2 * Copyright (c) 2018 Stormshield.
3 * Copyright (c) 2018 Semihalf.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
19 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
20 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
23 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
24 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25 * POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
34 * CRB register space as defined in
35 * TCG_PC_Client_Platform_TPM_Profile_PTP_2.0_r1.03_v22
37 #define TPM_LOC_STATE 0x0
38 #define TPM_LOC_CTRL 0x8
39 #define TPM_LOC_STS 0xC
40 #define TPM_CRB_INTF_ID 0x30
41 #define TPM_CRB_CTRL_EXT 0x38
42 #define TPM_CRB_CTRL_REQ 0x40
43 #define TPM_CRB_CTRL_STS 0x44
44 #define TPM_CRB_CTRL_CANCEL 0x48
45 #define TPM_CRB_CTRL_START 0x4C
46 #define TPM_CRB_INT_ENABLE 0x50
47 #define TPM_CRB_INT_STS 0x54
48 #define TPM_CRB_CTRL_CMD_SIZE 0x58
49 #define TPM_CRB_CTRL_CMD_LADDR 0x5C
50 #define TPM_CRB_CTRL_CMD_HADDR 0x60
51 #define TPM_CRB_CTRL_RSP_SIZE 0x64
52 #define TPM_CRB_CTRL_RSP_ADDR 0x68
53 #define TPM_CRB_CTRL_RSP_HADDR 0x6c
54 #define TPM_CRB_DATA_BUFFER 0x80
56 #define TPM_LOC_STATE_ESTB BIT(0)
57 #define TPM_LOC_STATE_ASSIGNED BIT(1)
58 #define TPM_LOC_STATE_ACTIVE_MASK 0x9C
59 #define TPM_LOC_STATE_VALID BIT(7)
61 #define TPM_CRB_INTF_ID_TYPE_CRB 0x1
62 #define TPM_CRB_INTF_ID_TYPE 0x7
64 #define TPM_LOC_CTRL_REQUEST BIT(0)
65 #define TPM_LOC_CTRL_RELINQUISH BIT(1)
67 #define TPM_CRB_CTRL_REQ_GO_READY BIT(0)
68 #define TPM_CRB_CTRL_REQ_GO_IDLE BIT(1)
70 #define TPM_CRB_CTRL_STS_ERR_BIT BIT(0)
71 #define TPM_CRB_CTRL_STS_IDLE_BIT BIT(1)
73 #define TPM_CRB_CTRL_CANCEL_CMD BIT(0)
75 #define TPM_CRB_CTRL_START_CMD BIT(0)
77 #define TPM_CRB_INT_ENABLE_BIT BIT(31)
88 int tpmcrb_transmit(struct tpm_sc *sc, size_t size);
90 static int tpmcrb_acpi_probe(device_t dev);
91 static int tpmcrb_attach(device_t dev);
92 static int tpmcrb_detach(device_t dev);
94 static ACPI_STATUS tpmcrb_fix_buff_offsets(ACPI_RESOURCE *res, void *arg);
96 static bool tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off,
97 uint32_t mask, uint32_t val, int32_t timeout);
98 static bool tpmcrb_request_locality(struct tpm_sc *sc, int locality);
99 static void tpmcrb_relinquish_locality(struct tpm_sc *sc);
100 static bool tpmcrb_cancel_cmd(struct tpm_sc *sc);
102 char *tpmcrb_ids[] = {"MSFT0101", NULL};
105 tpmcrb_acpi_probe(device_t dev)
108 ACPI_TABLE_TPM23 *tbl;
110 err = ACPI_ID_PROBE(device_get_parent(dev), dev, tpmcrb_ids, NULL);
114 status = AcpiGetTable(ACPI_SIG_TPM2, 1, (ACPI_TABLE_HEADER **) &tbl);
115 if(ACPI_FAILURE(status) ||
116 tbl->StartMethod != TPM2_START_METHOD_CRB)
119 device_set_desc(dev, "Trusted Platform Module 2.0, CRB mode");
124 tpmcrb_fix_buff_offsets(ACPI_RESOURCE *res, void *arg)
126 struct tpmcrb_sc *crb_sc;
130 crb_sc = (struct tpmcrb_sc *)arg;
132 if (res->Type != ACPI_RESOURCE_TYPE_FIXED_MEMORY32)
135 base_addr = res->Data.FixedMemory32.Address;
136 length = res->Data.FixedMemory32.AddressLength;
138 if (crb_sc->cmd_off > base_addr && crb_sc->cmd_off < base_addr + length)
139 crb_sc->cmd_off -= base_addr;
140 if (crb_sc->rsp_off > base_addr && crb_sc->rsp_off < base_addr + length)
141 crb_sc->rsp_off -= base_addr;
147 tpmcrb_attach(device_t dev)
149 struct tpmcrb_sc *crb_sc;
155 crb_sc = device_get_softc(dev);
157 handle = acpi_get_handle(dev);
162 sc->mem_res = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &sc->mem_rid,
164 if (sc->mem_res == NULL)
167 if(!tpmcrb_request_locality(sc, 0)) {
168 bus_release_resource(dev, SYS_RES_MEMORY,
169 sc->mem_rid, sc->mem_res);
174 * Disable all interrupts for now, since I don't have a device that
175 * works in CRB mode and supports them.
177 AND4(sc, TPM_CRB_INT_ENABLE, ~TPM_CRB_INT_ENABLE_BIT);
178 sc->interrupts = false;
181 * Read addresses of Tx/Rx buffers and their sizes. Note that they
182 * can be implemented by a single buffer. Also for some reason CMD
183 * addr is stored in two 4 byte neighboring registers, whereas RSP is
184 * stored in a single 8 byte one.
187 crb_sc->rsp_off = RD8(sc, TPM_CRB_CTRL_RSP_ADDR);
189 crb_sc->rsp_off = RD4(sc, TPM_CRB_CTRL_RSP_ADDR);
190 crb_sc->rsp_off |= ((uint64_t) RD4(sc, TPM_CRB_CTRL_RSP_HADDR) << 32);
192 crb_sc->cmd_off = RD4(sc, TPM_CRB_CTRL_CMD_LADDR);
193 crb_sc->cmd_off |= ((uint64_t) RD4(sc, TPM_CRB_CTRL_CMD_HADDR) << 32);
194 crb_sc->cmd_buf_size = RD4(sc, TPM_CRB_CTRL_CMD_SIZE);
195 crb_sc->rsp_buf_size = RD4(sc, TPM_CRB_CTRL_RSP_SIZE);
197 tpmcrb_relinquish_locality(sc);
199 /* Emulator returns address in acpi space instead of an offset */
200 status = AcpiWalkResources(handle, "_CRS", tpmcrb_fix_buff_offsets,
202 if (ACPI_FAILURE(status)) {
207 if (crb_sc->rsp_off == crb_sc->cmd_off) {
209 * If Tx/Rx buffers are implemented as one they have to be of
212 if (crb_sc->cmd_buf_size != crb_sc->rsp_buf_size) {
213 device_printf(sc->dev,
214 "Overlapping Tx/Rx buffers have different sizes\n");
220 sc->transmit = tpmcrb_transmit;
222 result = tpm20_init(sc);
230 tpmcrb_detach(device_t dev)
234 sc = device_get_softc(dev);
237 if (sc->mem_res != NULL)
238 bus_release_resource(dev, SYS_RES_MEMORY,
239 sc->mem_rid, sc->mem_res);
245 tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off, uint32_t mask, uint32_t val,
249 /* Check for condition */
250 if ((RD4(sc, off) & mask) == val)
253 while (timeout > 0) {
254 if ((RD4(sc, off) & mask) == val)
257 pause("TPM in polling mode", 1);
264 tpmcrb_request_locality(struct tpm_sc *sc, int locality)
268 /* Currently we only support Locality 0 */
272 mask = TPM_LOC_STATE_VALID | TPM_LOC_STATE_ASSIGNED;
274 OR4(sc, TPM_LOC_CTRL, TPM_LOC_CTRL_REQUEST);
275 if (!tpm_wait_for_u32(sc, TPM_LOC_STATE, mask, mask, TPM_TIMEOUT_C))
282 tpmcrb_relinquish_locality(struct tpm_sc *sc)
285 OR4(sc, TPM_LOC_CTRL, TPM_LOC_CTRL_RELINQUISH);
289 tpmcrb_cancel_cmd(struct tpm_sc *sc)
293 WR4(sc, TPM_CRB_CTRL_CANCEL, TPM_CRB_CTRL_CANCEL_CMD);
294 if (!tpm_wait_for_u32(sc, TPM_CRB_CTRL_START,
295 mask, ~mask, TPM_TIMEOUT_B)) {
296 device_printf(sc->dev,
297 "Device failed to cancel command\n");
301 WR4(sc, TPM_CRB_CTRL_CANCEL, !TPM_CRB_CTRL_CANCEL_CMD);
306 tpmcrb_transmit(struct tpm_sc *sc, size_t length)
308 struct tpmcrb_sc *crb_sc;
309 uint32_t mask, curr_cmd;
310 int timeout, bytes_available;
312 crb_sc = (struct tpmcrb_sc *)sc;
314 sx_assert(&sc->dev_lock, SA_XLOCKED);
316 if (length > crb_sc->cmd_buf_size) {
317 device_printf(sc->dev,
318 "Requested transfer is bigger than buffer size\n");
322 if (RD4(sc, TPM_CRB_CTRL_STS) & TPM_CRB_CTRL_STS_ERR_BIT) {
323 device_printf(sc->dev,
324 "Device has Error bit set\n");
327 if (!tpmcrb_request_locality(sc, 0)) {
328 device_printf(sc->dev,
329 "Failed to obtain locality\n");
332 /* Clear cancellation bit */
333 WR4(sc, TPM_CRB_CTRL_CANCEL, !TPM_CRB_CTRL_CANCEL_CMD);
335 /* Switch device to idle state if necessary */
336 if (!(RD4(sc, TPM_CRB_CTRL_STS) & TPM_CRB_CTRL_STS_IDLE_BIT)) {
337 OR4(sc, TPM_CRB_CTRL_REQ, TPM_CRB_CTRL_REQ_GO_IDLE);
339 mask = TPM_CRB_CTRL_STS_IDLE_BIT;
340 if (!tpm_wait_for_u32(sc, TPM_CRB_CTRL_STS,
341 mask, mask, TPM_TIMEOUT_C)) {
342 device_printf(sc->dev,
343 "Failed to transition to idle state\n");
347 /* Switch to ready state */
348 OR4(sc, TPM_CRB_CTRL_REQ, TPM_CRB_CTRL_REQ_GO_READY);
350 mask = TPM_CRB_CTRL_REQ_GO_READY;
351 if (!tpm_wait_for_u32(sc, TPM_CRB_CTRL_STS,
352 mask, !mask, TPM_TIMEOUT_C)) {
353 device_printf(sc->dev,
354 "Failed to transition to ready state\n");
359 * Calculate timeout for current command.
360 * Command code is passed in bytes 6-10.
362 curr_cmd = be32toh(*(uint32_t *) (&sc->buf[6]));
363 timeout = tpm20_get_timeout(curr_cmd);
365 /* Send command and tell device to process it. */
366 bus_write_region_stream_1(sc->mem_res, crb_sc->cmd_off,
368 bus_barrier(sc->mem_res, crb_sc->cmd_off,
369 length, BUS_SPACE_BARRIER_WRITE);
371 WR4(sc, TPM_CRB_CTRL_START, TPM_CRB_CTRL_START_CMD);
372 bus_barrier(sc->mem_res, TPM_CRB_CTRL_START,
373 4, BUS_SPACE_BARRIER_WRITE);
376 if (!tpm_wait_for_u32(sc, TPM_CRB_CTRL_START, mask, ~mask, timeout)) {
377 device_printf(sc->dev,
378 "Timeout while waiting for device to process cmd\n");
379 if (!tpmcrb_cancel_cmd(sc))
383 /* Read response header. Length is passed in bytes 2 - 6. */
384 bus_read_region_stream_1(sc->mem_res, crb_sc->rsp_off,
385 sc->buf, TPM_HEADER_SIZE);
386 bytes_available = be32toh(*(uint32_t *) (&sc->buf[2]));
388 if (bytes_available > TPM_BUFSIZE || bytes_available < TPM_HEADER_SIZE) {
389 device_printf(sc->dev,
390 "Incorrect response size: %d\n",
395 bus_read_region_stream_1(sc->mem_res, crb_sc->rsp_off + TPM_HEADER_SIZE,
396 &sc->buf[TPM_HEADER_SIZE], bytes_available - TPM_HEADER_SIZE);
398 OR4(sc, TPM_CRB_CTRL_REQ, TPM_CRB_CTRL_REQ_GO_IDLE);
400 tpmcrb_relinquish_locality(sc);
401 sc->pending_data_length = bytes_available;
407 static device_method_t tpmcrb_methods[] = {
408 DEVMETHOD(device_probe, tpmcrb_acpi_probe),
409 DEVMETHOD(device_attach, tpmcrb_attach),
410 DEVMETHOD(device_detach, tpmcrb_detach),
411 DEVMETHOD(device_shutdown, tpm20_shutdown),
412 DEVMETHOD(device_suspend, tpm20_suspend),
415 static driver_t tpmcrb_driver = {
416 "tpmcrb", tpmcrb_methods, sizeof(struct tpmcrb_sc),
419 devclass_t tpmcrb_devclass;
420 DRIVER_MODULE(tpmcrb, acpi, tpmcrb_driver, tpmcrb_devclass, 0, 0);