xref: /openbmc/u-boot/drivers/tpm/tpm_tis_lpc.c (revision 1f4e25780a827de9526b5f60b8a574b1e4f45b9c)
1 /*
2  * Copyright (c) 2011 The Chromium OS Authors.
3  *
4  * SPDX-License-Identifier:	GPL-2.0+
5  */
6 
7 /*
8  * The code in this file is based on the article "Writing a TPM Device Driver"
9  * published on http://ptgmedia.pearsoncmg.com.
10  *
11  * One principal difference is that in the simplest config the other than 0
12  * TPM localities do not get mapped by some devices (for instance, by Infineon
13  * slb9635), so this driver provides access to locality 0 only.
14  */
15 
16 #include <common.h>
17 #include <dm.h>
18 #include <mapmem.h>
19 #include <tpm.h>
20 #include <asm/io.h>
21 
22 #define PREFIX "lpc_tpm: "
23 
24 enum i2c_chip_type {
25 	SLB9635,
26 	AT97SC3204,
27 };
28 
29 static const char * const chip_name[] = {
30 	[SLB9635] = "Infineon SLB9635 TT 1.2",
31 	[AT97SC3204] = "Atmel AT97SC3204",
32 };
33 
34 static const u32 chip_didvid[] = {
35 	[SLB9635] = 0xb15d1,
36 	[AT97SC3204] = 0x32041114,
37 };
38 
39 struct tpm_locality {
40 	u32 access;
41 	u8 padding0[4];
42 	u32 int_enable;
43 	u8 vector;
44 	u8 padding1[3];
45 	u32 int_status;
46 	u32 int_capability;
47 	u32 tpm_status;
48 	u8 padding2[8];
49 	u8 data;
50 	u8 padding3[3803];
51 	u32 did_vid;
52 	u8 rid;
53 	u8 padding4[251];
54 };
55 
56 struct tpm_tis_lpc_priv {
57 	struct tpm_locality *regs;
58 };
59 
60 /*
61  * This pointer refers to the TPM chip, 5 of its localities are mapped as an
62  * array.
63  */
64 #define TPM_TOTAL_LOCALITIES	5
65 
66 /* Some registers' bit field definitions */
67 #define TIS_STS_VALID                  (1 << 7) /* 0x80 */
68 #define TIS_STS_COMMAND_READY          (1 << 6) /* 0x40 */
69 #define TIS_STS_TPM_GO                 (1 << 5) /* 0x20 */
70 #define TIS_STS_DATA_AVAILABLE         (1 << 4) /* 0x10 */
71 #define TIS_STS_EXPECT                 (1 << 3) /* 0x08 */
72 #define TIS_STS_RESPONSE_RETRY         (1 << 1) /* 0x02 */
73 
74 #define TIS_ACCESS_TPM_REG_VALID_STS   (1 << 7) /* 0x80 */
75 #define TIS_ACCESS_ACTIVE_LOCALITY     (1 << 5) /* 0x20 */
76 #define TIS_ACCESS_BEEN_SEIZED         (1 << 4) /* 0x10 */
77 #define TIS_ACCESS_SEIZE               (1 << 3) /* 0x08 */
78 #define TIS_ACCESS_PENDING_REQUEST     (1 << 2) /* 0x04 */
79 #define TIS_ACCESS_REQUEST_USE         (1 << 1) /* 0x02 */
80 #define TIS_ACCESS_TPM_ESTABLISHMENT   (1 << 0) /* 0x01 */
81 
82 #define TIS_STS_BURST_COUNT_MASK       (0xffff)
83 #define TIS_STS_BURST_COUNT_SHIFT      (8)
84 
85  /* 1 second is plenty for anything TPM does. */
86 #define MAX_DELAY_US	(1000 * 1000)
87 
88 /* Retrieve burst count value out of the status register contents. */
89 static u16 burst_count(u32 status)
90 {
91 	return (status >> TIS_STS_BURST_COUNT_SHIFT) &
92 			TIS_STS_BURST_COUNT_MASK;
93 }
94 
95 /* TPM access wrappers to support tracing */
96 static u8 tpm_read_byte(struct tpm_tis_lpc_priv *priv, const u8 *ptr)
97 {
98 	u8  ret = readb(ptr);
99 	debug(PREFIX "Read reg 0x%4.4x returns 0x%2.2x\n",
100 	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, ret);
101 	return ret;
102 }
103 
104 static u32 tpm_read_word(struct tpm_tis_lpc_priv *priv, const u32 *ptr)
105 {
106 	u32  ret = readl(ptr);
107 	debug(PREFIX "Read reg 0x%4.4x returns 0x%8.8x\n",
108 	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, ret);
109 	return ret;
110 }
111 
112 static void tpm_write_byte(struct tpm_tis_lpc_priv *priv, u8 value, u8 *ptr)
113 {
114 	debug(PREFIX "Write reg 0x%4.4x with 0x%2.2x\n",
115 	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, value);
116 	writeb(value, ptr);
117 }
118 
119 static void tpm_write_word(struct tpm_tis_lpc_priv *priv, u32 value,
120 			   u32 *ptr)
121 {
122 	debug(PREFIX "Write reg 0x%4.4x with 0x%8.8x\n",
123 	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, value);
124 	writel(value, ptr);
125 }
126 
127 /*
128  * tis_wait_reg()
129  *
130  * Wait for at least a second for a register to change its state to match the
131  * expected state. Normally the transition happens within microseconds.
132  *
133  * @reg - pointer to the TPM register
134  * @mask - bitmask for the bitfield(s) to watch
135  * @expected - value the field(s) are supposed to be set to
136  *
137  * Returns the register contents in case the expected value was found in the
138  * appropriate register bits, or -ETIMEDOUT on timeout.
139  */
140 static int tis_wait_reg(struct tpm_tis_lpc_priv *priv, u32 *reg, u8 mask,
141 			u8 expected)
142 {
143 	u32 time_us = MAX_DELAY_US;
144 
145 	while (time_us > 0) {
146 		u32 value = tpm_read_word(priv, reg);
147 		if ((value & mask) == expected)
148 			return value;
149 		udelay(1); /* 1 us */
150 		time_us--;
151 	}
152 
153 	return -ETIMEDOUT;
154 }
155 
156 /*
157  * Probe the TPM device and try determining its manufacturer/device name.
158  *
159  * Returns 0 on success, -ve on error
160  */
161 static int tpm_tis_lpc_probe(struct udevice *dev)
162 {
163 	struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
164 	fdt_addr_t addr;
165 	u32 didvid;
166 	ulong chip_type = dev_get_driver_data(dev);
167 
168 	addr = devfdt_get_addr(dev);
169 	if (addr == FDT_ADDR_T_NONE)
170 		return -EINVAL;
171 	priv->regs = map_sysmem(addr, 0);
172 	didvid = tpm_read_word(priv, &priv->regs[0].did_vid);
173 
174 	if (didvid != chip_didvid[chip_type]) {
175 		u32 vid, did;
176 		vid = didvid & 0xffff;
177 		did = (didvid >> 16) & 0xffff;
178 		debug("Invalid vendor/device ID %04x/%04x\n", vid, did);
179 		return -ENODEV;
180 	}
181 
182 	debug("Found TPM: %s\n", chip_name[chip_type]);
183 
184 	return 0;
185 }
186 
187 /*
188  * tis_senddata()
189  *
190  * send the passed in data to the TPM device.
191  *
192  * @data - address of the data to send, byte by byte
193  * @len - length of the data to send
194  *
195  * Returns 0 on success, -ve on error (in case the device does not accept
196  * the entire command).
197  */
198 static int tis_senddata(struct udevice *dev, const u8 *data, size_t len)
199 {
200 	struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
201 	struct tpm_locality *regs = priv->regs;
202 	u32 offset = 0;
203 	u16 burst = 0;
204 	u32 max_cycles = 0;
205 	u8 locality = 0;
206 	u32 value;
207 
208 	value = tis_wait_reg(priv, &regs[locality].tpm_status,
209 			     TIS_STS_COMMAND_READY, TIS_STS_COMMAND_READY);
210 	if (value == -ETIMEDOUT) {
211 		printf("%s:%d - failed to get 'command_ready' status\n",
212 		       __FILE__, __LINE__);
213 		return value;
214 	}
215 	burst = burst_count(value);
216 
217 	while (1) {
218 		unsigned count;
219 
220 		/* Wait till the device is ready to accept more data. */
221 		while (!burst) {
222 			if (max_cycles++ == MAX_DELAY_US) {
223 				printf("%s:%d failed to feed %zd bytes of %zd\n",
224 				       __FILE__, __LINE__, len - offset, len);
225 				return -ETIMEDOUT;
226 			}
227 			udelay(1);
228 			burst = burst_count(tpm_read_word(priv,
229 					&regs[locality].tpm_status));
230 		}
231 
232 		max_cycles = 0;
233 
234 		/*
235 		 * Calculate number of bytes the TPM is ready to accept in one
236 		 * shot.
237 		 *
238 		 * We want to send the last byte outside of the loop (hence
239 		 * the -1 below) to make sure that the 'expected' status bit
240 		 * changes to zero exactly after the last byte is fed into the
241 		 * FIFO.
242 		 */
243 		count = min((size_t)burst, len - offset - 1);
244 		while (count--)
245 			tpm_write_byte(priv, data[offset++],
246 				       &regs[locality].data);
247 
248 		value = tis_wait_reg(priv, &regs[locality].tpm_status,
249 				     TIS_STS_VALID, TIS_STS_VALID);
250 
251 		if ((value == -ETIMEDOUT) || !(value & TIS_STS_EXPECT)) {
252 			printf("%s:%d TPM command feed overflow\n",
253 			       __FILE__, __LINE__);
254 			return value == -ETIMEDOUT ? value : -EIO;
255 		}
256 
257 		burst = burst_count(value);
258 		if ((offset == (len - 1)) && burst) {
259 			/*
260 			 * We need to be able to send the last byte to the
261 			 * device, so burst size must be nonzero before we
262 			 * break out.
263 			 */
264 			break;
265 		}
266 	}
267 
268 	/* Send the last byte. */
269 	tpm_write_byte(priv, data[offset++], &regs[locality].data);
270 	/*
271 	 * Verify that TPM does not expect any more data as part of this
272 	 * command.
273 	 */
274 	value = tis_wait_reg(priv, &regs[locality].tpm_status,
275 			     TIS_STS_VALID, TIS_STS_VALID);
276 	if ((value == -ETIMEDOUT) || (value & TIS_STS_EXPECT)) {
277 		printf("%s:%d unexpected TPM status 0x%x\n",
278 		       __FILE__, __LINE__, value);
279 		return value == -ETIMEDOUT ? value : -EIO;
280 	}
281 
282 	/* OK, sitting pretty, let's start the command execution. */
283 	tpm_write_word(priv, TIS_STS_TPM_GO, &regs[locality].tpm_status);
284 	return 0;
285 }
286 
287 /*
288  * tis_readresponse()
289  *
290  * read the TPM device response after a command was issued.
291  *
292  * @buffer - address where to read the response, byte by byte.
293  * @len - pointer to the size of buffer
294  *
295  * On success stores the number of received bytes to len and returns 0. On
296  * errors (misformatted TPM data or synchronization problems) returns
297  * -ve value.
298  */
299 static int tis_readresponse(struct udevice *dev, u8 *buffer, size_t len)
300 {
301 	struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
302 	struct tpm_locality *regs = priv->regs;
303 	u16 burst;
304 	u32 value;
305 	u32 offset = 0;
306 	u8 locality = 0;
307 	const u32 has_data = TIS_STS_DATA_AVAILABLE | TIS_STS_VALID;
308 	u32 expected_count = len;
309 	int max_cycles = 0;
310 
311 	/* Wait for the TPM to process the command. */
312 	value = tis_wait_reg(priv, &regs[locality].tpm_status,
313 			      has_data, has_data);
314 	if (value == -ETIMEDOUT) {
315 		printf("%s:%d failed processing command\n",
316 		       __FILE__, __LINE__);
317 		return value;
318 	}
319 
320 	do {
321 		while ((burst = burst_count(value)) == 0) {
322 			if (max_cycles++ == MAX_DELAY_US) {
323 				printf("%s:%d TPM stuck on read\n",
324 				       __FILE__, __LINE__);
325 				return -EIO;
326 			}
327 			udelay(1);
328 			value = tpm_read_word(priv, &regs[locality].tpm_status);
329 		}
330 
331 		max_cycles = 0;
332 
333 		while (burst-- && (offset < expected_count)) {
334 			buffer[offset++] = tpm_read_byte(priv,
335 						&regs[locality].data);
336 
337 			if (offset == 6) {
338 				/*
339 				 * We got the first six bytes of the reply,
340 				 * let's figure out how many bytes to expect
341 				 * total - it is stored as a 4 byte number in
342 				 * network order, starting with offset 2 into
343 				 * the body of the reply.
344 				 */
345 				u32 real_length;
346 				memcpy(&real_length,
347 				       buffer + 2,
348 				       sizeof(real_length));
349 				expected_count = be32_to_cpu(real_length);
350 
351 				if ((expected_count < offset) ||
352 				    (expected_count > len)) {
353 					printf("%s:%d bad response size %d\n",
354 					       __FILE__, __LINE__,
355 					       expected_count);
356 					return -ENOSPC;
357 				}
358 			}
359 		}
360 
361 		/* Wait for the next portion. */
362 		value = tis_wait_reg(priv, &regs[locality].tpm_status,
363 				     TIS_STS_VALID, TIS_STS_VALID);
364 		if (value == -ETIMEDOUT) {
365 			printf("%s:%d failed to read response\n",
366 			       __FILE__, __LINE__);
367 			return value;
368 		}
369 
370 		if (offset == expected_count)
371 			break;	/* We got all we needed. */
372 
373 	} while ((value & has_data) == has_data);
374 
375 	/*
376 	 * Make sure we indeed read all there was. The TIS_STS_VALID bit is
377 	 * known to be set.
378 	 */
379 	if (value & TIS_STS_DATA_AVAILABLE) {
380 		printf("%s:%d wrong receive status %x\n",
381 		       __FILE__, __LINE__, value);
382 		return -EBADMSG;
383 	}
384 
385 	/* Tell the TPM that we are done. */
386 	tpm_write_word(priv, TIS_STS_COMMAND_READY,
387 		       &regs[locality].tpm_status);
388 
389 	return offset;
390 }
391 
392 static int tpm_tis_lpc_open(struct udevice *dev)
393 {
394 	struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
395 	struct tpm_locality *regs = priv->regs;
396 	u8 locality = 0; /* we use locality zero for everything. */
397 	int ret;
398 
399 	/* now request access to locality. */
400 	tpm_write_word(priv, TIS_ACCESS_REQUEST_USE, &regs[locality].access);
401 
402 	/* did we get a lock? */
403 	ret = tis_wait_reg(priv, &regs[locality].access,
404 			 TIS_ACCESS_ACTIVE_LOCALITY,
405 			 TIS_ACCESS_ACTIVE_LOCALITY);
406 	if (ret == -ETIMEDOUT) {
407 		printf("%s:%d - failed to lock locality %d\n",
408 		       __FILE__, __LINE__, locality);
409 		return ret;
410 	}
411 
412 	tpm_write_word(priv, TIS_STS_COMMAND_READY,
413 		       &regs[locality].tpm_status);
414 	return 0;
415 }
416 
417 static int tpm_tis_lpc_close(struct udevice *dev)
418 {
419 	struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
420 	struct tpm_locality *regs = priv->regs;
421 	u8 locality = 0;
422 
423 	if (tpm_read_word(priv, &regs[locality].access) &
424 	    TIS_ACCESS_ACTIVE_LOCALITY) {
425 		tpm_write_word(priv, TIS_ACCESS_ACTIVE_LOCALITY,
426 			       &regs[locality].access);
427 
428 		if (tis_wait_reg(priv, &regs[locality].access,
429 				 TIS_ACCESS_ACTIVE_LOCALITY, 0) == -ETIMEDOUT) {
430 			printf("%s:%d - failed to release locality %d\n",
431 			       __FILE__, __LINE__, locality);
432 			return -ETIMEDOUT;
433 		}
434 	}
435 	return 0;
436 }
437 
438 static int tpm_tis_get_desc(struct udevice *dev, char *buf, int size)
439 {
440 	ulong chip_type = dev_get_driver_data(dev);
441 
442 	if (size < 50)
443 		return -ENOSPC;
444 
445 	return snprintf(buf, size, "1.2 TPM (%s)",
446 			chip_name[chip_type]);
447 }
448 
449 
450 static const struct tpm_ops tpm_tis_lpc_ops = {
451 	.open		= tpm_tis_lpc_open,
452 	.close		= tpm_tis_lpc_close,
453 	.get_desc	= tpm_tis_get_desc,
454 	.send		= tis_senddata,
455 	.recv		= tis_readresponse,
456 };
457 
458 static const struct udevice_id tpm_tis_lpc_ids[] = {
459 	{ .compatible = "infineon,slb9635lpc", .data = SLB9635 },
460 	{ .compatible = "atmel,at97sc3204", .data = AT97SC3204 },
461 	{ }
462 };
463 
464 U_BOOT_DRIVER(tpm_tis_lpc) = {
465 	.name   = "tpm_tis_lpc",
466 	.id     = UCLASS_TPM,
467 	.of_match = tpm_tis_lpc_ids,
468 	.ops    = &tpm_tis_lpc_ops,
469 	.probe	= tpm_tis_lpc_probe,
470 	.priv_auto_alloc_size = sizeof(struct tpm_tis_lpc_priv),
471 };
472