Fix the suspend regression due to the wrong way of retrieving the
chip structure. The suspend functions are attached to the hardware
device, not the chip and thus must rely on drvdata.

Fixes: e89f8b1ade9cc1a ("tpm: Remove all uses of drvdata from the TPM Core")
Reported-by: NJeremiah Mahler <jmmahler@gmail.com>
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by: NJeremiah Mahler <jmmahler@gmail.com>
Acked-by: NJarkko Sakkinen <jarkko.sakkine@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkine@linux.intel.com>

The final thing preventing this was the way the sysfs files were
attached to the pdev. Follow the approach developed for ppi and move
the sysfs files to the chip->dev with symlinks from the pdev
for compatibility. Everything in the core now sanely uses container_of
to get the chip.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Move tpm_vendor_specific data related to TCG PTP specification to tpm_chip.

Move all fields directly linked with well known TCG concepts and used in
TPM drivers (tpm_i2c_atmel, tpm_i2c_infineon, tpm_i2c_nuvoton, tpm_tis
and xen-tpmfront) as well as in TPM core files (tpm-sysfs, tpm-interface
and tpm2-cmd) in tpm_chip.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Dropped the field 'irq' from struct tpm_vendor_specific and make it
available to the various private structures in the drivers using irqs.

A dedicated flag TPM_CHIP_FLAG_IRQ is added for the upper layers.

In st33zp24, struct st33zp24_dev declaration is moved to st33zp24.h in
order to make accessible irq from other phy's(i2c, spi).

In tpm_i2c_nuvoton, chip->vendor.priv is not directly allocated. We can
access irq field from priv_data in a cleaner way.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Replace the device number bitmap with IDR. Extend the number of devices we
can create to 64k.
Since an IDR allows us to associate a pointer with an ID, we use this now
to rewrite tpm_chip_find_get() to simply look up the chip pointer by the
given device ID.

Protect the IDR calls with a mutex.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Add a read/write semaphore around the ops function pointers so
ops can be set to null when the driver un-registers.

Previously the tpm core expected module locking to be enough to
ensure that tpm_unregister could not be called during certain times,
however that hasn't been sufficient for a long time.

Introduce a read/write semaphore around 'ops' so the core can set
it to null when unregistering. This provides a strong fence around
the driver callbacks, guaranteeing to the driver that no callbacks
are running or will run again.

For now the ops_lock is placed very high in the call stack, it could
be pushed down and made more granular in future if necessary.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

This is a hold over from before the struct device conversion.

- All prints should be using &chip->dev, which is the Linux
  standard. This changes prints to use tpm0 as the device name,
  not the PnP/etc ID.
- The few places involving sysfs/modules that really do need the
  parent just use chip->dev.parent instead
- We no longer need to get_device(pdev) in any places since it is no
  longer used by any of the code. The kref on the parent is held
  by the device core during device_add and dropped in device_del
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

IRQ probing needs to know that the TPM is working before trying to
probe, so move tpm_get_timeouts() to the top of the tpm_tis_init().
This has the advantage of also getting the correct timeouts loaded
before doing IRQ probing.

All the timeout handling code is moved to tpm_get_timeouts() in order to
remove duplicate code in tpm_tis and tpm_crb.

[jarkko.sakkinen@linux.intel.com: squashed two patches together and
improved the commit message.]
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NMartin Wilck <Martin.Wilck@ts.fujitsu.com>
Tested-by: NScot Doyle <lkml14@scotdoyle.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Acked-by: NPeter Huewe <peterhuewe@gmx.de>

commit 07b133e6 ("char/tpm: simplify duration calculation and
eliminate smatch warning.") includes a misleading test that is always
false. The tpm_ordinal_duration table is only valid for TPM_PROTECTED
ordinals where the higher 16 bits are all 0, anyway.
Signed-off-by: NMartin Wilck <Martin.Wilck@ts.fujitsu.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Acked-by: NPeter Huewe <peterhuewe@gmx.de>

Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing
trusted keys.

This patch implements basic sealing and unsealing functionality for
TPM 2.0:

* Seal with a parent key using a 20 byte auth value.
* Unseal with a parent key using a 20 byte auth value.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

Fixed suspend/resume paths for TPM 2.0 and consolidated all the
associated code to the tpm_pm_suspend() and tpm_pm_resume()
functions. Resume path should be handled by the firmware, i.e.
Startup(CLEAR) for hibernate and Startup(STATE) for suspend.

There might be some non-PC embedded devices in the future where
Startup() is not the handled by the FW but fixing the code for
those IMHO should be postponed until there is hardware available
to test the fixes although extra Startup in the driver code is
essentially a NOP.

Added Shutdown(CLEAR) to the remove paths of TIS and CRB drivers.
Changed tpm2_shutdown() to a void function because there isn't
much you can do except print an error message if this fails with
a system error.

Fixes: aec04cbd ("tpm: TPM 2.0 FIFO Interface")
Fixes: 30fc8d13 ("tpm: TPM 2.0 CRB Interface")
[phuewe: both did send TPM_Shutdown on resume which 'disables' the TPM
and did not send TPM2_Shutdown on teardown which leads some TPM2.0 to
believe there was an attack (no TPM2_Shutdown = no orderly shutdown =
attack)]
Reported-by: NPeter Hüwe <PeterHuewe@gmx.de>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NScot Doyle <lkml14@scotdoyle.com>
Reviewed-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

tpm_crb is a driver for TPM 2.0 Command Response Buffer (CRB) Interface
as defined in PC Client Platform TPM Profile (PTP) Specification.

Only polling and single locality is supported as these are the limitations
of the available hardware, Platform Trust Techonlogy (PTT) in Haswell
CPUs.

The driver always applies CRB with ACPI start because PTT reports using
only ACPI start as start method but as a result of my testing it requires
also CRB start.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NJasob Gunthorpe <jason.gunthorpe@obsidianresearch.com>
Reviewed-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

TPM 2.0 devices are separated by adding a field 'flags' to struct
tpm_chip and defining a flag TPM_CHIP_FLAG_TPM2 for tagging them.

This patch adds the following internal functions:

- tpm2_get_random()
- tpm2_get_tpm_pt()
- tpm2_pcr_extend()
- tpm2_pcr_read()
- tpm2_startup()

Additionally, the following exported functions are implemented for
implementing TPM 2.0 device drivers:

- tpm2_do_selftest()
- tpm2_calc_ordinal_durations()
- tpm2_gen_interrupt()

The existing functions that are exported for the use for existing
subsystems have been changed to check the flags field in struct
tpm_chip and use appropriate TPM 2.0 counterpart if
TPM_CHIP_FLAG_TPM2 is est.

The code for tpm2_calc_ordinal_duration() and tpm2_startup() were
originally written by Will Arthur.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NWill Arthur <will.c.arthur@intel.com>
Reviewed-by: NJasob Gunthorpe <jason.gunthorpe@obsidianresearch.com>
Reviewed-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NPeter Huewe <peterhuewe@gmx.de>
Tested-by: NPeter Huewe <peterhuewe@gmx.de>

[phuewe: Fixed copy paste error * 2]
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

Added own device class for TPM. Uses MISC_MAJOR:TPM_MINOR for the
first character device in order to retain backwards compatibility.
Added tpm_dev_release() back attached to the character device.

I've been running this code now for a while on my laptop (Lenovo
T430S) TrouSerS works perfectly without modifications. I don't
believe it breaks anything significantly.

The sysfs attributes that have been placed under the wrong place
and are against sysfs-rules.txt should be probably left to
stagnate under platform device directory and start defining
new sysfs attributes to the char device directory.

Guidelines for future TPM sysfs attributes should be probably
along the lines of

- Single flat set of mandatory sysfs attributes. For example,
  current PPI interface is way way too rich when you only want
  to use it to clear and activate the TPM.

- Define sysfs attribute if and only if there's no way to get
  the value from ring-3. No attributes for TPM properties. It's
  just unnecessary maintenance hurdle that we don't want.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NJasob Gunthorpe <jason.gunthorpe@obsidianresearch.com>
Reviewed-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NScot Doyle <lkml14@scotdoyle.com>
Tested-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

Rename chip->dev to chip->pdev to make it explicit that this not the
character device but actually represents the platform device.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NJasob Gunthorpe <jason.gunthorpe@obsidianresearch.com>
Reviewed-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NPeter Huewe <peterhuewe@gmx.de>
Tested-by: NScot Doyle <lkml14@scotdoyle.com>
Tested-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

tpm_register_hardware() and tpm_remove_hardware() are called often
before initializing the device. The problem is that the device might
not be fully initialized when it comes visible to the user space.

This patch resolves the issue by diving initialization into two
parts:

- tpmm_chip_alloc() creates struct tpm_chip.

- tpm_chip_register() sets up the character device and sysfs
  attributes.

The framework takes care of freeing struct tpm_chip by using the devres
API. The broken release callback has been wiped. ACPI drivers do not
ever get this callback.

Regards to Jason Gunthorpe for carefully reviewing this part of the
code.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NJasob Gunthorpe <jason.gunthorpe@obsidianresearch.com>
Reviewed-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NScot Doyle <lkml14@scotdoyle.com>
Tested-by: NPeter Huewe <peterhuewe@gmx.de>
[phuewe: update to upstream changes]
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

Merged transmit_cmd() functions in tpm-interface.c and tpm-sysfs.c.
Added "tpm_" prefix for consistency sake. Changed cmd parameter as
opaque. This enables to use separate command structures for TPM1
and TPM2 commands in future. Loose coupling works fine here.
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: NJasob Gunthorpe <jason.gunthorpe@obsidianresearch.com>
Reviewed-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NPeter Huewe <peterhuewe@gmx.de>
Tested-by: NScot Doyle <lkml14@scotdoyle.com>
Tested-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

Add newly registered TPMs to the tail of the list, not the beginning, so that
things that are specifying TPM_ANY_NUM don't find that the device they're
using has inadvertently changed.  Adding a second device would break IMA, for
instance.

Cc: stable@vger.kernel.org
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Reviewed-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

Some Atmel TPMs provide completely wrong timeouts from their
TPM_CAP_PROP_TIS_TIMEOUT query. This patch detects that and returns
new correct values via a DID/VID table in the TIS driver.

Tested on ARM using an AT97SC3204T FW version 37.16

Cc: <stable@vger.kernel.org>
[PHuewe: without this fix these 'broken' Atmel TPMs won't function on
older kernels]
Signed-off-by: N"Berg, Christopher" <Christopher.Berg@atmel.com>
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

Regression in 41ab999c. Call to tpm_chip_put is missing. This
will cause TPM device driver not to unload if tmp_get_random()
is called.

Cc: <stable@vger.kernel.org> # 3.7+
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

Properly clean the sysfs entries in the error path

Cc: <stable@vger.kernel.org>
Reported-by: NDmitry Kasatkin <dmitry.kasatkin@gmail.com>
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

This builds on the last commit to use the ops structure in the core
and reduce the size of tpm_vendor_specific.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJoel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: NAshley Lai <adlai@linux.vnet.ibm.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

This replaces the static initialization of a tpm_vendor_specific
structure in the drivers with the standard Linux idiom of providing
a const structure of function pointers.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJoel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: NAshley Lai <adlai@linux.vnet.ibm.com>
[phuewe: did apply manually due to commit
191ffc6bde3 tpm/tpm_i2c_atmel: fix coccinelle warnings]
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

The tpm core now sets up and controls all sysfs attributes, instead
of having each driver have a unique take on it.

All drivers now now have a uniform set of attributes, and no sysfs
related entry points are exported from the tpm core module.

This also uses the new method used to declare sysfs attributes
with DEVICE_ATTR_RO and 'struct attribute *'
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
[phuewe: had to apply the tpm_i2c_atmel part manually due to commit
191ffc6bde3fc tpm/tpm_i2c_atmel: fix coccinelle warnings]
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

CLASS-sysfs.c is a common idiom for linux subsystems.

This is the first step to pulling all the sysfs support code from
the drivers into tpm-sysfs. This is a plain text copy from tpm-interface
with support changes to make it compile.

_tpm_pcr_read is made non-static and is called tpm_pcr_read_dev.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

CLASS-dev.c is a common idiom for Linux subsystems

This pulls all the code related to the miscdev into tpm-dev.c and makes it
static. The identical file_operation structs in the drivers are purged and the
tpm common code unconditionally creates the miscdev.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJoel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: NAshley Lai <adlai@linux.vnet.ibm.com>
[phuewe:
tpm_dev_release is now used only in this file, thus the EXPORT_SYMBOL
can be dropped and the function be marked as static.
It has no other in-kernel users]
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

This is preparation for making the tpm module multi-file. kbuild does
not like having a .c file with the same name as a module. We wish to
keep the tpm module name so that userspace doesn't see this change.

tpm-interface.c is chosen because the next several commits in the series
migrate items into tpm-sysfs.c, tpm-dev.c and tpm-class.c. All that will
be left is tpm command processing and interfacing code.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>

before we rename the file it might be a good idea to cleanup the long
persisting checkpatch warnings.
Since everything is really trivial, splitting the patch up would only
result in noise.

For the interested reader - here the checkpatch warnings:
(regrouped for easer readability)

ERROR: trailing whitespace
+ * Specifications at www.trustedcomputinggroup.org^I $
+ * $
+^I/* $
+^I   parameters (RSA 12->bytes: keybit, #primes, expbit)  $

WARNING: unnecessary whitespace before a quoted newline
+			"invalid count value %x %zx \n", count, bufsiz);

ERROR: do not use assignment in if condition
+	if ((rc = chip->vendor.send(chip, (u8 *) buf, count)) < 0) {

ERROR: space required after that ',' (ctx:VxV)
+	len = tpm_transmit(chip,(u8 *) cmd, len);
 	                       ^

ERROR: "foo * bar" should be "foo *bar"
+ssize_t tpm_show_enabled(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_enabled(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_active(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_active(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_owned(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_owned(struct device * dev, struct device_attribute * attr,
+ssize_t tpm_show_temp_deactivated(struct device * dev,
+				struct device_attribute * attr, char *buf)

WARNING: please, no space before tabs
+ * @chip_num: ^Itpm idx # or ANY$
+ * @res_buf: ^ITPM_PCR value$
+ * ^I^Isize of res_buf is 20 bytes (or NULL if you don't care)$
+ * @chip_num: ^Itpm idx # or AN&$
+ * @hash: ^Ihash value used to extend pcr value$

ERROR: code indent should use tabs where possible
+^I                                     TPM_ORD_CONTINUE_SELFTEST);$

WARNING: line over 80 characters
+static bool wait_for_tpm_stat_cond(struct tpm_chip *chip, u8 mask, bool check_cancel,

ERROR: trailing whitespace
+ * Called from tpm_<specific>.c probe function only for devices $

total: 16 errors, 7 warnings, 1554 lines checked
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

The version of the TPM should not depend on the bus it is connected
through. 1.1, 1.2 and soon 2.0 TPMS will be all be able to use the
same bus interfaces.

Make tpm_show_caps try the 1.2 capability first. If that fails then
fall back to the 1.1 capability. This effectively auto-detects what
interface the TPM supports at run-time.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJoel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

misc_open sets the file->private_date to the misc_dev when calling
open. We can use container_of to go from the misc_dev back to the
tpm_chip.

Future clean ups will move tpm_open into a new file and this change
means we do not have to export the tpm_chip list.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJoel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: NPeter Huewe <peterhuewe@gmx.de>
Acked-by: NAshley Lai <adlai@linux.vnet.ibm.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

Just put the memory directly in the chip structure, rather than
in a 2nd dedicated kmalloc.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: NJoel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
Acked-by: NAshley Lai <adlai@linux.vnet.ibm.com>

The 81198078 commit reintroduced a regression
(error: __ksymtab_tpm_dev_release causes a section type conflict) that was fixed by commit
cbb2ed4a.
Fix it for good by adding the prototype to tpm.h so sparse doesn't
complain about it anymore.
Reported-by: NTony Camuso <tcamuso@redhat.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>

If the TPM has already been sent a SaveState command before the driver
is loaded it may have problems sending that same command again later.

This issue is seen with the Chromebook Pixel due to a firmware bug in
the legacy mode boot path which is sending the SaveState command
before booting the kernel.  More information is available at
http://crbug.com/203524

This change introduces a retry of the SaveState command in the suspend
path in order to work around this issue.  A future firmware update
should fix this but this is also a trivial workaround in the driver
that has no effect on systems that do not show this problem.

When this does happen the TPM responds with a non-fatal TPM_RETRY code
that is defined in the specification:

  The TPM is too busy to respond to the command immediately, but the
  command could be resubmitted at a later time.  The TPM MAY return
  TPM_RETRY for any command at any time.

It can take several seconds before the TPM will respond again.  I
measured a typical time between 3 and 4 seconds and the timeout is set
at a safe 5 seconds.

It is also possible to reproduce this with commands via /dev/tpm0.
The bug linked above has a python script attached which can be used to
test for this problem.  I tested a variety of TPMs from Infineon,
Nuvoton, Atmel, and STMicro but was only able to reproduce this with
LPC and I2C TPMs from Infineon.

The TPM specification only loosely defines this behavior:

  TPM Main Level 2 Part 3 v1.2 r116, section 3.3. TPM_SaveState:
  The TPM MAY declare all preserved values invalid in response to any
  command other than TPM_Init.

  TCG PC Client BIOS Spec 1.21 section 8.3.1.
  After issuing a TPM_SaveState command, the OS SHOULD NOT issue TPM
  commands before transitioning to S3 without issuing another
  TPM_SaveState command.

  TCG PC Client TIS 1.21, section 4. Power Management:
  The TPM_SaveState command allows a Static OS to indicate to the TPM
  that the platform may enter a low power state where the TPM will be
  required to enter into the D3 power state.  The use of the term "may"
  is significant in that there is no requirement for the platform to
  actually enter the low power state after sending the TPM_SaveState
  command.  The software may, in fact, send subsequent commands after
  sending the TPM_SaveState command.

Change-Id: I52b41e826412688e5b6c8ddd3bb16409939704e9
Signed-off-by: NDuncan Laurie <dlaurie@chromium.org>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

Support cancellation of TPM commands when driver is used in interrupt
mode.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

On one of my machines the cancellation of TPM commands does not work.
The reason is that by writing into sysfs 'cancel' the tpm_tis_ready
call causes the status flag TPM_STS_VALID to be set in the statusregister.
However, the TIS driver seems to wait for TPM_STS_COMMAND_READY.
Once a 2nd time sysfs 'cancel' is written to, the TPM_STS_COMMAND_READY flag
also gets set, resulting in TPM_STS_VALID|TPM_STS_COMMAND_READY to be
read from the status register.

This patch now converts req_canceled into a function to enable more complex
comparisons against possible cancellation status codes.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

We've been testing an alternative TPM for our embedded products and
found random kernel boot failures due to time outs after the continue
self test command.

This was happening randomly, and has been *very* hard to track down, but
it
looks like with this chip there is some kind of race with the
tpm_tis_status()
check of TPM_STS_COMMAND_READY. If things get there 'too fast' then
it sees the chip is ready, or tpm_tis_ready() works. Otherwise it takes
somewhere over 400ms before the chip will return TPM_STS_COMMAND_READY.

Adding some delay after tpm_continue_selftest() makes things reliably
hit the failure path, otherwise it is a crapshot.

The spec says it should be returning TPM_WARN_DOING_SELFTEST, not
holding
off on ready..

Boot log during this event looks like this:

tpm_tis 70030000.tpm_tis: 1.2 TPM (device-id 0x3204, rev-id 64)
tpm_tis 70030000.tpm_tis: Issuing TPM_STARTUP
tpm_tis 70030000.tpm_tis: tpm_transmit: tpm_send: error -62
tpm_tis 70030000.tpm_tis: [Hardware Error]: TPM command timed out during
continue self test
tpm_tis 70030000.tpm_tis: tpm_transmit: tpm_send: error -62
tpm_tis 70030000.tpm_tis: [Hardware Error]: TPM command timed out during
continue self test
tpm_tis 70030000.tpm_tis: tpm_transmit: tpm_send: error -62
tpm_tis 70030000.tpm_tis: [Hardware Error]: TPM command timed out during
continue self test
tpm_tis 70030000.tpm_tis: tpm_transmit: tpm_send: error -62
tpm_tis 70030000.tpm_tis: [Hardware Error]: TPM command timed out during
continue self test

The other TPM vendor we use doesn't show this wonky behaviour:
tpm_tis 70030000.tpm_tis: 1.2 TPM (device-id 0xFE, rev-id 70)
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

The TPM will respond to TPM_GET_CAP with TPM_ERR_INVALID_POSTINIT if
TPM_STARTUP has not been issued. Detect this and automatically
issue TPM_STARTUP.

This is for embedded applications where the kernel is the first thing
to touch the TPM.
Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by: NPeter Huewe <peter.huewe@infineon.com>
Reviewed-by: NPeter Huewe <peter.huewe@infineon.com>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

This patch changes the semantics of the duration calculation for an
ordinal, by masking out the higher bits of a tpm command, which specify
whether it's an TPM_PROTECTED_COMMAND, TPM_UNPROTECTED_COMMAND,
TPM_CONNECTION_COMMAND, TPM_CONNECTION_COMMAND, TPM_VENDOR_COMMAND.
(See TPM Main Spec Part 2 Section 17 for details).

For all TPM_PROTECTED and TPM_CONNECTION commands the results are
unchanged.
The TPM_UNPROTECTED commands are TSS commands and thus irrelevant as
they are not sent to the tpm.
For vendor commands the semantics change for ordinals 10 and 11 but
they were probably wrong anyway.

For everything else which has the ordinal set to 10 or 11 the semantics
change as it now uses TPM_UNDEFINED instead of TPM_SHORT which was
probably wrong anyway (but irrelevant as not defined by the standard).

This patch also gets rid of the (false positive) smatch warning:
 drivers/char/tpm/tpm.c:360 tpm_calc_ordinal_duration() error: buffer
 overflow 'tpm_protected_ordinal_duration' 12 <= 243
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

The entries in tpm_protected_ordinal_duration are exactly the same as
the first 12 in tpm_ordinal_duration, so we can simply remove this one,
and save some bytes.

This does not change the behavior of the driver.
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>

tpm_write calls tpm_transmit without checking the return value and
assigns the return value unconditionally to chip->pending_data, even if
it's an error value.
This causes three bugs.

So if we write to /dev/tpm0 with a tpm_param_size bigger than
TPM_BUFSIZE=0x1000 (e.g. 0x100a)
and a bufsize also bigger than TPM_BUFSIZE (e.g. 0x100a)
tpm_transmit returns -E2BIG which is assigned to chip->pending_data as
-7, but tpm_write returns that TPM_BUFSIZE bytes have been successfully
been written to the TPM, altough this is not true (bug #1).

As we did write more than than TPM_BUFSIZE bytes but tpm_write reports
that only TPM_BUFSIZE bytes have been written the vfs tries to write
the remaining bytes (in this case 10 bytes) to the tpm device driver via
tpm_write which then blocks at

 /* cannot perform a write until the read has cleared
 either via tpm_read or a user_read_timer timeout */
 while (atomic_read(&chip->data_pending) != 0)
	 msleep(TPM_TIMEOUT);

for 60 seconds, since data_pending is -7 and nobody is able to
read it (since tpm_read luckily checks if data_pending is greater than
0) (#bug 2).

After that the remaining bytes are written to the TPM which are
interpreted by the tpm as a normal command. (bug #3)
So if the last bytes of the command stream happen to be a e.g.
tpm_force_clear this gets accidentally sent to the TPM.

This patch fixes all three bugs, by propagating the error code of
tpm_write and returning -E2BIG if the input buffer is too big,
since the response from the tpm for a truncated value is bogus anyway.
Moreover it returns -EBUSY to userspace if there is a response ready to be
read.
Signed-off-by: NPeter Huewe <peter.huewe@infineon.com>
Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>