1 /*-
2 * Copyright (c) 2018 Stormshield.
3 * Copyright (c) 2018 Semihalf.
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
19 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
20 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
23 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
24 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25 * POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 #include "tpm20.h"
30 #include "tpm_if.h"
31
32 /*
33 * TIS register space as defined in
34 * TCG_PC_Client_Platform_TPM_Profile_PTP_2.0_r1.03_v22
35 */
36 #define TPM_ACCESS 0x0
37 #define TPM_INT_ENABLE 0x8
38 #define TPM_INT_VECTOR 0xc
39 #define TPM_INT_STS 0x10
40 #define TPM_INTF_CAPS 0x14
41 #define TPM_STS 0x18
42 #define TPM_DATA_FIFO 0x24
43 #define TPM_INTF_ID 0x30
44 #define TPM_XDATA_FIFO 0x80
45 #define TPM_DID_VID 0xF00
46 #define TPM_RID 0xF04
47
48 #define TPM_ACCESS_LOC_REQ BIT(1)
49 #define TPM_ACCESS_LOC_Seize BIT(3)
50 #define TPM_ACCESS_LOC_ACTIVE BIT(5)
51 #define TPM_ACCESS_LOC_RELINQUISH BIT(5)
52 #define TPM_ACCESS_VALID BIT(7)
53
54 #define TPM_INT_ENABLE_GLOBAL_ENABLE BIT(31)
55 #define TPM_INT_ENABLE_CMD_RDY BIT(7)
56 #define TPM_INT_ENABLE_LOC_CHANGE BIT(2)
57 #define TPM_INT_ENABLE_STS_VALID BIT(1)
58 #define TPM_INT_ENABLE_DATA_AVAIL BIT(0)
59
60 #define TPM_INT_STS_CMD_RDY BIT(7)
61 #define TPM_INT_STS_LOC_CHANGE BIT(2)
62 #define TPM_INT_STS_VALID BIT(1)
63 #define TPM_INT_STS_DATA_AVAIL BIT(0)
64
65 #define TPM_INTF_CAPS_VERSION 0x70000000
66 #define TPM_INTF_CAPS_TPM20 0x30000000
67
68 #define TPM_STS_VALID BIT(7)
69 #define TPM_STS_CMD_RDY BIT(6)
70 #define TPM_STS_CMD_START BIT(5)
71 #define TPM_STS_DATA_AVAIL BIT(4)
72 #define TPM_STS_DATA_EXPECTED BIT(3)
73 #define TPM_STS_BURST_MASK 0xFFFF00
74 #define TPM_STS_BURST_OFFSET 0x8
75
76 static int tpmtis_transmit(device_t dev, size_t length);
77
78 static int tpmtis_detach(device_t dev);
79
80 static void tpmtis_intr_handler(void *arg);
81
82 static void tpmtis_setup_intr(struct tpm_sc *sc);
83
84 static bool tpmtis_read_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf);
85 static bool tpmtis_write_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf);
86 static bool tpmtis_request_locality(struct tpm_sc *sc, int locality);
87 static void tpmtis_relinquish_locality(struct tpm_sc *sc);
88 static bool tpmtis_go_ready(struct tpm_sc *sc);
89
90 static bool tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off,
91 uint32_t mask, uint32_t val, int32_t timeout);
92
93 static uint16_t tpmtis_wait_for_burst(struct tpm_sc *sc);
94
95 int
tpmtis_attach(device_t dev)96 tpmtis_attach(device_t dev)
97 {
98 struct tpm_sc *sc;
99 int result;
100 int poll = 0;
101
102 sc = device_get_softc(dev);
103 sc->dev = dev;
104 sc->intr_type = -1;
105
106 sx_init(&sc->dev_lock, "TPM driver lock");
107 sc->buf = malloc(TPM_BUFSIZE, M_TPM20, M_WAITOK);
108
109 resource_int_value("tpm", device_get_unit(dev), "use_polling", &poll);
110 if (poll != 0) {
111 device_printf(dev, "Using poll method to get TPM operation status \n");
112 goto skip_irq;
113 }
114
115 sc->irq_rid = 0;
116 sc->irq_res = bus_alloc_resource_any(dev, SYS_RES_IRQ, &sc->irq_rid,
117 RF_ACTIVE | RF_SHAREABLE);
118 if (sc->irq_res == NULL)
119 goto skip_irq;
120
121 result = bus_setup_intr(dev, sc->irq_res, INTR_TYPE_MISC | INTR_MPSAFE,
122 NULL, tpmtis_intr_handler, sc, &sc->intr_cookie);
123 if (result != 0) {
124 bus_release_resource(dev, SYS_RES_IRQ, sc->irq_rid, sc->irq_res);
125 goto skip_irq;
126 }
127 tpmtis_setup_intr(sc);
128
129 skip_irq:
130 result = tpm20_init(sc);
131 if (result != 0)
132 tpmtis_detach(dev);
133
134 return (result);
135 }
136
137 static int
tpmtis_detach(device_t dev)138 tpmtis_detach(device_t dev)
139 {
140 struct tpm_sc *sc;
141
142 sc = device_get_softc(dev);
143 tpm20_release(sc);
144
145 if (sc->intr_cookie != NULL)
146 bus_teardown_intr(dev, sc->irq_res, sc->intr_cookie);
147
148 if (sc->irq_res != NULL)
149 bus_release_resource(dev, SYS_RES_IRQ,
150 sc->irq_rid, sc->irq_res);
151
152 if (sc->mem_res != NULL)
153 bus_release_resource(dev, SYS_RES_MEMORY,
154 sc->mem_rid, sc->mem_res);
155
156 return (0);
157 }
158
159 /*
160 * Test if the advertisted interrupt actually works.
161 * This sends a simple command. (GetRandom)
162 * Interrupts are then enabled in the handler.
163 */
164 static void
tpmtis_test_intr(struct tpm_sc * sc)165 tpmtis_test_intr(struct tpm_sc *sc)
166 {
167 uint8_t cmd[] = {
168 0x80, 0x01, /* TPM_ST_NO_SESSIONS tag*/
169 0x00, 0x00, 0x00, 0x0c, /* cmd length */
170 0x00, 0x00, 0x01, 0x7b, /* cmd TPM_CC_GetRandom */
171 0x00, 0x01 /* number of bytes requested */
172 };
173
174 sx_xlock(&sc->dev_lock);
175 memcpy(sc->buf, cmd, sizeof(cmd));
176 tpmtis_transmit(sc->dev, sizeof(cmd));
177 sc->pending_data_length = 0;
178 sx_xunlock(&sc->dev_lock);
179 }
180
181 static void
tpmtis_setup_intr(struct tpm_sc * sc)182 tpmtis_setup_intr(struct tpm_sc *sc)
183 {
184 uint32_t reg;
185 uint8_t irq;
186
187 irq = bus_get_resource_start(sc->dev, SYS_RES_IRQ, sc->irq_rid);
188
189 /*
190 * SIRQ has to be between 1 - 15.
191 * I found a system with ACPI table that reported a value of 0x2d.
192 * An attempt to use such value resulted in an interrupt storm.
193 */
194 if (irq == 0 || irq > 0xF)
195 return;
196
197 if(!tpmtis_request_locality(sc, 0))
198 sc->interrupts = false;
199
200 TPM_WRITE_1(sc->dev, TPM_INT_VECTOR, irq);
201
202 /* Clear all pending interrupts. */
203 reg = TPM_READ_4(sc->dev, TPM_INT_STS);
204 TPM_WRITE_4(sc->dev, TPM_INT_STS, reg);
205
206 reg = TPM_READ_4(sc->dev, TPM_INT_ENABLE);
207 reg |= TPM_INT_ENABLE_GLOBAL_ENABLE |
208 TPM_INT_ENABLE_DATA_AVAIL |
209 TPM_INT_ENABLE_LOC_CHANGE |
210 TPM_INT_ENABLE_CMD_RDY |
211 TPM_INT_ENABLE_STS_VALID;
212 TPM_WRITE_4(sc->dev, TPM_INT_ENABLE, reg);
213
214 tpmtis_relinquish_locality(sc);
215 tpmtis_test_intr(sc);
216 }
217
218 static void
tpmtis_intr_handler(void * arg)219 tpmtis_intr_handler(void *arg)
220 {
221 struct tpm_sc *sc;
222 uint32_t status;
223
224 sc = (struct tpm_sc *)arg;
225 status = TPM_READ_4(sc->dev, TPM_INT_STS);
226
227 TPM_WRITE_4(sc->dev, TPM_INT_STS, status);
228
229 /* Check for stray interrupts. */
230 if (sc->intr_type == -1 || (sc->intr_type & status) == 0)
231 return;
232
233 sc->interrupts = true;
234 wakeup(sc);
235 }
236
237 static bool
tpm_wait_for_u32(struct tpm_sc * sc,bus_size_t off,uint32_t mask,uint32_t val,int32_t timeout)238 tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off, uint32_t mask, uint32_t val,
239 int32_t timeout)
240 {
241
242 /* Check for condition */
243 if ((TPM_READ_4(sc->dev, off) & mask) == val)
244 return (true);
245
246 /* If interrupts are enabled sleep for timeout duration */
247 if(sc->interrupts && sc->intr_type != -1) {
248 tsleep(sc, PWAIT, "TPM WITH INTERRUPTS", timeout / tick);
249
250 sc->intr_type = -1;
251 return ((TPM_READ_4(sc->dev, off) & mask) == val);
252 }
253
254 /* If we don't have interrupts poll the device every tick */
255 while (timeout > 0) {
256 if ((TPM_READ_4(sc->dev, off) & mask) == val)
257 return (true);
258
259 pause("TPM POLLING", 1);
260 timeout -= tick;
261 }
262 return (false);
263 }
264
265 static uint16_t
tpmtis_wait_for_burst(struct tpm_sc * sc)266 tpmtis_wait_for_burst(struct tpm_sc *sc)
267 {
268 int timeout;
269 uint16_t burst_count;
270
271 timeout = TPM_TIMEOUT_A;
272
273 while (timeout-- > 0) {
274 burst_count = (TPM_READ_4(sc->dev, TPM_STS) & TPM_STS_BURST_MASK) >>
275 TPM_STS_BURST_OFFSET;
276 if (burst_count > 0)
277 break;
278
279 DELAY(1);
280 }
281 return (burst_count);
282 }
283
284 static bool
tpmtis_read_bytes(struct tpm_sc * sc,size_t count,uint8_t * buf)285 tpmtis_read_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf)
286 {
287 uint16_t burst_count;
288
289 while (count > 0) {
290 burst_count = tpmtis_wait_for_burst(sc);
291 if (burst_count == 0)
292 return (false);
293
294 burst_count = MIN(burst_count, count);
295 count -= burst_count;
296
297 while (burst_count-- > 0)
298 *buf++ = TPM_READ_1(sc->dev, TPM_DATA_FIFO);
299 }
300
301 return (true);
302 }
303
304 static bool
tpmtis_write_bytes(struct tpm_sc * sc,size_t count,uint8_t * buf)305 tpmtis_write_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf)
306 {
307 uint16_t burst_count;
308
309 while (count > 0) {
310 burst_count = tpmtis_wait_for_burst(sc);
311 if (burst_count == 0)
312 return (false);
313
314 burst_count = MIN(burst_count, count);
315 count -= burst_count;
316
317 while (burst_count-- > 0)
318 TPM_WRITE_1(sc->dev, TPM_DATA_FIFO, *buf++);
319 }
320
321 return (true);
322 }
323
324 static bool
tpmtis_request_locality(struct tpm_sc * sc,int locality)325 tpmtis_request_locality(struct tpm_sc *sc, int locality)
326 {
327 uint8_t mask;
328 int timeout;
329
330 /* Currently we only support Locality 0 */
331 if (locality != 0)
332 return (false);
333
334 mask = TPM_ACCESS_LOC_ACTIVE | TPM_ACCESS_VALID;
335 timeout = TPM_TIMEOUT_A;
336 sc->intr_type = TPM_INT_STS_LOC_CHANGE;
337
338 TPM_WRITE_1(sc->dev, TPM_ACCESS, TPM_ACCESS_LOC_REQ);
339 TPM_WRITE_BARRIER(sc->dev, TPM_ACCESS, 1);
340 if(sc->interrupts) {
341 tsleep(sc, PWAIT, "TPMLOCREQUEST with INTR", timeout / tick);
342 return ((TPM_READ_1(sc->dev, TPM_ACCESS) & mask) == mask);
343 } else {
344 while(timeout > 0) {
345 if ((TPM_READ_1(sc->dev, TPM_ACCESS) & mask) == mask)
346 return (true);
347
348 pause("TPMLOCREQUEST POLLING", 1);
349 timeout -= tick;
350 }
351 }
352
353 return (false);
354 }
355
356 static void
tpmtis_relinquish_locality(struct tpm_sc * sc)357 tpmtis_relinquish_locality(struct tpm_sc *sc)
358 {
359
360 /*
361 * Interrupts can only be cleared when a locality is active.
362 * Clear them now in case interrupt handler didn't make it in time.
363 */
364 if(sc->interrupts)
365 AND4(sc, TPM_INT_STS, TPM_READ_4(sc->dev, TPM_INT_STS));
366
367 OR1(sc, TPM_ACCESS, TPM_ACCESS_LOC_RELINQUISH);
368 }
369
370 static bool
tpmtis_go_ready(struct tpm_sc * sc)371 tpmtis_go_ready(struct tpm_sc *sc)
372 {
373 uint32_t mask;
374
375 mask = TPM_STS_CMD_RDY;
376 sc->intr_type = TPM_INT_STS_CMD_RDY;
377
378 TPM_WRITE_4(sc->dev, TPM_STS, TPM_STS_CMD_RDY);
379 TPM_WRITE_BARRIER(sc->dev, TPM_STS, 4);
380 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_B))
381 return (false);
382
383 return (true);
384 }
385
386 static int
tpmtis_transmit(device_t dev,size_t length)387 tpmtis_transmit(device_t dev, size_t length)
388 {
389 struct tpm_sc *sc;
390 size_t bytes_available;
391 uint32_t mask, curr_cmd;
392 int timeout;
393
394 sc = device_get_softc(dev);
395 sx_assert(&sc->dev_lock, SA_XLOCKED);
396
397 if (!tpmtis_request_locality(sc, 0)) {
398 device_printf(dev,
399 "Failed to obtain locality\n");
400 return (EIO);
401 }
402 if (!tpmtis_go_ready(sc)) {
403 device_printf(dev,
404 "Failed to switch to ready state\n");
405 return (EIO);
406 }
407 if (!tpmtis_write_bytes(sc, length, sc->buf)) {
408 device_printf(dev,
409 "Failed to write cmd to device\n");
410 return (EIO);
411 }
412
413 mask = TPM_STS_VALID;
414 sc->intr_type = TPM_INT_STS_VALID;
415 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_C)) {
416 device_printf(dev,
417 "Timeout while waiting for valid bit\n");
418 return (EIO);
419 }
420 if (TPM_READ_4(dev, TPM_STS) & TPM_STS_DATA_EXPECTED) {
421 device_printf(dev,
422 "Device expects more data even though we already"
423 " sent everything we had\n");
424 return (EIO);
425 }
426
427 /*
428 * Calculate timeout for current command.
429 * Command code is passed in bytes 6-10.
430 */
431 curr_cmd = be32toh(*(uint32_t *) (&sc->buf[6]));
432 timeout = tpm20_get_timeout(curr_cmd);
433
434 TPM_WRITE_4(dev, TPM_STS, TPM_STS_CMD_START);
435 TPM_WRITE_BARRIER(dev, TPM_STS, 4);
436
437 mask = TPM_STS_DATA_AVAIL | TPM_STS_VALID;
438 sc->intr_type = TPM_INT_STS_DATA_AVAIL;
439 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, timeout)) {
440 device_printf(dev,
441 "Timeout while waiting for device to process cmd\n");
442 /*
443 * Switching to ready state also cancels processing
444 * current command
445 */
446 if (!tpmtis_go_ready(sc))
447 return (EIO);
448
449 /*
450 * After canceling a command we should get a response,
451 * check if there is one.
452 */
453 sc->intr_type = TPM_INT_STS_DATA_AVAIL;
454 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_C))
455 return (EIO);
456 }
457 /* Read response header. Length is passed in bytes 2 - 6. */
458 if(!tpmtis_read_bytes(sc, TPM_HEADER_SIZE, sc->buf)) {
459 device_printf(dev,
460 "Failed to read response header\n");
461 return (EIO);
462 }
463 bytes_available = be32toh(*(uint32_t *) (&sc->buf[2]));
464
465 if (bytes_available > TPM_BUFSIZE || bytes_available < TPM_HEADER_SIZE) {
466 device_printf(dev,
467 "Incorrect response size: %zu\n",
468 bytes_available);
469 return (EIO);
470 }
471 if(!tpmtis_read_bytes(sc, bytes_available - TPM_HEADER_SIZE,
472 &sc->buf[TPM_HEADER_SIZE])) {
473 device_printf(dev,
474 "Failed to read response\n");
475 return (EIO);
476 }
477 tpmtis_relinquish_locality(sc);
478 sc->pending_data_length = bytes_available;
479 sc->total_length = bytes_available;
480
481 return (0);
482 }
483
484 /* ACPI Driver */
485 static device_method_t tpmtis_methods[] = {
486 DEVMETHOD(device_attach, tpmtis_attach),
487 DEVMETHOD(device_detach, tpmtis_detach),
488 DEVMETHOD(device_shutdown, tpm20_shutdown),
489 DEVMETHOD(device_suspend, tpm20_suspend),
490 DEVMETHOD(tpm_transmit, tpmtis_transmit),
491 DEVMETHOD_END
492 };
493
494 DEFINE_CLASS_0(tpmtis, tpmtis_driver, tpmtis_methods, sizeof(struct tpm_sc));
495