1 /*- 2 * Copyright (c) 2018 Stormshield. 3 * Copyright (c) 2018 Semihalf. 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, 19 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 21 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 23 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 24 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #include "tpm20.h" 30 #include "tpm_if.h" 31 32 /* 33 * TIS register space as defined in 34 * TCG_PC_Client_Platform_TPM_Profile_PTP_2.0_r1.03_v22 35 */ 36 #define TPM_ACCESS 0x0 37 #define TPM_INT_ENABLE 0x8 38 #define TPM_INT_VECTOR 0xc 39 #define TPM_INT_STS 0x10 40 #define TPM_INTF_CAPS 0x14 41 #define TPM_STS 0x18 42 #define TPM_DATA_FIFO 0x24 43 #define TPM_INTF_ID 0x30 44 #define TPM_XDATA_FIFO 0x80 45 #define TPM_DID_VID 0xF00 46 #define TPM_RID 0xF04 47 48 #define TPM_ACCESS_LOC_REQ BIT(1) 49 #define TPM_ACCESS_LOC_Seize BIT(3) 50 #define TPM_ACCESS_LOC_ACTIVE BIT(5) 51 #define TPM_ACCESS_LOC_RELINQUISH BIT(5) 52 #define TPM_ACCESS_VALID BIT(7) 53 54 #define TPM_INT_ENABLE_GLOBAL_ENABLE BIT(31) 55 #define TPM_INT_ENABLE_CMD_RDY BIT(7) 56 #define TPM_INT_ENABLE_LOC_CHANGE BIT(2) 57 #define TPM_INT_ENABLE_STS_VALID BIT(1) 58 #define TPM_INT_ENABLE_DATA_AVAIL BIT(0) 59 60 #define TPM_INT_STS_CMD_RDY BIT(7) 61 #define TPM_INT_STS_LOC_CHANGE BIT(2) 62 #define TPM_INT_STS_VALID BIT(1) 63 #define TPM_INT_STS_DATA_AVAIL BIT(0) 64 65 #define TPM_INTF_CAPS_VERSION 0x70000000 66 #define TPM_INTF_CAPS_TPM20 0x30000000 67 68 #define TPM_STS_VALID BIT(7) 69 #define TPM_STS_CMD_RDY BIT(6) 70 #define TPM_STS_CMD_START BIT(5) 71 #define TPM_STS_DATA_AVAIL BIT(4) 72 #define TPM_STS_DATA_EXPECTED BIT(3) 73 #define TPM_STS_BURST_MASK 0xFFFF00 74 #define TPM_STS_BURST_OFFSET 0x8 75 76 static int tpmtis_transmit(device_t dev, size_t length); 77 78 static int tpmtis_detach(device_t dev); 79 80 static void tpmtis_intr_handler(void *arg); 81 82 static void tpmtis_setup_intr(struct tpm_sc *sc); 83 84 static bool tpmtis_read_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf); 85 static bool tpmtis_write_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf); 86 static bool tpmtis_request_locality(struct tpm_sc *sc, int locality); 87 static void tpmtis_relinquish_locality(struct tpm_sc *sc); 88 static bool tpmtis_go_ready(struct tpm_sc *sc); 89 90 static bool tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off, 91 uint32_t mask, uint32_t val, int32_t timeout); 92 93 static uint16_t tpmtis_wait_for_burst(struct tpm_sc *sc); 94 95 int 96 tpmtis_attach(device_t dev) 97 { 98 struct tpm_sc *sc; 99 int result; 100 int poll = 0; 101 102 sc = device_get_softc(dev); 103 sc->dev = dev; 104 sc->intr_type = -1; 105 106 sx_init(&sc->dev_lock, "TPM driver lock"); 107 sc->buf = malloc(TPM_BUFSIZE, M_TPM20, M_WAITOK); 108 109 resource_int_value("tpm", device_get_unit(dev), "use_polling", &poll); 110 if (poll != 0) { 111 device_printf(dev, "Using poll method to get TPM operation status \n"); 112 goto skip_irq; 113 } 114 115 sc->irq_rid = 0; 116 sc->irq_res = bus_alloc_resource_any(dev, SYS_RES_IRQ, &sc->irq_rid, 117 RF_ACTIVE | RF_SHAREABLE); 118 if (sc->irq_res == NULL) 119 goto skip_irq; 120 121 result = bus_setup_intr(dev, sc->irq_res, INTR_TYPE_MISC | INTR_MPSAFE, 122 NULL, tpmtis_intr_handler, sc, &sc->intr_cookie); 123 if (result != 0) { 124 bus_release_resource(dev, SYS_RES_IRQ, sc->irq_rid, sc->irq_res); 125 goto skip_irq; 126 } 127 tpmtis_setup_intr(sc); 128 129 skip_irq: 130 result = tpm20_init(sc); 131 if (result != 0) 132 tpmtis_detach(dev); 133 134 return (result); 135 } 136 137 static int 138 tpmtis_detach(device_t dev) 139 { 140 struct tpm_sc *sc; 141 142 sc = device_get_softc(dev); 143 tpm20_release(sc); 144 145 if (sc->intr_cookie != NULL) 146 bus_teardown_intr(dev, sc->irq_res, sc->intr_cookie); 147 148 if (sc->irq_res != NULL) 149 bus_release_resource(dev, SYS_RES_IRQ, 150 sc->irq_rid, sc->irq_res); 151 152 if (sc->mem_res != NULL) 153 bus_release_resource(dev, SYS_RES_MEMORY, 154 sc->mem_rid, sc->mem_res); 155 156 return (0); 157 } 158 159 /* 160 * Test if the advertisted interrupt actually works. 161 * This sends a simple command. (GetRandom) 162 * Interrupts are then enabled in the handler. 163 */ 164 static void 165 tpmtis_test_intr(struct tpm_sc *sc) 166 { 167 uint8_t cmd[] = { 168 0x80, 0x01, /* TPM_ST_NO_SESSIONS tag*/ 169 0x00, 0x00, 0x00, 0x0c, /* cmd length */ 170 0x00, 0x00, 0x01, 0x7b, /* cmd TPM_CC_GetRandom */ 171 0x00, 0x01 /* number of bytes requested */ 172 }; 173 174 sx_xlock(&sc->dev_lock); 175 memcpy(sc->buf, cmd, sizeof(cmd)); 176 tpmtis_transmit(sc->dev, sizeof(cmd)); 177 sc->pending_data_length = 0; 178 sx_xunlock(&sc->dev_lock); 179 } 180 181 static void 182 tpmtis_setup_intr(struct tpm_sc *sc) 183 { 184 uint32_t reg; 185 uint8_t irq; 186 187 irq = bus_get_resource_start(sc->dev, SYS_RES_IRQ, sc->irq_rid); 188 189 /* 190 * SIRQ has to be between 1 - 15. 191 * I found a system with ACPI table that reported a value of 0x2d. 192 * An attempt to use such value resulted in an interrupt storm. 193 */ 194 if (irq == 0 || irq > 0xF) 195 return; 196 197 if(!tpmtis_request_locality(sc, 0)) 198 sc->interrupts = false; 199 200 TPM_WRITE_1(sc->dev, TPM_INT_VECTOR, irq); 201 202 /* Clear all pending interrupts. */ 203 reg = TPM_READ_4(sc->dev, TPM_INT_STS); 204 TPM_WRITE_4(sc->dev, TPM_INT_STS, reg); 205 206 reg = TPM_READ_4(sc->dev, TPM_INT_ENABLE); 207 reg |= TPM_INT_ENABLE_GLOBAL_ENABLE | 208 TPM_INT_ENABLE_DATA_AVAIL | 209 TPM_INT_ENABLE_LOC_CHANGE | 210 TPM_INT_ENABLE_CMD_RDY | 211 TPM_INT_ENABLE_STS_VALID; 212 TPM_WRITE_4(sc->dev, TPM_INT_ENABLE, reg); 213 214 tpmtis_relinquish_locality(sc); 215 tpmtis_test_intr(sc); 216 } 217 218 static void 219 tpmtis_intr_handler(void *arg) 220 { 221 struct tpm_sc *sc; 222 uint32_t status; 223 224 sc = (struct tpm_sc *)arg; 225 status = TPM_READ_4(sc->dev, TPM_INT_STS); 226 227 TPM_WRITE_4(sc->dev, TPM_INT_STS, status); 228 229 /* Check for stray interrupts. */ 230 if (sc->intr_type == -1 || (sc->intr_type & status) == 0) 231 return; 232 233 sc->interrupts = true; 234 wakeup(sc); 235 } 236 237 static bool 238 tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off, uint32_t mask, uint32_t val, 239 int32_t timeout) 240 { 241 242 /* Check for condition */ 243 if ((TPM_READ_4(sc->dev, off) & mask) == val) 244 return (true); 245 246 /* If interrupts are enabled sleep for timeout duration */ 247 if(sc->interrupts && sc->intr_type != -1) { 248 tsleep(sc, PWAIT, "TPM WITH INTERRUPTS", timeout / tick); 249 250 sc->intr_type = -1; 251 return ((TPM_READ_4(sc->dev, off) & mask) == val); 252 } 253 254 /* If we don't have interrupts poll the device every tick */ 255 while (timeout > 0) { 256 if ((TPM_READ_4(sc->dev, off) & mask) == val) 257 return (true); 258 259 pause("TPM POLLING", 1); 260 timeout -= tick; 261 } 262 return (false); 263 } 264 265 static uint16_t 266 tpmtis_wait_for_burst(struct tpm_sc *sc) 267 { 268 int timeout; 269 uint16_t burst_count; 270 271 timeout = TPM_TIMEOUT_A; 272 273 while (timeout-- > 0) { 274 burst_count = (TPM_READ_4(sc->dev, TPM_STS) & TPM_STS_BURST_MASK) >> 275 TPM_STS_BURST_OFFSET; 276 if (burst_count > 0) 277 break; 278 279 DELAY(1); 280 } 281 return (burst_count); 282 } 283 284 static bool 285 tpmtis_read_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf) 286 { 287 uint16_t burst_count; 288 289 while (count > 0) { 290 burst_count = tpmtis_wait_for_burst(sc); 291 if (burst_count == 0) 292 return (false); 293 294 burst_count = MIN(burst_count, count); 295 count -= burst_count; 296 297 while (burst_count-- > 0) 298 *buf++ = TPM_READ_1(sc->dev, TPM_DATA_FIFO); 299 } 300 301 return (true); 302 } 303 304 static bool 305 tpmtis_write_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf) 306 { 307 uint16_t burst_count; 308 309 while (count > 0) { 310 burst_count = tpmtis_wait_for_burst(sc); 311 if (burst_count == 0) 312 return (false); 313 314 burst_count = MIN(burst_count, count); 315 count -= burst_count; 316 317 while (burst_count-- > 0) 318 TPM_WRITE_1(sc->dev, TPM_DATA_FIFO, *buf++); 319 } 320 321 return (true); 322 } 323 324 static bool 325 tpmtis_request_locality(struct tpm_sc *sc, int locality) 326 { 327 uint8_t mask; 328 int timeout; 329 330 /* Currently we only support Locality 0 */ 331 if (locality != 0) 332 return (false); 333 334 mask = TPM_ACCESS_LOC_ACTIVE | TPM_ACCESS_VALID; 335 timeout = TPM_TIMEOUT_A; 336 sc->intr_type = TPM_INT_STS_LOC_CHANGE; 337 338 TPM_WRITE_1(sc->dev, TPM_ACCESS, TPM_ACCESS_LOC_REQ); 339 TPM_WRITE_BARRIER(sc->dev, TPM_ACCESS, 1); 340 if(sc->interrupts) { 341 tsleep(sc, PWAIT, "TPMLOCREQUEST with INTR", timeout / tick); 342 return ((TPM_READ_1(sc->dev, TPM_ACCESS) & mask) == mask); 343 } else { 344 while(timeout > 0) { 345 if ((TPM_READ_1(sc->dev, TPM_ACCESS) & mask) == mask) 346 return (true); 347 348 pause("TPMLOCREQUEST POLLING", 1); 349 timeout -= tick; 350 } 351 } 352 353 return (false); 354 } 355 356 static void 357 tpmtis_relinquish_locality(struct tpm_sc *sc) 358 { 359 360 /* 361 * Interrupts can only be cleared when a locality is active. 362 * Clear them now in case interrupt handler didn't make it in time. 363 */ 364 if(sc->interrupts) 365 AND4(sc, TPM_INT_STS, TPM_READ_4(sc->dev, TPM_INT_STS)); 366 367 OR1(sc, TPM_ACCESS, TPM_ACCESS_LOC_RELINQUISH); 368 } 369 370 static bool 371 tpmtis_go_ready(struct tpm_sc *sc) 372 { 373 uint32_t mask; 374 375 mask = TPM_STS_CMD_RDY; 376 sc->intr_type = TPM_INT_STS_CMD_RDY; 377 378 TPM_WRITE_4(sc->dev, TPM_STS, TPM_STS_CMD_RDY); 379 TPM_WRITE_BARRIER(sc->dev, TPM_STS, 4); 380 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_B)) 381 return (false); 382 383 return (true); 384 } 385 386 static int 387 tpmtis_transmit(device_t dev, size_t length) 388 { 389 struct tpm_sc *sc; 390 size_t bytes_available; 391 uint32_t mask, curr_cmd; 392 int timeout; 393 394 sc = device_get_softc(dev); 395 sx_assert(&sc->dev_lock, SA_XLOCKED); 396 397 if (!tpmtis_request_locality(sc, 0)) { 398 device_printf(dev, 399 "Failed to obtain locality\n"); 400 return (EIO); 401 } 402 if (!tpmtis_go_ready(sc)) { 403 device_printf(dev, 404 "Failed to switch to ready state\n"); 405 return (EIO); 406 } 407 if (!tpmtis_write_bytes(sc, length, sc->buf)) { 408 device_printf(dev, 409 "Failed to write cmd to device\n"); 410 return (EIO); 411 } 412 413 mask = TPM_STS_VALID; 414 sc->intr_type = TPM_INT_STS_VALID; 415 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_C)) { 416 device_printf(dev, 417 "Timeout while waiting for valid bit\n"); 418 return (EIO); 419 } 420 if (TPM_READ_4(dev, TPM_STS) & TPM_STS_DATA_EXPECTED) { 421 device_printf(dev, 422 "Device expects more data even though we already" 423 " sent everything we had\n"); 424 return (EIO); 425 } 426 427 /* 428 * Calculate timeout for current command. 429 * Command code is passed in bytes 6-10. 430 */ 431 curr_cmd = be32toh(*(uint32_t *) (&sc->buf[6])); 432 timeout = tpm20_get_timeout(curr_cmd); 433 434 TPM_WRITE_4(dev, TPM_STS, TPM_STS_CMD_START); 435 TPM_WRITE_BARRIER(dev, TPM_STS, 4); 436 437 mask = TPM_STS_DATA_AVAIL | TPM_STS_VALID; 438 sc->intr_type = TPM_INT_STS_DATA_AVAIL; 439 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, timeout)) { 440 device_printf(dev, 441 "Timeout while waiting for device to process cmd\n"); 442 /* 443 * Switching to ready state also cancels processing 444 * current command 445 */ 446 if (!tpmtis_go_ready(sc)) 447 return (EIO); 448 449 /* 450 * After canceling a command we should get a response, 451 * check if there is one. 452 */ 453 sc->intr_type = TPM_INT_STS_DATA_AVAIL; 454 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_C)) 455 return (EIO); 456 } 457 /* Read response header. Length is passed in bytes 2 - 6. */ 458 if(!tpmtis_read_bytes(sc, TPM_HEADER_SIZE, sc->buf)) { 459 device_printf(dev, 460 "Failed to read response header\n"); 461 return (EIO); 462 } 463 bytes_available = be32toh(*(uint32_t *) (&sc->buf[2])); 464 465 if (bytes_available > TPM_BUFSIZE || bytes_available < TPM_HEADER_SIZE) { 466 device_printf(dev, 467 "Incorrect response size: %zu\n", 468 bytes_available); 469 return (EIO); 470 } 471 if(!tpmtis_read_bytes(sc, bytes_available - TPM_HEADER_SIZE, 472 &sc->buf[TPM_HEADER_SIZE])) { 473 device_printf(dev, 474 "Failed to read response\n"); 475 return (EIO); 476 } 477 tpmtis_relinquish_locality(sc); 478 sc->pending_data_length = bytes_available; 479 sc->total_length = bytes_available; 480 481 return (0); 482 } 483 484 /* ACPI Driver */ 485 static device_method_t tpmtis_methods[] = { 486 DEVMETHOD(device_attach, tpmtis_attach), 487 DEVMETHOD(device_detach, tpmtis_detach), 488 DEVMETHOD(device_shutdown, tpm20_shutdown), 489 DEVMETHOD(device_suspend, tpm20_suspend), 490 DEVMETHOD(tpm_transmit, tpmtis_transmit), 491 DEVMETHOD_END 492 }; 493 494 DEFINE_CLASS_0(tpmtis, tpmtis_driver, tpmtis_methods, sizeof(struct tpm_sc)); 495