1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * Bluetooth support for Intel devices 5 * 6 * Copyright (C) 2015 Intel Corporation 7 */ 8 9 #include <linux/module.h> 10 #include <linux/firmware.h> 11 #include <linux/regmap.h> 12 #include <linux/acpi.h> 13 #include <acpi/acpi_bus.h> 14 #include <linux/unaligned.h> 15 #include <linux/efi.h> 16 17 #include <net/bluetooth/bluetooth.h> 18 #include <net/bluetooth/hci_core.h> 19 20 #include "btintel.h" 21 22 #define VERSION "0.1" 23 24 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 25 #define RSA_HEADER_LEN 644 26 #define CSS_HEADER_OFFSET 8 27 #define ECDSA_OFFSET 644 28 #define ECDSA_HEADER_LEN 320 29 30 #define BTINTEL_EFI_DSBR L"UefiCnvCommonDSBR" 31 32 enum { 33 DSM_SET_WDISABLE2_DELAY = 1, 34 DSM_SET_RESET_METHOD = 3, 35 }; 36 37 #define CMD_WRITE_BOOT_PARAMS 0xfc0e 38 struct cmd_write_boot_params { 39 __le32 boot_addr; 40 u8 fw_build_num; 41 u8 fw_build_ww; 42 u8 fw_build_yy; 43 } __packed; 44 45 static struct { 46 const char *driver_name; 47 u8 hw_variant; 48 u32 fw_build_num; 49 } coredump_info; 50 51 static const guid_t btintel_guid_dsm = 52 GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233, 53 0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9); 54 55 int btintel_check_bdaddr(struct hci_dev *hdev) 56 { 57 struct hci_rp_read_bd_addr *bda; 58 struct sk_buff *skb; 59 60 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 61 HCI_INIT_TIMEOUT); 62 if (IS_ERR(skb)) { 63 int err = PTR_ERR(skb); 64 bt_dev_err(hdev, "Reading Intel device address failed (%d)", 65 err); 66 return err; 67 } 68 69 if (skb->len != sizeof(*bda)) { 70 bt_dev_err(hdev, "Intel device address length mismatch"); 71 kfree_skb(skb); 72 return -EIO; 73 } 74 75 bda = (struct hci_rp_read_bd_addr *)skb->data; 76 77 /* For some Intel based controllers, the default Bluetooth device 78 * address 00:03:19:9E:8B:00 can be found. These controllers are 79 * fully operational, but have the danger of duplicate addresses 80 * and that in turn can cause problems with Bluetooth operation. 81 */ 82 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) { 83 bt_dev_err(hdev, "Found Intel default device address (%pMR)", 84 &bda->bdaddr); 85 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 86 } 87 88 kfree_skb(skb); 89 90 return 0; 91 } 92 EXPORT_SYMBOL_GPL(btintel_check_bdaddr); 93 94 int btintel_enter_mfg(struct hci_dev *hdev) 95 { 96 static const u8 param[] = { 0x01, 0x00 }; 97 struct sk_buff *skb; 98 99 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 100 if (IS_ERR(skb)) { 101 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)", 102 PTR_ERR(skb)); 103 return PTR_ERR(skb); 104 } 105 kfree_skb(skb); 106 107 return 0; 108 } 109 EXPORT_SYMBOL_GPL(btintel_enter_mfg); 110 111 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched) 112 { 113 u8 param[] = { 0x00, 0x00 }; 114 struct sk_buff *skb; 115 116 /* The 2nd command parameter specifies the manufacturing exit method: 117 * 0x00: Just disable the manufacturing mode (0x00). 118 * 0x01: Disable manufacturing mode and reset with patches deactivated. 119 * 0x02: Disable manufacturing mode and reset with patches activated. 120 */ 121 if (reset) 122 param[1] |= patched ? 0x02 : 0x01; 123 124 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 125 if (IS_ERR(skb)) { 126 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)", 127 PTR_ERR(skb)); 128 return PTR_ERR(skb); 129 } 130 kfree_skb(skb); 131 132 return 0; 133 } 134 EXPORT_SYMBOL_GPL(btintel_exit_mfg); 135 136 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 137 { 138 struct sk_buff *skb; 139 int err; 140 141 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 142 if (IS_ERR(skb)) { 143 err = PTR_ERR(skb); 144 bt_dev_err(hdev, "Changing Intel device address failed (%d)", 145 err); 146 return err; 147 } 148 kfree_skb(skb); 149 150 return 0; 151 } 152 EXPORT_SYMBOL_GPL(btintel_set_bdaddr); 153 154 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug) 155 { 156 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 157 struct sk_buff *skb; 158 int err; 159 160 if (debug) 161 mask[1] |= 0x62; 162 163 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT); 164 if (IS_ERR(skb)) { 165 err = PTR_ERR(skb); 166 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err); 167 return err; 168 } 169 kfree_skb(skb); 170 171 return 0; 172 } 173 174 int btintel_set_diag(struct hci_dev *hdev, bool enable) 175 { 176 struct sk_buff *skb; 177 u8 param[3]; 178 int err; 179 180 if (enable) { 181 param[0] = 0x03; 182 param[1] = 0x03; 183 param[2] = 0x03; 184 } else { 185 param[0] = 0x00; 186 param[1] = 0x00; 187 param[2] = 0x00; 188 } 189 190 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT); 191 if (IS_ERR(skb)) { 192 err = PTR_ERR(skb); 193 if (err == -ENODATA) 194 goto done; 195 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)", 196 err); 197 return err; 198 } 199 kfree_skb(skb); 200 201 done: 202 btintel_set_event_mask(hdev, enable); 203 return 0; 204 } 205 EXPORT_SYMBOL_GPL(btintel_set_diag); 206 207 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable) 208 { 209 int err, ret; 210 211 err = btintel_enter_mfg(hdev); 212 if (err) 213 return err; 214 215 ret = btintel_set_diag(hdev, enable); 216 217 err = btintel_exit_mfg(hdev, false, false); 218 if (err) 219 return err; 220 221 return ret; 222 } 223 224 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable) 225 { 226 int ret; 227 228 /* Legacy ROM device needs to be in the manufacturer mode to apply 229 * diagnostic setting 230 * 231 * This flag is set after reading the Intel version. 232 */ 233 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY)) 234 ret = btintel_set_diag_mfg(hdev, enable); 235 else 236 ret = btintel_set_diag(hdev, enable); 237 238 return ret; 239 } 240 241 void btintel_hw_error(struct hci_dev *hdev, u8 code) 242 { 243 struct sk_buff *skb; 244 u8 type = 0x00; 245 246 bt_dev_err(hdev, "Hardware error 0x%2.2x", code); 247 248 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 249 if (IS_ERR(skb)) { 250 bt_dev_err(hdev, "Reset after hardware error failed (%ld)", 251 PTR_ERR(skb)); 252 return; 253 } 254 kfree_skb(skb); 255 256 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 257 if (IS_ERR(skb)) { 258 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)", 259 PTR_ERR(skb)); 260 return; 261 } 262 263 if (skb->len != 13) { 264 bt_dev_err(hdev, "Exception info size mismatch"); 265 kfree_skb(skb); 266 return; 267 } 268 269 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1)); 270 271 kfree_skb(skb); 272 } 273 EXPORT_SYMBOL_GPL(btintel_hw_error); 274 275 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver) 276 { 277 const char *variant; 278 279 /* The hardware platform number has a fixed value of 0x37 and 280 * for now only accept this single value. 281 */ 282 if (ver->hw_platform != 0x37) { 283 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)", 284 ver->hw_platform); 285 return -EINVAL; 286 } 287 288 /* Check for supported iBT hardware variants of this firmware 289 * loading method. 290 * 291 * This check has been put in place to ensure correct forward 292 * compatibility options when newer hardware variants come along. 293 */ 294 switch (ver->hw_variant) { 295 case 0x07: /* WP - Legacy ROM */ 296 case 0x08: /* StP - Legacy ROM */ 297 case 0x0b: /* SfP */ 298 case 0x0c: /* WsP */ 299 case 0x11: /* JfP */ 300 case 0x12: /* ThP */ 301 case 0x13: /* HrP */ 302 case 0x14: /* CcP */ 303 break; 304 default: 305 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)", 306 ver->hw_variant); 307 return -EINVAL; 308 } 309 310 switch (ver->fw_variant) { 311 case 0x01: 312 variant = "Legacy ROM 2.5"; 313 break; 314 case 0x06: 315 variant = "Bootloader"; 316 break; 317 case 0x22: 318 variant = "Legacy ROM 2.x"; 319 break; 320 case 0x23: 321 variant = "Firmware"; 322 break; 323 default: 324 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant); 325 return -EINVAL; 326 } 327 328 coredump_info.hw_variant = ver->hw_variant; 329 coredump_info.fw_build_num = ver->fw_build_num; 330 331 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u", 332 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 333 ver->fw_build_num, ver->fw_build_ww, 334 2000 + ver->fw_build_yy); 335 336 return 0; 337 } 338 EXPORT_SYMBOL_GPL(btintel_version_info); 339 340 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen, 341 const void *param) 342 { 343 while (plen > 0) { 344 struct sk_buff *skb; 345 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 346 347 cmd_param[0] = fragment_type; 348 memcpy(cmd_param + 1, param, fragment_len); 349 350 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 351 cmd_param, HCI_INIT_TIMEOUT); 352 if (IS_ERR(skb)) 353 return PTR_ERR(skb); 354 355 kfree_skb(skb); 356 357 plen -= fragment_len; 358 param += fragment_len; 359 } 360 361 return 0; 362 } 363 364 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name) 365 { 366 const struct firmware *fw; 367 struct sk_buff *skb; 368 const u8 *fw_ptr; 369 int err; 370 371 err = request_firmware_direct(&fw, ddc_name, &hdev->dev); 372 if (err < 0) { 373 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)", 374 ddc_name, err); 375 return err; 376 } 377 378 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name); 379 380 fw_ptr = fw->data; 381 382 /* DDC file contains one or more DDC structure which has 383 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 384 */ 385 while (fw->size > fw_ptr - fw->data) { 386 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 387 388 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 389 HCI_INIT_TIMEOUT); 390 if (IS_ERR(skb)) { 391 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)", 392 PTR_ERR(skb)); 393 release_firmware(fw); 394 return PTR_ERR(skb); 395 } 396 397 fw_ptr += cmd_plen; 398 kfree_skb(skb); 399 } 400 401 release_firmware(fw); 402 403 bt_dev_info(hdev, "Applying Intel DDC parameters completed"); 404 405 return 0; 406 } 407 EXPORT_SYMBOL_GPL(btintel_load_ddc_config); 408 409 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug) 410 { 411 int err, ret; 412 413 err = btintel_enter_mfg(hdev); 414 if (err) 415 return err; 416 417 ret = btintel_set_event_mask(hdev, debug); 418 419 err = btintel_exit_mfg(hdev, false, false); 420 if (err) 421 return err; 422 423 return ret; 424 } 425 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg); 426 427 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) 428 { 429 struct sk_buff *skb; 430 431 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); 432 if (IS_ERR(skb)) { 433 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 434 PTR_ERR(skb)); 435 return PTR_ERR(skb); 436 } 437 438 if (!skb || skb->len != sizeof(*ver)) { 439 bt_dev_err(hdev, "Intel version event size mismatch"); 440 kfree_skb(skb); 441 return -EILSEQ; 442 } 443 444 memcpy(ver, skb->data, sizeof(*ver)); 445 446 kfree_skb(skb); 447 448 return 0; 449 } 450 EXPORT_SYMBOL_GPL(btintel_read_version); 451 452 int btintel_version_info_tlv(struct hci_dev *hdev, 453 struct intel_version_tlv *version) 454 { 455 const char *variant; 456 457 /* The hardware platform number has a fixed value of 0x37 and 458 * for now only accept this single value. 459 */ 460 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) { 461 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 462 INTEL_HW_PLATFORM(version->cnvi_bt)); 463 return -EINVAL; 464 } 465 466 /* Check for supported iBT hardware variants of this firmware 467 * loading method. 468 * 469 * This check has been put in place to ensure correct forward 470 * compatibility options when newer hardware variants come along. 471 */ 472 switch (INTEL_HW_VARIANT(version->cnvi_bt)) { 473 case 0x17: /* TyP */ 474 case 0x18: /* Slr */ 475 case 0x19: /* Slr-F */ 476 case 0x1b: /* Mgr */ 477 case 0x1c: /* Gale Peak (GaP) */ 478 case 0x1d: /* BlazarU (BzrU) */ 479 case 0x1e: /* BlazarI (Bzr) */ 480 break; 481 default: 482 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)", 483 INTEL_HW_VARIANT(version->cnvi_bt)); 484 return -EINVAL; 485 } 486 487 switch (version->img_type) { 488 case BTINTEL_IMG_BOOTLOADER: 489 variant = "Bootloader"; 490 /* It is required that every single firmware fragment is acknowledged 491 * with a command complete event. If the boot parameters indicate 492 * that this bootloader does not send them, then abort the setup. 493 */ 494 if (version->limited_cce != 0x00) { 495 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)", 496 version->limited_cce); 497 return -EINVAL; 498 } 499 500 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */ 501 if (version->sbe_type > 0x01) { 502 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)", 503 version->sbe_type); 504 return -EINVAL; 505 } 506 507 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id); 508 bt_dev_info(hdev, "Secure boot is %s", 509 version->secure_boot ? "enabled" : "disabled"); 510 bt_dev_info(hdev, "OTP lock is %s", 511 version->otp_lock ? "enabled" : "disabled"); 512 bt_dev_info(hdev, "API lock is %s", 513 version->api_lock ? "enabled" : "disabled"); 514 bt_dev_info(hdev, "Debug lock is %s", 515 version->debug_lock ? "enabled" : "disabled"); 516 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 517 version->min_fw_build_nn, version->min_fw_build_cw, 518 2000 + version->min_fw_build_yy); 519 break; 520 case BTINTEL_IMG_IML: 521 variant = "Intermediate loader"; 522 break; 523 case BTINTEL_IMG_OP: 524 variant = "Firmware"; 525 break; 526 default: 527 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type); 528 return -EINVAL; 529 } 530 531 coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt); 532 coredump_info.fw_build_num = version->build_num; 533 534 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant, 535 2000 + (version->timestamp >> 8), version->timestamp & 0xff, 536 version->build_type, version->build_num); 537 if (version->img_type == BTINTEL_IMG_OP) 538 bt_dev_info(hdev, "Firmware SHA1: 0x%8.8x", version->git_sha1); 539 540 return 0; 541 } 542 EXPORT_SYMBOL_GPL(btintel_version_info_tlv); 543 544 int btintel_parse_version_tlv(struct hci_dev *hdev, 545 struct intel_version_tlv *version, 546 struct sk_buff *skb) 547 { 548 /* Consume Command Complete Status field */ 549 skb_pull(skb, 1); 550 551 /* Event parameters contatin multiple TLVs. Read each of them 552 * and only keep the required data. Also, it use existing legacy 553 * version field like hw_platform, hw_variant, and fw_variant 554 * to keep the existing setup flow 555 */ 556 while (skb->len) { 557 struct intel_tlv *tlv; 558 559 /* Make sure skb has a minimum length of the header */ 560 if (skb->len < sizeof(*tlv)) 561 return -EINVAL; 562 563 tlv = (struct intel_tlv *)skb->data; 564 565 /* Make sure skb has a enough data */ 566 if (skb->len < tlv->len + sizeof(*tlv)) 567 return -EINVAL; 568 569 switch (tlv->type) { 570 case INTEL_TLV_CNVI_TOP: 571 version->cnvi_top = get_unaligned_le32(tlv->val); 572 break; 573 case INTEL_TLV_CNVR_TOP: 574 version->cnvr_top = get_unaligned_le32(tlv->val); 575 break; 576 case INTEL_TLV_CNVI_BT: 577 version->cnvi_bt = get_unaligned_le32(tlv->val); 578 break; 579 case INTEL_TLV_CNVR_BT: 580 version->cnvr_bt = get_unaligned_le32(tlv->val); 581 break; 582 case INTEL_TLV_DEV_REV_ID: 583 version->dev_rev_id = get_unaligned_le16(tlv->val); 584 break; 585 case INTEL_TLV_IMAGE_TYPE: 586 version->img_type = tlv->val[0]; 587 break; 588 case INTEL_TLV_TIME_STAMP: 589 /* If image type is Operational firmware (0x03), then 590 * running FW Calendar Week and Year information can 591 * be extracted from Timestamp information 592 */ 593 version->min_fw_build_cw = tlv->val[0]; 594 version->min_fw_build_yy = tlv->val[1]; 595 version->timestamp = get_unaligned_le16(tlv->val); 596 break; 597 case INTEL_TLV_BUILD_TYPE: 598 version->build_type = tlv->val[0]; 599 break; 600 case INTEL_TLV_BUILD_NUM: 601 /* If image type is Operational firmware (0x03), then 602 * running FW build number can be extracted from the 603 * Build information 604 */ 605 version->min_fw_build_nn = tlv->val[0]; 606 version->build_num = get_unaligned_le32(tlv->val); 607 break; 608 case INTEL_TLV_SECURE_BOOT: 609 version->secure_boot = tlv->val[0]; 610 break; 611 case INTEL_TLV_OTP_LOCK: 612 version->otp_lock = tlv->val[0]; 613 break; 614 case INTEL_TLV_API_LOCK: 615 version->api_lock = tlv->val[0]; 616 break; 617 case INTEL_TLV_DEBUG_LOCK: 618 version->debug_lock = tlv->val[0]; 619 break; 620 case INTEL_TLV_MIN_FW: 621 version->min_fw_build_nn = tlv->val[0]; 622 version->min_fw_build_cw = tlv->val[1]; 623 version->min_fw_build_yy = tlv->val[2]; 624 break; 625 case INTEL_TLV_LIMITED_CCE: 626 version->limited_cce = tlv->val[0]; 627 break; 628 case INTEL_TLV_SBE_TYPE: 629 version->sbe_type = tlv->val[0]; 630 break; 631 case INTEL_TLV_OTP_BDADDR: 632 memcpy(&version->otp_bd_addr, tlv->val, 633 sizeof(bdaddr_t)); 634 break; 635 case INTEL_TLV_GIT_SHA1: 636 version->git_sha1 = get_unaligned_le32(tlv->val); 637 break; 638 case INTEL_TLV_FW_ID: 639 snprintf(version->fw_id, sizeof(version->fw_id), 640 "%s", tlv->val); 641 break; 642 default: 643 /* Ignore rest of information */ 644 break; 645 } 646 /* consume the current tlv and move to next*/ 647 skb_pull(skb, tlv->len + sizeof(*tlv)); 648 } 649 650 return 0; 651 } 652 EXPORT_SYMBOL_GPL(btintel_parse_version_tlv); 653 654 static int btintel_read_version_tlv(struct hci_dev *hdev, 655 struct intel_version_tlv *version) 656 { 657 struct sk_buff *skb; 658 const u8 param[1] = { 0xFF }; 659 660 if (!version) 661 return -EINVAL; 662 663 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 664 if (IS_ERR(skb)) { 665 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 666 PTR_ERR(skb)); 667 return PTR_ERR(skb); 668 } 669 670 if (skb->data[0]) { 671 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 672 skb->data[0]); 673 kfree_skb(skb); 674 return -EIO; 675 } 676 677 btintel_parse_version_tlv(hdev, version, skb); 678 679 kfree_skb(skb); 680 return 0; 681 } 682 683 /* ------- REGMAP IBT SUPPORT ------- */ 684 685 #define IBT_REG_MODE_8BIT 0x00 686 #define IBT_REG_MODE_16BIT 0x01 687 #define IBT_REG_MODE_32BIT 0x02 688 689 struct regmap_ibt_context { 690 struct hci_dev *hdev; 691 __u16 op_write; 692 __u16 op_read; 693 }; 694 695 struct ibt_cp_reg_access { 696 __le32 addr; 697 __u8 mode; 698 __u8 len; 699 __u8 data[]; 700 } __packed; 701 702 struct ibt_rp_reg_access { 703 __u8 status; 704 __le32 addr; 705 __u8 data[]; 706 } __packed; 707 708 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size, 709 void *val, size_t val_size) 710 { 711 struct regmap_ibt_context *ctx = context; 712 struct ibt_cp_reg_access cp; 713 struct ibt_rp_reg_access *rp; 714 struct sk_buff *skb; 715 int err = 0; 716 717 if (reg_size != sizeof(__le32)) 718 return -EINVAL; 719 720 switch (val_size) { 721 case 1: 722 cp.mode = IBT_REG_MODE_8BIT; 723 break; 724 case 2: 725 cp.mode = IBT_REG_MODE_16BIT; 726 break; 727 case 4: 728 cp.mode = IBT_REG_MODE_32BIT; 729 break; 730 default: 731 return -EINVAL; 732 } 733 734 /* regmap provides a little-endian formatted addr */ 735 cp.addr = *(__le32 *)addr; 736 cp.len = val_size; 737 738 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr)); 739 740 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp, 741 HCI_CMD_TIMEOUT); 742 if (IS_ERR(skb)) { 743 err = PTR_ERR(skb); 744 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)", 745 le32_to_cpu(cp.addr), err); 746 return err; 747 } 748 749 if (skb->len != sizeof(*rp) + val_size) { 750 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len", 751 le32_to_cpu(cp.addr)); 752 err = -EINVAL; 753 goto done; 754 } 755 756 rp = (struct ibt_rp_reg_access *)skb->data; 757 758 if (rp->addr != cp.addr) { 759 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr", 760 le32_to_cpu(rp->addr)); 761 err = -EINVAL; 762 goto done; 763 } 764 765 memcpy(val, rp->data, val_size); 766 767 done: 768 kfree_skb(skb); 769 return err; 770 } 771 772 static int regmap_ibt_gather_write(void *context, 773 const void *addr, size_t reg_size, 774 const void *val, size_t val_size) 775 { 776 struct regmap_ibt_context *ctx = context; 777 struct ibt_cp_reg_access *cp; 778 struct sk_buff *skb; 779 int plen = sizeof(*cp) + val_size; 780 u8 mode; 781 int err = 0; 782 783 if (reg_size != sizeof(__le32)) 784 return -EINVAL; 785 786 switch (val_size) { 787 case 1: 788 mode = IBT_REG_MODE_8BIT; 789 break; 790 case 2: 791 mode = IBT_REG_MODE_16BIT; 792 break; 793 case 4: 794 mode = IBT_REG_MODE_32BIT; 795 break; 796 default: 797 return -EINVAL; 798 } 799 800 cp = kmalloc(plen, GFP_KERNEL); 801 if (!cp) 802 return -ENOMEM; 803 804 /* regmap provides a little-endian formatted addr/value */ 805 cp->addr = *(__le32 *)addr; 806 cp->mode = mode; 807 cp->len = val_size; 808 memcpy(&cp->data, val, val_size); 809 810 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr)); 811 812 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT); 813 if (IS_ERR(skb)) { 814 err = PTR_ERR(skb); 815 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)", 816 le32_to_cpu(cp->addr), err); 817 goto done; 818 } 819 kfree_skb(skb); 820 821 done: 822 kfree(cp); 823 return err; 824 } 825 826 static int regmap_ibt_write(void *context, const void *data, size_t count) 827 { 828 /* data contains register+value, since we only support 32bit addr, 829 * minimum data size is 4 bytes. 830 */ 831 if (WARN_ONCE(count < 4, "Invalid register access")) 832 return -EINVAL; 833 834 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4); 835 } 836 837 static void regmap_ibt_free_context(void *context) 838 { 839 kfree(context); 840 } 841 842 static const struct regmap_bus regmap_ibt = { 843 .read = regmap_ibt_read, 844 .write = regmap_ibt_write, 845 .gather_write = regmap_ibt_gather_write, 846 .free_context = regmap_ibt_free_context, 847 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE, 848 .val_format_endian_default = REGMAP_ENDIAN_LITTLE, 849 }; 850 851 /* Config is the same for all register regions */ 852 static const struct regmap_config regmap_ibt_cfg = { 853 .name = "btintel_regmap", 854 .reg_bits = 32, 855 .val_bits = 32, 856 }; 857 858 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read, 859 u16 opcode_write) 860 { 861 struct regmap_ibt_context *ctx; 862 863 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read, 864 opcode_write); 865 866 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 867 if (!ctx) 868 return ERR_PTR(-ENOMEM); 869 870 ctx->op_read = opcode_read; 871 ctx->op_write = opcode_write; 872 ctx->hdev = hdev; 873 874 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg); 875 } 876 EXPORT_SYMBOL_GPL(btintel_regmap_init); 877 878 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param) 879 { 880 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 }; 881 struct sk_buff *skb; 882 883 params.boot_param = cpu_to_le32(boot_param); 884 885 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms, 886 HCI_INIT_TIMEOUT); 887 if (IS_ERR(skb)) { 888 bt_dev_err(hdev, "Failed to send Intel Reset command"); 889 return PTR_ERR(skb); 890 } 891 892 kfree_skb(skb); 893 894 return 0; 895 } 896 EXPORT_SYMBOL_GPL(btintel_send_intel_reset); 897 898 int btintel_read_boot_params(struct hci_dev *hdev, 899 struct intel_boot_params *params) 900 { 901 struct sk_buff *skb; 902 903 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 904 if (IS_ERR(skb)) { 905 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)", 906 PTR_ERR(skb)); 907 return PTR_ERR(skb); 908 } 909 910 if (skb->len != sizeof(*params)) { 911 bt_dev_err(hdev, "Intel boot parameters size mismatch"); 912 kfree_skb(skb); 913 return -EILSEQ; 914 } 915 916 memcpy(params, skb->data, sizeof(*params)); 917 918 kfree_skb(skb); 919 920 if (params->status) { 921 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)", 922 params->status); 923 return -bt_to_errno(params->status); 924 } 925 926 bt_dev_info(hdev, "Device revision is %u", 927 le16_to_cpu(params->dev_revid)); 928 929 bt_dev_info(hdev, "Secure boot is %s", 930 params->secure_boot ? "enabled" : "disabled"); 931 932 bt_dev_info(hdev, "OTP lock is %s", 933 params->otp_lock ? "enabled" : "disabled"); 934 935 bt_dev_info(hdev, "API lock is %s", 936 params->api_lock ? "enabled" : "disabled"); 937 938 bt_dev_info(hdev, "Debug lock is %s", 939 params->debug_lock ? "enabled" : "disabled"); 940 941 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 942 params->min_fw_build_nn, params->min_fw_build_cw, 943 2000 + params->min_fw_build_yy); 944 945 return 0; 946 } 947 EXPORT_SYMBOL_GPL(btintel_read_boot_params); 948 949 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev, 950 const struct firmware *fw) 951 { 952 int err; 953 954 /* Start the firmware download transaction with the Init fragment 955 * represented by the 128 bytes of CSS header. 956 */ 957 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 958 if (err < 0) { 959 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 960 goto done; 961 } 962 963 /* Send the 256 bytes of public key information from the firmware 964 * as the PKey fragment. 965 */ 966 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 967 if (err < 0) { 968 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 969 goto done; 970 } 971 972 /* Send the 256 bytes of signature information from the firmware 973 * as the Sign fragment. 974 */ 975 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 976 if (err < 0) { 977 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err); 978 goto done; 979 } 980 981 done: 982 return err; 983 } 984 985 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev, 986 const struct firmware *fw) 987 { 988 int err; 989 990 /* Start the firmware download transaction with the Init fragment 991 * represented by the 128 bytes of CSS header. 992 */ 993 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644); 994 if (err < 0) { 995 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 996 return err; 997 } 998 999 /* Send the 96 bytes of public key information from the firmware 1000 * as the PKey fragment. 1001 */ 1002 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128); 1003 if (err < 0) { 1004 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 1005 return err; 1006 } 1007 1008 /* Send the 96 bytes of signature information from the firmware 1009 * as the Sign fragment 1010 */ 1011 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224); 1012 if (err < 0) { 1013 bt_dev_err(hdev, "Failed to send firmware signature (%d)", 1014 err); 1015 return err; 1016 } 1017 return 0; 1018 } 1019 1020 static int btintel_download_firmware_payload(struct hci_dev *hdev, 1021 const struct firmware *fw, 1022 size_t offset) 1023 { 1024 int err; 1025 const u8 *fw_ptr; 1026 u32 frag_len; 1027 1028 fw_ptr = fw->data + offset; 1029 frag_len = 0; 1030 err = -EINVAL; 1031 1032 while (fw_ptr - fw->data < fw->size) { 1033 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 1034 1035 frag_len += sizeof(*cmd) + cmd->plen; 1036 1037 /* The parameter length of the secure send command requires 1038 * a 4 byte alignment. It happens so that the firmware file 1039 * contains proper Intel_NOP commands to align the fragments 1040 * as needed. 1041 * 1042 * Send set of commands with 4 byte alignment from the 1043 * firmware data buffer as a single Data fragement. 1044 */ 1045 if (!(frag_len % 4)) { 1046 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 1047 if (err < 0) { 1048 bt_dev_err(hdev, 1049 "Failed to send firmware data (%d)", 1050 err); 1051 goto done; 1052 } 1053 1054 fw_ptr += frag_len; 1055 frag_len = 0; 1056 } 1057 } 1058 1059 done: 1060 return err; 1061 } 1062 1063 static bool btintel_firmware_version(struct hci_dev *hdev, 1064 u8 num, u8 ww, u8 yy, 1065 const struct firmware *fw, 1066 u32 *boot_addr) 1067 { 1068 const u8 *fw_ptr; 1069 1070 fw_ptr = fw->data; 1071 1072 while (fw_ptr - fw->data < fw->size) { 1073 struct hci_command_hdr *cmd = (void *)(fw_ptr); 1074 1075 /* Each SKU has a different reset parameter to use in the 1076 * HCI_Intel_Reset command and it is embedded in the firmware 1077 * data. So, instead of using static value per SKU, check 1078 * the firmware data and save it for later use. 1079 */ 1080 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) { 1081 struct cmd_write_boot_params *params; 1082 1083 params = (void *)(fw_ptr + sizeof(*cmd)); 1084 1085 *boot_addr = le32_to_cpu(params->boot_addr); 1086 1087 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr); 1088 1089 bt_dev_info(hdev, "Firmware Version: %u-%u.%u", 1090 params->fw_build_num, params->fw_build_ww, 1091 params->fw_build_yy); 1092 1093 return (num == params->fw_build_num && 1094 ww == params->fw_build_ww && 1095 yy == params->fw_build_yy); 1096 } 1097 1098 fw_ptr += sizeof(*cmd) + cmd->plen; 1099 } 1100 1101 return false; 1102 } 1103 1104 int btintel_download_firmware(struct hci_dev *hdev, 1105 struct intel_version *ver, 1106 const struct firmware *fw, 1107 u32 *boot_param) 1108 { 1109 int err; 1110 1111 /* SfP and WsP don't seem to update the firmware version on file 1112 * so version checking is currently not possible. 1113 */ 1114 switch (ver->hw_variant) { 1115 case 0x0b: /* SfP */ 1116 case 0x0c: /* WsP */ 1117 /* Skip version checking */ 1118 break; 1119 default: 1120 1121 /* Skip download if firmware has the same version */ 1122 if (btintel_firmware_version(hdev, ver->fw_build_num, 1123 ver->fw_build_ww, ver->fw_build_yy, 1124 fw, boot_param)) { 1125 bt_dev_info(hdev, "Firmware already loaded"); 1126 /* Return -EALREADY to indicate that the firmware has 1127 * already been loaded. 1128 */ 1129 return -EALREADY; 1130 } 1131 } 1132 1133 /* The firmware variant determines if the device is in bootloader 1134 * mode or is running operational firmware. The value 0x06 identifies 1135 * the bootloader and the value 0x23 identifies the operational 1136 * firmware. 1137 * 1138 * If the firmware version has changed that means it needs to be reset 1139 * to bootloader when operational so the new firmware can be loaded. 1140 */ 1141 if (ver->fw_variant == 0x23) 1142 return -EINVAL; 1143 1144 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1145 if (err) 1146 return err; 1147 1148 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1149 } 1150 EXPORT_SYMBOL_GPL(btintel_download_firmware); 1151 1152 static int btintel_download_fw_tlv(struct hci_dev *hdev, 1153 struct intel_version_tlv *ver, 1154 const struct firmware *fw, u32 *boot_param, 1155 u8 hw_variant, u8 sbe_type) 1156 { 1157 int err; 1158 u32 css_header_ver; 1159 1160 /* Skip download if firmware has the same version */ 1161 if (btintel_firmware_version(hdev, ver->min_fw_build_nn, 1162 ver->min_fw_build_cw, 1163 ver->min_fw_build_yy, 1164 fw, boot_param)) { 1165 bt_dev_info(hdev, "Firmware already loaded"); 1166 /* Return -EALREADY to indicate that firmware has 1167 * already been loaded. 1168 */ 1169 return -EALREADY; 1170 } 1171 1172 /* The firmware variant determines if the device is in bootloader 1173 * mode or is running operational firmware. The value 0x01 identifies 1174 * the bootloader and the value 0x03 identifies the operational 1175 * firmware. 1176 * 1177 * If the firmware version has changed that means it needs to be reset 1178 * to bootloader when operational so the new firmware can be loaded. 1179 */ 1180 if (ver->img_type == BTINTEL_IMG_OP) 1181 return -EINVAL; 1182 1183 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support 1184 * only RSA secure boot engine. Hence, the corresponding sfi file will 1185 * have RSA header of 644 bytes followed by Command Buffer. 1186 * 1187 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA 1188 * secure boot engine. As a result, the corresponding sfi file will 1189 * have RSA header of 644, ECDSA header of 320 bytes followed by 1190 * Command Buffer. 1191 * 1192 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header 1193 * version: RSA(0x00010000) , ECDSA (0x00020000) 1194 */ 1195 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET); 1196 if (css_header_ver != 0x00010000) { 1197 bt_dev_err(hdev, "Invalid CSS Header version"); 1198 return -EINVAL; 1199 } 1200 1201 if (hw_variant <= 0x14) { 1202 if (sbe_type != 0x00) { 1203 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)", 1204 hw_variant); 1205 return -EINVAL; 1206 } 1207 1208 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1209 if (err) 1210 return err; 1211 1212 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1213 if (err) 1214 return err; 1215 } else if (hw_variant >= 0x17) { 1216 /* Check if CSS header for ECDSA follows the RSA header */ 1217 if (fw->data[ECDSA_OFFSET] != 0x06) 1218 return -EINVAL; 1219 1220 /* Check if the CSS Header version is ECDSA(0x00020000) */ 1221 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET); 1222 if (css_header_ver != 0x00020000) { 1223 bt_dev_err(hdev, "Invalid CSS Header version"); 1224 return -EINVAL; 1225 } 1226 1227 if (sbe_type == 0x00) { 1228 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1229 if (err) 1230 return err; 1231 1232 err = btintel_download_firmware_payload(hdev, fw, 1233 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1234 if (err) 1235 return err; 1236 } else if (sbe_type == 0x01) { 1237 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw); 1238 if (err) 1239 return err; 1240 1241 err = btintel_download_firmware_payload(hdev, fw, 1242 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1243 if (err) 1244 return err; 1245 } 1246 } 1247 return 0; 1248 } 1249 1250 static void btintel_reset_to_bootloader(struct hci_dev *hdev) 1251 { 1252 struct intel_reset params; 1253 struct sk_buff *skb; 1254 1255 /* Send Intel Reset command. This will result in 1256 * re-enumeration of BT controller. 1257 * 1258 * Intel Reset parameter description: 1259 * reset_type : 0x00 (Soft reset), 1260 * 0x01 (Hard reset) 1261 * patch_enable : 0x00 (Do not enable), 1262 * 0x01 (Enable) 1263 * ddc_reload : 0x00 (Do not reload), 1264 * 0x01 (Reload) 1265 * boot_option: 0x00 (Current image), 1266 * 0x01 (Specified boot address) 1267 * boot_param: Boot address 1268 * 1269 */ 1270 params.reset_type = 0x01; 1271 params.patch_enable = 0x01; 1272 params.ddc_reload = 0x01; 1273 params.boot_option = 0x00; 1274 params.boot_param = cpu_to_le32(0x00000000); 1275 1276 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), 1277 ¶ms, HCI_INIT_TIMEOUT); 1278 if (IS_ERR(skb)) { 1279 bt_dev_err(hdev, "FW download error recovery failed (%ld)", 1280 PTR_ERR(skb)); 1281 return; 1282 } 1283 bt_dev_info(hdev, "Intel reset sent to retry FW download"); 1284 kfree_skb(skb); 1285 1286 /* Current Intel BT controllers(ThP/JfP) hold the USB reset 1287 * lines for 2ms when it receives Intel Reset in bootloader mode. 1288 * Whereas, the upcoming Intel BT controllers will hold USB reset 1289 * for 150ms. To keep the delay generic, 150ms is chosen here. 1290 */ 1291 msleep(150); 1292 } 1293 1294 static int btintel_read_debug_features(struct hci_dev *hdev, 1295 struct intel_debug_features *features) 1296 { 1297 struct sk_buff *skb; 1298 u8 page_no = 1; 1299 1300 /* Intel controller supports two pages, each page is of 128-bit 1301 * feature bit mask. And each bit defines specific feature support 1302 */ 1303 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no, 1304 HCI_INIT_TIMEOUT); 1305 if (IS_ERR(skb)) { 1306 bt_dev_err(hdev, "Reading supported features failed (%ld)", 1307 PTR_ERR(skb)); 1308 return PTR_ERR(skb); 1309 } 1310 1311 if (skb->len != (sizeof(features->page1) + 3)) { 1312 bt_dev_err(hdev, "Supported features event size mismatch"); 1313 kfree_skb(skb); 1314 return -EILSEQ; 1315 } 1316 1317 memcpy(features->page1, skb->data + 3, sizeof(features->page1)); 1318 1319 /* Read the supported features page2 if required in future. 1320 */ 1321 kfree_skb(skb); 1322 return 0; 1323 } 1324 1325 static int btintel_set_debug_features(struct hci_dev *hdev, 1326 const struct intel_debug_features *features) 1327 { 1328 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00, 1329 0x00, 0x00, 0x00 }; 1330 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 }; 1331 u8 trace_enable = 0x02; 1332 struct sk_buff *skb; 1333 1334 if (!features) { 1335 bt_dev_warn(hdev, "Debug features not read"); 1336 return -EINVAL; 1337 } 1338 1339 if (!(features->page1[0] & 0x3f)) { 1340 bt_dev_info(hdev, "Telemetry exception format not supported"); 1341 return 0; 1342 } 1343 1344 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1345 if (IS_ERR(skb)) { 1346 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1347 PTR_ERR(skb)); 1348 return PTR_ERR(skb); 1349 } 1350 kfree_skb(skb); 1351 1352 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT); 1353 if (IS_ERR(skb)) { 1354 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)", 1355 PTR_ERR(skb)); 1356 return PTR_ERR(skb); 1357 } 1358 kfree_skb(skb); 1359 1360 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1361 if (IS_ERR(skb)) { 1362 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)", 1363 PTR_ERR(skb)); 1364 return PTR_ERR(skb); 1365 } 1366 kfree_skb(skb); 1367 1368 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x", 1369 trace_enable, mask[3]); 1370 1371 return 0; 1372 } 1373 1374 static int btintel_reset_debug_features(struct hci_dev *hdev, 1375 const struct intel_debug_features *features) 1376 { 1377 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 1378 0x00, 0x00, 0x00 }; 1379 u8 trace_enable = 0x00; 1380 struct sk_buff *skb; 1381 1382 if (!features) { 1383 bt_dev_warn(hdev, "Debug features not read"); 1384 return -EINVAL; 1385 } 1386 1387 if (!(features->page1[0] & 0x3f)) { 1388 bt_dev_info(hdev, "Telemetry exception format not supported"); 1389 return 0; 1390 } 1391 1392 /* Should stop the trace before writing ddc event mask. */ 1393 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1394 if (IS_ERR(skb)) { 1395 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)", 1396 PTR_ERR(skb)); 1397 return PTR_ERR(skb); 1398 } 1399 kfree_skb(skb); 1400 1401 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1402 if (IS_ERR(skb)) { 1403 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1404 PTR_ERR(skb)); 1405 return PTR_ERR(skb); 1406 } 1407 kfree_skb(skb); 1408 1409 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x", 1410 trace_enable, mask[3]); 1411 1412 return 0; 1413 } 1414 1415 int btintel_set_quality_report(struct hci_dev *hdev, bool enable) 1416 { 1417 struct intel_debug_features features; 1418 int err; 1419 1420 bt_dev_dbg(hdev, "enable %d", enable); 1421 1422 /* Read the Intel supported features and if new exception formats 1423 * supported, need to load the additional DDC config to enable. 1424 */ 1425 err = btintel_read_debug_features(hdev, &features); 1426 if (err) 1427 return err; 1428 1429 /* Set or reset the debug features. */ 1430 if (enable) 1431 err = btintel_set_debug_features(hdev, &features); 1432 else 1433 err = btintel_reset_debug_features(hdev, &features); 1434 1435 return err; 1436 } 1437 EXPORT_SYMBOL_GPL(btintel_set_quality_report); 1438 1439 static void btintel_coredump(struct hci_dev *hdev) 1440 { 1441 struct sk_buff *skb; 1442 1443 skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT); 1444 if (IS_ERR(skb)) { 1445 bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb)); 1446 return; 1447 } 1448 1449 kfree_skb(skb); 1450 } 1451 1452 static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb) 1453 { 1454 char buf[80]; 1455 1456 snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n", 1457 coredump_info.hw_variant); 1458 skb_put_data(skb, buf, strlen(buf)); 1459 1460 snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n", 1461 coredump_info.fw_build_num); 1462 skb_put_data(skb, buf, strlen(buf)); 1463 1464 snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name); 1465 skb_put_data(skb, buf, strlen(buf)); 1466 1467 snprintf(buf, sizeof(buf), "Vendor: Intel\n"); 1468 skb_put_data(skb, buf, strlen(buf)); 1469 } 1470 1471 static int btintel_register_devcoredump_support(struct hci_dev *hdev) 1472 { 1473 struct intel_debug_features features; 1474 int err; 1475 1476 err = btintel_read_debug_features(hdev, &features); 1477 if (err) { 1478 bt_dev_info(hdev, "Error reading debug features"); 1479 return err; 1480 } 1481 1482 if (!(features.page1[0] & 0x3f)) { 1483 bt_dev_dbg(hdev, "Telemetry exception format not supported"); 1484 return -EOPNOTSUPP; 1485 } 1486 1487 hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL); 1488 1489 return err; 1490 } 1491 1492 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev, 1493 struct intel_version *ver) 1494 { 1495 const struct firmware *fw; 1496 char fwname[64]; 1497 int ret; 1498 1499 snprintf(fwname, sizeof(fwname), 1500 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1501 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1502 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1503 ver->fw_build_ww, ver->fw_build_yy); 1504 1505 ret = request_firmware(&fw, fwname, &hdev->dev); 1506 if (ret < 0) { 1507 if (ret == -EINVAL) { 1508 bt_dev_err(hdev, "Intel firmware file request failed (%d)", 1509 ret); 1510 return NULL; 1511 } 1512 1513 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)", 1514 fwname, ret); 1515 1516 /* If the correct firmware patch file is not found, use the 1517 * default firmware patch file instead 1518 */ 1519 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1520 ver->hw_platform, ver->hw_variant); 1521 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1522 bt_dev_err(hdev, "failed to open default fw file: %s", 1523 fwname); 1524 return NULL; 1525 } 1526 } 1527 1528 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname); 1529 1530 return fw; 1531 } 1532 1533 static int btintel_legacy_rom_patching(struct hci_dev *hdev, 1534 const struct firmware *fw, 1535 const u8 **fw_ptr, int *disable_patch) 1536 { 1537 struct sk_buff *skb; 1538 struct hci_command_hdr *cmd; 1539 const u8 *cmd_param; 1540 struct hci_event_hdr *evt = NULL; 1541 const u8 *evt_param = NULL; 1542 int remain = fw->size - (*fw_ptr - fw->data); 1543 1544 /* The first byte indicates the types of the patch command or event. 1545 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1546 * in the current firmware buffer doesn't start with 0x01 or 1547 * the size of remain buffer is smaller than HCI command header, 1548 * the firmware file is corrupted and it should stop the patching 1549 * process. 1550 */ 1551 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1552 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read"); 1553 return -EINVAL; 1554 } 1555 (*fw_ptr)++; 1556 remain--; 1557 1558 cmd = (struct hci_command_hdr *)(*fw_ptr); 1559 *fw_ptr += sizeof(*cmd); 1560 remain -= sizeof(*cmd); 1561 1562 /* Ensure that the remain firmware data is long enough than the length 1563 * of command parameter. If not, the firmware file is corrupted. 1564 */ 1565 if (remain < cmd->plen) { 1566 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len"); 1567 return -EFAULT; 1568 } 1569 1570 /* If there is a command that loads a patch in the firmware 1571 * file, then enable the patch upon success, otherwise just 1572 * disable the manufacturer mode, for example patch activation 1573 * is not required when the default firmware patch file is used 1574 * because there are no patch data to load. 1575 */ 1576 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1577 *disable_patch = 0; 1578 1579 cmd_param = *fw_ptr; 1580 *fw_ptr += cmd->plen; 1581 remain -= cmd->plen; 1582 1583 /* This reads the expected events when the above command is sent to the 1584 * device. Some vendor commands expects more than one events, for 1585 * example command status event followed by vendor specific event. 1586 * For this case, it only keeps the last expected event. so the command 1587 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1588 * last expected event. 1589 */ 1590 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1591 (*fw_ptr)++; 1592 remain--; 1593 1594 evt = (struct hci_event_hdr *)(*fw_ptr); 1595 *fw_ptr += sizeof(*evt); 1596 remain -= sizeof(*evt); 1597 1598 if (remain < evt->plen) { 1599 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len"); 1600 return -EFAULT; 1601 } 1602 1603 evt_param = *fw_ptr; 1604 *fw_ptr += evt->plen; 1605 remain -= evt->plen; 1606 } 1607 1608 /* Every HCI commands in the firmware file has its correspond event. 1609 * If event is not found or remain is smaller than zero, the firmware 1610 * file is corrupted. 1611 */ 1612 if (!evt || !evt_param || remain < 0) { 1613 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read"); 1614 return -EFAULT; 1615 } 1616 1617 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1618 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1619 if (IS_ERR(skb)) { 1620 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)", 1621 cmd->opcode, PTR_ERR(skb)); 1622 return PTR_ERR(skb); 1623 } 1624 1625 /* It ensures that the returned event matches the event data read from 1626 * the firmware file. At fist, it checks the length and then 1627 * the contents of the event. 1628 */ 1629 if (skb->len != evt->plen) { 1630 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)", 1631 le16_to_cpu(cmd->opcode)); 1632 kfree_skb(skb); 1633 return -EFAULT; 1634 } 1635 1636 if (memcmp(skb->data, evt_param, evt->plen)) { 1637 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)", 1638 le16_to_cpu(cmd->opcode)); 1639 kfree_skb(skb); 1640 return -EFAULT; 1641 } 1642 kfree_skb(skb); 1643 1644 return 0; 1645 } 1646 1647 static int btintel_legacy_rom_setup(struct hci_dev *hdev, 1648 struct intel_version *ver) 1649 { 1650 const struct firmware *fw; 1651 const u8 *fw_ptr; 1652 int disable_patch, err; 1653 struct intel_version new_ver; 1654 1655 BT_DBG("%s", hdev->name); 1656 1657 /* fw_patch_num indicates the version of patch the device currently 1658 * have. If there is no patch data in the device, it is always 0x00. 1659 * So, if it is other than 0x00, no need to patch the device again. 1660 */ 1661 if (ver->fw_patch_num) { 1662 bt_dev_info(hdev, 1663 "Intel device is already patched. patch num: %02x", 1664 ver->fw_patch_num); 1665 goto complete; 1666 } 1667 1668 /* Opens the firmware patch file based on the firmware version read 1669 * from the controller. If it fails to open the matching firmware 1670 * patch file, it tries to open the default firmware patch file. 1671 * If no patch file is found, allow the device to operate without 1672 * a patch. 1673 */ 1674 fw = btintel_legacy_rom_get_fw(hdev, ver); 1675 if (!fw) 1676 goto complete; 1677 fw_ptr = fw->data; 1678 1679 /* Enable the manufacturer mode of the controller. 1680 * Only while this mode is enabled, the driver can download the 1681 * firmware patch data and configuration parameters. 1682 */ 1683 err = btintel_enter_mfg(hdev); 1684 if (err) { 1685 release_firmware(fw); 1686 return err; 1687 } 1688 1689 disable_patch = 1; 1690 1691 /* The firmware data file consists of list of Intel specific HCI 1692 * commands and its expected events. The first byte indicates the 1693 * type of the message, either HCI command or HCI event. 1694 * 1695 * It reads the command and its expected event from the firmware file, 1696 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1697 * the returned event is compared with the event read from the firmware 1698 * file and it will continue until all the messages are downloaded to 1699 * the controller. 1700 * 1701 * Once the firmware patching is completed successfully, 1702 * the manufacturer mode is disabled with reset and activating the 1703 * downloaded patch. 1704 * 1705 * If the firmware patching fails, the manufacturer mode is 1706 * disabled with reset and deactivating the patch. 1707 * 1708 * If the default patch file is used, no reset is done when disabling 1709 * the manufacturer. 1710 */ 1711 while (fw->size > fw_ptr - fw->data) { 1712 int ret; 1713 1714 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr, 1715 &disable_patch); 1716 if (ret < 0) 1717 goto exit_mfg_deactivate; 1718 } 1719 1720 release_firmware(fw); 1721 1722 if (disable_patch) 1723 goto exit_mfg_disable; 1724 1725 /* Patching completed successfully and disable the manufacturer mode 1726 * with reset and activate the downloaded firmware patches. 1727 */ 1728 err = btintel_exit_mfg(hdev, true, true); 1729 if (err) 1730 return err; 1731 1732 /* Need build number for downloaded fw patches in 1733 * every power-on boot 1734 */ 1735 err = btintel_read_version(hdev, &new_ver); 1736 if (err) 1737 return err; 1738 1739 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated", 1740 new_ver.fw_patch_num); 1741 1742 goto complete; 1743 1744 exit_mfg_disable: 1745 /* Disable the manufacturer mode without reset */ 1746 err = btintel_exit_mfg(hdev, false, false); 1747 if (err) 1748 return err; 1749 1750 bt_dev_info(hdev, "Intel firmware patch completed"); 1751 1752 goto complete; 1753 1754 exit_mfg_deactivate: 1755 release_firmware(fw); 1756 1757 /* Patching failed. Disable the manufacturer mode with reset and 1758 * deactivate the downloaded firmware patches. 1759 */ 1760 err = btintel_exit_mfg(hdev, true, false); 1761 if (err) 1762 return err; 1763 1764 bt_dev_info(hdev, "Intel firmware patch completed and deactivated"); 1765 1766 complete: 1767 /* Set the event mask for Intel specific vendor events. This enables 1768 * a few extra events that are useful during general operation. 1769 */ 1770 btintel_set_event_mask_mfg(hdev, false); 1771 1772 btintel_check_bdaddr(hdev); 1773 1774 return 0; 1775 } 1776 1777 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1778 { 1779 ktime_t delta, rettime; 1780 unsigned long long duration; 1781 int err; 1782 1783 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1784 1785 bt_dev_info(hdev, "Waiting for firmware download to complete"); 1786 1787 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING, 1788 TASK_INTERRUPTIBLE, 1789 msecs_to_jiffies(msec)); 1790 if (err == -EINTR) { 1791 bt_dev_err(hdev, "Firmware loading interrupted"); 1792 return err; 1793 } 1794 1795 if (err) { 1796 bt_dev_err(hdev, "Firmware loading timeout"); 1797 return -ETIMEDOUT; 1798 } 1799 1800 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) { 1801 bt_dev_err(hdev, "Firmware loading failed"); 1802 return -ENOEXEC; 1803 } 1804 1805 rettime = ktime_get(); 1806 delta = ktime_sub(rettime, calltime); 1807 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1808 1809 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration); 1810 1811 return 0; 1812 } 1813 1814 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1815 { 1816 ktime_t delta, rettime; 1817 unsigned long long duration; 1818 int err; 1819 1820 bt_dev_info(hdev, "Waiting for device to boot"); 1821 1822 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING, 1823 TASK_INTERRUPTIBLE, 1824 msecs_to_jiffies(msec)); 1825 if (err == -EINTR) { 1826 bt_dev_err(hdev, "Device boot interrupted"); 1827 return -EINTR; 1828 } 1829 1830 if (err) { 1831 bt_dev_err(hdev, "Device boot timeout"); 1832 return -ETIMEDOUT; 1833 } 1834 1835 rettime = ktime_get(); 1836 delta = ktime_sub(rettime, calltime); 1837 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 1838 1839 bt_dev_info(hdev, "Device booted in %llu usecs", duration); 1840 1841 return 0; 1842 } 1843 1844 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr) 1845 { 1846 ktime_t calltime; 1847 int err; 1848 1849 calltime = ktime_get(); 1850 1851 btintel_set_flag(hdev, INTEL_BOOTING); 1852 1853 err = btintel_send_intel_reset(hdev, boot_addr); 1854 if (err) { 1855 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err); 1856 btintel_reset_to_bootloader(hdev); 1857 return err; 1858 } 1859 1860 /* The bootloader will not indicate when the device is ready. This 1861 * is done by the operational firmware sending bootup notification. 1862 * 1863 * Booting into operational firmware should not take longer than 1864 * 1 second. However if that happens, then just fail the setup 1865 * since something went wrong. 1866 */ 1867 err = btintel_boot_wait(hdev, calltime, 1000); 1868 if (err == -ETIMEDOUT) 1869 btintel_reset_to_bootloader(hdev); 1870 1871 return err; 1872 } 1873 1874 static int btintel_get_fw_name(struct intel_version *ver, 1875 struct intel_boot_params *params, 1876 char *fw_name, size_t len, 1877 const char *suffix) 1878 { 1879 switch (ver->hw_variant) { 1880 case 0x0b: /* SfP */ 1881 case 0x0c: /* WsP */ 1882 snprintf(fw_name, len, "intel/ibt-%u-%u.%s", 1883 ver->hw_variant, 1884 le16_to_cpu(params->dev_revid), 1885 suffix); 1886 break; 1887 case 0x11: /* JfP */ 1888 case 0x12: /* ThP */ 1889 case 0x13: /* HrP */ 1890 case 0x14: /* CcP */ 1891 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s", 1892 ver->hw_variant, 1893 ver->hw_revision, 1894 ver->fw_revision, 1895 suffix); 1896 break; 1897 default: 1898 return -EINVAL; 1899 } 1900 1901 return 0; 1902 } 1903 1904 static int btintel_download_fw(struct hci_dev *hdev, 1905 struct intel_version *ver, 1906 struct intel_boot_params *params, 1907 u32 *boot_param) 1908 { 1909 const struct firmware *fw; 1910 char fwname[64]; 1911 int err; 1912 ktime_t calltime; 1913 1914 if (!ver || !params) 1915 return -EINVAL; 1916 1917 /* The firmware variant determines if the device is in bootloader 1918 * mode or is running operational firmware. The value 0x06 identifies 1919 * the bootloader and the value 0x23 identifies the operational 1920 * firmware. 1921 * 1922 * When the operational firmware is already present, then only 1923 * the check for valid Bluetooth device address is needed. This 1924 * determines if the device will be added as configured or 1925 * unconfigured controller. 1926 * 1927 * It is not possible to use the Secure Boot Parameters in this 1928 * case since that command is only available in bootloader mode. 1929 */ 1930 if (ver->fw_variant == 0x23) { 1931 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 1932 btintel_check_bdaddr(hdev); 1933 1934 /* SfP and WsP don't seem to update the firmware version on file 1935 * so version checking is currently possible. 1936 */ 1937 switch (ver->hw_variant) { 1938 case 0x0b: /* SfP */ 1939 case 0x0c: /* WsP */ 1940 return 0; 1941 } 1942 1943 /* Proceed to download to check if the version matches */ 1944 goto download; 1945 } 1946 1947 /* Read the secure boot parameters to identify the operating 1948 * details of the bootloader. 1949 */ 1950 err = btintel_read_boot_params(hdev, params); 1951 if (err) 1952 return err; 1953 1954 /* It is required that every single firmware fragment is acknowledged 1955 * with a command complete event. If the boot parameters indicate 1956 * that this bootloader does not send them, then abort the setup. 1957 */ 1958 if (params->limited_cce != 0x00) { 1959 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)", 1960 params->limited_cce); 1961 return -EINVAL; 1962 } 1963 1964 /* If the OTP has no valid Bluetooth device address, then there will 1965 * also be no valid address for the operational firmware. 1966 */ 1967 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 1968 bt_dev_info(hdev, "No device address configured"); 1969 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 1970 } 1971 1972 download: 1973 /* With this Intel bootloader only the hardware variant and device 1974 * revision information are used to select the right firmware for SfP 1975 * and WsP. 1976 * 1977 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi. 1978 * 1979 * Currently the supported hardware variants are: 1980 * 11 (0x0b) for iBT3.0 (LnP/SfP) 1981 * 12 (0x0c) for iBT3.5 (WsP) 1982 * 1983 * For ThP/JfP and for future SKU's, the FW name varies based on HW 1984 * variant, HW revision and FW revision, as these are dependent on CNVi 1985 * and RF Combination. 1986 * 1987 * 17 (0x11) for iBT3.5 (JfP) 1988 * 18 (0x12) for iBT3.5 (ThP) 1989 * 1990 * The firmware file name for these will be 1991 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi. 1992 * 1993 */ 1994 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi"); 1995 if (err < 0) { 1996 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 1997 /* Firmware has already been loaded */ 1998 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1999 return 0; 2000 } 2001 2002 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2003 return -EINVAL; 2004 } 2005 2006 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2007 if (err < 0) { 2008 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2009 /* Firmware has already been loaded */ 2010 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2011 return 0; 2012 } 2013 2014 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2015 fwname, err); 2016 return err; 2017 } 2018 2019 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2020 2021 if (fw->size < 644) { 2022 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2023 fw->size); 2024 err = -EBADF; 2025 goto done; 2026 } 2027 2028 calltime = ktime_get(); 2029 2030 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2031 2032 /* Start firmware downloading and get boot parameter */ 2033 err = btintel_download_firmware(hdev, ver, fw, boot_param); 2034 if (err < 0) { 2035 if (err == -EALREADY) { 2036 /* Firmware has already been loaded */ 2037 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2038 err = 0; 2039 goto done; 2040 } 2041 2042 /* When FW download fails, send Intel Reset to retry 2043 * FW download. 2044 */ 2045 btintel_reset_to_bootloader(hdev); 2046 goto done; 2047 } 2048 2049 /* Before switching the device into operational mode and with that 2050 * booting the loaded firmware, wait for the bootloader notification 2051 * that all fragments have been successfully received. 2052 * 2053 * When the event processing receives the notification, then the 2054 * INTEL_DOWNLOADING flag will be cleared. 2055 * 2056 * The firmware loading should not take longer than 5 seconds 2057 * and thus just timeout if that happens and fail the setup 2058 * of this device. 2059 */ 2060 err = btintel_download_wait(hdev, calltime, 5000); 2061 if (err == -ETIMEDOUT) 2062 btintel_reset_to_bootloader(hdev); 2063 2064 done: 2065 release_firmware(fw); 2066 return err; 2067 } 2068 2069 static int btintel_bootloader_setup(struct hci_dev *hdev, 2070 struct intel_version *ver) 2071 { 2072 struct intel_version new_ver; 2073 struct intel_boot_params params; 2074 u32 boot_param; 2075 char ddcname[64]; 2076 int err; 2077 2078 BT_DBG("%s", hdev->name); 2079 2080 /* Set the default boot parameter to 0x0 and it is updated to 2081 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2082 * command while downloading the firmware. 2083 */ 2084 boot_param = 0x00000000; 2085 2086 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2087 2088 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param); 2089 if (err) 2090 return err; 2091 2092 /* controller is already having an operational firmware */ 2093 if (ver->fw_variant == 0x23) 2094 goto finish; 2095 2096 err = btintel_boot(hdev, boot_param); 2097 if (err) 2098 return err; 2099 2100 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2101 2102 err = btintel_get_fw_name(ver, ¶ms, ddcname, 2103 sizeof(ddcname), "ddc"); 2104 2105 if (err < 0) { 2106 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2107 } else { 2108 /* Once the device is running in operational mode, it needs to 2109 * apply the device configuration (DDC) parameters. 2110 * 2111 * The device can work without DDC parameters, so even if it 2112 * fails to load the file, no need to fail the setup. 2113 */ 2114 btintel_load_ddc_config(hdev, ddcname); 2115 } 2116 2117 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2118 2119 /* Read the Intel version information after loading the FW */ 2120 err = btintel_read_version(hdev, &new_ver); 2121 if (err) 2122 return err; 2123 2124 btintel_version_info(hdev, &new_ver); 2125 2126 finish: 2127 /* Set the event mask for Intel specific vendor events. This enables 2128 * a few extra events that are useful during general operation. It 2129 * does not enable any debugging related events. 2130 * 2131 * The device will function correctly without these events enabled 2132 * and thus no need to fail the setup. 2133 */ 2134 btintel_set_event_mask(hdev, false); 2135 2136 return 0; 2137 } 2138 2139 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver, 2140 char *fw_name, size_t len, 2141 const char *suffix) 2142 { 2143 const char *format; 2144 u32 cnvi, cnvr; 2145 2146 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2147 INTEL_CNVX_TOP_STEP(ver->cnvi_top)); 2148 2149 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2150 INTEL_CNVX_TOP_STEP(ver->cnvr_top)); 2151 2152 /* Only Blazar product supports downloading of intermediate loader 2153 * image 2154 */ 2155 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) { 2156 u8 zero[BTINTEL_FWID_MAXLEN]; 2157 2158 if (ver->img_type == BTINTEL_IMG_BOOTLOADER) { 2159 format = "intel/ibt-%04x-%04x-iml.%s"; 2160 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2161 return; 2162 } 2163 2164 memset(zero, 0, sizeof(zero)); 2165 2166 /* ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step-fw_id> */ 2167 if (memcmp(ver->fw_id, zero, sizeof(zero))) { 2168 format = "intel/ibt-%04x-%04x-%s.%s"; 2169 snprintf(fw_name, len, format, cnvi, cnvr, 2170 ver->fw_id, suffix); 2171 return; 2172 } 2173 /* If firmware id is not present, fallback to legacy naming 2174 * convention 2175 */ 2176 } 2177 /* Fallback to legacy naming convention for other controllers 2178 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step> 2179 */ 2180 format = "intel/ibt-%04x-%04x.%s"; 2181 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2182 } 2183 2184 static void btintel_get_iml_tlv(const struct intel_version_tlv *ver, 2185 char *fw_name, size_t len, 2186 const char *suffix) 2187 { 2188 const char *format; 2189 u32 cnvi, cnvr; 2190 2191 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2192 INTEL_CNVX_TOP_STEP(ver->cnvi_top)); 2193 2194 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2195 INTEL_CNVX_TOP_STEP(ver->cnvr_top)); 2196 2197 format = "intel/ibt-%04x-%04x-iml.%s"; 2198 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2199 } 2200 2201 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev, 2202 struct intel_version_tlv *ver, 2203 u32 *boot_param) 2204 { 2205 const struct firmware *fw; 2206 char fwname[128]; 2207 int err; 2208 ktime_t calltime; 2209 2210 if (!ver || !boot_param) 2211 return -EINVAL; 2212 2213 /* The firmware variant determines if the device is in bootloader 2214 * mode or is running operational firmware. The value 0x03 identifies 2215 * the bootloader and the value 0x23 identifies the operational 2216 * firmware. 2217 * 2218 * When the operational firmware is already present, then only 2219 * the check for valid Bluetooth device address is needed. This 2220 * determines if the device will be added as configured or 2221 * unconfigured controller. 2222 * 2223 * It is not possible to use the Secure Boot Parameters in this 2224 * case since that command is only available in bootloader mode. 2225 */ 2226 if (ver->img_type == BTINTEL_IMG_OP) { 2227 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2228 btintel_check_bdaddr(hdev); 2229 } else { 2230 /* 2231 * Check for valid bd address in boot loader mode. Device 2232 * will be marked as unconfigured if empty bd address is 2233 * found. 2234 */ 2235 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) { 2236 bt_dev_info(hdev, "No device address configured"); 2237 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2238 } 2239 } 2240 2241 if (ver->img_type == BTINTEL_IMG_OP) { 2242 /* Controller running OP image. In case of FW downgrade, 2243 * FWID TLV may not be present and driver may attempt to load 2244 * firmware image which doesn't exist. Lets compare the version 2245 * of IML image 2246 */ 2247 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) 2248 btintel_get_iml_tlv(ver, fwname, sizeof(fwname), "sfi"); 2249 else 2250 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2251 } else { 2252 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2253 } 2254 2255 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2256 if (err < 0) { 2257 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2258 /* Firmware has already been loaded */ 2259 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2260 return 0; 2261 } 2262 2263 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2264 fwname, err); 2265 2266 return err; 2267 } 2268 2269 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2270 2271 if (fw->size < 644) { 2272 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2273 fw->size); 2274 err = -EBADF; 2275 goto done; 2276 } 2277 2278 calltime = ktime_get(); 2279 2280 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2281 2282 /* Start firmware downloading and get boot parameter */ 2283 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param, 2284 INTEL_HW_VARIANT(ver->cnvi_bt), 2285 ver->sbe_type); 2286 if (err < 0) { 2287 if (err == -EALREADY) { 2288 /* Firmware has already been loaded */ 2289 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2290 err = 0; 2291 goto done; 2292 } 2293 2294 /* When FW download fails, send Intel Reset to retry 2295 * FW download. 2296 */ 2297 btintel_reset_to_bootloader(hdev); 2298 goto done; 2299 } 2300 2301 /* Before switching the device into operational mode and with that 2302 * booting the loaded firmware, wait for the bootloader notification 2303 * that all fragments have been successfully received. 2304 * 2305 * When the event processing receives the notification, then the 2306 * BTUSB_DOWNLOADING flag will be cleared. 2307 * 2308 * The firmware loading should not take longer than 5 seconds 2309 * and thus just timeout if that happens and fail the setup 2310 * of this device. 2311 */ 2312 err = btintel_download_wait(hdev, calltime, 5000); 2313 if (err == -ETIMEDOUT) 2314 btintel_reset_to_bootloader(hdev); 2315 2316 done: 2317 release_firmware(fw); 2318 return err; 2319 } 2320 2321 static int btintel_get_codec_config_data(struct hci_dev *hdev, 2322 __u8 link, struct bt_codec *codec, 2323 __u8 *ven_len, __u8 **ven_data) 2324 { 2325 int err = 0; 2326 2327 if (!ven_data || !ven_len) 2328 return -EINVAL; 2329 2330 *ven_len = 0; 2331 *ven_data = NULL; 2332 2333 if (link != ESCO_LINK) { 2334 bt_dev_err(hdev, "Invalid link type(%u)", link); 2335 return -EINVAL; 2336 } 2337 2338 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL); 2339 if (!*ven_data) { 2340 err = -ENOMEM; 2341 goto error; 2342 } 2343 2344 /* supports only CVSD and mSBC offload codecs */ 2345 switch (codec->id) { 2346 case 0x02: 2347 **ven_data = 0x00; 2348 break; 2349 case 0x05: 2350 **ven_data = 0x01; 2351 break; 2352 default: 2353 err = -EINVAL; 2354 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id); 2355 goto error; 2356 } 2357 /* codec and its capabilities are pre-defined to ids 2358 * preset id = 0x00 represents CVSD codec with sampling rate 8K 2359 * preset id = 0x01 represents mSBC codec with sampling rate 16K 2360 */ 2361 *ven_len = sizeof(__u8); 2362 return err; 2363 2364 error: 2365 kfree(*ven_data); 2366 *ven_data = NULL; 2367 return err; 2368 } 2369 2370 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id) 2371 { 2372 /* Intel uses 1 as data path id for all the usecases */ 2373 *data_path_id = 1; 2374 return 0; 2375 } 2376 2377 static int btintel_configure_offload(struct hci_dev *hdev) 2378 { 2379 struct sk_buff *skb; 2380 int err = 0; 2381 struct intel_offload_use_cases *use_cases; 2382 2383 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT); 2384 if (IS_ERR(skb)) { 2385 bt_dev_err(hdev, "Reading offload use cases failed (%ld)", 2386 PTR_ERR(skb)); 2387 return PTR_ERR(skb); 2388 } 2389 2390 if (skb->len < sizeof(*use_cases)) { 2391 err = -EIO; 2392 goto error; 2393 } 2394 2395 use_cases = (void *)skb->data; 2396 2397 if (use_cases->status) { 2398 err = -bt_to_errno(skb->data[0]); 2399 goto error; 2400 } 2401 2402 if (use_cases->preset[0] & 0x03) { 2403 hdev->get_data_path_id = btintel_get_data_path_id; 2404 hdev->get_codec_config_data = btintel_get_codec_config_data; 2405 } 2406 error: 2407 kfree_skb(skb); 2408 return err; 2409 } 2410 2411 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver) 2412 { 2413 struct sk_buff *skb; 2414 struct hci_ppag_enable_cmd ppag_cmd; 2415 acpi_handle handle; 2416 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; 2417 union acpi_object *p, *elements; 2418 u32 domain, mode; 2419 acpi_status status; 2420 2421 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */ 2422 switch (ver->cnvr_top & 0xFFF) { 2423 case 0x504: /* Hrp2 */ 2424 case 0x202: /* Jfp2 */ 2425 case 0x201: /* Jfp1 */ 2426 bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)", 2427 ver->cnvr_top & 0xFFF); 2428 return; 2429 } 2430 2431 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2432 if (!handle) { 2433 bt_dev_info(hdev, "No support for BT device in ACPI firmware"); 2434 return; 2435 } 2436 2437 status = acpi_evaluate_object(handle, "PPAG", NULL, &buffer); 2438 if (ACPI_FAILURE(status)) { 2439 if (status == AE_NOT_FOUND) { 2440 bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found"); 2441 return; 2442 } 2443 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 2444 return; 2445 } 2446 2447 p = buffer.pointer; 2448 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) { 2449 bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d", 2450 p->type, p->package.count); 2451 kfree(buffer.pointer); 2452 return; 2453 } 2454 2455 elements = p->package.elements; 2456 2457 /* PPAG table is located at element[1] */ 2458 p = &elements[1]; 2459 2460 domain = (u32)p->package.elements[0].integer.value; 2461 mode = (u32)p->package.elements[1].integer.value; 2462 kfree(buffer.pointer); 2463 2464 if (domain != 0x12) { 2465 bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware"); 2466 return; 2467 } 2468 2469 /* PPAG mode 2470 * BIT 0 : 0 Disabled in EU 2471 * 1 Enabled in EU 2472 * BIT 1 : 0 Disabled in China 2473 * 1 Enabled in China 2474 */ 2475 mode &= 0x03; 2476 2477 if (!mode) { 2478 bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in BIOS"); 2479 return; 2480 } 2481 2482 ppag_cmd.ppag_enable_flags = cpu_to_le32(mode); 2483 2484 skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd), 2485 &ppag_cmd, HCI_CMD_TIMEOUT); 2486 if (IS_ERR(skb)) { 2487 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb)); 2488 return; 2489 } 2490 bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", mode); 2491 kfree_skb(skb); 2492 } 2493 2494 static int btintel_acpi_reset_method(struct hci_dev *hdev) 2495 { 2496 int ret = 0; 2497 acpi_status status; 2498 union acpi_object *p, *ref; 2499 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; 2500 2501 status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer); 2502 if (ACPI_FAILURE(status)) { 2503 bt_dev_err(hdev, "Failed to run _PRR method"); 2504 ret = -ENODEV; 2505 return ret; 2506 } 2507 p = buffer.pointer; 2508 2509 if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) { 2510 bt_dev_err(hdev, "Invalid arguments"); 2511 ret = -EINVAL; 2512 goto exit_on_error; 2513 } 2514 2515 ref = &p->package.elements[0]; 2516 if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) { 2517 bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type); 2518 ret = -EINVAL; 2519 goto exit_on_error; 2520 } 2521 2522 status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL); 2523 if (ACPI_FAILURE(status)) { 2524 bt_dev_err(hdev, "Failed to run_RST method"); 2525 ret = -ENODEV; 2526 goto exit_on_error; 2527 } 2528 2529 exit_on_error: 2530 kfree(buffer.pointer); 2531 return ret; 2532 } 2533 2534 static void btintel_set_dsm_reset_method(struct hci_dev *hdev, 2535 struct intel_version_tlv *ver_tlv) 2536 { 2537 struct btintel_data *data = hci_get_priv(hdev); 2538 acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2539 u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00}; 2540 union acpi_object *obj, argv4; 2541 enum { 2542 RESET_TYPE_WDISABLE2, 2543 RESET_TYPE_VSEC 2544 }; 2545 2546 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2547 2548 if (!handle) { 2549 bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware"); 2550 return; 2551 } 2552 2553 if (!acpi_has_method(handle, "_PRR")) { 2554 bt_dev_err(hdev, "No support for _PRR ACPI method"); 2555 return; 2556 } 2557 2558 switch (ver_tlv->cnvi_top & 0xfff) { 2559 case 0x910: /* GalePeak2 */ 2560 reset_payload[2] = RESET_TYPE_VSEC; 2561 break; 2562 default: 2563 /* WDISABLE2 is the default reset method */ 2564 reset_payload[2] = RESET_TYPE_WDISABLE2; 2565 2566 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2567 BIT(DSM_SET_WDISABLE2_DELAY))) { 2568 bt_dev_err(hdev, "No dsm support to set reset delay"); 2569 return; 2570 } 2571 argv4.integer.type = ACPI_TYPE_INTEGER; 2572 /* delay required to toggle BT power */ 2573 argv4.integer.value = 160; 2574 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2575 DSM_SET_WDISABLE2_DELAY, &argv4); 2576 if (!obj) { 2577 bt_dev_err(hdev, "Failed to call dsm to set reset delay"); 2578 return; 2579 } 2580 ACPI_FREE(obj); 2581 } 2582 2583 bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]); 2584 2585 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2586 DSM_SET_RESET_METHOD)) { 2587 bt_dev_warn(hdev, "No support for dsm to set reset method"); 2588 return; 2589 } 2590 argv4.buffer.type = ACPI_TYPE_BUFFER; 2591 argv4.buffer.length = sizeof(reset_payload); 2592 argv4.buffer.pointer = reset_payload; 2593 2594 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2595 DSM_SET_RESET_METHOD, &argv4); 2596 if (!obj) { 2597 bt_dev_err(hdev, "Failed to call dsm to set reset method"); 2598 return; 2599 } 2600 ACPI_FREE(obj); 2601 data->acpi_reset_method = btintel_acpi_reset_method; 2602 } 2603 2604 #define BTINTEL_ISODATA_HANDLE_BASE 0x900 2605 2606 static u8 btintel_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb) 2607 { 2608 /* 2609 * Distinguish ISO data packets form ACL data packets 2610 * based on their connection handle value range. 2611 */ 2612 if (hci_skb_pkt_type(skb) == HCI_ACLDATA_PKT) { 2613 __u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle); 2614 2615 if (hci_handle(handle) >= BTINTEL_ISODATA_HANDLE_BASE) 2616 return HCI_ISODATA_PKT; 2617 } 2618 2619 return hci_skb_pkt_type(skb); 2620 } 2621 2622 /* 2623 * UefiCnvCommonDSBR UEFI variable provides information from the OEM platforms 2624 * if they have replaced the BRI (Bluetooth Radio Interface) resistor to 2625 * overcome the potential STEP errors on their designs. Based on the 2626 * configauration, bluetooth firmware shall adjust the BRI response line drive 2627 * strength. The below structure represents DSBR data. 2628 * struct { 2629 * u8 header; 2630 * u32 dsbr; 2631 * } __packed; 2632 * 2633 * header - defines revision number of the structure 2634 * dsbr - defines drive strength BRI response 2635 * bit0 2636 * 0 - instructs bluetooth firmware to use default values 2637 * 1 - instructs bluetooth firmware to override default values 2638 * bit3:1 2639 * Reserved 2640 * bit7:4 2641 * DSBR override values (only if bit0 is set. Default value is 0xF 2642 * bit31:7 2643 * Reserved 2644 * Expected values for dsbr field: 2645 * 1. 0xF1 - indicates that the resistor on board is 33 Ohm 2646 * 2. 0x00 or 0xB1 - indicates that the resistor on board is 10 Ohm 2647 * 3. Non existing UEFI variable or invalid (none of the above) - indicates 2648 * that the resistor on board is 10 Ohm 2649 * Even if uefi variable is not present, driver shall send 0xfc0a command to 2650 * firmware to use default values. 2651 * 2652 */ 2653 static int btintel_uefi_get_dsbr(u32 *dsbr_var) 2654 { 2655 struct btintel_dsbr { 2656 u8 header; 2657 u32 dsbr; 2658 } __packed data; 2659 2660 efi_status_t status; 2661 unsigned long data_size = 0; 2662 efi_guid_t guid = EFI_GUID(0xe65d8884, 0xd4af, 0x4b20, 0x8d, 0x03, 2663 0x77, 0x2e, 0xcc, 0x3d, 0xa5, 0x31); 2664 2665 if (!IS_ENABLED(CONFIG_EFI)) 2666 return -EOPNOTSUPP; 2667 2668 if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) 2669 return -EOPNOTSUPP; 2670 2671 status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size, 2672 NULL); 2673 2674 if (status != EFI_BUFFER_TOO_SMALL || !data_size) 2675 return -EIO; 2676 2677 status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size, 2678 &data); 2679 2680 if (status != EFI_SUCCESS) 2681 return -ENXIO; 2682 2683 *dsbr_var = data.dsbr; 2684 return 0; 2685 } 2686 2687 static int btintel_set_dsbr(struct hci_dev *hdev, struct intel_version_tlv *ver) 2688 { 2689 struct btintel_dsbr_cmd { 2690 u8 enable; 2691 u8 dsbr; 2692 } __packed; 2693 2694 struct btintel_dsbr_cmd cmd; 2695 struct sk_buff *skb; 2696 u8 status; 2697 u32 dsbr; 2698 bool apply_dsbr; 2699 int err; 2700 2701 /* DSBR command needs to be sent for BlazarI + B0 step product after 2702 * downloading IML image. 2703 */ 2704 apply_dsbr = (ver->img_type == BTINTEL_IMG_IML && 2705 ((ver->cnvi_top & 0xfff) == BTINTEL_CNVI_BLAZARI) && 2706 INTEL_CNVX_TOP_STEP(ver->cnvi_top) == 0x01); 2707 2708 if (!apply_dsbr) 2709 return 0; 2710 2711 dsbr = 0; 2712 err = btintel_uefi_get_dsbr(&dsbr); 2713 if (err < 0) 2714 bt_dev_dbg(hdev, "Error reading efi: %ls (%d)", 2715 BTINTEL_EFI_DSBR, err); 2716 2717 cmd.enable = dsbr & BIT(0); 2718 cmd.dsbr = dsbr >> 4 & 0xF; 2719 2720 bt_dev_info(hdev, "dsbr: enable: 0x%2.2x value: 0x%2.2x", cmd.enable, 2721 cmd.dsbr); 2722 2723 skb = __hci_cmd_sync(hdev, 0xfc0a, sizeof(cmd), &cmd, HCI_CMD_TIMEOUT); 2724 if (IS_ERR(skb)) 2725 return -bt_to_errno(PTR_ERR(skb)); 2726 2727 status = skb->data[0]; 2728 kfree_skb(skb); 2729 2730 if (status) 2731 return -bt_to_errno(status); 2732 2733 return 0; 2734 } 2735 2736 int btintel_bootloader_setup_tlv(struct hci_dev *hdev, 2737 struct intel_version_tlv *ver) 2738 { 2739 u32 boot_param; 2740 char ddcname[64]; 2741 int err; 2742 struct intel_version_tlv new_ver; 2743 2744 bt_dev_dbg(hdev, ""); 2745 2746 /* Set the default boot parameter to 0x0 and it is updated to 2747 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2748 * command while downloading the firmware. 2749 */ 2750 boot_param = 0x00000000; 2751 2752 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2753 2754 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2755 if (err) 2756 return err; 2757 2758 /* check if controller is already having an operational firmware */ 2759 if (ver->img_type == BTINTEL_IMG_OP) 2760 goto finish; 2761 2762 err = btintel_boot(hdev, boot_param); 2763 if (err) 2764 return err; 2765 2766 err = btintel_read_version_tlv(hdev, ver); 2767 if (err) 2768 return err; 2769 2770 /* set drive strength of BRI response */ 2771 err = btintel_set_dsbr(hdev, ver); 2772 if (err) { 2773 bt_dev_err(hdev, "Failed to send dsbr command (%d)", err); 2774 return err; 2775 } 2776 2777 /* If image type returned is BTINTEL_IMG_IML, then controller supports 2778 * intermediate loader image 2779 */ 2780 if (ver->img_type == BTINTEL_IMG_IML) { 2781 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2782 if (err) 2783 return err; 2784 2785 err = btintel_boot(hdev, boot_param); 2786 if (err) 2787 return err; 2788 } 2789 2790 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2791 2792 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc"); 2793 /* Once the device is running in operational mode, it needs to 2794 * apply the device configuration (DDC) parameters. 2795 * 2796 * The device can work without DDC parameters, so even if it 2797 * fails to load the file, no need to fail the setup. 2798 */ 2799 btintel_load_ddc_config(hdev, ddcname); 2800 2801 /* Read supported use cases and set callbacks to fetch datapath id */ 2802 btintel_configure_offload(hdev); 2803 2804 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2805 2806 /* Set PPAG feature */ 2807 btintel_set_ppag(hdev, ver); 2808 2809 /* Read the Intel version information after loading the FW */ 2810 err = btintel_read_version_tlv(hdev, &new_ver); 2811 if (err) 2812 return err; 2813 2814 btintel_version_info_tlv(hdev, &new_ver); 2815 2816 finish: 2817 /* Set the event mask for Intel specific vendor events. This enables 2818 * a few extra events that are useful during general operation. It 2819 * does not enable any debugging related events. 2820 * 2821 * The device will function correctly without these events enabled 2822 * and thus no need to fail the setup. 2823 */ 2824 btintel_set_event_mask(hdev, false); 2825 2826 return 0; 2827 } 2828 EXPORT_SYMBOL_GPL(btintel_bootloader_setup_tlv); 2829 2830 void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant) 2831 { 2832 switch (hw_variant) { 2833 /* Legacy bootloader devices that supports MSFT Extension */ 2834 case 0x11: /* JfP */ 2835 case 0x12: /* ThP */ 2836 case 0x13: /* HrP */ 2837 case 0x14: /* CcP */ 2838 /* All Intel new genration controllers support the Microsoft vendor 2839 * extension are using 0xFC1E for VsMsftOpCode. 2840 */ 2841 case 0x17: 2842 case 0x18: 2843 case 0x19: 2844 case 0x1b: 2845 case 0x1c: 2846 case 0x1d: 2847 case 0x1e: 2848 hci_set_msft_opcode(hdev, 0xFC1E); 2849 break; 2850 default: 2851 /* Not supported */ 2852 break; 2853 } 2854 } 2855 EXPORT_SYMBOL_GPL(btintel_set_msft_opcode); 2856 2857 void btintel_print_fseq_info(struct hci_dev *hdev) 2858 { 2859 struct sk_buff *skb; 2860 u8 *p; 2861 u32 val; 2862 const char *str; 2863 2864 skb = __hci_cmd_sync(hdev, 0xfcb3, 0, NULL, HCI_CMD_TIMEOUT); 2865 if (IS_ERR(skb)) { 2866 bt_dev_dbg(hdev, "Reading fseq status command failed (%ld)", 2867 PTR_ERR(skb)); 2868 return; 2869 } 2870 2871 if (skb->len < (sizeof(u32) * 16 + 2)) { 2872 bt_dev_dbg(hdev, "Malformed packet of length %u received", 2873 skb->len); 2874 kfree_skb(skb); 2875 return; 2876 } 2877 2878 p = skb_pull_data(skb, 1); 2879 if (*p) { 2880 bt_dev_dbg(hdev, "Failed to get fseq status (0x%2.2x)", *p); 2881 kfree_skb(skb); 2882 return; 2883 } 2884 2885 p = skb_pull_data(skb, 1); 2886 switch (*p) { 2887 case 0: 2888 str = "Success"; 2889 break; 2890 case 1: 2891 str = "Fatal error"; 2892 break; 2893 case 2: 2894 str = "Semaphore acquire error"; 2895 break; 2896 default: 2897 str = "Unknown error"; 2898 break; 2899 } 2900 2901 if (*p) { 2902 bt_dev_err(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2903 kfree_skb(skb); 2904 return; 2905 } 2906 2907 bt_dev_info(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2908 2909 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2910 bt_dev_dbg(hdev, "Reason: 0x%8.8x", val); 2911 2912 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2913 bt_dev_dbg(hdev, "Global version: 0x%8.8x", val); 2914 2915 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2916 bt_dev_dbg(hdev, "Installed version: 0x%8.8x", val); 2917 2918 p = skb->data; 2919 skb_pull_data(skb, 4); 2920 bt_dev_info(hdev, "Fseq executed: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 2921 p[2], p[3]); 2922 2923 p = skb->data; 2924 skb_pull_data(skb, 4); 2925 bt_dev_info(hdev, "Fseq BT Top: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 2926 p[2], p[3]); 2927 2928 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2929 bt_dev_dbg(hdev, "Fseq Top init version: 0x%8.8x", val); 2930 2931 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2932 bt_dev_dbg(hdev, "Fseq Cnvio init version: 0x%8.8x", val); 2933 2934 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2935 bt_dev_dbg(hdev, "Fseq MBX Wifi file version: 0x%8.8x", val); 2936 2937 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2938 bt_dev_dbg(hdev, "Fseq BT version: 0x%8.8x", val); 2939 2940 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2941 bt_dev_dbg(hdev, "Fseq Top reset address: 0x%8.8x", val); 2942 2943 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2944 bt_dev_dbg(hdev, "Fseq MBX timeout: 0x%8.8x", val); 2945 2946 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2947 bt_dev_dbg(hdev, "Fseq MBX ack: 0x%8.8x", val); 2948 2949 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2950 bt_dev_dbg(hdev, "Fseq CNVi id: 0x%8.8x", val); 2951 2952 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2953 bt_dev_dbg(hdev, "Fseq CNVr id: 0x%8.8x", val); 2954 2955 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2956 bt_dev_dbg(hdev, "Fseq Error handle: 0x%8.8x", val); 2957 2958 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2959 bt_dev_dbg(hdev, "Fseq Magic noalive indication: 0x%8.8x", val); 2960 2961 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2962 bt_dev_dbg(hdev, "Fseq OTP version: 0x%8.8x", val); 2963 2964 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2965 bt_dev_dbg(hdev, "Fseq MBX otp version: 0x%8.8x", val); 2966 2967 kfree_skb(skb); 2968 } 2969 EXPORT_SYMBOL_GPL(btintel_print_fseq_info); 2970 2971 static int btintel_setup_combined(struct hci_dev *hdev) 2972 { 2973 const u8 param[1] = { 0xFF }; 2974 struct intel_version ver; 2975 struct intel_version_tlv ver_tlv; 2976 struct sk_buff *skb; 2977 int err; 2978 2979 BT_DBG("%s", hdev->name); 2980 2981 /* The some controllers have a bug with the first HCI command sent to it 2982 * returning number of completed commands as zero. This would stall the 2983 * command processing in the Bluetooth core. 2984 * 2985 * As a workaround, send HCI Reset command first which will reset the 2986 * number of completed commands and allow normal command processing 2987 * from now on. 2988 * 2989 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe 2990 * in the SW_RFKILL ON state as a workaround of fixing LED issue during 2991 * the shutdown() procedure, and once the device is in SW_RFKILL ON 2992 * state, the only way to exit out of it is sending the HCI_Reset 2993 * command. 2994 */ 2995 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) || 2996 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 2997 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, 2998 HCI_INIT_TIMEOUT); 2999 if (IS_ERR(skb)) { 3000 bt_dev_err(hdev, 3001 "sending initial HCI reset failed (%ld)", 3002 PTR_ERR(skb)); 3003 return PTR_ERR(skb); 3004 } 3005 kfree_skb(skb); 3006 } 3007 3008 /* Starting from TyP device, the command parameter and response are 3009 * changed even though the OCF for HCI_Intel_Read_Version command 3010 * remains same. The legacy devices can handle even if the 3011 * command has a parameter and returns a correct version information. 3012 * So, it uses new format to support both legacy and new format. 3013 */ 3014 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 3015 if (IS_ERR(skb)) { 3016 bt_dev_err(hdev, "Reading Intel version command failed (%ld)", 3017 PTR_ERR(skb)); 3018 return PTR_ERR(skb); 3019 } 3020 3021 /* Check the status */ 3022 if (skb->data[0]) { 3023 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 3024 skb->data[0]); 3025 err = -EIO; 3026 goto exit_error; 3027 } 3028 3029 /* Apply the common HCI quirks for Intel device */ 3030 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 3031 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 3032 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks); 3033 3034 /* Set up the quality report callback for Intel devices */ 3035 hdev->set_quality_report = btintel_set_quality_report; 3036 3037 /* For Legacy device, check the HW platform value and size */ 3038 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) { 3039 bt_dev_dbg(hdev, "Read the legacy Intel version information"); 3040 3041 memcpy(&ver, skb->data, sizeof(ver)); 3042 3043 /* Display version information */ 3044 btintel_version_info(hdev, &ver); 3045 3046 /* Check for supported iBT hardware variants of this firmware 3047 * loading method. 3048 * 3049 * This check has been put in place to ensure correct forward 3050 * compatibility options when newer hardware variants come 3051 * along. 3052 */ 3053 switch (ver.hw_variant) { 3054 case 0x07: /* WP */ 3055 case 0x08: /* StP */ 3056 /* Legacy ROM product */ 3057 btintel_set_flag(hdev, INTEL_ROM_LEGACY); 3058 3059 /* Apply the device specific HCI quirks 3060 * 3061 * WBS for SdP - For the Legacy ROM products, only SdP 3062 * supports the WBS. But the version information is not 3063 * enough to use here because the StP2 and SdP have same 3064 * hw_variant and fw_variant. So, this flag is set by 3065 * the transport driver (btusb) based on the HW info 3066 * (idProduct) 3067 */ 3068 if (!btintel_test_flag(hdev, 3069 INTEL_ROM_LEGACY_NO_WBS_SUPPORT)) 3070 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 3071 &hdev->quirks); 3072 3073 err = btintel_legacy_rom_setup(hdev, &ver); 3074 break; 3075 case 0x0b: /* SfP */ 3076 case 0x11: /* JfP */ 3077 case 0x12: /* ThP */ 3078 case 0x13: /* HrP */ 3079 case 0x14: /* CcP */ 3080 fallthrough; 3081 case 0x0c: /* WsP */ 3082 /* Apply the device specific HCI quirks 3083 * 3084 * All Legacy bootloader devices support WBS 3085 */ 3086 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 3087 &hdev->quirks); 3088 3089 /* These variants don't seem to support LE Coded PHY */ 3090 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 3091 3092 /* Setup MSFT Extension support */ 3093 btintel_set_msft_opcode(hdev, ver.hw_variant); 3094 3095 err = btintel_bootloader_setup(hdev, &ver); 3096 btintel_register_devcoredump_support(hdev); 3097 break; 3098 default: 3099 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3100 ver.hw_variant); 3101 err = -EINVAL; 3102 } 3103 3104 hci_set_hw_info(hdev, 3105 "INTEL platform=%u variant=%u revision=%u", 3106 ver.hw_platform, ver.hw_variant, 3107 ver.hw_revision); 3108 3109 goto exit_error; 3110 } 3111 3112 /* memset ver_tlv to start with clean state as few fields are exclusive 3113 * to bootloader mode and are not populated in operational mode 3114 */ 3115 memset(&ver_tlv, 0, sizeof(ver_tlv)); 3116 /* For TLV type device, parse the tlv data */ 3117 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb); 3118 if (err) { 3119 bt_dev_err(hdev, "Failed to parse TLV version information"); 3120 goto exit_error; 3121 } 3122 3123 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) { 3124 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 3125 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt)); 3126 err = -EINVAL; 3127 goto exit_error; 3128 } 3129 3130 /* Check for supported iBT hardware variants of this firmware 3131 * loading method. 3132 * 3133 * This check has been put in place to ensure correct forward 3134 * compatibility options when newer hardware variants come 3135 * along. 3136 */ 3137 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) { 3138 case 0x11: /* JfP */ 3139 case 0x12: /* ThP */ 3140 case 0x13: /* HrP */ 3141 case 0x14: /* CcP */ 3142 /* Some legacy bootloader devices starting from JfP, 3143 * the operational firmware supports both old and TLV based 3144 * HCI_Intel_Read_Version command based on the command 3145 * parameter. 3146 * 3147 * For upgrading firmware case, the TLV based version cannot 3148 * be used because the firmware filename for legacy bootloader 3149 * is based on the old format. 3150 * 3151 * Also, it is not easy to convert TLV based version from the 3152 * legacy version format. 3153 * 3154 * So, as a workaround for those devices, use the legacy 3155 * HCI_Intel_Read_Version to get the version information and 3156 * run the legacy bootloader setup. 3157 */ 3158 err = btintel_read_version(hdev, &ver); 3159 if (err) 3160 break; 3161 3162 /* Apply the device specific HCI quirks 3163 * 3164 * All Legacy bootloader devices support WBS 3165 */ 3166 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 3167 3168 /* These variants don't seem to support LE Coded PHY */ 3169 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 3170 3171 /* Setup MSFT Extension support */ 3172 btintel_set_msft_opcode(hdev, ver.hw_variant); 3173 3174 err = btintel_bootloader_setup(hdev, &ver); 3175 btintel_register_devcoredump_support(hdev); 3176 break; 3177 case 0x18: /* GfP2 */ 3178 case 0x1c: /* GaP */ 3179 /* Re-classify packet type for controllers with LE audio */ 3180 hdev->classify_pkt_type = btintel_classify_pkt_type; 3181 fallthrough; 3182 case 0x17: 3183 case 0x19: 3184 case 0x1b: 3185 case 0x1d: 3186 case 0x1e: 3187 /* Display version information of TLV type */ 3188 btintel_version_info_tlv(hdev, &ver_tlv); 3189 3190 /* Apply the device specific HCI quirks for TLV based devices 3191 * 3192 * All TLV based devices support WBS 3193 */ 3194 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 3195 3196 /* Setup MSFT Extension support */ 3197 btintel_set_msft_opcode(hdev, 3198 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3199 btintel_set_dsm_reset_method(hdev, &ver_tlv); 3200 3201 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv); 3202 if (err) 3203 goto exit_error; 3204 3205 btintel_register_devcoredump_support(hdev); 3206 btintel_print_fseq_info(hdev); 3207 break; 3208 default: 3209 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3210 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3211 err = -EINVAL; 3212 break; 3213 } 3214 3215 hci_set_hw_info(hdev, "INTEL platform=%u variant=%u", 3216 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt), 3217 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3218 3219 exit_error: 3220 kfree_skb(skb); 3221 3222 return err; 3223 } 3224 3225 int btintel_shutdown_combined(struct hci_dev *hdev) 3226 { 3227 struct sk_buff *skb; 3228 int ret; 3229 3230 /* Send HCI Reset to the controller to stop any BT activity which 3231 * were triggered. This will help to save power and maintain the 3232 * sync b/w Host and controller 3233 */ 3234 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 3235 if (IS_ERR(skb)) { 3236 bt_dev_err(hdev, "HCI reset during shutdown failed"); 3237 return PTR_ERR(skb); 3238 } 3239 kfree_skb(skb); 3240 3241 3242 /* Some platforms have an issue with BT LED when the interface is 3243 * down or BT radio is turned off, which takes 5 seconds to BT LED 3244 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the 3245 * device in the RFKILL ON state which turns off the BT LED immediately. 3246 */ 3247 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 3248 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 3249 if (IS_ERR(skb)) { 3250 ret = PTR_ERR(skb); 3251 bt_dev_err(hdev, "turning off Intel device LED failed"); 3252 return ret; 3253 } 3254 kfree_skb(skb); 3255 } 3256 3257 return 0; 3258 } 3259 EXPORT_SYMBOL_GPL(btintel_shutdown_combined); 3260 3261 int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name) 3262 { 3263 hdev->manufacturer = 2; 3264 hdev->setup = btintel_setup_combined; 3265 hdev->shutdown = btintel_shutdown_combined; 3266 hdev->hw_error = btintel_hw_error; 3267 hdev->set_diag = btintel_set_diag_combined; 3268 hdev->set_bdaddr = btintel_set_bdaddr; 3269 3270 coredump_info.driver_name = driver_name; 3271 3272 return 0; 3273 } 3274 EXPORT_SYMBOL_GPL(btintel_configure_setup); 3275 3276 static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 3277 { 3278 struct intel_tlv *tlv = (void *)&skb->data[5]; 3279 3280 /* The first event is always an event type TLV */ 3281 if (tlv->type != INTEL_TLV_TYPE_ID) 3282 goto recv_frame; 3283 3284 switch (tlv->val[0]) { 3285 case INTEL_TLV_SYSTEM_EXCEPTION: 3286 case INTEL_TLV_FATAL_EXCEPTION: 3287 case INTEL_TLV_DEBUG_EXCEPTION: 3288 case INTEL_TLV_TEST_EXCEPTION: 3289 /* Generate devcoredump from exception */ 3290 if (!hci_devcd_init(hdev, skb->len)) { 3291 hci_devcd_append(hdev, skb); 3292 hci_devcd_complete(hdev); 3293 } else { 3294 bt_dev_err(hdev, "Failed to generate devcoredump"); 3295 kfree_skb(skb); 3296 } 3297 return 0; 3298 default: 3299 bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]); 3300 } 3301 3302 recv_frame: 3303 return hci_recv_frame(hdev, skb); 3304 } 3305 3306 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 3307 { 3308 struct hci_event_hdr *hdr = (void *)skb->data; 3309 const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 }; 3310 3311 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 3312 hdr->plen > 0) { 3313 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 3314 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 3315 3316 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 3317 switch (skb->data[2]) { 3318 case 0x02: 3319 /* When switching to the operational firmware 3320 * the device sends a vendor specific event 3321 * indicating that the bootup completed. 3322 */ 3323 btintel_bootup(hdev, ptr, len); 3324 break; 3325 case 0x06: 3326 /* When the firmware loading completes the 3327 * device sends out a vendor specific event 3328 * indicating the result of the firmware 3329 * loading. 3330 */ 3331 btintel_secure_send_result(hdev, ptr, len); 3332 break; 3333 } 3334 } 3335 3336 /* Handle all diagnostics events separately. May still call 3337 * hci_recv_frame. 3338 */ 3339 if (len >= sizeof(diagnostics_hdr) && 3340 memcmp(&skb->data[2], diagnostics_hdr, 3341 sizeof(diagnostics_hdr)) == 0) { 3342 return btintel_diagnostics(hdev, skb); 3343 } 3344 } 3345 3346 return hci_recv_frame(hdev, skb); 3347 } 3348 EXPORT_SYMBOL_GPL(btintel_recv_event); 3349 3350 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len) 3351 { 3352 const struct intel_bootup *evt = ptr; 3353 3354 if (len != sizeof(*evt)) 3355 return; 3356 3357 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING)) 3358 btintel_wake_up_flag(hdev, INTEL_BOOTING); 3359 } 3360 EXPORT_SYMBOL_GPL(btintel_bootup); 3361 3362 void btintel_secure_send_result(struct hci_dev *hdev, 3363 const void *ptr, unsigned int len) 3364 { 3365 const struct intel_secure_send_result *evt = ptr; 3366 3367 if (len != sizeof(*evt)) 3368 return; 3369 3370 if (evt->result) 3371 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED); 3372 3373 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) && 3374 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED)) 3375 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING); 3376 } 3377 EXPORT_SYMBOL_GPL(btintel_secure_send_result); 3378 3379 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3380 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION); 3381 MODULE_VERSION(VERSION); 3382 MODULE_LICENSE("GPL"); 3383 MODULE_FIRMWARE("intel/ibt-11-5.sfi"); 3384 MODULE_FIRMWARE("intel/ibt-11-5.ddc"); 3385 MODULE_FIRMWARE("intel/ibt-12-16.sfi"); 3386 MODULE_FIRMWARE("intel/ibt-12-16.ddc"); 3387