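// SPDX-License-Identifier: GPL-2.0
/*
 * Microchip Polarfire SoC "Auto Update" FPGA reprogramming.
 *
 * Documentation of this functionality is available in the "PolarFire® FPGA and
 * PolarFire SoC FPGA Programming" User Guide.
 *
 * Copyright (c) 2022-2023 Microchip Corporation. All rights reserved.
 *
 * Author: Conor Dooley <conor.dooley@microchip.com>
 */
#include <linux/debugfs.h>
#include <linux/firmware.h>
#include <linux/math.h>
#include <linux/module.h>
#include <linux/mtd/mtd.h>
#include <linux/platform_device.h>
#include <linux/sizes.h>

#include <soc/microchip/mpfs.h>

#define AUTO_UPDATE_DEFAULT_MBOX_OFFSET		0u
#define AUTO_UPDATE_DEFAULT_RESP_OFFSET		0u

#define AUTO_UPDATE_FEATURE_CMD_OPCODE		0x05u
#define AUTO_UPDATE_FEATURE_CMD_DATA_SIZE	0u
#define AUTO_UPDATE_FEATURE_RESP_SIZE		33u
#define AUTO_UPDATE_FEATURE_CMD_DATA		NULL
#define AUTO_UPDATE_FEATURE_ENABLED		BIT(5)

#define AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE	0x22u
#define AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE	0u
#define AUTO_UPDATE_AUTHENTICATE_RESP_SIZE	1u
#define AUTO_UPDATE_AUTHENTICATE_CMD_DATA	NULL

#define AUTO_UPDATE_PROGRAM_CMD_OPCODE		0x46u
#define AUTO_UPDATE_PROGRAM_CMD_DATA_SIZE	0u
#define AUTO_UPDATE_PROGRAM_RESP_SIZE		1u
#define AUTO_UPDATE_PROGRAM_CMD_DATA		NULL

/*
 * SPI Flash layout example:
 * |------------------------------| 0x0000000
 * | 1 KiB                        |
 * | SPI "directories"            |
 * |------------------------------| 0x0000400
 * | 1 MiB                        |
 * | Reserved area                |
 * | Used for bitstream info      |
 * |------------------------------| 0x0100400
 * | 20 MiB                       |
 * | Golden Image                 |
 * |------------------------------| 0x1500400
 * | 20 MiB                       |
 * | Auto Upgrade Image           |
 * |------------------------------| 0x2900400
 * | 20 MiB                       |
 * | Reserved for multi-image IAP |
 * | Unused for Auto Upgrade      |
 * |------------------------------| 0x3D00400
 * | ? B                          |
 * | Unused                       |
 * |------------------------------| 0x?
 */
#define AUTO_UPDATE_DIRECTORY_BASE	0u
#define AUTO_UPDATE_DIRECTORY_WIDTH	4u
#define AUTO_UPDATE_GOLDEN_INDEX	0u
#define AUTO_UPDATE_UPGRADE_INDEX	1u
#define AUTO_UPDATE_BLANK_INDEX		2u
#define AUTO_UPDATE_GOLDEN_DIRECTORY	(AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_GOLDEN_INDEX)
#define AUTO_UPDATE_UPGRADE_DIRECTORY	(AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_UPGRADE_INDEX)
#define AUTO_UPDATE_BLANK_DIRECTORY	(AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_BLANK_INDEX)
#define AUTO_UPDATE_DIRECTORY_SIZE	SZ_1K
#define AUTO_UPDATE_RESERVED_SIZE	SZ_1M
#define AUTO_UPDATE_BITSTREAM_BASE	(AUTO_UPDATE_DIRECTORY_SIZE + AUTO_UPDATE_RESERVED_SIZE)

#define AUTO_UPDATE_TIMEOUT_MS		60000

/*
 * Per-device state shared by the firmware-upload callbacks.
 *
 * @flash and @size_per_bitstream are (re)computed by the prepare callback and
 * consumed by the write path; @cancel_request is set by the cancel callback
 * and cleared by prepare.
 */
struct mpfs_auto_update_priv {
	struct mpfs_sys_controller *sys_controller;
	struct device *dev;
	struct mtd_info *flash;
	struct fw_upload *fw_uploader;
	struct completion programming_complete;
	size_t size_per_bitstream;
	bool cancel_request;
};

/*
 * fw_upload .prepare callback: look up the flash device and check that one
 * image slot is large enough for a bitstream of @size bytes. @data is not
 * inspected here.
 *
 * Returns FW_UPLOAD_ERR_HW_ERROR when no flash is available,
 * FW_UPLOAD_ERR_INVALID_SIZE when the image cannot fit and
 * FW_UPLOAD_ERR_NONE otherwise. A pending cancel request is cleared on
 * success.
 */
static enum fw_upload_err mpfs_auto_update_prepare(struct fw_upload *fw_uploader, const u8 *data,
						   u32 size)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;

	/*
	 * Verifying the Golden Image is idealistic. It will be evaluated
	 * against the currently programmed image and thus may fail - due to
	 * either rollback protection (if its an older version than that in use)
	 * or if the version is the same as that of the in-use image.
	 * Extracting the information as to why a failure occurred is not
	 * currently possible due to limitations of the system controller
	 * driver. If those are fixed, verification of the Golden Image should
	 * be added here.
	 */

	priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller);
	if (!priv->flash)
		return FW_UPLOAD_ERR_HW_ERROR;

	erase_size = round_up(erase_size, (u64)priv->flash->erasesize);

	/*
	 * A flash smaller than the directory plus the reserved area has no
	 * room for any image at all. Reject it up front: the subtraction
	 * below is unsigned and would otherwise wrap to a huge value, which
	 * the 20 MiB cap would then turn into a bogus "fits" result.
	 */
	if (priv->flash->size < AUTO_UPDATE_BITSTREAM_BASE) {
		dev_err(priv->dev,
			"flash device has insufficient capacity to store this bitstream\n");
		return FW_UPLOAD_ERR_INVALID_SIZE;
	}

	/*
	 * We need to calculate if we have enough space in the flash for the
	 * new image.
	 * First, chop off the first 1 KiB as it's reserved for the directory.
	 * The 1 MiB reserved for design info needs to be ignored also.
	 * All that remains is carved into 3 & rounded down to the erasesize.
	 * If this is smaller than the image size, we abort.
	 * There's also no need to consume more than 20 MiB per image.
	 */
	priv->size_per_bitstream = priv->flash->size - AUTO_UPDATE_BITSTREAM_BASE;
	priv->size_per_bitstream = round_down(priv->size_per_bitstream / 3, erase_size);
	if (priv->size_per_bitstream > 20 * SZ_1M)
		priv->size_per_bitstream = 20 * SZ_1M;

	if (priv->size_per_bitstream < size) {
		dev_err(priv->dev,
			"flash device has insufficient capacity to store this bitstream\n");
		return FW_UPLOAD_ERR_INVALID_SIZE;
	}

	priv->cancel_request = false;

	return FW_UPLOAD_ERR_NONE;
}

/*
 * fw_upload .cancel callback: record the request. The flag is only examined
 * by the write callback once the flash write has finished.
 */
static void mpfs_auto_update_cancel(struct fw_upload *fw_uploader)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;

	priv->cancel_request = true;
}

/*
 * fw_upload .poll_complete callback: wait (up to AUTO_UPDATE_TIMEOUT_MS) for
 * the write callback to signal programming_complete.
 *
 * Returns FW_UPLOAD_ERR_TIMEOUT if the completion was not signalled in time,
 * FW_UPLOAD_ERR_NONE otherwise.
 */
static enum fw_upload_err mpfs_auto_update_poll_complete(struct fw_upload *fw_uploader)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	unsigned long remaining;

	/*
	 * There is no meaningful way to get the status of the programming while
	 * it is in progress, so attempting anything other than waiting for it
	 * to complete would be misplaced.
	 */
	remaining = wait_for_completion_timeout(&priv->programming_complete,
						msecs_to_jiffies(AUTO_UPDATE_TIMEOUT_MS));

	/*
	 * wait_for_completion_timeout() returns 0 when the timeout elapsed and
	 * the number of jiffies left (at least 1) when the completion fired,
	 * so only a zero return is a timeout.
	 */
	if (!remaining)
		return FW_UPLOAD_ERR_TIMEOUT;

	return FW_UPLOAD_ERR_NONE;
}

/*
 * Ask the system controller to authenticate the image stored in the Upgrade
 * slot of the flash.
 *
 * Returns 0 when the service reports success, -ENOMEM on allocation failure,
 * the error from mpfs_blocking_transaction() if the transaction failed, or
 * -EBADMSG when the transaction went through but the response status was
 * non-zero.
 */
static int mpfs_auto_update_verify_image(struct fw_upload *fw_uploader)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	struct mpfs_mss_response *response;
	struct mpfs_mss_msg *message;
	u32 *response_msg;
	int ret;

	response_msg = devm_kzalloc(priv->dev, AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg),
				    GFP_KERNEL);
	if (!response_msg)
		return -ENOMEM;

	response = devm_kzalloc(priv->dev, sizeof(*response), GFP_KERNEL);
	if (!response) {
		ret = -ENOMEM;
		goto free_response_msg;
	}

	message = devm_kzalloc(priv->dev, sizeof(*message), GFP_KERNEL);
	if (!message) {
		ret = -ENOMEM;
		goto free_response;
	}

	/*
	 * The system controller can verify that an image in the flash is valid.
	 * Rather than duplicate the check in this driver, call the relevant
	 * service from the system controller instead.
	 * This service has no command data and no response data. It overloads
	 * mbox_offset with the image index in the flash's SPI directory where
	 * the bitstream is located.
	 */
	response->resp_msg = response_msg;
	response->resp_size = AUTO_UPDATE_AUTHENTICATE_RESP_SIZE;
	message->cmd_opcode = AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE;
	message->cmd_data_size = AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE;
	message->response = response;
	message->cmd_data = AUTO_UPDATE_AUTHENTICATE_CMD_DATA;
	message->mbox_offset = AUTO_UPDATE_UPGRADE_INDEX;
	message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;

	dev_info(priv->dev, "Running verification of Upgrade Image\n");
	ret = mpfs_blocking_transaction(priv->sys_controller, message);
	if (ret || response->resp_status) {
		dev_warn(priv->dev, "Verification of Upgrade Image failed!\n");
		/* keep the transport error if there is one, else flag a bad image */
		ret = ret ? ret : -EBADMSG;
		goto free_message;
	}

	dev_info(priv->dev, "Verification of Upgrade Image passed!\n");

free_message:
	devm_kfree(priv->dev, message);
free_response:
	devm_kfree(priv->dev, response);
free_response_msg:
	devm_kfree(priv->dev, response_msg);

	return ret;
}

/*
 * Point the Upgrade entry of the SPI directory at @image_address and zero the
 * entry that follows it, rewriting the first erase block only when its
 * current contents differ.
 *
 * @buffer must hold at least AUTO_UPDATE_DIRECTORY_SIZE rounded up to the
 * flash erase size; it is used as scratch space for the read-modify-write.
 * @directory_address is only used in the log message.
 *
 * Returns 0 on success (including "nothing to do"), the error from the MTD
 * layer, or -EIO on a short read or short write.
 */
static int mpfs_auto_update_set_image_address(struct mpfs_auto_update_priv *priv, char *buffer,
					      u32 image_address, loff_t directory_address)
{
	struct erase_info erase;
	size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;
	size_t bytes_written = 0, bytes_read = 0;
	int ret;

	erase_size = round_up(erase_size, (u64)priv->flash->erasesize);

	erase.addr = AUTO_UPDATE_DIRECTORY_BASE;
	erase.len = erase_size;

	/*
	 * We need to write the "SPI DIRECTORY" to the first 1 KiB, telling
	 * the system controller where to find the actual bitstream. Since
	 * this is spi-nor, we have to read the first eraseblock, erase that
	 * portion of the flash, modify the data and then write it back.
	 * There's no need to do this though if things are already the way they
	 * should be, so check and save the write in that case.
	 */
	ret = mtd_read(priv->flash, AUTO_UPDATE_DIRECTORY_BASE, erase_size, &bytes_read,
		       (u_char *)buffer);
	if (ret)
		return ret;

	if (bytes_read != erase_size)
		return -EIO;

	if ((*(u32 *)(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY) == image_address) &&
	    !(*(u32 *)(buffer + AUTO_UPDATE_BLANK_DIRECTORY)))
		return 0;

	ret = mtd_erase(priv->flash, &erase);
	if (ret)
		return ret;

	/*
	 * Populate the image address and then zero out the next directory so
	 * that the system controller doesn't complain if in "Single Image"
	 * mode.
	 */
	memcpy(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY, &image_address,
	       AUTO_UPDATE_DIRECTORY_WIDTH);
	memset(buffer + AUTO_UPDATE_BLANK_DIRECTORY, 0x0, AUTO_UPDATE_DIRECTORY_WIDTH);

	dev_info(priv->dev, "Writing the image address (0x%x) to the flash directory (0x%llx)\n",
		 image_address, directory_address);

	ret = mtd_write(priv->flash, AUTO_UPDATE_DIRECTORY_BASE, erase_size, &bytes_written,
			(u_char *)buffer);
	if (ret)
		return ret;

	/*
	 * The block was erased above, so a short write leaves the directory
	 * (Golden entry included) incomplete. Report it rather than returning
	 * the 0 that mtd_write() left in ret.
	 */
	if (bytes_written != erase_size)
		return -EIO;

	return 0;
}

/*
 * Update the SPI directory, then erase the Upgrade slot and write @size bytes
 * of @data into it. @offset is not used: the image is always written at the
 * start of the slot. On success *@written is set to the number of bytes
 * written.
 *
 * The bitstream is not inspected by the driver; whether it is acceptable is
 * decided later by the system controller's authentication service.
 *
 * Returns 0 on success, -ENOMEM, an MTD error, or -EIO on a short write.
 */
static int mpfs_auto_update_write_bitstream(struct fw_upload *fw_uploader, const u8 *data,
					    u32 offset, u32 size, u32 *written)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	struct erase_info erase;
	char *buffer;
	loff_t directory_address = AUTO_UPDATE_UPGRADE_DIRECTORY;
	size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;
	size_t bytes_written = 0;
	u32 image_address;
	int ret;

	erase_size = round_up(erase_size, (u64)priv->flash->erasesize);

	image_address = AUTO_UPDATE_BITSTREAM_BASE +
		AUTO_UPDATE_UPGRADE_INDEX * priv->size_per_bitstream;

	buffer = devm_kzalloc(priv->dev, erase_size, GFP_KERNEL);
	if (!buffer)
		return -ENOMEM;

	ret = mpfs_auto_update_set_image_address(priv, buffer, image_address, directory_address);
	if (ret) {
		dev_err(priv->dev, "failed to set image address in the SPI directory: %d\n", ret);
		goto out;
	}

	/*
	 * Now the .spi image itself can be written to the flash. Preservation
	 * of contents here is not important here, unlike the spi "directory"
	 * which must be RMWed.
	 */
	erase.len = round_up(size, (size_t)priv->flash->erasesize);
	erase.addr = image_address;

	dev_info(priv->dev, "Erasing the flash at address (0x%x)\n", image_address);
	ret = mtd_erase(priv->flash, &erase);
	if (ret)
		goto out;

	/*
	 * No parsing etc of the bitstream is required. The system controller
	 * will do all of that itself - including verifying that the bitstream
	 * is valid.
	 */
	dev_info(priv->dev, "Writing the image to the flash at address (0x%x)\n", image_address);
	ret = mtd_write(priv->flash, (loff_t)image_address, size, &bytes_written, data);
	if (ret)
		goto out;

	if (bytes_written != size) {
		ret = -EIO;
		goto out;
	}

	*written = bytes_written;

out:
	devm_kfree(priv->dev, buffer);
	return ret;
}

/*
 * fw_upload .write callback: store the bitstream in flash and have the system
 * controller authenticate it. programming_complete is signalled on every
 * exit path so that poll_complete does not wait needlessly.
 *
 * Returns FW_UPLOAD_ERR_RW_ERROR if the flash update failed,
 * FW_UPLOAD_ERR_CANCELED if a cancel was requested meanwhile,
 * FW_UPLOAD_ERR_FW_INVALID if authentication failed and FW_UPLOAD_ERR_NONE
 * otherwise.
 *
 * NOTE(review): authentication runs only after the directory and the image
 * have been written, so a rejected (or cancelled) upload stays in flash with
 * the Upgrade directory entry pointing at it. This presumably relies on the
 * system controller authenticating the image again before programming it -
 * confirm against the programming user guide.
 */
static enum fw_upload_err mpfs_auto_update_write(struct fw_upload *fw_uploader, const u8 *data,
						 u32 offset, u32 size, u32 *written)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	enum fw_upload_err err = FW_UPLOAD_ERR_NONE;
	int ret;

	reinit_completion(&priv->programming_complete);

	ret = mpfs_auto_update_write_bitstream(fw_uploader, data, offset, size, written);
	if (ret) {
		err = FW_UPLOAD_ERR_RW_ERROR;
		goto out;
	}

	if (priv->cancel_request) {
		err = FW_UPLOAD_ERR_CANCELED;
		goto out;
	}

	ret = mpfs_auto_update_verify_image(fw_uploader);
	if (ret)
		err = FW_UPLOAD_ERR_FW_INVALID;

out:
	complete(&priv->programming_complete);

	return err;
}

static const struct fw_upload_ops mpfs_auto_update_ops = {
	.prepare = mpfs_auto_update_prepare,
	.write = mpfs_auto_update_write,
	.poll_complete = mpfs_auto_update_poll_complete,
	.cancel = mpfs_auto_update_cancel,
};

/*
 * Query the system controller to find out whether Auto Update may be used
 * with the currently programmed design.
 *
 * Returns 0 if it may, -EPERM if the lock bit in the response is set, -EIO
 * if the service reported a failure status, -ENOMEM on allocation failure,
 * or the error from mpfs_blocking_transaction().
 */
static int mpfs_auto_update_available(struct mpfs_auto_update_priv *priv)
{
	struct mpfs_mss_response *response;
	struct mpfs_mss_msg *message;
	u32 *response_msg;
	int ret;

	response_msg = devm_kzalloc(priv->dev,
				    AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg),
				    GFP_KERNEL);
	if (!response_msg)
		return -ENOMEM;

	response = devm_kzalloc(priv->dev, sizeof(*response), GFP_KERNEL);
	if (!response) {
		ret = -ENOMEM;
		goto free_response_msg;
	}

	message = devm_kzalloc(priv->dev, sizeof(*message), GFP_KERNEL);
	if (!message) {
		ret = -ENOMEM;
		goto free_response;
	}

	/*
	 * To verify that Auto Update is possible, the "Query Security Service
	 * Request" is performed.
	 * This service has no command data & does not overload mbox_offset.
	 */
	response->resp_msg = response_msg;
	response->resp_size = AUTO_UPDATE_FEATURE_RESP_SIZE;
	message->cmd_opcode = AUTO_UPDATE_FEATURE_CMD_OPCODE;
	message->cmd_data_size = AUTO_UPDATE_FEATURE_CMD_DATA_SIZE;
	message->response = response;
	message->cmd_data = AUTO_UPDATE_FEATURE_CMD_DATA;
	message->mbox_offset = AUTO_UPDATE_DEFAULT_MBOX_OFFSET;
	message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;

	ret = mpfs_blocking_transaction(priv->sys_controller, message);
	if (ret)
		goto free_message;

	/*
	 * Currently, the system controller's firmware does not generate any
	 * interrupts for failed services, so mpfs_blocking_transaction() should
	 * time out & therefore return an error.
	 * Hitting this check is highly unlikely at present, but if the system
	 * controller's behaviour changes so that it does generate interrupts
	 * for failed services, it will be required.
	 */
	if (response->resp_status) {
		ret = -EIO;
		goto free_message;
	}

	/*
	 * Bit 5 of byte 1 is "UL_Auto Update" & if it is set, Auto Update is
	 * not possible.
	 * response_msg is an array of u32, so it has to be indexed as bytes
	 * to reach byte 1; response_msg[1] would test bit 5 of byte 4 and
	 * miss the lock bit. This takes the buffer to hold the response in
	 * the controller's byte order.
	 */
	if (((u8 *)response_msg)[1] & AUTO_UPDATE_FEATURE_ENABLED)
		ret = -EPERM;

	/*
	 * These buffers are only needed for this one query. Release them on
	 * every path instead of leaving them attached to the device until it
	 * is unbound.
	 */
free_message:
	devm_kfree(priv->dev, message);
free_response:
	devm_kfree(priv->dev, response);
free_response_msg:
	devm_kfree(priv->dev, response_msg);

	return ret;
}

/*
 * Bind to the system controller, check that Auto Update is permitted and
 * register the "mpfs-auto-update" firmware uploader.
 */
static int mpfs_auto_update_probe(struct platform_device *pdev)
{
	struct device *dev = &pdev->dev;
	struct mpfs_auto_update_priv *priv;
	struct fw_upload *fw_uploader;
	int ret;

	priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
	if (!priv)
		return -ENOMEM;

	priv->sys_controller = mpfs_sys_controller_get(dev);
	if (IS_ERR(priv->sys_controller))
		return dev_err_probe(dev, PTR_ERR(priv->sys_controller),
				     "Could not register as a sub device of the system controller\n");

	priv->dev = dev;
	platform_set_drvdata(pdev, priv);

	ret = mpfs_auto_update_available(priv);
	if (ret)
		return dev_err_probe(dev, ret,
				     "The current bitstream does not support auto-update\n");

	/* must be initialised before the uploader (and its callbacks) exists */
	init_completion(&priv->programming_complete);

	fw_uploader = firmware_upload_register(THIS_MODULE, dev, "mpfs-auto-update",
					       &mpfs_auto_update_ops, priv);
	if (IS_ERR(fw_uploader))
		return dev_err_probe(dev, PTR_ERR(fw_uploader),
				     "Failed to register the bitstream uploader\n");

	priv->fw_uploader = fw_uploader;

	return 0;
}

/* Unregister the firmware uploader that probe registered. */
static void mpfs_auto_update_remove(struct platform_device *pdev)
{
	struct mpfs_auto_update_priv *priv = platform_get_drvdata(pdev);

	firmware_upload_unregister(priv->fw_uploader);
}

static struct platform_driver mpfs_auto_update_driver = {
	.driver = {
		.name = "mpfs-auto-update",
	},
	.probe = mpfs_auto_update_probe,
	.remove_new = mpfs_auto_update_remove,
};
module_platform_driver(mpfs_auto_update_driver);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Conor Dooley <conor.dooley@microchip.com>");
MODULE_DESCRIPTION("PolarFire SoC Auto Update FPGA reprogramming");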