = 0;
309
310 /* Wait for the TPM to process the command. */
311 value = tis_wait_reg(priv, ®s[locality].tpm_status,
312 has_data, has_data);
313 if (value == -ETIMEDOUT) {
314 printf("%s:%d failed processing command\n",
315 __FILE__, __LINE__);
316 return value;
317 }
318
319 do {
320 while ((burst = burst_count(value)) == 0) {
321 if (max_cycles++ == MAX_DELAY_US) {
322 printf("%s:%d TPM stuck on read\n",
323 __FILE__, __LINE__);
324 return -EIO;
325 }
326 udelay(1);
327 value = tpm_read_word(priv, ®s[locality].tpm_status);
328 }
329
330 max_cycles = 0;
331
332 while (burst-- && (offset < expected_count)) {
333 buffer[offset++] = tpm_read_byte(priv,
334 ®s[locality].data);
335
336 if (offset == 6) {
337 /*
338 * We got the first six bytes of the reply,
339 * let's figure out how many bytes to expect
340 * total - it is stored as a 4 byte number in
341 * network order, starting with offset 2 into
342 * the body of the reply.
343 */
344 u32 real_length;
345 memcpy(&real_length,
346 buffer + 2,
347 sizeof(real_length));
348 expected_count = be32_to_cpu(real_length);
349
350 if ((expected_count < offset) ||
351 (expected_count > len)) {
352 printf("%s:%d bad response size %d\n",
353 __FILE__, __LINE__,
354 expected_count);
355 return -ENOSPC;
356 }
357 }
358 }
359
360 /* Wait for the next portion. */
361 value = tis_wait_reg(priv, ®s[locality].tpm_status,
362 TIS_STS_VALID, TIS_STS_VALID);
363 if (value == -ETIMEDOUT) {
364 printf("%s:%d failed to read response\n",
365 __FILE__, __LINE__);
366 return value;
367 }
368
369 if (offset == expected_count)
370 break; /* We got all we needed. */
371
372 } while ((value & has_data) == has_data);
373
374 /*
375 * Make sure we indeed read all there was. The TIS_STS_VALID bit is
376 * known to be set.
377 */
378 if (value & TIS_STS_DATA_AVAILABLE) {
379 printf("%s:%d wrong receive status %x\n",
380 __FILE__, __LINE__, value);
381 return -EBADMSG;
382 }
383
384 /* Tell the TPM that we are done. */
385 tpm_write_word(priv, TIS_STS_COMMAND_READY,
386 ®s[locality].tpm_status);
387
388 return offset;
389 }
390
tpm_tis_lpc_close(struct udevice * dev)391 static int tpm_tis_lpc_close(struct udevice *dev)
392 {
393 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
394 struct tpm_locality *regs = priv->regs;
395 u8 locality = 0;
396
397 if (tpm_read_word(priv, ®s[locality].access) &
398 TIS_ACCESS_ACTIVE_LOCALITY) {
399 tpm_write_word(priv, TIS_ACCESS_ACTIVE_LOCALITY,
400 ®s[locality].access);
401
402 if (tis_wait_reg(priv, ®s[locality].access,
403 TIS_ACCESS_ACTIVE_LOCALITY, 0) == -ETIMEDOUT) {
404 printf("%s:%d - failed to release locality %d\n",
405 __FILE__, __LINE__, locality);
406 return -ETIMEDOUT;
407 }
408 }
409 return 0;
410 }
411
tpm_tis_lpc_open(struct udevice * dev)412 static int tpm_tis_lpc_open(struct udevice *dev)
413 {
414 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
415 struct tpm_locality *regs = priv->regs;
416 u8 locality = 0; /* we use locality zero for everything. */
417 int ret;
418
419 ret = tpm_tis_lpc_close(dev);
420 if (ret) {
421 printf("%s: Failed to close TPM\n", __func__);
422 return ret;
423 }
424
425 /* now request access to locality. */
426 tpm_write_word(priv, TIS_ACCESS_REQUEST_USE, ®s[locality].access);
427
428 /* did we get a lock? */
429 ret = tis_wait_reg(priv, ®s[locality].access,
430 TIS_ACCESS_ACTIVE_LOCALITY,
431 TIS_ACCESS_ACTIVE_LOCALITY);
432 if (ret == -ETIMEDOUT) {
433 printf("%s:%d - failed to lock locality %d\n",
434 __FILE__, __LINE__, locality);
435 return ret;
436 }
437
438 tpm_write_word(priv, TIS_STS_COMMAND_READY,
439 ®s[locality].tpm_status);
440
441 return 0;
442 }
443
tpm_tis_get_desc(struct udevice * dev,char * buf,int size)444 static int tpm_tis_get_desc(struct udevice *dev, char *buf, int size)
445 {
446 ulong chip_type = dev_get_driver_data(dev);
447
448 if (size < 50)
449 return -ENOSPC;
450
451 return snprintf(buf, size, "1.2 TPM (%s)",
452 chip_name[chip_type]);
453 }
454
455
456 static const struct tpm_ops tpm_tis_lpc_ops = {
457 .open = tpm_tis_lpc_open,
458 .close = tpm_tis_lpc_close,
459 .get_desc = tpm_tis_get_desc,
460 .send = tis_senddata,
461 .recv = tis_readresponse,
462 };
463
464 static const struct udevice_id tpm_tis_lpc_ids[] = {
465 { .compatible = "infineon,slb9635lpc", .data = SLB9635 },
466 { .compatible = "atmel,at97sc3204", .data = AT97SC3204 },
467 { }
468 };
469
470 U_BOOT_DRIVER(tpm_tis_lpc) = {
471 .name = "tpm_tis_lpc",
472 .id = UCLASS_TPM,
473 .of_match = tpm_tis_lpc_ids,
474 .ops = &tpm_tis_lpc_ops,
475 .probe = tpm_tis_lpc_probe,
476 .priv_auto_alloc_size = sizeof(struct tpm_tis_lpc_priv),
477 };
478