Add qemu 2.4.0

Change-Id: Ic99cbad4b61f8b127b7dc74d04576c0bcbaaf4f5
Signed-off-by: Yang Zhang <yang.z.zhang@intel.com>

7 files changed, 2274 insertions, 0 deletions

diff --git a/qemu/roms/u-boot/drivers/tpm/Makefile b/qemu/roms/u-boot/drivers/tpm/Makefile
new file mode 100644
index 000000000..150570ee7
--- /dev/null
+++ b/qemu/roms/u-boot/drivers/tpm/Makefile
@@ -0,0 +1,11 @@
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+#
+# SPDX-License-Identifier:	GPL-2.0+
+#
+
+# TODO: Merge tpm_tis_lpc.c with tpm.c
+obj-$(CONFIG_TPM_ATMEL_TWI) += tpm_atmel_twi.o
+obj-$(CONFIG_TPM_TIS_I2C) += tpm.o
+obj-$(CONFIG_TPM_TIS_I2C) += tpm_tis_i2c.o
+obj-$(CONFIG_TPM_TIS_LPC) += tpm_tis_lpc.o
+obj-$(CONFIG_TPM_TIS_SANDBOX) += tpm_tis_sandbox.o
diff --git a/qemu/roms/u-boot/drivers/tpm/tpm.c b/qemu/roms/u-boot/drivers/tpm/tpm.c
new file mode 100644
index 000000000..b65733419
--- /dev/null
+++ b/qemu/roms/u-boot/drivers/tpm/tpm.c
@@ -0,0 +1,629 @@
+/*
+ * Copyright (C) 2011 Infineon Technologies
+ *
+ * Authors:
+ * Peter Huewe <huewe.external@infineon.com>
+ *
+ * Description:
+ * Device driver for TCG/TCPA TPM (trusted platform module).
+ * Specifications at www.trustedcomputinggroup.org
+ *
+ * It is based on the Linux kernel driver tpm.c from Leendert van
+ * Dorn, Dave Safford, Reiner Sailer, and Kyleen Hall.
+ *
+ * Version: 2.1.1
+ *
+ * See file CREDITS for list of people who contributed to this
+ * project.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#include <config.h>
+#include <common.h>
+#include <compiler.h>
+#include <fdtdec.h>
+#include <i2c.h>
+#include <tpm.h>
+#include <asm-generic/errno.h>
+#include <linux/types.h>
+#include <linux/unaligned/be_byteshift.h>
+
+#include "tpm_private.h"
+
+DECLARE_GLOBAL_DATA_PTR;
+
+/* TPM configuration */
+struct tpm {
+	int i2c_bus;
+	int slave_addr;
+	char inited;
+	int old_bus;
+} tpm;
+
+/* Global structure for tpm chip data */
+static struct tpm_chip g_chip;
+
+enum tpm_duration {
+	TPM_SHORT = 0,
+	TPM_MEDIUM = 1,
+	TPM_LONG = 2,
+	TPM_UNDEFINED,
+};
+
+/* Extended error numbers from linux (see errno.h) */
+#define ECANCELED	125	/* Operation Canceled */
+
+/* Timer frequency. Corresponds to msec timer resolution*/
+#define HZ		1000
+
+#define TPM_MAX_ORDINAL			243
+#define TPM_MAX_PROTECTED_ORDINAL	12
+#define TPM_PROTECTED_ORDINAL_MASK	0xFF
+
+#define TPM_CMD_COUNT_BYTE	2
+#define TPM_CMD_ORDINAL_BYTE	6
+
+/*
+ * Array with one entry per ordinal defining the maximum amount
+ * of time the chip could take to return the result.  The ordinal
+ * designation of short, medium or long is defined in a table in
+ * TCG Specification TPM Main Part 2 TPM Structures Section 17. The
+ * values of the SHORT, MEDIUM, and LONG durations are retrieved
+ * from the chip during initialization with a call to tpm_get_timeouts.
+ */
+static const u8 tpm_protected_ordinal_duration[TPM_MAX_PROTECTED_ORDINAL] = {
+	TPM_UNDEFINED,		/* 0 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 5 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 10 */
+	TPM_SHORT,
+};
+
+static const u8 tpm_ordinal_duration[TPM_MAX_ORDINAL] = {
+	TPM_UNDEFINED,		/* 0 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 5 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 10 */
+	TPM_SHORT,
+	TPM_MEDIUM,
+	TPM_LONG,
+	TPM_LONG,
+	TPM_MEDIUM,		/* 15 */
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_MEDIUM,
+	TPM_LONG,
+	TPM_SHORT,		/* 20 */
+	TPM_SHORT,
+	TPM_MEDIUM,
+	TPM_MEDIUM,
+	TPM_MEDIUM,
+	TPM_SHORT,		/* 25 */
+	TPM_SHORT,
+	TPM_MEDIUM,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_MEDIUM,		/* 30 */
+	TPM_LONG,
+	TPM_MEDIUM,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,		/* 35 */
+	TPM_MEDIUM,
+	TPM_MEDIUM,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_MEDIUM,		/* 40 */
+	TPM_LONG,
+	TPM_MEDIUM,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,		/* 45 */
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_LONG,
+	TPM_MEDIUM,		/* 50 */
+	TPM_MEDIUM,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 55 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_MEDIUM,		/* 60 */
+	TPM_MEDIUM,
+	TPM_MEDIUM,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_MEDIUM,		/* 65 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 70 */
+	TPM_SHORT,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 75 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_LONG,		/* 80 */
+	TPM_UNDEFINED,
+	TPM_MEDIUM,
+	TPM_LONG,
+	TPM_SHORT,
+	TPM_UNDEFINED,		/* 85 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 90 */
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_UNDEFINED,		/* 95 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_MEDIUM,		/* 100 */
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 105 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 110 */
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,		/* 115 */
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_LONG,		/* 120 */
+	TPM_LONG,
+	TPM_MEDIUM,
+	TPM_UNDEFINED,
+	TPM_SHORT,
+	TPM_SHORT,		/* 125 */
+	TPM_SHORT,
+	TPM_LONG,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,		/* 130 */
+	TPM_MEDIUM,
+	TPM_UNDEFINED,
+	TPM_SHORT,
+	TPM_MEDIUM,
+	TPM_UNDEFINED,		/* 135 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 140 */
+	TPM_SHORT,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 145 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 150 */
+	TPM_MEDIUM,
+	TPM_MEDIUM,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_UNDEFINED,		/* 155 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 160 */
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 165 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_LONG,		/* 170 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 175 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_MEDIUM,		/* 180 */
+	TPM_SHORT,
+	TPM_MEDIUM,
+	TPM_MEDIUM,
+	TPM_MEDIUM,
+	TPM_MEDIUM,		/* 185 */
+	TPM_SHORT,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 190 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 195 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 200 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,
+	TPM_SHORT,		/* 205 */
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_MEDIUM,		/* 210 */
+	TPM_UNDEFINED,
+	TPM_MEDIUM,
+	TPM_MEDIUM,
+	TPM_MEDIUM,
+	TPM_UNDEFINED,		/* 215 */
+	TPM_MEDIUM,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,
+	TPM_SHORT,		/* 220 */
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_SHORT,
+	TPM_UNDEFINED,		/* 225 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 230 */
+	TPM_LONG,
+	TPM_MEDIUM,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,		/* 235 */
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_UNDEFINED,
+	TPM_SHORT,		/* 240 */
+	TPM_UNDEFINED,
+	TPM_MEDIUM,
+};
+
+/* Returns max number of milliseconds to wait */
+static unsigned long tpm_calc_ordinal_duration(struct tpm_chip *chip,
+		u32 ordinal)
+{
+	int duration_idx = TPM_UNDEFINED;
+	int duration = 0;
+
+	if (ordinal < TPM_MAX_ORDINAL) {
+		duration_idx = tpm_ordinal_duration[ordinal];
+	} else if ((ordinal & TPM_PROTECTED_ORDINAL_MASK) <
+			TPM_MAX_PROTECTED_ORDINAL) {
+		duration_idx = tpm_protected_ordinal_duration[
+				ordinal & TPM_PROTECTED_ORDINAL_MASK];
+	}
+
+	if (duration_idx != TPM_UNDEFINED)
+		duration = chip->vendor.duration[duration_idx];
+
+	if (duration <= 0)
+		return 2 * 60 * HZ; /* Two minutes timeout */
+	else
+		return duration;
+}
+
+static ssize_t tpm_transmit(const unsigned char *buf, size_t bufsiz)
+{
+	ssize_t rc;
+	u32 count, ordinal;
+	unsigned long start, stop;
+
+	struct tpm_chip *chip = &g_chip;
+
+	/* switch endianess: big->little */
+	count = get_unaligned_be32(buf + TPM_CMD_COUNT_BYTE);
+	ordinal = get_unaligned_be32(buf + TPM_CMD_ORDINAL_BYTE);
+
+	if (count == 0) {
+		error("no data\n");
+		return -ENODATA;
+	}
+	if (count > bufsiz) {
+		error("invalid count value %x %zx\n", count, bufsiz);
+		return -E2BIG;
+	}
+
+	rc = chip->vendor.send(chip, (u8 *)buf, count);
+	if (rc < 0) {
+		error("tpm_transmit: tpm_send: error %zd\n", rc);
+		goto out;
+	}
+
+	if (chip->vendor.irq)
+		goto out_recv;
+
+	start = get_timer(0);
+	stop = tpm_calc_ordinal_duration(chip, ordinal);
+	do {
+		debug("waiting for status...\n");
+		u8 status = chip->vendor.status(chip);
+		if ((status & chip->vendor.req_complete_mask) ==
+		    chip->vendor.req_complete_val) {
+			debug("...got it;\n");
+			goto out_recv;
+		}
+
+		if ((status == chip->vendor.req_canceled)) {
+			error("Operation Canceled\n");
+			rc = -ECANCELED;
+			goto out;
+		}
+		udelay(TPM_TIMEOUT * 1000);
+	} while (get_timer(start) < stop);
+
+	chip->vendor.cancel(chip);
+	error("Operation Timed out\n");
+	rc = -ETIME;
+	goto out;
+
+out_recv:
+	debug("out_recv: reading response...\n");
+	rc = chip->vendor.recv(chip, (u8 *)buf, TPM_BUFSIZE);
+	if (rc < 0)
+		error("tpm_transmit: tpm_recv: error %zd\n", rc);
+
+out:
+	return rc;
+}
+
+static int tpm_open(uint32_t dev_addr)
+{
+	int rc;
+	if (g_chip.is_open)
+		return -EBUSY;
+	rc = tpm_vendor_init(dev_addr);
+	if (rc < 0)
+		g_chip.is_open = 0;
+	return rc;
+}
+
+static void tpm_close(void)
+{
+	if (g_chip.is_open) {
+		tpm_vendor_cleanup(&g_chip);
+		g_chip.is_open = 0;
+	}
+}
+
+static int tpm_select(void)
+{
+	int ret;
+
+	tpm.old_bus = i2c_get_bus_num();
+	if (tpm.old_bus != tpm.i2c_bus) {
+		ret = i2c_set_bus_num(tpm.i2c_bus);
+		if (ret) {
+			debug("%s: Fail to set i2c bus %d\n", __func__,
+			      tpm.i2c_bus);
+			return -1;
+		}
+	}
+	return 0;
+}
+
+static int tpm_deselect(void)
+{
+	int ret;
+
+	if (tpm.old_bus != i2c_get_bus_num()) {
+		ret = i2c_set_bus_num(tpm.old_bus);
+		if (ret) {
+			debug("%s: Fail to restore i2c bus %d\n",
+			      __func__, tpm.old_bus);
+			return -1;
+		}
+	}
+	tpm.old_bus = -1;
+	return 0;
+}
+
+/**
+ * Decode TPM configuration.
+ *
+ * @param dev	Returns a configuration of TPM device
+ * @return 0 if ok, -1 on error
+ */
+static int tpm_decode_config(struct tpm *dev)
+{
+#ifdef CONFIG_OF_CONTROL
+	const void *blob = gd->fdt_blob;
+	int node, parent;
+	int i2c_bus;
+
+	node = fdtdec_next_compatible(blob, 0, COMPAT_INFINEON_SLB9635_TPM);
+	if (node < 0) {
+		node = fdtdec_next_compatible(blob, 0,
+				COMPAT_INFINEON_SLB9645_TPM);
+	}
+	if (node < 0) {
+		debug("%s: Node not found\n", __func__);
+		return -1;
+	}
+	parent = fdt_parent_offset(blob, node);
+	if (parent < 0) {
+		debug("%s: Cannot find node parent\n", __func__);
+		return -1;
+	}
+	i2c_bus = i2c_get_bus_num_fdt(parent);
+	if (i2c_bus < 0)
+		return -1;
+	dev->i2c_bus = i2c_bus;
+	dev->slave_addr = fdtdec_get_addr(blob, node, "reg");
+#else
+	dev->i2c_bus = CONFIG_TPM_TIS_I2C_BUS_NUMBER;
+	dev->slave_addr = CONFIG_TPM_TIS_I2C_SLAVE_ADDRESS;
+#endif
+	return 0;
+}
+
+struct tpm_chip *tpm_register_hardware(const struct tpm_vendor_specific *entry)
+{
+	struct tpm_chip *chip;
+
+	/* Driver specific per-device data */
+	chip = &g_chip;
+	memcpy(&chip->vendor, entry, sizeof(struct tpm_vendor_specific));
+	chip->is_open = 1;
+
+	return chip;
+}
+
+int tis_init(void)
+{
+	if (tpm.inited)
+		return 0;
+
+	if (tpm_decode_config(&tpm))
+		return -1;
+
+	if (tpm_select())
+		return -1;
+
+	/*
+	 * Probe TPM twice; the first probing might fail because TPM is asleep,
+	 * and the probing can wake up TPM.
+	 */
+	if (i2c_probe(tpm.slave_addr) && i2c_probe(tpm.slave_addr)) {
+		debug("%s: fail to probe i2c addr 0x%x\n", __func__,
+		      tpm.slave_addr);
+		return -1;
+	}
+
+	tpm_deselect();
+
+	tpm.inited = 1;
+
+	return 0;
+}
+
+int tis_open(void)
+{
+	int rc;
+
+	if (!tpm.inited)
+		return -1;
+
+	if (tpm_select())
+		return -1;
+
+	rc = tpm_open(tpm.slave_addr);
+
+	tpm_deselect();
+
+	return rc;
+}
+
+int tis_close(void)
+{
+	if (!tpm.inited)
+		return -1;
+
+	if (tpm_select())
+		return -1;
+
+	tpm_close();
+
+	tpm_deselect();
+
+	return 0;
+}
+
+int tis_sendrecv(const uint8_t *sendbuf, size_t sbuf_size,
+		uint8_t *recvbuf, size_t *rbuf_len)
+{
+	int len;
+	uint8_t buf[4096];
+
+	if (!tpm.inited)
+		return -1;
+
+	if (sizeof(buf) < sbuf_size)
+		return -1;
+
+	memcpy(buf, sendbuf, sbuf_size);
+
+	if (tpm_select())
+		return -1;
+
+	len = tpm_transmit(buf, sbuf_size);
+
+	tpm_deselect();
+
+	if (len < 10) {
+		*rbuf_len = 0;
+		return -1;
+	}
+
+	memcpy(recvbuf, buf, len);
+	*rbuf_len = len;
+
+	return 0;
+}
diff --git a/qemu/roms/u-boot/drivers/tpm/tpm_atmel_twi.c b/qemu/roms/u-boot/drivers/tpm/tpm_atmel_twi.c
new file mode 100644
index 000000000..361a7720f
--- /dev/null
+++ b/qemu/roms/u-boot/drivers/tpm/tpm_atmel_twi.c
@@ -0,0 +1,121 @@
+/*
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#include <common.h>
+#include <tpm.h>
+#include <i2c.h>
+#include <asm/unaligned.h>
+
+#define ATMEL_TPM_TIMEOUT_MS 5000 /* sufficient for anything but
+				     generating/exporting keys */
+
+/*
+ * tis_init()
+ *
+ * Initialize the TPM device. Returns 0 on success or -1 on
+ * failure (in case device probing did not succeed).
+ */
+int tis_init(void)
+{
+	return 0;
+}
+
+/*
+ * tis_open()
+ *
+ * Requests access to locality 0 for the caller. After all commands have been
+ * completed the caller is supposed to call tis_close().
+ *
+ * Returns 0 on success, -1 on failure.
+ */
+int tis_open(void)
+{
+	return 0;
+}
+
+/*
+ * tis_close()
+ *
+ * terminate the currect session with the TPM by releasing the locked
+ * locality. Returns 0 on success of -1 on failure (in case lock
+ * removal did not succeed).
+ */
+int tis_close(void)
+{
+	return 0;
+}
+
+/*
+ * tis_sendrecv()
+ *
+ * Send the requested data to the TPM and then try to get its response
+ *
+ * @sendbuf - buffer of the data to send
+ * @send_size size of the data to send
+ * @recvbuf - memory to save the response to
+ * @recv_len - pointer to the size of the response buffer
+ *
+ * Returns 0 on success (and places the number of response bytes at recv_len)
+ * or -1 on failure.
+ */
+int tis_sendrecv(const uint8_t *sendbuf, size_t send_size, uint8_t *recvbuf,
+			size_t *recv_len)
+{
+	int res;
+	unsigned long start;
+
+#ifdef DEBUG
+	memset(recvbuf, 0xcc, *recv_len);
+	printf("send to TPM (%d bytes, recv_len=%d):\n", send_size, *recv_len);
+	print_buffer(0, (void *)sendbuf, 1, send_size, 0);
+#endif
+
+	res = i2c_write(0x29, 0, 0, (uchar *)sendbuf, send_size);
+	if (res) {
+		printf("i2c_write returned %d\n", res);
+		return -1;
+	}
+
+	start = get_timer(0);
+	while ((res = i2c_read(0x29, 0, 0, recvbuf, 10))) {
+		if (get_timer(start) > ATMEL_TPM_TIMEOUT_MS) {
+			puts("tpm timed out\n");
+			return -1;
+		}
+		udelay(100);
+	}
+	if (!res) {
+		*recv_len = get_unaligned_be32(recvbuf + 2);
+		if (*recv_len > 10)
+			res = i2c_read(0x29, 0, 0, recvbuf, *recv_len);
+	}
+	if (res) {
+		printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len);
+#ifdef DEBUG
+		print_buffer(0, recvbuf, 1, *recv_len, 0);
+#endif
+	}
+
+#ifdef DEBUG
+	if (!res) {
+		printf("read from TPM (%d bytes):\n", *recv_len);
+		print_buffer(0, recvbuf, 1, *recv_len, 0);
+	}
+#endif
+
+	return res;
+}
diff --git a/qemu/roms/u-boot/drivers/tpm/tpm_private.h b/qemu/roms/u-boot/drivers/tpm/tpm_private.h
new file mode 100644
index 000000000..888a074d3
--- /dev/null
+++ b/qemu/roms/u-boot/drivers/tpm/tpm_private.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2011 Infineon Technologies
+ *
+ * Authors:
+ * Peter Huewe <huewe.external@infineon.com>
+ *
+ * Version: 2.1.1
+ *
+ * Description:
+ * Device driver for TCG/TCPA TPM (trusted platform module).
+ * Specifications at www.trustedcomputinggroup.org
+ *
+ * It is based on the Linux kernel driver tpm.c from Leendert van
+ * Dorn, Dave Safford, Reiner Sailer, and Kyleen Hall.
+ *
+ *
+ * See file CREDITS for list of people who contributed to this
+ * project.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#ifndef _TPM_PRIVATE_H_
+#define _TPM_PRIVATE_H_
+
+#include <linux/compiler.h>
+#include <linux/types.h>
+
+enum tpm_timeout {
+	TPM_TIMEOUT = 5,	/* msecs */
+};
+
+/* Size of external transmit buffer (used in tpm_transmit)*/
+#define TPM_BUFSIZE 4096
+
+/* Index of Count field in TPM response buffer */
+#define TPM_RSP_SIZE_BYTE	2
+#define TPM_RSP_RC_BYTE		6
+
+struct tpm_chip;
+
+struct tpm_vendor_specific {
+	const u8 req_complete_mask;
+	const u8 req_complete_val;
+	const u8 req_canceled;
+	int irq;
+	int (*recv) (struct tpm_chip *, u8 *, size_t);
+	int (*send) (struct tpm_chip *, u8 *, size_t);
+	void (*cancel) (struct tpm_chip *);
+	u8(*status) (struct tpm_chip *);
+	int locality;
+	unsigned long timeout_a, timeout_b, timeout_c, timeout_d;  /* msec */
+	unsigned long duration[3];  /* msec */
+};
+
+struct tpm_chip {
+	int is_open;
+	struct tpm_vendor_specific vendor;
+};
+
+struct tpm_input_header {
+	__be16 tag;
+	__be32 length;
+	__be32 ordinal;
+} __packed;
+
+struct tpm_output_header {
+	__be16 tag;
+	__be32 length;
+	__be32 return_code;
+} __packed;
+
+struct timeout_t {
+	__be32 a;
+	__be32 b;
+	__be32 c;
+	__be32 d;
+} __packed;
+
+struct duration_t {
+	__be32 tpm_short;
+	__be32 tpm_medium;
+	__be32 tpm_long;
+} __packed;
+
+union cap_t {
+	struct timeout_t timeout;
+	struct duration_t duration;
+};
+
+struct tpm_getcap_params_in {
+	__be32 cap;
+	__be32 subcap_size;
+	__be32 subcap;
+} __packed;
+
+struct tpm_getcap_params_out {
+	__be32 cap_size;
+	union cap_t cap;
+} __packed;
+
+union tpm_cmd_header {
+	struct tpm_input_header in;
+	struct tpm_output_header out;
+};
+
+union tpm_cmd_params {
+	struct tpm_getcap_params_out getcap_out;
+	struct tpm_getcap_params_in getcap_in;
+};
+
+struct tpm_cmd_t {
+	union tpm_cmd_header header;
+	union tpm_cmd_params params;
+} __packed;
+
+struct tpm_chip *tpm_register_hardware(const struct tpm_vendor_specific *);
+
+int tpm_vendor_init(uint32_t dev_addr);
+
+void tpm_vendor_cleanup(struct tpm_chip *chip);
+
+
+#endif
diff --git a/qemu/roms/u-boot/drivers/tpm/tpm_tis_i2c.c b/qemu/roms/u-boot/drivers/tpm/tpm_tis_i2c.c
new file mode 100644
index 000000000..2dd8501f9
--- /dev/null
+++ b/qemu/roms/u-boot/drivers/tpm/tpm_tis_i2c.c
@@ -0,0 +1,637 @@
+/*
+ * Copyright (C) 2011 Infineon Technologies
+ *
+ * Authors:
+ * Peter Huewe <huewe.external@infineon.com>
+ *
+ * Description:
+ * Device driver for TCG/TCPA TPM (trusted platform module).
+ * Specifications at www.trustedcomputinggroup.org
+ *
+ * This device driver implements the TPM interface as defined in
+ * the TCG TPM Interface Spec version 1.2, revision 1.0 and the
+ * Infineon I2C Protocol Stack Specification v0.20.
+ *
+ * It is based on the Linux kernel driver tpm.c from Leendert van
+ * Dorn, Dave Safford, Reiner Sailer, and Kyleen Hall.
+ *
+ * Version: 2.1.1
+ *
+ * See file CREDITS for list of people who contributed to this
+ * project.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#include <common.h>
+#include <fdtdec.h>
+#include <compiler.h>
+#include <i2c.h>
+#include <tpm.h>
+#include <asm-generic/errno.h>
+#include <linux/types.h>
+#include <linux/unaligned/be_byteshift.h>
+
+#include "tpm_private.h"
+
+DECLARE_GLOBAL_DATA_PTR;
+
+/* Address of the TPM on the I2C bus */
+#define TPM_I2C_ADDR		0x20
+
+/* Max buffer size supported by our tpm */
+#define TPM_DEV_BUFSIZE		1260
+
+/* Max number of iterations after i2c NAK */
+#define MAX_COUNT		3
+
+/*
+ * Max number of iterations after i2c NAK for 'long' commands
+ *
+ * We need this especially for sending TPM_READY, since the cleanup after the
+ * transtion to the ready state may take some time, but it is unpredictable
+ * how long it will take.
+ */
+#define MAX_COUNT_LONG		50
+
+#define SLEEP_DURATION		60	/* in usec */
+#define SLEEP_DURATION_LONG	210	/* in usec */
+
+#define TPM_HEADER_SIZE		10
+
+/*
+ * Expected value for DIDVID register
+ *
+ * The only device the system knows about at this moment is Infineon slb9635.
+ */
+#define TPM_TIS_I2C_DID_VID	0x000b15d1L
+
+enum tis_access {
+	TPM_ACCESS_VALID		= 0x80,
+	TPM_ACCESS_ACTIVE_LOCALITY	= 0x20,
+	TPM_ACCESS_REQUEST_PENDING	= 0x04,
+	TPM_ACCESS_REQUEST_USE		= 0x02,
+};
+
+enum tis_status {
+	TPM_STS_VALID			= 0x80,
+	TPM_STS_COMMAND_READY		= 0x40,
+	TPM_STS_GO			= 0x20,
+	TPM_STS_DATA_AVAIL		= 0x10,
+	TPM_STS_DATA_EXPECT		= 0x08,
+};
+
+enum tis_defaults {
+	TIS_SHORT_TIMEOUT		= 750,	/* ms */
+	TIS_LONG_TIMEOUT		= 2000,	/* ms */
+};
+
+/* expected value for DIDVID register */
+#define TPM_TIS_I2C_DID_VID_9635 0x000b15d1L
+#define TPM_TIS_I2C_DID_VID_9645 0x001a15d1L
+
+enum i2c_chip_type {
+	SLB9635,
+	SLB9645,
+	UNKNOWN,
+};
+
+static const char * const chip_name[] = {
+	[SLB9635] = "slb9635tt",
+	[SLB9645] = "slb9645tt",
+	[UNKNOWN] = "unknown/fallback to slb9635",
+};
+
+#define	TPM_ACCESS(l)			(0x0000 | ((l) << 4))
+#define	TPM_STS(l)			(0x0001 | ((l) << 4))
+#define	TPM_DATA_FIFO(l)		(0x0005 | ((l) << 4))
+#define	TPM_DID_VID(l)			(0x0006 | ((l) << 4))
+
+/* Structure to store I2C TPM specific stuff */
+struct tpm_dev {
+	uint addr;
+	u8 buf[TPM_DEV_BUFSIZE + sizeof(u8)];  /* Max buffer size + addr */
+	enum i2c_chip_type chip_type;
+};
+
+static struct tpm_dev tpm_dev = {
+	.addr = TPM_I2C_ADDR
+};
+
+static struct tpm_dev tpm_dev;
+
+/*
+ * iic_tpm_read() - read from TPM register
+ * @addr: register address to read from
+ * @buffer: provided by caller
+ * @len: number of bytes to read
+ *
+ * Read len bytes from TPM register and put them into
+ * buffer (little-endian format, i.e. first byte is put into buffer[0]).
+ *
+ * NOTE: TPM is big-endian for multi-byte values. Multi-byte
+ * values have to be swapped.
+ *
+ * Return -EIO on error, 0 on success.
+ */
+static int iic_tpm_read(u8 addr, u8 *buffer, size_t len)
+{
+	int rc;
+	int count;
+	uint32_t addrbuf = addr;
+
+	if ((tpm_dev.chip_type == SLB9635) || (tpm_dev.chip_type == UNKNOWN)) {
+		/* slb9635 protocol should work in both cases */
+		for (count = 0; count < MAX_COUNT; count++) {
+			rc = i2c_write(tpm_dev.addr, 0, 0,
+				       (uchar *)&addrbuf, 1);
+			if (rc == 0)
+				break;  /* Success, break to skip sleep */
+			udelay(SLEEP_DURATION);
+		}
+		if (rc)
+			return -rc;
+
+		/* After the TPM has successfully received the register address
+		 * it needs some time, thus we're sleeping here again, before
+		 * retrieving the data
+		 */
+		for (count = 0; count < MAX_COUNT; count++) {
+			udelay(SLEEP_DURATION);
+			rc = i2c_read(tpm_dev.addr, 0, 0, buffer, len);
+			if (rc == 0)
+				break;  /* success, break to skip sleep */
+		}
+	} else {
+		/*
+		 * Use a combined read for newer chips.
+		 * Unfortunately the smbus functions are not suitable due to
+		 * the 32 byte limit of the smbus.
+		 * Retries should usually not be needed, but are kept just to
+		 * be safe on the safe side.
+		 */
+		for (count = 0; count < MAX_COUNT; count++) {
+			rc = i2c_read(tpm_dev.addr, addr, 1, buffer, len);
+			if (rc == 0)
+				break;  /* break here to skip sleep */
+			udelay(SLEEP_DURATION);
+		}
+	}
+
+	/* Take care of 'guard time' */
+	udelay(SLEEP_DURATION);
+	if (rc)
+		return -rc;
+
+	return 0;
+}
+
+static int iic_tpm_write_generic(u8 addr, u8 *buffer, size_t len,
+		unsigned int sleep_time, u8 max_count)
+{
+	int rc = 0;
+	int count;
+
+	/* Prepare send buffer */
+	tpm_dev.buf[0] = addr;
+	memcpy(&(tpm_dev.buf[1]), buffer, len);
+
+	for (count = 0; count < max_count; count++) {
+		rc = i2c_write(tpm_dev.addr, 0, 0, tpm_dev.buf, len + 1);
+		if (rc == 0)
+			break;  /* Success, break to skip sleep */
+		udelay(sleep_time);
+	}
+
+	/* take care of 'guard time' */
+	udelay(SLEEP_DURATION);
+	if (rc)
+		return -rc;
+
+	return 0;
+}
+
+/*
+ * iic_tpm_write() - write to TPM register
+ * @addr: register address to write to
+ * @buffer: containing data to be written
+ * @len: number of bytes to write
+ *
+ * Write len bytes from provided buffer to TPM register (little
+ * endian format, i.e. buffer[0] is written as first byte).
+ *
+ * NOTE: TPM is big-endian for multi-byte values. Multi-byte
+ * values have to be swapped.
+ *
+ * NOTE: use this function instead of the iic_tpm_write_generic function.
+ *
+ * Return -EIO on error, 0 on success
+ */
+static int iic_tpm_write(u8 addr, u8 *buffer, size_t len)
+{
+	return iic_tpm_write_generic(addr, buffer, len, SLEEP_DURATION,
+			MAX_COUNT);
+}
+
+/*
+ * This function is needed especially for the cleanup situation after
+ * sending TPM_READY
+ */
+static int iic_tpm_write_long(u8 addr, u8 *buffer, size_t len)
+{
+	return iic_tpm_write_generic(addr, buffer, len, SLEEP_DURATION_LONG,
+			MAX_COUNT_LONG);
+}
+
+static int check_locality(struct tpm_chip *chip, int loc)
+{
+	const u8 mask = TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID;
+	u8 buf;
+	int rc;
+
+	rc = iic_tpm_read(TPM_ACCESS(loc), &buf, 1);
+	if (rc < 0)
+		return rc;
+
+	if ((buf & mask) == mask) {
+		chip->vendor.locality = loc;
+		return loc;
+	}
+
+	return -1;
+}
+
+static void release_locality(struct tpm_chip *chip, int loc, int force)
+{
+	const u8 mask = TPM_ACCESS_REQUEST_PENDING | TPM_ACCESS_VALID;
+	u8 buf;
+
+	if (iic_tpm_read(TPM_ACCESS(loc), &buf, 1) < 0)
+		return;
+
+	if (force || (buf & mask) == mask) {
+		buf = TPM_ACCESS_ACTIVE_LOCALITY;
+		iic_tpm_write(TPM_ACCESS(loc), &buf, 1);
+	}
+}
+
+static int request_locality(struct tpm_chip *chip, int loc)
+{
+	unsigned long start, stop;
+	u8 buf = TPM_ACCESS_REQUEST_USE;
+
+	if (check_locality(chip, loc) >= 0)
+		return loc;  /* We already have the locality */
+
+	iic_tpm_write(TPM_ACCESS(loc), &buf, 1);
+
+	/* Wait for burstcount */
+	start = get_timer(0);
+	stop = chip->vendor.timeout_a;
+	do {
+		if (check_locality(chip, loc) >= 0)
+			return loc;
+		udelay(TPM_TIMEOUT * 1000);
+	} while (get_timer(start) < stop);
+
+	return -1;
+}
+
+static u8 tpm_tis_i2c_status(struct tpm_chip *chip)
+{
+	/* NOTE: Since i2c read may fail, return 0 in this case --> time-out */
+	u8 buf;
+
+	if (iic_tpm_read(TPM_STS(chip->vendor.locality), &buf, 1) < 0)
+		return 0;
+	else
+		return buf;
+}
+
+static void tpm_tis_i2c_ready(struct tpm_chip *chip)
+{
+	/* This causes the current command to be aborted */
+	u8 buf = TPM_STS_COMMAND_READY;
+
+	iic_tpm_write_long(TPM_STS(chip->vendor.locality), &buf, 1);
+}
+
+static ssize_t get_burstcount(struct tpm_chip *chip)
+{
+	unsigned long start, stop;
+	ssize_t burstcnt;
+	u8 addr, buf[3];
+
+	/* Wait for burstcount */
+	/* XXX: Which timeout value? Spec has 2 answers (c & d) */
+	start = get_timer(0);
+	stop = chip->vendor.timeout_d;
+	do {
+		/* Note: STS is little endian */
+		addr = TPM_STS(chip->vendor.locality) + 1;
+		if (iic_tpm_read(addr, buf, 3) < 0)
+			burstcnt = 0;
+		else
+			burstcnt = (buf[2] << 16) + (buf[1] << 8) + buf[0];
+
+		if (burstcnt)
+			return burstcnt;
+		udelay(TPM_TIMEOUT * 1000);
+	} while (get_timer(start) < stop);
+
+	return -EBUSY;
+}
+
+static int wait_for_stat(struct tpm_chip *chip, u8 mask, unsigned long timeout,
+		int *status)
+{
+	unsigned long start, stop;
+
+	/* Check current status */
+	*status = tpm_tis_i2c_status(chip);
+	if ((*status & mask) == mask)
+		return 0;
+
+	start = get_timer(0);
+	stop = timeout;
+	do {
+		udelay(TPM_TIMEOUT * 1000);
+		*status = tpm_tis_i2c_status(chip);
+		if ((*status & mask) == mask)
+			return 0;
+	} while (get_timer(start) < stop);
+
+	return -ETIME;
+}
+
+static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
+{
+	size_t size = 0;
+	ssize_t burstcnt;
+	int rc;
+
+	while (size < count) {
+		burstcnt = get_burstcount(chip);
+
+		/* burstcount < 0 -> tpm is busy */
+		if (burstcnt < 0)
+			return burstcnt;
+
+		/* Limit received data to max left */
+		if (burstcnt > (count - size))
+			burstcnt = count - size;
+
+		rc = iic_tpm_read(TPM_DATA_FIFO(chip->vendor.locality),
+				&(buf[size]), burstcnt);
+		if (rc == 0)
+			size += burstcnt;
+	}
+
+	return size;
+}
+
+static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+{
+	int size = 0;
+	int expected, status;
+
+	if (count < TPM_HEADER_SIZE) {
+		size = -EIO;
+		goto out;
+	}
+
+	/* Read first 10 bytes, including tag, paramsize, and result */
+	size = recv_data(chip, buf, TPM_HEADER_SIZE);
+	if (size < TPM_HEADER_SIZE) {
+		error("Unable to read header\n");
+		goto out;
+	}
+
+	expected = get_unaligned_be32(buf + TPM_RSP_SIZE_BYTE);
+	if ((size_t)expected > count) {
+		size = -EIO;
+		goto out;
+	}
+
+	size += recv_data(chip, &buf[TPM_HEADER_SIZE],
+			expected - TPM_HEADER_SIZE);
+	if (size < expected) {
+		error("Unable to read remainder of result\n");
+		size = -ETIME;
+		goto out;
+	}
+
+	wait_for_stat(chip, TPM_STS_VALID, chip->vendor.timeout_c, &status);
+	if (status & TPM_STS_DATA_AVAIL) {  /* Retry? */
+		error("Error left over data\n");
+		size = -EIO;
+		goto out;
+	}
+
+out:
+	tpm_tis_i2c_ready(chip);
+	/*
+	 * The TPM needs some time to clean up here,
+	 * so we sleep rather than keeping the bus busy
+	 */
+	udelay(2000);
+	release_locality(chip, chip->vendor.locality, 0);
+
+	return size;
+}
+
+static int tpm_tis_i2c_send(struct tpm_chip *chip, u8 *buf, size_t len)
+{
+	int rc, status;
+	ssize_t burstcnt;
+	size_t count = 0;
+	int retry = 0;
+	u8 sts = TPM_STS_GO;
+
+	if (len > TPM_DEV_BUFSIZE)
+		return -E2BIG;  /* Command is too long for our tpm, sorry */
+
+	if (request_locality(chip, 0) < 0)
+		return -EBUSY;
+
+	status = tpm_tis_i2c_status(chip);
+	if ((status & TPM_STS_COMMAND_READY) == 0) {
+		tpm_tis_i2c_ready(chip);
+		if (wait_for_stat(chip, TPM_STS_COMMAND_READY,
+				  chip->vendor.timeout_b, &status) < 0) {
+			rc = -ETIME;
+			goto out_err;
+		}
+	}
+
+	burstcnt = get_burstcount(chip);
+
+	/* burstcount < 0 -> tpm is busy */
+	if (burstcnt < 0)
+		return burstcnt;
+
+	while (count < len - 1) {
+		if (burstcnt > len - 1 - count)
+			burstcnt = len - 1 - count;
+
+#ifdef CONFIG_TPM_TIS_I2C_BURST_LIMITATION
+		if (retry && burstcnt > CONFIG_TPM_TIS_I2C_BURST_LIMITATION)
+			burstcnt = CONFIG_TPM_TIS_I2C_BURST_LIMITATION;
+#endif /* CONFIG_TPM_TIS_I2C_BURST_LIMITATION */
+
+		rc = iic_tpm_write(TPM_DATA_FIFO(chip->vendor.locality),
+				&(buf[count]), burstcnt);
+		if (rc == 0)
+			count += burstcnt;
+		else {
+			retry++;
+			wait_for_stat(chip, TPM_STS_VALID,
+				      chip->vendor.timeout_c, &status);
+
+			if ((status & TPM_STS_DATA_EXPECT) == 0) {
+				rc = -EIO;
+				goto out_err;
+			}
+		}
+	}
+
+	/* Write last byte */
+	iic_tpm_write(TPM_DATA_FIFO(chip->vendor.locality), &(buf[count]), 1);
+	wait_for_stat(chip, TPM_STS_VALID, chip->vendor.timeout_c, &status);
+	if ((status & TPM_STS_DATA_EXPECT) != 0) {
+		rc = -EIO;
+		goto out_err;
+	}
+
+	/* Go and do it */
+	iic_tpm_write(TPM_STS(chip->vendor.locality), &sts, 1);
+
+	return len;
+
+out_err:
+	tpm_tis_i2c_ready(chip);
+	/*
+	 * The TPM needs some time to clean up here,
+	 * so we sleep rather than keeping the bus busy
+	 */
+	udelay(2000);
+	release_locality(chip, chip->vendor.locality, 0);
+
+	return rc;
+}
+
+static struct tpm_vendor_specific tpm_tis_i2c = {
+	.status = tpm_tis_i2c_status,
+	.recv = tpm_tis_i2c_recv,
+	.send = tpm_tis_i2c_send,
+	.cancel = tpm_tis_i2c_ready,
+	.req_complete_mask = TPM_STS_DATA_AVAIL | TPM_STS_VALID,
+	.req_complete_val = TPM_STS_DATA_AVAIL | TPM_STS_VALID,
+	.req_canceled = TPM_STS_COMMAND_READY,
+};
+
+
+static enum i2c_chip_type tpm_vendor_chip_type(void)
+{
+#ifdef CONFIG_OF_CONTROL
+	const void *blob = gd->fdt_blob;
+
+	if (fdtdec_next_compatible(blob, 0, COMPAT_INFINEON_SLB9645_TPM) >= 0)
+		return SLB9645;
+
+	if (fdtdec_next_compatible(blob, 0, COMPAT_INFINEON_SLB9635_TPM) >= 0)
+		return SLB9635;
+#endif
+	return UNKNOWN;
+}
+
+/* Initialisation of i2c tpm */
+int tpm_vendor_init(uint32_t dev_addr)
+{
+	u32 vendor;
+	u32 expected_did_vid;
+	uint old_addr;
+	int rc = 0;
+	struct tpm_chip *chip;
+
+	old_addr = tpm_dev.addr;
+	if (dev_addr != 0)
+		tpm_dev.addr = dev_addr;
+
+	tpm_dev.chip_type = tpm_vendor_chip_type();
+
+	chip = tpm_register_hardware(&tpm_tis_i2c);
+	if (chip < 0) {
+		rc = -ENODEV;
+		goto out_err;
+	}
+
+	/* Disable interrupts (not supported) */
+	chip->vendor.irq = 0;
+
+	/* Default timeouts */
+	chip->vendor.timeout_a = TIS_SHORT_TIMEOUT;
+	chip->vendor.timeout_b = TIS_LONG_TIMEOUT;
+	chip->vendor.timeout_c = TIS_SHORT_TIMEOUT;
+	chip->vendor.timeout_d = TIS_SHORT_TIMEOUT;
+
+	if (request_locality(chip, 0) < 0) {
+		rc = -ENODEV;
+		goto out_err;
+	}
+
+	/* Read four bytes from DID_VID register */
+	if (iic_tpm_read(TPM_DID_VID(0), (uchar *)&vendor, 4) < 0) {
+		rc = -EIO;
+		goto out_release;
+	}
+
+	if (tpm_dev.chip_type == SLB9635) {
+		vendor = be32_to_cpu(vendor);
+		expected_did_vid = TPM_TIS_I2C_DID_VID_9635;
+	} else {
+		/* device id and byte order has changed for newer i2c tpms */
+		expected_did_vid = TPM_TIS_I2C_DID_VID_9645;
+	}
+
+	if (tpm_dev.chip_type != UNKNOWN && vendor != expected_did_vid) {
+		error("Vendor id did not match! ID was %08x\n", vendor);
+		rc = -ENODEV;
+		goto out_release;
+	}
+
+	debug("1.2 TPM (chip type %s device-id 0x%X)\n",
+	      chip_name[tpm_dev.chip_type], vendor >> 16);
+
+	/*
+	 * A timeout query to TPM can be placed here.
+	 * Standard timeout values are used so far
+	 */
+
+	return 0;
+
+out_release:
+	release_locality(chip, 0, 1);
+
+out_err:
+	tpm_dev.addr = old_addr;
+	return rc;
+}
+
+void tpm_vendor_cleanup(struct tpm_chip *chip)
+{
+	release_locality(chip, chip->vendor.locality, 1);
+}
diff --git a/qemu/roms/u-boot/drivers/tpm/tpm_tis_lpc.c b/qemu/roms/u-boot/drivers/tpm/tpm_tis_lpc.c
new file mode 100644
index 000000000..eecf18cbf
--- /dev/null
+++ b/qemu/roms/u-boot/drivers/tpm/tpm_tis_lpc.c
@@ -0,0 +1,479 @@
+/*
+ * Copyright (c) 2011 The Chromium OS Authors.
+ *
+ * SPDX-License-Identifier:	GPL-2.0+
+ */
+
+/*
+ * The code in this file is based on the article "Writing a TPM Device Driver"
+ * published on http://ptgmedia.pearsoncmg.com.
+ *
+ * One principal difference is that in the simplest config the other than 0
+ * TPM localities do not get mapped by some devices (for instance, by Infineon
+ * slb9635), so this driver provides access to locality 0 only.
+ */
+
+#include <common.h>
+#include <asm/io.h>
+#include <tpm.h>
+
+#define PREFIX "lpc_tpm: "
+
+struct tpm_locality {
+	u32 access;
+	u8 padding0[4];
+	u32 int_enable;
+	u8 vector;
+	u8 padding1[3];
+	u32 int_status;
+	u32 int_capability;
+	u32 tpm_status;
+	u8 padding2[8];
+	u8 data;
+	u8 padding3[3803];
+	u32 did_vid;
+	u8 rid;
+	u8 padding4[251];
+};
+
+/*
+ * This pointer refers to the TPM chip, 5 of its localities are mapped as an
+ * array.
+ */
+#define TPM_TOTAL_LOCALITIES	5
+static struct tpm_locality *lpc_tpm_dev =
+	(struct tpm_locality *)CONFIG_TPM_TIS_BASE_ADDRESS;
+
+/* Some registers' bit field definitions */
+#define TIS_STS_VALID                  (1 << 7) /* 0x80 */
+#define TIS_STS_COMMAND_READY          (1 << 6) /* 0x40 */
+#define TIS_STS_TPM_GO                 (1 << 5) /* 0x20 */
+#define TIS_STS_DATA_AVAILABLE         (1 << 4) /* 0x10 */
+#define TIS_STS_EXPECT                 (1 << 3) /* 0x08 */
+#define TIS_STS_RESPONSE_RETRY         (1 << 1) /* 0x02 */
+
+#define TIS_ACCESS_TPM_REG_VALID_STS   (1 << 7) /* 0x80 */
+#define TIS_ACCESS_ACTIVE_LOCALITY     (1 << 5) /* 0x20 */
+#define TIS_ACCESS_BEEN_SEIZED         (1 << 4) /* 0x10 */
+#define TIS_ACCESS_SEIZE               (1 << 3) /* 0x08 */
+#define TIS_ACCESS_PENDING_REQUEST     (1 << 2) /* 0x04 */
+#define TIS_ACCESS_REQUEST_USE         (1 << 1) /* 0x02 */
+#define TIS_ACCESS_TPM_ESTABLISHMENT   (1 << 0) /* 0x01 */
+
+#define TIS_STS_BURST_COUNT_MASK       (0xffff)
+#define TIS_STS_BURST_COUNT_SHIFT      (8)
+
+/*
+ * Error value returned if a tpm register does not enter the expected state
+ * after continuous polling. No actual TPM register reading ever returns -1,
+ * so this value is a safe error indication to be mixed with possible status
+ * register values.
+ */
+#define TPM_TIMEOUT_ERR			(-1)
+
+/* Error value returned on various TPM driver errors. */
+#define TPM_DRIVER_ERR		(1)
+
+ /* 1 second is plenty for anything TPM does. */
+#define MAX_DELAY_US	(1000 * 1000)
+
+/* Retrieve burst count value out of the status register contents. */
+static u16 burst_count(u32 status)
+{
+	return (status >> TIS_STS_BURST_COUNT_SHIFT) & TIS_STS_BURST_COUNT_MASK;
+}
+
+/*
+ * Structures defined below allow creating descriptions of TPM vendor/device
+ * ID information for run time discovery. The only device the system knows
+ * about at this time is Infineon slb9635.
+ */
+struct device_name {
+	u16 dev_id;
+	const char * const dev_name;
+};
+
+struct vendor_name {
+	u16 vendor_id;
+	const char *vendor_name;
+	const struct device_name *dev_names;
+};
+
+static const struct device_name infineon_devices[] = {
+	{0xb, "SLB9635 TT 1.2"},
+	{0}
+};
+
+static const struct vendor_name vendor_names[] = {
+	{0x15d1, "Infineon", infineon_devices},
+};
+
+/*
+ * Cached vendor/device ID pair to indicate that the device has been already
+ * discovered.
+ */
+static u32 vendor_dev_id;
+
+/* TPM access wrappers to support tracing */
+static u8 tpm_read_byte(const u8 *ptr)
+{
+	u8  ret = readb(ptr);
+	debug(PREFIX "Read reg 0x%4.4x returns 0x%2.2x\n",
+	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, ret);
+	return ret;
+}
+
+static u32 tpm_read_word(const u32 *ptr)
+{
+	u32  ret = readl(ptr);
+	debug(PREFIX "Read reg 0x%4.4x returns 0x%8.8x\n",
+	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, ret);
+	return ret;
+}
+
+static void tpm_write_byte(u8 value, u8 *ptr)
+{
+	debug(PREFIX "Write reg 0x%4.4x with 0x%2.2x\n",
+	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, value);
+	writeb(value, ptr);
+}
+
+static void tpm_write_word(u32 value, u32 *ptr)
+{
+	debug(PREFIX "Write reg 0x%4.4x with 0x%8.8x\n",
+	      (u32)(uintptr_t)ptr - (u32)(uintptr_t)lpc_tpm_dev, value);
+	writel(value, ptr);
+}
+
+/*
+ * tis_wait_reg()
+ *
+ * Wait for at least a second for a register to change its state to match the
+ * expected state. Normally the transition happens within microseconds.
+ *
+ * @reg - pointer to the TPM register
+ * @mask - bitmask for the bitfield(s) to watch
+ * @expected - value the field(s) are supposed to be set to
+ *
+ * Returns the register contents in case the expected value was found in the
+ * appropriate register bits, or TPM_TIMEOUT_ERR on timeout.
+ */
+static u32 tis_wait_reg(u32 *reg, u8 mask, u8 expected)
+{
+	u32 time_us = MAX_DELAY_US;
+
+	while (time_us > 0) {
+		u32 value = tpm_read_word(reg);
+		if ((value & mask) == expected)
+			return value;
+		udelay(1); /* 1 us */
+		time_us--;
+	}
+	return TPM_TIMEOUT_ERR;
+}
+
+/*
+ * Probe the TPM device and try determining its manufacturer/device name.
+ *
+ * Returns 0 on success (the device is found or was found during an earlier
+ * invocation) or TPM_DRIVER_ERR if the device is not found.
+ */
+int tis_init(void)
+{
+	u32 didvid = tpm_read_word(&lpc_tpm_dev[0].did_vid);
+	int i;
+	const char *device_name = "unknown";
+	const char *vendor_name = device_name;
+	u16 vid, did;
+
+	if (vendor_dev_id)
+		return 0;  /* Already probed. */
+
+	if (!didvid || (didvid == 0xffffffff)) {
+		printf("%s: No TPM device found\n", __func__);
+		return TPM_DRIVER_ERR;
+	}
+
+	vendor_dev_id = didvid;
+
+	vid = didvid & 0xffff;
+	did = (didvid >> 16) & 0xffff;
+	for (i = 0; i < ARRAY_SIZE(vendor_names); i++) {
+		int j = 0;
+		u16 known_did;
+
+		if (vid == vendor_names[i].vendor_id)
+			vendor_name = vendor_names[i].vendor_name;
+
+		while ((known_did = vendor_names[i].dev_names[j].dev_id) != 0) {
+			if (known_did == did) {
+				device_name =
+					vendor_names[i].dev_names[j].dev_name;
+				break;
+			}
+			j++;
+		}
+		break;
+	}
+
+	printf("Found TPM %s by %s\n", device_name, vendor_name);
+	return 0;
+}
+
+/*
+ * tis_senddata()
+ *
+ * send the passed in data to the TPM device.
+ *
+ * @data - address of the data to send, byte by byte
+ * @len - length of the data to send
+ *
+ * Returns 0 on success, TPM_DRIVER_ERR on error (in case the device does
+ * not accept the entire command).
+ */
+static u32 tis_senddata(const u8 * const data, u32 len)
+{
+	u32 offset = 0;
+	u16 burst = 0;
+	u32 max_cycles = 0;
+	u8 locality = 0;
+	u32 value;
+
+	value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
+			     TIS_STS_COMMAND_READY, TIS_STS_COMMAND_READY);
+	if (value == TPM_TIMEOUT_ERR) {
+		printf("%s:%d - failed to get 'command_ready' status\n",
+		       __FILE__, __LINE__);
+		return TPM_DRIVER_ERR;
+	}
+	burst = burst_count(value);
+
+	while (1) {
+		unsigned count;
+
+		/* Wait till the device is ready to accept more data. */
+		while (!burst) {
+			if (max_cycles++ == MAX_DELAY_US) {
+				printf("%s:%d failed to feed %d bytes of %d\n",
+				       __FILE__, __LINE__, len - offset, len);
+				return TPM_DRIVER_ERR;
+			}
+			udelay(1);
+			burst = burst_count(tpm_read_word(&lpc_tpm_dev
+						     [locality].tpm_status));
+		}
+
+		max_cycles = 0;
+
+		/*
+		 * Calculate number of bytes the TPM is ready to accept in one
+		 * shot.
+		 *
+		 * We want to send the last byte outside of the loop (hence
+		 * the -1 below) to make sure that the 'expected' status bit
+		 * changes to zero exactly after the last byte is fed into the
+		 * FIFO.
+		 */
+		count = min(burst, len - offset - 1);
+		while (count--)
+			tpm_write_byte(data[offset++],
+				  &lpc_tpm_dev[locality].data);
+
+		value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
+				     TIS_STS_VALID, TIS_STS_VALID);
+
+		if ((value == TPM_TIMEOUT_ERR) || !(value & TIS_STS_EXPECT)) {
+			printf("%s:%d TPM command feed overflow\n",
+			       __FILE__, __LINE__);
+			return TPM_DRIVER_ERR;
+		}
+
+		burst = burst_count(value);
+		if ((offset == (len - 1)) && burst) {
+			/*
+			 * We need to be able to send the last byte to the
+			 * device, so burst size must be nonzero before we
+			 * break out.
+			 */
+			break;
+		}
+	}
+
+	/* Send the last byte. */
+	tpm_write_byte(data[offset++], &lpc_tpm_dev[locality].data);
+	/*
+	 * Verify that TPM does not expect any more data as part of this
+	 * command.
+	 */
+	value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
+			     TIS_STS_VALID, TIS_STS_VALID);
+	if ((value == TPM_TIMEOUT_ERR) || (value & TIS_STS_EXPECT)) {
+		printf("%s:%d unexpected TPM status 0x%x\n",
+		       __FILE__, __LINE__, value);
+		return TPM_DRIVER_ERR;
+	}
+
+	/* OK, sitting pretty, let's start the command execution. */
+	tpm_write_word(TIS_STS_TPM_GO, &lpc_tpm_dev[locality].tpm_status);
+	return 0;
+}
+
+/*
+ * tis_readresponse()
+ *
+ * read the TPM device response after a command was issued.
+ *
+ * @buffer - address where to read the response, byte by byte.
+ * @len - pointer to the size of buffer
+ *
+ * On success stores the number of received bytes to len and returns 0. On
+ * errors (misformatted TPM data or synchronization problems) returns
+ * TPM_DRIVER_ERR.
+ */
+static u32 tis_readresponse(u8 *buffer, u32 *len)
+{
+	u16 burst;
+	u32 value;
+	u32 offset = 0;
+	u8 locality = 0;
+	const u32 has_data = TIS_STS_DATA_AVAILABLE | TIS_STS_VALID;
+	u32 expected_count = *len;
+	int max_cycles = 0;
+
+	/* Wait for the TPM to process the command. */
+	value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
+			      has_data, has_data);
+	if (value == TPM_TIMEOUT_ERR) {
+		printf("%s:%d failed processing command\n",
+		       __FILE__, __LINE__);
+		return TPM_DRIVER_ERR;
+	}
+
+	do {
+		while ((burst = burst_count(value)) == 0) {
+			if (max_cycles++ == MAX_DELAY_US) {
+				printf("%s:%d TPM stuck on read\n",
+				       __FILE__, __LINE__);
+				return TPM_DRIVER_ERR;
+			}
+			udelay(1);
+			value = tpm_read_word(&lpc_tpm_dev
+					      [locality].tpm_status);
+		}
+
+		max_cycles = 0;
+
+		while (burst-- && (offset < expected_count)) {
+			buffer[offset++] = tpm_read_byte(&lpc_tpm_dev
+							 [locality].data);
+
+			if (offset == 6) {
+				/*
+				 * We got the first six bytes of the reply,
+				 * let's figure out how many bytes to expect
+				 * total - it is stored as a 4 byte number in
+				 * network order, starting with offset 2 into
+				 * the body of the reply.
+				 */
+				u32 real_length;
+				memcpy(&real_length,
+				       buffer + 2,
+				       sizeof(real_length));
+				expected_count = be32_to_cpu(real_length);
+
+				if ((expected_count < offset) ||
+				    (expected_count > *len)) {
+					printf("%s:%d bad response size %d\n",
+					       __FILE__, __LINE__,
+					       expected_count);
+					return TPM_DRIVER_ERR;
+				}
+			}
+		}
+
+		/* Wait for the next portion. */
+		value = tis_wait_reg(&lpc_tpm_dev[locality].tpm_status,
+				     TIS_STS_VALID, TIS_STS_VALID);
+		if (value == TPM_TIMEOUT_ERR) {
+			printf("%s:%d failed to read response\n",
+			       __FILE__, __LINE__);
+			return TPM_DRIVER_ERR;
+		}
+
+		if (offset == expected_count)
+			break;	/* We got all we needed. */
+
+	} while ((value & has_data) == has_data);
+
+	/*
+	 * Make sure we indeed read all there was. The TIS_STS_VALID bit is
+	 * known to be set.
+	 */
+	if (value & TIS_STS_DATA_AVAILABLE) {
+		printf("%s:%d wrong receive status %x\n",
+		       __FILE__, __LINE__, value);
+		return TPM_DRIVER_ERR;
+	}
+
+	/* Tell the TPM that we are done. */
+	tpm_write_word(TIS_STS_COMMAND_READY, &lpc_tpm_dev
+		  [locality].tpm_status);
+	*len = offset;
+	return 0;
+}
+
+int tis_open(void)
+{
+	u8 locality = 0; /* we use locality zero for everything. */
+
+	if (tis_close())
+		return TPM_DRIVER_ERR;
+
+	/* now request access to locality. */
+	tpm_write_word(TIS_ACCESS_REQUEST_USE, &lpc_tpm_dev[locality].access);
+
+	/* did we get a lock? */
+	if (tis_wait_reg(&lpc_tpm_dev[locality].access,
+			 TIS_ACCESS_ACTIVE_LOCALITY,
+			 TIS_ACCESS_ACTIVE_LOCALITY) == TPM_TIMEOUT_ERR) {
+		printf("%s:%d - failed to lock locality %d\n",
+		       __FILE__, __LINE__, locality);
+		return TPM_DRIVER_ERR;
+	}
+
+	tpm_write_word(TIS_STS_COMMAND_READY,
+		       &lpc_tpm_dev[locality].tpm_status);
+	return 0;
+}
+
+int tis_close(void)
+{
+	u8 locality = 0;
+
+	if (tpm_read_word(&lpc_tpm_dev[locality].access) &
+	    TIS_ACCESS_ACTIVE_LOCALITY) {
+		tpm_write_word(TIS_ACCESS_ACTIVE_LOCALITY,
+			       &lpc_tpm_dev[locality].access);
+
+		if (tis_wait_reg(&lpc_tpm_dev[locality].access,
+				 TIS_ACCESS_ACTIVE_LOCALITY, 0) ==
+		    TPM_TIMEOUT_ERR) {
+			printf("%s:%d - failed to release locality %d\n",
+			       __FILE__, __LINE__, locality);
+			return TPM_DRIVER_ERR;
+		}
+	}
+	return 0;
+}
+
+int tis_sendrecv(const u8 *sendbuf, size_t send_size,
+		 u8 *recvbuf, size_t *recv_len)
+{
+	if (tis_senddata(sendbuf, send_size)) {
+		printf("%s:%d failed sending data to TPM\n",
+		       __FILE__, __LINE__);
+		return TPM_DRIVER_ERR;
+	}
+
+	return tis_readresponse(recvbuf, (u32 *)recv_len);
+}
diff --git a/qemu/roms/u-boot/drivers/tpm/tpm_tis_sandbox.c b/qemu/roms/u-boot/drivers/tpm/tpm_tis_sandbox.c
new file mode 100644
index 000000000..ed4b03912
--- /dev/null
+++ b/qemu/roms/u-boot/drivers/tpm/tpm_tis_sandbox.c
@@ -0,0 +1,260 @@
+/*
+ * Copyright (c) 2013 Google, Inc
+ *
+ * SPDX-License-Identifier:	GPL-2.0+
+ */
+
+#include <common.h>
+#include <asm/state.h>
+#include <asm/unaligned.h>
+#include <linux/crc8.h>
+
+/* TPM NVRAM location indices. */
+#define FIRMWARE_NV_INDEX		0x1007
+#define KERNEL_NV_INDEX			0x1008
+
+#define NV_DATA_PUBLIC_PERMISSIONS_OFFSET	60
+
+/* Kernel TPM space - KERNEL_NV_INDEX, locked with physical presence */
+#define ROLLBACK_SPACE_KERNEL_VERSION	2
+#define ROLLBACK_SPACE_KERNEL_UID	0x4752574C  /* 'GRWL' */
+
+struct rollback_space_kernel {
+	/* Struct version, for backwards compatibility */
+	uint8_t struct_version;
+	/* Unique ID to detect space redefinition */
+	uint32_t uid;
+	/* Kernel versions */
+	uint32_t kernel_versions;
+	/* Reserved for future expansion */
+	uint8_t reserved[3];
+	/* Checksum (v2 and later only) */
+	uint8_t crc8;
+} __packed rollback_space_kernel;
+
+/*
+ * These numbers derive from adding the sizes of command fields as shown in
+ * the TPM commands manual.
+ */
+#define TPM_REQUEST_HEADER_LENGTH	10
+#define TPM_RESPONSE_HEADER_LENGTH	10
+
+/* These are the different non-volatile spaces that we emulate */
+enum {
+	NV_GLOBAL_LOCK,
+	NV_SEQ_FIRMWARE,
+	NV_SEQ_KERNEL,
+	NV_SEQ_COUNT,
+};
+
+/* Size of each non-volatile space */
+#define NV_DATA_SIZE		0x20
+
+/*
+ * Information about our TPM emulation. This is preserved in the sandbox
+ * state file if enabled.
+ */
+static struct tpm_state {
+	uint8_t nvdata[NV_SEQ_COUNT][NV_DATA_SIZE];
+} state;
+
+/**
+ * sandbox_tpm_read_state() - read the sandbox EC state from the state file
+ *
+ * If data is available, then blob and node will provide access to it. If
+ * not this function sets up an empty TPM.
+ *
+ * @blob: Pointer to device tree blob, or NULL if no data to read
+ * @node: Node offset to read from
+ */
+static int sandbox_tpm_read_state(const void *blob, int node)
+{
+	const char *prop;
+	int len;
+	int i;
+
+	if (!blob)
+		return 0;
+
+	for (i = 0; i < NV_SEQ_COUNT; i++) {
+		char prop_name[20];
+
+		sprintf(prop_name, "nvdata%d", i);
+		prop = fdt_getprop(blob, node, prop_name, &len);
+		if (prop && len == NV_DATA_SIZE)
+			memcpy(state.nvdata[i], prop, NV_DATA_SIZE);
+	}
+
+	return 0;
+}
+
+/**
+ * cros_ec_write_state() - Write out our state to the state file
+ *
+ * The caller will ensure that there is a node ready for the state. The node
+ * may already contain the old state, in which case it is overridden.
+ *
+ * @blob: Device tree blob holding state
+ * @node: Node to write our state into
+ */
+static int sandbox_tpm_write_state(void *blob, int node)
+{
+	int i;
+
+	/*
+	 * We are guaranteed enough space to write basic properties.
+	 * We could use fdt_add_subnode() to put each set of data in its
+	 * own node - perhaps useful if we add access informaiton to each.
+	 */
+	for (i = 0; i < NV_SEQ_COUNT; i++) {
+		char prop_name[20];
+
+		sprintf(prop_name, "nvdata%d", i);
+		fdt_setprop(blob, node, prop_name, state.nvdata[i],
+			    NV_DATA_SIZE);
+	}
+
+	return 0;
+}
+
+SANDBOX_STATE_IO(sandbox_tpm, "google,sandbox-tpm", sandbox_tpm_read_state,
+		 sandbox_tpm_write_state);
+
+static int index_to_seq(uint32_t index)
+{
+	switch (index) {
+	case FIRMWARE_NV_INDEX:
+		return NV_SEQ_FIRMWARE;
+	case KERNEL_NV_INDEX:
+		return NV_SEQ_KERNEL;
+	case 0:
+		return NV_GLOBAL_LOCK;
+	}
+
+	printf("Invalid nv index %#x\n", index);
+	return -1;
+}
+
+int tis_sendrecv(const u8 *sendbuf, size_t send_size,
+		 u8 *recvbuf, size_t *recv_len)
+{
+	struct tpm_state *tpm = &state;
+	uint32_t code, index, length, type;
+	uint8_t *data;
+	int seq;
+
+	code = get_unaligned_be32(sendbuf + sizeof(uint16_t) +
+				  sizeof(uint32_t));
+	printf("tpm: %zd bytes, recv_len %zd, cmd = %x\n", send_size,
+	       *recv_len, code);
+	print_buffer(0, sendbuf, 1, send_size, 0);
+	switch (code) {
+	case 0x65: /* get flags */
+		type = get_unaligned_be32(sendbuf + 14);
+		switch (type) {
+		case 4:
+			index = get_unaligned_be32(sendbuf + 18);
+			printf("Get flags index %#02x\n", index);
+			*recv_len = 22;
+			memset(recvbuf, '\0', *recv_len);
+			put_unaligned_be32(22, recvbuf +
+					   TPM_RESPONSE_HEADER_LENGTH);
+			data = recvbuf + TPM_RESPONSE_HEADER_LENGTH +
+					sizeof(uint32_t);
+			switch (index) {
+			case FIRMWARE_NV_INDEX:
+				break;
+			case KERNEL_NV_INDEX:
+				/* TPM_NV_PER_PPWRITE */
+				put_unaligned_be32(1, data +
+					NV_DATA_PUBLIC_PERMISSIONS_OFFSET);
+				break;
+			}
+			break;
+		case 0x11: /* TPM_CAP_NV_INDEX */
+			index = get_unaligned_be32(sendbuf + 18);
+			printf("Get cap nv index %#02x\n", index);
+			put_unaligned_be32(22, recvbuf +
+					   TPM_RESPONSE_HEADER_LENGTH);
+			break;
+		default:
+			printf("   ** Unknown 0x65 command type %#02x\n",
+			       type);
+			return -1;
+		}
+		break;
+	case 0xcd: /* nvwrite */
+		index = get_unaligned_be32(sendbuf + 10);
+		length = get_unaligned_be32(sendbuf + 18);
+		seq = index_to_seq(index);
+		if (seq < 0)
+			return -1;
+		printf("tpm: nvwrite index=%#02x, len=%#02x\n", index, length);
+		memcpy(&tpm->nvdata[seq], sendbuf + 22, length);
+		*recv_len = 12;
+		memset(recvbuf, '\0', *recv_len);
+		break;
+	case 0xcf: /* nvread */
+		index = get_unaligned_be32(sendbuf + 10);
+		length = get_unaligned_be32(sendbuf + 18);
+		seq = index_to_seq(index);
+		if (seq < 0)
+			return -1;
+		printf("tpm: nvread index=%#02x, len=%#02x\n", index, length);
+		*recv_len = TPM_RESPONSE_HEADER_LENGTH + sizeof(uint32_t) +
+					length;
+		memset(recvbuf, '\0', *recv_len);
+		put_unaligned_be32(length, recvbuf +
+				   TPM_RESPONSE_HEADER_LENGTH);
+		if (seq == NV_SEQ_KERNEL) {
+			struct rollback_space_kernel rsk;
+
+			data = recvbuf + TPM_RESPONSE_HEADER_LENGTH +
+					sizeof(uint32_t);
+			rsk.struct_version = 2;
+			rsk.uid = ROLLBACK_SPACE_KERNEL_UID;
+			rsk.kernel_versions = 0;
+			rsk.crc8 = crc8((unsigned char *)&rsk,
+					offsetof(struct rollback_space_kernel,
+						 crc8));
+			memcpy(data, &rsk, sizeof(rsk));
+		} else {
+			memcpy(recvbuf + TPM_RESPONSE_HEADER_LENGTH +
+			       sizeof(uint32_t), &tpm->nvdata[seq], length);
+		}
+		break;
+	case 0x14: /* tpm extend */
+	case 0x15: /* pcr read */
+	case 0x5d: /* force clear */
+	case 0x6f: /* physical enable */
+	case 0x72: /* physical set deactivated */
+	case 0x99: /* startup */
+	case 0x4000000a:  /* assert physical presence */
+		*recv_len = 12;
+		memset(recvbuf, '\0', *recv_len);
+		break;
+	default:
+		printf("Unknown tpm command %02x\n", code);
+		return -1;
+	}
+
+	return 0;
+}
+
+int tis_open(void)
+{
+	printf("%s\n", __func__);
+	return 0;
+}
+
+int tis_close(void)
+{
+	printf("%s\n", __func__);
+	return 0;
+}
+
+int tis_init(void)
+{
+	printf("%s\n", __func__);
+	return 0;
+}