1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * Bluetooth support for Intel devices 5 * 6 * Copyright (C) 2015 Intel Corporation 7 */ 8 9 #include <linux/module.h> 10 #include <linux/firmware.h> 11 #include <linux/regmap.h> 12 #include <linux/string_choices.h> 13 #include <linux/acpi.h> 14 #include <acpi/acpi_bus.h> 15 #include <linux/unaligned.h> 16 #include <linux/efi.h> 17 18 #include <net/bluetooth/bluetooth.h> 19 #include <net/bluetooth/hci_core.h> 20 21 #include "btintel.h" 22 23 #define VERSION "0.1" 24 25 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 26 #define RSA_HEADER_LEN 644 27 #define CSS_HEADER_OFFSET 8 28 #define ECDSA_OFFSET 644 29 #define ECDSA_HEADER_LEN 320 30 31 #define BTINTEL_EFI_DSBR L"UefiCnvCommonDSBR" 32 33 enum { 34 DSM_SET_WDISABLE2_DELAY = 1, 35 DSM_SET_RESET_METHOD = 3, 36 }; 37 38 #define BTINTEL_BT_DOMAIN 0x12 39 #define BTINTEL_SAR_LEGACY 0 40 #define BTINTEL_SAR_INC_PWR 1 41 #define BTINTEL_SAR_INC_PWR_SUPPORTED 0 42 43 #define CMD_WRITE_BOOT_PARAMS 0xfc0e 44 struct cmd_write_boot_params { 45 __le32 boot_addr; 46 u8 fw_build_num; 47 u8 fw_build_ww; 48 u8 fw_build_yy; 49 } __packed; 50 51 static struct { 52 const char *driver_name; 53 u8 hw_variant; 54 u32 fw_build_num; 55 } coredump_info; 56 57 static const guid_t btintel_guid_dsm = 58 GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233, 59 0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9); 60 61 int btintel_check_bdaddr(struct hci_dev *hdev) 62 { 63 struct hci_rp_read_bd_addr *bda; 64 struct sk_buff *skb; 65 66 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 67 HCI_INIT_TIMEOUT); 68 if (IS_ERR(skb)) { 69 int err = PTR_ERR(skb); 70 bt_dev_err(hdev, "Reading Intel device address failed (%d)", 71 err); 72 return err; 73 } 74 75 if (skb->len != sizeof(*bda)) { 76 bt_dev_err(hdev, "Intel device address length mismatch"); 77 kfree_skb(skb); 78 return -EIO; 79 } 80 81 bda = (struct hci_rp_read_bd_addr *)skb->data; 82 83 /* For some Intel based controllers, the default Bluetooth device 84 * address 00:03:19:9E:8B:00 can be found. These controllers are 85 * fully operational, but have the danger of duplicate addresses 86 * and that in turn can cause problems with Bluetooth operation. 87 */ 88 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) { 89 bt_dev_err(hdev, "Found Intel default device address (%pMR)", 90 &bda->bdaddr); 91 hci_set_quirk(hdev, HCI_QUIRK_INVALID_BDADDR); 92 } 93 94 kfree_skb(skb); 95 96 return 0; 97 } 98 EXPORT_SYMBOL_GPL(btintel_check_bdaddr); 99 100 int btintel_enter_mfg(struct hci_dev *hdev) 101 { 102 static const u8 param[] = { 0x01, 0x00 }; 103 struct sk_buff *skb; 104 105 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 106 if (IS_ERR(skb)) { 107 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)", 108 PTR_ERR(skb)); 109 return PTR_ERR(skb); 110 } 111 kfree_skb(skb); 112 113 return 0; 114 } 115 EXPORT_SYMBOL_GPL(btintel_enter_mfg); 116 117 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched) 118 { 119 u8 param[] = { 0x00, 0x00 }; 120 struct sk_buff *skb; 121 122 /* The 2nd command parameter specifies the manufacturing exit method: 123 * 0x00: Just disable the manufacturing mode (0x00). 124 * 0x01: Disable manufacturing mode and reset with patches deactivated. 125 * 0x02: Disable manufacturing mode and reset with patches activated. 126 */ 127 if (reset) 128 param[1] |= patched ? 0x02 : 0x01; 129 130 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 131 if (IS_ERR(skb)) { 132 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)", 133 PTR_ERR(skb)); 134 return PTR_ERR(skb); 135 } 136 kfree_skb(skb); 137 138 return 0; 139 } 140 EXPORT_SYMBOL_GPL(btintel_exit_mfg); 141 142 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 143 { 144 struct sk_buff *skb; 145 int err; 146 147 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 148 if (IS_ERR(skb)) { 149 err = PTR_ERR(skb); 150 bt_dev_err(hdev, "Changing Intel device address failed (%d)", 151 err); 152 return err; 153 } 154 kfree_skb(skb); 155 156 return 0; 157 } 158 EXPORT_SYMBOL_GPL(btintel_set_bdaddr); 159 160 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug) 161 { 162 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 163 struct sk_buff *skb; 164 int err; 165 166 if (debug) 167 mask[1] |= 0x62; 168 169 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT); 170 if (IS_ERR(skb)) { 171 err = PTR_ERR(skb); 172 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err); 173 return err; 174 } 175 kfree_skb(skb); 176 177 return 0; 178 } 179 180 int btintel_set_diag(struct hci_dev *hdev, bool enable) 181 { 182 struct sk_buff *skb; 183 u8 param[3]; 184 int err; 185 186 if (enable) { 187 param[0] = 0x03; 188 param[1] = 0x03; 189 param[2] = 0x03; 190 } else { 191 param[0] = 0x00; 192 param[1] = 0x00; 193 param[2] = 0x00; 194 } 195 196 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT); 197 if (IS_ERR(skb)) { 198 err = PTR_ERR(skb); 199 if (err == -ENODATA) 200 goto done; 201 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)", 202 err); 203 return err; 204 } 205 kfree_skb(skb); 206 207 done: 208 btintel_set_event_mask(hdev, enable); 209 return 0; 210 } 211 EXPORT_SYMBOL_GPL(btintel_set_diag); 212 213 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable) 214 { 215 int err, ret; 216 217 err = btintel_enter_mfg(hdev); 218 if (err) 219 return err; 220 221 ret = btintel_set_diag(hdev, enable); 222 223 err = btintel_exit_mfg(hdev, false, false); 224 if (err) 225 return err; 226 227 return ret; 228 } 229 230 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable) 231 { 232 int ret; 233 234 /* Legacy ROM device needs to be in the manufacturer mode to apply 235 * diagnostic setting 236 * 237 * This flag is set after reading the Intel version. 238 */ 239 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY)) 240 ret = btintel_set_diag_mfg(hdev, enable); 241 else 242 ret = btintel_set_diag(hdev, enable); 243 244 return ret; 245 } 246 247 void btintel_hw_error(struct hci_dev *hdev, u8 code) 248 { 249 struct sk_buff *skb; 250 u8 type = 0x00; 251 252 bt_dev_err(hdev, "Hardware error 0x%2.2x", code); 253 254 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 255 if (IS_ERR(skb)) { 256 bt_dev_err(hdev, "Reset after hardware error failed (%ld)", 257 PTR_ERR(skb)); 258 return; 259 } 260 kfree_skb(skb); 261 262 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 263 if (IS_ERR(skb)) { 264 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)", 265 PTR_ERR(skb)); 266 return; 267 } 268 269 if (skb->len != 13) { 270 bt_dev_err(hdev, "Exception info size mismatch"); 271 kfree_skb(skb); 272 return; 273 } 274 275 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1)); 276 277 kfree_skb(skb); 278 } 279 EXPORT_SYMBOL_GPL(btintel_hw_error); 280 281 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver) 282 { 283 const char *variant; 284 285 /* The hardware platform number has a fixed value of 0x37 and 286 * for now only accept this single value. 287 */ 288 if (ver->hw_platform != 0x37) { 289 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)", 290 ver->hw_platform); 291 return -EINVAL; 292 } 293 294 /* Check for supported iBT hardware variants of this firmware 295 * loading method. 296 * 297 * This check has been put in place to ensure correct forward 298 * compatibility options when newer hardware variants come along. 299 */ 300 switch (ver->hw_variant) { 301 case 0x07: /* WP - Legacy ROM */ 302 case 0x08: /* StP - Legacy ROM */ 303 case 0x0b: /* SfP */ 304 case 0x0c: /* WsP */ 305 case 0x11: /* JfP */ 306 case 0x12: /* ThP */ 307 case 0x13: /* HrP */ 308 case 0x14: /* CcP */ 309 break; 310 default: 311 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)", 312 ver->hw_variant); 313 return -EINVAL; 314 } 315 316 switch (ver->fw_variant) { 317 case 0x01: 318 variant = "Legacy ROM 2.5"; 319 break; 320 case 0x06: 321 variant = "Bootloader"; 322 break; 323 case 0x22: 324 variant = "Legacy ROM 2.x"; 325 break; 326 case 0x23: 327 variant = "Firmware"; 328 break; 329 default: 330 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant); 331 return -EINVAL; 332 } 333 334 coredump_info.hw_variant = ver->hw_variant; 335 coredump_info.fw_build_num = ver->fw_build_num; 336 337 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u", 338 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 339 ver->fw_build_num, ver->fw_build_ww, 340 2000 + ver->fw_build_yy); 341 342 return 0; 343 } 344 EXPORT_SYMBOL_GPL(btintel_version_info); 345 346 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen, 347 const void *param) 348 { 349 while (plen > 0) { 350 struct sk_buff *skb; 351 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 352 353 cmd_param[0] = fragment_type; 354 memcpy(cmd_param + 1, param, fragment_len); 355 356 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 357 cmd_param, HCI_INIT_TIMEOUT); 358 if (IS_ERR(skb)) 359 return PTR_ERR(skb); 360 361 kfree_skb(skb); 362 363 plen -= fragment_len; 364 param += fragment_len; 365 } 366 367 return 0; 368 } 369 370 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name) 371 { 372 const struct firmware *fw; 373 struct sk_buff *skb; 374 const u8 *fw_ptr; 375 int err; 376 377 err = request_firmware_direct(&fw, ddc_name, &hdev->dev); 378 if (err < 0) { 379 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)", 380 ddc_name, err); 381 return err; 382 } 383 384 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name); 385 386 fw_ptr = fw->data; 387 388 /* DDC file contains one or more DDC structure which has 389 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 390 */ 391 while (fw->size > fw_ptr - fw->data) { 392 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 393 394 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 395 HCI_INIT_TIMEOUT); 396 if (IS_ERR(skb)) { 397 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)", 398 PTR_ERR(skb)); 399 release_firmware(fw); 400 return PTR_ERR(skb); 401 } 402 403 fw_ptr += cmd_plen; 404 kfree_skb(skb); 405 } 406 407 release_firmware(fw); 408 409 bt_dev_info(hdev, "Applying Intel DDC parameters completed"); 410 411 return 0; 412 } 413 EXPORT_SYMBOL_GPL(btintel_load_ddc_config); 414 415 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug) 416 { 417 int err, ret; 418 419 err = btintel_enter_mfg(hdev); 420 if (err) 421 return err; 422 423 ret = btintel_set_event_mask(hdev, debug); 424 425 err = btintel_exit_mfg(hdev, false, false); 426 if (err) 427 return err; 428 429 return ret; 430 } 431 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg); 432 433 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) 434 { 435 struct sk_buff *skb; 436 437 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); 438 if (IS_ERR(skb)) { 439 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 440 PTR_ERR(skb)); 441 return PTR_ERR(skb); 442 } 443 444 if (!skb || skb->len != sizeof(*ver)) { 445 bt_dev_err(hdev, "Intel version event size mismatch"); 446 kfree_skb(skb); 447 return -EILSEQ; 448 } 449 450 memcpy(ver, skb->data, sizeof(*ver)); 451 452 kfree_skb(skb); 453 454 return 0; 455 } 456 EXPORT_SYMBOL_GPL(btintel_read_version); 457 458 int btintel_version_info_tlv(struct hci_dev *hdev, 459 struct intel_version_tlv *version) 460 { 461 const char *variant; 462 463 /* The hardware platform number has a fixed value of 0x37 and 464 * for now only accept this single value. 465 */ 466 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) { 467 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 468 INTEL_HW_PLATFORM(version->cnvi_bt)); 469 return -EINVAL; 470 } 471 472 /* Check for supported iBT hardware variants of this firmware 473 * loading method. 474 * 475 * This check has been put in place to ensure correct forward 476 * compatibility options when newer hardware variants come along. 477 */ 478 switch (INTEL_HW_VARIANT(version->cnvi_bt)) { 479 case 0x17: /* TyP */ 480 case 0x18: /* Slr */ 481 case 0x19: /* Slr-F */ 482 case 0x1b: /* Mgr */ 483 case 0x1c: /* Gale Peak (GaP) */ 484 case 0x1d: /* BlazarU (BzrU) */ 485 case 0x1e: /* BlazarI (Bzr) */ 486 case 0x1f: /* Scorpious Peak */ 487 case 0x22: /* BlazarIW (BzrIW) */ 488 break; 489 default: 490 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)", 491 INTEL_HW_VARIANT(version->cnvi_bt)); 492 return -EINVAL; 493 } 494 495 switch (version->img_type) { 496 case BTINTEL_IMG_BOOTLOADER: 497 variant = "Bootloader"; 498 /* It is required that every single firmware fragment is acknowledged 499 * with a command complete event. If the boot parameters indicate 500 * that this bootloader does not send them, then abort the setup. 501 */ 502 if (version->limited_cce != 0x00) { 503 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)", 504 version->limited_cce); 505 return -EINVAL; 506 } 507 508 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */ 509 if (version->sbe_type > 0x01) { 510 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)", 511 version->sbe_type); 512 return -EINVAL; 513 } 514 515 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id); 516 bt_dev_info(hdev, "Secure boot is %s", 517 str_enabled_disabled(version->secure_boot)); 518 bt_dev_info(hdev, "OTP lock is %s", 519 str_enabled_disabled(version->otp_lock)); 520 bt_dev_info(hdev, "API lock is %s", 521 str_enabled_disabled(version->api_lock)); 522 bt_dev_info(hdev, "Debug lock is %s", 523 str_enabled_disabled(version->debug_lock)); 524 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 525 version->min_fw_build_nn, version->min_fw_build_cw, 526 2000 + version->min_fw_build_yy); 527 break; 528 case BTINTEL_IMG_IML: 529 variant = "Intermediate loader"; 530 break; 531 case BTINTEL_IMG_OP: 532 variant = "Firmware"; 533 break; 534 default: 535 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type); 536 return -EINVAL; 537 } 538 539 coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt); 540 coredump_info.fw_build_num = version->build_num; 541 542 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant, 543 2000 + (version->timestamp >> 8), version->timestamp & 0xff, 544 version->build_type, version->build_num); 545 if (version->img_type == BTINTEL_IMG_OP) 546 bt_dev_info(hdev, "Firmware SHA1: 0x%8.8x", version->git_sha1); 547 548 return 0; 549 } 550 EXPORT_SYMBOL_GPL(btintel_version_info_tlv); 551 552 int btintel_parse_version_tlv(struct hci_dev *hdev, 553 struct intel_version_tlv *version, 554 struct sk_buff *skb) 555 { 556 /* Consume Command Complete Status field */ 557 skb_pull(skb, 1); 558 559 /* Event parameters contain multiple TLVs. Read each of them 560 * and only keep the required data. Also, it use existing legacy 561 * version field like hw_platform, hw_variant, and fw_variant 562 * to keep the existing setup flow 563 */ 564 while (skb->len) { 565 struct intel_tlv *tlv; 566 567 /* Make sure skb has a minimum length of the header */ 568 if (skb->len < sizeof(*tlv)) 569 return -EINVAL; 570 571 tlv = (struct intel_tlv *)skb->data; 572 573 /* Make sure skb has a enough data */ 574 if (skb->len < tlv->len + sizeof(*tlv)) 575 return -EINVAL; 576 577 switch (tlv->type) { 578 case INTEL_TLV_CNVI_TOP: 579 version->cnvi_top = get_unaligned_le32(tlv->val); 580 break; 581 case INTEL_TLV_CNVR_TOP: 582 version->cnvr_top = get_unaligned_le32(tlv->val); 583 break; 584 case INTEL_TLV_CNVI_BT: 585 version->cnvi_bt = get_unaligned_le32(tlv->val); 586 break; 587 case INTEL_TLV_CNVR_BT: 588 version->cnvr_bt = get_unaligned_le32(tlv->val); 589 break; 590 case INTEL_TLV_DEV_REV_ID: 591 version->dev_rev_id = get_unaligned_le16(tlv->val); 592 break; 593 case INTEL_TLV_IMAGE_TYPE: 594 version->img_type = tlv->val[0]; 595 break; 596 case INTEL_TLV_TIME_STAMP: 597 /* If image type is Operational firmware (0x03), then 598 * running FW Calendar Week and Year information can 599 * be extracted from Timestamp information 600 */ 601 version->min_fw_build_cw = tlv->val[0]; 602 version->min_fw_build_yy = tlv->val[1]; 603 version->timestamp = get_unaligned_le16(tlv->val); 604 break; 605 case INTEL_TLV_BUILD_TYPE: 606 version->build_type = tlv->val[0]; 607 break; 608 case INTEL_TLV_BUILD_NUM: 609 /* If image type is Operational firmware (0x03), then 610 * running FW build number can be extracted from the 611 * Build information 612 */ 613 version->min_fw_build_nn = tlv->val[0]; 614 version->build_num = get_unaligned_le32(tlv->val); 615 break; 616 case INTEL_TLV_SECURE_BOOT: 617 version->secure_boot = tlv->val[0]; 618 break; 619 case INTEL_TLV_OTP_LOCK: 620 version->otp_lock = tlv->val[0]; 621 break; 622 case INTEL_TLV_API_LOCK: 623 version->api_lock = tlv->val[0]; 624 break; 625 case INTEL_TLV_DEBUG_LOCK: 626 version->debug_lock = tlv->val[0]; 627 break; 628 case INTEL_TLV_MIN_FW: 629 version->min_fw_build_nn = tlv->val[0]; 630 version->min_fw_build_cw = tlv->val[1]; 631 version->min_fw_build_yy = tlv->val[2]; 632 break; 633 case INTEL_TLV_LIMITED_CCE: 634 version->limited_cce = tlv->val[0]; 635 break; 636 case INTEL_TLV_SBE_TYPE: 637 version->sbe_type = tlv->val[0]; 638 break; 639 case INTEL_TLV_OTP_BDADDR: 640 memcpy(&version->otp_bd_addr, tlv->val, 641 sizeof(bdaddr_t)); 642 break; 643 case INTEL_TLV_GIT_SHA1: 644 version->git_sha1 = get_unaligned_le32(tlv->val); 645 break; 646 case INTEL_TLV_FW_ID: 647 snprintf(version->fw_id, sizeof(version->fw_id), 648 "%s", tlv->val); 649 break; 650 default: 651 /* Ignore rest of information */ 652 break; 653 } 654 /* consume the current tlv and move to next*/ 655 skb_pull(skb, tlv->len + sizeof(*tlv)); 656 } 657 658 return 0; 659 } 660 EXPORT_SYMBOL_GPL(btintel_parse_version_tlv); 661 662 static int btintel_read_version_tlv(struct hci_dev *hdev, 663 struct intel_version_tlv *version) 664 { 665 struct sk_buff *skb; 666 const u8 param[1] = { 0xFF }; 667 668 if (!version) 669 return -EINVAL; 670 671 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 672 if (IS_ERR(skb)) { 673 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 674 PTR_ERR(skb)); 675 return PTR_ERR(skb); 676 } 677 678 if (skb->data[0]) { 679 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 680 skb->data[0]); 681 kfree_skb(skb); 682 return -EIO; 683 } 684 685 btintel_parse_version_tlv(hdev, version, skb); 686 687 kfree_skb(skb); 688 return 0; 689 } 690 691 /* ------- REGMAP IBT SUPPORT ------- */ 692 693 #define IBT_REG_MODE_8BIT 0x00 694 #define IBT_REG_MODE_16BIT 0x01 695 #define IBT_REG_MODE_32BIT 0x02 696 697 struct regmap_ibt_context { 698 struct hci_dev *hdev; 699 __u16 op_write; 700 __u16 op_read; 701 }; 702 703 struct ibt_cp_reg_access { 704 __le32 addr; 705 __u8 mode; 706 __u8 len; 707 __u8 data[]; 708 } __packed; 709 710 struct ibt_rp_reg_access { 711 __u8 status; 712 __le32 addr; 713 __u8 data[]; 714 } __packed; 715 716 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size, 717 void *val, size_t val_size) 718 { 719 struct regmap_ibt_context *ctx = context; 720 struct ibt_cp_reg_access cp; 721 struct ibt_rp_reg_access *rp; 722 struct sk_buff *skb; 723 int err = 0; 724 725 if (reg_size != sizeof(__le32)) 726 return -EINVAL; 727 728 switch (val_size) { 729 case 1: 730 cp.mode = IBT_REG_MODE_8BIT; 731 break; 732 case 2: 733 cp.mode = IBT_REG_MODE_16BIT; 734 break; 735 case 4: 736 cp.mode = IBT_REG_MODE_32BIT; 737 break; 738 default: 739 return -EINVAL; 740 } 741 742 /* regmap provides a little-endian formatted addr */ 743 cp.addr = *(__le32 *)addr; 744 cp.len = val_size; 745 746 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr)); 747 748 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp, 749 HCI_CMD_TIMEOUT); 750 if (IS_ERR(skb)) { 751 err = PTR_ERR(skb); 752 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)", 753 le32_to_cpu(cp.addr), err); 754 return err; 755 } 756 757 if (skb->len != sizeof(*rp) + val_size) { 758 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len", 759 le32_to_cpu(cp.addr)); 760 err = -EINVAL; 761 goto done; 762 } 763 764 rp = (struct ibt_rp_reg_access *)skb->data; 765 766 if (rp->addr != cp.addr) { 767 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr", 768 le32_to_cpu(rp->addr)); 769 err = -EINVAL; 770 goto done; 771 } 772 773 memcpy(val, rp->data, val_size); 774 775 done: 776 kfree_skb(skb); 777 return err; 778 } 779 780 static int regmap_ibt_gather_write(void *context, 781 const void *addr, size_t reg_size, 782 const void *val, size_t val_size) 783 { 784 struct regmap_ibt_context *ctx = context; 785 struct ibt_cp_reg_access *cp; 786 struct sk_buff *skb; 787 int plen = sizeof(*cp) + val_size; 788 u8 mode; 789 int err = 0; 790 791 if (reg_size != sizeof(__le32)) 792 return -EINVAL; 793 794 switch (val_size) { 795 case 1: 796 mode = IBT_REG_MODE_8BIT; 797 break; 798 case 2: 799 mode = IBT_REG_MODE_16BIT; 800 break; 801 case 4: 802 mode = IBT_REG_MODE_32BIT; 803 break; 804 default: 805 return -EINVAL; 806 } 807 808 cp = kmalloc(plen, GFP_KERNEL); 809 if (!cp) 810 return -ENOMEM; 811 812 /* regmap provides a little-endian formatted addr/value */ 813 cp->addr = *(__le32 *)addr; 814 cp->mode = mode; 815 cp->len = val_size; 816 memcpy(&cp->data, val, val_size); 817 818 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr)); 819 820 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT); 821 if (IS_ERR(skb)) { 822 err = PTR_ERR(skb); 823 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)", 824 le32_to_cpu(cp->addr), err); 825 goto done; 826 } 827 kfree_skb(skb); 828 829 done: 830 kfree(cp); 831 return err; 832 } 833 834 static int regmap_ibt_write(void *context, const void *data, size_t count) 835 { 836 /* data contains register+value, since we only support 32bit addr, 837 * minimum data size is 4 bytes. 838 */ 839 if (WARN_ONCE(count < 4, "Invalid register access")) 840 return -EINVAL; 841 842 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4); 843 } 844 845 static void regmap_ibt_free_context(void *context) 846 { 847 kfree(context); 848 } 849 850 static const struct regmap_bus regmap_ibt = { 851 .read = regmap_ibt_read, 852 .write = regmap_ibt_write, 853 .gather_write = regmap_ibt_gather_write, 854 .free_context = regmap_ibt_free_context, 855 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE, 856 .val_format_endian_default = REGMAP_ENDIAN_LITTLE, 857 }; 858 859 /* Config is the same for all register regions */ 860 static const struct regmap_config regmap_ibt_cfg = { 861 .name = "btintel_regmap", 862 .reg_bits = 32, 863 .val_bits = 32, 864 }; 865 866 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read, 867 u16 opcode_write) 868 { 869 struct regmap_ibt_context *ctx; 870 871 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read, 872 opcode_write); 873 874 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 875 if (!ctx) 876 return ERR_PTR(-ENOMEM); 877 878 ctx->op_read = opcode_read; 879 ctx->op_write = opcode_write; 880 ctx->hdev = hdev; 881 882 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg); 883 } 884 EXPORT_SYMBOL_GPL(btintel_regmap_init); 885 886 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param) 887 { 888 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 }; 889 struct sk_buff *skb; 890 891 params.boot_param = cpu_to_le32(boot_param); 892 893 skb = __hci_cmd_sync(hdev, BTINTEL_HCI_OP_RESET, sizeof(params), ¶ms, 894 HCI_INIT_TIMEOUT); 895 if (IS_ERR(skb)) { 896 bt_dev_err(hdev, "Failed to send Intel Reset command"); 897 return PTR_ERR(skb); 898 } 899 900 kfree_skb(skb); 901 902 return 0; 903 } 904 EXPORT_SYMBOL_GPL(btintel_send_intel_reset); 905 906 int btintel_read_boot_params(struct hci_dev *hdev, 907 struct intel_boot_params *params) 908 { 909 struct sk_buff *skb; 910 911 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 912 if (IS_ERR(skb)) { 913 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)", 914 PTR_ERR(skb)); 915 return PTR_ERR(skb); 916 } 917 918 if (skb->len != sizeof(*params)) { 919 bt_dev_err(hdev, "Intel boot parameters size mismatch"); 920 kfree_skb(skb); 921 return -EILSEQ; 922 } 923 924 memcpy(params, skb->data, sizeof(*params)); 925 926 kfree_skb(skb); 927 928 if (params->status) { 929 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)", 930 params->status); 931 return -bt_to_errno(params->status); 932 } 933 934 bt_dev_info(hdev, "Device revision is %u", 935 le16_to_cpu(params->dev_revid)); 936 937 bt_dev_info(hdev, "Secure boot is %s", 938 str_enabled_disabled(params->secure_boot)); 939 940 bt_dev_info(hdev, "OTP lock is %s", 941 str_enabled_disabled(params->otp_lock)); 942 943 bt_dev_info(hdev, "API lock is %s", 944 str_enabled_disabled(params->api_lock)); 945 946 bt_dev_info(hdev, "Debug lock is %s", 947 str_enabled_disabled(params->debug_lock)); 948 949 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 950 params->min_fw_build_nn, params->min_fw_build_cw, 951 2000 + params->min_fw_build_yy); 952 953 return 0; 954 } 955 EXPORT_SYMBOL_GPL(btintel_read_boot_params); 956 957 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev, 958 const struct firmware *fw) 959 { 960 int err; 961 962 /* Start the firmware download transaction with the Init fragment 963 * represented by the 128 bytes of CSS header. 964 */ 965 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 966 if (err < 0) { 967 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 968 goto done; 969 } 970 971 /* Send the 256 bytes of public key information from the firmware 972 * as the PKey fragment. 973 */ 974 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 975 if (err < 0) { 976 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 977 goto done; 978 } 979 980 /* Send the 256 bytes of signature information from the firmware 981 * as the Sign fragment. 982 */ 983 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 984 if (err < 0) { 985 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err); 986 goto done; 987 } 988 989 done: 990 return err; 991 } 992 993 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev, 994 const struct firmware *fw) 995 { 996 int err; 997 998 /* Start the firmware download transaction with the Init fragment 999 * represented by the 128 bytes of CSS header. 1000 */ 1001 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644); 1002 if (err < 0) { 1003 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 1004 return err; 1005 } 1006 1007 /* Send the 96 bytes of public key information from the firmware 1008 * as the PKey fragment. 1009 */ 1010 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128); 1011 if (err < 0) { 1012 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 1013 return err; 1014 } 1015 1016 /* Send the 96 bytes of signature information from the firmware 1017 * as the Sign fragment 1018 */ 1019 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224); 1020 if (err < 0) { 1021 bt_dev_err(hdev, "Failed to send firmware signature (%d)", 1022 err); 1023 return err; 1024 } 1025 return 0; 1026 } 1027 1028 static int btintel_download_firmware_payload(struct hci_dev *hdev, 1029 const struct firmware *fw, 1030 size_t offset) 1031 { 1032 int err; 1033 const u8 *fw_ptr; 1034 u32 frag_len; 1035 1036 fw_ptr = fw->data + offset; 1037 frag_len = 0; 1038 err = -EINVAL; 1039 1040 while (fw_ptr - fw->data < fw->size) { 1041 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 1042 1043 frag_len += sizeof(*cmd) + cmd->plen; 1044 1045 /* The parameter length of the secure send command requires 1046 * a 4 byte alignment. It happens so that the firmware file 1047 * contains proper Intel_NOP commands to align the fragments 1048 * as needed. 1049 * 1050 * Send set of commands with 4 byte alignment from the 1051 * firmware data buffer as a single Data fragment. 1052 */ 1053 if (!(frag_len % 4)) { 1054 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 1055 if (err < 0) { 1056 bt_dev_err(hdev, 1057 "Failed to send firmware data (%d)", 1058 err); 1059 goto done; 1060 } 1061 1062 fw_ptr += frag_len; 1063 frag_len = 0; 1064 } 1065 } 1066 1067 done: 1068 return err; 1069 } 1070 1071 static bool btintel_firmware_version(struct hci_dev *hdev, 1072 u8 num, u8 ww, u8 yy, 1073 const struct firmware *fw, 1074 u32 *boot_addr) 1075 { 1076 const u8 *fw_ptr; 1077 1078 fw_ptr = fw->data; 1079 1080 while (fw_ptr - fw->data < fw->size) { 1081 struct hci_command_hdr *cmd = (void *)(fw_ptr); 1082 1083 /* Each SKU has a different reset parameter to use in the 1084 * HCI_Intel_Reset command and it is embedded in the firmware 1085 * data. So, instead of using static value per SKU, check 1086 * the firmware data and save it for later use. 1087 */ 1088 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) { 1089 struct cmd_write_boot_params *params; 1090 1091 params = (void *)(fw_ptr + sizeof(*cmd)); 1092 1093 *boot_addr = le32_to_cpu(params->boot_addr); 1094 1095 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr); 1096 1097 bt_dev_info(hdev, "Firmware Version: %u-%u.%u", 1098 params->fw_build_num, params->fw_build_ww, 1099 params->fw_build_yy); 1100 1101 return (num == params->fw_build_num && 1102 ww == params->fw_build_ww && 1103 yy == params->fw_build_yy); 1104 } 1105 1106 fw_ptr += sizeof(*cmd) + cmd->plen; 1107 } 1108 1109 return false; 1110 } 1111 1112 int btintel_download_firmware(struct hci_dev *hdev, 1113 struct intel_version *ver, 1114 const struct firmware *fw, 1115 u32 *boot_param) 1116 { 1117 int err; 1118 1119 /* SfP and WsP don't seem to update the firmware version on file 1120 * so version checking is currently not possible. 1121 */ 1122 switch (ver->hw_variant) { 1123 case 0x0b: /* SfP */ 1124 case 0x0c: /* WsP */ 1125 /* Skip version checking */ 1126 break; 1127 default: 1128 1129 /* Skip download if firmware has the same version */ 1130 if (btintel_firmware_version(hdev, ver->fw_build_num, 1131 ver->fw_build_ww, ver->fw_build_yy, 1132 fw, boot_param)) { 1133 bt_dev_info(hdev, "Firmware already loaded"); 1134 /* Return -EALREADY to indicate that the firmware has 1135 * already been loaded. 1136 */ 1137 return -EALREADY; 1138 } 1139 } 1140 1141 /* The firmware variant determines if the device is in bootloader 1142 * mode or is running operational firmware. The value 0x06 identifies 1143 * the bootloader and the value 0x23 identifies the operational 1144 * firmware. 1145 * 1146 * If the firmware version has changed that means it needs to be reset 1147 * to bootloader when operational so the new firmware can be loaded. 1148 */ 1149 if (ver->fw_variant == 0x23) 1150 return -EINVAL; 1151 1152 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1153 if (err) 1154 return err; 1155 1156 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1157 } 1158 EXPORT_SYMBOL_GPL(btintel_download_firmware); 1159 1160 static int btintel_download_fw_tlv(struct hci_dev *hdev, 1161 struct intel_version_tlv *ver, 1162 const struct firmware *fw, u32 *boot_param, 1163 u8 hw_variant, u8 sbe_type) 1164 { 1165 int err; 1166 u32 css_header_ver; 1167 1168 /* Skip download if firmware has the same version */ 1169 if (btintel_firmware_version(hdev, ver->min_fw_build_nn, 1170 ver->min_fw_build_cw, 1171 ver->min_fw_build_yy, 1172 fw, boot_param)) { 1173 bt_dev_info(hdev, "Firmware already loaded"); 1174 /* Return -EALREADY to indicate that firmware has 1175 * already been loaded. 1176 */ 1177 return -EALREADY; 1178 } 1179 1180 /* The firmware variant determines if the device is in bootloader 1181 * mode or is running operational firmware. The value 0x01 identifies 1182 * the bootloader and the value 0x03 identifies the operational 1183 * firmware. 1184 * 1185 * If the firmware version has changed that means it needs to be reset 1186 * to bootloader when operational so the new firmware can be loaded. 1187 */ 1188 if (ver->img_type == BTINTEL_IMG_OP) 1189 return -EINVAL; 1190 1191 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support 1192 * only RSA secure boot engine. Hence, the corresponding sfi file will 1193 * have RSA header of 644 bytes followed by Command Buffer. 1194 * 1195 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA 1196 * secure boot engine. As a result, the corresponding sfi file will 1197 * have RSA header of 644, ECDSA header of 320 bytes followed by 1198 * Command Buffer. 1199 * 1200 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header 1201 * version: RSA(0x00010000) , ECDSA (0x00020000) 1202 */ 1203 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET); 1204 if (css_header_ver != 0x00010000) { 1205 bt_dev_err(hdev, "Invalid CSS Header version"); 1206 return -EINVAL; 1207 } 1208 1209 if (hw_variant <= 0x14) { 1210 if (sbe_type != 0x00) { 1211 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)", 1212 hw_variant); 1213 return -EINVAL; 1214 } 1215 1216 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1217 if (err) 1218 return err; 1219 1220 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1221 if (err) 1222 return err; 1223 } else if (hw_variant >= 0x17) { 1224 /* Check if CSS header for ECDSA follows the RSA header */ 1225 if (fw->data[ECDSA_OFFSET] != 0x06) 1226 return -EINVAL; 1227 1228 /* Check if the CSS Header version is ECDSA(0x00020000) */ 1229 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET); 1230 if (css_header_ver != 0x00020000) { 1231 bt_dev_err(hdev, "Invalid CSS Header version"); 1232 return -EINVAL; 1233 } 1234 1235 if (sbe_type == 0x00) { 1236 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1237 if (err) 1238 return err; 1239 1240 err = btintel_download_firmware_payload(hdev, fw, 1241 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1242 if (err) 1243 return err; 1244 } else if (sbe_type == 0x01) { 1245 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw); 1246 if (err) 1247 return err; 1248 1249 err = btintel_download_firmware_payload(hdev, fw, 1250 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1251 if (err) 1252 return err; 1253 } 1254 } 1255 return 0; 1256 } 1257 1258 static void btintel_reset_to_bootloader(struct hci_dev *hdev) 1259 { 1260 struct intel_reset params; 1261 struct sk_buff *skb; 1262 1263 /* PCIe transport uses shared hardware reset mechanism for recovery 1264 * which gets triggered in pcie *setup* function on error. 1265 */ 1266 if (hdev->bus == HCI_PCI) 1267 return; 1268 1269 /* Send Intel Reset command. This will result in 1270 * re-enumeration of BT controller. 1271 * 1272 * Intel Reset parameter description: 1273 * reset_type : 0x00 (Soft reset), 1274 * 0x01 (Hard reset) 1275 * patch_enable : 0x00 (Do not enable), 1276 * 0x01 (Enable) 1277 * ddc_reload : 0x00 (Do not reload), 1278 * 0x01 (Reload) 1279 * boot_option: 0x00 (Current image), 1280 * 0x01 (Specified boot address) 1281 * boot_param: Boot address 1282 * 1283 */ 1284 1285 params.reset_type = 0x01; 1286 params.patch_enable = 0x01; 1287 params.ddc_reload = 0x01; 1288 params.boot_option = 0x00; 1289 params.boot_param = cpu_to_le32(0x00000000); 1290 1291 skb = __hci_cmd_sync(hdev, BTINTEL_HCI_OP_RESET, sizeof(params), 1292 ¶ms, HCI_INIT_TIMEOUT); 1293 if (IS_ERR(skb)) { 1294 bt_dev_err(hdev, "FW download error recovery failed (%ld)", 1295 PTR_ERR(skb)); 1296 return; 1297 } 1298 bt_dev_info(hdev, "Intel reset sent to retry FW download"); 1299 kfree_skb(skb); 1300 1301 /* Current Intel BT controllers(ThP/JfP) hold the USB reset 1302 * lines for 2ms when it receives Intel Reset in bootloader mode. 1303 * Whereas, the upcoming Intel BT controllers will hold USB reset 1304 * for 150ms. To keep the delay generic, 150ms is chosen here. 1305 */ 1306 msleep(150); 1307 } 1308 1309 static int btintel_read_debug_features(struct hci_dev *hdev, 1310 struct intel_debug_features *features) 1311 { 1312 struct sk_buff *skb; 1313 u8 page_no = 1; 1314 1315 /* Intel controller supports two pages, each page is of 128-bit 1316 * feature bit mask. And each bit defines specific feature support 1317 */ 1318 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no, 1319 HCI_INIT_TIMEOUT); 1320 if (IS_ERR(skb)) { 1321 bt_dev_err(hdev, "Reading supported features failed (%ld)", 1322 PTR_ERR(skb)); 1323 return PTR_ERR(skb); 1324 } 1325 1326 if (skb->len != (sizeof(features->page1) + 3)) { 1327 bt_dev_err(hdev, "Supported features event size mismatch"); 1328 kfree_skb(skb); 1329 return -EILSEQ; 1330 } 1331 1332 memcpy(features->page1, skb->data + 3, sizeof(features->page1)); 1333 1334 /* Read the supported features page2 if required in future. 1335 */ 1336 kfree_skb(skb); 1337 return 0; 1338 } 1339 1340 static int btintel_set_debug_features(struct hci_dev *hdev, 1341 const struct intel_debug_features *features) 1342 { 1343 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00, 1344 0x00, 0x00, 0x00 }; 1345 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 }; 1346 u8 trace_enable = 0x02; 1347 struct sk_buff *skb; 1348 1349 if (!features) { 1350 bt_dev_warn(hdev, "Debug features not read"); 1351 return -EINVAL; 1352 } 1353 1354 if (!(features->page1[0] & 0x3f)) { 1355 bt_dev_info(hdev, "Telemetry exception format not supported"); 1356 return 0; 1357 } 1358 1359 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1360 if (IS_ERR(skb)) { 1361 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1362 PTR_ERR(skb)); 1363 return PTR_ERR(skb); 1364 } 1365 kfree_skb(skb); 1366 1367 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT); 1368 if (IS_ERR(skb)) { 1369 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)", 1370 PTR_ERR(skb)); 1371 return PTR_ERR(skb); 1372 } 1373 kfree_skb(skb); 1374 1375 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1376 if (IS_ERR(skb)) { 1377 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)", 1378 PTR_ERR(skb)); 1379 return PTR_ERR(skb); 1380 } 1381 kfree_skb(skb); 1382 1383 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x", 1384 trace_enable, mask[3]); 1385 1386 return 0; 1387 } 1388 1389 static int btintel_reset_debug_features(struct hci_dev *hdev, 1390 const struct intel_debug_features *features) 1391 { 1392 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 1393 0x00, 0x00, 0x00 }; 1394 u8 trace_enable = 0x00; 1395 struct sk_buff *skb; 1396 1397 if (!features) { 1398 bt_dev_warn(hdev, "Debug features not read"); 1399 return -EINVAL; 1400 } 1401 1402 if (!(features->page1[0] & 0x3f)) { 1403 bt_dev_info(hdev, "Telemetry exception format not supported"); 1404 return 0; 1405 } 1406 1407 /* Should stop the trace before writing ddc event mask. */ 1408 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1409 if (IS_ERR(skb)) { 1410 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)", 1411 PTR_ERR(skb)); 1412 return PTR_ERR(skb); 1413 } 1414 kfree_skb(skb); 1415 1416 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1417 if (IS_ERR(skb)) { 1418 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1419 PTR_ERR(skb)); 1420 return PTR_ERR(skb); 1421 } 1422 kfree_skb(skb); 1423 1424 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x", 1425 trace_enable, mask[3]); 1426 1427 return 0; 1428 } 1429 1430 int btintel_set_quality_report(struct hci_dev *hdev, bool enable) 1431 { 1432 struct intel_debug_features features; 1433 int err; 1434 1435 bt_dev_dbg(hdev, "enable %d", enable); 1436 1437 /* Read the Intel supported features and if new exception formats 1438 * supported, need to load the additional DDC config to enable. 1439 */ 1440 err = btintel_read_debug_features(hdev, &features); 1441 if (err) 1442 return err; 1443 1444 /* Set or reset the debug features. */ 1445 if (enable) 1446 err = btintel_set_debug_features(hdev, &features); 1447 else 1448 err = btintel_reset_debug_features(hdev, &features); 1449 1450 return err; 1451 } 1452 EXPORT_SYMBOL_GPL(btintel_set_quality_report); 1453 1454 static void btintel_coredump(struct hci_dev *hdev) 1455 { 1456 struct sk_buff *skb; 1457 1458 skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT); 1459 if (IS_ERR(skb)) { 1460 bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb)); 1461 return; 1462 } 1463 1464 kfree_skb(skb); 1465 } 1466 1467 static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb) 1468 { 1469 char buf[80]; 1470 1471 snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n", 1472 coredump_info.hw_variant); 1473 skb_put_data(skb, buf, strlen(buf)); 1474 1475 snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n", 1476 coredump_info.fw_build_num); 1477 skb_put_data(skb, buf, strlen(buf)); 1478 1479 snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name); 1480 skb_put_data(skb, buf, strlen(buf)); 1481 1482 snprintf(buf, sizeof(buf), "Vendor: Intel\n"); 1483 skb_put_data(skb, buf, strlen(buf)); 1484 } 1485 1486 static int btintel_register_devcoredump_support(struct hci_dev *hdev) 1487 { 1488 struct intel_debug_features features; 1489 int err; 1490 1491 err = btintel_read_debug_features(hdev, &features); 1492 if (err) { 1493 bt_dev_info(hdev, "Error reading debug features"); 1494 return err; 1495 } 1496 1497 if (!(features.page1[0] & 0x3f)) { 1498 bt_dev_dbg(hdev, "Telemetry exception format not supported"); 1499 return -EOPNOTSUPP; 1500 } 1501 1502 hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL); 1503 1504 return err; 1505 } 1506 1507 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev, 1508 struct intel_version *ver) 1509 { 1510 const struct firmware *fw; 1511 char fwname[64]; 1512 int ret; 1513 1514 snprintf(fwname, sizeof(fwname), 1515 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1516 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1517 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1518 ver->fw_build_ww, ver->fw_build_yy); 1519 1520 ret = request_firmware(&fw, fwname, &hdev->dev); 1521 if (ret < 0) { 1522 if (ret == -EINVAL) { 1523 bt_dev_err(hdev, "Intel firmware file request failed (%d)", 1524 ret); 1525 return NULL; 1526 } 1527 1528 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)", 1529 fwname, ret); 1530 1531 /* If the correct firmware patch file is not found, use the 1532 * default firmware patch file instead 1533 */ 1534 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1535 ver->hw_platform, ver->hw_variant); 1536 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1537 bt_dev_err(hdev, "failed to open default fw file: %s", 1538 fwname); 1539 return NULL; 1540 } 1541 } 1542 1543 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname); 1544 1545 return fw; 1546 } 1547 1548 static int btintel_legacy_rom_patching(struct hci_dev *hdev, 1549 const struct firmware *fw, 1550 const u8 **fw_ptr, int *disable_patch) 1551 { 1552 struct sk_buff *skb; 1553 struct hci_command_hdr *cmd; 1554 const u8 *cmd_param; 1555 struct hci_event_hdr *evt = NULL; 1556 const u8 *evt_param = NULL; 1557 int remain = fw->size - (*fw_ptr - fw->data); 1558 1559 /* The first byte indicates the types of the patch command or event. 1560 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1561 * in the current firmware buffer doesn't start with 0x01 or 1562 * the size of remain buffer is smaller than HCI command header, 1563 * the firmware file is corrupted and it should stop the patching 1564 * process. 1565 */ 1566 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1567 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read"); 1568 return -EINVAL; 1569 } 1570 (*fw_ptr)++; 1571 remain--; 1572 1573 cmd = (struct hci_command_hdr *)(*fw_ptr); 1574 *fw_ptr += sizeof(*cmd); 1575 remain -= sizeof(*cmd); 1576 1577 /* Ensure that the remain firmware data is long enough than the length 1578 * of command parameter. If not, the firmware file is corrupted. 1579 */ 1580 if (remain < cmd->plen) { 1581 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len"); 1582 return -EFAULT; 1583 } 1584 1585 /* If there is a command that loads a patch in the firmware 1586 * file, then enable the patch upon success, otherwise just 1587 * disable the manufacturer mode, for example patch activation 1588 * is not required when the default firmware patch file is used 1589 * because there are no patch data to load. 1590 */ 1591 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1592 *disable_patch = 0; 1593 1594 cmd_param = *fw_ptr; 1595 *fw_ptr += cmd->plen; 1596 remain -= cmd->plen; 1597 1598 /* This reads the expected events when the above command is sent to the 1599 * device. Some vendor commands expects more than one events, for 1600 * example command status event followed by vendor specific event. 1601 * For this case, it only keeps the last expected event. so the command 1602 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1603 * last expected event. 1604 */ 1605 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1606 (*fw_ptr)++; 1607 remain--; 1608 1609 evt = (struct hci_event_hdr *)(*fw_ptr); 1610 *fw_ptr += sizeof(*evt); 1611 remain -= sizeof(*evt); 1612 1613 if (remain < evt->plen) { 1614 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len"); 1615 return -EFAULT; 1616 } 1617 1618 evt_param = *fw_ptr; 1619 *fw_ptr += evt->plen; 1620 remain -= evt->plen; 1621 } 1622 1623 /* Every HCI commands in the firmware file has its correspond event. 1624 * If event is not found or remain is smaller than zero, the firmware 1625 * file is corrupted. 1626 */ 1627 if (!evt || !evt_param || remain < 0) { 1628 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read"); 1629 return -EFAULT; 1630 } 1631 1632 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1633 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1634 if (IS_ERR(skb)) { 1635 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)", 1636 cmd->opcode, PTR_ERR(skb)); 1637 return PTR_ERR(skb); 1638 } 1639 1640 /* It ensures that the returned event matches the event data read from 1641 * the firmware file. At fist, it checks the length and then 1642 * the contents of the event. 1643 */ 1644 if (skb->len != evt->plen) { 1645 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)", 1646 le16_to_cpu(cmd->opcode)); 1647 kfree_skb(skb); 1648 return -EFAULT; 1649 } 1650 1651 if (memcmp(skb->data, evt_param, evt->plen)) { 1652 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)", 1653 le16_to_cpu(cmd->opcode)); 1654 kfree_skb(skb); 1655 return -EFAULT; 1656 } 1657 kfree_skb(skb); 1658 1659 return 0; 1660 } 1661 1662 static int btintel_legacy_rom_setup(struct hci_dev *hdev, 1663 struct intel_version *ver) 1664 { 1665 const struct firmware *fw; 1666 const u8 *fw_ptr; 1667 int disable_patch, err; 1668 struct intel_version new_ver; 1669 1670 BT_DBG("%s", hdev->name); 1671 1672 /* fw_patch_num indicates the version of patch the device currently 1673 * have. If there is no patch data in the device, it is always 0x00. 1674 * So, if it is other than 0x00, no need to patch the device again. 1675 */ 1676 if (ver->fw_patch_num) { 1677 bt_dev_info(hdev, 1678 "Intel device is already patched. patch num: %02x", 1679 ver->fw_patch_num); 1680 goto complete; 1681 } 1682 1683 /* Opens the firmware patch file based on the firmware version read 1684 * from the controller. If it fails to open the matching firmware 1685 * patch file, it tries to open the default firmware patch file. 1686 * If no patch file is found, allow the device to operate without 1687 * a patch. 1688 */ 1689 fw = btintel_legacy_rom_get_fw(hdev, ver); 1690 if (!fw) 1691 goto complete; 1692 fw_ptr = fw->data; 1693 1694 /* Enable the manufacturer mode of the controller. 1695 * Only while this mode is enabled, the driver can download the 1696 * firmware patch data and configuration parameters. 1697 */ 1698 err = btintel_enter_mfg(hdev); 1699 if (err) { 1700 release_firmware(fw); 1701 return err; 1702 } 1703 1704 disable_patch = 1; 1705 1706 /* The firmware data file consists of list of Intel specific HCI 1707 * commands and its expected events. The first byte indicates the 1708 * type of the message, either HCI command or HCI event. 1709 * 1710 * It reads the command and its expected event from the firmware file, 1711 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1712 * the returned event is compared with the event read from the firmware 1713 * file and it will continue until all the messages are downloaded to 1714 * the controller. 1715 * 1716 * Once the firmware patching is completed successfully, 1717 * the manufacturer mode is disabled with reset and activating the 1718 * downloaded patch. 1719 * 1720 * If the firmware patching fails, the manufacturer mode is 1721 * disabled with reset and deactivating the patch. 1722 * 1723 * If the default patch file is used, no reset is done when disabling 1724 * the manufacturer. 1725 */ 1726 while (fw->size > fw_ptr - fw->data) { 1727 int ret; 1728 1729 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr, 1730 &disable_patch); 1731 if (ret < 0) 1732 goto exit_mfg_deactivate; 1733 } 1734 1735 release_firmware(fw); 1736 1737 if (disable_patch) 1738 goto exit_mfg_disable; 1739 1740 /* Patching completed successfully and disable the manufacturer mode 1741 * with reset and activate the downloaded firmware patches. 1742 */ 1743 err = btintel_exit_mfg(hdev, true, true); 1744 if (err) 1745 return err; 1746 1747 /* Need build number for downloaded fw patches in 1748 * every power-on boot 1749 */ 1750 err = btintel_read_version(hdev, &new_ver); 1751 if (err) 1752 return err; 1753 1754 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated", 1755 new_ver.fw_patch_num); 1756 1757 goto complete; 1758 1759 exit_mfg_disable: 1760 /* Disable the manufacturer mode without reset */ 1761 err = btintel_exit_mfg(hdev, false, false); 1762 if (err) 1763 return err; 1764 1765 bt_dev_info(hdev, "Intel firmware patch completed"); 1766 1767 goto complete; 1768 1769 exit_mfg_deactivate: 1770 release_firmware(fw); 1771 1772 /* Patching failed. Disable the manufacturer mode with reset and 1773 * deactivate the downloaded firmware patches. 1774 */ 1775 err = btintel_exit_mfg(hdev, true, false); 1776 if (err) 1777 return err; 1778 1779 bt_dev_info(hdev, "Intel firmware patch completed and deactivated"); 1780 1781 complete: 1782 /* Set the event mask for Intel specific vendor events. This enables 1783 * a few extra events that are useful during general operation. 1784 */ 1785 btintel_set_event_mask_mfg(hdev, false); 1786 1787 btintel_check_bdaddr(hdev); 1788 1789 return 0; 1790 } 1791 1792 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1793 { 1794 ktime_t delta, rettime; 1795 unsigned long long duration; 1796 int err; 1797 1798 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1799 1800 bt_dev_info(hdev, "Waiting for firmware download to complete"); 1801 1802 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING, 1803 TASK_INTERRUPTIBLE, 1804 msecs_to_jiffies(msec)); 1805 if (err == -EINTR) { 1806 bt_dev_err(hdev, "Firmware loading interrupted"); 1807 return err; 1808 } 1809 1810 if (err) { 1811 bt_dev_err(hdev, "Firmware loading timeout"); 1812 return -ETIMEDOUT; 1813 } 1814 1815 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) { 1816 bt_dev_err(hdev, "Firmware loading failed"); 1817 return -ENOEXEC; 1818 } 1819 1820 rettime = ktime_get(); 1821 delta = ktime_sub(rettime, calltime); 1822 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1823 1824 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration); 1825 1826 return 0; 1827 } 1828 1829 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1830 { 1831 ktime_t delta, rettime; 1832 unsigned long long duration; 1833 int err; 1834 1835 bt_dev_info(hdev, "Waiting for device to boot"); 1836 1837 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING, 1838 TASK_INTERRUPTIBLE, 1839 msecs_to_jiffies(msec)); 1840 if (err == -EINTR) { 1841 bt_dev_err(hdev, "Device boot interrupted"); 1842 return -EINTR; 1843 } 1844 1845 if (err) { 1846 bt_dev_err(hdev, "Device boot timeout"); 1847 return -ETIMEDOUT; 1848 } 1849 1850 rettime = ktime_get(); 1851 delta = ktime_sub(rettime, calltime); 1852 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 1853 1854 bt_dev_info(hdev, "Device booted in %llu usecs", duration); 1855 1856 return 0; 1857 } 1858 1859 static int btintel_boot_wait_d0(struct hci_dev *hdev, ktime_t calltime, 1860 int msec) 1861 { 1862 ktime_t delta, rettime; 1863 unsigned long long duration; 1864 int err; 1865 1866 bt_dev_info(hdev, "Waiting for device transition to d0"); 1867 1868 err = btintel_wait_on_flag_timeout(hdev, INTEL_WAIT_FOR_D0, 1869 TASK_INTERRUPTIBLE, 1870 msecs_to_jiffies(msec)); 1871 if (err == -EINTR) { 1872 bt_dev_err(hdev, "Device d0 move interrupted"); 1873 return -EINTR; 1874 } 1875 1876 if (err) { 1877 bt_dev_err(hdev, "Device d0 move timeout"); 1878 return -ETIMEDOUT; 1879 } 1880 1881 rettime = ktime_get(); 1882 delta = ktime_sub(rettime, calltime); 1883 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1884 1885 bt_dev_info(hdev, "Device moved to D0 in %llu usecs", duration); 1886 1887 return 0; 1888 } 1889 1890 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr) 1891 { 1892 ktime_t calltime; 1893 int err; 1894 1895 calltime = ktime_get(); 1896 1897 btintel_set_flag(hdev, INTEL_BOOTING); 1898 btintel_set_flag(hdev, INTEL_WAIT_FOR_D0); 1899 1900 err = btintel_send_intel_reset(hdev, boot_addr); 1901 if (err) { 1902 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err); 1903 btintel_reset_to_bootloader(hdev); 1904 return err; 1905 } 1906 1907 /* The bootloader will not indicate when the device is ready. This 1908 * is done by the operational firmware sending bootup notification. 1909 * 1910 * Booting into operational firmware should not take longer than 1911 * 5 second. However if that happens, then just fail the setup 1912 * since something went wrong. 1913 */ 1914 err = btintel_boot_wait(hdev, calltime, 5000); 1915 if (err == -ETIMEDOUT) { 1916 btintel_reset_to_bootloader(hdev); 1917 goto exit_error; 1918 } 1919 1920 if (hdev->bus == HCI_PCI) { 1921 /* In case of PCIe, after receiving bootup event, driver performs 1922 * D0 entry by writing 0 to sleep control register (check 1923 * btintel_pcie_recv_event()) 1924 * Firmware acks with alive interrupt indicating host is full ready to 1925 * perform BT operation. Lets wait here till INTEL_WAIT_FOR_D0 1926 * bit is cleared. 1927 */ 1928 calltime = ktime_get(); 1929 err = btintel_boot_wait_d0(hdev, calltime, 2000); 1930 } 1931 1932 exit_error: 1933 return err; 1934 } 1935 1936 static int btintel_get_fw_name(struct intel_version *ver, 1937 struct intel_boot_params *params, 1938 char *fw_name, size_t len, 1939 const char *suffix) 1940 { 1941 switch (ver->hw_variant) { 1942 case 0x0b: /* SfP */ 1943 case 0x0c: /* WsP */ 1944 snprintf(fw_name, len, "intel/ibt-%u-%u.%s", 1945 ver->hw_variant, 1946 le16_to_cpu(params->dev_revid), 1947 suffix); 1948 break; 1949 case 0x11: /* JfP */ 1950 case 0x12: /* ThP */ 1951 case 0x13: /* HrP */ 1952 case 0x14: /* CcP */ 1953 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s", 1954 ver->hw_variant, 1955 ver->hw_revision, 1956 ver->fw_revision, 1957 suffix); 1958 break; 1959 default: 1960 return -EINVAL; 1961 } 1962 1963 return 0; 1964 } 1965 1966 static int btintel_download_fw(struct hci_dev *hdev, 1967 struct intel_version *ver, 1968 struct intel_boot_params *params, 1969 u32 *boot_param) 1970 { 1971 const struct firmware *fw; 1972 char fwname[64]; 1973 int err; 1974 ktime_t calltime; 1975 1976 if (!ver || !params) 1977 return -EINVAL; 1978 1979 /* The firmware variant determines if the device is in bootloader 1980 * mode or is running operational firmware. The value 0x06 identifies 1981 * the bootloader and the value 0x23 identifies the operational 1982 * firmware. 1983 * 1984 * When the operational firmware is already present, then only 1985 * the check for valid Bluetooth device address is needed. This 1986 * determines if the device will be added as configured or 1987 * unconfigured controller. 1988 * 1989 * It is not possible to use the Secure Boot Parameters in this 1990 * case since that command is only available in bootloader mode. 1991 */ 1992 if (ver->fw_variant == 0x23) { 1993 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 1994 btintel_check_bdaddr(hdev); 1995 1996 /* SfP and WsP don't seem to update the firmware version on file 1997 * so version checking is currently possible. 1998 */ 1999 switch (ver->hw_variant) { 2000 case 0x0b: /* SfP */ 2001 case 0x0c: /* WsP */ 2002 return 0; 2003 } 2004 2005 /* Proceed to download to check if the version matches */ 2006 goto download; 2007 } 2008 2009 /* Read the secure boot parameters to identify the operating 2010 * details of the bootloader. 2011 */ 2012 err = btintel_read_boot_params(hdev, params); 2013 if (err) 2014 return err; 2015 2016 /* It is required that every single firmware fragment is acknowledged 2017 * with a command complete event. If the boot parameters indicate 2018 * that this bootloader does not send them, then abort the setup. 2019 */ 2020 if (params->limited_cce != 0x00) { 2021 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)", 2022 params->limited_cce); 2023 return -EINVAL; 2024 } 2025 2026 /* If the OTP has no valid Bluetooth device address, then there will 2027 * also be no valid address for the operational firmware. 2028 */ 2029 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2030 bt_dev_info(hdev, "No device address configured"); 2031 hci_set_quirk(hdev, HCI_QUIRK_INVALID_BDADDR); 2032 } 2033 2034 download: 2035 /* With this Intel bootloader only the hardware variant and device 2036 * revision information are used to select the right firmware for SfP 2037 * and WsP. 2038 * 2039 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi. 2040 * 2041 * Currently the supported hardware variants are: 2042 * 11 (0x0b) for iBT3.0 (LnP/SfP) 2043 * 12 (0x0c) for iBT3.5 (WsP) 2044 * 2045 * For ThP/JfP and for future SKU's, the FW name varies based on HW 2046 * variant, HW revision and FW revision, as these are dependent on CNVi 2047 * and RF Combination. 2048 * 2049 * 17 (0x11) for iBT3.5 (JfP) 2050 * 18 (0x12) for iBT3.5 (ThP) 2051 * 2052 * The firmware file name for these will be 2053 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi. 2054 * 2055 */ 2056 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi"); 2057 if (err < 0) { 2058 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2059 /* Firmware has already been loaded */ 2060 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2061 return 0; 2062 } 2063 2064 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2065 return -EINVAL; 2066 } 2067 2068 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2069 if (err < 0) { 2070 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2071 /* Firmware has already been loaded */ 2072 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2073 return 0; 2074 } 2075 2076 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2077 fwname, err); 2078 return err; 2079 } 2080 2081 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2082 2083 if (fw->size < 644) { 2084 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2085 fw->size); 2086 err = -EBADF; 2087 goto done; 2088 } 2089 2090 calltime = ktime_get(); 2091 2092 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2093 2094 /* Start firmware downloading and get boot parameter */ 2095 err = btintel_download_firmware(hdev, ver, fw, boot_param); 2096 if (err < 0) { 2097 if (err == -EALREADY) { 2098 /* Firmware has already been loaded */ 2099 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2100 err = 0; 2101 goto done; 2102 } 2103 2104 /* When FW download fails, send Intel Reset to retry 2105 * FW download. 2106 */ 2107 btintel_reset_to_bootloader(hdev); 2108 goto done; 2109 } 2110 2111 /* Before switching the device into operational mode and with that 2112 * booting the loaded firmware, wait for the bootloader notification 2113 * that all fragments have been successfully received. 2114 * 2115 * When the event processing receives the notification, then the 2116 * INTEL_DOWNLOADING flag will be cleared. 2117 * 2118 * The firmware loading should not take longer than 5 seconds 2119 * and thus just timeout if that happens and fail the setup 2120 * of this device. 2121 */ 2122 err = btintel_download_wait(hdev, calltime, 5000); 2123 if (err == -ETIMEDOUT) 2124 btintel_reset_to_bootloader(hdev); 2125 2126 done: 2127 release_firmware(fw); 2128 return err; 2129 } 2130 2131 static int btintel_bootloader_setup(struct hci_dev *hdev, 2132 struct intel_version *ver) 2133 { 2134 struct intel_version new_ver; 2135 struct intel_boot_params params; 2136 u32 boot_param; 2137 char ddcname[64]; 2138 int err; 2139 2140 BT_DBG("%s", hdev->name); 2141 2142 /* Set the default boot parameter to 0x0 and it is updated to 2143 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2144 * command while downloading the firmware. 2145 */ 2146 boot_param = 0x00000000; 2147 2148 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2149 2150 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param); 2151 if (err) 2152 return err; 2153 2154 /* controller is already having an operational firmware */ 2155 if (ver->fw_variant == 0x23) 2156 goto finish; 2157 2158 err = btintel_boot(hdev, boot_param); 2159 if (err) 2160 return err; 2161 2162 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2163 2164 err = btintel_get_fw_name(ver, ¶ms, ddcname, 2165 sizeof(ddcname), "ddc"); 2166 2167 if (err < 0) { 2168 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2169 } else { 2170 /* Once the device is running in operational mode, it needs to 2171 * apply the device configuration (DDC) parameters. 2172 * 2173 * The device can work without DDC parameters, so even if it 2174 * fails to load the file, no need to fail the setup. 2175 */ 2176 btintel_load_ddc_config(hdev, ddcname); 2177 } 2178 2179 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2180 2181 /* Read the Intel version information after loading the FW */ 2182 err = btintel_read_version(hdev, &new_ver); 2183 if (err) 2184 return err; 2185 2186 btintel_version_info(hdev, &new_ver); 2187 2188 finish: 2189 /* Set the event mask for Intel specific vendor events. This enables 2190 * a few extra events that are useful during general operation. It 2191 * does not enable any debugging related events. 2192 * 2193 * The device will function correctly without these events enabled 2194 * and thus no need to fail the setup. 2195 */ 2196 btintel_set_event_mask(hdev, false); 2197 2198 return 0; 2199 } 2200 2201 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver, 2202 char *fw_name, size_t len, 2203 const char *suffix) 2204 { 2205 const char *format; 2206 u32 cnvi, cnvr; 2207 2208 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2209 INTEL_CNVX_TOP_STEP(ver->cnvi_top)); 2210 2211 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2212 INTEL_CNVX_TOP_STEP(ver->cnvr_top)); 2213 2214 /* Only Blazar product supports downloading of intermediate loader 2215 * image 2216 */ 2217 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) { 2218 u8 zero[BTINTEL_FWID_MAXLEN]; 2219 2220 if (ver->img_type == BTINTEL_IMG_BOOTLOADER) { 2221 format = "intel/ibt-%04x-%04x-iml.%s"; 2222 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2223 return; 2224 } 2225 2226 memset(zero, 0, sizeof(zero)); 2227 2228 /* ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step-fw_id> */ 2229 if (memcmp(ver->fw_id, zero, sizeof(zero))) { 2230 format = "intel/ibt-%04x-%04x-%s.%s"; 2231 snprintf(fw_name, len, format, cnvi, cnvr, 2232 ver->fw_id, suffix); 2233 return; 2234 } 2235 /* If firmware id is not present, fallback to legacy naming 2236 * convention 2237 */ 2238 } 2239 /* Fallback to legacy naming convention for other controllers 2240 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step> 2241 */ 2242 format = "intel/ibt-%04x-%04x.%s"; 2243 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2244 } 2245 2246 static void btintel_get_iml_tlv(const struct intel_version_tlv *ver, 2247 char *fw_name, size_t len, 2248 const char *suffix) 2249 { 2250 const char *format; 2251 u32 cnvi, cnvr; 2252 2253 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2254 INTEL_CNVX_TOP_STEP(ver->cnvi_top)); 2255 2256 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2257 INTEL_CNVX_TOP_STEP(ver->cnvr_top)); 2258 2259 format = "intel/ibt-%04x-%04x-iml.%s"; 2260 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2261 } 2262 2263 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev, 2264 struct intel_version_tlv *ver, 2265 u32 *boot_param) 2266 { 2267 const struct firmware *fw; 2268 char fwname[128]; 2269 int err; 2270 ktime_t calltime; 2271 2272 if (!ver || !boot_param) 2273 return -EINVAL; 2274 2275 /* The firmware variant determines if the device is in bootloader 2276 * mode or is running operational firmware. The value 0x03 identifies 2277 * the bootloader and the value 0x23 identifies the operational 2278 * firmware. 2279 * 2280 * When the operational firmware is already present, then only 2281 * the check for valid Bluetooth device address is needed. This 2282 * determines if the device will be added as configured or 2283 * unconfigured controller. 2284 * 2285 * It is not possible to use the Secure Boot Parameters in this 2286 * case since that command is only available in bootloader mode. 2287 */ 2288 if (ver->img_type == BTINTEL_IMG_OP) { 2289 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2290 btintel_check_bdaddr(hdev); 2291 } else { 2292 /* 2293 * Check for valid bd address in boot loader mode. Device 2294 * will be marked as unconfigured if empty bd address is 2295 * found. 2296 */ 2297 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) { 2298 bt_dev_info(hdev, "No device address configured"); 2299 hci_set_quirk(hdev, HCI_QUIRK_INVALID_BDADDR); 2300 } 2301 } 2302 2303 if (ver->img_type == BTINTEL_IMG_OP) { 2304 /* Controller running OP image. In case of FW downgrade, 2305 * FWID TLV may not be present and driver may attempt to load 2306 * firmware image which doesn't exist. Lets compare the version 2307 * of IML image 2308 */ 2309 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) 2310 btintel_get_iml_tlv(ver, fwname, sizeof(fwname), "sfi"); 2311 else 2312 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2313 } else { 2314 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2315 } 2316 2317 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2318 if (err < 0) { 2319 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2320 /* Firmware has already been loaded */ 2321 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2322 return 0; 2323 } 2324 2325 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2326 fwname, err); 2327 2328 return err; 2329 } 2330 2331 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2332 2333 if (fw->size < 644) { 2334 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2335 fw->size); 2336 err = -EBADF; 2337 goto done; 2338 } 2339 2340 calltime = ktime_get(); 2341 2342 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2343 2344 /* Start firmware downloading and get boot parameter */ 2345 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param, 2346 INTEL_HW_VARIANT(ver->cnvi_bt), 2347 ver->sbe_type); 2348 if (err < 0) { 2349 if (err == -EALREADY) { 2350 /* Firmware has already been loaded */ 2351 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2352 err = 0; 2353 goto done; 2354 } 2355 2356 /* When FW download fails, send Intel Reset to retry 2357 * FW download. 2358 */ 2359 btintel_reset_to_bootloader(hdev); 2360 goto done; 2361 } 2362 2363 /* Before switching the device into operational mode and with that 2364 * booting the loaded firmware, wait for the bootloader notification 2365 * that all fragments have been successfully received. 2366 * 2367 * When the event processing receives the notification, then the 2368 * BTUSB_DOWNLOADING flag will be cleared. 2369 * 2370 * The firmware loading should not take longer than 5 seconds 2371 * and thus just timeout if that happens and fail the setup 2372 * of this device. 2373 */ 2374 err = btintel_download_wait(hdev, calltime, 5000); 2375 if (err == -ETIMEDOUT) 2376 btintel_reset_to_bootloader(hdev); 2377 2378 done: 2379 release_firmware(fw); 2380 return err; 2381 } 2382 2383 static int btintel_get_codec_config_data(struct hci_dev *hdev, 2384 __u8 link, struct bt_codec *codec, 2385 __u8 *ven_len, __u8 **ven_data) 2386 { 2387 int err = 0; 2388 2389 if (!ven_data || !ven_len) 2390 return -EINVAL; 2391 2392 *ven_len = 0; 2393 *ven_data = NULL; 2394 2395 if (link != ESCO_LINK) { 2396 bt_dev_err(hdev, "Invalid link type(%u)", link); 2397 return -EINVAL; 2398 } 2399 2400 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL); 2401 if (!*ven_data) { 2402 err = -ENOMEM; 2403 goto error; 2404 } 2405 2406 /* supports only CVSD and mSBC offload codecs */ 2407 switch (codec->id) { 2408 case 0x02: 2409 **ven_data = 0x00; 2410 break; 2411 case 0x05: 2412 **ven_data = 0x01; 2413 break; 2414 default: 2415 err = -EINVAL; 2416 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id); 2417 goto error; 2418 } 2419 /* codec and its capabilities are pre-defined to ids 2420 * preset id = 0x00 represents CVSD codec with sampling rate 8K 2421 * preset id = 0x01 represents mSBC codec with sampling rate 16K 2422 */ 2423 *ven_len = sizeof(__u8); 2424 return err; 2425 2426 error: 2427 kfree(*ven_data); 2428 *ven_data = NULL; 2429 return err; 2430 } 2431 2432 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id) 2433 { 2434 /* Intel uses 1 as data path id for all the usecases */ 2435 *data_path_id = 1; 2436 return 0; 2437 } 2438 2439 static int btintel_configure_offload(struct hci_dev *hdev) 2440 { 2441 struct sk_buff *skb; 2442 int err = 0; 2443 struct intel_offload_use_cases *use_cases; 2444 2445 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT); 2446 if (IS_ERR(skb)) { 2447 bt_dev_err(hdev, "Reading offload use cases failed (%ld)", 2448 PTR_ERR(skb)); 2449 return PTR_ERR(skb); 2450 } 2451 2452 if (skb->len < sizeof(*use_cases)) { 2453 err = -EIO; 2454 goto error; 2455 } 2456 2457 use_cases = (void *)skb->data; 2458 2459 if (use_cases->status) { 2460 err = -bt_to_errno(skb->data[0]); 2461 goto error; 2462 } 2463 2464 if (use_cases->preset[0] & 0x03) { 2465 hdev->get_data_path_id = btintel_get_data_path_id; 2466 hdev->get_codec_config_data = btintel_get_codec_config_data; 2467 } 2468 error: 2469 kfree_skb(skb); 2470 return err; 2471 } 2472 2473 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver) 2474 { 2475 struct sk_buff *skb; 2476 struct hci_ppag_enable_cmd ppag_cmd; 2477 acpi_handle handle; 2478 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; 2479 union acpi_object *p, *elements; 2480 u32 domain, mode; 2481 acpi_status status; 2482 2483 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */ 2484 switch (ver->cnvr_top & 0xFFF) { 2485 case 0x504: /* Hrp2 */ 2486 case 0x202: /* Jfp2 */ 2487 case 0x201: /* Jfp1 */ 2488 bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)", 2489 ver->cnvr_top & 0xFFF); 2490 return; 2491 } 2492 2493 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2494 if (!handle) { 2495 bt_dev_info(hdev, "No support for BT device in ACPI firmware"); 2496 return; 2497 } 2498 2499 status = acpi_evaluate_object(handle, "PPAG", NULL, &buffer); 2500 if (ACPI_FAILURE(status)) { 2501 if (status == AE_NOT_FOUND) { 2502 bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found"); 2503 return; 2504 } 2505 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 2506 return; 2507 } 2508 2509 p = buffer.pointer; 2510 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) { 2511 bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d", 2512 p->type, p->package.count); 2513 kfree(buffer.pointer); 2514 return; 2515 } 2516 2517 elements = p->package.elements; 2518 2519 /* PPAG table is located at element[1] */ 2520 p = &elements[1]; 2521 2522 domain = (u32)p->package.elements[0].integer.value; 2523 mode = (u32)p->package.elements[1].integer.value; 2524 kfree(buffer.pointer); 2525 2526 if (domain != 0x12) { 2527 bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware"); 2528 return; 2529 } 2530 2531 /* PPAG mode 2532 * BIT 0 : 0 Disabled in EU 2533 * 1 Enabled in EU 2534 * BIT 1 : 0 Disabled in China 2535 * 1 Enabled in China 2536 */ 2537 mode &= 0x03; 2538 2539 if (!mode) { 2540 bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in BIOS"); 2541 return; 2542 } 2543 2544 ppag_cmd.ppag_enable_flags = cpu_to_le32(mode); 2545 2546 skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd), 2547 &ppag_cmd, HCI_CMD_TIMEOUT); 2548 if (IS_ERR(skb)) { 2549 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb)); 2550 return; 2551 } 2552 bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", mode); 2553 kfree_skb(skb); 2554 } 2555 2556 static int btintel_acpi_reset_method(struct hci_dev *hdev) 2557 { 2558 int ret = 0; 2559 acpi_status status; 2560 union acpi_object *p, *ref; 2561 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; 2562 2563 status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer); 2564 if (ACPI_FAILURE(status)) { 2565 bt_dev_err(hdev, "Failed to run _PRR method"); 2566 ret = -ENODEV; 2567 return ret; 2568 } 2569 p = buffer.pointer; 2570 2571 if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) { 2572 bt_dev_err(hdev, "Invalid arguments"); 2573 ret = -EINVAL; 2574 goto exit_on_error; 2575 } 2576 2577 ref = &p->package.elements[0]; 2578 if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) { 2579 bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type); 2580 ret = -EINVAL; 2581 goto exit_on_error; 2582 } 2583 2584 status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL); 2585 if (ACPI_FAILURE(status)) { 2586 bt_dev_err(hdev, "Failed to run_RST method"); 2587 ret = -ENODEV; 2588 goto exit_on_error; 2589 } 2590 2591 exit_on_error: 2592 kfree(buffer.pointer); 2593 return ret; 2594 } 2595 2596 static void btintel_set_dsm_reset_method(struct hci_dev *hdev, 2597 struct intel_version_tlv *ver_tlv) 2598 { 2599 struct btintel_data *data = hci_get_priv(hdev); 2600 acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2601 u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00}; 2602 union acpi_object *obj, argv4; 2603 enum { 2604 RESET_TYPE_WDISABLE2, 2605 RESET_TYPE_VSEC 2606 }; 2607 2608 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2609 2610 if (!handle) { 2611 bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware"); 2612 return; 2613 } 2614 2615 if (!acpi_has_method(handle, "_PRR")) { 2616 bt_dev_err(hdev, "No support for _PRR ACPI method"); 2617 return; 2618 } 2619 2620 switch (ver_tlv->cnvi_top & 0xfff) { 2621 case 0x910: /* GalePeak2 */ 2622 reset_payload[2] = RESET_TYPE_VSEC; 2623 break; 2624 default: 2625 /* WDISABLE2 is the default reset method */ 2626 reset_payload[2] = RESET_TYPE_WDISABLE2; 2627 2628 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2629 BIT(DSM_SET_WDISABLE2_DELAY))) { 2630 bt_dev_err(hdev, "No dsm support to set reset delay"); 2631 return; 2632 } 2633 argv4.integer.type = ACPI_TYPE_INTEGER; 2634 /* delay required to toggle BT power */ 2635 argv4.integer.value = 160; 2636 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2637 DSM_SET_WDISABLE2_DELAY, &argv4); 2638 if (!obj) { 2639 bt_dev_err(hdev, "Failed to call dsm to set reset delay"); 2640 return; 2641 } 2642 ACPI_FREE(obj); 2643 } 2644 2645 bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]); 2646 2647 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2648 DSM_SET_RESET_METHOD)) { 2649 bt_dev_warn(hdev, "No support for dsm to set reset method"); 2650 return; 2651 } 2652 argv4.buffer.type = ACPI_TYPE_BUFFER; 2653 argv4.buffer.length = sizeof(reset_payload); 2654 argv4.buffer.pointer = reset_payload; 2655 2656 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2657 DSM_SET_RESET_METHOD, &argv4); 2658 if (!obj) { 2659 bt_dev_err(hdev, "Failed to call dsm to set reset method"); 2660 return; 2661 } 2662 ACPI_FREE(obj); 2663 data->acpi_reset_method = btintel_acpi_reset_method; 2664 } 2665 2666 #define BTINTEL_ISODATA_HANDLE_BASE 0x900 2667 2668 static u8 btintel_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb) 2669 { 2670 /* 2671 * Distinguish ISO data packets form ACL data packets 2672 * based on their connection handle value range. 2673 */ 2674 if (iso_capable(hdev) && hci_skb_pkt_type(skb) == HCI_ACLDATA_PKT) { 2675 __u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle); 2676 2677 if (hci_handle(handle) >= BTINTEL_ISODATA_HANDLE_BASE) 2678 return HCI_ISODATA_PKT; 2679 } 2680 2681 return hci_skb_pkt_type(skb); 2682 } 2683 2684 /* 2685 * UefiCnvCommonDSBR UEFI variable provides information from the OEM platforms 2686 * if they have replaced the BRI (Bluetooth Radio Interface) resistor to 2687 * overcome the potential STEP errors on their designs. Based on the 2688 * configauration, bluetooth firmware shall adjust the BRI response line drive 2689 * strength. The below structure represents DSBR data. 2690 * struct { 2691 * u8 header; 2692 * u32 dsbr; 2693 * } __packed; 2694 * 2695 * header - defines revision number of the structure 2696 * dsbr - defines drive strength BRI response 2697 * bit0 2698 * 0 - instructs bluetooth firmware to use default values 2699 * 1 - instructs bluetooth firmware to override default values 2700 * bit3:1 2701 * Reserved 2702 * bit7:4 2703 * DSBR override values (only if bit0 is set. Default value is 0xF 2704 * bit31:7 2705 * Reserved 2706 * Expected values for dsbr field: 2707 * 1. 0xF1 - indicates that the resistor on board is 33 Ohm 2708 * 2. 0x00 or 0xB1 - indicates that the resistor on board is 10 Ohm 2709 * 3. Non existing UEFI variable or invalid (none of the above) - indicates 2710 * that the resistor on board is 10 Ohm 2711 * Even if uefi variable is not present, driver shall send 0xfc0a command to 2712 * firmware to use default values. 2713 * 2714 */ 2715 static int btintel_uefi_get_dsbr(u32 *dsbr_var) 2716 { 2717 struct btintel_dsbr { 2718 u8 header; 2719 u32 dsbr; 2720 } __packed data; 2721 2722 efi_status_t status; 2723 unsigned long data_size = sizeof(data); 2724 efi_guid_t guid = EFI_GUID(0xe65d8884, 0xd4af, 0x4b20, 0x8d, 0x03, 2725 0x77, 0x2e, 0xcc, 0x3d, 0xa5, 0x31); 2726 2727 if (!IS_ENABLED(CONFIG_EFI)) 2728 return -EOPNOTSUPP; 2729 2730 if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) 2731 return -EOPNOTSUPP; 2732 2733 status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size, 2734 &data); 2735 2736 if (status != EFI_SUCCESS || data_size != sizeof(data)) 2737 return -ENXIO; 2738 2739 *dsbr_var = data.dsbr; 2740 return 0; 2741 } 2742 2743 static int btintel_set_dsbr(struct hci_dev *hdev, struct intel_version_tlv *ver) 2744 { 2745 struct btintel_dsbr_cmd { 2746 u8 enable; 2747 u8 dsbr; 2748 } __packed; 2749 2750 struct btintel_dsbr_cmd cmd; 2751 struct sk_buff *skb; 2752 u32 dsbr, cnvi; 2753 u8 status; 2754 int err; 2755 2756 cnvi = ver->cnvi_top & 0xfff; 2757 /* DSBR command needs to be sent for, 2758 * 1. BlazarI or BlazarIW + B0 step product in IML image. 2759 * 2. Gale Peak2 or BlazarU in OP image. 2760 * 3. Scorpious Peak in IML image. 2761 */ 2762 2763 switch (cnvi) { 2764 case BTINTEL_CNVI_BLAZARI: 2765 case BTINTEL_CNVI_BLAZARIW: 2766 if (ver->img_type == BTINTEL_IMG_IML && 2767 INTEL_CNVX_TOP_STEP(ver->cnvi_top) == 0x01) 2768 break; 2769 return 0; 2770 case BTINTEL_CNVI_GAP: 2771 case BTINTEL_CNVI_BLAZARU: 2772 if (ver->img_type == BTINTEL_IMG_OP && 2773 hdev->bus == HCI_USB) 2774 break; 2775 return 0; 2776 case BTINTEL_CNVI_SCP: 2777 if (ver->img_type == BTINTEL_IMG_IML) 2778 break; 2779 return 0; 2780 default: 2781 return 0; 2782 } 2783 2784 dsbr = 0; 2785 err = btintel_uefi_get_dsbr(&dsbr); 2786 if (err < 0) 2787 bt_dev_dbg(hdev, "Error reading efi: %ls (%d)", 2788 BTINTEL_EFI_DSBR, err); 2789 2790 cmd.enable = dsbr & BIT(0); 2791 cmd.dsbr = dsbr >> 4 & 0xF; 2792 2793 bt_dev_info(hdev, "dsbr: enable: 0x%2.2x value: 0x%2.2x", cmd.enable, 2794 cmd.dsbr); 2795 2796 skb = __hci_cmd_sync(hdev, 0xfc0a, sizeof(cmd), &cmd, HCI_CMD_TIMEOUT); 2797 if (IS_ERR(skb)) 2798 return -bt_to_errno(PTR_ERR(skb)); 2799 2800 status = skb->data[0]; 2801 kfree_skb(skb); 2802 2803 if (status) 2804 return -bt_to_errno(status); 2805 2806 return 0; 2807 } 2808 2809 #ifdef CONFIG_ACPI 2810 static acpi_status btintel_evaluate_acpi_method(struct hci_dev *hdev, 2811 acpi_string method, 2812 union acpi_object **ptr, 2813 u8 pkg_size) 2814 { 2815 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; 2816 union acpi_object *p; 2817 acpi_status status; 2818 acpi_handle handle; 2819 2820 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2821 if (!handle) { 2822 bt_dev_dbg(hdev, "ACPI-BT: No ACPI support for Bluetooth device"); 2823 return AE_NOT_EXIST; 2824 } 2825 2826 status = acpi_evaluate_object(handle, method, NULL, &buffer); 2827 2828 if (ACPI_FAILURE(status)) { 2829 bt_dev_dbg(hdev, "ACPI-BT: ACPI Failure: %s method: %s", 2830 acpi_format_exception(status), method); 2831 return status; 2832 } 2833 2834 p = buffer.pointer; 2835 2836 if (p->type != ACPI_TYPE_PACKAGE || p->package.count < pkg_size) { 2837 bt_dev_warn(hdev, "ACPI-BT: Invalid object type: %d or package count: %d", 2838 p->type, p->package.count); 2839 kfree(buffer.pointer); 2840 return AE_ERROR; 2841 } 2842 2843 *ptr = buffer.pointer; 2844 return 0; 2845 } 2846 2847 static union acpi_object *btintel_acpi_get_bt_pkg(union acpi_object *buffer) 2848 { 2849 union acpi_object *domain, *bt_pkg; 2850 int i; 2851 2852 for (i = 1; i < buffer->package.count; i++) { 2853 bt_pkg = &buffer->package.elements[i]; 2854 domain = &bt_pkg->package.elements[0]; 2855 if (domain->type == ACPI_TYPE_INTEGER && 2856 domain->integer.value == BTINTEL_BT_DOMAIN) 2857 return bt_pkg; 2858 } 2859 return ERR_PTR(-ENOENT); 2860 } 2861 2862 static int btintel_send_sar_ddc(struct hci_dev *hdev, struct btintel_cp_ddc_write *data, u8 len) 2863 { 2864 struct sk_buff *skb; 2865 2866 skb = __hci_cmd_sync(hdev, 0xfc8b, len, data, HCI_CMD_TIMEOUT); 2867 if (IS_ERR(skb)) { 2868 bt_dev_warn(hdev, "Failed to send sar ddc id:0x%4.4x (%ld)", 2869 le16_to_cpu(data->id), PTR_ERR(skb)); 2870 return PTR_ERR(skb); 2871 } 2872 kfree_skb(skb); 2873 return 0; 2874 } 2875 2876 static int btintel_send_edr(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd, 2877 int id, struct btintel_sar_inc_pwr *sar) 2878 { 2879 cmd->len = 5; 2880 cmd->id = cpu_to_le16(id); 2881 cmd->data[0] = sar->br >> 3; 2882 cmd->data[1] = sar->edr2 >> 3; 2883 cmd->data[2] = sar->edr3 >> 3; 2884 return btintel_send_sar_ddc(hdev, cmd, 6); 2885 } 2886 2887 static int btintel_send_le(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd, 2888 int id, struct btintel_sar_inc_pwr *sar) 2889 { 2890 cmd->len = 3; 2891 cmd->id = cpu_to_le16(id); 2892 cmd->data[0] = min3(sar->le, sar->le_lr, sar->le_2mhz) >> 3; 2893 return btintel_send_sar_ddc(hdev, cmd, 4); 2894 } 2895 2896 static int btintel_send_br(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd, 2897 int id, struct btintel_sar_inc_pwr *sar) 2898 { 2899 cmd->len = 3; 2900 cmd->id = cpu_to_le16(id); 2901 cmd->data[0] = sar->br >> 3; 2902 return btintel_send_sar_ddc(hdev, cmd, 4); 2903 } 2904 2905 static int btintel_send_br_mutual(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd, 2906 int id, struct btintel_sar_inc_pwr *sar) 2907 { 2908 cmd->len = 3; 2909 cmd->id = cpu_to_le16(id); 2910 cmd->data[0] = sar->br; 2911 return btintel_send_sar_ddc(hdev, cmd, 4); 2912 } 2913 2914 static int btintel_send_edr2(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd, 2915 int id, struct btintel_sar_inc_pwr *sar) 2916 { 2917 cmd->len = 3; 2918 cmd->id = cpu_to_le16(id); 2919 cmd->data[0] = sar->edr2; 2920 return btintel_send_sar_ddc(hdev, cmd, 4); 2921 } 2922 2923 static int btintel_send_edr3(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd, 2924 int id, struct btintel_sar_inc_pwr *sar) 2925 { 2926 cmd->len = 3; 2927 cmd->id = cpu_to_le16(id); 2928 cmd->data[0] = sar->edr3; 2929 return btintel_send_sar_ddc(hdev, cmd, 4); 2930 } 2931 2932 static int btintel_set_legacy_sar(struct hci_dev *hdev, struct btintel_sar_inc_pwr *sar) 2933 { 2934 struct btintel_cp_ddc_write *cmd; 2935 u8 buffer[64]; 2936 int ret; 2937 2938 cmd = (void *)buffer; 2939 ret = btintel_send_br(hdev, cmd, 0x0131, sar); 2940 if (ret) 2941 return ret; 2942 2943 ret = btintel_send_br(hdev, cmd, 0x0132, sar); 2944 if (ret) 2945 return ret; 2946 2947 ret = btintel_send_le(hdev, cmd, 0x0133, sar); 2948 if (ret) 2949 return ret; 2950 2951 ret = btintel_send_edr(hdev, cmd, 0x0137, sar); 2952 if (ret) 2953 return ret; 2954 2955 ret = btintel_send_edr(hdev, cmd, 0x0138, sar); 2956 if (ret) 2957 return ret; 2958 2959 ret = btintel_send_edr(hdev, cmd, 0x013b, sar); 2960 if (ret) 2961 return ret; 2962 2963 ret = btintel_send_edr(hdev, cmd, 0x013c, sar); 2964 2965 return ret; 2966 } 2967 2968 static int btintel_set_mutual_sar(struct hci_dev *hdev, struct btintel_sar_inc_pwr *sar) 2969 { 2970 struct btintel_cp_ddc_write *cmd; 2971 struct sk_buff *skb; 2972 u8 buffer[64]; 2973 bool enable; 2974 int ret; 2975 2976 cmd = (void *)buffer; 2977 2978 cmd->len = 3; 2979 cmd->id = cpu_to_le16(0x019e); 2980 2981 if (sar->revision == BTINTEL_SAR_INC_PWR && 2982 sar->inc_power_mode == BTINTEL_SAR_INC_PWR_SUPPORTED) 2983 cmd->data[0] = 0x01; 2984 else 2985 cmd->data[0] = 0x00; 2986 2987 ret = btintel_send_sar_ddc(hdev, cmd, 4); 2988 if (ret) 2989 return ret; 2990 2991 if (sar->revision == BTINTEL_SAR_INC_PWR && 2992 sar->inc_power_mode == BTINTEL_SAR_INC_PWR_SUPPORTED) { 2993 cmd->len = 3; 2994 cmd->id = cpu_to_le16(0x019f); 2995 cmd->data[0] = sar->sar_2400_chain_a; 2996 2997 ret = btintel_send_sar_ddc(hdev, cmd, 4); 2998 if (ret) 2999 return ret; 3000 } 3001 3002 ret = btintel_send_br_mutual(hdev, cmd, 0x01a0, sar); 3003 if (ret) 3004 return ret; 3005 3006 ret = btintel_send_edr2(hdev, cmd, 0x01a1, sar); 3007 if (ret) 3008 return ret; 3009 3010 ret = btintel_send_edr3(hdev, cmd, 0x01a2, sar); 3011 if (ret) 3012 return ret; 3013 3014 ret = btintel_send_le(hdev, cmd, 0x01a3, sar); 3015 if (ret) 3016 return ret; 3017 3018 enable = true; 3019 skb = __hci_cmd_sync(hdev, 0xfe25, 1, &enable, HCI_CMD_TIMEOUT); 3020 if (IS_ERR(skb)) { 3021 bt_dev_warn(hdev, "Failed to send Intel SAR Enable (%ld)", PTR_ERR(skb)); 3022 return PTR_ERR(skb); 3023 } 3024 3025 kfree_skb(skb); 3026 return 0; 3027 } 3028 3029 static int btintel_sar_send_to_device(struct hci_dev *hdev, struct btintel_sar_inc_pwr *sar, 3030 struct intel_version_tlv *ver) 3031 { 3032 u16 cnvi, cnvr; 3033 int ret; 3034 3035 cnvi = ver->cnvi_top & 0xfff; 3036 cnvr = ver->cnvr_top & 0xfff; 3037 3038 if (cnvi < BTINTEL_CNVI_BLAZARI && cnvr < BTINTEL_CNVR_FMP2) { 3039 bt_dev_info(hdev, "Applying legacy Bluetooth SAR"); 3040 ret = btintel_set_legacy_sar(hdev, sar); 3041 } else if (cnvi == BTINTEL_CNVI_GAP || cnvr == BTINTEL_CNVR_FMP2) { 3042 bt_dev_info(hdev, "Applying mutual Bluetooth SAR"); 3043 ret = btintel_set_mutual_sar(hdev, sar); 3044 } else { 3045 ret = -EOPNOTSUPP; 3046 } 3047 3048 return ret; 3049 } 3050 3051 static int btintel_acpi_set_sar(struct hci_dev *hdev, struct intel_version_tlv *ver) 3052 { 3053 union acpi_object *bt_pkg, *buffer = NULL; 3054 struct btintel_sar_inc_pwr sar; 3055 acpi_status status; 3056 u8 revision; 3057 int ret; 3058 3059 status = btintel_evaluate_acpi_method(hdev, "BRDS", &buffer, 2); 3060 if (ACPI_FAILURE(status)) 3061 return -ENOENT; 3062 3063 bt_pkg = btintel_acpi_get_bt_pkg(buffer); 3064 3065 if (IS_ERR(bt_pkg)) { 3066 ret = PTR_ERR(bt_pkg); 3067 goto error; 3068 } 3069 3070 if (!bt_pkg->package.count) { 3071 ret = -EINVAL; 3072 goto error; 3073 } 3074 3075 revision = buffer->package.elements[0].integer.value; 3076 3077 if (revision > BTINTEL_SAR_INC_PWR) { 3078 bt_dev_dbg(hdev, "BT_SAR: revision: 0x%2.2x not supported", revision); 3079 ret = -EOPNOTSUPP; 3080 goto error; 3081 } 3082 3083 memset(&sar, 0, sizeof(sar)); 3084 3085 if (revision == BTINTEL_SAR_LEGACY && bt_pkg->package.count == 8) { 3086 sar.revision = revision; 3087 sar.bt_sar_bios = bt_pkg->package.elements[1].integer.value; 3088 sar.br = bt_pkg->package.elements[2].integer.value; 3089 sar.edr2 = bt_pkg->package.elements[3].integer.value; 3090 sar.edr3 = bt_pkg->package.elements[4].integer.value; 3091 sar.le = bt_pkg->package.elements[5].integer.value; 3092 sar.le_2mhz = bt_pkg->package.elements[6].integer.value; 3093 sar.le_lr = bt_pkg->package.elements[7].integer.value; 3094 3095 } else if (revision == BTINTEL_SAR_INC_PWR && bt_pkg->package.count == 10) { 3096 sar.revision = revision; 3097 sar.bt_sar_bios = bt_pkg->package.elements[1].integer.value; 3098 sar.inc_power_mode = bt_pkg->package.elements[2].integer.value; 3099 sar.sar_2400_chain_a = bt_pkg->package.elements[3].integer.value; 3100 sar.br = bt_pkg->package.elements[4].integer.value; 3101 sar.edr2 = bt_pkg->package.elements[5].integer.value; 3102 sar.edr3 = bt_pkg->package.elements[6].integer.value; 3103 sar.le = bt_pkg->package.elements[7].integer.value; 3104 sar.le_2mhz = bt_pkg->package.elements[8].integer.value; 3105 sar.le_lr = bt_pkg->package.elements[9].integer.value; 3106 } else { 3107 ret = -EINVAL; 3108 goto error; 3109 } 3110 3111 /* Apply only if it is enabled in BIOS */ 3112 if (sar.bt_sar_bios != 1) { 3113 bt_dev_dbg(hdev, "Bluetooth SAR is not enabled"); 3114 ret = -EOPNOTSUPP; 3115 goto error; 3116 } 3117 3118 ret = btintel_sar_send_to_device(hdev, &sar, ver); 3119 error: 3120 kfree(buffer); 3121 return ret; 3122 } 3123 #endif /* CONFIG_ACPI */ 3124 3125 static int btintel_set_specific_absorption_rate(struct hci_dev *hdev, 3126 struct intel_version_tlv *ver) 3127 { 3128 #ifdef CONFIG_ACPI 3129 return btintel_acpi_set_sar(hdev, ver); 3130 #endif 3131 return 0; 3132 } 3133 3134 int btintel_bootloader_setup_tlv(struct hci_dev *hdev, 3135 struct intel_version_tlv *ver) 3136 { 3137 u32 boot_param; 3138 char ddcname[64]; 3139 int err; 3140 struct intel_version_tlv new_ver; 3141 3142 bt_dev_dbg(hdev, ""); 3143 3144 /* Set the default boot parameter to 0x0 and it is updated to 3145 * SKU specific boot parameter after reading Intel_Write_Boot_Params 3146 * command while downloading the firmware. 3147 */ 3148 boot_param = 0x00000000; 3149 3150 /* In case of PCIe, this function might get called multiple times with 3151 * same hdev instance if there is any error on firmware download. 3152 * Need to clear stale bits of previous firmware download attempt. 3153 */ 3154 for (int i = 0; i < __INTEL_NUM_FLAGS; i++) 3155 btintel_clear_flag(hdev, i); 3156 3157 btintel_set_flag(hdev, INTEL_BOOTLOADER); 3158 3159 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 3160 if (err) 3161 return err; 3162 3163 /* check if controller is already having an operational firmware */ 3164 if (ver->img_type == BTINTEL_IMG_OP) 3165 goto finish; 3166 3167 err = btintel_boot(hdev, boot_param); 3168 if (err) 3169 return err; 3170 3171 err = btintel_read_version_tlv(hdev, ver); 3172 if (err) 3173 return err; 3174 3175 /* set drive strength of BRI response */ 3176 err = btintel_set_dsbr(hdev, ver); 3177 if (err) { 3178 bt_dev_err(hdev, "Failed to send dsbr command (%d)", err); 3179 return err; 3180 } 3181 3182 /* If image type returned is BTINTEL_IMG_IML, then controller supports 3183 * intermediate loader image 3184 */ 3185 if (ver->img_type == BTINTEL_IMG_IML) { 3186 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 3187 if (err) 3188 return err; 3189 3190 err = btintel_boot(hdev, boot_param); 3191 if (err) 3192 return err; 3193 } 3194 3195 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 3196 3197 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc"); 3198 /* Once the device is running in operational mode, it needs to 3199 * apply the device configuration (DDC) parameters. 3200 * 3201 * The device can work without DDC parameters, so even if it 3202 * fails to load the file, no need to fail the setup. 3203 */ 3204 btintel_load_ddc_config(hdev, ddcname); 3205 3206 /* Read supported use cases and set callbacks to fetch datapath id */ 3207 btintel_configure_offload(hdev); 3208 3209 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 3210 3211 /* Send sar values to controller */ 3212 btintel_set_specific_absorption_rate(hdev, ver); 3213 3214 /* Set PPAG feature */ 3215 btintel_set_ppag(hdev, ver); 3216 3217 /* Read the Intel version information after loading the FW */ 3218 err = btintel_read_version_tlv(hdev, &new_ver); 3219 if (err) 3220 return err; 3221 3222 btintel_version_info_tlv(hdev, &new_ver); 3223 3224 finish: 3225 /* Set the event mask for Intel specific vendor events. This enables 3226 * a few extra events that are useful during general operation. It 3227 * does not enable any debugging related events. 3228 * 3229 * The device will function correctly without these events enabled 3230 * and thus no need to fail the setup. 3231 */ 3232 btintel_set_event_mask(hdev, false); 3233 3234 return 0; 3235 } 3236 EXPORT_SYMBOL_GPL(btintel_bootloader_setup_tlv); 3237 3238 void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant) 3239 { 3240 switch (hw_variant) { 3241 /* Legacy bootloader devices that supports MSFT Extension */ 3242 case 0x11: /* JfP */ 3243 case 0x12: /* ThP */ 3244 case 0x13: /* HrP */ 3245 case 0x14: /* CcP */ 3246 /* All Intel new generation controllers support the Microsoft vendor 3247 * extension are using 0xFC1E for VsMsftOpCode. 3248 */ 3249 case 0x17: 3250 case 0x18: 3251 case 0x19: 3252 case 0x1b: 3253 case 0x1c: 3254 case 0x1d: 3255 case 0x1e: 3256 case 0x1f: 3257 case 0x22: 3258 hci_set_msft_opcode(hdev, 0xFC1E); 3259 break; 3260 default: 3261 /* Not supported */ 3262 break; 3263 } 3264 } 3265 EXPORT_SYMBOL_GPL(btintel_set_msft_opcode); 3266 3267 void btintel_print_fseq_info(struct hci_dev *hdev) 3268 { 3269 struct sk_buff *skb; 3270 u8 *p; 3271 u32 val; 3272 const char *str; 3273 3274 skb = __hci_cmd_sync(hdev, 0xfcb3, 0, NULL, HCI_CMD_TIMEOUT); 3275 if (IS_ERR(skb)) { 3276 bt_dev_dbg(hdev, "Reading fseq status command failed (%ld)", 3277 PTR_ERR(skb)); 3278 return; 3279 } 3280 3281 if (skb->len < (sizeof(u32) * 16 + 2)) { 3282 bt_dev_dbg(hdev, "Malformed packet of length %u received", 3283 skb->len); 3284 kfree_skb(skb); 3285 return; 3286 } 3287 3288 p = skb_pull_data(skb, 1); 3289 if (*p) { 3290 bt_dev_dbg(hdev, "Failed to get fseq status (0x%2.2x)", *p); 3291 kfree_skb(skb); 3292 return; 3293 } 3294 3295 p = skb_pull_data(skb, 1); 3296 switch (*p) { 3297 case 0: 3298 str = "Success"; 3299 break; 3300 case 1: 3301 str = "Fatal error"; 3302 break; 3303 case 2: 3304 str = "Semaphore acquire error"; 3305 break; 3306 default: 3307 str = "Unknown error"; 3308 break; 3309 } 3310 3311 if (*p) { 3312 bt_dev_err(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 3313 kfree_skb(skb); 3314 return; 3315 } 3316 3317 bt_dev_info(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 3318 3319 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3320 bt_dev_dbg(hdev, "Reason: 0x%8.8x", val); 3321 3322 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3323 bt_dev_dbg(hdev, "Global version: 0x%8.8x", val); 3324 3325 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3326 bt_dev_dbg(hdev, "Installed version: 0x%8.8x", val); 3327 3328 p = skb->data; 3329 skb_pull_data(skb, 4); 3330 bt_dev_info(hdev, "Fseq executed: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 3331 p[2], p[3]); 3332 3333 p = skb->data; 3334 skb_pull_data(skb, 4); 3335 bt_dev_info(hdev, "Fseq BT Top: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 3336 p[2], p[3]); 3337 3338 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3339 bt_dev_dbg(hdev, "Fseq Top init version: 0x%8.8x", val); 3340 3341 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3342 bt_dev_dbg(hdev, "Fseq Cnvio init version: 0x%8.8x", val); 3343 3344 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3345 bt_dev_dbg(hdev, "Fseq MBX Wifi file version: 0x%8.8x", val); 3346 3347 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3348 bt_dev_dbg(hdev, "Fseq BT version: 0x%8.8x", val); 3349 3350 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3351 bt_dev_dbg(hdev, "Fseq Top reset address: 0x%8.8x", val); 3352 3353 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3354 bt_dev_dbg(hdev, "Fseq MBX timeout: 0x%8.8x", val); 3355 3356 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3357 bt_dev_dbg(hdev, "Fseq MBX ack: 0x%8.8x", val); 3358 3359 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3360 bt_dev_dbg(hdev, "Fseq CNVi id: 0x%8.8x", val); 3361 3362 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3363 bt_dev_dbg(hdev, "Fseq CNVr id: 0x%8.8x", val); 3364 3365 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3366 bt_dev_dbg(hdev, "Fseq Error handle: 0x%8.8x", val); 3367 3368 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3369 bt_dev_dbg(hdev, "Fseq Magic noalive indication: 0x%8.8x", val); 3370 3371 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3372 bt_dev_dbg(hdev, "Fseq OTP version: 0x%8.8x", val); 3373 3374 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3375 bt_dev_dbg(hdev, "Fseq MBX otp version: 0x%8.8x", val); 3376 3377 kfree_skb(skb); 3378 } 3379 EXPORT_SYMBOL_GPL(btintel_print_fseq_info); 3380 3381 static int btintel_setup_combined(struct hci_dev *hdev) 3382 { 3383 const u8 param[1] = { 0xFF }; 3384 struct intel_version ver; 3385 struct intel_version_tlv ver_tlv; 3386 struct sk_buff *skb; 3387 int err; 3388 3389 BT_DBG("%s", hdev->name); 3390 3391 /* The some controllers have a bug with the first HCI command sent to it 3392 * returning number of completed commands as zero. This would stall the 3393 * command processing in the Bluetooth core. 3394 * 3395 * As a workaround, send HCI Reset command first which will reset the 3396 * number of completed commands and allow normal command processing 3397 * from now on. 3398 * 3399 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe 3400 * in the SW_RFKILL ON state as a workaround of fixing LED issue during 3401 * the shutdown() procedure, and once the device is in SW_RFKILL ON 3402 * state, the only way to exit out of it is sending the HCI_Reset 3403 * command. 3404 */ 3405 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) || 3406 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 3407 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, 3408 HCI_INIT_TIMEOUT); 3409 if (IS_ERR(skb)) { 3410 bt_dev_err(hdev, 3411 "sending initial HCI reset failed (%ld)", 3412 PTR_ERR(skb)); 3413 return PTR_ERR(skb); 3414 } 3415 kfree_skb(skb); 3416 } 3417 3418 /* Starting from TyP device, the command parameter and response are 3419 * changed even though the OCF for HCI_Intel_Read_Version command 3420 * remains same. The legacy devices can handle even if the 3421 * command has a parameter and returns a correct version information. 3422 * So, it uses new format to support both legacy and new format. 3423 */ 3424 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 3425 if (IS_ERR(skb)) { 3426 bt_dev_err(hdev, "Reading Intel version command failed (%ld)", 3427 PTR_ERR(skb)); 3428 return PTR_ERR(skb); 3429 } 3430 3431 /* Check the status */ 3432 if (skb->data[0]) { 3433 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 3434 skb->data[0]); 3435 err = -EIO; 3436 goto exit_error; 3437 } 3438 3439 /* Apply the common HCI quirks for Intel device */ 3440 hci_set_quirk(hdev, HCI_QUIRK_STRICT_DUPLICATE_FILTER); 3441 hci_set_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY); 3442 hci_set_quirk(hdev, HCI_QUIRK_NON_PERSISTENT_DIAG); 3443 3444 /* Set up the quality report callback for Intel devices */ 3445 hdev->set_quality_report = btintel_set_quality_report; 3446 3447 /* For Legacy device, check the HW platform value and size */ 3448 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) { 3449 bt_dev_dbg(hdev, "Read the legacy Intel version information"); 3450 3451 memcpy(&ver, skb->data, sizeof(ver)); 3452 3453 /* Display version information */ 3454 btintel_version_info(hdev, &ver); 3455 3456 /* Check for supported iBT hardware variants of this firmware 3457 * loading method. 3458 * 3459 * This check has been put in place to ensure correct forward 3460 * compatibility options when newer hardware variants come 3461 * along. 3462 */ 3463 switch (ver.hw_variant) { 3464 case 0x07: /* WP */ 3465 case 0x08: /* StP */ 3466 /* Legacy ROM product */ 3467 btintel_set_flag(hdev, INTEL_ROM_LEGACY); 3468 3469 /* Apply the device specific HCI quirks 3470 * 3471 * WBS for SdP - For the Legacy ROM products, only SdP 3472 * supports the WBS. But the version information is not 3473 * enough to use here because the StP2 and SdP have same 3474 * hw_variant and fw_variant. So, this flag is set by 3475 * the transport driver (btusb) based on the HW info 3476 * (idProduct) 3477 */ 3478 if (!btintel_test_flag(hdev, 3479 INTEL_ROM_LEGACY_NO_WBS_SUPPORT)) 3480 hci_set_quirk(hdev, 3481 HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED); 3482 3483 err = btintel_legacy_rom_setup(hdev, &ver); 3484 break; 3485 case 0x0b: /* SfP */ 3486 case 0x11: /* JfP */ 3487 case 0x12: /* ThP */ 3488 case 0x13: /* HrP */ 3489 case 0x14: /* CcP */ 3490 fallthrough; 3491 case 0x0c: /* WsP */ 3492 /* Apply the device specific HCI quirks 3493 * 3494 * All Legacy bootloader devices support WBS 3495 */ 3496 hci_set_quirk(hdev, 3497 HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED); 3498 3499 /* These variants don't seem to support LE Coded PHY */ 3500 hci_set_quirk(hdev, HCI_QUIRK_BROKEN_LE_CODED); 3501 3502 /* Setup MSFT Extension support */ 3503 btintel_set_msft_opcode(hdev, ver.hw_variant); 3504 3505 err = btintel_bootloader_setup(hdev, &ver); 3506 btintel_register_devcoredump_support(hdev); 3507 break; 3508 default: 3509 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3510 ver.hw_variant); 3511 err = -EINVAL; 3512 } 3513 3514 hci_set_hw_info(hdev, 3515 "INTEL platform=%u variant=%u revision=%u", 3516 ver.hw_platform, ver.hw_variant, 3517 ver.hw_revision); 3518 3519 goto exit_error; 3520 } 3521 3522 /* memset ver_tlv to start with clean state as few fields are exclusive 3523 * to bootloader mode and are not populated in operational mode 3524 */ 3525 memset(&ver_tlv, 0, sizeof(ver_tlv)); 3526 /* For TLV type device, parse the tlv data */ 3527 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb); 3528 if (err) { 3529 bt_dev_err(hdev, "Failed to parse TLV version information"); 3530 goto exit_error; 3531 } 3532 3533 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) { 3534 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 3535 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt)); 3536 err = -EINVAL; 3537 goto exit_error; 3538 } 3539 3540 /* Check for supported iBT hardware variants of this firmware 3541 * loading method. 3542 * 3543 * This check has been put in place to ensure correct forward 3544 * compatibility options when newer hardware variants come 3545 * along. 3546 */ 3547 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) { 3548 case 0x11: /* JfP */ 3549 case 0x12: /* ThP */ 3550 case 0x13: /* HrP */ 3551 case 0x14: /* CcP */ 3552 /* Some legacy bootloader devices starting from JfP, 3553 * the operational firmware supports both old and TLV based 3554 * HCI_Intel_Read_Version command based on the command 3555 * parameter. 3556 * 3557 * For upgrading firmware case, the TLV based version cannot 3558 * be used because the firmware filename for legacy bootloader 3559 * is based on the old format. 3560 * 3561 * Also, it is not easy to convert TLV based version from the 3562 * legacy version format. 3563 * 3564 * So, as a workaround for those devices, use the legacy 3565 * HCI_Intel_Read_Version to get the version information and 3566 * run the legacy bootloader setup. 3567 */ 3568 err = btintel_read_version(hdev, &ver); 3569 if (err) 3570 break; 3571 3572 /* Apply the device specific HCI quirks 3573 * 3574 * All Legacy bootloader devices support WBS 3575 */ 3576 hci_set_quirk(hdev, HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED); 3577 3578 /* These variants don't seem to support LE Coded PHY */ 3579 hci_set_quirk(hdev, HCI_QUIRK_BROKEN_LE_CODED); 3580 3581 /* Setup MSFT Extension support */ 3582 btintel_set_msft_opcode(hdev, ver.hw_variant); 3583 3584 err = btintel_bootloader_setup(hdev, &ver); 3585 btintel_register_devcoredump_support(hdev); 3586 break; 3587 case 0x18: /* GfP2 */ 3588 case 0x1c: /* GaP */ 3589 /* Re-classify packet type for controllers with LE audio */ 3590 hdev->classify_pkt_type = btintel_classify_pkt_type; 3591 fallthrough; 3592 case 0x17: 3593 case 0x19: 3594 case 0x1b: 3595 case 0x1d: 3596 case 0x1e: 3597 case 0x1f: 3598 case 0x22: 3599 /* Display version information of TLV type */ 3600 btintel_version_info_tlv(hdev, &ver_tlv); 3601 3602 /* Apply the device specific HCI quirks for TLV based devices 3603 * 3604 * All TLV based devices support WBS 3605 */ 3606 hci_set_quirk(hdev, HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED); 3607 3608 /* Setup MSFT Extension support */ 3609 btintel_set_msft_opcode(hdev, 3610 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3611 btintel_set_dsm_reset_method(hdev, &ver_tlv); 3612 3613 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv); 3614 if (err) 3615 goto exit_error; 3616 3617 btintel_register_devcoredump_support(hdev); 3618 btintel_print_fseq_info(hdev); 3619 break; 3620 default: 3621 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3622 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3623 err = -EINVAL; 3624 break; 3625 } 3626 3627 hci_set_hw_info(hdev, "INTEL platform=%u variant=%u", 3628 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt), 3629 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3630 3631 exit_error: 3632 kfree_skb(skb); 3633 3634 return err; 3635 } 3636 3637 int btintel_shutdown_combined(struct hci_dev *hdev) 3638 { 3639 struct sk_buff *skb; 3640 int ret; 3641 3642 /* Send HCI Reset to the controller to stop any BT activity which 3643 * were triggered. This will help to save power and maintain the 3644 * sync b/w Host and controller 3645 */ 3646 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 3647 if (IS_ERR(skb)) { 3648 bt_dev_err(hdev, "HCI reset during shutdown failed"); 3649 return PTR_ERR(skb); 3650 } 3651 kfree_skb(skb); 3652 3653 3654 /* Some platforms have an issue with BT LED when the interface is 3655 * down or BT radio is turned off, which takes 5 seconds to BT LED 3656 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the 3657 * device in the RFKILL ON state which turns off the BT LED immediately. 3658 */ 3659 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 3660 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 3661 if (IS_ERR(skb)) { 3662 ret = PTR_ERR(skb); 3663 bt_dev_err(hdev, "turning off Intel device LED failed"); 3664 return ret; 3665 } 3666 kfree_skb(skb); 3667 } 3668 3669 return 0; 3670 } 3671 EXPORT_SYMBOL_GPL(btintel_shutdown_combined); 3672 3673 int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name) 3674 { 3675 hdev->manufacturer = 2; 3676 hdev->setup = btintel_setup_combined; 3677 hdev->shutdown = btintel_shutdown_combined; 3678 hdev->hw_error = btintel_hw_error; 3679 hdev->set_diag = btintel_set_diag_combined; 3680 hdev->set_bdaddr = btintel_set_bdaddr; 3681 3682 coredump_info.driver_name = driver_name; 3683 3684 return 0; 3685 } 3686 EXPORT_SYMBOL_GPL(btintel_configure_setup); 3687 3688 static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 3689 { 3690 struct intel_tlv *tlv = (void *)&skb->data[5]; 3691 3692 /* The first event is always an event type TLV */ 3693 if (tlv->type != INTEL_TLV_TYPE_ID) 3694 goto recv_frame; 3695 3696 switch (tlv->val[0]) { 3697 case INTEL_TLV_SYSTEM_EXCEPTION: 3698 case INTEL_TLV_FATAL_EXCEPTION: 3699 case INTEL_TLV_DEBUG_EXCEPTION: 3700 case INTEL_TLV_TEST_EXCEPTION: 3701 /* Generate devcoredump from exception */ 3702 if (!hci_devcd_init(hdev, skb->len)) { 3703 hci_devcd_append(hdev, skb_clone(skb, GFP_ATOMIC)); 3704 hci_devcd_complete(hdev); 3705 } else { 3706 bt_dev_err(hdev, "Failed to generate devcoredump"); 3707 } 3708 break; 3709 default: 3710 bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]); 3711 } 3712 3713 recv_frame: 3714 return hci_recv_frame(hdev, skb); 3715 } 3716 3717 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 3718 { 3719 struct hci_event_hdr *hdr = (void *)skb->data; 3720 const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 }; 3721 3722 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 3723 hdr->plen > 0) { 3724 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 3725 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 3726 3727 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 3728 switch (skb->data[2]) { 3729 case 0x02: 3730 /* When switching to the operational firmware 3731 * the device sends a vendor specific event 3732 * indicating that the bootup completed. 3733 */ 3734 btintel_bootup(hdev, ptr, len); 3735 kfree_skb(skb); 3736 return 0; 3737 case 0x06: 3738 /* When the firmware loading completes the 3739 * device sends out a vendor specific event 3740 * indicating the result of the firmware 3741 * loading. 3742 */ 3743 btintel_secure_send_result(hdev, ptr, len); 3744 kfree_skb(skb); 3745 return 0; 3746 } 3747 } 3748 3749 /* Handle all diagnostics events separately. May still call 3750 * hci_recv_frame. 3751 */ 3752 if (len >= sizeof(diagnostics_hdr) && 3753 memcmp(&skb->data[2], diagnostics_hdr, 3754 sizeof(diagnostics_hdr)) == 0) { 3755 return btintel_diagnostics(hdev, skb); 3756 } 3757 } 3758 3759 return hci_recv_frame(hdev, skb); 3760 } 3761 EXPORT_SYMBOL_GPL(btintel_recv_event); 3762 3763 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len) 3764 { 3765 const struct intel_bootup *evt = ptr; 3766 3767 if (len != sizeof(*evt)) 3768 return; 3769 3770 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING)) 3771 btintel_wake_up_flag(hdev, INTEL_BOOTING); 3772 } 3773 EXPORT_SYMBOL_GPL(btintel_bootup); 3774 3775 void btintel_secure_send_result(struct hci_dev *hdev, 3776 const void *ptr, unsigned int len) 3777 { 3778 const struct intel_secure_send_result *evt = ptr; 3779 3780 if (len != sizeof(*evt)) 3781 return; 3782 3783 if (evt->result) 3784 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED); 3785 3786 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) && 3787 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED)) 3788 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING); 3789 } 3790 EXPORT_SYMBOL_GPL(btintel_secure_send_result); 3791 3792 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3793 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION); 3794 MODULE_VERSION(VERSION); 3795 MODULE_LICENSE("GPL"); 3796 MODULE_FIRMWARE("intel/ibt-11-5.sfi"); 3797 MODULE_FIRMWARE("intel/ibt-11-5.ddc"); 3798 MODULE_FIRMWARE("intel/ibt-12-16.sfi"); 3799 MODULE_FIRMWARE("intel/ibt-12-16.ddc"); 3800