linux/drivers/char/tpm/tpm_tis_spi_cr50.c

// SPDX-License-Identifier: GPL-2.0
/*
 * Copyright (C) 2016 Google, Inc
 *
 * This device driver implements a TCG PTP FIFO interface over SPI for chips
 * with Cr50 firmware.
 * It is based on tpm_tis_spi driver by Peter Huewe and Christophe Ricard.
 */

#include <linux/completion.h>
#include <linux/interrupt.h>
#include <linux/module.h>
#include <linux/of.h>
#include <linux/pm.h>
#include <linux/spi/spi.h>
#include <linux/wait.h>

#include "tpm_tis_core.h"
#include "tpm_tis_spi.h"

/*
 * Cr50 timing constants:
 * - can go to sleep not earlier than after CR50_SLEEP_DELAY_MSEC.
 * - needs up to CR50_WAKE_START_DELAY_USEC to wake after sleep.
 * - requires waiting for "ready" IRQ, if supported; or waiting for at least
 *   CR50_NOIRQ_ACCESS_DELAY_MSEC between transactions, if IRQ is not supported.
 * - waits for up to CR50_FLOW_CONTROL for flow control 'ready' indication.
 */
#define CR50_SLEEP_DELAY_MSEC			1000
#define CR50_WAKE_START_DELAY_USEC		1000
#define CR50_NOIRQ_ACCESS_DELAY			msecs_to_jiffies(2)
#define CR50_READY_IRQ_TIMEOUT			msecs_to_jiffies(TPM2_TIMEOUT_A)
#define CR50_FLOW_CONTROL			msecs_to_jiffies(TPM2_TIMEOUT_A)
#define MAX_IRQ_CONFIRMATION_ATTEMPTS		3

#define TPM_CR50_FW_VER(l)			(0x0f90 | ((l) << 12))
#define TPM_CR50_MAX_FW_VER_LEN			64

/* Default quality for hwrng. */
#define TPM_CR50_DEFAULT_RNG_QUALITY		700

struct cr50_spi_phy {
	struct tpm_tis_spi_phy spi_phy;

	struct mutex time_track_mutex;
	unsigned long last_access;

	unsigned long access_delay;

	unsigned int irq_confirmation_attempt;
	bool irq_needs_confirmation;
	bool irq_confirmed;
};

static inline struct cr50_spi_phy *to_cr50_spi_phy(struct tpm_tis_spi_phy *phy)
{
	return container_of(phy, struct cr50_spi_phy, spi_phy);
}

/*
 * The cr50 interrupt handler just signals waiting threads that the
 * interrupt was asserted.  It does not do any processing triggered
 * by interrupts but is instead used to avoid fixed delays.
 */
static irqreturn_t cr50_spi_irq_handler(int dummy, void *dev_id)
{
	struct cr50_spi_phy *cr50_phy = dev_id;

	cr50_phy->irq_confirmed = true;
	complete(&cr50_phy->spi_phy.ready);

	return IRQ_HANDLED;
}

/*
 * Cr50 needs to have at least some delay between consecutive
 * transactions. Make sure we wait.
 */
static void cr50_ensure_access_delay(struct cr50_spi_phy *phy)
{
	unsigned long allowed_access = phy->last_access + phy->access_delay;
	unsigned long time_now = jiffies;
	struct device *dev = &phy->spi_phy.spi_device->dev;

	/*
	 * Note: There is a small chance, if Cr50 is not accessed in a few days,
	 * that time_in_range will not provide the correct result after the wrap
	 * around for jiffies. In this case, we'll have an unneeded short delay,
	 * which is fine.
	 */
	if (time_in_range_open(time_now, phy->last_access, allowed_access)) {
		unsigned long remaining, timeout = allowed_access - time_now;

		remaining = wait_for_completion_timeout(&phy->spi_phy.ready,
							timeout);
		if (!remaining && phy->irq_confirmed)
			dev_warn(dev, "Timeout waiting for TPM ready IRQ\n");
	}

	if (phy->irq_needs_confirmation) {
		unsigned int attempt = ++phy->irq_confirmation_attempt;

		if (phy->irq_confirmed) {
			phy->irq_needs_confirmation = false;
			phy->access_delay = CR50_READY_IRQ_TIMEOUT;
			dev_info(dev, "TPM ready IRQ confirmed on attempt %u\n",
				 attempt);
		} else if (attempt > MAX_IRQ_CONFIRMATION_ATTEMPTS) {
			phy->irq_needs_confirmation = false;
			dev_warn(dev, "IRQ not confirmed - will use delays\n");
		}
	}
}

/*
 * Cr50 might go to sleep if there is no SPI activity for some time and
 * miss the first few bits/bytes on the bus. In such case, wake it up
 * by asserting CS and give it time to start up.
 */
static bool cr50_needs_waking(struct cr50_spi_phy *phy)
{
	/*
	 * Note: There is a small chance, if Cr50 is not accessed in a few days,
	 * that time_in_range will not provide the correct result after the wrap
	 * around for jiffies. In this case, we'll probably timeout or read
	 * incorrect value from TPM_STS and just retry the operation.
	 */
	return !time_in_range_open(jiffies, phy->last_access,
				   phy->spi_phy.wake_after);
}

static void cr50_wake_if_needed(struct cr50_spi_phy *cr50_phy)
{
	struct tpm_tis_spi_phy *phy = &cr50_phy->spi_phy;

	if (cr50_needs_waking(cr50_phy)) {
		/* Assert CS, wait 1 msec, deassert CS */
		struct spi_transfer spi_cs_wake = {
			.delay = {
				.value = 1000,
				.unit = SPI_DELAY_UNIT_USECS
			}
		};

		spi_sync_transfer(phy->spi_device, &spi_cs_wake, 1);
		/* Wait for it to fully wake */
		usleep_range(CR50_WAKE_START_DELAY_USEC,
			     CR50_WAKE_START_DELAY_USEC * 2);
	}

	/* Reset the time when we need to wake Cr50 again */
	phy->wake_after = jiffies + msecs_to_jiffies(CR50_SLEEP_DELAY_MSEC);
}

/*
 * Flow control: clock the bus and wait for cr50 to set LSB before
 * sending/receiving data. TCG PTP spec allows it to happen during
 * the last byte of header, but cr50 never does that in practice,
 * and earlier versions had a bug when it was set too early, so don't
 * check for it during header transfer.
 */
static int cr50_spi_flow_control(struct tpm_tis_spi_phy *phy,
				 struct spi_transfer *spi_xfer)
{
	struct device *dev = &phy->spi_device->dev;
	unsigned long timeout = jiffies + CR50_FLOW_CONTROL;
	struct spi_message m;
	int ret;

	spi_xfer->len = 1;

	do {
		spi_message_init(&m);
		spi_message_add_tail(spi_xfer, &m);
		ret = spi_sync_locked(phy->spi_device, &m);
		if (ret < 0)
			return ret;

		if (time_after(jiffies, timeout)) {
			dev_warn(dev, "Timeout during flow control\n");
			return -EBUSY;
		}
	} while (!(phy->iobuf[0] & 0x01));

	return 0;
}

static bool tpm_cr50_spi_is_firmware_power_managed(struct device *dev)
{
	u8 val;
	int ret;

	/* This flag should default true when the device property is not present */
	ret = device_property_read_u8(dev, "firmware-power-managed", &val);
	if (ret)
		return true;

	return val;
}

static int tpm_tis_spi_cr50_transfer(struct tpm_tis_data *data, u32 addr, u16 len,
				     u8 *in, const u8 *out)
{
	struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data);
	struct cr50_spi_phy *cr50_phy = to_cr50_spi_phy(phy);
	int ret;

	mutex_lock(&cr50_phy->time_track_mutex);
	/*
	 * Do this outside of spi_bus_lock in case cr50 is not the
	 * only device on that spi bus.
	 */
	cr50_ensure_access_delay(cr50_phy);
	cr50_wake_if_needed(cr50_phy);

	ret = tpm_tis_spi_transfer(data, addr, len, in, out);

	cr50_phy->last_access = jiffies;
	mutex_unlock(&cr50_phy->time_track_mutex);

	return ret;
}

static int tpm_tis_spi_cr50_read_bytes(struct tpm_tis_data *data, u32 addr,
				       u16 len, u8 *result)
{
	return tpm_tis_spi_cr50_transfer(data, addr, len, result, NULL);
}

static int tpm_tis_spi_cr50_write_bytes(struct tpm_tis_data *data, u32 addr,
					u16 len, const u8 *value)
{
	return tpm_tis_spi_cr50_transfer(data, addr, len, NULL, value);
}

static const struct tpm_tis_phy_ops tpm_spi_cr50_phy_ops = {
	.read_bytes = tpm_tis_spi_cr50_read_bytes,
	.write_bytes = tpm_tis_spi_cr50_write_bytes,
	.read16 = tpm_tis_spi_read16,
	.read32 = tpm_tis_spi_read32,
	.write32 = tpm_tis_spi_write32,
};

static void cr50_print_fw_version(struct tpm_tis_data *data)
{
	struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data);
	int i, len = 0;
	char fw_ver[TPM_CR50_MAX_FW_VER_LEN + 1];
	char fw_ver_block[4];

	/*
	 * Write anything to TPM_CR50_FW_VER to start from the beginning
	 * of the version string
	 */
	tpm_tis_write8(data, TPM_CR50_FW_VER(data->locality), 0);

	/* Read the string, 4 bytes at a time, until we get '\0' */
	do {
		tpm_tis_read_bytes(data, TPM_CR50_FW_VER(data->locality), 4,
				   fw_ver_block);
		for (i = 0; i < 4 && fw_ver_block[i]; ++len, ++i)
			fw_ver[len] = fw_ver_block[i];
	} while (i == 4 && len < TPM_CR50_MAX_FW_VER_LEN);
	fw_ver[len] = '\0';

	dev_info(&phy->spi_device->dev, "Cr50 firmware version: %s\n", fw_ver);
}

int cr50_spi_probe(struct spi_device *spi)
{
	struct tpm_tis_spi_phy *phy;
	struct cr50_spi_phy *cr50_phy;
	int ret;
	struct tpm_chip *chip;

	cr50_phy = devm_kzalloc(&spi->dev, sizeof(*cr50_phy), GFP_KERNEL);
	if (!cr50_phy)
		return -ENOMEM;

	phy = &cr50_phy->spi_phy;
	phy->flow_control = cr50_spi_flow_control;
	phy->wake_after = jiffies;
	phy->priv.rng_quality = TPM_CR50_DEFAULT_RNG_QUALITY;
	init_completion(&phy->ready);

	cr50_phy->access_delay = CR50_NOIRQ_ACCESS_DELAY;
	cr50_phy->last_access = jiffies;
	mutex_init(&cr50_phy->time_track_mutex);

	if (spi->irq > 0) {
		ret = devm_request_irq(&spi->dev, spi->irq,
				       cr50_spi_irq_handler,
				       IRQF_TRIGGER_RISING | IRQF_ONESHOT,
				       "cr50_spi", cr50_phy);
		if (ret < 0) {
			if (ret == -EPROBE_DEFER)
				return ret;
			dev_warn(&spi->dev, "Requesting IRQ %d failed: %d\n",
				 spi->irq, ret);
			/*
			 * This is not fatal, the driver will fall back to
			 * delays automatically, since ready will never
			 * be completed without a registered irq handler.
			 * So, just fall through.
			 */
		} else {
			/*
			 * IRQ requested, let's verify that it is actually
			 * triggered, before relying on it.
			 */
			cr50_phy->irq_needs_confirmation = true;
		}
	} else {
		dev_warn(&spi->dev,
			 "No IRQ - will use delays between transactions.\n");
	}

	ret = tpm_tis_spi_init(spi, phy, -1, &tpm_spi_cr50_phy_ops);
	if (ret)
		return ret;

	cr50_print_fw_version(&phy->priv);

	chip = dev_get_drvdata(&spi->dev);
	if (tpm_cr50_spi_is_firmware_power_managed(&spi->dev))
		chip->flags |= TPM_CHIP_FLAG_FIRMWARE_POWER_MANAGED;

	return 0;
}

#ifdef CONFIG_PM_SLEEP
int tpm_tis_spi_resume(struct device *dev)
{
	struct tpm_chip *chip = dev_get_drvdata(dev);
	struct tpm_tis_data *data = dev_get_drvdata(&chip->dev);
	struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data);
	/*
	 * Jiffies not increased during suspend, so we need to reset
	 * the time to wake Cr50 after resume.
	 */
	phy->wake_after = jiffies;

	return tpm_tis_resume(dev);
}
#endif