1 /* $OpenBSD: tpm.c,v 1.14 2021/12/07 16:07:56 deraadt Exp $ */ 2 3 /* 4 * Minimal interface to Trusted Platform Module chips implementing the 5 * TPM Interface Spec 1.2, just enough to tell the TPM to save state before 6 * a system suspend. 7 * 8 * Copyright (c) 2008, 2009 Michael Shalayeff 9 * Copyright (c) 2009, 2010 Hans-Joerg Hoexer 10 * Copyright (c) 2016 joshua stein <jcs@openbsd.org> 11 * All rights reserved. 12 * 13 * Permission to use, copy, modify, and distribute this software for any 14 * purpose with or without fee is hereby granted, provided that the above 15 * copyright notice and this permission notice appear in all copies. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 18 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 20 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 21 * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN 22 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT 23 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 24 */ 25 26 #include <sys/param.h> 27 #include <sys/systm.h> 28 #include <sys/device.h> 29 #include <sys/malloc.h> 30 31 #include <machine/bus.h> 32 #include <machine/apmvar.h> 33 34 #include <dev/acpi/acpireg.h> 35 #include <dev/acpi/acpivar.h> 36 #include <dev/acpi/acpidev.h> 37 #include <dev/acpi/amltypes.h> 38 #include <dev/acpi/dsdt.h> 39 40 /* #define TPM_DEBUG */ 41 42 #ifdef TPM_DEBUG 43 #define DPRINTF(x) printf x 44 #else 45 #define DPRINTF(x) 46 #endif 47 48 #define TPM_BUFSIZ 1024 49 #define TPM_HDRSIZE 10 50 #define TPM_PARAM_SIZE 0x0001 51 52 #define TPM_ACCESS 0x0000 /* access register */ 53 #define TPM_ACCESS_ESTABLISHMENT 0x01 /* establishment */ 54 #define TPM_ACCESS_REQUEST_USE 0x02 /* request using locality */ 55 #define TPM_ACCESS_REQUEST_PENDING 0x04 /* pending request */ 56 #define TPM_ACCESS_SEIZE 0x08 /* request locality seize */ 57 #define TPM_ACCESS_SEIZED 0x10 /* locality has been seized */ 58 #define TPM_ACCESS_ACTIVE_LOCALITY 0x20 /* locality is active */ 59 #define TPM_ACCESS_VALID 0x80 /* bits are valid */ 60 #define TPM_ACCESS_BITS \ 61 "\020\01EST\02REQ\03PEND\04SEIZE\05SEIZED\06ACT\010VALID" 62 63 #define TPM_INTERRUPT_ENABLE 0x0008 64 #define TPM_GLOBAL_INT_ENABLE 0x80000000 /* enable ints */ 65 #define TPM_CMD_READY_INT 0x00000080 /* cmd ready enable */ 66 #define TPM_INT_EDGE_FALLING 0x00000018 67 #define TPM_INT_EDGE_RISING 0x00000010 68 #define TPM_INT_LEVEL_LOW 0x00000008 69 #define TPM_INT_LEVEL_HIGH 0x00000000 70 #define TPM_LOCALITY_CHANGE_INT 0x00000004 /* locality change enable */ 71 #define TPM_STS_VALID_INT 0x00000002 /* int on TPM_STS_VALID is set */ 72 #define TPM_DATA_AVAIL_INT 0x00000001 /* int on TPM_STS_DATA_AVAIL is set */ 73 #define TPM_INTERRUPT_ENABLE_BITS \ 74 "\020\040ENA\010RDY\03LOCH\02STSV\01DRDY" 75 76 #define TPM_INT_VECTOR 0x000c /* 8 bit reg for 4 bit irq vector */ 77 #define TPM_INT_STATUS 0x0010 /* bits are & 0x87 from TPM_INTERRUPT_ENABLE */ 78 79 #define TPM_INTF_CAPABILITIES 0x0014 /* capability register */ 80 #define TPM_INTF_BURST_COUNT_STATIC 0x0100 /* TPM_STS_BMASK static */ 81 #define TPM_INTF_CMD_READY_INT 0x0080 /* int on ready supported */ 82 #define TPM_INTF_INT_EDGE_FALLING 0x0040 /* falling edge ints supported */ 83 #define TPM_INTF_INT_EDGE_RISING 0x0020 /* rising edge ints supported */ 84 #define TPM_INTF_INT_LEVEL_LOW 0x0010 /* level-low ints supported */ 85 #define TPM_INTF_INT_LEVEL_HIGH 0x0008 /* level-high ints supported */ 86 #define TPM_INTF_LOCALITY_CHANGE_INT 0x0004 /* locality-change int (mb 1) */ 87 #define TPM_INTF_STS_VALID_INT 0x0002 /* TPM_STS_VALID int supported */ 88 #define TPM_INTF_DATA_AVAIL_INT 0x0001 /* TPM_STS_DATA_AVAIL int supported (mb 1) */ 89 #define TPM_CAPSREQ \ 90 (TPM_INTF_DATA_AVAIL_INT|TPM_INTF_LOCALITY_CHANGE_INT|TPM_INTF_INT_LEVEL_LOW) 91 #define TPM_CAPBITS \ 92 "\020\01IDRDY\02ISTSV\03ILOCH\04IHIGH\05ILOW\06IEDGE\07IFALL\010IRDY\011BCST" 93 94 #define TPM_STS 0x0018 /* status register */ 95 #define TPM_STS_MASK 0x000000ff /* status bits */ 96 #define TPM_STS_BMASK 0x00ffff00 /* ro io burst size */ 97 #define TPM_STS_VALID 0x00000080 /* ro other bits are valid */ 98 #define TPM_STS_CMD_READY 0x00000040 /* rw chip/signal ready */ 99 #define TPM_STS_GO 0x00000020 /* wo start the command */ 100 #define TPM_STS_DATA_AVAIL 0x00000010 /* ro data available */ 101 #define TPM_STS_DATA_EXPECT 0x00000008 /* ro more data to be written */ 102 #define TPM_STS_RESP_RETRY 0x00000002 /* wo resend the response */ 103 #define TPM_STS_BITS "\020\010VALID\07RDY\06GO\05DRDY\04EXPECT\02RETRY" 104 105 #define TPM_DATA 0x0024 106 #define TPM_ID 0x0f00 107 #define TPM_REV 0x0f04 108 #define TPM_SIZE 0x5000 /* five pages of the above */ 109 110 #define TPM_ACCESS_TMO 2000 /* 2sec */ 111 #define TPM_READY_TMO 2000 /* 2sec */ 112 #define TPM_READ_TMO 120000 /* 2 minutes */ 113 #define TPM_BURST_TMO 2000 /* 2sec */ 114 115 #define TPM2_START_METHOD_TIS 6 116 #define TPM2_START_METHOD_CRB 7 117 118 #define TPM_CRB_LOC_STATE 0x0 119 #define TPM_CRB_LOC_CTRL 0x8 120 #define TPM_LOC_STS 0xC 121 #define TPM_CRB_INTF_ID 0x30 122 #define TPM_CRB_CTRL_EXT 0x38 123 #define TPM_CRB_CTRL_REQ 0x40 124 #define TPM_CRB_CTRL_STS 0x44 125 #define TPM_CRB_CTRL_CANCEL 0x48 126 #define TPM_CRB_CTRL_START 0x4C 127 #define TPM_CRB_CTRL_CMD_SIZE 0x58 128 #define TPM_CRB_CTRL_CMD_LADDR 0x5C 129 #define TPM_CRB_CTRL_CMD_HADDR 0x60 130 #define TPM_CRB_CTRL_RSP_SIZE 0x64 131 #define TPM_CRB_CTRL_RSP_LADDR 0x68 132 #define TPM_CRB_CTRL_RSP_HADDR 0x6c 133 #define TPM_CRB_DATA_BUFFER 0x80 134 135 #define TPM_CRB_LOC_STATE_ESTB (1 << 0) 136 #define TPM_CRB_LOC_STATE_ASSIGNED (1 << 1) 137 #define TPM_CRB_LOC_ACTIVE_MASK 0x009c 138 #define TPM_CRB_LOC_VALID (1 << 7) 139 140 #define TPM_CRB_LOC_REQUEST (1 << 0) 141 #define TPM_CRB_LOC_RELEASE (1 << 1) 142 143 #define TPM_CRB_CTRL_REQ_GO_READY (1 << 0) 144 #define TPM_CRB_CTRL_REQ_GO_IDLE (1 << 1) 145 146 #define TPM_CRB_CTRL_STS_ERR_BIT (1 << 0) 147 #define TPM_CRB_CTRL_STS_IDLE_BIT (1 << 1) 148 149 #define TPM_CRB_CTRL_CANCEL_CMD 0x1 150 #define TPM_CRB_CTRL_CANCEL_CLEAR 0x0 151 152 #define TPM_CRB_CTRL_START_CMD (1 << 0) 153 #define TPM_CRB_INT_ENABLED_BIT (1 << 31) 154 155 #define TPM2_RC_SUCCESS 0x0000 156 #define TPM2_RC_INITIALIZE 0x0100 157 #define TPM2_RC_FAILURE 0x0101 158 #define TPM2_RC_DISABLED 0x0120 159 #define TPM2_RC_RETRY 0x0922 160 161 struct tpm_softc { 162 struct device sc_dev; 163 164 bus_space_tag_t sc_bt; 165 bus_space_handle_t sc_bh; 166 bus_size_t sc_bbase; 167 168 struct acpi_softc *sc_acpi; 169 struct aml_node *sc_devnode; 170 171 uint32_t sc_devid; 172 uint32_t sc_rev; 173 174 int sc_tpm20; 175 int sc_tpm_mode; 176 #define TPM_TIS 0 177 #define TPM_CRB 1 178 bus_size_t sc_cmd_off; 179 bus_size_t sc_rsp_off; 180 size_t sc_cmd_sz; 181 size_t sc_rsp_sz; 182 183 int sc_enabled; 184 }; 185 186 const struct { 187 uint32_t devid; 188 char name[32]; 189 } tpm_devs[] = { 190 { 0x000615d1, "Infineon SLD9630 1.1" }, 191 { 0x000b15d1, "Infineon SLB9635 1.2" }, 192 { 0x100214e4, "Broadcom BCM0102" }, 193 { 0x00fe1050, "WEC WPCT200" }, 194 { 0x687119fa, "SNS SSX35" }, 195 { 0x2e4d5453, "STM ST19WP18" }, 196 { 0x32021114, "Atmel 97SC3203" }, 197 { 0x10408086, "Intel INTC0102" }, 198 { 0, "" }, 199 }; 200 201 int tpm_match(struct device *, void *, void *); 202 void tpm_attach(struct device *, struct device *, void *); 203 int tpm_activate(struct device *, int); 204 205 int tpm_probe(bus_space_tag_t, bus_space_handle_t); 206 int tpm_init_tis(struct tpm_softc *); 207 int tpm_init_crb(struct tpm_softc *); 208 int tpm_read_tis(struct tpm_softc *, void *, int, size_t *, int); 209 int tpm_read_crb(struct tpm_softc *, void *, int); 210 int tpm_write_tis(struct tpm_softc *, void *, int); 211 int tpm_write_crb(struct tpm_softc *, void *, int); 212 int tpm_suspend(struct tpm_softc *); 213 int tpm_resume(struct tpm_softc *); 214 215 int tpm_waitfor(struct tpm_softc *, bus_space_handle_t, uint32_t, uint32_t, int); 216 int tpm_waitfor_status(struct tpm_softc *, uint8_t, int); 217 int tpm_request_locality_tis(struct tpm_softc *, int); 218 int tpm_request_locality_crb(struct tpm_softc *, int); 219 void tpm_release_locality_tis(struct tpm_softc *); 220 void tpm_release_locality_crb(struct tpm_softc *); 221 int tpm_getburst_tis(struct tpm_softc *); 222 int tpm_getburst_crb(struct tpm_softc *); 223 uint8_t tpm_status(struct tpm_softc *); 224 225 uint32_t tpm2_start_method(struct acpi_softc *); 226 227 struct cfattach tpm_ca = { 228 sizeof(struct tpm_softc), 229 tpm_match, 230 tpm_attach, 231 NULL, 232 tpm_activate 233 }; 234 235 struct cfdriver tpm_cd = { 236 NULL, "tpm", DV_DULL 237 }; 238 239 const char *tpm_hids[] = { 240 "PNP0C31", 241 "ATM1200", 242 "IFX0102", 243 "BCM0101", 244 "BCM0102", 245 "NSC1200", 246 "ICO0102", 247 "MSFT0101", 248 NULL 249 }; 250 251 int 252 tpm_match(struct device *parent, void *match, void *aux) 253 { 254 struct acpi_attach_args *aa = aux; 255 struct cfdata *cf = match; 256 257 return (acpi_matchhids(aa, tpm_hids, cf->cf_driver->cd_name)); 258 } 259 260 void 261 tpm_attach(struct device *parent, struct device *self, void *aux) 262 { 263 struct tpm_softc *sc = (struct tpm_softc *)self; 264 struct acpi_attach_args *aaa = aux; 265 int64_t sta; 266 uint32_t start_method; 267 268 sc->sc_acpi = (struct acpi_softc *)parent; 269 sc->sc_devnode = aaa->aaa_node; 270 sc->sc_enabled = 0; 271 sc->sc_tpm_mode = TPM_TIS; 272 273 printf(" %s", sc->sc_devnode->name); 274 275 if (strcmp(aaa->aaa_dev, "MSFT0101") == 0 || 276 strcmp(aaa->aaa_cdev, "MSFT0101") == 0) { 277 sc->sc_tpm20 = 1; 278 /* Identify if using 1.2 TIS or 2.0's CRB methods */ 279 start_method = tpm2_start_method(sc->sc_acpi); 280 switch (start_method) { 281 case TPM2_START_METHOD_TIS: 282 /* Already default */ 283 break; 284 case TPM2_START_METHOD_CRB: 285 sc->sc_tpm_mode = TPM_CRB; 286 break; 287 default: 288 printf(": unsupported TPM2 start method %d\n", start_method); 289 return; 290 } 291 } 292 293 printf(" %s (%s)", sc->sc_tpm20 ? "2.0" : "1.2", 294 sc->sc_tpm_mode == TPM_TIS ? "TIS" : "CRB"); 295 296 sta = acpi_getsta(sc->sc_acpi, sc->sc_devnode); 297 if ((sta & (STA_PRESENT | STA_ENABLED | STA_DEV_OK)) != 298 (STA_PRESENT | STA_ENABLED | STA_DEV_OK)) { 299 printf(": not enabled\n"); 300 return; 301 } 302 303 if (aaa->aaa_naddr < 1) { 304 printf(": no registers\n"); 305 return; 306 } 307 308 printf(" addr 0x%llx/0x%llx", aaa->aaa_addr[0], aaa->aaa_size[0]); 309 sc->sc_bbase = aaa->aaa_addr[0]; 310 311 sc->sc_bt = aaa->aaa_bst[0]; 312 if (bus_space_map(sc->sc_bt, aaa->aaa_addr[0], aaa->aaa_size[0], 313 0, &sc->sc_bh)) { 314 printf(": can't map registers\n"); 315 return; 316 } 317 318 if (sc->sc_tpm_mode == TPM_TIS) { 319 if (!tpm_probe(sc->sc_bt, sc->sc_bh)) { 320 printf(": probe failed\n"); 321 return; 322 } 323 324 if (tpm_init_tis(sc) != 0) { 325 printf(": init failed\n"); 326 return; 327 } 328 } else { 329 if (tpm_init_crb(sc) != 0) { 330 printf(": init failed\n"); 331 return; 332 } 333 } 334 335 printf("\n"); 336 sc->sc_enabled = 1; 337 } 338 339 int 340 tpm_activate(struct device *self, int act) 341 { 342 struct tpm_softc *sc = (struct tpm_softc *)self; 343 344 switch (act) { 345 case DVACT_SUSPEND: 346 if (!sc->sc_enabled) { 347 DPRINTF(("%s: suspend, but not enabled\n", 348 sc->sc_dev.dv_xname)); 349 return 0; 350 } 351 tpm_suspend(sc); 352 break; 353 354 case DVACT_WAKEUP: 355 if (!sc->sc_enabled) { 356 DPRINTF(("%s: wakeup, but not enabled\n", 357 sc->sc_dev.dv_xname)); 358 return 0; 359 } 360 tpm_resume(sc); 361 break; 362 } 363 364 return 0; 365 } 366 367 int 368 tpm_suspend(struct tpm_softc *sc) 369 { 370 uint8_t command1[] = { 371 0, 0xc1, /* TPM_TAG_RQU_COMMAND */ 372 0, 0, 0, 10, /* Length in bytes */ 373 0, 0, 0, 0x98 /* TPM_ORD_SaveStates */ 374 }; 375 uint8_t command2[] = { 376 0x80, 0x01, /* TPM_ST_COMMAND_TAG */ 377 0, 0, 0, 12, /* Length in bytes */ 378 0, 0, 0x01, 0x45, /* TPM_CC_Shutdown */ 379 0x00, 0x01 380 }; 381 uint8_t *command; 382 size_t commandlen; 383 384 DPRINTF(("%s: saving state preparing for suspend\n", 385 sc->sc_dev.dv_xname)); 386 387 if (sc->sc_tpm20) { 388 command = command2; 389 commandlen = sizeof(command2); 390 } else { 391 command = command1; 392 commandlen = sizeof(command1); 393 } 394 395 /* 396 * Tell the chip to save its state so the BIOS can then restore it upon 397 * resume. 398 */ 399 if (sc->sc_tpm_mode == TPM_TIS) { 400 tpm_write_tis(sc, command, commandlen); 401 memset(command, 0, commandlen); 402 tpm_read_tis(sc, command, commandlen, NULL, TPM_HDRSIZE); 403 } else { 404 tpm_write_crb(sc, command, commandlen); 405 memset(command, 0, commandlen); 406 tpm_read_crb(sc, command, commandlen); 407 } 408 return 0; 409 } 410 411 int 412 tpm_resume(struct tpm_softc *sc) 413 { 414 /* 415 * TODO: The BIOS should have restored the chip's state for us already, 416 * but we should tell the chip to do a self-test here (according to the 417 * Linux driver). 418 */ 419 420 DPRINTF(("%s: resume\n", sc->sc_dev.dv_xname)); 421 return 0; 422 } 423 424 uint32_t 425 tpm2_start_method(struct acpi_softc *sc) 426 { 427 struct acpi_q *entry; 428 struct acpi_tpm2 *p_tpm2 = NULL; 429 430 SIMPLEQ_FOREACH(entry, &sc->sc_tables, q_next) { 431 if (memcmp(entry->q_table, TPM2_SIG, 432 sizeof(TPM2_SIG) - 1) == 0) { 433 p_tpm2 = entry->q_table; 434 break; 435 } 436 } 437 438 if (!p_tpm2) { 439 DPRINTF((", no TPM2 table")); 440 return 0; 441 } 442 443 return p_tpm2->start_method; 444 } 445 446 int 447 tpm_probe(bus_space_tag_t bt, bus_space_handle_t bh) 448 { 449 uint32_t r; 450 int tries = 10000; 451 452 /* wait for chip to settle */ 453 while (tries--) { 454 if (bus_space_read_1(bt, bh, TPM_ACCESS) & TPM_ACCESS_VALID) 455 break; 456 else if (!tries) { 457 printf(": timed out waiting for validity\n"); 458 return 1; 459 } 460 461 DELAY(10); 462 } 463 464 r = bus_space_read_4(bt, bh, TPM_INTF_CAPABILITIES); 465 if (r == 0xffffffff) 466 return 0; 467 468 return 1; 469 } 470 471 int 472 tpm_init_tis(struct tpm_softc *sc) 473 { 474 uint32_t r, intmask; 475 int i; 476 477 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_INTF_CAPABILITIES); 478 if ((r & TPM_CAPSREQ) != TPM_CAPSREQ || 479 !(r & (TPM_INTF_INT_EDGE_RISING | TPM_INTF_INT_LEVEL_LOW))) { 480 DPRINTF((": caps too low (caps=%b)\n", r, TPM_CAPBITS)); 481 return 0; 482 } 483 484 /* ack and disable all interrupts, we'll be using polling only */ 485 intmask = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE); 486 intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT | 487 TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT; 488 intmask &= ~TPM_GLOBAL_INT_ENABLE; 489 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE, intmask); 490 491 if (tpm_request_locality_tis(sc, 0)) { 492 printf(", requesting locality failed\n"); 493 return 1; 494 } 495 496 sc->sc_devid = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_ID); 497 sc->sc_rev = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_REV); 498 499 for (i = 0; tpm_devs[i].devid; i++) 500 if (tpm_devs[i].devid == sc->sc_devid) 501 break; 502 503 if (tpm_devs[i].devid) 504 printf(", %s rev 0x%x", tpm_devs[i].name, sc->sc_rev); 505 else 506 printf(", device 0x%08x rev 0x%x", sc->sc_devid, sc->sc_rev); 507 508 return 0; 509 } 510 511 int 512 tpm_init_crb(struct tpm_softc *sc) 513 { 514 uint32_t intmask; 515 int i; 516 517 if (tpm_request_locality_crb(sc, 0)) { 518 printf(", request locality failed\n"); 519 return 1; 520 } 521 522 /* ack and disable all interrupts, we'll be using polling only */ 523 intmask = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE); 524 intmask &= ~TPM_CRB_INT_ENABLED_BIT; 525 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE, intmask); 526 527 /* Identify command and response registers and sizes */ 528 sc->sc_cmd_off = bus_space_read_4(sc->sc_bt, sc->sc_bh, 529 TPM_CRB_CTRL_CMD_LADDR); 530 sc->sc_cmd_off |= ((uint64_t) bus_space_read_4(sc->sc_bt, sc->sc_bh, 531 TPM_CRB_CTRL_CMD_HADDR) << 32); 532 sc->sc_cmd_sz = bus_space_read_4(sc->sc_bt, sc->sc_bh, 533 TPM_CRB_CTRL_CMD_SIZE); 534 535 sc->sc_rsp_off = bus_space_read_4(sc->sc_bt, sc->sc_bh, 536 TPM_CRB_CTRL_RSP_LADDR); 537 sc->sc_rsp_off |= ((uint64_t) bus_space_read_4(sc->sc_bt, sc->sc_bh, 538 TPM_CRB_CTRL_RSP_HADDR) << 32); 539 sc->sc_rsp_sz = bus_space_read_4(sc->sc_bt, sc->sc_bh, 540 TPM_CRB_CTRL_RSP_SIZE); 541 542 DPRINTF((", cmd @ 0x%lx, %ld, rsp @ 0x%lx, %ld", sc->sc_cmd_off, 543 sc->sc_cmd_sz, sc->sc_rsp_off, sc->sc_rsp_sz)); 544 545 sc->sc_cmd_off = sc->sc_cmd_off - sc->sc_bbase; 546 sc->sc_rsp_off = sc->sc_rsp_off - sc->sc_bbase; 547 548 tpm_release_locality_crb(sc); 549 550 /* If it's a unified buffer, the sizes must be the same. */ 551 if (sc->sc_cmd_off == sc->sc_rsp_off) { 552 if (sc->sc_cmd_sz != sc->sc_rsp_sz) { 553 printf(", invalid buffer sizes\n"); 554 return 1; 555 } 556 } 557 558 for (i = 0; tpm_devs[i].devid; i++) 559 if (tpm_devs[i].devid == sc->sc_devid) 560 break; 561 562 if (tpm_devs[i].devid) 563 printf(", %s rev 0x%x", tpm_devs[i].name, sc->sc_rev); 564 else 565 printf(", device 0x%08x rev 0x%x", sc->sc_devid, sc->sc_rev); 566 567 return 0; 568 } 569 570 int 571 tpm_request_locality_tis(struct tpm_softc *sc, int l) 572 { 573 uint32_t r; 574 int to; 575 576 if (l != 0) 577 return EINVAL; 578 579 if ((bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS) & 580 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) == 581 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) 582 return 0; 583 584 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS, 585 TPM_ACCESS_REQUEST_USE); 586 587 to = TPM_ACCESS_TMO * 100; /* steps of 10 microseconds */ 588 589 while ((r = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS) & 590 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) != 591 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY) && to--) { 592 DELAY(10); 593 } 594 595 if ((r & (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) != 596 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) { 597 DPRINTF(("%s: %s: access %b\n", sc->sc_dev.dv_xname, __func__, 598 r, TPM_ACCESS_BITS)); 599 return EBUSY; 600 } 601 602 return 0; 603 } 604 605 int 606 tpm_request_locality_crb(struct tpm_softc *sc, int l) 607 { 608 uint32_t r, mask; 609 int to; 610 611 if (l != 0) 612 return EINVAL; 613 614 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL); 615 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL, 616 r | TPM_CRB_LOC_REQUEST); 617 618 to = TPM_ACCESS_TMO * 200; 619 mask = TPM_CRB_LOC_STATE_ASSIGNED | TPM_CRB_LOC_VALID; 620 621 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_STATE); 622 while ((r & mask) != mask && to--) { 623 DELAY(10); 624 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_STATE); 625 } 626 627 if ((r & mask) != mask) { 628 printf(", CRB loc FAILED"); 629 return EBUSY; 630 } 631 632 return 0; 633 } 634 635 void 636 tpm_release_locality_tis(struct tpm_softc *sc) 637 { 638 if ((bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS) & 639 (TPM_ACCESS_REQUEST_PENDING|TPM_ACCESS_VALID)) == 640 (TPM_ACCESS_REQUEST_PENDING|TPM_ACCESS_VALID)) { 641 DPRINTF(("%s: releasing locality\n", sc->sc_dev.dv_xname)); 642 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS, 643 TPM_ACCESS_ACTIVE_LOCALITY); 644 } 645 } 646 647 void 648 tpm_release_locality_crb(struct tpm_softc *sc) 649 { 650 uint32_t r; 651 652 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL); 653 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL, 654 r | TPM_CRB_LOC_RELEASE); 655 } 656 657 int 658 tpm_getburst(struct tpm_softc *sc) 659 { 660 int burst, burst2, to; 661 662 to = TPM_BURST_TMO * 100; /* steps of 10 microseconds */ 663 664 burst = 0; 665 while (burst == 0 && to--) { 666 /* 667 * Burst count has to be read from bits 8 to 23 without 668 * touching any other bits, eg. the actual status bits 0 to 7. 669 */ 670 burst = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_STS + 1); 671 DPRINTF(("%s: %s: read1(0x%x): 0x%x\n", sc->sc_dev.dv_xname, 672 __func__, TPM_STS + 1, burst)); 673 burst2 = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_STS + 2); 674 DPRINTF(("%s: %s: read1(0x%x): 0x%x\n", sc->sc_dev.dv_xname, 675 __func__, TPM_STS + 2, burst2)); 676 burst |= burst2 << 8; 677 if (burst) 678 return burst; 679 680 DELAY(10); 681 } 682 683 DPRINTF(("%s: getburst timed out\n", sc->sc_dev.dv_xname)); 684 685 return 0; 686 } 687 688 uint8_t 689 tpm_status(struct tpm_softc *sc) 690 { 691 return bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_STS) & TPM_STS_MASK; 692 } 693 694 int 695 tpm_waitfor(struct tpm_softc *sc, bus_size_t offset, uint32_t mask, 696 uint32_t val, int msecs) 697 { 698 int usecs; 699 uint32_t r; 700 701 usecs = msecs * 1000; 702 703 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, offset); 704 if ((r & mask) == val) 705 return 0; 706 707 while (usecs > 0) { 708 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, offset); 709 if ((r & mask) == val) 710 return 0; 711 DELAY(1); 712 usecs--; 713 } 714 715 DPRINTF(("%s: %s: timed out, status 0x%x != 0x%x\n", 716 sc->sc_dev.dv_xname, __func__, r, mask)); 717 return ETIMEDOUT; 718 } 719 720 int 721 tpm_waitfor_status(struct tpm_softc *sc, uint8_t mask, int msecs) 722 { 723 int usecs; 724 uint8_t status; 725 726 usecs = msecs * 1000; 727 728 while (((status = tpm_status(sc)) & mask) != mask) { 729 if (usecs == 0) { 730 DPRINTF(("%s: %s: timed out, status 0x%x != 0x%x\n", 731 sc->sc_dev.dv_xname, __func__, status, mask)); 732 return status; 733 } 734 735 usecs--; 736 DELAY(1); 737 } 738 739 return 0; 740 } 741 742 int 743 tpm_read_tis(struct tpm_softc *sc, void *buf, int len, size_t *count, 744 int flags) 745 { 746 uint8_t *p = buf; 747 uint8_t c; 748 size_t cnt; 749 int rv, n, bcnt; 750 751 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 752 753 cnt = 0; 754 while (len > 0) { 755 if ((rv = tpm_waitfor_status(sc, 756 TPM_STS_DATA_AVAIL | TPM_STS_VALID, TPM_READ_TMO))) 757 return rv; 758 759 bcnt = tpm_getburst(sc); 760 n = MIN(len, bcnt); 761 762 for (; n--; len--) { 763 c = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_DATA); 764 DPRINTF((" %02x", c)); 765 *p++ = c; 766 cnt++; 767 } 768 769 if ((flags & TPM_PARAM_SIZE) == 0 && cnt >= 6) 770 break; 771 } 772 773 DPRINTF(("\n")); 774 775 if (count) 776 *count = cnt; 777 778 return 0; 779 } 780 781 int 782 tpm_read_crb(struct tpm_softc *sc, void *buf, int len) 783 { 784 uint8_t *p = buf; 785 uint32_t sz = 0, mask, rc; 786 size_t count = 0; 787 int r; 788 789 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 790 791 if (len < TPM_HDRSIZE) { 792 printf("%s: %s buf len too small\n", sc->sc_dev.dv_xname, 793 __func__); 794 return EINVAL; 795 } 796 797 while (count < TPM_HDRSIZE) { 798 *p = bus_space_read_1(sc->sc_bt, sc->sc_bh, 799 sc->sc_rsp_off + count); 800 DPRINTF((" %02x", *p)); 801 count++; 802 p++; 803 } 804 DPRINTF(("\n")); 805 806 /* Response length is bytes 2-5 in the response header. */ 807 p = buf; 808 sz = be32toh(*(uint32_t *) (p + 2)); 809 if (sz < TPM_HDRSIZE || sz > sc->sc_rsp_sz) { 810 printf("%s: invalid response size %d\n", 811 sc->sc_dev.dv_xname, sz); 812 return EIO; 813 } 814 if (sz > len) 815 printf("%s: response size too large, truncated to %d\n", 816 sc->sc_dev.dv_xname, len); 817 818 /* Response code is bytes 6-9. */ 819 rc = be32toh(*(uint32_t *) (p + 6)); 820 if (rc != TPM2_RC_SUCCESS) { 821 printf("%s: command failed (0x%04x)\n", sc->sc_dev.dv_xname, 822 rc); 823 /* Nothing we can do on failure. Still try to idle the tpm. */ 824 } 825 826 /* Tell the device to go idle. */ 827 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ); 828 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ, 829 r | TPM_CRB_CTRL_REQ_GO_IDLE); 830 831 mask = TPM_CRB_CTRL_STS_IDLE_BIT; 832 if (tpm_waitfor(sc, TPM_CRB_CTRL_STS, mask, mask, 200)) { 833 printf("%s: failed to transition to idle state after read\n", 834 sc->sc_dev.dv_xname); 835 } 836 837 tpm_release_locality_crb(sc); 838 839 DPRINTF(("%s: %s completed\n", sc->sc_dev.dv_xname, __func__)); 840 return 0; 841 } 842 843 int 844 tpm_write_tis(struct tpm_softc *sc, void *buf, int len) 845 { 846 uint8_t *p = buf; 847 uint8_t status; 848 size_t count = 0; 849 int rv, r; 850 851 if ((rv = tpm_request_locality_tis(sc, 0)) != 0) 852 return rv; 853 854 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 855 for (r = 0; r < len; r++) 856 DPRINTF((" %02x", (uint8_t)(*(p + r)))); 857 DPRINTF(("\n")); 858 859 /* read status */ 860 status = tpm_status(sc); 861 if ((status & TPM_STS_CMD_READY) == 0) { 862 /* abort! */ 863 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_STS, 864 TPM_STS_CMD_READY); 865 if ((rv = tpm_waitfor_status(sc, TPM_STS_CMD_READY, 866 TPM_READ_TMO))) { 867 DPRINTF(("%s: failed waiting for ready after abort " 868 "(0x%x)\n", sc->sc_dev.dv_xname, rv)); 869 return rv; 870 } 871 } 872 873 while (count < len - 1) { 874 for (r = tpm_getburst(sc); r > 0 && count < len - 1; r--) { 875 DPRINTF(("%s: %s: write1(0x%x, 0x%x)\n", 876 sc->sc_dev.dv_xname, __func__, TPM_DATA, *p)); 877 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_DATA, *p++); 878 count++; 879 } 880 if ((rv = tpm_waitfor_status(sc, TPM_STS_VALID | TPM_STS_DATA_EXPECT, 881 TPM_READ_TMO))) { 882 DPRINTF(("%s: %s: failed waiting for next byte (%d)\n", 883 sc->sc_dev.dv_xname, __func__, rv)); 884 return rv; 885 } 886 } 887 888 DPRINTF(("%s: %s: write1(0x%x, 0x%x)\n", sc->sc_dev.dv_xname, __func__, 889 TPM_DATA, *p)); 890 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_DATA, *p); 891 count++; 892 893 if ((rv = tpm_waitfor_status(sc, TPM_STS_VALID, TPM_READ_TMO))) { 894 DPRINTF(("%s: %s: failed after last byte (%d)\n", 895 sc->sc_dev.dv_xname, __func__, rv)); 896 return rv; 897 } 898 899 if ((status = tpm_status(sc)) & TPM_STS_DATA_EXPECT) { 900 DPRINTF(("%s: %s: final status still expecting data: %b\n", 901 sc->sc_dev.dv_xname, __func__, status, TPM_STS_BITS)); 902 return status; 903 } 904 905 DPRINTF(("%s: final status after write: %b\n", sc->sc_dev.dv_xname, 906 status, TPM_STS_BITS)); 907 908 /* XXX: are we ever sending non-command data? */ 909 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_STS, TPM_STS_GO); 910 911 return 0; 912 } 913 914 int 915 tpm_write_crb(struct tpm_softc *sc, void *buf, int len) 916 { 917 uint8_t *p = buf; 918 size_t count = 0; 919 uint32_t r, mask; 920 921 if (len > sc->sc_cmd_sz) { 922 printf("%s: requested write length larger than cmd buffer\n", 923 sc->sc_dev.dv_xname); 924 return EINVAL; 925 } 926 927 if (bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_STS) 928 & TPM_CRB_CTRL_STS_ERR_BIT) { 929 printf("%s: device error bit set\n", sc->sc_dev.dv_xname); 930 return EIO; 931 } 932 933 if (tpm_request_locality_crb(sc, 0)) { 934 printf("%s: failed to acquire locality\n", sc->sc_dev.dv_xname); 935 return EIO; 936 } 937 938 /* Clear cancellation bit */ 939 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_CANCEL, 940 TPM_CRB_CTRL_CANCEL_CLEAR); 941 942 /* Toggle to idle state (if needed) and then to ready */ 943 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_STS); 944 if(!(r & TPM_CRB_CTRL_STS_IDLE_BIT)) { 945 printf("%s: asking device to idle\n", sc->sc_dev.dv_xname); 946 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ); 947 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ, 948 r | TPM_CRB_CTRL_REQ_GO_IDLE); 949 950 mask = TPM_CRB_CTRL_STS_IDLE_BIT; 951 if (tpm_waitfor(sc, TPM_CRB_CTRL_STS, mask, mask, 200)) { 952 printf("%s: failed to transition to idle state before " 953 "write\n", sc->sc_dev.dv_xname); 954 return EIO; 955 } 956 } 957 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ); 958 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ, 959 r | TPM_CRB_CTRL_REQ_GO_READY); 960 mask = TPM_CRB_CTRL_REQ_GO_READY; 961 if (tpm_waitfor(sc, TPM_CRB_CTRL_STS, mask, !mask, 200)) { 962 printf("%s: failed to transition to ready state\n", 963 sc->sc_dev.dv_xname); 964 return EIO; 965 } 966 967 /* Write the command */ 968 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 969 while (count < len) { 970 DPRINTF((" %02x", (uint8_t)(*p))); 971 bus_space_write_1(sc->sc_bt, sc->sc_bh, sc->sc_cmd_off + count, 972 *p++); 973 count++; 974 } 975 DPRINTF(("\n")); 976 bus_space_barrier(sc->sc_bt, sc->sc_bh, sc->sc_cmd_off, len, 977 BUS_SPACE_BARRIER_WRITE); 978 DPRINTF(("%s: %s wrote %lu bytes\n", sc->sc_dev.dv_xname, __func__, 979 count)); 980 981 /* Send the Start Command request */ 982 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_START, 983 TPM_CRB_CTRL_START_CMD); 984 bus_space_barrier(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_START, 4, 985 BUS_SPACE_BARRIER_WRITE); 986 987 /* Check if command was processed */ 988 mask = ~0; 989 if (tpm_waitfor(sc, TPM_CRB_CTRL_START, mask, ~mask, 200)) { 990 printf("%s: timeout waiting for device to process command\n", 991 sc->sc_dev.dv_xname); 992 return EIO; 993 } 994 995 return 0; 996 } 997