xref: /linux/drivers/bluetooth/btintel.c (revision 0ddd7eaffa644baa78e247bbd220ab7195b1eed6)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *
4  *  Bluetooth support for Intel devices
5  *
6  *  Copyright (C) 2015  Intel Corporation
7  */
8 
9 #include <linux/module.h>
10 #include <linux/firmware.h>
11 #include <linux/regmap.h>
12 #include <asm/unaligned.h>
13 
14 #include <net/bluetooth/bluetooth.h>
15 #include <net/bluetooth/hci_core.h>
16 
17 #include "btintel.h"
18 
19 #define VERSION "0.1"
20 
21 #define BDADDR_INTEL		(&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
22 #define RSA_HEADER_LEN		644
23 #define CSS_HEADER_OFFSET	8
24 #define ECDSA_OFFSET		644
25 #define ECDSA_HEADER_LEN	320
26 
27 #define CMD_WRITE_BOOT_PARAMS	0xfc0e
28 struct cmd_write_boot_params {
29 	u32 boot_addr;
30 	u8  fw_build_num;
31 	u8  fw_build_ww;
32 	u8  fw_build_yy;
33 } __packed;
34 
35 int btintel_check_bdaddr(struct hci_dev *hdev)
36 {
37 	struct hci_rp_read_bd_addr *bda;
38 	struct sk_buff *skb;
39 
40 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
41 			     HCI_INIT_TIMEOUT);
42 	if (IS_ERR(skb)) {
43 		int err = PTR_ERR(skb);
44 		bt_dev_err(hdev, "Reading Intel device address failed (%d)",
45 			   err);
46 		return err;
47 	}
48 
49 	if (skb->len != sizeof(*bda)) {
50 		bt_dev_err(hdev, "Intel device address length mismatch");
51 		kfree_skb(skb);
52 		return -EIO;
53 	}
54 
55 	bda = (struct hci_rp_read_bd_addr *)skb->data;
56 
57 	/* For some Intel based controllers, the default Bluetooth device
58 	 * address 00:03:19:9E:8B:00 can be found. These controllers are
59 	 * fully operational, but have the danger of duplicate addresses
60 	 * and that in turn can cause problems with Bluetooth operation.
61 	 */
62 	if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
63 		bt_dev_err(hdev, "Found Intel default device address (%pMR)",
64 			   &bda->bdaddr);
65 		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
66 	}
67 
68 	kfree_skb(skb);
69 
70 	return 0;
71 }
72 EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
73 
74 int btintel_enter_mfg(struct hci_dev *hdev)
75 {
76 	static const u8 param[] = { 0x01, 0x00 };
77 	struct sk_buff *skb;
78 
79 	skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
80 	if (IS_ERR(skb)) {
81 		bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
82 			   PTR_ERR(skb));
83 		return PTR_ERR(skb);
84 	}
85 	kfree_skb(skb);
86 
87 	return 0;
88 }
89 EXPORT_SYMBOL_GPL(btintel_enter_mfg);
90 
91 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
92 {
93 	u8 param[] = { 0x00, 0x00 };
94 	struct sk_buff *skb;
95 
96 	/* The 2nd command parameter specifies the manufacturing exit method:
97 	 * 0x00: Just disable the manufacturing mode (0x00).
98 	 * 0x01: Disable manufacturing mode and reset with patches deactivated.
99 	 * 0x02: Disable manufacturing mode and reset with patches activated.
100 	 */
101 	if (reset)
102 		param[1] |= patched ? 0x02 : 0x01;
103 
104 	skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
105 	if (IS_ERR(skb)) {
106 		bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
107 			   PTR_ERR(skb));
108 		return PTR_ERR(skb);
109 	}
110 	kfree_skb(skb);
111 
112 	return 0;
113 }
114 EXPORT_SYMBOL_GPL(btintel_exit_mfg);
115 
116 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
117 {
118 	struct sk_buff *skb;
119 	int err;
120 
121 	skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
122 	if (IS_ERR(skb)) {
123 		err = PTR_ERR(skb);
124 		bt_dev_err(hdev, "Changing Intel device address failed (%d)",
125 			   err);
126 		return err;
127 	}
128 	kfree_skb(skb);
129 
130 	return 0;
131 }
132 EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
133 
134 int btintel_set_diag(struct hci_dev *hdev, bool enable)
135 {
136 	struct sk_buff *skb;
137 	u8 param[3];
138 	int err;
139 
140 	if (enable) {
141 		param[0] = 0x03;
142 		param[1] = 0x03;
143 		param[2] = 0x03;
144 	} else {
145 		param[0] = 0x00;
146 		param[1] = 0x00;
147 		param[2] = 0x00;
148 	}
149 
150 	skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
151 	if (IS_ERR(skb)) {
152 		err = PTR_ERR(skb);
153 		if (err == -ENODATA)
154 			goto done;
155 		bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)",
156 			   err);
157 		return err;
158 	}
159 	kfree_skb(skb);
160 
161 done:
162 	btintel_set_event_mask(hdev, enable);
163 	return 0;
164 }
165 EXPORT_SYMBOL_GPL(btintel_set_diag);
166 
167 int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
168 {
169 	int err, ret;
170 
171 	err = btintel_enter_mfg(hdev);
172 	if (err)
173 		return err;
174 
175 	ret = btintel_set_diag(hdev, enable);
176 
177 	err = btintel_exit_mfg(hdev, false, false);
178 	if (err)
179 		return err;
180 
181 	return ret;
182 }
183 EXPORT_SYMBOL_GPL(btintel_set_diag_mfg);
184 
185 void btintel_hw_error(struct hci_dev *hdev, u8 code)
186 {
187 	struct sk_buff *skb;
188 	u8 type = 0x00;
189 
190 	bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
191 
192 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
193 	if (IS_ERR(skb)) {
194 		bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
195 			   PTR_ERR(skb));
196 		return;
197 	}
198 	kfree_skb(skb);
199 
200 	skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
201 	if (IS_ERR(skb)) {
202 		bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
203 			   PTR_ERR(skb));
204 		return;
205 	}
206 
207 	if (skb->len != 13) {
208 		bt_dev_err(hdev, "Exception info size mismatch");
209 		kfree_skb(skb);
210 		return;
211 	}
212 
213 	bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
214 
215 	kfree_skb(skb);
216 }
217 EXPORT_SYMBOL_GPL(btintel_hw_error);
218 
219 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
220 {
221 	const char *variant;
222 
223 	/* The hardware platform number has a fixed value of 0x37 and
224 	 * for now only accept this single value.
225 	 */
226 	if (ver->hw_platform != 0x37) {
227 		bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)",
228 			   ver->hw_platform);
229 		return -EINVAL;
230 	}
231 
232 	/* Check for supported iBT hardware variants of this firmware
233 	 * loading method.
234 	 *
235 	 * This check has been put in place to ensure correct forward
236 	 * compatibility options when newer hardware variants come along.
237 	 */
238 	switch (ver->hw_variant) {
239 	case 0x0b:      /* SfP */
240 	case 0x0c:      /* WsP */
241 	case 0x11:      /* JfP */
242 	case 0x12:      /* ThP */
243 	case 0x13:      /* HrP */
244 	case 0x14:      /* CcP */
245 		break;
246 	default:
247 		bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)",
248 			   ver->hw_variant);
249 		return -EINVAL;
250 	}
251 
252 	switch (ver->fw_variant) {
253 	case 0x06:
254 		variant = "Bootloader";
255 		break;
256 	case 0x23:
257 		variant = "Firmware";
258 		break;
259 	default:
260 		bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant);
261 		return -EINVAL;
262 	}
263 
264 	bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u",
265 		    variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
266 		    ver->fw_build_num, ver->fw_build_ww,
267 		    2000 + ver->fw_build_yy);
268 
269 	return 0;
270 }
271 EXPORT_SYMBOL_GPL(btintel_version_info);
272 
273 int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
274 			const void *param)
275 {
276 	while (plen > 0) {
277 		struct sk_buff *skb;
278 		u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
279 
280 		cmd_param[0] = fragment_type;
281 		memcpy(cmd_param + 1, param, fragment_len);
282 
283 		skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
284 				     cmd_param, HCI_INIT_TIMEOUT);
285 		if (IS_ERR(skb))
286 			return PTR_ERR(skb);
287 
288 		kfree_skb(skb);
289 
290 		plen -= fragment_len;
291 		param += fragment_len;
292 	}
293 
294 	return 0;
295 }
296 EXPORT_SYMBOL_GPL(btintel_secure_send);
297 
298 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
299 {
300 	const struct firmware *fw;
301 	struct sk_buff *skb;
302 	const u8 *fw_ptr;
303 	int err;
304 
305 	err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
306 	if (err < 0) {
307 		bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
308 			   ddc_name, err);
309 		return err;
310 	}
311 
312 	bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
313 
314 	fw_ptr = fw->data;
315 
316 	/* DDC file contains one or more DDC structure which has
317 	 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
318 	 */
319 	while (fw->size > fw_ptr - fw->data) {
320 		u8 cmd_plen = fw_ptr[0] + sizeof(u8);
321 
322 		skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
323 				     HCI_INIT_TIMEOUT);
324 		if (IS_ERR(skb)) {
325 			bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
326 				   PTR_ERR(skb));
327 			release_firmware(fw);
328 			return PTR_ERR(skb);
329 		}
330 
331 		fw_ptr += cmd_plen;
332 		kfree_skb(skb);
333 	}
334 
335 	release_firmware(fw);
336 
337 	bt_dev_info(hdev, "Applying Intel DDC parameters completed");
338 
339 	return 0;
340 }
341 EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
342 
343 int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
344 {
345 	u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
346 	struct sk_buff *skb;
347 	int err;
348 
349 	if (debug)
350 		mask[1] |= 0x62;
351 
352 	skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
353 	if (IS_ERR(skb)) {
354 		err = PTR_ERR(skb);
355 		bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err);
356 		return err;
357 	}
358 	kfree_skb(skb);
359 
360 	return 0;
361 }
362 EXPORT_SYMBOL_GPL(btintel_set_event_mask);
363 
364 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
365 {
366 	int err, ret;
367 
368 	err = btintel_enter_mfg(hdev);
369 	if (err)
370 		return err;
371 
372 	ret = btintel_set_event_mask(hdev, debug);
373 
374 	err = btintel_exit_mfg(hdev, false, false);
375 	if (err)
376 		return err;
377 
378 	return ret;
379 }
380 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
381 
382 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
383 {
384 	struct sk_buff *skb;
385 
386 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
387 	if (IS_ERR(skb)) {
388 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
389 			   PTR_ERR(skb));
390 		return PTR_ERR(skb);
391 	}
392 
393 	if (skb->len != sizeof(*ver)) {
394 		bt_dev_err(hdev, "Intel version event size mismatch");
395 		kfree_skb(skb);
396 		return -EILSEQ;
397 	}
398 
399 	memcpy(ver, skb->data, sizeof(*ver));
400 
401 	kfree_skb(skb);
402 
403 	return 0;
404 }
405 EXPORT_SYMBOL_GPL(btintel_read_version);
406 
407 int btintel_version_info_tlv(struct hci_dev *hdev, struct intel_version_tlv *version)
408 {
409 	const char *variant;
410 
411 	/* The hardware platform number has a fixed value of 0x37 and
412 	 * for now only accept this single value.
413 	 */
414 	if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) {
415 		bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
416 			   INTEL_HW_PLATFORM(version->cnvi_bt));
417 		return -EINVAL;
418 	}
419 
420 	/* Check for supported iBT hardware variants of this firmware
421 	 * loading method.
422 	 *
423 	 * This check has been put in place to ensure correct forward
424 	 * compatibility options when newer hardware variants come along.
425 	 */
426 	switch (INTEL_HW_VARIANT(version->cnvi_bt)) {
427 	case 0x17:	/* TyP */
428 	case 0x18:	/* Slr */
429 	case 0x19:	/* Slr-F */
430 		break;
431 	default:
432 		bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)",
433 			   INTEL_HW_VARIANT(version->cnvi_bt));
434 		return -EINVAL;
435 	}
436 
437 	switch (version->img_type) {
438 	case 0x01:
439 		variant = "Bootloader";
440 		/* It is required that every single firmware fragment is acknowledged
441 		 * with a command complete event. If the boot parameters indicate
442 		 * that this bootloader does not send them, then abort the setup.
443 		 */
444 		if (version->limited_cce != 0x00) {
445 			bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)",
446 				   version->limited_cce);
447 			return -EINVAL;
448 		}
449 
450 		/* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */
451 		if (version->sbe_type > 0x01) {
452 			bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)",
453 				   version->sbe_type);
454 			return -EINVAL;
455 		}
456 
457 		bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id);
458 		bt_dev_info(hdev, "Secure boot is %s",
459 			    version->secure_boot ? "enabled" : "disabled");
460 		bt_dev_info(hdev, "OTP lock is %s",
461 			    version->otp_lock ? "enabled" : "disabled");
462 		bt_dev_info(hdev, "API lock is %s",
463 			    version->api_lock ? "enabled" : "disabled");
464 		bt_dev_info(hdev, "Debug lock is %s",
465 			    version->debug_lock ? "enabled" : "disabled");
466 		bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
467 			    version->min_fw_build_nn, version->min_fw_build_cw,
468 			    2000 + version->min_fw_build_yy);
469 		break;
470 	case 0x03:
471 		variant = "Firmware";
472 		break;
473 	default:
474 		bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type);
475 		return -EINVAL;
476 	}
477 
478 	bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant,
479 		    2000 + (version->timestamp >> 8), version->timestamp & 0xff,
480 		    version->build_type, version->build_num);
481 
482 	return 0;
483 }
484 EXPORT_SYMBOL_GPL(btintel_version_info_tlv);
485 
486 int btintel_read_version_tlv(struct hci_dev *hdev, struct intel_version_tlv *version)
487 {
488 	struct sk_buff *skb;
489 	const u8 param[1] = { 0xFF };
490 
491 	if (!version)
492 		return -EINVAL;
493 
494 	skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
495 	if (IS_ERR(skb)) {
496 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
497 			   PTR_ERR(skb));
498 		return PTR_ERR(skb);
499 	}
500 
501 	if (skb->data[0]) {
502 		bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
503 			   skb->data[0]);
504 		kfree_skb(skb);
505 		return -EIO;
506 	}
507 
508 	/* Consume Command Complete Status field */
509 	skb_pull(skb, 1);
510 
511 	/* Event parameters contatin multiple TLVs. Read each of them
512 	 * and only keep the required data. Also, it use existing legacy
513 	 * version field like hw_platform, hw_variant, and fw_variant
514 	 * to keep the existing setup flow
515 	 */
516 	while (skb->len) {
517 		struct intel_tlv *tlv;
518 
519 		tlv = (struct intel_tlv *)skb->data;
520 		switch (tlv->type) {
521 		case INTEL_TLV_CNVI_TOP:
522 			version->cnvi_top = get_unaligned_le32(tlv->val);
523 			break;
524 		case INTEL_TLV_CNVR_TOP:
525 			version->cnvr_top = get_unaligned_le32(tlv->val);
526 			break;
527 		case INTEL_TLV_CNVI_BT:
528 			version->cnvi_bt = get_unaligned_le32(tlv->val);
529 			break;
530 		case INTEL_TLV_CNVR_BT:
531 			version->cnvr_bt = get_unaligned_le32(tlv->val);
532 			break;
533 		case INTEL_TLV_DEV_REV_ID:
534 			version->dev_rev_id = get_unaligned_le16(tlv->val);
535 			break;
536 		case INTEL_TLV_IMAGE_TYPE:
537 			version->img_type = tlv->val[0];
538 			break;
539 		case INTEL_TLV_TIME_STAMP:
540 			/* If image type is Operational firmware (0x03), then
541 			 * running FW Calendar Week and Year information can
542 			 * be extracted from Timestamp information
543 			 */
544 			version->min_fw_build_cw = tlv->val[0];
545 			version->min_fw_build_yy = tlv->val[1];
546 			version->timestamp = get_unaligned_le16(tlv->val);
547 			break;
548 		case INTEL_TLV_BUILD_TYPE:
549 			version->build_type = tlv->val[0];
550 			break;
551 		case INTEL_TLV_BUILD_NUM:
552 			/* If image type is Operational firmware (0x03), then
553 			 * running FW build number can be extracted from the
554 			 * Build information
555 			 */
556 			version->min_fw_build_nn = tlv->val[0];
557 			version->build_num = get_unaligned_le32(tlv->val);
558 			break;
559 		case INTEL_TLV_SECURE_BOOT:
560 			version->secure_boot = tlv->val[0];
561 			break;
562 		case INTEL_TLV_OTP_LOCK:
563 			version->otp_lock = tlv->val[0];
564 			break;
565 		case INTEL_TLV_API_LOCK:
566 			version->api_lock = tlv->val[0];
567 			break;
568 		case INTEL_TLV_DEBUG_LOCK:
569 			version->debug_lock = tlv->val[0];
570 			break;
571 		case INTEL_TLV_MIN_FW:
572 			version->min_fw_build_nn = tlv->val[0];
573 			version->min_fw_build_cw = tlv->val[1];
574 			version->min_fw_build_yy = tlv->val[2];
575 			break;
576 		case INTEL_TLV_LIMITED_CCE:
577 			version->limited_cce = tlv->val[0];
578 			break;
579 		case INTEL_TLV_SBE_TYPE:
580 			version->sbe_type = tlv->val[0];
581 			break;
582 		case INTEL_TLV_OTP_BDADDR:
583 			memcpy(&version->otp_bd_addr, tlv->val, tlv->len);
584 			break;
585 		default:
586 			/* Ignore rest of information */
587 			break;
588 		}
589 		/* consume the current tlv and move to next*/
590 		skb_pull(skb, tlv->len + sizeof(*tlv));
591 	}
592 
593 	kfree_skb(skb);
594 	return 0;
595 }
596 EXPORT_SYMBOL_GPL(btintel_read_version_tlv);
597 
598 /* ------- REGMAP IBT SUPPORT ------- */
599 
600 #define IBT_REG_MODE_8BIT  0x00
601 #define IBT_REG_MODE_16BIT 0x01
602 #define IBT_REG_MODE_32BIT 0x02
603 
604 struct regmap_ibt_context {
605 	struct hci_dev *hdev;
606 	__u16 op_write;
607 	__u16 op_read;
608 };
609 
610 struct ibt_cp_reg_access {
611 	__le32  addr;
612 	__u8    mode;
613 	__u8    len;
614 	__u8    data[];
615 } __packed;
616 
617 struct ibt_rp_reg_access {
618 	__u8    status;
619 	__le32  addr;
620 	__u8    data[];
621 } __packed;
622 
623 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
624 			   void *val, size_t val_size)
625 {
626 	struct regmap_ibt_context *ctx = context;
627 	struct ibt_cp_reg_access cp;
628 	struct ibt_rp_reg_access *rp;
629 	struct sk_buff *skb;
630 	int err = 0;
631 
632 	if (reg_size != sizeof(__le32))
633 		return -EINVAL;
634 
635 	switch (val_size) {
636 	case 1:
637 		cp.mode = IBT_REG_MODE_8BIT;
638 		break;
639 	case 2:
640 		cp.mode = IBT_REG_MODE_16BIT;
641 		break;
642 	case 4:
643 		cp.mode = IBT_REG_MODE_32BIT;
644 		break;
645 	default:
646 		return -EINVAL;
647 	}
648 
649 	/* regmap provides a little-endian formatted addr */
650 	cp.addr = *(__le32 *)addr;
651 	cp.len = val_size;
652 
653 	bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
654 
655 	skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
656 			   HCI_CMD_TIMEOUT);
657 	if (IS_ERR(skb)) {
658 		err = PTR_ERR(skb);
659 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
660 			   le32_to_cpu(cp.addr), err);
661 		return err;
662 	}
663 
664 	if (skb->len != sizeof(*rp) + val_size) {
665 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
666 			   le32_to_cpu(cp.addr));
667 		err = -EINVAL;
668 		goto done;
669 	}
670 
671 	rp = (struct ibt_rp_reg_access *)skb->data;
672 
673 	if (rp->addr != cp.addr) {
674 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
675 			   le32_to_cpu(rp->addr));
676 		err = -EINVAL;
677 		goto done;
678 	}
679 
680 	memcpy(val, rp->data, val_size);
681 
682 done:
683 	kfree_skb(skb);
684 	return err;
685 }
686 
687 static int regmap_ibt_gather_write(void *context,
688 				   const void *addr, size_t reg_size,
689 				   const void *val, size_t val_size)
690 {
691 	struct regmap_ibt_context *ctx = context;
692 	struct ibt_cp_reg_access *cp;
693 	struct sk_buff *skb;
694 	int plen = sizeof(*cp) + val_size;
695 	u8 mode;
696 	int err = 0;
697 
698 	if (reg_size != sizeof(__le32))
699 		return -EINVAL;
700 
701 	switch (val_size) {
702 	case 1:
703 		mode = IBT_REG_MODE_8BIT;
704 		break;
705 	case 2:
706 		mode = IBT_REG_MODE_16BIT;
707 		break;
708 	case 4:
709 		mode = IBT_REG_MODE_32BIT;
710 		break;
711 	default:
712 		return -EINVAL;
713 	}
714 
715 	cp = kmalloc(plen, GFP_KERNEL);
716 	if (!cp)
717 		return -ENOMEM;
718 
719 	/* regmap provides a little-endian formatted addr/value */
720 	cp->addr = *(__le32 *)addr;
721 	cp->mode = mode;
722 	cp->len = val_size;
723 	memcpy(&cp->data, val, val_size);
724 
725 	bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
726 
727 	skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
728 	if (IS_ERR(skb)) {
729 		err = PTR_ERR(skb);
730 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
731 			   le32_to_cpu(cp->addr), err);
732 		goto done;
733 	}
734 	kfree_skb(skb);
735 
736 done:
737 	kfree(cp);
738 	return err;
739 }
740 
741 static int regmap_ibt_write(void *context, const void *data, size_t count)
742 {
743 	/* data contains register+value, since we only support 32bit addr,
744 	 * minimum data size is 4 bytes.
745 	 */
746 	if (WARN_ONCE(count < 4, "Invalid register access"))
747 		return -EINVAL;
748 
749 	return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
750 }
751 
752 static void regmap_ibt_free_context(void *context)
753 {
754 	kfree(context);
755 }
756 
757 static struct regmap_bus regmap_ibt = {
758 	.read = regmap_ibt_read,
759 	.write = regmap_ibt_write,
760 	.gather_write = regmap_ibt_gather_write,
761 	.free_context = regmap_ibt_free_context,
762 	.reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
763 	.val_format_endian_default = REGMAP_ENDIAN_LITTLE,
764 };
765 
766 /* Config is the same for all register regions */
767 static const struct regmap_config regmap_ibt_cfg = {
768 	.name      = "btintel_regmap",
769 	.reg_bits  = 32,
770 	.val_bits  = 32,
771 };
772 
773 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
774 				   u16 opcode_write)
775 {
776 	struct regmap_ibt_context *ctx;
777 
778 	bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
779 		    opcode_write);
780 
781 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
782 	if (!ctx)
783 		return ERR_PTR(-ENOMEM);
784 
785 	ctx->op_read = opcode_read;
786 	ctx->op_write = opcode_write;
787 	ctx->hdev = hdev;
788 
789 	return regmap_init(&hdev->dev, &regmap_ibt, ctx, &regmap_ibt_cfg);
790 }
791 EXPORT_SYMBOL_GPL(btintel_regmap_init);
792 
793 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
794 {
795 	struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 };
796 	struct sk_buff *skb;
797 
798 	params.boot_param = cpu_to_le32(boot_param);
799 
800 	skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), &params,
801 			     HCI_INIT_TIMEOUT);
802 	if (IS_ERR(skb)) {
803 		bt_dev_err(hdev, "Failed to send Intel Reset command");
804 		return PTR_ERR(skb);
805 	}
806 
807 	kfree_skb(skb);
808 
809 	return 0;
810 }
811 EXPORT_SYMBOL_GPL(btintel_send_intel_reset);
812 
813 int btintel_read_boot_params(struct hci_dev *hdev,
814 			     struct intel_boot_params *params)
815 {
816 	struct sk_buff *skb;
817 
818 	skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
819 	if (IS_ERR(skb)) {
820 		bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)",
821 			   PTR_ERR(skb));
822 		return PTR_ERR(skb);
823 	}
824 
825 	if (skb->len != sizeof(*params)) {
826 		bt_dev_err(hdev, "Intel boot parameters size mismatch");
827 		kfree_skb(skb);
828 		return -EILSEQ;
829 	}
830 
831 	memcpy(params, skb->data, sizeof(*params));
832 
833 	kfree_skb(skb);
834 
835 	if (params->status) {
836 		bt_dev_err(hdev, "Intel boot parameters command failed (%02x)",
837 			   params->status);
838 		return -bt_to_errno(params->status);
839 	}
840 
841 	bt_dev_info(hdev, "Device revision is %u",
842 		    le16_to_cpu(params->dev_revid));
843 
844 	bt_dev_info(hdev, "Secure boot is %s",
845 		    params->secure_boot ? "enabled" : "disabled");
846 
847 	bt_dev_info(hdev, "OTP lock is %s",
848 		    params->otp_lock ? "enabled" : "disabled");
849 
850 	bt_dev_info(hdev, "API lock is %s",
851 		    params->api_lock ? "enabled" : "disabled");
852 
853 	bt_dev_info(hdev, "Debug lock is %s",
854 		    params->debug_lock ? "enabled" : "disabled");
855 
856 	bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
857 		    params->min_fw_build_nn, params->min_fw_build_cw,
858 		    2000 + params->min_fw_build_yy);
859 
860 	return 0;
861 }
862 EXPORT_SYMBOL_GPL(btintel_read_boot_params);
863 
864 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev,
865 					      const struct firmware *fw)
866 {
867 	int err;
868 
869 	/* Start the firmware download transaction with the Init fragment
870 	 * represented by the 128 bytes of CSS header.
871 	 */
872 	err = btintel_secure_send(hdev, 0x00, 128, fw->data);
873 	if (err < 0) {
874 		bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
875 		goto done;
876 	}
877 
878 	/* Send the 256 bytes of public key information from the firmware
879 	 * as the PKey fragment.
880 	 */
881 	err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
882 	if (err < 0) {
883 		bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
884 		goto done;
885 	}
886 
887 	/* Send the 256 bytes of signature information from the firmware
888 	 * as the Sign fragment.
889 	 */
890 	err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
891 	if (err < 0) {
892 		bt_dev_err(hdev, "Failed to send firmware signature (%d)", err);
893 		goto done;
894 	}
895 
896 done:
897 	return err;
898 }
899 
900 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev,
901 						const struct firmware *fw)
902 {
903 	int err;
904 
905 	/* Start the firmware download transaction with the Init fragment
906 	 * represented by the 128 bytes of CSS header.
907 	 */
908 	err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644);
909 	if (err < 0) {
910 		bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
911 		return err;
912 	}
913 
914 	/* Send the 96 bytes of public key information from the firmware
915 	 * as the PKey fragment.
916 	 */
917 	err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128);
918 	if (err < 0) {
919 		bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
920 		return err;
921 	}
922 
923 	/* Send the 96 bytes of signature information from the firmware
924 	 * as the Sign fragment
925 	 */
926 	err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224);
927 	if (err < 0) {
928 		bt_dev_err(hdev, "Failed to send firmware signature (%d)",
929 			   err);
930 		return err;
931 	}
932 	return 0;
933 }
934 
935 static int btintel_download_firmware_payload(struct hci_dev *hdev,
936 					     const struct firmware *fw,
937 					     size_t offset)
938 {
939 	int err;
940 	const u8 *fw_ptr;
941 	u32 frag_len;
942 
943 	fw_ptr = fw->data + offset;
944 	frag_len = 0;
945 	err = -EINVAL;
946 
947 	while (fw_ptr - fw->data < fw->size) {
948 		struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
949 
950 		frag_len += sizeof(*cmd) + cmd->plen;
951 
952 		/* The parameter length of the secure send command requires
953 		 * a 4 byte alignment. It happens so that the firmware file
954 		 * contains proper Intel_NOP commands to align the fragments
955 		 * as needed.
956 		 *
957 		 * Send set of commands with 4 byte alignment from the
958 		 * firmware data buffer as a single Data fragement.
959 		 */
960 		if (!(frag_len % 4)) {
961 			err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
962 			if (err < 0) {
963 				bt_dev_err(hdev,
964 					   "Failed to send firmware data (%d)",
965 					   err);
966 				goto done;
967 			}
968 
969 			fw_ptr += frag_len;
970 			frag_len = 0;
971 		}
972 	}
973 
974 done:
975 	return err;
976 }
977 
978 static bool btintel_firmware_version(struct hci_dev *hdev,
979 				     u8 num, u8 ww, u8 yy,
980 				     const struct firmware *fw,
981 				     u32 *boot_addr)
982 {
983 	const u8 *fw_ptr;
984 
985 	fw_ptr = fw->data;
986 
987 	while (fw_ptr - fw->data < fw->size) {
988 		struct hci_command_hdr *cmd = (void *)(fw_ptr);
989 
990 		/* Each SKU has a different reset parameter to use in the
991 		 * HCI_Intel_Reset command and it is embedded in the firmware
992 		 * data. So, instead of using static value per SKU, check
993 		 * the firmware data and save it for later use.
994 		 */
995 		if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) {
996 			struct cmd_write_boot_params *params;
997 
998 			params = (void *)(fw_ptr + sizeof(*cmd));
999 
1000 			bt_dev_info(hdev, "Boot Address: 0x%x",
1001 				    le32_to_cpu(params->boot_addr));
1002 
1003 			bt_dev_info(hdev, "Firmware Version: %u-%u.%u",
1004 				    params->fw_build_num, params->fw_build_ww,
1005 				    params->fw_build_yy);
1006 
1007 			return (num == params->fw_build_num &&
1008 				ww == params->fw_build_ww &&
1009 				yy == params->fw_build_yy);
1010 		}
1011 
1012 		fw_ptr += sizeof(*cmd) + cmd->plen;
1013 	}
1014 
1015 	return false;
1016 }
1017 
1018 int btintel_download_firmware(struct hci_dev *hdev,
1019 			      struct intel_version *ver,
1020 			      const struct firmware *fw,
1021 			      u32 *boot_param)
1022 {
1023 	int err;
1024 
1025 	/* SfP and WsP don't seem to update the firmware version on file
1026 	 * so version checking is currently not possible.
1027 	 */
1028 	switch (ver->hw_variant) {
1029 	case 0x0b:	/* SfP */
1030 	case 0x0c:	/* WsP */
1031 		/* Skip version checking */
1032 		break;
1033 	default:
1034 		/* Skip reading firmware file version in bootloader mode */
1035 		if (ver->fw_variant == 0x06)
1036 			break;
1037 
1038 		/* Skip download if firmware has the same version */
1039 		if (btintel_firmware_version(hdev, ver->fw_build_num,
1040 					     ver->fw_build_ww, ver->fw_build_yy,
1041 					     fw, boot_param)) {
1042 			bt_dev_info(hdev, "Firmware already loaded");
1043 			/* Return -EALREADY to indicate that the firmware has
1044 			 * already been loaded.
1045 			 */
1046 			return -EALREADY;
1047 		}
1048 	}
1049 
1050 	/* The firmware variant determines if the device is in bootloader
1051 	 * mode or is running operational firmware. The value 0x06 identifies
1052 	 * the bootloader and the value 0x23 identifies the operational
1053 	 * firmware.
1054 	 *
1055 	 * If the firmware version has changed that means it needs to be reset
1056 	 * to bootloader when operational so the new firmware can be loaded.
1057 	 */
1058 	if (ver->fw_variant == 0x23)
1059 		return -EINVAL;
1060 
1061 	err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1062 	if (err)
1063 		return err;
1064 
1065 	return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1066 }
1067 EXPORT_SYMBOL_GPL(btintel_download_firmware);
1068 
1069 int btintel_download_firmware_newgen(struct hci_dev *hdev,
1070 				     struct intel_version_tlv *ver,
1071 				     const struct firmware *fw, u32 *boot_param,
1072 				     u8 hw_variant, u8 sbe_type)
1073 {
1074 	int err;
1075 	u32 css_header_ver;
1076 
1077 	/* Skip reading firmware file version in bootloader mode */
1078 	if (ver->img_type != 0x01) {
1079 		/* Skip download if firmware has the same version */
1080 		if (btintel_firmware_version(hdev, ver->min_fw_build_nn,
1081 					     ver->min_fw_build_cw,
1082 					     ver->min_fw_build_yy,
1083 					     fw, boot_param)) {
1084 			bt_dev_info(hdev, "Firmware already loaded");
1085 			/* Return -EALREADY to indicate that firmware has
1086 			 * already been loaded.
1087 			 */
1088 			return -EALREADY;
1089 		}
1090 	}
1091 
1092 	/* The firmware variant determines if the device is in bootloader
1093 	 * mode or is running operational firmware. The value 0x01 identifies
1094 	 * the bootloader and the value 0x03 identifies the operational
1095 	 * firmware.
1096 	 *
1097 	 * If the firmware version has changed that means it needs to be reset
1098 	 * to bootloader when operational so the new firmware can be loaded.
1099 	 */
1100 	if (ver->img_type == 0x03)
1101 		return -EINVAL;
1102 
1103 	/* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support
1104 	 * only RSA secure boot engine. Hence, the corresponding sfi file will
1105 	 * have RSA header of 644 bytes followed by Command Buffer.
1106 	 *
1107 	 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA
1108 	 * secure boot engine. As a result, the corresponding sfi file will
1109 	 * have RSA header of 644, ECDSA header of 320 bytes followed by
1110 	 * Command Buffer.
1111 	 *
1112 	 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header
1113 	 * version: RSA(0x00010000) , ECDSA (0x00020000)
1114 	 */
1115 	css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET);
1116 	if (css_header_ver != 0x00010000) {
1117 		bt_dev_err(hdev, "Invalid CSS Header version");
1118 		return -EINVAL;
1119 	}
1120 
1121 	if (hw_variant <= 0x14) {
1122 		if (sbe_type != 0x00) {
1123 			bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)",
1124 				   hw_variant);
1125 			return -EINVAL;
1126 		}
1127 
1128 		err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1129 		if (err)
1130 			return err;
1131 
1132 		err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1133 		if (err)
1134 			return err;
1135 	} else if (hw_variant >= 0x17) {
1136 		/* Check if CSS header for ECDSA follows the RSA header */
1137 		if (fw->data[ECDSA_OFFSET] != 0x06)
1138 			return -EINVAL;
1139 
1140 		/* Check if the CSS Header version is ECDSA(0x00020000) */
1141 		css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET);
1142 		if (css_header_ver != 0x00020000) {
1143 			bt_dev_err(hdev, "Invalid CSS Header version");
1144 			return -EINVAL;
1145 		}
1146 
1147 		if (sbe_type == 0x00) {
1148 			err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1149 			if (err)
1150 				return err;
1151 
1152 			err = btintel_download_firmware_payload(hdev, fw,
1153 								RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1154 			if (err)
1155 				return err;
1156 		} else if (sbe_type == 0x01) {
1157 			err = btintel_sfi_ecdsa_header_secure_send(hdev, fw);
1158 			if (err)
1159 				return err;
1160 
1161 			err = btintel_download_firmware_payload(hdev, fw,
1162 								RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1163 			if (err)
1164 				return err;
1165 		}
1166 	}
1167 	return 0;
1168 }
1169 EXPORT_SYMBOL_GPL(btintel_download_firmware_newgen);
1170 
1171 void btintel_reset_to_bootloader(struct hci_dev *hdev)
1172 {
1173 	struct intel_reset params;
1174 	struct sk_buff *skb;
1175 
1176 	/* Send Intel Reset command. This will result in
1177 	 * re-enumeration of BT controller.
1178 	 *
1179 	 * Intel Reset parameter description:
1180 	 * reset_type :   0x00 (Soft reset),
1181 	 *		  0x01 (Hard reset)
1182 	 * patch_enable : 0x00 (Do not enable),
1183 	 *		  0x01 (Enable)
1184 	 * ddc_reload :   0x00 (Do not reload),
1185 	 *		  0x01 (Reload)
1186 	 * boot_option:   0x00 (Current image),
1187 	 *                0x01 (Specified boot address)
1188 	 * boot_param:    Boot address
1189 	 *
1190 	 */
1191 	params.reset_type = 0x01;
1192 	params.patch_enable = 0x01;
1193 	params.ddc_reload = 0x01;
1194 	params.boot_option = 0x00;
1195 	params.boot_param = cpu_to_le32(0x00000000);
1196 
1197 	skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params),
1198 			     &params, HCI_INIT_TIMEOUT);
1199 	if (IS_ERR(skb)) {
1200 		bt_dev_err(hdev, "FW download error recovery failed (%ld)",
1201 			   PTR_ERR(skb));
1202 		return;
1203 	}
1204 	bt_dev_info(hdev, "Intel reset sent to retry FW download");
1205 	kfree_skb(skb);
1206 
1207 	/* Current Intel BT controllers(ThP/JfP) hold the USB reset
1208 	 * lines for 2ms when it receives Intel Reset in bootloader mode.
1209 	 * Whereas, the upcoming Intel BT controllers will hold USB reset
1210 	 * for 150ms. To keep the delay generic, 150ms is chosen here.
1211 	 */
1212 	msleep(150);
1213 }
1214 EXPORT_SYMBOL_GPL(btintel_reset_to_bootloader);
1215 
1216 int btintel_read_debug_features(struct hci_dev *hdev,
1217 				struct intel_debug_features *features)
1218 {
1219 	struct sk_buff *skb;
1220 	u8 page_no = 1;
1221 
1222 	/* Intel controller supports two pages, each page is of 128-bit
1223 	 * feature bit mask. And each bit defines specific feature support
1224 	 */
1225 	skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no,
1226 			     HCI_INIT_TIMEOUT);
1227 	if (IS_ERR(skb)) {
1228 		bt_dev_err(hdev, "Reading supported features failed (%ld)",
1229 			   PTR_ERR(skb));
1230 		return PTR_ERR(skb);
1231 	}
1232 
1233 	if (skb->len != (sizeof(features->page1) + 3)) {
1234 		bt_dev_err(hdev, "Supported features event size mismatch");
1235 		kfree_skb(skb);
1236 		return -EILSEQ;
1237 	}
1238 
1239 	memcpy(features->page1, skb->data + 3, sizeof(features->page1));
1240 
1241 	/* Read the supported features page2 if required in future.
1242 	 */
1243 	kfree_skb(skb);
1244 	return 0;
1245 }
1246 EXPORT_SYMBOL_GPL(btintel_read_debug_features);
1247 
1248 int btintel_set_debug_features(struct hci_dev *hdev,
1249 			       const struct intel_debug_features *features)
1250 {
1251 	u8 mask[11] = { 0x0a, 0x92, 0x02, 0x07, 0x00, 0x00, 0x00, 0x00,
1252 			0x00, 0x00, 0x00 };
1253 	struct sk_buff *skb;
1254 
1255 	if (!features)
1256 		return -EINVAL;
1257 
1258 	if (!(features->page1[0] & 0x3f)) {
1259 		bt_dev_info(hdev, "Telemetry exception format not supported");
1260 		return 0;
1261 	}
1262 
1263 	skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1264 	if (IS_ERR(skb)) {
1265 		bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1266 			   PTR_ERR(skb));
1267 		return PTR_ERR(skb);
1268 	}
1269 
1270 	kfree_skb(skb);
1271 	return 0;
1272 }
1273 EXPORT_SYMBOL_GPL(btintel_set_debug_features);
1274 
1275 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1276 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
1277 MODULE_VERSION(VERSION);
1278 MODULE_LICENSE("GPL");
1279 MODULE_FIRMWARE("intel/ibt-11-5.sfi");
1280 MODULE_FIRMWARE("intel/ibt-11-5.ddc");
1281 MODULE_FIRMWARE("intel/ibt-12-16.sfi");
1282 MODULE_FIRMWARE("intel/ibt-12-16.ddc");
1283