// SPDX-License-Identifier: GPL-2.0+ /* * Copyright 2008-2009 Freescale Semiconductor, Inc. All Rights Reserved. * Copyright 2010 Orex Computed Radiography
*/
/* * This driver uses the 47-bit 32 kHz counter in the Freescale DryIce block * to implement a Linux RTC. Times and alarms are truncated to seconds. * Since the RTC framework performs API locking via rtc->ops_lock the * only simultaneous accesses we need to deal with is updating DryIce * registers while servicing an alarm. * * Note that reading the DSR (DryIce Status Register) automatically clears * the WCF (Write Complete Flag). All DryIce writes are synchronized to the * LP (Low Power) domain and set the WCF upon completion. Writes to the * DIER (DryIce Interrupt Enable Register) are the only exception. These * occur at normal bus speeds and do not set WCF. Periodic interrupts are * not supported by the hardware.
*/
/* Some background: * * The DryIce unit is a complex security/tamper monitor device. To be able do * its job in a useful manner it runs a bigger statemachine to bring it into * security/tamper failure state and once again to bring it out of this state. * * This unit can be in one of three states: * * - "NON-VALID STATE" * always after the battery power was removed * - "FAILURE STATE" * if one of the enabled security events has happened * - "VALID STATE" * if the unit works as expected * * Everything stops when the unit enters the failure state including the RTC * counter (to be able to detect the time the security event happened). * * The following events (when enabled) let the DryIce unit enter the failure * state: * * - wire-mesh-tamper detect * - external tamper B detect * - external tamper A detect * - temperature tamper detect * - clock tamper detect * - voltage tamper detect * - RTC counter overflow * - monotonic counter overflow * - external boot * * If we find the DryIce unit in "FAILURE STATE" and the TDCHL cleared, we * can only detect this state. In this case the unit is completely locked and * must force a second "SYSTEM POR" to bring the DryIce into the * "NON-VALID STATE" + "FAILURE STATE" where a recovery is possible. * If the TDCHL is set in the "FAILURE STATE" we are out of luck. In this case * a battery power cycle is required. * * In the "NON-VALID STATE" + "FAILURE STATE" we can clear the "FAILURE STATE" * and recover the DryIce unit. By clearing the "NON-VALID STATE" as the last * task, we bring back this unit into life.
*/
/* * Do a write into the unit without interrupt support. * We do not need to check the WEF here, because the only reason this kind of * write error can happen is if we write to the unit twice within the 122 us * interval. This cannot happen, since we are using this function only while * setting up the unit.
*/ staticvoid di_write_busy_wait(conststruct imxdi_dev *imxdi, u32 val, unsigned reg)
{ /* do the register write */
writel(val, imxdi->ioaddr + reg);
/* * now it takes four 32,768 kHz clock cycles to take * the change into effect = 122 us
*/
usleep_range(130, 200);
}
dev_emerg(&imxdi->pdev->dev, "DryIce tamper event detected\n"); /* the following flags force a transition into the "FAILURE STATE" */ if (dsr & DSR_VTD)
dev_emerg(&imxdi->pdev->dev, "%sVoltage Tamper Event\n",
dtcr & DTCR_VTE ? "" : "Spurious ");
staticvoid di_what_is_to_be_done(struct imxdi_dev *imxdi, constchar *power_supply)
{
dev_emerg(&imxdi->pdev->dev, "Please cycle the %s power supply in order to get the DryIce/RTC unit working again\n",
power_supply);
}
/* report the cause */
di_report_tamper_info(imxdi, dsr);
dcr = readl(imxdi->ioaddr + DCR);
if (dcr & DCR_FSHL) { /* we are out of luck */
di_what_is_to_be_done(imxdi, "battery"); return -ENODEV;
} /* * with the next SYSTEM POR we will transit from the "FAILURE STATE" * into the "NON-VALID STATE" + "FAILURE STATE"
*/
di_what_is_to_be_done(imxdi, "main");
/* * lets disable all sources which can force the DryIce unit into * the "FAILURE STATE" for now
*/
di_write_busy_wait(imxdi, 0x00000000, DTCR); /* and lets protect them at runtime from any change */
di_write_busy_wait(imxdi, DCR_TDCSL, DCR);
sec = readl(imxdi->ioaddr + DTCMR); if (sec != 0)
dev_warn(&imxdi->pdev->dev, "The security violation has happened at %u seconds\n",
sec); /* * the timer cannot be set/modified if * - the TCHL or TCSL bit is set in DCR
*/
dcr = readl(imxdi->ioaddr + DCR); if (!(dcr & DCR_TCE)) { if (dcr & DCR_TCHL) { /* we are out of luck */
di_what_is_to_be_done(imxdi, "battery"); return -ENODEV;
} if (dcr & DCR_TCSL) {
di_what_is_to_be_done(imxdi, "main"); return -ENODEV;
}
} /* * - the timer counter stops/is stopped if * - its overflow flag is set (TCO in DSR) * -> clear overflow bit to make it count again * - NVF is set in DSR * -> clear non-valid bit to make it count again * - its TCE (DCR) is cleared * -> set TCE to make it count * - it was never set before * -> write a time into it (required again if the NVF was set)
*/ /* state handled */
di_write_busy_wait(imxdi, DSR_NVF, DSR); /* clear overflow flag */
di_write_busy_wait(imxdi, DSR_TCO, DSR); /* enable the counter */
di_write_busy_wait(imxdi, dcr | DCR_TCE, DCR); /* set and trigger it to make it count */
di_write_busy_wait(imxdi, sec, DTCMR);
/* now prepare for the valid state */ return di_handle_valid_state(imxdi, __raw_readl(imxdi->ioaddr + DSR));
}
/* * now we must first remove the tamper sources in order to get the * device out of the "FAILURE STATE" * To disable any of the following sources we need to modify the DTCR
*/ if (dsr & (DSR_WTD | DSR_ETBD | DSR_ETAD | DSR_EBD | DSR_SAD |
DSR_TTD | DSR_CTD | DSR_VTD | DSR_MCO | DSR_TCO)) {
dcr = __raw_readl(imxdi->ioaddr + DCR); if (dcr & DCR_TDCHL) { /* * the tamper register is locked. We cannot disable the * tamper detection. The TDCHL can only be reset by a * DRYICE POR, but we cannot force a DRYICE POR in * software because we are still in "FAILURE STATE". * We need a DRYICE POR via battery power cycling....
*/ /* * out of luck! * we cannot disable them without a DRYICE POR
*/
di_what_is_to_be_done(imxdi, "battery"); return -ENODEV;
} if (dcr & DCR_TDCSL) { /* a soft lock can be removed by a SYSTEM POR */
di_what_is_to_be_done(imxdi, "main"); return -ENODEV;
}
}
/* disable all sources */
di_write_busy_wait(imxdi, 0x00000000, DTCR);
/* clear the status bits now */
di_write_busy_wait(imxdi, dsr & (DSR_WTD | DSR_ETBD | DSR_ETAD |
DSR_EBD | DSR_SAD | DSR_TTD | DSR_CTD | DSR_VTD |
DSR_MCO | DSR_TCO), DSR);
dsr = readl(imxdi->ioaddr + DSR); if ((dsr & ~(DSR_NVF | DSR_SVF | DSR_WBF | DSR_WNF |
DSR_WCF | DSR_WEF)) != 0)
dev_warn(&imxdi->pdev->dev, "There are still some sources of pain in DSR: %08x!\n",
dsr & ~(DSR_NVF | DSR_SVF | DSR_WBF | DSR_WNF |
DSR_WCF | DSR_WEF));
/* * now we are trying to clear the "Security-violation flag" to * get the DryIce out of this state
*/
di_write_busy_wait(imxdi, DSR_SVF, DSR);
/* success? */
dsr = readl(imxdi->ioaddr + DSR); if (dsr & DSR_SVF) {
dev_crit(&imxdi->pdev->dev, "Cannot clear the security violation flag. We are ending up in an endless loop!\n"); /* last resort */
di_what_is_to_be_done(imxdi, "battery"); return -ENODEV;
}
/* * now we have left the "FAILURE STATE" and ending up in the * "NON-VALID STATE" time to recover everything
*/ return di_handle_invalid_state(imxdi, dsr);
}
staticint di_handle_state(struct imxdi_dev *imxdi)
{ int rc;
u32 dsr;
dsr = readl(imxdi->ioaddr + DSR);
switch (dsr & (DSR_NVF | DSR_SVF)) { case DSR_NVF:
dev_warn(&imxdi->pdev->dev, "Invalid stated unit detected\n");
rc = di_handle_invalid_state(imxdi, dsr); break; case DSR_SVF:
dev_warn(&imxdi->pdev->dev, "Failure stated unit detected\n");
rc = di_handle_failure_state(imxdi, dsr); break; case DSR_NVF | DSR_SVF:
dev_warn(&imxdi->pdev->dev, "Failure+Invalid stated unit detected\n");
rc = di_handle_invalid_and_failure_state(imxdi, dsr); break; default:
dev_notice(&imxdi->pdev->dev, "Unlocked unit detected\n");
rc = di_handle_valid_state(imxdi, dsr);
}
/* * This function attempts to clear the dryice write-error flag. * * A dryice write error is similar to a bus fault and should not occur in * normal operation. Clearing the flag requires another write, so the root * cause of the problem may need to be fixed before the flag can be cleared.
*/ staticvoid clear_write_error(struct imxdi_dev *imxdi)
{ int cnt;
/* clear the write error flag */
writel(DSR_WEF, imxdi->ioaddr + DSR);
/* wait for it to take effect */ for (cnt = 0; cnt < 1000; cnt++) { if ((readl(imxdi->ioaddr + DSR) & DSR_WEF) == 0) return;
udelay(10);
}
dev_err(&imxdi->pdev->dev, "ERROR: Cannot clear write-error flag!\n");
}
/* * Write a dryice register and wait until it completes. * * This function uses interrupts to determine when the * write has completed.
*/ staticint di_write_wait(struct imxdi_dev *imxdi, u32 val, int reg)
{ int ret; int rc = 0;
/* enable the write-complete interrupt */
di_int_enable(imxdi, DIER_WCIE);
imxdi->dsr = 0;
/* do the register write */
writel(val, imxdi->ioaddr + reg);
/* wait for the write to finish */
ret = wait_event_interruptible_timeout(imxdi->write_wait,
imxdi->dsr & (DSR_WCF | DSR_WEF), msecs_to_jiffies(1)); if (ret < 0) {
rc = ret; goto out;
} elseif (ret == 0) {
dev_warn(&imxdi->pdev->dev, "Write-wait timeout " "val = 0x%08x reg = 0x%08x\n", val, reg);
}
/* check for write error */ if (imxdi->dsr & DSR_WEF) {
clear_write_error(imxdi);
rc = -EIO;
}
out:
mutex_unlock(&imxdi->write_mutex);
return rc;
}
/* * read the seconds portion of the current time from the dryice time counter
*/ staticint dryice_rtc_read_time(struct device *dev, struct rtc_time *tm)
{ struct imxdi_dev *imxdi = dev_get_drvdata(dev); unsignedlong now;
now = readl(imxdi->ioaddr + DTCMR);
rtc_time64_to_tm(now, tm);
return 0;
}
/* * set the seconds portion of dryice time counter and clear the * fractional part.
*/ staticint dryice_rtc_set_time(struct device *dev, struct rtc_time *tm)
{ struct imxdi_dev *imxdi = dev_get_drvdata(dev);
u32 dcr, dsr; int rc;
if (!(dcr & DCR_TCE) || (dsr & DSR_SVF)) { if (dcr & DCR_TCHL) { /* we are even more out of luck */
di_what_is_to_be_done(imxdi, "battery"); return -EPERM;
} if ((dcr & DCR_TCSL) || (dsr & DSR_SVF)) { /* we are out of luck for now */
di_what_is_to_be_done(imxdi, "main"); return -EPERM;
}
}
/* zero the fractional part first */
rc = di_write_wait(imxdi, 0, DTCLR); if (rc != 0) return rc;
if (enabled)
di_int_enable(imxdi, DIER_CAIE); else
di_int_disable(imxdi, DIER_CAIE);
return 0;
}
/* * read the seconds portion of the alarm register. * the fractional part of the alarm register is always zero.
*/ staticint dryice_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alarm)
{ struct imxdi_dev *imxdi = dev_get_drvdata(dev);
u32 dcamr;
/* handle the security violation event */ if (dier & DIER_SVIE) { if (dsr & DSR_SVF) { /* * Disable the interrupt when this kind of event has * happened. * There cannot be more than one event of this type, * because it needs a complex state change * including a main power cycle to get again out of * this state.
*/
di_int_disable(imxdi, DIER_SVIE); /* report the violation */
di_report_tamper_info(imxdi, dsr);
rc = IRQ_HANDLED;
}
}
/* handle write complete and write error cases */ if (dier & DIER_WCIE) { /*If the write wait queue is empty then there is no pending operations. It means the interrupt is for DryIce -Security.
IRQ must be returned as none.*/ if (list_empty_careful(&imxdi->write_wait.head)) return rc;
/* DSR_WCF clears itself on DSR read */ if (dsr & (DSR_WCF | DSR_WEF)) { /* mask the interrupt */
di_int_disable(imxdi, DIER_WCIE);
/* save the dsr value for the wait queue */
imxdi->dsr |= dsr;
/* handle the alarm case */ if (dier & DIER_CAIE) { /* DSR_WCF clears itself on DSR read */ if (dsr & DSR_CAF) { /* mask the interrupt */
di_int_disable(imxdi, DIER_CAIE);
/* finish alarm in user context */
schedule_work(&imxdi->work);
rc = IRQ_HANDLED;
}
} return rc;
}
/* * post the alarm event from user context so it can sleep * on the write completion.
*/ staticvoid dryice_work(struct work_struct *work)
{ struct imxdi_dev *imxdi = container_of(work, struct imxdi_dev, work);
/* dismiss the interrupt (ignore error) */
di_write_wait(imxdi, DSR_CAF, DSR);
/* pass the alarm event to the rtc framework. */
rtc_update_irq(imxdi->rtc, 1, RTC_AF | RTC_IRQF);
}
/* * probe for dryice rtc device
*/ staticint __init dryice_rtc_probe(struct platform_device *pdev)
{ struct imxdi_dev *imxdi; int norm_irq, sec_irq; int rc;
imxdi = devm_kzalloc(&pdev->dev, sizeof(*imxdi), GFP_KERNEL); if (!imxdi) return -ENOMEM;
imxdi->pdev = pdev;
imxdi->ioaddr = devm_platform_ioremap_resource(pdev, 0); if (IS_ERR(imxdi->ioaddr)) return PTR_ERR(imxdi->ioaddr);
spin_lock_init(&imxdi->irq_lock);
norm_irq = platform_get_irq(pdev, 0); if (norm_irq < 0) return norm_irq;
/* the 2nd irq is the security violation irq * make this optional, don't break the device tree ABI
*/
sec_irq = platform_get_irq(pdev, 1); if (sec_irq <= 0)
sec_irq = IRQ_NOTCONNECTED;
init_waitqueue_head(&imxdi->write_wait);
INIT_WORK(&imxdi->work, dryice_work);
mutex_init(&imxdi->write_mutex);
imxdi->rtc = devm_rtc_allocate_device(&pdev->dev); if (IS_ERR(imxdi->rtc)) return PTR_ERR(imxdi->rtc);
imxdi->clk = devm_clk_get(&pdev->dev, NULL); if (IS_ERR(imxdi->clk)) return PTR_ERR(imxdi->clk);
rc = clk_prepare_enable(imxdi->clk); if (rc) return rc;
/* * Initialize dryice hardware
*/
/* mask all interrupts */
writel(0, imxdi->ioaddr + DIER);
rc = di_handle_state(imxdi); if (rc != 0) goto err;
rc = devm_request_irq(&pdev->dev, norm_irq, dryice_irq,
IRQF_SHARED, pdev->name, imxdi); if (rc) {
dev_warn(&pdev->dev, "interrupt not available.\n"); goto err;
}
rc = devm_request_irq(&pdev->dev, sec_irq, dryice_irq,
IRQF_SHARED, pdev->name, imxdi); if (rc) {
dev_warn(&pdev->dev, "security violation interrupt not available.\n"); /* this is not an error, see above */
}
/* * dryice_rtc_remove() lives in .exit.text. For drivers registered via * module_platform_driver_probe() this is ok because they cannot get unbound at * runtime. So mark the driver struct with __refdata to prevent modpost * triggering a section mismatch warning.
*/ staticstruct platform_driver dryice_rtc_driver __refdata = {
.driver = {
.name = "imxdi_rtc",
.of_match_table = dryice_dt_ids,
},
.remove = __exit_p(dryice_rtc_remove),
};
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
