1 /* $OpenBSD: tpm.c,v 1.19 2024/05/13 01:15:50 jsg Exp $ */ 2 3 /* 4 * Minimal interface to Trusted Platform Module chips implementing the 5 * TPM Interface Spec 1.2, just enough to tell the TPM to save state before 6 * a system suspend. 7 * 8 * Copyright (c) 2008, 2009 Michael Shalayeff 9 * Copyright (c) 2009, 2010 Hans-Joerg Hoexer 10 * Copyright (c) 2016 joshua stein <jcs@openbsd.org> 11 * All rights reserved. 12 * 13 * Permission to use, copy, modify, and distribute this software for any 14 * purpose with or without fee is hereby granted, provided that the above 15 * copyright notice and this permission notice appear in all copies. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 18 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 20 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 21 * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN 22 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT 23 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 24 */ 25 26 #include <sys/param.h> 27 #include <sys/systm.h> 28 #include <sys/device.h> 29 #include <sys/malloc.h> 30 31 #include <machine/bus.h> 32 #include <machine/apmvar.h> 33 34 #include <dev/acpi/acpireg.h> 35 #include <dev/acpi/acpivar.h> 36 #include <dev/acpi/acpidev.h> 37 #include <dev/acpi/amltypes.h> 38 #include <dev/acpi/dsdt.h> 39 40 /* #define TPM_DEBUG */ 41 42 #ifdef TPM_DEBUG 43 #define DPRINTF(x) printf x 44 #else 45 #define DPRINTF(x) 46 #endif 47 48 #define TPM_BUFSIZ 1024 49 #define TPM_HDRSIZE 10 50 #define TPM_PARAM_SIZE 0x0001 51 52 #define TPM_ACCESS 0x0000 /* access register */ 53 #define TPM_ACCESS_ESTABLISHMENT 0x01 /* establishment */ 54 #define TPM_ACCESS_REQUEST_USE 0x02 /* request using locality */ 55 #define TPM_ACCESS_REQUEST_PENDING 0x04 /* pending request */ 56 #define TPM_ACCESS_SEIZE 0x08 /* request locality seize */ 57 #define TPM_ACCESS_SEIZED 0x10 /* locality has been seized */ 58 #define TPM_ACCESS_ACTIVE_LOCALITY 0x20 /* locality is active */ 59 #define TPM_ACCESS_VALID 0x80 /* bits are valid */ 60 #define TPM_ACCESS_BITS \ 61 "\020\01EST\02REQ\03PEND\04SEIZE\05SEIZED\06ACT\010VALID" 62 63 #define TPM_INTERRUPT_ENABLE 0x0008 64 #define TPM_GLOBAL_INT_ENABLE 0x80000000 /* enable ints */ 65 #define TPM_CMD_READY_INT 0x00000080 /* cmd ready enable */ 66 #define TPM_INT_EDGE_FALLING 0x00000018 67 #define TPM_INT_EDGE_RISING 0x00000010 68 #define TPM_INT_LEVEL_LOW 0x00000008 69 #define TPM_INT_LEVEL_HIGH 0x00000000 70 #define TPM_LOCALITY_CHANGE_INT 0x00000004 /* locality change enable */ 71 #define TPM_STS_VALID_INT 0x00000002 /* int on TPM_STS_VALID is set */ 72 #define TPM_DATA_AVAIL_INT 0x00000001 /* int on TPM_STS_DATA_AVAIL is set */ 73 #define TPM_INTERRUPT_ENABLE_BITS \ 74 "\020\040ENA\010RDY\03LOCH\02STSV\01DRDY" 75 76 #define TPM_INT_VECTOR 0x000c /* 8 bit reg for 4 bit irq vector */ 77 #define TPM_INT_STATUS 0x0010 /* bits are & 0x87 from TPM_INTERRUPT_ENABLE */ 78 79 #define TPM_INTF_CAPABILITIES 0x0014 /* capability register */ 80 #define TPM_INTF_BURST_COUNT_STATIC 0x0100 /* TPM_STS_BMASK static */ 81 #define TPM_INTF_CMD_READY_INT 0x0080 /* int on ready supported */ 82 #define TPM_INTF_INT_EDGE_FALLING 0x0040 /* falling edge ints supported */ 83 #define TPM_INTF_INT_EDGE_RISING 0x0020 /* rising edge ints supported */ 84 #define TPM_INTF_INT_LEVEL_LOW 0x0010 /* level-low ints supported */ 85 #define TPM_INTF_INT_LEVEL_HIGH 0x0008 /* level-high ints supported */ 86 #define TPM_INTF_LOCALITY_CHANGE_INT 0x0004 /* locality-change int (mb 1) */ 87 #define TPM_INTF_STS_VALID_INT 0x0002 /* TPM_STS_VALID int supported */ 88 #define TPM_INTF_DATA_AVAIL_INT 0x0001 /* TPM_STS_DATA_AVAIL int supported (mb 1) */ 89 #define TPM_CAPSREQ \ 90 (TPM_INTF_DATA_AVAIL_INT|TPM_INTF_LOCALITY_CHANGE_INT|TPM_INTF_INT_LEVEL_LOW) 91 #define TPM_CAPBITS \ 92 "\020\01IDRDY\02ISTSV\03ILOCH\04IHIGH\05ILOW\06IEDGE\07IFALL\010IRDY\011BCST" 93 94 #define TPM_STS 0x0018 /* status register */ 95 #define TPM_STS_MASK 0x000000ff /* status bits */ 96 #define TPM_STS_BMASK 0x00ffff00 /* ro io burst size */ 97 #define TPM_STS_VALID 0x00000080 /* ro other bits are valid */ 98 #define TPM_STS_CMD_READY 0x00000040 /* rw chip/signal ready */ 99 #define TPM_STS_GO 0x00000020 /* wo start the command */ 100 #define TPM_STS_DATA_AVAIL 0x00000010 /* ro data available */ 101 #define TPM_STS_DATA_EXPECT 0x00000008 /* ro more data to be written */ 102 #define TPM_STS_RESP_RETRY 0x00000002 /* wo resend the response */ 103 #define TPM_STS_BITS "\020\010VALID\07RDY\06GO\05DRDY\04EXPECT\02RETRY" 104 105 #define TPM_DATA 0x0024 106 #define TPM_ID 0x0f00 107 #define TPM_REV 0x0f04 108 #define TPM_SIZE 0x5000 /* five pages of the above */ 109 110 #define TPM_ACCESS_TMO 2000 /* 2sec */ 111 #define TPM_READY_TMO 2000 /* 2sec */ 112 #define TPM_READ_TMO 120000 /* 2 minutes */ 113 #define TPM_BURST_TMO 2000 /* 2sec */ 114 115 #define TPM2_START_METHOD_TIS 6 116 #define TPM2_START_METHOD_CRB 7 117 118 #define TPM_CRB_LOC_STATE 0x0 119 #define TPM_CRB_LOC_CTRL 0x8 120 #define TPM_LOC_STS 0xC 121 #define TPM_CRB_INTF_ID 0x30 122 #define TPM_CRB_CTRL_EXT 0x38 123 #define TPM_CRB_CTRL_REQ 0x40 124 #define TPM_CRB_CTRL_STS 0x44 125 #define TPM_CRB_CTRL_CANCEL 0x48 126 #define TPM_CRB_CTRL_START 0x4C 127 #define TPM_CRB_CTRL_CMD_SIZE 0x58 128 #define TPM_CRB_CTRL_CMD_LADDR 0x5C 129 #define TPM_CRB_CTRL_CMD_HADDR 0x60 130 #define TPM_CRB_CTRL_RSP_SIZE 0x64 131 #define TPM_CRB_CTRL_RSP_LADDR 0x68 132 #define TPM_CRB_CTRL_RSP_HADDR 0x6c 133 #define TPM_CRB_DATA_BUFFER 0x80 134 135 #define TPM_CRB_LOC_STATE_ESTB (1 << 0) 136 #define TPM_CRB_LOC_STATE_ASSIGNED (1 << 1) 137 #define TPM_CRB_LOC_ACTIVE_MASK 0x009c 138 #define TPM_CRB_LOC_VALID (1 << 7) 139 140 #define TPM_CRB_LOC_REQUEST (1 << 0) 141 #define TPM_CRB_LOC_RELEASE (1 << 1) 142 143 #define TPM_CRB_CTRL_REQ_GO_READY (1 << 0) 144 #define TPM_CRB_CTRL_REQ_GO_IDLE (1 << 1) 145 146 #define TPM_CRB_CTRL_STS_ERR_BIT (1 << 0) 147 #define TPM_CRB_CTRL_STS_IDLE_BIT (1 << 1) 148 149 #define TPM_CRB_CTRL_CANCEL_CMD 0x1 150 #define TPM_CRB_CTRL_CANCEL_CLEAR 0x0 151 152 #define TPM_CRB_CTRL_START_CMD (1 << 0) 153 #define TPM_CRB_INT_ENABLED_BIT (1U << 31) 154 155 #define TPM2_RC_SUCCESS 0x0000 156 #define TPM2_RC_INITIALIZE 0x0100 157 #define TPM2_RC_FAILURE 0x0101 158 #define TPM2_RC_DISABLED 0x0120 159 #define TPM2_RC_RETRY 0x0922 160 161 struct tpm_softc { 162 struct device sc_dev; 163 164 bus_space_tag_t sc_bt; 165 bus_space_handle_t sc_bh; 166 bus_size_t sc_bbase; 167 168 struct acpi_softc *sc_acpi; 169 struct aml_node *sc_devnode; 170 171 uint32_t sc_devid; 172 uint32_t sc_rev; 173 174 int sc_tpm20; 175 int sc_tpm_mode; 176 #define TPM_TIS 0 177 #define TPM_CRB 1 178 bus_size_t sc_cmd_off; 179 bus_size_t sc_rsp_off; 180 size_t sc_cmd_sz; 181 size_t sc_rsp_sz; 182 183 int sc_enabled; 184 }; 185 186 const struct { 187 uint32_t devid; 188 char name[32]; 189 } tpm_devs[] = { 190 { 0x000615d1, "Infineon SLD9630 1.1" }, 191 { 0x000b15d1, "Infineon SLB9635 1.2" }, 192 { 0x100214e4, "Broadcom BCM0102" }, 193 { 0x00fe1050, "WEC WPCT200" }, 194 { 0x687119fa, "SNS SSX35" }, 195 { 0x2e4d5453, "STM ST19WP18" }, 196 { 0x32021114, "Atmel 97SC3203" }, 197 { 0x10408086, "Intel INTC0102" }, 198 { 0, "" }, 199 }; 200 201 int tpm_match(struct device *, void *, void *); 202 void tpm_attach(struct device *, struct device *, void *); 203 int tpm_activate(struct device *, int); 204 205 int tpm_probe(bus_space_tag_t, bus_space_handle_t); 206 int tpm_init_tis(struct tpm_softc *); 207 int tpm_init_crb(struct tpm_softc *); 208 int tpm_read_tis(struct tpm_softc *, void *, int, size_t *, int); 209 int tpm_read_crb(struct tpm_softc *, void *, int); 210 int tpm_write_tis(struct tpm_softc *, void *, int); 211 int tpm_write_crb(struct tpm_softc *, void *, int); 212 int tpm_suspend(struct tpm_softc *); 213 int tpm_resume(struct tpm_softc *); 214 215 int tpm_waitfor(struct tpm_softc *, bus_space_handle_t, uint32_t, uint32_t, int); 216 int tpm_waitfor_status(struct tpm_softc *, uint8_t, int); 217 int tpm_request_locality_tis(struct tpm_softc *, int); 218 int tpm_request_locality_crb(struct tpm_softc *, int); 219 void tpm_release_locality_tis(struct tpm_softc *); 220 void tpm_release_locality_crb(struct tpm_softc *); 221 uint8_t tpm_status(struct tpm_softc *); 222 223 uint32_t tpm2_start_method(struct acpi_softc *); 224 225 const struct cfattach tpm_ca = { 226 sizeof(struct tpm_softc), 227 tpm_match, 228 tpm_attach, 229 NULL, 230 tpm_activate 231 }; 232 233 struct cfdriver tpm_cd = { 234 NULL, "tpm", DV_DULL, CD_SKIPHIBERNATE /* XXX */ 235 }; 236 237 const char *tpm_hids[] = { 238 "PNP0C31", 239 "ATM1200", 240 "IFX0102", 241 "BCM0101", 242 "BCM0102", 243 "NSC1200", 244 "ICO0102", 245 "MSFT0101", 246 NULL 247 }; 248 249 int 250 tpm_match(struct device *parent, void *match, void *aux) 251 { 252 struct acpi_attach_args *aa = aux; 253 struct cfdata *cf = match; 254 255 if (aa->aaa_naddr < 1) 256 return 0; 257 return (acpi_matchhids(aa, tpm_hids, cf->cf_driver->cd_name)); 258 } 259 260 void 261 tpm_attach(struct device *parent, struct device *self, void *aux) 262 { 263 struct tpm_softc *sc = (struct tpm_softc *)self; 264 struct acpi_attach_args *aaa = aux; 265 int64_t sta; 266 uint32_t start_method; 267 268 sc->sc_acpi = (struct acpi_softc *)parent; 269 sc->sc_devnode = aaa->aaa_node; 270 sc->sc_enabled = 0; 271 sc->sc_tpm_mode = TPM_TIS; 272 273 printf(" %s", sc->sc_devnode->name); 274 275 if (strcmp(aaa->aaa_dev, "MSFT0101") == 0 || 276 strcmp(aaa->aaa_cdev, "MSFT0101") == 0) { 277 sc->sc_tpm20 = 1; 278 /* Identify if using 1.2 TIS or 2.0's CRB methods */ 279 start_method = tpm2_start_method(sc->sc_acpi); 280 switch (start_method) { 281 case TPM2_START_METHOD_TIS: 282 /* Already default */ 283 break; 284 case TPM2_START_METHOD_CRB: 285 sc->sc_tpm_mode = TPM_CRB; 286 break; 287 default: 288 printf(": unsupported TPM2 start method %d\n", start_method); 289 return; 290 } 291 } 292 293 printf(" %s (%s)", sc->sc_tpm20 ? "2.0" : "1.2", 294 sc->sc_tpm_mode == TPM_TIS ? "TIS" : "CRB"); 295 296 sta = acpi_getsta(sc->sc_acpi, sc->sc_devnode); 297 if ((sta & (STA_PRESENT | STA_ENABLED | STA_DEV_OK)) != 298 (STA_PRESENT | STA_ENABLED | STA_DEV_OK)) { 299 printf(": not enabled\n"); 300 return; 301 } 302 303 printf(" addr 0x%llx/0x%llx", aaa->aaa_addr[0], aaa->aaa_size[0]); 304 sc->sc_bbase = aaa->aaa_addr[0]; 305 306 sc->sc_bt = aaa->aaa_bst[0]; 307 if (bus_space_map(sc->sc_bt, aaa->aaa_addr[0], aaa->aaa_size[0], 308 0, &sc->sc_bh)) { 309 printf(": can't map registers\n"); 310 return; 311 } 312 313 if (sc->sc_tpm_mode == TPM_TIS) { 314 if (!tpm_probe(sc->sc_bt, sc->sc_bh)) { 315 printf(": probe failed\n"); 316 return; 317 } 318 319 if (tpm_init_tis(sc) != 0) { 320 printf(": init failed\n"); 321 return; 322 } 323 } else { 324 if (tpm_init_crb(sc) != 0) { 325 printf(": init failed\n"); 326 return; 327 } 328 } 329 330 printf("\n"); 331 sc->sc_enabled = 1; 332 } 333 334 int 335 tpm_activate(struct device *self, int act) 336 { 337 struct tpm_softc *sc = (struct tpm_softc *)self; 338 339 switch (act) { 340 case DVACT_SUSPEND: 341 if (!sc->sc_enabled) { 342 DPRINTF(("%s: suspend, but not enabled\n", 343 sc->sc_dev.dv_xname)); 344 return 0; 345 } 346 tpm_suspend(sc); 347 break; 348 349 case DVACT_WAKEUP: 350 if (!sc->sc_enabled) { 351 DPRINTF(("%s: wakeup, but not enabled\n", 352 sc->sc_dev.dv_xname)); 353 return 0; 354 } 355 tpm_resume(sc); 356 break; 357 } 358 359 return 0; 360 } 361 362 int 363 tpm_suspend(struct tpm_softc *sc) 364 { 365 uint8_t command1[] = { 366 0, 0xc1, /* TPM_TAG_RQU_COMMAND */ 367 0, 0, 0, 10, /* Length in bytes */ 368 0, 0, 0, 0x98 /* TPM_ORD_SaveStates */ 369 }; 370 uint8_t command2[] = { 371 0x80, 0x01, /* TPM_ST_COMMAND_TAG */ 372 0, 0, 0, 12, /* Length in bytes */ 373 0, 0, 0x01, 0x45, /* TPM_CC_Shutdown */ 374 0x00, 0x01 375 }; 376 uint8_t *command; 377 size_t commandlen; 378 379 DPRINTF(("%s: saving state preparing for suspend\n", 380 sc->sc_dev.dv_xname)); 381 382 if (sc->sc_tpm20) { 383 command = command2; 384 commandlen = sizeof(command2); 385 } else { 386 command = command1; 387 commandlen = sizeof(command1); 388 } 389 390 /* 391 * Tell the chip to save its state so the BIOS can then restore it upon 392 * resume. 393 */ 394 if (sc->sc_tpm_mode == TPM_TIS) { 395 tpm_write_tis(sc, command, commandlen); 396 memset(command, 0, commandlen); 397 tpm_read_tis(sc, command, commandlen, NULL, TPM_HDRSIZE); 398 } else { 399 tpm_write_crb(sc, command, commandlen); 400 memset(command, 0, commandlen); 401 tpm_read_crb(sc, command, commandlen); 402 } 403 return 0; 404 } 405 406 int 407 tpm_resume(struct tpm_softc *sc) 408 { 409 /* 410 * TODO: The BIOS should have restored the chip's state for us already, 411 * but we should tell the chip to do a self-test here (according to the 412 * Linux driver). 413 */ 414 415 DPRINTF(("%s: resume\n", sc->sc_dev.dv_xname)); 416 return 0; 417 } 418 419 uint32_t 420 tpm2_start_method(struct acpi_softc *sc) 421 { 422 struct acpi_q *entry; 423 struct acpi_tpm2 *p_tpm2 = NULL; 424 425 SIMPLEQ_FOREACH(entry, &sc->sc_tables, q_next) { 426 if (memcmp(entry->q_table, TPM2_SIG, 427 sizeof(TPM2_SIG) - 1) == 0) { 428 p_tpm2 = entry->q_table; 429 break; 430 } 431 } 432 433 if (!p_tpm2) { 434 DPRINTF((", no TPM2 table")); 435 return 0; 436 } 437 438 return p_tpm2->start_method; 439 } 440 441 int 442 tpm_probe(bus_space_tag_t bt, bus_space_handle_t bh) 443 { 444 uint32_t r; 445 int tries = 10000; 446 447 /* wait for chip to settle */ 448 while (tries--) { 449 if (bus_space_read_1(bt, bh, TPM_ACCESS) & TPM_ACCESS_VALID) 450 break; 451 else if (!tries) { 452 printf(": timed out waiting for validity\n"); 453 return 1; 454 } 455 456 DELAY(10); 457 } 458 459 r = bus_space_read_4(bt, bh, TPM_INTF_CAPABILITIES); 460 if (r == 0xffffffff) 461 return 0; 462 463 return 1; 464 } 465 466 int 467 tpm_init_tis(struct tpm_softc *sc) 468 { 469 uint32_t r, intmask; 470 int i; 471 472 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_INTF_CAPABILITIES); 473 if ((r & TPM_CAPSREQ) != TPM_CAPSREQ || 474 !(r & (TPM_INTF_INT_EDGE_RISING | TPM_INTF_INT_LEVEL_LOW))) { 475 DPRINTF((": caps too low (caps=%b)\n", r, TPM_CAPBITS)); 476 return 0; 477 } 478 479 /* ack and disable all interrupts, we'll be using polling only */ 480 intmask = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE); 481 intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT | 482 TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT; 483 intmask &= ~TPM_GLOBAL_INT_ENABLE; 484 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE, intmask); 485 486 if (tpm_request_locality_tis(sc, 0)) { 487 printf(", requesting locality failed\n"); 488 return 1; 489 } 490 491 sc->sc_devid = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_ID); 492 sc->sc_rev = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_REV); 493 494 for (i = 0; tpm_devs[i].devid; i++) 495 if (tpm_devs[i].devid == sc->sc_devid) 496 break; 497 498 if (tpm_devs[i].devid) 499 printf(", %s rev 0x%x", tpm_devs[i].name, sc->sc_rev); 500 else 501 printf(", device 0x%08x rev 0x%x", sc->sc_devid, sc->sc_rev); 502 503 return 0; 504 } 505 506 int 507 tpm_init_crb(struct tpm_softc *sc) 508 { 509 uint32_t intmask; 510 int i; 511 512 if (tpm_request_locality_crb(sc, 0)) { 513 printf(", request locality failed\n"); 514 return 1; 515 } 516 517 /* ack and disable all interrupts, we'll be using polling only */ 518 intmask = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE); 519 intmask &= ~TPM_CRB_INT_ENABLED_BIT; 520 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE, intmask); 521 522 /* Identify command and response registers and sizes */ 523 sc->sc_cmd_off = bus_space_read_4(sc->sc_bt, sc->sc_bh, 524 TPM_CRB_CTRL_CMD_LADDR); 525 sc->sc_cmd_off |= ((uint64_t) bus_space_read_4(sc->sc_bt, sc->sc_bh, 526 TPM_CRB_CTRL_CMD_HADDR) << 32); 527 sc->sc_cmd_sz = bus_space_read_4(sc->sc_bt, sc->sc_bh, 528 TPM_CRB_CTRL_CMD_SIZE); 529 530 sc->sc_rsp_off = bus_space_read_4(sc->sc_bt, sc->sc_bh, 531 TPM_CRB_CTRL_RSP_LADDR); 532 sc->sc_rsp_off |= ((uint64_t) bus_space_read_4(sc->sc_bt, sc->sc_bh, 533 TPM_CRB_CTRL_RSP_HADDR) << 32); 534 sc->sc_rsp_sz = bus_space_read_4(sc->sc_bt, sc->sc_bh, 535 TPM_CRB_CTRL_RSP_SIZE); 536 537 DPRINTF((", cmd @ 0x%lx, %ld, rsp @ 0x%lx, %ld", sc->sc_cmd_off, 538 sc->sc_cmd_sz, sc->sc_rsp_off, sc->sc_rsp_sz)); 539 540 sc->sc_cmd_off = sc->sc_cmd_off - sc->sc_bbase; 541 sc->sc_rsp_off = sc->sc_rsp_off - sc->sc_bbase; 542 543 tpm_release_locality_crb(sc); 544 545 /* If it's a unified buffer, the sizes must be the same. */ 546 if (sc->sc_cmd_off == sc->sc_rsp_off) { 547 if (sc->sc_cmd_sz != sc->sc_rsp_sz) { 548 printf(", invalid buffer sizes\n"); 549 return 1; 550 } 551 } 552 553 for (i = 0; tpm_devs[i].devid; i++) 554 if (tpm_devs[i].devid == sc->sc_devid) 555 break; 556 557 if (tpm_devs[i].devid) 558 printf(", %s rev 0x%x", tpm_devs[i].name, sc->sc_rev); 559 else 560 printf(", device 0x%08x rev 0x%x", sc->sc_devid, sc->sc_rev); 561 562 return 0; 563 } 564 565 int 566 tpm_request_locality_tis(struct tpm_softc *sc, int l) 567 { 568 uint32_t r; 569 int to; 570 571 if (l != 0) 572 return EINVAL; 573 574 if ((bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS) & 575 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) == 576 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) 577 return 0; 578 579 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS, 580 TPM_ACCESS_REQUEST_USE); 581 582 to = TPM_ACCESS_TMO * 100; /* steps of 10 microseconds */ 583 584 while ((r = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS) & 585 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) != 586 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY) && to--) { 587 DELAY(10); 588 } 589 590 if ((r & (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) != 591 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) { 592 DPRINTF(("%s: %s: access %b\n", sc->sc_dev.dv_xname, __func__, 593 r, TPM_ACCESS_BITS)); 594 return EBUSY; 595 } 596 597 return 0; 598 } 599 600 int 601 tpm_request_locality_crb(struct tpm_softc *sc, int l) 602 { 603 uint32_t r, mask; 604 int to; 605 606 if (l != 0) 607 return EINVAL; 608 609 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL); 610 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL, 611 r | TPM_CRB_LOC_REQUEST); 612 613 to = TPM_ACCESS_TMO * 200; 614 mask = TPM_CRB_LOC_STATE_ASSIGNED | TPM_CRB_LOC_VALID; 615 616 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_STATE); 617 while ((r & mask) != mask && to--) { 618 DELAY(10); 619 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_STATE); 620 } 621 622 if ((r & mask) != mask) { 623 printf(", CRB loc FAILED"); 624 return EBUSY; 625 } 626 627 return 0; 628 } 629 630 void 631 tpm_release_locality_tis(struct tpm_softc *sc) 632 { 633 if ((bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS) & 634 (TPM_ACCESS_REQUEST_PENDING|TPM_ACCESS_VALID)) == 635 (TPM_ACCESS_REQUEST_PENDING|TPM_ACCESS_VALID)) { 636 DPRINTF(("%s: releasing locality\n", sc->sc_dev.dv_xname)); 637 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS, 638 TPM_ACCESS_ACTIVE_LOCALITY); 639 } 640 } 641 642 void 643 tpm_release_locality_crb(struct tpm_softc *sc) 644 { 645 uint32_t r; 646 647 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL); 648 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL, 649 r | TPM_CRB_LOC_RELEASE); 650 } 651 652 int 653 tpm_getburst(struct tpm_softc *sc) 654 { 655 int burst, burst2, to; 656 657 to = TPM_BURST_TMO * 100; /* steps of 10 microseconds */ 658 659 burst = 0; 660 while (burst == 0 && to--) { 661 /* 662 * Burst count has to be read from bits 8 to 23 without 663 * touching any other bits, eg. the actual status bits 0 to 7. 664 */ 665 burst = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_STS + 1); 666 DPRINTF(("%s: %s: read1(0x%x): 0x%x\n", sc->sc_dev.dv_xname, 667 __func__, TPM_STS + 1, burst)); 668 burst2 = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_STS + 2); 669 DPRINTF(("%s: %s: read1(0x%x): 0x%x\n", sc->sc_dev.dv_xname, 670 __func__, TPM_STS + 2, burst2)); 671 burst |= burst2 << 8; 672 if (burst) 673 return burst; 674 675 DELAY(10); 676 } 677 678 DPRINTF(("%s: getburst timed out\n", sc->sc_dev.dv_xname)); 679 680 return 0; 681 } 682 683 uint8_t 684 tpm_status(struct tpm_softc *sc) 685 { 686 return bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_STS) & TPM_STS_MASK; 687 } 688 689 int 690 tpm_waitfor(struct tpm_softc *sc, bus_size_t offset, uint32_t mask, 691 uint32_t val, int msecs) 692 { 693 int usecs; 694 uint32_t r; 695 696 usecs = msecs * 1000; 697 698 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, offset); 699 if ((r & mask) == val) 700 return 0; 701 702 while (usecs > 0) { 703 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, offset); 704 if ((r & mask) == val) 705 return 0; 706 DELAY(1); 707 usecs--; 708 } 709 710 DPRINTF(("%s: %s: timed out, status 0x%x != 0x%x\n", 711 sc->sc_dev.dv_xname, __func__, r, mask)); 712 return ETIMEDOUT; 713 } 714 715 int 716 tpm_waitfor_status(struct tpm_softc *sc, uint8_t mask, int msecs) 717 { 718 int usecs; 719 uint8_t status; 720 721 usecs = msecs * 1000; 722 723 while (((status = tpm_status(sc)) & mask) != mask) { 724 if (usecs == 0) { 725 DPRINTF(("%s: %s: timed out, status 0x%x != 0x%x\n", 726 sc->sc_dev.dv_xname, __func__, status, mask)); 727 return status; 728 } 729 730 usecs--; 731 DELAY(1); 732 } 733 734 return 0; 735 } 736 737 int 738 tpm_read_tis(struct tpm_softc *sc, void *buf, int len, size_t *count, 739 int flags) 740 { 741 uint8_t *p = buf; 742 uint8_t c; 743 size_t cnt; 744 int rv, n, bcnt; 745 746 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 747 748 cnt = 0; 749 while (len > 0) { 750 if ((rv = tpm_waitfor_status(sc, 751 TPM_STS_DATA_AVAIL | TPM_STS_VALID, TPM_READ_TMO))) 752 return rv; 753 754 bcnt = tpm_getburst(sc); 755 n = MIN(len, bcnt); 756 757 for (; n--; len--) { 758 c = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_DATA); 759 DPRINTF((" %02x", c)); 760 *p++ = c; 761 cnt++; 762 } 763 764 if ((flags & TPM_PARAM_SIZE) == 0 && cnt >= 6) 765 break; 766 } 767 768 DPRINTF(("\n")); 769 770 if (count) 771 *count = cnt; 772 773 return 0; 774 } 775 776 int 777 tpm_read_crb(struct tpm_softc *sc, void *buf, int len) 778 { 779 uint8_t *p = buf; 780 uint32_t sz = 0, mask, rc; 781 size_t count = 0; 782 int r; 783 784 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 785 786 if (len < TPM_HDRSIZE) { 787 printf("%s: %s buf len too small\n", sc->sc_dev.dv_xname, 788 __func__); 789 return EINVAL; 790 } 791 792 while (count < TPM_HDRSIZE) { 793 *p = bus_space_read_1(sc->sc_bt, sc->sc_bh, 794 sc->sc_rsp_off + count); 795 DPRINTF((" %02x", *p)); 796 count++; 797 p++; 798 } 799 DPRINTF(("\n")); 800 801 /* Response length is bytes 2-5 in the response header. */ 802 p = buf; 803 sz = be32toh(*(uint32_t *) (p + 2)); 804 if (sz < TPM_HDRSIZE || sz > sc->sc_rsp_sz) { 805 printf("%s: invalid response size %d\n", 806 sc->sc_dev.dv_xname, sz); 807 return EIO; 808 } 809 if (sz > len) 810 printf("%s: response size too large, truncated to %d\n", 811 sc->sc_dev.dv_xname, len); 812 813 /* Response code is bytes 6-9. */ 814 rc = be32toh(*(uint32_t *) (p + 6)); 815 if (rc != TPM2_RC_SUCCESS) { 816 printf("%s: command failed (0x%04x)\n", sc->sc_dev.dv_xname, 817 rc); 818 /* Nothing we can do on failure. Still try to idle the tpm. */ 819 } 820 821 /* Tell the device to go idle. */ 822 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ); 823 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ, 824 r | TPM_CRB_CTRL_REQ_GO_IDLE); 825 826 mask = TPM_CRB_CTRL_STS_IDLE_BIT; 827 if (tpm_waitfor(sc, TPM_CRB_CTRL_STS, mask, mask, 200)) { 828 printf("%s: failed to transition to idle state after read\n", 829 sc->sc_dev.dv_xname); 830 } 831 832 tpm_release_locality_crb(sc); 833 834 DPRINTF(("%s: %s completed\n", sc->sc_dev.dv_xname, __func__)); 835 return 0; 836 } 837 838 int 839 tpm_write_tis(struct tpm_softc *sc, void *buf, int len) 840 { 841 uint8_t *p = buf; 842 uint8_t status; 843 size_t count = 0; 844 int rv, r; 845 846 if ((rv = tpm_request_locality_tis(sc, 0)) != 0) 847 return rv; 848 849 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 850 for (r = 0; r < len; r++) 851 DPRINTF((" %02x", (uint8_t)(*(p + r)))); 852 DPRINTF(("\n")); 853 854 /* read status */ 855 status = tpm_status(sc); 856 if ((status & TPM_STS_CMD_READY) == 0) { 857 /* abort! */ 858 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_STS, 859 TPM_STS_CMD_READY); 860 if ((rv = tpm_waitfor_status(sc, TPM_STS_CMD_READY, 861 TPM_READ_TMO))) { 862 DPRINTF(("%s: failed waiting for ready after abort " 863 "(0x%x)\n", sc->sc_dev.dv_xname, rv)); 864 return rv; 865 } 866 } 867 868 while (count < len - 1) { 869 for (r = tpm_getburst(sc); r > 0 && count < len - 1; r--) { 870 DPRINTF(("%s: %s: write1(0x%x, 0x%x)\n", 871 sc->sc_dev.dv_xname, __func__, TPM_DATA, *p)); 872 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_DATA, *p++); 873 count++; 874 } 875 if ((rv = tpm_waitfor_status(sc, TPM_STS_VALID | TPM_STS_DATA_EXPECT, 876 TPM_READ_TMO))) { 877 DPRINTF(("%s: %s: failed waiting for next byte (%d)\n", 878 sc->sc_dev.dv_xname, __func__, rv)); 879 return rv; 880 } 881 } 882 883 DPRINTF(("%s: %s: write1(0x%x, 0x%x)\n", sc->sc_dev.dv_xname, __func__, 884 TPM_DATA, *p)); 885 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_DATA, *p); 886 count++; 887 888 if ((rv = tpm_waitfor_status(sc, TPM_STS_VALID, TPM_READ_TMO))) { 889 DPRINTF(("%s: %s: failed after last byte (%d)\n", 890 sc->sc_dev.dv_xname, __func__, rv)); 891 return rv; 892 } 893 894 if ((status = tpm_status(sc)) & TPM_STS_DATA_EXPECT) { 895 DPRINTF(("%s: %s: final status still expecting data: %b\n", 896 sc->sc_dev.dv_xname, __func__, status, TPM_STS_BITS)); 897 return status; 898 } 899 900 DPRINTF(("%s: final status after write: %b\n", sc->sc_dev.dv_xname, 901 status, TPM_STS_BITS)); 902 903 /* XXX: are we ever sending non-command data? */ 904 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_STS, TPM_STS_GO); 905 906 return 0; 907 } 908 909 int 910 tpm_write_crb(struct tpm_softc *sc, void *buf, int len) 911 { 912 uint8_t *p = buf; 913 size_t count = 0; 914 uint32_t r, mask; 915 916 if (len > sc->sc_cmd_sz) { 917 printf("%s: requested write length larger than cmd buffer\n", 918 sc->sc_dev.dv_xname); 919 return EINVAL; 920 } 921 922 if (bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_STS) 923 & TPM_CRB_CTRL_STS_ERR_BIT) { 924 printf("%s: device error bit set\n", sc->sc_dev.dv_xname); 925 return EIO; 926 } 927 928 if (tpm_request_locality_crb(sc, 0)) { 929 printf("%s: failed to acquire locality\n", sc->sc_dev.dv_xname); 930 return EIO; 931 } 932 933 /* Clear cancellation bit */ 934 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_CANCEL, 935 TPM_CRB_CTRL_CANCEL_CLEAR); 936 937 /* Toggle to idle state (if needed) and then to ready */ 938 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_STS); 939 if(!(r & TPM_CRB_CTRL_STS_IDLE_BIT)) { 940 printf("%s: asking device to idle\n", sc->sc_dev.dv_xname); 941 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ); 942 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ, 943 r | TPM_CRB_CTRL_REQ_GO_IDLE); 944 945 mask = TPM_CRB_CTRL_STS_IDLE_BIT; 946 if (tpm_waitfor(sc, TPM_CRB_CTRL_STS, mask, mask, 200)) { 947 printf("%s: failed to transition to idle state before " 948 "write\n", sc->sc_dev.dv_xname); 949 return EIO; 950 } 951 } 952 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ); 953 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ, 954 r | TPM_CRB_CTRL_REQ_GO_READY); 955 mask = TPM_CRB_CTRL_REQ_GO_READY; 956 if (tpm_waitfor(sc, TPM_CRB_CTRL_STS, mask, !mask, 200)) { 957 printf("%s: failed to transition to ready state\n", 958 sc->sc_dev.dv_xname); 959 return EIO; 960 } 961 962 /* Write the command */ 963 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 964 while (count < len) { 965 DPRINTF((" %02x", (uint8_t)(*p))); 966 bus_space_write_1(sc->sc_bt, sc->sc_bh, sc->sc_cmd_off + count, 967 *p++); 968 count++; 969 } 970 DPRINTF(("\n")); 971 bus_space_barrier(sc->sc_bt, sc->sc_bh, sc->sc_cmd_off, len, 972 BUS_SPACE_BARRIER_WRITE); 973 DPRINTF(("%s: %s wrote %lu bytes\n", sc->sc_dev.dv_xname, __func__, 974 count)); 975 976 /* Send the Start Command request */ 977 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_START, 978 TPM_CRB_CTRL_START_CMD); 979 bus_space_barrier(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_START, 4, 980 BUS_SPACE_BARRIER_WRITE); 981 982 /* Check if command was processed */ 983 mask = ~0; 984 if (tpm_waitfor(sc, TPM_CRB_CTRL_START, mask, ~mask, 200)) { 985 printf("%s: timeout waiting for device to process command\n", 986 sc->sc_dev.dv_xname); 987 return EIO; 988 } 989 990 return 0; 991 } 992