d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Introduce driver for TPM 2.0 in CRB and FIFO (TIS) modes

Browse Source 
It was written basing on:
TCG PC Client Platform TPM Profile (PTP) Specification Version 22, Revision 1.03.
It only supports Locality 0. Interrupts are only supported in FIFO mode.

The driver in FIFO mode was tested on x86 with Infineon SLB9665 discrete TPM chip.
Driver in both modes was also tested on qemu with swtpm running on host.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D18048
This commit is contained in:
Marcin Wojtas 2018-12-14 16:14:36 +00:00
parent 92a1d56ccc
commit a2d5ed9442
5 changed files with 1384 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sys/conf/files.amd64
View File

@ -491,6 +491,9 @@ dev/syscons/scvesactl.c optional sc vga vesa
dev/syscons/scvgarndr.c optional sc vga
dev/syscons/scvtb.c optional sc
dev/tpm/tpm.c optional tpm
dev/tpm/tpm20.c optional tpm
dev/tpm/tpm_crb.c optional tpm acpi
dev/tpm/tpm_tis.c optional tpm acpi
dev/tpm/tpm_acpi.c optional tpm acpi
dev/tpm/tpm_isa.c optional tpm isa
dev/uart/uart_cpu_x86.c optional uart

260
sys/dev/tpm/tpm20.c Normal file
View File

@ -0,0 +1,260 @@
/*-
* Copyright (c) 2018 Stormshield.
* Copyright (c) 2018 Semihalf.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "tpm20.h"
MALLOC_DECLARE(M_TPM20);
MALLOC_DEFINE(M_TPM20, "tpm_buffer", "buffer for tpm 2.0 driver");
static void tpm20_discard_buffer(void *arg);
static int tpm20_save_state(device_t dev, bool suspend);
int
tpm20_read(struct cdev *dev, struct uio *uio, int flags)
{
struct tpm_sc *sc;
size_t bytes_to_transfer;
int result = 0;
sc = (struct tpm_sc *)dev->si_drv1;
callout_stop(&sc->discard_buffer_callout);
sx_xlock(&sc->dev_lock);
bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid);
if (bytes_to_transfer > 0) {
result = uiomove((caddr_t) sc->buf, bytes_to_transfer, uio);
memset(sc->buf, 0, TPM_BUFSIZE);
sc->pending_data_length = 0;
cv_signal(&sc->buf_cv);
} else {
result = ETIMEDOUT;
}
sx_xunlock(&sc->dev_lock);
return (result);
}
int
tpm20_write(struct cdev *dev, struct uio *uio, int flags)
{
struct tpm_sc *sc;
size_t byte_count;
int result = 0;
sc = (struct tpm_sc *)dev->si_drv1;
byte_count = uio->uio_resid;
if (byte_count < TPM_HEADER_SIZE) {
device_printf(sc->dev,
"Requested transfer is too small\n");
return (EINVAL);
}
if (byte_count > TPM_BUFSIZE) {
device_printf(sc->dev,
"Requested transfer is too large\n");
return (E2BIG);
}
sx_xlock(&sc->dev_lock);
while (sc->pending_data_length != 0)
cv_wait(&sc->buf_cv, &sc->dev_lock);
result = uiomove(sc->buf, byte_count, uio);
if (result != 0) {
sx_xunlock(&sc->dev_lock);
return (result);
}
result = sc->transmit(sc, byte_count);
if (result == 0)
callout_reset(&sc->discard_buffer_callout,
TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc);
sx_xunlock(&sc->dev_lock);
return (result);
}
static void tpm20_discard_buffer(void *arg)
{
struct tpm_sc *sc;
sc = (struct tpm_sc *)arg;
if (callout_pending(&sc->discard_buffer_callout))
return;
sx_xlock(&sc->dev_lock);
memset(sc->buf, 0, TPM_BUFSIZE);
sc->pending_data_length = 0;
cv_signal(&sc->buf_cv);
sx_xunlock(&sc->dev_lock);
device_printf(sc->dev,
"User failed to read buffer in time\n");
}
int
tpm20_open(struct cdev *dev, int flag, int mode, struct thread *td)
{
return (0);
}
int
tpm20_close(struct cdev *dev, int flag, int mode, struct thread *td)
{
return (0);
}
int
tpm20_ioctl(struct cdev *dev, u_long cmd, caddr_t data,
int flags, struct thread *td)
{
return (ENOTTY);
}
int
tpm20_init(struct tpm_sc *sc)
{
struct make_dev_args args;
int result;
sc->buf = malloc(TPM_BUFSIZE, M_TPM20, M_WAITOK);
sx_init(&sc->dev_lock, "TPM driver lock");
cv_init(&sc->buf_cv, "TPM buffer cv");
callout_init(&sc->discard_buffer_callout, 1);
sc->pending_data_length = 0;
make_dev_args_init(&args);
args.mda_devsw = &tpm_cdevsw;
args.mda_uid = UID_ROOT;
args.mda_gid = GID_WHEEL;
args.mda_mode = TPM_CDEV_PERM_FLAG;
args.mda_si_drv1 = sc;
result = make_dev_s(&args, &sc->sc_cdev, TPM_CDEV_NAME);
if (result != 0)
tpm20_release(sc);
return (result);
}
void
tpm20_release(struct tpm_sc *sc)
{
if (sc->buf != NULL)
free(sc->buf, M_TPM20);
sx_destroy(&sc->dev_lock);
cv_destroy(&sc->buf_cv);
if (sc->sc_cdev != NULL)
destroy_dev(sc->sc_cdev);
}
int
tpm20_suspend(device_t dev)
{
return (tpm20_save_state(dev, true));
}
int
tpm20_shutdown(device_t dev)
{
return (tpm20_save_state(dev, false));
}
static int
tpm20_save_state(device_t dev, bool suspend)
{
struct tpm_sc *sc;
uint8_t save_cmd[] = {
0x80, 0x01, /* TPM_ST_NO_SESSIONS tag*/
0x00, 0x00, 0x00, 0x0C, /* cmd length */
0x00, 0x00, 0x01, 0x45, 0x00, 0x00 /* cmd TPM_CC_Shutdown */
};
sc = device_get_softc(dev);
/*
* Inform the TPM whether we are going to suspend or reboot/shutdown.
*/
if (suspend)
save_cmd[11] = 1; /* TPM_SU_STATE */
if (sc == NULL || sc->buf == NULL)
return (0);
sx_xlock(&sc->dev_lock);
memcpy(sc->buf, save_cmd, sizeof(save_cmd));
sc->transmit(sc, sizeof(save_cmd));
sx_xunlock(&sc->dev_lock);
return (0);
}
int32_t
tpm20_get_timeout(uint32_t command)
{
int32_t timeout;
switch (command) {
case TPM_CC_CreatePrimary:
case TPM_CC_Create:
case TPM_CC_CreateLoaded:
timeout = TPM_TIMEOUT_LONG;
break;
case TPM_CC_SequenceComplete:
case TPM_CC_Startup:
case TPM_CC_SequenceUpdate:
case TPM_CC_GetCapability:
case TPM_CC_PCR_Extend:
case TPM_CC_EventSequenceComplete:
case TPM_CC_HashSequenceStart:
timeout = TPM_TIMEOUT_C;
break;
default:
timeout = TPM_TIMEOUT_B;
break;
}
return timeout;
}

192
sys/dev/tpm/tpm20.h Normal file
View File

@ -0,0 +1,192 @@
/*-
* Copyright (c) 2018 Stormshield.
* Copyright (c) 2018 Semihalf.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _TPM20_H_
#define _TPM20_H_
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/endian.h>
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/bus.h>
#include <sys/callout.h>
#include <sys/conf.h>
#include <sys/module.h>
#include <sys/rman.h>
#include <sys/sx.h>
#include <sys/uio.h>
#include <machine/bus.h>
#include <machine/md_var.h>
#include <machine/resource.h>
#include <contrib/dev/acpica/include/acpi.h>
#include <contrib/dev/acpica/include/accommon.h>
#include <dev/acpica/acpivar.h>
#include "opt_acpi.h"
#define BIT(x) (1 << (x))
/* Timeouts in us */
#define TPM_TIMEOUT_A 750000
#define TPM_TIMEOUT_B 2000000
#define TPM_TIMEOUT_C 200000
#define TPM_TIMEOUT_D 30000
/*
* Generating RSA key pair takes ~(10-20s), which is significantly longer than
* any timeout defined in spec. Because of that we need a new one.
*/
#define TPM_TIMEOUT_LONG 40000000
/* List of commands that require TPM_TIMEOUT_LONG time to complete */
#define TPM_CC_CreatePrimary 0x00000131
#define TPM_CC_Create 0x00000153
#define TPM_CC_CreateLoaded 0x00000191
/* List of commands that require only TPM_TIMEOUT_C time to complete */
#define TPM_CC_SequenceComplete 0x0000013e
#define TPM_CC_Startup 0x00000144
#define TPM_CC_SequenceUpdate 0x0000015c
#define TPM_CC_GetCapability 0x0000017a
#define TPM_CC_PCR_Extend 0x00000182
#define TPM_CC_EventSequenceComplete 0x00000185
#define TPM_CC_HashSequenceStart 0x00000186
/* Timeout before data in read buffer is discarded */
#define TPM_READ_TIMEOUT 500000
#define TPM_BUFSIZE 0x1000
#define TPM_HEADER_SIZE 10
#define TPM_CDEV_NAME "tpm0"
#define TPM_CDEV_PERM_FLAG 0600
struct tpm_sc {
device_t dev;
struct resource *mem_res;
struct resource *irq_res;
int mem_rid;
int irq_rid;
struct cdev *sc_cdev;
struct sx dev_lock;
struct cv buf_cv;
void *intr_cookie;
int intr_type; /* Current event type */
bool interrupts;
uint8_t *buf;
size_t pending_data_length;
struct callout discard_buffer_callout;
int (*transmit)(struct tpm_sc *, size_t);
};
int tpm20_suspend(device_t dev);
int tpm20_shutdown(device_t dev);
int32_t tpm20_get_timeout(uint32_t command);
int tpm20_init(struct tpm_sc *sc);
void tpm20_release(struct tpm_sc *sc);
d_open_t tpm20_open;
d_close_t tpm20_close;
d_read_t tpm20_read;
d_write_t tpm20_write;
d_ioctl_t tpm20_ioctl;
static struct cdevsw tpm_cdevsw = {
.d_version = D_VERSION,
.d_open = tpm20_open,
.d_close = tpm20_close,
.d_read = tpm20_read,
.d_write = tpm20_write,
.d_ioctl = tpm20_ioctl,
.d_name = "tpm20",
};
/* Small helper routines for io ops */
static inline uint8_t
RD1(struct tpm_sc *sc, bus_size_t off)
{
return (bus_read_1(sc->mem_res, off));
}
static inline uint32_t
RD4(struct tpm_sc *sc, bus_size_t off)
{
return (bus_read_4(sc->mem_res, off));
}
static inline uint64_t
RD8(struct tpm_sc *sc, bus_size_t off)
{
return (bus_read_8(sc->mem_res, off));
}
static inline void
WR1(struct tpm_sc *sc, bus_size_t off, uint8_t val)
{
bus_write_1(sc->mem_res, off, val);
}
static inline void
WR4(struct tpm_sc *sc, bus_size_t off, uint32_t val)
{
bus_write_4(sc->mem_res, off, val);
}
static inline void
AND4(struct tpm_sc *sc, bus_size_t off, uint32_t val)
{
WR4(sc, off, RD4(sc, off) & val);
}
static inline void
OR1(struct tpm_sc *sc, bus_size_t off, uint8_t val)
{
WR1(sc, off, RD1(sc, off) | val);
}
static inline void
OR4(struct tpm_sc *sc, bus_size_t off, uint32_t val)
{
WR4(sc, off, RD4(sc, off) | val);
}
#endif /* _TPM20_H_ */

419
sys/dev/tpm/tpm_crb.c Normal file
View File

@ -0,0 +1,419 @@
/*-
* Copyright (c) 2018 Stormshield.
* Copyright (c) 2018 Semihalf.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "tpm20.h"
/*
* CRB register space as defined in
* TCG_PC_Client_Platform_TPM_Profile_PTP_2.0_r1.03_v22
*/
#define TPM_LOC_STATE 0x0
#define TPM_LOC_CTRL 0x8
#define TPM_LOC_STS 0xC
#define TPM_CRB_INTF_ID 0x30
#define TPM_CRB_CTRL_EXT 0x38
#define TPM_CRB_CTRL_REQ 0x40
#define TPM_CRB_CTRL_STS 0x44
#define TPM_CRB_CTRL_CANCEL 0x48
#define TPM_CRB_CTRL_START 0x4C
#define TPM_CRB_INT_ENABLE 0x50
#define TPM_CRB_INT_STS 0x54
#define TPM_CRB_CTRL_CMD_SIZE 0x58
#define TPM_CRB_CTRL_CMD_LADDR 0x5C
#define TPM_CRB_CTRL_CMD_HADDR 0x60
#define TPM_CRB_CTRL_RSP_SIZE 0x64
#define TPM_CRB_CTRL_RSP_ADDR 0x68
#define TPM_CRB_DATA_BUFFER 0x80
#define TPM_LOC_STATE_ESTB BIT(0)
#define TPM_LOC_STATE_ASSIGNED BIT(1)
#define TPM_LOC_STATE_ACTIVE_MASK 0x9C
#define TPM_LOC_STATE_VALID BIT(7)
#define TPM_CRB_INTF_ID_TYPE_CRB 0x1
#define TPM_CRB_INTF_ID_TYPE 0x7
#define TPM_LOC_CTRL_REQUEST BIT(0)
#define TPM_LOC_CTRL_RELINQUISH BIT(1)
#define TPM_CRB_CTRL_REQ_GO_READY BIT(0)
#define TPM_CRB_CTRL_REQ_GO_IDLE BIT(1)
#define TPM_CRB_CTRL_STS_ERR_BIT BIT(0)
#define TPM_CRB_CTRL_STS_IDLE_BIT BIT(1)
#define TPM_CRB_CTRL_CANCEL_CMD BIT(0)
#define TPM_CRB_CTRL_START_CMD BIT(0)
#define TPM_CRB_INT_ENABLE_BIT BIT(31)
struct tpmcrb_sc {
struct tpm_sc base;
bus_size_t cmd_off;
bus_size_t rsp_off;
size_t cmd_buf_size;
size_t rsp_buf_size;
};
int tpmcrb_transmit(struct tpm_sc *sc, size_t size);
static int tpmcrb_acpi_probe(device_t dev);
static int tpmcrb_attach(device_t dev);
static int tpmcrb_detach(device_t dev);
static ACPI_STATUS tpmcrb_fix_buff_offsets(ACPI_RESOURCE *res, void *arg);
static bool tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off,
uint32_t mask, uint32_t val, int32_t timeout);
static bool tpmcrb_request_locality(struct tpm_sc *sc, int locality);
static void tpmcrb_relinquish_locality(struct tpm_sc *sc);
static bool tpmcrb_cancel_cmd(struct tpm_sc *sc);
char *tpmcrb_ids[] = {"MSFT0101", NULL};
static int
tpmcrb_acpi_probe(device_t dev)
{
struct resource *res;
int rid = 0;
uint32_t caps;
if (ACPI_ID_PROBE(device_get_parent(dev), dev, tpmcrb_ids) == NULL)
return (ENXIO);
/* Check if device is in CRB mode */
res = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &rid, RF_ACTIVE);
if (res == NULL)
return (ENXIO);
caps = bus_read_4(res, TPM_CRB_INTF_ID);
bus_release_resource(dev, SYS_RES_MEMORY, rid, res);
if ((caps & TPM_CRB_INTF_ID_TYPE) != TPM_CRB_INTF_ID_TYPE_CRB)
return (ENXIO);
device_set_desc(dev, "Trusted Platform Module 2.0, CRB mode");
return (BUS_PROBE_DEFAULT);
}
static ACPI_STATUS
tpmcrb_fix_buff_offsets(ACPI_RESOURCE *res, void *arg)
{
struct tpmcrb_sc *crb_sc;
size_t length;
uint32_t base_addr;
crb_sc = (struct tpmcrb_sc *)arg;
if (res->Type != ACPI_RESOURCE_TYPE_FIXED_MEMORY32)
return (AE_OK);
base_addr = res->Data.FixedMemory32.Address;
length = res->Data.FixedMemory32.AddressLength;
if (crb_sc->cmd_off > base_addr && crb_sc->cmd_off < base_addr + length)
crb_sc->cmd_off -= base_addr;
if (crb_sc->rsp_off > base_addr && crb_sc->rsp_off < base_addr + length)
crb_sc->rsp_off -= base_addr;
return (AE_OK);
}
static int
tpmcrb_attach(device_t dev)
{
struct tpmcrb_sc *crb_sc;
struct tpm_sc *sc;
ACPI_HANDLE handle;
ACPI_STATUS status;
int result;
crb_sc = device_get_softc(dev);
sc = &crb_sc->base;
handle = acpi_get_handle(dev);
sc->dev = dev;
sc->mem_rid = 0;
sc->mem_res = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &sc->mem_rid,
RF_ACTIVE);
if (sc->mem_res == NULL)
return (ENXIO);
if(!tpmcrb_request_locality(sc, 0)) {
tpmcrb_detach(dev);
return (ENXIO);
}
/*
* Disable all interrupts for now, since I don't have a device that
* works in CRB mode and supports them.
*/
AND4(sc, TPM_CRB_INT_ENABLE, ~TPM_CRB_INT_ENABLE_BIT);
sc->interrupts = false;
/*
* Read addresses of Tx/Rx buffers and their sizes. Note that they
* can be implemented by a single buffer. Also for some reason CMD
* addr is stored in two 4 byte neighboring registers, whereas RSP is
* stored in a single 8 byte one.
*/
crb_sc->rsp_off = RD8(sc, TPM_CRB_CTRL_RSP_ADDR);
crb_sc->cmd_off = RD4(sc, TPM_CRB_CTRL_CMD_LADDR);
crb_sc->cmd_off |= ((uint64_t) RD4(sc, TPM_CRB_CTRL_CMD_HADDR) << 32);
crb_sc->cmd_buf_size = RD4(sc, TPM_CRB_CTRL_CMD_SIZE);
crb_sc->rsp_buf_size = RD4(sc, TPM_CRB_CTRL_RSP_SIZE);
tpmcrb_relinquish_locality(sc);
/* Emulator returns address in acpi space instead of an offset */
status = AcpiWalkResources(handle, "_CRS", tpmcrb_fix_buff_offsets,
(void *)crb_sc);
if (ACPI_FAILURE(status)) {
tpmcrb_detach(dev);
return (ENXIO);
}
if (crb_sc->rsp_off == crb_sc->cmd_off) {
/*
* If Tx/Rx buffers are implemented as one they have to be of
* same size
*/
if (crb_sc->cmd_buf_size != crb_sc->rsp_buf_size) {
device_printf(sc->dev,
"Overlapping Tx/Rx buffers have different sizes\n");
tpmcrb_detach(dev);
return (ENXIO);
}
}
sc->transmit = tpmcrb_transmit;
result = tpm20_init(sc);
if (result != 0)
tpmcrb_detach(dev);
return (result);
}
static int
tpmcrb_detach(device_t dev)
{
struct tpm_sc *sc;
sc = device_get_softc(dev);
if (sc->mem_res != NULL)
bus_release_resource(dev, SYS_RES_MEMORY,
sc->mem_rid, sc->mem_res);
tpm20_release(sc);
return (0);
}
static bool
tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off, uint32_t mask, uint32_t val,
int32_t timeout)
{
/* Check for condition */
if ((RD4(sc, off) & mask) == val)
return (true);
while (timeout > 0) {
if ((RD4(sc, off) & mask) == val)
return (true);
pause("TPM in polling mode", 1);
timeout -= tick;
}
return (false);
}
static bool
tpmcrb_request_locality(struct tpm_sc *sc, int locality)
{
uint32_t mask;
/* Currently we only support Locality 0 */
if (locality != 0)
return (false);
mask = TPM_LOC_STATE_VALID | TPM_LOC_STATE_ASSIGNED;
OR4(sc, TPM_LOC_CTRL, TPM_LOC_CTRL_REQUEST);
if (!tpm_wait_for_u32(sc, TPM_LOC_STATE, mask, mask, TPM_TIMEOUT_C))
return (false);
return (true);
}
static void
tpmcrb_relinquish_locality(struct tpm_sc *sc)
{
OR4(sc, TPM_LOC_CTRL, TPM_LOC_CTRL_RELINQUISH);
}
static bool
tpmcrb_cancel_cmd(struct tpm_sc *sc)
{
uint32_t mask = ~0;
WR4(sc, TPM_CRB_CTRL_CANCEL, TPM_CRB_CTRL_CANCEL_CMD);
if (!tpm_wait_for_u32(sc, TPM_CRB_CTRL_START,
mask, ~mask, TPM_TIMEOUT_B)) {
device_printf(sc->dev,
"Device failed to cancel command\n");
return (false);
}
WR4(sc, TPM_CRB_CTRL_CANCEL, !TPM_CRB_CTRL_CANCEL_CMD);
return (true);
}
int
tpmcrb_transmit(struct tpm_sc *sc, size_t length)
{
struct tpmcrb_sc *crb_sc;
uint32_t mask, curr_cmd;
int timeout, bytes_available;
crb_sc = (struct tpmcrb_sc *)sc;
sx_assert(&sc->dev_lock, SA_XLOCKED);
if (length > crb_sc->cmd_buf_size) {
device_printf(sc->dev,
"Requested transfer is bigger than buffer size\n");
return (E2BIG);
}
if (RD4(sc, TPM_CRB_CTRL_STS) & TPM_CRB_CTRL_STS_ERR_BIT) {
device_printf(sc->dev,
"Device has Error bit set\n");
return (EIO);
}
if (!tpmcrb_request_locality(sc, 0)) {
device_printf(sc->dev,
"Failed to obtain locality\n");
return (EIO);
}
/* Clear cancellation bit */
WR4(sc, TPM_CRB_CTRL_CANCEL, !TPM_CRB_CTRL_CANCEL_CMD);
/* Switch device to idle state if necessary */
if (!(RD4(sc, TPM_CRB_CTRL_STS) & TPM_CRB_CTRL_STS_IDLE_BIT)) {
OR4(sc, TPM_CRB_CTRL_REQ, TPM_CRB_CTRL_REQ_GO_IDLE);
mask = TPM_CRB_CTRL_STS_IDLE_BIT;
if (!tpm_wait_for_u32(sc, TPM_CRB_CTRL_STS,
mask, mask, TPM_TIMEOUT_C)) {
device_printf(sc->dev,
"Failed to transition to idle state\n");
return (EIO);
}
}
/* Switch to ready state */
OR4(sc, TPM_CRB_CTRL_REQ, TPM_CRB_CTRL_REQ_GO_READY);
mask = TPM_CRB_CTRL_REQ_GO_READY;
if (!tpm_wait_for_u32(sc, TPM_CRB_CTRL_STS,
mask, !mask, TPM_TIMEOUT_C)) {
device_printf(sc->dev,
"Failed to transition to ready state\n");
return (EIO);
}
/*
* Calculate timeout for current command.
* Command code is passed in bytes 6-10.
*/
curr_cmd = be32toh(*(uint32_t *) (&sc->buf[6]));
timeout = tpm20_get_timeout(curr_cmd);
/* Send command and tell device to process it. */
bus_write_region_stream_1(sc->mem_res, crb_sc->cmd_off,
sc->buf, length);
bus_barrier(sc->mem_res, crb_sc->cmd_off,
length, BUS_SPACE_BARRIER_WRITE);
WR4(sc, TPM_CRB_CTRL_START, TPM_CRB_CTRL_START_CMD);
bus_barrier(sc->mem_res, TPM_CRB_CTRL_START,
4, BUS_SPACE_BARRIER_WRITE);
mask = ~0;
if (!tpm_wait_for_u32(sc, TPM_CRB_CTRL_START, mask, ~mask, timeout)) {
device_printf(sc->dev,
"Timeout while waiting for device to process cmd\n");
if (!tpmcrb_cancel_cmd(sc))
return (EIO);
}
/* Read response header. Length is passed in bytes 2 - 6. */
bus_read_region_stream_1(sc->mem_res, crb_sc->rsp_off,
sc->buf, TPM_HEADER_SIZE);
bytes_available = be32toh(*(uint32_t *) (&sc->buf[2]));
if (bytes_available > TPM_BUFSIZE || bytes_available < TPM_HEADER_SIZE) {
device_printf(sc->dev,
"Incorrect response size: %d\n",
bytes_available);
return (EIO);
}
bus_read_region_stream_1(sc->mem_res, crb_sc->rsp_off + TPM_HEADER_SIZE,
&sc->buf[TPM_HEADER_SIZE], bytes_available - TPM_HEADER_SIZE);
OR4(sc, TPM_CRB_CTRL_REQ, TPM_CRB_CTRL_REQ_GO_IDLE);
tpmcrb_relinquish_locality(sc);
sc->pending_data_length = bytes_available;
return (0);
}
/* ACPI Driver */
static device_method_t tpmcrb_methods[] = {
DEVMETHOD(device_probe, tpmcrb_acpi_probe),
DEVMETHOD(device_attach, tpmcrb_attach),
DEVMETHOD(device_detach, tpmcrb_detach),
DEVMETHOD(device_shutdown, tpm20_shutdown),
DEVMETHOD(device_suspend, tpm20_suspend),
{0, 0}
};
static driver_t tpmcrb_driver = {
"tpmcrb", tpmcrb_methods, sizeof(struct tpmcrb_sc),
};
devclass_t tpmcrb_devclass;
DRIVER_MODULE(tpmcrb, acpi, tpmcrb_driver, tpmcrb_devclass, 0, 0);

510
sys/dev/tpm/tpm_tis.c Normal file
View File

@ -0,0 +1,510 @@
/*-
* Copyright (c) 2018 Stormshield.
* Copyright (c) 2018 Semihalf.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "tpm20.h"
/*
* TIS register space as defined in
* TCG_PC_Client_Platform_TPM_Profile_PTP_2.0_r1.03_v22
*/
#define TPM_ACCESS 0x0
#define TPM_INT_ENABLE 0x8
#define TPM_INT_VECTOR 0xc
#define TPM_INT_STS 0x10
#define TPM_INTF_CAPS 0x14
#define TPM_STS 0x18
#define TPM_DATA_FIFO 0x24
#define TPM_INTF_ID 0x30
#define TPM_XDATA_FIFO 0x80
#define TPM_DID_VID 0xF00
#define TPM_RID 0xF04
#define TPM_ACCESS_LOC_REQ BIT(1)
#define TPM_ACCESS_LOC_Seize BIT(3)
#define TPM_ACCESS_LOC_ACTIVE BIT(5)
#define TPM_ACCESS_LOC_RELINQUISH BIT(5)
#define TPM_ACCESS_VALID BIT(7)
#define TPM_INT_ENABLE_GLOBAL_ENABLE BIT(31)
#define TPM_INT_ENABLE_CMD_RDY BIT(7)
#define TPM_INT_ENABLE_LOC_CHANGE BIT(2)
#define TPM_INT_ENABLE_STS_VALID BIT(1)
#define TPM_INT_ENABLE_DATA_AVAIL BIT(0)
#define TPM_INT_STS_CMD_RDY BIT(7)
#define TPM_INT_STS_LOC_CHANGE BIT(2)
#define TPM_INT_STS_VALID BIT(1)
#define TPM_INT_STS_DATA_AVAIL BIT(0)
#define TPM_INTF_CAPS_VERSION 0x70000000
#define TPM_INTF_CAPS_TPM20 0x30000000
#define TPM_STS_VALID BIT(7)
#define TPM_STS_CMD_RDY BIT(6)
#define TPM_STS_CMD_START BIT(5)
#define TPM_STS_DATA_AVAIL BIT(4)
#define TPM_STS_DATA_EXPECTED BIT(3)
#define TPM_STS_BURST_MASK 0xFFFF00
#define TPM_STS_BURST_OFFSET 0x8
static int tpmtis_transmit(struct tpm_sc *sc, size_t length);
static int tpmtis_acpi_probe(device_t dev);
static int tpmtis_attach(device_t dev);
static int tpmtis_detach(device_t dev);
static void tpmtis_intr_handler(void *arg);
static ACPI_STATUS tpmtis_get_SIRQ_channel(ACPI_RESOURCE *res, void *arg);
static bool tpmtis_setup_intr(struct tpm_sc *sc);
static bool tpmtis_read_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf);
static bool tpmtis_write_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf);
static bool tpmtis_request_locality(struct tpm_sc *sc, int locality);
static void tpmtis_relinquish_locality(struct tpm_sc *sc);
static bool tpmtis_go_ready(struct tpm_sc *sc);
static bool tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off,
uint32_t mask, uint32_t val, int32_t timeout);
static uint16_t tpmtis_wait_for_burst(struct tpm_sc *sc);
char *tpmtis_ids[] = {"MSFT0101", NULL};
static int
tpmtis_acpi_probe(device_t dev)
{
struct resource *res;
int rid = 0;
uint32_t caps;
if (ACPI_ID_PROBE(device_get_parent(dev), dev, tpmtis_ids) == NULL)
return (ENXIO);
/* Check if device is in TPM 2.0 TIS mode */
res = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &rid, RF_ACTIVE);
if (res == NULL)
return (ENXIO);
caps = bus_read_4(res, TPM_INTF_CAPS);
bus_release_resource(dev, SYS_RES_MEMORY, rid, res);
if ((caps & TPM_INTF_CAPS_VERSION) != TPM_INTF_CAPS_TPM20)
return (ENXIO);
device_set_desc(dev, "Trusted Platform Module 2.0, FIFO mode");
return (BUS_PROBE_DEFAULT);
}
static int
tpmtis_attach(device_t dev)
{
struct tpm_sc *sc;
int result;
sc = device_get_softc(dev);
sc->dev = dev;
sc->mem_rid = 0;
sc->mem_res = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &sc->mem_rid,
RF_ACTIVE);
if (sc->mem_res == NULL)
return (ENXIO);
sc->irq_rid = 0;
sc->irq_res = bus_alloc_resource_any(dev, SYS_RES_IRQ, &sc->irq_rid,
RF_ACTIVE | RF_SHAREABLE);
if (sc->irq_res != NULL) {
if (bus_setup_intr(dev, sc->irq_res, INTR_TYPE_MISC | INTR_MPSAFE,
NULL, tpmtis_intr_handler, sc, &sc->intr_cookie))
sc->interrupts = false;
else
sc->interrupts = tpmtis_setup_intr(sc);
} else {
sc->interrupts = false;
}
sc->intr_type = -1;
sc->transmit = tpmtis_transmit;
result = tpm20_init(sc);
if (result != 0)
tpmtis_detach(dev);
return (result);
}
static int
tpmtis_detach(device_t dev)
{
struct tpm_sc *sc;
sc = device_get_softc(dev);
if (sc->intr_cookie != NULL)
bus_teardown_intr(dev, sc->irq_res, sc->intr_cookie);
if (sc->irq_res != NULL)
bus_release_resource(dev, SYS_RES_IRQ,
sc->irq_rid, sc->irq_res);
if (sc->mem_res != NULL)
bus_release_resource(dev, SYS_RES_MEMORY,
sc->mem_rid, sc->mem_res);
tpm20_release(sc);
return (0);
}
static ACPI_STATUS
tpmtis_get_SIRQ_channel(ACPI_RESOURCE *res, void *arg)
{
struct tpm_sc *sc;
uint8_t channel;
sc = (struct tpm_sc *)arg;
switch (res->Type) {
case ACPI_RESOURCE_TYPE_IRQ:
channel = res->Data.Irq.Interrupts[0];
break;
case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
channel = res->Data.ExtendedIrq.Interrupts[0];
break;
default:
return (AE_OK);
}
WR1(sc, TPM_INT_VECTOR, channel);
return (AE_OK);
}
static bool
tpmtis_setup_intr(struct tpm_sc *sc)
{
ACPI_STATUS status;
ACPI_HANDLE handle;
uint32_t irq_mask;
handle = acpi_get_handle(sc->dev);
if(!tpmtis_request_locality(sc, 0))
return (false);
irq_mask = RD4(sc, TPM_INT_ENABLE);
irq_mask |= TPM_INT_ENABLE_GLOBAL_ENABLE |
TPM_INT_ENABLE_DATA_AVAIL |
TPM_INT_ENABLE_LOC_CHANGE |
TPM_INT_ENABLE_CMD_RDY |
TPM_INT_ENABLE_STS_VALID;
WR4(sc, TPM_INT_ENABLE, irq_mask);
status = AcpiWalkResources(handle, "_CRS",
tpmtis_get_SIRQ_channel, (void *)sc);
tpmtis_relinquish_locality(sc);
return (ACPI_SUCCESS(status));
}
static void
tpmtis_intr_handler(void *arg)
{
struct tpm_sc *sc;
uint32_t status;
sc = (struct tpm_sc *)arg;
status = RD4(sc, TPM_INT_STS);
WR4(sc, TPM_INT_STS, status);
if (sc->intr_type != -1 && sc->intr_type & status)
wakeup(sc);
}
static bool
tpm_wait_for_u32(struct tpm_sc *sc, bus_size_t off, uint32_t mask, uint32_t val,
int32_t timeout)
{
/* Check for condition */
if ((RD4(sc, off) & mask) == val)
return (true);
/* If interrupts are enabled sleep for timeout duration */
if(sc->interrupts && sc->intr_type != -1) {
tsleep(sc, PWAIT, "TPM WITH INTERRUPTS", timeout / tick);
sc->intr_type = -1;
return ((RD4(sc, off) & mask) == val);
}
/* If we don't have interrupts poll the device every tick */
while (timeout > 0) {
if ((RD4(sc, off) & mask) == val)
return (true);
pause("TPM POLLING", 1);
timeout -= tick;
}
return (false);
}
static uint16_t
tpmtis_wait_for_burst(struct tpm_sc *sc)
{
int timeout;
uint16_t burst_count;
timeout = TPM_TIMEOUT_A;
while (timeout-- > 0) {
burst_count = (RD4(sc, TPM_STS) & TPM_STS_BURST_MASK) >>
TPM_STS_BURST_OFFSET;
if (burst_count > 0)
break;
DELAY(1);
}
return (burst_count);
}
static bool
tpmtis_read_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf)
{
uint16_t burst_count;
while (count > 0) {
burst_count = tpmtis_wait_for_burst(sc);
if (burst_count == 0)
return (false);
burst_count = MIN(burst_count, count);
count -= burst_count;
while (burst_count-- > 0)
*buf++ = RD1(sc, TPM_DATA_FIFO);
}
return (true);
}
static bool
tpmtis_write_bytes(struct tpm_sc *sc, size_t count, uint8_t *buf)
{
uint16_t burst_count;
while (count > 0) {
burst_count = tpmtis_wait_for_burst(sc);
if (burst_count == 0)
return (false);
burst_count = MIN(burst_count, count);
count -= burst_count;
while (burst_count-- > 0)
WR1(sc, TPM_DATA_FIFO, *buf++);
}
return (true);
}
static bool
tpmtis_request_locality(struct tpm_sc *sc, int locality)
{
uint8_t mask;
int timeout;
/* Currently we only support Locality 0 */
if (locality != 0)
return (false);
mask = TPM_ACCESS_LOC_ACTIVE | TPM_ACCESS_VALID;
timeout = TPM_TIMEOUT_A;
sc->intr_type = TPM_INT_STS_LOC_CHANGE;
WR1(sc, TPM_ACCESS, TPM_ACCESS_LOC_REQ);
bus_barrier(sc->mem_res, TPM_ACCESS, 1, BUS_SPACE_BARRIER_WRITE);
if(sc->interrupts) {
tsleep(sc, PWAIT, "TPMLOCREQUEST with INTR", timeout / tick);
return ((RD1(sc, TPM_ACCESS) & mask) == mask);
} else {
while(timeout > 0) {
if ((RD1(sc, TPM_ACCESS) & mask) == mask)
return (true);
pause("TPMLOCREQUEST POLLING", 1);
timeout -= tick;
}
}
return (false);
}
static void
tpmtis_relinquish_locality(struct tpm_sc *sc)
{
/*
* Interrupts can only be cleared when a locality is active.
* Clear them now in case interrupt handler didn't make it in time.
*/
if(sc->interrupts)
AND4(sc, TPM_INT_STS, RD4(sc, TPM_INT_STS));
OR1(sc, TPM_ACCESS, TPM_ACCESS_LOC_RELINQUISH);
}
static bool
tpmtis_go_ready(struct tpm_sc *sc)
{
uint32_t mask;
mask = TPM_STS_CMD_RDY;
sc->intr_type = TPM_INT_STS_CMD_RDY;
OR4(sc, TPM_STS, TPM_STS_CMD_RDY);
bus_barrier(sc->mem_res, TPM_STS, 4, BUS_SPACE_BARRIER_WRITE);
if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_B))
return (false);
AND4(sc, TPM_STS, ~TPM_STS_CMD_RDY);
return (true);
}
static int
tpmtis_transmit(struct tpm_sc *sc, size_t length)
{
size_t bytes_available;
uint32_t mask, curr_cmd;
int timeout;
sx_assert(&sc->dev_lock, SA_XLOCKED);
if (!tpmtis_request_locality(sc, 0)) {
device_printf(sc->dev,
"Failed to obtain locality\n");
return (EIO);
}
if (!tpmtis_go_ready(sc)) {
device_printf(sc->dev,
"Failed to switch to ready state\n");
return (EIO);
}
if (!tpmtis_write_bytes(sc, length, sc->buf)) {
device_printf(sc->dev,
"Failed to write cmd to device\n");
return (EIO);
}
mask = TPM_STS_VALID;
sc->intr_type = TPM_INT_STS_VALID;
if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_C)) {
device_printf(sc->dev,
"Timeout while waiting for valid bit\n");
return (EIO);
}
if (RD4(sc, TPM_STS) & TPM_STS_DATA_EXPECTED) {
device_printf(sc->dev,
"Device expects more data even though we already"
" sent everything we had\n");
return (EIO);
}
/*
* Calculate timeout for current command.
* Command code is passed in bytes 6-10.
*/
curr_cmd = be32toh(*(uint32_t *) (&sc->buf[6]));
timeout = tpm20_get_timeout(curr_cmd);
WR4(sc, TPM_STS, TPM_STS_CMD_START);
bus_barrier(sc->mem_res, TPM_STS, 4, BUS_SPACE_BARRIER_WRITE);
mask = TPM_STS_DATA_AVAIL | TPM_STS_VALID;
sc->intr_type = TPM_INT_STS_DATA_AVAIL;
if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, timeout)) {
device_printf(sc->dev,
"Timeout while waiting for device to process cmd\n");
/*
* Switching to ready state also cancels processing
* current command
*/
if (!tpmtis_go_ready(sc))
return (EIO);
/*
* After canceling a command we should get a response,
* check if there is one.
*/
sc->intr_type = TPM_INT_STS_DATA_AVAIL;
if (!tpm_wait_for_u32(sc, TPM_STS, mask, mask, TPM_TIMEOUT_C))
return (EIO);
}
/* Read response header. Length is passed in bytes 2 - 6. */
if(!tpmtis_read_bytes(sc, TPM_HEADER_SIZE, sc->buf)) {
device_printf(sc->dev,
"Failed to read response header\n");
return (EIO);
}
bytes_available = be32toh(*(uint32_t *) (&sc->buf[2]));
if (bytes_available > TPM_BUFSIZE || bytes_available < TPM_HEADER_SIZE) {
device_printf(sc->dev,
"Incorrect response size: %zu\n",
bytes_available);
return (EIO);
}
if(!tpmtis_read_bytes(sc, bytes_available - TPM_HEADER_SIZE,
&sc->buf[TPM_HEADER_SIZE])) {
device_printf(sc->dev,
"Failed to read response\n");
return (EIO);
}
tpmtis_relinquish_locality(sc);
sc->pending_data_length = bytes_available;
return (0);
}
/* ACPI Driver */
static device_method_t tpmtis_methods[] = {
DEVMETHOD(device_probe, tpmtis_acpi_probe),
DEVMETHOD(device_attach, tpmtis_attach),
DEVMETHOD(device_detach, tpmtis_detach),
DEVMETHOD(device_shutdown, tpm20_shutdown),
DEVMETHOD(device_suspend, tpm20_suspend),
{0, 0}
};
static driver_t tpmtis_driver = {
"tpmtis", tpmtis_methods, sizeof(struct tpm_sc),
};
devclass_t tpmtis_devclass;
DRIVER_MODULE(tpmtis, acpi, tpmtis_driver, tpmtis_devclass, 0, 0);