/* * Copyright 2008-2009 Freescale Semiconductor, Inc. All Rights Reserved. * Copyright 2010 Orex Computed Radiography */ /* * The code contained herein is licensed under the GNU General Public * License. You may obtain a copy of the GNU General Public License * Version 2 or later at the following locations: * * http://www.opensource.org/licenses/gpl-license.html * http://www.gnu.org/copyleft/gpl.html */ /* based on rtc-mc13892.c */ /* * This driver uses the 47-bit 32 kHz counter in the Freescale DryIce block * to implement a Linux RTC. Times and alarms are truncated to seconds. * Since the RTC framework performs API locking via rtc->ops_lock the * only simultaneous accesses we need to deal with is updating DryIce * registers while servicing an alarm. * * Note that reading the DSR (DryIce Status Register) automatically clears * the WCF (Write Complete Flag). All DryIce writes are synchronized to the * LP (Low Power) domain and set the WCF upon completion. Writes to the * DIER (DryIce Interrupt Enable Register) are the only exception. These * occur at normal bus speeds and do not set WCF. Periodic interrupts are * not supported by the hardware. */ #include #include #include #include #include #include #include #include /* DryIce Register Definitions */ #define DTCMR 0x00 /* Time Counter MSB Reg */ #define DTCLR 0x04 /* Time Counter LSB Reg */ #define DCAMR 0x08 /* Clock Alarm MSB Reg */ #define DCALR 0x0c /* Clock Alarm LSB Reg */ #define DCAMR_UNSET 0xFFFFFFFF /* doomsday - 1 sec */ #define DCR 0x10 /* Control Reg */ #define DCR_TDCHL (1 << 30) /* Tamper-detect configuration hard lock */ #define DCR_TDCSL (1 << 29) /* Tamper-detect configuration soft lock */ #define DCR_KSSL (1 << 27) /* Key-select soft lock */ #define DCR_MCHL (1 << 20) /* Monotonic-counter hard lock */ #define DCR_MCSL (1 << 19) /* Monotonic-counter soft lock */ #define DCR_TCHL (1 << 18) /* Timer-counter hard lock */ #define DCR_TCSL (1 << 17) /* Timer-counter soft lock */ #define DCR_FSHL (1 << 16) /* Failure state hard lock */ #define DCR_TCE (1 << 3) /* Time Counter Enable */ #define DCR_MCE (1 << 2) /* Monotonic Counter Enable */ #define DSR 0x14 /* Status Reg */ #define DSR_WTD (1 << 23) /* Wire-mesh tamper detected */ #define DSR_ETBD (1 << 22) /* External tamper B detected */ #define DSR_ETAD (1 << 21) /* External tamper A detected */ #define DSR_EBD (1 << 20) /* External boot detected */ #define DSR_SAD (1 << 19) /* SCC alarm detected */ #define DSR_TTD (1 << 18) /* Temperature tamper detected */ #define DSR_CTD (1 << 17) /* Clock tamper detected */ #define DSR_VTD (1 << 16) /* Voltage tamper detected */ #define DSR_WBF (1 << 10) /* Write Busy Flag (synchronous) */ #define DSR_WNF (1 << 9) /* Write Next Flag (synchronous) */ #define DSR_WCF (1 << 8) /* Write Complete Flag (synchronous)*/ #define DSR_WEF (1 << 7) /* Write Error Flag */ #define DSR_CAF (1 << 4) /* Clock Alarm Flag */ #define DSR_MCO (1 << 3) /* monotonic counter overflow */ #define DSR_TCO (1 << 2) /* time counter overflow */ #define DSR_NVF (1 << 1) /* Non-Valid Flag */ #define DSR_SVF (1 << 0) /* Security Violation Flag */ #define DIER 0x18 /* Interrupt Enable Reg (synchronous) */ #define DIER_WNIE (1 << 9) /* Write Next Interrupt Enable */ #define DIER_WCIE (1 << 8) /* Write Complete Interrupt Enable */ #define DIER_WEIE (1 << 7) /* Write Error Interrupt Enable */ #define DIER_CAIE (1 << 4) /* Clock Alarm Interrupt Enable */ #define DIER_SVIE (1 << 0) /* Security-violation Interrupt Enable */ #define DMCR 0x1c /* DryIce Monotonic Counter Reg */ #define DTCR 0x28 /* DryIce Tamper Configuration Reg */ #define DTCR_MOE (1 << 9) /* monotonic overflow enabled */ #define DTCR_TOE (1 << 8) /* time overflow enabled */ #define DTCR_WTE (1 << 7) /* wire-mesh tamper enabled */ #define DTCR_ETBE (1 << 6) /* external B tamper enabled */ #define DTCR_ETAE (1 << 5) /* external A tamper enabled */ #define DTCR_EBE (1 << 4) /* external boot tamper enabled */ #define DTCR_SAIE (1 << 3) /* SCC enabled */ #define DTCR_TTE (1 << 2) /* temperature tamper enabled */ #define DTCR_CTE (1 << 1) /* clock tamper enabled */ #define DTCR_VTE (1 << 0) /* voltage tamper enabled */ #define DGPR 0x3c /* DryIce General Purpose Reg */ /** * struct imxdi_dev - private imxdi rtc data * @dev: pionter to dev * @rtc: pointer to rtc struct * @ioaddr: IO registers pointer * @clk: input reference clock * @dsr: copy of the DSR register */ struct imxdi_dev { struct device_d *dev; struct rtc_device rtc; void __iomem *ioaddr; struct clk *clk; u32 dsr; struct nvmem_device *nvmem; }; /* Some background: * * The DryIce unit is a complex security/tamper monitor device. To be able do * its job in a useful manner it runs a bigger statemachine to bring it into * security/tamper failure state and once again to bring it out of this state. * * This unit can be in one of three states: * * - "NON-VALID STATE" * always after the battery power was removed * - "FAILURE STATE" * if one of the enabled security events has happened * - "VALID STATE" * if the unit works as expected * * Everything stops when the unit enters the failure state including the RTC * counter (to be able to detect the time the security event happened). * * The following events (when enabled) let the DryIce unit enter the failure * state: * * - wire-mesh-tamper detect * - external tamper B detect * - external tamper A detect * - temperature tamper detect * - clock tamper detect * - voltage tamper detect * - RTC counter overflow * - monotonic counter overflow * - external boot * * If we find the DryIce unit in "FAILURE STATE" and the TDCHL cleared, we * can only detect this state. In this case the unit is completely locked and * must force a second "SYSTEM POR" to bring the DryIce into the * "NON-VALID STATE" + "FAILURE STATE" where a recovery is possible. * If the TDCHL is set in the "FAILURE STATE" we are out of luck. In this case * a battery power cycle is required. * * In the "NON-VALID STATE" + "FAILURE STATE" we can clear the "FAILURE STATE" * and recover the DryIce unit. By clearing the "NON-VALID STATE" as the last * task, we bring back this unit into life. */ /* * Do a write into the unit without interrupt support. * We do not need to check the WEF here, because the only reason this kind of * write error can happen is if we write to the unit twice within the 122 us * interval. This cannot happen, since we are using this function only while * setting up the unit. */ static void di_write_busy_wait(const struct imxdi_dev *imxdi, u32 val, unsigned reg) { /* do the register write */ writel(val, imxdi->ioaddr + reg); /* * now it takes four 32,768 kHz clock cycles to take * the change into effect = 122 us */ udelay(130); } static void di_what_is_to_be_done(struct imxdi_dev *imxdi, const char *power_supply) { dev_emerg(imxdi->dev, "Please cycle the %s power supply in order to get the DryIce/RTC unit working again\n", power_supply); } static int di_handle_failure_state(struct imxdi_dev *imxdi, u32 dsr) { u32 dcr; dev_dbg(imxdi->dev, "DSR register reports: %08X\n", dsr); dcr = readl(imxdi->ioaddr + DCR); if (dcr & DCR_FSHL) { /* we are out of luck */ di_what_is_to_be_done(imxdi, "battery"); return -ENODEV; } /* * with the next SYSTEM POR we will transit from the "FAILURE STATE" * into the "NON-VALID STATE" + "FAILURE STATE" */ di_what_is_to_be_done(imxdi, "main"); return -ENODEV; } static int di_handle_valid_state(struct imxdi_dev *imxdi, u32 dsr) { /* initialize alarm */ di_write_busy_wait(imxdi, DCAMR_UNSET, DCAMR); di_write_busy_wait(imxdi, 0, DCALR); /* clear alarm flag */ if (dsr & DSR_CAF) di_write_busy_wait(imxdi, DSR_CAF, DSR); return 0; } static int di_handle_invalid_state(struct imxdi_dev *imxdi, u32 dsr) { u32 dcr, sec; /* * lets disable all sources which can force the DryIce unit into * the "FAILURE STATE" for now */ di_write_busy_wait(imxdi, 0x00000000, DTCR); /* and lets protect them at runtime from any change */ di_write_busy_wait(imxdi, DCR_TDCSL, DCR); sec = readl(imxdi->ioaddr + DTCMR); if (sec != 0) dev_warn(imxdi->dev, "The security violation has happened at %u seconds\n", sec); /* * the timer cannot be set/modified if * - the TCHL or TCSL bit is set in DCR */ dcr = readl(imxdi->ioaddr + DCR); if (!(dcr & DCR_TCE)) { if (dcr & DCR_TCHL) { /* we are out of luck */ di_what_is_to_be_done(imxdi, "battery"); return -ENODEV; } if (dcr & DCR_TCSL) { di_what_is_to_be_done(imxdi, "main"); return -ENODEV; } } /* * - the timer counter stops/is stopped if * - its overflow flag is set (TCO in DSR) * -> clear overflow bit to make it count again * - NVF is set in DSR * -> clear non-valid bit to make it count again * - its TCE (DCR) is cleared * -> set TCE to make it count * - it was never set before * -> write a time into it (required again if the NVF was set) */ /* state handled */ di_write_busy_wait(imxdi, DSR_NVF, DSR); /* clear overflow flag */ di_write_busy_wait(imxdi, DSR_TCO, DSR); /* enable the counter */ di_write_busy_wait(imxdi, dcr | DCR_TCE, DCR); /* set and trigger it to make it count */ di_write_busy_wait(imxdi, sec, DTCMR); /* now prepare for the valid state */ return di_handle_valid_state(imxdi, __raw_readl(imxdi->ioaddr + DSR)); } static int di_handle_invalid_and_failure_state(struct imxdi_dev *imxdi, u32 dsr) { u32 dcr; /* * now we must first remove the tamper sources in order to get the * device out of the "FAILURE STATE" * To disable any of the following sources we need to modify the DTCR */ if (dsr & (DSR_WTD | DSR_ETBD | DSR_ETAD | DSR_EBD | DSR_SAD | DSR_TTD | DSR_CTD | DSR_VTD | DSR_MCO | DSR_TCO)) { dcr = __raw_readl(imxdi->ioaddr + DCR); if (dcr & DCR_TDCHL) { /* * the tamper register is locked. We cannot disable the * tamper detection. The TDCHL can only be reset by a * DRYICE POR, but we cannot force a DRYICE POR in * softwere because we are still in "FAILURE STATE". * We need a DRYICE POR via battery power cycling.... */ /* * out of luck! * we cannot disable them without a DRYICE POR */ di_what_is_to_be_done(imxdi, "battery"); return -ENODEV; } if (dcr & DCR_TDCSL) { /* a soft lock can be removed by a SYSTEM POR */ di_what_is_to_be_done(imxdi, "main"); return -ENODEV; } } /* disable all sources */ di_write_busy_wait(imxdi, 0x00000000, DTCR); /* clear the status bits now */ di_write_busy_wait(imxdi, dsr & (DSR_WTD | DSR_ETBD | DSR_ETAD | DSR_EBD | DSR_SAD | DSR_TTD | DSR_CTD | DSR_VTD | DSR_MCO | DSR_TCO), DSR); dsr = readl(imxdi->ioaddr + DSR); if ((dsr & ~(DSR_NVF | DSR_SVF | DSR_WBF | DSR_WNF | DSR_WCF | DSR_WEF)) != 0) dev_warn(imxdi->dev, "There are still some sources of pain in DSR: %08x!\n", dsr & ~(DSR_NVF | DSR_SVF | DSR_WBF | DSR_WNF | DSR_WCF | DSR_WEF)); /* * now we are trying to clear the "Security-violation flag" to * get the DryIce out of this state */ di_write_busy_wait(imxdi, DSR_SVF, DSR); /* success? */ dsr = readl(imxdi->ioaddr + DSR); if (dsr & DSR_SVF) { dev_crit(imxdi->dev, "Cannot clear the security violation flag. We are ending up in an endless loop!\n"); /* last resort */ di_what_is_to_be_done(imxdi, "battery"); return -ENODEV; } /* * now we have left the "FAILURE STATE" and ending up in the * "NON-VALID STATE" time to recover everything */ return di_handle_invalid_state(imxdi, dsr); } static int di_handle_state(struct imxdi_dev *imxdi) { int rc; u32 dsr; dsr = readl(imxdi->ioaddr + DSR); switch (dsr & (DSR_NVF | DSR_SVF)) { case DSR_NVF: dev_warn(imxdi->dev, "Invalid stated unit detected\n"); rc = di_handle_invalid_state(imxdi, dsr); break; case DSR_SVF: dev_warn(imxdi->dev, "Failure stated unit detected\n"); rc = di_handle_failure_state(imxdi, dsr); break; case DSR_NVF | DSR_SVF: dev_warn(imxdi->dev, "Failure+Invalid stated unit detected\n"); rc = di_handle_invalid_and_failure_state(imxdi, dsr); break; default: dev_notice(imxdi->dev, "Unlocked unit detected\n"); rc = di_handle_valid_state(imxdi, dsr); } return rc; } /* * This function attempts to clear the dryice write-error flag. * * A dryice write error is similar to a bus fault and should not occur in * normal operation. Clearing the flag requires another write, so the root * cause of the problem may need to be fixed before the flag can be cleared. */ static void clear_write_error(struct imxdi_dev *imxdi) { int cnt; dev_warn(imxdi->dev, "WARNING: Register write error!\n"); /* clear the write error flag */ writel(DSR_WEF, imxdi->ioaddr + DSR); /* wait for it to take effect */ for (cnt = 0; cnt < 1000; cnt++) { if ((readl(imxdi->ioaddr + DSR) & DSR_WEF) == 0) return; udelay(10); } dev_err(imxdi->dev, "ERROR: Cannot clear write-error flag!\n"); } /* * Write a dryice register and wait until it completes. * * This function uses interrupts to determine when the * write has completed. */ static int di_write_wait(struct imxdi_dev *imxdi, u32 val, int reg) { int rc = 0; uint32_t dsr; uint64_t start; /* do the register write */ writel(val, imxdi->ioaddr + reg); start = get_time_ns(); /* wait for the write to finish */ while (1) { dsr = readl(imxdi->ioaddr + DSR); if (dsr & (DSR_WCF | DSR_WEF)) break; if (is_timeout(start, MSECOND)) return -EIO; } /* check for write error */ if (dsr & DSR_WEF) { clear_write_error(imxdi); rc = -EIO; } return rc; } static struct imxdi_dev *to_imxdi_dev(struct rtc_device *rtc) { return container_of(rtc, struct imxdi_dev, rtc); } /* * read the seconds portion of the current time from the dryice time counter */ static int dryice_rtc_read_time(struct rtc_device *rtc, struct rtc_time *tm) { struct imxdi_dev *imxdi = to_imxdi_dev(rtc); unsigned long now; now = readl(imxdi->ioaddr + DTCMR); rtc_time_to_tm(now, tm); return 0; } /* * set the seconds portion of dryice time counter and clear the * fractional part. */ static int dryice_rtc_set_time(struct rtc_device *rtc, struct rtc_time *tm) { struct imxdi_dev *imxdi = to_imxdi_dev(rtc); u32 dcr, dsr; int ret; unsigned long secs; ret = rtc_tm_to_time(tm, &secs); if (ret) return ret; dcr = readl(imxdi->ioaddr + DCR); dsr = readl(imxdi->ioaddr + DSR); if (!(dcr & DCR_TCE) || (dsr & DSR_SVF)) { if (dcr & DCR_TCHL) { /* we are even more out of luck */ di_what_is_to_be_done(imxdi, "battery"); return -EPERM; } if ((dcr & DCR_TCSL) || (dsr & DSR_SVF)) { /* we are out of luck for now */ di_what_is_to_be_done(imxdi, "main"); return -EPERM; } } /* zero the fractional part first */ ret = di_write_wait(imxdi, 0, DTCLR); if (ret) return ret; ret = di_write_wait(imxdi, secs, DTCMR); if (ret) return ret; return di_write_wait(imxdi, readl(imxdi->ioaddr + DCR) | DCR_TCE, DCR); } static const struct rtc_class_ops dryice_rtc_ops = { .read_time = dryice_rtc_read_time, .set_time = dryice_rtc_set_time, }; static int nvstore_write(struct device_d *dev, const int reg, const void *val, int bytes) { struct imxdi_dev *imxdi = dev->parent->priv; const u32 *val32 = val; if (bytes != 4) return 0; writel(*val32, imxdi->ioaddr + DGPR); return 0; } static int nvstore_read(struct device_d *dev, const int reg, void *val, int bytes) { struct imxdi_dev *imxdi = dev->parent->priv; u32 *val32 = val; if (bytes != 4) return 0; *val32 = readl(imxdi->ioaddr + DGPR); return 0; } static struct nvmem_bus nvstore_nvmem_bus = { .write = nvstore_write, .read = nvstore_read, }; static struct nvmem_config nvstore_nvmem_config = { .name = "nvstore", .stride = 4, .word_size = 4, .size = 4, .bus = &nvstore_nvmem_bus, }; static int __init dryice_rtc_probe(struct device_d *dev) { struct resource *res; struct imxdi_dev *imxdi; int ret; imxdi = xzalloc(sizeof(*imxdi)); imxdi->dev = dev; imxdi->rtc.ops = &dryice_rtc_ops; res = dev_request_mem_resource(dev, 0); if (IS_ERR(res)) return PTR_ERR(res); imxdi->ioaddr = IOMEM(res->start); imxdi->clk = clk_get(dev, NULL); if (IS_ERR(imxdi->clk)) return PTR_ERR(imxdi->clk); ret = clk_enable(imxdi->clk); if (ret) return ret; /* * Initialize dryice hardware */ /* mask all interrupts */ writel(0, imxdi->ioaddr + DIER); ret = di_handle_state(imxdi); if (ret) goto err; dev->priv = imxdi; nvstore_nvmem_config.dev = dev; imxdi->nvmem = nvmem_register(&nvstore_nvmem_config); if (IS_ENABLED(CONFIG_NVMEM) && IS_ERR(imxdi->nvmem)) { ret = PTR_ERR(imxdi->nvmem); goto err; } ret = rtc_register(&imxdi->rtc); if (ret) goto err; return 0; err: clk_disable(imxdi->clk); return ret; } static __maybe_unused const struct of_device_id dryice_dt_ids[] = { { .compatible = "fsl,imx25-rtc" }, { /* sentinel */ } }; static struct driver_d dryice_rtc_driver = { .name = "imx-di-rtc", .probe = dryice_rtc_probe, .of_compatible = DRV_OF_COMPAT(dryice_dt_ids), }; device_platform_driver(dryice_rtc_driver);