1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * Bluetooth support for Intel devices 5 * 6 * Copyright (C) 2015 Intel Corporation 7 */ 8 9 #include <linux/module.h> 10 #include <linux/firmware.h> 11 #include <linux/regmap.h> 12 #include <linux/acpi.h> 13 #include <acpi/acpi_bus.h> 14 #include <asm/unaligned.h> 15 16 #include <net/bluetooth/bluetooth.h> 17 #include <net/bluetooth/hci_core.h> 18 19 #include "btintel.h" 20 21 #define VERSION "0.1" 22 23 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 24 #define RSA_HEADER_LEN 644 25 #define CSS_HEADER_OFFSET 8 26 #define ECDSA_OFFSET 644 27 #define ECDSA_HEADER_LEN 320 28 29 #define BTINTEL_PPAG_NAME "PPAG" 30 31 enum { 32 DSM_SET_WDISABLE2_DELAY = 1, 33 DSM_SET_RESET_METHOD = 3, 34 }; 35 36 /* structure to store the PPAG data read from ACPI table */ 37 struct btintel_ppag { 38 u32 domain; 39 u32 mode; 40 acpi_status status; 41 struct hci_dev *hdev; 42 }; 43 44 #define CMD_WRITE_BOOT_PARAMS 0xfc0e 45 struct cmd_write_boot_params { 46 __le32 boot_addr; 47 u8 fw_build_num; 48 u8 fw_build_ww; 49 u8 fw_build_yy; 50 } __packed; 51 52 static struct { 53 const char *driver_name; 54 u8 hw_variant; 55 u32 fw_build_num; 56 } coredump_info; 57 58 static const guid_t btintel_guid_dsm = 59 GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233, 60 0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9); 61 62 int btintel_check_bdaddr(struct hci_dev *hdev) 63 { 64 struct hci_rp_read_bd_addr *bda; 65 struct sk_buff *skb; 66 67 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 68 HCI_INIT_TIMEOUT); 69 if (IS_ERR(skb)) { 70 int err = PTR_ERR(skb); 71 bt_dev_err(hdev, "Reading Intel device address failed (%d)", 72 err); 73 return err; 74 } 75 76 if (skb->len != sizeof(*bda)) { 77 bt_dev_err(hdev, "Intel device address length mismatch"); 78 kfree_skb(skb); 79 return -EIO; 80 } 81 82 bda = (struct hci_rp_read_bd_addr *)skb->data; 83 84 /* For some Intel based controllers, the default Bluetooth device 85 * address 00:03:19:9E:8B:00 can be found. These controllers are 86 * fully operational, but have the danger of duplicate addresses 87 * and that in turn can cause problems with Bluetooth operation. 88 */ 89 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) { 90 bt_dev_err(hdev, "Found Intel default device address (%pMR)", 91 &bda->bdaddr); 92 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 93 } 94 95 kfree_skb(skb); 96 97 return 0; 98 } 99 EXPORT_SYMBOL_GPL(btintel_check_bdaddr); 100 101 int btintel_enter_mfg(struct hci_dev *hdev) 102 { 103 static const u8 param[] = { 0x01, 0x00 }; 104 struct sk_buff *skb; 105 106 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 107 if (IS_ERR(skb)) { 108 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)", 109 PTR_ERR(skb)); 110 return PTR_ERR(skb); 111 } 112 kfree_skb(skb); 113 114 return 0; 115 } 116 EXPORT_SYMBOL_GPL(btintel_enter_mfg); 117 118 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched) 119 { 120 u8 param[] = { 0x00, 0x00 }; 121 struct sk_buff *skb; 122 123 /* The 2nd command parameter specifies the manufacturing exit method: 124 * 0x00: Just disable the manufacturing mode (0x00). 125 * 0x01: Disable manufacturing mode and reset with patches deactivated. 126 * 0x02: Disable manufacturing mode and reset with patches activated. 127 */ 128 if (reset) 129 param[1] |= patched ? 0x02 : 0x01; 130 131 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 132 if (IS_ERR(skb)) { 133 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)", 134 PTR_ERR(skb)); 135 return PTR_ERR(skb); 136 } 137 kfree_skb(skb); 138 139 return 0; 140 } 141 EXPORT_SYMBOL_GPL(btintel_exit_mfg); 142 143 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 144 { 145 struct sk_buff *skb; 146 int err; 147 148 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 149 if (IS_ERR(skb)) { 150 err = PTR_ERR(skb); 151 bt_dev_err(hdev, "Changing Intel device address failed (%d)", 152 err); 153 return err; 154 } 155 kfree_skb(skb); 156 157 return 0; 158 } 159 EXPORT_SYMBOL_GPL(btintel_set_bdaddr); 160 161 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug) 162 { 163 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 164 struct sk_buff *skb; 165 int err; 166 167 if (debug) 168 mask[1] |= 0x62; 169 170 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT); 171 if (IS_ERR(skb)) { 172 err = PTR_ERR(skb); 173 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err); 174 return err; 175 } 176 kfree_skb(skb); 177 178 return 0; 179 } 180 181 int btintel_set_diag(struct hci_dev *hdev, bool enable) 182 { 183 struct sk_buff *skb; 184 u8 param[3]; 185 int err; 186 187 if (enable) { 188 param[0] = 0x03; 189 param[1] = 0x03; 190 param[2] = 0x03; 191 } else { 192 param[0] = 0x00; 193 param[1] = 0x00; 194 param[2] = 0x00; 195 } 196 197 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT); 198 if (IS_ERR(skb)) { 199 err = PTR_ERR(skb); 200 if (err == -ENODATA) 201 goto done; 202 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)", 203 err); 204 return err; 205 } 206 kfree_skb(skb); 207 208 done: 209 btintel_set_event_mask(hdev, enable); 210 return 0; 211 } 212 EXPORT_SYMBOL_GPL(btintel_set_diag); 213 214 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable) 215 { 216 int err, ret; 217 218 err = btintel_enter_mfg(hdev); 219 if (err) 220 return err; 221 222 ret = btintel_set_diag(hdev, enable); 223 224 err = btintel_exit_mfg(hdev, false, false); 225 if (err) 226 return err; 227 228 return ret; 229 } 230 231 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable) 232 { 233 int ret; 234 235 /* Legacy ROM device needs to be in the manufacturer mode to apply 236 * diagnostic setting 237 * 238 * This flag is set after reading the Intel version. 239 */ 240 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY)) 241 ret = btintel_set_diag_mfg(hdev, enable); 242 else 243 ret = btintel_set_diag(hdev, enable); 244 245 return ret; 246 } 247 248 static void btintel_hw_error(struct hci_dev *hdev, u8 code) 249 { 250 struct sk_buff *skb; 251 u8 type = 0x00; 252 253 bt_dev_err(hdev, "Hardware error 0x%2.2x", code); 254 255 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 256 if (IS_ERR(skb)) { 257 bt_dev_err(hdev, "Reset after hardware error failed (%ld)", 258 PTR_ERR(skb)); 259 return; 260 } 261 kfree_skb(skb); 262 263 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 264 if (IS_ERR(skb)) { 265 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)", 266 PTR_ERR(skb)); 267 return; 268 } 269 270 if (skb->len != 13) { 271 bt_dev_err(hdev, "Exception info size mismatch"); 272 kfree_skb(skb); 273 return; 274 } 275 276 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1)); 277 278 kfree_skb(skb); 279 } 280 281 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver) 282 { 283 const char *variant; 284 285 /* The hardware platform number has a fixed value of 0x37 and 286 * for now only accept this single value. 287 */ 288 if (ver->hw_platform != 0x37) { 289 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)", 290 ver->hw_platform); 291 return -EINVAL; 292 } 293 294 /* Check for supported iBT hardware variants of this firmware 295 * loading method. 296 * 297 * This check has been put in place to ensure correct forward 298 * compatibility options when newer hardware variants come along. 299 */ 300 switch (ver->hw_variant) { 301 case 0x07: /* WP - Legacy ROM */ 302 case 0x08: /* StP - Legacy ROM */ 303 case 0x0b: /* SfP */ 304 case 0x0c: /* WsP */ 305 case 0x11: /* JfP */ 306 case 0x12: /* ThP */ 307 case 0x13: /* HrP */ 308 case 0x14: /* CcP */ 309 break; 310 default: 311 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)", 312 ver->hw_variant); 313 return -EINVAL; 314 } 315 316 switch (ver->fw_variant) { 317 case 0x01: 318 variant = "Legacy ROM 2.5"; 319 break; 320 case 0x06: 321 variant = "Bootloader"; 322 break; 323 case 0x22: 324 variant = "Legacy ROM 2.x"; 325 break; 326 case 0x23: 327 variant = "Firmware"; 328 break; 329 default: 330 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant); 331 return -EINVAL; 332 } 333 334 coredump_info.hw_variant = ver->hw_variant; 335 coredump_info.fw_build_num = ver->fw_build_num; 336 337 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u", 338 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 339 ver->fw_build_num, ver->fw_build_ww, 340 2000 + ver->fw_build_yy); 341 342 return 0; 343 } 344 EXPORT_SYMBOL_GPL(btintel_version_info); 345 346 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen, 347 const void *param) 348 { 349 while (plen > 0) { 350 struct sk_buff *skb; 351 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 352 353 cmd_param[0] = fragment_type; 354 memcpy(cmd_param + 1, param, fragment_len); 355 356 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 357 cmd_param, HCI_INIT_TIMEOUT); 358 if (IS_ERR(skb)) 359 return PTR_ERR(skb); 360 361 kfree_skb(skb); 362 363 plen -= fragment_len; 364 param += fragment_len; 365 } 366 367 return 0; 368 } 369 370 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name) 371 { 372 const struct firmware *fw; 373 struct sk_buff *skb; 374 const u8 *fw_ptr; 375 int err; 376 377 err = request_firmware_direct(&fw, ddc_name, &hdev->dev); 378 if (err < 0) { 379 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)", 380 ddc_name, err); 381 return err; 382 } 383 384 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name); 385 386 fw_ptr = fw->data; 387 388 /* DDC file contains one or more DDC structure which has 389 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 390 */ 391 while (fw->size > fw_ptr - fw->data) { 392 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 393 394 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 395 HCI_INIT_TIMEOUT); 396 if (IS_ERR(skb)) { 397 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)", 398 PTR_ERR(skb)); 399 release_firmware(fw); 400 return PTR_ERR(skb); 401 } 402 403 fw_ptr += cmd_plen; 404 kfree_skb(skb); 405 } 406 407 release_firmware(fw); 408 409 bt_dev_info(hdev, "Applying Intel DDC parameters completed"); 410 411 return 0; 412 } 413 EXPORT_SYMBOL_GPL(btintel_load_ddc_config); 414 415 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug) 416 { 417 int err, ret; 418 419 err = btintel_enter_mfg(hdev); 420 if (err) 421 return err; 422 423 ret = btintel_set_event_mask(hdev, debug); 424 425 err = btintel_exit_mfg(hdev, false, false); 426 if (err) 427 return err; 428 429 return ret; 430 } 431 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg); 432 433 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) 434 { 435 struct sk_buff *skb; 436 437 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); 438 if (IS_ERR(skb)) { 439 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 440 PTR_ERR(skb)); 441 return PTR_ERR(skb); 442 } 443 444 if (!skb || skb->len != sizeof(*ver)) { 445 bt_dev_err(hdev, "Intel version event size mismatch"); 446 kfree_skb(skb); 447 return -EILSEQ; 448 } 449 450 memcpy(ver, skb->data, sizeof(*ver)); 451 452 kfree_skb(skb); 453 454 return 0; 455 } 456 EXPORT_SYMBOL_GPL(btintel_read_version); 457 458 static int btintel_version_info_tlv(struct hci_dev *hdev, 459 struct intel_version_tlv *version) 460 { 461 const char *variant; 462 463 /* The hardware platform number has a fixed value of 0x37 and 464 * for now only accept this single value. 465 */ 466 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) { 467 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 468 INTEL_HW_PLATFORM(version->cnvi_bt)); 469 return -EINVAL; 470 } 471 472 /* Check for supported iBT hardware variants of this firmware 473 * loading method. 474 * 475 * This check has been put in place to ensure correct forward 476 * compatibility options when newer hardware variants come along. 477 */ 478 switch (INTEL_HW_VARIANT(version->cnvi_bt)) { 479 case 0x17: /* TyP */ 480 case 0x18: /* Slr */ 481 case 0x19: /* Slr-F */ 482 case 0x1b: /* Mgr */ 483 case 0x1c: /* Gale Peak (GaP) */ 484 break; 485 default: 486 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)", 487 INTEL_HW_VARIANT(version->cnvi_bt)); 488 return -EINVAL; 489 } 490 491 switch (version->img_type) { 492 case 0x01: 493 variant = "Bootloader"; 494 /* It is required that every single firmware fragment is acknowledged 495 * with a command complete event. If the boot parameters indicate 496 * that this bootloader does not send them, then abort the setup. 497 */ 498 if (version->limited_cce != 0x00) { 499 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)", 500 version->limited_cce); 501 return -EINVAL; 502 } 503 504 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */ 505 if (version->sbe_type > 0x01) { 506 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)", 507 version->sbe_type); 508 return -EINVAL; 509 } 510 511 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id); 512 bt_dev_info(hdev, "Secure boot is %s", 513 version->secure_boot ? "enabled" : "disabled"); 514 bt_dev_info(hdev, "OTP lock is %s", 515 version->otp_lock ? "enabled" : "disabled"); 516 bt_dev_info(hdev, "API lock is %s", 517 version->api_lock ? "enabled" : "disabled"); 518 bt_dev_info(hdev, "Debug lock is %s", 519 version->debug_lock ? "enabled" : "disabled"); 520 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 521 version->min_fw_build_nn, version->min_fw_build_cw, 522 2000 + version->min_fw_build_yy); 523 break; 524 case 0x03: 525 variant = "Firmware"; 526 break; 527 default: 528 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type); 529 return -EINVAL; 530 } 531 532 coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt); 533 coredump_info.fw_build_num = version->build_num; 534 535 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant, 536 2000 + (version->timestamp >> 8), version->timestamp & 0xff, 537 version->build_type, version->build_num); 538 if (version->img_type == 0x03) 539 bt_dev_info(hdev, "Firmware SHA1: 0x%8.8x", version->git_sha1); 540 541 return 0; 542 } 543 544 static int btintel_parse_version_tlv(struct hci_dev *hdev, 545 struct intel_version_tlv *version, 546 struct sk_buff *skb) 547 { 548 /* Consume Command Complete Status field */ 549 skb_pull(skb, 1); 550 551 /* Event parameters contatin multiple TLVs. Read each of them 552 * and only keep the required data. Also, it use existing legacy 553 * version field like hw_platform, hw_variant, and fw_variant 554 * to keep the existing setup flow 555 */ 556 while (skb->len) { 557 struct intel_tlv *tlv; 558 559 /* Make sure skb has a minimum length of the header */ 560 if (skb->len < sizeof(*tlv)) 561 return -EINVAL; 562 563 tlv = (struct intel_tlv *)skb->data; 564 565 /* Make sure skb has a enough data */ 566 if (skb->len < tlv->len + sizeof(*tlv)) 567 return -EINVAL; 568 569 switch (tlv->type) { 570 case INTEL_TLV_CNVI_TOP: 571 version->cnvi_top = get_unaligned_le32(tlv->val); 572 break; 573 case INTEL_TLV_CNVR_TOP: 574 version->cnvr_top = get_unaligned_le32(tlv->val); 575 break; 576 case INTEL_TLV_CNVI_BT: 577 version->cnvi_bt = get_unaligned_le32(tlv->val); 578 break; 579 case INTEL_TLV_CNVR_BT: 580 version->cnvr_bt = get_unaligned_le32(tlv->val); 581 break; 582 case INTEL_TLV_DEV_REV_ID: 583 version->dev_rev_id = get_unaligned_le16(tlv->val); 584 break; 585 case INTEL_TLV_IMAGE_TYPE: 586 version->img_type = tlv->val[0]; 587 break; 588 case INTEL_TLV_TIME_STAMP: 589 /* If image type is Operational firmware (0x03), then 590 * running FW Calendar Week and Year information can 591 * be extracted from Timestamp information 592 */ 593 version->min_fw_build_cw = tlv->val[0]; 594 version->min_fw_build_yy = tlv->val[1]; 595 version->timestamp = get_unaligned_le16(tlv->val); 596 break; 597 case INTEL_TLV_BUILD_TYPE: 598 version->build_type = tlv->val[0]; 599 break; 600 case INTEL_TLV_BUILD_NUM: 601 /* If image type is Operational firmware (0x03), then 602 * running FW build number can be extracted from the 603 * Build information 604 */ 605 version->min_fw_build_nn = tlv->val[0]; 606 version->build_num = get_unaligned_le32(tlv->val); 607 break; 608 case INTEL_TLV_SECURE_BOOT: 609 version->secure_boot = tlv->val[0]; 610 break; 611 case INTEL_TLV_OTP_LOCK: 612 version->otp_lock = tlv->val[0]; 613 break; 614 case INTEL_TLV_API_LOCK: 615 version->api_lock = tlv->val[0]; 616 break; 617 case INTEL_TLV_DEBUG_LOCK: 618 version->debug_lock = tlv->val[0]; 619 break; 620 case INTEL_TLV_MIN_FW: 621 version->min_fw_build_nn = tlv->val[0]; 622 version->min_fw_build_cw = tlv->val[1]; 623 version->min_fw_build_yy = tlv->val[2]; 624 break; 625 case INTEL_TLV_LIMITED_CCE: 626 version->limited_cce = tlv->val[0]; 627 break; 628 case INTEL_TLV_SBE_TYPE: 629 version->sbe_type = tlv->val[0]; 630 break; 631 case INTEL_TLV_OTP_BDADDR: 632 memcpy(&version->otp_bd_addr, tlv->val, 633 sizeof(bdaddr_t)); 634 break; 635 case INTEL_TLV_GIT_SHA1: 636 version->git_sha1 = get_unaligned_le32(tlv->val); 637 break; 638 default: 639 /* Ignore rest of information */ 640 break; 641 } 642 /* consume the current tlv and move to next*/ 643 skb_pull(skb, tlv->len + sizeof(*tlv)); 644 } 645 646 return 0; 647 } 648 649 static int btintel_read_version_tlv(struct hci_dev *hdev, 650 struct intel_version_tlv *version) 651 { 652 struct sk_buff *skb; 653 const u8 param[1] = { 0xFF }; 654 655 if (!version) 656 return -EINVAL; 657 658 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 659 if (IS_ERR(skb)) { 660 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 661 PTR_ERR(skb)); 662 return PTR_ERR(skb); 663 } 664 665 if (skb->data[0]) { 666 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 667 skb->data[0]); 668 kfree_skb(skb); 669 return -EIO; 670 } 671 672 btintel_parse_version_tlv(hdev, version, skb); 673 674 kfree_skb(skb); 675 return 0; 676 } 677 678 /* ------- REGMAP IBT SUPPORT ------- */ 679 680 #define IBT_REG_MODE_8BIT 0x00 681 #define IBT_REG_MODE_16BIT 0x01 682 #define IBT_REG_MODE_32BIT 0x02 683 684 struct regmap_ibt_context { 685 struct hci_dev *hdev; 686 __u16 op_write; 687 __u16 op_read; 688 }; 689 690 struct ibt_cp_reg_access { 691 __le32 addr; 692 __u8 mode; 693 __u8 len; 694 __u8 data[]; 695 } __packed; 696 697 struct ibt_rp_reg_access { 698 __u8 status; 699 __le32 addr; 700 __u8 data[]; 701 } __packed; 702 703 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size, 704 void *val, size_t val_size) 705 { 706 struct regmap_ibt_context *ctx = context; 707 struct ibt_cp_reg_access cp; 708 struct ibt_rp_reg_access *rp; 709 struct sk_buff *skb; 710 int err = 0; 711 712 if (reg_size != sizeof(__le32)) 713 return -EINVAL; 714 715 switch (val_size) { 716 case 1: 717 cp.mode = IBT_REG_MODE_8BIT; 718 break; 719 case 2: 720 cp.mode = IBT_REG_MODE_16BIT; 721 break; 722 case 4: 723 cp.mode = IBT_REG_MODE_32BIT; 724 break; 725 default: 726 return -EINVAL; 727 } 728 729 /* regmap provides a little-endian formatted addr */ 730 cp.addr = *(__le32 *)addr; 731 cp.len = val_size; 732 733 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr)); 734 735 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp, 736 HCI_CMD_TIMEOUT); 737 if (IS_ERR(skb)) { 738 err = PTR_ERR(skb); 739 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)", 740 le32_to_cpu(cp.addr), err); 741 return err; 742 } 743 744 if (skb->len != sizeof(*rp) + val_size) { 745 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len", 746 le32_to_cpu(cp.addr)); 747 err = -EINVAL; 748 goto done; 749 } 750 751 rp = (struct ibt_rp_reg_access *)skb->data; 752 753 if (rp->addr != cp.addr) { 754 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr", 755 le32_to_cpu(rp->addr)); 756 err = -EINVAL; 757 goto done; 758 } 759 760 memcpy(val, rp->data, val_size); 761 762 done: 763 kfree_skb(skb); 764 return err; 765 } 766 767 static int regmap_ibt_gather_write(void *context, 768 const void *addr, size_t reg_size, 769 const void *val, size_t val_size) 770 { 771 struct regmap_ibt_context *ctx = context; 772 struct ibt_cp_reg_access *cp; 773 struct sk_buff *skb; 774 int plen = sizeof(*cp) + val_size; 775 u8 mode; 776 int err = 0; 777 778 if (reg_size != sizeof(__le32)) 779 return -EINVAL; 780 781 switch (val_size) { 782 case 1: 783 mode = IBT_REG_MODE_8BIT; 784 break; 785 case 2: 786 mode = IBT_REG_MODE_16BIT; 787 break; 788 case 4: 789 mode = IBT_REG_MODE_32BIT; 790 break; 791 default: 792 return -EINVAL; 793 } 794 795 cp = kmalloc(plen, GFP_KERNEL); 796 if (!cp) 797 return -ENOMEM; 798 799 /* regmap provides a little-endian formatted addr/value */ 800 cp->addr = *(__le32 *)addr; 801 cp->mode = mode; 802 cp->len = val_size; 803 memcpy(&cp->data, val, val_size); 804 805 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr)); 806 807 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT); 808 if (IS_ERR(skb)) { 809 err = PTR_ERR(skb); 810 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)", 811 le32_to_cpu(cp->addr), err); 812 goto done; 813 } 814 kfree_skb(skb); 815 816 done: 817 kfree(cp); 818 return err; 819 } 820 821 static int regmap_ibt_write(void *context, const void *data, size_t count) 822 { 823 /* data contains register+value, since we only support 32bit addr, 824 * minimum data size is 4 bytes. 825 */ 826 if (WARN_ONCE(count < 4, "Invalid register access")) 827 return -EINVAL; 828 829 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4); 830 } 831 832 static void regmap_ibt_free_context(void *context) 833 { 834 kfree(context); 835 } 836 837 static const struct regmap_bus regmap_ibt = { 838 .read = regmap_ibt_read, 839 .write = regmap_ibt_write, 840 .gather_write = regmap_ibt_gather_write, 841 .free_context = regmap_ibt_free_context, 842 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE, 843 .val_format_endian_default = REGMAP_ENDIAN_LITTLE, 844 }; 845 846 /* Config is the same for all register regions */ 847 static const struct regmap_config regmap_ibt_cfg = { 848 .name = "btintel_regmap", 849 .reg_bits = 32, 850 .val_bits = 32, 851 }; 852 853 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read, 854 u16 opcode_write) 855 { 856 struct regmap_ibt_context *ctx; 857 858 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read, 859 opcode_write); 860 861 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 862 if (!ctx) 863 return ERR_PTR(-ENOMEM); 864 865 ctx->op_read = opcode_read; 866 ctx->op_write = opcode_write; 867 ctx->hdev = hdev; 868 869 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg); 870 } 871 EXPORT_SYMBOL_GPL(btintel_regmap_init); 872 873 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param) 874 { 875 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 }; 876 struct sk_buff *skb; 877 878 params.boot_param = cpu_to_le32(boot_param); 879 880 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms, 881 HCI_INIT_TIMEOUT); 882 if (IS_ERR(skb)) { 883 bt_dev_err(hdev, "Failed to send Intel Reset command"); 884 return PTR_ERR(skb); 885 } 886 887 kfree_skb(skb); 888 889 return 0; 890 } 891 EXPORT_SYMBOL_GPL(btintel_send_intel_reset); 892 893 int btintel_read_boot_params(struct hci_dev *hdev, 894 struct intel_boot_params *params) 895 { 896 struct sk_buff *skb; 897 898 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 899 if (IS_ERR(skb)) { 900 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)", 901 PTR_ERR(skb)); 902 return PTR_ERR(skb); 903 } 904 905 if (skb->len != sizeof(*params)) { 906 bt_dev_err(hdev, "Intel boot parameters size mismatch"); 907 kfree_skb(skb); 908 return -EILSEQ; 909 } 910 911 memcpy(params, skb->data, sizeof(*params)); 912 913 kfree_skb(skb); 914 915 if (params->status) { 916 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)", 917 params->status); 918 return -bt_to_errno(params->status); 919 } 920 921 bt_dev_info(hdev, "Device revision is %u", 922 le16_to_cpu(params->dev_revid)); 923 924 bt_dev_info(hdev, "Secure boot is %s", 925 params->secure_boot ? "enabled" : "disabled"); 926 927 bt_dev_info(hdev, "OTP lock is %s", 928 params->otp_lock ? "enabled" : "disabled"); 929 930 bt_dev_info(hdev, "API lock is %s", 931 params->api_lock ? "enabled" : "disabled"); 932 933 bt_dev_info(hdev, "Debug lock is %s", 934 params->debug_lock ? "enabled" : "disabled"); 935 936 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 937 params->min_fw_build_nn, params->min_fw_build_cw, 938 2000 + params->min_fw_build_yy); 939 940 return 0; 941 } 942 EXPORT_SYMBOL_GPL(btintel_read_boot_params); 943 944 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev, 945 const struct firmware *fw) 946 { 947 int err; 948 949 /* Start the firmware download transaction with the Init fragment 950 * represented by the 128 bytes of CSS header. 951 */ 952 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 953 if (err < 0) { 954 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 955 goto done; 956 } 957 958 /* Send the 256 bytes of public key information from the firmware 959 * as the PKey fragment. 960 */ 961 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 962 if (err < 0) { 963 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 964 goto done; 965 } 966 967 /* Send the 256 bytes of signature information from the firmware 968 * as the Sign fragment. 969 */ 970 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 971 if (err < 0) { 972 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err); 973 goto done; 974 } 975 976 done: 977 return err; 978 } 979 980 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev, 981 const struct firmware *fw) 982 { 983 int err; 984 985 /* Start the firmware download transaction with the Init fragment 986 * represented by the 128 bytes of CSS header. 987 */ 988 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644); 989 if (err < 0) { 990 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 991 return err; 992 } 993 994 /* Send the 96 bytes of public key information from the firmware 995 * as the PKey fragment. 996 */ 997 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128); 998 if (err < 0) { 999 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 1000 return err; 1001 } 1002 1003 /* Send the 96 bytes of signature information from the firmware 1004 * as the Sign fragment 1005 */ 1006 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224); 1007 if (err < 0) { 1008 bt_dev_err(hdev, "Failed to send firmware signature (%d)", 1009 err); 1010 return err; 1011 } 1012 return 0; 1013 } 1014 1015 static int btintel_download_firmware_payload(struct hci_dev *hdev, 1016 const struct firmware *fw, 1017 size_t offset) 1018 { 1019 int err; 1020 const u8 *fw_ptr; 1021 u32 frag_len; 1022 1023 fw_ptr = fw->data + offset; 1024 frag_len = 0; 1025 err = -EINVAL; 1026 1027 while (fw_ptr - fw->data < fw->size) { 1028 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 1029 1030 frag_len += sizeof(*cmd) + cmd->plen; 1031 1032 /* The parameter length of the secure send command requires 1033 * a 4 byte alignment. It happens so that the firmware file 1034 * contains proper Intel_NOP commands to align the fragments 1035 * as needed. 1036 * 1037 * Send set of commands with 4 byte alignment from the 1038 * firmware data buffer as a single Data fragement. 1039 */ 1040 if (!(frag_len % 4)) { 1041 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 1042 if (err < 0) { 1043 bt_dev_err(hdev, 1044 "Failed to send firmware data (%d)", 1045 err); 1046 goto done; 1047 } 1048 1049 fw_ptr += frag_len; 1050 frag_len = 0; 1051 } 1052 } 1053 1054 done: 1055 return err; 1056 } 1057 1058 static bool btintel_firmware_version(struct hci_dev *hdev, 1059 u8 num, u8 ww, u8 yy, 1060 const struct firmware *fw, 1061 u32 *boot_addr) 1062 { 1063 const u8 *fw_ptr; 1064 1065 fw_ptr = fw->data; 1066 1067 while (fw_ptr - fw->data < fw->size) { 1068 struct hci_command_hdr *cmd = (void *)(fw_ptr); 1069 1070 /* Each SKU has a different reset parameter to use in the 1071 * HCI_Intel_Reset command and it is embedded in the firmware 1072 * data. So, instead of using static value per SKU, check 1073 * the firmware data and save it for later use. 1074 */ 1075 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) { 1076 struct cmd_write_boot_params *params; 1077 1078 params = (void *)(fw_ptr + sizeof(*cmd)); 1079 1080 *boot_addr = le32_to_cpu(params->boot_addr); 1081 1082 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr); 1083 1084 bt_dev_info(hdev, "Firmware Version: %u-%u.%u", 1085 params->fw_build_num, params->fw_build_ww, 1086 params->fw_build_yy); 1087 1088 return (num == params->fw_build_num && 1089 ww == params->fw_build_ww && 1090 yy == params->fw_build_yy); 1091 } 1092 1093 fw_ptr += sizeof(*cmd) + cmd->plen; 1094 } 1095 1096 return false; 1097 } 1098 1099 int btintel_download_firmware(struct hci_dev *hdev, 1100 struct intel_version *ver, 1101 const struct firmware *fw, 1102 u32 *boot_param) 1103 { 1104 int err; 1105 1106 /* SfP and WsP don't seem to update the firmware version on file 1107 * so version checking is currently not possible. 1108 */ 1109 switch (ver->hw_variant) { 1110 case 0x0b: /* SfP */ 1111 case 0x0c: /* WsP */ 1112 /* Skip version checking */ 1113 break; 1114 default: 1115 1116 /* Skip download if firmware has the same version */ 1117 if (btintel_firmware_version(hdev, ver->fw_build_num, 1118 ver->fw_build_ww, ver->fw_build_yy, 1119 fw, boot_param)) { 1120 bt_dev_info(hdev, "Firmware already loaded"); 1121 /* Return -EALREADY to indicate that the firmware has 1122 * already been loaded. 1123 */ 1124 return -EALREADY; 1125 } 1126 } 1127 1128 /* The firmware variant determines if the device is in bootloader 1129 * mode or is running operational firmware. The value 0x06 identifies 1130 * the bootloader and the value 0x23 identifies the operational 1131 * firmware. 1132 * 1133 * If the firmware version has changed that means it needs to be reset 1134 * to bootloader when operational so the new firmware can be loaded. 1135 */ 1136 if (ver->fw_variant == 0x23) 1137 return -EINVAL; 1138 1139 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1140 if (err) 1141 return err; 1142 1143 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1144 } 1145 EXPORT_SYMBOL_GPL(btintel_download_firmware); 1146 1147 static int btintel_download_fw_tlv(struct hci_dev *hdev, 1148 struct intel_version_tlv *ver, 1149 const struct firmware *fw, u32 *boot_param, 1150 u8 hw_variant, u8 sbe_type) 1151 { 1152 int err; 1153 u32 css_header_ver; 1154 1155 /* Skip download if firmware has the same version */ 1156 if (btintel_firmware_version(hdev, ver->min_fw_build_nn, 1157 ver->min_fw_build_cw, 1158 ver->min_fw_build_yy, 1159 fw, boot_param)) { 1160 bt_dev_info(hdev, "Firmware already loaded"); 1161 /* Return -EALREADY to indicate that firmware has 1162 * already been loaded. 1163 */ 1164 return -EALREADY; 1165 } 1166 1167 /* The firmware variant determines if the device is in bootloader 1168 * mode or is running operational firmware. The value 0x01 identifies 1169 * the bootloader and the value 0x03 identifies the operational 1170 * firmware. 1171 * 1172 * If the firmware version has changed that means it needs to be reset 1173 * to bootloader when operational so the new firmware can be loaded. 1174 */ 1175 if (ver->img_type == 0x03) 1176 return -EINVAL; 1177 1178 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support 1179 * only RSA secure boot engine. Hence, the corresponding sfi file will 1180 * have RSA header of 644 bytes followed by Command Buffer. 1181 * 1182 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA 1183 * secure boot engine. As a result, the corresponding sfi file will 1184 * have RSA header of 644, ECDSA header of 320 bytes followed by 1185 * Command Buffer. 1186 * 1187 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header 1188 * version: RSA(0x00010000) , ECDSA (0x00020000) 1189 */ 1190 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET); 1191 if (css_header_ver != 0x00010000) { 1192 bt_dev_err(hdev, "Invalid CSS Header version"); 1193 return -EINVAL; 1194 } 1195 1196 if (hw_variant <= 0x14) { 1197 if (sbe_type != 0x00) { 1198 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)", 1199 hw_variant); 1200 return -EINVAL; 1201 } 1202 1203 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1204 if (err) 1205 return err; 1206 1207 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1208 if (err) 1209 return err; 1210 } else if (hw_variant >= 0x17) { 1211 /* Check if CSS header for ECDSA follows the RSA header */ 1212 if (fw->data[ECDSA_OFFSET] != 0x06) 1213 return -EINVAL; 1214 1215 /* Check if the CSS Header version is ECDSA(0x00020000) */ 1216 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET); 1217 if (css_header_ver != 0x00020000) { 1218 bt_dev_err(hdev, "Invalid CSS Header version"); 1219 return -EINVAL; 1220 } 1221 1222 if (sbe_type == 0x00) { 1223 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1224 if (err) 1225 return err; 1226 1227 err = btintel_download_firmware_payload(hdev, fw, 1228 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1229 if (err) 1230 return err; 1231 } else if (sbe_type == 0x01) { 1232 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw); 1233 if (err) 1234 return err; 1235 1236 err = btintel_download_firmware_payload(hdev, fw, 1237 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1238 if (err) 1239 return err; 1240 } 1241 } 1242 return 0; 1243 } 1244 1245 static void btintel_reset_to_bootloader(struct hci_dev *hdev) 1246 { 1247 struct intel_reset params; 1248 struct sk_buff *skb; 1249 1250 /* Send Intel Reset command. This will result in 1251 * re-enumeration of BT controller. 1252 * 1253 * Intel Reset parameter description: 1254 * reset_type : 0x00 (Soft reset), 1255 * 0x01 (Hard reset) 1256 * patch_enable : 0x00 (Do not enable), 1257 * 0x01 (Enable) 1258 * ddc_reload : 0x00 (Do not reload), 1259 * 0x01 (Reload) 1260 * boot_option: 0x00 (Current image), 1261 * 0x01 (Specified boot address) 1262 * boot_param: Boot address 1263 * 1264 */ 1265 params.reset_type = 0x01; 1266 params.patch_enable = 0x01; 1267 params.ddc_reload = 0x01; 1268 params.boot_option = 0x00; 1269 params.boot_param = cpu_to_le32(0x00000000); 1270 1271 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), 1272 ¶ms, HCI_INIT_TIMEOUT); 1273 if (IS_ERR(skb)) { 1274 bt_dev_err(hdev, "FW download error recovery failed (%ld)", 1275 PTR_ERR(skb)); 1276 return; 1277 } 1278 bt_dev_info(hdev, "Intel reset sent to retry FW download"); 1279 kfree_skb(skb); 1280 1281 /* Current Intel BT controllers(ThP/JfP) hold the USB reset 1282 * lines for 2ms when it receives Intel Reset in bootloader mode. 1283 * Whereas, the upcoming Intel BT controllers will hold USB reset 1284 * for 150ms. To keep the delay generic, 150ms is chosen here. 1285 */ 1286 msleep(150); 1287 } 1288 1289 static int btintel_read_debug_features(struct hci_dev *hdev, 1290 struct intel_debug_features *features) 1291 { 1292 struct sk_buff *skb; 1293 u8 page_no = 1; 1294 1295 /* Intel controller supports two pages, each page is of 128-bit 1296 * feature bit mask. And each bit defines specific feature support 1297 */ 1298 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no, 1299 HCI_INIT_TIMEOUT); 1300 if (IS_ERR(skb)) { 1301 bt_dev_err(hdev, "Reading supported features failed (%ld)", 1302 PTR_ERR(skb)); 1303 return PTR_ERR(skb); 1304 } 1305 1306 if (skb->len != (sizeof(features->page1) + 3)) { 1307 bt_dev_err(hdev, "Supported features event size mismatch"); 1308 kfree_skb(skb); 1309 return -EILSEQ; 1310 } 1311 1312 memcpy(features->page1, skb->data + 3, sizeof(features->page1)); 1313 1314 /* Read the supported features page2 if required in future. 1315 */ 1316 kfree_skb(skb); 1317 return 0; 1318 } 1319 1320 static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data, 1321 void **ret) 1322 { 1323 acpi_status status; 1324 size_t len; 1325 struct btintel_ppag *ppag = data; 1326 union acpi_object *p, *elements; 1327 struct acpi_buffer string = {ACPI_ALLOCATE_BUFFER, NULL}; 1328 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; 1329 struct hci_dev *hdev = ppag->hdev; 1330 1331 status = acpi_get_name(handle, ACPI_FULL_PATHNAME, &string); 1332 if (ACPI_FAILURE(status)) { 1333 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 1334 return status; 1335 } 1336 1337 len = strlen(string.pointer); 1338 if (len < strlen(BTINTEL_PPAG_NAME)) { 1339 kfree(string.pointer); 1340 return AE_OK; 1341 } 1342 1343 if (strncmp((char *)string.pointer + len - 4, BTINTEL_PPAG_NAME, 4)) { 1344 kfree(string.pointer); 1345 return AE_OK; 1346 } 1347 kfree(string.pointer); 1348 1349 status = acpi_evaluate_object(handle, NULL, NULL, &buffer); 1350 if (ACPI_FAILURE(status)) { 1351 ppag->status = status; 1352 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 1353 return status; 1354 } 1355 1356 p = buffer.pointer; 1357 ppag = (struct btintel_ppag *)data; 1358 1359 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) { 1360 kfree(buffer.pointer); 1361 bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d", 1362 p->type, p->package.count); 1363 ppag->status = AE_ERROR; 1364 return AE_ERROR; 1365 } 1366 1367 elements = p->package.elements; 1368 1369 /* PPAG table is located at element[1] */ 1370 p = &elements[1]; 1371 1372 ppag->domain = (u32)p->package.elements[0].integer.value; 1373 ppag->mode = (u32)p->package.elements[1].integer.value; 1374 ppag->status = AE_OK; 1375 kfree(buffer.pointer); 1376 return AE_CTRL_TERMINATE; 1377 } 1378 1379 static int btintel_set_debug_features(struct hci_dev *hdev, 1380 const struct intel_debug_features *features) 1381 { 1382 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00, 1383 0x00, 0x00, 0x00 }; 1384 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 }; 1385 u8 trace_enable = 0x02; 1386 struct sk_buff *skb; 1387 1388 if (!features) { 1389 bt_dev_warn(hdev, "Debug features not read"); 1390 return -EINVAL; 1391 } 1392 1393 if (!(features->page1[0] & 0x3f)) { 1394 bt_dev_info(hdev, "Telemetry exception format not supported"); 1395 return 0; 1396 } 1397 1398 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1399 if (IS_ERR(skb)) { 1400 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1401 PTR_ERR(skb)); 1402 return PTR_ERR(skb); 1403 } 1404 kfree_skb(skb); 1405 1406 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT); 1407 if (IS_ERR(skb)) { 1408 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)", 1409 PTR_ERR(skb)); 1410 return PTR_ERR(skb); 1411 } 1412 kfree_skb(skb); 1413 1414 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1415 if (IS_ERR(skb)) { 1416 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)", 1417 PTR_ERR(skb)); 1418 return PTR_ERR(skb); 1419 } 1420 kfree_skb(skb); 1421 1422 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x", 1423 trace_enable, mask[3]); 1424 1425 return 0; 1426 } 1427 1428 static int btintel_reset_debug_features(struct hci_dev *hdev, 1429 const struct intel_debug_features *features) 1430 { 1431 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 1432 0x00, 0x00, 0x00 }; 1433 u8 trace_enable = 0x00; 1434 struct sk_buff *skb; 1435 1436 if (!features) { 1437 bt_dev_warn(hdev, "Debug features not read"); 1438 return -EINVAL; 1439 } 1440 1441 if (!(features->page1[0] & 0x3f)) { 1442 bt_dev_info(hdev, "Telemetry exception format not supported"); 1443 return 0; 1444 } 1445 1446 /* Should stop the trace before writing ddc event mask. */ 1447 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1448 if (IS_ERR(skb)) { 1449 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)", 1450 PTR_ERR(skb)); 1451 return PTR_ERR(skb); 1452 } 1453 kfree_skb(skb); 1454 1455 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1456 if (IS_ERR(skb)) { 1457 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1458 PTR_ERR(skb)); 1459 return PTR_ERR(skb); 1460 } 1461 kfree_skb(skb); 1462 1463 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x", 1464 trace_enable, mask[3]); 1465 1466 return 0; 1467 } 1468 1469 int btintel_set_quality_report(struct hci_dev *hdev, bool enable) 1470 { 1471 struct intel_debug_features features; 1472 int err; 1473 1474 bt_dev_dbg(hdev, "enable %d", enable); 1475 1476 /* Read the Intel supported features and if new exception formats 1477 * supported, need to load the additional DDC config to enable. 1478 */ 1479 err = btintel_read_debug_features(hdev, &features); 1480 if (err) 1481 return err; 1482 1483 /* Set or reset the debug features. */ 1484 if (enable) 1485 err = btintel_set_debug_features(hdev, &features); 1486 else 1487 err = btintel_reset_debug_features(hdev, &features); 1488 1489 return err; 1490 } 1491 EXPORT_SYMBOL_GPL(btintel_set_quality_report); 1492 1493 static void btintel_coredump(struct hci_dev *hdev) 1494 { 1495 struct sk_buff *skb; 1496 1497 skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT); 1498 if (IS_ERR(skb)) { 1499 bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb)); 1500 return; 1501 } 1502 1503 kfree_skb(skb); 1504 } 1505 1506 static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb) 1507 { 1508 char buf[80]; 1509 1510 snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n", 1511 coredump_info.hw_variant); 1512 skb_put_data(skb, buf, strlen(buf)); 1513 1514 snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n", 1515 coredump_info.fw_build_num); 1516 skb_put_data(skb, buf, strlen(buf)); 1517 1518 snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name); 1519 skb_put_data(skb, buf, strlen(buf)); 1520 1521 snprintf(buf, sizeof(buf), "Vendor: Intel\n"); 1522 skb_put_data(skb, buf, strlen(buf)); 1523 } 1524 1525 static int btintel_register_devcoredump_support(struct hci_dev *hdev) 1526 { 1527 struct intel_debug_features features; 1528 int err; 1529 1530 err = btintel_read_debug_features(hdev, &features); 1531 if (err) { 1532 bt_dev_info(hdev, "Error reading debug features"); 1533 return err; 1534 } 1535 1536 if (!(features.page1[0] & 0x3f)) { 1537 bt_dev_dbg(hdev, "Telemetry exception format not supported"); 1538 return -EOPNOTSUPP; 1539 } 1540 1541 hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL); 1542 1543 return err; 1544 } 1545 1546 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev, 1547 struct intel_version *ver) 1548 { 1549 const struct firmware *fw; 1550 char fwname[64]; 1551 int ret; 1552 1553 snprintf(fwname, sizeof(fwname), 1554 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1555 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1556 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1557 ver->fw_build_ww, ver->fw_build_yy); 1558 1559 ret = request_firmware(&fw, fwname, &hdev->dev); 1560 if (ret < 0) { 1561 if (ret == -EINVAL) { 1562 bt_dev_err(hdev, "Intel firmware file request failed (%d)", 1563 ret); 1564 return NULL; 1565 } 1566 1567 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)", 1568 fwname, ret); 1569 1570 /* If the correct firmware patch file is not found, use the 1571 * default firmware patch file instead 1572 */ 1573 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1574 ver->hw_platform, ver->hw_variant); 1575 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1576 bt_dev_err(hdev, "failed to open default fw file: %s", 1577 fwname); 1578 return NULL; 1579 } 1580 } 1581 1582 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname); 1583 1584 return fw; 1585 } 1586 1587 static int btintel_legacy_rom_patching(struct hci_dev *hdev, 1588 const struct firmware *fw, 1589 const u8 **fw_ptr, int *disable_patch) 1590 { 1591 struct sk_buff *skb; 1592 struct hci_command_hdr *cmd; 1593 const u8 *cmd_param; 1594 struct hci_event_hdr *evt = NULL; 1595 const u8 *evt_param = NULL; 1596 int remain = fw->size - (*fw_ptr - fw->data); 1597 1598 /* The first byte indicates the types of the patch command or event. 1599 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1600 * in the current firmware buffer doesn't start with 0x01 or 1601 * the size of remain buffer is smaller than HCI command header, 1602 * the firmware file is corrupted and it should stop the patching 1603 * process. 1604 */ 1605 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1606 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read"); 1607 return -EINVAL; 1608 } 1609 (*fw_ptr)++; 1610 remain--; 1611 1612 cmd = (struct hci_command_hdr *)(*fw_ptr); 1613 *fw_ptr += sizeof(*cmd); 1614 remain -= sizeof(*cmd); 1615 1616 /* Ensure that the remain firmware data is long enough than the length 1617 * of command parameter. If not, the firmware file is corrupted. 1618 */ 1619 if (remain < cmd->plen) { 1620 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len"); 1621 return -EFAULT; 1622 } 1623 1624 /* If there is a command that loads a patch in the firmware 1625 * file, then enable the patch upon success, otherwise just 1626 * disable the manufacturer mode, for example patch activation 1627 * is not required when the default firmware patch file is used 1628 * because there are no patch data to load. 1629 */ 1630 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1631 *disable_patch = 0; 1632 1633 cmd_param = *fw_ptr; 1634 *fw_ptr += cmd->plen; 1635 remain -= cmd->plen; 1636 1637 /* This reads the expected events when the above command is sent to the 1638 * device. Some vendor commands expects more than one events, for 1639 * example command status event followed by vendor specific event. 1640 * For this case, it only keeps the last expected event. so the command 1641 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1642 * last expected event. 1643 */ 1644 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1645 (*fw_ptr)++; 1646 remain--; 1647 1648 evt = (struct hci_event_hdr *)(*fw_ptr); 1649 *fw_ptr += sizeof(*evt); 1650 remain -= sizeof(*evt); 1651 1652 if (remain < evt->plen) { 1653 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len"); 1654 return -EFAULT; 1655 } 1656 1657 evt_param = *fw_ptr; 1658 *fw_ptr += evt->plen; 1659 remain -= evt->plen; 1660 } 1661 1662 /* Every HCI commands in the firmware file has its correspond event. 1663 * If event is not found or remain is smaller than zero, the firmware 1664 * file is corrupted. 1665 */ 1666 if (!evt || !evt_param || remain < 0) { 1667 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read"); 1668 return -EFAULT; 1669 } 1670 1671 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1672 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1673 if (IS_ERR(skb)) { 1674 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)", 1675 cmd->opcode, PTR_ERR(skb)); 1676 return PTR_ERR(skb); 1677 } 1678 1679 /* It ensures that the returned event matches the event data read from 1680 * the firmware file. At fist, it checks the length and then 1681 * the contents of the event. 1682 */ 1683 if (skb->len != evt->plen) { 1684 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)", 1685 le16_to_cpu(cmd->opcode)); 1686 kfree_skb(skb); 1687 return -EFAULT; 1688 } 1689 1690 if (memcmp(skb->data, evt_param, evt->plen)) { 1691 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)", 1692 le16_to_cpu(cmd->opcode)); 1693 kfree_skb(skb); 1694 return -EFAULT; 1695 } 1696 kfree_skb(skb); 1697 1698 return 0; 1699 } 1700 1701 static int btintel_legacy_rom_setup(struct hci_dev *hdev, 1702 struct intel_version *ver) 1703 { 1704 const struct firmware *fw; 1705 const u8 *fw_ptr; 1706 int disable_patch, err; 1707 struct intel_version new_ver; 1708 1709 BT_DBG("%s", hdev->name); 1710 1711 /* fw_patch_num indicates the version of patch the device currently 1712 * have. If there is no patch data in the device, it is always 0x00. 1713 * So, if it is other than 0x00, no need to patch the device again. 1714 */ 1715 if (ver->fw_patch_num) { 1716 bt_dev_info(hdev, 1717 "Intel device is already patched. patch num: %02x", 1718 ver->fw_patch_num); 1719 goto complete; 1720 } 1721 1722 /* Opens the firmware patch file based on the firmware version read 1723 * from the controller. If it fails to open the matching firmware 1724 * patch file, it tries to open the default firmware patch file. 1725 * If no patch file is found, allow the device to operate without 1726 * a patch. 1727 */ 1728 fw = btintel_legacy_rom_get_fw(hdev, ver); 1729 if (!fw) 1730 goto complete; 1731 fw_ptr = fw->data; 1732 1733 /* Enable the manufacturer mode of the controller. 1734 * Only while this mode is enabled, the driver can download the 1735 * firmware patch data and configuration parameters. 1736 */ 1737 err = btintel_enter_mfg(hdev); 1738 if (err) { 1739 release_firmware(fw); 1740 return err; 1741 } 1742 1743 disable_patch = 1; 1744 1745 /* The firmware data file consists of list of Intel specific HCI 1746 * commands and its expected events. The first byte indicates the 1747 * type of the message, either HCI command or HCI event. 1748 * 1749 * It reads the command and its expected event from the firmware file, 1750 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1751 * the returned event is compared with the event read from the firmware 1752 * file and it will continue until all the messages are downloaded to 1753 * the controller. 1754 * 1755 * Once the firmware patching is completed successfully, 1756 * the manufacturer mode is disabled with reset and activating the 1757 * downloaded patch. 1758 * 1759 * If the firmware patching fails, the manufacturer mode is 1760 * disabled with reset and deactivating the patch. 1761 * 1762 * If the default patch file is used, no reset is done when disabling 1763 * the manufacturer. 1764 */ 1765 while (fw->size > fw_ptr - fw->data) { 1766 int ret; 1767 1768 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr, 1769 &disable_patch); 1770 if (ret < 0) 1771 goto exit_mfg_deactivate; 1772 } 1773 1774 release_firmware(fw); 1775 1776 if (disable_patch) 1777 goto exit_mfg_disable; 1778 1779 /* Patching completed successfully and disable the manufacturer mode 1780 * with reset and activate the downloaded firmware patches. 1781 */ 1782 err = btintel_exit_mfg(hdev, true, true); 1783 if (err) 1784 return err; 1785 1786 /* Need build number for downloaded fw patches in 1787 * every power-on boot 1788 */ 1789 err = btintel_read_version(hdev, &new_ver); 1790 if (err) 1791 return err; 1792 1793 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated", 1794 new_ver.fw_patch_num); 1795 1796 goto complete; 1797 1798 exit_mfg_disable: 1799 /* Disable the manufacturer mode without reset */ 1800 err = btintel_exit_mfg(hdev, false, false); 1801 if (err) 1802 return err; 1803 1804 bt_dev_info(hdev, "Intel firmware patch completed"); 1805 1806 goto complete; 1807 1808 exit_mfg_deactivate: 1809 release_firmware(fw); 1810 1811 /* Patching failed. Disable the manufacturer mode with reset and 1812 * deactivate the downloaded firmware patches. 1813 */ 1814 err = btintel_exit_mfg(hdev, true, false); 1815 if (err) 1816 return err; 1817 1818 bt_dev_info(hdev, "Intel firmware patch completed and deactivated"); 1819 1820 complete: 1821 /* Set the event mask for Intel specific vendor events. This enables 1822 * a few extra events that are useful during general operation. 1823 */ 1824 btintel_set_event_mask_mfg(hdev, false); 1825 1826 btintel_check_bdaddr(hdev); 1827 1828 return 0; 1829 } 1830 1831 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1832 { 1833 ktime_t delta, rettime; 1834 unsigned long long duration; 1835 int err; 1836 1837 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1838 1839 bt_dev_info(hdev, "Waiting for firmware download to complete"); 1840 1841 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING, 1842 TASK_INTERRUPTIBLE, 1843 msecs_to_jiffies(msec)); 1844 if (err == -EINTR) { 1845 bt_dev_err(hdev, "Firmware loading interrupted"); 1846 return err; 1847 } 1848 1849 if (err) { 1850 bt_dev_err(hdev, "Firmware loading timeout"); 1851 return -ETIMEDOUT; 1852 } 1853 1854 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) { 1855 bt_dev_err(hdev, "Firmware loading failed"); 1856 return -ENOEXEC; 1857 } 1858 1859 rettime = ktime_get(); 1860 delta = ktime_sub(rettime, calltime); 1861 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1862 1863 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration); 1864 1865 return 0; 1866 } 1867 1868 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1869 { 1870 ktime_t delta, rettime; 1871 unsigned long long duration; 1872 int err; 1873 1874 bt_dev_info(hdev, "Waiting for device to boot"); 1875 1876 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING, 1877 TASK_INTERRUPTIBLE, 1878 msecs_to_jiffies(msec)); 1879 if (err == -EINTR) { 1880 bt_dev_err(hdev, "Device boot interrupted"); 1881 return -EINTR; 1882 } 1883 1884 if (err) { 1885 bt_dev_err(hdev, "Device boot timeout"); 1886 return -ETIMEDOUT; 1887 } 1888 1889 rettime = ktime_get(); 1890 delta = ktime_sub(rettime, calltime); 1891 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 1892 1893 bt_dev_info(hdev, "Device booted in %llu usecs", duration); 1894 1895 return 0; 1896 } 1897 1898 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr) 1899 { 1900 ktime_t calltime; 1901 int err; 1902 1903 calltime = ktime_get(); 1904 1905 btintel_set_flag(hdev, INTEL_BOOTING); 1906 1907 err = btintel_send_intel_reset(hdev, boot_addr); 1908 if (err) { 1909 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err); 1910 btintel_reset_to_bootloader(hdev); 1911 return err; 1912 } 1913 1914 /* The bootloader will not indicate when the device is ready. This 1915 * is done by the operational firmware sending bootup notification. 1916 * 1917 * Booting into operational firmware should not take longer than 1918 * 1 second. However if that happens, then just fail the setup 1919 * since something went wrong. 1920 */ 1921 err = btintel_boot_wait(hdev, calltime, 1000); 1922 if (err == -ETIMEDOUT) 1923 btintel_reset_to_bootloader(hdev); 1924 1925 return err; 1926 } 1927 1928 static int btintel_get_fw_name(struct intel_version *ver, 1929 struct intel_boot_params *params, 1930 char *fw_name, size_t len, 1931 const char *suffix) 1932 { 1933 switch (ver->hw_variant) { 1934 case 0x0b: /* SfP */ 1935 case 0x0c: /* WsP */ 1936 snprintf(fw_name, len, "intel/ibt-%u-%u.%s", 1937 ver->hw_variant, 1938 le16_to_cpu(params->dev_revid), 1939 suffix); 1940 break; 1941 case 0x11: /* JfP */ 1942 case 0x12: /* ThP */ 1943 case 0x13: /* HrP */ 1944 case 0x14: /* CcP */ 1945 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s", 1946 ver->hw_variant, 1947 ver->hw_revision, 1948 ver->fw_revision, 1949 suffix); 1950 break; 1951 default: 1952 return -EINVAL; 1953 } 1954 1955 return 0; 1956 } 1957 1958 static int btintel_download_fw(struct hci_dev *hdev, 1959 struct intel_version *ver, 1960 struct intel_boot_params *params, 1961 u32 *boot_param) 1962 { 1963 const struct firmware *fw; 1964 char fwname[64]; 1965 int err; 1966 ktime_t calltime; 1967 1968 if (!ver || !params) 1969 return -EINVAL; 1970 1971 /* The firmware variant determines if the device is in bootloader 1972 * mode or is running operational firmware. The value 0x06 identifies 1973 * the bootloader and the value 0x23 identifies the operational 1974 * firmware. 1975 * 1976 * When the operational firmware is already present, then only 1977 * the check for valid Bluetooth device address is needed. This 1978 * determines if the device will be added as configured or 1979 * unconfigured controller. 1980 * 1981 * It is not possible to use the Secure Boot Parameters in this 1982 * case since that command is only available in bootloader mode. 1983 */ 1984 if (ver->fw_variant == 0x23) { 1985 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 1986 btintel_check_bdaddr(hdev); 1987 1988 /* SfP and WsP don't seem to update the firmware version on file 1989 * so version checking is currently possible. 1990 */ 1991 switch (ver->hw_variant) { 1992 case 0x0b: /* SfP */ 1993 case 0x0c: /* WsP */ 1994 return 0; 1995 } 1996 1997 /* Proceed to download to check if the version matches */ 1998 goto download; 1999 } 2000 2001 /* Read the secure boot parameters to identify the operating 2002 * details of the bootloader. 2003 */ 2004 err = btintel_read_boot_params(hdev, params); 2005 if (err) 2006 return err; 2007 2008 /* It is required that every single firmware fragment is acknowledged 2009 * with a command complete event. If the boot parameters indicate 2010 * that this bootloader does not send them, then abort the setup. 2011 */ 2012 if (params->limited_cce != 0x00) { 2013 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)", 2014 params->limited_cce); 2015 return -EINVAL; 2016 } 2017 2018 /* If the OTP has no valid Bluetooth device address, then there will 2019 * also be no valid address for the operational firmware. 2020 */ 2021 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2022 bt_dev_info(hdev, "No device address configured"); 2023 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2024 } 2025 2026 download: 2027 /* With this Intel bootloader only the hardware variant and device 2028 * revision information are used to select the right firmware for SfP 2029 * and WsP. 2030 * 2031 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi. 2032 * 2033 * Currently the supported hardware variants are: 2034 * 11 (0x0b) for iBT3.0 (LnP/SfP) 2035 * 12 (0x0c) for iBT3.5 (WsP) 2036 * 2037 * For ThP/JfP and for future SKU's, the FW name varies based on HW 2038 * variant, HW revision and FW revision, as these are dependent on CNVi 2039 * and RF Combination. 2040 * 2041 * 17 (0x11) for iBT3.5 (JfP) 2042 * 18 (0x12) for iBT3.5 (ThP) 2043 * 2044 * The firmware file name for these will be 2045 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi. 2046 * 2047 */ 2048 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi"); 2049 if (err < 0) { 2050 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2051 /* Firmware has already been loaded */ 2052 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2053 return 0; 2054 } 2055 2056 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2057 return -EINVAL; 2058 } 2059 2060 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2061 if (err < 0) { 2062 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2063 /* Firmware has already been loaded */ 2064 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2065 return 0; 2066 } 2067 2068 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2069 fwname, err); 2070 return err; 2071 } 2072 2073 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2074 2075 if (fw->size < 644) { 2076 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2077 fw->size); 2078 err = -EBADF; 2079 goto done; 2080 } 2081 2082 calltime = ktime_get(); 2083 2084 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2085 2086 /* Start firmware downloading and get boot parameter */ 2087 err = btintel_download_firmware(hdev, ver, fw, boot_param); 2088 if (err < 0) { 2089 if (err == -EALREADY) { 2090 /* Firmware has already been loaded */ 2091 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2092 err = 0; 2093 goto done; 2094 } 2095 2096 /* When FW download fails, send Intel Reset to retry 2097 * FW download. 2098 */ 2099 btintel_reset_to_bootloader(hdev); 2100 goto done; 2101 } 2102 2103 /* Before switching the device into operational mode and with that 2104 * booting the loaded firmware, wait for the bootloader notification 2105 * that all fragments have been successfully received. 2106 * 2107 * When the event processing receives the notification, then the 2108 * INTEL_DOWNLOADING flag will be cleared. 2109 * 2110 * The firmware loading should not take longer than 5 seconds 2111 * and thus just timeout if that happens and fail the setup 2112 * of this device. 2113 */ 2114 err = btintel_download_wait(hdev, calltime, 5000); 2115 if (err == -ETIMEDOUT) 2116 btintel_reset_to_bootloader(hdev); 2117 2118 done: 2119 release_firmware(fw); 2120 return err; 2121 } 2122 2123 static int btintel_bootloader_setup(struct hci_dev *hdev, 2124 struct intel_version *ver) 2125 { 2126 struct intel_version new_ver; 2127 struct intel_boot_params params; 2128 u32 boot_param; 2129 char ddcname[64]; 2130 int err; 2131 2132 BT_DBG("%s", hdev->name); 2133 2134 /* Set the default boot parameter to 0x0 and it is updated to 2135 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2136 * command while downloading the firmware. 2137 */ 2138 boot_param = 0x00000000; 2139 2140 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2141 2142 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param); 2143 if (err) 2144 return err; 2145 2146 /* controller is already having an operational firmware */ 2147 if (ver->fw_variant == 0x23) 2148 goto finish; 2149 2150 err = btintel_boot(hdev, boot_param); 2151 if (err) 2152 return err; 2153 2154 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2155 2156 err = btintel_get_fw_name(ver, ¶ms, ddcname, 2157 sizeof(ddcname), "ddc"); 2158 2159 if (err < 0) { 2160 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2161 } else { 2162 /* Once the device is running in operational mode, it needs to 2163 * apply the device configuration (DDC) parameters. 2164 * 2165 * The device can work without DDC parameters, so even if it 2166 * fails to load the file, no need to fail the setup. 2167 */ 2168 btintel_load_ddc_config(hdev, ddcname); 2169 } 2170 2171 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2172 2173 /* Read the Intel version information after loading the FW */ 2174 err = btintel_read_version(hdev, &new_ver); 2175 if (err) 2176 return err; 2177 2178 btintel_version_info(hdev, &new_ver); 2179 2180 finish: 2181 /* Set the event mask for Intel specific vendor events. This enables 2182 * a few extra events that are useful during general operation. It 2183 * does not enable any debugging related events. 2184 * 2185 * The device will function correctly without these events enabled 2186 * and thus no need to fail the setup. 2187 */ 2188 btintel_set_event_mask(hdev, false); 2189 2190 return 0; 2191 } 2192 2193 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver, 2194 char *fw_name, size_t len, 2195 const char *suffix) 2196 { 2197 /* The firmware file name for new generation controllers will be 2198 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step> 2199 */ 2200 snprintf(fw_name, len, "intel/ibt-%04x-%04x.%s", 2201 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2202 INTEL_CNVX_TOP_STEP(ver->cnvi_top)), 2203 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2204 INTEL_CNVX_TOP_STEP(ver->cnvr_top)), 2205 suffix); 2206 } 2207 2208 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev, 2209 struct intel_version_tlv *ver, 2210 u32 *boot_param) 2211 { 2212 const struct firmware *fw; 2213 char fwname[64]; 2214 int err; 2215 ktime_t calltime; 2216 2217 if (!ver || !boot_param) 2218 return -EINVAL; 2219 2220 /* The firmware variant determines if the device is in bootloader 2221 * mode or is running operational firmware. The value 0x03 identifies 2222 * the bootloader and the value 0x23 identifies the operational 2223 * firmware. 2224 * 2225 * When the operational firmware is already present, then only 2226 * the check for valid Bluetooth device address is needed. This 2227 * determines if the device will be added as configured or 2228 * unconfigured controller. 2229 * 2230 * It is not possible to use the Secure Boot Parameters in this 2231 * case since that command is only available in bootloader mode. 2232 */ 2233 if (ver->img_type == 0x03) { 2234 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2235 btintel_check_bdaddr(hdev); 2236 } else { 2237 /* 2238 * Check for valid bd address in boot loader mode. Device 2239 * will be marked as unconfigured if empty bd address is 2240 * found. 2241 */ 2242 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) { 2243 bt_dev_info(hdev, "No device address configured"); 2244 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2245 } 2246 } 2247 2248 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2249 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2250 if (err < 0) { 2251 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2252 /* Firmware has already been loaded */ 2253 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2254 return 0; 2255 } 2256 2257 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2258 fwname, err); 2259 2260 return err; 2261 } 2262 2263 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2264 2265 if (fw->size < 644) { 2266 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2267 fw->size); 2268 err = -EBADF; 2269 goto done; 2270 } 2271 2272 calltime = ktime_get(); 2273 2274 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2275 2276 /* Start firmware downloading and get boot parameter */ 2277 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param, 2278 INTEL_HW_VARIANT(ver->cnvi_bt), 2279 ver->sbe_type); 2280 if (err < 0) { 2281 if (err == -EALREADY) { 2282 /* Firmware has already been loaded */ 2283 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2284 err = 0; 2285 goto done; 2286 } 2287 2288 /* When FW download fails, send Intel Reset to retry 2289 * FW download. 2290 */ 2291 btintel_reset_to_bootloader(hdev); 2292 goto done; 2293 } 2294 2295 /* Before switching the device into operational mode and with that 2296 * booting the loaded firmware, wait for the bootloader notification 2297 * that all fragments have been successfully received. 2298 * 2299 * When the event processing receives the notification, then the 2300 * BTUSB_DOWNLOADING flag will be cleared. 2301 * 2302 * The firmware loading should not take longer than 5 seconds 2303 * and thus just timeout if that happens and fail the setup 2304 * of this device. 2305 */ 2306 err = btintel_download_wait(hdev, calltime, 5000); 2307 if (err == -ETIMEDOUT) 2308 btintel_reset_to_bootloader(hdev); 2309 2310 done: 2311 release_firmware(fw); 2312 return err; 2313 } 2314 2315 static int btintel_get_codec_config_data(struct hci_dev *hdev, 2316 __u8 link, struct bt_codec *codec, 2317 __u8 *ven_len, __u8 **ven_data) 2318 { 2319 int err = 0; 2320 2321 if (!ven_data || !ven_len) 2322 return -EINVAL; 2323 2324 *ven_len = 0; 2325 *ven_data = NULL; 2326 2327 if (link != ESCO_LINK) { 2328 bt_dev_err(hdev, "Invalid link type(%u)", link); 2329 return -EINVAL; 2330 } 2331 2332 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL); 2333 if (!*ven_data) { 2334 err = -ENOMEM; 2335 goto error; 2336 } 2337 2338 /* supports only CVSD and mSBC offload codecs */ 2339 switch (codec->id) { 2340 case 0x02: 2341 **ven_data = 0x00; 2342 break; 2343 case 0x05: 2344 **ven_data = 0x01; 2345 break; 2346 default: 2347 err = -EINVAL; 2348 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id); 2349 goto error; 2350 } 2351 /* codec and its capabilities are pre-defined to ids 2352 * preset id = 0x00 represents CVSD codec with sampling rate 8K 2353 * preset id = 0x01 represents mSBC codec with sampling rate 16K 2354 */ 2355 *ven_len = sizeof(__u8); 2356 return err; 2357 2358 error: 2359 kfree(*ven_data); 2360 *ven_data = NULL; 2361 return err; 2362 } 2363 2364 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id) 2365 { 2366 /* Intel uses 1 as data path id for all the usecases */ 2367 *data_path_id = 1; 2368 return 0; 2369 } 2370 2371 static int btintel_configure_offload(struct hci_dev *hdev) 2372 { 2373 struct sk_buff *skb; 2374 int err = 0; 2375 struct intel_offload_use_cases *use_cases; 2376 2377 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT); 2378 if (IS_ERR(skb)) { 2379 bt_dev_err(hdev, "Reading offload use cases failed (%ld)", 2380 PTR_ERR(skb)); 2381 return PTR_ERR(skb); 2382 } 2383 2384 if (skb->len < sizeof(*use_cases)) { 2385 err = -EIO; 2386 goto error; 2387 } 2388 2389 use_cases = (void *)skb->data; 2390 2391 if (use_cases->status) { 2392 err = -bt_to_errno(skb->data[0]); 2393 goto error; 2394 } 2395 2396 if (use_cases->preset[0] & 0x03) { 2397 hdev->get_data_path_id = btintel_get_data_path_id; 2398 hdev->get_codec_config_data = btintel_get_codec_config_data; 2399 } 2400 error: 2401 kfree_skb(skb); 2402 return err; 2403 } 2404 2405 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver) 2406 { 2407 struct btintel_ppag ppag; 2408 struct sk_buff *skb; 2409 struct hci_ppag_enable_cmd ppag_cmd; 2410 acpi_handle handle; 2411 2412 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */ 2413 switch (ver->cnvr_top & 0xFFF) { 2414 case 0x504: /* Hrp2 */ 2415 case 0x202: /* Jfp2 */ 2416 case 0x201: /* Jfp1 */ 2417 bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)", 2418 ver->cnvr_top & 0xFFF); 2419 return; 2420 } 2421 2422 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2423 if (!handle) { 2424 bt_dev_info(hdev, "No support for BT device in ACPI firmware"); 2425 return; 2426 } 2427 2428 memset(&ppag, 0, sizeof(ppag)); 2429 2430 ppag.hdev = hdev; 2431 ppag.status = AE_NOT_FOUND; 2432 acpi_walk_namespace(ACPI_TYPE_PACKAGE, handle, 1, NULL, 2433 btintel_ppag_callback, &ppag, NULL); 2434 2435 if (ACPI_FAILURE(ppag.status)) { 2436 if (ppag.status == AE_NOT_FOUND) { 2437 bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found"); 2438 return; 2439 } 2440 return; 2441 } 2442 2443 if (ppag.domain != 0x12) { 2444 bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware"); 2445 return; 2446 } 2447 2448 /* PPAG mode 2449 * BIT 0 : 0 Disabled in EU 2450 * 1 Enabled in EU 2451 * BIT 1 : 0 Disabled in China 2452 * 1 Enabled in China 2453 */ 2454 if ((ppag.mode & 0x01) != BIT(0) && (ppag.mode & 0x02) != BIT(1)) { 2455 bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in CB/BIOS"); 2456 return; 2457 } 2458 2459 ppag_cmd.ppag_enable_flags = cpu_to_le32(ppag.mode); 2460 2461 skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd), &ppag_cmd, HCI_CMD_TIMEOUT); 2462 if (IS_ERR(skb)) { 2463 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb)); 2464 return; 2465 } 2466 bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", ppag.mode); 2467 kfree_skb(skb); 2468 } 2469 2470 static int btintel_acpi_reset_method(struct hci_dev *hdev) 2471 { 2472 int ret = 0; 2473 acpi_status status; 2474 union acpi_object *p, *ref; 2475 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; 2476 2477 status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer); 2478 if (ACPI_FAILURE(status)) { 2479 bt_dev_err(hdev, "Failed to run _PRR method"); 2480 ret = -ENODEV; 2481 return ret; 2482 } 2483 p = buffer.pointer; 2484 2485 if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) { 2486 bt_dev_err(hdev, "Invalid arguments"); 2487 ret = -EINVAL; 2488 goto exit_on_error; 2489 } 2490 2491 ref = &p->package.elements[0]; 2492 if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) { 2493 bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type); 2494 ret = -EINVAL; 2495 goto exit_on_error; 2496 } 2497 2498 status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL); 2499 if (ACPI_FAILURE(status)) { 2500 bt_dev_err(hdev, "Failed to run_RST method"); 2501 ret = -ENODEV; 2502 goto exit_on_error; 2503 } 2504 2505 exit_on_error: 2506 kfree(buffer.pointer); 2507 return ret; 2508 } 2509 2510 static void btintel_set_dsm_reset_method(struct hci_dev *hdev, 2511 struct intel_version_tlv *ver_tlv) 2512 { 2513 struct btintel_data *data = hci_get_priv(hdev); 2514 acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2515 u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00}; 2516 union acpi_object *obj, argv4; 2517 enum { 2518 RESET_TYPE_WDISABLE2, 2519 RESET_TYPE_VSEC 2520 }; 2521 2522 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2523 2524 if (!handle) { 2525 bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware"); 2526 return; 2527 } 2528 2529 if (!acpi_has_method(handle, "_PRR")) { 2530 bt_dev_err(hdev, "No support for _PRR ACPI method"); 2531 return; 2532 } 2533 2534 switch (ver_tlv->cnvi_top & 0xfff) { 2535 case 0x910: /* GalePeak2 */ 2536 reset_payload[2] = RESET_TYPE_VSEC; 2537 break; 2538 default: 2539 /* WDISABLE2 is the default reset method */ 2540 reset_payload[2] = RESET_TYPE_WDISABLE2; 2541 2542 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2543 BIT(DSM_SET_WDISABLE2_DELAY))) { 2544 bt_dev_err(hdev, "No dsm support to set reset delay"); 2545 return; 2546 } 2547 argv4.integer.type = ACPI_TYPE_INTEGER; 2548 /* delay required to toggle BT power */ 2549 argv4.integer.value = 160; 2550 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2551 DSM_SET_WDISABLE2_DELAY, &argv4); 2552 if (!obj) { 2553 bt_dev_err(hdev, "Failed to call dsm to set reset delay"); 2554 return; 2555 } 2556 ACPI_FREE(obj); 2557 } 2558 2559 bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]); 2560 2561 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2562 DSM_SET_RESET_METHOD)) { 2563 bt_dev_warn(hdev, "No support for dsm to set reset method"); 2564 return; 2565 } 2566 argv4.buffer.type = ACPI_TYPE_BUFFER; 2567 argv4.buffer.length = sizeof(reset_payload); 2568 argv4.buffer.pointer = reset_payload; 2569 2570 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2571 DSM_SET_RESET_METHOD, &argv4); 2572 if (!obj) { 2573 bt_dev_err(hdev, "Failed to call dsm to set reset method"); 2574 return; 2575 } 2576 ACPI_FREE(obj); 2577 data->acpi_reset_method = btintel_acpi_reset_method; 2578 } 2579 2580 static int btintel_bootloader_setup_tlv(struct hci_dev *hdev, 2581 struct intel_version_tlv *ver) 2582 { 2583 u32 boot_param; 2584 char ddcname[64]; 2585 int err; 2586 struct intel_version_tlv new_ver; 2587 2588 bt_dev_dbg(hdev, ""); 2589 2590 /* Set the default boot parameter to 0x0 and it is updated to 2591 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2592 * command while downloading the firmware. 2593 */ 2594 boot_param = 0x00000000; 2595 2596 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2597 2598 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2599 if (err) 2600 return err; 2601 2602 /* check if controller is already having an operational firmware */ 2603 if (ver->img_type == 0x03) 2604 goto finish; 2605 2606 err = btintel_boot(hdev, boot_param); 2607 if (err) 2608 return err; 2609 2610 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2611 2612 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc"); 2613 /* Once the device is running in operational mode, it needs to 2614 * apply the device configuration (DDC) parameters. 2615 * 2616 * The device can work without DDC parameters, so even if it 2617 * fails to load the file, no need to fail the setup. 2618 */ 2619 btintel_load_ddc_config(hdev, ddcname); 2620 2621 /* Read supported use cases and set callbacks to fetch datapath id */ 2622 btintel_configure_offload(hdev); 2623 2624 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2625 2626 /* Set PPAG feature */ 2627 btintel_set_ppag(hdev, ver); 2628 2629 /* Read the Intel version information after loading the FW */ 2630 err = btintel_read_version_tlv(hdev, &new_ver); 2631 if (err) 2632 return err; 2633 2634 btintel_version_info_tlv(hdev, &new_ver); 2635 2636 finish: 2637 /* Set the event mask for Intel specific vendor events. This enables 2638 * a few extra events that are useful during general operation. It 2639 * does not enable any debugging related events. 2640 * 2641 * The device will function correctly without these events enabled 2642 * and thus no need to fail the setup. 2643 */ 2644 btintel_set_event_mask(hdev, false); 2645 2646 return 0; 2647 } 2648 2649 static void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant) 2650 { 2651 switch (hw_variant) { 2652 /* Legacy bootloader devices that supports MSFT Extension */ 2653 case 0x11: /* JfP */ 2654 case 0x12: /* ThP */ 2655 case 0x13: /* HrP */ 2656 case 0x14: /* CcP */ 2657 /* All Intel new genration controllers support the Microsoft vendor 2658 * extension are using 0xFC1E for VsMsftOpCode. 2659 */ 2660 case 0x17: 2661 case 0x18: 2662 case 0x19: 2663 case 0x1b: 2664 case 0x1c: 2665 hci_set_msft_opcode(hdev, 0xFC1E); 2666 break; 2667 default: 2668 /* Not supported */ 2669 break; 2670 } 2671 } 2672 2673 static void btintel_print_fseq_info(struct hci_dev *hdev) 2674 { 2675 struct sk_buff *skb; 2676 u8 *p; 2677 u32 val; 2678 const char *str; 2679 2680 skb = __hci_cmd_sync(hdev, 0xfcb3, 0, NULL, HCI_CMD_TIMEOUT); 2681 if (IS_ERR(skb)) { 2682 bt_dev_dbg(hdev, "Reading fseq status command failed (%ld)", 2683 PTR_ERR(skb)); 2684 return; 2685 } 2686 2687 if (skb->len < (sizeof(u32) * 16 + 2)) { 2688 bt_dev_dbg(hdev, "Malformed packet of length %u received", 2689 skb->len); 2690 kfree_skb(skb); 2691 return; 2692 } 2693 2694 p = skb_pull_data(skb, 1); 2695 if (*p) { 2696 bt_dev_dbg(hdev, "Failed to get fseq status (0x%2.2x)", *p); 2697 kfree_skb(skb); 2698 return; 2699 } 2700 2701 p = skb_pull_data(skb, 1); 2702 switch (*p) { 2703 case 0: 2704 str = "Success"; 2705 break; 2706 case 1: 2707 str = "Fatal error"; 2708 break; 2709 case 2: 2710 str = "Semaphore acquire error"; 2711 break; 2712 default: 2713 str = "Unknown error"; 2714 break; 2715 } 2716 2717 if (*p) { 2718 bt_dev_err(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2719 kfree_skb(skb); 2720 return; 2721 } 2722 2723 bt_dev_info(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2724 2725 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2726 bt_dev_dbg(hdev, "Reason: 0x%8.8x", val); 2727 2728 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2729 bt_dev_dbg(hdev, "Global version: 0x%8.8x", val); 2730 2731 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2732 bt_dev_dbg(hdev, "Installed version: 0x%8.8x", val); 2733 2734 p = skb->data; 2735 skb_pull_data(skb, 4); 2736 bt_dev_info(hdev, "Fseq executed: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 2737 p[2], p[3]); 2738 2739 p = skb->data; 2740 skb_pull_data(skb, 4); 2741 bt_dev_info(hdev, "Fseq BT Top: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 2742 p[2], p[3]); 2743 2744 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2745 bt_dev_dbg(hdev, "Fseq Top init version: 0x%8.8x", val); 2746 2747 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2748 bt_dev_dbg(hdev, "Fseq Cnvio init version: 0x%8.8x", val); 2749 2750 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2751 bt_dev_dbg(hdev, "Fseq MBX Wifi file version: 0x%8.8x", val); 2752 2753 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2754 bt_dev_dbg(hdev, "Fseq BT version: 0x%8.8x", val); 2755 2756 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2757 bt_dev_dbg(hdev, "Fseq Top reset address: 0x%8.8x", val); 2758 2759 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2760 bt_dev_dbg(hdev, "Fseq MBX timeout: 0x%8.8x", val); 2761 2762 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2763 bt_dev_dbg(hdev, "Fseq MBX ack: 0x%8.8x", val); 2764 2765 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2766 bt_dev_dbg(hdev, "Fseq CNVi id: 0x%8.8x", val); 2767 2768 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2769 bt_dev_dbg(hdev, "Fseq CNVr id: 0x%8.8x", val); 2770 2771 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2772 bt_dev_dbg(hdev, "Fseq Error handle: 0x%8.8x", val); 2773 2774 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2775 bt_dev_dbg(hdev, "Fseq Magic noalive indication: 0x%8.8x", val); 2776 2777 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2778 bt_dev_dbg(hdev, "Fseq OTP version: 0x%8.8x", val); 2779 2780 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2781 bt_dev_dbg(hdev, "Fseq MBX otp version: 0x%8.8x", val); 2782 2783 kfree_skb(skb); 2784 } 2785 2786 static int btintel_setup_combined(struct hci_dev *hdev) 2787 { 2788 const u8 param[1] = { 0xFF }; 2789 struct intel_version ver; 2790 struct intel_version_tlv ver_tlv; 2791 struct sk_buff *skb; 2792 int err; 2793 2794 BT_DBG("%s", hdev->name); 2795 2796 /* The some controllers have a bug with the first HCI command sent to it 2797 * returning number of completed commands as zero. This would stall the 2798 * command processing in the Bluetooth core. 2799 * 2800 * As a workaround, send HCI Reset command first which will reset the 2801 * number of completed commands and allow normal command processing 2802 * from now on. 2803 * 2804 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe 2805 * in the SW_RFKILL ON state as a workaround of fixing LED issue during 2806 * the shutdown() procedure, and once the device is in SW_RFKILL ON 2807 * state, the only way to exit out of it is sending the HCI_Reset 2808 * command. 2809 */ 2810 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) || 2811 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 2812 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, 2813 HCI_INIT_TIMEOUT); 2814 if (IS_ERR(skb)) { 2815 bt_dev_err(hdev, 2816 "sending initial HCI reset failed (%ld)", 2817 PTR_ERR(skb)); 2818 return PTR_ERR(skb); 2819 } 2820 kfree_skb(skb); 2821 } 2822 2823 /* Starting from TyP device, the command parameter and response are 2824 * changed even though the OCF for HCI_Intel_Read_Version command 2825 * remains same. The legacy devices can handle even if the 2826 * command has a parameter and returns a correct version information. 2827 * So, it uses new format to support both legacy and new format. 2828 */ 2829 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 2830 if (IS_ERR(skb)) { 2831 bt_dev_err(hdev, "Reading Intel version command failed (%ld)", 2832 PTR_ERR(skb)); 2833 return PTR_ERR(skb); 2834 } 2835 2836 /* Check the status */ 2837 if (skb->data[0]) { 2838 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 2839 skb->data[0]); 2840 err = -EIO; 2841 goto exit_error; 2842 } 2843 2844 /* Apply the common HCI quirks for Intel device */ 2845 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2846 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2847 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks); 2848 2849 /* Set up the quality report callback for Intel devices */ 2850 hdev->set_quality_report = btintel_set_quality_report; 2851 2852 /* For Legacy device, check the HW platform value and size */ 2853 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) { 2854 bt_dev_dbg(hdev, "Read the legacy Intel version information"); 2855 2856 memcpy(&ver, skb->data, sizeof(ver)); 2857 2858 /* Display version information */ 2859 btintel_version_info(hdev, &ver); 2860 2861 /* Check for supported iBT hardware variants of this firmware 2862 * loading method. 2863 * 2864 * This check has been put in place to ensure correct forward 2865 * compatibility options when newer hardware variants come 2866 * along. 2867 */ 2868 switch (ver.hw_variant) { 2869 case 0x07: /* WP */ 2870 case 0x08: /* StP */ 2871 /* Legacy ROM product */ 2872 btintel_set_flag(hdev, INTEL_ROM_LEGACY); 2873 2874 /* Apply the device specific HCI quirks 2875 * 2876 * WBS for SdP - For the Legacy ROM products, only SdP 2877 * supports the WBS. But the version information is not 2878 * enough to use here because the StP2 and SdP have same 2879 * hw_variant and fw_variant. So, this flag is set by 2880 * the transport driver (btusb) based on the HW info 2881 * (idProduct) 2882 */ 2883 if (!btintel_test_flag(hdev, 2884 INTEL_ROM_LEGACY_NO_WBS_SUPPORT)) 2885 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 2886 &hdev->quirks); 2887 if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22) 2888 set_bit(HCI_QUIRK_VALID_LE_STATES, 2889 &hdev->quirks); 2890 2891 err = btintel_legacy_rom_setup(hdev, &ver); 2892 break; 2893 case 0x0b: /* SfP */ 2894 case 0x11: /* JfP */ 2895 case 0x12: /* ThP */ 2896 case 0x13: /* HrP */ 2897 case 0x14: /* CcP */ 2898 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 2899 fallthrough; 2900 case 0x0c: /* WsP */ 2901 /* Apply the device specific HCI quirks 2902 * 2903 * All Legacy bootloader devices support WBS 2904 */ 2905 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 2906 &hdev->quirks); 2907 2908 /* These variants don't seem to support LE Coded PHY */ 2909 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 2910 2911 /* Setup MSFT Extension support */ 2912 btintel_set_msft_opcode(hdev, ver.hw_variant); 2913 2914 err = btintel_bootloader_setup(hdev, &ver); 2915 btintel_register_devcoredump_support(hdev); 2916 break; 2917 default: 2918 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 2919 ver.hw_variant); 2920 err = -EINVAL; 2921 } 2922 2923 goto exit_error; 2924 } 2925 2926 /* memset ver_tlv to start with clean state as few fields are exclusive 2927 * to bootloader mode and are not populated in operational mode 2928 */ 2929 memset(&ver_tlv, 0, sizeof(ver_tlv)); 2930 /* For TLV type device, parse the tlv data */ 2931 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb); 2932 if (err) { 2933 bt_dev_err(hdev, "Failed to parse TLV version information"); 2934 goto exit_error; 2935 } 2936 2937 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) { 2938 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 2939 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt)); 2940 err = -EINVAL; 2941 goto exit_error; 2942 } 2943 2944 /* Check for supported iBT hardware variants of this firmware 2945 * loading method. 2946 * 2947 * This check has been put in place to ensure correct forward 2948 * compatibility options when newer hardware variants come 2949 * along. 2950 */ 2951 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) { 2952 case 0x11: /* JfP */ 2953 case 0x12: /* ThP */ 2954 case 0x13: /* HrP */ 2955 case 0x14: /* CcP */ 2956 /* Some legacy bootloader devices starting from JfP, 2957 * the operational firmware supports both old and TLV based 2958 * HCI_Intel_Read_Version command based on the command 2959 * parameter. 2960 * 2961 * For upgrading firmware case, the TLV based version cannot 2962 * be used because the firmware filename for legacy bootloader 2963 * is based on the old format. 2964 * 2965 * Also, it is not easy to convert TLV based version from the 2966 * legacy version format. 2967 * 2968 * So, as a workaround for those devices, use the legacy 2969 * HCI_Intel_Read_Version to get the version information and 2970 * run the legacy bootloader setup. 2971 */ 2972 err = btintel_read_version(hdev, &ver); 2973 if (err) 2974 break; 2975 2976 /* Apply the device specific HCI quirks 2977 * 2978 * All Legacy bootloader devices support WBS 2979 */ 2980 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 2981 2982 /* These variants don't seem to support LE Coded PHY */ 2983 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 2984 2985 /* Set Valid LE States quirk */ 2986 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 2987 2988 /* Setup MSFT Extension support */ 2989 btintel_set_msft_opcode(hdev, ver.hw_variant); 2990 2991 err = btintel_bootloader_setup(hdev, &ver); 2992 btintel_register_devcoredump_support(hdev); 2993 break; 2994 case 0x17: 2995 case 0x18: 2996 case 0x19: 2997 case 0x1b: 2998 case 0x1c: 2999 /* Display version information of TLV type */ 3000 btintel_version_info_tlv(hdev, &ver_tlv); 3001 3002 /* Apply the device specific HCI quirks for TLV based devices 3003 * 3004 * All TLV based devices support WBS 3005 */ 3006 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 3007 3008 /* Apply LE States quirk from solar onwards */ 3009 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 3010 3011 /* Setup MSFT Extension support */ 3012 btintel_set_msft_opcode(hdev, 3013 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3014 btintel_set_dsm_reset_method(hdev, &ver_tlv); 3015 3016 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv); 3017 btintel_register_devcoredump_support(hdev); 3018 btintel_print_fseq_info(hdev); 3019 break; 3020 default: 3021 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3022 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3023 err = -EINVAL; 3024 break; 3025 } 3026 3027 exit_error: 3028 kfree_skb(skb); 3029 3030 return err; 3031 } 3032 3033 static int btintel_shutdown_combined(struct hci_dev *hdev) 3034 { 3035 struct sk_buff *skb; 3036 int ret; 3037 3038 /* Send HCI Reset to the controller to stop any BT activity which 3039 * were triggered. This will help to save power and maintain the 3040 * sync b/w Host and controller 3041 */ 3042 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 3043 if (IS_ERR(skb)) { 3044 bt_dev_err(hdev, "HCI reset during shutdown failed"); 3045 return PTR_ERR(skb); 3046 } 3047 kfree_skb(skb); 3048 3049 3050 /* Some platforms have an issue with BT LED when the interface is 3051 * down or BT radio is turned off, which takes 5 seconds to BT LED 3052 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the 3053 * device in the RFKILL ON state which turns off the BT LED immediately. 3054 */ 3055 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 3056 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 3057 if (IS_ERR(skb)) { 3058 ret = PTR_ERR(skb); 3059 bt_dev_err(hdev, "turning off Intel device LED failed"); 3060 return ret; 3061 } 3062 kfree_skb(skb); 3063 } 3064 3065 return 0; 3066 } 3067 3068 int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name) 3069 { 3070 hdev->manufacturer = 2; 3071 hdev->setup = btintel_setup_combined; 3072 hdev->shutdown = btintel_shutdown_combined; 3073 hdev->hw_error = btintel_hw_error; 3074 hdev->set_diag = btintel_set_diag_combined; 3075 hdev->set_bdaddr = btintel_set_bdaddr; 3076 3077 coredump_info.driver_name = driver_name; 3078 3079 return 0; 3080 } 3081 EXPORT_SYMBOL_GPL(btintel_configure_setup); 3082 3083 static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 3084 { 3085 struct intel_tlv *tlv = (void *)&skb->data[5]; 3086 3087 /* The first event is always an event type TLV */ 3088 if (tlv->type != INTEL_TLV_TYPE_ID) 3089 goto recv_frame; 3090 3091 switch (tlv->val[0]) { 3092 case INTEL_TLV_SYSTEM_EXCEPTION: 3093 case INTEL_TLV_FATAL_EXCEPTION: 3094 case INTEL_TLV_DEBUG_EXCEPTION: 3095 case INTEL_TLV_TEST_EXCEPTION: 3096 /* Generate devcoredump from exception */ 3097 if (!hci_devcd_init(hdev, skb->len)) { 3098 hci_devcd_append(hdev, skb); 3099 hci_devcd_complete(hdev); 3100 } else { 3101 bt_dev_err(hdev, "Failed to generate devcoredump"); 3102 kfree_skb(skb); 3103 } 3104 return 0; 3105 default: 3106 bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]); 3107 } 3108 3109 recv_frame: 3110 return hci_recv_frame(hdev, skb); 3111 } 3112 3113 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 3114 { 3115 struct hci_event_hdr *hdr = (void *)skb->data; 3116 const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 }; 3117 3118 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 3119 hdr->plen > 0) { 3120 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 3121 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 3122 3123 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 3124 switch (skb->data[2]) { 3125 case 0x02: 3126 /* When switching to the operational firmware 3127 * the device sends a vendor specific event 3128 * indicating that the bootup completed. 3129 */ 3130 btintel_bootup(hdev, ptr, len); 3131 break; 3132 case 0x06: 3133 /* When the firmware loading completes the 3134 * device sends out a vendor specific event 3135 * indicating the result of the firmware 3136 * loading. 3137 */ 3138 btintel_secure_send_result(hdev, ptr, len); 3139 break; 3140 } 3141 } 3142 3143 /* Handle all diagnostics events separately. May still call 3144 * hci_recv_frame. 3145 */ 3146 if (len >= sizeof(diagnostics_hdr) && 3147 memcmp(&skb->data[2], diagnostics_hdr, 3148 sizeof(diagnostics_hdr)) == 0) { 3149 return btintel_diagnostics(hdev, skb); 3150 } 3151 } 3152 3153 return hci_recv_frame(hdev, skb); 3154 } 3155 EXPORT_SYMBOL_GPL(btintel_recv_event); 3156 3157 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len) 3158 { 3159 const struct intel_bootup *evt = ptr; 3160 3161 if (len != sizeof(*evt)) 3162 return; 3163 3164 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING)) 3165 btintel_wake_up_flag(hdev, INTEL_BOOTING); 3166 } 3167 EXPORT_SYMBOL_GPL(btintel_bootup); 3168 3169 void btintel_secure_send_result(struct hci_dev *hdev, 3170 const void *ptr, unsigned int len) 3171 { 3172 const struct intel_secure_send_result *evt = ptr; 3173 3174 if (len != sizeof(*evt)) 3175 return; 3176 3177 if (evt->result) 3178 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED); 3179 3180 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) && 3181 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED)) 3182 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING); 3183 } 3184 EXPORT_SYMBOL_GPL(btintel_secure_send_result); 3185 3186 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3187 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION); 3188 MODULE_VERSION(VERSION); 3189 MODULE_LICENSE("GPL"); 3190 MODULE_FIRMWARE("intel/ibt-11-5.sfi"); 3191 MODULE_FIRMWARE("intel/ibt-11-5.ddc"); 3192 MODULE_FIRMWARE("intel/ibt-12-16.sfi"); 3193 MODULE_FIRMWARE("intel/ibt-12-16.ddc"); 3194