2 * Copyright (C) 2014 Intel Corporation
5 * Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 * Maintained by: <tpmdd-devel@lists.sourceforge.net>
9 * This device driver implements the TPM interface as defined in
10 * the TCG CRB 2.0 TPM specification.
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; version 2
18 #include <linux/acpi.h>
19 #include <linux/highmem.h>
20 #include <linux/rculist.h>
21 #include <linux/module.h>
22 #include <linux/pm_runtime.h>
24 #include <linux/arm-smccc.h>
28 #define ACPI_SIG_TPM2 "TPM2"
30 static const guid_t crb_acpi_start_guid
=
31 GUID_INIT(0x6BBF6CAB, 0x5463, 0x4714,
32 0xB7, 0xCD, 0xF0, 0x20, 0x3C, 0x03, 0x68, 0xD4);
35 CRB_ACPI_START_REVISION_ID
= 1,
36 CRB_ACPI_START_INDEX
= 1,
40 CRB_LOC_CTRL_REQUEST_ACCESS
= BIT(0),
41 CRB_LOC_CTRL_RELINQUISH
= BIT(1),
45 CRB_LOC_STATE_LOC_ASSIGNED
= BIT(1),
46 CRB_LOC_STATE_TPM_REG_VALID_STS
= BIT(7),
50 CRB_CTRL_REQ_CMD_READY
= BIT(0),
51 CRB_CTRL_REQ_GO_IDLE
= BIT(1),
55 CRB_CTRL_STS_ERROR
= BIT(0),
56 CRB_CTRL_STS_TPM_IDLE
= BIT(1),
60 CRB_START_INVOKE
= BIT(0),
64 CRB_CANCEL_INVOKE
= BIT(0),
67 struct crb_regs_head
{
77 struct crb_regs_tail
{
92 CRB_DRV_STS_COMPLETE
= BIT(0),
99 struct crb_regs_head __iomem
*regs_h
;
100 struct crb_regs_tail __iomem
*regs_t
;
107 struct tpm2_crb_smc
{
115 static bool crb_wait_for_reg_32(u32 __iomem
*reg
, u32 mask
, u32 value
,
116 unsigned long timeout
)
122 stop
= ktime_add(start
, ms_to_ktime(timeout
));
125 if ((ioread32(reg
) & mask
) == value
)
128 usleep_range(50, 100);
129 } while (ktime_before(ktime_get(), stop
));
131 return ((ioread32(reg
) & mask
) == value
);
135 * __crb_go_idle - request tpm crb device to go the idle state
138 * @priv: crb private data
140 * Write CRB_CTRL_REQ_GO_IDLE to TPM_CRB_CTRL_REQ
141 * The device should respond within TIMEOUT_C by clearing the bit.
142 * Anyhow, we do not wait here as a consequent CMD_READY request
143 * will be handled correctly even if idle was not completed.
145 * The function does nothing for devices with ACPI-start method
146 * or SMC-start method.
150 static int __crb_go_idle(struct device
*dev
, struct crb_priv
*priv
)
152 if ((priv
->sm
== ACPI_TPM2_START_METHOD
) ||
153 (priv
->sm
== ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD
) ||
154 (priv
->sm
== ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC
))
157 iowrite32(CRB_CTRL_REQ_GO_IDLE
, &priv
->regs_t
->ctrl_req
);
159 if (!crb_wait_for_reg_32(&priv
->regs_t
->ctrl_req
,
160 CRB_CTRL_REQ_GO_IDLE
/* mask */,
163 dev_warn(dev
, "goIdle timed out\n");
170 static int crb_go_idle(struct tpm_chip
*chip
)
172 struct device
*dev
= &chip
->dev
;
173 struct crb_priv
*priv
= dev_get_drvdata(dev
);
175 return __crb_go_idle(dev
, priv
);
179 * __crb_cmd_ready - request tpm crb device to enter ready state
182 * @priv: crb private data
184 * Write CRB_CTRL_REQ_CMD_READY to TPM_CRB_CTRL_REQ
185 * and poll till the device acknowledge it by clearing the bit.
186 * The device should respond within TIMEOUT_C.
188 * The function does nothing for devices with ACPI-start method
189 * or SMC-start method.
191 * Return: 0 on success -ETIME on timeout;
193 static int __crb_cmd_ready(struct device
*dev
, struct crb_priv
*priv
)
195 if ((priv
->sm
== ACPI_TPM2_START_METHOD
) ||
196 (priv
->sm
== ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD
) ||
197 (priv
->sm
== ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC
))
200 iowrite32(CRB_CTRL_REQ_CMD_READY
, &priv
->regs_t
->ctrl_req
);
201 if (!crb_wait_for_reg_32(&priv
->regs_t
->ctrl_req
,
202 CRB_CTRL_REQ_CMD_READY
/* mask */,
205 dev_warn(dev
, "cmdReady timed out\n");
212 static int crb_cmd_ready(struct tpm_chip
*chip
)
214 struct device
*dev
= &chip
->dev
;
215 struct crb_priv
*priv
= dev_get_drvdata(dev
);
217 return __crb_cmd_ready(dev
, priv
);
220 static int __crb_request_locality(struct device
*dev
,
221 struct crb_priv
*priv
, int loc
)
223 u32 value
= CRB_LOC_STATE_LOC_ASSIGNED
|
224 CRB_LOC_STATE_TPM_REG_VALID_STS
;
229 iowrite32(CRB_LOC_CTRL_REQUEST_ACCESS
, &priv
->regs_h
->loc_ctrl
);
230 if (!crb_wait_for_reg_32(&priv
->regs_h
->loc_state
, value
, value
,
232 dev_warn(dev
, "TPM_LOC_STATE_x.requestAccess timed out\n");
239 static int crb_request_locality(struct tpm_chip
*chip
, int loc
)
241 struct crb_priv
*priv
= dev_get_drvdata(&chip
->dev
);
243 return __crb_request_locality(&chip
->dev
, priv
, loc
);
246 static int __crb_relinquish_locality(struct device
*dev
,
247 struct crb_priv
*priv
, int loc
)
249 u32 mask
= CRB_LOC_STATE_LOC_ASSIGNED
|
250 CRB_LOC_STATE_TPM_REG_VALID_STS
;
251 u32 value
= CRB_LOC_STATE_TPM_REG_VALID_STS
;
256 iowrite32(CRB_LOC_CTRL_RELINQUISH
, &priv
->regs_h
->loc_ctrl
);
257 if (!crb_wait_for_reg_32(&priv
->regs_h
->loc_state
, mask
, value
,
259 dev_warn(dev
, "TPM_LOC_STATE_x.requestAccess timed out\n");
266 static int crb_relinquish_locality(struct tpm_chip
*chip
, int loc
)
268 struct crb_priv
*priv
= dev_get_drvdata(&chip
->dev
);
270 return __crb_relinquish_locality(&chip
->dev
, priv
, loc
);
273 static u8
crb_status(struct tpm_chip
*chip
)
275 struct crb_priv
*priv
= dev_get_drvdata(&chip
->dev
);
278 if ((ioread32(&priv
->regs_t
->ctrl_start
) & CRB_START_INVOKE
) !=
280 sts
|= CRB_DRV_STS_COMPLETE
;
285 static int crb_recv(struct tpm_chip
*chip
, u8
*buf
, size_t count
)
287 struct crb_priv
*priv
= dev_get_drvdata(&chip
->dev
);
288 unsigned int expected
;
294 if (ioread32(&priv
->regs_t
->ctrl_sts
) & CRB_CTRL_STS_ERROR
)
297 memcpy_fromio(buf
, priv
->rsp
, 6);
298 expected
= be32_to_cpup((__be32
*) &buf
[2]);
299 if (expected
> count
|| expected
< 6)
302 memcpy_fromio(&buf
[6], &priv
->rsp
[6], expected
- 6);
307 static int crb_do_acpi_start(struct tpm_chip
*chip
)
309 union acpi_object
*obj
;
312 obj
= acpi_evaluate_dsm(chip
->acpi_dev_handle
,
313 &crb_acpi_start_guid
,
314 CRB_ACPI_START_REVISION_ID
,
315 CRB_ACPI_START_INDEX
,
319 rc
= obj
->integer
.value
== 0 ? 0 : -ENXIO
;
326 * This is a TPM Command Response Buffer start method that invokes a
327 * Secure Monitor Call to requrest the firmware to execute or cancel
330 static int tpm_crb_smc_start(struct device
*dev
, unsigned long func_id
)
332 struct arm_smccc_res res
;
334 arm_smccc_smc(func_id
, 0, 0, 0, 0, 0, 0, 0, &res
);
337 FW_BUG
"tpm_crb_smc_start() returns res.a0 = 0x%lx\n",
345 static int tpm_crb_smc_start(struct device
*dev
, unsigned long func_id
)
347 dev_err(dev
, FW_BUG
"tpm_crb: incorrect start method\n");
352 static int crb_send(struct tpm_chip
*chip
, u8
*buf
, size_t len
)
354 struct crb_priv
*priv
= dev_get_drvdata(&chip
->dev
);
357 /* Zero the cancel register so that the next command will not get
360 iowrite32(0, &priv
->regs_t
->ctrl_cancel
);
362 if (len
> priv
->cmd_size
) {
363 dev_err(&chip
->dev
, "invalid command count value %zd %d\n",
364 len
, priv
->cmd_size
);
368 memcpy_toio(priv
->cmd
, buf
, len
);
370 /* Make sure that cmd is populated before issuing start. */
373 /* The reason for the extra quirk is that the PTT in 4th Gen Core CPUs
374 * report only ACPI start but in practice seems to require both
375 * CRB start, hence invoking CRB start method if hid == MSFT0101.
377 if ((priv
->sm
== ACPI_TPM2_COMMAND_BUFFER
) ||
378 (priv
->sm
== ACPI_TPM2_MEMORY_MAPPED
) ||
379 (!strcmp(priv
->hid
, "MSFT0101")))
380 iowrite32(CRB_START_INVOKE
, &priv
->regs_t
->ctrl_start
);
382 if ((priv
->sm
== ACPI_TPM2_START_METHOD
) ||
383 (priv
->sm
== ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD
))
384 rc
= crb_do_acpi_start(chip
);
386 if (priv
->sm
== ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC
) {
387 iowrite32(CRB_START_INVOKE
, &priv
->regs_t
->ctrl_start
);
388 rc
= tpm_crb_smc_start(&chip
->dev
, priv
->smc_func_id
);
394 static void crb_cancel(struct tpm_chip
*chip
)
396 struct crb_priv
*priv
= dev_get_drvdata(&chip
->dev
);
398 iowrite32(CRB_CANCEL_INVOKE
, &priv
->regs_t
->ctrl_cancel
);
400 if (((priv
->sm
== ACPI_TPM2_START_METHOD
) ||
401 (priv
->sm
== ACPI_TPM2_COMMAND_BUFFER_WITH_START_METHOD
)) &&
402 crb_do_acpi_start(chip
))
403 dev_err(&chip
->dev
, "ACPI Start failed\n");
406 static bool crb_req_canceled(struct tpm_chip
*chip
, u8 status
)
408 struct crb_priv
*priv
= dev_get_drvdata(&chip
->dev
);
409 u32 cancel
= ioread32(&priv
->regs_t
->ctrl_cancel
);
411 return (cancel
& CRB_CANCEL_INVOKE
) == CRB_CANCEL_INVOKE
;
414 static const struct tpm_class_ops tpm_crb
= {
415 .flags
= TPM_OPS_AUTO_STARTUP
,
416 .status
= crb_status
,
419 .cancel
= crb_cancel
,
420 .req_canceled
= crb_req_canceled
,
421 .go_idle
= crb_go_idle
,
422 .cmd_ready
= crb_cmd_ready
,
423 .request_locality
= crb_request_locality
,
424 .relinquish_locality
= crb_relinquish_locality
,
425 .req_complete_mask
= CRB_DRV_STS_COMPLETE
,
426 .req_complete_val
= CRB_DRV_STS_COMPLETE
,
429 static int crb_check_resource(struct acpi_resource
*ares
, void *data
)
431 struct resource
*io_res
= data
;
432 struct resource_win win
;
433 struct resource
*res
= &(win
.res
);
435 if (acpi_dev_resource_memory(ares
, res
) ||
436 acpi_dev_resource_address_space(ares
, &win
)) {
444 static void __iomem
*crb_map_res(struct device
*dev
, struct crb_priv
*priv
,
445 struct resource
*io_res
, u64 start
, u32 size
)
447 struct resource new_res
= {
449 .end
= start
+ size
- 1,
450 .flags
= IORESOURCE_MEM
,
453 /* Detect a 64 bit address on a 32 bit system */
454 if (start
!= new_res
.start
)
455 return (void __iomem
*) ERR_PTR(-EINVAL
);
457 if (!resource_contains(io_res
, &new_res
))
458 return devm_ioremap_resource(dev
, &new_res
);
460 return priv
->iobase
+ (new_res
.start
- io_res
->start
);
464 * Work around broken BIOSs that return inconsistent values from the ACPI
465 * region vs the registers. Trust the ACPI region. Such broken systems
466 * probably cannot send large TPM commands since the buffer will be truncated.
468 static u64
crb_fixup_cmd_size(struct device
*dev
, struct resource
*io_res
,
471 if (io_res
->start
> start
|| io_res
->end
< start
)
474 if (start
+ size
- 1 <= io_res
->end
)
478 FW_BUG
"ACPI region does not cover the entire command/response buffer. %pr vs %llx %llx\n",
479 io_res
, start
, size
);
481 return io_res
->end
- start
+ 1;
484 static int crb_map_io(struct acpi_device
*device
, struct crb_priv
*priv
,
485 struct acpi_table_tpm2
*buf
)
487 struct list_head resources
;
488 struct resource io_res
;
489 struct device
*dev
= &device
->dev
;
498 INIT_LIST_HEAD(&resources
);
499 ret
= acpi_dev_get_resources(device
, &resources
, crb_check_resource
,
503 acpi_dev_free_resource_list(&resources
);
505 if (resource_type(&io_res
) != IORESOURCE_MEM
) {
506 dev_err(dev
, FW_BUG
"TPM2 ACPI table does not define a memory resource\n");
510 priv
->iobase
= devm_ioremap_resource(dev
, &io_res
);
511 if (IS_ERR(priv
->iobase
))
512 return PTR_ERR(priv
->iobase
);
514 /* The ACPI IO region starts at the head area and continues to include
515 * the control area, as one nice sane region except for some older
516 * stuff that puts the control area outside the ACPI IO region.
518 if ((priv
->sm
== ACPI_TPM2_COMMAND_BUFFER
) ||
519 (priv
->sm
== ACPI_TPM2_MEMORY_MAPPED
)) {
520 if (buf
->control_address
== io_res
.start
+
521 sizeof(*priv
->regs_h
))
522 priv
->regs_h
= priv
->iobase
;
524 dev_warn(dev
, FW_BUG
"Bad ACPI memory layout");
527 ret
= __crb_request_locality(dev
, priv
, 0);
531 priv
->regs_t
= crb_map_res(dev
, priv
, &io_res
, buf
->control_address
,
532 sizeof(struct crb_regs_tail
));
533 if (IS_ERR(priv
->regs_t
)) {
534 ret
= PTR_ERR(priv
->regs_t
);
535 goto out_relinquish_locality
;
539 * PTT HW bug w/a: wake up the device to access
540 * possibly not retained registers.
542 ret
= __crb_cmd_ready(dev
, priv
);
544 goto out_relinquish_locality
;
546 pa_high
= ioread32(&priv
->regs_t
->ctrl_cmd_pa_high
);
547 pa_low
= ioread32(&priv
->regs_t
->ctrl_cmd_pa_low
);
548 cmd_pa
= ((u64
)pa_high
<< 32) | pa_low
;
549 cmd_size
= crb_fixup_cmd_size(dev
, &io_res
, cmd_pa
,
550 ioread32(&priv
->regs_t
->ctrl_cmd_size
));
552 dev_dbg(dev
, "cmd_hi = %X cmd_low = %X cmd_size %X\n",
553 pa_high
, pa_low
, cmd_size
);
555 priv
->cmd
= crb_map_res(dev
, priv
, &io_res
, cmd_pa
, cmd_size
);
556 if (IS_ERR(priv
->cmd
)) {
557 ret
= PTR_ERR(priv
->cmd
);
561 memcpy_fromio(&__rsp_pa
, &priv
->regs_t
->ctrl_rsp_pa
, 8);
562 rsp_pa
= le64_to_cpu(__rsp_pa
);
563 rsp_size
= crb_fixup_cmd_size(dev
, &io_res
, rsp_pa
,
564 ioread32(&priv
->regs_t
->ctrl_rsp_size
));
566 if (cmd_pa
!= rsp_pa
) {
567 priv
->rsp
= crb_map_res(dev
, priv
, &io_res
, rsp_pa
, rsp_size
);
568 ret
= PTR_ERR_OR_ZERO(priv
->rsp
);
572 /* According to the PTP specification, overlapping command and response
573 * buffer sizes must be identical.
575 if (cmd_size
!= rsp_size
) {
576 dev_err(dev
, FW_BUG
"overlapping command and response buffer sizes are not identical");
581 priv
->rsp
= priv
->cmd
;
585 priv
->cmd_size
= cmd_size
;
587 __crb_go_idle(dev
, priv
);
589 out_relinquish_locality
:
591 __crb_relinquish_locality(dev
, priv
, 0);
596 static int crb_acpi_add(struct acpi_device
*device
)
598 struct acpi_table_tpm2
*buf
;
599 struct crb_priv
*priv
;
600 struct tpm_chip
*chip
;
601 struct device
*dev
= &device
->dev
;
602 struct tpm2_crb_smc
*crb_smc
;
607 status
= acpi_get_table(ACPI_SIG_TPM2
, 1,
608 (struct acpi_table_header
**) &buf
);
609 if (ACPI_FAILURE(status
) || buf
->header
.length
< sizeof(*buf
)) {
610 dev_err(dev
, FW_BUG
"failed to get TPM2 ACPI table\n");
614 /* Should the FIFO driver handle this? */
615 sm
= buf
->start_method
;
616 if (sm
== ACPI_TPM2_MEMORY_MAPPED
)
619 priv
= devm_kzalloc(dev
, sizeof(struct crb_priv
), GFP_KERNEL
);
623 if (sm
== ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC
) {
624 if (buf
->header
.length
< (sizeof(*buf
) + sizeof(*crb_smc
))) {
626 FW_BUG
"TPM2 ACPI table has wrong size %u for start method type %d\n",
628 ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC
);
631 crb_smc
= ACPI_ADD_PTR(struct tpm2_crb_smc
, buf
, sizeof(*buf
));
632 priv
->smc_func_id
= crb_smc
->smc_func_id
;
636 priv
->hid
= acpi_device_hid(device
);
638 rc
= crb_map_io(device
, priv
, buf
);
642 chip
= tpmm_chip_alloc(dev
, &tpm_crb
);
644 return PTR_ERR(chip
);
646 dev_set_drvdata(&chip
->dev
, priv
);
647 chip
->acpi_dev_handle
= device
->handle
;
648 chip
->flags
= TPM_CHIP_FLAG_TPM2
;
650 return tpm_chip_register(chip
);
653 static int crb_acpi_remove(struct acpi_device
*device
)
655 struct device
*dev
= &device
->dev
;
656 struct tpm_chip
*chip
= dev_get_drvdata(dev
);
658 tpm_chip_unregister(chip
);
663 static const struct dev_pm_ops crb_pm
= {
664 SET_SYSTEM_SLEEP_PM_OPS(tpm_pm_suspend
, tpm_pm_resume
)
667 static const struct acpi_device_id crb_device_ids
[] = {
671 MODULE_DEVICE_TABLE(acpi
, crb_device_ids
);
673 static struct acpi_driver crb_acpi_driver
= {
675 .ids
= crb_device_ids
,
678 .remove
= crb_acpi_remove
,
685 module_acpi_driver(crb_acpi_driver
);
686 MODULE_AUTHOR("Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>");
687 MODULE_DESCRIPTION("TPM2 Driver");
688 MODULE_VERSION("0.1");
689 MODULE_LICENSE("GPL");
