xref: /openbmc/u-boot/drivers/tpm/tpm_tis_lpc.c (revision 7ca6f363)
1 /*
2  * Copyright (c) 2011 The Chromium OS Authors.
3  *
4  * SPDX-License-Identifier:	GPL-2.0+
5  */
6 
7 /*
8  * The code in this file is based on the article "Writing a TPM Device Driver"
9  * published on http://ptgmedia.pearsoncmg.com.
10  *
11  * One principal difference is that in the simplest config the other than 0
12  * TPM localities do not get mapped by some devices (for instance, by Infineon
13  * slb9635), so this driver provides access to locality 0 only.
14  */
15 
16 #include <common.h>
17 #include <asm/io.h>
18 #include <tpm.h>
19 
20 #define PREFIX "lpc_tpm: "
21 
22 struct tpm_locality {
23 	u32 access;
24 	u8 padding0[4];
25 	u32 int_enable;
26 	u8 vector;
27 	u8 padding1[3];
28 	u32 int_status;
29 	u32 int_capability;
30 	u32 tpm_status;
31 	u8 padding2[8];
32 	u8 data;
33 	u8 padding3[3803];
34 	u32 did_vid;
35 	u8 rid;
36 	u8 padding4[251];
37 };
38 
39 /*
40  * This pointer refers to the TPM chip, 5 of its localities are mapped as an
41  * array.
42  */
43 #define TPM_TOTAL_LOCALITIES	5
44 static struct tpm_locality *lpc_tpm_dev =
45 	(struct tpm_locality *)CONFIG_TPM_TIS_BASE_ADDRESS;
46 
47 /* Some registers' bit field definitions */
48 #define TIS_STS_VALID                  (1 << 7) /* 0x80 */
49 #define TIS_STS_COMMAND_READY          (1 << 6) /* 0x40 */
50 #define TIS_STS_TPM_GO                 (1 << 5) /* 0x20 */
51 #define TIS_STS_DATA_AVAILABLE         (1 << 4) /* 0x10 */
52 #define TIS_STS_EXPECT                 (1 << 3) /* 0x08 */
53 #define TIS_STS_RESPONSE_RETRY         (1 << 1) /* 0x02 */
54 
55 #define TIS_ACCESS_TPM_REG_VALID_STS   (1 << 7) /* 0x80 */
56 #define TIS_ACCESS_ACTIVE_LOCALITY     (1 << 5) /* 0x20 */
57 #define TIS_ACCESS_BEEN_SEIZED         (1 << 4) /* 0x10 */
58 #define TIS_ACCESS_SEIZE               (1 << 3) /* 0x08 */
59 #define TIS_ACCESS_PENDING_REQUEST     (1 << 2) /* 0x04 */
60 #define TIS_ACCESS_REQUEST_USE         (1 << 1) /* 0x02 */
61 #define TIS_ACCESS_TPM_ESTABLISHMENT   (1 << 0) /* 0x01 */
62 
63 #define TIS_STS_BURST_COUNT_MASK       (0xffff)
64 #define TIS_STS_BURST_COUNT_SHIFT      (8)
65 
66 /*
67  * Error value returned if a tpm register does not enter the expected state
68  * after continuous polling. No actual TPM register reading ever returns -1,
69  * so this value is a safe error indication to be mixed with possible status
70  * register values.
71  */
72 #define TPM_TIMEOUT_ERR			(-1)
73 
74 /* Error value returned on various TPM driver errors. */
75 #define TPM_DRIVER_ERR		(1)
76 
77  /* 1 second is plenty for anything TPM does. */
78 #define MAX_DELAY_US	(1000 * 1000)
79 
80 /* Retrieve burst count value out of the status register contents. */
81 static u16 burst_count(u32 status)
82 {
83 	return (status >> TIS_STS_BURST_COUNT_SHIFT) & TIS_STS_BURST_COUNT_MASK;
84 }
85 
86 /*
87  * Structures defined below allow creating descriptions of TPM vendor/device
88  * ID information for run time discovery. The only device the system knows
89  * about at this time is Infineon slb9635.
90  */
91 struct device_name {
92 	u16 dev_id;
93 	const char * const dev_name;
94 };
95 
96 struct vendor_name {
97 	u16 vendor_id;
98 	const char *vendor_name;
99 	const struct device_name *dev_names;
100 };
101 
102 static const struct device_name infineon_devices[] = {
103 	{0xb, "SLB9635 TT 1.2"},
104 	{0}
105 };
106 
107 static const struct vendor_name vendor_names[] = {
108 	{0x15d1, "Infineon", infineon_devices},
109 };
110 
111 /*
112  * Cached vendor/device ID pair to indicate that the device has been already
113  * discovered.
114  */
115 static u32 vendor_dev_id;
116 
117 /* TPM access wrappers to support tracing */
118 static u8 tpm_read_byte(const u8 *ptr)
119 {
120 	u8  ret = readb(ptr);
121 	debug(PREFIX "Read reg 0x%4.4x returns 0x%2.2x\n",
122 	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, ret);
123 	return ret;
124 }
125 
126 static u32 tpm_read_word(const u32 *ptr)
127 {
128 	u32  ret = readl(ptr);
129 	debug(PREFIX "Read reg 0x%4.4x returns 0x%8.8x\n",
130 	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, ret);
131 	return ret;
132 }
133 
134 static void tpm_write_byte(u8 value, u8 *ptr)
135 {
136 	debug(PREFIX "Write reg 0x%4.4x with 0x%2.2x\n",
137 	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, value);
138 	writeb(value, ptr);
139 }
140 
141 static void tpm_write_word(u32 value, u32 *ptr)
142 {
143 	debug(PREFIX "Write reg 0x%4.4x with 0x%8.8x\n",
144 	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, value);
145 	writel(value, ptr);
146 }
147 
148 /*
149  * tis_wait_reg()
150  *
151  * Wait for at least a second for a register to change its state to match the
152  * expected state. Normally the transition happens within microseconds.
153  *
154  * @reg - pointer to the TPM register
155  * @mask - bitmask for the bitfield(s) to watch
156  * @expected - value the field(s) are supposed to be set to
157  *
158  * Returns the register contents in case the expected value was found in the
159  * appropriate register bits, or TPM_TIMEOUT_ERR on timeout.
160  */
161 static u32 tis_wait_reg(u32 *reg, u8 mask, u8 expected)
162 {
163 	u32 time_us = MAX_DELAY_US;
164 
165 	while (time_us > 0) {
166 		u32 value = tpm_read_word(reg);
167 		if ((value & mask) == expected)
168 			return value;
169 		udelay(1); /* 1 us */
170 		time_us--;
171 	}
172 	return TPM_TIMEOUT_ERR;
173 }
174 
175 /*
176  * Probe the TPM device and try determining its manufacturer/device name.
177  *
178  * Returns 0 on success (the device is found or was found during an earlier
179  * invocation) or TPM_DRIVER_ERR if the device is not found.
180  */
181 int tis_init(void)
182 {
183 	u32 didvid = tpm_read_word(&lpc_tpm_dev[0].did_vid);
184 	int i;
185 	const char *device_name = "unknown";
186 	const char *vendor_name = device_name;
187 	u16 vid, did;
188 
189 	if (vendor_dev_id)
190 		return 0;  /* Already probed. */
191 
192 	if (!didvid || (didvid == 0xffffffff)) {
193 		printf("%s: No TPM device found\n", __func__);
194 		return TPM_DRIVER_ERR;
195 	}
196 
197 	vendor_dev_id = didvid;
198 
199 	vid = didvid & 0xffff;
200 	did = (didvid >> 16) & 0xffff;
201 	for (i = 0; i < ARRAY_SIZE(vendor_names); i++) {
202 		int j = 0;
203 		u16 known_did;
204 
205 		if (vid == vendor_names[i].vendor_id)
206 			vendor_name = vendor_names[i].vendor_name;
207 
208 		while ((known_did = vendor_names[i].dev_names[j].dev_id) != 0) {
209 			if (known_did == did) {
210 				device_name =
211 					vendor_names[i].dev_names[j].dev_name;
212 				break;
213 			}
214 			j++;
215 		}
216 		break;
217 	}
218 
219 	printf("Found TPM %s by %s\n", device_name, vendor_name);
220 	return 0;
221 }
222 
223 /*
224  * tis_senddata()
225  *
226  * send the passed in data to the TPM device.
227  *
228  * @data - address of the data to send, byte by byte
229  * @len - length of the data to send
230  *
231  * Returns 0 on success, TPM_DRIVER_ERR on error (in case the device does
232  * not accept the entire command).
233  */
234 static u32 tis_senddata(const u8 * const data, u32 len)
235 {
236 	u32 offset = 0;
237 	u16 burst = 0;
238 	u32 max_cycles = 0;
239 	u8 locality = 0;
240 	u32 value;
241 
242 	value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
243 			     TIS_STS_COMMAND_READY, TIS_STS_COMMAND_READY);
244 	if (value == TPM_TIMEOUT_ERR) {
245 		printf("%s:%d - failed to get 'command_ready' status\n",
246 		       __FILE__, __LINE__);
247 		return TPM_DRIVER_ERR;
248 	}
249 	burst = burst_count(value);
250 
251 	while (1) {
252 		unsigned count;
253 
254 		/* Wait till the device is ready to accept more data. */
255 		while (!burst) {
256 			if (max_cycles++ == MAX_DELAY_US) {
257 				printf("%s:%d failed to feed %d bytes of %d\n",
258 				       __FILE__, __LINE__, len - offset, len);
259 				return TPM_DRIVER_ERR;
260 			}
261 			udelay(1);
262 			burst = burst_count(tpm_read_word(&lpc_tpm_dev
263 						     [locality].tpm_status));
264 		}
265 
266 		max_cycles = 0;
267 
268 		/*
269 		 * Calculate number of bytes the TPM is ready to accept in one
270 		 * shot.
271 		 *
272 		 * We want to send the last byte outside of the loop (hence
273 		 * the -1 below) to make sure that the 'expected' status bit
274 		 * changes to zero exactly after the last byte is fed into the
275 		 * FIFO.
276 		 */
277 		count = min(burst, len - offset - 1);
278 		while (count--)
279 			tpm_write_byte(data[offset++],
280 				  &lpc_tpm_dev[locality].data);
281 
282 		value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
283 				     TIS_STS_VALID, TIS_STS_VALID);
284 
285 		if ((value == TPM_TIMEOUT_ERR) || !(value & TIS_STS_EXPECT)) {
286 			printf("%s:%d TPM command feed overflow\n",
287 			       __FILE__, __LINE__);
288 			return TPM_DRIVER_ERR;
289 		}
290 
291 		burst = burst_count(value);
292 		if ((offset == (len - 1)) && burst) {
293 			/*
294 			 * We need to be able to send the last byte to the
295 			 * device, so burst size must be nonzero before we
296 			 * break out.
297 			 */
298 			break;
299 		}
300 	}
301 
302 	/* Send the last byte. */
303 	tpm_write_byte(data[offset++], &lpc_tpm_dev[locality].data);
304 	/*
305 	 * Verify that TPM does not expect any more data as part of this
306 	 * command.
307 	 */
308 	value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
309 			     TIS_STS_VALID, TIS_STS_VALID);
310 	if ((value == TPM_TIMEOUT_ERR) || (value & TIS_STS_EXPECT)) {
311 		printf("%s:%d unexpected TPM status 0x%x\n",
312 		       __FILE__, __LINE__, value);
313 		return TPM_DRIVER_ERR;
314 	}
315 
316 	/* OK, sitting pretty, let's start the command execution. */
317 	tpm_write_word(TIS_STS_TPM_GO, &lpc_tpm_dev[locality].tpm_status);
318 	return 0;
319 }
320 
321 /*
322  * tis_readresponse()
323  *
324  * read the TPM device response after a command was issued.
325  *
326  * @buffer - address where to read the response, byte by byte.
327  * @len - pointer to the size of buffer
328  *
329  * On success stores the number of received bytes to len and returns 0. On
330  * errors (misformatted TPM data or synchronization problems) returns
331  * TPM_DRIVER_ERR.
332  */
333 static u32 tis_readresponse(u8 *buffer, u32 *len)
334 {
335 	u16 burst;
336 	u32 value;
337 	u32 offset = 0;
338 	u8 locality = 0;
339 	const u32 has_data = TIS_STS_DATA_AVAILABLE | TIS_STS_VALID;
340 	u32 expected_count = *len;
341 	int max_cycles = 0;
342 
343 	/* Wait for the TPM to process the command. */
344 	value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
345 			      has_data, has_data);
346 	if (value == TPM_TIMEOUT_ERR) {
347 		printf("%s:%d failed processing command\n",
348 		       __FILE__, __LINE__);
349 		return TPM_DRIVER_ERR;
350 	}
351 
352 	do {
353 		while ((burst = burst_count(value)) == 0) {
354 			if (max_cycles++ == MAX_DELAY_US) {
355 				printf("%s:%d TPM stuck on read\n",
356 				       __FILE__, __LINE__);
357 				return TPM_DRIVER_ERR;
358 			}
359 			udelay(1);
360 			value = tpm_read_word(&lpc_tpm_dev
361 					      [locality].tpm_status);
362 		}
363 
364 		max_cycles = 0;
365 
366 		while (burst-- && (offset < expected_count)) {
367 			buffer[offset++] = tpm_read_byte(&lpc_tpm_dev
368 							 [locality].data);
369 
370 			if (offset == 6) {
371 				/*
372 				 * We got the first six bytes of the reply,
373 				 * let's figure out how many bytes to expect
374 				 * total - it is stored as a 4 byte number in
375 				 * network order, starting with offset 2 into
376 				 * the body of the reply.
377 				 */
378 				u32 real_length;
379 				memcpy(&real_length,
380 				       buffer + 2,
381 				       sizeof(real_length));
382 				expected_count = be32_to_cpu(real_length);
383 
384 				if ((expected_count < offset) ||
385 				    (expected_count > *len)) {
386 					printf("%s:%d bad response size %d\n",
387 					       __FILE__, __LINE__,
388 					       expected_count);
389 					return TPM_DRIVER_ERR;
390 				}
391 			}
392 		}
393 
394 		/* Wait for the next portion. */
395 		value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
396 				     TIS_STS_VALID, TIS_STS_VALID);
397 		if (value == TPM_TIMEOUT_ERR) {
398 			printf("%s:%d failed to read response\n",
399 			       __FILE__, __LINE__);
400 			return TPM_DRIVER_ERR;
401 		}
402 
403 		if (offset == expected_count)
404 			break;	/* We got all we needed. */
405 
406 	} while ((value & has_data) == has_data);
407 
408 	/*
409 	 * Make sure we indeed read all there was. The TIS_STS_VALID bit is
410 	 * known to be set.
411 	 */
412 	if (value & TIS_STS_DATA_AVAILABLE) {
413 		printf("%s:%d wrong receive status %x\n",
414 		       __FILE__, __LINE__, value);
415 		return TPM_DRIVER_ERR;
416 	}
417 
418 	/* Tell the TPM that we are done. */
419 	tpm_write_word(TIS_STS_COMMAND_READY, &lpc_tpm_dev
420 		  [locality].tpm_status);
421 	*len = offset;
422 	return 0;
423 }
424 
425 int tis_open(void)
426 {
427 	u8 locality = 0; /* we use locality zero for everything. */
428 
429 	if (tis_close())
430 		return TPM_DRIVER_ERR;
431 
432 	/* now request access to locality. */
433 	tpm_write_word(TIS_ACCESS_REQUEST_USE, &lpc_tpm_dev[locality].access);
434 
435 	/* did we get a lock? */
436 	if (tis_wait_reg(&lpc_tpm_dev[locality].access,
437 			 TIS_ACCESS_ACTIVE_LOCALITY,
438 			 TIS_ACCESS_ACTIVE_LOCALITY) == TPM_TIMEOUT_ERR) {
439 		printf("%s:%d - failed to lock locality %d\n",
440 		       __FILE__, __LINE__, locality);
441 		return TPM_DRIVER_ERR;
442 	}
443 
444 	tpm_write_word(TIS_STS_COMMAND_READY,
445 		       &lpc_tpm_dev[locality].tpm_status);
446 	return 0;
447 }
448 
449 int tis_close(void)
450 {
451 	u8 locality = 0;
452 
453 	if (tpm_read_word(&lpc_tpm_dev[locality].access) &
454 	    TIS_ACCESS_ACTIVE_LOCALITY) {
455 		tpm_write_word(TIS_ACCESS_ACTIVE_LOCALITY,
456 			       &lpc_tpm_dev[locality].access);
457 
458 		if (tis_wait_reg(&lpc_tpm_dev[locality].access,
459 				 TIS_ACCESS_ACTIVE_LOCALITY, 0) ==
460 		    TPM_TIMEOUT_ERR) {
461 			printf("%s:%d - failed to release locality %d\n",
462 			       __FILE__, __LINE__, locality);
463 			return TPM_DRIVER_ERR;
464 		}
465 	}
466 	return 0;
467 }
468 
469 int tis_sendrecv(const u8 *sendbuf, size_t send_size,
470 		 u8 *recvbuf, size_t *recv_len)
471 {
472 	if (tis_senddata(sendbuf, send_size)) {
473 		printf("%s:%d failed sending data to TPM\n",
474 		       __FILE__, __LINE__);
475 		return TPM_DRIVER_ERR;
476 	}
477 
478 	return tis_readresponse(recvbuf, (u32 *)recv_len);
479 }
480