From: Arun Menon <[email protected]> - Add logic to populate internal TPM command request and response buffers and to toggle the control registers after each operation. - The chunk size is limited to CRB_CTRL_CMD_SIZE which is (TPM_CRB_ADDR_SIZE - A_CRB_DATA_BUFFER). This comes out as 3968 bytes (4096 - 128 or 0x1000 - 0x80), because 128 bytes are reserved for control and status registers. In other words, only 3968 bytes are available for the TPM data. - With this feature, guests can send commands larger than 3968 bytes. - Refer section 6.5.3.9 of [1] for implementation details.
[1] https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p07_Pub.pdf Signed-off-by: Arun Menon <[email protected]> Reviewed-by: Stefan Berger <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Link: https://lore.kernel.org/qemu-devel/[email protected] Signed-off-by: Stefan Berger <[email protected]> --- hw/tpm/tpm_crb.c | 143 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 130 insertions(+), 13 deletions(-) diff --git a/hw/tpm/tpm_crb.c b/hw/tpm/tpm_crb.c index 1c944d7ef2..f85df08185 100644 --- a/hw/tpm/tpm_crb.c +++ b/hw/tpm/tpm_crb.c @@ -17,6 +17,7 @@ #include "qemu/osdep.h" #include "qemu/module.h" +#include "qemu/error-report.h" #include "qapi/error.h" #include "system/address-spaces.h" #include "hw/core/qdev-properties.h" @@ -66,6 +67,7 @@ DECLARE_INSTANCE_CHECKER(CRBState, CRB, #define CRB_INTF_CAP_CRB_CHUNK 0b1 #define CRB_CTRL_CMD_SIZE (TPM_CRB_ADDR_SIZE - A_CRB_DATA_BUFFER) +#define TPM_HEADER_SIZE 10 enum crb_loc_ctrl { CRB_LOC_CTRL_REQUEST_ACCESS = BIT(0), @@ -81,6 +83,8 @@ enum crb_ctrl_req { enum crb_start { CRB_START_INVOKE = BIT(0), + CRB_START_RSP_RETRY = BIT(1), + CRB_START_NEXT_CHUNK = BIT(2), }; enum crb_cancel { @@ -123,6 +127,69 @@ static uint8_t tpm_crb_get_active_locty(CRBState *s) return ARRAY_FIELD_EX32(s->regs, CRB_LOC_STATE, activeLocality); } +static bool tpm_crb_append_command_request(CRBState *s) +{ + /* + * The linux guest writes the TPM command to the MMIO region in chunks. + * This function appends a chunk from the MMIO region to internal + * command_buffer. + */ + void *mem = memory_region_get_ram_ptr(&s->cmdmem); + uint32_t to_copy = 0; + uint32_t total_request_size = 0; + + /* + * The initial call extracts the total TPM command size + * from its header. For the subsequent calls, the data already + * appended in the command_buffer is used to calculate the total + * size, as its header stays the same. + */ + if (s->command_buffer->len == 0) { + total_request_size = tpm_cmd_get_size(mem); + if (total_request_size < TPM_HEADER_SIZE) { + ARRAY_FIELD_DP32(s->regs, CRB_CTRL_STS, tpmSts, 1); + ARRAY_FIELD_DP32(s->regs, CRB_CTRL_START, Start, 0); + ARRAY_FIELD_DP32(s->regs, CRB_CTRL_START, nextChunk, 0); + tpm_crb_clear_internal_buffers(s); + error_report("Command size %" PRIu32 " less than " + "TPM header size %" PRIu32, + total_request_size, (uint32_t)TPM_HEADER_SIZE); + return false; + } + } else { + total_request_size = tpm_cmd_get_size(s->command_buffer->data); + } + total_request_size = MIN(total_request_size, s->be_buffer_size); + + if (total_request_size > s->command_buffer->len) { + uint32_t remaining = total_request_size - s->command_buffer->len; + to_copy = MIN(remaining, CRB_CTRL_CMD_SIZE); + g_byte_array_append(s->command_buffer, (guint8 *)mem, to_copy); + } + return true; +} + +static void tpm_crb_fill_command_response(CRBState *s) +{ + /* + * Response from the tpm backend will be stored in the internal + * response_buffer. This function will serve that accumulated response + * to the linux guest in chunks by writing it back to MMIO region. + */ + void *mem = memory_region_get_ram_ptr(&s->cmdmem); + uint32_t remaining = s->response_buffer->len - s->response_offset; + uint32_t to_copy = MIN(CRB_CTRL_CMD_SIZE, remaining); + + memcpy(mem, s->response_buffer->data + s->response_offset, to_copy); + + if (to_copy < CRB_CTRL_CMD_SIZE) { + memset((guint8 *)mem + to_copy, 0, CRB_CTRL_CMD_SIZE - to_copy); + } + + s->response_offset += to_copy; + memory_region_set_dirty(&s->cmdmem, 0, CRB_CTRL_CMD_SIZE); +} + static void tpm_crb_mmio_write(void *opaque, hwaddr addr, uint64_t val, unsigned size) { @@ -153,20 +220,58 @@ static void tpm_crb_mmio_write(void *opaque, hwaddr addr, } break; case A_CRB_CTRL_START: - if (val == CRB_START_INVOKE && - !(s->regs[R_CRB_CTRL_START] & CRB_START_INVOKE) && - tpm_crb_get_active_locty(s) == locty) { - void *mem = memory_region_get_ram_ptr(&s->cmdmem); - + if (tpm_crb_get_active_locty(s) != locty) { + break; + } + if (s->regs[R_CRB_CTRL_START] & CRB_START_INVOKE) { + /* + * Backend TPM is busy processing a request. + */ + break; + } + if (val & CRB_START_INVOKE) { + if (!tpm_crb_append_command_request(s)) { + break; + } ARRAY_FIELD_DP32(s->regs, CRB_CTRL_START, Start, 1); + g_byte_array_set_size(s->response_buffer, s->be_buffer_size); s->cmd = (TPMBackendCmd) { - .in = mem, - .in_len = MIN(tpm_cmd_get_size(mem), s->be_buffer_size), - .out = mem, - .out_len = s->be_buffer_size, + .in = s->command_buffer->data, + .in_len = s->command_buffer->len, + .out = s->response_buffer->data, + .out_len = s->response_buffer->len, }; - tpm_backend_deliver_request(s->tpmbe, &s->cmd); + } else if (val & CRB_START_NEXT_CHUNK) { + if (!s->cap_chunk) { + break; + } + /* + * nextChunk is used both while sending and receiving data. + * To distinguish between the two, response_buffer is checked. + * If it does not have data, then that means we have not yet + * sent the command to the tpm backend, and therefore call + * tpm_crb_append_command_request(). + */ + if (s->response_buffer->len > 0 && + s->response_offset < s->response_buffer->len) { + tpm_crb_fill_command_response(s); + } else { + if (!tpm_crb_append_command_request(s)) { + break; + } + } + ARRAY_FIELD_DP32(s->regs, CRB_CTRL_START, nextChunk, 0); + } else if (val & CRB_START_RSP_RETRY) { + if (!s->cap_chunk) { + break; + } + if (s->response_buffer->len > 0) { + s->response_offset = 0; + tpm_crb_fill_command_response(s); + } + ARRAY_FIELD_DP32(s->regs, CRB_CTRL_START, crbRspRetry, 0); + ARRAY_FIELD_DP32(s->regs, CRB_CTRL_START, nextChunk, 0); } break; case A_CRB_LOC_CTRL: @@ -211,8 +316,21 @@ static void tpm_crb_request_completed(TPMIf *ti, int ret) if (ret != 0) { ARRAY_FIELD_DP32(s->regs, CRB_CTRL_STS, tpmSts, 1); /* fatal error */ + tpm_crb_clear_internal_buffers(s); + } else { + uint32_t actual_resp_size = tpm_cmd_get_size(s->response_buffer->data); + uint32_t total_resp_size = MIN(actual_resp_size, s->be_buffer_size); + g_byte_array_set_size(s->response_buffer, total_resp_size); + s->response_offset = 0; } - memory_region_set_dirty(&s->cmdmem, 0, CRB_CTRL_CMD_SIZE); + /* + * Send the first chunk. Subsequent chunks will be sent + * on receiving nextChunk from the guest + */ + tpm_crb_fill_command_response(s); + ARRAY_FIELD_DP32(s->regs, CRB_CTRL_START, nextChunk, 0); + ARRAY_FIELD_DP32(s->regs, CRB_CTRL_START, crbRspRetry, 0); + g_byte_array_set_size(s->command_buffer, 0); } static enum TPMVersion tpm_crb_get_version(TPMIf *ti) @@ -287,8 +405,7 @@ static void tpm_crb_reset(void *dev) s->regs[R_CRB_CTRL_RSP_SIZE] = CRB_CTRL_CMD_SIZE; s->regs[R_CRB_CTRL_RSP_ADDR] = TPM_CRB_ADDR_BASE + A_CRB_DATA_BUFFER; - s->be_buffer_size = MIN(tpm_backend_get_buffer_size(s->tpmbe), - CRB_CTRL_CMD_SIZE); + s->be_buffer_size = tpm_backend_get_buffer_size(s->tpmbe); if (tpm_backend_startup_tpm(s->tpmbe, s->be_buffer_size) < 0) { exit(1); -- 2.54.0
