cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Observer
Observer
1,895 Views
Registered: ‎06-25-2019

Integrating a TPM into PetaLinux using the ZCU104 board

Jump to solution

Hello there.

I am using a ZCU104-board for a research project and I try to use a TPM in PetaLinux. I am at a point, where the TPM appears in the device tree but not in /dev as it should when the driver is working correctly. I am probably missing something trivial but could anyone help me out with this?

Here's what I did so far:

  • Connected the TPM board (PMOD, Infineon SLB 9670 TPM 2.0 with SPI) with the ZCU104
  • Started with this design, enabled SPI1, mapped it to the PMOD connector and created the bitstreams
  • Created the matching PetaLinux project and enabled spidev using petalinux-config -c kernel
  • Integrated an spidev-node into the device tree following this tutorial. It looks like this:
    &spi1 {
    	spidev@0x00 {
    		compatible = "spidev";
    		spi-max-frequency = <32000000>;
    		reg = <0>;
    		};
    	};
    };
  • Checked with a scope, if SPI1 works. It does, so apparently the IP configuration in Vivado is not the issue.
  • Enabled the TPM hardware support and "TPM Interface Specification 1.3 Interface / TPM 2.0 FIFO Interface - (SPI)" with petalinux-config -c kernel. Used the "m" option.
  • Changed the device tree entry. It is a combination of the node entry that worked before and the device tree entry for Raspberry Pi :
    &spi1 {
    	tpm@0 {
    		compatible = "tcg,tpm_tis-spi";
    		#address-cells = <1>;
    		#size-cells = <0>;
    		spi-max-frequency = <32000000>;
    		reg = <0>;
    		status = "okay";
    	};
    };
  • Booted the device. There should be an entry named /dev/tpm0 but there isn't. The device tree in /proc however holds an entry.
  • Tried modprobe tpm_tis_spi because earlier RPis did not load the driver automatically and I thought that this might be the problem here as well. It finishes without error codes but changes nothing.

I am usually working with TPMs on a higher level of abstraction so I don't have much experience with device trees and the whole driver stuff. If anyone could help me out that would save my day (and week for that matter...).

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Observer
Observer
770 Views
Registered: ‎06-25-2019

Hello everyone,

@damon Your trick to patch in the cip-sources helped me solve the problem. Thank you for that. I produced a patch that irons out the major differences in the file spi-cadence.c between the PetaLinux- and the cip-sources. I attached this patch in case anyone else needs it. You can add it to your PetaLinux following the instructions given here:
https://forums.xilinx.com/t5/Embedded-Linux/How-to-apply-patches-to-the-Linux-kernel-petalinux-tool-2018-3/td-p/982045 

@jovitac Maybe the patch helps Xilinx narrowing down the problem for a permanent fix.

View solution in original post

0 Kudos
25 Replies
Highlighted
Adventurer
Adventurer
1,775 Views
Registered: ‎10-19-2012

Did you have any success on this?  I am in similar situation.  I started off with a spi entry that I tested successfully, but when I converted it to a TPM entry, there's no module present in /dev.

0 Kudos
Highlighted
Observer
Observer
1,752 Views
Registered: ‎06-25-2019

Not so far, no. One of our project partners has attached a scope to the SPI-lines and checked the initialization process. The CS-line does not behave as it should but I myself had no time to look into this. I will have a look at this next year and let you know how it turned out.

0 Kudos
Highlighted
Adventurer
Adventurer
1,706 Views
Registered: ‎10-19-2012

Can anyone from Xilinx comment?  Searching for "petalinux tpm" returns very few results.  As I understand it, there's really 3 parts to this equation:

1. TPM 2.0 requires UEFI support - I verified this was enabled in the kernel config under "boot options" (it comes enabled by default 

2. the TPM character device driver must be included - this also happens in the driver section of the kernel config

3. the TPM hardware must be declared in the device tree

 

I've done all 3 steps, but there's a couple things that concern me:

1. when my device boots, I always get this message after "Starting Kernel":

[ 0.000000] efi: Getting EFI parameters from FDT:
[ 0.000000] efi: UEFI not found.

Why is UEFI not found if it's included by default in the kernel?

2. There's no /dev/tpm entry.  I do notice there's a 'tpm' entry in /proc/devices (which is not present if I don't include the TPM driver as outlined in step 2 above).  This could very well be an issue w/ my device tree...

3. ...but I notice there's no deamon running either.  If I run "ps -ef" there's no TPM (or tss, or tcsd, or similar) entry, nor is there anything in /usr/bin or /usr/sbin.  Maybe I'm looking in the wrong place and/or for the wrong thing.

 

Any suggestions on what to try next?

0 Kudos
Highlighted
Adventurer
Adventurer
1,642 Views
Registered: ‎10-19-2012

@stephenm  or @aravindb , any thoughts on what we can try next?  thank you in advance...

0 Kudos
Highlighted
Adventurer
Adventurer
1,622 Views
Registered: ‎10-19-2012

Another datapoint...I looked at the kernel config for what's loaded on my card as follows:

cat /proc/config.gz | gunzip > running.config

cat running.config | grep EFI

I pasted the output below...CONFIG_EFI_PARTITION is true, so I don't know why I'd be seeing "efi: UEFI not found" during boot.

CONFIG_EFI_PARTITION=y
CONFIG_EFI_STUB=y
CONFIG_EFI=y
# CONFIG_FB_EFI is not set
# CONFIG_RTC_DRV_EFI is not set
CONFIG_XEN_EFI=y
# EFI (Extensible Firmware Interface) Support
# CONFIG_EFI_VARS is not set
CONFIG_EFI_ESRT=y
CONFIG_EFI_PARAMS_FROM_FDT=y
CONFIG_EFI_RUNTIME_WRAPPERS=y
CONFIG_EFI_ARMSTUB=y
# CONFIG_EFI_CAPSULE_LOADER is not set
# CONFIG_EFI_TEST is not set
CONFIG_EFIVAR_FS=m

0 Kudos
Highlighted
Moderator
Moderator
1,616 Views
Registered: ‎05-10-2017

Do you see the tpm device being probed?

Can you do a dmesg | grep tpm?

 

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Highlighted
Adventurer
Adventurer
1,575 Views
Registered: ‎10-19-2012

Nothing comes back when I execute that...

0 Kudos
Highlighted
Moderator
Moderator
1,558 Views
Registered: ‎05-10-2017

The tpm device will not be there in /dev/tpm if the probe for it fails. 

Can you post the boot snippet of when the spi driver gets probed?

Do a dmesg | grep spi

 

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Highlighted
Adventurer
Adventurer
1,542 Views
Registered: ‎10-19-2012

I have reason to believe the hardware is not hooked up correctly...I will investigate that and reply back here.

Any thoughts on why there's no daemon running for TPM interaction?

0 Kudos
Highlighted
Moderator
Moderator
1,533 Views
Registered: ‎05-10-2017

Do you have the below kernel configs for tpm enabled ?

CONFIG_TCG_TPM = y
CONFIG_TCG_TIS_CORE = y
CONFIG_TCG_TIS_SPI = y 

 

 

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Highlighted
Adventurer
Adventurer
1,495 Views
Registered: ‎10-19-2012

mine says:

CONFIG_TCG_TPM = y
CONFIG_TCG_TIS_CORE = y
CONFIG_TCG_TIS_SPI = y 

but it also says:

CONFIG_TCG_TIS is not set

0 Kudos
Highlighted
Observer
Observer
1,454 Views
Registered: ‎06-25-2019

Hello and a late happy new year to all of you.

I've had the opportunity to review my project partner's scope traces of the SPI communication between the ZCU104 and the TPM. The fact that something came out the ZCU104 on the SPI lines tells me that enabling UEFI and kernel support and adding the TPM to the device tree kind of works. My colleague located the problem with using the TPM in the SPI communication. He traced the communication of a Raspberry Pi with a TPM (a combination that works) and the communication of the ZCU104 with the TPM. Both traces show the transmission of the TPM startup command and the first byte of the following command.

RPi 3BRPi 3B
ZCU104ZCU104

If you're not that familiar with the TPM's communication protocol: The first four bytes on MOSI (0x80, 0xD4, 0x00, 0x00) are a command that starts the TPM. The TPM responds with 0x01 to signal its readyness for the command and 0x81 as a response that the startup was successful.

My colleague noticed that on the RPi the Enable line of SPI goes to high after the startup command is transmitted, telling the TPM to get ready for a new command. The ZCU104 does not do that. That way the TPM thinks, the startup command goes on forever and sends rubbish in response, resulting in an unsuccessful initialization. I suppose if we get the ZCU104 to do that correctly, the TPM should work like a charm. I guess we need to do something with PetaLInux' SPI driver but I have no idea what that would be. If anyone could help me out here that would be highly appreciated.

0 Kudos
Highlighted
Observer
Observer
1,363 Views
Registered: ‎06-25-2019

I've updated the whole toolchain to 2019.2 in the hope that maybe this issue is due to a faulty TPM driver that received an update in this newer version. The problem persists. I tried 

dmesg | grep spi

and got the following result:

[    3.533376] zynqmp_clk_divider_set_rate() set divider failed for spi1_ref_div1, ret = -13
[    4.783407] m25p80 spi0.0: n25q512a (65536 Kbytes)
[    4.788223] 3 fixed-partitions partitions found on MTD device spi0.0
[    4.794566] Creating 3 MTD partitions on "spi0.0":

Looks like SPI1 has some issue with its clock. I'll be looking into this next monday but as usual any idea that might be helpful is welcome.

0 Kudos
Highlighted
Observer
Observer
1,358 Views
Registered: ‎06-25-2019

For comparison: This is the dmesg output when I run it with an spidev device mapped to the same SPI port. So apparently the clock thing is not the culprit. Is that the probing message you spoke of?

[    3.532514] zynqmp_clk_divider_set_rate() set divider failed for spi1_ref_div1, ret = -13
[    4.782301] spidev spi1.0: buggy DT: spidev listed directly in DT
[    4.788435] WARNING: CPU: 2 PID: 32 at drivers/spi/spidev.c:730 spidev_probe+0x1c0/0x1d0
[    4.821703] pc : spidev_probe+0x1c0/0x1d0
[    4.825696] lr : spidev_probe+0x1bc/0x1d0
[    4.914918]  spidev_probe+0x1c0/0x1d0
[    4.918572]  spi_drv_probe+0x7c/0xd8
[    4.953301]  spi_add_device+0xac/0x168
[    4.957032]  of_register_spi_device+0x234/0x378
[    4.961546]  spi_register_controller+0x290/0x618
[    4.966148]  cdns_spi_probe+0x2f8/0x3b0
[    5.026480] m25p80 spi0.0: n25q512a (65536 Kbytes)
[    5.031281] 3 fixed-partitions partitions found on MTD device spi0.0
[    5.037623] Creating 3 MTD partitions on "spi0.0":
0 Kudos
Highlighted
Moderator
Moderator
1,333 Views
Registered: ‎05-10-2017

@ljaeger_sit When the TPM device gets probed in linux, you should see this message in your kernel boot log

 

[    5.892514] tpm_tis_spi spi1.0: 2.0 TPM (device-id 0x1B, rev-id 16)
[    5.901268] tpm tpm0: A TPM error (256) occurred attempting the self test
[    5.908061] tpm tpm0: starting up the TPM manually

Your device-tree entry should be as shown below

 

 

&spi0 {
	tpm_tis@0 {
		compatible = "infineon,slb9670";
		reg = <0>;
		spi-max-frequency = <10000000>;
    };
};

Currently there is an issue with the spi-cs being deasserted during the middle of the transaction. We are aware of this issue and are investigating it. It seems like only TPM devices are affected by it. 

 

There is a temporary fix for this and is not official. Could you please try it out and provide feedback on it?

diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
index 7c88f74f7f47..6be880d56c7b 100644
--- a/drivers/spi/spi-cadence.c
+++ b/drivers/spi/spi-cadence.c
@@ -464,7 +464,7 @@ static int cdns_unprepare_transfer_hardware(struct spi_master *master)
{
     struct cdns_spi *xspi = spi_master_get_devdata(master);

-     cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
+     //cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);

      return 0;
}

 

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Highlighted
Observer
Observer
1,251 Views
Registered: ‎06-25-2019

I tried but since the update to PetaLinux 2019.2 I can't get anything out of the SPI port when using the TPM driver. I am investigating this.

0 Kudos
Highlighted
Observer
Observer
1,221 Views
Registered: ‎06-25-2019

My colleague does not have the problems with the SPI port as I do, so he checked the fix. It does not work. I guess we'll wait until you provide the final solution.

0 Kudos
Highlighted
Adventurer
Adventurer
1,188 Views
Registered: ‎01-01-2019

Hi @ljaeger_sit,

I have encountered similar question.

My solution is porting TPM related code from cip-kernel: linux-4.4.y-cip, and it works fine.

https://gitlab.com/cip-project/cip-kernel/linux-cip/tree/linux-4.4.y-cip

0 Kudos
Highlighted
Observer
Observer
1,183 Views
Registered: ‎06-25-2019

@damon: Thanks. I'll check it out as soon as I get something out of the PMOD port.

0 Kudos
Highlighted
Observer
Observer
1,162 Views
Registered: ‎06-25-2019

I tried your fix and it does not work for me either. @jovitac Are you sure that this fix addresses our problem? It comments out the de-assertion but our problem is, that the CS line does not get de-asserted when a transaction to the TPM is complete. Shouldn't we add another de-assertion somewhere?

0 Kudos
Highlighted
Adventurer
Adventurer
1,016 Views
Registered: ‎09-30-2014

I have a related question.  

I have a Infineon part hooked up to a Zynq Ultrascale+.   I get the output in the boot message below.  Does this mean the part was seen correctly?  What are the recommend ways to verify the TPM is communicating and functional?

Three lines from dmesg:

tpm_tis_spi spi1.0: 2.0 TPM (device-id 0x1B, rev-id 16)
tpm tpm0: A TPM error (256) occurred attempting the self test
tpm tpm0: starting up the TPM manually

 

0 Kudos
Highlighted
Adventurer
Adventurer
900 Views
Registered: ‎01-01-2019

Hi @bfrazier_arete,

You can use eltt2 to verify Infineon TPM 2.0.

https://github.com/Infineon/eltt2

0 Kudos
Highlighted
Observer
Observer
791 Views
Registered: ‎06-25-2019

@jovitac I hate to rush you but are there any news on this topic?

0 Kudos
Highlighted
Observer
Observer
771 Views
Registered: ‎06-25-2019

Hello everyone,

@damon Your trick to patch in the cip-sources helped me solve the problem. Thank you for that. I produced a patch that irons out the major differences in the file spi-cadence.c between the PetaLinux- and the cip-sources. I attached this patch in case anyone else needs it. You can add it to your PetaLinux following the instructions given here:
https://forums.xilinx.com/t5/Embedded-Linux/How-to-apply-patches-to-the-Linux-kernel-petalinux-tool-2018-3/td-p/982045 

@jovitac Maybe the patch helps Xilinx narrowing down the problem for a permanent fix.

View solution in original post

0 Kudos
Highlighted
Moderator
Moderator
740 Views
Registered: ‎05-10-2017

I haven't heard back anything from the engineering side on this. Thank you for sharing the patch you used. I have provided this to the development team and hopefully this wil help.

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos