1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * Bluetooth support for Intel devices 5 * 6 * Copyright (C) 2015 Intel Corporation 7 */ 8 9 #include <linux/module.h> 10 #include <linux/firmware.h> 11 #include <linux/regmap.h> 12 #include <linux/acpi.h> 13 #include <acpi/acpi_bus.h> 14 #include <linux/unaligned.h> 15 #include <linux/efi.h> 16 17 #include <net/bluetooth/bluetooth.h> 18 #include <net/bluetooth/hci_core.h> 19 20 #include "btintel.h" 21 22 #define VERSION "0.1" 23 24 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 25 #define RSA_HEADER_LEN 644 26 #define CSS_HEADER_OFFSET 8 27 #define ECDSA_OFFSET 644 28 #define ECDSA_HEADER_LEN 320 29 30 #define BTINTEL_EFI_DSBR L"UefiCnvCommonDSBR" 31 32 enum { 33 DSM_SET_WDISABLE2_DELAY = 1, 34 DSM_SET_RESET_METHOD = 3, 35 }; 36 37 #define CMD_WRITE_BOOT_PARAMS 0xfc0e 38 struct cmd_write_boot_params { 39 __le32 boot_addr; 40 u8 fw_build_num; 41 u8 fw_build_ww; 42 u8 fw_build_yy; 43 } __packed; 44 45 static struct { 46 const char *driver_name; 47 u8 hw_variant; 48 u32 fw_build_num; 49 } coredump_info; 50 51 static const guid_t btintel_guid_dsm = 52 GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233, 53 0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9); 54 55 int btintel_check_bdaddr(struct hci_dev *hdev) 56 { 57 struct hci_rp_read_bd_addr *bda; 58 struct sk_buff *skb; 59 60 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 61 HCI_INIT_TIMEOUT); 62 if (IS_ERR(skb)) { 63 int err = PTR_ERR(skb); 64 bt_dev_err(hdev, "Reading Intel device address failed (%d)", 65 err); 66 return err; 67 } 68 69 if (skb->len != sizeof(*bda)) { 70 bt_dev_err(hdev, "Intel device address length mismatch"); 71 kfree_skb(skb); 72 return -EIO; 73 } 74 75 bda = (struct hci_rp_read_bd_addr *)skb->data; 76 77 /* For some Intel based controllers, the default Bluetooth device 78 * address 00:03:19:9E:8B:00 can be found. These controllers are 79 * fully operational, but have the danger of duplicate addresses 80 * and that in turn can cause problems with Bluetooth operation. 81 */ 82 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) { 83 bt_dev_err(hdev, "Found Intel default device address (%pMR)", 84 &bda->bdaddr); 85 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 86 } 87 88 kfree_skb(skb); 89 90 return 0; 91 } 92 EXPORT_SYMBOL_GPL(btintel_check_bdaddr); 93 94 int btintel_enter_mfg(struct hci_dev *hdev) 95 { 96 static const u8 param[] = { 0x01, 0x00 }; 97 struct sk_buff *skb; 98 99 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 100 if (IS_ERR(skb)) { 101 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)", 102 PTR_ERR(skb)); 103 return PTR_ERR(skb); 104 } 105 kfree_skb(skb); 106 107 return 0; 108 } 109 EXPORT_SYMBOL_GPL(btintel_enter_mfg); 110 111 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched) 112 { 113 u8 param[] = { 0x00, 0x00 }; 114 struct sk_buff *skb; 115 116 /* The 2nd command parameter specifies the manufacturing exit method: 117 * 0x00: Just disable the manufacturing mode (0x00). 118 * 0x01: Disable manufacturing mode and reset with patches deactivated. 119 * 0x02: Disable manufacturing mode and reset with patches activated. 120 */ 121 if (reset) 122 param[1] |= patched ? 0x02 : 0x01; 123 124 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 125 if (IS_ERR(skb)) { 126 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)", 127 PTR_ERR(skb)); 128 return PTR_ERR(skb); 129 } 130 kfree_skb(skb); 131 132 return 0; 133 } 134 EXPORT_SYMBOL_GPL(btintel_exit_mfg); 135 136 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 137 { 138 struct sk_buff *skb; 139 int err; 140 141 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 142 if (IS_ERR(skb)) { 143 err = PTR_ERR(skb); 144 bt_dev_err(hdev, "Changing Intel device address failed (%d)", 145 err); 146 return err; 147 } 148 kfree_skb(skb); 149 150 return 0; 151 } 152 EXPORT_SYMBOL_GPL(btintel_set_bdaddr); 153 154 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug) 155 { 156 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 157 struct sk_buff *skb; 158 int err; 159 160 if (debug) 161 mask[1] |= 0x62; 162 163 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT); 164 if (IS_ERR(skb)) { 165 err = PTR_ERR(skb); 166 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err); 167 return err; 168 } 169 kfree_skb(skb); 170 171 return 0; 172 } 173 174 int btintel_set_diag(struct hci_dev *hdev, bool enable) 175 { 176 struct sk_buff *skb; 177 u8 param[3]; 178 int err; 179 180 if (enable) { 181 param[0] = 0x03; 182 param[1] = 0x03; 183 param[2] = 0x03; 184 } else { 185 param[0] = 0x00; 186 param[1] = 0x00; 187 param[2] = 0x00; 188 } 189 190 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT); 191 if (IS_ERR(skb)) { 192 err = PTR_ERR(skb); 193 if (err == -ENODATA) 194 goto done; 195 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)", 196 err); 197 return err; 198 } 199 kfree_skb(skb); 200 201 done: 202 btintel_set_event_mask(hdev, enable); 203 return 0; 204 } 205 EXPORT_SYMBOL_GPL(btintel_set_diag); 206 207 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable) 208 { 209 int err, ret; 210 211 err = btintel_enter_mfg(hdev); 212 if (err) 213 return err; 214 215 ret = btintel_set_diag(hdev, enable); 216 217 err = btintel_exit_mfg(hdev, false, false); 218 if (err) 219 return err; 220 221 return ret; 222 } 223 224 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable) 225 { 226 int ret; 227 228 /* Legacy ROM device needs to be in the manufacturer mode to apply 229 * diagnostic setting 230 * 231 * This flag is set after reading the Intel version. 232 */ 233 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY)) 234 ret = btintel_set_diag_mfg(hdev, enable); 235 else 236 ret = btintel_set_diag(hdev, enable); 237 238 return ret; 239 } 240 241 void btintel_hw_error(struct hci_dev *hdev, u8 code) 242 { 243 struct sk_buff *skb; 244 u8 type = 0x00; 245 246 bt_dev_err(hdev, "Hardware error 0x%2.2x", code); 247 248 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 249 if (IS_ERR(skb)) { 250 bt_dev_err(hdev, "Reset after hardware error failed (%ld)", 251 PTR_ERR(skb)); 252 return; 253 } 254 kfree_skb(skb); 255 256 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 257 if (IS_ERR(skb)) { 258 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)", 259 PTR_ERR(skb)); 260 return; 261 } 262 263 if (skb->len != 13) { 264 bt_dev_err(hdev, "Exception info size mismatch"); 265 kfree_skb(skb); 266 return; 267 } 268 269 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1)); 270 271 kfree_skb(skb); 272 } 273 EXPORT_SYMBOL_GPL(btintel_hw_error); 274 275 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver) 276 { 277 const char *variant; 278 279 /* The hardware platform number has a fixed value of 0x37 and 280 * for now only accept this single value. 281 */ 282 if (ver->hw_platform != 0x37) { 283 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)", 284 ver->hw_platform); 285 return -EINVAL; 286 } 287 288 /* Check for supported iBT hardware variants of this firmware 289 * loading method. 290 * 291 * This check has been put in place to ensure correct forward 292 * compatibility options when newer hardware variants come along. 293 */ 294 switch (ver->hw_variant) { 295 case 0x07: /* WP - Legacy ROM */ 296 case 0x08: /* StP - Legacy ROM */ 297 case 0x0b: /* SfP */ 298 case 0x0c: /* WsP */ 299 case 0x11: /* JfP */ 300 case 0x12: /* ThP */ 301 case 0x13: /* HrP */ 302 case 0x14: /* CcP */ 303 break; 304 default: 305 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)", 306 ver->hw_variant); 307 return -EINVAL; 308 } 309 310 switch (ver->fw_variant) { 311 case 0x01: 312 variant = "Legacy ROM 2.5"; 313 break; 314 case 0x06: 315 variant = "Bootloader"; 316 break; 317 case 0x22: 318 variant = "Legacy ROM 2.x"; 319 break; 320 case 0x23: 321 variant = "Firmware"; 322 break; 323 default: 324 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant); 325 return -EINVAL; 326 } 327 328 coredump_info.hw_variant = ver->hw_variant; 329 coredump_info.fw_build_num = ver->fw_build_num; 330 331 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u", 332 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 333 ver->fw_build_num, ver->fw_build_ww, 334 2000 + ver->fw_build_yy); 335 336 return 0; 337 } 338 EXPORT_SYMBOL_GPL(btintel_version_info); 339 340 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen, 341 const void *param) 342 { 343 while (plen > 0) { 344 struct sk_buff *skb; 345 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 346 347 cmd_param[0] = fragment_type; 348 memcpy(cmd_param + 1, param, fragment_len); 349 350 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 351 cmd_param, HCI_INIT_TIMEOUT); 352 if (IS_ERR(skb)) 353 return PTR_ERR(skb); 354 355 kfree_skb(skb); 356 357 plen -= fragment_len; 358 param += fragment_len; 359 } 360 361 return 0; 362 } 363 364 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name) 365 { 366 const struct firmware *fw; 367 struct sk_buff *skb; 368 const u8 *fw_ptr; 369 int err; 370 371 err = request_firmware_direct(&fw, ddc_name, &hdev->dev); 372 if (err < 0) { 373 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)", 374 ddc_name, err); 375 return err; 376 } 377 378 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name); 379 380 fw_ptr = fw->data; 381 382 /* DDC file contains one or more DDC structure which has 383 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 384 */ 385 while (fw->size > fw_ptr - fw->data) { 386 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 387 388 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 389 HCI_INIT_TIMEOUT); 390 if (IS_ERR(skb)) { 391 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)", 392 PTR_ERR(skb)); 393 release_firmware(fw); 394 return PTR_ERR(skb); 395 } 396 397 fw_ptr += cmd_plen; 398 kfree_skb(skb); 399 } 400 401 release_firmware(fw); 402 403 bt_dev_info(hdev, "Applying Intel DDC parameters completed"); 404 405 return 0; 406 } 407 EXPORT_SYMBOL_GPL(btintel_load_ddc_config); 408 409 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug) 410 { 411 int err, ret; 412 413 err = btintel_enter_mfg(hdev); 414 if (err) 415 return err; 416 417 ret = btintel_set_event_mask(hdev, debug); 418 419 err = btintel_exit_mfg(hdev, false, false); 420 if (err) 421 return err; 422 423 return ret; 424 } 425 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg); 426 427 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) 428 { 429 struct sk_buff *skb; 430 431 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); 432 if (IS_ERR(skb)) { 433 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 434 PTR_ERR(skb)); 435 return PTR_ERR(skb); 436 } 437 438 if (!skb || skb->len != sizeof(*ver)) { 439 bt_dev_err(hdev, "Intel version event size mismatch"); 440 kfree_skb(skb); 441 return -EILSEQ; 442 } 443 444 memcpy(ver, skb->data, sizeof(*ver)); 445 446 kfree_skb(skb); 447 448 return 0; 449 } 450 EXPORT_SYMBOL_GPL(btintel_read_version); 451 452 int btintel_version_info_tlv(struct hci_dev *hdev, 453 struct intel_version_tlv *version) 454 { 455 const char *variant; 456 457 /* The hardware platform number has a fixed value of 0x37 and 458 * for now only accept this single value. 459 */ 460 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) { 461 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 462 INTEL_HW_PLATFORM(version->cnvi_bt)); 463 return -EINVAL; 464 } 465 466 /* Check for supported iBT hardware variants of this firmware 467 * loading method. 468 * 469 * This check has been put in place to ensure correct forward 470 * compatibility options when newer hardware variants come along. 471 */ 472 switch (INTEL_HW_VARIANT(version->cnvi_bt)) { 473 case 0x17: /* TyP */ 474 case 0x18: /* Slr */ 475 case 0x19: /* Slr-F */ 476 case 0x1b: /* Mgr */ 477 case 0x1c: /* Gale Peak (GaP) */ 478 case 0x1d: /* BlazarU (BzrU) */ 479 case 0x1e: /* BlazarI (Bzr) */ 480 break; 481 default: 482 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)", 483 INTEL_HW_VARIANT(version->cnvi_bt)); 484 return -EINVAL; 485 } 486 487 switch (version->img_type) { 488 case BTINTEL_IMG_BOOTLOADER: 489 variant = "Bootloader"; 490 /* It is required that every single firmware fragment is acknowledged 491 * with a command complete event. If the boot parameters indicate 492 * that this bootloader does not send them, then abort the setup. 493 */ 494 if (version->limited_cce != 0x00) { 495 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)", 496 version->limited_cce); 497 return -EINVAL; 498 } 499 500 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */ 501 if (version->sbe_type > 0x01) { 502 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)", 503 version->sbe_type); 504 return -EINVAL; 505 } 506 507 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id); 508 bt_dev_info(hdev, "Secure boot is %s", 509 version->secure_boot ? "enabled" : "disabled"); 510 bt_dev_info(hdev, "OTP lock is %s", 511 version->otp_lock ? "enabled" : "disabled"); 512 bt_dev_info(hdev, "API lock is %s", 513 version->api_lock ? "enabled" : "disabled"); 514 bt_dev_info(hdev, "Debug lock is %s", 515 version->debug_lock ? "enabled" : "disabled"); 516 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 517 version->min_fw_build_nn, version->min_fw_build_cw, 518 2000 + version->min_fw_build_yy); 519 break; 520 case BTINTEL_IMG_IML: 521 variant = "Intermediate loader"; 522 break; 523 case BTINTEL_IMG_OP: 524 variant = "Firmware"; 525 break; 526 default: 527 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type); 528 return -EINVAL; 529 } 530 531 coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt); 532 coredump_info.fw_build_num = version->build_num; 533 534 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant, 535 2000 + (version->timestamp >> 8), version->timestamp & 0xff, 536 version->build_type, version->build_num); 537 if (version->img_type == BTINTEL_IMG_OP) 538 bt_dev_info(hdev, "Firmware SHA1: 0x%8.8x", version->git_sha1); 539 540 return 0; 541 } 542 EXPORT_SYMBOL_GPL(btintel_version_info_tlv); 543 544 int btintel_parse_version_tlv(struct hci_dev *hdev, 545 struct intel_version_tlv *version, 546 struct sk_buff *skb) 547 { 548 /* Consume Command Complete Status field */ 549 skb_pull(skb, 1); 550 551 /* Event parameters contatin multiple TLVs. Read each of them 552 * and only keep the required data. Also, it use existing legacy 553 * version field like hw_platform, hw_variant, and fw_variant 554 * to keep the existing setup flow 555 */ 556 while (skb->len) { 557 struct intel_tlv *tlv; 558 559 /* Make sure skb has a minimum length of the header */ 560 if (skb->len < sizeof(*tlv)) 561 return -EINVAL; 562 563 tlv = (struct intel_tlv *)skb->data; 564 565 /* Make sure skb has a enough data */ 566 if (skb->len < tlv->len + sizeof(*tlv)) 567 return -EINVAL; 568 569 switch (tlv->type) { 570 case INTEL_TLV_CNVI_TOP: 571 version->cnvi_top = get_unaligned_le32(tlv->val); 572 break; 573 case INTEL_TLV_CNVR_TOP: 574 version->cnvr_top = get_unaligned_le32(tlv->val); 575 break; 576 case INTEL_TLV_CNVI_BT: 577 version->cnvi_bt = get_unaligned_le32(tlv->val); 578 break; 579 case INTEL_TLV_CNVR_BT: 580 version->cnvr_bt = get_unaligned_le32(tlv->val); 581 break; 582 case INTEL_TLV_DEV_REV_ID: 583 version->dev_rev_id = get_unaligned_le16(tlv->val); 584 break; 585 case INTEL_TLV_IMAGE_TYPE: 586 version->img_type = tlv->val[0]; 587 break; 588 case INTEL_TLV_TIME_STAMP: 589 /* If image type is Operational firmware (0x03), then 590 * running FW Calendar Week and Year information can 591 * be extracted from Timestamp information 592 */ 593 version->min_fw_build_cw = tlv->val[0]; 594 version->min_fw_build_yy = tlv->val[1]; 595 version->timestamp = get_unaligned_le16(tlv->val); 596 break; 597 case INTEL_TLV_BUILD_TYPE: 598 version->build_type = tlv->val[0]; 599 break; 600 case INTEL_TLV_BUILD_NUM: 601 /* If image type is Operational firmware (0x03), then 602 * running FW build number can be extracted from the 603 * Build information 604 */ 605 version->min_fw_build_nn = tlv->val[0]; 606 version->build_num = get_unaligned_le32(tlv->val); 607 break; 608 case INTEL_TLV_SECURE_BOOT: 609 version->secure_boot = tlv->val[0]; 610 break; 611 case INTEL_TLV_OTP_LOCK: 612 version->otp_lock = tlv->val[0]; 613 break; 614 case INTEL_TLV_API_LOCK: 615 version->api_lock = tlv->val[0]; 616 break; 617 case INTEL_TLV_DEBUG_LOCK: 618 version->debug_lock = tlv->val[0]; 619 break; 620 case INTEL_TLV_MIN_FW: 621 version->min_fw_build_nn = tlv->val[0]; 622 version->min_fw_build_cw = tlv->val[1]; 623 version->min_fw_build_yy = tlv->val[2]; 624 break; 625 case INTEL_TLV_LIMITED_CCE: 626 version->limited_cce = tlv->val[0]; 627 break; 628 case INTEL_TLV_SBE_TYPE: 629 version->sbe_type = tlv->val[0]; 630 break; 631 case INTEL_TLV_OTP_BDADDR: 632 memcpy(&version->otp_bd_addr, tlv->val, 633 sizeof(bdaddr_t)); 634 break; 635 case INTEL_TLV_GIT_SHA1: 636 version->git_sha1 = get_unaligned_le32(tlv->val); 637 break; 638 case INTEL_TLV_FW_ID: 639 snprintf(version->fw_id, sizeof(version->fw_id), 640 "%s", tlv->val); 641 break; 642 default: 643 /* Ignore rest of information */ 644 break; 645 } 646 /* consume the current tlv and move to next*/ 647 skb_pull(skb, tlv->len + sizeof(*tlv)); 648 } 649 650 return 0; 651 } 652 EXPORT_SYMBOL_GPL(btintel_parse_version_tlv); 653 654 static int btintel_read_version_tlv(struct hci_dev *hdev, 655 struct intel_version_tlv *version) 656 { 657 struct sk_buff *skb; 658 const u8 param[1] = { 0xFF }; 659 660 if (!version) 661 return -EINVAL; 662 663 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 664 if (IS_ERR(skb)) { 665 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 666 PTR_ERR(skb)); 667 return PTR_ERR(skb); 668 } 669 670 if (skb->data[0]) { 671 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 672 skb->data[0]); 673 kfree_skb(skb); 674 return -EIO; 675 } 676 677 btintel_parse_version_tlv(hdev, version, skb); 678 679 kfree_skb(skb); 680 return 0; 681 } 682 683 /* ------- REGMAP IBT SUPPORT ------- */ 684 685 #define IBT_REG_MODE_8BIT 0x00 686 #define IBT_REG_MODE_16BIT 0x01 687 #define IBT_REG_MODE_32BIT 0x02 688 689 struct regmap_ibt_context { 690 struct hci_dev *hdev; 691 __u16 op_write; 692 __u16 op_read; 693 }; 694 695 struct ibt_cp_reg_access { 696 __le32 addr; 697 __u8 mode; 698 __u8 len; 699 __u8 data[]; 700 } __packed; 701 702 struct ibt_rp_reg_access { 703 __u8 status; 704 __le32 addr; 705 __u8 data[]; 706 } __packed; 707 708 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size, 709 void *val, size_t val_size) 710 { 711 struct regmap_ibt_context *ctx = context; 712 struct ibt_cp_reg_access cp; 713 struct ibt_rp_reg_access *rp; 714 struct sk_buff *skb; 715 int err = 0; 716 717 if (reg_size != sizeof(__le32)) 718 return -EINVAL; 719 720 switch (val_size) { 721 case 1: 722 cp.mode = IBT_REG_MODE_8BIT; 723 break; 724 case 2: 725 cp.mode = IBT_REG_MODE_16BIT; 726 break; 727 case 4: 728 cp.mode = IBT_REG_MODE_32BIT; 729 break; 730 default: 731 return -EINVAL; 732 } 733 734 /* regmap provides a little-endian formatted addr */ 735 cp.addr = *(__le32 *)addr; 736 cp.len = val_size; 737 738 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr)); 739 740 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp, 741 HCI_CMD_TIMEOUT); 742 if (IS_ERR(skb)) { 743 err = PTR_ERR(skb); 744 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)", 745 le32_to_cpu(cp.addr), err); 746 return err; 747 } 748 749 if (skb->len != sizeof(*rp) + val_size) { 750 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len", 751 le32_to_cpu(cp.addr)); 752 err = -EINVAL; 753 goto done; 754 } 755 756 rp = (struct ibt_rp_reg_access *)skb->data; 757 758 if (rp->addr != cp.addr) { 759 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr", 760 le32_to_cpu(rp->addr)); 761 err = -EINVAL; 762 goto done; 763 } 764 765 memcpy(val, rp->data, val_size); 766 767 done: 768 kfree_skb(skb); 769 return err; 770 } 771 772 static int regmap_ibt_gather_write(void *context, 773 const void *addr, size_t reg_size, 774 const void *val, size_t val_size) 775 { 776 struct regmap_ibt_context *ctx = context; 777 struct ibt_cp_reg_access *cp; 778 struct sk_buff *skb; 779 int plen = sizeof(*cp) + val_size; 780 u8 mode; 781 int err = 0; 782 783 if (reg_size != sizeof(__le32)) 784 return -EINVAL; 785 786 switch (val_size) { 787 case 1: 788 mode = IBT_REG_MODE_8BIT; 789 break; 790 case 2: 791 mode = IBT_REG_MODE_16BIT; 792 break; 793 case 4: 794 mode = IBT_REG_MODE_32BIT; 795 break; 796 default: 797 return -EINVAL; 798 } 799 800 cp = kmalloc(plen, GFP_KERNEL); 801 if (!cp) 802 return -ENOMEM; 803 804 /* regmap provides a little-endian formatted addr/value */ 805 cp->addr = *(__le32 *)addr; 806 cp->mode = mode; 807 cp->len = val_size; 808 memcpy(&cp->data, val, val_size); 809 810 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr)); 811 812 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT); 813 if (IS_ERR(skb)) { 814 err = PTR_ERR(skb); 815 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)", 816 le32_to_cpu(cp->addr), err); 817 goto done; 818 } 819 kfree_skb(skb); 820 821 done: 822 kfree(cp); 823 return err; 824 } 825 826 static int regmap_ibt_write(void *context, const void *data, size_t count) 827 { 828 /* data contains register+value, since we only support 32bit addr, 829 * minimum data size is 4 bytes. 830 */ 831 if (WARN_ONCE(count < 4, "Invalid register access")) 832 return -EINVAL; 833 834 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4); 835 } 836 837 static void regmap_ibt_free_context(void *context) 838 { 839 kfree(context); 840 } 841 842 static const struct regmap_bus regmap_ibt = { 843 .read = regmap_ibt_read, 844 .write = regmap_ibt_write, 845 .gather_write = regmap_ibt_gather_write, 846 .free_context = regmap_ibt_free_context, 847 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE, 848 .val_format_endian_default = REGMAP_ENDIAN_LITTLE, 849 }; 850 851 /* Config is the same for all register regions */ 852 static const struct regmap_config regmap_ibt_cfg = { 853 .name = "btintel_regmap", 854 .reg_bits = 32, 855 .val_bits = 32, 856 }; 857 858 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read, 859 u16 opcode_write) 860 { 861 struct regmap_ibt_context *ctx; 862 863 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read, 864 opcode_write); 865 866 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 867 if (!ctx) 868 return ERR_PTR(-ENOMEM); 869 870 ctx->op_read = opcode_read; 871 ctx->op_write = opcode_write; 872 ctx->hdev = hdev; 873 874 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg); 875 } 876 EXPORT_SYMBOL_GPL(btintel_regmap_init); 877 878 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param) 879 { 880 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 }; 881 struct sk_buff *skb; 882 883 params.boot_param = cpu_to_le32(boot_param); 884 885 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms, 886 HCI_INIT_TIMEOUT); 887 if (IS_ERR(skb)) { 888 bt_dev_err(hdev, "Failed to send Intel Reset command"); 889 return PTR_ERR(skb); 890 } 891 892 kfree_skb(skb); 893 894 return 0; 895 } 896 EXPORT_SYMBOL_GPL(btintel_send_intel_reset); 897 898 int btintel_read_boot_params(struct hci_dev *hdev, 899 struct intel_boot_params *params) 900 { 901 struct sk_buff *skb; 902 903 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 904 if (IS_ERR(skb)) { 905 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)", 906 PTR_ERR(skb)); 907 return PTR_ERR(skb); 908 } 909 910 if (skb->len != sizeof(*params)) { 911 bt_dev_err(hdev, "Intel boot parameters size mismatch"); 912 kfree_skb(skb); 913 return -EILSEQ; 914 } 915 916 memcpy(params, skb->data, sizeof(*params)); 917 918 kfree_skb(skb); 919 920 if (params->status) { 921 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)", 922 params->status); 923 return -bt_to_errno(params->status); 924 } 925 926 bt_dev_info(hdev, "Device revision is %u", 927 le16_to_cpu(params->dev_revid)); 928 929 bt_dev_info(hdev, "Secure boot is %s", 930 params->secure_boot ? "enabled" : "disabled"); 931 932 bt_dev_info(hdev, "OTP lock is %s", 933 params->otp_lock ? "enabled" : "disabled"); 934 935 bt_dev_info(hdev, "API lock is %s", 936 params->api_lock ? "enabled" : "disabled"); 937 938 bt_dev_info(hdev, "Debug lock is %s", 939 params->debug_lock ? "enabled" : "disabled"); 940 941 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 942 params->min_fw_build_nn, params->min_fw_build_cw, 943 2000 + params->min_fw_build_yy); 944 945 return 0; 946 } 947 EXPORT_SYMBOL_GPL(btintel_read_boot_params); 948 949 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev, 950 const struct firmware *fw) 951 { 952 int err; 953 954 /* Start the firmware download transaction with the Init fragment 955 * represented by the 128 bytes of CSS header. 956 */ 957 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 958 if (err < 0) { 959 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 960 goto done; 961 } 962 963 /* Send the 256 bytes of public key information from the firmware 964 * as the PKey fragment. 965 */ 966 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 967 if (err < 0) { 968 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 969 goto done; 970 } 971 972 /* Send the 256 bytes of signature information from the firmware 973 * as the Sign fragment. 974 */ 975 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 976 if (err < 0) { 977 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err); 978 goto done; 979 } 980 981 done: 982 return err; 983 } 984 985 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev, 986 const struct firmware *fw) 987 { 988 int err; 989 990 /* Start the firmware download transaction with the Init fragment 991 * represented by the 128 bytes of CSS header. 992 */ 993 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644); 994 if (err < 0) { 995 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 996 return err; 997 } 998 999 /* Send the 96 bytes of public key information from the firmware 1000 * as the PKey fragment. 1001 */ 1002 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128); 1003 if (err < 0) { 1004 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 1005 return err; 1006 } 1007 1008 /* Send the 96 bytes of signature information from the firmware 1009 * as the Sign fragment 1010 */ 1011 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224); 1012 if (err < 0) { 1013 bt_dev_err(hdev, "Failed to send firmware signature (%d)", 1014 err); 1015 return err; 1016 } 1017 return 0; 1018 } 1019 1020 static int btintel_download_firmware_payload(struct hci_dev *hdev, 1021 const struct firmware *fw, 1022 size_t offset) 1023 { 1024 int err; 1025 const u8 *fw_ptr; 1026 u32 frag_len; 1027 1028 fw_ptr = fw->data + offset; 1029 frag_len = 0; 1030 err = -EINVAL; 1031 1032 while (fw_ptr - fw->data < fw->size) { 1033 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 1034 1035 frag_len += sizeof(*cmd) + cmd->plen; 1036 1037 /* The parameter length of the secure send command requires 1038 * a 4 byte alignment. It happens so that the firmware file 1039 * contains proper Intel_NOP commands to align the fragments 1040 * as needed. 1041 * 1042 * Send set of commands with 4 byte alignment from the 1043 * firmware data buffer as a single Data fragment. 1044 */ 1045 if (!(frag_len % 4)) { 1046 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 1047 if (err < 0) { 1048 bt_dev_err(hdev, 1049 "Failed to send firmware data (%d)", 1050 err); 1051 goto done; 1052 } 1053 1054 fw_ptr += frag_len; 1055 frag_len = 0; 1056 } 1057 } 1058 1059 done: 1060 return err; 1061 } 1062 1063 static bool btintel_firmware_version(struct hci_dev *hdev, 1064 u8 num, u8 ww, u8 yy, 1065 const struct firmware *fw, 1066 u32 *boot_addr) 1067 { 1068 const u8 *fw_ptr; 1069 1070 fw_ptr = fw->data; 1071 1072 while (fw_ptr - fw->data < fw->size) { 1073 struct hci_command_hdr *cmd = (void *)(fw_ptr); 1074 1075 /* Each SKU has a different reset parameter to use in the 1076 * HCI_Intel_Reset command and it is embedded in the firmware 1077 * data. So, instead of using static value per SKU, check 1078 * the firmware data and save it for later use. 1079 */ 1080 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) { 1081 struct cmd_write_boot_params *params; 1082 1083 params = (void *)(fw_ptr + sizeof(*cmd)); 1084 1085 *boot_addr = le32_to_cpu(params->boot_addr); 1086 1087 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr); 1088 1089 bt_dev_info(hdev, "Firmware Version: %u-%u.%u", 1090 params->fw_build_num, params->fw_build_ww, 1091 params->fw_build_yy); 1092 1093 return (num == params->fw_build_num && 1094 ww == params->fw_build_ww && 1095 yy == params->fw_build_yy); 1096 } 1097 1098 fw_ptr += sizeof(*cmd) + cmd->plen; 1099 } 1100 1101 return false; 1102 } 1103 1104 int btintel_download_firmware(struct hci_dev *hdev, 1105 struct intel_version *ver, 1106 const struct firmware *fw, 1107 u32 *boot_param) 1108 { 1109 int err; 1110 1111 /* SfP and WsP don't seem to update the firmware version on file 1112 * so version checking is currently not possible. 1113 */ 1114 switch (ver->hw_variant) { 1115 case 0x0b: /* SfP */ 1116 case 0x0c: /* WsP */ 1117 /* Skip version checking */ 1118 break; 1119 default: 1120 1121 /* Skip download if firmware has the same version */ 1122 if (btintel_firmware_version(hdev, ver->fw_build_num, 1123 ver->fw_build_ww, ver->fw_build_yy, 1124 fw, boot_param)) { 1125 bt_dev_info(hdev, "Firmware already loaded"); 1126 /* Return -EALREADY to indicate that the firmware has 1127 * already been loaded. 1128 */ 1129 return -EALREADY; 1130 } 1131 } 1132 1133 /* The firmware variant determines if the device is in bootloader 1134 * mode or is running operational firmware. The value 0x06 identifies 1135 * the bootloader and the value 0x23 identifies the operational 1136 * firmware. 1137 * 1138 * If the firmware version has changed that means it needs to be reset 1139 * to bootloader when operational so the new firmware can be loaded. 1140 */ 1141 if (ver->fw_variant == 0x23) 1142 return -EINVAL; 1143 1144 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1145 if (err) 1146 return err; 1147 1148 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1149 } 1150 EXPORT_SYMBOL_GPL(btintel_download_firmware); 1151 1152 static int btintel_download_fw_tlv(struct hci_dev *hdev, 1153 struct intel_version_tlv *ver, 1154 const struct firmware *fw, u32 *boot_param, 1155 u8 hw_variant, u8 sbe_type) 1156 { 1157 int err; 1158 u32 css_header_ver; 1159 1160 /* Skip download if firmware has the same version */ 1161 if (btintel_firmware_version(hdev, ver->min_fw_build_nn, 1162 ver->min_fw_build_cw, 1163 ver->min_fw_build_yy, 1164 fw, boot_param)) { 1165 bt_dev_info(hdev, "Firmware already loaded"); 1166 /* Return -EALREADY to indicate that firmware has 1167 * already been loaded. 1168 */ 1169 return -EALREADY; 1170 } 1171 1172 /* The firmware variant determines if the device is in bootloader 1173 * mode or is running operational firmware. The value 0x01 identifies 1174 * the bootloader and the value 0x03 identifies the operational 1175 * firmware. 1176 * 1177 * If the firmware version has changed that means it needs to be reset 1178 * to bootloader when operational so the new firmware can be loaded. 1179 */ 1180 if (ver->img_type == BTINTEL_IMG_OP) 1181 return -EINVAL; 1182 1183 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support 1184 * only RSA secure boot engine. Hence, the corresponding sfi file will 1185 * have RSA header of 644 bytes followed by Command Buffer. 1186 * 1187 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA 1188 * secure boot engine. As a result, the corresponding sfi file will 1189 * have RSA header of 644, ECDSA header of 320 bytes followed by 1190 * Command Buffer. 1191 * 1192 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header 1193 * version: RSA(0x00010000) , ECDSA (0x00020000) 1194 */ 1195 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET); 1196 if (css_header_ver != 0x00010000) { 1197 bt_dev_err(hdev, "Invalid CSS Header version"); 1198 return -EINVAL; 1199 } 1200 1201 if (hw_variant <= 0x14) { 1202 if (sbe_type != 0x00) { 1203 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)", 1204 hw_variant); 1205 return -EINVAL; 1206 } 1207 1208 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1209 if (err) 1210 return err; 1211 1212 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1213 if (err) 1214 return err; 1215 } else if (hw_variant >= 0x17) { 1216 /* Check if CSS header for ECDSA follows the RSA header */ 1217 if (fw->data[ECDSA_OFFSET] != 0x06) 1218 return -EINVAL; 1219 1220 /* Check if the CSS Header version is ECDSA(0x00020000) */ 1221 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET); 1222 if (css_header_ver != 0x00020000) { 1223 bt_dev_err(hdev, "Invalid CSS Header version"); 1224 return -EINVAL; 1225 } 1226 1227 if (sbe_type == 0x00) { 1228 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1229 if (err) 1230 return err; 1231 1232 err = btintel_download_firmware_payload(hdev, fw, 1233 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1234 if (err) 1235 return err; 1236 } else if (sbe_type == 0x01) { 1237 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw); 1238 if (err) 1239 return err; 1240 1241 err = btintel_download_firmware_payload(hdev, fw, 1242 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1243 if (err) 1244 return err; 1245 } 1246 } 1247 return 0; 1248 } 1249 1250 static void btintel_reset_to_bootloader(struct hci_dev *hdev) 1251 { 1252 struct intel_reset params; 1253 struct sk_buff *skb; 1254 1255 /* PCIe transport uses shared hardware reset mechanism for recovery 1256 * which gets triggered in pcie *setup* function on error. 1257 */ 1258 if (hdev->bus == HCI_PCI) 1259 return; 1260 1261 /* Send Intel Reset command. This will result in 1262 * re-enumeration of BT controller. 1263 * 1264 * Intel Reset parameter description: 1265 * reset_type : 0x00 (Soft reset), 1266 * 0x01 (Hard reset) 1267 * patch_enable : 0x00 (Do not enable), 1268 * 0x01 (Enable) 1269 * ddc_reload : 0x00 (Do not reload), 1270 * 0x01 (Reload) 1271 * boot_option: 0x00 (Current image), 1272 * 0x01 (Specified boot address) 1273 * boot_param: Boot address 1274 * 1275 */ 1276 1277 params.reset_type = 0x01; 1278 params.patch_enable = 0x01; 1279 params.ddc_reload = 0x01; 1280 params.boot_option = 0x00; 1281 params.boot_param = cpu_to_le32(0x00000000); 1282 1283 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), 1284 ¶ms, HCI_INIT_TIMEOUT); 1285 if (IS_ERR(skb)) { 1286 bt_dev_err(hdev, "FW download error recovery failed (%ld)", 1287 PTR_ERR(skb)); 1288 return; 1289 } 1290 bt_dev_info(hdev, "Intel reset sent to retry FW download"); 1291 kfree_skb(skb); 1292 1293 /* Current Intel BT controllers(ThP/JfP) hold the USB reset 1294 * lines for 2ms when it receives Intel Reset in bootloader mode. 1295 * Whereas, the upcoming Intel BT controllers will hold USB reset 1296 * for 150ms. To keep the delay generic, 150ms is chosen here. 1297 */ 1298 msleep(150); 1299 } 1300 1301 static int btintel_read_debug_features(struct hci_dev *hdev, 1302 struct intel_debug_features *features) 1303 { 1304 struct sk_buff *skb; 1305 u8 page_no = 1; 1306 1307 /* Intel controller supports two pages, each page is of 128-bit 1308 * feature bit mask. And each bit defines specific feature support 1309 */ 1310 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no, 1311 HCI_INIT_TIMEOUT); 1312 if (IS_ERR(skb)) { 1313 bt_dev_err(hdev, "Reading supported features failed (%ld)", 1314 PTR_ERR(skb)); 1315 return PTR_ERR(skb); 1316 } 1317 1318 if (skb->len != (sizeof(features->page1) + 3)) { 1319 bt_dev_err(hdev, "Supported features event size mismatch"); 1320 kfree_skb(skb); 1321 return -EILSEQ; 1322 } 1323 1324 memcpy(features->page1, skb->data + 3, sizeof(features->page1)); 1325 1326 /* Read the supported features page2 if required in future. 1327 */ 1328 kfree_skb(skb); 1329 return 0; 1330 } 1331 1332 static int btintel_set_debug_features(struct hci_dev *hdev, 1333 const struct intel_debug_features *features) 1334 { 1335 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00, 1336 0x00, 0x00, 0x00 }; 1337 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 }; 1338 u8 trace_enable = 0x02; 1339 struct sk_buff *skb; 1340 1341 if (!features) { 1342 bt_dev_warn(hdev, "Debug features not read"); 1343 return -EINVAL; 1344 } 1345 1346 if (!(features->page1[0] & 0x3f)) { 1347 bt_dev_info(hdev, "Telemetry exception format not supported"); 1348 return 0; 1349 } 1350 1351 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1352 if (IS_ERR(skb)) { 1353 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1354 PTR_ERR(skb)); 1355 return PTR_ERR(skb); 1356 } 1357 kfree_skb(skb); 1358 1359 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT); 1360 if (IS_ERR(skb)) { 1361 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)", 1362 PTR_ERR(skb)); 1363 return PTR_ERR(skb); 1364 } 1365 kfree_skb(skb); 1366 1367 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1368 if (IS_ERR(skb)) { 1369 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)", 1370 PTR_ERR(skb)); 1371 return PTR_ERR(skb); 1372 } 1373 kfree_skb(skb); 1374 1375 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x", 1376 trace_enable, mask[3]); 1377 1378 return 0; 1379 } 1380 1381 static int btintel_reset_debug_features(struct hci_dev *hdev, 1382 const struct intel_debug_features *features) 1383 { 1384 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 1385 0x00, 0x00, 0x00 }; 1386 u8 trace_enable = 0x00; 1387 struct sk_buff *skb; 1388 1389 if (!features) { 1390 bt_dev_warn(hdev, "Debug features not read"); 1391 return -EINVAL; 1392 } 1393 1394 if (!(features->page1[0] & 0x3f)) { 1395 bt_dev_info(hdev, "Telemetry exception format not supported"); 1396 return 0; 1397 } 1398 1399 /* Should stop the trace before writing ddc event mask. */ 1400 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1401 if (IS_ERR(skb)) { 1402 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)", 1403 PTR_ERR(skb)); 1404 return PTR_ERR(skb); 1405 } 1406 kfree_skb(skb); 1407 1408 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1409 if (IS_ERR(skb)) { 1410 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1411 PTR_ERR(skb)); 1412 return PTR_ERR(skb); 1413 } 1414 kfree_skb(skb); 1415 1416 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x", 1417 trace_enable, mask[3]); 1418 1419 return 0; 1420 } 1421 1422 int btintel_set_quality_report(struct hci_dev *hdev, bool enable) 1423 { 1424 struct intel_debug_features features; 1425 int err; 1426 1427 bt_dev_dbg(hdev, "enable %d", enable); 1428 1429 /* Read the Intel supported features and if new exception formats 1430 * supported, need to load the additional DDC config to enable. 1431 */ 1432 err = btintel_read_debug_features(hdev, &features); 1433 if (err) 1434 return err; 1435 1436 /* Set or reset the debug features. */ 1437 if (enable) 1438 err = btintel_set_debug_features(hdev, &features); 1439 else 1440 err = btintel_reset_debug_features(hdev, &features); 1441 1442 return err; 1443 } 1444 EXPORT_SYMBOL_GPL(btintel_set_quality_report); 1445 1446 static void btintel_coredump(struct hci_dev *hdev) 1447 { 1448 struct sk_buff *skb; 1449 1450 skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT); 1451 if (IS_ERR(skb)) { 1452 bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb)); 1453 return; 1454 } 1455 1456 kfree_skb(skb); 1457 } 1458 1459 static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb) 1460 { 1461 char buf[80]; 1462 1463 snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n", 1464 coredump_info.hw_variant); 1465 skb_put_data(skb, buf, strlen(buf)); 1466 1467 snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n", 1468 coredump_info.fw_build_num); 1469 skb_put_data(skb, buf, strlen(buf)); 1470 1471 snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name); 1472 skb_put_data(skb, buf, strlen(buf)); 1473 1474 snprintf(buf, sizeof(buf), "Vendor: Intel\n"); 1475 skb_put_data(skb, buf, strlen(buf)); 1476 } 1477 1478 static int btintel_register_devcoredump_support(struct hci_dev *hdev) 1479 { 1480 struct intel_debug_features features; 1481 int err; 1482 1483 err = btintel_read_debug_features(hdev, &features); 1484 if (err) { 1485 bt_dev_info(hdev, "Error reading debug features"); 1486 return err; 1487 } 1488 1489 if (!(features.page1[0] & 0x3f)) { 1490 bt_dev_dbg(hdev, "Telemetry exception format not supported"); 1491 return -EOPNOTSUPP; 1492 } 1493 1494 hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL); 1495 1496 return err; 1497 } 1498 1499 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev, 1500 struct intel_version *ver) 1501 { 1502 const struct firmware *fw; 1503 char fwname[64]; 1504 int ret; 1505 1506 snprintf(fwname, sizeof(fwname), 1507 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1508 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1509 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1510 ver->fw_build_ww, ver->fw_build_yy); 1511 1512 ret = request_firmware(&fw, fwname, &hdev->dev); 1513 if (ret < 0) { 1514 if (ret == -EINVAL) { 1515 bt_dev_err(hdev, "Intel firmware file request failed (%d)", 1516 ret); 1517 return NULL; 1518 } 1519 1520 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)", 1521 fwname, ret); 1522 1523 /* If the correct firmware patch file is not found, use the 1524 * default firmware patch file instead 1525 */ 1526 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1527 ver->hw_platform, ver->hw_variant); 1528 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1529 bt_dev_err(hdev, "failed to open default fw file: %s", 1530 fwname); 1531 return NULL; 1532 } 1533 } 1534 1535 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname); 1536 1537 return fw; 1538 } 1539 1540 static int btintel_legacy_rom_patching(struct hci_dev *hdev, 1541 const struct firmware *fw, 1542 const u8 **fw_ptr, int *disable_patch) 1543 { 1544 struct sk_buff *skb; 1545 struct hci_command_hdr *cmd; 1546 const u8 *cmd_param; 1547 struct hci_event_hdr *evt = NULL; 1548 const u8 *evt_param = NULL; 1549 int remain = fw->size - (*fw_ptr - fw->data); 1550 1551 /* The first byte indicates the types of the patch command or event. 1552 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1553 * in the current firmware buffer doesn't start with 0x01 or 1554 * the size of remain buffer is smaller than HCI command header, 1555 * the firmware file is corrupted and it should stop the patching 1556 * process. 1557 */ 1558 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1559 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read"); 1560 return -EINVAL; 1561 } 1562 (*fw_ptr)++; 1563 remain--; 1564 1565 cmd = (struct hci_command_hdr *)(*fw_ptr); 1566 *fw_ptr += sizeof(*cmd); 1567 remain -= sizeof(*cmd); 1568 1569 /* Ensure that the remain firmware data is long enough than the length 1570 * of command parameter. If not, the firmware file is corrupted. 1571 */ 1572 if (remain < cmd->plen) { 1573 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len"); 1574 return -EFAULT; 1575 } 1576 1577 /* If there is a command that loads a patch in the firmware 1578 * file, then enable the patch upon success, otherwise just 1579 * disable the manufacturer mode, for example patch activation 1580 * is not required when the default firmware patch file is used 1581 * because there are no patch data to load. 1582 */ 1583 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1584 *disable_patch = 0; 1585 1586 cmd_param = *fw_ptr; 1587 *fw_ptr += cmd->plen; 1588 remain -= cmd->plen; 1589 1590 /* This reads the expected events when the above command is sent to the 1591 * device. Some vendor commands expects more than one events, for 1592 * example command status event followed by vendor specific event. 1593 * For this case, it only keeps the last expected event. so the command 1594 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1595 * last expected event. 1596 */ 1597 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1598 (*fw_ptr)++; 1599 remain--; 1600 1601 evt = (struct hci_event_hdr *)(*fw_ptr); 1602 *fw_ptr += sizeof(*evt); 1603 remain -= sizeof(*evt); 1604 1605 if (remain < evt->plen) { 1606 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len"); 1607 return -EFAULT; 1608 } 1609 1610 evt_param = *fw_ptr; 1611 *fw_ptr += evt->plen; 1612 remain -= evt->plen; 1613 } 1614 1615 /* Every HCI commands in the firmware file has its correspond event. 1616 * If event is not found or remain is smaller than zero, the firmware 1617 * file is corrupted. 1618 */ 1619 if (!evt || !evt_param || remain < 0) { 1620 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read"); 1621 return -EFAULT; 1622 } 1623 1624 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1625 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1626 if (IS_ERR(skb)) { 1627 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)", 1628 cmd->opcode, PTR_ERR(skb)); 1629 return PTR_ERR(skb); 1630 } 1631 1632 /* It ensures that the returned event matches the event data read from 1633 * the firmware file. At fist, it checks the length and then 1634 * the contents of the event. 1635 */ 1636 if (skb->len != evt->plen) { 1637 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)", 1638 le16_to_cpu(cmd->opcode)); 1639 kfree_skb(skb); 1640 return -EFAULT; 1641 } 1642 1643 if (memcmp(skb->data, evt_param, evt->plen)) { 1644 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)", 1645 le16_to_cpu(cmd->opcode)); 1646 kfree_skb(skb); 1647 return -EFAULT; 1648 } 1649 kfree_skb(skb); 1650 1651 return 0; 1652 } 1653 1654 static int btintel_legacy_rom_setup(struct hci_dev *hdev, 1655 struct intel_version *ver) 1656 { 1657 const struct firmware *fw; 1658 const u8 *fw_ptr; 1659 int disable_patch, err; 1660 struct intel_version new_ver; 1661 1662 BT_DBG("%s", hdev->name); 1663 1664 /* fw_patch_num indicates the version of patch the device currently 1665 * have. If there is no patch data in the device, it is always 0x00. 1666 * So, if it is other than 0x00, no need to patch the device again. 1667 */ 1668 if (ver->fw_patch_num) { 1669 bt_dev_info(hdev, 1670 "Intel device is already patched. patch num: %02x", 1671 ver->fw_patch_num); 1672 goto complete; 1673 } 1674 1675 /* Opens the firmware patch file based on the firmware version read 1676 * from the controller. If it fails to open the matching firmware 1677 * patch file, it tries to open the default firmware patch file. 1678 * If no patch file is found, allow the device to operate without 1679 * a patch. 1680 */ 1681 fw = btintel_legacy_rom_get_fw(hdev, ver); 1682 if (!fw) 1683 goto complete; 1684 fw_ptr = fw->data; 1685 1686 /* Enable the manufacturer mode of the controller. 1687 * Only while this mode is enabled, the driver can download the 1688 * firmware patch data and configuration parameters. 1689 */ 1690 err = btintel_enter_mfg(hdev); 1691 if (err) { 1692 release_firmware(fw); 1693 return err; 1694 } 1695 1696 disable_patch = 1; 1697 1698 /* The firmware data file consists of list of Intel specific HCI 1699 * commands and its expected events. The first byte indicates the 1700 * type of the message, either HCI command or HCI event. 1701 * 1702 * It reads the command and its expected event from the firmware file, 1703 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1704 * the returned event is compared with the event read from the firmware 1705 * file and it will continue until all the messages are downloaded to 1706 * the controller. 1707 * 1708 * Once the firmware patching is completed successfully, 1709 * the manufacturer mode is disabled with reset and activating the 1710 * downloaded patch. 1711 * 1712 * If the firmware patching fails, the manufacturer mode is 1713 * disabled with reset and deactivating the patch. 1714 * 1715 * If the default patch file is used, no reset is done when disabling 1716 * the manufacturer. 1717 */ 1718 while (fw->size > fw_ptr - fw->data) { 1719 int ret; 1720 1721 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr, 1722 &disable_patch); 1723 if (ret < 0) 1724 goto exit_mfg_deactivate; 1725 } 1726 1727 release_firmware(fw); 1728 1729 if (disable_patch) 1730 goto exit_mfg_disable; 1731 1732 /* Patching completed successfully and disable the manufacturer mode 1733 * with reset and activate the downloaded firmware patches. 1734 */ 1735 err = btintel_exit_mfg(hdev, true, true); 1736 if (err) 1737 return err; 1738 1739 /* Need build number for downloaded fw patches in 1740 * every power-on boot 1741 */ 1742 err = btintel_read_version(hdev, &new_ver); 1743 if (err) 1744 return err; 1745 1746 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated", 1747 new_ver.fw_patch_num); 1748 1749 goto complete; 1750 1751 exit_mfg_disable: 1752 /* Disable the manufacturer mode without reset */ 1753 err = btintel_exit_mfg(hdev, false, false); 1754 if (err) 1755 return err; 1756 1757 bt_dev_info(hdev, "Intel firmware patch completed"); 1758 1759 goto complete; 1760 1761 exit_mfg_deactivate: 1762 release_firmware(fw); 1763 1764 /* Patching failed. Disable the manufacturer mode with reset and 1765 * deactivate the downloaded firmware patches. 1766 */ 1767 err = btintel_exit_mfg(hdev, true, false); 1768 if (err) 1769 return err; 1770 1771 bt_dev_info(hdev, "Intel firmware patch completed and deactivated"); 1772 1773 complete: 1774 /* Set the event mask for Intel specific vendor events. This enables 1775 * a few extra events that are useful during general operation. 1776 */ 1777 btintel_set_event_mask_mfg(hdev, false); 1778 1779 btintel_check_bdaddr(hdev); 1780 1781 return 0; 1782 } 1783 1784 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1785 { 1786 ktime_t delta, rettime; 1787 unsigned long long duration; 1788 int err; 1789 1790 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1791 1792 bt_dev_info(hdev, "Waiting for firmware download to complete"); 1793 1794 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING, 1795 TASK_INTERRUPTIBLE, 1796 msecs_to_jiffies(msec)); 1797 if (err == -EINTR) { 1798 bt_dev_err(hdev, "Firmware loading interrupted"); 1799 return err; 1800 } 1801 1802 if (err) { 1803 bt_dev_err(hdev, "Firmware loading timeout"); 1804 return -ETIMEDOUT; 1805 } 1806 1807 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) { 1808 bt_dev_err(hdev, "Firmware loading failed"); 1809 return -ENOEXEC; 1810 } 1811 1812 rettime = ktime_get(); 1813 delta = ktime_sub(rettime, calltime); 1814 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1815 1816 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration); 1817 1818 return 0; 1819 } 1820 1821 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1822 { 1823 ktime_t delta, rettime; 1824 unsigned long long duration; 1825 int err; 1826 1827 bt_dev_info(hdev, "Waiting for device to boot"); 1828 1829 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING, 1830 TASK_INTERRUPTIBLE, 1831 msecs_to_jiffies(msec)); 1832 if (err == -EINTR) { 1833 bt_dev_err(hdev, "Device boot interrupted"); 1834 return -EINTR; 1835 } 1836 1837 if (err) { 1838 bt_dev_err(hdev, "Device boot timeout"); 1839 return -ETIMEDOUT; 1840 } 1841 1842 rettime = ktime_get(); 1843 delta = ktime_sub(rettime, calltime); 1844 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 1845 1846 bt_dev_info(hdev, "Device booted in %llu usecs", duration); 1847 1848 return 0; 1849 } 1850 1851 static int btintel_boot_wait_d0(struct hci_dev *hdev, ktime_t calltime, 1852 int msec) 1853 { 1854 ktime_t delta, rettime; 1855 unsigned long long duration; 1856 int err; 1857 1858 bt_dev_info(hdev, "Waiting for device transition to d0"); 1859 1860 err = btintel_wait_on_flag_timeout(hdev, INTEL_WAIT_FOR_D0, 1861 TASK_INTERRUPTIBLE, 1862 msecs_to_jiffies(msec)); 1863 if (err == -EINTR) { 1864 bt_dev_err(hdev, "Device d0 move interrupted"); 1865 return -EINTR; 1866 } 1867 1868 if (err) { 1869 bt_dev_err(hdev, "Device d0 move timeout"); 1870 return -ETIMEDOUT; 1871 } 1872 1873 rettime = ktime_get(); 1874 delta = ktime_sub(rettime, calltime); 1875 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1876 1877 bt_dev_info(hdev, "Device moved to D0 in %llu usecs", duration); 1878 1879 return 0; 1880 } 1881 1882 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr) 1883 { 1884 ktime_t calltime; 1885 int err; 1886 1887 calltime = ktime_get(); 1888 1889 btintel_set_flag(hdev, INTEL_BOOTING); 1890 btintel_set_flag(hdev, INTEL_WAIT_FOR_D0); 1891 1892 err = btintel_send_intel_reset(hdev, boot_addr); 1893 if (err) { 1894 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err); 1895 btintel_reset_to_bootloader(hdev); 1896 return err; 1897 } 1898 1899 /* The bootloader will not indicate when the device is ready. This 1900 * is done by the operational firmware sending bootup notification. 1901 * 1902 * Booting into operational firmware should not take longer than 1903 * 5 second. However if that happens, then just fail the setup 1904 * since something went wrong. 1905 */ 1906 err = btintel_boot_wait(hdev, calltime, 5000); 1907 if (err == -ETIMEDOUT) { 1908 btintel_reset_to_bootloader(hdev); 1909 goto exit_error; 1910 } 1911 1912 if (hdev->bus == HCI_PCI) { 1913 /* In case of PCIe, after receiving bootup event, driver performs 1914 * D0 entry by writing 0 to sleep control register (check 1915 * btintel_pcie_recv_event()) 1916 * Firmware acks with alive interrupt indicating host is full ready to 1917 * perform BT operation. Lets wait here till INTEL_WAIT_FOR_D0 1918 * bit is cleared. 1919 */ 1920 calltime = ktime_get(); 1921 err = btintel_boot_wait_d0(hdev, calltime, 2000); 1922 } 1923 1924 exit_error: 1925 return err; 1926 } 1927 1928 static int btintel_get_fw_name(struct intel_version *ver, 1929 struct intel_boot_params *params, 1930 char *fw_name, size_t len, 1931 const char *suffix) 1932 { 1933 switch (ver->hw_variant) { 1934 case 0x0b: /* SfP */ 1935 case 0x0c: /* WsP */ 1936 snprintf(fw_name, len, "intel/ibt-%u-%u.%s", 1937 ver->hw_variant, 1938 le16_to_cpu(params->dev_revid), 1939 suffix); 1940 break; 1941 case 0x11: /* JfP */ 1942 case 0x12: /* ThP */ 1943 case 0x13: /* HrP */ 1944 case 0x14: /* CcP */ 1945 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s", 1946 ver->hw_variant, 1947 ver->hw_revision, 1948 ver->fw_revision, 1949 suffix); 1950 break; 1951 default: 1952 return -EINVAL; 1953 } 1954 1955 return 0; 1956 } 1957 1958 static int btintel_download_fw(struct hci_dev *hdev, 1959 struct intel_version *ver, 1960 struct intel_boot_params *params, 1961 u32 *boot_param) 1962 { 1963 const struct firmware *fw; 1964 char fwname[64]; 1965 int err; 1966 ktime_t calltime; 1967 1968 if (!ver || !params) 1969 return -EINVAL; 1970 1971 /* The firmware variant determines if the device is in bootloader 1972 * mode or is running operational firmware. The value 0x06 identifies 1973 * the bootloader and the value 0x23 identifies the operational 1974 * firmware. 1975 * 1976 * When the operational firmware is already present, then only 1977 * the check for valid Bluetooth device address is needed. This 1978 * determines if the device will be added as configured or 1979 * unconfigured controller. 1980 * 1981 * It is not possible to use the Secure Boot Parameters in this 1982 * case since that command is only available in bootloader mode. 1983 */ 1984 if (ver->fw_variant == 0x23) { 1985 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 1986 btintel_check_bdaddr(hdev); 1987 1988 /* SfP and WsP don't seem to update the firmware version on file 1989 * so version checking is currently possible. 1990 */ 1991 switch (ver->hw_variant) { 1992 case 0x0b: /* SfP */ 1993 case 0x0c: /* WsP */ 1994 return 0; 1995 } 1996 1997 /* Proceed to download to check if the version matches */ 1998 goto download; 1999 } 2000 2001 /* Read the secure boot parameters to identify the operating 2002 * details of the bootloader. 2003 */ 2004 err = btintel_read_boot_params(hdev, params); 2005 if (err) 2006 return err; 2007 2008 /* It is required that every single firmware fragment is acknowledged 2009 * with a command complete event. If the boot parameters indicate 2010 * that this bootloader does not send them, then abort the setup. 2011 */ 2012 if (params->limited_cce != 0x00) { 2013 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)", 2014 params->limited_cce); 2015 return -EINVAL; 2016 } 2017 2018 /* If the OTP has no valid Bluetooth device address, then there will 2019 * also be no valid address for the operational firmware. 2020 */ 2021 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2022 bt_dev_info(hdev, "No device address configured"); 2023 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2024 } 2025 2026 download: 2027 /* With this Intel bootloader only the hardware variant and device 2028 * revision information are used to select the right firmware for SfP 2029 * and WsP. 2030 * 2031 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi. 2032 * 2033 * Currently the supported hardware variants are: 2034 * 11 (0x0b) for iBT3.0 (LnP/SfP) 2035 * 12 (0x0c) for iBT3.5 (WsP) 2036 * 2037 * For ThP/JfP and for future SKU's, the FW name varies based on HW 2038 * variant, HW revision and FW revision, as these are dependent on CNVi 2039 * and RF Combination. 2040 * 2041 * 17 (0x11) for iBT3.5 (JfP) 2042 * 18 (0x12) for iBT3.5 (ThP) 2043 * 2044 * The firmware file name for these will be 2045 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi. 2046 * 2047 */ 2048 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi"); 2049 if (err < 0) { 2050 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2051 /* Firmware has already been loaded */ 2052 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2053 return 0; 2054 } 2055 2056 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2057 return -EINVAL; 2058 } 2059 2060 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2061 if (err < 0) { 2062 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2063 /* Firmware has already been loaded */ 2064 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2065 return 0; 2066 } 2067 2068 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2069 fwname, err); 2070 return err; 2071 } 2072 2073 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2074 2075 if (fw->size < 644) { 2076 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2077 fw->size); 2078 err = -EBADF; 2079 goto done; 2080 } 2081 2082 calltime = ktime_get(); 2083 2084 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2085 2086 /* Start firmware downloading and get boot parameter */ 2087 err = btintel_download_firmware(hdev, ver, fw, boot_param); 2088 if (err < 0) { 2089 if (err == -EALREADY) { 2090 /* Firmware has already been loaded */ 2091 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2092 err = 0; 2093 goto done; 2094 } 2095 2096 /* When FW download fails, send Intel Reset to retry 2097 * FW download. 2098 */ 2099 btintel_reset_to_bootloader(hdev); 2100 goto done; 2101 } 2102 2103 /* Before switching the device into operational mode and with that 2104 * booting the loaded firmware, wait for the bootloader notification 2105 * that all fragments have been successfully received. 2106 * 2107 * When the event processing receives the notification, then the 2108 * INTEL_DOWNLOADING flag will be cleared. 2109 * 2110 * The firmware loading should not take longer than 5 seconds 2111 * and thus just timeout if that happens and fail the setup 2112 * of this device. 2113 */ 2114 err = btintel_download_wait(hdev, calltime, 5000); 2115 if (err == -ETIMEDOUT) 2116 btintel_reset_to_bootloader(hdev); 2117 2118 done: 2119 release_firmware(fw); 2120 return err; 2121 } 2122 2123 static int btintel_bootloader_setup(struct hci_dev *hdev, 2124 struct intel_version *ver) 2125 { 2126 struct intel_version new_ver; 2127 struct intel_boot_params params; 2128 u32 boot_param; 2129 char ddcname[64]; 2130 int err; 2131 2132 BT_DBG("%s", hdev->name); 2133 2134 /* Set the default boot parameter to 0x0 and it is updated to 2135 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2136 * command while downloading the firmware. 2137 */ 2138 boot_param = 0x00000000; 2139 2140 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2141 2142 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param); 2143 if (err) 2144 return err; 2145 2146 /* controller is already having an operational firmware */ 2147 if (ver->fw_variant == 0x23) 2148 goto finish; 2149 2150 err = btintel_boot(hdev, boot_param); 2151 if (err) 2152 return err; 2153 2154 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2155 2156 err = btintel_get_fw_name(ver, ¶ms, ddcname, 2157 sizeof(ddcname), "ddc"); 2158 2159 if (err < 0) { 2160 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2161 } else { 2162 /* Once the device is running in operational mode, it needs to 2163 * apply the device configuration (DDC) parameters. 2164 * 2165 * The device can work without DDC parameters, so even if it 2166 * fails to load the file, no need to fail the setup. 2167 */ 2168 btintel_load_ddc_config(hdev, ddcname); 2169 } 2170 2171 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2172 2173 /* Read the Intel version information after loading the FW */ 2174 err = btintel_read_version(hdev, &new_ver); 2175 if (err) 2176 return err; 2177 2178 btintel_version_info(hdev, &new_ver); 2179 2180 finish: 2181 /* Set the event mask for Intel specific vendor events. This enables 2182 * a few extra events that are useful during general operation. It 2183 * does not enable any debugging related events. 2184 * 2185 * The device will function correctly without these events enabled 2186 * and thus no need to fail the setup. 2187 */ 2188 btintel_set_event_mask(hdev, false); 2189 2190 return 0; 2191 } 2192 2193 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver, 2194 char *fw_name, size_t len, 2195 const char *suffix) 2196 { 2197 const char *format; 2198 u32 cnvi, cnvr; 2199 2200 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2201 INTEL_CNVX_TOP_STEP(ver->cnvi_top)); 2202 2203 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2204 INTEL_CNVX_TOP_STEP(ver->cnvr_top)); 2205 2206 /* Only Blazar product supports downloading of intermediate loader 2207 * image 2208 */ 2209 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) { 2210 u8 zero[BTINTEL_FWID_MAXLEN]; 2211 2212 if (ver->img_type == BTINTEL_IMG_BOOTLOADER) { 2213 format = "intel/ibt-%04x-%04x-iml.%s"; 2214 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2215 return; 2216 } 2217 2218 memset(zero, 0, sizeof(zero)); 2219 2220 /* ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step-fw_id> */ 2221 if (memcmp(ver->fw_id, zero, sizeof(zero))) { 2222 format = "intel/ibt-%04x-%04x-%s.%s"; 2223 snprintf(fw_name, len, format, cnvi, cnvr, 2224 ver->fw_id, suffix); 2225 return; 2226 } 2227 /* If firmware id is not present, fallback to legacy naming 2228 * convention 2229 */ 2230 } 2231 /* Fallback to legacy naming convention for other controllers 2232 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step> 2233 */ 2234 format = "intel/ibt-%04x-%04x.%s"; 2235 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2236 } 2237 2238 static void btintel_get_iml_tlv(const struct intel_version_tlv *ver, 2239 char *fw_name, size_t len, 2240 const char *suffix) 2241 { 2242 const char *format; 2243 u32 cnvi, cnvr; 2244 2245 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2246 INTEL_CNVX_TOP_STEP(ver->cnvi_top)); 2247 2248 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2249 INTEL_CNVX_TOP_STEP(ver->cnvr_top)); 2250 2251 format = "intel/ibt-%04x-%04x-iml.%s"; 2252 snprintf(fw_name, len, format, cnvi, cnvr, suffix); 2253 } 2254 2255 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev, 2256 struct intel_version_tlv *ver, 2257 u32 *boot_param) 2258 { 2259 const struct firmware *fw; 2260 char fwname[128]; 2261 int err; 2262 ktime_t calltime; 2263 2264 if (!ver || !boot_param) 2265 return -EINVAL; 2266 2267 /* The firmware variant determines if the device is in bootloader 2268 * mode or is running operational firmware. The value 0x03 identifies 2269 * the bootloader and the value 0x23 identifies the operational 2270 * firmware. 2271 * 2272 * When the operational firmware is already present, then only 2273 * the check for valid Bluetooth device address is needed. This 2274 * determines if the device will be added as configured or 2275 * unconfigured controller. 2276 * 2277 * It is not possible to use the Secure Boot Parameters in this 2278 * case since that command is only available in bootloader mode. 2279 */ 2280 if (ver->img_type == BTINTEL_IMG_OP) { 2281 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2282 btintel_check_bdaddr(hdev); 2283 } else { 2284 /* 2285 * Check for valid bd address in boot loader mode. Device 2286 * will be marked as unconfigured if empty bd address is 2287 * found. 2288 */ 2289 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) { 2290 bt_dev_info(hdev, "No device address configured"); 2291 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2292 } 2293 } 2294 2295 if (ver->img_type == BTINTEL_IMG_OP) { 2296 /* Controller running OP image. In case of FW downgrade, 2297 * FWID TLV may not be present and driver may attempt to load 2298 * firmware image which doesn't exist. Lets compare the version 2299 * of IML image 2300 */ 2301 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) 2302 btintel_get_iml_tlv(ver, fwname, sizeof(fwname), "sfi"); 2303 else 2304 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2305 } else { 2306 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2307 } 2308 2309 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2310 if (err < 0) { 2311 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2312 /* Firmware has already been loaded */ 2313 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2314 return 0; 2315 } 2316 2317 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2318 fwname, err); 2319 2320 return err; 2321 } 2322 2323 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2324 2325 if (fw->size < 644) { 2326 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2327 fw->size); 2328 err = -EBADF; 2329 goto done; 2330 } 2331 2332 calltime = ktime_get(); 2333 2334 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2335 2336 /* Start firmware downloading and get boot parameter */ 2337 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param, 2338 INTEL_HW_VARIANT(ver->cnvi_bt), 2339 ver->sbe_type); 2340 if (err < 0) { 2341 if (err == -EALREADY) { 2342 /* Firmware has already been loaded */ 2343 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2344 err = 0; 2345 goto done; 2346 } 2347 2348 /* When FW download fails, send Intel Reset to retry 2349 * FW download. 2350 */ 2351 btintel_reset_to_bootloader(hdev); 2352 goto done; 2353 } 2354 2355 /* Before switching the device into operational mode and with that 2356 * booting the loaded firmware, wait for the bootloader notification 2357 * that all fragments have been successfully received. 2358 * 2359 * When the event processing receives the notification, then the 2360 * BTUSB_DOWNLOADING flag will be cleared. 2361 * 2362 * The firmware loading should not take longer than 5 seconds 2363 * and thus just timeout if that happens and fail the setup 2364 * of this device. 2365 */ 2366 err = btintel_download_wait(hdev, calltime, 5000); 2367 if (err == -ETIMEDOUT) 2368 btintel_reset_to_bootloader(hdev); 2369 2370 done: 2371 release_firmware(fw); 2372 return err; 2373 } 2374 2375 static int btintel_get_codec_config_data(struct hci_dev *hdev, 2376 __u8 link, struct bt_codec *codec, 2377 __u8 *ven_len, __u8 **ven_data) 2378 { 2379 int err = 0; 2380 2381 if (!ven_data || !ven_len) 2382 return -EINVAL; 2383 2384 *ven_len = 0; 2385 *ven_data = NULL; 2386 2387 if (link != ESCO_LINK) { 2388 bt_dev_err(hdev, "Invalid link type(%u)", link); 2389 return -EINVAL; 2390 } 2391 2392 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL); 2393 if (!*ven_data) { 2394 err = -ENOMEM; 2395 goto error; 2396 } 2397 2398 /* supports only CVSD and mSBC offload codecs */ 2399 switch (codec->id) { 2400 case 0x02: 2401 **ven_data = 0x00; 2402 break; 2403 case 0x05: 2404 **ven_data = 0x01; 2405 break; 2406 default: 2407 err = -EINVAL; 2408 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id); 2409 goto error; 2410 } 2411 /* codec and its capabilities are pre-defined to ids 2412 * preset id = 0x00 represents CVSD codec with sampling rate 8K 2413 * preset id = 0x01 represents mSBC codec with sampling rate 16K 2414 */ 2415 *ven_len = sizeof(__u8); 2416 return err; 2417 2418 error: 2419 kfree(*ven_data); 2420 *ven_data = NULL; 2421 return err; 2422 } 2423 2424 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id) 2425 { 2426 /* Intel uses 1 as data path id for all the usecases */ 2427 *data_path_id = 1; 2428 return 0; 2429 } 2430 2431 static int btintel_configure_offload(struct hci_dev *hdev) 2432 { 2433 struct sk_buff *skb; 2434 int err = 0; 2435 struct intel_offload_use_cases *use_cases; 2436 2437 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT); 2438 if (IS_ERR(skb)) { 2439 bt_dev_err(hdev, "Reading offload use cases failed (%ld)", 2440 PTR_ERR(skb)); 2441 return PTR_ERR(skb); 2442 } 2443 2444 if (skb->len < sizeof(*use_cases)) { 2445 err = -EIO; 2446 goto error; 2447 } 2448 2449 use_cases = (void *)skb->data; 2450 2451 if (use_cases->status) { 2452 err = -bt_to_errno(skb->data[0]); 2453 goto error; 2454 } 2455 2456 if (use_cases->preset[0] & 0x03) { 2457 hdev->get_data_path_id = btintel_get_data_path_id; 2458 hdev->get_codec_config_data = btintel_get_codec_config_data; 2459 } 2460 error: 2461 kfree_skb(skb); 2462 return err; 2463 } 2464 2465 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver) 2466 { 2467 struct sk_buff *skb; 2468 struct hci_ppag_enable_cmd ppag_cmd; 2469 acpi_handle handle; 2470 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; 2471 union acpi_object *p, *elements; 2472 u32 domain, mode; 2473 acpi_status status; 2474 2475 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */ 2476 switch (ver->cnvr_top & 0xFFF) { 2477 case 0x504: /* Hrp2 */ 2478 case 0x202: /* Jfp2 */ 2479 case 0x201: /* Jfp1 */ 2480 bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)", 2481 ver->cnvr_top & 0xFFF); 2482 return; 2483 } 2484 2485 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2486 if (!handle) { 2487 bt_dev_info(hdev, "No support for BT device in ACPI firmware"); 2488 return; 2489 } 2490 2491 status = acpi_evaluate_object(handle, "PPAG", NULL, &buffer); 2492 if (ACPI_FAILURE(status)) { 2493 if (status == AE_NOT_FOUND) { 2494 bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found"); 2495 return; 2496 } 2497 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 2498 return; 2499 } 2500 2501 p = buffer.pointer; 2502 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) { 2503 bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d", 2504 p->type, p->package.count); 2505 kfree(buffer.pointer); 2506 return; 2507 } 2508 2509 elements = p->package.elements; 2510 2511 /* PPAG table is located at element[1] */ 2512 p = &elements[1]; 2513 2514 domain = (u32)p->package.elements[0].integer.value; 2515 mode = (u32)p->package.elements[1].integer.value; 2516 kfree(buffer.pointer); 2517 2518 if (domain != 0x12) { 2519 bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware"); 2520 return; 2521 } 2522 2523 /* PPAG mode 2524 * BIT 0 : 0 Disabled in EU 2525 * 1 Enabled in EU 2526 * BIT 1 : 0 Disabled in China 2527 * 1 Enabled in China 2528 */ 2529 mode &= 0x03; 2530 2531 if (!mode) { 2532 bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in BIOS"); 2533 return; 2534 } 2535 2536 ppag_cmd.ppag_enable_flags = cpu_to_le32(mode); 2537 2538 skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd), 2539 &ppag_cmd, HCI_CMD_TIMEOUT); 2540 if (IS_ERR(skb)) { 2541 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb)); 2542 return; 2543 } 2544 bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", mode); 2545 kfree_skb(skb); 2546 } 2547 2548 static int btintel_acpi_reset_method(struct hci_dev *hdev) 2549 { 2550 int ret = 0; 2551 acpi_status status; 2552 union acpi_object *p, *ref; 2553 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; 2554 2555 status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer); 2556 if (ACPI_FAILURE(status)) { 2557 bt_dev_err(hdev, "Failed to run _PRR method"); 2558 ret = -ENODEV; 2559 return ret; 2560 } 2561 p = buffer.pointer; 2562 2563 if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) { 2564 bt_dev_err(hdev, "Invalid arguments"); 2565 ret = -EINVAL; 2566 goto exit_on_error; 2567 } 2568 2569 ref = &p->package.elements[0]; 2570 if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) { 2571 bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type); 2572 ret = -EINVAL; 2573 goto exit_on_error; 2574 } 2575 2576 status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL); 2577 if (ACPI_FAILURE(status)) { 2578 bt_dev_err(hdev, "Failed to run_RST method"); 2579 ret = -ENODEV; 2580 goto exit_on_error; 2581 } 2582 2583 exit_on_error: 2584 kfree(buffer.pointer); 2585 return ret; 2586 } 2587 2588 static void btintel_set_dsm_reset_method(struct hci_dev *hdev, 2589 struct intel_version_tlv *ver_tlv) 2590 { 2591 struct btintel_data *data = hci_get_priv(hdev); 2592 acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2593 u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00}; 2594 union acpi_object *obj, argv4; 2595 enum { 2596 RESET_TYPE_WDISABLE2, 2597 RESET_TYPE_VSEC 2598 }; 2599 2600 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2601 2602 if (!handle) { 2603 bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware"); 2604 return; 2605 } 2606 2607 if (!acpi_has_method(handle, "_PRR")) { 2608 bt_dev_err(hdev, "No support for _PRR ACPI method"); 2609 return; 2610 } 2611 2612 switch (ver_tlv->cnvi_top & 0xfff) { 2613 case 0x910: /* GalePeak2 */ 2614 reset_payload[2] = RESET_TYPE_VSEC; 2615 break; 2616 default: 2617 /* WDISABLE2 is the default reset method */ 2618 reset_payload[2] = RESET_TYPE_WDISABLE2; 2619 2620 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2621 BIT(DSM_SET_WDISABLE2_DELAY))) { 2622 bt_dev_err(hdev, "No dsm support to set reset delay"); 2623 return; 2624 } 2625 argv4.integer.type = ACPI_TYPE_INTEGER; 2626 /* delay required to toggle BT power */ 2627 argv4.integer.value = 160; 2628 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2629 DSM_SET_WDISABLE2_DELAY, &argv4); 2630 if (!obj) { 2631 bt_dev_err(hdev, "Failed to call dsm to set reset delay"); 2632 return; 2633 } 2634 ACPI_FREE(obj); 2635 } 2636 2637 bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]); 2638 2639 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2640 DSM_SET_RESET_METHOD)) { 2641 bt_dev_warn(hdev, "No support for dsm to set reset method"); 2642 return; 2643 } 2644 argv4.buffer.type = ACPI_TYPE_BUFFER; 2645 argv4.buffer.length = sizeof(reset_payload); 2646 argv4.buffer.pointer = reset_payload; 2647 2648 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2649 DSM_SET_RESET_METHOD, &argv4); 2650 if (!obj) { 2651 bt_dev_err(hdev, "Failed to call dsm to set reset method"); 2652 return; 2653 } 2654 ACPI_FREE(obj); 2655 data->acpi_reset_method = btintel_acpi_reset_method; 2656 } 2657 2658 #define BTINTEL_ISODATA_HANDLE_BASE 0x900 2659 2660 static u8 btintel_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb) 2661 { 2662 /* 2663 * Distinguish ISO data packets form ACL data packets 2664 * based on their connection handle value range. 2665 */ 2666 if (hci_skb_pkt_type(skb) == HCI_ACLDATA_PKT) { 2667 __u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle); 2668 2669 if (hci_handle(handle) >= BTINTEL_ISODATA_HANDLE_BASE) 2670 return HCI_ISODATA_PKT; 2671 } 2672 2673 return hci_skb_pkt_type(skb); 2674 } 2675 2676 /* 2677 * UefiCnvCommonDSBR UEFI variable provides information from the OEM platforms 2678 * if they have replaced the BRI (Bluetooth Radio Interface) resistor to 2679 * overcome the potential STEP errors on their designs. Based on the 2680 * configauration, bluetooth firmware shall adjust the BRI response line drive 2681 * strength. The below structure represents DSBR data. 2682 * struct { 2683 * u8 header; 2684 * u32 dsbr; 2685 * } __packed; 2686 * 2687 * header - defines revision number of the structure 2688 * dsbr - defines drive strength BRI response 2689 * bit0 2690 * 0 - instructs bluetooth firmware to use default values 2691 * 1 - instructs bluetooth firmware to override default values 2692 * bit3:1 2693 * Reserved 2694 * bit7:4 2695 * DSBR override values (only if bit0 is set. Default value is 0xF 2696 * bit31:7 2697 * Reserved 2698 * Expected values for dsbr field: 2699 * 1. 0xF1 - indicates that the resistor on board is 33 Ohm 2700 * 2. 0x00 or 0xB1 - indicates that the resistor on board is 10 Ohm 2701 * 3. Non existing UEFI variable or invalid (none of the above) - indicates 2702 * that the resistor on board is 10 Ohm 2703 * Even if uefi variable is not present, driver shall send 0xfc0a command to 2704 * firmware to use default values. 2705 * 2706 */ 2707 static int btintel_uefi_get_dsbr(u32 *dsbr_var) 2708 { 2709 struct btintel_dsbr { 2710 u8 header; 2711 u32 dsbr; 2712 } __packed data; 2713 2714 efi_status_t status; 2715 unsigned long data_size = 0; 2716 efi_guid_t guid = EFI_GUID(0xe65d8884, 0xd4af, 0x4b20, 0x8d, 0x03, 2717 0x77, 0x2e, 0xcc, 0x3d, 0xa5, 0x31); 2718 2719 if (!IS_ENABLED(CONFIG_EFI)) 2720 return -EOPNOTSUPP; 2721 2722 if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) 2723 return -EOPNOTSUPP; 2724 2725 status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size, 2726 NULL); 2727 2728 if (status != EFI_BUFFER_TOO_SMALL || !data_size) 2729 return -EIO; 2730 2731 status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size, 2732 &data); 2733 2734 if (status != EFI_SUCCESS) 2735 return -ENXIO; 2736 2737 *dsbr_var = data.dsbr; 2738 return 0; 2739 } 2740 2741 static int btintel_set_dsbr(struct hci_dev *hdev, struct intel_version_tlv *ver) 2742 { 2743 struct btintel_dsbr_cmd { 2744 u8 enable; 2745 u8 dsbr; 2746 } __packed; 2747 2748 struct btintel_dsbr_cmd cmd; 2749 struct sk_buff *skb; 2750 u32 dsbr, cnvi; 2751 u8 status; 2752 int err; 2753 2754 cnvi = ver->cnvi_top & 0xfff; 2755 /* DSBR command needs to be sent for, 2756 * 1. BlazarI or BlazarIW + B0 step product in IML image. 2757 * 2. Gale Peak2 or BlazarU in OP image. 2758 */ 2759 2760 switch (cnvi) { 2761 case BTINTEL_CNVI_BLAZARI: 2762 case BTINTEL_CNVI_BLAZARIW: 2763 if (ver->img_type == BTINTEL_IMG_IML && 2764 INTEL_CNVX_TOP_STEP(ver->cnvi_top) == 0x01) 2765 break; 2766 return 0; 2767 case BTINTEL_CNVI_GAP: 2768 case BTINTEL_CNVI_BLAZARU: 2769 if (ver->img_type == BTINTEL_IMG_OP && 2770 hdev->bus == HCI_USB) 2771 break; 2772 return 0; 2773 default: 2774 return 0; 2775 } 2776 2777 dsbr = 0; 2778 err = btintel_uefi_get_dsbr(&dsbr); 2779 if (err < 0) 2780 bt_dev_dbg(hdev, "Error reading efi: %ls (%d)", 2781 BTINTEL_EFI_DSBR, err); 2782 2783 cmd.enable = dsbr & BIT(0); 2784 cmd.dsbr = dsbr >> 4 & 0xF; 2785 2786 bt_dev_info(hdev, "dsbr: enable: 0x%2.2x value: 0x%2.2x", cmd.enable, 2787 cmd.dsbr); 2788 2789 skb = __hci_cmd_sync(hdev, 0xfc0a, sizeof(cmd), &cmd, HCI_CMD_TIMEOUT); 2790 if (IS_ERR(skb)) 2791 return -bt_to_errno(PTR_ERR(skb)); 2792 2793 status = skb->data[0]; 2794 kfree_skb(skb); 2795 2796 if (status) 2797 return -bt_to_errno(status); 2798 2799 return 0; 2800 } 2801 2802 int btintel_bootloader_setup_tlv(struct hci_dev *hdev, 2803 struct intel_version_tlv *ver) 2804 { 2805 u32 boot_param; 2806 char ddcname[64]; 2807 int err; 2808 struct intel_version_tlv new_ver; 2809 2810 bt_dev_dbg(hdev, ""); 2811 2812 /* Set the default boot parameter to 0x0 and it is updated to 2813 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2814 * command while downloading the firmware. 2815 */ 2816 boot_param = 0x00000000; 2817 2818 /* In case of PCIe, this function might get called multiple times with 2819 * same hdev instance if there is any error on firmware download. 2820 * Need to clear stale bits of previous firmware download attempt. 2821 */ 2822 for (int i = 0; i < __INTEL_NUM_FLAGS; i++) 2823 btintel_clear_flag(hdev, i); 2824 2825 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2826 2827 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2828 if (err) 2829 return err; 2830 2831 /* check if controller is already having an operational firmware */ 2832 if (ver->img_type == BTINTEL_IMG_OP) 2833 goto finish; 2834 2835 err = btintel_boot(hdev, boot_param); 2836 if (err) 2837 return err; 2838 2839 err = btintel_read_version_tlv(hdev, ver); 2840 if (err) 2841 return err; 2842 2843 /* set drive strength of BRI response */ 2844 err = btintel_set_dsbr(hdev, ver); 2845 if (err) { 2846 bt_dev_err(hdev, "Failed to send dsbr command (%d)", err); 2847 return err; 2848 } 2849 2850 /* If image type returned is BTINTEL_IMG_IML, then controller supports 2851 * intermediate loader image 2852 */ 2853 if (ver->img_type == BTINTEL_IMG_IML) { 2854 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2855 if (err) 2856 return err; 2857 2858 err = btintel_boot(hdev, boot_param); 2859 if (err) 2860 return err; 2861 } 2862 2863 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2864 2865 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc"); 2866 /* Once the device is running in operational mode, it needs to 2867 * apply the device configuration (DDC) parameters. 2868 * 2869 * The device can work without DDC parameters, so even if it 2870 * fails to load the file, no need to fail the setup. 2871 */ 2872 btintel_load_ddc_config(hdev, ddcname); 2873 2874 /* Read supported use cases and set callbacks to fetch datapath id */ 2875 btintel_configure_offload(hdev); 2876 2877 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2878 2879 /* Set PPAG feature */ 2880 btintel_set_ppag(hdev, ver); 2881 2882 /* Read the Intel version information after loading the FW */ 2883 err = btintel_read_version_tlv(hdev, &new_ver); 2884 if (err) 2885 return err; 2886 2887 btintel_version_info_tlv(hdev, &new_ver); 2888 2889 finish: 2890 /* Set the event mask for Intel specific vendor events. This enables 2891 * a few extra events that are useful during general operation. It 2892 * does not enable any debugging related events. 2893 * 2894 * The device will function correctly without these events enabled 2895 * and thus no need to fail the setup. 2896 */ 2897 btintel_set_event_mask(hdev, false); 2898 2899 return 0; 2900 } 2901 EXPORT_SYMBOL_GPL(btintel_bootloader_setup_tlv); 2902 2903 void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant) 2904 { 2905 switch (hw_variant) { 2906 /* Legacy bootloader devices that supports MSFT Extension */ 2907 case 0x11: /* JfP */ 2908 case 0x12: /* ThP */ 2909 case 0x13: /* HrP */ 2910 case 0x14: /* CcP */ 2911 /* All Intel new generation controllers support the Microsoft vendor 2912 * extension are using 0xFC1E for VsMsftOpCode. 2913 */ 2914 case 0x17: 2915 case 0x18: 2916 case 0x19: 2917 case 0x1b: 2918 case 0x1c: 2919 case 0x1d: 2920 case 0x1e: 2921 hci_set_msft_opcode(hdev, 0xFC1E); 2922 break; 2923 default: 2924 /* Not supported */ 2925 break; 2926 } 2927 } 2928 EXPORT_SYMBOL_GPL(btintel_set_msft_opcode); 2929 2930 void btintel_print_fseq_info(struct hci_dev *hdev) 2931 { 2932 struct sk_buff *skb; 2933 u8 *p; 2934 u32 val; 2935 const char *str; 2936 2937 skb = __hci_cmd_sync(hdev, 0xfcb3, 0, NULL, HCI_CMD_TIMEOUT); 2938 if (IS_ERR(skb)) { 2939 bt_dev_dbg(hdev, "Reading fseq status command failed (%ld)", 2940 PTR_ERR(skb)); 2941 return; 2942 } 2943 2944 if (skb->len < (sizeof(u32) * 16 + 2)) { 2945 bt_dev_dbg(hdev, "Malformed packet of length %u received", 2946 skb->len); 2947 kfree_skb(skb); 2948 return; 2949 } 2950 2951 p = skb_pull_data(skb, 1); 2952 if (*p) { 2953 bt_dev_dbg(hdev, "Failed to get fseq status (0x%2.2x)", *p); 2954 kfree_skb(skb); 2955 return; 2956 } 2957 2958 p = skb_pull_data(skb, 1); 2959 switch (*p) { 2960 case 0: 2961 str = "Success"; 2962 break; 2963 case 1: 2964 str = "Fatal error"; 2965 break; 2966 case 2: 2967 str = "Semaphore acquire error"; 2968 break; 2969 default: 2970 str = "Unknown error"; 2971 break; 2972 } 2973 2974 if (*p) { 2975 bt_dev_err(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2976 kfree_skb(skb); 2977 return; 2978 } 2979 2980 bt_dev_info(hdev, "Fseq status: %s (0x%2.2x)", str, *p); 2981 2982 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2983 bt_dev_dbg(hdev, "Reason: 0x%8.8x", val); 2984 2985 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2986 bt_dev_dbg(hdev, "Global version: 0x%8.8x", val); 2987 2988 val = get_unaligned_le32(skb_pull_data(skb, 4)); 2989 bt_dev_dbg(hdev, "Installed version: 0x%8.8x", val); 2990 2991 p = skb->data; 2992 skb_pull_data(skb, 4); 2993 bt_dev_info(hdev, "Fseq executed: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 2994 p[2], p[3]); 2995 2996 p = skb->data; 2997 skb_pull_data(skb, 4); 2998 bt_dev_info(hdev, "Fseq BT Top: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1], 2999 p[2], p[3]); 3000 3001 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3002 bt_dev_dbg(hdev, "Fseq Top init version: 0x%8.8x", val); 3003 3004 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3005 bt_dev_dbg(hdev, "Fseq Cnvio init version: 0x%8.8x", val); 3006 3007 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3008 bt_dev_dbg(hdev, "Fseq MBX Wifi file version: 0x%8.8x", val); 3009 3010 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3011 bt_dev_dbg(hdev, "Fseq BT version: 0x%8.8x", val); 3012 3013 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3014 bt_dev_dbg(hdev, "Fseq Top reset address: 0x%8.8x", val); 3015 3016 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3017 bt_dev_dbg(hdev, "Fseq MBX timeout: 0x%8.8x", val); 3018 3019 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3020 bt_dev_dbg(hdev, "Fseq MBX ack: 0x%8.8x", val); 3021 3022 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3023 bt_dev_dbg(hdev, "Fseq CNVi id: 0x%8.8x", val); 3024 3025 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3026 bt_dev_dbg(hdev, "Fseq CNVr id: 0x%8.8x", val); 3027 3028 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3029 bt_dev_dbg(hdev, "Fseq Error handle: 0x%8.8x", val); 3030 3031 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3032 bt_dev_dbg(hdev, "Fseq Magic noalive indication: 0x%8.8x", val); 3033 3034 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3035 bt_dev_dbg(hdev, "Fseq OTP version: 0x%8.8x", val); 3036 3037 val = get_unaligned_le32(skb_pull_data(skb, 4)); 3038 bt_dev_dbg(hdev, "Fseq MBX otp version: 0x%8.8x", val); 3039 3040 kfree_skb(skb); 3041 } 3042 EXPORT_SYMBOL_GPL(btintel_print_fseq_info); 3043 3044 static int btintel_setup_combined(struct hci_dev *hdev) 3045 { 3046 const u8 param[1] = { 0xFF }; 3047 struct intel_version ver; 3048 struct intel_version_tlv ver_tlv; 3049 struct sk_buff *skb; 3050 int err; 3051 3052 BT_DBG("%s", hdev->name); 3053 3054 /* The some controllers have a bug with the first HCI command sent to it 3055 * returning number of completed commands as zero. This would stall the 3056 * command processing in the Bluetooth core. 3057 * 3058 * As a workaround, send HCI Reset command first which will reset the 3059 * number of completed commands and allow normal command processing 3060 * from now on. 3061 * 3062 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe 3063 * in the SW_RFKILL ON state as a workaround of fixing LED issue during 3064 * the shutdown() procedure, and once the device is in SW_RFKILL ON 3065 * state, the only way to exit out of it is sending the HCI_Reset 3066 * command. 3067 */ 3068 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) || 3069 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 3070 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, 3071 HCI_INIT_TIMEOUT); 3072 if (IS_ERR(skb)) { 3073 bt_dev_err(hdev, 3074 "sending initial HCI reset failed (%ld)", 3075 PTR_ERR(skb)); 3076 return PTR_ERR(skb); 3077 } 3078 kfree_skb(skb); 3079 } 3080 3081 /* Starting from TyP device, the command parameter and response are 3082 * changed even though the OCF for HCI_Intel_Read_Version command 3083 * remains same. The legacy devices can handle even if the 3084 * command has a parameter and returns a correct version information. 3085 * So, it uses new format to support both legacy and new format. 3086 */ 3087 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 3088 if (IS_ERR(skb)) { 3089 bt_dev_err(hdev, "Reading Intel version command failed (%ld)", 3090 PTR_ERR(skb)); 3091 return PTR_ERR(skb); 3092 } 3093 3094 /* Check the status */ 3095 if (skb->data[0]) { 3096 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 3097 skb->data[0]); 3098 err = -EIO; 3099 goto exit_error; 3100 } 3101 3102 /* Apply the common HCI quirks for Intel device */ 3103 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 3104 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 3105 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks); 3106 3107 /* Set up the quality report callback for Intel devices */ 3108 hdev->set_quality_report = btintel_set_quality_report; 3109 3110 /* For Legacy device, check the HW platform value and size */ 3111 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) { 3112 bt_dev_dbg(hdev, "Read the legacy Intel version information"); 3113 3114 memcpy(&ver, skb->data, sizeof(ver)); 3115 3116 /* Display version information */ 3117 btintel_version_info(hdev, &ver); 3118 3119 /* Check for supported iBT hardware variants of this firmware 3120 * loading method. 3121 * 3122 * This check has been put in place to ensure correct forward 3123 * compatibility options when newer hardware variants come 3124 * along. 3125 */ 3126 switch (ver.hw_variant) { 3127 case 0x07: /* WP */ 3128 case 0x08: /* StP */ 3129 /* Legacy ROM product */ 3130 btintel_set_flag(hdev, INTEL_ROM_LEGACY); 3131 3132 /* Apply the device specific HCI quirks 3133 * 3134 * WBS for SdP - For the Legacy ROM products, only SdP 3135 * supports the WBS. But the version information is not 3136 * enough to use here because the StP2 and SdP have same 3137 * hw_variant and fw_variant. So, this flag is set by 3138 * the transport driver (btusb) based on the HW info 3139 * (idProduct) 3140 */ 3141 if (!btintel_test_flag(hdev, 3142 INTEL_ROM_LEGACY_NO_WBS_SUPPORT)) 3143 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 3144 &hdev->quirks); 3145 3146 err = btintel_legacy_rom_setup(hdev, &ver); 3147 break; 3148 case 0x0b: /* SfP */ 3149 case 0x11: /* JfP */ 3150 case 0x12: /* ThP */ 3151 case 0x13: /* HrP */ 3152 case 0x14: /* CcP */ 3153 fallthrough; 3154 case 0x0c: /* WsP */ 3155 /* Apply the device specific HCI quirks 3156 * 3157 * All Legacy bootloader devices support WBS 3158 */ 3159 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 3160 &hdev->quirks); 3161 3162 /* These variants don't seem to support LE Coded PHY */ 3163 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 3164 3165 /* Setup MSFT Extension support */ 3166 btintel_set_msft_opcode(hdev, ver.hw_variant); 3167 3168 err = btintel_bootloader_setup(hdev, &ver); 3169 btintel_register_devcoredump_support(hdev); 3170 break; 3171 default: 3172 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3173 ver.hw_variant); 3174 err = -EINVAL; 3175 } 3176 3177 hci_set_hw_info(hdev, 3178 "INTEL platform=%u variant=%u revision=%u", 3179 ver.hw_platform, ver.hw_variant, 3180 ver.hw_revision); 3181 3182 goto exit_error; 3183 } 3184 3185 /* memset ver_tlv to start with clean state as few fields are exclusive 3186 * to bootloader mode and are not populated in operational mode 3187 */ 3188 memset(&ver_tlv, 0, sizeof(ver_tlv)); 3189 /* For TLV type device, parse the tlv data */ 3190 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb); 3191 if (err) { 3192 bt_dev_err(hdev, "Failed to parse TLV version information"); 3193 goto exit_error; 3194 } 3195 3196 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) { 3197 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 3198 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt)); 3199 err = -EINVAL; 3200 goto exit_error; 3201 } 3202 3203 /* Check for supported iBT hardware variants of this firmware 3204 * loading method. 3205 * 3206 * This check has been put in place to ensure correct forward 3207 * compatibility options when newer hardware variants come 3208 * along. 3209 */ 3210 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) { 3211 case 0x11: /* JfP */ 3212 case 0x12: /* ThP */ 3213 case 0x13: /* HrP */ 3214 case 0x14: /* CcP */ 3215 /* Some legacy bootloader devices starting from JfP, 3216 * the operational firmware supports both old and TLV based 3217 * HCI_Intel_Read_Version command based on the command 3218 * parameter. 3219 * 3220 * For upgrading firmware case, the TLV based version cannot 3221 * be used because the firmware filename for legacy bootloader 3222 * is based on the old format. 3223 * 3224 * Also, it is not easy to convert TLV based version from the 3225 * legacy version format. 3226 * 3227 * So, as a workaround for those devices, use the legacy 3228 * HCI_Intel_Read_Version to get the version information and 3229 * run the legacy bootloader setup. 3230 */ 3231 err = btintel_read_version(hdev, &ver); 3232 if (err) 3233 break; 3234 3235 /* Apply the device specific HCI quirks 3236 * 3237 * All Legacy bootloader devices support WBS 3238 */ 3239 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 3240 3241 /* These variants don't seem to support LE Coded PHY */ 3242 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 3243 3244 /* Setup MSFT Extension support */ 3245 btintel_set_msft_opcode(hdev, ver.hw_variant); 3246 3247 err = btintel_bootloader_setup(hdev, &ver); 3248 btintel_register_devcoredump_support(hdev); 3249 break; 3250 case 0x18: /* GfP2 */ 3251 case 0x1c: /* GaP */ 3252 /* Re-classify packet type for controllers with LE audio */ 3253 hdev->classify_pkt_type = btintel_classify_pkt_type; 3254 fallthrough; 3255 case 0x17: 3256 case 0x19: 3257 case 0x1b: 3258 case 0x1d: 3259 case 0x1e: 3260 /* Display version information of TLV type */ 3261 btintel_version_info_tlv(hdev, &ver_tlv); 3262 3263 /* Apply the device specific HCI quirks for TLV based devices 3264 * 3265 * All TLV based devices support WBS 3266 */ 3267 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 3268 3269 /* Setup MSFT Extension support */ 3270 btintel_set_msft_opcode(hdev, 3271 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3272 btintel_set_dsm_reset_method(hdev, &ver_tlv); 3273 3274 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv); 3275 if (err) 3276 goto exit_error; 3277 3278 btintel_register_devcoredump_support(hdev); 3279 btintel_print_fseq_info(hdev); 3280 break; 3281 default: 3282 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 3283 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3284 err = -EINVAL; 3285 break; 3286 } 3287 3288 hci_set_hw_info(hdev, "INTEL platform=%u variant=%u", 3289 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt), 3290 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 3291 3292 exit_error: 3293 kfree_skb(skb); 3294 3295 return err; 3296 } 3297 3298 int btintel_shutdown_combined(struct hci_dev *hdev) 3299 { 3300 struct sk_buff *skb; 3301 int ret; 3302 3303 /* Send HCI Reset to the controller to stop any BT activity which 3304 * were triggered. This will help to save power and maintain the 3305 * sync b/w Host and controller 3306 */ 3307 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 3308 if (IS_ERR(skb)) { 3309 bt_dev_err(hdev, "HCI reset during shutdown failed"); 3310 return PTR_ERR(skb); 3311 } 3312 kfree_skb(skb); 3313 3314 3315 /* Some platforms have an issue with BT LED when the interface is 3316 * down or BT radio is turned off, which takes 5 seconds to BT LED 3317 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the 3318 * device in the RFKILL ON state which turns off the BT LED immediately. 3319 */ 3320 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 3321 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 3322 if (IS_ERR(skb)) { 3323 ret = PTR_ERR(skb); 3324 bt_dev_err(hdev, "turning off Intel device LED failed"); 3325 return ret; 3326 } 3327 kfree_skb(skb); 3328 } 3329 3330 return 0; 3331 } 3332 EXPORT_SYMBOL_GPL(btintel_shutdown_combined); 3333 3334 int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name) 3335 { 3336 hdev->manufacturer = 2; 3337 hdev->setup = btintel_setup_combined; 3338 hdev->shutdown = btintel_shutdown_combined; 3339 hdev->hw_error = btintel_hw_error; 3340 hdev->set_diag = btintel_set_diag_combined; 3341 hdev->set_bdaddr = btintel_set_bdaddr; 3342 3343 coredump_info.driver_name = driver_name; 3344 3345 return 0; 3346 } 3347 EXPORT_SYMBOL_GPL(btintel_configure_setup); 3348 3349 int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 3350 { 3351 struct intel_tlv *tlv = (void *)&skb->data[5]; 3352 3353 /* The first event is always an event type TLV */ 3354 if (tlv->type != INTEL_TLV_TYPE_ID) 3355 goto recv_frame; 3356 3357 switch (tlv->val[0]) { 3358 case INTEL_TLV_SYSTEM_EXCEPTION: 3359 case INTEL_TLV_FATAL_EXCEPTION: 3360 case INTEL_TLV_DEBUG_EXCEPTION: 3361 case INTEL_TLV_TEST_EXCEPTION: 3362 /* Generate devcoredump from exception */ 3363 if (!hci_devcd_init(hdev, skb->len)) { 3364 hci_devcd_append(hdev, skb_clone(skb, GFP_ATOMIC)); 3365 hci_devcd_complete(hdev); 3366 } else { 3367 bt_dev_err(hdev, "Failed to generate devcoredump"); 3368 } 3369 break; 3370 default: 3371 bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]); 3372 } 3373 3374 recv_frame: 3375 return hci_recv_frame(hdev, skb); 3376 } 3377 EXPORT_SYMBOL_GPL(btintel_diagnostics); 3378 3379 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 3380 { 3381 struct hci_event_hdr *hdr = (void *)skb->data; 3382 const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 }; 3383 3384 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 3385 hdr->plen > 0) { 3386 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 3387 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 3388 3389 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 3390 switch (skb->data[2]) { 3391 case 0x02: 3392 /* When switching to the operational firmware 3393 * the device sends a vendor specific event 3394 * indicating that the bootup completed. 3395 */ 3396 btintel_bootup(hdev, ptr, len); 3397 kfree_skb(skb); 3398 return 0; 3399 case 0x06: 3400 /* When the firmware loading completes the 3401 * device sends out a vendor specific event 3402 * indicating the result of the firmware 3403 * loading. 3404 */ 3405 btintel_secure_send_result(hdev, ptr, len); 3406 kfree_skb(skb); 3407 return 0; 3408 } 3409 } 3410 3411 /* Handle all diagnostics events separately. May still call 3412 * hci_recv_frame. 3413 */ 3414 if (len >= sizeof(diagnostics_hdr) && 3415 memcmp(&skb->data[2], diagnostics_hdr, 3416 sizeof(diagnostics_hdr)) == 0) { 3417 return btintel_diagnostics(hdev, skb); 3418 } 3419 } 3420 3421 return hci_recv_frame(hdev, skb); 3422 } 3423 EXPORT_SYMBOL_GPL(btintel_recv_event); 3424 3425 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len) 3426 { 3427 const struct intel_bootup *evt = ptr; 3428 3429 if (len != sizeof(*evt)) 3430 return; 3431 3432 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING)) 3433 btintel_wake_up_flag(hdev, INTEL_BOOTING); 3434 } 3435 EXPORT_SYMBOL_GPL(btintel_bootup); 3436 3437 void btintel_secure_send_result(struct hci_dev *hdev, 3438 const void *ptr, unsigned int len) 3439 { 3440 const struct intel_secure_send_result *evt = ptr; 3441 3442 if (len != sizeof(*evt)) 3443 return; 3444 3445 if (evt->result) 3446 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED); 3447 3448 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) && 3449 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED)) 3450 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING); 3451 } 3452 EXPORT_SYMBOL_GPL(btintel_secure_send_result); 3453 3454 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3455 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION); 3456 MODULE_VERSION(VERSION); 3457 MODULE_LICENSE("GPL"); 3458 MODULE_FIRMWARE("intel/ibt-11-5.sfi"); 3459 MODULE_FIRMWARE("intel/ibt-11-5.ddc"); 3460 MODULE_FIRMWARE("intel/ibt-12-16.sfi"); 3461 MODULE_FIRMWARE("intel/ibt-12-16.ddc"); 3462