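/*
 * EFI capsule support.
 *
 * Copyright 2013 Intel Corporation; author Matt Fleming
 *
 * This file is part of the Linux kernel, and is made available under
 * the terms of the GNU General Public License version 2.
 */

#define pr_fmt(fmt) "efi: " fmt

#include <linux/slab.h>
#include <linux/mutex.h>
#include <linux/highmem.h>
#include <linux/efi.h>
#include <linux/vmalloc.h>
#include <asm/io.h>

/*
 * One scatter gather (block descriptor) entry. The code below fills
 * @data with a physical address and @length with a byte count; an entry
 * with @length == 0 is used as the continuation pointer of a page.
 */
typedef struct {
	u64 length;
	u64 data;
} efi_capsule_block_desc_t;

static bool capsule_pending;
static int efi_reset_type = -1;

/*
 * capsule_mutex serialises access to both capsule_pending and
 * efi_reset_type.
 */
static DEFINE_MUTEX(capsule_mutex);

/**
 * efi_capsule_pending - has a capsule been passed to the firmware?
 * @reset_type: store the type of EFI reset if capsule is pending
 *
 * To ensure that the registered capsule is processed correctly by the
 * firmware we need to perform a specific type of reset. If a capsule is
 * pending return the reset type in @reset_type. @reset_type may be NULL,
 * in which case only the pending state is reported.
 *
 * This function will race with callers of efi_capsule_update(), for
 * example, calling this function while somebody else is in
 * efi_capsule_update() but hasn't reached efi_capsule_update_locked()
 * will miss the updates to capsule_pending and efi_reset_type after
 * efi_capsule_update_locked() completes.
 *
 * A non-racy use is from platform reboot code because we use
 * system_state to ensure no capsules can be sent to the firmware once
 * we're at SYSTEM_RESTART. See efi_capsule_update_locked().
 *
 * Return: true if a capsule is pending, false otherwise.
 */
bool efi_capsule_pending(int *reset_type)
{
	bool rv = false;

	mutex_lock(&capsule_mutex);
	if (!capsule_pending)
		goto out;

	if (reset_type)
		*reset_type = efi_reset_type;
	rv = true;
out:
	mutex_unlock(&capsule_mutex);
	return rv;
}

/*
 * Whitelist of EFI capsule flags that we support.
 *
 * We do not handle EFI_CAPSULE_INITIATE_RESET because that would
 * require us to prepare the kernel for reboot. Refuse to load any
 * capsules with that flag and any other flags that we do not know how
 * to handle.
 */
#define EFI_CAPSULE_SUPPORTED_FLAG_MASK			\
	(EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE)

/**
 * efi_capsule_supported - does the firmware support the capsule?
 * @guid: vendor guid of capsule
 * @flags: capsule flags
 * @size: size of capsule data
 * @reset: the reset type required for this capsule
 *
 * Check whether a capsule with @flags is supported by the firmware
 * and that @size doesn't exceed the maximum size for a capsule.
 *
 * No attempt is made to check @reset against the reset type required
 * by any pending capsules because of the races involved.
 *
 * Return: 0 if the capsule is supported, -EINVAL if @flags contains a
 * bit outside EFI_CAPSULE_SUPPORTED_FLAG_MASK, -ENOMEM if the temporary
 * header cannot be allocated, -ENOSPC if @size exceeds the maximum
 * reported by the firmware, or a converted EFI status code if the
 * firmware query fails.
 */
int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
{
	efi_capsule_header_t *capsule;
	efi_status_t status;
	u64 max_size;
	int rv = 0;

	/* Reject unknown flags before anything is handed to the firmware. */
	if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
		return -EINVAL;

	capsule = kmalloc(sizeof(*capsule), GFP_KERNEL);
	if (!capsule)
		return -ENOMEM;

	/*
	 * The query only needs a header: build a header-only capsule that
	 * carries the caller's guid and flags.
	 */
	capsule->headersize = capsule->imagesize = sizeof(*capsule);
	memcpy(&capsule->guid, &guid, sizeof(efi_guid_t));
	capsule->flags = flags;

	status = efi.query_capsule_caps(&capsule, 1, &max_size, reset);
	if (status != EFI_SUCCESS) {
		rv = efi_status_to_err(status);
		goto out;
	}

	if (size > max_size)
		rv = -ENOSPC;
out:
	kfree(capsule);
	return rv;
}
EXPORT_SYMBOL_GPL(efi_capsule_supported);

/*
 * Every scatter gather list (block descriptor) page must end with a
 * continuation pointer. The last continuation pointer of the last
 * page must be zero to mark the end of the chain.
 */
#define SGLIST_PER_PAGE	((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1)

/*
 * How many scatter gather list (block descriptor) pages do we need
 * to map @count pages?
 */
static inline unsigned int sg_pages_num(unsigned int count)
{
	return DIV_ROUND_UP(count, SGLIST_PER_PAGE);
}

/**
 * efi_capsule_update_locked - pass a single capsule to the firmware
 * @capsule: capsule to send to the firmware
 * @sg_pages: array of scatter gather (block descriptor) pages
 * @reset: the reset type required for @capsule
 *
 * Since this function must be called under capsule_mutex check
 * whether efi_reset_type will conflict with @reset, and atomically
 * set it and capsule_pending if a capsule was successfully sent to
 * the firmware.
 *
 * We also check to see if the system is about to restart, and if so,
 * abort. This avoids races between efi_capsule_update() and
 * efi_capsule_pending().
 *
 * @sg_pages must contain at least one page: @sg_pages[0] is read
 * unconditionally to obtain the physical address of the list.
 *
 * Return: 0 on success, -EINVAL on a reset type conflict or a race with
 * reboot, otherwise a converted EFI status code.
 */
static int
efi_capsule_update_locked(efi_capsule_header_t *capsule,
			  struct page **sg_pages, int reset)
{
	efi_physical_addr_t sglist_phys;
	efi_status_t status;

	lockdep_assert_held(&capsule_mutex);

	/*
	 * If someone has already registered a capsule that requires a
	 * different reset type, we're out of luck and must abort.
	 */
	if (efi_reset_type >= 0 && efi_reset_type != reset) {
		pr_err("Conflicting capsule reset type %d (%d).\n",
		       reset, efi_reset_type);
		return -EINVAL;
	}

	/*
	 * If the system is getting ready to restart it may have
	 * called efi_capsule_pending() to make decisions (such as
	 * whether to force an EFI reboot), and we're racing against
	 * that call. Abort in that case.
	 */
	if (unlikely(system_state == SYSTEM_RESTART)) {
		pr_warn("Capsule update raced with reboot, aborting.\n");
		return -EINVAL;
	}

	sglist_phys = page_to_phys(sg_pages[0]);

	status = efi.update_capsule(&capsule, 1, sglist_phys);
	if (status == EFI_SUCCESS) {
		capsule_pending = true;
		efi_reset_type = reset;
	}

	return efi_status_to_err(status);
}

/**
 * efi_capsule_update - send a capsule to the firmware
 * @capsule: capsule to send to firmware
 * @pages: an array of capsule data pages
 *
 * Build a scatter gather list with EFI capsule block descriptors to
 * map the capsule described by @capsule with its data in @pages and
 * send it to the firmware via the UpdateCapsule() runtime service.
 *
 * @capsule must be a virtual mapping of the first page in @pages
 * (@pages[0]) in the kernel address space. That is, a
 * capsule_header_t that describes the entire contents of the capsule
 * must be at the start of the first data page.
 *
 * The number of entries consumed from @pages is derived from
 * @capsule->imagesize alone; the length of the array is not known
 * here. Callers must make sure @pages holds at least
 * DIV_ROUND_UP(@capsule->imagesize, PAGE_SIZE) entries before calling.
 *
 * Even though this function will validate that the firmware supports
 * the capsule guid, users will likely want to check that
 * efi_capsule_supported() returns 0 before calling this function
 * because it makes it easier to print helpful error messages.
 *
 * If the capsule is successfully submitted to the firmware, any
 * subsequent calls to efi_capsule_pending() will return true. @pages
 * must not be released or modified if this function returns
 * successfully.
 *
 * Callers must be prepared for this function to fail, which can
 * happen if we raced with system reboot or if there is already a
 * pending capsule that has a reset type that conflicts with the one
 * required by @capsule. Do NOT use efi_capsule_pending() to detect
 * this conflict since that would be racy. Instead, submit the capsule
 * to efi_capsule_update() and check the return value.
 *
 * Return 0 on success, -EINVAL for a capsule whose imagesize is zero,
 * -ENOMEM on allocation failure, or a converted EFI status code on
 * failure.
 */
int efi_capsule_update(efi_capsule_header_t *capsule, struct page **pages)
{
	/*
	 * Read the header fields once: the support check and the scatter
	 * gather construction below then work from the same values.
	 */
	u32 imagesize = capsule->imagesize;
	efi_guid_t guid = capsule->guid;
	unsigned int count, sg_count;
	u32 flags = capsule->flags;
	struct page **sg_pages;
	int rv, reset_type;
	unsigned int i, j;

	rv = efi_capsule_supported(guid, flags, imagesize, &reset_type);
	if (rv)
		return rv;

	count = DIV_ROUND_UP(imagesize, PAGE_SIZE);

	/*
	 * An imagesize of zero gives count == 0 and sg_count == 0, which
	 * would leave the sg_pages array empty while
	 * efi_capsule_update_locked() reads sg_pages[0]. Reject it here.
	 */
	if (!count)
		return -EINVAL;

	sg_count = sg_pages_num(count);

	/* kcalloc() checks the count * size multiplication for overflow. */
	sg_pages = kcalloc(sg_count, sizeof(*sg_pages), GFP_KERNEL);
	if (!sg_pages)
		return -ENOMEM;

	for (i = 0; i < sg_count; i++) {
		sg_pages[i] = alloc_page(GFP_KERNEL);
		if (!sg_pages[i]) {
			rv = -ENOMEM;
			goto out;
		}
	}

	for (i = 0; i < sg_count; i++) {
		efi_capsule_block_desc_t *sglist;

		sglist = kmap(sg_pages[i]);
		if (!sglist) {
			rv = -ENOMEM;
			goto out;
		}

		/* One descriptor per data page; the last one may be short. */
		for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) {
			u64 sz = min_t(u64, imagesize, PAGE_SIZE);

			sglist[j].length = sz;
			sglist[j].data = page_to_phys(*pages++);

			imagesize -= sz;
			count--;
		}

		/* Continuation pointer */
		sglist[j].length = 0;

		if (i + 1 == sg_count)
			sglist[j].data = 0;
		else
			sglist[j].data = page_to_phys(sg_pages[i + 1]);

		kunmap(sg_pages[i]);
	}

	mutex_lock(&capsule_mutex);
	rv = efi_capsule_update_locked(capsule, sg_pages, reset_type);
	mutex_unlock(&capsule_mutex);

out:
	/*
	 * The descriptor pages are freed only on failure. On success they
	 * are deliberately left allocated, since their physical addresses
	 * were handed to the firmware; only the pointer array is released.
	 */
	for (i = 0; rv && i < sg_count; i++) {
		if (sg_pages[i])
			__free_page(sg_pages[i]);
	}

	kfree(sg_pages);
	return rv;
}
EXPORT_SYMBOL_GPL(efi_capsule_update);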