1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2014 Intel Corporation
10 * This device driver implements the TPM interface as defined in
11 * the TCG CRB 2.0 TPM specification.
14 #include <linux/acpi.h>
15 #include <linux/highmem.h>
16 #include <linux/rculist.h>
17 #include <linux/module.h>
18 #include <linux/pm_runtime.h>
20 #include <linux/arm-smccc.h>
24 #define ACPI_SIG_TPM2 "TPM2"
25 #define TPM_CRB_MAX_RESOURCES 3
27 static const guid_t crb_acpi_start_guid =
28 GUID_INIT(0x6BBF6CAB, 0x5463, 0x4714,
29 0xB7, 0xCD, 0xF0, 0x20, 0x3C, 0x03, 0x68, 0xD4);
32 CRB_ACPI_START_REVISION_ID = 1,
33 CRB_ACPI_START_INDEX = 1,
37 CRB_LOC_CTRL_REQUEST_ACCESS = BIT(0),
38 CRB_LOC_CTRL_RELINQUISH = BIT(1),
42 CRB_LOC_STATE_LOC_ASSIGNED = BIT(1),
43 CRB_LOC_STATE_TPM_REG_VALID_STS = BIT(7),
47 CRB_CTRL_REQ_CMD_READY = BIT(0),
48 CRB_CTRL_REQ_GO_IDLE = BIT(1),
52 CRB_CTRL_STS_ERROR = BIT(0),
53 CRB_CTRL_STS_TPM_IDLE = BIT(1),
57 CRB_START_INVOKE = BIT(0),
61 CRB_CANCEL_INVOKE = BIT(0),
64 struct crb_regs_head {
74 struct crb_regs_tail {
89 CRB_DRV_STS_COMPLETE = BIT(0),
95 struct crb_regs_head __iomem *regs_h;
96 struct crb_regs_tail __iomem *regs_t;
101 u32 __iomem *pluton_start_addr;
102 u32 __iomem *pluton_reply_addr;
105 struct tpm2_crb_smc {
113 struct tpm2_crb_pluton {
118 static bool crb_wait_for_reg_32(u32 __iomem *reg, u32 mask, u32 value,
119 unsigned long timeout)
125 stop = ktime_add(start, ms_to_ktime(timeout));
128 if ((ioread32(reg) & mask) == value)
131 usleep_range(50, 100);
132 } while (ktime_before(ktime_get(), stop));
134 return ((ioread32(reg) & mask) == value);
137 static int crb_try_pluton_doorbell(struct crb_priv *priv, bool wait_for_complete)
139 if (priv->sm != ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON)
142 if (!crb_wait_for_reg_32(priv->pluton_reply_addr, ~0, 1, TPM2_TIMEOUT_C))
145 iowrite32(1, priv->pluton_start_addr);
146 if (wait_for_complete == false)
149 if (!crb_wait_for_reg_32(priv->pluton_start_addr,
157 * __crb_go_idle - request tpm crb device to go the idle state
160 * @priv: crb private data
162 * Write CRB_CTRL_REQ_GO_IDLE to TPM_CRB_CTRL_REQ
163 * The device should respond within TIMEOUT_C by clearing the bit.
164 * Anyhow, we do not wait here as a consequent CMD_READY request
165 * will be handled correctly even if idle was not completed.
167 * The function does nothing for devices with ACPI-start method
168 * or SMC-start method.
172 static int __crb_go_idle(struct device *dev, struct crb_priv *priv)
176 if ((priv->sm == ACPI_TPM2_START_METHOD) ||
177 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) ||
178 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC))
181 iowrite32(CRB_CTRL_REQ_GO_IDLE, &priv->regs_t->ctrl_req);
183 rc = crb_try_pluton_doorbell(priv, true);
187 if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_req,
188 CRB_CTRL_REQ_GO_IDLE/* mask */,
191 dev_warn(dev, "goIdle timed out\n");
198 static int crb_go_idle(struct tpm_chip *chip)
200 struct device *dev = &chip->dev;
201 struct crb_priv *priv = dev_get_drvdata(dev);
203 return __crb_go_idle(dev, priv);
207 * __crb_cmd_ready - request tpm crb device to enter ready state
210 * @priv: crb private data
212 * Write CRB_CTRL_REQ_CMD_READY to TPM_CRB_CTRL_REQ
213 * and poll till the device acknowledge it by clearing the bit.
214 * The device should respond within TIMEOUT_C.
216 * The function does nothing for devices with ACPI-start method
217 * or SMC-start method.
219 * Return: 0 on success -ETIME on timeout;
221 static int __crb_cmd_ready(struct device *dev, struct crb_priv *priv)
225 if ((priv->sm == ACPI_TPM2_START_METHOD) ||
226 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) ||
227 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC))
230 iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->regs_t->ctrl_req);
232 rc = crb_try_pluton_doorbell(priv, true);
236 if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_req,
237 CRB_CTRL_REQ_CMD_READY /* mask */,
240 dev_warn(dev, "cmdReady timed out\n");
247 static int crb_cmd_ready(struct tpm_chip *chip)
249 struct device *dev = &chip->dev;
250 struct crb_priv *priv = dev_get_drvdata(dev);
252 return __crb_cmd_ready(dev, priv);
255 static int __crb_request_locality(struct device *dev,
256 struct crb_priv *priv, int loc)
258 u32 value = CRB_LOC_STATE_LOC_ASSIGNED |
259 CRB_LOC_STATE_TPM_REG_VALID_STS;
264 iowrite32(CRB_LOC_CTRL_REQUEST_ACCESS, &priv->regs_h->loc_ctrl);
265 if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, value, value,
267 dev_warn(dev, "TPM_LOC_STATE_x.requestAccess timed out\n");
274 static int crb_request_locality(struct tpm_chip *chip, int loc)
276 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
278 return __crb_request_locality(&chip->dev, priv, loc);
281 static int __crb_relinquish_locality(struct device *dev,
282 struct crb_priv *priv, int loc)
284 u32 mask = CRB_LOC_STATE_LOC_ASSIGNED |
285 CRB_LOC_STATE_TPM_REG_VALID_STS;
286 u32 value = CRB_LOC_STATE_TPM_REG_VALID_STS;
291 iowrite32(CRB_LOC_CTRL_RELINQUISH, &priv->regs_h->loc_ctrl);
292 if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, mask, value,
294 dev_warn(dev, "TPM_LOC_STATE_x.Relinquish timed out\n");
301 static int crb_relinquish_locality(struct tpm_chip *chip, int loc)
303 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
305 return __crb_relinquish_locality(&chip->dev, priv, loc);
308 static u8 crb_status(struct tpm_chip *chip)
310 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
313 if ((ioread32(&priv->regs_t->ctrl_start) & CRB_START_INVOKE) !=
315 sts |= CRB_DRV_STS_COMPLETE;
320 static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
322 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
323 unsigned int expected;
325 /* A sanity check that the upper layer wants to get at least the header
326 * as that is the minimum size for any TPM response.
328 if (count < TPM_HEADER_SIZE)
331 /* If this bit is set, according to the spec, the TPM is in
332 * unrecoverable condition.
334 if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
337 /* Read the first 8 bytes in order to get the length of the response.
338 * We read exactly a quad word in order to make sure that the remaining
339 * reads will be aligned.
341 memcpy_fromio(buf, priv->rsp, 8);
343 expected = be32_to_cpup((__be32 *)&buf[2]);
344 if (expected > count || expected < TPM_HEADER_SIZE)
347 memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8);
352 static int crb_do_acpi_start(struct tpm_chip *chip)
354 union acpi_object *obj;
357 obj = acpi_evaluate_dsm(chip->acpi_dev_handle,
358 &crb_acpi_start_guid,
359 CRB_ACPI_START_REVISION_ID,
360 CRB_ACPI_START_INDEX,
364 rc = obj->integer.value == 0 ? 0 : -ENXIO;
371 * This is a TPM Command Response Buffer start method that invokes a
372 * Secure Monitor Call to requrest the firmware to execute or cancel
375 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id)
377 struct arm_smccc_res res;
379 arm_smccc_smc(func_id, 0, 0, 0, 0, 0, 0, 0, &res);
382 FW_BUG "tpm_crb_smc_start() returns res.a0 = 0x%lx\n",
390 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id)
392 dev_err(dev, FW_BUG "tpm_crb: incorrect start method\n");
397 static int crb_send(struct tpm_chip *chip, u8 *buf, size_t len)
399 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
402 /* Zero the cancel register so that the next command will not get
405 iowrite32(0, &priv->regs_t->ctrl_cancel);
407 if (len > priv->cmd_size) {
408 dev_err(&chip->dev, "invalid command count value %zd %d\n",
409 len, priv->cmd_size);
413 /* Seems to be necessary for every command */
414 if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON)
415 __crb_cmd_ready(&chip->dev, priv);
417 memcpy_toio(priv->cmd, buf, len);
419 /* Make sure that cmd is populated before issuing start. */
422 /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
423 * report only ACPI start but in practice seems to require both
424 * CRB start, hence invoking CRB start method if hid == MSFT0101.
426 if ((priv->sm == ACPI_TPM2_COMMAND_BUFFER) ||
427 (priv->sm == ACPI_TPM2_MEMORY_MAPPED) ||
428 (!strcmp(priv->hid, "MSFT0101")))
429 iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
431 if ((priv->sm == ACPI_TPM2_START_METHOD) ||
432 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD))
433 rc = crb_do_acpi_start(chip);
435 if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
436 iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
437 rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id);
443 return crb_try_pluton_doorbell(priv, false);
446 static void crb_cancel(struct tpm_chip *chip)
448 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
450 iowrite32(CRB_CANCEL_INVOKE, &priv->regs_t->ctrl_cancel);
452 if (((priv->sm == ACPI_TPM2_START_METHOD) ||
453 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD)) &&
454 crb_do_acpi_start(chip))
455 dev_err(&chip->dev, "ACPI Start failed\n");
458 static bool crb_req_canceled(struct tpm_chip *chip, u8 status)
460 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
461 u32 cancel = ioread32(&priv->regs_t->ctrl_cancel);
463 return (cancel & CRB_CANCEL_INVOKE) == CRB_CANCEL_INVOKE;
466 static const struct tpm_class_ops tpm_crb = {
467 .flags = TPM_OPS_AUTO_STARTUP,
468 .status = crb_status,
471 .cancel = crb_cancel,
472 .req_canceled = crb_req_canceled,
473 .go_idle = crb_go_idle,
474 .cmd_ready = crb_cmd_ready,
475 .request_locality = crb_request_locality,
476 .relinquish_locality = crb_relinquish_locality,
477 .req_complete_mask = CRB_DRV_STS_COMPLETE,
478 .req_complete_val = CRB_DRV_STS_COMPLETE,
481 static int crb_check_resource(struct acpi_resource *ares, void *data)
483 struct resource *iores_array = data;
484 struct resource_win win;
485 struct resource *res = &(win.res);
488 if (acpi_dev_resource_memory(ares, res) ||
489 acpi_dev_resource_address_space(ares, &win)) {
490 for (i = 0; i < TPM_CRB_MAX_RESOURCES + 1; ++i) {
491 if (resource_type(iores_array + i) != IORESOURCE_MEM) {
492 iores_array[i] = *res;
493 iores_array[i].name = NULL;
502 static void __iomem *crb_map_res(struct device *dev, struct resource *iores,
503 void __iomem **iobase_ptr, u64 start, u32 size)
505 struct resource new_res = {
507 .end = start + size - 1,
508 .flags = IORESOURCE_MEM,
511 /* Detect a 64 bit address on a 32 bit system */
512 if (start != new_res.start)
513 return IOMEM_ERR_PTR(-EINVAL);
516 return devm_ioremap_resource(dev, &new_res);
519 *iobase_ptr = devm_ioremap_resource(dev, iores);
520 if (IS_ERR(*iobase_ptr))
524 return *iobase_ptr + (new_res.start - iores->start);
528 * Work around broken BIOSs that return inconsistent values from the ACPI
529 * region vs the registers. Trust the ACPI region. Such broken systems
530 * probably cannot send large TPM commands since the buffer will be truncated.
532 static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res,
535 if (io_res->start > start || io_res->end < start)
538 if (start + size - 1 <= io_res->end)
542 FW_BUG "ACPI region does not cover the entire command/response buffer. %pr vs %llx %llx\n",
543 io_res, start, size);
545 return io_res->end - start + 1;
548 static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
549 struct acpi_table_tpm2 *buf)
551 struct list_head acpi_resource_list;
552 struct resource iores_array[TPM_CRB_MAX_RESOURCES + 1] = { {0} };
553 void __iomem *iobase_array[TPM_CRB_MAX_RESOURCES] = {NULL};
554 struct device *dev = &device->dev;
555 struct resource *iores;
556 void __iomem **iobase_ptr;
566 INIT_LIST_HEAD(&acpi_resource_list);
567 ret = acpi_dev_get_resources(device, &acpi_resource_list,
568 crb_check_resource, iores_array);
571 acpi_dev_free_resource_list(&acpi_resource_list);
573 /* Pluton doesn't appear to define ACPI memory regions */
574 if (priv->sm != ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON) {
575 if (resource_type(iores_array) != IORESOURCE_MEM) {
576 dev_err(dev, FW_BUG "TPM2 ACPI table does not define a memory resource\n");
578 } else if (resource_type(iores_array + TPM_CRB_MAX_RESOURCES) ==
580 dev_warn(dev, "TPM2 ACPI table defines too many memory resources\n");
581 memset(iores_array + TPM_CRB_MAX_RESOURCES,
582 0, sizeof(*iores_array));
583 iores_array[TPM_CRB_MAX_RESOURCES].flags = 0;
589 for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) {
590 if (buf->control_address >= iores_array[i].start &&
591 buf->control_address + sizeof(struct crb_regs_tail) - 1 <=
592 iores_array[i].end) {
593 iores = iores_array + i;
594 iobase_ptr = iobase_array + i;
599 priv->regs_t = crb_map_res(dev, iores, iobase_ptr, buf->control_address,
600 sizeof(struct crb_regs_tail));
602 if (IS_ERR(priv->regs_t))
603 return PTR_ERR(priv->regs_t);
605 /* The ACPI IO region starts at the head area and continues to include
606 * the control area, as one nice sane region except for some older
607 * stuff that puts the control area outside the ACPI IO region.
609 if ((priv->sm == ACPI_TPM2_COMMAND_BUFFER) ||
610 (priv->sm == ACPI_TPM2_MEMORY_MAPPED)) {
612 buf->control_address == iores->start +
613 sizeof(*priv->regs_h))
614 priv->regs_h = *iobase_ptr;
616 dev_warn(dev, FW_BUG "Bad ACPI memory layout");
619 ret = __crb_request_locality(dev, priv, 0);
624 * PTT HW bug w/a: wake up the device to access
625 * possibly not retained registers.
627 ret = __crb_cmd_ready(dev, priv);
629 goto out_relinquish_locality;
631 pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high);
632 pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low);
633 cmd_pa = ((u64)pa_high << 32) | pa_low;
634 cmd_size = ioread32(&priv->regs_t->ctrl_cmd_size);
638 for (i = 0; iores_array[i].end; ++i) {
639 if (cmd_pa >= iores_array[i].start &&
640 cmd_pa <= iores_array[i].end) {
641 iores = iores_array + i;
642 iobase_ptr = iobase_array + i;
648 cmd_size = crb_fixup_cmd_size(dev, iores, cmd_pa, cmd_size);
650 dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n",
651 pa_high, pa_low, cmd_size);
653 priv->cmd = crb_map_res(dev, iores, iobase_ptr, cmd_pa, cmd_size);
654 if (IS_ERR(priv->cmd)) {
655 ret = PTR_ERR(priv->cmd);
659 memcpy_fromio(&__rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8);
660 rsp_pa = le64_to_cpu(__rsp_pa);
661 rsp_size = ioread32(&priv->regs_t->ctrl_rsp_size);
665 for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) {
666 if (rsp_pa >= iores_array[i].start &&
667 rsp_pa <= iores_array[i].end) {
668 iores = iores_array + i;
669 iobase_ptr = iobase_array + i;
675 rsp_size = crb_fixup_cmd_size(dev, iores, rsp_pa, rsp_size);
677 if (cmd_pa != rsp_pa) {
678 priv->rsp = crb_map_res(dev, iores, iobase_ptr,
680 ret = PTR_ERR_OR_ZERO(priv->rsp);
684 /* According to the PTP specification, overlapping command and response
685 * buffer sizes must be identical.
687 if (cmd_size != rsp_size) {
688 dev_err(dev, FW_BUG "overlapping command and response buffer sizes are not identical");
693 priv->rsp = priv->cmd;
697 priv->cmd_size = cmd_size;
699 __crb_go_idle(dev, priv);
701 out_relinquish_locality:
703 __crb_relinquish_locality(dev, priv, 0);
708 static int crb_map_pluton(struct device *dev, struct crb_priv *priv,
709 struct acpi_table_tpm2 *buf, struct tpm2_crb_pluton *crb_pluton)
711 priv->pluton_start_addr = crb_map_res(dev, NULL, NULL,
712 crb_pluton->start_addr, 4);
713 if (IS_ERR(priv->pluton_start_addr))
714 return PTR_ERR(priv->pluton_start_addr);
716 priv->pluton_reply_addr = crb_map_res(dev, NULL, NULL,
717 crb_pluton->reply_addr, 4);
718 if (IS_ERR(priv->pluton_reply_addr))
719 return PTR_ERR(priv->pluton_reply_addr);
724 static int crb_acpi_add(struct acpi_device *device)
726 struct acpi_table_tpm2 *buf;
727 struct crb_priv *priv;
728 struct tpm_chip *chip;
729 struct device *dev = &device->dev;
730 struct tpm2_crb_smc *crb_smc;
731 struct tpm2_crb_pluton *crb_pluton;
736 status = acpi_get_table(ACPI_SIG_TPM2, 1,
737 (struct acpi_table_header **) &buf);
738 if (ACPI_FAILURE(status) || buf->header.length < sizeof(*buf)) {
739 dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n");
743 /* Should the FIFO driver handle this? */
744 sm = buf->start_method;
745 if (sm == ACPI_TPM2_MEMORY_MAPPED) {
750 priv = devm_kzalloc(dev, sizeof(struct crb_priv), GFP_KERNEL);
756 if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
757 if (buf->header.length < (sizeof(*buf) + sizeof(*crb_smc))) {
759 FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n",
761 ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC);
765 crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, sizeof(*buf));
766 priv->smc_func_id = crb_smc->smc_func_id;
769 if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON) {
770 if (buf->header.length < (sizeof(*buf) + sizeof(*crb_pluton))) {
772 FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n",
774 ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON);
777 crb_pluton = ACPI_ADD_PTR(struct tpm2_crb_pluton, buf, sizeof(*buf));
778 rc = crb_map_pluton(dev, priv, buf, crb_pluton);
784 priv->hid = acpi_device_hid(device);
786 rc = crb_map_io(device, priv, buf);
790 chip = tpmm_chip_alloc(dev, &tpm_crb);
796 dev_set_drvdata(&chip->dev, priv);
797 chip->acpi_dev_handle = device->handle;
798 chip->flags = TPM_CHIP_FLAG_TPM2;
800 rc = tpm_chip_register(chip);
803 acpi_put_table((struct acpi_table_header *)buf);
807 static void crb_acpi_remove(struct acpi_device *device)
809 struct device *dev = &device->dev;
810 struct tpm_chip *chip = dev_get_drvdata(dev);
812 tpm_chip_unregister(chip);
815 static const struct dev_pm_ops crb_pm = {
816 SET_SYSTEM_SLEEP_PM_OPS(tpm_pm_suspend, tpm_pm_resume)
819 static const struct acpi_device_id crb_device_ids[] = {
823 MODULE_DEVICE_TABLE(acpi, crb_device_ids);
825 static struct acpi_driver crb_acpi_driver = {
827 .ids = crb_device_ids,
830 .remove = crb_acpi_remove,
837 module_acpi_driver(crb_acpi_driver);
839 MODULE_DESCRIPTION("TPM2 Driver");
840 MODULE_VERSION("0.1");
841 MODULE_LICENSE("GPL");