1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Copyright (C) 2016 Google, Inc |
4 | * |
5 | * This device driver implements a TCG PTP FIFO interface over SPI for chips |
6 | * with Cr50 firmware. |
7 | * It is based on tpm_tis_spi driver by Peter Huewe and Christophe Ricard. |
8 | */ |
9 | |
10 | #include <linux/completion.h> |
11 | #include <linux/interrupt.h> |
12 | #include <linux/module.h> |
13 | #include <linux/of.h> |
14 | #include <linux/pm.h> |
15 | #include <linux/spi/spi.h> |
16 | #include <linux/wait.h> |
17 | |
18 | #include "tpm_tis_core.h" |
19 | #include "tpm_tis_spi.h" |
20 | |
21 | /* |
22 | * Cr50 timing constants: |
23 | * - can go to sleep not earlier than after CR50_SLEEP_DELAY_MSEC. |
24 | * - needs up to CR50_WAKE_START_DELAY_USEC to wake after sleep. |
25 | * - requires waiting for "ready" IRQ, if supported; or waiting for at least |
26 | * CR50_NOIRQ_ACCESS_DELAY_MSEC between transactions, if IRQ is not supported. |
27 | * - waits for up to CR50_FLOW_CONTROL for flow control 'ready' indication. |
28 | */ |
29 | #define CR50_SLEEP_DELAY_MSEC 1000 |
30 | #define CR50_WAKE_START_DELAY_USEC 1000 |
31 | #define CR50_NOIRQ_ACCESS_DELAY msecs_to_jiffies(2) |
32 | #define CR50_READY_IRQ_TIMEOUT msecs_to_jiffies(TPM2_TIMEOUT_A) |
33 | #define CR50_FLOW_CONTROL msecs_to_jiffies(TPM2_TIMEOUT_A) |
34 | #define MAX_IRQ_CONFIRMATION_ATTEMPTS 3 |
35 | |
36 | #define TPM_CR50_FW_VER(l) (0x0f90 | ((l) << 12)) |
37 | #define TPM_CR50_MAX_FW_VER_LEN 64 |
38 | |
39 | /* Default quality for hwrng. */ |
40 | #define TPM_CR50_DEFAULT_RNG_QUALITY 700 |
41 | |
42 | struct cr50_spi_phy { |
43 | struct tpm_tis_spi_phy spi_phy; |
44 | |
45 | struct mutex time_track_mutex; |
46 | unsigned long last_access; |
47 | |
48 | unsigned long access_delay; |
49 | |
50 | unsigned int irq_confirmation_attempt; |
51 | bool irq_needs_confirmation; |
52 | bool irq_confirmed; |
53 | }; |
54 | |
55 | static inline struct cr50_spi_phy *to_cr50_spi_phy(struct tpm_tis_spi_phy *phy) |
56 | { |
57 | return container_of(phy, struct cr50_spi_phy, spi_phy); |
58 | } |
59 | |
60 | /* |
61 | * The cr50 interrupt handler just signals waiting threads that the |
62 | * interrupt was asserted. It does not do any processing triggered |
63 | * by interrupts but is instead used to avoid fixed delays. |
64 | */ |
65 | static irqreturn_t cr50_spi_irq_handler(int dummy, void *dev_id) |
66 | { |
67 | struct cr50_spi_phy *cr50_phy = dev_id; |
68 | |
69 | cr50_phy->irq_confirmed = true; |
70 | complete(&cr50_phy->spi_phy.ready); |
71 | |
72 | return IRQ_HANDLED; |
73 | } |
74 | |
75 | /* |
76 | * Cr50 needs to have at least some delay between consecutive |
77 | * transactions. Make sure we wait. |
78 | */ |
79 | static void cr50_ensure_access_delay(struct cr50_spi_phy *phy) |
80 | { |
81 | unsigned long allowed_access = phy->last_access + phy->access_delay; |
82 | unsigned long time_now = jiffies; |
83 | struct device *dev = &phy->spi_phy.spi_device->dev; |
84 | |
85 | /* |
86 | * Note: There is a small chance, if Cr50 is not accessed in a few days, |
87 | * that time_in_range will not provide the correct result after the wrap |
88 | * around for jiffies. In this case, we'll have an unneeded short delay, |
89 | * which is fine. |
90 | */ |
91 | if (time_in_range_open(time_now, phy->last_access, allowed_access)) { |
92 | unsigned long remaining, timeout = allowed_access - time_now; |
93 | |
94 | remaining = wait_for_completion_timeout(x: &phy->spi_phy.ready, |
95 | timeout); |
96 | if (!remaining && phy->irq_confirmed) |
97 | dev_warn(dev, "Timeout waiting for TPM ready IRQ\n" ); |
98 | } |
99 | |
100 | if (phy->irq_needs_confirmation) { |
101 | unsigned int attempt = ++phy->irq_confirmation_attempt; |
102 | |
103 | if (phy->irq_confirmed) { |
104 | phy->irq_needs_confirmation = false; |
105 | phy->access_delay = CR50_READY_IRQ_TIMEOUT; |
106 | dev_info(dev, "TPM ready IRQ confirmed on attempt %u\n" , |
107 | attempt); |
108 | } else if (attempt > MAX_IRQ_CONFIRMATION_ATTEMPTS) { |
109 | phy->irq_needs_confirmation = false; |
110 | dev_warn(dev, "IRQ not confirmed - will use delays\n" ); |
111 | } |
112 | } |
113 | } |
114 | |
115 | /* |
116 | * Cr50 might go to sleep if there is no SPI activity for some time and |
117 | * miss the first few bits/bytes on the bus. In such case, wake it up |
118 | * by asserting CS and give it time to start up. |
119 | */ |
120 | static bool cr50_needs_waking(struct cr50_spi_phy *phy) |
121 | { |
122 | /* |
123 | * Note: There is a small chance, if Cr50 is not accessed in a few days, |
124 | * that time_in_range will not provide the correct result after the wrap |
125 | * around for jiffies. In this case, we'll probably timeout or read |
126 | * incorrect value from TPM_STS and just retry the operation. |
127 | */ |
128 | return !time_in_range_open(jiffies, phy->last_access, |
129 | phy->spi_phy.wake_after); |
130 | } |
131 | |
132 | static void cr50_wake_if_needed(struct cr50_spi_phy *cr50_phy) |
133 | { |
134 | struct tpm_tis_spi_phy *phy = &cr50_phy->spi_phy; |
135 | |
136 | if (cr50_needs_waking(phy: cr50_phy)) { |
137 | /* Assert CS, wait 1 msec, deassert CS */ |
138 | struct spi_transfer spi_cs_wake = { |
139 | .delay = { |
140 | .value = 1000, |
141 | .unit = SPI_DELAY_UNIT_USECS |
142 | } |
143 | }; |
144 | |
145 | spi_sync_transfer(spi: phy->spi_device, xfers: &spi_cs_wake, num_xfers: 1); |
146 | /* Wait for it to fully wake */ |
147 | usleep_range(CR50_WAKE_START_DELAY_USEC, |
148 | CR50_WAKE_START_DELAY_USEC * 2); |
149 | } |
150 | |
151 | /* Reset the time when we need to wake Cr50 again */ |
152 | phy->wake_after = jiffies + msecs_to_jiffies(CR50_SLEEP_DELAY_MSEC); |
153 | } |
154 | |
155 | /* |
156 | * Flow control: clock the bus and wait for cr50 to set LSB before |
157 | * sending/receiving data. TCG PTP spec allows it to happen during |
158 | * the last byte of header, but cr50 never does that in practice, |
159 | * and earlier versions had a bug when it was set too early, so don't |
160 | * check for it during header transfer. |
161 | */ |
162 | static int cr50_spi_flow_control(struct tpm_tis_spi_phy *phy, |
163 | struct spi_transfer *spi_xfer) |
164 | { |
165 | struct device *dev = &phy->spi_device->dev; |
166 | unsigned long timeout = jiffies + CR50_FLOW_CONTROL; |
167 | struct spi_message m; |
168 | int ret; |
169 | |
170 | spi_xfer->len = 1; |
171 | |
172 | do { |
173 | spi_message_init(m: &m); |
174 | spi_message_add_tail(t: spi_xfer, m: &m); |
175 | ret = spi_sync_locked(spi: phy->spi_device, message: &m); |
176 | if (ret < 0) |
177 | return ret; |
178 | |
179 | if (time_after(jiffies, timeout)) { |
180 | dev_warn(dev, "Timeout during flow control\n" ); |
181 | return -EBUSY; |
182 | } |
183 | } while (!(phy->iobuf[0] & 0x01)); |
184 | |
185 | return 0; |
186 | } |
187 | |
188 | static bool tpm_cr50_spi_is_firmware_power_managed(struct device *dev) |
189 | { |
190 | u8 val; |
191 | int ret; |
192 | |
193 | /* This flag should default true when the device property is not present */ |
194 | ret = device_property_read_u8(dev, propname: "firmware-power-managed" , val: &val); |
195 | if (ret) |
196 | return true; |
197 | |
198 | return val; |
199 | } |
200 | |
201 | static int tpm_tis_spi_cr50_transfer(struct tpm_tis_data *data, u32 addr, u16 len, |
202 | u8 *in, const u8 *out) |
203 | { |
204 | struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data); |
205 | struct cr50_spi_phy *cr50_phy = to_cr50_spi_phy(phy); |
206 | int ret; |
207 | |
208 | mutex_lock(&cr50_phy->time_track_mutex); |
209 | /* |
210 | * Do this outside of spi_bus_lock in case cr50 is not the |
211 | * only device on that spi bus. |
212 | */ |
213 | cr50_ensure_access_delay(phy: cr50_phy); |
214 | cr50_wake_if_needed(cr50_phy); |
215 | |
216 | ret = tpm_tis_spi_transfer(data, addr, len, in, out); |
217 | |
218 | cr50_phy->last_access = jiffies; |
219 | mutex_unlock(lock: &cr50_phy->time_track_mutex); |
220 | |
221 | return ret; |
222 | } |
223 | |
224 | static int tpm_tis_spi_cr50_read_bytes(struct tpm_tis_data *data, u32 addr, |
225 | u16 len, u8 *result, enum tpm_tis_io_mode io_mode) |
226 | { |
227 | return tpm_tis_spi_cr50_transfer(data, addr, len, in: result, NULL); |
228 | } |
229 | |
230 | static int tpm_tis_spi_cr50_write_bytes(struct tpm_tis_data *data, u32 addr, |
231 | u16 len, const u8 *value, enum tpm_tis_io_mode io_mode) |
232 | { |
233 | return tpm_tis_spi_cr50_transfer(data, addr, len, NULL, out: value); |
234 | } |
235 | |
236 | static const struct tpm_tis_phy_ops tpm_spi_cr50_phy_ops = { |
237 | .read_bytes = tpm_tis_spi_cr50_read_bytes, |
238 | .write_bytes = tpm_tis_spi_cr50_write_bytes, |
239 | }; |
240 | |
241 | static void cr50_print_fw_version(struct tpm_tis_data *data) |
242 | { |
243 | struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data); |
244 | int i, len = 0; |
245 | char fw_ver[TPM_CR50_MAX_FW_VER_LEN + 1]; |
246 | char fw_ver_block[4]; |
247 | |
248 | /* |
249 | * Write anything to TPM_CR50_FW_VER to start from the beginning |
250 | * of the version string |
251 | */ |
252 | tpm_tis_write8(data, TPM_CR50_FW_VER(data->locality), value: 0); |
253 | |
254 | /* Read the string, 4 bytes at a time, until we get '\0' */ |
255 | do { |
256 | tpm_tis_read_bytes(data, TPM_CR50_FW_VER(data->locality), len: 4, |
257 | result: fw_ver_block); |
258 | for (i = 0; i < 4 && fw_ver_block[i]; ++len, ++i) |
259 | fw_ver[len] = fw_ver_block[i]; |
260 | } while (i == 4 && len < TPM_CR50_MAX_FW_VER_LEN); |
261 | fw_ver[len] = '\0'; |
262 | |
263 | dev_info(&phy->spi_device->dev, "Cr50 firmware version: %s\n" , fw_ver); |
264 | } |
265 | |
266 | int cr50_spi_probe(struct spi_device *spi) |
267 | { |
268 | struct tpm_tis_spi_phy *phy; |
269 | struct cr50_spi_phy *cr50_phy; |
270 | int ret; |
271 | struct tpm_chip *chip; |
272 | |
273 | cr50_phy = devm_kzalloc(dev: &spi->dev, size: sizeof(*cr50_phy), GFP_KERNEL); |
274 | if (!cr50_phy) |
275 | return -ENOMEM; |
276 | |
277 | phy = &cr50_phy->spi_phy; |
278 | phy->flow_control = cr50_spi_flow_control; |
279 | phy->wake_after = jiffies; |
280 | phy->priv.rng_quality = TPM_CR50_DEFAULT_RNG_QUALITY; |
281 | init_completion(x: &phy->ready); |
282 | |
283 | cr50_phy->access_delay = CR50_NOIRQ_ACCESS_DELAY; |
284 | cr50_phy->last_access = jiffies; |
285 | mutex_init(&cr50_phy->time_track_mutex); |
286 | |
287 | if (spi->irq > 0) { |
288 | ret = devm_request_irq(dev: &spi->dev, irq: spi->irq, |
289 | handler: cr50_spi_irq_handler, |
290 | IRQF_TRIGGER_RISING | IRQF_ONESHOT, |
291 | devname: "cr50_spi" , dev_id: cr50_phy); |
292 | if (ret < 0) { |
293 | if (ret == -EPROBE_DEFER) |
294 | return ret; |
295 | dev_warn(&spi->dev, "Requesting IRQ %d failed: %d\n" , |
296 | spi->irq, ret); |
297 | /* |
298 | * This is not fatal, the driver will fall back to |
299 | * delays automatically, since ready will never |
300 | * be completed without a registered irq handler. |
301 | * So, just fall through. |
302 | */ |
303 | } else { |
304 | /* |
305 | * IRQ requested, let's verify that it is actually |
306 | * triggered, before relying on it. |
307 | */ |
308 | cr50_phy->irq_needs_confirmation = true; |
309 | } |
310 | } else { |
311 | dev_warn(&spi->dev, |
312 | "No IRQ - will use delays between transactions.\n" ); |
313 | } |
314 | |
315 | ret = tpm_tis_spi_init(spi, phy, irq: -1, phy_ops: &tpm_spi_cr50_phy_ops); |
316 | if (ret) |
317 | return ret; |
318 | |
319 | cr50_print_fw_version(data: &phy->priv); |
320 | |
321 | chip = dev_get_drvdata(dev: &spi->dev); |
322 | if (tpm_cr50_spi_is_firmware_power_managed(dev: &spi->dev)) |
323 | chip->flags |= TPM_CHIP_FLAG_FIRMWARE_POWER_MANAGED; |
324 | |
325 | return 0; |
326 | } |
327 | |
328 | #ifdef CONFIG_PM_SLEEP |
329 | int tpm_tis_spi_resume(struct device *dev) |
330 | { |
331 | struct tpm_chip *chip = dev_get_drvdata(dev); |
332 | struct tpm_tis_data *data = dev_get_drvdata(dev: &chip->dev); |
333 | struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data); |
334 | /* |
335 | * Jiffies not increased during suspend, so we need to reset |
336 | * the time to wake Cr50 after resume. |
337 | */ |
338 | phy->wake_after = jiffies; |
339 | |
340 | return tpm_tis_resume(dev); |
341 | } |
342 | #endif |
343 | |