1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright (c) 2011 The Chromium OS Authors.
4 */
5
6 /*
7 * The code in this file is based on the article "Writing a TPM Device Driver"
8 * published on http://ptgmedia.pearsoncmg.com.
9 *
10 * One principal difference is that in the simplest config the other than 0
11 * TPM localities do not get mapped by some devices (for instance, by Infineon
12 * slb9635), so this driver provides access to locality 0 only.
13 */
14
15 #include <common.h>
16 #include <dm.h>
17 #include <log.h>
18 #include <mapmem.h>
19 #include <tpm-v1.h>
20 #include <asm/io.h>
21 #include <linux/delay.h>
22
23 #define PREFIX "lpc_tpm: "
24
25 enum i2c_chip_type {
26 SLB9635,
27 AT97SC3204,
28 };
29
30 static const char * const chip_name[] = {
31 [SLB9635] = "Infineon SLB9635 TT 1.2",
32 [AT97SC3204] = "Atmel AT97SC3204",
33 };
34
35 static const u32 chip_didvid[] = {
36 [SLB9635] = 0xb15d1,
37 [AT97SC3204] = 0x32041114,
38 };
39
40 struct tpm_locality {
41 u32 access;
42 u8 padding0[4];
43 u32 int_enable;
44 u8 vector;
45 u8 padding1[3];
46 u32 int_status;
47 u32 int_capability;
48 u32 tpm_status;
49 u8 padding2[8];
50 u8 data;
51 u8 padding3[3803];
52 u32 did_vid;
53 u8 rid;
54 u8 padding4[251];
55 };
56
57 struct tpm_tis_lpc_priv {
58 struct tpm_locality *regs;
59 };
60
61 /*
62 * This pointer refers to the TPM chip, 5 of its localities are mapped as an
63 * array.
64 */
65 #define TPM_TOTAL_LOCALITIES 5
66
67 /* Some registers' bit field definitions */
68 #define TIS_STS_VALID (1 << 7) /* 0x80 */
69 #define TIS_STS_COMMAND_READY (1 << 6) /* 0x40 */
70 #define TIS_STS_TPM_GO (1 << 5) /* 0x20 */
71 #define TIS_STS_DATA_AVAILABLE (1 << 4) /* 0x10 */
72 #define TIS_STS_EXPECT (1 << 3) /* 0x08 */
73 #define TIS_STS_RESPONSE_RETRY (1 << 1) /* 0x02 */
74
75 #define TIS_ACCESS_TPM_REG_VALID_STS (1 << 7) /* 0x80 */
76 #define TIS_ACCESS_ACTIVE_LOCALITY (1 << 5) /* 0x20 */
77 #define TIS_ACCESS_BEEN_SEIZED (1 << 4) /* 0x10 */
78 #define TIS_ACCESS_SEIZE (1 << 3) /* 0x08 */
79 #define TIS_ACCESS_PENDING_REQUEST (1 << 2) /* 0x04 */
80 #define TIS_ACCESS_REQUEST_USE (1 << 1) /* 0x02 */
81 #define TIS_ACCESS_TPM_ESTABLISHMENT (1 << 0) /* 0x01 */
82
83 #define TIS_STS_BURST_COUNT_MASK (0xffff)
84 #define TIS_STS_BURST_COUNT_SHIFT (8)
85
86 /* 1 second is plenty for anything TPM does. */
87 #define MAX_DELAY_US (1000 * 1000)
88
89 /* Retrieve burst count value out of the status register contents. */
burst_count(u32 status)90 static u16 burst_count(u32 status)
91 {
92 return (status >> TIS_STS_BURST_COUNT_SHIFT) &
93 TIS_STS_BURST_COUNT_MASK;
94 }
95
96 /* TPM access wrappers to support tracing */
tpm_read_byte(struct tpm_tis_lpc_priv * priv,const u8 * ptr)97 static u8 tpm_read_byte(struct tpm_tis_lpc_priv *priv, const u8 *ptr)
98 {
99 u8 ret = readb(ptr);
100 debug(PREFIX "Read reg 0x%4.4x returns 0x%2.2x\n",
101 (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, ret);
102 return ret;
103 }
104
tpm_read_word(struct tpm_tis_lpc_priv * priv,const u32 * ptr)105 static u32 tpm_read_word(struct tpm_tis_lpc_priv *priv, const u32 *ptr)
106 {
107 u32 ret = readl(ptr);
108 debug(PREFIX "Read reg 0x%4.4x returns 0x%8.8x\n",
109 (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, ret);
110 return ret;
111 }
112
tpm_write_byte(struct tpm_tis_lpc_priv * priv,u8 value,u8 * ptr)113 static void tpm_write_byte(struct tpm_tis_lpc_priv *priv, u8 value, u8 *ptr)
114 {
115 debug(PREFIX "Write reg 0x%4.4x with 0x%2.2x\n",
116 (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, value);
117 writeb(value, ptr);
118 }
119
tpm_write_word(struct tpm_tis_lpc_priv * priv,u32 value,u32 * ptr)120 static void tpm_write_word(struct tpm_tis_lpc_priv *priv, u32 value,
121 u32 *ptr)
122 {
123 debug(PREFIX "Write reg 0x%4.4x with 0x%8.8x\n",
124 (u32)(uintptr_t)ptr - (u32)(uintptr_t)priv->regs, value);
125 writel(value, ptr);
126 }
127
128 /*
129 * tis_wait_reg()
130 *
131 * Wait for at least a second for a register to change its state to match the
132 * expected state. Normally the transition happens within microseconds.
133 *
134 * @reg - pointer to the TPM register
135 * @mask - bitmask for the bitfield(s) to watch
136 * @expected - value the field(s) are supposed to be set to
137 *
138 * Returns the register contents in case the expected value was found in the
139 * appropriate register bits, or -ETIMEDOUT on timeout.
140 */
tis_wait_reg(struct tpm_tis_lpc_priv * priv,u32 * reg,u8 mask,u8 expected)141 static int tis_wait_reg(struct tpm_tis_lpc_priv *priv, u32 *reg, u8 mask,
142 u8 expected)
143 {
144 u32 time_us = MAX_DELAY_US;
145
146 while (time_us > 0) {
147 u32 value = tpm_read_word(priv, reg);
148 if ((value & mask) == expected)
149 return value;
150 udelay(1); /* 1 us */
151 time_us--;
152 }
153
154 return -ETIMEDOUT;
155 }
156
157 /*
158 * Probe the TPM device and try determining its manufacturer/device name.
159 *
160 * Returns 0 on success, -ve on error
161 */
tpm_tis_lpc_probe(struct udevice * dev)162 static int tpm_tis_lpc_probe(struct udevice *dev)
163 {
164 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
165 fdt_addr_t addr;
166 u32 didvid;
167 ulong chip_type = dev_get_driver_data(dev);
168
169 addr = dev_read_addr(dev);
170 if (addr == FDT_ADDR_T_NONE)
171 return -EINVAL;
172 priv->regs = map_sysmem(addr, 0);
173 didvid = tpm_read_word(priv, &priv->regs[0].did_vid);
174
175 if (didvid != chip_didvid[chip_type]) {
176 u32 vid, did;
177 vid = didvid & 0xffff;
178 did = (didvid >> 16) & 0xffff;
179 debug("Invalid vendor/device ID %04x/%04x\n", vid, did);
180 return -ENODEV;
181 }
182
183 debug("Found TPM: %s\n", chip_name[chip_type]);
184
185 return 0;
186 }
187
188 /*
189 * tis_senddata()
190 *
191 * send the passed in data to the TPM device.
192 *
193 * @data - address of the data to send, byte by byte
194 * @len - length of the data to send
195 *
196 * Returns 0 on success, -ve on error (in case the device does not accept
197 * the entire command).
198 */
tis_senddata(struct udevice * dev,const u8 * data,size_t len)199 static int tis_senddata(struct udevice *dev, const u8 *data, size_t len)
200 {
201 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
202 struct tpm_locality *regs = priv->regs;
203 u32 offset = 0;
204 u16 burst = 0;
205 u32 max_cycles = 0;
206 u8 locality = 0;
207 u32 value;
208
209 value = tis_wait_reg(priv, ®s[locality].tpm_status,
210 TIS_STS_COMMAND_READY, TIS_STS_COMMAND_READY);
211 if (value == -ETIMEDOUT) {
212 printf("%s:%d - failed to get 'command_ready' status\n",
213 __FILE__, __LINE__);
214 return value;
215 }
216 burst = burst_count(value);
217
218 while (1) {
219 unsigned count;
220
221 /* Wait till the device is ready to accept more data. */
222 while (!burst) {
223 if (max_cycles++ == MAX_DELAY_US) {
224 printf("%s:%d failed to feed %zd bytes of %zd\n",
225 __FILE__, __LINE__, len - offset, len);
226 return -ETIMEDOUT;
227 }
228 udelay(1);
229 burst = burst_count(tpm_read_word(priv,
230 ®s[locality].tpm_status));
231 }
232
233 max_cycles = 0;
234
235 /*
236 * Calculate number of bytes the TPM is ready to accept in one
237 * shot.
238 *
239 * We want to send the last byte outside of the loop (hence
240 * the -1 below) to make sure that the 'expected' status bit
241 * changes to zero exactly after the last byte is fed into the
242 * FIFO.
243 */
244 count = min((size_t)burst, len - offset - 1);
245 while (count--)
246 tpm_write_byte(priv, data[offset++],
247 ®s[locality].data);
248
249 value = tis_wait_reg(priv, ®s[locality].tpm_status,
250 TIS_STS_VALID, TIS_STS_VALID);
251
252 if ((value == -ETIMEDOUT) || !(value & TIS_STS_EXPECT)) {
253 printf("%s:%d TPM command feed overflow\n",
254 __FILE__, __LINE__);
255 return value == -ETIMEDOUT ? value : -EIO;
256 }
257
258 burst = burst_count(value);
259 if ((offset == (len - 1)) && burst) {
260 /*
261 * We need to be able to send the last byte to the
262 * device, so burst size must be nonzero before we
263 * break out.
264 */
265 break;
266 }
267 }
268
269 /* Send the last byte. */
270 tpm_write_byte(priv, data[offset++], ®s[locality].data);
271 /*
272 * Verify that TPM does not expect any more data as part of this
273 * command.
274 */
275 value = tis_wait_reg(priv, ®s[locality].tpm_status,
276 TIS_STS_VALID, TIS_STS_VALID);
277 if ((value == -ETIMEDOUT) || (value & TIS_STS_EXPECT)) {
278 printf("%s:%d unexpected TPM status 0x%x\n",
279 __FILE__, __LINE__, value);
280 return value == -ETIMEDOUT ? value : -EIO;
281 }
282
283 /* OK, sitting pretty, let's start the command execution. */
284 tpm_write_word(priv, TIS_STS_TPM_GO, ®s[locality].tpm_status);
285 return 0;
286 }
287
288 /*
289 * tis_readresponse()
290 *
291 * read the TPM device response after a command was issued.
292 *
293 * @buffer - address where to read the response, byte by byte.
294 * @len - pointer to the size of buffer
295 *
296 * On success stores the number of received bytes to len and returns 0. On
297 * errors (misformatted TPM data or synchronization problems) returns
298 * -ve value.
299 */
tis_readresponse(struct udevice * dev,u8 * buffer,size_t len)300 static int tis_readresponse(struct udevice *dev, u8 *buffer, size_t len)
301 {
302 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
303 struct tpm_locality *regs = priv->regs;
304 u16 burst;
305 u32 value;
306 u32 offset = 0;
307 u8 locality = 0;
308 const u32 has_data = TIS_STS_DATA_AVAILABLE | TIS_STS_VALID;
309 u32 expected_count = len;
310 int max_cycles = 0;
311
312 /* Wait for the TPM to process the command. */
313 value = tis_wait_reg(priv, ®s[locality].tpm_status,
314 has_data, has_data);
315 if (value == -ETIMEDOUT) {
316 printf("%s:%d failed processing command\n",
317 __FILE__, __LINE__);
318 return value;
319 }
320
321 do {
322 while ((burst = burst_count(value)) == 0) {
323 if (max_cycles++ == MAX_DELAY_US) {
324 printf("%s:%d TPM stuck on read\n",
325 __FILE__, __LINE__);
326 return -EIO;
327 }
328 udelay(1);
329 value = tpm_read_word(priv, ®s[locality].tpm_status);
330 }
331
332 max_cycles = 0;
333
334 while (burst-- && (offset < expected_count)) {
335 buffer[offset++] = tpm_read_byte(priv,
336 ®s[locality].data);
337
338 if (offset == 6) {
339 /*
340 * We got the first six bytes of the reply,
341 * let's figure out how many bytes to expect
342 * total - it is stored as a 4 byte number in
343 * network order, starting with offset 2 into
344 * the body of the reply.
345 */
346 u32 real_length;
347 memcpy(&real_length,
348 buffer + 2,
349 sizeof(real_length));
350 expected_count = be32_to_cpu(real_length);
351
352 if ((expected_count < offset) ||
353 (expected_count > len)) {
354 printf("%s:%d bad response size %d\n",
355 __FILE__, __LINE__,
356 expected_count);
357 return -ENOSPC;
358 }
359 }
360 }
361
362 /* Wait for the next portion. */
363 value = tis_wait_reg(priv, ®s[locality].tpm_status,
364 TIS_STS_VALID, TIS_STS_VALID);
365 if (value == -ETIMEDOUT) {
366 printf("%s:%d failed to read response\n",
367 __FILE__, __LINE__);
368 return value;
369 }
370
371 if (offset == expected_count)
372 break; /* We got all we needed. */
373
374 } while ((value & has_data) == has_data);
375
376 /*
377 * Make sure we indeed read all there was. The TIS_STS_VALID bit is
378 * known to be set.
379 */
380 if (value & TIS_STS_DATA_AVAILABLE) {
381 printf("%s:%d wrong receive status %x\n",
382 __FILE__, __LINE__, value);
383 return -EBADMSG;
384 }
385
386 /* Tell the TPM that we are done. */
387 tpm_write_word(priv, TIS_STS_COMMAND_READY,
388 ®s[locality].tpm_status);
389
390 return offset;
391 }
392
tpm_tis_lpc_close(struct udevice * dev)393 static int tpm_tis_lpc_close(struct udevice *dev)
394 {
395 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
396 struct tpm_locality *regs = priv->regs;
397 u8 locality = 0;
398
399 if (tpm_read_word(priv, ®s[locality].access) &
400 TIS_ACCESS_ACTIVE_LOCALITY) {
401 tpm_write_word(priv, TIS_ACCESS_ACTIVE_LOCALITY,
402 ®s[locality].access);
403
404 if (tis_wait_reg(priv, ®s[locality].access,
405 TIS_ACCESS_ACTIVE_LOCALITY, 0) == -ETIMEDOUT) {
406 printf("%s:%d - failed to release locality %d\n",
407 __FILE__, __LINE__, locality);
408 return -ETIMEDOUT;
409 }
410 }
411 return 0;
412 }
413
tpm_tis_lpc_open(struct udevice * dev)414 static int tpm_tis_lpc_open(struct udevice *dev)
415 {
416 struct tpm_tis_lpc_priv *priv = dev_get_priv(dev);
417 struct tpm_locality *regs = priv->regs;
418 u8 locality = 0; /* we use locality zero for everything. */
419 int ret;
420
421 ret = tpm_tis_lpc_close(dev);
422 if (ret) {
423 printf("%s: Failed to close TPM\n", __func__);
424 return ret;
425 }
426
427 /* now request access to locality. */
428 tpm_write_word(priv, TIS_ACCESS_REQUEST_USE, ®s[locality].access);
429
430 /* did we get a lock? */
431 ret = tis_wait_reg(priv, ®s[locality].access,
432 TIS_ACCESS_ACTIVE_LOCALITY,
433 TIS_ACCESS_ACTIVE_LOCALITY);
434 if (ret == -ETIMEDOUT) {
435 printf("%s:%d - failed to lock locality %d\n",
436 __FILE__, __LINE__, locality);
437 return ret;
438 }
439
440 tpm_write_word(priv, TIS_STS_COMMAND_READY,
441 ®s[locality].tpm_status);
442
443 return 0;
444 }
445
tpm_tis_get_desc(struct udevice * dev,char * buf,int size)446 static int tpm_tis_get_desc(struct udevice *dev, char *buf, int size)
447 {
448 ulong chip_type = dev_get_driver_data(dev);
449
450 if (size < 50)
451 return -ENOSPC;
452
453 return snprintf(buf, size, "1.2 TPM (%s)",
454 chip_name[chip_type]);
455 }
456
457
458 static const struct tpm_ops tpm_tis_lpc_ops = {
459 .open = tpm_tis_lpc_open,
460 .close = tpm_tis_lpc_close,
461 .get_desc = tpm_tis_get_desc,
462 .send = tis_senddata,
463 .recv = tis_readresponse,
464 };
465
466 static const struct udevice_id tpm_tis_lpc_ids[] = {
467 { .compatible = "infineon,slb9635lpc", .data = SLB9635 },
468 { .compatible = "atmel,at97sc3204", .data = AT97SC3204 },
469 { }
470 };
471
472 U_BOOT_DRIVER(tpm_tis_lpc) = {
473 .name = "tpm_tis_lpc",
474 .id = UCLASS_TPM,
475 .of_match = tpm_tis_lpc_ids,
476 .ops = &tpm_tis_lpc_ops,
477 .probe = tpm_tis_lpc_probe,
478 .priv_auto = sizeof(struct tpm_tis_lpc_priv),
479 };
480