blob: 6c494eb98a339c5b77859bdbc1ccbd8e6a6a6ff5 [file] [log] [blame]
Vadim Bendebury5e124722011-10-17 08:36:14 +00001/*
2 * Copyright (c) 2011 The Chromium OS Authors.
3 *
4 * See file CREDITS for list of people who contributed to this
5 * project.
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation; either version 2 of
10 * the License, or (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
20 * MA 02111-1307 USA
21 */
22
23/*
24 * The code in this file is based on the article "Writing a TPM Device Driver"
25 * published on http://ptgmedia.pearsoncmg.com.
26 *
27 * One principal difference is that in the simplest config the other than 0
28 * TPM localities do not get mapped by some devices (for instance, by Infineon
29 * slb9635), so this driver provides access to locality 0 only.
30 */
31
32#include <common.h>
33#include <asm/io.h>
34#include <tpm.h>
35
36#define PREFIX "lpc_tpm: "
37
38struct tpm_locality {
39 u32 access;
40 u8 padding0[4];
41 u32 int_enable;
42 u8 vector;
43 u8 padding1[3];
44 u32 int_status;
45 u32 int_capability;
46 u32 tpm_status;
47 u8 padding2[8];
48 u8 data;
49 u8 padding3[3803];
50 u32 did_vid;
51 u8 rid;
52 u8 padding4[251];
53};
54
55/*
56 * This pointer refers to the TPM chip, 5 of its localities are mapped as an
57 * array.
58 */
59#define TPM_TOTAL_LOCALITIES 5
60static struct tpm_locality *lpc_tpm_dev =
61 (struct tpm_locality *)CONFIG_TPM_TIS_BASE_ADDRESS;
62
63/* Some registers' bit field definitions */
64#define TIS_STS_VALID (1 << 7) /* 0x80 */
65#define TIS_STS_COMMAND_READY (1 << 6) /* 0x40 */
66#define TIS_STS_TPM_GO (1 << 5) /* 0x20 */
67#define TIS_STS_DATA_AVAILABLE (1 << 4) /* 0x10 */
68#define TIS_STS_EXPECT (1 << 3) /* 0x08 */
69#define TIS_STS_RESPONSE_RETRY (1 << 1) /* 0x02 */
70
71#define TIS_ACCESS_TPM_REG_VALID_STS (1 << 7) /* 0x80 */
72#define TIS_ACCESS_ACTIVE_LOCALITY (1 << 5) /* 0x20 */
73#define TIS_ACCESS_BEEN_SEIZED (1 << 4) /* 0x10 */
74#define TIS_ACCESS_SEIZE (1 << 3) /* 0x08 */
75#define TIS_ACCESS_PENDING_REQUEST (1 << 2) /* 0x04 */
76#define TIS_ACCESS_REQUEST_USE (1 << 1) /* 0x02 */
77#define TIS_ACCESS_TPM_ESTABLISHMENT (1 << 0) /* 0x01 */
78
79#define TIS_STS_BURST_COUNT_MASK (0xffff)
80#define TIS_STS_BURST_COUNT_SHIFT (8)
81
82/*
83 * Error value returned if a tpm register does not enter the expected state
84 * after continuous polling. No actual TPM register reading ever returns -1,
85 * so this value is a safe error indication to be mixed with possible status
86 * register values.
87 */
88#define TPM_TIMEOUT_ERR (-1)
89
90/* Error value returned on various TPM driver errors. */
91#define TPM_DRIVER_ERR (1)
92
93 /* 1 second is plenty for anything TPM does. */
94#define MAX_DELAY_US (1000 * 1000)
95
96/* Retrieve burst count value out of the status register contents. */
97static u16 burst_count(u32 status)
98{
99 return (status >> TIS_STS_BURST_COUNT_SHIFT) & TIS_STS_BURST_COUNT_MASK;
100}
101
102/*
103 * Structures defined below allow creating descriptions of TPM vendor/device
104 * ID information for run time discovery. The only device the system knows
105 * about at this time is Infineon slb9635.
106 */
107struct device_name {
108 u16 dev_id;
109 const char * const dev_name;
110};
111
112struct vendor_name {
113 u16 vendor_id;
114 const char *vendor_name;
115 const struct device_name *dev_names;
116};
117
118static const struct device_name infineon_devices[] = {
119 {0xb, "SLB9635 TT 1.2"},
120 {0}
121};
122
123static const struct vendor_name vendor_names[] = {
124 {0x15d1, "Infineon", infineon_devices},
125};
126
127/*
128 * Cached vendor/device ID pair to indicate that the device has been already
129 * discovered.
130 */
131static u32 vendor_dev_id;
132
133/* TPM access wrappers to support tracing */
134static u8 tpm_read_byte(const u8 *ptr)
135{
136 u8 ret = readb(ptr);
137 debug(PREFIX "Read reg 0x%4.4x returns 0x%2.2x\n",
138 (u32)ptr - (u32)lpc_tpm_dev, ret);
139 return ret;
140}
141
142static u32 tpm_read_word(const u32 *ptr)
143{
144 u32 ret = readl(ptr);
145 debug(PREFIX "Read reg 0x%4.4x returns 0x%8.8x\n",
146 (u32)ptr - (u32)lpc_tpm_dev, ret);
147 return ret;
148}
149
150static void tpm_write_byte(u8 value, u8 *ptr)
151{
152 debug(PREFIX "Write reg 0x%4.4x with 0x%2.2x\n",
153 (u32)ptr - (u32)lpc_tpm_dev, value);
154 writeb(value, ptr);
155}
156
157static void tpm_write_word(u32 value, u32 *ptr)
158{
159 debug(PREFIX "Write reg 0x%4.4x with 0x%8.8x\n",
160 (u32)ptr - (u32)lpc_tpm_dev, value);
161 writel(value, ptr);
162}
163
164/*
165 * tis_wait_reg()
166 *
167 * Wait for at least a second for a register to change its state to match the
168 * expected state. Normally the transition happens within microseconds.
169 *
170 * @reg - pointer to the TPM register
171 * @mask - bitmask for the bitfield(s) to watch
172 * @expected - value the field(s) are supposed to be set to
173 *
174 * Returns the register contents in case the expected value was found in the
175 * appropriate register bits, or TPM_TIMEOUT_ERR on timeout.
176 */
177static u32 tis_wait_reg(u32 *reg, u8 mask, u8 expected)
178{
179 u32 time_us = MAX_DELAY_US;
180
181 while (time_us > 0) {
182 u32 value = tpm_read_word(reg);
183 if ((value & mask) == expected)
184 return value;
185 udelay(1); /* 1 us */
186 time_us--;
187 }
188 return TPM_TIMEOUT_ERR;
189}
190
191/*
192 * Probe the TPM device and try determining its manufacturer/device name.
193 *
194 * Returns 0 on success (the device is found or was found during an earlier
195 * invocation) or TPM_DRIVER_ERR if the device is not found.
196 */
197int tis_init(void)
198{
199 u32 didvid = tpm_read_word(&lpc_tpm_dev[0].did_vid);
200 int i;
201 const char *device_name = "unknown";
202 const char *vendor_name = device_name;
203 u16 vid, did;
204
205 if (vendor_dev_id)
206 return 0; /* Already probed. */
207
208 if (!didvid || (didvid == 0xffffffff)) {
209 printf("%s: No TPM device found\n", __func__);
210 return TPM_DRIVER_ERR;
211 }
212
213 vendor_dev_id = didvid;
214
215 vid = didvid & 0xffff;
216 did = (didvid >> 16) & 0xffff;
217 for (i = 0; i < ARRAY_SIZE(vendor_names); i++) {
218 int j = 0;
219 u16 known_did;
220
221 if (vid == vendor_names[i].vendor_id)
222 vendor_name = vendor_names[i].vendor_name;
223
224 while ((known_did = vendor_names[i].dev_names[j].dev_id) != 0) {
225 if (known_did == did) {
226 device_name =
227 vendor_names[i].dev_names[j].dev_name;
228 break;
229 }
230 j++;
231 }
232 break;
233 }
234
235 printf("Found TPM %s by %s\n", device_name, vendor_name);
236 return 0;
237}
238
239/*
240 * tis_senddata()
241 *
242 * send the passed in data to the TPM device.
243 *
244 * @data - address of the data to send, byte by byte
245 * @len - length of the data to send
246 *
247 * Returns 0 on success, TPM_DRIVER_ERR on error (in case the device does
248 * not accept the entire command).
249 */
250static u32 tis_senddata(const u8 * const data, u32 len)
251{
252 u32 offset = 0;
253 u16 burst = 0;
254 u32 max_cycles = 0;
255 u8 locality = 0;
256 u32 value;
257
258 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
259 TIS_STS_COMMAND_READY, TIS_STS_COMMAND_READY);
260 if (value == TPM_TIMEOUT_ERR) {
261 printf("%s:%d - failed to get 'command_ready' status\n",
262 __FILE__, __LINE__);
263 return TPM_DRIVER_ERR;
264 }
265 burst = burst_count(value);
266
267 while (1) {
268 unsigned count;
269
270 /* Wait till the device is ready to accept more data. */
271 while (!burst) {
272 if (max_cycles++ == MAX_DELAY_US) {
273 printf("%s:%d failed to feed %d bytes of %d\n",
274 __FILE__, __LINE__, len - offset, len);
275 return TPM_DRIVER_ERR;
276 }
277 udelay(1);
278 burst = burst_count(tpm_read_word(&lpc_tpm_dev
279 [locality].tpm_status));
280 }
281
282 max_cycles = 0;
283
284 /*
285 * Calculate number of bytes the TPM is ready to accept in one
286 * shot.
287 *
288 * We want to send the last byte outside of the loop (hence
289 * the -1 below) to make sure that the 'expected' status bit
290 * changes to zero exactly after the last byte is fed into the
291 * FIFO.
292 */
293 count = min(burst, len - offset - 1);
294 while (count--)
295 tpm_write_byte(data[offset++],
296 &lpc_tpm_dev[locality].data);
297
298 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
299 TIS_STS_VALID, TIS_STS_VALID);
300
301 if ((value == TPM_TIMEOUT_ERR) || !(value & TIS_STS_EXPECT)) {
302 printf("%s:%d TPM command feed overflow\n",
303 __FILE__, __LINE__);
304 return TPM_DRIVER_ERR;
305 }
306
307 burst = burst_count(value);
308 if ((offset == (len - 1)) && burst) {
309 /*
310 * We need to be able to send the last byte to the
311 * device, so burst size must be nonzero before we
312 * break out.
313 */
314 break;
315 }
316 }
317
318 /* Send the last byte. */
319 tpm_write_byte(data[offset++], &lpc_tpm_dev[locality].data);
320 /*
321 * Verify that TPM does not expect any more data as part of this
322 * command.
323 */
324 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
325 TIS_STS_VALID, TIS_STS_VALID);
326 if ((value == TPM_TIMEOUT_ERR) || (value & TIS_STS_EXPECT)) {
327 printf("%s:%d unexpected TPM status 0x%x\n",
328 __FILE__, __LINE__, value);
329 return TPM_DRIVER_ERR;
330 }
331
332 /* OK, sitting pretty, let's start the command execution. */
333 tpm_write_word(TIS_STS_TPM_GO, &lpc_tpm_dev[locality].tpm_status);
334 return 0;
335}
336
337/*
338 * tis_readresponse()
339 *
340 * read the TPM device response after a command was issued.
341 *
342 * @buffer - address where to read the response, byte by byte.
343 * @len - pointer to the size of buffer
344 *
345 * On success stores the number of received bytes to len and returns 0. On
346 * errors (misformatted TPM data or synchronization problems) returns
347 * TPM_DRIVER_ERR.
348 */
349static u32 tis_readresponse(u8 *buffer, u32 *len)
350{
351 u16 burst;
352 u32 value;
353 u32 offset = 0;
354 u8 locality = 0;
355 const u32 has_data = TIS_STS_DATA_AVAILABLE | TIS_STS_VALID;
356 u32 expected_count = *len;
357 int max_cycles = 0;
358
359 /* Wait for the TPM to process the command. */
360 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
361 has_data, has_data);
362 if (value == TPM_TIMEOUT_ERR) {
363 printf("%s:%d failed processing command\n",
364 __FILE__, __LINE__);
365 return TPM_DRIVER_ERR;
366 }
367
368 do {
369 while ((burst = burst_count(value)) == 0) {
370 if (max_cycles++ == MAX_DELAY_US) {
371 printf("%s:%d TPM stuck on read\n",
372 __FILE__, __LINE__);
373 return TPM_DRIVER_ERR;
374 }
375 udelay(1);
376 value = tpm_read_word(&lpc_tpm_dev
377 [locality].tpm_status);
378 }
379
380 max_cycles = 0;
381
382 while (burst-- && (offset < expected_count)) {
383 buffer[offset++] = tpm_read_byte(&lpc_tpm_dev
384 [locality].data);
385
386 if (offset == 6) {
387 /*
388 * We got the first six bytes of the reply,
389 * let's figure out how many bytes to expect
390 * total - it is stored as a 4 byte number in
391 * network order, starting with offset 2 into
392 * the body of the reply.
393 */
394 u32 real_length;
395 memcpy(&real_length,
396 buffer + 2,
397 sizeof(real_length));
398 expected_count = be32_to_cpu(real_length);
399
400 if ((expected_count < offset) ||
401 (expected_count > *len)) {
402 printf("%s:%d bad response size %d\n",
403 __FILE__, __LINE__,
404 expected_count);
405 return TPM_DRIVER_ERR;
406 }
407 }
408 }
409
410 /* Wait for the next portion. */
411 value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
412 TIS_STS_VALID, TIS_STS_VALID);
413 if (value == TPM_TIMEOUT_ERR) {
414 printf("%s:%d failed to read response\n",
415 __FILE__, __LINE__);
416 return TPM_DRIVER_ERR;
417 }
418
419 if (offset == expected_count)
420 break; /* We got all we needed. */
421
422 } while ((value & has_data) == has_data);
423
424 /*
425 * Make sure we indeed read all there was. The TIS_STS_VALID bit is
426 * known to be set.
427 */
428 if (value & TIS_STS_DATA_AVAILABLE) {
429 printf("%s:%d wrong receive status %x\n",
430 __FILE__, __LINE__, value);
431 return TPM_DRIVER_ERR;
432 }
433
434 /* Tell the TPM that we are done. */
435 tpm_write_word(TIS_STS_COMMAND_READY, &lpc_tpm_dev
436 [locality].tpm_status);
437 *len = offset;
438 return 0;
439}
440
441int tis_open(void)
442{
443 u8 locality = 0; /* we use locality zero for everything. */
444
445 if (tis_close())
446 return TPM_DRIVER_ERR;
447
448 /* now request access to locality. */
449 tpm_write_word(TIS_ACCESS_REQUEST_USE, &lpc_tpm_dev[locality].access);
450
451 /* did we get a lock? */
452 if (tis_wait_reg(&lpc_tpm_dev[locality].access,
453 TIS_ACCESS_ACTIVE_LOCALITY,
454 TIS_ACCESS_ACTIVE_LOCALITY) == TPM_TIMEOUT_ERR) {
455 printf("%s:%d - failed to lock locality %d\n",
456 __FILE__, __LINE__, locality);
457 return TPM_DRIVER_ERR;
458 }
459
460 tpm_write_word(TIS_STS_COMMAND_READY,
461 &lpc_tpm_dev[locality].tpm_status);
462 return 0;
463}
464
465int tis_close(void)
466{
467 u8 locality = 0;
468
469 if (tpm_read_word(&lpc_tpm_dev[locality].access) &
470 TIS_ACCESS_ACTIVE_LOCALITY) {
471 tpm_write_word(TIS_ACCESS_ACTIVE_LOCALITY,
472 &lpc_tpm_dev[locality].access);
473
474 if (tis_wait_reg(&lpc_tpm_dev[locality].access,
475 TIS_ACCESS_ACTIVE_LOCALITY, 0) ==
476 TPM_TIMEOUT_ERR) {
477 printf("%s:%d - failed to release locality %d\n",
478 __FILE__, __LINE__, locality);
479 return TPM_DRIVER_ERR;
480 }
481 }
482 return 0;
483}
484
485int tis_sendrecv(const u8 *sendbuf, size_t send_size,
486 u8 *recvbuf, size_t *recv_len)
487{
488 if (tis_senddata(sendbuf, send_size)) {
489 printf("%s:%d failed sending data to TPM\n",
490 __FILE__, __LINE__);
491 return TPM_DRIVER_ERR;
492 }
493
494 return tis_readresponse(recvbuf, recv_len);
495}