1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * Bluetooth support for Intel devices 5 * 6 * Copyright (C) 2015 Intel Corporation 7 */ 8 9 #include <linux/module.h> 10 #include <linux/firmware.h> 11 #include <linux/regmap.h> 12 #include <linux/acpi.h> 13 #include <acpi/acpi_bus.h> 14 #include <asm/unaligned.h> 15 16 #include <net/bluetooth/bluetooth.h> 17 #include <net/bluetooth/hci_core.h> 18 19 #include "btintel.h" 20 21 #define VERSION "0.1" 22 23 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 24 #define RSA_HEADER_LEN 644 25 #define CSS_HEADER_OFFSET 8 26 #define ECDSA_OFFSET 644 27 #define ECDSA_HEADER_LEN 320 28 29 #define BTINTEL_PPAG_NAME "PPAG" 30 31 enum { 32 DSM_SET_WDISABLE2_DELAY = 1, 33 DSM_SET_RESET_METHOD = 3, 34 }; 35 36 /* structure to store the PPAG data read from ACPI table */ 37 struct btintel_ppag { 38 u32 domain; 39 u32 mode; 40 acpi_status status; 41 struct hci_dev *hdev; 42 }; 43 44 #define CMD_WRITE_BOOT_PARAMS 0xfc0e 45 struct cmd_write_boot_params { 46 __le32 boot_addr; 47 u8 fw_build_num; 48 u8 fw_build_ww; 49 u8 fw_build_yy; 50 } __packed; 51 52 static struct { 53 const char *driver_name; 54 u8 hw_variant; 55 u32 fw_build_num; 56 } coredump_info; 57 58 static const guid_t btintel_guid_dsm = 59 GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233, 60 0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9); 61 62 int btintel_check_bdaddr(struct hci_dev *hdev) 63 { 64 struct hci_rp_read_bd_addr *bda; 65 struct sk_buff *skb; 66 67 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 68 HCI_INIT_TIMEOUT); 69 if (IS_ERR(skb)) { 70 int err = PTR_ERR(skb); 71 bt_dev_err(hdev, "Reading Intel device address failed (%d)", 72 err); 73 return err; 74 } 75 76 if (skb->len != sizeof(*bda)) { 77 bt_dev_err(hdev, "Intel device address length mismatch"); 78 kfree_skb(skb); 79 return -EIO; 80 } 81 82 bda = (struct hci_rp_read_bd_addr *)skb->data; 83 84 /* For some Intel based controllers, the default Bluetooth device 85 * address 00:03:19:9E:8B:00 can be found. These controllers are 86 * fully operational, but have the danger of duplicate addresses 87 * and that in turn can cause problems with Bluetooth operation. 88 */ 89 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) { 90 bt_dev_err(hdev, "Found Intel default device address (%pMR)", 91 &bda->bdaddr); 92 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 93 } 94 95 kfree_skb(skb); 96 97 return 0; 98 } 99 EXPORT_SYMBOL_GPL(btintel_check_bdaddr); 100 101 int btintel_enter_mfg(struct hci_dev *hdev) 102 { 103 static const u8 param[] = { 0x01, 0x00 }; 104 struct sk_buff *skb; 105 106 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 107 if (IS_ERR(skb)) { 108 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)", 109 PTR_ERR(skb)); 110 return PTR_ERR(skb); 111 } 112 kfree_skb(skb); 113 114 return 0; 115 } 116 EXPORT_SYMBOL_GPL(btintel_enter_mfg); 117 118 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched) 119 { 120 u8 param[] = { 0x00, 0x00 }; 121 struct sk_buff *skb; 122 123 /* The 2nd command parameter specifies the manufacturing exit method: 124 * 0x00: Just disable the manufacturing mode (0x00). 125 * 0x01: Disable manufacturing mode and reset with patches deactivated. 126 * 0x02: Disable manufacturing mode and reset with patches activated. 127 */ 128 if (reset) 129 param[1] |= patched ? 0x02 : 0x01; 130 131 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 132 if (IS_ERR(skb)) { 133 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)", 134 PTR_ERR(skb)); 135 return PTR_ERR(skb); 136 } 137 kfree_skb(skb); 138 139 return 0; 140 } 141 EXPORT_SYMBOL_GPL(btintel_exit_mfg); 142 143 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 144 { 145 struct sk_buff *skb; 146 int err; 147 148 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 149 if (IS_ERR(skb)) { 150 err = PTR_ERR(skb); 151 bt_dev_err(hdev, "Changing Intel device address failed (%d)", 152 err); 153 return err; 154 } 155 kfree_skb(skb); 156 157 return 0; 158 } 159 EXPORT_SYMBOL_GPL(btintel_set_bdaddr); 160 161 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug) 162 { 163 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 164 struct sk_buff *skb; 165 int err; 166 167 if (debug) 168 mask[1] |= 0x62; 169 170 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT); 171 if (IS_ERR(skb)) { 172 err = PTR_ERR(skb); 173 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err); 174 return err; 175 } 176 kfree_skb(skb); 177 178 return 0; 179 } 180 181 int btintel_set_diag(struct hci_dev *hdev, bool enable) 182 { 183 struct sk_buff *skb; 184 u8 param[3]; 185 int err; 186 187 if (enable) { 188 param[0] = 0x03; 189 param[1] = 0x03; 190 param[2] = 0x03; 191 } else { 192 param[0] = 0x00; 193 param[1] = 0x00; 194 param[2] = 0x00; 195 } 196 197 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT); 198 if (IS_ERR(skb)) { 199 err = PTR_ERR(skb); 200 if (err == -ENODATA) 201 goto done; 202 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)", 203 err); 204 return err; 205 } 206 kfree_skb(skb); 207 208 done: 209 btintel_set_event_mask(hdev, enable); 210 return 0; 211 } 212 EXPORT_SYMBOL_GPL(btintel_set_diag); 213 214 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable) 215 { 216 int err, ret; 217 218 err = btintel_enter_mfg(hdev); 219 if (err) 220 return err; 221 222 ret = btintel_set_diag(hdev, enable); 223 224 err = btintel_exit_mfg(hdev, false, false); 225 if (err) 226 return err; 227 228 return ret; 229 } 230 231 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable) 232 { 233 int ret; 234 235 /* Legacy ROM device needs to be in the manufacturer mode to apply 236 * diagnostic setting 237 * 238 * This flag is set after reading the Intel version. 239 */ 240 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY)) 241 ret = btintel_set_diag_mfg(hdev, enable); 242 else 243 ret = btintel_set_diag(hdev, enable); 244 245 return ret; 246 } 247 248 void btintel_hw_error(struct hci_dev *hdev, u8 code) 249 { 250 struct sk_buff *skb; 251 u8 type = 0x00; 252 253 bt_dev_err(hdev, "Hardware error 0x%2.2x", code); 254 255 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 256 if (IS_ERR(skb)) { 257 bt_dev_err(hdev, "Reset after hardware error failed (%ld)", 258 PTR_ERR(skb)); 259 return; 260 } 261 kfree_skb(skb); 262 263 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 264 if (IS_ERR(skb)) { 265 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)", 266 PTR_ERR(skb)); 267 return; 268 } 269 270 if (skb->len != 13) { 271 bt_dev_err(hdev, "Exception info size mismatch"); 272 kfree_skb(skb); 273 return; 274 } 275 276 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1)); 277 278 kfree_skb(skb); 279 } 280 EXPORT_SYMBOL_GPL(btintel_hw_error); 281 282 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver) 283 { 284 const char *variant; 285 286 /* The hardware platform number has a fixed value of 0x37 and 287 * for now only accept this single value. 288 */ 289 if (ver->hw_platform != 0x37) { 290 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)", 291 ver->hw_platform); 292 return -EINVAL; 293 } 294 295 /* Check for supported iBT hardware variants of this firmware 296 * loading method. 297 * 298 * This check has been put in place to ensure correct forward 299 * compatibility options when newer hardware variants come along. 300 */ 301 switch (ver->hw_variant) { 302 case 0x07: /* WP - Legacy ROM */ 303 case 0x08: /* StP - Legacy ROM */ 304 case 0x0b: /* SfP */ 305 case 0x0c: /* WsP */ 306 case 0x11: /* JfP */ 307 case 0x12: /* ThP */ 308 case 0x13: /* HrP */ 309 case 0x14: /* CcP */ 310 break; 311 default: 312 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)", 313 ver->hw_variant); 314 return -EINVAL; 315 } 316 317 switch (ver->fw_variant) { 318 case 0x01: 319 variant = "Legacy ROM 2.5"; 320 break; 321 case 0x06: 322 variant = "Bootloader"; 323 break; 324 case 0x22: 325 variant = "Legacy ROM 2.x"; 326 break; 327 case 0x23: 328 variant = "Firmware"; 329 break; 330 default: 331 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant); 332 return -EINVAL; 333 } 334 335 coredump_info.hw_variant = ver->hw_variant; 336 coredump_info.fw_build_num = ver->fw_build_num; 337 338 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u", 339 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 340 ver->fw_build_num, ver->fw_build_ww, 341 2000 + ver->fw_build_yy); 342 343 return 0; 344 } 345 EXPORT_SYMBOL_GPL(btintel_version_info); 346 347 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen, 348 const void *param) 349 { 350 while (plen > 0) { 351 struct sk_buff *skb; 352 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 353 354 cmd_param[0] = fragment_type; 355 memcpy(cmd_param + 1, param, fragment_len); 356 357 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 358 cmd_param, HCI_INIT_TIMEOUT); 359 if (IS_ERR(skb)) 360 return PTR_ERR(skb); 361 362 kfree_skb(skb); 363 364 plen -= fragment_len; 365 param += fragment_len; 366 } 367 368 return 0; 369 } 370 371 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name) 372 { 373 const struct firmware *fw; 374 struct sk_buff *skb; 375 const u8 *fw_ptr; 376 int err; 377 378 err = request_firmware_direct(&fw, ddc_name, &hdev->dev); 379 if (err < 0) { 380 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)", 381 ddc_name, err); 382 return err; 383 } 384 385 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name); 386 387 fw_ptr = fw->data; 388 389 /* DDC file contains one or more DDC structure which has 390 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 391 */ 392 while (fw->size > fw_ptr - fw->data) { 393 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 394 395 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 396 HCI_INIT_TIMEOUT); 397 if (IS_ERR(skb)) { 398 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)", 399 PTR_ERR(skb)); 400 release_firmware(fw); 401 return PTR_ERR(skb); 402 } 403 404 fw_ptr += cmd_plen; 405 kfree_skb(skb); 406 } 407 408 release_firmware(fw); 409 410 bt_dev_info(hdev, "Applying Intel DDC parameters completed"); 411 412 return 0; 413 } 414 EXPORT_SYMBOL_GPL(btintel_load_ddc_config); 415 416 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug) 417 { 418 int err, ret; 419 420 err = btintel_enter_mfg(hdev); 421 if (err) 422 return err; 423 424 ret = btintel_set_event_mask(hdev, debug); 425 426 err = btintel_exit_mfg(hdev, false, false); 427 if (err) 428 return err; 429 430 return ret; 431 } 432 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg); 433 434 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) 435 { 436 struct sk_buff *skb; 437 438 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); 439 if (IS_ERR(skb)) { 440 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 441 PTR_ERR(skb)); 442 return PTR_ERR(skb); 443 } 444 445 if (!skb || skb->len != sizeof(*ver)) { 446 bt_dev_err(hdev, "Intel version event size mismatch"); 447 kfree_skb(skb); 448 return -EILSEQ; 449 } 450 451 memcpy(ver, skb->data, sizeof(*ver)); 452 453 kfree_skb(skb); 454 455 return 0; 456 } 457 EXPORT_SYMBOL_GPL(btintel_read_version); 458 459 int btintel_version_info_tlv(struct hci_dev *hdev, 460 struct intel_version_tlv *version) 461 { 462 const char *variant; 463 464 /* The hardware platform number has a fixed value of 0x37 and 465 * for now only accept this single value. 466 */ 467 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) { 468 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 469 INTEL_HW_PLATFORM(version->cnvi_bt)); 470 return -EINVAL; 471 } 472 473 /* Check for supported iBT hardware variants of this firmware 474 * loading method. 475 * 476 * This check has been put in place to ensure correct forward 477 * compatibility options when newer hardware variants come along. 478 */ 479 switch (INTEL_HW_VARIANT(version->cnvi_bt)) { 480 case 0x17: /* TyP */ 481 case 0x18: /* Slr */ 482 case 0x19: /* Slr-F */ 483 case 0x1b: /* Mgr */ 484 case 0x1c: /* Gale Peak (GaP) */ 485 case 0x1e: /* BlazarI (Bzr) */ 486 break; 487 default: 488 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)", 489 INTEL_HW_VARIANT(version->cnvi_bt)); 490 return -EINVAL; 491 } 492 493 switch (version->img_type) { 494 case BTINTEL_IMG_BOOTLOADER: 495 variant = "Bootloader"; 496 /* It is required that every single firmware fragment is acknowledged 497 * with a command complete event. If the boot parameters indicate 498 * that this bootloader does not send them, then abort the setup. 499 */ 500 if (version->limited_cce != 0x00) { 501 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)", 502 version->limited_cce); 503 return -EINVAL; 504 } 505 506 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */ 507 if (version->sbe_type > 0x01) { 508 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)", 509 version->sbe_type); 510 return -EINVAL; 511 } 512 513 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id); 514 bt_dev_info(hdev, "Secure boot is %s", 515 version->secure_boot ? "enabled" : "disabled"); 516 bt_dev_info(hdev, "OTP lock is %s", 517 version->otp_lock ? "enabled" : "disabled"); 518 bt_dev_info(hdev, "API lock is %s", 519 version->api_lock ? "enabled" : "disabled"); 520 bt_dev_info(hdev, "Debug lock is %s", 521 version->debug_lock ? "enabled" : "disabled"); 522 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 523 version->min_fw_build_nn, version->min_fw_build_cw, 524 2000 + version->min_fw_build_yy); 525 break; 526 case BTINTEL_IMG_IML: 527 variant = "Intermediate loader"; 528 break; 529 case BTINTEL_IMG_OP: 530 variant = "Firmware"; 531 break; 532 default: 533 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type); 534 return -EINVAL; 535 } 536 537 coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt); 538 coredump_info.fw_build_num = version->build_num; 539 540 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant, 541 2000 + (version->timestamp >> 8), version->timestamp & 0xff, 542 version->build_type, version->build_num); 543 if (version->img_type == BTINTEL_IMG_OP) 544 bt_dev_info(hdev, "Firmware SHA1: 0x%8.8x", version->git_sha1); 545 546 return 0; 547 } 548 EXPORT_SYMBOL_GPL(btintel_version_info_tlv); 549 550 int btintel_parse_version_tlv(struct hci_dev *hdev, 551 struct intel_version_tlv *version, 552 struct sk_buff *skb) 553 { 554 /* Consume Command Complete Status field */ 555 skb_pull(skb, 1); 556 557 /* Event parameters contatin multiple TLVs. Read each of them 558 * and only keep the required data. Also, it use existing legacy 559 * version field like hw_platform, hw_variant, and fw_variant 560 * to keep the existing setup flow 561 */ 562 while (skb->len) { 563 struct intel_tlv *tlv; 564 565 /* Make sure skb has a minimum length of the header */ 566 if (skb->len < sizeof(*tlv)) 567 return -EINVAL; 568 569 tlv = (struct intel_tlv *)skb->data; 570 571 /* Make sure skb has a enough data */ 572 if (skb->len < tlv->len + sizeof(*tlv)) 573 return -EINVAL; 574 575 switch (tlv->type) { 576 case INTEL_TLV_CNVI_TOP: 577 version->cnvi_top = get_unaligned_le32(tlv->val); 578 break; 579 case INTEL_TLV_CNVR_TOP: 580 version->cnvr_top = get_unaligned_le32(tlv->val); 581 break; 582 case INTEL_TLV_CNVI_BT: 583 version->cnvi_bt = get_unaligned_le32(tlv->val); 584 break; 585 case INTEL_TLV_CNVR_BT: 586 version->cnvr_bt = get_unaligned_le32(tlv->val); 587 break; 588 case INTEL_TLV_DEV_REV_ID: 589 version->dev_rev_id = get_unaligned_le16(tlv->val); 590 break; 591 case INTEL_TLV_IMAGE_TYPE: 592 version->img_type = tlv->val[0]; 593 break; 594 case INTEL_TLV_TIME_STAMP: 595 /* If image type is Operational firmware (0x03), then 596 * running FW Calendar Week and Year information can 597 * be extracted from Timestamp information 598 */ 599 version->min_fw_build_cw = tlv->val[0]; 600 version->min_fw_build_yy = tlv->val[1]; 601 version->timestamp = get_unaligned_le16(tlv->val); 602 break; 603 case INTEL_TLV_BUILD_TYPE: 604 version->build_type = tlv->val[0]; 605 break; 606 case INTEL_TLV_BUILD_NUM: 607 /* If image type is Operational firmware (0x03), then 608 * running FW build number can be extracted from the 609 * Build information 610 */ 611 version->min_fw_build_nn = tlv->val[0]; 612 version->build_num = get_unaligned_le32(tlv->val); 613 break; 614 case INTEL_TLV_SECURE_BOOT: 615 version->secure_boot = tlv->val[0]; 616 break; 617 case INTEL_TLV_OTP_LOCK: 618 version->otp_lock = tlv->val[0]; 619 break; 620 case INTEL_TLV_API_LOCK: 621 version->api_lock = tlv->val[0]; 622 break; 623 case INTEL_TLV_DEBUG_LOCK: 624 version->debug_lock = tlv->val[0]; 625 break; 626 case INTEL_TLV_MIN_FW: 627 version->min_fw_build_nn = tlv->val[0]; 628 version->min_fw_build_cw = tlv->val[1]; 629 version->min_fw_build_yy = tlv->val[2]; 630 break; 631 case INTEL_TLV_LIMITED_CCE: 632 version->limited_cce = tlv->val[0]; 633 break; 634 case INTEL_TLV_SBE_TYPE: 635 version->sbe_type = tlv->val[0]; 636 break; 637 case INTEL_TLV_OTP_BDADDR: 638 memcpy(&version->otp_bd_addr, tlv->val, 639 sizeof(bdaddr_t)); 640 break; 641 case INTEL_TLV_GIT_SHA1: 642 version->git_sha1 = get_unaligned_le32(tlv->val); 643 break; 644 default: 645 /* Ignore rest of information */ 646 break; 647 } 648 /* consume the current tlv and move to next*/ 649 skb_pull(skb, tlv->len + sizeof(*tlv)); 650 } 651 652 return 0; 653 } 654 EXPORT_SYMBOL_GPL(btintel_parse_version_tlv); 655 656 static int btintel_read_version_tlv(struct hci_dev *hdev, 657 struct intel_version_tlv *version) 658 { 659 struct sk_buff *skb; 660 const u8 param[1] = { 0xFF }; 661 662 if (!version) 663 return -EINVAL; 664 665 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 666 if (IS_ERR(skb)) { 667 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 668 PTR_ERR(skb)); 669 return PTR_ERR(skb); 670 } 671 672 if (skb->data[0]) { 673 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 674 skb->data[0]); 675 kfree_skb(skb); 676 return -EIO; 677 } 678 679 btintel_parse_version_tlv(hdev, version, skb); 680 681 kfree_skb(skb); 682 return 0; 683 } 684 685 /* ------- REGMAP IBT SUPPORT ------- */ 686 687 #define IBT_REG_MODE_8BIT 0x00 688 #define IBT_REG_MODE_16BIT 0x01 689 #define IBT_REG_MODE_32BIT 0x02 690 691 struct regmap_ibt_context { 692 struct hci_dev *hdev; 693 __u16 op_write; 694 __u16 op_read; 695 }; 696 697 struct ibt_cp_reg_access { 698 __le32 addr; 699 __u8 mode; 700 __u8 len; 701 __u8 data[]; 702 } __packed; 703 704 struct ibt_rp_reg_access { 705 __u8 status; 706 __le32 addr; 707 __u8 data[]; 708 } __packed; 709 710 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size, 711 void *val, size_t val_size) 712 { 713 struct regmap_ibt_context *ctx = context; 714 struct ibt_cp_reg_access cp; 715 struct ibt_rp_reg_access *rp; 716 struct sk_buff *skb; 717 int err = 0; 718 719 if (reg_size != sizeof(__le32)) 720 return -EINVAL; 721 722 switch (val_size) { 723 case 1: 724 cp.mode = IBT_REG_MODE_8BIT; 725 break; 726 case 2: 727 cp.mode = IBT_REG_MODE_16BIT; 728 break; 729 case 4: 730 cp.mode = IBT_REG_MODE_32BIT; 731 break; 732 default: 733 return -EINVAL; 734 } 735 736 /* regmap provides a little-endian formatted addr */ 737 cp.addr = *(__le32 *)addr; 738 cp.len = val_size; 739 740 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr)); 741 742 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp, 743 HCI_CMD_TIMEOUT); 744 if (IS_ERR(skb)) { 745 err = PTR_ERR(skb); 746 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)", 747 le32_to_cpu(cp.addr), err); 748 return err; 749 } 750 751 if (skb->len != sizeof(*rp) + val_size) { 752 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len", 753 le32_to_cpu(cp.addr)); 754 err = -EINVAL; 755 goto done; 756 } 757 758 rp = (struct ibt_rp_reg_access *)skb->data; 759 760 if (rp->addr != cp.addr) { 761 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr", 762 le32_to_cpu(rp->addr)); 763 err = -EINVAL; 764 goto done; 765 } 766 767 memcpy(val, rp->data, val_size); 768 769 done: 770 kfree_skb(skb); 771 return err; 772 } 773 774 static int regmap_ibt_gather_write(void *context, 775 const void *addr, size_t reg_size, 776 const void *val, size_t val_size) 777 { 778 struct regmap_ibt_context *ctx = context; 779 struct ibt_cp_reg_access *cp; 780 struct sk_buff *skb; 781 int plen = sizeof(*cp) + val_size; 782 u8 mode; 783 int err = 0; 784 785 if (reg_size != sizeof(__le32)) 786 return -EINVAL; 787 788 switch (val_size) { 789 case 1: 790 mode = IBT_REG_MODE_8BIT; 791 break; 792 case 2: 793 mode = IBT_REG_MODE_16BIT; 794 break; 795 case 4: 796 mode = IBT_REG_MODE_32BIT; 797 break; 798 default: 799 return -EINVAL; 800 } 801 802 cp = kmalloc(plen, GFP_KERNEL); 803 if (!cp) 804 return -ENOMEM; 805 806 /* regmap provides a little-endian formatted addr/value */ 807 cp->addr = *(__le32 *)addr; 808 cp->mode = mode; 809 cp->len = val_size; 810 memcpy(&cp->data, val, val_size); 811 812 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr)); 813 814 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT); 815 if (IS_ERR(skb)) { 816 err = PTR_ERR(skb); 817 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)", 818 le32_to_cpu(cp->addr), err); 819 goto done; 820 } 821 kfree_skb(skb); 822 823 done: 824 kfree(cp); 825 return err; 826 } 827 828 static int regmap_ibt_write(void *context, const void *data, size_t count) 829 { 830 /* data contains register+value, since we only support 32bit addr, 831 * minimum data size is 4 bytes. 832 */ 833 if (WARN_ONCE(count < 4, "Invalid register access")) 834 return -EINVAL; 835 836 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4); 837 } 838 839 static void regmap_ibt_free_context(void *context) 840 { 841 kfree(context); 842 } 843 844 static const struct regmap_bus regmap_ibt = { 845 .read = regmap_ibt_read, 846 .write = regmap_ibt_write, 847 .gather_write = regmap_ibt_gather_write, 848 .free_context = regmap_ibt_free_context, 849 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE, 850 .val_format_endian_default = REGMAP_ENDIAN_LITTLE, 851 }; 852 853 /* Config is the same for all register regions */ 854 static const struct regmap_config regmap_ibt_cfg = { 855 .name = "btintel_regmap", 856 .reg_bits = 32, 857 .val_bits = 32, 858 }; 859 860 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read, 861 u16 opcode_write) 862 { 863 struct regmap_ibt_context *ctx; 864 865 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read, 866 opcode_write); 867 868 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 869 if (!ctx) 870 return ERR_PTR(-ENOMEM); 871 872 ctx->op_read = opcode_read; 873 ctx->op_write = opcode_write; 874 ctx->hdev = hdev; 875 876 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg); 877 } 878 EXPORT_SYMBOL_GPL(btintel_regmap_init); 879 880 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param) 881 { 882 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 }; 883 struct sk_buff *skb; 884 885 params.boot_param = cpu_to_le32(boot_param); 886 887 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms, 888 HCI_INIT_TIMEOUT); 889 if (IS_ERR(skb)) { 890 bt_dev_err(hdev, "Failed to send Intel Reset command"); 891 return PTR_ERR(skb); 892 } 893 894 kfree_skb(skb); 895 896 return 0; 897 } 898 EXPORT_SYMBOL_GPL(btintel_send_intel_reset); 899 900 int btintel_read_boot_params(struct hci_dev *hdev, 901 struct intel_boot_params *params) 902 { 903 struct sk_buff *skb; 904 905 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 906 if (IS_ERR(skb)) { 907 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)", 908 PTR_ERR(skb)); 909 return PTR_ERR(skb); 910 } 911 912 if (skb->len != sizeof(*params)) { 913 bt_dev_err(hdev, "Intel boot parameters size mismatch"); 914 kfree_skb(skb); 915 return -EILSEQ; 916 } 917 918 memcpy(params, skb->data, sizeof(*params)); 919 920 kfree_skb(skb); 921 922 if (params->status) { 923 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)", 924 params->status); 925 return -bt_to_errno(params->status); 926 } 927 928 bt_dev_info(hdev, "Device revision is %u", 929 le16_to_cpu(params->dev_revid)); 930 931 bt_dev_info(hdev, "Secure boot is %s", 932 params->secure_boot ? "enabled" : "disabled"); 933 934 bt_dev_info(hdev, "OTP lock is %s", 935 params->otp_lock ? "enabled" : "disabled"); 936 937 bt_dev_info(hdev, "API lock is %s", 938 params->api_lock ? "enabled" : "disabled"); 939 940 bt_dev_info(hdev, "Debug lock is %s", 941 params->debug_lock ? "enabled" : "disabled"); 942 943 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 944 params->min_fw_build_nn, params->min_fw_build_cw, 945 2000 + params->min_fw_build_yy); 946 947 return 0; 948 } 949 EXPORT_SYMBOL_GPL(btintel_read_boot_params); 950 951 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev, 952 const struct firmware *fw) 953 { 954 int err; 955 956 /* Start the firmware download transaction with the Init fragment 957 * represented by the 128 bytes of CSS header. 958 */ 959 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 960 if (err < 0) { 961 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 962 goto done; 963 } 964 965 /* Send the 256 bytes of public key information from the firmware 966 * as the PKey fragment. 967 */ 968 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 969 if (err < 0) { 970 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 971 goto done; 972 } 973 974 /* Send the 256 bytes of signature information from the firmware 975 * as the Sign fragment. 976 */ 977 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 978 if (err < 0) { 979 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err); 980 goto done; 981 } 982 983 done: 984 return err; 985 } 986 987 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev, 988 const struct firmware *fw) 989 { 990 int err; 991 992 /* Start the firmware download transaction with the Init fragment 993 * represented by the 128 bytes of CSS header. 994 */ 995 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644); 996 if (err < 0) { 997 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 998 return err; 999 } 1000 1001 /* Send the 96 bytes of public key information from the firmware 1002 * as the PKey fragment. 1003 */ 1004 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128); 1005 if (err < 0) { 1006 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 1007 return err; 1008 } 1009 1010 /* Send the 96 bytes of signature information from the firmware 1011 * as the Sign fragment 1012 */ 1013 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224); 1014 if (err < 0) { 1015 bt_dev_err(hdev, "Failed to send firmware signature (%d)", 1016 err); 1017 return err; 1018 } 1019 return 0; 1020 } 1021 1022 static int btintel_download_firmware_payload(struct hci_dev *hdev, 1023 const struct firmware *fw, 1024 size_t offset) 1025 { 1026 int err; 1027 const u8 *fw_ptr; 1028 u32 frag_len; 1029 1030 fw_ptr = fw->data + offset; 1031 frag_len = 0; 1032 err = -EINVAL; 1033 1034 while (fw_ptr - fw->data < fw->size) { 1035 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 1036 1037 frag_len += sizeof(*cmd) + cmd->plen; 1038 1039 /* The parameter length of the secure send command requires 1040 * a 4 byte alignment. It happens so that the firmware file 1041 * contains proper Intel_NOP commands to align the fragments 1042 * as needed. 1043 * 1044 * Send set of commands with 4 byte alignment from the 1045 * firmware data buffer as a single Data fragement. 1046 */ 1047 if (!(frag_len % 4)) { 1048 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 1049 if (err < 0) { 1050 bt_dev_err(hdev, 1051 "Failed to send firmware data (%d)", 1052 err); 1053 goto done; 1054 } 1055 1056 fw_ptr += frag_len; 1057 frag_len = 0; 1058 } 1059 } 1060 1061 done: 1062 return err; 1063 } 1064 1065 static bool btintel_firmware_version(struct hci_dev *hdev, 1066 u8 num, u8 ww, u8 yy, 1067 const struct firmware *fw, 1068 u32 *boot_addr) 1069 { 1070 const u8 *fw_ptr; 1071 1072 fw_ptr = fw->data; 1073 1074 while (fw_ptr - fw->data < fw->size) { 1075 struct hci_command_hdr *cmd = (void *)(fw_ptr); 1076 1077 /* Each SKU has a different reset parameter to use in the 1078 * HCI_Intel_Reset command and it is embedded in the firmware 1079 * data. So, instead of using static value per SKU, check 1080 * the firmware data and save it for later use. 1081 */ 1082 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) { 1083 struct cmd_write_boot_params *params; 1084 1085 params = (void *)(fw_ptr + sizeof(*cmd)); 1086 1087 *boot_addr = le32_to_cpu(params->boot_addr); 1088 1089 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr); 1090 1091 bt_dev_info(hdev, "Firmware Version: %u-%u.%u", 1092 params->fw_build_num, params->fw_build_ww, 1093 params->fw_build_yy); 1094 1095 return (num == params->fw_build_num && 1096 ww == params->fw_build_ww && 1097 yy == params->fw_build_yy); 1098 } 1099 1100 fw_ptr += sizeof(*cmd) + cmd->plen; 1101 } 1102 1103 return false; 1104 } 1105 1106 int btintel_download_firmware(struct hci_dev *hdev, 1107 struct intel_version *ver, 1108 const struct firmware *fw, 1109 u32 *boot_param) 1110 { 1111 int err; 1112 1113 /* SfP and WsP don't seem to update the firmware version on file 1114 * so version checking is currently not possible. 1115 */ 1116 switch (ver->hw_variant) { 1117 case 0x0b: /* SfP */ 1118 case 0x0c: /* WsP */ 1119 /* Skip version checking */ 1120 break; 1121 default: 1122 1123 /* Skip download if firmware has the same version */ 1124 if (btintel_firmware_version(hdev, ver->fw_build_num, 1125 ver->fw_build_ww, ver->fw_build_yy, 1126 fw, boot_param)) { 1127 bt_dev_info(hdev, "Firmware already loaded"); 1128 /* Return -EALREADY to indicate that the firmware has 1129 * already been loaded. 1130 */ 1131 return -EALREADY; 1132 } 1133 } 1134 1135 /* The firmware variant determines if the device is in bootloader 1136 * mode or is running operational firmware. The value 0x06 identifies 1137 * the bootloader and the value 0x23 identifies the operational 1138 * firmware. 1139 * 1140 * If the firmware version has changed that means it needs to be reset 1141 * to bootloader when operational so the new firmware can be loaded. 1142 */ 1143 if (ver->fw_variant == 0x23) 1144 return -EINVAL; 1145 1146 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1147 if (err) 1148 return err; 1149 1150 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1151 } 1152 EXPORT_SYMBOL_GPL(btintel_download_firmware); 1153 1154 static int btintel_download_fw_tlv(struct hci_dev *hdev, 1155 struct intel_version_tlv *ver, 1156 const struct firmware *fw, u32 *boot_param, 1157 u8 hw_variant, u8 sbe_type) 1158 { 1159 int err; 1160 u32 css_header_ver; 1161 1162 /* Skip download if firmware has the same version */ 1163 if (btintel_firmware_version(hdev, ver->min_fw_build_nn, 1164 ver->min_fw_build_cw, 1165 ver->min_fw_build_yy, 1166 fw, boot_param)) { 1167 bt_dev_info(hdev, "Firmware already loaded"); 1168 /* Return -EALREADY to indicate that firmware has 1169 * already been loaded. 1170 */ 1171 return -EALREADY; 1172 } 1173 1174 /* The firmware variant determines if the device is in bootloader 1175 * mode or is running operational firmware. The value 0x01 identifies 1176 * the bootloader and the value 0x03 identifies the operational 1177 * firmware. 1178 * 1179 * If the firmware version has changed that means it needs to be reset 1180 * to bootloader when operational so the new firmware can be loaded. 1181 */ 1182 if (ver->img_type == BTINTEL_IMG_OP) 1183 return -EINVAL; 1184 1185 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support 1186 * only RSA secure boot engine. Hence, the corresponding sfi file will 1187 * have RSA header of 644 bytes followed by Command Buffer. 1188 * 1189 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA 1190 * secure boot engine. As a result, the corresponding sfi file will 1191 * have RSA header of 644, ECDSA header of 320 bytes followed by 1192 * Command Buffer. 1193 * 1194 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header 1195 * version: RSA(0x00010000) , ECDSA (0x00020000) 1196 */ 1197 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET); 1198 if (css_header_ver != 0x00010000) { 1199 bt_dev_err(hdev, "Invalid CSS Header version"); 1200 return -EINVAL; 1201 } 1202 1203 if (hw_variant <= 0x14) { 1204 if (sbe_type != 0x00) { 1205 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)", 1206 hw_variant); 1207 return -EINVAL; 1208 } 1209 1210 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1211 if (err) 1212 return err; 1213 1214 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1215 if (err) 1216 return err; 1217 } else if (hw_variant >= 0x17) { 1218 /* Check if CSS header for ECDSA follows the RSA header */ 1219 if (fw->data[ECDSA_OFFSET] != 0x06) 1220 return -EINVAL; 1221 1222 /* Check if the CSS Header version is ECDSA(0x00020000) */ 1223 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET); 1224 if (css_header_ver != 0x00020000) { 1225 bt_dev_err(hdev, "Invalid CSS Header version"); 1226 return -EINVAL; 1227 } 1228 1229 if (sbe_type == 0x00) { 1230 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1231 if (err) 1232 return err; 1233 1234 err = btintel_download_firmware_payload(hdev, fw, 1235 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1236 if (err) 1237 return err; 1238 } else if (sbe_type == 0x01) { 1239 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw); 1240 if (err) 1241 return err; 1242 1243 err = btintel_download_firmware_payload(hdev, fw, 1244 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1245 if (err) 1246 return err; 1247 } 1248 } 1249 return 0; 1250 } 1251 1252 static void btintel_reset_to_bootloader(struct hci_dev *hdev) 1253 { 1254 struct intel_reset params; 1255 struct sk_buff *skb; 1256 1257 /* Send Intel Reset command. This will result in 1258 * re-enumeration of BT controller. 1259 * 1260 * Intel Reset parameter description: 1261 * reset_type : 0x00 (Soft reset), 1262 * 0x01 (Hard reset) 1263 * patch_enable : 0x00 (Do not enable), 1264 * 0x01 (Enable) 1265 * ddc_reload : 0x00 (Do not reload), 1266 * 0x01 (Reload) 1267 * boot_option: 0x00 (Current image), 1268 * 0x01 (Specified boot address) 1269 * boot_param: Boot address 1270 * 1271 */ 1272 params.reset_type = 0x01; 1273 params.patch_enable = 0x01; 1274 params.ddc_reload = 0x01; 1275 params.boot_option = 0x00; 1276 params.boot_param = cpu_to_le32(0x00000000); 1277 1278 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), 1279 ¶ms, HCI_INIT_TIMEOUT); 1280 if (IS_ERR(skb)) { 1281 bt_dev_err(hdev, "FW download error recovery failed (%ld)", 1282 PTR_ERR(skb)); 1283 return; 1284 } 1285 bt_dev_info(hdev, "Intel reset sent to retry FW download"); 1286 kfree_skb(skb); 1287 1288 /* Current Intel BT controllers(ThP/JfP) hold the USB reset 1289 * lines for 2ms when it receives Intel Reset in bootloader mode. 1290 * Whereas, the upcoming Intel BT controllers will hold USB reset 1291 * for 150ms. To keep the delay generic, 150ms is chosen here. 1292 */ 1293 msleep(150); 1294 } 1295 1296 static int btintel_read_debug_features(struct hci_dev *hdev, 1297 struct intel_debug_features *features) 1298 { 1299 struct sk_buff *skb; 1300 u8 page_no = 1; 1301 1302 /* Intel controller supports two pages, each page is of 128-bit 1303 * feature bit mask. And each bit defines specific feature support 1304 */ 1305 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no, 1306 HCI_INIT_TIMEOUT); 1307 if (IS_ERR(skb)) { 1308 bt_dev_err(hdev, "Reading supported features failed (%ld)", 1309 PTR_ERR(skb)); 1310 return PTR_ERR(skb); 1311 } 1312 1313 if (skb->len != (sizeof(features->page1) + 3)) { 1314 bt_dev_err(hdev, "Supported features event size mismatch"); 1315 kfree_skb(skb); 1316 return -EILSEQ; 1317 } 1318 1319 memcpy(features->page1, skb->data + 3, sizeof(features->page1)); 1320 1321 /* Read the supported features page2 if required in future. 1322 */ 1323 kfree_skb(skb); 1324 return 0; 1325 } 1326 1327 static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data, 1328 void **ret) 1329 { 1330 acpi_status status; 1331 size_t len; 1332 struct btintel_ppag *ppag = data; 1333 union acpi_object *p, *elements; 1334 struct acpi_buffer string = {ACPI_ALLOCATE_BUFFER, NULL}; 1335 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; 1336 struct hci_dev *hdev = ppag->hdev; 1337 1338 status = acpi_get_name(handle, ACPI_FULL_PATHNAME, &string); 1339 if (ACPI_FAILURE(status)) { 1340 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 1341 return status; 1342 } 1343 1344 len = strlen(string.pointer); 1345 if (len < strlen(BTINTEL_PPAG_NAME)) { 1346 kfree(string.pointer); 1347 return AE_OK; 1348 } 1349 1350 if (strncmp((char *)string.pointer + len - 4, BTINTEL_PPAG_NAME, 4)) { 1351 kfree(string.pointer); 1352 return AE_OK; 1353 } 1354 kfree(string.pointer); 1355 1356 status = acpi_evaluate_object(handle, NULL, NULL, &buffer); 1357 if (ACPI_FAILURE(status)) { 1358 ppag->status = status; 1359 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 1360 return status; 1361 } 1362 1363 p = buffer.pointer; 1364 ppag = (struct btintel_ppag *)data; 1365 1366 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) { 1367 kfree(buffer.pointer); 1368 bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d", 1369 p->type, p->package.count); 1370 ppag->status = AE_ERROR; 1371 return AE_ERROR; 1372 } 1373 1374 elements = p->package.elements; 1375 1376 /* PPAG table is located at element[1] */ 1377 p = &elements[1]; 1378 1379 ppag->domain = (u32)p->package.elements[0].integer.value; 1380 ppag->mode = (u32)p->package.elements[1].integer.value; 1381 ppag->status = AE_OK; 1382 kfree(buffer.pointer); 1383 return AE_CTRL_TERMINATE; 1384 } 1385 1386 static int btintel_set_debug_features(struct hci_dev *hdev, 1387 const struct intel_debug_features *features) 1388 { 1389 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00, 1390 0x00, 0x00, 0x00 }; 1391 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 }; 1392 u8 trace_enable = 0x02; 1393 struct sk_buff *skb; 1394 1395 if (!features) { 1396 bt_dev_warn(hdev, "Debug features not read"); 1397 return -EINVAL; 1398 } 1399 1400 if (!(features->page1[0] & 0x3f)) { 1401 bt_dev_info(hdev, "Telemetry exception format not supported"); 1402 return 0; 1403 } 1404 1405 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1406 if (IS_ERR(skb)) { 1407 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1408 PTR_ERR(skb)); 1409 return PTR_ERR(skb); 1410 } 1411 kfree_skb(skb); 1412 1413 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT); 1414 if (IS_ERR(skb)) { 1415 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)", 1416 PTR_ERR(skb)); 1417 return PTR_ERR(skb); 1418 } 1419 kfree_skb(skb); 1420 1421 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1422 if (IS_ERR(skb)) { 1423 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)", 1424 PTR_ERR(skb)); 1425 return PTR_ERR(skb); 1426 } 1427 kfree_skb(skb); 1428 1429 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x", 1430 trace_enable, mask[3]); 1431 1432 return 0; 1433 } 1434 1435 static int btintel_reset_debug_features(struct hci_dev *hdev, 1436 const struct intel_debug_features *features) 1437 { 1438 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 1439 0x00, 0x00, 0x00 }; 1440 u8 trace_enable = 0x00; 1441 struct sk_buff *skb; 1442 1443 if (!features) { 1444 bt_dev_warn(hdev, "Debug features not read"); 1445 return -EINVAL; 1446 } 1447 1448 if (!(features->page1[0] & 0x3f)) { 1449 bt_dev_info(hdev, "Telemetry exception format not supported"); 1450 return 0; 1451 } 1452 1453 /* Should stop the trace before writing ddc event mask. */ 1454 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1455 if (IS_ERR(skb)) { 1456 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)", 1457 PTR_ERR(skb)); 1458 return PTR_ERR(skb); 1459 } 1460 kfree_skb(skb); 1461 1462 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1463 if (IS_ERR(skb)) { 1464 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1465 PTR_ERR(skb)); 1466 return PTR_ERR(skb); 1467 } 1468 kfree_skb(skb); 1469 1470 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x", 1471 trace_enable, mask[3]); 1472 1473 return 0; 1474 } 1475 1476 int btintel_set_quality_report(struct hci_dev *hdev, bool enable) 1477 { 1478 struct intel_debug_features features; 1479 int err; 1480 1481 bt_dev_dbg(hdev, "enable %d", enable); 1482 1483 /* Read the Intel supported features and if new exception formats 1484 * supported, need to load the additional DDC config to enable. 1485 */ 1486 err = btintel_read_debug_features(hdev, &features); 1487 if (err) 1488 return err; 1489 1490 /* Set or reset the debug features. */ 1491 if (enable) 1492 err = btintel_set_debug_features(hdev, &features); 1493 else 1494 err = btintel_reset_debug_features(hdev, &features); 1495 1496 return err; 1497 } 1498 EXPORT_SYMBOL_GPL(btintel_set_quality_report); 1499 1500 static void btintel_coredump(struct hci_dev *hdev) 1501 { 1502 struct sk_buff *skb; 1503 1504 skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT); 1505 if (IS_ERR(skb)) { 1506 bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb)); 1507 return; 1508 } 1509 1510 kfree_skb(skb); 1511 } 1512 1513 static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb) 1514 { 1515 char buf[80]; 1516 1517 snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n", 1518 coredump_info.hw_variant); 1519 skb_put_data(skb, buf, strlen(buf)); 1520 1521 snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n", 1522 coredump_info.fw_build_num); 1523 skb_put_data(skb, buf, strlen(buf)); 1524 1525 snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name); 1526 skb_put_data(skb, buf, strlen(buf)); 1527 1528 snprintf(buf, sizeof(buf), "Vendor: Intel\n"); 1529 skb_put_data(skb, buf, strlen(buf)); 1530 } 1531 1532 static int btintel_register_devcoredump_support(struct hci_dev *hdev) 1533 { 1534 struct intel_debug_features features; 1535 int err; 1536 1537 err = btintel_read_debug_features(hdev, &features); 1538 if (err) { 1539 bt_dev_info(hdev, "Error reading debug features"); 1540 return err; 1541 } 1542 1543 if (!(features.page1[0] & 0x3f)) { 1544 bt_dev_dbg(hdev, "Telemetry exception format not supported"); 1545 return -EOPNOTSUPP; 1546 } 1547 1548 hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL); 1549 1550 return err; 1551 } 1552 1553 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev, 1554 struct intel_version *ver) 1555 { 1556 const struct firmware *fw; 1557 char fwname[64]; 1558 int ret; 1559 1560 snprintf(fwname, sizeof(fwname), 1561 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1562 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1563 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1564 ver->fw_build_ww, ver->fw_build_yy); 1565 1566 ret = request_firmware(&fw, fwname, &hdev->dev); 1567 if (ret < 0) { 1568 if (ret == -EINVAL) { 1569 bt_dev_err(hdev, "Intel firmware file request failed (%d)", 1570 ret); 1571 return NULL; 1572 } 1573 1574 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)", 1575 fwname, ret); 1576 1577 /* If the correct firmware patch file is not found, use the 1578 * default firmware patch file instead 1579 */ 1580 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1581 ver->hw_platform, ver->hw_variant); 1582 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1583 bt_dev_err(hdev, "failed to open default fw file: %s", 1584 fwname); 1585 return NULL; 1586 } 1587 } 1588 1589 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname); 1590 1591 return fw; 1592 } 1593 1594 static int btintel_legacy_rom_patching(struct hci_dev *hdev, 1595 const struct firmware *fw, 1596 const u8 **fw_ptr, int *disable_patch) 1597 { 1598 struct sk_buff *skb; 1599 struct hci_command_hdr *cmd; 1600 const u8 *cmd_param; 1601 struct hci_event_hdr *evt = NULL; 1602 const u8 *evt_param = NULL; 1603 int remain = fw->size - (*fw_ptr - fw->data); 1604 1605 /* The first byte indicates the types of the patch command or event. 1606 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1607 * in the current firmware buffer doesn't start with 0x01 or 1608 * the size of remain buffer is smaller than HCI command header, 1609 * the firmware file is corrupted and it should stop the patching 1610 * process. 1611 */ 1612 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1613 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read"); 1614 return -EINVAL; 1615 } 1616 (*fw_ptr)++; 1617 remain--; 1618 1619 cmd = (struct hci_command_hdr *)(*fw_ptr); 1620 *fw_ptr += sizeof(*cmd); 1621 remain -= sizeof(*cmd); 1622 1623 /* Ensure that the remain firmware data is long enough than the length 1624 * of command parameter. If not, the firmware file is corrupted. 1625 */ 1626 if (remain < cmd->plen) { 1627 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len"); 1628 return -EFAULT; 1629 } 1630 1631 /* If there is a command that loads a patch in the firmware 1632 * file, then enable the patch upon success, otherwise just 1633 * disable the manufacturer mode, for example patch activation 1634 * is not required when the default firmware patch file is used 1635 * because there are no patch data to load. 1636 */ 1637 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1638 *disable_patch = 0; 1639 1640 cmd_param = *fw_ptr; 1641 *fw_ptr += cmd->plen; 1642 remain -= cmd->plen; 1643 1644 /* This reads the expected events when the above command is sent to the 1645 * device. Some vendor commands expects more than one events, for 1646 * example command status event followed by vendor specific event. 1647 * For this case, it only keeps the last expected event. so the command 1648 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1649 * last expected event. 1650 */ 1651 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1652 (*fw_ptr)++; 1653 remain--; 1654 1655 evt = (struct hci_event_hdr *)(*fw_ptr); 1656 *fw_ptr += sizeof(*evt); 1657 remain -= sizeof(*evt); 1658 1659 if (remain < evt->plen) { 1660 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len"); 1661 return -EFAULT; 1662 } 1663 1664 evt_param = *fw_ptr; 1665 *fw_ptr += evt->plen; 1666 remain -= evt->plen; 1667 } 1668 1669 /* Every HCI commands in the firmware file has its correspond event. 1670 * If event is not found or remain is smaller than zero, the firmware 1671 * file is corrupted. 1672 */ 1673 if (!evt || !evt_param || remain < 0) { 1674 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read"); 1675 return -EFAULT; 1676 } 1677 1678 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1679 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1680 if (IS_ERR(skb)) { 1681 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)", 1682 cmd->opcode, PTR_ERR(skb)); 1683 return PTR_ERR(skb); 1684 } 1685 1686 /* It ensures that the returned event matches the event data read from 1687 * the firmware file. At fist, it checks the length and then 1688 * the contents of the event. 1689 */ 1690 if (skb->len != evt->plen) { 1691 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)", 1692 le16_to_cpu(cmd->opcode)); 1693 kfree_skb(skb); 1694 return -EFAULT; 1695 } 1696 1697 if (memcmp(skb->data, evt_param, evt->plen)) { 1698 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)", 1699 le16_to_cpu(cmd->opcode)); 1700 kfree_skb(skb); 1701 return -EFAULT; 1702 } 1703 kfree_skb(skb); 1704 1705 return 0; 1706 } 1707 1708 static int btintel_legacy_rom_setup(struct hci_dev *hdev, 1709 struct intel_version *ver) 1710 { 1711 const struct firmware *fw; 1712 const u8 *fw_ptr; 1713 int disable_patch, err; 1714 struct intel_version new_ver; 1715 1716 BT_DBG("%s", hdev->name); 1717 1718 /* fw_patch_num indicates the version of patch the device currently 1719 * have. If there is no patch data in the device, it is always 0x00. 1720 * So, if it is other than 0x00, no need to patch the device again. 1721 */ 1722 if (ver->fw_patch_num) { 1723 bt_dev_info(hdev, 1724 "Intel device is already patched. patch num: %02x", 1725 ver->fw_patch_num); 1726 goto complete; 1727 } 1728 1729 /* Opens the firmware patch file based on the firmware version read 1730 * from the controller. If it fails to open the matching firmware 1731 * patch file, it tries to open the default firmware patch file. 1732 * If no patch file is found, allow the device to operate without 1733 * a patch. 1734 */ 1735 fw = btintel_legacy_rom_get_fw(hdev, ver); 1736 if (!fw) 1737 goto complete; 1738 fw_ptr = fw->data; 1739 1740 /* Enable the manufacturer mode of the controller. 1741 * Only while this mode is enabled, the driver can download the 1742 * firmware patch data and configuration parameters. 1743 */ 1744 err = btintel_enter_mfg(hdev); 1745 if (err) { 1746 release_firmware(fw); 1747 return err; 1748 } 1749 1750 disable_patch = 1; 1751 1752 /* The firmware data file consists of list of Intel specific HCI 1753 * commands and its expected events. The first byte indicates the 1754 * type of the message, either HCI command or HCI event. 1755 * 1756 * It reads the command and its expected event from the firmware file, 1757 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1758 * the returned event is compared with the event read from the firmware 1759 * file and it will continue until all the messages are downloaded to 1760 * the controller. 1761 * 1762 * Once the firmware patching is completed successfully, 1763 * the manufacturer mode is disabled with reset and activating the 1764 * downloaded patch. 1765 * 1766 * If the firmware patching fails, the manufacturer mode is 1767 * disabled with reset and deactivating the patch. 1768 * 1769 * If the default patch file is used, no reset is done when disabling 1770 * the manufacturer. 1771 */ 1772 while (fw->size > fw_ptr - fw->data) { 1773 int ret; 1774 1775 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr, 1776 &disable_patch); 1777 if (ret < 0) 1778 goto exit_mfg_deactivate; 1779 } 1780 1781 release_firmware(fw); 1782 1783 if (disable_patch) 1784 goto exit_mfg_disable; 1785 1786 /* Patching completed successfully and disable the manufacturer mode 1787 * with reset and activate the downloaded firmware patches. 1788 */ 1789 err = btintel_exit_mfg(hdev, true, true); 1790 if (err) 1791 return err; 1792 1793 /* Need build number for downloaded fw patches in 1794 * every power-on boot 1795 */ 1796 err = btintel_read_version(hdev, &new_ver); 1797 if (err) 1798 return err; 1799 1800 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated", 1801 new_ver.fw_patch_num); 1802 1803 goto complete; 1804 1805 exit_mfg_disable: 1806 /* Disable the manufacturer mode without reset */ 1807 err = btintel_exit_mfg(hdev, false, false); 1808 if (err) 1809 return err; 1810 1811 bt_dev_info(hdev, "Intel firmware patch completed"); 1812 1813 goto complete; 1814 1815 exit_mfg_deactivate: 1816 release_firmware(fw); 1817 1818 /* Patching failed. Disable the manufacturer mode with reset and 1819 * deactivate the downloaded firmware patches. 1820 */ 1821 err = btintel_exit_mfg(hdev, true, false); 1822 if (err) 1823 return err; 1824 1825 bt_dev_info(hdev, "Intel firmware patch completed and deactivated"); 1826 1827 complete: 1828 /* Set the event mask for Intel specific vendor events. This enables 1829 * a few extra events that are useful during general operation. 1830 */ 1831 btintel_set_event_mask_mfg(hdev, false); 1832 1833 btintel_check_bdaddr(hdev); 1834 1835 return 0; 1836 } 1837 1838 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1839 { 1840 ktime_t delta, rettime; 1841 unsigned long long duration; 1842 int err; 1843 1844 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1845 1846 bt_dev_info(hdev, "Waiting for firmware download to complete"); 1847 1848 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING, 1849 TASK_INTERRUPTIBLE, 1850 msecs_to_jiffies(msec)); 1851 if (err == -EINTR) { 1852 bt_dev_err(hdev, "Firmware loading interrupted"); 1853 return err; 1854 } 1855 1856 if (err) { 1857 bt_dev_err(hdev, "Firmware loading timeout"); 1858 return -ETIMEDOUT; 1859 } 1860 1861 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) { 1862 bt_dev_err(hdev, "Firmware loading failed"); 1863 return -ENOEXEC; 1864 } 1865 1866 rettime = ktime_get(); 1867 delta = ktime_sub(rettime, calltime); 1868 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1869 1870 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration); 1871 1872 return 0; 1873 } 1874 1875 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1876 { 1877 ktime_t delta, rettime; 1878 unsigned long long duration; 1879 int err; 1880 1881 bt_dev_info(hdev, "Waiting for device to boot"); 1882 1883 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING, 1884 TASK_INTERRUPTIBLE, 1885 msecs_to_jiffies(msec)); 1886 if (err == -EINTR) { 1887 bt_dev_err(hdev, "Device boot interrupted"); 1888 return -EINTR; 1889 } 1890 1891 if (err) { 1892 bt_dev_err(hdev, "Device boot timeout"); 1893 return -ETIMEDOUT; 1894 } 1895 1896 rettime = ktime_get(); 1897 delta = ktime_sub(rettime, calltime); 1898 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 1899 1900 bt_dev_info(hdev, "Device booted in %llu usecs", duration); 1901 1902 return 0; 1903 } 1904 1905 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr) 1906 { 1907 ktime_t calltime; 1908 int err; 1909 1910 calltime = ktime_get(); 1911 1912 btintel_set_flag(hdev, INTEL_BOOTING); 1913 1914 err = btintel_send_intel_reset(hdev, boot_addr); 1915 if (err) { 1916 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err); 1917 btintel_reset_to_bootloader(hdev); 1918 return err; 1919 } 1920 1921 /* The bootloader will not indicate when the device is ready. This 1922 * is done by the operational firmware sending bootup notification. 1923 * 1924 * Booting into operational firmware should not take longer than 1925 * 1 second. However if that happens, then just fail the setup 1926 * since something went wrong. 1927 */ 1928 err = btintel_boot_wait(hdev, calltime, 1000); 1929 if (err == -ETIMEDOUT) 1930 btintel_reset_to_bootloader(hdev); 1931 1932 return err; 1933 } 1934 1935 static int btintel_get_fw_name(struct intel_version *ver, 1936 struct intel_boot_params *params, 1937 char *fw_name, size_t len, 1938 const char *suffix) 1939 { 1940 switch (ver->hw_variant) { 1941 case 0x0b: /* SfP */ 1942 case 0x0c: /* WsP */ 1943 snprintf(fw_name, len, "intel/ibt-%u-%u.%s", 1944 ver->hw_variant, 1945 le16_to_cpu(params->dev_revid), 1946 suffix); 1947 break; 1948 case 0x11: /* JfP */ 1949 case 0x12: /* ThP */ 1950 case 0x13: /* HrP */ 1951 case 0x14: /* CcP */ 1952 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s", 1953 ver->hw_variant, 1954 ver->hw_revision, 1955 ver->fw_revision, 1956 suffix); 1957 break; 1958 default: 1959 return -EINVAL; 1960 } 1961 1962 return 0; 1963 } 1964 1965 static int btintel_download_fw(struct hci_dev *hdev, 1966 struct intel_version *ver, 1967 struct intel_boot_params *params, 1968 u32 *boot_param) 1969 { 1970 const struct firmware *fw; 1971 char fwname[64]; 1972 int err; 1973 ktime_t calltime; 1974 1975 if (!ver || !params) 1976 return -EINVAL; 1977 1978 /* The firmware variant determines if the device is in bootloader 1979 * mode or is running operational firmware. The value 0x06 identifies 1980 * the bootloader and the value 0x23 identifies the operational 1981 * firmware. 1982 * 1983 * When the operational firmware is already present, then only 1984 * the check for valid Bluetooth device address is needed. This 1985 * determines if the device will be added as configured or 1986 * unconfigured controller. 1987 * 1988 * It is not possible to use the Secure Boot Parameters in this 1989 * case since that command is only available in bootloader mode. 1990 */ 1991 if (ver->fw_variant == 0x23) { 1992 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 1993 btintel_check_bdaddr(hdev); 1994 1995 /* SfP and WsP don't seem to update the firmware version on file 1996 * so version checking is currently possible. 1997 */ 1998 switch (ver->hw_variant) { 1999 case 0x0b: /* SfP */ 2000 case 0x0c: /* WsP */ 2001 return 0; 2002 } 2003 2004 /* Proceed to download to check if the version matches */ 2005 goto download; 2006 } 2007 2008 /* Read the secure boot parameters to identify the operating 2009 * details of the bootloader. 2010 */ 2011 err = btintel_read_boot_params(hdev, params); 2012 if (err) 2013 return err; 2014 2015 /* It is required that every single firmware fragment is acknowledged 2016 * with a command complete event. If the boot parameters indicate 2017 * that this bootloader does not send them, then abort the setup. 2018 */ 2019 if (params->limited_cce != 0x00) { 2020 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)", 2021 params->limited_cce); 2022 return -EINVAL; 2023 } 2024 2025 /* If the OTP has no valid Bluetooth device address, then there will 2026 * also be no valid address for the operational firmware. 2027 */ 2028 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2029 bt_dev_info(hdev, "No device address configured"); 2030 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2031 } 2032 2033 download: 2034 /* With this Intel bootloader only the hardware variant and device 2035 * revision information are used to select the right firmware for SfP 2036 * and WsP. 2037 * 2038 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi. 2039 * 2040 * Currently the supported hardware variants are: 2041 * 11 (0x0b) for iBT3.0 (LnP/SfP) 2042 * 12 (0x0c) for iBT3.5 (WsP) 2043 * 2044 * For ThP/JfP and for future SKU's, the FW name varies based on HW 2045 * variant, HW revision and FW revision, as these are dependent on CNVi 2046 * and RF Combination. 2047 * 2048 * 17 (0x11) for iBT3.5 (JfP) 2049 * 18 (0x12) for iBT3.5 (ThP) 2050 * 2051 * The firmware file name for these will be 2052 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi. 2053 * 2054 */ 2055 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi"); 2056 if (err < 0) { 2057 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2058 /* Firmware has already been loaded */ 2059 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2060 return 0; 2061 } 2062 2063 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2064 return -EINVAL; 2065 } 2066 2067 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2068 if (err < 0) { 2069 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2070 /* Firmware has already been loaded */ 2071 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2072 return 0; 2073 } 2074 2075 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2076 fwname, err); 2077 return err; 2078 } 2079 2080 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2081 2082 if (fw->size < 644) { 2083 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2084 fw->size); 2085 err = -EBADF; 2086 goto done; 2087 } 2088 2089 calltime = ktime_get(); 2090 2091 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2092 2093 /* Start firmware downloading and get boot parameter */ 2094 err = btintel_download_firmware(hdev, ver, fw, boot_param); 2095 if (err < 0) { 2096 if (err == -EALREADY) { 2097 /* Firmware has already been loaded */ 2098 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2099 err = 0; 2100 goto done; 2101 } 2102 2103 /* When FW download fails, send Intel Reset to retry 2104 * FW download. 2105 */ 2106 btintel_reset_to_bootloader(hdev); 2107 goto done; 2108 } 2109 2110 /* Before switching the device into operational mode and with that 2111 * booting the loaded firmware, wait for the bootloader notification 2112 * that all fragments have been successfully received. 2113 * 2114 * When the event processing receives the notification, then the 2115 * INTEL_DOWNLOADING flag will be cleared. 2116 * 2117 * The firmware loading should not take longer than 5 seconds 2118 * and thus just timeout if that happens and fail the setup 2119 * of this device. 2120 */ 2121 err = btintel_download_wait(hdev, calltime, 5000); 2122 if (err == -ETIMEDOUT) 2123 btintel_reset_to_bootloader(hdev); 2124 2125 done: 2126 release_firmware(fw); 2127 return err; 2128 } 2129 2130 static int btintel_bootloader_setup(struct hci_dev *hdev, 2131 struct intel_version *ver) 2132 { 2133 struct intel_version new_ver; 2134 struct intel_boot_params params; 2135 u32 boot_param; 2136 char ddcname[64]; 2137 int err; 2138 2139 BT_DBG("%s", hdev->name); 2140 2141 /* Set the default boot parameter to 0x0 and it is updated to 2142 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2143 * command while downloading the firmware. 2144 */ 2145 boot_param = 0x00000000; 2146 2147 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2148 2149 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param); 2150 if (err) 2151 return err; 2152 2153 /* controller is already having an operational firmware */ 2154 if (ver->fw_variant == 0x23) 2155 goto finish; 2156 2157 err = btintel_boot(hdev, boot_param); 2158 if (err) 2159 return err; 2160 2161 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2162 2163 err = btintel_get_fw_name(ver, ¶ms, ddcname, 2164 sizeof(ddcname), "ddc"); 2165 2166 if (err < 0) { 2167 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2168 } else { 2169 /* Once the device is running in operational mode, it needs to 2170 * apply the device configuration (DDC) parameters. 2171 * 2172 * The device can work without DDC parameters, so even if it 2173 * fails to load the file, no need to fail the setup. 2174 */ 2175 btintel_load_ddc_config(hdev, ddcname); 2176 } 2177 2178 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2179 2180 /* Read the Intel version information after loading the FW */ 2181 err = btintel_read_version(hdev, &new_ver); 2182 if (err) 2183 return err; 2184 2185 btintel_version_info(hdev, &new_ver); 2186 2187 finish: 2188 /* Set the event mask for Intel specific vendor events. This enables 2189 * a few extra events that are useful during general operation. It 2190 * does not enable any debugging related events. 2191 * 2192 * The device will function correctly without these events enabled 2193 * and thus no need to fail the setup. 2194 */ 2195 btintel_set_event_mask(hdev, false); 2196 2197 return 0; 2198 } 2199 2200 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver, 2201 char *fw_name, size_t len, 2202 const char *suffix) 2203 { 2204 const char *format; 2205 /* The firmware file name for new generation controllers will be 2206 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step> 2207 */ 2208 switch (ver->cnvi_top & 0xfff) { 2209 /* Only Blazar product supports downloading of intermediate loader 2210 * image 2211 */ 2212 case BTINTEL_CNVI_BLAZARI: 2213 if (ver->img_type == BTINTEL_IMG_BOOTLOADER) 2214 format = "intel/ibt-%04x-%04x-iml.%s"; 2215 else 2216 format = "intel/ibt-%04x-%04x.%s"; 2217 break; 2218 default: 2219 format = "intel/ibt-%04x-%04x.%s"; 2220 break; 2221 } 2222 2223 snprintf(fw_name, len, format, 2224 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2225 INTEL_CNVX_TOP_STEP(ver->cnvi_top)), 2226 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2227 INTEL_CNVX_TOP_STEP(ver->cnvr_top)), 2228 suffix); 2229 } 2230 2231 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev, 2232 struct intel_version_tlv *ver, 2233 u32 *boot_param) 2234 { 2235 const struct firmware *fw; 2236 char fwname[64]; 2237 int err; 2238 ktime_t calltime; 2239 2240 if (!ver || !boot_param) 2241 return -EINVAL; 2242 2243 /* The firmware variant determines if the device is in bootloader 2244 * mode or is running operational firmware. The value 0x03 identifies 2245 * the bootloader and the value 0x23 identifies the operational 2246 * firmware. 2247 * 2248 * When the operational firmware is already present, then only 2249 * the check for valid Bluetooth device address is needed. This 2250 * determines if the device will be added as configured or 2251 * unconfigured controller. 2252 * 2253 * It is not possible to use the Secure Boot Parameters in this 2254 * case since that command is only available in bootloader mode. 2255 */ 2256 if (ver->img_type == BTINTEL_IMG_OP) { 2257 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2258 btintel_check_bdaddr(hdev); 2259 } else { 2260 /* 2261 * Check for valid bd address in boot loader mode. Device 2262 * will be marked as unconfigured if empty bd address is 2263 * found. 2264 */ 2265 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) { 2266 bt_dev_info(hdev, "No device address configured"); 2267 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2268 } 2269 } 2270 2271 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2272 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2273 if (err < 0) { 2274 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2275 /* Firmware has already been loaded */ 2276 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2277 return 0; 2278 } 2279 2280 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2281 fwname, err); 2282 2283 return err; 2284 } 2285 2286 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2287 2288 if (fw->size < 644) { 2289 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2290 fw->size); 2291 err = -EBADF; 2292 goto done; 2293 } 2294 2295 calltime = ktime_get(); 2296 2297 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2298 2299 /* Start firmware downloading and get boot parameter */ 2300 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param, 2301 INTEL_HW_VARIANT(ver->cnvi_bt), 2302 ver->sbe_type); 2303 if (err < 0) { 2304 if (err == -EALREADY) { 2305 /* Firmware has already been loaded */ 2306 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2307 err = 0; 2308 goto done; 2309 } 2310 2311 /* When FW download fails, send Intel Reset to retry 2312 * FW download. 2313 */ 2314 btintel_reset_to_bootloader(hdev); 2315 goto done; 2316 } 2317 2318 /* Before switching the device into operational mode and with that 2319 * booting the loaded firmware, wait for the bootloader notification 2320 * that all fragments have been successfully received. 2321 * 2322 * When the event processing receives the notification, then the 2323 * BTUSB_DOWNLOADING flag will be cleared. 2324 * 2325 * The firmware loading should not take longer than 5 seconds 2326 * and thus just timeout if that happens and fail the setup 2327 * of this device. 2328 */ 2329 err = btintel_download_wait(hdev, calltime, 5000); 2330 if (err == -ETIMEDOUT) 2331 btintel_reset_to_bootloader(hdev); 2332 2333 done: 2334 release_firmware(fw); 2335 return err; 2336 } 2337 2338 static int btintel_get_codec_config_data(struct hci_dev *hdev, 2339 __u8 link, struct bt_codec *codec, 2340 __u8 *ven_len, __u8 **ven_data) 2341 { 2342 int err = 0; 2343 2344 if (!ven_data || !ven_len) 2345 return -EINVAL; 2346 2347 *ven_len = 0; 2348 *ven_data = NULL; 2349 2350 if (link != ESCO_LINK) { 2351 bt_dev_err(hdev, "Invalid link type(%u)", link); 2352 return -EINVAL; 2353 } 2354 2355 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL); 2356 if (!*ven_data) { 2357 err = -ENOMEM; 2358 goto error; 2359 } 2360 2361 /* supports only CVSD and mSBC offload codecs */ 2362 switch (codec->id) { 2363 case 0x02: 2364 **ven_data = 0x00; 2365 break; 2366 case 0x05: 2367 **ven_data = 0x01; 2368 break; 2369 default: 2370 err = -EINVAL; 2371 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id); 2372 goto error; 2373 } 2374 /* codec and its capabilities are pre-defined to ids 2375 * preset id = 0x00 represents CVSD codec with sampling rate 8K 2376 * preset id = 0x01 represents mSBC codec with sampling rate 16K 2377 */ 2378 *ven_len = sizeof(__u8); 2379 return err; 2380 2381 error: 2382 kfree(*ven_data); 2383 *ven_data = NULL; 2384 return err; 2385 } 2386 2387 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id) 2388 { 2389 /* Intel uses 1 as data path id for all the usecases */ 2390 *data_path_id = 1; 2391 return 0; 2392 } 2393 2394 static int btintel_configure_offload(struct hci_dev *hdev) 2395 { 2396 struct sk_buff *skb; 2397 int err = 0; 2398 struct intel_offload_use_cases *use_cases; 2399 2400 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT); 2401 if (IS_ERR(skb)) { 2402 bt_dev_err(hdev, "Reading offload use cases failed (%ld)", 2403 PTR_ERR(skb)); 2404 return PTR_ERR(skb); 2405 } 2406 2407 if (skb->len < sizeof(*use_cases)) { 2408 err = -EIO; 2409 goto error; 2410 } 2411 2412 use_cases = (void *)skb->data; 2413 2414 if (use_cases->status) { 2415 err = -bt_to_errno(skb->data[0]); 2416 goto error; 2417 } 2418 2419 if (use_cases->preset[0] & 0x03) { 2420 hdev->get_data_path_id = btintel_get_data_path_id; 2421 hdev->get_codec_config_data = btintel_get_codec_config_data; 2422 } 2423 error: 2424 kfree_skb(skb); 2425 return err; 2426 } 2427 2428 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver) 2429 { 2430 struct btintel_ppag ppag; 2431 struct sk_buff *skb; 2432 struct hci_ppag_enable_cmd ppag_cmd; 2433 acpi_handle handle; 2434 2435 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */ 2436 switch (ver->cnvr_top & 0xFFF) { 2437 case 0x504: /* Hrp2 */ 2438 case 0x202: /* Jfp2 */ 2439 case 0x201: /* Jfp1 */ 2440 bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)", 2441 ver->cnvr_top & 0xFFF); 2442 return; 2443 } 2444 2445 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2446 if (!handle) { 2447 bt_dev_info(hdev, "No support for BT device in ACPI firmware"); 2448 return; 2449 } 2450 2451 memset(&ppag, 0, sizeof(ppag)); 2452 2453 ppag.hdev = hdev; 2454 ppag.status = AE_NOT_FOUND; 2455 acpi_walk_namespace(ACPI_TYPE_PACKAGE, handle, 1, NULL, 2456 btintel_ppag_callback, &ppag, NULL); 2457 2458 if (ACPI_FAILURE(ppag.status)) { 2459 if (ppag.status == AE_NOT_FOUND) { 2460 bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found"); 2461 return; 2462 } 2463 return; 2464 } 2465 2466 if (ppag.domain != 0x12) { 2467 bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware"); 2468 return; 2469 } 2470 2471 /* PPAG mode 2472 * BIT 0 : 0 Disabled in EU 2473 * 1 Enabled in EU 2474 * BIT 1 : 0 Disabled in China 2475 * 1 Enabled in China 2476 */ 2477 if ((ppag.mode & 0x01) != BIT(0) && (ppag.mode & 0x02) != BIT(1)) { 2478 bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in CB/BIOS"); 2479 return; 2480 } 2481 2482 ppag_cmd.ppag_enable_flags = cpu_to_le32(ppag.mode); 2483 2484 skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd), &ppag_cmd, HCI_CMD_TIMEOUT); 2485 if (IS_ERR(skb)) { 2486 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb)); 2487 return; 2488 } 2489 bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", ppag.mode); 2490 kfree_skb(skb); 2491 } 2492 2493 static int btintel_acpi_reset_method(struct hci_dev *hdev) 2494 { 2495 int ret = 0; 2496 acpi_status status; 2497 union acpi_object *p, *ref; 2498 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; 2499 2500 status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer); 2501 if (ACPI_FAILURE(status)) { 2502 bt_dev_err(hdev, "Failed to run _PRR method"); 2503 ret = -ENODEV; 2504 return ret; 2505 } 2506 p = buffer.pointer; 2507 2508 if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) { 2509 bt_dev_err(hdev, "Invalid arguments"); 2510 ret = -EINVAL; 2511 goto exit_on_error; 2512 } 2513 2514 ref = &p->package.elements[0]; 2515 if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) { 2516 bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type); 2517 ret = -EINVAL; 2518 goto exit_on_error; 2519 } 2520 2521 status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL); 2522 if (ACPI_FAILURE(status)) { 2523 bt_dev_err(hdev, "Failed to run_RST method"); 2524 ret = -ENODEV; 2525 goto exit_on_error; 2526 } 2527 2528 exit_on_error: 2529 kfree(buffer.pointer); 2530 return ret; 2531 } 2532 2533 static void btintel_set_dsm_reset_method(struct hci_dev *hdev, 2534 struct intel_version_tlv *ver_tlv) 2535 { 2536 struct btintel_data *data = hci_get_priv(hdev); 2537 acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2538 u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00}; 2539 union acpi_object *obj, argv4; 2540 enum { 2541 RESET_TYPE_WDISABLE2, 2542 RESET_TYPE_VSEC 2543 }; 2544 2545 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2546 2547 if (!handle) { 2548 bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware"); 2549 return; 2550 } 2551 2552 if (!acpi_has_method(handle, "_PRR")) { 2553 bt_dev_err(hdev, "No support for _PRR ACPI method"); 2554 return; 2555 } 2556 2557 switch (ver_tlv->cnvi_top & 0xfff) { 2558 case 0x910: /* GalePeak2 */ 2559 reset_payload[2] = RESET_TYPE_VSEC; 2560 break; 2561 default: 2562 /* WDISABLE2 is the default reset method */ 2563 reset_payload[2] = RESET_TYPE_WDISABLE2; 2564 2565 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2566 BIT(DSM_SET_WDISABLE2_DELAY))) { 2567 bt_dev_err(hdev, "No dsm support to set reset delay"); 2568 return; 2569 } 2570 argv4.integer.type = ACPI_TYPE_INTEGER; 2571 /* delay required to toggle BT power */ 2572 argv4.integer.value = 160; 2573 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2574 DSM_SET_WDISABLE2_DELAY, &argv4); 2575 if (!obj) { 2576 bt_dev_err(hdev, "Failed to call dsm to set reset delay"); 2577 return; 2578 } 2579 ACPI_FREE(obj); 2580 } 2581 2582 bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]); 2583 2584 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2585 DSM_SET_RESET_METHOD)) { 2586 bt_dev_warn(hdev, "No support for dsm to set reset method"); 2587 return; 2588 } 2589 argv4.buffer.type = ACPI_TYPE_BUFFER; 2590 argv4.buffer.length = sizeof(reset_payload); 2591 argv4.buffer.pointer = reset_payload; 2592 2593 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2594 DSM_SET_RESET_METHOD, &argv4); 2595 if (!obj) { 2596 bt_dev_err(hdev, "Failed to call dsm to set reset method"); 2597 return; 2598 } 2599 ACPI_FREE(obj); 2600 data->acpi_reset_method = btintel_acpi_reset_method; 2601 } 2602 2603 int btintel_bootloader_setup_tlv(struct hci_dev *hdev, 2604 struct intel_version_tlv *ver) 2605 { 2606 u32 boot_param; 2607 char ddcname[64]; 2608 int err; 2609 struct intel_version_tlv new_ver; 2610 2611 bt_dev_dbg(hdev, ""); 2612 2613 /* Set the default boot parameter to 0x0 and it is updated to 2614 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2615 * command while downloading the firmware. 2616 */ 2617 boot_param = 0x00000000; 2618 2619 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2620 2621 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2622 if (err) 2623 return err; 2624 2625 /* check if controller is already having an operational firmware */ 2626 if (ver->img_type == BTINTEL_IMG_OP) 2627 goto finish; 2628 2629 err = btintel_boot(hdev, boot_param); 2630 if (err) 2631 return err; 2632 2633 err = btintel_read_version_tlv(hdev, ver); 2634 if (err) 2635 return err; 2636 2637 /* If image type returned is BTINTEL_IMG_IML, then controller supports 2638 * intermediae loader image 2639 */ 2640 if (ver->img_type == BTINTEL_IMG_IML) { 2641 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2642 if (err) 2643 return err; 2644 2645 err = btintel_boot(hdev, boot_param); 2646 if (err) 2647 return err; 2648 } 2649 2650 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2651 2652 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc"); 2653 /* Once the device is running in operational mode, it needs to 2654 * apply the device configuration (DDC) parameters. 2655 * 2656 * The device can work without DDC parameters, so even if it 2657 * fails to load the file, no need to fail the setup. 2658 */ 2659 btintel_load_ddc_config(hdev, ddcname); 2660 2661 /* Read supported use cases and set callbacks to fetch datapath id */ 2662 btintel_configure_offload(hdev); 2663 2664 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2665 2666 /* Set PPAG feature */ 2667 btintel_set_ppag(hdev, ver); 2668 2669 /* Read the Intel version information after loading the FW */ 2670 err = btintel_read_version_tlv(hdev, &new_ver); 2671 if (err) 2672 return err; 2673 2674 btintel_version_info_tlv(hdev, &new_ver); 2675 2676 finish: 2677 /* Set the event mask for Intel specific vendor events. This enables 2678 * a few extra events that are useful during general operation. It 2679 * does not enable any debugging related events. 2680 * 2681 * The device will function correctly without these events enabled 2682 * and thus no need to fail the setup. 2683 */ 2684 btintel_set_event_mask(hdev, false); 2685 2686 return 0; 2687 } 2688 EXPORT_SYMBOL_GPL(btintel_bootloader_setup_tlv); 2689 2690 void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant) 2691 { 2692 switch (hw_variant) { 2693 /* Legacy bootloader devices that supports MSFT Extension */ 2694 case 0x11: /* JfP */ 2695 case 0x12: /* ThP */ 2696 case 0x13: /* HrP */ 2697 case 0x14: /* CcP */ 2698 /* All Intel new genration controllers support the Microsoft vendor 2699 * extension are using 0xFC1E for VsMsftOpCode. 2700 */ 2701 case 0x17: 2702 case 0x18: 2703 case 0x19: 2704 case 0x1b: 2705 case 0x1c: 2706 case 0x1e: 2707 hci_set_msft_opcode(hdev, 0xFC1E); 2708 break; 2709 default: 2710 /* Not supported */ 2711 break; 2712 } 2713 } 2714 EXPORT_SYMBOL_GPL(btintel_set_msft_opcode); 2715 2716 static void btintel_print_fseq_info(struct hci_dev *hdev) 2717 { 2718 struct sk_buff *skb; 2719 u8 *p; 2720 u32 val; 2721 const char *str; 2722 2723 skb = __hci_cmd_sync(hdev, 0xfcb3, 0, NULL, HCI_CMD_TIMEOUT); 2724 if (IS_ERR(skb)) { 2725 bt_dev_dbg(hdev, "Reading fseq status command failed (%ld)", 2726 PTR_ERR(skb)); 2727 return; 2728 } 2729 2730 if (skb->len < (sizeof(u32) * 16 + 2)) { 2731 bt_dev_dbg(hdev, "Malformed packet of length %u received", 2732 skb->len); 2733 kfree_skb(skb); 2734 return; 2735 } 2736 2737 p = skb_pull_data(skb, 1); 2738 if (*p) { 2739 bt_dev_dbg(hdev, "Failed to get fseq status (0x%2.2x)", *p); 2740 kfree_skb(skb); 2741 return; 2742 } 2743 2744 p = skb_pull_data(skb, 1); 2745 switch (*p) { 2746 case 0: 2747 str = "Success"; 2748 break; 2749 case 1: 2750 str = "Fatal error"; 2751 break; 2752 case 2: 2753 str = "Semaphore acquire error"; 2754 break; 2755 default: 2756 str = "Unknown error"; 2757 break; 2758 } 2759 2760 if (*p) { 2761 bt_dev_err(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2762 kfree_skb(skb); 2763 return; 2764 } 2765 2766 bt_dev_info(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2767 2768 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2769 bt_dev_dbg(hdev, "Reason: 0x%8.8x", val); 2770 2771 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2772 bt_dev_dbg(hdev, "Global version: 0x%8.8x", val); 2773 2774 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2775 bt_dev_dbg(hdev, "Installed version: 0x%8.8x", val); 2776 2777 p = skb->data; 2778 skb_pull_data(skb, 4); 2779 bt_dev_info(hdev, "Fseq executed: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 2780 p[2], p[3]); 2781 2782 p = skb->data; 2783 skb_pull_data(skb, 4); 2784 bt_dev_info(hdev, "Fseq BT Top: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 2785 p[2], p[3]); 2786 2787 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2788 bt_dev_dbg(hdev, "Fseq Top init version: 0x%8.8x", val); 2789 2790 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2791 bt_dev_dbg(hdev, "Fseq Cnvio init version: 0x%8.8x", val); 2792 2793 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2794 bt_dev_dbg(hdev, "Fseq MBX Wifi file version: 0x%8.8x", val); 2795 2796 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2797 bt_dev_dbg(hdev, "Fseq BT version: 0x%8.8x", val); 2798 2799 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2800 bt_dev_dbg(hdev, "Fseq Top reset address: 0x%8.8x", val); 2801 2802 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2803 bt_dev_dbg(hdev, "Fseq MBX timeout: 0x%8.8x", val); 2804 2805 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2806 bt_dev_dbg(hdev, "Fseq MBX ack: 0x%8.8x", val); 2807 2808 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2809 bt_dev_dbg(hdev, "Fseq CNVi id: 0x%8.8x", val); 2810 2811 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2812 bt_dev_dbg(hdev, "Fseq CNVr id: 0x%8.8x", val); 2813 2814 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2815 bt_dev_dbg(hdev, "Fseq Error handle: 0x%8.8x", val); 2816 2817 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2818 bt_dev_dbg(hdev, "Fseq Magic noalive indication: 0x%8.8x", val); 2819 2820 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2821 bt_dev_dbg(hdev, "Fseq OTP version: 0x%8.8x", val); 2822 2823 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2824 bt_dev_dbg(hdev, "Fseq MBX otp version: 0x%8.8x", val); 2825 2826 kfree_skb(skb); 2827 } 2828 2829 static int btintel_setup_combined(struct hci_dev *hdev) 2830 { 2831 const u8 param[1] = { 0xFF }; 2832 struct intel_version ver; 2833 struct intel_version_tlv ver_tlv; 2834 struct sk_buff *skb; 2835 int err; 2836 2837 BT_DBG("%s", hdev->name); 2838 2839 /* The some controllers have a bug with the first HCI command sent to it 2840 * returning number of completed commands as zero. This would stall the 2841 * command processing in the Bluetooth core. 2842 * 2843 * As a workaround, send HCI Reset command first which will reset the 2844 * number of completed commands and allow normal command processing 2845 * from now on. 2846 * 2847 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe 2848 * in the SW_RFKILL ON state as a workaround of fixing LED issue during 2849 * the shutdown() procedure, and once the device is in SW_RFKILL ON 2850 * state, the only way to exit out of it is sending the HCI_Reset 2851 * command. 2852 */ 2853 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) || 2854 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 2855 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, 2856 HCI_INIT_TIMEOUT); 2857 if (IS_ERR(skb)) { 2858 bt_dev_err(hdev, 2859 "sending initial HCI reset failed (%ld)", 2860 PTR_ERR(skb)); 2861 return PTR_ERR(skb); 2862 } 2863 kfree_skb(skb); 2864 } 2865 2866 /* Starting from TyP device, the command parameter and response are 2867 * changed even though the OCF for HCI_Intel_Read_Version command 2868 * remains same. The legacy devices can handle even if the 2869 * command has a parameter and returns a correct version information. 2870 * So, it uses new format to support both legacy and new format. 2871 */ 2872 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 2873 if (IS_ERR(skb)) { 2874 bt_dev_err(hdev, "Reading Intel version command failed (%ld)", 2875 PTR_ERR(skb)); 2876 return PTR_ERR(skb); 2877 } 2878 2879 /* Check the status */ 2880 if (skb->data[0]) { 2881 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 2882 skb->data[0]); 2883 err = -EIO; 2884 goto exit_error; 2885 } 2886 2887 /* Apply the common HCI quirks for Intel device */ 2888 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2889 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2890 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks); 2891 2892 /* Set up the quality report callback for Intel devices */ 2893 hdev->set_quality_report = btintel_set_quality_report; 2894 2895 /* For Legacy device, check the HW platform value and size */ 2896 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) { 2897 bt_dev_dbg(hdev, "Read the legacy Intel version information"); 2898 2899 memcpy(&ver, skb->data, sizeof(ver)); 2900 2901 /* Display version information */ 2902 btintel_version_info(hdev, &ver); 2903 2904 /* Check for supported iBT hardware variants of this firmware 2905 * loading method. 2906 * 2907 * This check has been put in place to ensure correct forward 2908 * compatibility options when newer hardware variants come 2909 * along. 2910 */ 2911 switch (ver.hw_variant) { 2912 case 0x07: /* WP */ 2913 case 0x08: /* StP */ 2914 /* Legacy ROM product */ 2915 btintel_set_flag(hdev, INTEL_ROM_LEGACY); 2916 2917 /* Apply the device specific HCI quirks 2918 * 2919 * WBS for SdP - For the Legacy ROM products, only SdP 2920 * supports the WBS. But the version information is not 2921 * enough to use here because the StP2 and SdP have same 2922 * hw_variant and fw_variant. So, this flag is set by 2923 * the transport driver (btusb) based on the HW info 2924 * (idProduct) 2925 */ 2926 if (!btintel_test_flag(hdev, 2927 INTEL_ROM_LEGACY_NO_WBS_SUPPORT)) 2928 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 2929 &hdev->quirks); 2930 if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22) 2931 set_bit(HCI_QUIRK_VALID_LE_STATES, 2932 &hdev->quirks); 2933 2934 err = btintel_legacy_rom_setup(hdev, &ver); 2935 break; 2936 case 0x0b: /* SfP */ 2937 case 0x11: /* JfP */ 2938 case 0x12: /* ThP */ 2939 case 0x13: /* HrP */ 2940 case 0x14: /* CcP */ 2941 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 2942 fallthrough; 2943 case 0x0c: /* WsP */ 2944 /* Apply the device specific HCI quirks 2945 * 2946 * All Legacy bootloader devices support WBS 2947 */ 2948 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 2949 &hdev->quirks); 2950 2951 /* These variants don't seem to support LE Coded PHY */ 2952 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 2953 2954 /* Setup MSFT Extension support */ 2955 btintel_set_msft_opcode(hdev, ver.hw_variant); 2956 2957 err = btintel_bootloader_setup(hdev, &ver); 2958 btintel_register_devcoredump_support(hdev); 2959 break; 2960 default: 2961 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 2962 ver.hw_variant); 2963 err = -EINVAL; 2964 } 2965 2966 hci_set_hw_info(hdev, 2967 "INTEL platform=%u variant=%u revision=%u", 2968 ver.hw_platform, ver.hw_variant, 2969 ver.hw_revision); 2970 2971 goto exit_error; 2972 } 2973 2974 /* memset ver_tlv to start with clean state as few fields are exclusive 2975 * to bootloader mode and are not populated in operational mode 2976 */ 2977 memset(&ver_tlv, 0, sizeof(ver_tlv)); 2978 /* For TLV type device, parse the tlv data */ 2979 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb); 2980 if (err) { 2981 bt_dev_err(hdev, "Failed to parse TLV version information"); 2982 goto exit_error; 2983 } 2984 2985 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) { 2986 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 2987 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt)); 2988 err = -EINVAL; 2989 goto exit_error; 2990 } 2991 2992 /* Check for supported iBT hardware variants of this firmware 2993 * loading method. 2994 * 2995 * This check has been put in place to ensure correct forward 2996 * compatibility options when newer hardware variants come 2997 * along. 2998 */ 2999 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) { 3000 case 0x11: /* JfP */ 3001 case 0x12: /* ThP */ 3002 case 0x13: /* HrP */ 3003 case 0x14: /* CcP */ 3004 /* Some legacy bootloader devices starting from JfP, 3005 * the operational firmware supports both old and TLV based 3006 * HCI_Intel_Read_Version command based on the command 3007 * parameter. 3008 * 3009 * For upgrading firmware case, the TLV based version cannot 3010 * be used because the firmware filename for legacy bootloader 3011 * is based on the old format. 3012 * 3013 * Also, it is not easy to convert TLV based version from the 3014 * legacy version format. 3015 * 3016 * So, as a workaround for those devices, use the legacy 3017 * HCI_Intel_Read_Version to get the version information and 3018 * run the legacy bootloader setup. 3019 */ 3020 err = btintel_read_version(hdev, &ver); 3021 if (err) 3022 break; 3023 3024 /* Apply the device specific HCI quirks 3025 * 3026 * All Legacy bootloader devices support WBS 3027 */ 3028 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 3029 3030 /* These variants don't seem to support LE Coded PHY */ 3031 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 3032 3033 /* Set Valid LE States quirk */ 3034 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 3035 3036 /* Setup MSFT Extension support */ 3037 btintel_set_msft_opcode(hdev, ver.hw_variant); 3038 3039 err = btintel_bootloader_setup(hdev, &ver); 3040 btintel_register_devcoredump_support(hdev); 3041 break; 3042 case 0x17: 3043 case 0x18: 3044 case 0x19: 3045 case 0x1b: 3046 case 0x1c: 3047 case 0x1e: 3048 /* Display version information of TLV type */ 3049 btintel_version_info_tlv(hdev, &ver_tlv); 3050 3051 /* Apply the device specific HCI quirks for TLV based devices 3052 * 3053 * All TLV based devices support WBS 3054 */ 3055 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 3056 3057 /* Apply LE States quirk from solar onwards */ 3058 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 3059 3060 /* Setup MSFT Extension support */ 3061 btintel_set_msft_opcode(hdev, 3062 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3063 btintel_set_dsm_reset_method(hdev, &ver_tlv); 3064 3065 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv); 3066 btintel_register_devcoredump_support(hdev); 3067 btintel_print_fseq_info(hdev); 3068 break; 3069 default: 3070 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3071 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3072 err = -EINVAL; 3073 break; 3074 } 3075 3076 hci_set_hw_info(hdev, "INTEL platform=%u variant=%u", 3077 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt), 3078 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3079 3080 exit_error: 3081 kfree_skb(skb); 3082 3083 return err; 3084 } 3085 3086 int btintel_shutdown_combined(struct hci_dev *hdev) 3087 { 3088 struct sk_buff *skb; 3089 int ret; 3090 3091 /* Send HCI Reset to the controller to stop any BT activity which 3092 * were triggered. This will help to save power and maintain the 3093 * sync b/w Host and controller 3094 */ 3095 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 3096 if (IS_ERR(skb)) { 3097 bt_dev_err(hdev, "HCI reset during shutdown failed"); 3098 return PTR_ERR(skb); 3099 } 3100 kfree_skb(skb); 3101 3102 3103 /* Some platforms have an issue with BT LED when the interface is 3104 * down or BT radio is turned off, which takes 5 seconds to BT LED 3105 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the 3106 * device in the RFKILL ON state which turns off the BT LED immediately. 3107 */ 3108 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 3109 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 3110 if (IS_ERR(skb)) { 3111 ret = PTR_ERR(skb); 3112 bt_dev_err(hdev, "turning off Intel device LED failed"); 3113 return ret; 3114 } 3115 kfree_skb(skb); 3116 } 3117 3118 return 0; 3119 } 3120 EXPORT_SYMBOL_GPL(btintel_shutdown_combined); 3121 3122 int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name) 3123 { 3124 hdev->manufacturer = 2; 3125 hdev->setup = btintel_setup_combined; 3126 hdev->shutdown = btintel_shutdown_combined; 3127 hdev->hw_error = btintel_hw_error; 3128 hdev->set_diag = btintel_set_diag_combined; 3129 hdev->set_bdaddr = btintel_set_bdaddr; 3130 3131 coredump_info.driver_name = driver_name; 3132 3133 return 0; 3134 } 3135 EXPORT_SYMBOL_GPL(btintel_configure_setup); 3136 3137 static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 3138 { 3139 struct intel_tlv *tlv = (void *)&skb->data[5]; 3140 3141 /* The first event is always an event type TLV */ 3142 if (tlv->type != INTEL_TLV_TYPE_ID) 3143 goto recv_frame; 3144 3145 switch (tlv->val[0]) { 3146 case INTEL_TLV_SYSTEM_EXCEPTION: 3147 case INTEL_TLV_FATAL_EXCEPTION: 3148 case INTEL_TLV_DEBUG_EXCEPTION: 3149 case INTEL_TLV_TEST_EXCEPTION: 3150 /* Generate devcoredump from exception */ 3151 if (!hci_devcd_init(hdev, skb->len)) { 3152 hci_devcd_append(hdev, skb); 3153 hci_devcd_complete(hdev); 3154 } else { 3155 bt_dev_err(hdev, "Failed to generate devcoredump"); 3156 kfree_skb(skb); 3157 } 3158 return 0; 3159 default: 3160 bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]); 3161 } 3162 3163 recv_frame: 3164 return hci_recv_frame(hdev, skb); 3165 } 3166 3167 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 3168 { 3169 struct hci_event_hdr *hdr = (void *)skb->data; 3170 const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 }; 3171 3172 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 3173 hdr->plen > 0) { 3174 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 3175 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 3176 3177 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 3178 switch (skb->data[2]) { 3179 case 0x02: 3180 /* When switching to the operational firmware 3181 * the device sends a vendor specific event 3182 * indicating that the bootup completed. 3183 */ 3184 btintel_bootup(hdev, ptr, len); 3185 break; 3186 case 0x06: 3187 /* When the firmware loading completes the 3188 * device sends out a vendor specific event 3189 * indicating the result of the firmware 3190 * loading. 3191 */ 3192 btintel_secure_send_result(hdev, ptr, len); 3193 break; 3194 } 3195 } 3196 3197 /* Handle all diagnostics events separately. May still call 3198 * hci_recv_frame. 3199 */ 3200 if (len >= sizeof(diagnostics_hdr) && 3201 memcmp(&skb->data[2], diagnostics_hdr, 3202 sizeof(diagnostics_hdr)) == 0) { 3203 return btintel_diagnostics(hdev, skb); 3204 } 3205 } 3206 3207 return hci_recv_frame(hdev, skb); 3208 } 3209 EXPORT_SYMBOL_GPL(btintel_recv_event); 3210 3211 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len) 3212 { 3213 const struct intel_bootup *evt = ptr; 3214 3215 if (len != sizeof(*evt)) 3216 return; 3217 3218 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING)) 3219 btintel_wake_up_flag(hdev, INTEL_BOOTING); 3220 } 3221 EXPORT_SYMBOL_GPL(btintel_bootup); 3222 3223 void btintel_secure_send_result(struct hci_dev *hdev, 3224 const void *ptr, unsigned int len) 3225 { 3226 const struct intel_secure_send_result *evt = ptr; 3227 3228 if (len != sizeof(*evt)) 3229 return; 3230 3231 if (evt->result) 3232 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED); 3233 3234 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) && 3235 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED)) 3236 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING); 3237 } 3238 EXPORT_SYMBOL_GPL(btintel_secure_send_result); 3239 3240 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3241 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION); 3242 MODULE_VERSION(VERSION); 3243 MODULE_LICENSE("GPL"); 3244 MODULE_FIRMWARE("intel/ibt-11-5.sfi"); 3245 MODULE_FIRMWARE("intel/ibt-11-5.ddc"); 3246 MODULE_FIRMWARE("intel/ibt-12-16.sfi"); 3247 MODULE_FIRMWARE("intel/ibt-12-16.ddc"); 3248