1 // SPDX-License-Identifier: GPL-2.0 2 // SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. 3 4 //! Contains structures and functions dedicated to the parsing, building and patching of firmwares 5 //! to be loaded into a given execution unit. 6 7 use core::marker::PhantomData; 8 use core::ops::Deref; 9 10 use kernel::{ 11 device, 12 firmware, 13 prelude::*, 14 str::CString, 15 transmute::FromBytes, // 16 }; 17 18 use crate::{ 19 falcon::{ 20 FalconDmaLoadTarget, 21 FalconFirmware, // 22 }, 23 gpu, 24 num::{ 25 FromSafeCast, 26 IntoSafeCast, // 27 }, 28 }; 29 30 pub(crate) mod booter; 31 pub(crate) mod fsp; 32 pub(crate) mod fwsec; 33 pub(crate) mod gsp; 34 pub(crate) mod riscv; 35 36 pub(crate) const FIRMWARE_VERSION: &str = "570.144"; 37 38 /// Requests the GPU firmware `name` suitable for `chipset`, with version `ver`. 39 fn request_firmware( 40 dev: &device::Device, 41 chipset: gpu::Chipset, 42 name: &str, 43 ver: &str, 44 ) -> Result<firmware::Firmware> { 45 let chip_name = chipset.name(); 46 47 CString::try_from_fmt(fmt!("nvidia/{chip_name}/gsp/{name}-{ver}.bin")) 48 .and_then(|path| firmware::Firmware::request(&path, dev)) 49 } 50 51 /// Structure used to describe some firmwares, notably FWSEC-FRTS. 52 #[repr(C)] 53 #[derive(Debug, Clone, FromBytes)] 54 pub(crate) struct FalconUCodeDescV2 { 55 /// Header defined by 'NV_BIT_FALCON_UCODE_DESC_HEADER_VDESC*' in OpenRM. 56 hdr: u32, 57 /// Stored size of the ucode after the header, compressed or uncompressed 58 stored_size: u32, 59 /// Uncompressed size of the ucode. If store_size == uncompressed_size, then the ucode 60 /// is not compressed. 61 pub(crate) uncompressed_size: u32, 62 /// Code entry point 63 pub(crate) virtual_entry: u32, 64 /// Offset after the code segment at which the Application Interface Table headers are located. 65 pub(crate) interface_offset: u32, 66 /// Base address at which to load the code segment into 'IMEM'. 67 pub(crate) imem_phys_base: u32, 68 /// Size in bytes of the code to copy into 'IMEM' (includes both secure and non-secure 69 /// segments). 70 pub(crate) imem_load_size: u32, 71 /// Virtual 'IMEM' address (i.e. 'tag') at which the code should start. 72 pub(crate) imem_virt_base: u32, 73 /// Virtual address of secure IMEM segment. 74 pub(crate) imem_sec_base: u32, 75 /// Size of secure IMEM segment. 76 pub(crate) imem_sec_size: u32, 77 /// Offset into stored (uncompressed) image at which DMEM begins. 78 pub(crate) dmem_offset: u32, 79 /// Base address at which to load the data segment into 'DMEM'. 80 pub(crate) dmem_phys_base: u32, 81 /// Size in bytes of the data to copy into 'DMEM'. 82 pub(crate) dmem_load_size: u32, 83 /// "Alternate" Size of data to load into IMEM. 84 pub(crate) alt_imem_load_size: u32, 85 /// "Alternate" Size of data to load into DMEM. 86 pub(crate) alt_dmem_load_size: u32, 87 } 88 89 /// Structure used to describe some firmwares, notably FWSEC-FRTS. 90 #[repr(C)] 91 #[derive(Debug, Clone)] 92 pub(crate) struct FalconUCodeDescV3 { 93 /// Header defined by `NV_BIT_FALCON_UCODE_DESC_HEADER_VDESC*` in OpenRM. 94 hdr: u32, 95 /// Stored size of the ucode after the header. 96 stored_size: u32, 97 /// Offset in `DMEM` at which the signature is expected to be found. 98 pub(crate) pkc_data_offset: u32, 99 /// Offset after the code segment at which the app headers are located. 100 pub(crate) interface_offset: u32, 101 /// Base address at which to load the code segment into `IMEM`. 102 pub(crate) imem_phys_base: u32, 103 /// Size in bytes of the code to copy into `IMEM`. 104 pub(crate) imem_load_size: u32, 105 /// Virtual `IMEM` address (i.e. `tag`) at which the code should start. 106 pub(crate) imem_virt_base: u32, 107 /// Base address at which to load the data segment into `DMEM`. 108 pub(crate) dmem_phys_base: u32, 109 /// Size in bytes of the data to copy into `DMEM`. 110 pub(crate) dmem_load_size: u32, 111 /// Mask of the falcon engines on which this firmware can run. 112 pub(crate) engine_id_mask: u16, 113 /// ID of the ucode used to infer a fuse register to validate the signature. 114 pub(crate) ucode_id: u8, 115 /// Number of signatures in this firmware. 116 pub(crate) signature_count: u8, 117 /// Versions of the signatures, used to infer a valid signature to use. 118 pub(crate) signature_versions: u16, 119 _reserved: u16, 120 } 121 122 // SAFETY: all bit patterns are valid for this type, and it doesn't use 123 // interior mutability. 124 unsafe impl FromBytes for FalconUCodeDescV3 {} 125 126 /// Enum wrapping the different versions of Falcon microcode descriptors. 127 /// 128 /// This allows handling both V2 and V3 descriptor formats through a 129 /// unified type, providing version-agnostic access to firmware metadata 130 /// via the [`FalconUCodeDescriptor`] trait. 131 #[derive(Debug, Clone)] 132 pub(crate) enum FalconUCodeDesc { 133 V2(FalconUCodeDescV2), 134 V3(FalconUCodeDescV3), 135 } 136 137 impl Deref for FalconUCodeDesc { 138 type Target = dyn FalconUCodeDescriptor; 139 140 fn deref(&self) -> &Self::Target { 141 match self { 142 FalconUCodeDesc::V2(v2) => v2, 143 FalconUCodeDesc::V3(v3) => v3, 144 } 145 } 146 } 147 148 /// Trait providing a common interface for accessing Falcon microcode descriptor fields. 149 /// 150 /// This trait abstracts over the different descriptor versions ([`FalconUCodeDescV2`] and 151 /// [`FalconUCodeDescV3`]), allowing code to work with firmware metadata without needing to 152 /// know the specific descriptor version. Fields not present return zero. 153 pub(crate) trait FalconUCodeDescriptor { 154 fn hdr(&self) -> u32; 155 fn imem_load_size(&self) -> u32; 156 fn interface_offset(&self) -> u32; 157 fn dmem_load_size(&self) -> u32; 158 fn pkc_data_offset(&self) -> u32; 159 fn engine_id_mask(&self) -> u16; 160 fn ucode_id(&self) -> u8; 161 fn signature_count(&self) -> u8; 162 fn signature_versions(&self) -> u16; 163 164 /// Returns the size in bytes of the header. 165 fn size(&self) -> usize { 166 let hdr = self.hdr(); 167 168 const HDR_SIZE_SHIFT: u32 = 16; 169 const HDR_SIZE_MASK: u32 = 0xffff0000; 170 ((hdr & HDR_SIZE_MASK) >> HDR_SIZE_SHIFT).into_safe_cast() 171 } 172 173 fn imem_sec_load_params(&self) -> FalconDmaLoadTarget; 174 fn imem_ns_load_params(&self) -> Option<FalconDmaLoadTarget>; 175 fn dmem_load_params(&self) -> FalconDmaLoadTarget; 176 } 177 178 impl FalconUCodeDescriptor for FalconUCodeDescV2 { 179 fn hdr(&self) -> u32 { 180 self.hdr 181 } 182 fn imem_load_size(&self) -> u32 { 183 self.imem_load_size 184 } 185 fn interface_offset(&self) -> u32 { 186 self.interface_offset 187 } 188 fn dmem_load_size(&self) -> u32 { 189 self.dmem_load_size 190 } 191 fn pkc_data_offset(&self) -> u32 { 192 0 193 } 194 fn engine_id_mask(&self) -> u16 { 195 0 196 } 197 fn ucode_id(&self) -> u8 { 198 0 199 } 200 fn signature_count(&self) -> u8 { 201 0 202 } 203 fn signature_versions(&self) -> u16 { 204 0 205 } 206 207 fn imem_sec_load_params(&self) -> FalconDmaLoadTarget { 208 // `imem_sec_base` is the *virtual* start address of the secure IMEM segment, so subtract 209 // `imem_virt_base` to get its physical offset. 210 let imem_sec_start = self.imem_sec_base.saturating_sub(self.imem_virt_base); 211 212 FalconDmaLoadTarget { 213 src_start: imem_sec_start, 214 dst_start: self.imem_phys_base.saturating_add(imem_sec_start), 215 len: self.imem_sec_size, 216 } 217 } 218 219 fn imem_ns_load_params(&self) -> Option<FalconDmaLoadTarget> { 220 Some(FalconDmaLoadTarget { 221 // Non-secure code always starts at offset 0. 222 src_start: 0, 223 dst_start: self.imem_phys_base, 224 // `imem_load_size` includes the size of the secure segment, so subtract it to 225 // get the correct amount of data to copy. 226 len: self.imem_load_size.saturating_sub(self.imem_sec_size), 227 }) 228 } 229 230 fn dmem_load_params(&self) -> FalconDmaLoadTarget { 231 FalconDmaLoadTarget { 232 src_start: self.dmem_offset, 233 dst_start: self.dmem_phys_base, 234 len: self.dmem_load_size, 235 } 236 } 237 } 238 239 impl FalconUCodeDescriptor for FalconUCodeDescV3 { 240 fn hdr(&self) -> u32 { 241 self.hdr 242 } 243 fn imem_load_size(&self) -> u32 { 244 self.imem_load_size 245 } 246 fn interface_offset(&self) -> u32 { 247 self.interface_offset 248 } 249 fn dmem_load_size(&self) -> u32 { 250 self.dmem_load_size 251 } 252 fn pkc_data_offset(&self) -> u32 { 253 self.pkc_data_offset 254 } 255 fn engine_id_mask(&self) -> u16 { 256 self.engine_id_mask 257 } 258 fn ucode_id(&self) -> u8 { 259 self.ucode_id 260 } 261 fn signature_count(&self) -> u8 { 262 self.signature_count 263 } 264 fn signature_versions(&self) -> u16 { 265 self.signature_versions 266 } 267 268 fn imem_sec_load_params(&self) -> FalconDmaLoadTarget { 269 FalconDmaLoadTarget { 270 // IMEM segment always starts at offset 0. 271 src_start: 0, 272 dst_start: self.imem_phys_base, 273 len: self.imem_load_size, 274 } 275 } 276 277 fn imem_ns_load_params(&self) -> Option<FalconDmaLoadTarget> { 278 // Not used on V3 platforms 279 None 280 } 281 282 fn dmem_load_params(&self) -> FalconDmaLoadTarget { 283 FalconDmaLoadTarget { 284 // DMEM segment starts right after the IMEM one. 285 src_start: self.imem_load_size, 286 dst_start: self.dmem_phys_base, 287 len: self.dmem_load_size, 288 } 289 } 290 } 291 292 /// Trait implemented by types defining the signed state of a firmware. 293 trait SignedState {} 294 295 /// Type indicating that the firmware must be signed before it can be used. 296 struct Unsigned; 297 impl SignedState for Unsigned {} 298 299 /// Type indicating that the firmware is signed and ready to be loaded. 300 struct Signed; 301 impl SignedState for Signed {} 302 303 /// Microcode to be loaded into a specific falcon. 304 /// 305 /// This is module-local and meant for sub-modules to use internally. 306 /// 307 /// After construction, a firmware is [`Unsigned`], and must generally be patched with a signature 308 /// before it can be loaded (with an exception for development hardware). The 309 /// [`Self::patch_signature`] and [`Self::no_patch_signature`] methods are used to transition the 310 /// firmware to its [`Signed`] state. 311 // TODO: Consider replacing this with a coherent memory object once `CoherentAllocation` supports 312 // temporary CPU-exclusive access to the object without unsafe methods. 313 struct FirmwareObject<F: FalconFirmware, S: SignedState>(KVVec<u8>, PhantomData<(F, S)>); 314 315 /// Trait for signatures to be patched directly into a given firmware. 316 /// 317 /// This is module-local and meant for sub-modules to use internally. 318 trait FirmwareSignature<F: FalconFirmware>: AsRef<[u8]> {} 319 320 impl<F: FalconFirmware> FirmwareObject<F, Unsigned> { 321 /// Patches the firmware at offset `signature_start` with `signature`. 322 fn patch_signature<S: FirmwareSignature<F>>( 323 mut self, 324 signature: &S, 325 signature_start: usize, 326 ) -> Result<FirmwareObject<F, Signed>> { 327 let signature_bytes = signature.as_ref(); 328 let signature_end = signature_start 329 .checked_add(signature_bytes.len()) 330 .ok_or(EOVERFLOW)?; 331 let dst = self 332 .0 333 .get_mut(signature_start..signature_end) 334 .ok_or(EINVAL)?; 335 336 // PANIC: `dst` and `signature_bytes` have the same length. 337 dst.copy_from_slice(signature_bytes); 338 339 Ok(FirmwareObject(self.0, PhantomData)) 340 } 341 342 /// Mark the firmware as signed without patching it. 343 /// 344 /// This method is used to explicitly confirm that we do not need to sign the firmware, while 345 /// allowing us to continue as if it was. This is typically only needed for development 346 /// hardware. 347 fn no_patch_signature(self) -> FirmwareObject<F, Signed> { 348 FirmwareObject(self.0, PhantomData) 349 } 350 } 351 352 /// Header common to most firmware files. 353 #[repr(C)] 354 #[derive(Debug, Clone)] 355 struct BinHdr { 356 /// Magic number, must be `0x10de`. 357 bin_magic: u32, 358 /// Version of the header. 359 bin_ver: u32, 360 /// Size in bytes of the binary (to be ignored). 361 bin_size: u32, 362 /// Offset of the start of the application-specific header. 363 header_offset: u32, 364 /// Offset of the start of the data payload. 365 data_offset: u32, 366 /// Size in bytes of the data payload. 367 data_size: u32, 368 } 369 370 // SAFETY: all bit patterns are valid for this type, and it doesn't use interior mutability. 371 unsafe impl FromBytes for BinHdr {} 372 373 // A firmware blob starting with a `BinHdr`. 374 struct BinFirmware<'a> { 375 hdr: BinHdr, 376 fw: &'a [u8], 377 } 378 379 impl<'a> BinFirmware<'a> { 380 /// Interpret `fw` as a firmware image starting with a [`BinHdr`], and returns the 381 /// corresponding [`BinFirmware`] that can be used to extract its payload. 382 fn new(fw: &'a firmware::Firmware) -> Result<Self> { 383 const BIN_MAGIC: u32 = 0x10de; 384 let fw = fw.data(); 385 386 fw.get(0..size_of::<BinHdr>()) 387 // Extract header. 388 .and_then(BinHdr::from_bytes_copy) 389 // Validate header. 390 .filter(|hdr| hdr.bin_magic == BIN_MAGIC) 391 .map(|hdr| Self { hdr, fw }) 392 .ok_or(EINVAL) 393 } 394 395 /// Returns the data payload of the firmware, or `None` if the data range is out of bounds of 396 /// the firmware image. 397 fn data(&self) -> Option<&[u8]> { 398 let fw_start = usize::from_safe_cast(self.hdr.data_offset); 399 let fw_size = usize::from_safe_cast(self.hdr.data_size); 400 let fw_end = fw_start.checked_add(fw_size)?; 401 402 self.fw.get(fw_start..fw_end) 403 } 404 } 405 406 pub(crate) struct ModInfoBuilder<const N: usize>(firmware::ModInfoBuilder<N>); 407 408 impl<const N: usize> ModInfoBuilder<N> { 409 const fn make_entry_file(self, chipset: &str, fw: &str) -> Self { 410 ModInfoBuilder( 411 self.0 412 .new_entry() 413 .push("nvidia/") 414 .push(chipset) 415 .push("/gsp/") 416 .push(fw) 417 .push("-") 418 .push(FIRMWARE_VERSION) 419 .push(".bin"), 420 ) 421 } 422 423 const fn make_entry_chipset(self, chipset: gpu::Chipset) -> Self { 424 let name = chipset.name(); 425 426 let this = self 427 .make_entry_file(name, "booter_load") 428 .make_entry_file(name, "booter_unload") 429 .make_entry_file(name, "bootloader") 430 .make_entry_file(name, "gsp"); 431 432 let this = if chipset.needs_fwsec_bootloader() { 433 this.make_entry_file(name, "gen_bootloader") 434 } else { 435 this 436 }; 437 438 if chipset.uses_fsp() { 439 this.make_entry_file(name, "fmc") 440 } else { 441 this 442 } 443 } 444 445 pub(crate) const fn create( 446 module_name: &'static core::ffi::CStr, 447 ) -> firmware::ModInfoBuilder<N> { 448 let mut this = Self(firmware::ModInfoBuilder::new(module_name)); 449 let mut i = 0; 450 451 while i < gpu::Chipset::ALL.len() { 452 this = this.make_entry_chipset(gpu::Chipset::ALL[i]); 453 i += 1; 454 } 455 456 this.0 457 } 458 } 459 460 /// Ad-hoc and temporary module to extract sections from ELF images. 461 /// 462 /// Some firmware images are currently packaged as ELF files, where sections names are used as keys 463 /// to specific and related bits of data. Future firmware versions are scheduled to move away from 464 /// that scheme before nova-core becomes stable, which means this module will eventually be 465 /// removed. 466 mod elf { 467 use core::mem::size_of; 468 469 use kernel::{ 470 bindings, 471 str::CStr, 472 transmute::FromBytes, // 473 }; 474 475 /// Trait to abstract over ELF header differences. 476 trait ElfHeader: FromBytes { 477 fn shnum(&self) -> u16; 478 fn shoff(&self) -> u64; 479 fn shstrndx(&self) -> u16; 480 } 481 482 /// Trait to abstract over ELF section-header differences. 483 trait ElfSectionHeader: FromBytes { 484 fn name(&self) -> u32; 485 fn offset(&self) -> u64; 486 fn size(&self) -> u64; 487 } 488 489 /// Trait describing a matching ELF header and section-header format. 490 trait ElfFormat { 491 type Header: ElfHeader; 492 type SectionHeader: ElfSectionHeader; 493 } 494 495 /// Newtype to provide a [`FromBytes`] implementation. 496 #[repr(transparent)] 497 struct Elf64Hdr(bindings::elf64_hdr); 498 // SAFETY: all bit patterns are valid for this type, and it doesn't use interior mutability. 499 unsafe impl FromBytes for Elf64Hdr {} 500 501 impl ElfHeader for Elf64Hdr { 502 fn shnum(&self) -> u16 { 503 self.0.e_shnum 504 } 505 506 fn shoff(&self) -> u64 { 507 self.0.e_shoff 508 } 509 510 fn shstrndx(&self) -> u16 { 511 self.0.e_shstrndx 512 } 513 } 514 515 #[repr(transparent)] 516 struct Elf64SHdr(bindings::elf64_shdr); 517 // SAFETY: all bit patterns are valid for this type, and it doesn't use interior mutability. 518 unsafe impl FromBytes for Elf64SHdr {} 519 520 impl ElfSectionHeader for Elf64SHdr { 521 fn name(&self) -> u32 { 522 self.0.sh_name 523 } 524 525 fn offset(&self) -> u64 { 526 self.0.sh_offset 527 } 528 529 fn size(&self) -> u64 { 530 self.0.sh_size 531 } 532 } 533 534 struct Elf64Format; 535 536 impl ElfFormat for Elf64Format { 537 type Header = Elf64Hdr; 538 type SectionHeader = Elf64SHdr; 539 } 540 541 /// Newtype to provide [`FromBytes`] and [`ElfHeader`] implementations for ELF32. 542 #[repr(transparent)] 543 struct Elf32Hdr(bindings::elf32_hdr); 544 // SAFETY: all bit patterns are valid for this type, and it doesn't use interior mutability. 545 unsafe impl FromBytes for Elf32Hdr {} 546 547 impl ElfHeader for Elf32Hdr { 548 fn shnum(&self) -> u16 { 549 self.0.e_shnum 550 } 551 552 fn shoff(&self) -> u64 { 553 u64::from(self.0.e_shoff) 554 } 555 556 fn shstrndx(&self) -> u16 { 557 self.0.e_shstrndx 558 } 559 } 560 561 /// Newtype to provide [`FromBytes`] and [`ElfSectionHeader`] implementations for ELF32. 562 #[repr(transparent)] 563 struct Elf32SHdr(bindings::elf32_shdr); 564 // SAFETY: all bit patterns are valid for this type, and it doesn't use interior mutability. 565 unsafe impl FromBytes for Elf32SHdr {} 566 567 impl ElfSectionHeader for Elf32SHdr { 568 fn name(&self) -> u32 { 569 self.0.sh_name 570 } 571 572 fn offset(&self) -> u64 { 573 u64::from(self.0.sh_offset) 574 } 575 576 fn size(&self) -> u64 { 577 u64::from(self.0.sh_size) 578 } 579 } 580 581 struct Elf32Format; 582 583 impl ElfFormat for Elf32Format { 584 type Header = Elf32Hdr; 585 type SectionHeader = Elf32SHdr; 586 } 587 588 /// Returns a NULL-terminated string from the ELF image at `offset`. 589 fn elf_str(elf: &[u8], offset: u64) -> Option<&str> { 590 let idx = usize::try_from(offset).ok()?; 591 let bytes = elf.get(idx..)?; 592 CStr::from_bytes_until_nul(bytes).ok()?.to_str().ok() 593 } 594 595 fn elf_section_generic<'a, F>(elf: &'a [u8], name: &str) -> Option<&'a [u8]> 596 where 597 F: ElfFormat, 598 { 599 let hdr = F::Header::from_bytes(elf.get(0..size_of::<F::Header>())?)?; 600 601 let shdr_num = usize::from(hdr.shnum()); 602 let shdr_start = usize::try_from(hdr.shoff()).ok()?; 603 let shdr_end = shdr_num 604 .checked_mul(size_of::<F::SectionHeader>()) 605 .and_then(|v| v.checked_add(shdr_start))?; 606 607 // Get all the section headers as an iterator over byte chunks. 608 let shdr_bytes = elf.get(shdr_start..shdr_end)?; 609 let mut shdr_iter = shdr_bytes.chunks_exact(size_of::<F::SectionHeader>()); 610 611 // Get the strings table. 612 let strhdr = shdr_iter 613 .clone() 614 .nth(usize::from(hdr.shstrndx())) 615 .and_then(F::SectionHeader::from_bytes)?; 616 617 // Find the section which name matches `name` and return it. 618 shdr_iter.find_map(|sh_bytes| { 619 let sh = F::SectionHeader::from_bytes(sh_bytes)?; 620 let name_offset = strhdr.offset().checked_add(u64::from(sh.name()))?; 621 let section_name = elf_str(elf, name_offset)?; 622 623 if section_name != name { 624 return None; 625 } 626 627 let start = usize::try_from(sh.offset()).ok()?; 628 let end = usize::try_from(sh.size()) 629 .ok() 630 .and_then(|sz| start.checked_add(sz))?; 631 632 elf.get(start..end) 633 }) 634 } 635 636 /// Extract the section with name `name` from the ELF64 image `elf`. 637 fn elf64_section<'a>(elf: &'a [u8], name: &str) -> Option<&'a [u8]> { 638 elf_section_generic::<Elf64Format>(elf, name) 639 } 640 641 /// Extract the section with name `name` from the ELF32 image `elf`. 642 fn elf32_section<'a>(elf: &'a [u8], name: &str) -> Option<&'a [u8]> { 643 elf_section_generic::<Elf32Format>(elf, name) 644 } 645 646 /// Automatically detects ELF32 vs ELF64 based on the ELF header. 647 pub(super) fn elf_section<'a>(elf: &'a [u8], name: &str) -> Option<&'a [u8]> { 648 // ELF identification: a 4-byte magic followed by a class byte (32- vs 64-bit). 649 const ELFMAG: &[u8] = b"\x7fELF"; 650 const SELFMAG: usize = ELFMAG.len(); 651 const EI_CLASS: usize = 4; 652 const ELFCLASS32: u8 = 1; 653 const ELFCLASS64: u8 = 2; 654 655 if elf.get(0..SELFMAG) != Some(ELFMAG) { 656 return None; 657 } 658 659 match *elf.get(EI_CLASS)? { 660 ELFCLASS32 => elf32_section(elf, name), 661 ELFCLASS64 => elf64_section(elf, name), 662 _ => None, 663 } 664 } 665 } 666