security/tpm/tspi: Do TPM Restart if TPM Resume fails

The Infineon SLB 9672 on newer Clevo machines regularly fails TPM Resume
on S3 with the error `TPM_RC_VALUE`.

Per TPM2 spec, handle the failure by performing a TPM Restart.

> The startup behavior defined by this specification is different than
> TPM 1.2 with respect to Startup(STATE). A TPM 1.2 device will enter
> Failure Mode if no state is available when the TPM receives
> Startup(STATE). This is not the case in this specification. It is up
> to the CRTM to take corrective action if it the TPM returns
> TPM_RC_VALUE in response to Startup(STATE).

Fixes the following error from being repeatedly logged in Linux:

> kernel: tpm tpm0: A TPM error (256) occurred attempting get random

Ref: Trusted Platform Module Library, Part 1: Architecture, rev 1.59
Change-Id: I3388007d4448c93bd0dda591c8ca7d1a8dc5306b
Signed-off-by: Tim Crawford <tcrawford@system76.com>

src/drivers/intel/dtbt/Kconfig

@@ -1,4 +0,0 @@
-config DRIVERS_INTEL_DTBT
-	def_bool n
-	help
-	  Support for discrete Thunderbolt controllers

src/drivers/intel/dtbt/Makefile.mk

@@ -1,3 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-ramstage-$(CONFIG_DRIVERS_INTEL_DTBT) += dtbt.c

src/drivers/intel/dtbt/chip.h

@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0-only */
-
-#ifndef _DRIVERS_INTEL_DTBT_CHIP_H_
-#define _DRIVERS_INTEL_DTBT_CHIP_H_
-
-struct drivers_intel_dtbt_config {};
-
-#endif /* _DRIVERS_INTEL_DTBT_CHIP_H_ */

src/drivers/intel/dtbt/dtbt.c

@@ -1,199 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0-only */
-
-#include "chip.h"
-#include <acpi/acpigen.h>
-#include <console/console.h>
-#include <delay.h>
-#include <device/device.h>
-#include <device/pci.h>
-#include <device/pciexp.h>
-#include <device/pci_ids.h>
-#include <timer.h>
-
-#define PCIE2TBT 0x54C
-#define PCIE2TBT_VALID BIT(0)
-#define PCIE2TBT_GO2SX			2
-#define PCIE2TBT_GO2SX_NO_WAKE		3
-#define PCIE2TBT_SX_EXIT_TBT_CONNECTED	4
-#define PCIE2TBT_OS_UP			6
-#define PCIE2TBT_SET_SECURITY_LEVEL	8
-#define PCIE2TBT_GET_SECURITY_LEVEL	9
-#define PCIE2TBT_BOOT_ON		24
-#define PCIE2TBT_USB_ON			25
-#define PCIE2TBT_GET_ENUMERATION_METHOD	26
-#define PCIE2TBT_SET_ENUMERATION_METHOD	27
-#define PCIE2TBT_POWER_CYCLE		28
-#define PCIE2TBT_SX_START		29
-#define PCIE2TBT_ACL_BOOT		30
-#define PCIE2TBT_CONNECT_TOPOLOGY	31
-
-#define TBT2PCIE 0x548
-#define TBT2PCIE_DONE BIT(0)
-
-// Default timeout for mailbox commands unless otherwise specified.
-#define TIMEOUT_MS 1000
-// Default timeout for controller to ack GO2SX/GO2SX_NO_WAKE mailbox command.
-#define GO2SX_TIMEOUT_MS 600
-
-static void dtbt_cmd(struct device *dev, u32 command, u32 data, u32 timeout)
-{
-	u32 reg = (data << 8) | (command << 1) | PCIE2TBT_VALID;
-	u32 status;
-
-	printk(BIOS_DEBUG, "dTBT send command %08x\n", command);
-	pci_write_config32(dev, PCIE2TBT, reg);
-
-	if (!wait_ms(timeout, (status = pci_read_config32(dev, TBT2PCIE)) & TBT2PCIE_DONE)) {
-		printk(BIOS_ERR, "dTBT command %08x send timeout %08x\n", command, status);
-	}
-
-	pci_write_config32(dev, PCIE2TBT, 0);
-	if (!wait_ms(timeout, !(pci_read_config32(dev, TBT2PCIE) & TBT2PCIE_DONE))) {
-		printk(BIOS_ERR, "dTBT command %08x clear timeout\n", command);
-	}
-}
-
-static void dtbt_write_dsd(void)
-{
-	struct acpi_dp *dsd = acpi_dp_new_table("_DSD");
-
-	acpi_device_add_hotplug_support_in_d3(dsd);
-	acpi_device_add_external_facing_port(dsd);
-	acpi_dp_write(dsd);
-}
-
-static void dtbt_write_opregion(const struct bus *bus)
-{
-	uintptr_t mmconf_base = (uintptr_t)CONFIG_ECAM_MMCONF_BASE_ADDRESS
-			+ (((uintptr_t)(bus->secondary)) << 20);
-	const struct opregion opregion = OPREGION("PXCS", SYSTEMMEMORY, mmconf_base, 0x1000);
-	const struct fieldlist fieldlist[] = {
-		FIELDLIST_OFFSET(TBT2PCIE),
-		FIELDLIST_NAMESTR("TB2P", 32),
-		FIELDLIST_OFFSET(PCIE2TBT),
-		FIELDLIST_NAMESTR("P2TB", 32),
-	};
-
-	acpigen_write_opregion(&opregion);
-	acpigen_write_field("PXCS", fieldlist, ARRAY_SIZE(fieldlist),
-			    FIELD_DWORDACC | FIELD_NOLOCK | FIELD_PRESERVE);
-}
-
-static void dtbt_fill_ssdt(const struct device *dev)
-{
-	struct bus *bus;
-	struct device *parent;
-	const char *parent_scope;
-	const char *dev_name = acpi_device_name(dev);
-
-	bus = dev->upstream;
-	if (!bus) {
-		printk(BIOS_ERR, "dTBT bus invalid\n");
-		return;
-	}
-
-	parent = bus->dev;
-	if (!parent || parent->path.type != DEVICE_PATH_PCI) {
-		printk(BIOS_ERR, "dTBT parent invalid\n");
-		return;
-	}
-
-	parent_scope = acpi_device_path(parent);
-	if (!parent_scope) {
-		printk(BIOS_ERR, "dTBT parent scope not valid\n");
-		return;
-	}
-
-	/* Scope */
-	acpigen_write_scope(parent_scope);
-	dtbt_write_dsd();
-
-	/* Device */
-	acpigen_write_device(dev_name);
-	acpigen_write_name_integer("_ADR", 0);
-	dtbt_write_opregion(bus);
-
-	/* Method */
-	acpigen_write_method_serialized("PTS", 0);
-
-	acpigen_write_debug_string("dTBT prepare to sleep");
-	acpigen_write_store_int_to_namestr(PCIE2TBT_GO2SX_NO_WAKE << 1, "P2TB");
-	acpigen_write_delay_until_namestr_int(GO2SX_TIMEOUT_MS, "TB2P", PCIE2TBT_GO2SX_NO_WAKE << 1);
-
-	acpigen_write_debug_namestr("TB2P");
-	acpigen_write_store_int_to_namestr(0, "P2TB");
-	acpigen_write_delay_until_namestr_int(GO2SX_TIMEOUT_MS, "TB2P", 0);
-	acpigen_write_debug_namestr("TB2P");
-
-	acpigen_write_method_end();
-	acpigen_write_device_end();
-	acpigen_write_scope_end();
-
-	printk(BIOS_DEBUG, "dTBT fill SSDT\n");
-	printk(BIOS_DEBUG, "  Dev %s\n", dev_path(dev));
-	//printk(BIOS_DEBUG, "  Bus %s\n", bus_path(bus));
-	printk(BIOS_DEBUG, "  Parent %s\n", dev_path(parent));
-	printk(BIOS_DEBUG, "  Scope %s\n", parent_scope);
-	printk(BIOS_DEBUG, "    Device %s\n", dev_name);
-
-	// \.TBTS Method
-	acpigen_write_scope("\\");
-	acpigen_write_method("TBTS", 0);
-	acpigen_emit_namestring(acpi_device_path_join(dev, "PTS"));
-	acpigen_write_method_end();
-	acpigen_write_scope_end();
-}
-
-static const char *dtbt_acpi_name(const struct device *dev)
-{
-	return "DTBT";
-}
-
-static struct pci_operations dtbt_device_ops_pci = {
-	.set_subsystem = 0,
-};
-
-static struct device_operations dtbt_device_ops = {
-	.read_resources   = pci_bus_read_resources,
-	.set_resources    = pci_dev_set_resources,
-	.enable_resources = pci_bus_enable_resources,
-	.acpi_fill_ssdt   = dtbt_fill_ssdt,
-	.acpi_name        = dtbt_acpi_name,
-	.scan_bus         = pciexp_scan_bridge,
-	.reset_bus        = pci_bus_reset,
-	.ops_pci          = &dtbt_device_ops_pci,
-};
-
-static void dtbt_enable(struct device *dev)
-{
-	if (!is_dev_enabled(dev) || dev->path.type != DEVICE_PATH_PCI)
-		return;
-
-	if (pci_read_config16(dev, PCI_VENDOR_ID) != PCI_VID_INTEL)
-		return;
-
-	// TODO: check device ID
-
-	dev->ops = &dtbt_device_ops;
-
-	printk(BIOS_INFO, "dTBT controller found at %s\n", dev_path(dev));
-
-	// XXX: Recommendation is to set SL1 ("User Authorization")
-	printk(BIOS_DEBUG, "dTBT set security level SL0\n");
-	dtbt_cmd(dev, PCIE2TBT_SET_SECURITY_LEVEL, 0, TIMEOUT_MS);
-	// XXX: Must verify change or rollback all controllers
-
-	if (acpi_is_wakeup_s3()) {
-		printk(BIOS_DEBUG, "dTBT SX exit\n");
-		dtbt_cmd(dev, PCIE2TBT_SX_EXIT_TBT_CONNECTED, 0, TIMEOUT_MS);
-		// TODO: "wait for fast link bring-up" loop (timeout: 5s)
-	} else {
-		printk(BIOS_DEBUG, "dTBT boot on\n");
-		dtbt_cmd(dev, PCIE2TBT_BOOT_ON, 0, TIMEOUT_MS);
-	}
-}
-
-struct chip_operations drivers_intel_dtbt_ops = {
-	.name = "Intel Discrete Thunderbolt",
-	.enable_dev = dtbt_enable,
-};

src/mainboard/system76/rpl/Kconfig

@@ -27,7 +27,6 @@ config BOARD_SYSTEM76_RPL_COMMON
 
 config BOARD_SYSTEM76_ADDW3
 	select BOARD_SYSTEM76_RPL_COMMON
-	select DRIVERS_INTEL_DTBT
 	select EC_SYSTEM76_EC_DGPU
 	select MAINBOARD_USES_IFD_GBE_REGION
 	select PCIEXP_HOTPLUG
@@ -41,7 +40,6 @@ config BOARD_SYSTEM76_ADDW4
 
 config BOARD_SYSTEM76_BONW15
 	select BOARD_SYSTEM76_RPL_COMMON
-	select DRIVERS_INTEL_DTBT
 	select EC_SYSTEM76_EC_DGPU
 	select PCIEXP_HOTPLUG
 	select SOC_INTEL_ALDERLAKE_PCH_S
@@ -76,14 +74,12 @@ config BOARD_SYSTEM76_ORYP11
 config BOARD_SYSTEM76_ORYP12
 	select BOARD_SYSTEM76_RPL_COMMON
 	select DRIVERS_I2C_TAS5825M
-	select DRIVERS_INTEL_DTBT
 	select EC_SYSTEM76_EC_DGPU
 	select PCIEXP_HOTPLUG
 	select SOC_INTEL_ALDERLAKE_PCH_S
 
 config BOARD_SYSTEM76_SERW13
 	select BOARD_SYSTEM76_RPL_COMMON
-	select DRIVERS_INTEL_DTBT
 	select EC_SYSTEM76_EC_DGPU
 	select PCIEXP_HOTPLUG
 	select SOC_INTEL_ALDERLAKE_PCH_S

src/mainboard/system76/rpl/variants/addw3/overridetree.cb

@@ -101,9 +101,6 @@ chip soc/intel/alderlake
 				.clk_req = 15,
 				.flags = PCIE_RP_HOTPLUG | PCIE_RP_LTR,
 			}"
-			chip drivers/intel/dtbt
-				device pci 00.0 on end
-			end
 		end
 
 		device ref pcie_rp25 on

src/mainboard/system76/rpl/variants/bonw15/overridetree.cb

@@ -97,9 +97,6 @@ chip soc/intel/alderlake
 				.clk_req = 15,
 				.flags = PCIE_RP_HOTPLUG | PCIE_RP_LTR,
 			}"
-			chip drivers/intel/dtbt
-				device pci 00.0 on end
-			end
 		end
 
 		device ref pcie_rp21 on

src/mainboard/system76/rpl/variants/oryp12/overridetree.cb

@@ -116,9 +116,6 @@ chip soc/intel/alderlake
 				.clk_req = 15,
 				.flags = PCIE_RP_LTR | PCIE_RP_HOTPLUG,
 			}"
-			chip drivers/intel/dtbt
-				device pci 00.0 on end
-			end
 		end
 	end
 end

src/mainboard/system76/rpl/variants/serw13/overridetree.cb

@@ -106,9 +106,6 @@ chip soc/intel/alderlake
 				.clk_req = 15,
 				.flags = PCIE_RP_LTR | PCIE_RP_HOTPLUG, // XXX: AER causes UnsupReq warnings
 			}"
-			chip drivers/intel/dtbt
-				device pci 00.0 on end
-			end
 		end
 	end
 end

src/security/tpm/tspi/tspi.c

@@ -73,6 +73,14 @@ static tpm_result_t tpm_setup_s3_helper(void)
 
 	default:
 		printk(BIOS_ERR, "TPM: Resume failed (%#x).\n", rc);
+		if (CONFIG(TPM2)) {
+			/*
+			 * TODO: Record EV_SEPARATOR event to indicate to host
+			 * that an error has occurred.
+			 */
+			printk(BIOS_WARNING, "TPM: Performing restart\n");
+			rc = tlcl_startup();
+		}
 		break;
 	}