1 /* $OpenBSD: tpm.c,v 1.18 2023/08/15 08:27:29 miod Exp $ */ 2 3 /* 4 * Minimal interface to Trusted Platform Module chips implementing the 5 * TPM Interface Spec 1.2, just enough to tell the TPM to save state before 6 * a system suspend. 7 * 8 * Copyright (c) 2008, 2009 Michael Shalayeff 9 * Copyright (c) 2009, 2010 Hans-Joerg Hoexer 10 * Copyright (c) 2016 joshua stein <jcs@openbsd.org> 11 * All rights reserved. 12 * 13 * Permission to use, copy, modify, and distribute this software for any 14 * purpose with or without fee is hereby granted, provided that the above 15 * copyright notice and this permission notice appear in all copies. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 18 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 20 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 21 * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN 22 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT 23 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 24 */ 25 26 #include <sys/param.h> 27 #include <sys/systm.h> 28 #include <sys/device.h> 29 #include <sys/malloc.h> 30 31 #include <machine/bus.h> 32 #include <machine/apmvar.h> 33 34 #include <dev/acpi/acpireg.h> 35 #include <dev/acpi/acpivar.h> 36 #include <dev/acpi/acpidev.h> 37 #include <dev/acpi/amltypes.h> 38 #include <dev/acpi/dsdt.h> 39 40 /* #define TPM_DEBUG */ 41 42 #ifdef TPM_DEBUG 43 #define DPRINTF(x) printf x 44 #else 45 #define DPRINTF(x) 46 #endif 47 48 #define TPM_BUFSIZ 1024 49 #define TPM_HDRSIZE 10 50 #define TPM_PARAM_SIZE 0x0001 51 52 #define TPM_ACCESS 0x0000 /* access register */ 53 #define TPM_ACCESS_ESTABLISHMENT 0x01 /* establishment */ 54 #define TPM_ACCESS_REQUEST_USE 0x02 /* request using locality */ 55 #define TPM_ACCESS_REQUEST_PENDING 0x04 /* pending request */ 56 #define TPM_ACCESS_SEIZE 0x08 /* request locality seize */ 57 #define TPM_ACCESS_SEIZED 0x10 /* locality has been seized */ 58 #define TPM_ACCESS_ACTIVE_LOCALITY 0x20 /* locality is active */ 59 #define TPM_ACCESS_VALID 0x80 /* bits are valid */ 60 #define TPM_ACCESS_BITS \ 61 "\020\01EST\02REQ\03PEND\04SEIZE\05SEIZED\06ACT\010VALID" 62 63 #define TPM_INTERRUPT_ENABLE 0x0008 64 #define TPM_GLOBAL_INT_ENABLE 0x80000000 /* enable ints */ 65 #define TPM_CMD_READY_INT 0x00000080 /* cmd ready enable */ 66 #define TPM_INT_EDGE_FALLING 0x00000018 67 #define TPM_INT_EDGE_RISING 0x00000010 68 #define TPM_INT_LEVEL_LOW 0x00000008 69 #define TPM_INT_LEVEL_HIGH 0x00000000 70 #define TPM_LOCALITY_CHANGE_INT 0x00000004 /* locality change enable */ 71 #define TPM_STS_VALID_INT 0x00000002 /* int on TPM_STS_VALID is set */ 72 #define TPM_DATA_AVAIL_INT 0x00000001 /* int on TPM_STS_DATA_AVAIL is set */ 73 #define TPM_INTERRUPT_ENABLE_BITS \ 74 "\020\040ENA\010RDY\03LOCH\02STSV\01DRDY" 75 76 #define TPM_INT_VECTOR 0x000c /* 8 bit reg for 4 bit irq vector */ 77 #define TPM_INT_STATUS 0x0010 /* bits are & 0x87 from TPM_INTERRUPT_ENABLE */ 78 79 #define TPM_INTF_CAPABILITIES 0x0014 /* capability register */ 80 #define TPM_INTF_BURST_COUNT_STATIC 0x0100 /* TPM_STS_BMASK static */ 81 #define TPM_INTF_CMD_READY_INT 0x0080 /* int on ready supported */ 82 #define TPM_INTF_INT_EDGE_FALLING 0x0040 /* falling edge ints supported */ 83 #define TPM_INTF_INT_EDGE_RISING 0x0020 /* rising edge ints supported */ 84 #define TPM_INTF_INT_LEVEL_LOW 0x0010 /* level-low ints supported */ 85 #define TPM_INTF_INT_LEVEL_HIGH 0x0008 /* level-high ints supported */ 86 #define TPM_INTF_LOCALITY_CHANGE_INT 0x0004 /* locality-change int (mb 1) */ 87 #define TPM_INTF_STS_VALID_INT 0x0002 /* TPM_STS_VALID int supported */ 88 #define TPM_INTF_DATA_AVAIL_INT 0x0001 /* TPM_STS_DATA_AVAIL int supported (mb 1) */ 89 #define TPM_CAPSREQ \ 90 (TPM_INTF_DATA_AVAIL_INT|TPM_INTF_LOCALITY_CHANGE_INT|TPM_INTF_INT_LEVEL_LOW) 91 #define TPM_CAPBITS \ 92 "\020\01IDRDY\02ISTSV\03ILOCH\04IHIGH\05ILOW\06IEDGE\07IFALL\010IRDY\011BCST" 93 94 #define TPM_STS 0x0018 /* status register */ 95 #define TPM_STS_MASK 0x000000ff /* status bits */ 96 #define TPM_STS_BMASK 0x00ffff00 /* ro io burst size */ 97 #define TPM_STS_VALID 0x00000080 /* ro other bits are valid */ 98 #define TPM_STS_CMD_READY 0x00000040 /* rw chip/signal ready */ 99 #define TPM_STS_GO 0x00000020 /* wo start the command */ 100 #define TPM_STS_DATA_AVAIL 0x00000010 /* ro data available */ 101 #define TPM_STS_DATA_EXPECT 0x00000008 /* ro more data to be written */ 102 #define TPM_STS_RESP_RETRY 0x00000002 /* wo resend the response */ 103 #define TPM_STS_BITS "\020\010VALID\07RDY\06GO\05DRDY\04EXPECT\02RETRY" 104 105 #define TPM_DATA 0x0024 106 #define TPM_ID 0x0f00 107 #define TPM_REV 0x0f04 108 #define TPM_SIZE 0x5000 /* five pages of the above */ 109 110 #define TPM_ACCESS_TMO 2000 /* 2sec */ 111 #define TPM_READY_TMO 2000 /* 2sec */ 112 #define TPM_READ_TMO 120000 /* 2 minutes */ 113 #define TPM_BURST_TMO 2000 /* 2sec */ 114 115 #define TPM2_START_METHOD_TIS 6 116 #define TPM2_START_METHOD_CRB 7 117 118 #define TPM_CRB_LOC_STATE 0x0 119 #define TPM_CRB_LOC_CTRL 0x8 120 #define TPM_LOC_STS 0xC 121 #define TPM_CRB_INTF_ID 0x30 122 #define TPM_CRB_CTRL_EXT 0x38 123 #define TPM_CRB_CTRL_REQ 0x40 124 #define TPM_CRB_CTRL_STS 0x44 125 #define TPM_CRB_CTRL_CANCEL 0x48 126 #define TPM_CRB_CTRL_START 0x4C 127 #define TPM_CRB_CTRL_CMD_SIZE 0x58 128 #define TPM_CRB_CTRL_CMD_LADDR 0x5C 129 #define TPM_CRB_CTRL_CMD_HADDR 0x60 130 #define TPM_CRB_CTRL_RSP_SIZE 0x64 131 #define TPM_CRB_CTRL_RSP_LADDR 0x68 132 #define TPM_CRB_CTRL_RSP_HADDR 0x6c 133 #define TPM_CRB_DATA_BUFFER 0x80 134 135 #define TPM_CRB_LOC_STATE_ESTB (1 << 0) 136 #define TPM_CRB_LOC_STATE_ASSIGNED (1 << 1) 137 #define TPM_CRB_LOC_ACTIVE_MASK 0x009c 138 #define TPM_CRB_LOC_VALID (1 << 7) 139 140 #define TPM_CRB_LOC_REQUEST (1 << 0) 141 #define TPM_CRB_LOC_RELEASE (1 << 1) 142 143 #define TPM_CRB_CTRL_REQ_GO_READY (1 << 0) 144 #define TPM_CRB_CTRL_REQ_GO_IDLE (1 << 1) 145 146 #define TPM_CRB_CTRL_STS_ERR_BIT (1 << 0) 147 #define TPM_CRB_CTRL_STS_IDLE_BIT (1 << 1) 148 149 #define TPM_CRB_CTRL_CANCEL_CMD 0x1 150 #define TPM_CRB_CTRL_CANCEL_CLEAR 0x0 151 152 #define TPM_CRB_CTRL_START_CMD (1 << 0) 153 #define TPM_CRB_INT_ENABLED_BIT (1U << 31) 154 155 #define TPM2_RC_SUCCESS 0x0000 156 #define TPM2_RC_INITIALIZE 0x0100 157 #define TPM2_RC_FAILURE 0x0101 158 #define TPM2_RC_DISABLED 0x0120 159 #define TPM2_RC_RETRY 0x0922 160 161 struct tpm_softc { 162 struct device sc_dev; 163 164 bus_space_tag_t sc_bt; 165 bus_space_handle_t sc_bh; 166 bus_size_t sc_bbase; 167 168 struct acpi_softc *sc_acpi; 169 struct aml_node *sc_devnode; 170 171 uint32_t sc_devid; 172 uint32_t sc_rev; 173 174 int sc_tpm20; 175 int sc_tpm_mode; 176 #define TPM_TIS 0 177 #define TPM_CRB 1 178 bus_size_t sc_cmd_off; 179 bus_size_t sc_rsp_off; 180 size_t sc_cmd_sz; 181 size_t sc_rsp_sz; 182 183 int sc_enabled; 184 }; 185 186 const struct { 187 uint32_t devid; 188 char name[32]; 189 } tpm_devs[] = { 190 { 0x000615d1, "Infineon SLD9630 1.1" }, 191 { 0x000b15d1, "Infineon SLB9635 1.2" }, 192 { 0x100214e4, "Broadcom BCM0102" }, 193 { 0x00fe1050, "WEC WPCT200" }, 194 { 0x687119fa, "SNS SSX35" }, 195 { 0x2e4d5453, "STM ST19WP18" }, 196 { 0x32021114, "Atmel 97SC3203" }, 197 { 0x10408086, "Intel INTC0102" }, 198 { 0, "" }, 199 }; 200 201 int tpm_match(struct device *, void *, void *); 202 void tpm_attach(struct device *, struct device *, void *); 203 int tpm_activate(struct device *, int); 204 205 int tpm_probe(bus_space_tag_t, bus_space_handle_t); 206 int tpm_init_tis(struct tpm_softc *); 207 int tpm_init_crb(struct tpm_softc *); 208 int tpm_read_tis(struct tpm_softc *, void *, int, size_t *, int); 209 int tpm_read_crb(struct tpm_softc *, void *, int); 210 int tpm_write_tis(struct tpm_softc *, void *, int); 211 int tpm_write_crb(struct tpm_softc *, void *, int); 212 int tpm_suspend(struct tpm_softc *); 213 int tpm_resume(struct tpm_softc *); 214 215 int tpm_waitfor(struct tpm_softc *, bus_space_handle_t, uint32_t, uint32_t, int); 216 int tpm_waitfor_status(struct tpm_softc *, uint8_t, int); 217 int tpm_request_locality_tis(struct tpm_softc *, int); 218 int tpm_request_locality_crb(struct tpm_softc *, int); 219 void tpm_release_locality_tis(struct tpm_softc *); 220 void tpm_release_locality_crb(struct tpm_softc *); 221 int tpm_getburst_tis(struct tpm_softc *); 222 int tpm_getburst_crb(struct tpm_softc *); 223 uint8_t tpm_status(struct tpm_softc *); 224 225 uint32_t tpm2_start_method(struct acpi_softc *); 226 227 const struct cfattach tpm_ca = { 228 sizeof(struct tpm_softc), 229 tpm_match, 230 tpm_attach, 231 NULL, 232 tpm_activate 233 }; 234 235 struct cfdriver tpm_cd = { 236 NULL, "tpm", DV_DULL, CD_SKIPHIBERNATE /* XXX */ 237 }; 238 239 const char *tpm_hids[] = { 240 "PNP0C31", 241 "ATM1200", 242 "IFX0102", 243 "BCM0101", 244 "BCM0102", 245 "NSC1200", 246 "ICO0102", 247 "MSFT0101", 248 NULL 249 }; 250 251 int 252 tpm_match(struct device *parent, void *match, void *aux) 253 { 254 struct acpi_attach_args *aa = aux; 255 struct cfdata *cf = match; 256 257 if (aa->aaa_naddr < 1) 258 return 0; 259 return (acpi_matchhids(aa, tpm_hids, cf->cf_driver->cd_name)); 260 } 261 262 void 263 tpm_attach(struct device *parent, struct device *self, void *aux) 264 { 265 struct tpm_softc *sc = (struct tpm_softc *)self; 266 struct acpi_attach_args *aaa = aux; 267 int64_t sta; 268 uint32_t start_method; 269 270 sc->sc_acpi = (struct acpi_softc *)parent; 271 sc->sc_devnode = aaa->aaa_node; 272 sc->sc_enabled = 0; 273 sc->sc_tpm_mode = TPM_TIS; 274 275 printf(" %s", sc->sc_devnode->name); 276 277 if (strcmp(aaa->aaa_dev, "MSFT0101") == 0 || 278 strcmp(aaa->aaa_cdev, "MSFT0101") == 0) { 279 sc->sc_tpm20 = 1; 280 /* Identify if using 1.2 TIS or 2.0's CRB methods */ 281 start_method = tpm2_start_method(sc->sc_acpi); 282 switch (start_method) { 283 case TPM2_START_METHOD_TIS: 284 /* Already default */ 285 break; 286 case TPM2_START_METHOD_CRB: 287 sc->sc_tpm_mode = TPM_CRB; 288 break; 289 default: 290 printf(": unsupported TPM2 start method %d\n", start_method); 291 return; 292 } 293 } 294 295 printf(" %s (%s)", sc->sc_tpm20 ? "2.0" : "1.2", 296 sc->sc_tpm_mode == TPM_TIS ? "TIS" : "CRB"); 297 298 sta = acpi_getsta(sc->sc_acpi, sc->sc_devnode); 299 if ((sta & (STA_PRESENT | STA_ENABLED | STA_DEV_OK)) != 300 (STA_PRESENT | STA_ENABLED | STA_DEV_OK)) { 301 printf(": not enabled\n"); 302 return; 303 } 304 305 printf(" addr 0x%llx/0x%llx", aaa->aaa_addr[0], aaa->aaa_size[0]); 306 sc->sc_bbase = aaa->aaa_addr[0]; 307 308 sc->sc_bt = aaa->aaa_bst[0]; 309 if (bus_space_map(sc->sc_bt, aaa->aaa_addr[0], aaa->aaa_size[0], 310 0, &sc->sc_bh)) { 311 printf(": can't map registers\n"); 312 return; 313 } 314 315 if (sc->sc_tpm_mode == TPM_TIS) { 316 if (!tpm_probe(sc->sc_bt, sc->sc_bh)) { 317 printf(": probe failed\n"); 318 return; 319 } 320 321 if (tpm_init_tis(sc) != 0) { 322 printf(": init failed\n"); 323 return; 324 } 325 } else { 326 if (tpm_init_crb(sc) != 0) { 327 printf(": init failed\n"); 328 return; 329 } 330 } 331 332 printf("\n"); 333 sc->sc_enabled = 1; 334 } 335 336 int 337 tpm_activate(struct device *self, int act) 338 { 339 struct tpm_softc *sc = (struct tpm_softc *)self; 340 341 switch (act) { 342 case DVACT_SUSPEND: 343 if (!sc->sc_enabled) { 344 DPRINTF(("%s: suspend, but not enabled\n", 345 sc->sc_dev.dv_xname)); 346 return 0; 347 } 348 tpm_suspend(sc); 349 break; 350 351 case DVACT_WAKEUP: 352 if (!sc->sc_enabled) { 353 DPRINTF(("%s: wakeup, but not enabled\n", 354 sc->sc_dev.dv_xname)); 355 return 0; 356 } 357 tpm_resume(sc); 358 break; 359 } 360 361 return 0; 362 } 363 364 int 365 tpm_suspend(struct tpm_softc *sc) 366 { 367 uint8_t command1[] = { 368 0, 0xc1, /* TPM_TAG_RQU_COMMAND */ 369 0, 0, 0, 10, /* Length in bytes */ 370 0, 0, 0, 0x98 /* TPM_ORD_SaveStates */ 371 }; 372 uint8_t command2[] = { 373 0x80, 0x01, /* TPM_ST_COMMAND_TAG */ 374 0, 0, 0, 12, /* Length in bytes */ 375 0, 0, 0x01, 0x45, /* TPM_CC_Shutdown */ 376 0x00, 0x01 377 }; 378 uint8_t *command; 379 size_t commandlen; 380 381 DPRINTF(("%s: saving state preparing for suspend\n", 382 sc->sc_dev.dv_xname)); 383 384 if (sc->sc_tpm20) { 385 command = command2; 386 commandlen = sizeof(command2); 387 } else { 388 command = command1; 389 commandlen = sizeof(command1); 390 } 391 392 /* 393 * Tell the chip to save its state so the BIOS can then restore it upon 394 * resume. 395 */ 396 if (sc->sc_tpm_mode == TPM_TIS) { 397 tpm_write_tis(sc, command, commandlen); 398 memset(command, 0, commandlen); 399 tpm_read_tis(sc, command, commandlen, NULL, TPM_HDRSIZE); 400 } else { 401 tpm_write_crb(sc, command, commandlen); 402 memset(command, 0, commandlen); 403 tpm_read_crb(sc, command, commandlen); 404 } 405 return 0; 406 } 407 408 int 409 tpm_resume(struct tpm_softc *sc) 410 { 411 /* 412 * TODO: The BIOS should have restored the chip's state for us already, 413 * but we should tell the chip to do a self-test here (according to the 414 * Linux driver). 415 */ 416 417 DPRINTF(("%s: resume\n", sc->sc_dev.dv_xname)); 418 return 0; 419 } 420 421 uint32_t 422 tpm2_start_method(struct acpi_softc *sc) 423 { 424 struct acpi_q *entry; 425 struct acpi_tpm2 *p_tpm2 = NULL; 426 427 SIMPLEQ_FOREACH(entry, &sc->sc_tables, q_next) { 428 if (memcmp(entry->q_table, TPM2_SIG, 429 sizeof(TPM2_SIG) - 1) == 0) { 430 p_tpm2 = entry->q_table; 431 break; 432 } 433 } 434 435 if (!p_tpm2) { 436 DPRINTF((", no TPM2 table")); 437 return 0; 438 } 439 440 return p_tpm2->start_method; 441 } 442 443 int 444 tpm_probe(bus_space_tag_t bt, bus_space_handle_t bh) 445 { 446 uint32_t r; 447 int tries = 10000; 448 449 /* wait for chip to settle */ 450 while (tries--) { 451 if (bus_space_read_1(bt, bh, TPM_ACCESS) & TPM_ACCESS_VALID) 452 break; 453 else if (!tries) { 454 printf(": timed out waiting for validity\n"); 455 return 1; 456 } 457 458 DELAY(10); 459 } 460 461 r = bus_space_read_4(bt, bh, TPM_INTF_CAPABILITIES); 462 if (r == 0xffffffff) 463 return 0; 464 465 return 1; 466 } 467 468 int 469 tpm_init_tis(struct tpm_softc *sc) 470 { 471 uint32_t r, intmask; 472 int i; 473 474 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_INTF_CAPABILITIES); 475 if ((r & TPM_CAPSREQ) != TPM_CAPSREQ || 476 !(r & (TPM_INTF_INT_EDGE_RISING | TPM_INTF_INT_LEVEL_LOW))) { 477 DPRINTF((": caps too low (caps=%b)\n", r, TPM_CAPBITS)); 478 return 0; 479 } 480 481 /* ack and disable all interrupts, we'll be using polling only */ 482 intmask = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE); 483 intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT | 484 TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT; 485 intmask &= ~TPM_GLOBAL_INT_ENABLE; 486 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE, intmask); 487 488 if (tpm_request_locality_tis(sc, 0)) { 489 printf(", requesting locality failed\n"); 490 return 1; 491 } 492 493 sc->sc_devid = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_ID); 494 sc->sc_rev = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_REV); 495 496 for (i = 0; tpm_devs[i].devid; i++) 497 if (tpm_devs[i].devid == sc->sc_devid) 498 break; 499 500 if (tpm_devs[i].devid) 501 printf(", %s rev 0x%x", tpm_devs[i].name, sc->sc_rev); 502 else 503 printf(", device 0x%08x rev 0x%x", sc->sc_devid, sc->sc_rev); 504 505 return 0; 506 } 507 508 int 509 tpm_init_crb(struct tpm_softc *sc) 510 { 511 uint32_t intmask; 512 int i; 513 514 if (tpm_request_locality_crb(sc, 0)) { 515 printf(", request locality failed\n"); 516 return 1; 517 } 518 519 /* ack and disable all interrupts, we'll be using polling only */ 520 intmask = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE); 521 intmask &= ~TPM_CRB_INT_ENABLED_BIT; 522 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_INTERRUPT_ENABLE, intmask); 523 524 /* Identify command and response registers and sizes */ 525 sc->sc_cmd_off = bus_space_read_4(sc->sc_bt, sc->sc_bh, 526 TPM_CRB_CTRL_CMD_LADDR); 527 sc->sc_cmd_off |= ((uint64_t) bus_space_read_4(sc->sc_bt, sc->sc_bh, 528 TPM_CRB_CTRL_CMD_HADDR) << 32); 529 sc->sc_cmd_sz = bus_space_read_4(sc->sc_bt, sc->sc_bh, 530 TPM_CRB_CTRL_CMD_SIZE); 531 532 sc->sc_rsp_off = bus_space_read_4(sc->sc_bt, sc->sc_bh, 533 TPM_CRB_CTRL_RSP_LADDR); 534 sc->sc_rsp_off |= ((uint64_t) bus_space_read_4(sc->sc_bt, sc->sc_bh, 535 TPM_CRB_CTRL_RSP_HADDR) << 32); 536 sc->sc_rsp_sz = bus_space_read_4(sc->sc_bt, sc->sc_bh, 537 TPM_CRB_CTRL_RSP_SIZE); 538 539 DPRINTF((", cmd @ 0x%lx, %ld, rsp @ 0x%lx, %ld", sc->sc_cmd_off, 540 sc->sc_cmd_sz, sc->sc_rsp_off, sc->sc_rsp_sz)); 541 542 sc->sc_cmd_off = sc->sc_cmd_off - sc->sc_bbase; 543 sc->sc_rsp_off = sc->sc_rsp_off - sc->sc_bbase; 544 545 tpm_release_locality_crb(sc); 546 547 /* If it's a unified buffer, the sizes must be the same. */ 548 if (sc->sc_cmd_off == sc->sc_rsp_off) { 549 if (sc->sc_cmd_sz != sc->sc_rsp_sz) { 550 printf(", invalid buffer sizes\n"); 551 return 1; 552 } 553 } 554 555 for (i = 0; tpm_devs[i].devid; i++) 556 if (tpm_devs[i].devid == sc->sc_devid) 557 break; 558 559 if (tpm_devs[i].devid) 560 printf(", %s rev 0x%x", tpm_devs[i].name, sc->sc_rev); 561 else 562 printf(", device 0x%08x rev 0x%x", sc->sc_devid, sc->sc_rev); 563 564 return 0; 565 } 566 567 int 568 tpm_request_locality_tis(struct tpm_softc *sc, int l) 569 { 570 uint32_t r; 571 int to; 572 573 if (l != 0) 574 return EINVAL; 575 576 if ((bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS) & 577 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) == 578 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) 579 return 0; 580 581 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS, 582 TPM_ACCESS_REQUEST_USE); 583 584 to = TPM_ACCESS_TMO * 100; /* steps of 10 microseconds */ 585 586 while ((r = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS) & 587 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) != 588 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY) && to--) { 589 DELAY(10); 590 } 591 592 if ((r & (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) != 593 (TPM_ACCESS_VALID | TPM_ACCESS_ACTIVE_LOCALITY)) { 594 DPRINTF(("%s: %s: access %b\n", sc->sc_dev.dv_xname, __func__, 595 r, TPM_ACCESS_BITS)); 596 return EBUSY; 597 } 598 599 return 0; 600 } 601 602 int 603 tpm_request_locality_crb(struct tpm_softc *sc, int l) 604 { 605 uint32_t r, mask; 606 int to; 607 608 if (l != 0) 609 return EINVAL; 610 611 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL); 612 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL, 613 r | TPM_CRB_LOC_REQUEST); 614 615 to = TPM_ACCESS_TMO * 200; 616 mask = TPM_CRB_LOC_STATE_ASSIGNED | TPM_CRB_LOC_VALID; 617 618 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_STATE); 619 while ((r & mask) != mask && to--) { 620 DELAY(10); 621 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_STATE); 622 } 623 624 if ((r & mask) != mask) { 625 printf(", CRB loc FAILED"); 626 return EBUSY; 627 } 628 629 return 0; 630 } 631 632 void 633 tpm_release_locality_tis(struct tpm_softc *sc) 634 { 635 if ((bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS) & 636 (TPM_ACCESS_REQUEST_PENDING|TPM_ACCESS_VALID)) == 637 (TPM_ACCESS_REQUEST_PENDING|TPM_ACCESS_VALID)) { 638 DPRINTF(("%s: releasing locality\n", sc->sc_dev.dv_xname)); 639 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_ACCESS, 640 TPM_ACCESS_ACTIVE_LOCALITY); 641 } 642 } 643 644 void 645 tpm_release_locality_crb(struct tpm_softc *sc) 646 { 647 uint32_t r; 648 649 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL); 650 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_LOC_CTRL, 651 r | TPM_CRB_LOC_RELEASE); 652 } 653 654 int 655 tpm_getburst(struct tpm_softc *sc) 656 { 657 int burst, burst2, to; 658 659 to = TPM_BURST_TMO * 100; /* steps of 10 microseconds */ 660 661 burst = 0; 662 while (burst == 0 && to--) { 663 /* 664 * Burst count has to be read from bits 8 to 23 without 665 * touching any other bits, eg. the actual status bits 0 to 7. 666 */ 667 burst = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_STS + 1); 668 DPRINTF(("%s: %s: read1(0x%x): 0x%x\n", sc->sc_dev.dv_xname, 669 __func__, TPM_STS + 1, burst)); 670 burst2 = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_STS + 2); 671 DPRINTF(("%s: %s: read1(0x%x): 0x%x\n", sc->sc_dev.dv_xname, 672 __func__, TPM_STS + 2, burst2)); 673 burst |= burst2 << 8; 674 if (burst) 675 return burst; 676 677 DELAY(10); 678 } 679 680 DPRINTF(("%s: getburst timed out\n", sc->sc_dev.dv_xname)); 681 682 return 0; 683 } 684 685 uint8_t 686 tpm_status(struct tpm_softc *sc) 687 { 688 return bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_STS) & TPM_STS_MASK; 689 } 690 691 int 692 tpm_waitfor(struct tpm_softc *sc, bus_size_t offset, uint32_t mask, 693 uint32_t val, int msecs) 694 { 695 int usecs; 696 uint32_t r; 697 698 usecs = msecs * 1000; 699 700 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, offset); 701 if ((r & mask) == val) 702 return 0; 703 704 while (usecs > 0) { 705 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, offset); 706 if ((r & mask) == val) 707 return 0; 708 DELAY(1); 709 usecs--; 710 } 711 712 DPRINTF(("%s: %s: timed out, status 0x%x != 0x%x\n", 713 sc->sc_dev.dv_xname, __func__, r, mask)); 714 return ETIMEDOUT; 715 } 716 717 int 718 tpm_waitfor_status(struct tpm_softc *sc, uint8_t mask, int msecs) 719 { 720 int usecs; 721 uint8_t status; 722 723 usecs = msecs * 1000; 724 725 while (((status = tpm_status(sc)) & mask) != mask) { 726 if (usecs == 0) { 727 DPRINTF(("%s: %s: timed out, status 0x%x != 0x%x\n", 728 sc->sc_dev.dv_xname, __func__, status, mask)); 729 return status; 730 } 731 732 usecs--; 733 DELAY(1); 734 } 735 736 return 0; 737 } 738 739 int 740 tpm_read_tis(struct tpm_softc *sc, void *buf, int len, size_t *count, 741 int flags) 742 { 743 uint8_t *p = buf; 744 uint8_t c; 745 size_t cnt; 746 int rv, n, bcnt; 747 748 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 749 750 cnt = 0; 751 while (len > 0) { 752 if ((rv = tpm_waitfor_status(sc, 753 TPM_STS_DATA_AVAIL | TPM_STS_VALID, TPM_READ_TMO))) 754 return rv; 755 756 bcnt = tpm_getburst(sc); 757 n = MIN(len, bcnt); 758 759 for (; n--; len--) { 760 c = bus_space_read_1(sc->sc_bt, sc->sc_bh, TPM_DATA); 761 DPRINTF((" %02x", c)); 762 *p++ = c; 763 cnt++; 764 } 765 766 if ((flags & TPM_PARAM_SIZE) == 0 && cnt >= 6) 767 break; 768 } 769 770 DPRINTF(("\n")); 771 772 if (count) 773 *count = cnt; 774 775 return 0; 776 } 777 778 int 779 tpm_read_crb(struct tpm_softc *sc, void *buf, int len) 780 { 781 uint8_t *p = buf; 782 uint32_t sz = 0, mask, rc; 783 size_t count = 0; 784 int r; 785 786 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 787 788 if (len < TPM_HDRSIZE) { 789 printf("%s: %s buf len too small\n", sc->sc_dev.dv_xname, 790 __func__); 791 return EINVAL; 792 } 793 794 while (count < TPM_HDRSIZE) { 795 *p = bus_space_read_1(sc->sc_bt, sc->sc_bh, 796 sc->sc_rsp_off + count); 797 DPRINTF((" %02x", *p)); 798 count++; 799 p++; 800 } 801 DPRINTF(("\n")); 802 803 /* Response length is bytes 2-5 in the response header. */ 804 p = buf; 805 sz = be32toh(*(uint32_t *) (p + 2)); 806 if (sz < TPM_HDRSIZE || sz > sc->sc_rsp_sz) { 807 printf("%s: invalid response size %d\n", 808 sc->sc_dev.dv_xname, sz); 809 return EIO; 810 } 811 if (sz > len) 812 printf("%s: response size too large, truncated to %d\n", 813 sc->sc_dev.dv_xname, len); 814 815 /* Response code is bytes 6-9. */ 816 rc = be32toh(*(uint32_t *) (p + 6)); 817 if (rc != TPM2_RC_SUCCESS) { 818 printf("%s: command failed (0x%04x)\n", sc->sc_dev.dv_xname, 819 rc); 820 /* Nothing we can do on failure. Still try to idle the tpm. */ 821 } 822 823 /* Tell the device to go idle. */ 824 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ); 825 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ, 826 r | TPM_CRB_CTRL_REQ_GO_IDLE); 827 828 mask = TPM_CRB_CTRL_STS_IDLE_BIT; 829 if (tpm_waitfor(sc, TPM_CRB_CTRL_STS, mask, mask, 200)) { 830 printf("%s: failed to transition to idle state after read\n", 831 sc->sc_dev.dv_xname); 832 } 833 834 tpm_release_locality_crb(sc); 835 836 DPRINTF(("%s: %s completed\n", sc->sc_dev.dv_xname, __func__)); 837 return 0; 838 } 839 840 int 841 tpm_write_tis(struct tpm_softc *sc, void *buf, int len) 842 { 843 uint8_t *p = buf; 844 uint8_t status; 845 size_t count = 0; 846 int rv, r; 847 848 if ((rv = tpm_request_locality_tis(sc, 0)) != 0) 849 return rv; 850 851 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 852 for (r = 0; r < len; r++) 853 DPRINTF((" %02x", (uint8_t)(*(p + r)))); 854 DPRINTF(("\n")); 855 856 /* read status */ 857 status = tpm_status(sc); 858 if ((status & TPM_STS_CMD_READY) == 0) { 859 /* abort! */ 860 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_STS, 861 TPM_STS_CMD_READY); 862 if ((rv = tpm_waitfor_status(sc, TPM_STS_CMD_READY, 863 TPM_READ_TMO))) { 864 DPRINTF(("%s: failed waiting for ready after abort " 865 "(0x%x)\n", sc->sc_dev.dv_xname, rv)); 866 return rv; 867 } 868 } 869 870 while (count < len - 1) { 871 for (r = tpm_getburst(sc); r > 0 && count < len - 1; r--) { 872 DPRINTF(("%s: %s: write1(0x%x, 0x%x)\n", 873 sc->sc_dev.dv_xname, __func__, TPM_DATA, *p)); 874 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_DATA, *p++); 875 count++; 876 } 877 if ((rv = tpm_waitfor_status(sc, TPM_STS_VALID | TPM_STS_DATA_EXPECT, 878 TPM_READ_TMO))) { 879 DPRINTF(("%s: %s: failed waiting for next byte (%d)\n", 880 sc->sc_dev.dv_xname, __func__, rv)); 881 return rv; 882 } 883 } 884 885 DPRINTF(("%s: %s: write1(0x%x, 0x%x)\n", sc->sc_dev.dv_xname, __func__, 886 TPM_DATA, *p)); 887 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_DATA, *p); 888 count++; 889 890 if ((rv = tpm_waitfor_status(sc, TPM_STS_VALID, TPM_READ_TMO))) { 891 DPRINTF(("%s: %s: failed after last byte (%d)\n", 892 sc->sc_dev.dv_xname, __func__, rv)); 893 return rv; 894 } 895 896 if ((status = tpm_status(sc)) & TPM_STS_DATA_EXPECT) { 897 DPRINTF(("%s: %s: final status still expecting data: %b\n", 898 sc->sc_dev.dv_xname, __func__, status, TPM_STS_BITS)); 899 return status; 900 } 901 902 DPRINTF(("%s: final status after write: %b\n", sc->sc_dev.dv_xname, 903 status, TPM_STS_BITS)); 904 905 /* XXX: are we ever sending non-command data? */ 906 bus_space_write_1(sc->sc_bt, sc->sc_bh, TPM_STS, TPM_STS_GO); 907 908 return 0; 909 } 910 911 int 912 tpm_write_crb(struct tpm_softc *sc, void *buf, int len) 913 { 914 uint8_t *p = buf; 915 size_t count = 0; 916 uint32_t r, mask; 917 918 if (len > sc->sc_cmd_sz) { 919 printf("%s: requested write length larger than cmd buffer\n", 920 sc->sc_dev.dv_xname); 921 return EINVAL; 922 } 923 924 if (bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_STS) 925 & TPM_CRB_CTRL_STS_ERR_BIT) { 926 printf("%s: device error bit set\n", sc->sc_dev.dv_xname); 927 return EIO; 928 } 929 930 if (tpm_request_locality_crb(sc, 0)) { 931 printf("%s: failed to acquire locality\n", sc->sc_dev.dv_xname); 932 return EIO; 933 } 934 935 /* Clear cancellation bit */ 936 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_CANCEL, 937 TPM_CRB_CTRL_CANCEL_CLEAR); 938 939 /* Toggle to idle state (if needed) and then to ready */ 940 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_STS); 941 if(!(r & TPM_CRB_CTRL_STS_IDLE_BIT)) { 942 printf("%s: asking device to idle\n", sc->sc_dev.dv_xname); 943 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ); 944 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ, 945 r | TPM_CRB_CTRL_REQ_GO_IDLE); 946 947 mask = TPM_CRB_CTRL_STS_IDLE_BIT; 948 if (tpm_waitfor(sc, TPM_CRB_CTRL_STS, mask, mask, 200)) { 949 printf("%s: failed to transition to idle state before " 950 "write\n", sc->sc_dev.dv_xname); 951 return EIO; 952 } 953 } 954 r = bus_space_read_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ); 955 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_REQ, 956 r | TPM_CRB_CTRL_REQ_GO_READY); 957 mask = TPM_CRB_CTRL_REQ_GO_READY; 958 if (tpm_waitfor(sc, TPM_CRB_CTRL_STS, mask, !mask, 200)) { 959 printf("%s: failed to transition to ready state\n", 960 sc->sc_dev.dv_xname); 961 return EIO; 962 } 963 964 /* Write the command */ 965 DPRINTF(("%s: %s %d:", sc->sc_dev.dv_xname, __func__, len)); 966 while (count < len) { 967 DPRINTF((" %02x", (uint8_t)(*p))); 968 bus_space_write_1(sc->sc_bt, sc->sc_bh, sc->sc_cmd_off + count, 969 *p++); 970 count++; 971 } 972 DPRINTF(("\n")); 973 bus_space_barrier(sc->sc_bt, sc->sc_bh, sc->sc_cmd_off, len, 974 BUS_SPACE_BARRIER_WRITE); 975 DPRINTF(("%s: %s wrote %lu bytes\n", sc->sc_dev.dv_xname, __func__, 976 count)); 977 978 /* Send the Start Command request */ 979 bus_space_write_4(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_START, 980 TPM_CRB_CTRL_START_CMD); 981 bus_space_barrier(sc->sc_bt, sc->sc_bh, TPM_CRB_CTRL_START, 4, 982 BUS_SPACE_BARRIER_WRITE); 983 984 /* Check if command was processed */ 985 mask = ~0; 986 if (tpm_waitfor(sc, TPM_CRB_CTRL_START, mask, ~mask, 200)) { 987 printf("%s: timeout waiting for device to process command\n", 988 sc->sc_dev.dv_xname); 989 return EIO; 990 } 991 992 return 0; 993 } 994