1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * Bluetooth support for Intel devices 5 * 6 * Copyright (C) 2015 Intel Corporation 7 */ 8 9 #include <linux/module.h> 10 #include <linux/firmware.h> 11 #include <linux/regmap.h> 12 #include <linux/acpi.h> 13 #include <acpi/acpi_bus.h> 14 #include <asm/unaligned.h> 15 16 #include <net/bluetooth/bluetooth.h> 17 #include <net/bluetooth/hci_core.h> 18 19 #include "btintel.h" 20 21 #define VERSION "0.1" 22 23 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 24 #define RSA_HEADER_LEN 644 25 #define CSS_HEADER_OFFSET 8 26 #define ECDSA_OFFSET 644 27 #define ECDSA_HEADER_LEN 320 28 29 enum { 30 DSM_SET_WDISABLE2_DELAY = 1, 31 DSM_SET_RESET_METHOD = 3, 32 }; 33 34 #define CMD_WRITE_BOOT_PARAMS 0xfc0e 35 struct cmd_write_boot_params { 36 __le32 boot_addr; 37 u8 fw_build_num; 38 u8 fw_build_ww; 39 u8 fw_build_yy; 40 } __packed; 41 42 static struct { 43 const char *driver_name; 44 u8 hw_variant; 45 u32 fw_build_num; 46 } coredump_info; 47 48 static const guid_t btintel_guid_dsm = 49 GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233, 50 0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9); 51 52 int btintel_check_bdaddr(struct hci_dev *hdev) 53 { 54 struct hci_rp_read_bd_addr *bda; 55 struct sk_buff *skb; 56 57 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 58 HCI_INIT_TIMEOUT); 59 if (IS_ERR(skb)) { 60 int err = PTR_ERR(skb); 61 bt_dev_err(hdev, "Reading Intel device address failed (%d)", 62 err); 63 return err; 64 } 65 66 if (skb->len != sizeof(*bda)) { 67 bt_dev_err(hdev, "Intel device address length mismatch"); 68 kfree_skb(skb); 69 return -EIO; 70 } 71 72 bda = (struct hci_rp_read_bd_addr *)skb->data; 73 74 /* For some Intel based controllers, the default Bluetooth device 75 * address 00:03:19:9E:8B:00 can be found. These controllers are 76 * fully operational, but have the danger of duplicate addresses 77 * and that in turn can cause problems with Bluetooth operation. 78 */ 79 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) { 80 bt_dev_err(hdev, "Found Intel default device address (%pMR)", 81 &bda->bdaddr); 82 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 83 } 84 85 kfree_skb(skb); 86 87 return 0; 88 } 89 EXPORT_SYMBOL_GPL(btintel_check_bdaddr); 90 91 int btintel_enter_mfg(struct hci_dev *hdev) 92 { 93 static const u8 param[] = { 0x01, 0x00 }; 94 struct sk_buff *skb; 95 96 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 97 if (IS_ERR(skb)) { 98 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)", 99 PTR_ERR(skb)); 100 return PTR_ERR(skb); 101 } 102 kfree_skb(skb); 103 104 return 0; 105 } 106 EXPORT_SYMBOL_GPL(btintel_enter_mfg); 107 108 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched) 109 { 110 u8 param[] = { 0x00, 0x00 }; 111 struct sk_buff *skb; 112 113 /* The 2nd command parameter specifies the manufacturing exit method: 114 * 0x00: Just disable the manufacturing mode (0x00). 115 * 0x01: Disable manufacturing mode and reset with patches deactivated. 116 * 0x02: Disable manufacturing mode and reset with patches activated. 117 */ 118 if (reset) 119 param[1] |= patched ? 0x02 : 0x01; 120 121 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 122 if (IS_ERR(skb)) { 123 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)", 124 PTR_ERR(skb)); 125 return PTR_ERR(skb); 126 } 127 kfree_skb(skb); 128 129 return 0; 130 } 131 EXPORT_SYMBOL_GPL(btintel_exit_mfg); 132 133 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 134 { 135 struct sk_buff *skb; 136 int err; 137 138 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 139 if (IS_ERR(skb)) { 140 err = PTR_ERR(skb); 141 bt_dev_err(hdev, "Changing Intel device address failed (%d)", 142 err); 143 return err; 144 } 145 kfree_skb(skb); 146 147 return 0; 148 } 149 EXPORT_SYMBOL_GPL(btintel_set_bdaddr); 150 151 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug) 152 { 153 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 154 struct sk_buff *skb; 155 int err; 156 157 if (debug) 158 mask[1] |= 0x62; 159 160 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT); 161 if (IS_ERR(skb)) { 162 err = PTR_ERR(skb); 163 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err); 164 return err; 165 } 166 kfree_skb(skb); 167 168 return 0; 169 } 170 171 int btintel_set_diag(struct hci_dev *hdev, bool enable) 172 { 173 struct sk_buff *skb; 174 u8 param[3]; 175 int err; 176 177 if (enable) { 178 param[0] = 0x03; 179 param[1] = 0x03; 180 param[2] = 0x03; 181 } else { 182 param[0] = 0x00; 183 param[1] = 0x00; 184 param[2] = 0x00; 185 } 186 187 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT); 188 if (IS_ERR(skb)) { 189 err = PTR_ERR(skb); 190 if (err == -ENODATA) 191 goto done; 192 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)", 193 err); 194 return err; 195 } 196 kfree_skb(skb); 197 198 done: 199 btintel_set_event_mask(hdev, enable); 200 return 0; 201 } 202 EXPORT_SYMBOL_GPL(btintel_set_diag); 203 204 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable) 205 { 206 int err, ret; 207 208 err = btintel_enter_mfg(hdev); 209 if (err) 210 return err; 211 212 ret = btintel_set_diag(hdev, enable); 213 214 err = btintel_exit_mfg(hdev, false, false); 215 if (err) 216 return err; 217 218 return ret; 219 } 220 221 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable) 222 { 223 int ret; 224 225 /* Legacy ROM device needs to be in the manufacturer mode to apply 226 * diagnostic setting 227 * 228 * This flag is set after reading the Intel version. 229 */ 230 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY)) 231 ret = btintel_set_diag_mfg(hdev, enable); 232 else 233 ret = btintel_set_diag(hdev, enable); 234 235 return ret; 236 } 237 238 static void btintel_hw_error(struct hci_dev *hdev, u8 code) 239 { 240 struct sk_buff *skb; 241 u8 type = 0x00; 242 243 bt_dev_err(hdev, "Hardware error 0x%2.2x", code); 244 245 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 246 if (IS_ERR(skb)) { 247 bt_dev_err(hdev, "Reset after hardware error failed (%ld)", 248 PTR_ERR(skb)); 249 return; 250 } 251 kfree_skb(skb); 252 253 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 254 if (IS_ERR(skb)) { 255 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)", 256 PTR_ERR(skb)); 257 return; 258 } 259 260 if (skb->len != 13) { 261 bt_dev_err(hdev, "Exception info size mismatch"); 262 kfree_skb(skb); 263 return; 264 } 265 266 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1)); 267 268 kfree_skb(skb); 269 } 270 271 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver) 272 { 273 const char *variant; 274 275 /* The hardware platform number has a fixed value of 0x37 and 276 * for now only accept this single value. 277 */ 278 if (ver->hw_platform != 0x37) { 279 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)", 280 ver->hw_platform); 281 return -EINVAL; 282 } 283 284 /* Check for supported iBT hardware variants of this firmware 285 * loading method. 286 * 287 * This check has been put in place to ensure correct forward 288 * compatibility options when newer hardware variants come along. 289 */ 290 switch (ver->hw_variant) { 291 case 0x07: /* WP - Legacy ROM */ 292 case 0x08: /* StP - Legacy ROM */ 293 case 0x0b: /* SfP */ 294 case 0x0c: /* WsP */ 295 case 0x11: /* JfP */ 296 case 0x12: /* ThP */ 297 case 0x13: /* HrP */ 298 case 0x14: /* CcP */ 299 break; 300 default: 301 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)", 302 ver->hw_variant); 303 return -EINVAL; 304 } 305 306 switch (ver->fw_variant) { 307 case 0x01: 308 variant = "Legacy ROM 2.5"; 309 break; 310 case 0x06: 311 variant = "Bootloader"; 312 break; 313 case 0x22: 314 variant = "Legacy ROM 2.x"; 315 break; 316 case 0x23: 317 variant = "Firmware"; 318 break; 319 default: 320 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant); 321 return -EINVAL; 322 } 323 324 coredump_info.hw_variant = ver->hw_variant; 325 coredump_info.fw_build_num = ver->fw_build_num; 326 327 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u", 328 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 329 ver->fw_build_num, ver->fw_build_ww, 330 2000 + ver->fw_build_yy); 331 332 return 0; 333 } 334 EXPORT_SYMBOL_GPL(btintel_version_info); 335 336 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen, 337 const void *param) 338 { 339 while (plen > 0) { 340 struct sk_buff *skb; 341 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 342 343 cmd_param[0] = fragment_type; 344 memcpy(cmd_param + 1, param, fragment_len); 345 346 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 347 cmd_param, HCI_INIT_TIMEOUT); 348 if (IS_ERR(skb)) 349 return PTR_ERR(skb); 350 351 kfree_skb(skb); 352 353 plen -= fragment_len; 354 param += fragment_len; 355 } 356 357 return 0; 358 } 359 360 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name) 361 { 362 const struct firmware *fw; 363 struct sk_buff *skb; 364 const u8 *fw_ptr; 365 int err; 366 367 err = request_firmware_direct(&fw, ddc_name, &hdev->dev); 368 if (err < 0) { 369 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)", 370 ddc_name, err); 371 return err; 372 } 373 374 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name); 375 376 fw_ptr = fw->data; 377 378 /* DDC file contains one or more DDC structure which has 379 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 380 */ 381 while (fw->size > fw_ptr - fw->data) { 382 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 383 384 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 385 HCI_INIT_TIMEOUT); 386 if (IS_ERR(skb)) { 387 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)", 388 PTR_ERR(skb)); 389 release_firmware(fw); 390 return PTR_ERR(skb); 391 } 392 393 fw_ptr += cmd_plen; 394 kfree_skb(skb); 395 } 396 397 release_firmware(fw); 398 399 bt_dev_info(hdev, "Applying Intel DDC parameters completed"); 400 401 return 0; 402 } 403 EXPORT_SYMBOL_GPL(btintel_load_ddc_config); 404 405 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug) 406 { 407 int err, ret; 408 409 err = btintel_enter_mfg(hdev); 410 if (err) 411 return err; 412 413 ret = btintel_set_event_mask(hdev, debug); 414 415 err = btintel_exit_mfg(hdev, false, false); 416 if (err) 417 return err; 418 419 return ret; 420 } 421 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg); 422 423 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) 424 { 425 struct sk_buff *skb; 426 427 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); 428 if (IS_ERR(skb)) { 429 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 430 PTR_ERR(skb)); 431 return PTR_ERR(skb); 432 } 433 434 if (!skb || skb->len != sizeof(*ver)) { 435 bt_dev_err(hdev, "Intel version event size mismatch"); 436 kfree_skb(skb); 437 return -EILSEQ; 438 } 439 440 memcpy(ver, skb->data, sizeof(*ver)); 441 442 kfree_skb(skb); 443 444 return 0; 445 } 446 EXPORT_SYMBOL_GPL(btintel_read_version); 447 448 static int btintel_version_info_tlv(struct hci_dev *hdev, 449 struct intel_version_tlv *version) 450 { 451 const char *variant; 452 453 /* The hardware platform number has a fixed value of 0x37 and 454 * for now only accept this single value. 455 */ 456 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) { 457 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 458 INTEL_HW_PLATFORM(version->cnvi_bt)); 459 return -EINVAL; 460 } 461 462 /* Check for supported iBT hardware variants of this firmware 463 * loading method. 464 * 465 * This check has been put in place to ensure correct forward 466 * compatibility options when newer hardware variants come along. 467 */ 468 switch (INTEL_HW_VARIANT(version->cnvi_bt)) { 469 case 0x17: /* TyP */ 470 case 0x18: /* Slr */ 471 case 0x19: /* Slr-F */ 472 case 0x1b: /* Mgr */ 473 case 0x1c: /* Gale Peak (GaP) */ 474 break; 475 default: 476 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)", 477 INTEL_HW_VARIANT(version->cnvi_bt)); 478 return -EINVAL; 479 } 480 481 switch (version->img_type) { 482 case 0x01: 483 variant = "Bootloader"; 484 /* It is required that every single firmware fragment is acknowledged 485 * with a command complete event. If the boot parameters indicate 486 * that this bootloader does not send them, then abort the setup. 487 */ 488 if (version->limited_cce != 0x00) { 489 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)", 490 version->limited_cce); 491 return -EINVAL; 492 } 493 494 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */ 495 if (version->sbe_type > 0x01) { 496 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)", 497 version->sbe_type); 498 return -EINVAL; 499 } 500 501 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id); 502 bt_dev_info(hdev, "Secure boot is %s", 503 version->secure_boot ? "enabled" : "disabled"); 504 bt_dev_info(hdev, "OTP lock is %s", 505 version->otp_lock ? "enabled" : "disabled"); 506 bt_dev_info(hdev, "API lock is %s", 507 version->api_lock ? "enabled" : "disabled"); 508 bt_dev_info(hdev, "Debug lock is %s", 509 version->debug_lock ? "enabled" : "disabled"); 510 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 511 version->min_fw_build_nn, version->min_fw_build_cw, 512 2000 + version->min_fw_build_yy); 513 break; 514 case 0x03: 515 variant = "Firmware"; 516 break; 517 default: 518 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type); 519 return -EINVAL; 520 } 521 522 coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt); 523 coredump_info.fw_build_num = version->build_num; 524 525 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant, 526 2000 + (version->timestamp >> 8), version->timestamp & 0xff, 527 version->build_type, version->build_num); 528 529 return 0; 530 } 531 532 static int btintel_parse_version_tlv(struct hci_dev *hdev, 533 struct intel_version_tlv *version, 534 struct sk_buff *skb) 535 { 536 /* Consume Command Complete Status field */ 537 skb_pull(skb, 1); 538 539 /* Event parameters contatin multiple TLVs. Read each of them 540 * and only keep the required data. Also, it use existing legacy 541 * version field like hw_platform, hw_variant, and fw_variant 542 * to keep the existing setup flow 543 */ 544 while (skb->len) { 545 struct intel_tlv *tlv; 546 547 /* Make sure skb has a minimum length of the header */ 548 if (skb->len < sizeof(*tlv)) 549 return -EINVAL; 550 551 tlv = (struct intel_tlv *)skb->data; 552 553 /* Make sure skb has a enough data */ 554 if (skb->len < tlv->len + sizeof(*tlv)) 555 return -EINVAL; 556 557 switch (tlv->type) { 558 case INTEL_TLV_CNVI_TOP: 559 version->cnvi_top = get_unaligned_le32(tlv->val); 560 break; 561 case INTEL_TLV_CNVR_TOP: 562 version->cnvr_top = get_unaligned_le32(tlv->val); 563 break; 564 case INTEL_TLV_CNVI_BT: 565 version->cnvi_bt = get_unaligned_le32(tlv->val); 566 break; 567 case INTEL_TLV_CNVR_BT: 568 version->cnvr_bt = get_unaligned_le32(tlv->val); 569 break; 570 case INTEL_TLV_DEV_REV_ID: 571 version->dev_rev_id = get_unaligned_le16(tlv->val); 572 break; 573 case INTEL_TLV_IMAGE_TYPE: 574 version->img_type = tlv->val[0]; 575 break; 576 case INTEL_TLV_TIME_STAMP: 577 /* If image type is Operational firmware (0x03), then 578 * running FW Calendar Week and Year information can 579 * be extracted from Timestamp information 580 */ 581 version->min_fw_build_cw = tlv->val[0]; 582 version->min_fw_build_yy = tlv->val[1]; 583 version->timestamp = get_unaligned_le16(tlv->val); 584 break; 585 case INTEL_TLV_BUILD_TYPE: 586 version->build_type = tlv->val[0]; 587 break; 588 case INTEL_TLV_BUILD_NUM: 589 /* If image type is Operational firmware (0x03), then 590 * running FW build number can be extracted from the 591 * Build information 592 */ 593 version->min_fw_build_nn = tlv->val[0]; 594 version->build_num = get_unaligned_le32(tlv->val); 595 break; 596 case INTEL_TLV_SECURE_BOOT: 597 version->secure_boot = tlv->val[0]; 598 break; 599 case INTEL_TLV_OTP_LOCK: 600 version->otp_lock = tlv->val[0]; 601 break; 602 case INTEL_TLV_API_LOCK: 603 version->api_lock = tlv->val[0]; 604 break; 605 case INTEL_TLV_DEBUG_LOCK: 606 version->debug_lock = tlv->val[0]; 607 break; 608 case INTEL_TLV_MIN_FW: 609 version->min_fw_build_nn = tlv->val[0]; 610 version->min_fw_build_cw = tlv->val[1]; 611 version->min_fw_build_yy = tlv->val[2]; 612 break; 613 case INTEL_TLV_LIMITED_CCE: 614 version->limited_cce = tlv->val[0]; 615 break; 616 case INTEL_TLV_SBE_TYPE: 617 version->sbe_type = tlv->val[0]; 618 break; 619 case INTEL_TLV_OTP_BDADDR: 620 memcpy(&version->otp_bd_addr, tlv->val, 621 sizeof(bdaddr_t)); 622 break; 623 default: 624 /* Ignore rest of information */ 625 break; 626 } 627 /* consume the current tlv and move to next*/ 628 skb_pull(skb, tlv->len + sizeof(*tlv)); 629 } 630 631 return 0; 632 } 633 634 static int btintel_read_version_tlv(struct hci_dev *hdev, 635 struct intel_version_tlv *version) 636 { 637 struct sk_buff *skb; 638 const u8 param[1] = { 0xFF }; 639 640 if (!version) 641 return -EINVAL; 642 643 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 644 if (IS_ERR(skb)) { 645 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 646 PTR_ERR(skb)); 647 return PTR_ERR(skb); 648 } 649 650 if (skb->data[0]) { 651 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 652 skb->data[0]); 653 kfree_skb(skb); 654 return -EIO; 655 } 656 657 btintel_parse_version_tlv(hdev, version, skb); 658 659 kfree_skb(skb); 660 return 0; 661 } 662 663 /* ------- REGMAP IBT SUPPORT ------- */ 664 665 #define IBT_REG_MODE_8BIT 0x00 666 #define IBT_REG_MODE_16BIT 0x01 667 #define IBT_REG_MODE_32BIT 0x02 668 669 struct regmap_ibt_context { 670 struct hci_dev *hdev; 671 __u16 op_write; 672 __u16 op_read; 673 }; 674 675 struct ibt_cp_reg_access { 676 __le32 addr; 677 __u8 mode; 678 __u8 len; 679 __u8 data[]; 680 } __packed; 681 682 struct ibt_rp_reg_access { 683 __u8 status; 684 __le32 addr; 685 __u8 data[]; 686 } __packed; 687 688 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size, 689 void *val, size_t val_size) 690 { 691 struct regmap_ibt_context *ctx = context; 692 struct ibt_cp_reg_access cp; 693 struct ibt_rp_reg_access *rp; 694 struct sk_buff *skb; 695 int err = 0; 696 697 if (reg_size != sizeof(__le32)) 698 return -EINVAL; 699 700 switch (val_size) { 701 case 1: 702 cp.mode = IBT_REG_MODE_8BIT; 703 break; 704 case 2: 705 cp.mode = IBT_REG_MODE_16BIT; 706 break; 707 case 4: 708 cp.mode = IBT_REG_MODE_32BIT; 709 break; 710 default: 711 return -EINVAL; 712 } 713 714 /* regmap provides a little-endian formatted addr */ 715 cp.addr = *(__le32 *)addr; 716 cp.len = val_size; 717 718 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr)); 719 720 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp, 721 HCI_CMD_TIMEOUT); 722 if (IS_ERR(skb)) { 723 err = PTR_ERR(skb); 724 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)", 725 le32_to_cpu(cp.addr), err); 726 return err; 727 } 728 729 if (skb->len != sizeof(*rp) + val_size) { 730 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len", 731 le32_to_cpu(cp.addr)); 732 err = -EINVAL; 733 goto done; 734 } 735 736 rp = (struct ibt_rp_reg_access *)skb->data; 737 738 if (rp->addr != cp.addr) { 739 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr", 740 le32_to_cpu(rp->addr)); 741 err = -EINVAL; 742 goto done; 743 } 744 745 memcpy(val, rp->data, val_size); 746 747 done: 748 kfree_skb(skb); 749 return err; 750 } 751 752 static int regmap_ibt_gather_write(void *context, 753 const void *addr, size_t reg_size, 754 const void *val, size_t val_size) 755 { 756 struct regmap_ibt_context *ctx = context; 757 struct ibt_cp_reg_access *cp; 758 struct sk_buff *skb; 759 int plen = sizeof(*cp) + val_size; 760 u8 mode; 761 int err = 0; 762 763 if (reg_size != sizeof(__le32)) 764 return -EINVAL; 765 766 switch (val_size) { 767 case 1: 768 mode = IBT_REG_MODE_8BIT; 769 break; 770 case 2: 771 mode = IBT_REG_MODE_16BIT; 772 break; 773 case 4: 774 mode = IBT_REG_MODE_32BIT; 775 break; 776 default: 777 return -EINVAL; 778 } 779 780 cp = kmalloc(plen, GFP_KERNEL); 781 if (!cp) 782 return -ENOMEM; 783 784 /* regmap provides a little-endian formatted addr/value */ 785 cp->addr = *(__le32 *)addr; 786 cp->mode = mode; 787 cp->len = val_size; 788 memcpy(&cp->data, val, val_size); 789 790 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr)); 791 792 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT); 793 if (IS_ERR(skb)) { 794 err = PTR_ERR(skb); 795 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)", 796 le32_to_cpu(cp->addr), err); 797 goto done; 798 } 799 kfree_skb(skb); 800 801 done: 802 kfree(cp); 803 return err; 804 } 805 806 static int regmap_ibt_write(void *context, const void *data, size_t count) 807 { 808 /* data contains register+value, since we only support 32bit addr, 809 * minimum data size is 4 bytes. 810 */ 811 if (WARN_ONCE(count < 4, "Invalid register access")) 812 return -EINVAL; 813 814 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4); 815 } 816 817 static void regmap_ibt_free_context(void *context) 818 { 819 kfree(context); 820 } 821 822 static const struct regmap_bus regmap_ibt = { 823 .read = regmap_ibt_read, 824 .write = regmap_ibt_write, 825 .gather_write = regmap_ibt_gather_write, 826 .free_context = regmap_ibt_free_context, 827 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE, 828 .val_format_endian_default = REGMAP_ENDIAN_LITTLE, 829 }; 830 831 /* Config is the same for all register regions */ 832 static const struct regmap_config regmap_ibt_cfg = { 833 .name = "btintel_regmap", 834 .reg_bits = 32, 835 .val_bits = 32, 836 }; 837 838 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read, 839 u16 opcode_write) 840 { 841 struct regmap_ibt_context *ctx; 842 843 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read, 844 opcode_write); 845 846 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 847 if (!ctx) 848 return ERR_PTR(-ENOMEM); 849 850 ctx->op_read = opcode_read; 851 ctx->op_write = opcode_write; 852 ctx->hdev = hdev; 853 854 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg); 855 } 856 EXPORT_SYMBOL_GPL(btintel_regmap_init); 857 858 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param) 859 { 860 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 }; 861 struct sk_buff *skb; 862 863 params.boot_param = cpu_to_le32(boot_param); 864 865 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms, 866 HCI_INIT_TIMEOUT); 867 if (IS_ERR(skb)) { 868 bt_dev_err(hdev, "Failed to send Intel Reset command"); 869 return PTR_ERR(skb); 870 } 871 872 kfree_skb(skb); 873 874 return 0; 875 } 876 EXPORT_SYMBOL_GPL(btintel_send_intel_reset); 877 878 int btintel_read_boot_params(struct hci_dev *hdev, 879 struct intel_boot_params *params) 880 { 881 struct sk_buff *skb; 882 883 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 884 if (IS_ERR(skb)) { 885 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)", 886 PTR_ERR(skb)); 887 return PTR_ERR(skb); 888 } 889 890 if (skb->len != sizeof(*params)) { 891 bt_dev_err(hdev, "Intel boot parameters size mismatch"); 892 kfree_skb(skb); 893 return -EILSEQ; 894 } 895 896 memcpy(params, skb->data, sizeof(*params)); 897 898 kfree_skb(skb); 899 900 if (params->status) { 901 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)", 902 params->status); 903 return -bt_to_errno(params->status); 904 } 905 906 bt_dev_info(hdev, "Device revision is %u", 907 le16_to_cpu(params->dev_revid)); 908 909 bt_dev_info(hdev, "Secure boot is %s", 910 params->secure_boot ? "enabled" : "disabled"); 911 912 bt_dev_info(hdev, "OTP lock is %s", 913 params->otp_lock ? "enabled" : "disabled"); 914 915 bt_dev_info(hdev, "API lock is %s", 916 params->api_lock ? "enabled" : "disabled"); 917 918 bt_dev_info(hdev, "Debug lock is %s", 919 params->debug_lock ? "enabled" : "disabled"); 920 921 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 922 params->min_fw_build_nn, params->min_fw_build_cw, 923 2000 + params->min_fw_build_yy); 924 925 return 0; 926 } 927 EXPORT_SYMBOL_GPL(btintel_read_boot_params); 928 929 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev, 930 const struct firmware *fw) 931 { 932 int err; 933 934 /* Start the firmware download transaction with the Init fragment 935 * represented by the 128 bytes of CSS header. 936 */ 937 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 938 if (err < 0) { 939 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 940 goto done; 941 } 942 943 /* Send the 256 bytes of public key information from the firmware 944 * as the PKey fragment. 945 */ 946 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 947 if (err < 0) { 948 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 949 goto done; 950 } 951 952 /* Send the 256 bytes of signature information from the firmware 953 * as the Sign fragment. 954 */ 955 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 956 if (err < 0) { 957 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err); 958 goto done; 959 } 960 961 done: 962 return err; 963 } 964 965 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev, 966 const struct firmware *fw) 967 { 968 int err; 969 970 /* Start the firmware download transaction with the Init fragment 971 * represented by the 128 bytes of CSS header. 972 */ 973 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644); 974 if (err < 0) { 975 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 976 return err; 977 } 978 979 /* Send the 96 bytes of public key information from the firmware 980 * as the PKey fragment. 981 */ 982 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128); 983 if (err < 0) { 984 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 985 return err; 986 } 987 988 /* Send the 96 bytes of signature information from the firmware 989 * as the Sign fragment 990 */ 991 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224); 992 if (err < 0) { 993 bt_dev_err(hdev, "Failed to send firmware signature (%d)", 994 err); 995 return err; 996 } 997 return 0; 998 } 999 1000 static int btintel_download_firmware_payload(struct hci_dev *hdev, 1001 const struct firmware *fw, 1002 size_t offset) 1003 { 1004 int err; 1005 const u8 *fw_ptr; 1006 u32 frag_len; 1007 1008 fw_ptr = fw->data + offset; 1009 frag_len = 0; 1010 err = -EINVAL; 1011 1012 while (fw_ptr - fw->data < fw->size) { 1013 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 1014 1015 frag_len += sizeof(*cmd) + cmd->plen; 1016 1017 /* The parameter length of the secure send command requires 1018 * a 4 byte alignment. It happens so that the firmware file 1019 * contains proper Intel_NOP commands to align the fragments 1020 * as needed. 1021 * 1022 * Send set of commands with 4 byte alignment from the 1023 * firmware data buffer as a single Data fragement. 1024 */ 1025 if (!(frag_len % 4)) { 1026 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 1027 if (err < 0) { 1028 bt_dev_err(hdev, 1029 "Failed to send firmware data (%d)", 1030 err); 1031 goto done; 1032 } 1033 1034 fw_ptr += frag_len; 1035 frag_len = 0; 1036 } 1037 } 1038 1039 done: 1040 return err; 1041 } 1042 1043 static bool btintel_firmware_version(struct hci_dev *hdev, 1044 u8 num, u8 ww, u8 yy, 1045 const struct firmware *fw, 1046 u32 *boot_addr) 1047 { 1048 const u8 *fw_ptr; 1049 1050 fw_ptr = fw->data; 1051 1052 while (fw_ptr - fw->data < fw->size) { 1053 struct hci_command_hdr *cmd = (void *)(fw_ptr); 1054 1055 /* Each SKU has a different reset parameter to use in the 1056 * HCI_Intel_Reset command and it is embedded in the firmware 1057 * data. So, instead of using static value per SKU, check 1058 * the firmware data and save it for later use. 1059 */ 1060 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) { 1061 struct cmd_write_boot_params *params; 1062 1063 params = (void *)(fw_ptr + sizeof(*cmd)); 1064 1065 *boot_addr = le32_to_cpu(params->boot_addr); 1066 1067 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr); 1068 1069 bt_dev_info(hdev, "Firmware Version: %u-%u.%u", 1070 params->fw_build_num, params->fw_build_ww, 1071 params->fw_build_yy); 1072 1073 return (num == params->fw_build_num && 1074 ww == params->fw_build_ww && 1075 yy == params->fw_build_yy); 1076 } 1077 1078 fw_ptr += sizeof(*cmd) + cmd->plen; 1079 } 1080 1081 return false; 1082 } 1083 1084 int btintel_download_firmware(struct hci_dev *hdev, 1085 struct intel_version *ver, 1086 const struct firmware *fw, 1087 u32 *boot_param) 1088 { 1089 int err; 1090 1091 /* SfP and WsP don't seem to update the firmware version on file 1092 * so version checking is currently not possible. 1093 */ 1094 switch (ver->hw_variant) { 1095 case 0x0b: /* SfP */ 1096 case 0x0c: /* WsP */ 1097 /* Skip version checking */ 1098 break; 1099 default: 1100 1101 /* Skip download if firmware has the same version */ 1102 if (btintel_firmware_version(hdev, ver->fw_build_num, 1103 ver->fw_build_ww, ver->fw_build_yy, 1104 fw, boot_param)) { 1105 bt_dev_info(hdev, "Firmware already loaded"); 1106 /* Return -EALREADY to indicate that the firmware has 1107 * already been loaded. 1108 */ 1109 return -EALREADY; 1110 } 1111 } 1112 1113 /* The firmware variant determines if the device is in bootloader 1114 * mode or is running operational firmware. The value 0x06 identifies 1115 * the bootloader and the value 0x23 identifies the operational 1116 * firmware. 1117 * 1118 * If the firmware version has changed that means it needs to be reset 1119 * to bootloader when operational so the new firmware can be loaded. 1120 */ 1121 if (ver->fw_variant == 0x23) 1122 return -EINVAL; 1123 1124 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1125 if (err) 1126 return err; 1127 1128 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1129 } 1130 EXPORT_SYMBOL_GPL(btintel_download_firmware); 1131 1132 static int btintel_download_fw_tlv(struct hci_dev *hdev, 1133 struct intel_version_tlv *ver, 1134 const struct firmware *fw, u32 *boot_param, 1135 u8 hw_variant, u8 sbe_type) 1136 { 1137 int err; 1138 u32 css_header_ver; 1139 1140 /* Skip download if firmware has the same version */ 1141 if (btintel_firmware_version(hdev, ver->min_fw_build_nn, 1142 ver->min_fw_build_cw, 1143 ver->min_fw_build_yy, 1144 fw, boot_param)) { 1145 bt_dev_info(hdev, "Firmware already loaded"); 1146 /* Return -EALREADY to indicate that firmware has 1147 * already been loaded. 1148 */ 1149 return -EALREADY; 1150 } 1151 1152 /* The firmware variant determines if the device is in bootloader 1153 * mode or is running operational firmware. The value 0x01 identifies 1154 * the bootloader and the value 0x03 identifies the operational 1155 * firmware. 1156 * 1157 * If the firmware version has changed that means it needs to be reset 1158 * to bootloader when operational so the new firmware can be loaded. 1159 */ 1160 if (ver->img_type == 0x03) 1161 return -EINVAL; 1162 1163 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support 1164 * only RSA secure boot engine. Hence, the corresponding sfi file will 1165 * have RSA header of 644 bytes followed by Command Buffer. 1166 * 1167 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA 1168 * secure boot engine. As a result, the corresponding sfi file will 1169 * have RSA header of 644, ECDSA header of 320 bytes followed by 1170 * Command Buffer. 1171 * 1172 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header 1173 * version: RSA(0x00010000) , ECDSA (0x00020000) 1174 */ 1175 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET); 1176 if (css_header_ver != 0x00010000) { 1177 bt_dev_err(hdev, "Invalid CSS Header version"); 1178 return -EINVAL; 1179 } 1180 1181 if (hw_variant <= 0x14) { 1182 if (sbe_type != 0x00) { 1183 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)", 1184 hw_variant); 1185 return -EINVAL; 1186 } 1187 1188 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1189 if (err) 1190 return err; 1191 1192 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1193 if (err) 1194 return err; 1195 } else if (hw_variant >= 0x17) { 1196 /* Check if CSS header for ECDSA follows the RSA header */ 1197 if (fw->data[ECDSA_OFFSET] != 0x06) 1198 return -EINVAL; 1199 1200 /* Check if the CSS Header version is ECDSA(0x00020000) */ 1201 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET); 1202 if (css_header_ver != 0x00020000) { 1203 bt_dev_err(hdev, "Invalid CSS Header version"); 1204 return -EINVAL; 1205 } 1206 1207 if (sbe_type == 0x00) { 1208 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1209 if (err) 1210 return err; 1211 1212 err = btintel_download_firmware_payload(hdev, fw, 1213 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1214 if (err) 1215 return err; 1216 } else if (sbe_type == 0x01) { 1217 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw); 1218 if (err) 1219 return err; 1220 1221 err = btintel_download_firmware_payload(hdev, fw, 1222 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1223 if (err) 1224 return err; 1225 } 1226 } 1227 return 0; 1228 } 1229 1230 static void btintel_reset_to_bootloader(struct hci_dev *hdev) 1231 { 1232 struct intel_reset params; 1233 struct sk_buff *skb; 1234 1235 /* Send Intel Reset command. This will result in 1236 * re-enumeration of BT controller. 1237 * 1238 * Intel Reset parameter description: 1239 * reset_type : 0x00 (Soft reset), 1240 * 0x01 (Hard reset) 1241 * patch_enable : 0x00 (Do not enable), 1242 * 0x01 (Enable) 1243 * ddc_reload : 0x00 (Do not reload), 1244 * 0x01 (Reload) 1245 * boot_option: 0x00 (Current image), 1246 * 0x01 (Specified boot address) 1247 * boot_param: Boot address 1248 * 1249 */ 1250 params.reset_type = 0x01; 1251 params.patch_enable = 0x01; 1252 params.ddc_reload = 0x01; 1253 params.boot_option = 0x00; 1254 params.boot_param = cpu_to_le32(0x00000000); 1255 1256 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), 1257 ¶ms, HCI_INIT_TIMEOUT); 1258 if (IS_ERR(skb)) { 1259 bt_dev_err(hdev, "FW download error recovery failed (%ld)", 1260 PTR_ERR(skb)); 1261 return; 1262 } 1263 bt_dev_info(hdev, "Intel reset sent to retry FW download"); 1264 kfree_skb(skb); 1265 1266 /* Current Intel BT controllers(ThP/JfP) hold the USB reset 1267 * lines for 2ms when it receives Intel Reset in bootloader mode. 1268 * Whereas, the upcoming Intel BT controllers will hold USB reset 1269 * for 150ms. To keep the delay generic, 150ms is chosen here. 1270 */ 1271 msleep(150); 1272 } 1273 1274 static int btintel_read_debug_features(struct hci_dev *hdev, 1275 struct intel_debug_features *features) 1276 { 1277 struct sk_buff *skb; 1278 u8 page_no = 1; 1279 1280 /* Intel controller supports two pages, each page is of 128-bit 1281 * feature bit mask. And each bit defines specific feature support 1282 */ 1283 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no, 1284 HCI_INIT_TIMEOUT); 1285 if (IS_ERR(skb)) { 1286 bt_dev_err(hdev, "Reading supported features failed (%ld)", 1287 PTR_ERR(skb)); 1288 return PTR_ERR(skb); 1289 } 1290 1291 if (skb->len != (sizeof(features->page1) + 3)) { 1292 bt_dev_err(hdev, "Supported features event size mismatch"); 1293 kfree_skb(skb); 1294 return -EILSEQ; 1295 } 1296 1297 memcpy(features->page1, skb->data + 3, sizeof(features->page1)); 1298 1299 /* Read the supported features page2 if required in future. 1300 */ 1301 kfree_skb(skb); 1302 return 0; 1303 } 1304 1305 static int btintel_set_debug_features(struct hci_dev *hdev, 1306 const struct intel_debug_features *features) 1307 { 1308 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00, 1309 0x00, 0x00, 0x00 }; 1310 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 }; 1311 u8 trace_enable = 0x02; 1312 struct sk_buff *skb; 1313 1314 if (!features) { 1315 bt_dev_warn(hdev, "Debug features not read"); 1316 return -EINVAL; 1317 } 1318 1319 if (!(features->page1[0] & 0x3f)) { 1320 bt_dev_info(hdev, "Telemetry exception format not supported"); 1321 return 0; 1322 } 1323 1324 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1325 if (IS_ERR(skb)) { 1326 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1327 PTR_ERR(skb)); 1328 return PTR_ERR(skb); 1329 } 1330 kfree_skb(skb); 1331 1332 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT); 1333 if (IS_ERR(skb)) { 1334 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)", 1335 PTR_ERR(skb)); 1336 return PTR_ERR(skb); 1337 } 1338 kfree_skb(skb); 1339 1340 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1341 if (IS_ERR(skb)) { 1342 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)", 1343 PTR_ERR(skb)); 1344 return PTR_ERR(skb); 1345 } 1346 kfree_skb(skb); 1347 1348 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x", 1349 trace_enable, mask[3]); 1350 1351 return 0; 1352 } 1353 1354 static int btintel_reset_debug_features(struct hci_dev *hdev, 1355 const struct intel_debug_features *features) 1356 { 1357 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 1358 0x00, 0x00, 0x00 }; 1359 u8 trace_enable = 0x00; 1360 struct sk_buff *skb; 1361 1362 if (!features) { 1363 bt_dev_warn(hdev, "Debug features not read"); 1364 return -EINVAL; 1365 } 1366 1367 if (!(features->page1[0] & 0x3f)) { 1368 bt_dev_info(hdev, "Telemetry exception format not supported"); 1369 return 0; 1370 } 1371 1372 /* Should stop the trace before writing ddc event mask. */ 1373 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1374 if (IS_ERR(skb)) { 1375 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)", 1376 PTR_ERR(skb)); 1377 return PTR_ERR(skb); 1378 } 1379 kfree_skb(skb); 1380 1381 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1382 if (IS_ERR(skb)) { 1383 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1384 PTR_ERR(skb)); 1385 return PTR_ERR(skb); 1386 } 1387 kfree_skb(skb); 1388 1389 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x", 1390 trace_enable, mask[3]); 1391 1392 return 0; 1393 } 1394 1395 int btintel_set_quality_report(struct hci_dev *hdev, bool enable) 1396 { 1397 struct intel_debug_features features; 1398 int err; 1399 1400 bt_dev_dbg(hdev, "enable %d", enable); 1401 1402 /* Read the Intel supported features and if new exception formats 1403 * supported, need to load the additional DDC config to enable. 1404 */ 1405 err = btintel_read_debug_features(hdev, &features); 1406 if (err) 1407 return err; 1408 1409 /* Set or reset the debug features. */ 1410 if (enable) 1411 err = btintel_set_debug_features(hdev, &features); 1412 else 1413 err = btintel_reset_debug_features(hdev, &features); 1414 1415 return err; 1416 } 1417 EXPORT_SYMBOL_GPL(btintel_set_quality_report); 1418 1419 static void btintel_coredump(struct hci_dev *hdev) 1420 { 1421 struct sk_buff *skb; 1422 1423 skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT); 1424 if (IS_ERR(skb)) { 1425 bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb)); 1426 return; 1427 } 1428 1429 kfree_skb(skb); 1430 } 1431 1432 static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb) 1433 { 1434 char buf[80]; 1435 1436 snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n", 1437 coredump_info.hw_variant); 1438 skb_put_data(skb, buf, strlen(buf)); 1439 1440 snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n", 1441 coredump_info.fw_build_num); 1442 skb_put_data(skb, buf, strlen(buf)); 1443 1444 snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name); 1445 skb_put_data(skb, buf, strlen(buf)); 1446 1447 snprintf(buf, sizeof(buf), "Vendor: Intel\n"); 1448 skb_put_data(skb, buf, strlen(buf)); 1449 } 1450 1451 static int btintel_register_devcoredump_support(struct hci_dev *hdev) 1452 { 1453 struct intel_debug_features features; 1454 int err; 1455 1456 err = btintel_read_debug_features(hdev, &features); 1457 if (err) { 1458 bt_dev_info(hdev, "Error reading debug features"); 1459 return err; 1460 } 1461 1462 if (!(features.page1[0] & 0x3f)) { 1463 bt_dev_dbg(hdev, "Telemetry exception format not supported"); 1464 return -EOPNOTSUPP; 1465 } 1466 1467 hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL); 1468 1469 return err; 1470 } 1471 1472 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev, 1473 struct intel_version *ver) 1474 { 1475 const struct firmware *fw; 1476 char fwname[64]; 1477 int ret; 1478 1479 snprintf(fwname, sizeof(fwname), 1480 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1481 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1482 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1483 ver->fw_build_ww, ver->fw_build_yy); 1484 1485 ret = request_firmware(&fw, fwname, &hdev->dev); 1486 if (ret < 0) { 1487 if (ret == -EINVAL) { 1488 bt_dev_err(hdev, "Intel firmware file request failed (%d)", 1489 ret); 1490 return NULL; 1491 } 1492 1493 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)", 1494 fwname, ret); 1495 1496 /* If the correct firmware patch file is not found, use the 1497 * default firmware patch file instead 1498 */ 1499 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1500 ver->hw_platform, ver->hw_variant); 1501 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1502 bt_dev_err(hdev, "failed to open default fw file: %s", 1503 fwname); 1504 return NULL; 1505 } 1506 } 1507 1508 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname); 1509 1510 return fw; 1511 } 1512 1513 static int btintel_legacy_rom_patching(struct hci_dev *hdev, 1514 const struct firmware *fw, 1515 const u8 **fw_ptr, int *disable_patch) 1516 { 1517 struct sk_buff *skb; 1518 struct hci_command_hdr *cmd; 1519 const u8 *cmd_param; 1520 struct hci_event_hdr *evt = NULL; 1521 const u8 *evt_param = NULL; 1522 int remain = fw->size - (*fw_ptr - fw->data); 1523 1524 /* The first byte indicates the types of the patch command or event. 1525 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1526 * in the current firmware buffer doesn't start with 0x01 or 1527 * the size of remain buffer is smaller than HCI command header, 1528 * the firmware file is corrupted and it should stop the patching 1529 * process. 1530 */ 1531 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1532 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read"); 1533 return -EINVAL; 1534 } 1535 (*fw_ptr)++; 1536 remain--; 1537 1538 cmd = (struct hci_command_hdr *)(*fw_ptr); 1539 *fw_ptr += sizeof(*cmd); 1540 remain -= sizeof(*cmd); 1541 1542 /* Ensure that the remain firmware data is long enough than the length 1543 * of command parameter. If not, the firmware file is corrupted. 1544 */ 1545 if (remain < cmd->plen) { 1546 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len"); 1547 return -EFAULT; 1548 } 1549 1550 /* If there is a command that loads a patch in the firmware 1551 * file, then enable the patch upon success, otherwise just 1552 * disable the manufacturer mode, for example patch activation 1553 * is not required when the default firmware patch file is used 1554 * because there are no patch data to load. 1555 */ 1556 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1557 *disable_patch = 0; 1558 1559 cmd_param = *fw_ptr; 1560 *fw_ptr += cmd->plen; 1561 remain -= cmd->plen; 1562 1563 /* This reads the expected events when the above command is sent to the 1564 * device. Some vendor commands expects more than one events, for 1565 * example command status event followed by vendor specific event. 1566 * For this case, it only keeps the last expected event. so the command 1567 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1568 * last expected event. 1569 */ 1570 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1571 (*fw_ptr)++; 1572 remain--; 1573 1574 evt = (struct hci_event_hdr *)(*fw_ptr); 1575 *fw_ptr += sizeof(*evt); 1576 remain -= sizeof(*evt); 1577 1578 if (remain < evt->plen) { 1579 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len"); 1580 return -EFAULT; 1581 } 1582 1583 evt_param = *fw_ptr; 1584 *fw_ptr += evt->plen; 1585 remain -= evt->plen; 1586 } 1587 1588 /* Every HCI commands in the firmware file has its correspond event. 1589 * If event is not found or remain is smaller than zero, the firmware 1590 * file is corrupted. 1591 */ 1592 if (!evt || !evt_param || remain < 0) { 1593 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read"); 1594 return -EFAULT; 1595 } 1596 1597 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1598 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1599 if (IS_ERR(skb)) { 1600 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)", 1601 cmd->opcode, PTR_ERR(skb)); 1602 return PTR_ERR(skb); 1603 } 1604 1605 /* It ensures that the returned event matches the event data read from 1606 * the firmware file. At fist, it checks the length and then 1607 * the contents of the event. 1608 */ 1609 if (skb->len != evt->plen) { 1610 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)", 1611 le16_to_cpu(cmd->opcode)); 1612 kfree_skb(skb); 1613 return -EFAULT; 1614 } 1615 1616 if (memcmp(skb->data, evt_param, evt->plen)) { 1617 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)", 1618 le16_to_cpu(cmd->opcode)); 1619 kfree_skb(skb); 1620 return -EFAULT; 1621 } 1622 kfree_skb(skb); 1623 1624 return 0; 1625 } 1626 1627 static int btintel_legacy_rom_setup(struct hci_dev *hdev, 1628 struct intel_version *ver) 1629 { 1630 const struct firmware *fw; 1631 const u8 *fw_ptr; 1632 int disable_patch, err; 1633 struct intel_version new_ver; 1634 1635 BT_DBG("%s", hdev->name); 1636 1637 /* fw_patch_num indicates the version of patch the device currently 1638 * have. If there is no patch data in the device, it is always 0x00. 1639 * So, if it is other than 0x00, no need to patch the device again. 1640 */ 1641 if (ver->fw_patch_num) { 1642 bt_dev_info(hdev, 1643 "Intel device is already patched. patch num: %02x", 1644 ver->fw_patch_num); 1645 goto complete; 1646 } 1647 1648 /* Opens the firmware patch file based on the firmware version read 1649 * from the controller. If it fails to open the matching firmware 1650 * patch file, it tries to open the default firmware patch file. 1651 * If no patch file is found, allow the device to operate without 1652 * a patch. 1653 */ 1654 fw = btintel_legacy_rom_get_fw(hdev, ver); 1655 if (!fw) 1656 goto complete; 1657 fw_ptr = fw->data; 1658 1659 /* Enable the manufacturer mode of the controller. 1660 * Only while this mode is enabled, the driver can download the 1661 * firmware patch data and configuration parameters. 1662 */ 1663 err = btintel_enter_mfg(hdev); 1664 if (err) { 1665 release_firmware(fw); 1666 return err; 1667 } 1668 1669 disable_patch = 1; 1670 1671 /* The firmware data file consists of list of Intel specific HCI 1672 * commands and its expected events. The first byte indicates the 1673 * type of the message, either HCI command or HCI event. 1674 * 1675 * It reads the command and its expected event from the firmware file, 1676 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1677 * the returned event is compared with the event read from the firmware 1678 * file and it will continue until all the messages are downloaded to 1679 * the controller. 1680 * 1681 * Once the firmware patching is completed successfully, 1682 * the manufacturer mode is disabled with reset and activating the 1683 * downloaded patch. 1684 * 1685 * If the firmware patching fails, the manufacturer mode is 1686 * disabled with reset and deactivating the patch. 1687 * 1688 * If the default patch file is used, no reset is done when disabling 1689 * the manufacturer. 1690 */ 1691 while (fw->size > fw_ptr - fw->data) { 1692 int ret; 1693 1694 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr, 1695 &disable_patch); 1696 if (ret < 0) 1697 goto exit_mfg_deactivate; 1698 } 1699 1700 release_firmware(fw); 1701 1702 if (disable_patch) 1703 goto exit_mfg_disable; 1704 1705 /* Patching completed successfully and disable the manufacturer mode 1706 * with reset and activate the downloaded firmware patches. 1707 */ 1708 err = btintel_exit_mfg(hdev, true, true); 1709 if (err) 1710 return err; 1711 1712 /* Need build number for downloaded fw patches in 1713 * every power-on boot 1714 */ 1715 err = btintel_read_version(hdev, &new_ver); 1716 if (err) 1717 return err; 1718 1719 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated", 1720 new_ver.fw_patch_num); 1721 1722 goto complete; 1723 1724 exit_mfg_disable: 1725 /* Disable the manufacturer mode without reset */ 1726 err = btintel_exit_mfg(hdev, false, false); 1727 if (err) 1728 return err; 1729 1730 bt_dev_info(hdev, "Intel firmware patch completed"); 1731 1732 goto complete; 1733 1734 exit_mfg_deactivate: 1735 release_firmware(fw); 1736 1737 /* Patching failed. Disable the manufacturer mode with reset and 1738 * deactivate the downloaded firmware patches. 1739 */ 1740 err = btintel_exit_mfg(hdev, true, false); 1741 if (err) 1742 return err; 1743 1744 bt_dev_info(hdev, "Intel firmware patch completed and deactivated"); 1745 1746 complete: 1747 /* Set the event mask for Intel specific vendor events. This enables 1748 * a few extra events that are useful during general operation. 1749 */ 1750 btintel_set_event_mask_mfg(hdev, false); 1751 1752 btintel_check_bdaddr(hdev); 1753 1754 return 0; 1755 } 1756 1757 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1758 { 1759 ktime_t delta, rettime; 1760 unsigned long long duration; 1761 int err; 1762 1763 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1764 1765 bt_dev_info(hdev, "Waiting for firmware download to complete"); 1766 1767 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING, 1768 TASK_INTERRUPTIBLE, 1769 msecs_to_jiffies(msec)); 1770 if (err == -EINTR) { 1771 bt_dev_err(hdev, "Firmware loading interrupted"); 1772 return err; 1773 } 1774 1775 if (err) { 1776 bt_dev_err(hdev, "Firmware loading timeout"); 1777 return -ETIMEDOUT; 1778 } 1779 1780 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) { 1781 bt_dev_err(hdev, "Firmware loading failed"); 1782 return -ENOEXEC; 1783 } 1784 1785 rettime = ktime_get(); 1786 delta = ktime_sub(rettime, calltime); 1787 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1788 1789 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration); 1790 1791 return 0; 1792 } 1793 1794 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1795 { 1796 ktime_t delta, rettime; 1797 unsigned long long duration; 1798 int err; 1799 1800 bt_dev_info(hdev, "Waiting for device to boot"); 1801 1802 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING, 1803 TASK_INTERRUPTIBLE, 1804 msecs_to_jiffies(msec)); 1805 if (err == -EINTR) { 1806 bt_dev_err(hdev, "Device boot interrupted"); 1807 return -EINTR; 1808 } 1809 1810 if (err) { 1811 bt_dev_err(hdev, "Device boot timeout"); 1812 return -ETIMEDOUT; 1813 } 1814 1815 rettime = ktime_get(); 1816 delta = ktime_sub(rettime, calltime); 1817 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 1818 1819 bt_dev_info(hdev, "Device booted in %llu usecs", duration); 1820 1821 return 0; 1822 } 1823 1824 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr) 1825 { 1826 ktime_t calltime; 1827 int err; 1828 1829 calltime = ktime_get(); 1830 1831 btintel_set_flag(hdev, INTEL_BOOTING); 1832 1833 err = btintel_send_intel_reset(hdev, boot_addr); 1834 if (err) { 1835 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err); 1836 btintel_reset_to_bootloader(hdev); 1837 return err; 1838 } 1839 1840 /* The bootloader will not indicate when the device is ready. This 1841 * is done by the operational firmware sending bootup notification. 1842 * 1843 * Booting into operational firmware should not take longer than 1844 * 1 second. However if that happens, then just fail the setup 1845 * since something went wrong. 1846 */ 1847 err = btintel_boot_wait(hdev, calltime, 1000); 1848 if (err == -ETIMEDOUT) 1849 btintel_reset_to_bootloader(hdev); 1850 1851 return err; 1852 } 1853 1854 static int btintel_get_fw_name(struct intel_version *ver, 1855 struct intel_boot_params *params, 1856 char *fw_name, size_t len, 1857 const char *suffix) 1858 { 1859 switch (ver->hw_variant) { 1860 case 0x0b: /* SfP */ 1861 case 0x0c: /* WsP */ 1862 snprintf(fw_name, len, "intel/ibt-%u-%u.%s", 1863 ver->hw_variant, 1864 le16_to_cpu(params->dev_revid), 1865 suffix); 1866 break; 1867 case 0x11: /* JfP */ 1868 case 0x12: /* ThP */ 1869 case 0x13: /* HrP */ 1870 case 0x14: /* CcP */ 1871 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s", 1872 ver->hw_variant, 1873 ver->hw_revision, 1874 ver->fw_revision, 1875 suffix); 1876 break; 1877 default: 1878 return -EINVAL; 1879 } 1880 1881 return 0; 1882 } 1883 1884 static int btintel_download_fw(struct hci_dev *hdev, 1885 struct intel_version *ver, 1886 struct intel_boot_params *params, 1887 u32 *boot_param) 1888 { 1889 const struct firmware *fw; 1890 char fwname[64]; 1891 int err; 1892 ktime_t calltime; 1893 1894 if (!ver || !params) 1895 return -EINVAL; 1896 1897 /* The firmware variant determines if the device is in bootloader 1898 * mode or is running operational firmware. The value 0x06 identifies 1899 * the bootloader and the value 0x23 identifies the operational 1900 * firmware. 1901 * 1902 * When the operational firmware is already present, then only 1903 * the check for valid Bluetooth device address is needed. This 1904 * determines if the device will be added as configured or 1905 * unconfigured controller. 1906 * 1907 * It is not possible to use the Secure Boot Parameters in this 1908 * case since that command is only available in bootloader mode. 1909 */ 1910 if (ver->fw_variant == 0x23) { 1911 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 1912 btintel_check_bdaddr(hdev); 1913 1914 /* SfP and WsP don't seem to update the firmware version on file 1915 * so version checking is currently possible. 1916 */ 1917 switch (ver->hw_variant) { 1918 case 0x0b: /* SfP */ 1919 case 0x0c: /* WsP */ 1920 return 0; 1921 } 1922 1923 /* Proceed to download to check if the version matches */ 1924 goto download; 1925 } 1926 1927 /* Read the secure boot parameters to identify the operating 1928 * details of the bootloader. 1929 */ 1930 err = btintel_read_boot_params(hdev, params); 1931 if (err) 1932 return err; 1933 1934 /* It is required that every single firmware fragment is acknowledged 1935 * with a command complete event. If the boot parameters indicate 1936 * that this bootloader does not send them, then abort the setup. 1937 */ 1938 if (params->limited_cce != 0x00) { 1939 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)", 1940 params->limited_cce); 1941 return -EINVAL; 1942 } 1943 1944 /* If the OTP has no valid Bluetooth device address, then there will 1945 * also be no valid address for the operational firmware. 1946 */ 1947 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 1948 bt_dev_info(hdev, "No device address configured"); 1949 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 1950 } 1951 1952 download: 1953 /* With this Intel bootloader only the hardware variant and device 1954 * revision information are used to select the right firmware for SfP 1955 * and WsP. 1956 * 1957 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi. 1958 * 1959 * Currently the supported hardware variants are: 1960 * 11 (0x0b) for iBT3.0 (LnP/SfP) 1961 * 12 (0x0c) for iBT3.5 (WsP) 1962 * 1963 * For ThP/JfP and for future SKU's, the FW name varies based on HW 1964 * variant, HW revision and FW revision, as these are dependent on CNVi 1965 * and RF Combination. 1966 * 1967 * 17 (0x11) for iBT3.5 (JfP) 1968 * 18 (0x12) for iBT3.5 (ThP) 1969 * 1970 * The firmware file name for these will be 1971 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi. 1972 * 1973 */ 1974 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi"); 1975 if (err < 0) { 1976 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 1977 /* Firmware has already been loaded */ 1978 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1979 return 0; 1980 } 1981 1982 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 1983 return -EINVAL; 1984 } 1985 1986 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 1987 if (err < 0) { 1988 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 1989 /* Firmware has already been loaded */ 1990 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1991 return 0; 1992 } 1993 1994 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 1995 fwname, err); 1996 return err; 1997 } 1998 1999 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2000 2001 if (fw->size < 644) { 2002 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2003 fw->size); 2004 err = -EBADF; 2005 goto done; 2006 } 2007 2008 calltime = ktime_get(); 2009 2010 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2011 2012 /* Start firmware downloading and get boot parameter */ 2013 err = btintel_download_firmware(hdev, ver, fw, boot_param); 2014 if (err < 0) { 2015 if (err == -EALREADY) { 2016 /* Firmware has already been loaded */ 2017 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2018 err = 0; 2019 goto done; 2020 } 2021 2022 /* When FW download fails, send Intel Reset to retry 2023 * FW download. 2024 */ 2025 btintel_reset_to_bootloader(hdev); 2026 goto done; 2027 } 2028 2029 /* Before switching the device into operational mode and with that 2030 * booting the loaded firmware, wait for the bootloader notification 2031 * that all fragments have been successfully received. 2032 * 2033 * When the event processing receives the notification, then the 2034 * INTEL_DOWNLOADING flag will be cleared. 2035 * 2036 * The firmware loading should not take longer than 5 seconds 2037 * and thus just timeout if that happens and fail the setup 2038 * of this device. 2039 */ 2040 err = btintel_download_wait(hdev, calltime, 5000); 2041 if (err == -ETIMEDOUT) 2042 btintel_reset_to_bootloader(hdev); 2043 2044 done: 2045 release_firmware(fw); 2046 return err; 2047 } 2048 2049 static int btintel_bootloader_setup(struct hci_dev *hdev, 2050 struct intel_version *ver) 2051 { 2052 struct intel_version new_ver; 2053 struct intel_boot_params params; 2054 u32 boot_param; 2055 char ddcname[64]; 2056 int err; 2057 2058 BT_DBG("%s", hdev->name); 2059 2060 /* Set the default boot parameter to 0x0 and it is updated to 2061 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2062 * command while downloading the firmware. 2063 */ 2064 boot_param = 0x00000000; 2065 2066 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2067 2068 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param); 2069 if (err) 2070 return err; 2071 2072 /* controller is already having an operational firmware */ 2073 if (ver->fw_variant == 0x23) 2074 goto finish; 2075 2076 err = btintel_boot(hdev, boot_param); 2077 if (err) 2078 return err; 2079 2080 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2081 2082 err = btintel_get_fw_name(ver, ¶ms, ddcname, 2083 sizeof(ddcname), "ddc"); 2084 2085 if (err < 0) { 2086 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2087 } else { 2088 /* Once the device is running in operational mode, it needs to 2089 * apply the device configuration (DDC) parameters. 2090 * 2091 * The device can work without DDC parameters, so even if it 2092 * fails to load the file, no need to fail the setup. 2093 */ 2094 btintel_load_ddc_config(hdev, ddcname); 2095 } 2096 2097 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2098 2099 /* Read the Intel version information after loading the FW */ 2100 err = btintel_read_version(hdev, &new_ver); 2101 if (err) 2102 return err; 2103 2104 btintel_version_info(hdev, &new_ver); 2105 2106 finish: 2107 /* Set the event mask for Intel specific vendor events. This enables 2108 * a few extra events that are useful during general operation. It 2109 * does not enable any debugging related events. 2110 * 2111 * The device will function correctly without these events enabled 2112 * and thus no need to fail the setup. 2113 */ 2114 btintel_set_event_mask(hdev, false); 2115 2116 return 0; 2117 } 2118 2119 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver, 2120 char *fw_name, size_t len, 2121 const char *suffix) 2122 { 2123 /* The firmware file name for new generation controllers will be 2124 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step> 2125 */ 2126 snprintf(fw_name, len, "intel/ibt-%04x-%04x.%s", 2127 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2128 INTEL_CNVX_TOP_STEP(ver->cnvi_top)), 2129 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2130 INTEL_CNVX_TOP_STEP(ver->cnvr_top)), 2131 suffix); 2132 } 2133 2134 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev, 2135 struct intel_version_tlv *ver, 2136 u32 *boot_param) 2137 { 2138 const struct firmware *fw; 2139 char fwname[64]; 2140 int err; 2141 ktime_t calltime; 2142 2143 if (!ver || !boot_param) 2144 return -EINVAL; 2145 2146 /* The firmware variant determines if the device is in bootloader 2147 * mode or is running operational firmware. The value 0x03 identifies 2148 * the bootloader and the value 0x23 identifies the operational 2149 * firmware. 2150 * 2151 * When the operational firmware is already present, then only 2152 * the check for valid Bluetooth device address is needed. This 2153 * determines if the device will be added as configured or 2154 * unconfigured controller. 2155 * 2156 * It is not possible to use the Secure Boot Parameters in this 2157 * case since that command is only available in bootloader mode. 2158 */ 2159 if (ver->img_type == 0x03) { 2160 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2161 btintel_check_bdaddr(hdev); 2162 } else { 2163 /* 2164 * Check for valid bd address in boot loader mode. Device 2165 * will be marked as unconfigured if empty bd address is 2166 * found. 2167 */ 2168 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) { 2169 bt_dev_info(hdev, "No device address configured"); 2170 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2171 } 2172 } 2173 2174 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2175 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2176 if (err < 0) { 2177 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2178 /* Firmware has already been loaded */ 2179 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2180 return 0; 2181 } 2182 2183 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2184 fwname, err); 2185 2186 return err; 2187 } 2188 2189 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2190 2191 if (fw->size < 644) { 2192 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2193 fw->size); 2194 err = -EBADF; 2195 goto done; 2196 } 2197 2198 calltime = ktime_get(); 2199 2200 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2201 2202 /* Start firmware downloading and get boot parameter */ 2203 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param, 2204 INTEL_HW_VARIANT(ver->cnvi_bt), 2205 ver->sbe_type); 2206 if (err < 0) { 2207 if (err == -EALREADY) { 2208 /* Firmware has already been loaded */ 2209 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2210 err = 0; 2211 goto done; 2212 } 2213 2214 /* When FW download fails, send Intel Reset to retry 2215 * FW download. 2216 */ 2217 btintel_reset_to_bootloader(hdev); 2218 goto done; 2219 } 2220 2221 /* Before switching the device into operational mode and with that 2222 * booting the loaded firmware, wait for the bootloader notification 2223 * that all fragments have been successfully received. 2224 * 2225 * When the event processing receives the notification, then the 2226 * BTUSB_DOWNLOADING flag will be cleared. 2227 * 2228 * The firmware loading should not take longer than 5 seconds 2229 * and thus just timeout if that happens and fail the setup 2230 * of this device. 2231 */ 2232 err = btintel_download_wait(hdev, calltime, 5000); 2233 if (err == -ETIMEDOUT) 2234 btintel_reset_to_bootloader(hdev); 2235 2236 done: 2237 release_firmware(fw); 2238 return err; 2239 } 2240 2241 static int btintel_get_codec_config_data(struct hci_dev *hdev, 2242 __u8 link, struct bt_codec *codec, 2243 __u8 *ven_len, __u8 **ven_data) 2244 { 2245 int err = 0; 2246 2247 if (!ven_data || !ven_len) 2248 return -EINVAL; 2249 2250 *ven_len = 0; 2251 *ven_data = NULL; 2252 2253 if (link != ESCO_LINK) { 2254 bt_dev_err(hdev, "Invalid link type(%u)", link); 2255 return -EINVAL; 2256 } 2257 2258 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL); 2259 if (!*ven_data) { 2260 err = -ENOMEM; 2261 goto error; 2262 } 2263 2264 /* supports only CVSD and mSBC offload codecs */ 2265 switch (codec->id) { 2266 case 0x02: 2267 **ven_data = 0x00; 2268 break; 2269 case 0x05: 2270 **ven_data = 0x01; 2271 break; 2272 default: 2273 err = -EINVAL; 2274 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id); 2275 goto error; 2276 } 2277 /* codec and its capabilities are pre-defined to ids 2278 * preset id = 0x00 represents CVSD codec with sampling rate 8K 2279 * preset id = 0x01 represents mSBC codec with sampling rate 16K 2280 */ 2281 *ven_len = sizeof(__u8); 2282 return err; 2283 2284 error: 2285 kfree(*ven_data); 2286 *ven_data = NULL; 2287 return err; 2288 } 2289 2290 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id) 2291 { 2292 /* Intel uses 1 as data path id for all the usecases */ 2293 *data_path_id = 1; 2294 return 0; 2295 } 2296 2297 static int btintel_configure_offload(struct hci_dev *hdev) 2298 { 2299 struct sk_buff *skb; 2300 int err = 0; 2301 struct intel_offload_use_cases *use_cases; 2302 2303 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT); 2304 if (IS_ERR(skb)) { 2305 bt_dev_err(hdev, "Reading offload use cases failed (%ld)", 2306 PTR_ERR(skb)); 2307 return PTR_ERR(skb); 2308 } 2309 2310 if (skb->len < sizeof(*use_cases)) { 2311 err = -EIO; 2312 goto error; 2313 } 2314 2315 use_cases = (void *)skb->data; 2316 2317 if (use_cases->status) { 2318 err = -bt_to_errno(skb->data[0]); 2319 goto error; 2320 } 2321 2322 if (use_cases->preset[0] & 0x03) { 2323 hdev->get_data_path_id = btintel_get_data_path_id; 2324 hdev->get_codec_config_data = btintel_get_codec_config_data; 2325 } 2326 error: 2327 kfree_skb(skb); 2328 return err; 2329 } 2330 2331 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver) 2332 { 2333 struct sk_buff *skb; 2334 struct hci_ppag_enable_cmd ppag_cmd; 2335 acpi_handle handle; 2336 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; 2337 union acpi_object *p, *elements; 2338 u32 domain, mode; 2339 acpi_status status; 2340 2341 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */ 2342 switch (ver->cnvr_top & 0xFFF) { 2343 case 0x504: /* Hrp2 */ 2344 case 0x202: /* Jfp2 */ 2345 case 0x201: /* Jfp1 */ 2346 bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)", 2347 ver->cnvr_top & 0xFFF); 2348 return; 2349 } 2350 2351 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2352 if (!handle) { 2353 bt_dev_info(hdev, "No support for BT device in ACPI firmware"); 2354 return; 2355 } 2356 2357 status = acpi_evaluate_object(handle, "PPAG", NULL, &buffer); 2358 if (ACPI_FAILURE(status)) { 2359 if (status == AE_NOT_FOUND) { 2360 bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found"); 2361 return; 2362 } 2363 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 2364 return; 2365 } 2366 2367 p = buffer.pointer; 2368 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) { 2369 bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d", 2370 p->type, p->package.count); 2371 kfree(buffer.pointer); 2372 return; 2373 } 2374 2375 elements = p->package.elements; 2376 2377 /* PPAG table is located at element[1] */ 2378 p = &elements[1]; 2379 2380 domain = (u32)p->package.elements[0].integer.value; 2381 mode = (u32)p->package.elements[1].integer.value; 2382 kfree(buffer.pointer); 2383 2384 if (domain != 0x12) { 2385 bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware"); 2386 return; 2387 } 2388 2389 /* PPAG mode 2390 * BIT 0 : 0 Disabled in EU 2391 * 1 Enabled in EU 2392 * BIT 1 : 0 Disabled in China 2393 * 1 Enabled in China 2394 */ 2395 mode &= 0x03; 2396 2397 if (!mode) { 2398 bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in BIOS"); 2399 return; 2400 } 2401 2402 ppag_cmd.ppag_enable_flags = cpu_to_le32(mode); 2403 2404 skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd), 2405 &ppag_cmd, HCI_CMD_TIMEOUT); 2406 if (IS_ERR(skb)) { 2407 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb)); 2408 return; 2409 } 2410 bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", mode); 2411 kfree_skb(skb); 2412 } 2413 2414 static int btintel_acpi_reset_method(struct hci_dev *hdev) 2415 { 2416 int ret = 0; 2417 acpi_status status; 2418 union acpi_object *p, *ref; 2419 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; 2420 2421 status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer); 2422 if (ACPI_FAILURE(status)) { 2423 bt_dev_err(hdev, "Failed to run _PRR method"); 2424 ret = -ENODEV; 2425 return ret; 2426 } 2427 p = buffer.pointer; 2428 2429 if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) { 2430 bt_dev_err(hdev, "Invalid arguments"); 2431 ret = -EINVAL; 2432 goto exit_on_error; 2433 } 2434 2435 ref = &p->package.elements[0]; 2436 if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) { 2437 bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type); 2438 ret = -EINVAL; 2439 goto exit_on_error; 2440 } 2441 2442 status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL); 2443 if (ACPI_FAILURE(status)) { 2444 bt_dev_err(hdev, "Failed to run_RST method"); 2445 ret = -ENODEV; 2446 goto exit_on_error; 2447 } 2448 2449 exit_on_error: 2450 kfree(buffer.pointer); 2451 return ret; 2452 } 2453 2454 static void btintel_set_dsm_reset_method(struct hci_dev *hdev, 2455 struct intel_version_tlv *ver_tlv) 2456 { 2457 struct btintel_data *data = hci_get_priv(hdev); 2458 acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2459 u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00}; 2460 union acpi_object *obj, argv4; 2461 enum { 2462 RESET_TYPE_WDISABLE2, 2463 RESET_TYPE_VSEC 2464 }; 2465 2466 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2467 2468 if (!handle) { 2469 bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware"); 2470 return; 2471 } 2472 2473 if (!acpi_has_method(handle, "_PRR")) { 2474 bt_dev_err(hdev, "No support for _PRR ACPI method"); 2475 return; 2476 } 2477 2478 switch (ver_tlv->cnvi_top & 0xfff) { 2479 case 0x910: /* GalePeak2 */ 2480 reset_payload[2] = RESET_TYPE_VSEC; 2481 break; 2482 default: 2483 /* WDISABLE2 is the default reset method */ 2484 reset_payload[2] = RESET_TYPE_WDISABLE2; 2485 2486 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2487 BIT(DSM_SET_WDISABLE2_DELAY))) { 2488 bt_dev_err(hdev, "No dsm support to set reset delay"); 2489 return; 2490 } 2491 argv4.integer.type = ACPI_TYPE_INTEGER; 2492 /* delay required to toggle BT power */ 2493 argv4.integer.value = 160; 2494 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2495 DSM_SET_WDISABLE2_DELAY, &argv4); 2496 if (!obj) { 2497 bt_dev_err(hdev, "Failed to call dsm to set reset delay"); 2498 return; 2499 } 2500 ACPI_FREE(obj); 2501 } 2502 2503 bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]); 2504 2505 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2506 DSM_SET_RESET_METHOD)) { 2507 bt_dev_warn(hdev, "No support for dsm to set reset method"); 2508 return; 2509 } 2510 argv4.buffer.type = ACPI_TYPE_BUFFER; 2511 argv4.buffer.length = sizeof(reset_payload); 2512 argv4.buffer.pointer = reset_payload; 2513 2514 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2515 DSM_SET_RESET_METHOD, &argv4); 2516 if (!obj) { 2517 bt_dev_err(hdev, "Failed to call dsm to set reset method"); 2518 return; 2519 } 2520 ACPI_FREE(obj); 2521 data->acpi_reset_method = btintel_acpi_reset_method; 2522 } 2523 2524 static int btintel_bootloader_setup_tlv(struct hci_dev *hdev, 2525 struct intel_version_tlv *ver) 2526 { 2527 u32 boot_param; 2528 char ddcname[64]; 2529 int err; 2530 struct intel_version_tlv new_ver; 2531 2532 bt_dev_dbg(hdev, ""); 2533 2534 /* Set the default boot parameter to 0x0 and it is updated to 2535 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2536 * command while downloading the firmware. 2537 */ 2538 boot_param = 0x00000000; 2539 2540 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2541 2542 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2543 if (err) 2544 return err; 2545 2546 /* check if controller is already having an operational firmware */ 2547 if (ver->img_type == 0x03) 2548 goto finish; 2549 2550 err = btintel_boot(hdev, boot_param); 2551 if (err) 2552 return err; 2553 2554 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2555 2556 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc"); 2557 /* Once the device is running in operational mode, it needs to 2558 * apply the device configuration (DDC) parameters. 2559 * 2560 * The device can work without DDC parameters, so even if it 2561 * fails to load the file, no need to fail the setup. 2562 */ 2563 btintel_load_ddc_config(hdev, ddcname); 2564 2565 /* Read supported use cases and set callbacks to fetch datapath id */ 2566 btintel_configure_offload(hdev); 2567 2568 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2569 2570 /* Set PPAG feature */ 2571 btintel_set_ppag(hdev, ver); 2572 2573 /* Read the Intel version information after loading the FW */ 2574 err = btintel_read_version_tlv(hdev, &new_ver); 2575 if (err) 2576 return err; 2577 2578 btintel_version_info_tlv(hdev, &new_ver); 2579 2580 finish: 2581 /* Set the event mask for Intel specific vendor events. This enables 2582 * a few extra events that are useful during general operation. It 2583 * does not enable any debugging related events. 2584 * 2585 * The device will function correctly without these events enabled 2586 * and thus no need to fail the setup. 2587 */ 2588 btintel_set_event_mask(hdev, false); 2589 2590 return 0; 2591 } 2592 2593 static void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant) 2594 { 2595 switch (hw_variant) { 2596 /* Legacy bootloader devices that supports MSFT Extension */ 2597 case 0x11: /* JfP */ 2598 case 0x12: /* ThP */ 2599 case 0x13: /* HrP */ 2600 case 0x14: /* CcP */ 2601 /* All Intel new genration controllers support the Microsoft vendor 2602 * extension are using 0xFC1E for VsMsftOpCode. 2603 */ 2604 case 0x17: 2605 case 0x18: 2606 case 0x19: 2607 case 0x1b: 2608 case 0x1c: 2609 hci_set_msft_opcode(hdev, 0xFC1E); 2610 break; 2611 default: 2612 /* Not supported */ 2613 break; 2614 } 2615 } 2616 2617 static int btintel_setup_combined(struct hci_dev *hdev) 2618 { 2619 const u8 param[1] = { 0xFF }; 2620 struct intel_version ver; 2621 struct intel_version_tlv ver_tlv; 2622 struct sk_buff *skb; 2623 int err; 2624 2625 BT_DBG("%s", hdev->name); 2626 2627 /* The some controllers have a bug with the first HCI command sent to it 2628 * returning number of completed commands as zero. This would stall the 2629 * command processing in the Bluetooth core. 2630 * 2631 * As a workaround, send HCI Reset command first which will reset the 2632 * number of completed commands and allow normal command processing 2633 * from now on. 2634 * 2635 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe 2636 * in the SW_RFKILL ON state as a workaround of fixing LED issue during 2637 * the shutdown() procedure, and once the device is in SW_RFKILL ON 2638 * state, the only way to exit out of it is sending the HCI_Reset 2639 * command. 2640 */ 2641 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) || 2642 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 2643 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, 2644 HCI_INIT_TIMEOUT); 2645 if (IS_ERR(skb)) { 2646 bt_dev_err(hdev, 2647 "sending initial HCI reset failed (%ld)", 2648 PTR_ERR(skb)); 2649 return PTR_ERR(skb); 2650 } 2651 kfree_skb(skb); 2652 } 2653 2654 /* Starting from TyP device, the command parameter and response are 2655 * changed even though the OCF for HCI_Intel_Read_Version command 2656 * remains same. The legacy devices can handle even if the 2657 * command has a parameter and returns a correct version information. 2658 * So, it uses new format to support both legacy and new format. 2659 */ 2660 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 2661 if (IS_ERR(skb)) { 2662 bt_dev_err(hdev, "Reading Intel version command failed (%ld)", 2663 PTR_ERR(skb)); 2664 return PTR_ERR(skb); 2665 } 2666 2667 /* Check the status */ 2668 if (skb->data[0]) { 2669 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 2670 skb->data[0]); 2671 err = -EIO; 2672 goto exit_error; 2673 } 2674 2675 /* Apply the common HCI quirks for Intel device */ 2676 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2677 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2678 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks); 2679 2680 /* Set up the quality report callback for Intel devices */ 2681 hdev->set_quality_report = btintel_set_quality_report; 2682 2683 /* For Legacy device, check the HW platform value and size */ 2684 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) { 2685 bt_dev_dbg(hdev, "Read the legacy Intel version information"); 2686 2687 memcpy(&ver, skb->data, sizeof(ver)); 2688 2689 /* Display version information */ 2690 btintel_version_info(hdev, &ver); 2691 2692 /* Check for supported iBT hardware variants of this firmware 2693 * loading method. 2694 * 2695 * This check has been put in place to ensure correct forward 2696 * compatibility options when newer hardware variants come 2697 * along. 2698 */ 2699 switch (ver.hw_variant) { 2700 case 0x07: /* WP */ 2701 case 0x08: /* StP */ 2702 /* Legacy ROM product */ 2703 btintel_set_flag(hdev, INTEL_ROM_LEGACY); 2704 2705 /* Apply the device specific HCI quirks 2706 * 2707 * WBS for SdP - For the Legacy ROM products, only SdP 2708 * supports the WBS. But the version information is not 2709 * enough to use here because the StP2 and SdP have same 2710 * hw_variant and fw_variant. So, this flag is set by 2711 * the transport driver (btusb) based on the HW info 2712 * (idProduct) 2713 */ 2714 if (!btintel_test_flag(hdev, 2715 INTEL_ROM_LEGACY_NO_WBS_SUPPORT)) 2716 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 2717 &hdev->quirks); 2718 if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22) 2719 set_bit(HCI_QUIRK_VALID_LE_STATES, 2720 &hdev->quirks); 2721 2722 err = btintel_legacy_rom_setup(hdev, &ver); 2723 break; 2724 case 0x0b: /* SfP */ 2725 case 0x11: /* JfP */ 2726 case 0x12: /* ThP */ 2727 case 0x13: /* HrP */ 2728 case 0x14: /* CcP */ 2729 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 2730 fallthrough; 2731 case 0x0c: /* WsP */ 2732 /* Apply the device specific HCI quirks 2733 * 2734 * All Legacy bootloader devices support WBS 2735 */ 2736 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 2737 &hdev->quirks); 2738 2739 /* These variants don't seem to support LE Coded PHY */ 2740 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 2741 2742 /* Setup MSFT Extension support */ 2743 btintel_set_msft_opcode(hdev, ver.hw_variant); 2744 2745 err = btintel_bootloader_setup(hdev, &ver); 2746 btintel_register_devcoredump_support(hdev); 2747 break; 2748 default: 2749 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 2750 ver.hw_variant); 2751 err = -EINVAL; 2752 } 2753 2754 goto exit_error; 2755 } 2756 2757 /* memset ver_tlv to start with clean state as few fields are exclusive 2758 * to bootloader mode and are not populated in operational mode 2759 */ 2760 memset(&ver_tlv, 0, sizeof(ver_tlv)); 2761 /* For TLV type device, parse the tlv data */ 2762 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb); 2763 if (err) { 2764 bt_dev_err(hdev, "Failed to parse TLV version information"); 2765 goto exit_error; 2766 } 2767 2768 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) { 2769 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 2770 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt)); 2771 err = -EINVAL; 2772 goto exit_error; 2773 } 2774 2775 /* Check for supported iBT hardware variants of this firmware 2776 * loading method. 2777 * 2778 * This check has been put in place to ensure correct forward 2779 * compatibility options when newer hardware variants come 2780 * along. 2781 */ 2782 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) { 2783 case 0x11: /* JfP */ 2784 case 0x12: /* ThP */ 2785 case 0x13: /* HrP */ 2786 case 0x14: /* CcP */ 2787 /* Some legacy bootloader devices starting from JfP, 2788 * the operational firmware supports both old and TLV based 2789 * HCI_Intel_Read_Version command based on the command 2790 * parameter. 2791 * 2792 * For upgrading firmware case, the TLV based version cannot 2793 * be used because the firmware filename for legacy bootloader 2794 * is based on the old format. 2795 * 2796 * Also, it is not easy to convert TLV based version from the 2797 * legacy version format. 2798 * 2799 * So, as a workaround for those devices, use the legacy 2800 * HCI_Intel_Read_Version to get the version information and 2801 * run the legacy bootloader setup. 2802 */ 2803 err = btintel_read_version(hdev, &ver); 2804 if (err) 2805 break; 2806 2807 /* Apply the device specific HCI quirks 2808 * 2809 * All Legacy bootloader devices support WBS 2810 */ 2811 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 2812 2813 /* These variants don't seem to support LE Coded PHY */ 2814 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 2815 2816 /* Set Valid LE States quirk */ 2817 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 2818 2819 /* Setup MSFT Extension support */ 2820 btintel_set_msft_opcode(hdev, ver.hw_variant); 2821 2822 err = btintel_bootloader_setup(hdev, &ver); 2823 btintel_register_devcoredump_support(hdev); 2824 break; 2825 case 0x17: 2826 case 0x18: 2827 case 0x19: 2828 case 0x1b: 2829 case 0x1c: 2830 /* Display version information of TLV type */ 2831 btintel_version_info_tlv(hdev, &ver_tlv); 2832 2833 /* Apply the device specific HCI quirks for TLV based devices 2834 * 2835 * All TLV based devices support WBS 2836 */ 2837 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 2838 2839 /* Apply LE States quirk from solar onwards */ 2840 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 2841 2842 /* Setup MSFT Extension support */ 2843 btintel_set_msft_opcode(hdev, 2844 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 2845 btintel_set_dsm_reset_method(hdev, &ver_tlv); 2846 2847 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv); 2848 if (err) 2849 goto exit_error; 2850 2851 btintel_register_devcoredump_support(hdev); 2852 break; 2853 default: 2854 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 2855 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 2856 err = -EINVAL; 2857 break; 2858 } 2859 2860 exit_error: 2861 kfree_skb(skb); 2862 2863 return err; 2864 } 2865 2866 static int btintel_shutdown_combined(struct hci_dev *hdev) 2867 { 2868 struct sk_buff *skb; 2869 int ret; 2870 2871 /* Send HCI Reset to the controller to stop any BT activity which 2872 * were triggered. This will help to save power and maintain the 2873 * sync b/w Host and controller 2874 */ 2875 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2876 if (IS_ERR(skb)) { 2877 bt_dev_err(hdev, "HCI reset during shutdown failed"); 2878 return PTR_ERR(skb); 2879 } 2880 kfree_skb(skb); 2881 2882 2883 /* Some platforms have an issue with BT LED when the interface is 2884 * down or BT radio is turned off, which takes 5 seconds to BT LED 2885 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the 2886 * device in the RFKILL ON state which turns off the BT LED immediately. 2887 */ 2888 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 2889 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 2890 if (IS_ERR(skb)) { 2891 ret = PTR_ERR(skb); 2892 bt_dev_err(hdev, "turning off Intel device LED failed"); 2893 return ret; 2894 } 2895 kfree_skb(skb); 2896 } 2897 2898 return 0; 2899 } 2900 2901 int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name) 2902 { 2903 hdev->manufacturer = 2; 2904 hdev->setup = btintel_setup_combined; 2905 hdev->shutdown = btintel_shutdown_combined; 2906 hdev->hw_error = btintel_hw_error; 2907 hdev->set_diag = btintel_set_diag_combined; 2908 hdev->set_bdaddr = btintel_set_bdaddr; 2909 2910 coredump_info.driver_name = driver_name; 2911 2912 return 0; 2913 } 2914 EXPORT_SYMBOL_GPL(btintel_configure_setup); 2915 2916 static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 2917 { 2918 struct intel_tlv *tlv = (void *)&skb->data[5]; 2919 2920 /* The first event is always an event type TLV */ 2921 if (tlv->type != INTEL_TLV_TYPE_ID) 2922 goto recv_frame; 2923 2924 switch (tlv->val[0]) { 2925 case INTEL_TLV_SYSTEM_EXCEPTION: 2926 case INTEL_TLV_FATAL_EXCEPTION: 2927 case INTEL_TLV_DEBUG_EXCEPTION: 2928 case INTEL_TLV_TEST_EXCEPTION: 2929 /* Generate devcoredump from exception */ 2930 if (!hci_devcd_init(hdev, skb->len)) { 2931 hci_devcd_append(hdev, skb); 2932 hci_devcd_complete(hdev); 2933 } else { 2934 bt_dev_err(hdev, "Failed to generate devcoredump"); 2935 kfree_skb(skb); 2936 } 2937 return 0; 2938 default: 2939 bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]); 2940 } 2941 2942 recv_frame: 2943 return hci_recv_frame(hdev, skb); 2944 } 2945 2946 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 2947 { 2948 struct hci_event_hdr *hdr = (void *)skb->data; 2949 const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 }; 2950 2951 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 2952 hdr->plen > 0) { 2953 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 2954 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 2955 2956 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2957 switch (skb->data[2]) { 2958 case 0x02: 2959 /* When switching to the operational firmware 2960 * the device sends a vendor specific event 2961 * indicating that the bootup completed. 2962 */ 2963 btintel_bootup(hdev, ptr, len); 2964 break; 2965 case 0x06: 2966 /* When the firmware loading completes the 2967 * device sends out a vendor specific event 2968 * indicating the result of the firmware 2969 * loading. 2970 */ 2971 btintel_secure_send_result(hdev, ptr, len); 2972 break; 2973 } 2974 } 2975 2976 /* Handle all diagnostics events separately. May still call 2977 * hci_recv_frame. 2978 */ 2979 if (len >= sizeof(diagnostics_hdr) && 2980 memcmp(&skb->data[2], diagnostics_hdr, 2981 sizeof(diagnostics_hdr)) == 0) { 2982 return btintel_diagnostics(hdev, skb); 2983 } 2984 } 2985 2986 return hci_recv_frame(hdev, skb); 2987 } 2988 EXPORT_SYMBOL_GPL(btintel_recv_event); 2989 2990 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len) 2991 { 2992 const struct intel_bootup *evt = ptr; 2993 2994 if (len != sizeof(*evt)) 2995 return; 2996 2997 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING)) 2998 btintel_wake_up_flag(hdev, INTEL_BOOTING); 2999 } 3000 EXPORT_SYMBOL_GPL(btintel_bootup); 3001 3002 void btintel_secure_send_result(struct hci_dev *hdev, 3003 const void *ptr, unsigned int len) 3004 { 3005 const struct intel_secure_send_result *evt = ptr; 3006 3007 if (len != sizeof(*evt)) 3008 return; 3009 3010 if (evt->result) 3011 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED); 3012 3013 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) && 3014 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED)) 3015 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING); 3016 } 3017 EXPORT_SYMBOL_GPL(btintel_secure_send_result); 3018 3019 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3020 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION); 3021 MODULE_VERSION(VERSION); 3022 MODULE_LICENSE("GPL"); 3023 MODULE_FIRMWARE("intel/ibt-11-5.sfi"); 3024 MODULE_FIRMWARE("intel/ibt-11-5.ddc"); 3025 MODULE_FIRMWARE("intel/ibt-12-16.sfi"); 3026 MODULE_FIRMWARE("intel/ibt-12-16.ddc"); 3027