1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * Bluetooth support for Intel devices 5 * 6 * Copyright (C) 2015 Intel Corporation 7 */ 8 9 #include <linux/module.h> 10 #include <linux/firmware.h> 11 #include <linux/regmap.h> 12 #include <linux/string_choices.h> 13 #include <linux/acpi.h> 14 #include <acpi/acpi_bus.h> 15 #include <linux/unaligned.h> 16 #include <linux/efi.h> 17 18 #include <net/bluetooth/bluetooth.h> 19 #include <net/bluetooth/hci_core.h> 20 21 #include "btintel.h" 22 23 #define VERSION "0.1" 24 25 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 26 #define RSA_HEADER_LEN 644 27 #define CSS_HEADER_OFFSET 8 28 #define ECDSA_OFFSET 644 29 #define ECDSA_HEADER_LEN 320 30 31 #define BTINTEL_EFI_DSBR L"UefiCnvCommonDSBR" 32 33 enum { 34 DSM_SET_WDISABLE2_DELAY = 1, 35 DSM_SET_RESET_METHOD = 3, 36 }; 37 38 #define CMD_WRITE_BOOT_PARAMS 0xfc0e 39 struct cmd_write_boot_params { 40 __le32 boot_addr; 41 u8 fw_build_num; 42 u8 fw_build_ww; 43 u8 fw_build_yy; 44 } __packed; 45 46 static struct { 47 const char *driver_name; 48 u8 hw_variant; 49 u32 fw_build_num; 50 } coredump_info; 51 52 static const guid_t btintel_guid_dsm = 53 GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233, 54 0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9); 55 56 int btintel_check_bdaddr(struct hci_dev *hdev) 57 { 58 struct hci_rp_read_bd_addr *bda; 59 struct sk_buff *skb; 60 61 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 62 HCI_INIT_TIMEOUT); 63 if (IS_ERR(skb)) { 64 int err = PTR_ERR(skb); 65 bt_dev_err(hdev, "Reading Intel device address failed (%d)", 66 err); 67 return err; 68 } 69 70 if (skb->len != sizeof(*bda)) { 71 bt_dev_err(hdev, "Intel device address length mismatch"); 72 kfree_skb(skb); 73 return -EIO; 74 } 75 76 bda = (struct hci_rp_read_bd_addr *)skb->data; 77 78 /* For some Intel based controllers, the default Bluetooth device 79 * address 00:03:19:9E:8B:00 can be found. These controllers are 80 * fully operational, but have the danger of duplicate addresses 81 * and that in turn can cause problems with Bluetooth operation. 82 */ 83 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) { 84 bt_dev_err(hdev, "Found Intel default device address (%pMR)", 85 &bda->bdaddr); 86 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 87 } 88 89 kfree_skb(skb); 90 91 return 0; 92 } 93 EXPORT_SYMBOL_GPL(btintel_check_bdaddr); 94 95 int btintel_enter_mfg(struct hci_dev *hdev) 96 { 97 static const u8 param[] = { 0x01, 0x00 }; 98 struct sk_buff *skb; 99 100 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 101 if (IS_ERR(skb)) { 102 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)", 103 PTR_ERR(skb)); 104 return PTR_ERR(skb); 105 } 106 kfree_skb(skb); 107 108 return 0; 109 } 110 EXPORT_SYMBOL_GPL(btintel_enter_mfg); 111 112 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched) 113 { 114 u8 param[] = { 0x00, 0x00 }; 115 struct sk_buff *skb; 116 117 /* The 2nd command parameter specifies the manufacturing exit method: 118 * 0x00: Just disable the manufacturing mode (0x00). 119 * 0x01: Disable manufacturing mode and reset with patches deactivated. 120 * 0x02: Disable manufacturing mode and reset with patches activated. 121 */ 122 if (reset) 123 param[1] |= patched ? 0x02 : 0x01; 124 125 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 126 if (IS_ERR(skb)) { 127 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)", 128 PTR_ERR(skb)); 129 return PTR_ERR(skb); 130 } 131 kfree_skb(skb); 132 133 return 0; 134 } 135 EXPORT_SYMBOL_GPL(btintel_exit_mfg); 136 137 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 138 { 139 struct sk_buff *skb; 140 int err; 141 142 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 143 if (IS_ERR(skb)) { 144 err = PTR_ERR(skb); 145 bt_dev_err(hdev, "Changing Intel device address failed (%d)", 146 err); 147 return err; 148 } 149 kfree_skb(skb); 150 151 return 0; 152 } 153 EXPORT_SYMBOL_GPL(btintel_set_bdaddr); 154 155 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug) 156 { 157 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 158 struct sk_buff *skb; 159 int err; 160 161 if (debug) 162 mask[1] |= 0x62; 163 164 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT); 165 if (IS_ERR(skb)) { 166 err = PTR_ERR(skb); 167 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err); 168 return err; 169 } 170 kfree_skb(skb); 171 172 return 0; 173 } 174 175 int btintel_set_diag(struct hci_dev *hdev, bool enable) 176 { 177 struct sk_buff *skb; 178 u8 param[3]; 179 int err; 180 181 if (enable) { 182 param[0] = 0x03; 183 param[1] = 0x03; 184 param[2] = 0x03; 185 } else { 186 param[0] = 0x00; 187 param[1] = 0x00; 188 param[2] = 0x00; 189 } 190 191 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT); 192 if (IS_ERR(skb)) { 193 err = PTR_ERR(skb); 194 if (err == -ENODATA) 195 goto done; 196 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)", 197 err); 198 return err; 199 } 200 kfree_skb(skb); 201 202 done: 203 btintel_set_event_mask(hdev, enable); 204 return 0; 205 } 206 EXPORT_SYMBOL_GPL(btintel_set_diag); 207 208 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable) 209 { 210 int err, ret; 211 212 err = btintel_enter_mfg(hdev); 213 if (err) 214 return err; 215 216 ret = btintel_set_diag(hdev, enable); 217 218 err = btintel_exit_mfg(hdev, false, false); 219 if (err) 220 return err; 221 222 return ret; 223 } 224 225 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable) 226 { 227 int ret; 228 229 /* Legacy ROM device needs to be in the manufacturer mode to apply 230 * diagnostic setting 231 * 232 * This flag is set after reading the Intel version. 233 */ 234 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY)) 235 ret = btintel_set_diag_mfg(hdev, enable); 236 else 237 ret = btintel_set_diag(hdev, enable); 238 239 return ret; 240 } 241 242 void btintel_hw_error(struct hci_dev *hdev, u8 code) 243 { 244 struct sk_buff *skb; 245 u8 type = 0x00; 246 247 bt_dev_err(hdev, "Hardware error 0x%2.2x", code); 248 249 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 250 if (IS_ERR(skb)) { 251 bt_dev_err(hdev, "Reset after hardware error failed (%ld)", 252 PTR_ERR(skb)); 253 return; 254 } 255 kfree_skb(skb); 256 257 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 258 if (IS_ERR(skb)) { 259 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)", 260 PTR_ERR(skb)); 261 return; 262 } 263 264 if (skb->len != 13) { 265 bt_dev_err(hdev, "Exception info size mismatch"); 266 kfree_skb(skb); 267 return; 268 } 269 270 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1)); 271 272 kfree_skb(skb); 273 } 274 EXPORT_SYMBOL_GPL(btintel_hw_error); 275 276 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver) 277 { 278 const char *variant; 279 280 /* The hardware platform number has a fixed value of 0x37 and 281 * for now only accept this single value. 282 */ 283 if (ver->hw_platform != 0x37) { 284 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)", 285 ver->hw_platform); 286 return -EINVAL; 287 } 288 289 /* Check for supported iBT hardware variants of this firmware 290 * loading method. 291 * 292 * This check has been put in place to ensure correct forward 293 * compatibility options when newer hardware variants come along. 294 */ 295 switch (ver->hw_variant) { 296 case 0x07: /* WP - Legacy ROM */ 297 case 0x08: /* StP - Legacy ROM */ 298 case 0x0b: /* SfP */ 299 case 0x0c: /* WsP */ 300 case 0x11: /* JfP */ 301 case 0x12: /* ThP */ 302 case 0x13: /* HrP */ 303 case 0x14: /* CcP */ 304 break; 305 default: 306 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)", 307 ver->hw_variant); 308 return -EINVAL; 309 } 310 311 switch (ver->fw_variant) { 312 case 0x01: 313 variant = "Legacy ROM 2.5"; 314 break; 315 case 0x06: 316 variant = "Bootloader"; 317 break; 318 case 0x22: 319 variant = "Legacy ROM 2.x"; 320 break; 321 case 0x23: 322 variant = "Firmware"; 323 break; 324 default: 325 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant); 326 return -EINVAL; 327 } 328 329 coredump_info.hw_variant = ver->hw_variant; 330 coredump_info.fw_build_num = ver->fw_build_num; 331 332 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u", 333 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 334 ver->fw_build_num, ver->fw_build_ww, 335 2000 + ver->fw_build_yy); 336 337 return 0; 338 } 339 EXPORT_SYMBOL_GPL(btintel_version_info); 340 341 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen, 342 const void *param) 343 { 344 while (plen > 0) { 345 struct sk_buff *skb; 346 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 347 348 cmd_param[0] = fragment_type; 349 memcpy(cmd_param + 1, param, fragment_len); 350 351 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 352 cmd_param, HCI_INIT_TIMEOUT); 353 if (IS_ERR(skb)) 354 return PTR_ERR(skb); 355 356 kfree_skb(skb); 357 358 plen -= fragment_len; 359 param += fragment_len; 360 } 361 362 return 0; 363 } 364 365 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name) 366 { 367 const struct firmware *fw; 368 struct sk_buff *skb; 369 const u8 *fw_ptr; 370 int err; 371 372 err = request_firmware_direct(&fw, ddc_name, &hdev->dev); 373 if (err < 0) { 374 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)", 375 ddc_name, err); 376 return err; 377 } 378 379 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name); 380 381 fw_ptr = fw->data; 382 383 /* DDC file contains one or more DDC structure which has 384 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 385 */ 386 while (fw->size > fw_ptr - fw->data) { 387 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 388 389 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 390 HCI_INIT_TIMEOUT); 391 if (IS_ERR(skb)) { 392 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)", 393 PTR_ERR(skb)); 394 release_firmware(fw); 395 return PTR_ERR(skb); 396 } 397 398 fw_ptr += cmd_plen; 399 kfree_skb(skb); 400 } 401 402 release_firmware(fw); 403 404 bt_dev_info(hdev, "Applying Intel DDC parameters completed"); 405 406 return 0; 407 } 408 EXPORT_SYMBOL_GPL(btintel_load_ddc_config); 409 410 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug) 411 { 412 int err, ret; 413 414 err = btintel_enter_mfg(hdev); 415 if (err) 416 return err; 417 418 ret = btintel_set_event_mask(hdev, debug); 419 420 err = btintel_exit_mfg(hdev, false, false); 421 if (err) 422 return err; 423 424 return ret; 425 } 426 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg); 427 428 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) 429 { 430 struct sk_buff *skb; 431 432 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); 433 if (IS_ERR(skb)) { 434 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 435 PTR_ERR(skb)); 436 return PTR_ERR(skb); 437 } 438 439 if (!skb || skb->len != sizeof(*ver)) { 440 bt_dev_err(hdev, "Intel version event size mismatch"); 441 kfree_skb(skb); 442 return -EILSEQ; 443 } 444 445 memcpy(ver, skb->data, sizeof(*ver)); 446 447 kfree_skb(skb); 448 449 return 0; 450 } 451 EXPORT_SYMBOL_GPL(btintel_read_version); 452 453 int btintel_version_info_tlv(struct hci_dev *hdev, 454 struct intel_version_tlv *version) 455 { 456 const char *variant; 457 458 /* The hardware platform number has a fixed value of 0x37 and 459 * for now only accept this single value. 460 */ 461 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) { 462 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 463 INTEL_HW_PLATFORM(version->cnvi_bt)); 464 return -EINVAL; 465 } 466 467 /* Check for supported iBT hardware variants of this firmware 468 * loading method. 469 * 470 * This check has been put in place to ensure correct forward 471 * compatibility options when newer hardware variants come along. 472 */ 473 switch (INTEL_HW_VARIANT(version->cnvi_bt)) { 474 case 0x17: /* TyP */ 475 case 0x18: /* Slr */ 476 case 0x19: /* Slr-F */ 477 case 0x1b: /* Mgr */ 478 case 0x1c: /* Gale Peak (GaP) */ 479 case 0x1d: /* BlazarU (BzrU) */ 480 case 0x1e: /* BlazarI (Bzr) */ 481 break; 482 default: 483 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)", 484 INTEL_HW_VARIANT(version->cnvi_bt)); 485 return -EINVAL; 486 } 487 488 switch (version->img_type) { 489 case BTINTEL_IMG_BOOTLOADER: 490 variant = "Bootloader"; 491 /* It is required that every single firmware fragment is acknowledged 492 * with a command complete event. If the boot parameters indicate 493 * that this bootloader does not send them, then abort the setup. 494 */ 495 if (version->limited_cce != 0x00) { 496 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)", 497 version->limited_cce); 498 return -EINVAL; 499 } 500 501 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */ 502 if (version->sbe_type > 0x01) { 503 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)", 504 version->sbe_type); 505 return -EINVAL; 506 } 507 508 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id); 509 bt_dev_info(hdev, "Secure boot is %s", 510 str_enabled_disabled(version->secure_boot)); 511 bt_dev_info(hdev, "OTP lock is %s", 512 str_enabled_disabled(version->otp_lock)); 513 bt_dev_info(hdev, "API lock is %s", 514 str_enabled_disabled(version->api_lock)); 515 bt_dev_info(hdev, "Debug lock is %s", 516 str_enabled_disabled(version->debug_lock)); 517 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 518 version->min_fw_build_nn, version->min_fw_build_cw, 519 2000 + version->min_fw_build_yy); 520 break; 521 case BTINTEL_IMG_IML: 522 variant = "Intermediate loader"; 523 break; 524 case BTINTEL_IMG_OP: 525 variant = "Firmware"; 526 break; 527 default: 528 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type); 529 return -EINVAL; 530 } 531 532 coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt); 533 coredump_info.fw_build_num = version->build_num; 534 535 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant, 536 2000 + (version->timestamp >> 8), version->timestamp & 0xff, 537 version->build_type, version->build_num); 538 if (version->img_type == BTINTEL_IMG_OP) 539 bt_dev_info(hdev, "Firmware SHA1: 0x%8.8x", version->git_sha1); 540 541 return 0; 542 } 543 EXPORT_SYMBOL_GPL(btintel_version_info_tlv); 544 545 int btintel_parse_version_tlv(struct hci_dev *hdev, 546 struct intel_version_tlv *version, 547 struct sk_buff *skb) 548 { 549 /* Consume Command Complete Status field */ 550 skb_pull(skb, 1); 551 552 /* Event parameters contatin multiple TLVs. Read each of them 553 * and only keep the required data. Also, it use existing legacy 554 * version field like hw_platform, hw_variant, and fw_variant 555 * to keep the existing setup flow 556 */ 557 while (skb->len) { 558 struct intel_tlv *tlv; 559 560 /* Make sure skb has a minimum length of the header */ 561 if (skb->len < sizeof(*tlv)) 562 return -EINVAL; 563 564 tlv = (struct intel_tlv *)skb->data; 565 566 /* Make sure skb has a enough data */ 567 if (skb->len < tlv->len + sizeof(*tlv)) 568 return -EINVAL; 569 570 switch (tlv->type) { 571 case INTEL_TLV_CNVI_TOP: 572 version->cnvi_top = get_unaligned_le32(tlv->val); 573 break; 574 case INTEL_TLV_CNVR_TOP: 575 version->cnvr_top = get_unaligned_le32(tlv->val); 576 break; 577 case INTEL_TLV_CNVI_BT: 578 version->cnvi_bt = get_unaligned_le32(tlv->val); 579 break; 580 case INTEL_TLV_CNVR_BT: 581 version->cnvr_bt = get_unaligned_le32(tlv->val); 582 break; 583 case INTEL_TLV_DEV_REV_ID: 584 version->dev_rev_id = get_unaligned_le16(tlv->val); 585 break; 586 case INTEL_TLV_IMAGE_TYPE: 587 version->img_type = tlv->val[0]; 588 break; 589 case INTEL_TLV_TIME_STAMP: 590 /* If image type is Operational firmware (0x03), then 591 * running FW Calendar Week and Year information can 592 * be extracted from Timestamp information 593 */ 594 version->min_fw_build_cw = tlv->val[0]; 595 version->min_fw_build_yy = tlv->val[1]; 596 version->timestamp = get_unaligned_le16(tlv->val); 597 break; 598 case INTEL_TLV_BUILD_TYPE: 599 version->build_type = tlv->val[0]; 600 break; 601 case INTEL_TLV_BUILD_NUM: 602 /* If image type is Operational firmware (0x03), then 603 * running FW build number can be extracted from the 604 * Build information 605 */ 606 version->min_fw_build_nn = tlv->val[0]; 607 version->build_num = get_unaligned_le32(tlv->val); 608 break; 609 case INTEL_TLV_SECURE_BOOT: 610 version->secure_boot = tlv->val[0]; 611 break; 612 case INTEL_TLV_OTP_LOCK: 613 version->otp_lock = tlv->val[0]; 614 break; 615 case INTEL_TLV_API_LOCK: 616 version->api_lock = tlv->val[0]; 617 break; 618 case INTEL_TLV_DEBUG_LOCK: 619 version->debug_lock = tlv->val[0]; 620 break; 621 case INTEL_TLV_MIN_FW: 622 version->min_fw_build_nn = tlv->val[0]; 623 version->min_fw_build_cw = tlv->val[1]; 624 version->min_fw_build_yy = tlv->val[2]; 625 break; 626 case INTEL_TLV_LIMITED_CCE: 627 version->limited_cce = tlv->val[0]; 628 break; 629 case INTEL_TLV_SBE_TYPE: 630 version->sbe_type = tlv->val[0]; 631 break; 632 case INTEL_TLV_OTP_BDADDR: 633 memcpy(&version->otp_bd_addr, tlv->val, 634 sizeof(bdaddr_t)); 635 break; 636 case INTEL_TLV_GIT_SHA1: 637 version->git_sha1 = get_unaligned_le32(tlv->val); 638 break; 639 case INTEL_TLV_FW_ID: 640 snprintf(version->fw_id, sizeof(version->fw_id), 641 "%s", tlv->val); 642 break; 643 default: 644 /* Ignore rest of information */ 645 break; 646 } 647 /* consume the current tlv and move to next*/ 648 skb_pull(skb, tlv->len + sizeof(*tlv)); 649 } 650 651 return 0; 652 } 653 EXPORT_SYMBOL_GPL(btintel_parse_version_tlv); 654 655 static int btintel_read_version_tlv(struct hci_dev *hdev, 656 struct intel_version_tlv *version) 657 { 658 struct sk_buff *skb; 659 const u8 param[1] = { 0xFF }; 660 661 if (!version) 662 return -EINVAL; 663 664 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 665 if (IS_ERR(skb)) { 666 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 667 PTR_ERR(skb)); 668 return PTR_ERR(skb); 669 } 670 671 if (skb->data[0]) { 672 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 673 skb->data[0]); 674 kfree_skb(skb); 675 return -EIO; 676 } 677 678 btintel_parse_version_tlv(hdev, version, skb); 679 680 kfree_skb(skb); 681 return 0; 682 } 683 684 /* ------- REGMAP IBT SUPPORT ------- */ 685 686 #define IBT_REG_MODE_8BIT 0x00 687 #define IBT_REG_MODE_16BIT 0x01 688 #define IBT_REG_MODE_32BIT 0x02 689 690 struct regmap_ibt_context { 691 struct hci_dev *hdev; 692 __u16 op_write; 693 __u16 op_read; 694 }; 695 696 struct ibt_cp_reg_access { 697 __le32 addr; 698 __u8 mode; 699 __u8 len; 700 __u8 data[]; 701 } __packed; 702 703 struct ibt_rp_reg_access { 704 __u8 status; 705 __le32 addr; 706 __u8 data[]; 707 } __packed; 708 709 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size, 710 void *val, size_t val_size) 711 { 712 struct regmap_ibt_context *ctx = context; 713 struct ibt_cp_reg_access cp; 714 struct ibt_rp_reg_access *rp; 715 struct sk_buff *skb; 716 int err = 0; 717 718 if (reg_size != sizeof(__le32)) 719 return -EINVAL; 720 721 switch (val_size) { 722 case 1: 723 cp.mode = IBT_REG_MODE_8BIT; 724 break; 725 case 2: 726 cp.mode = IBT_REG_MODE_16BIT; 727 break; 728 case 4: 729 cp.mode = IBT_REG_MODE_32BIT; 730 break; 731 default: 732 return -EINVAL; 733 } 734 735 /* regmap provides a little-endian formatted addr */ 736 cp.addr = *(__le32 *)addr; 737 cp.len = val_size; 738 739 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr)); 740 741 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp, 742 HCI_CMD_TIMEOUT); 743 if (IS_ERR(skb)) { 744 err = PTR_ERR(skb); 745 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)", 746 le32_to_cpu(cp.addr), err); 747 return err; 748 } 749 750 if (skb->len != sizeof(*rp) + val_size) { 751 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len", 752 le32_to_cpu(cp.addr)); 753 err = -EINVAL; 754 goto done; 755 } 756 757 rp = (struct ibt_rp_reg_access *)skb->data; 758 759 if (rp->addr != cp.addr) { 760 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr", 761 le32_to_cpu(rp->addr)); 762 err = -EINVAL; 763 goto done; 764 } 765 766 memcpy(val, rp->data, val_size); 767 768 done: 769 kfree_skb(skb); 770 return err; 771 } 772 773 static int regmap_ibt_gather_write(void *context, 774 const void *addr, size_t reg_size, 775 const void *val, size_t val_size) 776 { 777 struct regmap_ibt_context *ctx = context; 778 struct ibt_cp_reg_access *cp; 779 struct sk_buff *skb; 780 int plen = sizeof(*cp) + val_size; 781 u8 mode; 782 int err = 0; 783 784 if (reg_size != sizeof(__le32)) 785 return -EINVAL; 786 787 switch (val_size) { 788 case 1: 789 mode = IBT_REG_MODE_8BIT; 790 break; 791 case 2: 792 mode = IBT_REG_MODE_16BIT; 793 break; 794 case 4: 795 mode = IBT_REG_MODE_32BIT; 796 break; 797 default: 798 return -EINVAL; 799 } 800 801 cp = kmalloc(plen, GFP_KERNEL); 802 if (!cp) 803 return -ENOMEM; 804 805 /* regmap provides a little-endian formatted addr/value */ 806 cp->addr = *(__le32 *)addr; 807 cp->mode = mode; 808 cp->len = val_size; 809 memcpy(&cp->data, val, val_size); 810 811 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr)); 812 813 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT); 814 if (IS_ERR(skb)) { 815 err = PTR_ERR(skb); 816 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)", 817 le32_to_cpu(cp->addr), err); 818 goto done; 819 } 820 kfree_skb(skb); 821 822 done: 823 kfree(cp); 824 return err; 825 } 826 827 static int regmap_ibt_write(void *context, const void *data, size_t count) 828 { 829 /* data contains register+value, since we only support 32bit addr, 830 * minimum data size is 4 bytes. 831 */ 832 if (WARN_ONCE(count < 4, "Invalid register access")) 833 return -EINVAL; 834 835 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4); 836 } 837 838 static void regmap_ibt_free_context(void *context) 839 { 840 kfree(context); 841 } 842 843 static const struct regmap_bus regmap_ibt = { 844 .read = regmap_ibt_read, 845 .write = regmap_ibt_write, 846 .gather_write = regmap_ibt_gather_write, 847 .free_context = regmap_ibt_free_context, 848 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE, 849 .val_format_endian_default = REGMAP_ENDIAN_LITTLE, 850 }; 851 852 /* Config is the same for all register regions */ 853 static const struct regmap_config regmap_ibt_cfg = { 854 .name = "btintel_regmap", 855 .reg_bits = 32, 856 .val_bits = 32, 857 }; 858 859 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read, 860 u16 opcode_write) 861 { 862 struct regmap_ibt_context *ctx; 863 864 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read, 865 opcode_write); 866 867 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 868 if (!ctx) 869 return ERR_PTR(-ENOMEM); 870 871 ctx->op_read = opcode_read; 872 ctx->op_write = opcode_write; 873 ctx->hdev = hdev; 874 875 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg); 876 } 877 EXPORT_SYMBOL_GPL(btintel_regmap_init); 878 879 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param) 880 { 881 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 }; 882 struct sk_buff *skb; 883 884 params.boot_param = cpu_to_le32(boot_param); 885 886 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms, 887 HCI_INIT_TIMEOUT); 888 if (IS_ERR(skb)) { 889 bt_dev_err(hdev, "Failed to send Intel Reset command"); 890 return PTR_ERR(skb); 891 } 892 893 kfree_skb(skb); 894 895 return 0; 896 } 897 EXPORT_SYMBOL_GPL(btintel_send_intel_reset); 898 899 int btintel_read_boot_params(struct hci_dev *hdev, 900 struct intel_boot_params *params) 901 { 902 struct sk_buff *skb; 903 904 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 905 if (IS_ERR(skb)) { 906 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)", 907 PTR_ERR(skb)); 908 return PTR_ERR(skb); 909 } 910 911 if (skb->len != sizeof(*params)) { 912 bt_dev_err(hdev, "Intel boot parameters size mismatch"); 913 kfree_skb(skb); 914 return -EILSEQ; 915 } 916 917 memcpy(params, skb->data, sizeof(*params)); 918 919 kfree_skb(skb); 920 921 if (params->status) { 922 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)", 923 params->status); 924 return -bt_to_errno(params->status); 925 } 926 927 bt_dev_info(hdev, "Device revision is %u", 928 le16_to_cpu(params->dev_revid)); 929 930 bt_dev_info(hdev, "Secure boot is %s", 931 str_enabled_disabled(params->secure_boot)); 932 933 bt_dev_info(hdev, "OTP lock is %s", 934 str_enabled_disabled(params->otp_lock)); 935 936 bt_dev_info(hdev, "API lock is %s", 937 str_enabled_disabled(params->api_lock)); 938 939 bt_dev_info(hdev, "Debug lock is %s", 940 str_enabled_disabled(params->debug_lock)); 941 942 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 943 params->min_fw_build_nn, params->min_fw_build_cw, 944 2000 + params->min_fw_build_yy); 945 946 return 0; 947 } 948 EXPORT_SYMBOL_GPL(btintel_read_boot_params); 949 950 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev, 951 const struct firmware *fw) 952 { 953 int err; 954 955 /* Start the firmware download transaction with the Init fragment 956 * represented by the 128 bytes of CSS header. 957 */ 958 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 959 if (err < 0) { 960 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 961 goto done; 962 } 963 964 /* Send the 256 bytes of public key information from the firmware 965 * as the PKey fragment. 966 */ 967 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 968 if (err < 0) { 969 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 970 goto done; 971 } 972 973 /* Send the 256 bytes of signature information from the firmware 974 * as the Sign fragment. 975 */ 976 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 977 if (err < 0) { 978 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err); 979 goto done; 980 } 981 982 done: 983 return err; 984 } 985 986 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev, 987 const struct firmware *fw) 988 { 989 int err; 990 991 /* Start the firmware download transaction with the Init fragment 992 * represented by the 128 bytes of CSS header. 993 */ 994 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644); 995 if (err < 0) { 996 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 997 return err; 998 } 999 1000 /* Send the 96 bytes of public key information from the firmware 1001 * as the PKey fragment. 1002 */ 1003 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128); 1004 if (err < 0) { 1005 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 1006 return err; 1007 } 1008 1009 /* Send the 96 bytes of signature information from the firmware 1010 * as the Sign fragment 1011 */ 1012 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224); 1013 if (err < 0) { 1014 bt_dev_err(hdev, "Failed to send firmware signature (%d)", 1015 err); 1016 return err; 1017 } 1018 return 0; 1019 } 1020 1021 static int btintel_download_firmware_payload(struct hci_dev *hdev, 1022 const struct firmware *fw, 1023 size_t offset) 1024 { 1025 int err; 1026 const u8 *fw_ptr; 1027 u32 frag_len; 1028 1029 fw_ptr = fw->data + offset; 1030 frag_len = 0; 1031 err = -EINVAL; 1032 1033 while (fw_ptr - fw->data < fw->size) { 1034 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 1035 1036 frag_len += sizeof(*cmd) + cmd->plen; 1037 1038 /* The parameter length of the secure send command requires 1039 * a 4 byte alignment. It happens so that the firmware file 1040 * contains proper Intel_NOP commands to align the fragments 1041 * as needed. 1042 * 1043 * Send set of commands with 4 byte alignment from the 1044 * firmware data buffer as a single Data fragment. 1045 */ 1046 if (!(frag_len % 4)) { 1047 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 1048 if (err < 0) { 1049 bt_dev_err(hdev, 1050 "Failed to send firmware data (%d)", 1051 err); 1052 goto done; 1053 } 1054 1055 fw_ptr += frag_len; 1056 frag_len = 0; 1057 } 1058 } 1059 1060 done: 1061 return err; 1062 } 1063 1064 static bool btintel_firmware_version(struct hci_dev *hdev, 1065 u8 num, u8 ww, u8 yy, 1066 const struct firmware *fw, 1067 u32 *boot_addr) 1068 { 1069 const u8 *fw_ptr; 1070 1071 fw_ptr = fw->data; 1072 1073 while (fw_ptr - fw->data < fw->size) { 1074 struct hci_command_hdr *cmd = (void *)(fw_ptr); 1075 1076 /* Each SKU has a different reset parameter to use in the 1077 * HCI_Intel_Reset command and it is embedded in the firmware 1078 * data. So, instead of using static value per SKU, check 1079 * the firmware data and save it for later use. 1080 */ 1081 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) { 1082 struct cmd_write_boot_params *params; 1083 1084 params = (void *)(fw_ptr + sizeof(*cmd)); 1085 1086 *boot_addr = le32_to_cpu(params->boot_addr); 1087 1088 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr); 1089 1090 bt_dev_info(hdev, "Firmware Version: %u-%u.%u", 1091 params->fw_build_num, params->fw_build_ww, 1092 params->fw_build_yy); 1093 1094 return (num == params->fw_build_num && 1095 ww == params->fw_build_ww && 1096 yy == params->fw_build_yy); 1097 } 1098 1099 fw_ptr += sizeof(*cmd) + cmd->plen; 1100 } 1101 1102 return false; 1103 } 1104 1105 int btintel_download_firmware(struct hci_dev *hdev, 1106 struct intel_version *ver, 1107 const struct firmware *fw, 1108 u32 *boot_param) 1109 { 1110 int err; 1111 1112 /* SfP and WsP don't seem to update the firmware version on file 1113 * so version checking is currently not possible. 1114 */ 1115 switch (ver->hw_variant) { 1116 case 0x0b: /* SfP */ 1117 case 0x0c: /* WsP */ 1118 /* Skip version checking */ 1119 break; 1120 default: 1121 1122 /* Skip download if firmware has the same version */ 1123 if (btintel_firmware_version(hdev, ver->fw_build_num, 1124 ver->fw_build_ww, ver->fw_build_yy, 1125 fw, boot_param)) { 1126 bt_dev_info(hdev, "Firmware already loaded"); 1127 /* Return -EALREADY to indicate that the firmware has 1128 * already been loaded. 1129 */ 1130 return -EALREADY; 1131 } 1132 } 1133 1134 /* The firmware variant determines if the device is in bootloader 1135 * mode or is running operational firmware. The value 0x06 identifies 1136 * the bootloader and the value 0x23 identifies the operational 1137 * firmware. 1138 * 1139 * If the firmware version has changed that means it needs to be reset 1140 * to bootloader when operational so the new firmware can be loaded. 1141 */ 1142 if (ver->fw_variant == 0x23) 1143 return -EINVAL; 1144 1145 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1146 if (err) 1147 return err; 1148 1149 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1150 } 1151 EXPORT_SYMBOL_GPL(btintel_download_firmware); 1152 1153 static int btintel_download_fw_tlv(struct hci_dev *hdev, 1154 struct intel_version_tlv *ver, 1155 const struct firmware *fw, u32 *boot_param, 1156 u8 hw_variant, u8 sbe_type) 1157 { 1158 int err; 1159 u32 css_header_ver; 1160 1161 /* Skip download if firmware has the same version */ 1162 if (btintel_firmware_version(hdev, ver->min_fw_build_nn, 1163 ver->min_fw_build_cw, 1164 ver->min_fw_build_yy, 1165 fw, boot_param)) { 1166 bt_dev_info(hdev, "Firmware already loaded"); 1167 /* Return -EALREADY to indicate that firmware has 1168 * already been loaded. 1169 */ 1170 return -EALREADY; 1171 } 1172 1173 /* The firmware variant determines if the device is in bootloader 1174 * mode or is running operational firmware. The value 0x01 identifies 1175 * the bootloader and the value 0x03 identifies the operational 1176 * firmware. 1177 * 1178 * If the firmware version has changed that means it needs to be reset 1179 * to bootloader when operational so the new firmware can be loaded. 1180 */ 1181 if (ver->img_type == BTINTEL_IMG_OP) 1182 return -EINVAL; 1183 1184 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support 1185 * only RSA secure boot engine. Hence, the corresponding sfi file will 1186 * have RSA header of 644 bytes followed by Command Buffer. 1187 * 1188 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA 1189 * secure boot engine. As a result, the corresponding sfi file will 1190 * have RSA header of 644, ECDSA header of 320 bytes followed by 1191 * Command Buffer. 1192 * 1193 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header 1194 * version: RSA(0x00010000) , ECDSA (0x00020000) 1195 */ 1196 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET); 1197 if (css_header_ver != 0x00010000) { 1198 bt_dev_err(hdev, "Invalid CSS Header version"); 1199 return -EINVAL; 1200 } 1201 1202 if (hw_variant <= 0x14) { 1203 if (sbe_type != 0x00) { 1204 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)", 1205 hw_variant); 1206 return -EINVAL; 1207 } 1208 1209 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1210 if (err) 1211 return err; 1212 1213 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1214 if (err) 1215 return err; 1216 } else if (hw_variant >= 0x17) { 1217 /* Check if CSS header for ECDSA follows the RSA header */ 1218 if (fw->data[ECDSA_OFFSET] != 0x06) 1219 return -EINVAL; 1220 1221 /* Check if the CSS Header version is ECDSA(0x00020000) */ 1222 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET); 1223 if (css_header_ver != 0x00020000) { 1224 bt_dev_err(hdev, "Invalid CSS Header version"); 1225 return -EINVAL; 1226 } 1227 1228 if (sbe_type == 0x00) { 1229 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1230 if (err) 1231 return err; 1232 1233 err = btintel_download_firmware_payload(hdev, fw, 1234 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1235 if (err) 1236 return err; 1237 } else if (sbe_type == 0x01) { 1238 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw); 1239 if (err) 1240 return err; 1241 1242 err = btintel_download_firmware_payload(hdev, fw, 1243 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1244 if (err) 1245 return err; 1246 } 1247 } 1248 return 0; 1249 } 1250 1251 static void btintel_reset_to_bootloader(struct hci_dev *hdev) 1252 { 1253 struct intel_reset params; 1254 struct sk_buff *skb; 1255 1256 /* PCIe transport uses shared hardware reset mechanism for recovery 1257 * which gets triggered in pcie *setup* function on error. 1258 */ 1259 if (hdev->bus == HCI_PCI) 1260 return; 1261 1262 /* Send Intel Reset command. This will result in 1263 * re-enumeration of BT controller. 1264 * 1265 * Intel Reset parameter description: 1266 * reset_type : 0x00 (Soft reset), 1267 * 0x01 (Hard reset) 1268 * patch_enable : 0x00 (Do not enable), 1269 * 0x01 (Enable) 1270 * ddc_reload : 0x00 (Do not reload), 1271 * 0x01 (Reload) 1272 * boot_option: 0x00 (Current image), 1273 * 0x01 (Specified boot address) 1274 * boot_param: Boot address 1275 * 1276 */ 1277 1278 params.reset_type = 0x01; 1279 params.patch_enable = 0x01; 1280 params.ddc_reload = 0x01; 1281 params.boot_option = 0x00; 1282 params.boot_param = cpu_to_le32(0x00000000); 1283 1284 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), 1285 ¶ms, HCI_INIT_TIMEOUT); 1286 if (IS_ERR(skb)) { 1287 bt_dev_err(hdev, "FW download error recovery failed (%ld)", 1288 PTR_ERR(skb)); 1289 return; 1290 } 1291 bt_dev_info(hdev, "Intel reset sent to retry FW download"); 1292 kfree_skb(skb); 1293 1294 /* Current Intel BT controllers(ThP/JfP) hold the USB reset 1295 * lines for 2ms when it receives Intel Reset in bootloader mode. 1296 * Whereas, the upcoming Intel BT controllers will hold USB reset 1297 * for 150ms. To keep the delay generic, 150ms is chosen here. 1298 */ 1299 msleep(150); 1300 } 1301 1302 static int btintel_read_debug_features(struct hci_dev *hdev, 1303 struct intel_debug_features *features) 1304 { 1305 struct sk_buff *skb; 1306 u8 page_no = 1; 1307 1308 /* Intel controller supports two pages, each page is of 128-bit 1309 * feature bit mask. And each bit defines specific feature support 1310 */ 1311 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no, 1312 HCI_INIT_TIMEOUT); 1313 if (IS_ERR(skb)) { 1314 bt_dev_err(hdev, "Reading supported features failed (%ld)", 1315 PTR_ERR(skb)); 1316 return PTR_ERR(skb); 1317 } 1318 1319 if (skb->len != (sizeof(features->page1) + 3)) { 1320 bt_dev_err(hdev, "Supported features event size mismatch"); 1321 kfree_skb(skb); 1322 return -EILSEQ; 1323 } 1324 1325 memcpy(features->page1, skb->data + 3, sizeof(features->page1)); 1326 1327 /* Read the supported features page2 if required in future. 1328 */ 1329 kfree_skb(skb); 1330 return 0; 1331 } 1332 1333 static int btintel_set_debug_features(struct hci_dev *hdev, 1334 const struct intel_debug_features *features) 1335 { 1336 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00, 1337 0x00, 0x00, 0x00 }; 1338 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 }; 1339 u8 trace_enable = 0x02; 1340 struct sk_buff *skb; 1341 1342 if (!features) { 1343 bt_dev_warn(hdev, "Debug features not read"); 1344 return -EINVAL; 1345 } 1346 1347 if (!(features->page1[0] & 0x3f)) { 1348 bt_dev_info(hdev, "Telemetry exception format not supported"); 1349 return 0; 1350 } 1351 1352 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1353 if (IS_ERR(skb)) { 1354 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1355 PTR_ERR(skb)); 1356 return PTR_ERR(skb); 1357 } 1358 kfree_skb(skb); 1359 1360 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT); 1361 if (IS_ERR(skb)) { 1362 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)", 1363 PTR_ERR(skb)); 1364 return PTR_ERR(skb); 1365 } 1366 kfree_skb(skb); 1367 1368 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1369 if (IS_ERR(skb)) { 1370 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)", 1371 PTR_ERR(skb)); 1372 return PTR_ERR(skb); 1373 } 1374 kfree_skb(skb); 1375 1376 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x", 1377 trace_enable, mask[3]); 1378 1379 return 0; 1380 } 1381 1382 static int btintel_reset_debug_features(struct hci_dev *hdev, 1383 const struct intel_debug_features *features) 1384 { 1385 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 1386 0x00, 0x00, 0x00 }; 1387 u8 trace_enable = 0x00; 1388 struct sk_buff *skb; 1389 1390 if (!features) { 1391 bt_dev_warn(hdev, "Debug features not read"); 1392 return -EINVAL; 1393 } 1394 1395 if (!(features->page1[0] & 0x3f)) { 1396 bt_dev_info(hdev, "Telemetry exception format not supported"); 1397 return 0; 1398 } 1399 1400 /* Should stop the trace before writing ddc event mask. */ 1401 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1402 if (IS_ERR(skb)) { 1403 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)", 1404 PTR_ERR(skb)); 1405 return PTR_ERR(skb); 1406 } 1407 kfree_skb(skb); 1408 1409 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1410 if (IS_ERR(skb)) { 1411 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1412 PTR_ERR(skb)); 1413 return PTR_ERR(skb); 1414 } 1415 kfree_skb(skb); 1416 1417 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x", 1418 trace_enable, mask[3]); 1419 1420 return 0; 1421 } 1422 1423 int btintel_set_quality_report(struct hci_dev *hdev, bool enable) 1424 { 1425 struct intel_debug_features features; 1426 int err; 1427 1428 bt_dev_dbg(hdev, "enable %d", enable); 1429 1430 /* Read the Intel supported features and if new exception formats 1431 * supported, need to load the additional DDC config to enable. 1432 */ 1433 err = btintel_read_debug_features(hdev, &features); 1434 if (err) 1435 return err; 1436 1437 /* Set or reset the debug features. */ 1438 if (enable) 1439 err = btintel_set_debug_features(hdev, &features); 1440 else 1441 err = btintel_reset_debug_features(hdev, &features); 1442 1443 return err; 1444 } 1445 EXPORT_SYMBOL_GPL(btintel_set_quality_report); 1446 1447 static void btintel_coredump(struct hci_dev *hdev) 1448 { 1449 struct sk_buff *skb; 1450 1451 skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT); 1452 if (IS_ERR(skb)) { 1453 bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb)); 1454 return; 1455 } 1456 1457 kfree_skb(skb); 1458 } 1459 1460 static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb) 1461 { 1462 char buf[80]; 1463 1464 snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n", 1465 coredump_info.hw_variant); 1466 skb_put_data(skb, buf, strlen(buf)); 1467 1468 snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n", 1469 coredump_info.fw_build_num); 1470 skb_put_data(skb, buf, strlen(buf)); 1471 1472 snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name); 1473 skb_put_data(skb, buf, strlen(buf)); 1474 1475 snprintf(buf, sizeof(buf), "Vendor: Intel\n"); 1476 skb_put_data(skb, buf, strlen(buf)); 1477 } 1478 1479 static int btintel_register_devcoredump_support(struct hci_dev *hdev) 1480 { 1481 struct intel_debug_features features; 1482 int err; 1483 1484 err = btintel_read_debug_features(hdev, &features); 1485 if (err) { 1486 bt_dev_info(hdev, "Error reading debug features"); 1487 return err; 1488 } 1489 1490 if (!(features.page1[0] & 0x3f)) { 1491 bt_dev_dbg(hdev, "Telemetry exception format not supported"); 1492 return -EOPNOTSUPP; 1493 } 1494 1495 hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL); 1496 1497 return err; 1498 } 1499 1500 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev, 1501 struct intel_version *ver) 1502 { 1503 const struct firmware *fw; 1504 char fwname[64]; 1505 int ret; 1506 1507 snprintf(fwname, sizeof(fwname), 1508 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1509 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1510 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1511 ver->fw_build_ww, ver->fw_build_yy); 1512 1513 ret = request_firmware(&fw, fwname, &hdev->dev); 1514 if (ret < 0) { 1515 if (ret == -EINVAL) { 1516 bt_dev_err(hdev, "Intel firmware file request failed (%d)", 1517 ret); 1518 return NULL; 1519 } 1520 1521 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)", 1522 fwname, ret); 1523 1524 /* If the correct firmware patch file is not found, use the 1525 * default firmware patch file instead 1526 */ 1527 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1528 ver->hw_platform, ver->hw_variant); 1529 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1530 bt_dev_err(hdev, "failed to open default fw file: %s", 1531 fwname); 1532 return NULL; 1533 } 1534 } 1535 1536 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname); 1537 1538 return fw; 1539 } 1540 1541 static int btintel_legacy_rom_patching(struct hci_dev *hdev, 1542 const struct firmware *fw, 1543 const u8 **fw_ptr, int *disable_patch) 1544 { 1545 struct sk_buff *skb; 1546 struct hci_command_hdr *cmd; 1547 const u8 *cmd_param; 1548 struct hci_event_hdr *evt = NULL; 1549 const u8 *evt_param = NULL; 1550 int remain = fw->size - (*fw_ptr - fw->data); 1551 1552 /* The first byte indicates the types of the patch command or event. 1553 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1554 * in the current firmware buffer doesn't start with 0x01 or 1555 * the size of remain buffer is smaller than HCI command header, 1556 * the firmware file is corrupted and it should stop the patching 1557 * process. 1558 */ 1559 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1560 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read"); 1561 return -EINVAL; 1562 } 1563 (*fw_ptr)++; 1564 remain--; 1565 1566 cmd = (struct hci_command_hdr *)(*fw_ptr); 1567 *fw_ptr += sizeof(*cmd); 1568 remain -= sizeof(*cmd); 1569 1570 /* Ensure that the remain firmware data is long enough than the length 1571 * of command parameter. If not, the firmware file is corrupted. 1572 */ 1573 if (remain < cmd->plen) { 1574 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len"); 1575 return -EFAULT; 1576 } 1577 1578 /* If there is a command that loads a patch in the firmware 1579 * file, then enable the patch upon success, otherwise just 1580 * disable the manufacturer mode, for example patch activation 1581 * is not required when the default firmware patch file is used 1582 * because there are no patch data to load. 1583 */ 1584 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1585 *disable_patch = 0; 1586 1587 cmd_param = *fw_ptr; 1588 *fw_ptr += cmd->plen; 1589 remain -= cmd->plen; 1590 1591 /* This reads the expected events when the above command is sent to the 1592 * device. Some vendor commands expects more than one events, for 1593 * example command status event followed by vendor specific event. 1594 * For this case, it only keeps the last expected event. so the command 1595 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1596 * last expected event. 1597 */ 1598 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1599 (*fw_ptr)++; 1600 remain--; 1601 1602 evt = (struct hci_event_hdr *)(*fw_ptr); 1603 *fw_ptr += sizeof(*evt); 1604 remain -= sizeof(*evt); 1605 1606 if (remain < evt->plen) { 1607 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len"); 1608 return -EFAULT; 1609 } 1610 1611 evt_param = *fw_ptr; 1612 *fw_ptr += evt->plen; 1613 remain -= evt->plen; 1614 } 1615 1616 /* Every HCI commands in the firmware file has its correspond event. 1617 * If event is not found or remain is smaller than zero, the firmware 1618 * file is corrupted. 1619 */ 1620 if (!evt || !evt_param || remain < 0) { 1621 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read"); 1622 return -EFAULT; 1623 } 1624 1625 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1626 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1627 if (IS_ERR(skb)) { 1628 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)", 1629 cmd->opcode, PTR_ERR(skb)); 1630 return PTR_ERR(skb); 1631 } 1632 1633 /* It ensures that the returned event matches the event data read from 1634 * the firmware file. At fist, it checks the length and then 1635 * the contents of the event. 1636 */ 1637 if (skb->len != evt->plen) { 1638 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)", 1639 le16_to_cpu(cmd->opcode)); 1640 kfree_skb(skb); 1641 return -EFAULT; 1642 } 1643 1644 if (memcmp(skb->data, evt_param, evt->plen)) { 1645 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)", 1646 le16_to_cpu(cmd->opcode)); 1647 kfree_skb(skb); 1648 return -EFAULT; 1649 } 1650 kfree_skb(skb); 1651 1652 return 0; 1653 } 1654 1655 static int btintel_legacy_rom_setup(struct hci_dev *hdev, 1656 struct intel_version *ver) 1657 { 1658 const struct firmware *fw; 1659 const u8 *fw_ptr; 1660 int disable_patch, err; 1661 struct intel_version new_ver; 1662 1663 BT_DBG("%s", hdev->name); 1664 1665 /* fw_patch_num indicates the version of patch the device currently 1666 * have. If there is no patch data in the device, it is always 0x00. 1667 * So, if it is other than 0x00, no need to patch the device again. 1668 */ 1669 if (ver->fw_patch_num) { 1670 bt_dev_info(hdev, 1671 "Intel device is already patched. patch num: %02x", 1672 ver->fw_patch_num); 1673 goto complete; 1674 } 1675 1676 /* Opens the firmware patch file based on the firmware version read 1677 * from the controller. If it fails to open the matching firmware 1678 * patch file, it tries to open the default firmware patch file. 1679 * If no patch file is found, allow the device to operate without 1680 * a patch. 1681 */ 1682 fw = btintel_legacy_rom_get_fw(hdev, ver); 1683 if (!fw) 1684 goto complete; 1685 fw_ptr = fw->data; 1686 1687 /* Enable the manufacturer mode of the controller. 1688 * Only while this mode is enabled, the driver can download the 1689 * firmware patch data and configuration parameters. 1690 */ 1691 err = btintel_enter_mfg(hdev); 1692 if (err) { 1693 release_firmware(fw); 1694 return err; 1695 } 1696 1697 disable_patch = 1; 1698 1699 /* The firmware data file consists of list of Intel specific HCI 1700 * commands and its expected events. The first byte indicates the 1701 * type of the message, either HCI command or HCI event. 1702 * 1703 * It reads the command and its expected event from the firmware file, 1704 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1705 * the returned event is compared with the event read from the firmware 1706 * file and it will continue until all the messages are downloaded to 1707 * the controller. 1708 * 1709 * Once the firmware patching is completed successfully, 1710 * the manufacturer mode is disabled with reset and activating the 1711 * downloaded patch. 1712 * 1713 * If the firmware patching fails, the manufacturer mode is 1714 * disabled with reset and deactivating the patch. 1715 * 1716 * If the default patch file is used, no reset is done when disabling 1717 * the manufacturer. 1718 */ 1719 while (fw->size > fw_ptr - fw->data) { 1720 int ret; 1721 1722 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr, 1723 &disable_patch); 1724 if (ret < 0) 1725 goto exit_mfg_deactivate; 1726 } 1727 1728 release_firmware(fw); 1729 1730 if (disable_patch) 1731 goto exit_mfg_disable; 1732 1733 /* Patching completed successfully and disable the manufacturer mode 1734 * with reset and activate the downloaded firmware patches. 1735 */ 1736 err = btintel_exit_mfg(hdev, true, true); 1737 if (err) 1738 return err; 1739 1740 /* Need build number for downloaded fw patches in 1741 * every power-on boot 1742 */ 1743 err = btintel_read_version(hdev, &new_ver); 1744 if (err) 1745 return err; 1746 1747 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated", 1748 new_ver.fw_patch_num); 1749 1750 goto complete; 1751 1752 exit_mfg_disable: 1753 /* Disable the manufacturer mode without reset */ 1754 err = btintel_exit_mfg(hdev, false, false); 1755 if (err) 1756 return err; 1757 1758 bt_dev_info(hdev, "Intel firmware patch completed"); 1759 1760 goto complete; 1761 1762 exit_mfg_deactivate: 1763 release_firmware(fw); 1764 1765 /* Patching failed. Disable the manufacturer mode with reset and 1766 * deactivate the downloaded firmware patches. 1767 */ 1768 err = btintel_exit_mfg(hdev, true, false); 1769 if (err) 1770 return err; 1771 1772 bt_dev_info(hdev, "Intel firmware patch completed and deactivated"); 1773 1774 complete: 1775 /* Set the event mask for Intel specific vendor events. This enables 1776 * a few extra events that are useful during general operation. 1777 */ 1778 btintel_set_event_mask_mfg(hdev, false); 1779 1780 btintel_check_bdaddr(hdev); 1781 1782 return 0; 1783 } 1784 1785 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1786 { 1787 ktime_t delta, rettime; 1788 unsigned long long duration; 1789 int err; 1790 1791 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1792 1793 bt_dev_info(hdev, "Waiting for firmware download to complete"); 1794 1795 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING, 1796 TASK_INTERRUPTIBLE, 1797 msecs_to_jiffies(msec)); 1798 if (err == -EINTR) { 1799 bt_dev_err(hdev, "Firmware loading interrupted"); 1800 return err; 1801 } 1802 1803 if (err) { 1804 bt_dev_err(hdev, "Firmware loading timeout"); 1805 return -ETIMEDOUT; 1806 } 1807 1808 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) { 1809 bt_dev_err(hdev, "Firmware loading failed"); 1810 return -ENOEXEC; 1811 } 1812 1813 rettime = ktime_get(); 1814 delta = ktime_sub(rettime, calltime); 1815 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1816 1817 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration); 1818 1819 return 0; 1820 } 1821 1822 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1823 { 1824 ktime_t delta, rettime; 1825 unsigned long long duration; 1826 int err; 1827 1828 bt_dev_info(hdev, "Waiting for device to boot"); 1829 1830 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING, 1831 TASK_INTERRUPTIBLE, 1832 msecs_to_jiffies(msec)); 1833 if (err == -EINTR) { 1834 bt_dev_err(hdev, "Device boot interrupted"); 1835 return -EINTR; 1836 } 1837 1838 if (err) { 1839 bt_dev_err(hdev, "Device boot timeout"); 1840 return -ETIMEDOUT; 1841 } 1842 1843 rettime = ktime_get(); 1844 delta = ktime_sub(rettime, calltime); 1845 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 1846 1847 bt_dev_info(hdev, "Device booted in %llu usecs", duration); 1848 1849 return 0; 1850 } 1851 1852 static int btintel_boot_wait_d0(struct hci_dev *hdev, ktime_t calltime, 1853 int msec) 1854 { 1855 ktime_t delta, rettime; 1856 unsigned long long duration; 1857 int err; 1858 1859 bt_dev_info(hdev, "Waiting for device transition to d0"); 1860 1861 err = btintel_wait_on_flag_timeout(hdev, INTEL_WAIT_FOR_D0, 1862 TASK_INTERRUPTIBLE, 1863 msecs_to_jiffies(msec)); 1864 if (err == -EINTR) { 1865 bt_dev_err(hdev, "Device d0 move interrupted"); 1866 return -EINTR; 1867 } 1868 1869 if (err) { 1870 bt_dev_err(hdev, "Device d0 move timeout"); 1871 return -ETIMEDOUT; 1872 } 1873 1874 rettime = ktime_get(); 1875 delta = ktime_sub(rettime, calltime); 1876 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1877 1878 bt_dev_info(hdev, "Device moved to D0 in %llu usecs", duration); 1879 1880 return 0; 1881 } 1882 1883 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr) 1884 { 1885 ktime_t calltime; 1886 int err; 1887 1888 calltime = ktime_get(); 1889 1890 btintel_set_flag(hdev, INTEL_BOOTING); 1891 btintel_set_flag(hdev, INTEL_WAIT_FOR_D0); 1892 1893 err = btintel_send_intel_reset(hdev, boot_addr); 1894 if (err) { 1895 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err); 1896 btintel_reset_to_bootloader(hdev); 1897 return err; 1898 } 1899 1900 /* The bootloader will not indicate when the device is ready. This 1901 * is done by the operational firmware sending bootup notification. 1902 * 1903 * Booting into operational firmware should not take longer than 1904 * 5 second. However if that happens, then just fail the setup 1905 * since something went wrong. 1906 */ 1907 err = btintel_boot_wait(hdev, calltime, 5000); 1908 if (err == -ETIMEDOUT) { 1909 btintel_reset_to_bootloader(hdev); 1910 goto exit_error; 1911 } 1912 1913 if (hdev->bus == HCI_PCI) { 1914 /* In case of PCIe, after receiving bootup event, driver performs 1915 * D0 entry by writing 0 to sleep control register (check 1916 * btintel_pcie_recv_event()) 1917 * Firmware acks with alive interrupt indicating host is full ready to 1918 * perform BT operation. Lets wait here till INTEL_WAIT_FOR_D0 1919 * bit is cleared. 1920 */ 1921 calltime = ktime_get(); 1922 err = btintel_boot_wait_d0(hdev, calltime, 2000); 1923 } 1924 1925 exit_error: 1926 return err; 1927 } 1928 1929 static int btintel_get_fw_name(struct intel_version *ver, 1930 struct intel_boot_params *params, 1931 char *fw_name, size_t len, 1932 const char *suffix) 1933 { 1934 switch (ver->hw_variant) { 1935 case 0x0b: /* SfP */ 1936 case 0x0c: /* WsP */ 1937 snprintf(fw_name, len, "intel/ibt-%u-%u.%s", 1938 ver->hw_variant, 1939 le16_to_cpu(params->dev_revid), 1940 suffix); 1941 break; 1942 case 0x11: /* JfP */ 1943 case 0x12: /* ThP */ 1944 case 0x13: /* HrP */ 1945 case 0x14: /* CcP */ 1946 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s", 1947 ver->hw_variant, 1948 ver->hw_revision, 1949 ver->fw_revision, 1950 suffix); 1951 break; 1952 default: 1953 return -EINVAL; 1954 } 1955 1956 return 0; 1957 } 1958 1959 static int btintel_download_fw(struct hci_dev *hdev, 1960 struct intel_version *ver, 1961 struct intel_boot_params *params, 1962 u32 *boot_param) 1963 { 1964 const struct firmware *fw; 1965 char fwname[64]; 1966 int err; 1967 ktime_t calltime; 1968 1969 if (!ver || !params) 1970 return -EINVAL; 1971 1972 /* The firmware variant determines if the device is in bootloader 1973 * mode or is running operational firmware. The value 0x06 identifies 1974 * the bootloader and the value 0x23 identifies the operational 1975 * firmware. 1976 * 1977 * When the operational firmware is already present, then only 1978 * the check for valid Bluetooth device address is needed. This 1979 * determines if the device will be added as configured or 1980 * unconfigured controller. 1981 * 1982 * It is not possible to use the Secure Boot Parameters in this 1983 * case since that command is only available in bootloader mode. 1984 */ 1985 if (ver->fw_variant == 0x23) { 1986 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 1987 btintel_check_bdaddr(hdev); 1988 1989 /* SfP and WsP don't seem to update the firmware version on file 1990 * so version checking is currently possible. 1991 */ 1992 switch (ver->hw_variant) { 1993 case 0x0b: /* SfP */ 1994 case 0x0c: /* WsP */ 1995 return 0; 1996 } 1997 1998 /* Proceed to download to check if the version matches */ 1999 goto download; 2000 } 2001 2002 /* Read the secure boot parameters to identify the operating 2003 * details of the bootloader. 2004 */ 2005 err = btintel_read_boot_params(hdev, params); 2006 if (err) 2007 return err; 2008 2009 /* It is required that every single firmware fragment is acknowledged 2010 * with a command complete event. If the boot parameters indicate 2011 * that this bootloader does not send them, then abort the setup. 2012 */ 2013 if (params->limited_cce != 0x00) { 2014 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)", 2015 params->limited_cce); 2016 return -EINVAL; 2017 } 2018 2019 /* If the OTP has no valid Bluetooth device address, then there will 2020 * also be no valid address for the operational firmware. 2021 */ 2022 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2023 bt_dev_info(hdev, "No device address configured"); 2024 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2025 } 2026 2027 download: 2028 /* With this Intel bootloader only the hardware variant and device 2029 * revision information are used to select the right firmware for SfP 2030 * and WsP. 2031 * 2032 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi. 2033 * 2034 * Currently the supported hardware variants are: 2035 * 11 (0x0b) for iBT3.0 (LnP/SfP) 2036 * 12 (0x0c) for iBT3.5 (WsP) 2037 * 2038 * For ThP/JfP and for future SKU's, the FW name varies based on HW 2039 * variant, HW revision and FW revision, as these are dependent on CNVi 2040 * and RF Combination. 2041 * 2042 * 17 (0x11) for iBT3.5 (JfP) 2043 * 18 (0x12) for iBT3.5 (ThP) 2044 * 2045 * The firmware file name for these will be 2046 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi. 2047 * 2048 */ 2049 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi"); 2050 if (err < 0) { 2051 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2052 /* Firmware has already been loaded */ 2053 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2054 return 0; 2055 } 2056 2057 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2058 return -EINVAL; 2059 } 2060 2061 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2062 if (err < 0) { 2063 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2064 /* Firmware has already been loaded */ 2065 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2066 return 0; 2067 } 2068 2069 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2070 fwname, err); 2071 return err; 2072 } 2073 2074 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2075 2076 if (fw->size < 644) { 2077 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2078 fw->size); 2079 err = -EBADF; 2080 goto done; 2081 } 2082 2083 calltime = ktime_get(); 2084 2085 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2086 2087 /* Start firmware downloading and get boot parameter */ 2088 err = btintel_download_firmware(hdev, ver, fw, boot_param); 2089 if (err < 0) { 2090 if (err == -EALREADY) { 2091 /* Firmware has already been loaded */ 2092 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2093 err = 0; 2094 goto done; 2095 } 2096 2097 /* When FW download fails, send Intel Reset to retry 2098 * FW download. 2099 */ 2100 btintel_reset_to_bootloader(hdev); 2101 goto done; 2102 } 2103 2104 /* Before switching the device into operational mode and with that 2105 * booting the loaded firmware, wait for the bootloader notification 2106 * that all fragments have been successfully received. 2107 * 2108 * When the event processing receives the notification, then the 2109 * INTEL_DOWNLOADING flag will be cleared. 2110 * 2111 * The firmware loading should not take longer than 5 seconds 2112 * and thus just timeout if that happens and fail the setup 2113 * of this device. 2114 */ 2115 err = btintel_download_wait(hdev, calltime, 5000); 2116 if (err == -ETIMEDOUT) 2117 btintel_reset_to_bootloader(hdev); 2118 2119 done: 2120 release_firmware(fw); 2121 return err; 2122 } 2123 2124 static int btintel_bootloader_setup(struct hci_dev *hdev, 2125 struct intel_version *ver) 2126 { 2127 struct intel_version new_ver; 2128 struct intel_boot_params params; 2129 u32 boot_param; 2130 char ddcname[64]; 2131 int err; 2132 2133 BT_DBG("%s", hdev->name); 2134 2135 /* Set the default boot parameter to 0x0 and it is updated to 2136 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2137 * command while downloading the firmware. 2138 */ 2139 boot_param = 0x00000000; 2140 2141 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2142 2143 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param); 2144 if (err) 2145 return err; 2146 2147 /* controller is already having an operational firmware */ 2148 if (ver->fw_variant == 0x23) 2149 goto finish; 2150 2151 err = btintel_boot(hdev, boot_param); 2152 if (err) 2153 return err; 2154 2155 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2156 2157 err = btintel_get_fw_name(ver, ¶ms, ddcname, 2158 sizeof(ddcname), "ddc"); 2159 2160 if (err < 0) { 2161 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2162 } else { 2163 /* Once the device is running in operational mode, it needs to 2164 * apply the device configuration (DDC) parameters. 2165 * 2166 * The device can work without DDC parameters, so even if it 2167 * fails to load the file, no need to fail the setup. 2168 */ 2169 btintel_load_ddc_config(hdev, ddcname); 2170 } 2171 2172 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2173 2174 /* Read the Intel version information after loading the FW */ 2175 err = btintel_read_version(hdev, &new_ver); 2176 if (err) 2177 return err; 2178 2179 btintel_version_info(hdev, &new_ver); 2180 2181 finish: 2182 /* Set the event mask for Intel specific vendor events. This enables 2183 * a few extra events that are useful during general operation. It 2184 * does not enable any debugging related events. 2185 * 2186 * The device will function correctly without these events enabled 2187 * and thus no need to fail the setup. 2188 */ 2189 btintel_set_event_mask(hdev, false); 2190 2191 return 0; 2192 } 2193 2194 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver, 2195 char *fw_name, size_t len, 2196 const char *suffix) 2197 { 2198 const char *format; 2199 u32 cnvi, cnvr; 2200 2201 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2202 INTEL_CNVX_TOP_STEP(ver->cnvi_top)); 2203 2204 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2205 INTEL_CNVX_TOP_STEP(ver->cnvr_top)); 2206 2207 /* Only Blazar product supports downloading of intermediate loader 2208 * image 2209 */ 2210 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) { 2211 u8 zero[BTINTEL_FWID_MAXLEN]; 2212 2213 if (ver->img_type == BTINTEL_IMG_BOOTLOADER) { 2214 format = "intel/ibt-%04x-%04x-iml.%s"; 2215 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2216 return; 2217 } 2218 2219 memset(zero, 0, sizeof(zero)); 2220 2221 /* ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step-fw_id> */ 2222 if (memcmp(ver->fw_id, zero, sizeof(zero))) { 2223 format = "intel/ibt-%04x-%04x-%s.%s"; 2224 snprintf(fw_name, len, format, cnvi, cnvr, 2225 ver->fw_id, suffix); 2226 return; 2227 } 2228 /* If firmware id is not present, fallback to legacy naming 2229 * convention 2230 */ 2231 } 2232 /* Fallback to legacy naming convention for other controllers 2233 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step> 2234 */ 2235 format = "intel/ibt-%04x-%04x.%s"; 2236 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2237 } 2238 2239 static void btintel_get_iml_tlv(const struct intel_version_tlv *ver, 2240 char *fw_name, size_t len, 2241 const char *suffix) 2242 { 2243 const char *format; 2244 u32 cnvi, cnvr; 2245 2246 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2247 INTEL_CNVX_TOP_STEP(ver->cnvi_top)); 2248 2249 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2250 INTEL_CNVX_TOP_STEP(ver->cnvr_top)); 2251 2252 format = "intel/ibt-%04x-%04x-iml.%s"; 2253 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2254 } 2255 2256 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev, 2257 struct intel_version_tlv *ver, 2258 u32 *boot_param) 2259 { 2260 const struct firmware *fw; 2261 char fwname[128]; 2262 int err; 2263 ktime_t calltime; 2264 2265 if (!ver || !boot_param) 2266 return -EINVAL; 2267 2268 /* The firmware variant determines if the device is in bootloader 2269 * mode or is running operational firmware. The value 0x03 identifies 2270 * the bootloader and the value 0x23 identifies the operational 2271 * firmware. 2272 * 2273 * When the operational firmware is already present, then only 2274 * the check for valid Bluetooth device address is needed. This 2275 * determines if the device will be added as configured or 2276 * unconfigured controller. 2277 * 2278 * It is not possible to use the Secure Boot Parameters in this 2279 * case since that command is only available in bootloader mode. 2280 */ 2281 if (ver->img_type == BTINTEL_IMG_OP) { 2282 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2283 btintel_check_bdaddr(hdev); 2284 } else { 2285 /* 2286 * Check for valid bd address in boot loader mode. Device 2287 * will be marked as unconfigured if empty bd address is 2288 * found. 2289 */ 2290 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) { 2291 bt_dev_info(hdev, "No device address configured"); 2292 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2293 } 2294 } 2295 2296 if (ver->img_type == BTINTEL_IMG_OP) { 2297 /* Controller running OP image. In case of FW downgrade, 2298 * FWID TLV may not be present and driver may attempt to load 2299 * firmware image which doesn't exist. Lets compare the version 2300 * of IML image 2301 */ 2302 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) 2303 btintel_get_iml_tlv(ver, fwname, sizeof(fwname), "sfi"); 2304 else 2305 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2306 } else { 2307 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2308 } 2309 2310 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2311 if (err < 0) { 2312 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2313 /* Firmware has already been loaded */ 2314 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2315 return 0; 2316 } 2317 2318 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2319 fwname, err); 2320 2321 return err; 2322 } 2323 2324 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2325 2326 if (fw->size < 644) { 2327 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2328 fw->size); 2329 err = -EBADF; 2330 goto done; 2331 } 2332 2333 calltime = ktime_get(); 2334 2335 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2336 2337 /* Start firmware downloading and get boot parameter */ 2338 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param, 2339 INTEL_HW_VARIANT(ver->cnvi_bt), 2340 ver->sbe_type); 2341 if (err < 0) { 2342 if (err == -EALREADY) { 2343 /* Firmware has already been loaded */ 2344 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2345 err = 0; 2346 goto done; 2347 } 2348 2349 /* When FW download fails, send Intel Reset to retry 2350 * FW download. 2351 */ 2352 btintel_reset_to_bootloader(hdev); 2353 goto done; 2354 } 2355 2356 /* Before switching the device into operational mode and with that 2357 * booting the loaded firmware, wait for the bootloader notification 2358 * that all fragments have been successfully received. 2359 * 2360 * When the event processing receives the notification, then the 2361 * BTUSB_DOWNLOADING flag will be cleared. 2362 * 2363 * The firmware loading should not take longer than 5 seconds 2364 * and thus just timeout if that happens and fail the setup 2365 * of this device. 2366 */ 2367 err = btintel_download_wait(hdev, calltime, 5000); 2368 if (err == -ETIMEDOUT) 2369 btintel_reset_to_bootloader(hdev); 2370 2371 done: 2372 release_firmware(fw); 2373 return err; 2374 } 2375 2376 static int btintel_get_codec_config_data(struct hci_dev *hdev, 2377 __u8 link, struct bt_codec *codec, 2378 __u8 *ven_len, __u8 **ven_data) 2379 { 2380 int err = 0; 2381 2382 if (!ven_data || !ven_len) 2383 return -EINVAL; 2384 2385 *ven_len = 0; 2386 *ven_data = NULL; 2387 2388 if (link != ESCO_LINK) { 2389 bt_dev_err(hdev, "Invalid link type(%u)", link); 2390 return -EINVAL; 2391 } 2392 2393 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL); 2394 if (!*ven_data) { 2395 err = -ENOMEM; 2396 goto error; 2397 } 2398 2399 /* supports only CVSD and mSBC offload codecs */ 2400 switch (codec->id) { 2401 case 0x02: 2402 **ven_data = 0x00; 2403 break; 2404 case 0x05: 2405 **ven_data = 0x01; 2406 break; 2407 default: 2408 err = -EINVAL; 2409 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id); 2410 goto error; 2411 } 2412 /* codec and its capabilities are pre-defined to ids 2413 * preset id = 0x00 represents CVSD codec with sampling rate 8K 2414 * preset id = 0x01 represents mSBC codec with sampling rate 16K 2415 */ 2416 *ven_len = sizeof(__u8); 2417 return err; 2418 2419 error: 2420 kfree(*ven_data); 2421 *ven_data = NULL; 2422 return err; 2423 } 2424 2425 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id) 2426 { 2427 /* Intel uses 1 as data path id for all the usecases */ 2428 *data_path_id = 1; 2429 return 0; 2430 } 2431 2432 static int btintel_configure_offload(struct hci_dev *hdev) 2433 { 2434 struct sk_buff *skb; 2435 int err = 0; 2436 struct intel_offload_use_cases *use_cases; 2437 2438 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT); 2439 if (IS_ERR(skb)) { 2440 bt_dev_err(hdev, "Reading offload use cases failed (%ld)", 2441 PTR_ERR(skb)); 2442 return PTR_ERR(skb); 2443 } 2444 2445 if (skb->len < sizeof(*use_cases)) { 2446 err = -EIO; 2447 goto error; 2448 } 2449 2450 use_cases = (void *)skb->data; 2451 2452 if (use_cases->status) { 2453 err = -bt_to_errno(skb->data[0]); 2454 goto error; 2455 } 2456 2457 if (use_cases->preset[0] & 0x03) { 2458 hdev->get_data_path_id = btintel_get_data_path_id; 2459 hdev->get_codec_config_data = btintel_get_codec_config_data; 2460 } 2461 error: 2462 kfree_skb(skb); 2463 return err; 2464 } 2465 2466 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver) 2467 { 2468 struct sk_buff *skb; 2469 struct hci_ppag_enable_cmd ppag_cmd; 2470 acpi_handle handle; 2471 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; 2472 union acpi_object *p, *elements; 2473 u32 domain, mode; 2474 acpi_status status; 2475 2476 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */ 2477 switch (ver->cnvr_top & 0xFFF) { 2478 case 0x504: /* Hrp2 */ 2479 case 0x202: /* Jfp2 */ 2480 case 0x201: /* Jfp1 */ 2481 bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)", 2482 ver->cnvr_top & 0xFFF); 2483 return; 2484 } 2485 2486 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2487 if (!handle) { 2488 bt_dev_info(hdev, "No support for BT device in ACPI firmware"); 2489 return; 2490 } 2491 2492 status = acpi_evaluate_object(handle, "PPAG", NULL, &buffer); 2493 if (ACPI_FAILURE(status)) { 2494 if (status == AE_NOT_FOUND) { 2495 bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found"); 2496 return; 2497 } 2498 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 2499 return; 2500 } 2501 2502 p = buffer.pointer; 2503 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) { 2504 bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d", 2505 p->type, p->package.count); 2506 kfree(buffer.pointer); 2507 return; 2508 } 2509 2510 elements = p->package.elements; 2511 2512 /* PPAG table is located at element[1] */ 2513 p = &elements[1]; 2514 2515 domain = (u32)p->package.elements[0].integer.value; 2516 mode = (u32)p->package.elements[1].integer.value; 2517 kfree(buffer.pointer); 2518 2519 if (domain != 0x12) { 2520 bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware"); 2521 return; 2522 } 2523 2524 /* PPAG mode 2525 * BIT 0 : 0 Disabled in EU 2526 * 1 Enabled in EU 2527 * BIT 1 : 0 Disabled in China 2528 * 1 Enabled in China 2529 */ 2530 mode &= 0x03; 2531 2532 if (!mode) { 2533 bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in BIOS"); 2534 return; 2535 } 2536 2537 ppag_cmd.ppag_enable_flags = cpu_to_le32(mode); 2538 2539 skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd), 2540 &ppag_cmd, HCI_CMD_TIMEOUT); 2541 if (IS_ERR(skb)) { 2542 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb)); 2543 return; 2544 } 2545 bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", mode); 2546 kfree_skb(skb); 2547 } 2548 2549 static int btintel_acpi_reset_method(struct hci_dev *hdev) 2550 { 2551 int ret = 0; 2552 acpi_status status; 2553 union acpi_object *p, *ref; 2554 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; 2555 2556 status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer); 2557 if (ACPI_FAILURE(status)) { 2558 bt_dev_err(hdev, "Failed to run _PRR method"); 2559 ret = -ENODEV; 2560 return ret; 2561 } 2562 p = buffer.pointer; 2563 2564 if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) { 2565 bt_dev_err(hdev, "Invalid arguments"); 2566 ret = -EINVAL; 2567 goto exit_on_error; 2568 } 2569 2570 ref = &p->package.elements[0]; 2571 if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) { 2572 bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type); 2573 ret = -EINVAL; 2574 goto exit_on_error; 2575 } 2576 2577 status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL); 2578 if (ACPI_FAILURE(status)) { 2579 bt_dev_err(hdev, "Failed to run_RST method"); 2580 ret = -ENODEV; 2581 goto exit_on_error; 2582 } 2583 2584 exit_on_error: 2585 kfree(buffer.pointer); 2586 return ret; 2587 } 2588 2589 static void btintel_set_dsm_reset_method(struct hci_dev *hdev, 2590 struct intel_version_tlv *ver_tlv) 2591 { 2592 struct btintel_data *data = hci_get_priv(hdev); 2593 acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2594 u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00}; 2595 union acpi_object *obj, argv4; 2596 enum { 2597 RESET_TYPE_WDISABLE2, 2598 RESET_TYPE_VSEC 2599 }; 2600 2601 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2602 2603 if (!handle) { 2604 bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware"); 2605 return; 2606 } 2607 2608 if (!acpi_has_method(handle, "_PRR")) { 2609 bt_dev_err(hdev, "No support for _PRR ACPI method"); 2610 return; 2611 } 2612 2613 switch (ver_tlv->cnvi_top & 0xfff) { 2614 case 0x910: /* GalePeak2 */ 2615 reset_payload[2] = RESET_TYPE_VSEC; 2616 break; 2617 default: 2618 /* WDISABLE2 is the default reset method */ 2619 reset_payload[2] = RESET_TYPE_WDISABLE2; 2620 2621 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2622 BIT(DSM_SET_WDISABLE2_DELAY))) { 2623 bt_dev_err(hdev, "No dsm support to set reset delay"); 2624 return; 2625 } 2626 argv4.integer.type = ACPI_TYPE_INTEGER; 2627 /* delay required to toggle BT power */ 2628 argv4.integer.value = 160; 2629 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2630 DSM_SET_WDISABLE2_DELAY, &argv4); 2631 if (!obj) { 2632 bt_dev_err(hdev, "Failed to call dsm to set reset delay"); 2633 return; 2634 } 2635 ACPI_FREE(obj); 2636 } 2637 2638 bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]); 2639 2640 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2641 DSM_SET_RESET_METHOD)) { 2642 bt_dev_warn(hdev, "No support for dsm to set reset method"); 2643 return; 2644 } 2645 argv4.buffer.type = ACPI_TYPE_BUFFER; 2646 argv4.buffer.length = sizeof(reset_payload); 2647 argv4.buffer.pointer = reset_payload; 2648 2649 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2650 DSM_SET_RESET_METHOD, &argv4); 2651 if (!obj) { 2652 bt_dev_err(hdev, "Failed to call dsm to set reset method"); 2653 return; 2654 } 2655 ACPI_FREE(obj); 2656 data->acpi_reset_method = btintel_acpi_reset_method; 2657 } 2658 2659 #define BTINTEL_ISODATA_HANDLE_BASE 0x900 2660 2661 static u8 btintel_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb) 2662 { 2663 /* 2664 * Distinguish ISO data packets form ACL data packets 2665 * based on their connection handle value range. 2666 */ 2667 if (hci_skb_pkt_type(skb) == HCI_ACLDATA_PKT) { 2668 __u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle); 2669 2670 if (hci_handle(handle) >= BTINTEL_ISODATA_HANDLE_BASE) 2671 return HCI_ISODATA_PKT; 2672 } 2673 2674 return hci_skb_pkt_type(skb); 2675 } 2676 2677 /* 2678 * UefiCnvCommonDSBR UEFI variable provides information from the OEM platforms 2679 * if they have replaced the BRI (Bluetooth Radio Interface) resistor to 2680 * overcome the potential STEP errors on their designs. Based on the 2681 * configauration, bluetooth firmware shall adjust the BRI response line drive 2682 * strength. The below structure represents DSBR data. 2683 * struct { 2684 * u8 header; 2685 * u32 dsbr; 2686 * } __packed; 2687 * 2688 * header - defines revision number of the structure 2689 * dsbr - defines drive strength BRI response 2690 * bit0 2691 * 0 - instructs bluetooth firmware to use default values 2692 * 1 - instructs bluetooth firmware to override default values 2693 * bit3:1 2694 * Reserved 2695 * bit7:4 2696 * DSBR override values (only if bit0 is set. Default value is 0xF 2697 * bit31:7 2698 * Reserved 2699 * Expected values for dsbr field: 2700 * 1. 0xF1 - indicates that the resistor on board is 33 Ohm 2701 * 2. 0x00 or 0xB1 - indicates that the resistor on board is 10 Ohm 2702 * 3. Non existing UEFI variable or invalid (none of the above) - indicates 2703 * that the resistor on board is 10 Ohm 2704 * Even if uefi variable is not present, driver shall send 0xfc0a command to 2705 * firmware to use default values. 2706 * 2707 */ 2708 static int btintel_uefi_get_dsbr(u32 *dsbr_var) 2709 { 2710 struct btintel_dsbr { 2711 u8 header; 2712 u32 dsbr; 2713 } __packed data; 2714 2715 efi_status_t status; 2716 unsigned long data_size = 0; 2717 efi_guid_t guid = EFI_GUID(0xe65d8884, 0xd4af, 0x4b20, 0x8d, 0x03, 2718 0x77, 0x2e, 0xcc, 0x3d, 0xa5, 0x31); 2719 2720 if (!IS_ENABLED(CONFIG_EFI)) 2721 return -EOPNOTSUPP; 2722 2723 if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) 2724 return -EOPNOTSUPP; 2725 2726 status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size, 2727 NULL); 2728 2729 if (status != EFI_BUFFER_TOO_SMALL || !data_size) 2730 return -EIO; 2731 2732 status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size, 2733 &data); 2734 2735 if (status != EFI_SUCCESS) 2736 return -ENXIO; 2737 2738 *dsbr_var = data.dsbr; 2739 return 0; 2740 } 2741 2742 static int btintel_set_dsbr(struct hci_dev *hdev, struct intel_version_tlv *ver) 2743 { 2744 struct btintel_dsbr_cmd { 2745 u8 enable; 2746 u8 dsbr; 2747 } __packed; 2748 2749 struct btintel_dsbr_cmd cmd; 2750 struct sk_buff *skb; 2751 u32 dsbr, cnvi; 2752 u8 status; 2753 int err; 2754 2755 cnvi = ver->cnvi_top & 0xfff; 2756 /* DSBR command needs to be sent for, 2757 * 1. BlazarI or BlazarIW + B0 step product in IML image. 2758 * 2. Gale Peak2 or BlazarU in OP image. 2759 */ 2760 2761 switch (cnvi) { 2762 case BTINTEL_CNVI_BLAZARI: 2763 case BTINTEL_CNVI_BLAZARIW: 2764 if (ver->img_type == BTINTEL_IMG_IML && 2765 INTEL_CNVX_TOP_STEP(ver->cnvi_top) == 0x01) 2766 break; 2767 return 0; 2768 case BTINTEL_CNVI_GAP: 2769 case BTINTEL_CNVI_BLAZARU: 2770 if (ver->img_type == BTINTEL_IMG_OP && 2771 hdev->bus == HCI_USB) 2772 break; 2773 return 0; 2774 default: 2775 return 0; 2776 } 2777 2778 dsbr = 0; 2779 err = btintel_uefi_get_dsbr(&dsbr); 2780 if (err < 0) 2781 bt_dev_dbg(hdev, "Error reading efi: %ls (%d)", 2782 BTINTEL_EFI_DSBR, err); 2783 2784 cmd.enable = dsbr & BIT(0); 2785 cmd.dsbr = dsbr >> 4 & 0xF; 2786 2787 bt_dev_info(hdev, "dsbr: enable: 0x%2.2x value: 0x%2.2x", cmd.enable, 2788 cmd.dsbr); 2789 2790 skb = __hci_cmd_sync(hdev, 0xfc0a, sizeof(cmd), &cmd, HCI_CMD_TIMEOUT); 2791 if (IS_ERR(skb)) 2792 return -bt_to_errno(PTR_ERR(skb)); 2793 2794 status = skb->data[0]; 2795 kfree_skb(skb); 2796 2797 if (status) 2798 return -bt_to_errno(status); 2799 2800 return 0; 2801 } 2802 2803 int btintel_bootloader_setup_tlv(struct hci_dev *hdev, 2804 struct intel_version_tlv *ver) 2805 { 2806 u32 boot_param; 2807 char ddcname[64]; 2808 int err; 2809 struct intel_version_tlv new_ver; 2810 2811 bt_dev_dbg(hdev, ""); 2812 2813 /* Set the default boot parameter to 0x0 and it is updated to 2814 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2815 * command while downloading the firmware. 2816 */ 2817 boot_param = 0x00000000; 2818 2819 /* In case of PCIe, this function might get called multiple times with 2820 * same hdev instance if there is any error on firmware download. 2821 * Need to clear stale bits of previous firmware download attempt. 2822 */ 2823 for (int i = 0; i < __INTEL_NUM_FLAGS; i++) 2824 btintel_clear_flag(hdev, i); 2825 2826 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2827 2828 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2829 if (err) 2830 return err; 2831 2832 /* check if controller is already having an operational firmware */ 2833 if (ver->img_type == BTINTEL_IMG_OP) 2834 goto finish; 2835 2836 err = btintel_boot(hdev, boot_param); 2837 if (err) 2838 return err; 2839 2840 err = btintel_read_version_tlv(hdev, ver); 2841 if (err) 2842 return err; 2843 2844 /* set drive strength of BRI response */ 2845 err = btintel_set_dsbr(hdev, ver); 2846 if (err) { 2847 bt_dev_err(hdev, "Failed to send dsbr command (%d)", err); 2848 return err; 2849 } 2850 2851 /* If image type returned is BTINTEL_IMG_IML, then controller supports 2852 * intermediate loader image 2853 */ 2854 if (ver->img_type == BTINTEL_IMG_IML) { 2855 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2856 if (err) 2857 return err; 2858 2859 err = btintel_boot(hdev, boot_param); 2860 if (err) 2861 return err; 2862 } 2863 2864 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2865 2866 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc"); 2867 /* Once the device is running in operational mode, it needs to 2868 * apply the device configuration (DDC) parameters. 2869 * 2870 * The device can work without DDC parameters, so even if it 2871 * fails to load the file, no need to fail the setup. 2872 */ 2873 btintel_load_ddc_config(hdev, ddcname); 2874 2875 /* Read supported use cases and set callbacks to fetch datapath id */ 2876 btintel_configure_offload(hdev); 2877 2878 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2879 2880 /* Set PPAG feature */ 2881 btintel_set_ppag(hdev, ver); 2882 2883 /* Read the Intel version information after loading the FW */ 2884 err = btintel_read_version_tlv(hdev, &new_ver); 2885 if (err) 2886 return err; 2887 2888 btintel_version_info_tlv(hdev, &new_ver); 2889 2890 finish: 2891 /* Set the event mask for Intel specific vendor events. This enables 2892 * a few extra events that are useful during general operation. It 2893 * does not enable any debugging related events. 2894 * 2895 * The device will function correctly without these events enabled 2896 * and thus no need to fail the setup. 2897 */ 2898 btintel_set_event_mask(hdev, false); 2899 2900 return 0; 2901 } 2902 EXPORT_SYMBOL_GPL(btintel_bootloader_setup_tlv); 2903 2904 void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant) 2905 { 2906 switch (hw_variant) { 2907 /* Legacy bootloader devices that supports MSFT Extension */ 2908 case 0x11: /* JfP */ 2909 case 0x12: /* ThP */ 2910 case 0x13: /* HrP */ 2911 case 0x14: /* CcP */ 2912 /* All Intel new generation controllers support the Microsoft vendor 2913 * extension are using 0xFC1E for VsMsftOpCode. 2914 */ 2915 case 0x17: 2916 case 0x18: 2917 case 0x19: 2918 case 0x1b: 2919 case 0x1c: 2920 case 0x1d: 2921 case 0x1e: 2922 hci_set_msft_opcode(hdev, 0xFC1E); 2923 break; 2924 default: 2925 /* Not supported */ 2926 break; 2927 } 2928 } 2929 EXPORT_SYMBOL_GPL(btintel_set_msft_opcode); 2930 2931 void btintel_print_fseq_info(struct hci_dev *hdev) 2932 { 2933 struct sk_buff *skb; 2934 u8 *p; 2935 u32 val; 2936 const char *str; 2937 2938 skb = __hci_cmd_sync(hdev, 0xfcb3, 0, NULL, HCI_CMD_TIMEOUT); 2939 if (IS_ERR(skb)) { 2940 bt_dev_dbg(hdev, "Reading fseq status command failed (%ld)", 2941 PTR_ERR(skb)); 2942 return; 2943 } 2944 2945 if (skb->len < (sizeof(u32) * 16 + 2)) { 2946 bt_dev_dbg(hdev, "Malformed packet of length %u received", 2947 skb->len); 2948 kfree_skb(skb); 2949 return; 2950 } 2951 2952 p = skb_pull_data(skb, 1); 2953 if (*p) { 2954 bt_dev_dbg(hdev, "Failed to get fseq status (0x%2.2x)", *p); 2955 kfree_skb(skb); 2956 return; 2957 } 2958 2959 p = skb_pull_data(skb, 1); 2960 switch (*p) { 2961 case 0: 2962 str = "Success"; 2963 break; 2964 case 1: 2965 str = "Fatal error"; 2966 break; 2967 case 2: 2968 str = "Semaphore acquire error"; 2969 break; 2970 default: 2971 str = "Unknown error"; 2972 break; 2973 } 2974 2975 if (*p) { 2976 bt_dev_err(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2977 kfree_skb(skb); 2978 return; 2979 } 2980 2981 bt_dev_info(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2982 2983 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2984 bt_dev_dbg(hdev, "Reason: 0x%8.8x", val); 2985 2986 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2987 bt_dev_dbg(hdev, "Global version: 0x%8.8x", val); 2988 2989 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2990 bt_dev_dbg(hdev, "Installed version: 0x%8.8x", val); 2991 2992 p = skb->data; 2993 skb_pull_data(skb, 4); 2994 bt_dev_info(hdev, "Fseq executed: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 2995 p[2], p[3]); 2996 2997 p = skb->data; 2998 skb_pull_data(skb, 4); 2999 bt_dev_info(hdev, "Fseq BT Top: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 3000 p[2], p[3]); 3001 3002 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3003 bt_dev_dbg(hdev, "Fseq Top init version: 0x%8.8x", val); 3004 3005 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3006 bt_dev_dbg(hdev, "Fseq Cnvio init version: 0x%8.8x", val); 3007 3008 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3009 bt_dev_dbg(hdev, "Fseq MBX Wifi file version: 0x%8.8x", val); 3010 3011 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3012 bt_dev_dbg(hdev, "Fseq BT version: 0x%8.8x", val); 3013 3014 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3015 bt_dev_dbg(hdev, "Fseq Top reset address: 0x%8.8x", val); 3016 3017 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3018 bt_dev_dbg(hdev, "Fseq MBX timeout: 0x%8.8x", val); 3019 3020 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3021 bt_dev_dbg(hdev, "Fseq MBX ack: 0x%8.8x", val); 3022 3023 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3024 bt_dev_dbg(hdev, "Fseq CNVi id: 0x%8.8x", val); 3025 3026 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3027 bt_dev_dbg(hdev, "Fseq CNVr id: 0x%8.8x", val); 3028 3029 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3030 bt_dev_dbg(hdev, "Fseq Error handle: 0x%8.8x", val); 3031 3032 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3033 bt_dev_dbg(hdev, "Fseq Magic noalive indication: 0x%8.8x", val); 3034 3035 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3036 bt_dev_dbg(hdev, "Fseq OTP version: 0x%8.8x", val); 3037 3038 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3039 bt_dev_dbg(hdev, "Fseq MBX otp version: 0x%8.8x", val); 3040 3041 kfree_skb(skb); 3042 } 3043 EXPORT_SYMBOL_GPL(btintel_print_fseq_info); 3044 3045 static int btintel_setup_combined(struct hci_dev *hdev) 3046 { 3047 const u8 param[1] = { 0xFF }; 3048 struct intel_version ver; 3049 struct intel_version_tlv ver_tlv; 3050 struct sk_buff *skb; 3051 int err; 3052 3053 BT_DBG("%s", hdev->name); 3054 3055 /* The some controllers have a bug with the first HCI command sent to it 3056 * returning number of completed commands as zero. This would stall the 3057 * command processing in the Bluetooth core. 3058 * 3059 * As a workaround, send HCI Reset command first which will reset the 3060 * number of completed commands and allow normal command processing 3061 * from now on. 3062 * 3063 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe 3064 * in the SW_RFKILL ON state as a workaround of fixing LED issue during 3065 * the shutdown() procedure, and once the device is in SW_RFKILL ON 3066 * state, the only way to exit out of it is sending the HCI_Reset 3067 * command. 3068 */ 3069 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) || 3070 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 3071 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, 3072 HCI_INIT_TIMEOUT); 3073 if (IS_ERR(skb)) { 3074 bt_dev_err(hdev, 3075 "sending initial HCI reset failed (%ld)", 3076 PTR_ERR(skb)); 3077 return PTR_ERR(skb); 3078 } 3079 kfree_skb(skb); 3080 } 3081 3082 /* Starting from TyP device, the command parameter and response are 3083 * changed even though the OCF for HCI_Intel_Read_Version command 3084 * remains same. The legacy devices can handle even if the 3085 * command has a parameter and returns a correct version information. 3086 * So, it uses new format to support both legacy and new format. 3087 */ 3088 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 3089 if (IS_ERR(skb)) { 3090 bt_dev_err(hdev, "Reading Intel version command failed (%ld)", 3091 PTR_ERR(skb)); 3092 return PTR_ERR(skb); 3093 } 3094 3095 /* Check the status */ 3096 if (skb->data[0]) { 3097 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 3098 skb->data[0]); 3099 err = -EIO; 3100 goto exit_error; 3101 } 3102 3103 /* Apply the common HCI quirks for Intel device */ 3104 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 3105 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 3106 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks); 3107 3108 /* Set up the quality report callback for Intel devices */ 3109 hdev->set_quality_report = btintel_set_quality_report; 3110 3111 /* For Legacy device, check the HW platform value and size */ 3112 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) { 3113 bt_dev_dbg(hdev, "Read the legacy Intel version information"); 3114 3115 memcpy(&ver, skb->data, sizeof(ver)); 3116 3117 /* Display version information */ 3118 btintel_version_info(hdev, &ver); 3119 3120 /* Check for supported iBT hardware variants of this firmware 3121 * loading method. 3122 * 3123 * This check has been put in place to ensure correct forward 3124 * compatibility options when newer hardware variants come 3125 * along. 3126 */ 3127 switch (ver.hw_variant) { 3128 case 0x07: /* WP */ 3129 case 0x08: /* StP */ 3130 /* Legacy ROM product */ 3131 btintel_set_flag(hdev, INTEL_ROM_LEGACY); 3132 3133 /* Apply the device specific HCI quirks 3134 * 3135 * WBS for SdP - For the Legacy ROM products, only SdP 3136 * supports the WBS. But the version information is not 3137 * enough to use here because the StP2 and SdP have same 3138 * hw_variant and fw_variant. So, this flag is set by 3139 * the transport driver (btusb) based on the HW info 3140 * (idProduct) 3141 */ 3142 if (!btintel_test_flag(hdev, 3143 INTEL_ROM_LEGACY_NO_WBS_SUPPORT)) 3144 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 3145 &hdev->quirks); 3146 3147 err = btintel_legacy_rom_setup(hdev, &ver); 3148 break; 3149 case 0x0b: /* SfP */ 3150 case 0x11: /* JfP */ 3151 case 0x12: /* ThP */ 3152 case 0x13: /* HrP */ 3153 case 0x14: /* CcP */ 3154 fallthrough; 3155 case 0x0c: /* WsP */ 3156 /* Apply the device specific HCI quirks 3157 * 3158 * All Legacy bootloader devices support WBS 3159 */ 3160 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 3161 &hdev->quirks); 3162 3163 /* These variants don't seem to support LE Coded PHY */ 3164 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 3165 3166 /* Setup MSFT Extension support */ 3167 btintel_set_msft_opcode(hdev, ver.hw_variant); 3168 3169 err = btintel_bootloader_setup(hdev, &ver); 3170 btintel_register_devcoredump_support(hdev); 3171 break; 3172 default: 3173 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3174 ver.hw_variant); 3175 err = -EINVAL; 3176 } 3177 3178 hci_set_hw_info(hdev, 3179 "INTEL platform=%u variant=%u revision=%u", 3180 ver.hw_platform, ver.hw_variant, 3181 ver.hw_revision); 3182 3183 goto exit_error; 3184 } 3185 3186 /* memset ver_tlv to start with clean state as few fields are exclusive 3187 * to bootloader mode and are not populated in operational mode 3188 */ 3189 memset(&ver_tlv, 0, sizeof(ver_tlv)); 3190 /* For TLV type device, parse the tlv data */ 3191 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb); 3192 if (err) { 3193 bt_dev_err(hdev, "Failed to parse TLV version information"); 3194 goto exit_error; 3195 } 3196 3197 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) { 3198 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 3199 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt)); 3200 err = -EINVAL; 3201 goto exit_error; 3202 } 3203 3204 /* Check for supported iBT hardware variants of this firmware 3205 * loading method. 3206 * 3207 * This check has been put in place to ensure correct forward 3208 * compatibility options when newer hardware variants come 3209 * along. 3210 */ 3211 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) { 3212 case 0x11: /* JfP */ 3213 case 0x12: /* ThP */ 3214 case 0x13: /* HrP */ 3215 case 0x14: /* CcP */ 3216 /* Some legacy bootloader devices starting from JfP, 3217 * the operational firmware supports both old and TLV based 3218 * HCI_Intel_Read_Version command based on the command 3219 * parameter. 3220 * 3221 * For upgrading firmware case, the TLV based version cannot 3222 * be used because the firmware filename for legacy bootloader 3223 * is based on the old format. 3224 * 3225 * Also, it is not easy to convert TLV based version from the 3226 * legacy version format. 3227 * 3228 * So, as a workaround for those devices, use the legacy 3229 * HCI_Intel_Read_Version to get the version information and 3230 * run the legacy bootloader setup. 3231 */ 3232 err = btintel_read_version(hdev, &ver); 3233 if (err) 3234 break; 3235 3236 /* Apply the device specific HCI quirks 3237 * 3238 * All Legacy bootloader devices support WBS 3239 */ 3240 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 3241 3242 /* These variants don't seem to support LE Coded PHY */ 3243 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 3244 3245 /* Setup MSFT Extension support */ 3246 btintel_set_msft_opcode(hdev, ver.hw_variant); 3247 3248 err = btintel_bootloader_setup(hdev, &ver); 3249 btintel_register_devcoredump_support(hdev); 3250 break; 3251 case 0x18: /* GfP2 */ 3252 case 0x1c: /* GaP */ 3253 /* Re-classify packet type for controllers with LE audio */ 3254 hdev->classify_pkt_type = btintel_classify_pkt_type; 3255 fallthrough; 3256 case 0x17: 3257 case 0x19: 3258 case 0x1b: 3259 case 0x1d: 3260 case 0x1e: 3261 /* Display version information of TLV type */ 3262 btintel_version_info_tlv(hdev, &ver_tlv); 3263 3264 /* Apply the device specific HCI quirks for TLV based devices 3265 * 3266 * All TLV based devices support WBS 3267 */ 3268 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 3269 3270 /* Setup MSFT Extension support */ 3271 btintel_set_msft_opcode(hdev, 3272 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3273 btintel_set_dsm_reset_method(hdev, &ver_tlv); 3274 3275 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv); 3276 if (err) 3277 goto exit_error; 3278 3279 btintel_register_devcoredump_support(hdev); 3280 btintel_print_fseq_info(hdev); 3281 break; 3282 default: 3283 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3284 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3285 err = -EINVAL; 3286 break; 3287 } 3288 3289 hci_set_hw_info(hdev, "INTEL platform=%u variant=%u", 3290 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt), 3291 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3292 3293 exit_error: 3294 kfree_skb(skb); 3295 3296 return err; 3297 } 3298 3299 int btintel_shutdown_combined(struct hci_dev *hdev) 3300 { 3301 struct sk_buff *skb; 3302 int ret; 3303 3304 /* Send HCI Reset to the controller to stop any BT activity which 3305 * were triggered. This will help to save power and maintain the 3306 * sync b/w Host and controller 3307 */ 3308 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 3309 if (IS_ERR(skb)) { 3310 bt_dev_err(hdev, "HCI reset during shutdown failed"); 3311 return PTR_ERR(skb); 3312 } 3313 kfree_skb(skb); 3314 3315 3316 /* Some platforms have an issue with BT LED when the interface is 3317 * down or BT radio is turned off, which takes 5 seconds to BT LED 3318 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the 3319 * device in the RFKILL ON state which turns off the BT LED immediately. 3320 */ 3321 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 3322 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 3323 if (IS_ERR(skb)) { 3324 ret = PTR_ERR(skb); 3325 bt_dev_err(hdev, "turning off Intel device LED failed"); 3326 return ret; 3327 } 3328 kfree_skb(skb); 3329 } 3330 3331 return 0; 3332 } 3333 EXPORT_SYMBOL_GPL(btintel_shutdown_combined); 3334 3335 int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name) 3336 { 3337 hdev->manufacturer = 2; 3338 hdev->setup = btintel_setup_combined; 3339 hdev->shutdown = btintel_shutdown_combined; 3340 hdev->hw_error = btintel_hw_error; 3341 hdev->set_diag = btintel_set_diag_combined; 3342 hdev->set_bdaddr = btintel_set_bdaddr; 3343 3344 coredump_info.driver_name = driver_name; 3345 3346 return 0; 3347 } 3348 EXPORT_SYMBOL_GPL(btintel_configure_setup); 3349 3350 int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 3351 { 3352 struct intel_tlv *tlv = (void *)&skb->data[5]; 3353 3354 /* The first event is always an event type TLV */ 3355 if (tlv->type != INTEL_TLV_TYPE_ID) 3356 goto recv_frame; 3357 3358 switch (tlv->val[0]) { 3359 case INTEL_TLV_SYSTEM_EXCEPTION: 3360 case INTEL_TLV_FATAL_EXCEPTION: 3361 case INTEL_TLV_DEBUG_EXCEPTION: 3362 case INTEL_TLV_TEST_EXCEPTION: 3363 /* Generate devcoredump from exception */ 3364 if (!hci_devcd_init(hdev, skb->len)) { 3365 hci_devcd_append(hdev, skb_clone(skb, GFP_ATOMIC)); 3366 hci_devcd_complete(hdev); 3367 } else { 3368 bt_dev_err(hdev, "Failed to generate devcoredump"); 3369 } 3370 break; 3371 default: 3372 bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]); 3373 } 3374 3375 recv_frame: 3376 return hci_recv_frame(hdev, skb); 3377 } 3378 EXPORT_SYMBOL_GPL(btintel_diagnostics); 3379 3380 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 3381 { 3382 struct hci_event_hdr *hdr = (void *)skb->data; 3383 const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 }; 3384 3385 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 3386 hdr->plen > 0) { 3387 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 3388 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 3389 3390 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 3391 switch (skb->data[2]) { 3392 case 0x02: 3393 /* When switching to the operational firmware 3394 * the device sends a vendor specific event 3395 * indicating that the bootup completed. 3396 */ 3397 btintel_bootup(hdev, ptr, len); 3398 kfree_skb(skb); 3399 return 0; 3400 case 0x06: 3401 /* When the firmware loading completes the 3402 * device sends out a vendor specific event 3403 * indicating the result of the firmware 3404 * loading. 3405 */ 3406 btintel_secure_send_result(hdev, ptr, len); 3407 kfree_skb(skb); 3408 return 0; 3409 } 3410 } 3411 3412 /* Handle all diagnostics events separately. May still call 3413 * hci_recv_frame. 3414 */ 3415 if (len >= sizeof(diagnostics_hdr) && 3416 memcmp(&skb->data[2], diagnostics_hdr, 3417 sizeof(diagnostics_hdr)) == 0) { 3418 return btintel_diagnostics(hdev, skb); 3419 } 3420 } 3421 3422 return hci_recv_frame(hdev, skb); 3423 } 3424 EXPORT_SYMBOL_GPL(btintel_recv_event); 3425 3426 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len) 3427 { 3428 const struct intel_bootup *evt = ptr; 3429 3430 if (len != sizeof(*evt)) 3431 return; 3432 3433 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING)) 3434 btintel_wake_up_flag(hdev, INTEL_BOOTING); 3435 } 3436 EXPORT_SYMBOL_GPL(btintel_bootup); 3437 3438 void btintel_secure_send_result(struct hci_dev *hdev, 3439 const void *ptr, unsigned int len) 3440 { 3441 const struct intel_secure_send_result *evt = ptr; 3442 3443 if (len != sizeof(*evt)) 3444 return; 3445 3446 if (evt->result) 3447 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED); 3448 3449 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) && 3450 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED)) 3451 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING); 3452 } 3453 EXPORT_SYMBOL_GPL(btintel_secure_send_result); 3454 3455 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3456 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION); 3457 MODULE_VERSION(VERSION); 3458 MODULE_LICENSE("GPL"); 3459 MODULE_FIRMWARE("intel/ibt-11-5.sfi"); 3460 MODULE_FIRMWARE("intel/ibt-11-5.ddc"); 3461 MODULE_FIRMWARE("intel/ibt-12-16.sfi"); 3462 MODULE_FIRMWARE("intel/ibt-12-16.ddc"); 3463