14febfb8dSArd Biesheuvel // SPDX-License-Identifier: GPL-2.0 2f0133f3cSMatt Fleming /* 3f0133f3cSMatt Fleming * EFI capsule support. 4f0133f3cSMatt Fleming * 5f0133f3cSMatt Fleming * Copyright 2013 Intel Corporation; author Matt Fleming 6f0133f3cSMatt Fleming */ 7f0133f3cSMatt Fleming 8f0133f3cSMatt Fleming #define pr_fmt(fmt) "efi: " fmt 9f0133f3cSMatt Fleming 10f0133f3cSMatt Fleming #include <linux/slab.h> 11f0133f3cSMatt Fleming #include <linux/mutex.h> 12f0133f3cSMatt Fleming #include <linux/highmem.h> 13f0133f3cSMatt Fleming #include <linux/efi.h> 14f0133f3cSMatt Fleming #include <linux/vmalloc.h> 15f0133f3cSMatt Fleming #include <asm/io.h> 16f0133f3cSMatt Fleming 17f0133f3cSMatt Fleming typedef struct { 18f0133f3cSMatt Fleming u64 length; 19f0133f3cSMatt Fleming u64 data; 20f0133f3cSMatt Fleming } efi_capsule_block_desc_t; 21f0133f3cSMatt Fleming 22f0133f3cSMatt Fleming static bool capsule_pending; 2362075e58SMatt Fleming static bool stop_capsules; 24f0133f3cSMatt Fleming static int efi_reset_type = -1; 25f0133f3cSMatt Fleming 26f0133f3cSMatt Fleming /* 27f0133f3cSMatt Fleming * capsule_mutex serialises access to both capsule_pending and 2862075e58SMatt Fleming * efi_reset_type and stop_capsules. 29f0133f3cSMatt Fleming */ 30f0133f3cSMatt Fleming static DEFINE_MUTEX(capsule_mutex); 31f0133f3cSMatt Fleming 32f0133f3cSMatt Fleming /** 33f0133f3cSMatt Fleming * efi_capsule_pending - has a capsule been passed to the firmware? 34f0133f3cSMatt Fleming * @reset_type: store the type of EFI reset if capsule is pending 35f0133f3cSMatt Fleming * 36f0133f3cSMatt Fleming * To ensure that the registered capsule is processed correctly by the 37f0133f3cSMatt Fleming * firmware we need to perform a specific type of reset. If a capsule is 38f0133f3cSMatt Fleming * pending return the reset type in @reset_type. 39f0133f3cSMatt Fleming * 40f0133f3cSMatt Fleming * This function will race with callers of efi_capsule_update(), for 41f0133f3cSMatt Fleming * example, calling this function while somebody else is in 42f0133f3cSMatt Fleming * efi_capsule_update() but hasn't reached efi_capsue_update_locked() 43f0133f3cSMatt Fleming * will miss the updates to capsule_pending and efi_reset_type after 44f0133f3cSMatt Fleming * efi_capsule_update_locked() completes. 45f0133f3cSMatt Fleming * 46f0133f3cSMatt Fleming * A non-racy use is from platform reboot code because we use 47f0133f3cSMatt Fleming * system_state to ensure no capsules can be sent to the firmware once 48f0133f3cSMatt Fleming * we're at SYSTEM_RESTART. See efi_capsule_update_locked(). 49f0133f3cSMatt Fleming */ 50f0133f3cSMatt Fleming bool efi_capsule_pending(int *reset_type) 51f0133f3cSMatt Fleming { 52f0133f3cSMatt Fleming if (!capsule_pending) 5362075e58SMatt Fleming return false; 54f0133f3cSMatt Fleming 55f0133f3cSMatt Fleming if (reset_type) 56f0133f3cSMatt Fleming *reset_type = efi_reset_type; 5762075e58SMatt Fleming 5862075e58SMatt Fleming return true; 59f0133f3cSMatt Fleming } 60f0133f3cSMatt Fleming 61f0133f3cSMatt Fleming /* 62f0133f3cSMatt Fleming * Whitelist of EFI capsule flags that we support. 63f0133f3cSMatt Fleming * 64f0133f3cSMatt Fleming * We do not handle EFI_CAPSULE_INITIATE_RESET because that would 65f0133f3cSMatt Fleming * require us to prepare the kernel for reboot. Refuse to load any 66f0133f3cSMatt Fleming * capsules with that flag and any other flags that we do not know how 67f0133f3cSMatt Fleming * to handle. 68f0133f3cSMatt Fleming */ 69f0133f3cSMatt Fleming #define EFI_CAPSULE_SUPPORTED_FLAG_MASK \ 70f0133f3cSMatt Fleming (EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE) 71f0133f3cSMatt Fleming 72f0133f3cSMatt Fleming /** 73f0133f3cSMatt Fleming * efi_capsule_supported - does the firmware support the capsule? 74f0133f3cSMatt Fleming * @guid: vendor guid of capsule 75f0133f3cSMatt Fleming * @flags: capsule flags 76f0133f3cSMatt Fleming * @size: size of capsule data 77f0133f3cSMatt Fleming * @reset: the reset type required for this capsule 78f0133f3cSMatt Fleming * 79f0133f3cSMatt Fleming * Check whether a capsule with @flags is supported by the firmware 80f0133f3cSMatt Fleming * and that @size doesn't exceed the maximum size for a capsule. 81f0133f3cSMatt Fleming * 82f0133f3cSMatt Fleming * No attempt is made to check @reset against the reset type required 83f0133f3cSMatt Fleming * by any pending capsules because of the races involved. 84f0133f3cSMatt Fleming */ 85f0133f3cSMatt Fleming int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset) 86f0133f3cSMatt Fleming { 87fb7a84caSMatt Fleming efi_capsule_header_t capsule; 88fb7a84caSMatt Fleming efi_capsule_header_t *cap_list[] = { &capsule }; 89f0133f3cSMatt Fleming efi_status_t status; 90f0133f3cSMatt Fleming u64 max_size; 91f0133f3cSMatt Fleming 92f0133f3cSMatt Fleming if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK) 93f0133f3cSMatt Fleming return -EINVAL; 94f0133f3cSMatt Fleming 95fb7a84caSMatt Fleming capsule.headersize = capsule.imagesize = sizeof(capsule); 96fb7a84caSMatt Fleming memcpy(&capsule.guid, &guid, sizeof(efi_guid_t)); 97fb7a84caSMatt Fleming capsule.flags = flags; 98f0133f3cSMatt Fleming 99fb7a84caSMatt Fleming status = efi.query_capsule_caps(cap_list, 1, &max_size, reset); 100fb7a84caSMatt Fleming if (status != EFI_SUCCESS) 101fb7a84caSMatt Fleming return efi_status_to_err(status); 102f0133f3cSMatt Fleming 103f0133f3cSMatt Fleming if (size > max_size) 104fb7a84caSMatt Fleming return -ENOSPC; 105fb7a84caSMatt Fleming 106fb7a84caSMatt Fleming return 0; 107f0133f3cSMatt Fleming } 108f0133f3cSMatt Fleming EXPORT_SYMBOL_GPL(efi_capsule_supported); 109f0133f3cSMatt Fleming 110f0133f3cSMatt Fleming /* 111f0133f3cSMatt Fleming * Every scatter gather list (block descriptor) page must end with a 112f0133f3cSMatt Fleming * continuation pointer. The last continuation pointer of the last 113f0133f3cSMatt Fleming * page must be zero to mark the end of the chain. 114f0133f3cSMatt Fleming */ 115f0133f3cSMatt Fleming #define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1) 116f0133f3cSMatt Fleming 117f0133f3cSMatt Fleming /* 118f0133f3cSMatt Fleming * How many scatter gather list (block descriptor) pages do we need 119f0133f3cSMatt Fleming * to map @count pages? 120f0133f3cSMatt Fleming */ 121f0133f3cSMatt Fleming static inline unsigned int sg_pages_num(unsigned int count) 122f0133f3cSMatt Fleming { 123f0133f3cSMatt Fleming return DIV_ROUND_UP(count, SGLIST_PER_PAGE); 124f0133f3cSMatt Fleming } 125f0133f3cSMatt Fleming 126f0133f3cSMatt Fleming /** 127f0133f3cSMatt Fleming * efi_capsule_update_locked - pass a single capsule to the firmware 128f0133f3cSMatt Fleming * @capsule: capsule to send to the firmware 129f0133f3cSMatt Fleming * @sg_pages: array of scatter gather (block descriptor) pages 130f0133f3cSMatt Fleming * @reset: the reset type required for @capsule 131f0133f3cSMatt Fleming * 132f0133f3cSMatt Fleming * Since this function must be called under capsule_mutex check 133f0133f3cSMatt Fleming * whether efi_reset_type will conflict with @reset, and atomically 134f0133f3cSMatt Fleming * set it and capsule_pending if a capsule was successfully sent to 135f0133f3cSMatt Fleming * the firmware. 136f0133f3cSMatt Fleming * 137f0133f3cSMatt Fleming * We also check to see if the system is about to restart, and if so, 138f0133f3cSMatt Fleming * abort. This avoids races between efi_capsule_update() and 139f0133f3cSMatt Fleming * efi_capsule_pending(). 140f0133f3cSMatt Fleming */ 141f0133f3cSMatt Fleming static int 142f0133f3cSMatt Fleming efi_capsule_update_locked(efi_capsule_header_t *capsule, 143f0133f3cSMatt Fleming struct page **sg_pages, int reset) 144f0133f3cSMatt Fleming { 145f0133f3cSMatt Fleming efi_physical_addr_t sglist_phys; 146f0133f3cSMatt Fleming efi_status_t status; 147f0133f3cSMatt Fleming 148f0133f3cSMatt Fleming lockdep_assert_held(&capsule_mutex); 149f0133f3cSMatt Fleming 150f0133f3cSMatt Fleming /* 151f0133f3cSMatt Fleming * If someone has already registered a capsule that requires a 152f0133f3cSMatt Fleming * different reset type, we're out of luck and must abort. 153f0133f3cSMatt Fleming */ 154f0133f3cSMatt Fleming if (efi_reset_type >= 0 && efi_reset_type != reset) { 155f0133f3cSMatt Fleming pr_err("Conflicting capsule reset type %d (%d).\n", 156f0133f3cSMatt Fleming reset, efi_reset_type); 157f0133f3cSMatt Fleming return -EINVAL; 158f0133f3cSMatt Fleming } 159f0133f3cSMatt Fleming 160f0133f3cSMatt Fleming /* 161f0133f3cSMatt Fleming * If the system is getting ready to restart it may have 162f0133f3cSMatt Fleming * called efi_capsule_pending() to make decisions (such as 163f0133f3cSMatt Fleming * whether to force an EFI reboot), and we're racing against 164f0133f3cSMatt Fleming * that call. Abort in that case. 165f0133f3cSMatt Fleming */ 16662075e58SMatt Fleming if (unlikely(stop_capsules)) { 167f0133f3cSMatt Fleming pr_warn("Capsule update raced with reboot, aborting.\n"); 168f0133f3cSMatt Fleming return -EINVAL; 169f0133f3cSMatt Fleming } 170f0133f3cSMatt Fleming 171f0133f3cSMatt Fleming sglist_phys = page_to_phys(sg_pages[0]); 172f0133f3cSMatt Fleming 173f0133f3cSMatt Fleming status = efi.update_capsule(&capsule, 1, sglist_phys); 174f0133f3cSMatt Fleming if (status == EFI_SUCCESS) { 175f0133f3cSMatt Fleming capsule_pending = true; 176f0133f3cSMatt Fleming efi_reset_type = reset; 177f0133f3cSMatt Fleming } 178f0133f3cSMatt Fleming 179f0133f3cSMatt Fleming return efi_status_to_err(status); 180f0133f3cSMatt Fleming } 181f0133f3cSMatt Fleming 182f0133f3cSMatt Fleming /** 183f0133f3cSMatt Fleming * efi_capsule_update - send a capsule to the firmware 184f0133f3cSMatt Fleming * @capsule: capsule to send to firmware 185f0133f3cSMatt Fleming * @pages: an array of capsule data pages 186f0133f3cSMatt Fleming * 187f0133f3cSMatt Fleming * Build a scatter gather list with EFI capsule block descriptors to 188f0133f3cSMatt Fleming * map the capsule described by @capsule with its data in @pages and 189f0133f3cSMatt Fleming * send it to the firmware via the UpdateCapsule() runtime service. 190f0133f3cSMatt Fleming * 1916862e6adSAustin Christ * @capsule must be a virtual mapping of the complete capsule update in the 1926862e6adSAustin Christ * kernel address space, as the capsule can be consumed immediately. 1936862e6adSAustin Christ * A capsule_header_t that describes the entire contents of the capsule 194f0133f3cSMatt Fleming * must be at the start of the first data page. 195f0133f3cSMatt Fleming * 196f0133f3cSMatt Fleming * Even though this function will validate that the firmware supports 197f0133f3cSMatt Fleming * the capsule guid, users will likely want to check that 198f0133f3cSMatt Fleming * efi_capsule_supported() returns true before calling this function 199f0133f3cSMatt Fleming * because it makes it easier to print helpful error messages. 200f0133f3cSMatt Fleming * 201f0133f3cSMatt Fleming * If the capsule is successfully submitted to the firmware, any 202f0133f3cSMatt Fleming * subsequent calls to efi_capsule_pending() will return true. @pages 203f0133f3cSMatt Fleming * must not be released or modified if this function returns 204f0133f3cSMatt Fleming * successfully. 205f0133f3cSMatt Fleming * 206f0133f3cSMatt Fleming * Callers must be prepared for this function to fail, which can 207f0133f3cSMatt Fleming * happen if we raced with system reboot or if there is already a 208f0133f3cSMatt Fleming * pending capsule that has a reset type that conflicts with the one 209f0133f3cSMatt Fleming * required by @capsule. Do NOT use efi_capsule_pending() to detect 210f0133f3cSMatt Fleming * this conflict since that would be racy. Instead, submit the capsule 211f0133f3cSMatt Fleming * to efi_capsule_update() and check the return value. 212f0133f3cSMatt Fleming * 213f0133f3cSMatt Fleming * Return 0 on success, a converted EFI status code on failure. 214f0133f3cSMatt Fleming */ 2152a457fb3SArd Biesheuvel int efi_capsule_update(efi_capsule_header_t *capsule, phys_addr_t *pages) 216f0133f3cSMatt Fleming { 217f0133f3cSMatt Fleming u32 imagesize = capsule->imagesize; 218f0133f3cSMatt Fleming efi_guid_t guid = capsule->guid; 219f0133f3cSMatt Fleming unsigned int count, sg_count; 220f0133f3cSMatt Fleming u32 flags = capsule->flags; 221f0133f3cSMatt Fleming struct page **sg_pages; 222f0133f3cSMatt Fleming int rv, reset_type; 223f0133f3cSMatt Fleming int i, j; 224f0133f3cSMatt Fleming 225f0133f3cSMatt Fleming rv = efi_capsule_supported(guid, flags, imagesize, &reset_type); 226f0133f3cSMatt Fleming if (rv) 227f0133f3cSMatt Fleming return rv; 228f0133f3cSMatt Fleming 229f0133f3cSMatt Fleming count = DIV_ROUND_UP(imagesize, PAGE_SIZE); 230f0133f3cSMatt Fleming sg_count = sg_pages_num(count); 231f0133f3cSMatt Fleming 2326396bb22SKees Cook sg_pages = kcalloc(sg_count, sizeof(*sg_pages), GFP_KERNEL); 233f0133f3cSMatt Fleming if (!sg_pages) 234f0133f3cSMatt Fleming return -ENOMEM; 235f0133f3cSMatt Fleming 236f0133f3cSMatt Fleming for (i = 0; i < sg_count; i++) { 237f0133f3cSMatt Fleming sg_pages[i] = alloc_page(GFP_KERNEL); 238f0133f3cSMatt Fleming if (!sg_pages[i]) { 239f0133f3cSMatt Fleming rv = -ENOMEM; 240f0133f3cSMatt Fleming goto out; 241f0133f3cSMatt Fleming } 242f0133f3cSMatt Fleming } 243f0133f3cSMatt Fleming 244f0133f3cSMatt Fleming for (i = 0; i < sg_count; i++) { 245f0133f3cSMatt Fleming efi_capsule_block_desc_t *sglist; 246f0133f3cSMatt Fleming 247*91c1c092SArd Biesheuvel sglist = kmap_atomic(sg_pages[i]); 248f0133f3cSMatt Fleming 249f0133f3cSMatt Fleming for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) { 2502a457fb3SArd Biesheuvel u64 sz = min_t(u64, imagesize, 2512a457fb3SArd Biesheuvel PAGE_SIZE - (u64)*pages % PAGE_SIZE); 252f0133f3cSMatt Fleming 253f0133f3cSMatt Fleming sglist[j].length = sz; 2542a457fb3SArd Biesheuvel sglist[j].data = *pages++; 255f0133f3cSMatt Fleming 256f0133f3cSMatt Fleming imagesize -= sz; 257f0133f3cSMatt Fleming count--; 258f0133f3cSMatt Fleming } 259f0133f3cSMatt Fleming 260f0133f3cSMatt Fleming /* Continuation pointer */ 261f0133f3cSMatt Fleming sglist[j].length = 0; 262f0133f3cSMatt Fleming 263f0133f3cSMatt Fleming if (i + 1 == sg_count) 264f0133f3cSMatt Fleming sglist[j].data = 0; 265f0133f3cSMatt Fleming else 266f0133f3cSMatt Fleming sglist[j].data = page_to_phys(sg_pages[i + 1]); 267f0133f3cSMatt Fleming 268*91c1c092SArd Biesheuvel kunmap_atomic(sglist); 269f0133f3cSMatt Fleming } 270f0133f3cSMatt Fleming 271f0133f3cSMatt Fleming mutex_lock(&capsule_mutex); 272f0133f3cSMatt Fleming rv = efi_capsule_update_locked(capsule, sg_pages, reset_type); 273f0133f3cSMatt Fleming mutex_unlock(&capsule_mutex); 274f0133f3cSMatt Fleming 275f0133f3cSMatt Fleming out: 276f0133f3cSMatt Fleming for (i = 0; rv && i < sg_count; i++) { 277f0133f3cSMatt Fleming if (sg_pages[i]) 278f0133f3cSMatt Fleming __free_page(sg_pages[i]); 279f0133f3cSMatt Fleming } 280f0133f3cSMatt Fleming 281f0133f3cSMatt Fleming kfree(sg_pages); 282f0133f3cSMatt Fleming return rv; 283f0133f3cSMatt Fleming } 284f0133f3cSMatt Fleming EXPORT_SYMBOL_GPL(efi_capsule_update); 28562075e58SMatt Fleming 28662075e58SMatt Fleming static int capsule_reboot_notify(struct notifier_block *nb, unsigned long event, void *cmd) 28762075e58SMatt Fleming { 28862075e58SMatt Fleming mutex_lock(&capsule_mutex); 28962075e58SMatt Fleming stop_capsules = true; 29062075e58SMatt Fleming mutex_unlock(&capsule_mutex); 29162075e58SMatt Fleming 29262075e58SMatt Fleming return NOTIFY_DONE; 29362075e58SMatt Fleming } 29462075e58SMatt Fleming 29562075e58SMatt Fleming static struct notifier_block capsule_reboot_nb = { 29662075e58SMatt Fleming .notifier_call = capsule_reboot_notify, 29762075e58SMatt Fleming }; 29862075e58SMatt Fleming 29962075e58SMatt Fleming static int __init capsule_reboot_register(void) 30062075e58SMatt Fleming { 30162075e58SMatt Fleming return register_reboot_notifier(&capsule_reboot_nb); 30262075e58SMatt Fleming } 30362075e58SMatt Fleming core_initcall(capsule_reboot_register); 304