1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Firmware loading. 4 * 5 * Copyright (c) 2017-2020, Silicon Laboratories, Inc. 6 * Copyright (c) 2010, ST-Ericsson 7 */ 8 #include <linux/firmware.h> 9 #include <linux/hex.h> 10 #include <linux/slab.h> 11 #include <linux/mm.h> 12 #include <linux/bitfield.h> 13 14 #include "fwio.h" 15 #include "wfx.h" 16 #include "hwio.h" 17 18 /* Addresses below are in SRAM area */ 19 #define WFX_DNLD_FIFO 0x09004000 20 #define DNLD_BLOCK_SIZE 0x0400 21 #define DNLD_FIFO_SIZE 0x8000 /* (32 * DNLD_BLOCK_SIZE) */ 22 /* Download Control Area (DCA) */ 23 #define WFX_DCA_IMAGE_SIZE 0x0900C000 24 #define WFX_DCA_PUT 0x0900C004 25 #define WFX_DCA_GET 0x0900C008 26 #define WFX_DCA_HOST_STATUS 0x0900C00C 27 #define HOST_READY 0x87654321 28 #define HOST_INFO_READ 0xA753BD99 29 #define HOST_UPLOAD_PENDING 0xABCDDCBA 30 #define HOST_UPLOAD_COMPLETE 0xD4C64A99 31 #define HOST_OK_TO_JUMP 0x174FC882 32 #define WFX_DCA_NCP_STATUS 0x0900C010 33 #define NCP_NOT_READY 0x12345678 34 #define NCP_READY 0x87654321 35 #define NCP_INFO_READY 0xBD53EF99 36 #define NCP_DOWNLOAD_PENDING 0xABCDDCBA 37 #define NCP_DOWNLOAD_COMPLETE 0xCAFEFECA 38 #define NCP_AUTH_OK 0xD4C64A99 39 #define NCP_AUTH_FAIL 0x174FC882 40 #define NCP_PUB_KEY_RDY 0x7AB41D19 41 #define WFX_DCA_FW_SIGNATURE 0x0900C014 42 #define FW_SIGNATURE_SIZE 0x40 43 #define WFX_DCA_FW_HASH 0x0900C054 44 #define FW_HASH_SIZE 0x08 45 #define WFX_DCA_FW_VERSION 0x0900C05C 46 #define FW_VERSION_SIZE 0x04 47 #define WFX_DCA_RESERVED 0x0900C060 48 #define DCA_RESERVED_SIZE 0x20 49 #define WFX_STATUS_INFO 0x0900C080 50 #define WFX_BOOTLOADER_LABEL 0x0900C084 51 #define BOOTLOADER_LABEL_SIZE 0x3C 52 #define WFX_PTE_INFO 0x0900C0C0 53 #define PTE_INFO_KEYSET_IDX 0x0D 54 #define PTE_INFO_SIZE 0x10 55 #define WFX_ERR_INFO 0x0900C0D0 56 #define ERR_INVALID_SEC_TYPE 0x05 57 #define ERR_SIG_VERIF_FAILED 0x0F 58 #define ERR_AES_CTRL_KEY 0x10 59 #define ERR_ECC_PUB_KEY 0x11 60 #define ERR_MAC_KEY 0x18 61 62 #define DCA_TIMEOUT 50 /* milliseconds */ 63 #define WAKEUP_TIMEOUT 200 /* milliseconds */ 64 65 static const char * const fwio_errors[] = { 66 [ERR_INVALID_SEC_TYPE] = "Invalid section type or wrong encryption", 67 [ERR_SIG_VERIF_FAILED] = "Signature verification failed", 68 [ERR_AES_CTRL_KEY] = "AES control key not initialized", 69 [ERR_ECC_PUB_KEY] = "ECC public key not initialized", 70 [ERR_MAC_KEY] = "MAC key not initialized", 71 }; 72 73 /* request_firmware() allocate data using vmalloc(). It is not compatible with underlying hardware 74 * that use DMA. Function below detect this case and allocate a bounce buffer if necessary. 75 * 76 * Notice that, in doubt, you can enable CONFIG_DEBUG_SG to ask kernel to detect this problem at 77 * runtime (else, kernel silently fail). 78 * 79 * NOTE: it may also be possible to use 'pages' from struct firmware and avoid bounce buffer 80 */ 81 static int wfx_sram_write_dma_safe(struct wfx_dev *wdev, u32 addr, const u8 *buf, size_t len) 82 { 83 int ret; 84 const u8 *tmp; 85 86 if (!virt_addr_valid(buf)) { 87 tmp = kmemdup(buf, len, GFP_KERNEL); 88 if (!tmp) 89 return -ENOMEM; 90 } else { 91 tmp = buf; 92 } 93 ret = wfx_sram_buf_write(wdev, addr, tmp, len); 94 if (tmp != buf) 95 kfree(tmp); 96 return ret; 97 } 98 99 static int get_firmware(struct wfx_dev *wdev, u32 keyset_chip, 100 const struct firmware **fw, int *file_offset) 101 { 102 int keyset_file; 103 char filename[256]; 104 const char *data; 105 int ret; 106 107 snprintf(filename, sizeof(filename), "%s_%02X.sec", 108 wdev->pdata.file_fw, keyset_chip); 109 ret = firmware_request_nowarn(fw, filename, wdev->dev); 110 if (ret) { 111 dev_info(wdev->dev, "can't load %s, falling back to %s.sec\n", 112 filename, wdev->pdata.file_fw); 113 snprintf(filename, sizeof(filename), "%s.sec", wdev->pdata.file_fw); 114 ret = request_firmware(fw, filename, wdev->dev); 115 if (ret) { 116 dev_err(wdev->dev, "can't load %s\n", filename); 117 *fw = NULL; 118 return ret; 119 } 120 } 121 122 data = (*fw)->data; 123 if (memcmp(data, "KEYSET", 6) != 0) { 124 /* Legacy firmware format */ 125 *file_offset = 0; 126 keyset_file = 0x90; 127 } else { 128 *file_offset = 8; 129 keyset_file = (hex_to_bin(data[6]) * 16) | hex_to_bin(data[7]); 130 if (keyset_file < 0) { 131 dev_err(wdev->dev, "%s corrupted\n", filename); 132 release_firmware(*fw); 133 *fw = NULL; 134 return -EINVAL; 135 } 136 } 137 if (keyset_file != keyset_chip) { 138 dev_err(wdev->dev, "firmware keyset is incompatible with chip (file: 0x%02X, chip: 0x%02X)\n", 139 keyset_file, keyset_chip); 140 release_firmware(*fw); 141 *fw = NULL; 142 return -ENODEV; 143 } 144 wdev->keyset = keyset_file; 145 return 0; 146 } 147 148 static int wait_ncp_status(struct wfx_dev *wdev, u32 status) 149 { 150 ktime_t now, start; 151 u32 reg; 152 int ret; 153 154 start = ktime_get(); 155 for (;;) { 156 ret = wfx_sram_reg_read(wdev, WFX_DCA_NCP_STATUS, ®); 157 if (ret < 0) 158 return -EIO; 159 now = ktime_get(); 160 if (reg == status) 161 break; 162 if (ktime_after(now, ktime_add_ms(start, DCA_TIMEOUT))) 163 return -ETIMEDOUT; 164 } 165 if (ktime_compare(now, start)) 166 dev_dbg(wdev->dev, "chip answer after %lldus\n", ktime_us_delta(now, start)); 167 else 168 dev_dbg(wdev->dev, "chip answer immediately\n"); 169 return 0; 170 } 171 172 static int upload_firmware(struct wfx_dev *wdev, const u8 *data, size_t len) 173 { 174 int ret; 175 u32 offs, bytes_done = 0; 176 ktime_t now, start; 177 178 if (len % DNLD_BLOCK_SIZE) { 179 dev_err(wdev->dev, "firmware size is not aligned. Buffer overrun will occur\n"); 180 return -EIO; 181 } 182 offs = 0; 183 while (offs < len) { 184 start = ktime_get(); 185 for (;;) { 186 now = ktime_get(); 187 if (offs + DNLD_BLOCK_SIZE - bytes_done < DNLD_FIFO_SIZE) 188 break; 189 if (ktime_after(now, ktime_add_ms(start, DCA_TIMEOUT))) 190 return -ETIMEDOUT; 191 ret = wfx_sram_reg_read(wdev, WFX_DCA_GET, &bytes_done); 192 if (ret < 0) 193 return ret; 194 } 195 if (ktime_compare(now, start)) 196 dev_dbg(wdev->dev, "answer after %lldus\n", ktime_us_delta(now, start)); 197 198 ret = wfx_sram_write_dma_safe(wdev, WFX_DNLD_FIFO + (offs % DNLD_FIFO_SIZE), 199 data + offs, DNLD_BLOCK_SIZE); 200 if (ret < 0) 201 return ret; 202 203 /* The device seems to not support writing 0 in this register during first loop */ 204 offs += DNLD_BLOCK_SIZE; 205 ret = wfx_sram_reg_write(wdev, WFX_DCA_PUT, offs); 206 if (ret < 0) 207 return ret; 208 } 209 return 0; 210 } 211 212 static void print_boot_status(struct wfx_dev *wdev) 213 { 214 u32 reg; 215 216 wfx_sram_reg_read(wdev, WFX_STATUS_INFO, ®); 217 if (reg == 0x12345678) 218 return; 219 wfx_sram_reg_read(wdev, WFX_ERR_INFO, ®); 220 if (reg < ARRAY_SIZE(fwio_errors) && fwio_errors[reg]) 221 dev_info(wdev->dev, "secure boot: %s\n", fwio_errors[reg]); 222 else 223 dev_info(wdev->dev, "secure boot: Error %#02x\n", reg); 224 } 225 226 static int load_firmware_secure(struct wfx_dev *wdev) 227 { 228 const struct firmware *fw = NULL; 229 int header_size; 230 int fw_offset; 231 ktime_t start; 232 u8 *buf; 233 int ret; 234 235 BUILD_BUG_ON(PTE_INFO_SIZE > BOOTLOADER_LABEL_SIZE); 236 buf = kmalloc(BOOTLOADER_LABEL_SIZE + 1, GFP_KERNEL); 237 if (!buf) 238 return -ENOMEM; 239 240 wfx_sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_READY); 241 ret = wait_ncp_status(wdev, NCP_INFO_READY); 242 if (ret) 243 goto error; 244 245 wfx_sram_buf_read(wdev, WFX_BOOTLOADER_LABEL, buf, BOOTLOADER_LABEL_SIZE); 246 buf[BOOTLOADER_LABEL_SIZE] = 0; 247 dev_dbg(wdev->dev, "bootloader: \"%s\"\n", buf); 248 249 wfx_sram_buf_read(wdev, WFX_PTE_INFO, buf, PTE_INFO_SIZE); 250 ret = get_firmware(wdev, buf[PTE_INFO_KEYSET_IDX], &fw, &fw_offset); 251 if (ret) 252 goto error; 253 header_size = fw_offset + FW_SIGNATURE_SIZE + FW_HASH_SIZE; 254 255 wfx_sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_INFO_READ); 256 ret = wait_ncp_status(wdev, NCP_READY); 257 if (ret) 258 goto error; 259 260 wfx_sram_reg_write(wdev, WFX_DNLD_FIFO, 0xFFFFFFFF); /* Fifo init */ 261 wfx_sram_write_dma_safe(wdev, WFX_DCA_FW_VERSION, "\x01\x00\x00\x00", FW_VERSION_SIZE); 262 wfx_sram_write_dma_safe(wdev, WFX_DCA_FW_SIGNATURE, fw->data + fw_offset, 263 FW_SIGNATURE_SIZE); 264 wfx_sram_write_dma_safe(wdev, WFX_DCA_FW_HASH, fw->data + fw_offset + FW_SIGNATURE_SIZE, 265 FW_HASH_SIZE); 266 wfx_sram_reg_write(wdev, WFX_DCA_IMAGE_SIZE, fw->size - header_size); 267 wfx_sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_UPLOAD_PENDING); 268 ret = wait_ncp_status(wdev, NCP_DOWNLOAD_PENDING); 269 if (ret) 270 goto error; 271 272 start = ktime_get(); 273 ret = upload_firmware(wdev, fw->data + header_size, fw->size - header_size); 274 if (ret) 275 goto error; 276 dev_dbg(wdev->dev, "firmware load after %lldus\n", 277 ktime_us_delta(ktime_get(), start)); 278 279 wfx_sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_UPLOAD_COMPLETE); 280 ret = wait_ncp_status(wdev, NCP_AUTH_OK); 281 /* Legacy ROM support */ 282 if (ret < 0) 283 ret = wait_ncp_status(wdev, NCP_PUB_KEY_RDY); 284 if (ret < 0) 285 goto error; 286 wfx_sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_OK_TO_JUMP); 287 288 error: 289 kfree(buf); 290 release_firmware(fw); 291 if (ret) 292 print_boot_status(wdev); 293 return ret; 294 } 295 296 static int init_gpr(struct wfx_dev *wdev) 297 { 298 int ret, i; 299 static const struct { 300 int index; 301 u32 value; 302 } gpr_init[] = { 303 { 0x07, 0x208775 }, 304 { 0x08, 0x2EC020 }, 305 { 0x09, 0x3C3C3C }, 306 { 0x0B, 0x322C44 }, 307 { 0x0C, 0xA06497 }, 308 }; 309 310 for (i = 0; i < ARRAY_SIZE(gpr_init); i++) { 311 ret = wfx_igpr_reg_write(wdev, gpr_init[i].index, gpr_init[i].value); 312 if (ret < 0) 313 return ret; 314 dev_dbg(wdev->dev, " index %02x: %08x\n", gpr_init[i].index, gpr_init[i].value); 315 } 316 return 0; 317 } 318 319 int wfx_init_device(struct wfx_dev *wdev) 320 { 321 int ret; 322 int hw_revision, hw_type; 323 int wakeup_timeout = 50; /* ms */ 324 ktime_t now, start; 325 u32 reg; 326 327 reg = CFG_DIRECT_ACCESS_MODE | CFG_CPU_RESET | CFG_BYTE_ORDER_ABCD; 328 if (wdev->pdata.use_rising_clk) 329 reg |= CFG_CLK_RISE_EDGE; 330 ret = wfx_config_reg_write(wdev, reg); 331 if (ret < 0) { 332 dev_err(wdev->dev, "bus returned an error during first write access. Host configuration error?\n"); 333 return -EIO; 334 } 335 336 ret = wfx_config_reg_read(wdev, ®); 337 if (ret < 0) { 338 dev_err(wdev->dev, "bus returned an error during first read access. Bus configuration error?\n"); 339 return -EIO; 340 } 341 if (reg == 0 || reg == ~0) { 342 dev_err(wdev->dev, "chip mute. Bus configuration error or chip wasn't reset?\n"); 343 return -EIO; 344 } 345 dev_dbg(wdev->dev, "initial config register value: %08x\n", reg); 346 347 hw_revision = FIELD_GET(CFG_DEVICE_ID_MAJOR, reg); 348 if (hw_revision == 0) { 349 dev_err(wdev->dev, "bad hardware revision number: %d\n", hw_revision); 350 return -ENODEV; 351 } 352 hw_type = FIELD_GET(CFG_DEVICE_ID_TYPE, reg); 353 if (hw_type == 1) { 354 dev_notice(wdev->dev, "development hardware detected\n"); 355 wakeup_timeout = 2000; 356 } 357 358 ret = init_gpr(wdev); 359 if (ret < 0) 360 return ret; 361 362 ret = wfx_control_reg_write(wdev, CTRL_WLAN_WAKEUP); 363 if (ret < 0) 364 return -EIO; 365 start = ktime_get(); 366 for (;;) { 367 ret = wfx_control_reg_read(wdev, ®); 368 now = ktime_get(); 369 if (reg & CTRL_WLAN_READY) 370 break; 371 if (ktime_after(now, ktime_add_ms(start, wakeup_timeout))) { 372 dev_err(wdev->dev, "chip didn't wake up. Chip wasn't reset?\n"); 373 return -ETIMEDOUT; 374 } 375 } 376 dev_dbg(wdev->dev, "chip wake up after %lldus\n", ktime_us_delta(now, start)); 377 378 ret = wfx_config_reg_write_bits(wdev, CFG_CPU_RESET, 0); 379 if (ret < 0) 380 return ret; 381 ret = load_firmware_secure(wdev); 382 if (ret < 0) 383 return ret; 384 return wfx_config_reg_write_bits(wdev, 385 CFG_DIRECT_ACCESS_MODE | 386 CFG_IRQ_ENABLE_DATA | 387 CFG_IRQ_ENABLE_WRDY, 388 CFG_IRQ_ENABLE_DATA); 389 } 390