1 /* 2 * Copyright (c) 2011 The Chromium OS Authors. 3 * 4 * SPDX-License-Identifier: GPL-2.0+ 5 */ 6 7 /* 8 * The code in this file is based on the article "Writing a TPM Device Driver" 9 * published on http://ptgmedia.pearsoncmg.com. 10 * 11 * One principal difference is that in the simplest config the other than 0 12 * TPM localities do not get mapped by some devices (for instance, by Infineon 13 * slb9635), so this driver provides access to locality 0 only. 14 */ 15 16 #include <common.h> 17 #include <asm/io.h> 18 #include <tpm.h> 19 20 #define PREFIX "lpc_tpm: " 21 22 struct tpm_locality { 23 u32 access; 24 u8 padding0[4]; 25 u32 int_enable; 26 u8 vector; 27 u8 padding1[3]; 28 u32 int_status; 29 u32 int_capability; 30 u32 tpm_status; 31 u8 padding2[8]; 32 u8 data; 33 u8 padding3[3803]; 34 u32 did_vid; 35 u8 rid; 36 u8 padding4[251]; 37 }; 38 39 /* 40 * This pointer refers to the TPM chip, 5 of its localities are mapped as an 41 * array. 42 */ 43 #define TPM_TOTAL_LOCALITIES 5 44 static struct tpm_locality *lpc_tpm_dev = 45 (struct tpm_locality *)CONFIG_TPM_TIS_BASE_ADDRESS; 46 47 /* Some registers' bit field definitions */ 48 #define TIS_STS_VALID (1 << 7) /* 0x80 */ 49 #define TIS_STS_COMMAND_READY (1 << 6) /* 0x40 */ 50 #define TIS_STS_TPM_GO (1 << 5) /* 0x20 */ 51 #define TIS_STS_DATA_AVAILABLE (1 << 4) /* 0x10 */ 52 #define TIS_STS_EXPECT (1 << 3) /* 0x08 */ 53 #define TIS_STS_RESPONSE_RETRY (1 << 1) /* 0x02 */ 54 55 #define TIS_ACCESS_TPM_REG_VALID_STS (1 << 7) /* 0x80 */ 56 #define TIS_ACCESS_ACTIVE_LOCALITY (1 << 5) /* 0x20 */ 57 #define TIS_ACCESS_BEEN_SEIZED (1 << 4) /* 0x10 */ 58 #define TIS_ACCESS_SEIZE (1 << 3) /* 0x08 */ 59 #define TIS_ACCESS_PENDING_REQUEST (1 << 2) /* 0x04 */ 60 #define TIS_ACCESS_REQUEST_USE (1 << 1) /* 0x02 */ 61 #define TIS_ACCESS_TPM_ESTABLISHMENT (1 << 0) /* 0x01 */ 62 63 #define TIS_STS_BURST_COUNT_MASK (0xffff) 64 #define TIS_STS_BURST_COUNT_SHIFT (8) 65 66 /* 67 * Error value returned if a tpm register does not enter the expected state 68 * after continuous polling. No actual TPM register reading ever returns -1, 69 * so this value is a safe error indication to be mixed with possible status 70 * register values. 71 */ 72 #define TPM_TIMEOUT_ERR (-1) 73 74 /* Error value returned on various TPM driver errors. */ 75 #define TPM_DRIVER_ERR (1) 76 77 /* 1 second is plenty for anything TPM does. */ 78 #define MAX_DELAY_US (1000 * 1000) 79 80 /* Retrieve burst count value out of the status register contents. */ 81 static u16 burst_count(u32 status) 82 { 83 return (status >> TIS_STS_BURST_COUNT_SHIFT) & TIS_STS_BURST_COUNT_MASK; 84 } 85 86 /* 87 * Structures defined below allow creating descriptions of TPM vendor/device 88 * ID information for run time discovery. The only device the system knows 89 * about at this time is Infineon slb9635. 90 */ 91 struct device_name { 92 u16 dev_id; 93 const char * const dev_name; 94 }; 95 96 struct vendor_name { 97 u16 vendor_id; 98 const char *vendor_name; 99 const struct device_name *dev_names; 100 }; 101 102 static const struct device_name infineon_devices[] = { 103 {0xb, "SLB9635 TT 1.2"}, 104 {0} 105 }; 106 107 static const struct vendor_name vendor_names[] = { 108 {0x15d1, "Infineon", infineon_devices}, 109 }; 110 111 /* 112 * Cached vendor/device ID pair to indicate that the device has been already 113 * discovered. 114 */ 115 static u32 vendor_dev_id; 116 117 /* TPM access wrappers to support tracing */ 118 static u8 tpm_read_byte(const u8 *ptr) 119 { 120 u8 ret = readb(ptr); 121 debug(PREFIX "Read reg 0x%4.4x returns 0x%2.2x\n", 122 (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, ret); 123 return ret; 124 } 125 126 static u32 tpm_read_word(const u32 *ptr) 127 { 128 u32 ret = readl(ptr); 129 debug(PREFIX "Read reg 0x%4.4x returns 0x%8.8x\n", 130 (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, ret); 131 return ret; 132 } 133 134 static void tpm_write_byte(u8 value, u8 *ptr) 135 { 136 debug(PREFIX "Write reg 0x%4.4x with 0x%2.2x\n", 137 (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, value); 138 writeb(value, ptr); 139 } 140 141 static void tpm_write_word(u32 value, u32 *ptr) 142 { 143 debug(PREFIX "Write reg 0x%4.4x with 0x%8.8x\n", 144 (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, value); 145 writel(value, ptr); 146 } 147 148 /* 149 * tis_wait_reg() 150 * 151 * Wait for at least a second for a register to change its state to match the 152 * expected state. Normally the transition happens within microseconds. 153 * 154 * @reg - pointer to the TPM register 155 * @mask - bitmask for the bitfield(s) to watch 156 * @expected - value the field(s) are supposed to be set to 157 * 158 * Returns the register contents in case the expected value was found in the 159 * appropriate register bits, or TPM_TIMEOUT_ERR on timeout. 160 */ 161 static u32 tis_wait_reg(u32 *reg, u8 mask, u8 expected) 162 { 163 u32 time_us = MAX_DELAY_US; 164 165 while (time_us > 0) { 166 u32 value = tpm_read_word(reg); 167 if ((value & mask) == expected) 168 return value; 169 udelay(1); /* 1 us */ 170 time_us--; 171 } 172 return TPM_TIMEOUT_ERR; 173 } 174 175 /* 176 * Probe the TPM device and try determining its manufacturer/device name. 177 * 178 * Returns 0 on success (the device is found or was found during an earlier 179 * invocation) or TPM_DRIVER_ERR if the device is not found. 180 */ 181 int tis_init(void) 182 { 183 u32 didvid = tpm_read_word(&lpc_tpm_dev[0].did_vid); 184 int i; 185 const char *device_name = "unknown"; 186 const char *vendor_name = device_name; 187 u16 vid, did; 188 189 if (vendor_dev_id) 190 return 0; /* Already probed. */ 191 192 if (!didvid || (didvid == 0xffffffff)) { 193 printf("%s: No TPM device found\n", __func__); 194 return TPM_DRIVER_ERR; 195 } 196 197 vendor_dev_id = didvid; 198 199 vid = didvid & 0xffff; 200 did = (didvid >> 16) & 0xffff; 201 for (i = 0; i < ARRAY_SIZE(vendor_names); i++) { 202 int j = 0; 203 u16 known_did; 204 205 if (vid == vendor_names[i].vendor_id) 206 vendor_name = vendor_names[i].vendor_name; 207 208 while ((known_did = vendor_names[i].dev_names[j].dev_id) != 0) { 209 if (known_did == did) { 210 device_name = 211 vendor_names[i].dev_names[j].dev_name; 212 break; 213 } 214 j++; 215 } 216 break; 217 } 218 219 printf("Found TPM %s by %s\n", device_name, vendor_name); 220 return 0; 221 } 222 223 /* 224 * tis_senddata() 225 * 226 * send the passed in data to the TPM device. 227 * 228 * @data - address of the data to send, byte by byte 229 * @len - length of the data to send 230 * 231 * Returns 0 on success, TPM_DRIVER_ERR on error (in case the device does 232 * not accept the entire command). 233 */ 234 static u32 tis_senddata(const u8 * const data, u32 len) 235 { 236 u32 offset = 0; 237 u16 burst = 0; 238 u32 max_cycles = 0; 239 u8 locality = 0; 240 u32 value; 241 242 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 243 TIS_STS_COMMAND_READY, TIS_STS_COMMAND_READY); 244 if (value == TPM_TIMEOUT_ERR) { 245 printf("%s:%d - failed to get 'command_ready' status\n", 246 __FILE__, __LINE__); 247 return TPM_DRIVER_ERR; 248 } 249 burst = burst_count(value); 250 251 while (1) { 252 unsigned count; 253 254 /* Wait till the device is ready to accept more data. */ 255 while (!burst) { 256 if (max_cycles++ == MAX_DELAY_US) { 257 printf("%s:%d failed to feed %d bytes of %d\n", 258 __FILE__, __LINE__, len - offset, len); 259 return TPM_DRIVER_ERR; 260 } 261 udelay(1); 262 burst = burst_count(tpm_read_word(&lpc_tpm_dev 263 [locality].tpm_status)); 264 } 265 266 max_cycles = 0; 267 268 /* 269 * Calculate number of bytes the TPM is ready to accept in one 270 * shot. 271 * 272 * We want to send the last byte outside of the loop (hence 273 * the -1 below) to make sure that the 'expected' status bit 274 * changes to zero exactly after the last byte is fed into the 275 * FIFO. 276 */ 277 count = min(burst, len - offset - 1); 278 while (count--) 279 tpm_write_byte(data[offset++], 280 &lpc_tpm_dev[locality].data); 281 282 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 283 TIS_STS_VALID, TIS_STS_VALID); 284 285 if ((value == TPM_TIMEOUT_ERR) || !(value & TIS_STS_EXPECT)) { 286 printf("%s:%d TPM command feed overflow\n", 287 __FILE__, __LINE__); 288 return TPM_DRIVER_ERR; 289 } 290 291 burst = burst_count(value); 292 if ((offset == (len - 1)) && burst) { 293 /* 294 * We need to be able to send the last byte to the 295 * device, so burst size must be nonzero before we 296 * break out. 297 */ 298 break; 299 } 300 } 301 302 /* Send the last byte. */ 303 tpm_write_byte(data[offset++], &lpc_tpm_dev[locality].data); 304 /* 305 * Verify that TPM does not expect any more data as part of this 306 * command. 307 */ 308 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 309 TIS_STS_VALID, TIS_STS_VALID); 310 if ((value == TPM_TIMEOUT_ERR) || (value & TIS_STS_EXPECT)) { 311 printf("%s:%d unexpected TPM status 0x%x\n", 312 __FILE__, __LINE__, value); 313 return TPM_DRIVER_ERR; 314 } 315 316 /* OK, sitting pretty, let's start the command execution. */ 317 tpm_write_word(TIS_STS_TPM_GO, &lpc_tpm_dev[locality].tpm_status); 318 return 0; 319 } 320 321 /* 322 * tis_readresponse() 323 * 324 * read the TPM device response after a command was issued. 325 * 326 * @buffer - address where to read the response, byte by byte. 327 * @len - pointer to the size of buffer 328 * 329 * On success stores the number of received bytes to len and returns 0. On 330 * errors (misformatted TPM data or synchronization problems) returns 331 * TPM_DRIVER_ERR. 332 */ 333 static u32 tis_readresponse(u8 *buffer, u32 *len) 334 { 335 u16 burst; 336 u32 value; 337 u32 offset = 0; 338 u8 locality = 0; 339 const u32 has_data = TIS_STS_DATA_AVAILABLE | TIS_STS_VALID; 340 u32 expected_count = *len; 341 int max_cycles = 0; 342 343 /* Wait for the TPM to process the command. */ 344 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 345 has_data, has_data); 346 if (value == TPM_TIMEOUT_ERR) { 347 printf("%s:%d failed processing command\n", 348 __FILE__, __LINE__); 349 return TPM_DRIVER_ERR; 350 } 351 352 do { 353 while ((burst = burst_count(value)) == 0) { 354 if (max_cycles++ == MAX_DELAY_US) { 355 printf("%s:%d TPM stuck on read\n", 356 __FILE__, __LINE__); 357 return TPM_DRIVER_ERR; 358 } 359 udelay(1); 360 value = tpm_read_word(&lpc_tpm_dev 361 [locality].tpm_status); 362 } 363 364 max_cycles = 0; 365 366 while (burst-- && (offset < expected_count)) { 367 buffer[offset++] = tpm_read_byte(&lpc_tpm_dev 368 [locality].data); 369 370 if (offset == 6) { 371 /* 372 * We got the first six bytes of the reply, 373 * let's figure out how many bytes to expect 374 * total - it is stored as a 4 byte number in 375 * network order, starting with offset 2 into 376 * the body of the reply. 377 */ 378 u32 real_length; 379 memcpy(&real_length, 380 buffer + 2, 381 sizeof(real_length)); 382 expected_count = be32_to_cpu(real_length); 383 384 if ((expected_count < offset) || 385 (expected_count > *len)) { 386 printf("%s:%d bad response size %d\n", 387 __FILE__, __LINE__, 388 expected_count); 389 return TPM_DRIVER_ERR; 390 } 391 } 392 } 393 394 /* Wait for the next portion. */ 395 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status, 396 TIS_STS_VALID, TIS_STS_VALID); 397 if (value == TPM_TIMEOUT_ERR) { 398 printf("%s:%d failed to read response\n", 399 __FILE__, __LINE__); 400 return TPM_DRIVER_ERR; 401 } 402 403 if (offset == expected_count) 404 break; /* We got all we needed. */ 405 406 } while ((value & has_data) == has_data); 407 408 /* 409 * Make sure we indeed read all there was. The TIS_STS_VALID bit is 410 * known to be set. 411 */ 412 if (value & TIS_STS_DATA_AVAILABLE) { 413 printf("%s:%d wrong receive status %x\n", 414 __FILE__, __LINE__, value); 415 return TPM_DRIVER_ERR; 416 } 417 418 /* Tell the TPM that we are done. */ 419 tpm_write_word(TIS_STS_COMMAND_READY, &lpc_tpm_dev 420 [locality].tpm_status); 421 *len = offset; 422 return 0; 423 } 424 425 int tis_open(void) 426 { 427 u8 locality = 0; /* we use locality zero for everything. */ 428 429 if (tis_close()) 430 return TPM_DRIVER_ERR; 431 432 /* now request access to locality. */ 433 tpm_write_word(TIS_ACCESS_REQUEST_USE, &lpc_tpm_dev[locality].access); 434 435 /* did we get a lock? */ 436 if (tis_wait_reg(&lpc_tpm_dev[locality].access, 437 TIS_ACCESS_ACTIVE_LOCALITY, 438 TIS_ACCESS_ACTIVE_LOCALITY) == TPM_TIMEOUT_ERR) { 439 printf("%s:%d - failed to lock locality %d\n", 440 __FILE__, __LINE__, locality); 441 return TPM_DRIVER_ERR; 442 } 443 444 tpm_write_word(TIS_STS_COMMAND_READY, 445 &lpc_tpm_dev[locality].tpm_status); 446 return 0; 447 } 448 449 int tis_close(void) 450 { 451 u8 locality = 0; 452 453 if (tpm_read_word(&lpc_tpm_dev[locality].access) & 454 TIS_ACCESS_ACTIVE_LOCALITY) { 455 tpm_write_word(TIS_ACCESS_ACTIVE_LOCALITY, 456 &lpc_tpm_dev[locality].access); 457 458 if (tis_wait_reg(&lpc_tpm_dev[locality].access, 459 TIS_ACCESS_ACTIVE_LOCALITY, 0) == 460 TPM_TIMEOUT_ERR) { 461 printf("%s:%d - failed to release locality %d\n", 462 __FILE__, __LINE__, locality); 463 return TPM_DRIVER_ERR; 464 } 465 } 466 return 0; 467 } 468 469 int tis_sendrecv(const u8 *sendbuf, size_t send_size, 470 u8 *recvbuf, size_t *recv_len) 471 { 472 if (tis_senddata(sendbuf, send_size)) { 473 printf("%s:%d failed sending data to TPM\n", 474 __FILE__, __LINE__); 475 return TPM_DRIVER_ERR; 476 } 477 478 return tis_readresponse(recvbuf, (u32 *)recv_len); 479 } 480