1 /*- 2 * Copyright (c) 2018 Stormshield. 3 * Copyright (c) 2018 Semihalf. 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, 19 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 21 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 23 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 24 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #include "tpm20.h" 30 #include "tpm_if.h" 31 32 /* 33 * TIS register space as defined in 34 * TCG_PC_Client_Platform_TPM_Profile_PTP_2.0_r1.03_v22 35 */ 36 #define TPM_ACCESS 0x0 37 #define TPM_INT_ENABLE 0x8 38 #define TPM_INT_VECTOR 0xc 39 #define TPM_INT_STS 0x10 40 #define TPM_INTF_CAPS 0x14 41 #define TPM_STS 0x18 42 #define TPM_DATA_FIFO 0x24 43 #define TPM_INTF_ID 0x30 44 #define TPM_XDATA_FIFO 0x80 45 #define TPM_DID_VID 0xF00 46 #define TPM_RID 0xF04 47 48 #define TPM_ACCESS_LOC_REQ BIT(1) 49 #define TPM_ACCESS_LOC_Seize BIT(3) 50 #define TPM_ACCESS_LOC_ACTIVE BIT(5) 51 #define TPM_ACCESS_LOC_RELINQUISH BIT(5) 52 #define TPM_ACCESS_VALID BIT(7) 53 54 #define TPM_INT_ENABLE_GLOBAL_ENABLE BIT(31) 55 #define TPM_INT_ENABLE_CMD_RDY BIT(7) 56 #define TPM_INT_ENABLE_LOC_CHANGE BIT(2) 57 #define TPM_INT_ENABLE_STS_VALID BIT(1) 58 #define TPM_INT_ENABLE_DATA_AVAIL BIT(0) 59 60 #define TPM_INT_STS_CMD_RDY BIT(7) 61 #define TPM_INT_STS_LOC_CHANGE BIT(2) 62 #define TPM_INT_STS_VALID BIT(1) 63 #define TPM_INT_STS_DATA_AVAIL BIT(0) 64 65 #define TPM_INTF_CAPS_VERSION 0x70000000 66 #define TPM_INTF_CAPS_TPM20 0x30000000 67 68 #define TPM_STS_VALID BIT(7) 69 #define TPM_STS_CMD_RDY BIT(6) 70 #define TPM_STS_CMD_START BIT(5) 71 #define TPM_STS_DATA_AVAIL BIT(4) 72 #define TPM_STS_DATA_EXPECTED BIT(3) 73 #define TPM_STS_BURST_MASK 0xFFFF00 74 #define TPM_STS_BURST_OFFSET 0x8 75 76 static int tpmtis_transmit(device_t dev, size_t length); 77 78 static int tpmtis_detach(device_t dev); 79 80 static void tpmtis_intr_handler(void *arg); 81 82 static void tpmtis_setup_intr(struct tpm_sc *sc); 83 84 static bool tpmtis_read_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf); 85 static bool tpmtis_write_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf); 86 static bool tpmtis_request_locality(struct tpm_sc *sc, int locality); 87 static void tpmtis_relinquish_locality(struct tpm_sc *sc); 88 static bool tpmtis_go_ready(struct tpm_sc *sc); 89 90 static bool tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off, 91 uint32_t mask, uint32_t val, int32_t timeout); 92 93 static uint16_t tpmtis_wait_for_burst(struct tpm_sc *sc); 94 95 int 96 tpmtis_attach(device_t dev) 97 { 98 struct tpm_sc *sc; 99 int result; 100 101 sc = device_get_softc(dev); 102 sc->dev = dev; 103 sc->intr_type = -1; 104 105 sx_init(&sc->dev_lock, "TPM driver lock"); 106 sc->buf = malloc(TPM_BUFSIZE, M_TPM20, M_WAITOK); 107 108 sc->irq_rid = 0; 109 sc->irq_res = bus_alloc_resource_any(dev, SYS_RES_IRQ, &sc->irq_rid, 110 RF_ACTIVE | RF_SHAREABLE); 111 if (sc->irq_res == NULL) 112 goto skip_irq; 113 114 result = bus_setup_intr(dev, sc->irq_res, INTR_TYPE_MISC | INTR_MPSAFE, 115 NULL, tpmtis_intr_handler, sc, &sc->intr_cookie); 116 if (result != 0) { 117 bus_release_resource(dev, SYS_RES_IRQ, sc->irq_rid, sc->irq_res); 118 goto skip_irq; 119 } 120 tpmtis_setup_intr(sc); 121 122 skip_irq: 123 result = tpm20_init(sc); 124 if (result != 0) 125 tpmtis_detach(dev); 126 127 return (result); 128 } 129 130 static int 131 tpmtis_detach(device_t dev) 132 { 133 struct tpm_sc *sc; 134 135 sc = device_get_softc(dev); 136 tpm20_release(sc); 137 138 if (sc->intr_cookie != NULL) 139 bus_teardown_intr(dev, sc->irq_res, sc->intr_cookie); 140 141 if (sc->irq_res != NULL) 142 bus_release_resource(dev, SYS_RES_IRQ, 143 sc->irq_rid, sc->irq_res); 144 145 if (sc->mem_res != NULL) 146 bus_release_resource(dev, SYS_RES_MEMORY, 147 sc->mem_rid, sc->mem_res); 148 149 return (0); 150 } 151 152 /* 153 * Test if the advertisted interrupt actually works. 154 * This sends a simple command. (GetRandom) 155 * Interrupts are then enabled in the handler. 156 */ 157 static void 158 tpmtis_test_intr(struct tpm_sc *sc) 159 { 160 uint8_t cmd[] = { 161 0x80, 0x01, /* TPM_ST_NO_SESSIONS tag*/ 162 0x00, 0x00, 0x00, 0x0c, /* cmd length */ 163 0x00, 0x00, 0x01, 0x7b, /* cmd TPM_CC_GetRandom */ 164 0x00, 0x01 /* number of bytes requested */ 165 }; 166 167 sx_xlock(&sc->dev_lock); 168 memcpy(sc->buf, cmd, sizeof(cmd)); 169 tpmtis_transmit(sc->dev, sizeof(cmd)); 170 sc->pending_data_length = 0; 171 sx_xunlock(&sc->dev_lock); 172 } 173 174 static void 175 tpmtis_setup_intr(struct tpm_sc *sc) 176 { 177 uint32_t reg; 178 uint8_t irq; 179 180 irq = bus_get_resource_start(sc->dev, SYS_RES_IRQ, sc->irq_rid); 181 182 /* 183 * SIRQ has to be between 1 - 15. 184 * I found a system with ACPI table that reported a value of 0x2d. 185 * An attempt to use such value resulted in an interrupt storm. 186 */ 187 if (irq == 0 || irq > 0xF) 188 return; 189 190 if(!tpmtis_request_locality(sc, 0)) 191 sc->interrupts = false; 192 193 TPM_WRITE_1(sc->dev, TPM_INT_VECTOR, irq); 194 195 /* Clear all pending interrupts. */ 196 reg = TPM_READ_4(sc->dev, TPM_INT_STS); 197 TPM_WRITE_4(sc->dev, TPM_INT_STS, reg); 198 199 reg = TPM_READ_4(sc->dev, TPM_INT_ENABLE); 200 reg |= TPM_INT_ENABLE_GLOBAL_ENABLE | 201 TPM_INT_ENABLE_DATA_AVAIL | 202 TPM_INT_ENABLE_LOC_CHANGE | 203 TPM_INT_ENABLE_CMD_RDY | 204 TPM_INT_ENABLE_STS_VALID; 205 TPM_WRITE_4(sc->dev, TPM_INT_ENABLE, reg); 206 207 tpmtis_relinquish_locality(sc); 208 tpmtis_test_intr(sc); 209 } 210 211 static void 212 tpmtis_intr_handler(void *arg) 213 { 214 struct tpm_sc *sc; 215 uint32_t status; 216 217 sc = (struct tpm_sc *)arg; 218 status = TPM_READ_4(sc->dev, TPM_INT_STS); 219 220 TPM_WRITE_4(sc->dev, TPM_INT_STS, status); 221 222 /* Check for stray interrupts. */ 223 if (sc->intr_type == -1 || (sc->intr_type & status) == 0) 224 return; 225 226 sc->interrupts = true; 227 wakeup(sc); 228 } 229 230 static bool 231 tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off, uint32_t mask, uint32_t val, 232 int32_t timeout) 233 { 234 235 /* Check for condition */ 236 if ((TPM_READ_4(sc->dev, off) & mask) == val) 237 return (true); 238 239 /* If interrupts are enabled sleep for timeout duration */ 240 if(sc->interrupts && sc->intr_type != -1) { 241 tsleep(sc, PWAIT, "TPM WITH INTERRUPTS", timeout / tick); 242 243 sc->intr_type = -1; 244 return ((TPM_READ_4(sc->dev, off) & mask) == val); 245 } 246 247 /* If we don't have interrupts poll the device every tick */ 248 while (timeout > 0) { 249 if ((TPM_READ_4(sc->dev, off) & mask) == val) 250 return (true); 251 252 pause("TPM POLLING", 1); 253 timeout -= tick; 254 } 255 return (false); 256 } 257 258 static uint16_t 259 tpmtis_wait_for_burst(struct tpm_sc *sc) 260 { 261 int timeout; 262 uint16_t burst_count; 263 264 timeout = TPM_TIMEOUT_A; 265 266 while (timeout-- > 0) { 267 burst_count = (TPM_READ_4(sc->dev, TPM_STS) & TPM_STS_BURST_MASK) >> 268 TPM_STS_BURST_OFFSET; 269 if (burst_count > 0) 270 break; 271 272 DELAY(1); 273 } 274 return (burst_count); 275 } 276 277 static bool 278 tpmtis_read_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf) 279 { 280 uint16_t burst_count; 281 282 while (count > 0) { 283 burst_count = tpmtis_wait_for_burst(sc); 284 if (burst_count == 0) 285 return (false); 286 287 burst_count = MIN(burst_count, count); 288 count -= burst_count; 289 290 while (burst_count-- > 0) 291 *buf++ = TPM_READ_1(sc->dev, TPM_DATA_FIFO); 292 } 293 294 return (true); 295 } 296 297 static bool 298 tpmtis_write_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf) 299 { 300 uint16_t burst_count; 301 302 while (count > 0) { 303 burst_count = tpmtis_wait_for_burst(sc); 304 if (burst_count == 0) 305 return (false); 306 307 burst_count = MIN(burst_count, count); 308 count -= burst_count; 309 310 while (burst_count-- > 0) 311 TPM_WRITE_1(sc->dev, TPM_DATA_FIFO, *buf++); 312 } 313 314 return (true); 315 } 316 317 static bool 318 tpmtis_request_locality(struct tpm_sc *sc, int locality) 319 { 320 uint8_t mask; 321 int timeout; 322 323 /* Currently we only support Locality 0 */ 324 if (locality != 0) 325 return (false); 326 327 mask = TPM_ACCESS_LOC_ACTIVE | TPM_ACCESS_VALID; 328 timeout = TPM_TIMEOUT_A; 329 sc->intr_type = TPM_INT_STS_LOC_CHANGE; 330 331 TPM_WRITE_1(sc->dev, TPM_ACCESS, TPM_ACCESS_LOC_REQ); 332 TPM_WRITE_BARRIER(sc->dev, TPM_ACCESS, 1); 333 if(sc->interrupts) { 334 tsleep(sc, PWAIT, "TPMLOCREQUEST with INTR", timeout / tick); 335 return ((TPM_READ_1(sc->dev, TPM_ACCESS) & mask) == mask); 336 } else { 337 while(timeout > 0) { 338 if ((TPM_READ_1(sc->dev, TPM_ACCESS) & mask) == mask) 339 return (true); 340 341 pause("TPMLOCREQUEST POLLING", 1); 342 timeout -= tick; 343 } 344 } 345 346 return (false); 347 } 348 349 static void 350 tpmtis_relinquish_locality(struct tpm_sc *sc) 351 { 352 353 /* 354 * Interrupts can only be cleared when a locality is active. 355 * Clear them now in case interrupt handler didn't make it in time. 356 */ 357 if(sc->interrupts) 358 AND4(sc, TPM_INT_STS, TPM_READ_4(sc->dev, TPM_INT_STS)); 359 360 OR1(sc, TPM_ACCESS, TPM_ACCESS_LOC_RELINQUISH); 361 } 362 363 static bool 364 tpmtis_go_ready(struct tpm_sc *sc) 365 { 366 uint32_t mask; 367 368 mask = TPM_STS_CMD_RDY; 369 sc->intr_type = TPM_INT_STS_CMD_RDY; 370 371 TPM_WRITE_4(sc->dev, TPM_STS, TPM_STS_CMD_RDY); 372 TPM_WRITE_BARRIER(sc->dev, TPM_STS, 4); 373 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_B)) 374 return (false); 375 376 return (true); 377 } 378 379 static int 380 tpmtis_transmit(device_t dev, size_t length) 381 { 382 struct tpm_sc *sc; 383 size_t bytes_available; 384 uint32_t mask, curr_cmd; 385 int timeout; 386 387 sc = device_get_softc(dev); 388 sx_assert(&sc->dev_lock, SA_XLOCKED); 389 390 if (!tpmtis_request_locality(sc, 0)) { 391 device_printf(dev, 392 "Failed to obtain locality\n"); 393 return (EIO); 394 } 395 if (!tpmtis_go_ready(sc)) { 396 device_printf(dev, 397 "Failed to switch to ready state\n"); 398 return (EIO); 399 } 400 if (!tpmtis_write_bytes(sc, length, sc->buf)) { 401 device_printf(dev, 402 "Failed to write cmd to device\n"); 403 return (EIO); 404 } 405 406 mask = TPM_STS_VALID; 407 sc->intr_type = TPM_INT_STS_VALID; 408 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_C)) { 409 device_printf(dev, 410 "Timeout while waiting for valid bit\n"); 411 return (EIO); 412 } 413 if (TPM_READ_4(dev, TPM_STS) & TPM_STS_DATA_EXPECTED) { 414 device_printf(dev, 415 "Device expects more data even though we already" 416 " sent everything we had\n"); 417 return (EIO); 418 } 419 420 /* 421 * Calculate timeout for current command. 422 * Command code is passed in bytes 6-10. 423 */ 424 curr_cmd = be32toh(*(uint32_t *) (&sc->buf[6])); 425 timeout = tpm20_get_timeout(curr_cmd); 426 427 TPM_WRITE_4(dev, TPM_STS, TPM_STS_CMD_START); 428 TPM_WRITE_BARRIER(dev, TPM_STS, 4); 429 430 mask = TPM_STS_DATA_AVAIL | TPM_STS_VALID; 431 sc->intr_type = TPM_INT_STS_DATA_AVAIL; 432 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, timeout)) { 433 device_printf(dev, 434 "Timeout while waiting for device to process cmd\n"); 435 /* 436 * Switching to ready state also cancels processing 437 * current command 438 */ 439 if (!tpmtis_go_ready(sc)) 440 return (EIO); 441 442 /* 443 * After canceling a command we should get a response, 444 * check if there is one. 445 */ 446 sc->intr_type = TPM_INT_STS_DATA_AVAIL; 447 if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_C)) 448 return (EIO); 449 } 450 /* Read response header. Length is passed in bytes 2 - 6. */ 451 if(!tpmtis_read_bytes(sc, TPM_HEADER_SIZE, sc->buf)) { 452 device_printf(dev, 453 "Failed to read response header\n"); 454 return (EIO); 455 } 456 bytes_available = be32toh(*(uint32_t *) (&sc->buf[2])); 457 458 if (bytes_available > TPM_BUFSIZE || bytes_available < TPM_HEADER_SIZE) { 459 device_printf(dev, 460 "Incorrect response size: %zu\n", 461 bytes_available); 462 return (EIO); 463 } 464 if(!tpmtis_read_bytes(sc, bytes_available - TPM_HEADER_SIZE, 465 &sc->buf[TPM_HEADER_SIZE])) { 466 device_printf(dev, 467 "Failed to read response\n"); 468 return (EIO); 469 } 470 tpmtis_relinquish_locality(sc); 471 sc->pending_data_length = bytes_available; 472 473 return (0); 474 } 475 476 /* ACPI Driver */ 477 static device_method_t tpmtis_methods[] = { 478 DEVMETHOD(device_attach, tpmtis_attach), 479 DEVMETHOD(device_detach, tpmtis_detach), 480 DEVMETHOD(device_shutdown, tpm20_shutdown), 481 DEVMETHOD(device_suspend, tpm20_suspend), 482 DEVMETHOD(tpm_transmit, tpmtis_transmit), 483 DEVMETHOD_END 484 }; 485 486 DEFINE_CLASS_0(tpmtis, tpmtis_driver, tpmtis_methods, sizeof(struct tpm_sc)); 487