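/*
 * EFI capsule support.
 *
 * Copyright 2013 Intel Corporation; author Matt Fleming
 *
 * This file is part of the Linux kernel, and is made available under
 * the terms of the GNU General Public License version 2.
 */

#define pr_fmt(fmt) "efi: " fmt

#include <linux/slab.h>
#include <linux/mutex.h>
#include <linux/highmem.h>
#include <linux/efi.h>
#include <linux/vmalloc.h>
#include <asm/io.h>

/*
 * One entry of the scatter gather list handed to the firmware: the
 * length of a data block and its physical address. An entry with a
 * zero length is a continuation pointer (see SGLIST_PER_PAGE).
 */
typedef struct {
	u64 length;
	u64 data;
} efi_capsule_block_desc_t;

static bool capsule_pending;
static bool stop_capsules;
static int efi_reset_type = -1;

/*
 * capsule_mutex serialises all writes to capsule_pending,
 * efi_reset_type and stop_capsules. Note that efi_capsule_pending()
 * reads capsule_pending and efi_reset_type without taking it.
 */
static DEFINE_MUTEX(capsule_mutex);

/**
 * efi_capsule_pending - has a capsule been passed to the firmware?
 * @reset_type: store the type of EFI reset if capsule is pending
 *
 * To ensure that the registered capsule is processed correctly by the
 * firmware we need to perform a specific type of reset. If a capsule is
 * pending return the reset type in @reset_type.
 *
 * This function is lockless and will race with callers of
 * efi_capsule_update(). For example, calling this function while
 * somebody else is in efi_capsule_update() but hasn't reached
 * efi_capsule_update_locked() will miss the updates to capsule_pending
 * and efi_reset_type made once efi_capsule_update_locked() completes.
 *
 * A non-racy use is from code that runs after capsule_reboot_notify()
 * has set stop_capsules: from that point efi_capsule_update_locked()
 * refuses to send capsules, so neither variable can change any more.
 *
 * Return true if a capsule is pending, false otherwise. @reset_type is
 * only written when true is returned and may be NULL.
 */
bool efi_capsule_pending(int *reset_type)
{
	if (!capsule_pending)
		return false;

	if (reset_type)
		*reset_type = efi_reset_type;

	return true;
}

/*
 * Whitelist of EFI capsule flags that we support.
 *
 * We do not handle EFI_CAPSULE_INITIATE_RESET because that would
 * require us to prepare the kernel for reboot. Refuse to load any
 * capsules with that flag and any other flags that we do not know how
 * to handle.
 */
#define EFI_CAPSULE_SUPPORTED_FLAG_MASK			\
	(EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE)

/**
 * efi_capsule_supported - does the firmware support the capsule?
 * @guid: vendor guid of capsule
 * @flags: capsule flags
 * @size: size of capsule data
 * @reset: the reset type required for this capsule
 *
 * Check whether a capsule with @flags is supported by the firmware
 * and that @size doesn't exceed the maximum size for a capsule.
 *
 * No attempt is made to check @reset against the reset type required
 * by any pending capsules because of the races involved.
 *
 * Return 0 if the capsule is supported, -EINVAL if @flags contains a
 * flag outside EFI_CAPSULE_SUPPORTED_FLAG_MASK, -ENOMEM if the probe
 * header cannot be allocated, -ENOSPC if @size exceeds the maximum
 * reported by the firmware, or a converted EFI status code if the
 * QueryCapsuleCapabilities() call itself fails.
 */
int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
{
	efi_capsule_header_t *capsule;
	efi_status_t status;
	u64 max_size;
	int rv = 0;

	/* Reject unknown flags before anything reaches the firmware. */
	if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
		return -EINVAL;

	capsule = kmalloc(sizeof(*capsule), GFP_KERNEL);
	if (!capsule)
		return -ENOMEM;

	/* Header-only probe: the image is exactly one header long. */
	capsule->headersize = capsule->imagesize = sizeof(*capsule);
	memcpy(&capsule->guid, &guid, sizeof(efi_guid_t));
	capsule->flags = flags;

	status = efi.query_capsule_caps(&capsule, 1, &max_size, reset);
	if (status != EFI_SUCCESS) {
		rv = efi_status_to_err(status);
		goto out;
	}

	if (size > max_size)
		rv = -ENOSPC;
out:
	kfree(capsule);
	return rv;
}
EXPORT_SYMBOL_GPL(efi_capsule_supported);

/*
 * Every scatter gather list (block descriptor) page must end with a
 * continuation pointer. The last continuation pointer of the last
 * page must be zero to mark the end of the chain.
 */
#define SGLIST_PER_PAGE	((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1)

/*
 * How many scatter gather list (block descriptor) pages do we need
 * to map @count pages?
 */
static inline unsigned int sg_pages_num(unsigned int count)
{
	return DIV_ROUND_UP(count, SGLIST_PER_PAGE);
}

/**
 * efi_capsule_update_locked - pass a single capsule to the firmware
 * @capsule: capsule to send to the firmware
 * @sg_pages: array of scatter gather (block descriptor) pages
 * @reset: the reset type required for @capsule
 *
 * Since this function must be called under capsule_mutex check
 * whether efi_reset_type will conflict with @reset, and atomically
 * set it and capsule_pending if a capsule was successfully sent to
 * the firmware.
 *
 * We also check to see if the system is about to restart, and if so,
 * abort. This avoids races between efi_capsule_update() and
 * efi_capsule_pending().
 *
 * @sg_pages must hold at least one page: @sg_pages[0] is read
 * unconditionally to obtain the physical address of the list.
 *
 * Return 0 on success, -EINVAL on a reset type conflict or when
 * capsules have been stopped, or a converted EFI status code.
 */
static int
efi_capsule_update_locked(efi_capsule_header_t *capsule,
			  struct page **sg_pages, int reset)
{
	efi_physical_addr_t sglist_phys;
	efi_status_t status;

	lockdep_assert_held(&capsule_mutex);

	/*
	 * If someone has already registered a capsule that requires a
	 * different reset type, we're out of luck and must abort.
	 */
	if (efi_reset_type >= 0 && efi_reset_type != reset) {
		pr_err("Conflicting capsule reset type %d (%d).\n",
		       reset, efi_reset_type);
		return -EINVAL;
	}

	/*
	 * If the system is getting ready to restart it may have
	 * called efi_capsule_pending() to make decisions (such as
	 * whether to force an EFI reboot), and we're racing against
	 * that call. Abort in that case.
	 */
	if (unlikely(stop_capsules)) {
		pr_warn("Capsule update raced with reboot, aborting.\n");
		return -EINVAL;
	}

	sglist_phys = page_to_phys(sg_pages[0]);

	status = efi.update_capsule(&capsule, 1, sglist_phys);
	if (status == EFI_SUCCESS) {
		capsule_pending = true;
		efi_reset_type = reset;
	}

	return efi_status_to_err(status);
}

/**
 * efi_capsule_update - send a capsule to the firmware
 * @capsule: capsule to send to firmware
 * @pages: an array of capsule data pages
 *
 * Build a scatter gather list with EFI capsule block descriptors to
 * map the capsule described by @capsule with its data in @pages and
 * send it to the firmware via the UpdateCapsule() runtime service.
 *
 * @capsule must be a virtual mapping of the first page in @pages
 * (@pages[0]) in the kernel address space. That is, a
 * capsule_header_t that describes the entire contents of the capsule
 * must be at the start of the first data page.
 *
 * Even though this function will validate that the firmware supports
 * the capsule guid, users will likely want to check that
 * efi_capsule_supported() returns 0 before calling this function
 * because it makes it easier to print helpful error messages.
 *
 * If the capsule is successfully submitted to the firmware, any
 * subsequent calls to efi_capsule_pending() will return true. @pages
 * must not be released or modified if this function returns
 * successfully.
 *
 * Callers must be prepared for this function to fail, which can
 * happen if we raced with system reboot or if there is already a
 * pending capsule that has a reset type that conflicts with the one
 * required by @capsule. Do NOT use efi_capsule_pending() to detect
 * this conflict since that would be racy. Instead, submit the capsule
 * to efi_capsule_update() and check the return value.
 *
 * Return 0 on success, -EINVAL if the image size in @capsule is
 * smaller than the capsule header, -ENOMEM on allocation failure, or
 * a converted EFI status code on failure.
 */
int efi_capsule_update(efi_capsule_header_t *capsule, struct page **pages)
{
	u32 imagesize = capsule->imagesize;
	efi_guid_t guid = capsule->guid;
	unsigned int count, sg_count;
	u32 flags = capsule->flags;
	struct page **sg_pages;
	int rv, reset_type;
	unsigned int i, j;

	rv = efi_capsule_supported(guid, flags, imagesize, &reset_type);
	if (rv)
		return rv;

	/*
	 * The header sits at the start of the image, so an image
	 * smaller than the header is malformed. Without this check an
	 * imagesize of zero gives sg_count == 0, and
	 * efi_capsule_update_locked() would then read sg_pages[0] from
	 * a zero-length allocation.
	 */
	if (imagesize < sizeof(*capsule))
		return -EINVAL;

	count = DIV_ROUND_UP(imagesize, PAGE_SIZE);
	sg_count = sg_pages_num(count);

	/* kcalloc() zeroes the array and checks the size multiplication. */
	sg_pages = kcalloc(sg_count, sizeof(*sg_pages), GFP_KERNEL);
	if (!sg_pages)
		return -ENOMEM;

	for (i = 0; i < sg_count; i++) {
		sg_pages[i] = alloc_page(GFP_KERNEL);
		if (!sg_pages[i]) {
			rv = -ENOMEM;
			goto out;
		}
	}

	for (i = 0; i < sg_count; i++) {
		efi_capsule_block_desc_t *sglist;

		sglist = kmap(sg_pages[i]);
		if (!sglist) {
			rv = -ENOMEM;
			goto out;
		}

		/* One descriptor per data page; the final one may be short. */
		for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) {
			u64 sz = min_t(u64, imagesize, PAGE_SIZE);

			sglist[j].length = sz;
			sglist[j].data = page_to_phys(*pages++);

			imagesize -= sz;
			count--;
		}

		/* Continuation pointer */
		sglist[j].length = 0;

		if (i + 1 == sg_count)
			sglist[j].data = 0;
		else
			sglist[j].data = page_to_phys(sg_pages[i + 1]);

		kunmap(sg_pages[i]);
	}

	mutex_lock(&capsule_mutex);
	rv = efi_capsule_update_locked(capsule, sg_pages, reset_type);
	mutex_unlock(&capsule_mutex);

out:
	/*
	 * The block descriptor pages are only freed on failure. On
	 * success their physical addresses have been passed to
	 * efi.update_capsule(), so just the pointer array is released.
	 */
	for (i = 0; rv && i < sg_count; i++) {
		if (sg_pages[i])
			__free_page(sg_pages[i]);
	}

	kfree(sg_pages);
	return rv;
}
EXPORT_SYMBOL_GPL(efi_capsule_update);

/*
 * Reboot notifier: stop accepting capsules. The flag is set under
 * capsule_mutex, so an efi_capsule_update_locked() call already in
 * progress finishes first and any later one aborts. @event and @cmd
 * are not inspected; every notification sets the flag.
 */
static int capsule_reboot_notify(struct notifier_block *nb, unsigned long event, void *cmd)
{
	mutex_lock(&capsule_mutex);
	stop_capsules = true;
	mutex_unlock(&capsule_mutex);

	return NOTIFY_DONE;
}

static struct notifier_block capsule_reboot_nb = {
	.notifier_call = capsule_reboot_notify,
};

/* Hook capsule_reboot_notify() into the reboot notifier chain at init. */
static int __init capsule_reboot_register(void)
{
	return register_reboot_notifier(&capsule_reboot_nb);
}
core_initcall(capsule_reboot_register);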