14febfb8dSArd Biesheuvel // SPDX-License-Identifier: GPL-2.0 2f0133f3cSMatt Fleming /* 3f0133f3cSMatt Fleming * EFI capsule support. 4f0133f3cSMatt Fleming * 5f0133f3cSMatt Fleming * Copyright 2013 Intel Corporation; author Matt Fleming 6f0133f3cSMatt Fleming */ 7f0133f3cSMatt Fleming 8f0133f3cSMatt Fleming #define pr_fmt(fmt) "efi: " fmt 9f0133f3cSMatt Fleming 10f0133f3cSMatt Fleming #include <linux/slab.h> 11f0133f3cSMatt Fleming #include <linux/mutex.h> 12f0133f3cSMatt Fleming #include <linux/highmem.h> 13f0133f3cSMatt Fleming #include <linux/efi.h> 14f0133f3cSMatt Fleming #include <linux/vmalloc.h> 15*4dbe44fbSArd Biesheuvel #include <asm/efi.h> 16f0133f3cSMatt Fleming #include <asm/io.h> 17f0133f3cSMatt Fleming 18f0133f3cSMatt Fleming typedef struct { 19f0133f3cSMatt Fleming u64 length; 20f0133f3cSMatt Fleming u64 data; 21f0133f3cSMatt Fleming } efi_capsule_block_desc_t; 22f0133f3cSMatt Fleming 23f0133f3cSMatt Fleming static bool capsule_pending; 2462075e58SMatt Fleming static bool stop_capsules; 25f0133f3cSMatt Fleming static int efi_reset_type = -1; 26f0133f3cSMatt Fleming 27f0133f3cSMatt Fleming /* 28f0133f3cSMatt Fleming * capsule_mutex serialises access to both capsule_pending and 2962075e58SMatt Fleming * efi_reset_type and stop_capsules. 30f0133f3cSMatt Fleming */ 31f0133f3cSMatt Fleming static DEFINE_MUTEX(capsule_mutex); 32f0133f3cSMatt Fleming 33f0133f3cSMatt Fleming /** 34f0133f3cSMatt Fleming * efi_capsule_pending - has a capsule been passed to the firmware? 35f0133f3cSMatt Fleming * @reset_type: store the type of EFI reset if capsule is pending 36f0133f3cSMatt Fleming * 37f0133f3cSMatt Fleming * To ensure that the registered capsule is processed correctly by the 38f0133f3cSMatt Fleming * firmware we need to perform a specific type of reset. If a capsule is 39f0133f3cSMatt Fleming * pending return the reset type in @reset_type. 40f0133f3cSMatt Fleming * 41f0133f3cSMatt Fleming * This function will race with callers of efi_capsule_update(), for 42f0133f3cSMatt Fleming * example, calling this function while somebody else is in 43f0133f3cSMatt Fleming * efi_capsule_update() but hasn't reached efi_capsue_update_locked() 44f0133f3cSMatt Fleming * will miss the updates to capsule_pending and efi_reset_type after 45f0133f3cSMatt Fleming * efi_capsule_update_locked() completes. 46f0133f3cSMatt Fleming * 47f0133f3cSMatt Fleming * A non-racy use is from platform reboot code because we use 48f0133f3cSMatt Fleming * system_state to ensure no capsules can be sent to the firmware once 49f0133f3cSMatt Fleming * we're at SYSTEM_RESTART. See efi_capsule_update_locked(). 50f0133f3cSMatt Fleming */ 51f0133f3cSMatt Fleming bool efi_capsule_pending(int *reset_type) 52f0133f3cSMatt Fleming { 53f0133f3cSMatt Fleming if (!capsule_pending) 5462075e58SMatt Fleming return false; 55f0133f3cSMatt Fleming 56f0133f3cSMatt Fleming if (reset_type) 57f0133f3cSMatt Fleming *reset_type = efi_reset_type; 5862075e58SMatt Fleming 5962075e58SMatt Fleming return true; 60f0133f3cSMatt Fleming } 61f0133f3cSMatt Fleming 62f0133f3cSMatt Fleming /* 63f0133f3cSMatt Fleming * Whitelist of EFI capsule flags that we support. 64f0133f3cSMatt Fleming * 65f0133f3cSMatt Fleming * We do not handle EFI_CAPSULE_INITIATE_RESET because that would 66f0133f3cSMatt Fleming * require us to prepare the kernel for reboot. Refuse to load any 67f0133f3cSMatt Fleming * capsules with that flag and any other flags that we do not know how 68f0133f3cSMatt Fleming * to handle. 69f0133f3cSMatt Fleming */ 70f0133f3cSMatt Fleming #define EFI_CAPSULE_SUPPORTED_FLAG_MASK \ 71f0133f3cSMatt Fleming (EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE) 72f0133f3cSMatt Fleming 73f0133f3cSMatt Fleming /** 74f0133f3cSMatt Fleming * efi_capsule_supported - does the firmware support the capsule? 75f0133f3cSMatt Fleming * @guid: vendor guid of capsule 76f0133f3cSMatt Fleming * @flags: capsule flags 77f0133f3cSMatt Fleming * @size: size of capsule data 78f0133f3cSMatt Fleming * @reset: the reset type required for this capsule 79f0133f3cSMatt Fleming * 80f0133f3cSMatt Fleming * Check whether a capsule with @flags is supported by the firmware 81f0133f3cSMatt Fleming * and that @size doesn't exceed the maximum size for a capsule. 82f0133f3cSMatt Fleming * 83f0133f3cSMatt Fleming * No attempt is made to check @reset against the reset type required 84f0133f3cSMatt Fleming * by any pending capsules because of the races involved. 85f0133f3cSMatt Fleming */ 86f0133f3cSMatt Fleming int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset) 87f0133f3cSMatt Fleming { 88fb7a84caSMatt Fleming efi_capsule_header_t capsule; 89fb7a84caSMatt Fleming efi_capsule_header_t *cap_list[] = { &capsule }; 90f0133f3cSMatt Fleming efi_status_t status; 91f0133f3cSMatt Fleming u64 max_size; 92f0133f3cSMatt Fleming 93f0133f3cSMatt Fleming if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK) 94f0133f3cSMatt Fleming return -EINVAL; 95f0133f3cSMatt Fleming 96fb7a84caSMatt Fleming capsule.headersize = capsule.imagesize = sizeof(capsule); 97fb7a84caSMatt Fleming memcpy(&capsule.guid, &guid, sizeof(efi_guid_t)); 98fb7a84caSMatt Fleming capsule.flags = flags; 99f0133f3cSMatt Fleming 100fb7a84caSMatt Fleming status = efi.query_capsule_caps(cap_list, 1, &max_size, reset); 101fb7a84caSMatt Fleming if (status != EFI_SUCCESS) 102fb7a84caSMatt Fleming return efi_status_to_err(status); 103f0133f3cSMatt Fleming 104f0133f3cSMatt Fleming if (size > max_size) 105fb7a84caSMatt Fleming return -ENOSPC; 106fb7a84caSMatt Fleming 107fb7a84caSMatt Fleming return 0; 108f0133f3cSMatt Fleming } 109f0133f3cSMatt Fleming EXPORT_SYMBOL_GPL(efi_capsule_supported); 110f0133f3cSMatt Fleming 111f0133f3cSMatt Fleming /* 112f0133f3cSMatt Fleming * Every scatter gather list (block descriptor) page must end with a 113f0133f3cSMatt Fleming * continuation pointer. The last continuation pointer of the last 114f0133f3cSMatt Fleming * page must be zero to mark the end of the chain. 115f0133f3cSMatt Fleming */ 116f0133f3cSMatt Fleming #define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1) 117f0133f3cSMatt Fleming 118f0133f3cSMatt Fleming /* 119f0133f3cSMatt Fleming * How many scatter gather list (block descriptor) pages do we need 120f0133f3cSMatt Fleming * to map @count pages? 121f0133f3cSMatt Fleming */ 122f0133f3cSMatt Fleming static inline unsigned int sg_pages_num(unsigned int count) 123f0133f3cSMatt Fleming { 124f0133f3cSMatt Fleming return DIV_ROUND_UP(count, SGLIST_PER_PAGE); 125f0133f3cSMatt Fleming } 126f0133f3cSMatt Fleming 127f0133f3cSMatt Fleming /** 128f0133f3cSMatt Fleming * efi_capsule_update_locked - pass a single capsule to the firmware 129f0133f3cSMatt Fleming * @capsule: capsule to send to the firmware 130f0133f3cSMatt Fleming * @sg_pages: array of scatter gather (block descriptor) pages 131f0133f3cSMatt Fleming * @reset: the reset type required for @capsule 132f0133f3cSMatt Fleming * 133f0133f3cSMatt Fleming * Since this function must be called under capsule_mutex check 134f0133f3cSMatt Fleming * whether efi_reset_type will conflict with @reset, and atomically 135f0133f3cSMatt Fleming * set it and capsule_pending if a capsule was successfully sent to 136f0133f3cSMatt Fleming * the firmware. 137f0133f3cSMatt Fleming * 138f0133f3cSMatt Fleming * We also check to see if the system is about to restart, and if so, 139f0133f3cSMatt Fleming * abort. This avoids races between efi_capsule_update() and 140f0133f3cSMatt Fleming * efi_capsule_pending(). 141f0133f3cSMatt Fleming */ 142f0133f3cSMatt Fleming static int 143f0133f3cSMatt Fleming efi_capsule_update_locked(efi_capsule_header_t *capsule, 144f0133f3cSMatt Fleming struct page **sg_pages, int reset) 145f0133f3cSMatt Fleming { 146f0133f3cSMatt Fleming efi_physical_addr_t sglist_phys; 147f0133f3cSMatt Fleming efi_status_t status; 148f0133f3cSMatt Fleming 149f0133f3cSMatt Fleming lockdep_assert_held(&capsule_mutex); 150f0133f3cSMatt Fleming 151f0133f3cSMatt Fleming /* 152f0133f3cSMatt Fleming * If someone has already registered a capsule that requires a 153f0133f3cSMatt Fleming * different reset type, we're out of luck and must abort. 154f0133f3cSMatt Fleming */ 155f0133f3cSMatt Fleming if (efi_reset_type >= 0 && efi_reset_type != reset) { 156f0133f3cSMatt Fleming pr_err("Conflicting capsule reset type %d (%d).\n", 157f0133f3cSMatt Fleming reset, efi_reset_type); 158f0133f3cSMatt Fleming return -EINVAL; 159f0133f3cSMatt Fleming } 160f0133f3cSMatt Fleming 161f0133f3cSMatt Fleming /* 162f0133f3cSMatt Fleming * If the system is getting ready to restart it may have 163f0133f3cSMatt Fleming * called efi_capsule_pending() to make decisions (such as 164f0133f3cSMatt Fleming * whether to force an EFI reboot), and we're racing against 165f0133f3cSMatt Fleming * that call. Abort in that case. 166f0133f3cSMatt Fleming */ 16762075e58SMatt Fleming if (unlikely(stop_capsules)) { 168f0133f3cSMatt Fleming pr_warn("Capsule update raced with reboot, aborting.\n"); 169f0133f3cSMatt Fleming return -EINVAL; 170f0133f3cSMatt Fleming } 171f0133f3cSMatt Fleming 172f0133f3cSMatt Fleming sglist_phys = page_to_phys(sg_pages[0]); 173f0133f3cSMatt Fleming 174f0133f3cSMatt Fleming status = efi.update_capsule(&capsule, 1, sglist_phys); 175f0133f3cSMatt Fleming if (status == EFI_SUCCESS) { 176f0133f3cSMatt Fleming capsule_pending = true; 177f0133f3cSMatt Fleming efi_reset_type = reset; 178f0133f3cSMatt Fleming } 179f0133f3cSMatt Fleming 180f0133f3cSMatt Fleming return efi_status_to_err(status); 181f0133f3cSMatt Fleming } 182f0133f3cSMatt Fleming 183f0133f3cSMatt Fleming /** 184f0133f3cSMatt Fleming * efi_capsule_update - send a capsule to the firmware 185f0133f3cSMatt Fleming * @capsule: capsule to send to firmware 186f0133f3cSMatt Fleming * @pages: an array of capsule data pages 187f0133f3cSMatt Fleming * 188f0133f3cSMatt Fleming * Build a scatter gather list with EFI capsule block descriptors to 189f0133f3cSMatt Fleming * map the capsule described by @capsule with its data in @pages and 190f0133f3cSMatt Fleming * send it to the firmware via the UpdateCapsule() runtime service. 191f0133f3cSMatt Fleming * 1926862e6adSAustin Christ * @capsule must be a virtual mapping of the complete capsule update in the 1936862e6adSAustin Christ * kernel address space, as the capsule can be consumed immediately. 1946862e6adSAustin Christ * A capsule_header_t that describes the entire contents of the capsule 195f0133f3cSMatt Fleming * must be at the start of the first data page. 196f0133f3cSMatt Fleming * 197f0133f3cSMatt Fleming * Even though this function will validate that the firmware supports 198f0133f3cSMatt Fleming * the capsule guid, users will likely want to check that 199f0133f3cSMatt Fleming * efi_capsule_supported() returns true before calling this function 200f0133f3cSMatt Fleming * because it makes it easier to print helpful error messages. 201f0133f3cSMatt Fleming * 202f0133f3cSMatt Fleming * If the capsule is successfully submitted to the firmware, any 203f0133f3cSMatt Fleming * subsequent calls to efi_capsule_pending() will return true. @pages 204f0133f3cSMatt Fleming * must not be released or modified if this function returns 205f0133f3cSMatt Fleming * successfully. 206f0133f3cSMatt Fleming * 207f0133f3cSMatt Fleming * Callers must be prepared for this function to fail, which can 208f0133f3cSMatt Fleming * happen if we raced with system reboot or if there is already a 209f0133f3cSMatt Fleming * pending capsule that has a reset type that conflicts with the one 210f0133f3cSMatt Fleming * required by @capsule. Do NOT use efi_capsule_pending() to detect 211f0133f3cSMatt Fleming * this conflict since that would be racy. Instead, submit the capsule 212f0133f3cSMatt Fleming * to efi_capsule_update() and check the return value. 213f0133f3cSMatt Fleming * 214f0133f3cSMatt Fleming * Return 0 on success, a converted EFI status code on failure. 215f0133f3cSMatt Fleming */ 2162a457fb3SArd Biesheuvel int efi_capsule_update(efi_capsule_header_t *capsule, phys_addr_t *pages) 217f0133f3cSMatt Fleming { 218f0133f3cSMatt Fleming u32 imagesize = capsule->imagesize; 219f0133f3cSMatt Fleming efi_guid_t guid = capsule->guid; 220f0133f3cSMatt Fleming unsigned int count, sg_count; 221f0133f3cSMatt Fleming u32 flags = capsule->flags; 222f0133f3cSMatt Fleming struct page **sg_pages; 223f0133f3cSMatt Fleming int rv, reset_type; 224f0133f3cSMatt Fleming int i, j; 225f0133f3cSMatt Fleming 226f0133f3cSMatt Fleming rv = efi_capsule_supported(guid, flags, imagesize, &reset_type); 227f0133f3cSMatt Fleming if (rv) 228f0133f3cSMatt Fleming return rv; 229f0133f3cSMatt Fleming 230f0133f3cSMatt Fleming count = DIV_ROUND_UP(imagesize, PAGE_SIZE); 231f0133f3cSMatt Fleming sg_count = sg_pages_num(count); 232f0133f3cSMatt Fleming 2336396bb22SKees Cook sg_pages = kcalloc(sg_count, sizeof(*sg_pages), GFP_KERNEL); 234f0133f3cSMatt Fleming if (!sg_pages) 235f0133f3cSMatt Fleming return -ENOMEM; 236f0133f3cSMatt Fleming 237f0133f3cSMatt Fleming for (i = 0; i < sg_count; i++) { 238f0133f3cSMatt Fleming sg_pages[i] = alloc_page(GFP_KERNEL); 239f0133f3cSMatt Fleming if (!sg_pages[i]) { 240f0133f3cSMatt Fleming rv = -ENOMEM; 241f0133f3cSMatt Fleming goto out; 242f0133f3cSMatt Fleming } 243f0133f3cSMatt Fleming } 244f0133f3cSMatt Fleming 245f0133f3cSMatt Fleming for (i = 0; i < sg_count; i++) { 246f0133f3cSMatt Fleming efi_capsule_block_desc_t *sglist; 247f0133f3cSMatt Fleming 24891c1c092SArd Biesheuvel sglist = kmap_atomic(sg_pages[i]); 249f0133f3cSMatt Fleming 250f0133f3cSMatt Fleming for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) { 2512a457fb3SArd Biesheuvel u64 sz = min_t(u64, imagesize, 2522a457fb3SArd Biesheuvel PAGE_SIZE - (u64)*pages % PAGE_SIZE); 253f0133f3cSMatt Fleming 254f0133f3cSMatt Fleming sglist[j].length = sz; 2552a457fb3SArd Biesheuvel sglist[j].data = *pages++; 256f0133f3cSMatt Fleming 257f0133f3cSMatt Fleming imagesize -= sz; 258f0133f3cSMatt Fleming count--; 259f0133f3cSMatt Fleming } 260f0133f3cSMatt Fleming 261f0133f3cSMatt Fleming /* Continuation pointer */ 262f0133f3cSMatt Fleming sglist[j].length = 0; 263f0133f3cSMatt Fleming 264f0133f3cSMatt Fleming if (i + 1 == sg_count) 265f0133f3cSMatt Fleming sglist[j].data = 0; 266f0133f3cSMatt Fleming else 267f0133f3cSMatt Fleming sglist[j].data = page_to_phys(sg_pages[i + 1]); 268f0133f3cSMatt Fleming 269*4dbe44fbSArd Biesheuvel #if defined(CONFIG_ARM) || defined(CONFIG_ARM64) 270*4dbe44fbSArd Biesheuvel /* 271*4dbe44fbSArd Biesheuvel * At runtime, the firmware has no way to find out where the 272*4dbe44fbSArd Biesheuvel * sglist elements are mapped, if they are mapped in the first 273*4dbe44fbSArd Biesheuvel * place. Therefore, on architectures that can only perform 274*4dbe44fbSArd Biesheuvel * cache maintenance by virtual address, the firmware is unable 275*4dbe44fbSArd Biesheuvel * to perform this maintenance, and so it is up to the OS to do 276*4dbe44fbSArd Biesheuvel * it instead. 277*4dbe44fbSArd Biesheuvel */ 278*4dbe44fbSArd Biesheuvel efi_capsule_flush_cache_range(sglist, PAGE_SIZE); 279*4dbe44fbSArd Biesheuvel #endif 28091c1c092SArd Biesheuvel kunmap_atomic(sglist); 281f0133f3cSMatt Fleming } 282f0133f3cSMatt Fleming 283f0133f3cSMatt Fleming mutex_lock(&capsule_mutex); 284f0133f3cSMatt Fleming rv = efi_capsule_update_locked(capsule, sg_pages, reset_type); 285f0133f3cSMatt Fleming mutex_unlock(&capsule_mutex); 286f0133f3cSMatt Fleming 287f0133f3cSMatt Fleming out: 288f0133f3cSMatt Fleming for (i = 0; rv && i < sg_count; i++) { 289f0133f3cSMatt Fleming if (sg_pages[i]) 290f0133f3cSMatt Fleming __free_page(sg_pages[i]); 291f0133f3cSMatt Fleming } 292f0133f3cSMatt Fleming 293f0133f3cSMatt Fleming kfree(sg_pages); 294f0133f3cSMatt Fleming return rv; 295f0133f3cSMatt Fleming } 296f0133f3cSMatt Fleming EXPORT_SYMBOL_GPL(efi_capsule_update); 29762075e58SMatt Fleming 29862075e58SMatt Fleming static int capsule_reboot_notify(struct notifier_block *nb, unsigned long event, void *cmd) 29962075e58SMatt Fleming { 30062075e58SMatt Fleming mutex_lock(&capsule_mutex); 30162075e58SMatt Fleming stop_capsules = true; 30262075e58SMatt Fleming mutex_unlock(&capsule_mutex); 30362075e58SMatt Fleming 30462075e58SMatt Fleming return NOTIFY_DONE; 30562075e58SMatt Fleming } 30662075e58SMatt Fleming 30762075e58SMatt Fleming static struct notifier_block capsule_reboot_nb = { 30862075e58SMatt Fleming .notifier_call = capsule_reboot_notify, 30962075e58SMatt Fleming }; 31062075e58SMatt Fleming 31162075e58SMatt Fleming static int __init capsule_reboot_register(void) 31262075e58SMatt Fleming { 31362075e58SMatt Fleming return register_reboot_notifier(&capsule_reboot_nb); 31462075e58SMatt Fleming } 31562075e58SMatt Fleming core_initcall(capsule_reboot_register); 316