1f0133f3cSMatt Fleming /* 2f0133f3cSMatt Fleming * EFI capsule support. 3f0133f3cSMatt Fleming * 4f0133f3cSMatt Fleming * Copyright 2013 Intel Corporation; author Matt Fleming 5f0133f3cSMatt Fleming * 6f0133f3cSMatt Fleming * This file is part of the Linux kernel, and is made available under 7f0133f3cSMatt Fleming * the terms of the GNU General Public License version 2. 8f0133f3cSMatt Fleming */ 9f0133f3cSMatt Fleming 10f0133f3cSMatt Fleming #define pr_fmt(fmt) "efi: " fmt 11f0133f3cSMatt Fleming 12f0133f3cSMatt Fleming #include <linux/slab.h> 13f0133f3cSMatt Fleming #include <linux/mutex.h> 14f0133f3cSMatt Fleming #include <linux/highmem.h> 15f0133f3cSMatt Fleming #include <linux/efi.h> 16f0133f3cSMatt Fleming #include <linux/vmalloc.h> 17f0133f3cSMatt Fleming #include <asm/io.h> 18f0133f3cSMatt Fleming 19f0133f3cSMatt Fleming typedef struct { 20f0133f3cSMatt Fleming u64 length; 21f0133f3cSMatt Fleming u64 data; 22f0133f3cSMatt Fleming } efi_capsule_block_desc_t; 23f0133f3cSMatt Fleming 24f0133f3cSMatt Fleming static bool capsule_pending; 2562075e58SMatt Fleming static bool stop_capsules; 26f0133f3cSMatt Fleming static int efi_reset_type = -1; 27f0133f3cSMatt Fleming 28f0133f3cSMatt Fleming /* 29f0133f3cSMatt Fleming * capsule_mutex serialises access to both capsule_pending and 3062075e58SMatt Fleming * efi_reset_type and stop_capsules. 31f0133f3cSMatt Fleming */ 32f0133f3cSMatt Fleming static DEFINE_MUTEX(capsule_mutex); 33f0133f3cSMatt Fleming 34f0133f3cSMatt Fleming /** 35f0133f3cSMatt Fleming * efi_capsule_pending - has a capsule been passed to the firmware? 36f0133f3cSMatt Fleming * @reset_type: store the type of EFI reset if capsule is pending 37f0133f3cSMatt Fleming * 38f0133f3cSMatt Fleming * To ensure that the registered capsule is processed correctly by the 39f0133f3cSMatt Fleming * firmware we need to perform a specific type of reset. If a capsule is 40f0133f3cSMatt Fleming * pending return the reset type in @reset_type. 41f0133f3cSMatt Fleming * 42f0133f3cSMatt Fleming * This function will race with callers of efi_capsule_update(), for 43f0133f3cSMatt Fleming * example, calling this function while somebody else is in 44f0133f3cSMatt Fleming * efi_capsule_update() but hasn't reached efi_capsue_update_locked() 45f0133f3cSMatt Fleming * will miss the updates to capsule_pending and efi_reset_type after 46f0133f3cSMatt Fleming * efi_capsule_update_locked() completes. 47f0133f3cSMatt Fleming * 48f0133f3cSMatt Fleming * A non-racy use is from platform reboot code because we use 49f0133f3cSMatt Fleming * system_state to ensure no capsules can be sent to the firmware once 50f0133f3cSMatt Fleming * we're at SYSTEM_RESTART. See efi_capsule_update_locked(). 51f0133f3cSMatt Fleming */ 52f0133f3cSMatt Fleming bool efi_capsule_pending(int *reset_type) 53f0133f3cSMatt Fleming { 54f0133f3cSMatt Fleming if (!capsule_pending) 5562075e58SMatt Fleming return false; 56f0133f3cSMatt Fleming 57f0133f3cSMatt Fleming if (reset_type) 58f0133f3cSMatt Fleming *reset_type = efi_reset_type; 5962075e58SMatt Fleming 6062075e58SMatt Fleming return true; 61f0133f3cSMatt Fleming } 62f0133f3cSMatt Fleming 63f0133f3cSMatt Fleming /* 64f0133f3cSMatt Fleming * Whitelist of EFI capsule flags that we support. 65f0133f3cSMatt Fleming * 66f0133f3cSMatt Fleming * We do not handle EFI_CAPSULE_INITIATE_RESET because that would 67f0133f3cSMatt Fleming * require us to prepare the kernel for reboot. Refuse to load any 68f0133f3cSMatt Fleming * capsules with that flag and any other flags that we do not know how 69f0133f3cSMatt Fleming * to handle. 70f0133f3cSMatt Fleming */ 71f0133f3cSMatt Fleming #define EFI_CAPSULE_SUPPORTED_FLAG_MASK \ 72f0133f3cSMatt Fleming (EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE) 73f0133f3cSMatt Fleming 74f0133f3cSMatt Fleming /** 75f0133f3cSMatt Fleming * efi_capsule_supported - does the firmware support the capsule? 76f0133f3cSMatt Fleming * @guid: vendor guid of capsule 77f0133f3cSMatt Fleming * @flags: capsule flags 78f0133f3cSMatt Fleming * @size: size of capsule data 79f0133f3cSMatt Fleming * @reset: the reset type required for this capsule 80f0133f3cSMatt Fleming * 81f0133f3cSMatt Fleming * Check whether a capsule with @flags is supported by the firmware 82f0133f3cSMatt Fleming * and that @size doesn't exceed the maximum size for a capsule. 83f0133f3cSMatt Fleming * 84f0133f3cSMatt Fleming * No attempt is made to check @reset against the reset type required 85f0133f3cSMatt Fleming * by any pending capsules because of the races involved. 86f0133f3cSMatt Fleming */ 87f0133f3cSMatt Fleming int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset) 88f0133f3cSMatt Fleming { 89fb7a84caSMatt Fleming efi_capsule_header_t capsule; 90fb7a84caSMatt Fleming efi_capsule_header_t *cap_list[] = { &capsule }; 91f0133f3cSMatt Fleming efi_status_t status; 92f0133f3cSMatt Fleming u64 max_size; 93f0133f3cSMatt Fleming 94f0133f3cSMatt Fleming if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK) 95f0133f3cSMatt Fleming return -EINVAL; 96f0133f3cSMatt Fleming 97fb7a84caSMatt Fleming capsule.headersize = capsule.imagesize = sizeof(capsule); 98fb7a84caSMatt Fleming memcpy(&capsule.guid, &guid, sizeof(efi_guid_t)); 99fb7a84caSMatt Fleming capsule.flags = flags; 100f0133f3cSMatt Fleming 101fb7a84caSMatt Fleming status = efi.query_capsule_caps(cap_list, 1, &max_size, reset); 102fb7a84caSMatt Fleming if (status != EFI_SUCCESS) 103fb7a84caSMatt Fleming return efi_status_to_err(status); 104f0133f3cSMatt Fleming 105f0133f3cSMatt Fleming if (size > max_size) 106fb7a84caSMatt Fleming return -ENOSPC; 107fb7a84caSMatt Fleming 108fb7a84caSMatt Fleming return 0; 109f0133f3cSMatt Fleming } 110f0133f3cSMatt Fleming EXPORT_SYMBOL_GPL(efi_capsule_supported); 111f0133f3cSMatt Fleming 112f0133f3cSMatt Fleming /* 113f0133f3cSMatt Fleming * Every scatter gather list (block descriptor) page must end with a 114f0133f3cSMatt Fleming * continuation pointer. The last continuation pointer of the last 115f0133f3cSMatt Fleming * page must be zero to mark the end of the chain. 116f0133f3cSMatt Fleming */ 117f0133f3cSMatt Fleming #define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1) 118f0133f3cSMatt Fleming 119f0133f3cSMatt Fleming /* 120f0133f3cSMatt Fleming * How many scatter gather list (block descriptor) pages do we need 121f0133f3cSMatt Fleming * to map @count pages? 122f0133f3cSMatt Fleming */ 123f0133f3cSMatt Fleming static inline unsigned int sg_pages_num(unsigned int count) 124f0133f3cSMatt Fleming { 125f0133f3cSMatt Fleming return DIV_ROUND_UP(count, SGLIST_PER_PAGE); 126f0133f3cSMatt Fleming } 127f0133f3cSMatt Fleming 128f0133f3cSMatt Fleming /** 129f0133f3cSMatt Fleming * efi_capsule_update_locked - pass a single capsule to the firmware 130f0133f3cSMatt Fleming * @capsule: capsule to send to the firmware 131f0133f3cSMatt Fleming * @sg_pages: array of scatter gather (block descriptor) pages 132f0133f3cSMatt Fleming * @reset: the reset type required for @capsule 133f0133f3cSMatt Fleming * 134f0133f3cSMatt Fleming * Since this function must be called under capsule_mutex check 135f0133f3cSMatt Fleming * whether efi_reset_type will conflict with @reset, and atomically 136f0133f3cSMatt Fleming * set it and capsule_pending if a capsule was successfully sent to 137f0133f3cSMatt Fleming * the firmware. 138f0133f3cSMatt Fleming * 139f0133f3cSMatt Fleming * We also check to see if the system is about to restart, and if so, 140f0133f3cSMatt Fleming * abort. This avoids races between efi_capsule_update() and 141f0133f3cSMatt Fleming * efi_capsule_pending(). 142f0133f3cSMatt Fleming */ 143f0133f3cSMatt Fleming static int 144f0133f3cSMatt Fleming efi_capsule_update_locked(efi_capsule_header_t *capsule, 145f0133f3cSMatt Fleming struct page **sg_pages, int reset) 146f0133f3cSMatt Fleming { 147f0133f3cSMatt Fleming efi_physical_addr_t sglist_phys; 148f0133f3cSMatt Fleming efi_status_t status; 149f0133f3cSMatt Fleming 150f0133f3cSMatt Fleming lockdep_assert_held(&capsule_mutex); 151f0133f3cSMatt Fleming 152f0133f3cSMatt Fleming /* 153f0133f3cSMatt Fleming * If someone has already registered a capsule that requires a 154f0133f3cSMatt Fleming * different reset type, we're out of luck and must abort. 155f0133f3cSMatt Fleming */ 156f0133f3cSMatt Fleming if (efi_reset_type >= 0 && efi_reset_type != reset) { 157f0133f3cSMatt Fleming pr_err("Conflicting capsule reset type %d (%d).\n", 158f0133f3cSMatt Fleming reset, efi_reset_type); 159f0133f3cSMatt Fleming return -EINVAL; 160f0133f3cSMatt Fleming } 161f0133f3cSMatt Fleming 162f0133f3cSMatt Fleming /* 163f0133f3cSMatt Fleming * If the system is getting ready to restart it may have 164f0133f3cSMatt Fleming * called efi_capsule_pending() to make decisions (such as 165f0133f3cSMatt Fleming * whether to force an EFI reboot), and we're racing against 166f0133f3cSMatt Fleming * that call. Abort in that case. 167f0133f3cSMatt Fleming */ 16862075e58SMatt Fleming if (unlikely(stop_capsules)) { 169f0133f3cSMatt Fleming pr_warn("Capsule update raced with reboot, aborting.\n"); 170f0133f3cSMatt Fleming return -EINVAL; 171f0133f3cSMatt Fleming } 172f0133f3cSMatt Fleming 173f0133f3cSMatt Fleming sglist_phys = page_to_phys(sg_pages[0]); 174f0133f3cSMatt Fleming 175f0133f3cSMatt Fleming status = efi.update_capsule(&capsule, 1, sglist_phys); 176f0133f3cSMatt Fleming if (status == EFI_SUCCESS) { 177f0133f3cSMatt Fleming capsule_pending = true; 178f0133f3cSMatt Fleming efi_reset_type = reset; 179f0133f3cSMatt Fleming } 180f0133f3cSMatt Fleming 181f0133f3cSMatt Fleming return efi_status_to_err(status); 182f0133f3cSMatt Fleming } 183f0133f3cSMatt Fleming 184f0133f3cSMatt Fleming /** 185f0133f3cSMatt Fleming * efi_capsule_update - send a capsule to the firmware 186f0133f3cSMatt Fleming * @capsule: capsule to send to firmware 187f0133f3cSMatt Fleming * @pages: an array of capsule data pages 188f0133f3cSMatt Fleming * 189f0133f3cSMatt Fleming * Build a scatter gather list with EFI capsule block descriptors to 190f0133f3cSMatt Fleming * map the capsule described by @capsule with its data in @pages and 191f0133f3cSMatt Fleming * send it to the firmware via the UpdateCapsule() runtime service. 192f0133f3cSMatt Fleming * 193*6862e6adSAustin Christ * @capsule must be a virtual mapping of the complete capsule update in the 194*6862e6adSAustin Christ * kernel address space, as the capsule can be consumed immediately. 195*6862e6adSAustin Christ * A capsule_header_t that describes the entire contents of the capsule 196f0133f3cSMatt Fleming * must be at the start of the first data page. 197f0133f3cSMatt Fleming * 198f0133f3cSMatt Fleming * Even though this function will validate that the firmware supports 199f0133f3cSMatt Fleming * the capsule guid, users will likely want to check that 200f0133f3cSMatt Fleming * efi_capsule_supported() returns true before calling this function 201f0133f3cSMatt Fleming * because it makes it easier to print helpful error messages. 202f0133f3cSMatt Fleming * 203f0133f3cSMatt Fleming * If the capsule is successfully submitted to the firmware, any 204f0133f3cSMatt Fleming * subsequent calls to efi_capsule_pending() will return true. @pages 205f0133f3cSMatt Fleming * must not be released or modified if this function returns 206f0133f3cSMatt Fleming * successfully. 207f0133f3cSMatt Fleming * 208f0133f3cSMatt Fleming * Callers must be prepared for this function to fail, which can 209f0133f3cSMatt Fleming * happen if we raced with system reboot or if there is already a 210f0133f3cSMatt Fleming * pending capsule that has a reset type that conflicts with the one 211f0133f3cSMatt Fleming * required by @capsule. Do NOT use efi_capsule_pending() to detect 212f0133f3cSMatt Fleming * this conflict since that would be racy. Instead, submit the capsule 213f0133f3cSMatt Fleming * to efi_capsule_update() and check the return value. 214f0133f3cSMatt Fleming * 215f0133f3cSMatt Fleming * Return 0 on success, a converted EFI status code on failure. 216f0133f3cSMatt Fleming */ 217f0133f3cSMatt Fleming int efi_capsule_update(efi_capsule_header_t *capsule, struct page **pages) 218f0133f3cSMatt Fleming { 219f0133f3cSMatt Fleming u32 imagesize = capsule->imagesize; 220f0133f3cSMatt Fleming efi_guid_t guid = capsule->guid; 221f0133f3cSMatt Fleming unsigned int count, sg_count; 222f0133f3cSMatt Fleming u32 flags = capsule->flags; 223f0133f3cSMatt Fleming struct page **sg_pages; 224f0133f3cSMatt Fleming int rv, reset_type; 225f0133f3cSMatt Fleming int i, j; 226f0133f3cSMatt Fleming 227f0133f3cSMatt Fleming rv = efi_capsule_supported(guid, flags, imagesize, &reset_type); 228f0133f3cSMatt Fleming if (rv) 229f0133f3cSMatt Fleming return rv; 230f0133f3cSMatt Fleming 231f0133f3cSMatt Fleming count = DIV_ROUND_UP(imagesize, PAGE_SIZE); 232f0133f3cSMatt Fleming sg_count = sg_pages_num(count); 233f0133f3cSMatt Fleming 234f0133f3cSMatt Fleming sg_pages = kzalloc(sg_count * sizeof(*sg_pages), GFP_KERNEL); 235f0133f3cSMatt Fleming if (!sg_pages) 236f0133f3cSMatt Fleming return -ENOMEM; 237f0133f3cSMatt Fleming 238f0133f3cSMatt Fleming for (i = 0; i < sg_count; i++) { 239f0133f3cSMatt Fleming sg_pages[i] = alloc_page(GFP_KERNEL); 240f0133f3cSMatt Fleming if (!sg_pages[i]) { 241f0133f3cSMatt Fleming rv = -ENOMEM; 242f0133f3cSMatt Fleming goto out; 243f0133f3cSMatt Fleming } 244f0133f3cSMatt Fleming } 245f0133f3cSMatt Fleming 246f0133f3cSMatt Fleming for (i = 0; i < sg_count; i++) { 247f0133f3cSMatt Fleming efi_capsule_block_desc_t *sglist; 248f0133f3cSMatt Fleming 249f0133f3cSMatt Fleming sglist = kmap(sg_pages[i]); 250f0133f3cSMatt Fleming if (!sglist) { 251f0133f3cSMatt Fleming rv = -ENOMEM; 252f0133f3cSMatt Fleming goto out; 253f0133f3cSMatt Fleming } 254f0133f3cSMatt Fleming 255f0133f3cSMatt Fleming for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) { 256f0133f3cSMatt Fleming u64 sz = min_t(u64, imagesize, PAGE_SIZE); 257f0133f3cSMatt Fleming 258f0133f3cSMatt Fleming sglist[j].length = sz; 259f0133f3cSMatt Fleming sglist[j].data = page_to_phys(*pages++); 260f0133f3cSMatt Fleming 261f0133f3cSMatt Fleming imagesize -= sz; 262f0133f3cSMatt Fleming count--; 263f0133f3cSMatt Fleming } 264f0133f3cSMatt Fleming 265f0133f3cSMatt Fleming /* Continuation pointer */ 266f0133f3cSMatt Fleming sglist[j].length = 0; 267f0133f3cSMatt Fleming 268f0133f3cSMatt Fleming if (i + 1 == sg_count) 269f0133f3cSMatt Fleming sglist[j].data = 0; 270f0133f3cSMatt Fleming else 271f0133f3cSMatt Fleming sglist[j].data = page_to_phys(sg_pages[i + 1]); 272f0133f3cSMatt Fleming 273f0133f3cSMatt Fleming kunmap(sg_pages[i]); 274f0133f3cSMatt Fleming } 275f0133f3cSMatt Fleming 276f0133f3cSMatt Fleming mutex_lock(&capsule_mutex); 277f0133f3cSMatt Fleming rv = efi_capsule_update_locked(capsule, sg_pages, reset_type); 278f0133f3cSMatt Fleming mutex_unlock(&capsule_mutex); 279f0133f3cSMatt Fleming 280f0133f3cSMatt Fleming out: 281f0133f3cSMatt Fleming for (i = 0; rv && i < sg_count; i++) { 282f0133f3cSMatt Fleming if (sg_pages[i]) 283f0133f3cSMatt Fleming __free_page(sg_pages[i]); 284f0133f3cSMatt Fleming } 285f0133f3cSMatt Fleming 286f0133f3cSMatt Fleming kfree(sg_pages); 287f0133f3cSMatt Fleming return rv; 288f0133f3cSMatt Fleming } 289f0133f3cSMatt Fleming EXPORT_SYMBOL_GPL(efi_capsule_update); 29062075e58SMatt Fleming 29162075e58SMatt Fleming static int capsule_reboot_notify(struct notifier_block *nb, unsigned long event, void *cmd) 29262075e58SMatt Fleming { 29362075e58SMatt Fleming mutex_lock(&capsule_mutex); 29462075e58SMatt Fleming stop_capsules = true; 29562075e58SMatt Fleming mutex_unlock(&capsule_mutex); 29662075e58SMatt Fleming 29762075e58SMatt Fleming return NOTIFY_DONE; 29862075e58SMatt Fleming } 29962075e58SMatt Fleming 30062075e58SMatt Fleming static struct notifier_block capsule_reboot_nb = { 30162075e58SMatt Fleming .notifier_call = capsule_reboot_notify, 30262075e58SMatt Fleming }; 30362075e58SMatt Fleming 30462075e58SMatt Fleming static int __init capsule_reboot_register(void) 30562075e58SMatt Fleming { 30662075e58SMatt Fleming return register_reboot_notifier(&capsule_reboot_nb); 30762075e58SMatt Fleming } 30862075e58SMatt Fleming core_initcall(capsule_reboot_register); 309