tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus
[sfrench/cifs-2.6.git] / drivers / char / tpm / st33zp24 / st33zp24.c
1 /*
2  * STMicroelectronics TPM Linux driver for TPM ST33ZP24
3  * Copyright (C) 2009 - 2016 STMicroelectronics
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation; either version 2 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program; if not, see <http://www.gnu.org/licenses/>.
17  */
18
19 #include <linux/module.h>
20 #include <linux/fs.h>
21 #include <linux/kernel.h>
22 #include <linux/delay.h>
23 #include <linux/wait.h>
24 #include <linux/freezer.h>
25 #include <linux/string.h>
26 #include <linux/interrupt.h>
27 #include <linux/gpio.h>
28 #include <linux/sched.h>
29 #include <linux/uaccess.h>
30 #include <linux/io.h>
31 #include <linux/slab.h>
32
33 #include "../tpm.h"
34 #include "st33zp24.h"
35
36 #define TPM_ACCESS                      0x0
37 #define TPM_STS                         0x18
38 #define TPM_DATA_FIFO                   0x24
39 #define TPM_INTF_CAPABILITY             0x14
40 #define TPM_INT_STATUS                  0x10
41 #define TPM_INT_ENABLE                  0x08
42
43 #define LOCALITY0                       0
44
45 enum st33zp24_access {
46         TPM_ACCESS_VALID = 0x80,
47         TPM_ACCESS_ACTIVE_LOCALITY = 0x20,
48         TPM_ACCESS_REQUEST_PENDING = 0x04,
49         TPM_ACCESS_REQUEST_USE = 0x02,
50 };
51
52 enum st33zp24_status {
53         TPM_STS_VALID = 0x80,
54         TPM_STS_COMMAND_READY = 0x40,
55         TPM_STS_GO = 0x20,
56         TPM_STS_DATA_AVAIL = 0x10,
57         TPM_STS_DATA_EXPECT = 0x08,
58 };
59
60 enum st33zp24_int_flags {
61         TPM_GLOBAL_INT_ENABLE = 0x80,
62         TPM_INTF_CMD_READY_INT = 0x080,
63         TPM_INTF_FIFO_AVALAIBLE_INT = 0x040,
64         TPM_INTF_WAKE_UP_READY_INT = 0x020,
65         TPM_INTF_LOCALITY_CHANGE_INT = 0x004,
66         TPM_INTF_STS_VALID_INT = 0x002,
67         TPM_INTF_DATA_AVAIL_INT = 0x001,
68 };
69
70 enum tis_defaults {
71         TIS_SHORT_TIMEOUT = 750,
72         TIS_LONG_TIMEOUT = 2000,
73 };
74
75 /*
76  * clear_interruption clear the pending interrupt.
77  * @param: tpm_dev, the tpm device device.
78  * @return: the interrupt status value.
79  */
80 static u8 clear_interruption(struct st33zp24_dev *tpm_dev)
81 {
82         u8 interrupt;
83
84         tpm_dev->ops->recv(tpm_dev->phy_id, TPM_INT_STATUS, &interrupt, 1);
85         tpm_dev->ops->send(tpm_dev->phy_id, TPM_INT_STATUS, &interrupt, 1);
86         return interrupt;
87 } /* clear_interruption() */
88
89 /*
90  * st33zp24_cancel, cancel the current command execution or
91  * set STS to COMMAND READY.
92  * @param: chip, the tpm_chip description as specified in driver/char/tpm/tpm.h
93  */
94 static void st33zp24_cancel(struct tpm_chip *chip)
95 {
96         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
97         u8 data;
98
99         data = TPM_STS_COMMAND_READY;
100         tpm_dev->ops->send(tpm_dev->phy_id, TPM_STS, &data, 1);
101 } /* st33zp24_cancel() */
102
103 /*
104  * st33zp24_status return the TPM_STS register
105  * @param: chip, the tpm chip description
106  * @return: the TPM_STS register value.
107  */
108 static u8 st33zp24_status(struct tpm_chip *chip)
109 {
110         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
111         u8 data;
112
113         tpm_dev->ops->recv(tpm_dev->phy_id, TPM_STS, &data, 1);
114         return data;
115 } /* st33zp24_status() */
116
117 /*
118  * check_locality if the locality is active
119  * @param: chip, the tpm chip description
120  * @return: true if LOCALITY0 is active, otherwise false
121  */
122 static bool check_locality(struct tpm_chip *chip)
123 {
124         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
125         u8 data;
126         u8 status;
127
128         status = tpm_dev->ops->recv(tpm_dev->phy_id, TPM_ACCESS, &data, 1);
129         if (status && (data &
130                 (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) ==
131                 (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID))
132                 return true;
133
134         return false;
135 } /* check_locality() */
136
137 /*
138  * request_locality request the TPM locality
139  * @param: chip, the chip description
140  * @return: the active locality or negative value.
141  */
142 static int request_locality(struct tpm_chip *chip)
143 {
144         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
145         unsigned long stop;
146         long ret;
147         u8 data;
148
149         if (check_locality(chip))
150                 return tpm_dev->locality;
151
152         data = TPM_ACCESS_REQUEST_USE;
153         ret = tpm_dev->ops->send(tpm_dev->phy_id, TPM_ACCESS, &data, 1);
154         if (ret < 0)
155                 return ret;
156
157         stop = jiffies + chip->timeout_a;
158
159         /* Request locality is usually effective after the request */
160         do {
161                 if (check_locality(chip))
162                         return tpm_dev->locality;
163                 msleep(TPM_TIMEOUT);
164         } while (time_before(jiffies, stop));
165
166         /* could not get locality */
167         return -EACCES;
168 } /* request_locality() */
169
170 /*
171  * release_locality release the active locality
172  * @param: chip, the tpm chip description.
173  */
174 static void release_locality(struct tpm_chip *chip)
175 {
176         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
177         u8 data;
178
179         data = TPM_ACCESS_ACTIVE_LOCALITY;
180
181         tpm_dev->ops->send(tpm_dev->phy_id, TPM_ACCESS, &data, 1);
182 }
183
184 /*
185  * get_burstcount return the burstcount value
186  * @param: chip, the chip description
187  * return: the burstcount or negative value.
188  */
189 static int get_burstcount(struct tpm_chip *chip)
190 {
191         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
192         unsigned long stop;
193         int burstcnt, status;
194         u8 temp;
195
196         stop = jiffies + chip->timeout_d;
197         do {
198                 status = tpm_dev->ops->recv(tpm_dev->phy_id, TPM_STS + 1,
199                                             &temp, 1);
200                 if (status < 0)
201                         return -EBUSY;
202
203                 burstcnt = temp;
204                 status = tpm_dev->ops->recv(tpm_dev->phy_id, TPM_STS + 2,
205                                             &temp, 1);
206                 if (status < 0)
207                         return -EBUSY;
208
209                 burstcnt |= temp << 8;
210                 if (burstcnt)
211                         return burstcnt;
212                 msleep(TPM_TIMEOUT);
213         } while (time_before(jiffies, stop));
214         return -EBUSY;
215 } /* get_burstcount() */
216
217
218 /*
219  * wait_for_tpm_stat_cond
220  * @param: chip, chip description
221  * @param: mask, expected mask value
222  * @param: check_cancel, does the command expected to be canceled ?
223  * @param: canceled, did we received a cancel request ?
224  * @return: true if status == mask or if the command is canceled.
225  * false in other cases.
226  */
227 static bool wait_for_tpm_stat_cond(struct tpm_chip *chip, u8 mask,
228                                 bool check_cancel, bool *canceled)
229 {
230         u8 status = chip->ops->status(chip);
231
232         *canceled = false;
233         if ((status & mask) == mask)
234                 return true;
235         if (check_cancel && chip->ops->req_canceled(chip, status)) {
236                 *canceled = true;
237                 return true;
238         }
239         return false;
240 }
241
242 /*
243  * wait_for_stat wait for a TPM_STS value
244  * @param: chip, the tpm chip description
245  * @param: mask, the value mask to wait
246  * @param: timeout, the timeout
247  * @param: queue, the wait queue.
248  * @param: check_cancel, does the command can be cancelled ?
249  * @return: the tpm status, 0 if success, -ETIME if timeout is reached.
250  */
251 static int wait_for_stat(struct tpm_chip *chip, u8 mask, unsigned long timeout,
252                         wait_queue_head_t *queue, bool check_cancel)
253 {
254         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
255         unsigned long stop;
256         int ret = 0;
257         bool canceled = false;
258         bool condition;
259         u32 cur_intrs;
260         u8 status;
261
262         /* check current status */
263         status = st33zp24_status(chip);
264         if ((status & mask) == mask)
265                 return 0;
266
267         stop = jiffies + timeout;
268
269         if (chip->flags & TPM_CHIP_FLAG_IRQ) {
270                 cur_intrs = tpm_dev->intrs;
271                 clear_interruption(tpm_dev);
272                 enable_irq(tpm_dev->irq);
273
274                 do {
275                         if (ret == -ERESTARTSYS && freezing(current))
276                                 clear_thread_flag(TIF_SIGPENDING);
277
278                         timeout = stop - jiffies;
279                         if ((long) timeout <= 0)
280                                 return -1;
281
282                         ret = wait_event_interruptible_timeout(*queue,
283                                                 cur_intrs != tpm_dev->intrs,
284                                                 timeout);
285                         clear_interruption(tpm_dev);
286                         condition = wait_for_tpm_stat_cond(chip, mask,
287                                                 check_cancel, &canceled);
288                         if (ret >= 0 && condition) {
289                                 if (canceled)
290                                         return -ECANCELED;
291                                 return 0;
292                         }
293                 } while (ret == -ERESTARTSYS && freezing(current));
294
295                 disable_irq_nosync(tpm_dev->irq);
296
297         } else {
298                 do {
299                         msleep(TPM_TIMEOUT);
300                         status = chip->ops->status(chip);
301                         if ((status & mask) == mask)
302                                 return 0;
303                 } while (time_before(jiffies, stop));
304         }
305
306         return -ETIME;
307 } /* wait_for_stat() */
308
309 /*
310  * recv_data receive data
311  * @param: chip, the tpm chip description
312  * @param: buf, the buffer where the data are received
313  * @param: count, the number of data to receive
314  * @return: the number of bytes read from TPM FIFO.
315  */
316 static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
317 {
318         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
319         int size = 0, burstcnt, len, ret;
320
321         while (size < count &&
322                wait_for_stat(chip,
323                              TPM_STS_DATA_AVAIL | TPM_STS_VALID,
324                              chip->timeout_c,
325                              &tpm_dev->read_queue, true) == 0) {
326                 burstcnt = get_burstcount(chip);
327                 if (burstcnt < 0)
328                         return burstcnt;
329                 len = min_t(int, burstcnt, count - size);
330                 ret = tpm_dev->ops->recv(tpm_dev->phy_id, TPM_DATA_FIFO,
331                                          buf + size, len);
332                 if (ret < 0)
333                         return ret;
334
335                 size += len;
336         }
337         return size;
338 }
339
340 /*
341  * tpm_ioserirq_handler the serirq irq handler
342  * @param: irq, the tpm chip description
343  * @param: dev_id, the description of the chip
344  * @return: the status of the handler.
345  */
346 static irqreturn_t tpm_ioserirq_handler(int irq, void *dev_id)
347 {
348         struct tpm_chip *chip = dev_id;
349         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
350
351         tpm_dev->intrs++;
352         wake_up_interruptible(&tpm_dev->read_queue);
353         disable_irq_nosync(tpm_dev->irq);
354
355         return IRQ_HANDLED;
356 } /* tpm_ioserirq_handler() */
357
358 /*
359  * st33zp24_send send TPM commands through the I2C bus.
360  *
361  * @param: chip, the tpm_chip description as specified in driver/char/tpm/tpm.h
362  * @param: buf, the buffer to send.
363  * @param: count, the number of bytes to send.
364  * @return: In case of success the number of bytes sent.
365  *                      In other case, a < 0 value describing the issue.
366  */
367 static int st33zp24_send(struct tpm_chip *chip, unsigned char *buf,
368                          size_t len)
369 {
370         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
371         u32 status, i, size, ordinal;
372         int burstcnt = 0;
373         int ret;
374         u8 data;
375
376         if (!chip)
377                 return -EBUSY;
378         if (len < TPM_HEADER_SIZE)
379                 return -EBUSY;
380
381         ret = request_locality(chip);
382         if (ret < 0)
383                 return ret;
384
385         status = st33zp24_status(chip);
386         if ((status & TPM_STS_COMMAND_READY) == 0) {
387                 st33zp24_cancel(chip);
388                 if (wait_for_stat
389                     (chip, TPM_STS_COMMAND_READY, chip->timeout_b,
390                      &tpm_dev->read_queue, false) < 0) {
391                         ret = -ETIME;
392                         goto out_err;
393                 }
394         }
395
396         for (i = 0; i < len - 1;) {
397                 burstcnt = get_burstcount(chip);
398                 if (burstcnt < 0)
399                         return burstcnt;
400                 size = min_t(int, len - i - 1, burstcnt);
401                 ret = tpm_dev->ops->send(tpm_dev->phy_id, TPM_DATA_FIFO,
402                                          buf + i, size);
403                 if (ret < 0)
404                         goto out_err;
405
406                 i += size;
407         }
408
409         status = st33zp24_status(chip);
410         if ((status & TPM_STS_DATA_EXPECT) == 0) {
411                 ret = -EIO;
412                 goto out_err;
413         }
414
415         ret = tpm_dev->ops->send(tpm_dev->phy_id, TPM_DATA_FIFO,
416                                  buf + len - 1, 1);
417         if (ret < 0)
418                 goto out_err;
419
420         status = st33zp24_status(chip);
421         if ((status & TPM_STS_DATA_EXPECT) != 0) {
422                 ret = -EIO;
423                 goto out_err;
424         }
425
426         data = TPM_STS_GO;
427         ret = tpm_dev->ops->send(tpm_dev->phy_id, TPM_STS, &data, 1);
428         if (ret < 0)
429                 goto out_err;
430
431         if (chip->flags & TPM_CHIP_FLAG_IRQ) {
432                 ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
433
434                 ret = wait_for_stat(chip, TPM_STS_DATA_AVAIL | TPM_STS_VALID,
435                                 tpm_calc_ordinal_duration(chip, ordinal),
436                                 &tpm_dev->read_queue, false);
437                 if (ret < 0)
438                         goto out_err;
439         }
440
441         return len;
442 out_err:
443         st33zp24_cancel(chip);
444         release_locality(chip);
445         return ret;
446 }
447
448 /*
449  * st33zp24_recv received TPM response through TPM phy.
450  * @param: chip, the tpm_chip description as specified in driver/char/tpm/tpm.h.
451  * @param: buf, the buffer to store datas.
452  * @param: count, the number of bytes to send.
453  * @return: In case of success the number of bytes received.
454  *          In other case, a < 0 value describing the issue.
455  */
456 static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf,
457                             size_t count)
458 {
459         int size = 0;
460         u32 expected;
461
462         if (!chip)
463                 return -EBUSY;
464
465         if (count < TPM_HEADER_SIZE) {
466                 size = -EIO;
467                 goto out;
468         }
469
470         size = recv_data(chip, buf, TPM_HEADER_SIZE);
471         if (size < TPM_HEADER_SIZE) {
472                 dev_err(&chip->dev, "Unable to read header\n");
473                 goto out;
474         }
475
476         expected = be32_to_cpu(*(__be32 *)(buf + 2));
477         if (expected > count || expected < TPM_HEADER_SIZE) {
478                 size = -EIO;
479                 goto out;
480         }
481
482         size += recv_data(chip, &buf[TPM_HEADER_SIZE],
483                         expected - TPM_HEADER_SIZE);
484         if (size < expected) {
485                 dev_err(&chip->dev, "Unable to read remainder of result\n");
486                 size = -ETIME;
487         }
488
489 out:
490         st33zp24_cancel(chip);
491         release_locality(chip);
492         return size;
493 }
494
495 /*
496  * st33zp24_req_canceled
497  * @param: chip, the tpm_chip description as specified in driver/char/tpm/tpm.h.
498  * @param: status, the TPM status.
499  * @return: Does TPM ready to compute a new command ? true.
500  */
501 static bool st33zp24_req_canceled(struct tpm_chip *chip, u8 status)
502 {
503         return (status == TPM_STS_COMMAND_READY);
504 }
505
506 static const struct tpm_class_ops st33zp24_tpm = {
507         .flags = TPM_OPS_AUTO_STARTUP,
508         .send = st33zp24_send,
509         .recv = st33zp24_recv,
510         .cancel = st33zp24_cancel,
511         .status = st33zp24_status,
512         .req_complete_mask = TPM_STS_DATA_AVAIL | TPM_STS_VALID,
513         .req_complete_val = TPM_STS_DATA_AVAIL | TPM_STS_VALID,
514         .req_canceled = st33zp24_req_canceled,
515 };
516
517 /*
518  * st33zp24_probe initialize the TPM device
519  * @param: client, the i2c_client drescription (TPM I2C description).
520  * @param: id, the i2c_device_id struct.
521  * @return: 0 in case of success.
522  *       -1 in other case.
523  */
524 int st33zp24_probe(void *phy_id, const struct st33zp24_phy_ops *ops,
525                    struct device *dev, int irq, int io_lpcpd)
526 {
527         int ret;
528         u8 intmask = 0;
529         struct tpm_chip *chip;
530         struct st33zp24_dev *tpm_dev;
531
532         chip = tpmm_chip_alloc(dev, &st33zp24_tpm);
533         if (IS_ERR(chip))
534                 return PTR_ERR(chip);
535
536         tpm_dev = devm_kzalloc(dev, sizeof(struct st33zp24_dev),
537                                GFP_KERNEL);
538         if (!tpm_dev)
539                 return -ENOMEM;
540
541         tpm_dev->phy_id = phy_id;
542         tpm_dev->ops = ops;
543         dev_set_drvdata(&chip->dev, tpm_dev);
544
545         chip->timeout_a = msecs_to_jiffies(TIS_SHORT_TIMEOUT);
546         chip->timeout_b = msecs_to_jiffies(TIS_LONG_TIMEOUT);
547         chip->timeout_c = msecs_to_jiffies(TIS_SHORT_TIMEOUT);
548         chip->timeout_d = msecs_to_jiffies(TIS_SHORT_TIMEOUT);
549
550         tpm_dev->locality = LOCALITY0;
551
552         if (irq) {
553                 /* INTERRUPT Setup */
554                 init_waitqueue_head(&tpm_dev->read_queue);
555                 tpm_dev->intrs = 0;
556
557                 if (request_locality(chip) != LOCALITY0) {
558                         ret = -ENODEV;
559                         goto _tpm_clean_answer;
560                 }
561
562                 clear_interruption(tpm_dev);
563                 ret = devm_request_irq(dev, irq, tpm_ioserirq_handler,
564                                 IRQF_TRIGGER_HIGH, "TPM SERIRQ management",
565                                 chip);
566                 if (ret < 0) {
567                         dev_err(&chip->dev, "TPM SERIRQ signals %d not available\n",
568                                 irq);
569                         goto _tpm_clean_answer;
570                 }
571
572                 intmask |= TPM_INTF_CMD_READY_INT
573                         |  TPM_INTF_STS_VALID_INT
574                         |  TPM_INTF_DATA_AVAIL_INT;
575
576                 ret = tpm_dev->ops->send(tpm_dev->phy_id, TPM_INT_ENABLE,
577                                          &intmask, 1);
578                 if (ret < 0)
579                         goto _tpm_clean_answer;
580
581                 intmask = TPM_GLOBAL_INT_ENABLE;
582                 ret = tpm_dev->ops->send(tpm_dev->phy_id, (TPM_INT_ENABLE + 3),
583                                          &intmask, 1);
584                 if (ret < 0)
585                         goto _tpm_clean_answer;
586
587                 tpm_dev->irq = irq;
588                 chip->flags |= TPM_CHIP_FLAG_IRQ;
589
590                 disable_irq_nosync(tpm_dev->irq);
591         }
592
593         return tpm_chip_register(chip);
594 _tpm_clean_answer:
595         dev_info(&chip->dev, "TPM initialization fail\n");
596         return ret;
597 }
598 EXPORT_SYMBOL(st33zp24_probe);
599
600 /*
601  * st33zp24_remove remove the TPM device
602  * @param: tpm_data, the tpm phy.
603  * @return: 0 in case of success.
604  */
605 int st33zp24_remove(struct tpm_chip *chip)
606 {
607         tpm_chip_unregister(chip);
608         return 0;
609 }
610 EXPORT_SYMBOL(st33zp24_remove);
611
612 #ifdef CONFIG_PM_SLEEP
613 /*
614  * st33zp24_pm_suspend suspend the TPM device
615  * @param: tpm_data, the tpm phy.
616  * @param: mesg, the power management message.
617  * @return: 0 in case of success.
618  */
619 int st33zp24_pm_suspend(struct device *dev)
620 {
621         struct tpm_chip *chip = dev_get_drvdata(dev);
622         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
623
624         int ret = 0;
625
626         if (gpio_is_valid(tpm_dev->io_lpcpd))
627                 gpio_set_value(tpm_dev->io_lpcpd, 0);
628         else
629                 ret = tpm_pm_suspend(dev);
630
631         return ret;
632 } /* st33zp24_pm_suspend() */
633 EXPORT_SYMBOL(st33zp24_pm_suspend);
634
635 /*
636  * st33zp24_pm_resume resume the TPM device
637  * @param: tpm_data, the tpm phy.
638  * @return: 0 in case of success.
639  */
640 int st33zp24_pm_resume(struct device *dev)
641 {
642         struct tpm_chip *chip = dev_get_drvdata(dev);
643         struct st33zp24_dev *tpm_dev = dev_get_drvdata(&chip->dev);
644         int ret = 0;
645
646         if (gpio_is_valid(tpm_dev->io_lpcpd)) {
647                 gpio_set_value(tpm_dev->io_lpcpd, 1);
648                 ret = wait_for_stat(chip,
649                                 TPM_STS_VALID, chip->timeout_b,
650                                 &tpm_dev->read_queue, false);
651         } else {
652                 ret = tpm_pm_resume(dev);
653                 if (!ret)
654                         tpm_do_selftest(chip);
655         }
656         return ret;
657 } /* st33zp24_pm_resume() */
658 EXPORT_SYMBOL(st33zp24_pm_resume);
659 #endif
660
661 MODULE_AUTHOR("TPM support (TPMsupport@list.st.com)");
662 MODULE_DESCRIPTION("ST33ZP24 TPM 1.2 driver");
663 MODULE_VERSION("1.3.0");
664 MODULE_LICENSE("GPL");