1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2014 Intel Corporation
10 * This device driver implements the TPM interface as defined in
11 * the TCG CRB 2.0 TPM specification.
14 #include <linux/acpi.h>
15 #include <linux/highmem.h>
16 #include <linux/rculist.h>
17 #include <linux/module.h>
18 #include <linux/pm_runtime.h>
20 #include <linux/arm-smccc.h>
24 #define ACPI_SIG_TPM2 "TPM2"
26 static const guid_t crb_acpi_start_guid =
27 GUID_INIT(0x6BBF6CAB, 0x5463, 0x4714,
28 0xB7, 0xCD, 0xF0, 0x20, 0x3C, 0x03, 0x68, 0xD4);
31 CRB_ACPI_START_REVISION_ID = 1,
32 CRB_ACPI_START_INDEX = 1,
36 CRB_LOC_CTRL_REQUEST_ACCESS = BIT(0),
37 CRB_LOC_CTRL_RELINQUISH = BIT(1),
41 CRB_LOC_STATE_LOC_ASSIGNED = BIT(1),
42 CRB_LOC_STATE_TPM_REG_VALID_STS = BIT(7),
46 CRB_CTRL_REQ_CMD_READY = BIT(0),
47 CRB_CTRL_REQ_GO_IDLE = BIT(1),
51 CRB_CTRL_STS_ERROR = BIT(0),
52 CRB_CTRL_STS_TPM_IDLE = BIT(1),
56 CRB_START_INVOKE = BIT(0),
60 CRB_CANCEL_INVOKE = BIT(0),
63 struct crb_regs_head {
73 struct crb_regs_tail {
88 CRB_DRV_STS_COMPLETE = BIT(0),
95 struct crb_regs_head __iomem *regs_h;
96 struct crb_regs_tail __iomem *regs_t;
103 struct tpm2_crb_smc {
111 static bool crb_wait_for_reg_32(u32 __iomem *reg, u32 mask, u32 value,
112 unsigned long timeout)
118 stop = ktime_add(start, ms_to_ktime(timeout));
121 if ((ioread32(reg) & mask) == value)
124 usleep_range(50, 100);
125 } while (ktime_before(ktime_get(), stop));
127 return ((ioread32(reg) & mask) == value);
131 * __crb_go_idle - request tpm crb device to go the idle state
134 * @priv: crb private data
136 * Write CRB_CTRL_REQ_GO_IDLE to TPM_CRB_CTRL_REQ
137 * The device should respond within TIMEOUT_C by clearing the bit.
138 * Anyhow, we do not wait here as a consequent CMD_READY request
139 * will be handled correctly even if idle was not completed.
141 * The function does nothing for devices with ACPI-start method
142 * or SMC-start method.
146 static int __crb_go_idle(struct device *dev, struct crb_priv *priv)
148 if ((priv->sm == ACPI_TPM2_START_METHOD) ||
149 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) ||
150 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC))
153 iowrite32(CRB_CTRL_REQ_GO_IDLE, &priv->regs_t->ctrl_req);
155 if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_req,
156 CRB_CTRL_REQ_GO_IDLE/* mask */,
159 dev_warn(dev, "goIdle timed out\n");
166 static int crb_go_idle(struct tpm_chip *chip)
168 struct device *dev = &chip->dev;
169 struct crb_priv *priv = dev_get_drvdata(dev);
171 return __crb_go_idle(dev, priv);
175 * __crb_cmd_ready - request tpm crb device to enter ready state
178 * @priv: crb private data
180 * Write CRB_CTRL_REQ_CMD_READY to TPM_CRB_CTRL_REQ
181 * and poll till the device acknowledge it by clearing the bit.
182 * The device should respond within TIMEOUT_C.
184 * The function does nothing for devices with ACPI-start method
185 * or SMC-start method.
187 * Return: 0 on success -ETIME on timeout;
189 static int __crb_cmd_ready(struct device *dev, struct crb_priv *priv)
191 if ((priv->sm == ACPI_TPM2_START_METHOD) ||
192 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD) ||
193 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC))
196 iowrite32(CRB_CTRL_REQ_CMD_READY, &priv->regs_t->ctrl_req);
197 if (!crb_wait_for_reg_32(&priv->regs_t->ctrl_req,
198 CRB_CTRL_REQ_CMD_READY /* mask */,
201 dev_warn(dev, "cmdReady timed out\n");
208 static int crb_cmd_ready(struct tpm_chip *chip)
210 struct device *dev = &chip->dev;
211 struct crb_priv *priv = dev_get_drvdata(dev);
213 return __crb_cmd_ready(dev, priv);
216 static int __crb_request_locality(struct device *dev,
217 struct crb_priv *priv, int loc)
219 u32 value = CRB_LOC_STATE_LOC_ASSIGNED |
220 CRB_LOC_STATE_TPM_REG_VALID_STS;
225 iowrite32(CRB_LOC_CTRL_REQUEST_ACCESS, &priv->regs_h->loc_ctrl);
226 if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, value, value,
228 dev_warn(dev, "TPM_LOC_STATE_x.requestAccess timed out\n");
235 static int crb_request_locality(struct tpm_chip *chip, int loc)
237 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
239 return __crb_request_locality(&chip->dev, priv, loc);
242 static int __crb_relinquish_locality(struct device *dev,
243 struct crb_priv *priv, int loc)
245 u32 mask = CRB_LOC_STATE_LOC_ASSIGNED |
246 CRB_LOC_STATE_TPM_REG_VALID_STS;
247 u32 value = CRB_LOC_STATE_TPM_REG_VALID_STS;
252 iowrite32(CRB_LOC_CTRL_RELINQUISH, &priv->regs_h->loc_ctrl);
253 if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, mask, value,
255 dev_warn(dev, "TPM_LOC_STATE_x.requestAccess timed out\n");
262 static int crb_relinquish_locality(struct tpm_chip *chip, int loc)
264 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
266 return __crb_relinquish_locality(&chip->dev, priv, loc);
269 static u8 crb_status(struct tpm_chip *chip)
271 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
274 if ((ioread32(&priv->regs_t->ctrl_start) & CRB_START_INVOKE) !=
276 sts |= CRB_DRV_STS_COMPLETE;
281 static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
283 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
284 unsigned int expected;
286 /* A sanity check that the upper layer wants to get at least the header
287 * as that is the minimum size for any TPM response.
289 if (count < TPM_HEADER_SIZE)
292 /* If this bit is set, according to the spec, the TPM is in
293 * unrecoverable condition.
295 if (ioread32(&priv->regs_t->ctrl_sts) & CRB_CTRL_STS_ERROR)
298 /* Read the first 8 bytes in order to get the length of the response.
299 * We read exactly a quad word in order to make sure that the remaining
300 * reads will be aligned.
302 memcpy_fromio(buf, priv->rsp, 8);
304 expected = be32_to_cpup((__be32 *)&buf[2]);
305 if (expected > count || expected < TPM_HEADER_SIZE)
308 memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8);
313 static int crb_do_acpi_start(struct tpm_chip *chip)
315 union acpi_object *obj;
318 obj = acpi_evaluate_dsm(chip->acpi_dev_handle,
319 &crb_acpi_start_guid,
320 CRB_ACPI_START_REVISION_ID,
321 CRB_ACPI_START_INDEX,
325 rc = obj->integer.value == 0 ? 0 : -ENXIO;
332 * This is a TPM Command Response Buffer start method that invokes a
333 * Secure Monitor Call to requrest the firmware to execute or cancel
336 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id)
338 struct arm_smccc_res res;
340 arm_smccc_smc(func_id, 0, 0, 0, 0, 0, 0, 0, &res);
343 FW_BUG "tpm_crb_smc_start() returns res.a0 = 0x%lx\n",
351 static int tpm_crb_smc_start(struct device *dev, unsigned long func_id)
353 dev_err(dev, FW_BUG "tpm_crb: incorrect start method\n");
358 static int crb_send(struct tpm_chip *chip, u8 *buf, size_t len)
360 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
363 /* Zero the cancel register so that the next command will not get
366 iowrite32(0, &priv->regs_t->ctrl_cancel);
368 if (len > priv->cmd_size) {
369 dev_err(&chip->dev, "invalid command count value %zd %d\n",
370 len, priv->cmd_size);
374 memcpy_toio(priv->cmd, buf, len);
376 /* Make sure that cmd is populated before issuing start. */
379 /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
380 * report only ACPI start but in practice seems to require both
381 * CRB start, hence invoking CRB start method if hid == MSFT0101.
383 if ((priv->sm == ACPI_TPM2_COMMAND_BUFFER) ||
384 (priv->sm == ACPI_TPM2_MEMORY_MAPPED) ||
385 (!strcmp(priv->hid, "MSFT0101")))
386 iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
388 if ((priv->sm == ACPI_TPM2_START_METHOD) ||
389 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD))
390 rc = crb_do_acpi_start(chip);
392 if (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
393 iowrite32(CRB_START_INVOKE, &priv->regs_t->ctrl_start);
394 rc = tpm_crb_smc_start(&chip->dev, priv->smc_func_id);
400 static void crb_cancel(struct tpm_chip *chip)
402 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
404 iowrite32(CRB_CANCEL_INVOKE, &priv->regs_t->ctrl_cancel);
406 if (((priv->sm == ACPI_TPM2_START_METHOD) ||
407 (priv->sm == ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD)) &&
408 crb_do_acpi_start(chip))
409 dev_err(&chip->dev, "ACPI Start failed\n");
412 static bool crb_req_canceled(struct tpm_chip *chip, u8 status)
414 struct crb_priv *priv = dev_get_drvdata(&chip->dev);
415 u32 cancel = ioread32(&priv->regs_t->ctrl_cancel);
417 return (cancel & CRB_CANCEL_INVOKE) == CRB_CANCEL_INVOKE;
420 static const struct tpm_class_ops tpm_crb = {
421 .flags = TPM_OPS_AUTO_STARTUP,
422 .status = crb_status,
425 .cancel = crb_cancel,
426 .req_canceled = crb_req_canceled,
427 .go_idle = crb_go_idle,
428 .cmd_ready = crb_cmd_ready,
429 .request_locality = crb_request_locality,
430 .relinquish_locality = crb_relinquish_locality,
431 .req_complete_mask = CRB_DRV_STS_COMPLETE,
432 .req_complete_val = CRB_DRV_STS_COMPLETE,
435 static int crb_check_resource(struct acpi_resource *ares, void *data)
437 struct resource *io_res = data;
438 struct resource_win win;
439 struct resource *res = &(win.res);
441 if (acpi_dev_resource_memory(ares, res) ||
442 acpi_dev_resource_address_space(ares, &win)) {
450 static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv,
451 struct resource *io_res, u64 start, u32 size)
453 struct resource new_res = {
455 .end = start + size - 1,
456 .flags = IORESOURCE_MEM,
459 /* Detect a 64 bit address on a 32 bit system */
460 if (start != new_res.start)
461 return (void __iomem *) ERR_PTR(-EINVAL);
463 if (!resource_contains(io_res, &new_res))
464 return devm_ioremap_resource(dev, &new_res);
466 return priv->iobase + (new_res.start - io_res->start);
470 * Work around broken BIOSs that return inconsistent values from the ACPI
471 * region vs the registers. Trust the ACPI region. Such broken systems
472 * probably cannot send large TPM commands since the buffer will be truncated.
474 static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res,
477 if (io_res->start > start || io_res->end < start)
480 if (start + size - 1 <= io_res->end)
484 FW_BUG "ACPI region does not cover the entire command/response buffer. %pr vs %llx %llx\n",
485 io_res, start, size);
487 return io_res->end - start + 1;
490 static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
491 struct acpi_table_tpm2 *buf)
493 struct list_head resources;
494 struct resource io_res;
495 struct device *dev = &device->dev;
504 INIT_LIST_HEAD(&resources);
505 ret = acpi_dev_get_resources(device, &resources, crb_check_resource,
509 acpi_dev_free_resource_list(&resources);
511 if (resource_type(&io_res) != IORESOURCE_MEM) {
512 dev_err(dev, FW_BUG "TPM2 ACPI table does not define a memory resource\n");
516 priv->iobase = devm_ioremap_resource(dev, &io_res);
517 if (IS_ERR(priv->iobase))
518 return PTR_ERR(priv->iobase);
520 /* The ACPI IO region starts at the head area and continues to include
521 * the control area, as one nice sane region except for some older
522 * stuff that puts the control area outside the ACPI IO region.
524 if ((priv->sm == ACPI_TPM2_COMMAND_BUFFER) ||
525 (priv->sm == ACPI_TPM2_MEMORY_MAPPED)) {
526 if (buf->control_address == io_res.start +
527 sizeof(*priv->regs_h))
528 priv->regs_h = priv->iobase;
530 dev_warn(dev, FW_BUG "Bad ACPI memory layout");
533 ret = __crb_request_locality(dev, priv, 0);
537 priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address,
538 sizeof(struct crb_regs_tail));
539 if (IS_ERR(priv->regs_t)) {
540 ret = PTR_ERR(priv->regs_t);
541 goto out_relinquish_locality;
545 * PTT HW bug w/a: wake up the device to access
546 * possibly not retained registers.
548 ret = __crb_cmd_ready(dev, priv);
550 goto out_relinquish_locality;
552 pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high);
553 pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low);
554 cmd_pa = ((u64)pa_high << 32) | pa_low;
555 cmd_size = crb_fixup_cmd_size(dev, &io_res, cmd_pa,
556 ioread32(&priv->regs_t->ctrl_cmd_size));
558 dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n",
559 pa_high, pa_low, cmd_size);
561 priv->cmd = crb_map_res(dev, priv, &io_res, cmd_pa, cmd_size);
562 if (IS_ERR(priv->cmd)) {
563 ret = PTR_ERR(priv->cmd);
567 memcpy_fromio(&__rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8);
568 rsp_pa = le64_to_cpu(__rsp_pa);
569 rsp_size = crb_fixup_cmd_size(dev, &io_res, rsp_pa,
570 ioread32(&priv->regs_t->ctrl_rsp_size));
572 if (cmd_pa != rsp_pa) {
573 priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size);
574 ret = PTR_ERR_OR_ZERO(priv->rsp);
578 /* According to the PTP specification, overlapping command and response
579 * buffer sizes must be identical.
581 if (cmd_size != rsp_size) {
582 dev_err(dev, FW_BUG "overlapping command and response buffer sizes are not identical");
587 priv->rsp = priv->cmd;
591 priv->cmd_size = cmd_size;
593 __crb_go_idle(dev, priv);
595 out_relinquish_locality:
597 __crb_relinquish_locality(dev, priv, 0);
602 static int crb_acpi_add(struct acpi_device *device)
604 struct acpi_table_tpm2 *buf;
605 struct crb_priv *priv;
606 struct tpm_chip *chip;
607 struct device *dev = &device->dev;
608 struct tpm2_crb_smc *crb_smc;
613 status = acpi_get_table(ACPI_SIG_TPM2, 1,
614 (struct acpi_table_header **) &buf);
615 if (ACPI_FAILURE(status) || buf->header.length < sizeof(*buf)) {
616 dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n");
620 /* Should the FIFO driver handle this? */
621 sm = buf->start_method;
622 if (sm == ACPI_TPM2_MEMORY_MAPPED)
625 priv = devm_kzalloc(dev, sizeof(struct crb_priv), GFP_KERNEL);
629 if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
630 if (buf->header.length < (sizeof(*buf) + sizeof(*crb_smc))) {
632 FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n",
634 ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC);
637 crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, sizeof(*buf));
638 priv->smc_func_id = crb_smc->smc_func_id;
642 priv->hid = acpi_device_hid(device);
644 rc = crb_map_io(device, priv, buf);
648 chip = tpmm_chip_alloc(dev, &tpm_crb);
650 return PTR_ERR(chip);
652 dev_set_drvdata(&chip->dev, priv);
653 chip->acpi_dev_handle = device->handle;
654 chip->flags = TPM_CHIP_FLAG_TPM2;
656 return tpm_chip_register(chip);
659 static int crb_acpi_remove(struct acpi_device *device)
661 struct device *dev = &device->dev;
662 struct tpm_chip *chip = dev_get_drvdata(dev);
664 tpm_chip_unregister(chip);
669 static const struct dev_pm_ops crb_pm = {
670 SET_SYSTEM_SLEEP_PM_OPS(tpm_pm_suspend, tpm_pm_resume)
673 static const struct acpi_device_id crb_device_ids[] = {
677 MODULE_DEVICE_TABLE(acpi, crb_device_ids);
679 static struct acpi_driver crb_acpi_driver = {
681 .ids = crb_device_ids,
684 .remove = crb_acpi_remove,
691 module_acpi_driver(crb_acpi_driver);
693 MODULE_DESCRIPTION("TPM2 Driver");
694 MODULE_VERSION("0.1");
695 MODULE_LICENSE("GPL");
projects / linux.git / blob