1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Microchip Polarfire SoC "Auto Update" FPGA reprogramming. 4 * 5 * Documentation of this functionality is available in the "PolarFire® FPGA and 6 * PolarFire SoC FPGA Programming" User Guide. 7 * 8 * Copyright (c) 2022-2023 Microchip Corporation. All rights reserved. 9 * 10 * Author: Conor Dooley <conor.dooley@microchip.com> 11 */ 12 #include <linux/cleanup.h> 13 #include <linux/debugfs.h> 14 #include <linux/firmware.h> 15 #include <linux/math.h> 16 #include <linux/module.h> 17 #include <linux/mtd/mtd.h> 18 #include <linux/platform_device.h> 19 #include <linux/sizes.h> 20 21 #include <soc/microchip/mpfs.h> 22 23 #define AUTO_UPDATE_DEFAULT_MBOX_OFFSET 0u 24 #define AUTO_UPDATE_DEFAULT_RESP_OFFSET 0u 25 26 #define AUTO_UPDATE_FEATURE_CMD_OPCODE 0x05u 27 #define AUTO_UPDATE_FEATURE_CMD_DATA_SIZE 0u 28 #define AUTO_UPDATE_FEATURE_RESP_SIZE 33u 29 #define AUTO_UPDATE_FEATURE_CMD_DATA NULL 30 #define AUTO_UPDATE_FEATURE_ENABLED BIT(5) 31 32 #define AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE 0x22u 33 #define AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE 0u 34 #define AUTO_UPDATE_AUTHENTICATE_RESP_SIZE 1u 35 #define AUTO_UPDATE_AUTHENTICATE_CMD_DATA NULL 36 37 #define AUTO_UPDATE_PROGRAM_CMD_OPCODE 0x46u 38 #define AUTO_UPDATE_PROGRAM_CMD_DATA_SIZE 0u 39 #define AUTO_UPDATE_PROGRAM_RESP_SIZE 1u 40 #define AUTO_UPDATE_PROGRAM_CMD_DATA NULL 41 42 /* 43 * SPI Flash layout example: 44 * |------------------------------| 0x0000000 45 * | 1 KiB | 46 * | SPI "directories" | 47 * |------------------------------| 0x0000400 48 * | 1 MiB | 49 * | Reserved area | 50 * | Used for bitstream info | 51 * |------------------------------| 0x0100400 52 * | 20 MiB | 53 * | Golden Image | 54 * |------------------------------| 0x1500400 55 * | 20 MiB | 56 * | Auto Upgrade Image | 57 * |------------------------------| 0x2900400 58 * | 20 MiB | 59 * | Reserved for multi-image IAP | 60 * | Unused for Auto Upgrade | 61 * |------------------------------| 0x3D00400 62 * | ? B | 63 * | Unused | 64 * |------------------------------| 0x? 65 */ 66 #define AUTO_UPDATE_DIRECTORY_BASE 0u 67 #define AUTO_UPDATE_DIRECTORY_WIDTH 4u 68 #define AUTO_UPDATE_GOLDEN_INDEX 0u 69 #define AUTO_UPDATE_UPGRADE_INDEX 1u 70 #define AUTO_UPDATE_BLANK_INDEX 2u 71 #define AUTO_UPDATE_GOLDEN_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_GOLDEN_INDEX) 72 #define AUTO_UPDATE_UPGRADE_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_UPGRADE_INDEX) 73 #define AUTO_UPDATE_BLANK_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_BLANK_INDEX) 74 #define AUTO_UPDATE_DIRECTORY_SIZE SZ_1K 75 #define AUTO_UPDATE_INFO_BASE AUTO_UPDATE_DIRECTORY_SIZE 76 #define AUTO_UPDATE_INFO_SIZE SZ_1M 77 #define AUTO_UPDATE_BITSTREAM_BASE (AUTO_UPDATE_DIRECTORY_SIZE + AUTO_UPDATE_INFO_SIZE) 78 79 #define AUTO_UPDATE_TIMEOUT_MS 60000 80 81 struct mpfs_auto_update_priv { 82 struct mpfs_sys_controller *sys_controller; 83 struct device *dev; 84 struct mtd_info *flash; 85 struct fw_upload *fw_uploader; 86 struct completion programming_complete; 87 size_t size_per_bitstream; 88 bool cancel_request; 89 }; 90 91 static bool mpfs_auto_update_is_bitstream_info(const u8 *data, u32 size) 92 { 93 if (size < 4) 94 return false; 95 96 if (data[0] == 0x4d && data[1] == 0x43 && data[2] == 0x48 && data[3] == 0x50) 97 return true; 98 99 return false; 100 } 101 102 static enum fw_upload_err mpfs_auto_update_prepare(struct fw_upload *fw_uploader, const u8 *data, 103 u32 size) 104 { 105 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle; 106 size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE; 107 108 /* 109 * Verifying the Golden Image is idealistic. It will be evaluated 110 * against the currently programmed image and thus may fail - due to 111 * either rollback protection (if its an older version than that in use) 112 * or if the version is the same as that of the in-use image. 113 * Extracting the information as to why a failure occurred is not 114 * currently possible due to limitations of the system controller 115 * driver. If those are fixed, verification of the Golden Image should 116 * be added here. 117 */ 118 119 priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller); 120 if (!priv->flash) 121 return FW_UPLOAD_ERR_HW_ERROR; 122 123 erase_size = round_up(erase_size, (u64)priv->flash->erasesize); 124 125 /* 126 * We need to calculate if we have enough space in the flash for the 127 * new image. 128 * First, chop off the first 1 KiB as it's reserved for the directory. 129 * The 1 MiB reserved for design info needs to be ignored also. 130 * All that remains is carved into 3 & rounded down to the erasesize. 131 * If this is smaller than the image size, we abort. 132 * There's also no need to consume more than 20 MiB per image. 133 */ 134 priv->size_per_bitstream = priv->flash->size - SZ_1K - SZ_1M; 135 priv->size_per_bitstream = round_down(priv->size_per_bitstream / 3, erase_size); 136 if (priv->size_per_bitstream > 20 * SZ_1M) 137 priv->size_per_bitstream = 20 * SZ_1M; 138 139 if (priv->size_per_bitstream < size) { 140 dev_err(priv->dev, 141 "flash device has insufficient capacity to store this bitstream\n"); 142 return FW_UPLOAD_ERR_INVALID_SIZE; 143 } 144 145 priv->cancel_request = false; 146 147 return FW_UPLOAD_ERR_NONE; 148 } 149 150 static void mpfs_auto_update_cancel(struct fw_upload *fw_uploader) 151 { 152 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle; 153 154 priv->cancel_request = true; 155 } 156 157 static enum fw_upload_err mpfs_auto_update_poll_complete(struct fw_upload *fw_uploader) 158 { 159 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle; 160 int ret; 161 162 /* 163 * There is no meaningful way to get the status of the programming while 164 * it is in progress, so attempting anything other than waiting for it 165 * to complete would be misplaced. 166 */ 167 ret = wait_for_completion_timeout(&priv->programming_complete, 168 msecs_to_jiffies(AUTO_UPDATE_TIMEOUT_MS)); 169 if (!ret) 170 return FW_UPLOAD_ERR_TIMEOUT; 171 172 return FW_UPLOAD_ERR_NONE; 173 } 174 175 static int mpfs_auto_update_verify_image(struct fw_upload *fw_uploader) 176 { 177 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle; 178 u32 *response_msg __free(kfree) = 179 kzalloc(AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg), GFP_KERNEL); 180 struct mpfs_mss_response *response __free(kfree) = 181 kzalloc(sizeof(struct mpfs_mss_response), GFP_KERNEL); 182 struct mpfs_mss_msg *message __free(kfree) = 183 kzalloc(sizeof(struct mpfs_mss_msg), GFP_KERNEL); 184 int ret; 185 186 if (!response_msg || !response || !message) 187 return -ENOMEM; 188 189 /* 190 * The system controller can verify that an image in the flash is valid. 191 * Rather than duplicate the check in this driver, call the relevant 192 * service from the system controller instead. 193 * This service has no command data and no response data. It overloads 194 * mbox_offset with the image index in the flash's SPI directory where 195 * the bitstream is located. 196 */ 197 response->resp_msg = response_msg; 198 response->resp_size = AUTO_UPDATE_AUTHENTICATE_RESP_SIZE; 199 message->cmd_opcode = AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE; 200 message->cmd_data_size = AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE; 201 message->response = response; 202 message->cmd_data = AUTO_UPDATE_AUTHENTICATE_CMD_DATA; 203 message->mbox_offset = AUTO_UPDATE_UPGRADE_INDEX; 204 message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET; 205 206 dev_info(priv->dev, "Running verification of Upgrade Image\n"); 207 ret = mpfs_blocking_transaction(priv->sys_controller, message); 208 if (ret | response->resp_status) { 209 dev_warn(priv->dev, "Verification of Upgrade Image failed!\n"); 210 return ret ? ret : -EBADMSG; 211 } 212 213 dev_info(priv->dev, "Verification of Upgrade Image passed!\n"); 214 215 return 0; 216 } 217 218 static int mpfs_auto_update_set_image_address(struct mpfs_auto_update_priv *priv, 219 u32 image_address, loff_t directory_address) 220 { 221 struct erase_info erase; 222 size_t erase_size = round_up(AUTO_UPDATE_DIRECTORY_SIZE, (u64)priv->flash->erasesize); 223 size_t bytes_written = 0, bytes_read = 0; 224 char *buffer __free(kfree) = kzalloc(erase_size, GFP_KERNEL); 225 int ret; 226 227 if (!buffer) 228 return -ENOMEM; 229 230 erase.addr = AUTO_UPDATE_DIRECTORY_BASE; 231 erase.len = erase_size; 232 233 /* 234 * We need to write the "SPI DIRECTORY" to the first 1 KiB, telling 235 * the system controller where to find the actual bitstream. Since 236 * this is spi-nor, we have to read the first eraseblock, erase that 237 * portion of the flash, modify the data and then write it back. 238 * There's no need to do this though if things are already the way they 239 * should be, so check and save the write in that case. 240 */ 241 ret = mtd_read(priv->flash, AUTO_UPDATE_DIRECTORY_BASE, erase_size, &bytes_read, 242 (u_char *)buffer); 243 if (ret) 244 return ret; 245 246 if (bytes_read != erase_size) 247 return -EIO; 248 249 if ((*(u32 *)(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY) == image_address) && 250 !(*(u32 *)(buffer + AUTO_UPDATE_BLANK_DIRECTORY))) 251 return 0; 252 253 ret = mtd_erase(priv->flash, &erase); 254 if (ret) 255 return ret; 256 257 /* 258 * Populate the image address and then zero out the next directory so 259 * that the system controller doesn't complain if in "Single Image" 260 * mode. 261 */ 262 memcpy(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY, &image_address, 263 AUTO_UPDATE_DIRECTORY_WIDTH); 264 memset(buffer + AUTO_UPDATE_BLANK_DIRECTORY, 0x0, AUTO_UPDATE_DIRECTORY_WIDTH); 265 266 dev_info(priv->dev, "Writing the image address (0x%x) to the flash directory (0x%llx)\n", 267 image_address, directory_address); 268 269 ret = mtd_write(priv->flash, 0x0, erase_size, &bytes_written, (u_char *)buffer); 270 if (ret) 271 return ret; 272 273 if (bytes_written != erase_size) 274 return -EIO; 275 276 return 0; 277 } 278 279 static int mpfs_auto_update_write_bitstream(struct fw_upload *fw_uploader, const u8 *data, 280 u32 offset, u32 size, u32 *written) 281 { 282 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle; 283 struct erase_info erase; 284 loff_t directory_address = AUTO_UPDATE_UPGRADE_DIRECTORY; 285 size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE; 286 size_t bytes_written = 0; 287 bool is_info = mpfs_auto_update_is_bitstream_info(data, size); 288 u32 image_address; 289 int ret; 290 291 erase_size = round_up(erase_size, (u64)priv->flash->erasesize); 292 293 if (is_info) 294 image_address = AUTO_UPDATE_INFO_BASE; 295 else 296 image_address = AUTO_UPDATE_BITSTREAM_BASE + 297 AUTO_UPDATE_UPGRADE_INDEX * priv->size_per_bitstream; 298 299 /* 300 * For bitstream info, the descriptor is written to a fixed offset, 301 * so there is no need to set the image address. 302 */ 303 if (!is_info) { 304 ret = mpfs_auto_update_set_image_address(priv, image_address, directory_address); 305 if (ret) { 306 dev_err(priv->dev, "failed to set image address in the SPI directory: %d\n", ret); 307 return ret; 308 } 309 } else { 310 if (size > AUTO_UPDATE_INFO_SIZE) { 311 dev_err(priv->dev, "bitstream info exceeds permitted size\n"); 312 return -ENOSPC; 313 } 314 } 315 316 /* 317 * Now the .spi image itself can be written to the flash. Preservation 318 * of contents here is not important here, unlike the spi "directory" 319 * which must be RMWed. 320 */ 321 erase.len = round_up(size, (size_t)priv->flash->erasesize); 322 erase.addr = image_address; 323 324 dev_info(priv->dev, "Erasing the flash at address (0x%x)\n", image_address); 325 ret = mtd_erase(priv->flash, &erase); 326 if (ret) 327 return ret; 328 329 /* 330 * No parsing etc of the bitstream is required. The system controller 331 * will do all of that itself - including verifying that the bitstream 332 * is valid. 333 */ 334 dev_info(priv->dev, "Writing the image to the flash at address (0x%x)\n", image_address); 335 ret = mtd_write(priv->flash, (loff_t)image_address, size, &bytes_written, data); 336 if (ret) 337 return ret; 338 339 if (bytes_written != size) 340 return -EIO; 341 342 *written = bytes_written; 343 dev_info(priv->dev, "Wrote 0x%zx bytes to the flash\n", bytes_written); 344 345 return 0; 346 } 347 348 static enum fw_upload_err mpfs_auto_update_write(struct fw_upload *fw_uploader, const u8 *data, 349 u32 offset, u32 size, u32 *written) 350 { 351 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle; 352 enum fw_upload_err err = FW_UPLOAD_ERR_NONE; 353 int ret; 354 355 reinit_completion(&priv->programming_complete); 356 357 ret = mpfs_auto_update_write_bitstream(fw_uploader, data, offset, size, written); 358 if (ret) { 359 err = FW_UPLOAD_ERR_RW_ERROR; 360 goto out; 361 } 362 363 if (priv->cancel_request) { 364 err = FW_UPLOAD_ERR_CANCELED; 365 goto out; 366 } 367 368 if (mpfs_auto_update_is_bitstream_info(data, size)) 369 goto out; 370 371 ret = mpfs_auto_update_verify_image(fw_uploader); 372 if (ret) 373 err = FW_UPLOAD_ERR_FW_INVALID; 374 375 out: 376 complete(&priv->programming_complete); 377 378 return err; 379 } 380 381 static const struct fw_upload_ops mpfs_auto_update_ops = { 382 .prepare = mpfs_auto_update_prepare, 383 .write = mpfs_auto_update_write, 384 .poll_complete = mpfs_auto_update_poll_complete, 385 .cancel = mpfs_auto_update_cancel, 386 }; 387 388 static int mpfs_auto_update_available(struct mpfs_auto_update_priv *priv) 389 { 390 u32 *response_msg __free(kfree) = 391 kzalloc(AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg), GFP_KERNEL); 392 struct mpfs_mss_response *response __free(kfree) = 393 kzalloc(sizeof(struct mpfs_mss_response), GFP_KERNEL); 394 struct mpfs_mss_msg *message __free(kfree) = 395 kzalloc(sizeof(struct mpfs_mss_msg), GFP_KERNEL); 396 int ret; 397 398 if (!response_msg || !response || !message) 399 return -ENOMEM; 400 401 /* 402 * To verify that Auto Update is possible, the "Query Security Service 403 * Request" is performed. 404 * This service has no command data & does not overload mbox_offset. 405 */ 406 response->resp_msg = response_msg; 407 response->resp_size = AUTO_UPDATE_FEATURE_RESP_SIZE; 408 message->cmd_opcode = AUTO_UPDATE_FEATURE_CMD_OPCODE; 409 message->cmd_data_size = AUTO_UPDATE_FEATURE_CMD_DATA_SIZE; 410 message->response = response; 411 message->cmd_data = AUTO_UPDATE_FEATURE_CMD_DATA; 412 message->mbox_offset = AUTO_UPDATE_DEFAULT_MBOX_OFFSET; 413 message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET; 414 415 ret = mpfs_blocking_transaction(priv->sys_controller, message); 416 if (ret) 417 return ret; 418 419 /* 420 * Currently, the system controller's firmware does not generate any 421 * interrupts for failed services, so mpfs_blocking_transaction() should 422 * time out & therefore return an error. 423 * Hitting this check is highly unlikely at present, but if the system 424 * controller's behaviour changes so that it does generate interrupts 425 * for failed services, it will be required. 426 */ 427 if (response->resp_status) 428 return -EIO; 429 430 /* 431 * Bit 5 of byte 1 is "UL_Auto Update" & if it is set, Auto Update is 432 * not possible. 433 */ 434 if (response_msg[1] & AUTO_UPDATE_FEATURE_ENABLED) 435 return -EPERM; 436 437 return 0; 438 } 439 440 static int mpfs_auto_update_probe(struct platform_device *pdev) 441 { 442 struct device *dev = &pdev->dev; 443 struct mpfs_auto_update_priv *priv; 444 struct fw_upload *fw_uploader; 445 int ret; 446 447 priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); 448 if (!priv) 449 return -ENOMEM; 450 451 priv->sys_controller = mpfs_sys_controller_get(dev); 452 if (IS_ERR(priv->sys_controller)) 453 return dev_err_probe(dev, PTR_ERR(priv->sys_controller), 454 "Could not register as a sub device of the system controller\n"); 455 456 priv->dev = dev; 457 platform_set_drvdata(pdev, priv); 458 459 ret = mpfs_auto_update_available(priv); 460 if (ret) 461 return dev_err_probe(dev, ret, 462 "The current bitstream does not support auto-update\n"); 463 464 init_completion(&priv->programming_complete); 465 466 fw_uploader = firmware_upload_register(THIS_MODULE, dev, "mpfs-auto-update", 467 &mpfs_auto_update_ops, priv); 468 if (IS_ERR(fw_uploader)) 469 return dev_err_probe(dev, PTR_ERR(fw_uploader), 470 "Failed to register the bitstream uploader\n"); 471 472 priv->fw_uploader = fw_uploader; 473 474 return 0; 475 } 476 477 static void mpfs_auto_update_remove(struct platform_device *pdev) 478 { 479 struct mpfs_auto_update_priv *priv = platform_get_drvdata(pdev); 480 481 firmware_upload_unregister(priv->fw_uploader); 482 } 483 484 static struct platform_driver mpfs_auto_update_driver = { 485 .driver = { 486 .name = "mpfs-auto-update", 487 }, 488 .probe = mpfs_auto_update_probe, 489 .remove_new = mpfs_auto_update_remove, 490 }; 491 module_platform_driver(mpfs_auto_update_driver); 492 493 MODULE_LICENSE("GPL"); 494 MODULE_AUTHOR("Conor Dooley <conor.dooley@microchip.com>"); 495 MODULE_DESCRIPTION("PolarFire SoC Auto Update FPGA reprogramming"); 496