xref: /openbmc/linux/drivers/bluetooth/btintel.c (revision a347279d)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *
4  *  Bluetooth support for Intel devices
5  *
6  *  Copyright (C) 2015  Intel Corporation
7  */
8 
9 #include <linux/module.h>
10 #include <linux/firmware.h>
11 #include <linux/regmap.h>
12 #include <linux/acpi.h>
13 #include <asm/unaligned.h>
14 
15 #include <net/bluetooth/bluetooth.h>
16 #include <net/bluetooth/hci_core.h>
17 
18 #include "btintel.h"
19 
20 #define VERSION "0.1"
21 
22 #define BDADDR_INTEL		(&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
23 #define RSA_HEADER_LEN		644
24 #define CSS_HEADER_OFFSET	8
25 #define ECDSA_OFFSET		644
26 #define ECDSA_HEADER_LEN	320
27 
28 #define BTINTEL_PPAG_NAME   "PPAG"
29 
30 /* structure to store the PPAG data read from ACPI table */
31 struct btintel_ppag {
32 	u32	domain;
33 	u32     mode;
34 	acpi_status status;
35 	struct hci_dev *hdev;
36 };
37 
38 #define CMD_WRITE_BOOT_PARAMS	0xfc0e
39 struct cmd_write_boot_params {
40 	__le32 boot_addr;
41 	u8  fw_build_num;
42 	u8  fw_build_ww;
43 	u8  fw_build_yy;
44 } __packed;
45 
46 int btintel_check_bdaddr(struct hci_dev *hdev)
47 {
48 	struct hci_rp_read_bd_addr *bda;
49 	struct sk_buff *skb;
50 
51 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
52 			     HCI_INIT_TIMEOUT);
53 	if (IS_ERR(skb)) {
54 		int err = PTR_ERR(skb);
55 		bt_dev_err(hdev, "Reading Intel device address failed (%d)",
56 			   err);
57 		return err;
58 	}
59 
60 	if (skb->len != sizeof(*bda)) {
61 		bt_dev_err(hdev, "Intel device address length mismatch");
62 		kfree_skb(skb);
63 		return -EIO;
64 	}
65 
66 	bda = (struct hci_rp_read_bd_addr *)skb->data;
67 
68 	/* For some Intel based controllers, the default Bluetooth device
69 	 * address 00:03:19:9E:8B:00 can be found. These controllers are
70 	 * fully operational, but have the danger of duplicate addresses
71 	 * and that in turn can cause problems with Bluetooth operation.
72 	 */
73 	if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
74 		bt_dev_err(hdev, "Found Intel default device address (%pMR)",
75 			   &bda->bdaddr);
76 		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
77 	}
78 
79 	kfree_skb(skb);
80 
81 	return 0;
82 }
83 EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
84 
85 int btintel_enter_mfg(struct hci_dev *hdev)
86 {
87 	static const u8 param[] = { 0x01, 0x00 };
88 	struct sk_buff *skb;
89 
90 	skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
91 	if (IS_ERR(skb)) {
92 		bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
93 			   PTR_ERR(skb));
94 		return PTR_ERR(skb);
95 	}
96 	kfree_skb(skb);
97 
98 	return 0;
99 }
100 EXPORT_SYMBOL_GPL(btintel_enter_mfg);
101 
102 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
103 {
104 	u8 param[] = { 0x00, 0x00 };
105 	struct sk_buff *skb;
106 
107 	/* The 2nd command parameter specifies the manufacturing exit method:
108 	 * 0x00: Just disable the manufacturing mode (0x00).
109 	 * 0x01: Disable manufacturing mode and reset with patches deactivated.
110 	 * 0x02: Disable manufacturing mode and reset with patches activated.
111 	 */
112 	if (reset)
113 		param[1] |= patched ? 0x02 : 0x01;
114 
115 	skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
116 	if (IS_ERR(skb)) {
117 		bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
118 			   PTR_ERR(skb));
119 		return PTR_ERR(skb);
120 	}
121 	kfree_skb(skb);
122 
123 	return 0;
124 }
125 EXPORT_SYMBOL_GPL(btintel_exit_mfg);
126 
127 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
128 {
129 	struct sk_buff *skb;
130 	int err;
131 
132 	skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
133 	if (IS_ERR(skb)) {
134 		err = PTR_ERR(skb);
135 		bt_dev_err(hdev, "Changing Intel device address failed (%d)",
136 			   err);
137 		return err;
138 	}
139 	kfree_skb(skb);
140 
141 	return 0;
142 }
143 EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
144 
145 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
146 {
147 	u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
148 	struct sk_buff *skb;
149 	int err;
150 
151 	if (debug)
152 		mask[1] |= 0x62;
153 
154 	skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
155 	if (IS_ERR(skb)) {
156 		err = PTR_ERR(skb);
157 		bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err);
158 		return err;
159 	}
160 	kfree_skb(skb);
161 
162 	return 0;
163 }
164 
165 int btintel_set_diag(struct hci_dev *hdev, bool enable)
166 {
167 	struct sk_buff *skb;
168 	u8 param[3];
169 	int err;
170 
171 	if (enable) {
172 		param[0] = 0x03;
173 		param[1] = 0x03;
174 		param[2] = 0x03;
175 	} else {
176 		param[0] = 0x00;
177 		param[1] = 0x00;
178 		param[2] = 0x00;
179 	}
180 
181 	skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
182 	if (IS_ERR(skb)) {
183 		err = PTR_ERR(skb);
184 		if (err == -ENODATA)
185 			goto done;
186 		bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)",
187 			   err);
188 		return err;
189 	}
190 	kfree_skb(skb);
191 
192 done:
193 	btintel_set_event_mask(hdev, enable);
194 	return 0;
195 }
196 EXPORT_SYMBOL_GPL(btintel_set_diag);
197 
198 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
199 {
200 	int err, ret;
201 
202 	err = btintel_enter_mfg(hdev);
203 	if (err)
204 		return err;
205 
206 	ret = btintel_set_diag(hdev, enable);
207 
208 	err = btintel_exit_mfg(hdev, false, false);
209 	if (err)
210 		return err;
211 
212 	return ret;
213 }
214 
215 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable)
216 {
217 	int ret;
218 
219 	/* Legacy ROM device needs to be in the manufacturer mode to apply
220 	 * diagnostic setting
221 	 *
222 	 * This flag is set after reading the Intel version.
223 	 */
224 	if (btintel_test_flag(hdev, INTEL_ROM_LEGACY))
225 		ret = btintel_set_diag_mfg(hdev, enable);
226 	else
227 		ret = btintel_set_diag(hdev, enable);
228 
229 	return ret;
230 }
231 
232 static void btintel_hw_error(struct hci_dev *hdev, u8 code)
233 {
234 	struct sk_buff *skb;
235 	u8 type = 0x00;
236 
237 	bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
238 
239 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
240 	if (IS_ERR(skb)) {
241 		bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
242 			   PTR_ERR(skb));
243 		return;
244 	}
245 	kfree_skb(skb);
246 
247 	skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
248 	if (IS_ERR(skb)) {
249 		bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
250 			   PTR_ERR(skb));
251 		return;
252 	}
253 
254 	if (skb->len != 13) {
255 		bt_dev_err(hdev, "Exception info size mismatch");
256 		kfree_skb(skb);
257 		return;
258 	}
259 
260 	bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
261 
262 	kfree_skb(skb);
263 }
264 
265 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
266 {
267 	const char *variant;
268 
269 	/* The hardware platform number has a fixed value of 0x37 and
270 	 * for now only accept this single value.
271 	 */
272 	if (ver->hw_platform != 0x37) {
273 		bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)",
274 			   ver->hw_platform);
275 		return -EINVAL;
276 	}
277 
278 	/* Check for supported iBT hardware variants of this firmware
279 	 * loading method.
280 	 *
281 	 * This check has been put in place to ensure correct forward
282 	 * compatibility options when newer hardware variants come along.
283 	 */
284 	switch (ver->hw_variant) {
285 	case 0x07:	/* WP - Legacy ROM */
286 	case 0x08:	/* StP - Legacy ROM */
287 	case 0x0b:      /* SfP */
288 	case 0x0c:      /* WsP */
289 	case 0x11:      /* JfP */
290 	case 0x12:      /* ThP */
291 	case 0x13:      /* HrP */
292 	case 0x14:      /* CcP */
293 		break;
294 	default:
295 		bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)",
296 			   ver->hw_variant);
297 		return -EINVAL;
298 	}
299 
300 	switch (ver->fw_variant) {
301 	case 0x01:
302 		variant = "Legacy ROM 2.5";
303 		break;
304 	case 0x06:
305 		variant = "Bootloader";
306 		break;
307 	case 0x22:
308 		variant = "Legacy ROM 2.x";
309 		break;
310 	case 0x23:
311 		variant = "Firmware";
312 		break;
313 	default:
314 		bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant);
315 		return -EINVAL;
316 	}
317 
318 	bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u",
319 		    variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
320 		    ver->fw_build_num, ver->fw_build_ww,
321 		    2000 + ver->fw_build_yy);
322 
323 	return 0;
324 }
325 EXPORT_SYMBOL_GPL(btintel_version_info);
326 
327 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
328 			       const void *param)
329 {
330 	while (plen > 0) {
331 		struct sk_buff *skb;
332 		u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
333 
334 		cmd_param[0] = fragment_type;
335 		memcpy(cmd_param + 1, param, fragment_len);
336 
337 		skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
338 				     cmd_param, HCI_INIT_TIMEOUT);
339 		if (IS_ERR(skb))
340 			return PTR_ERR(skb);
341 
342 		kfree_skb(skb);
343 
344 		plen -= fragment_len;
345 		param += fragment_len;
346 	}
347 
348 	return 0;
349 }
350 
351 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
352 {
353 	const struct firmware *fw;
354 	struct sk_buff *skb;
355 	const u8 *fw_ptr;
356 	int err;
357 
358 	err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
359 	if (err < 0) {
360 		bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
361 			   ddc_name, err);
362 		return err;
363 	}
364 
365 	bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
366 
367 	fw_ptr = fw->data;
368 
369 	/* DDC file contains one or more DDC structure which has
370 	 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
371 	 */
372 	while (fw->size > fw_ptr - fw->data) {
373 		u8 cmd_plen = fw_ptr[0] + sizeof(u8);
374 
375 		skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
376 				     HCI_INIT_TIMEOUT);
377 		if (IS_ERR(skb)) {
378 			bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
379 				   PTR_ERR(skb));
380 			release_firmware(fw);
381 			return PTR_ERR(skb);
382 		}
383 
384 		fw_ptr += cmd_plen;
385 		kfree_skb(skb);
386 	}
387 
388 	release_firmware(fw);
389 
390 	bt_dev_info(hdev, "Applying Intel DDC parameters completed");
391 
392 	return 0;
393 }
394 EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
395 
396 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
397 {
398 	int err, ret;
399 
400 	err = btintel_enter_mfg(hdev);
401 	if (err)
402 		return err;
403 
404 	ret = btintel_set_event_mask(hdev, debug);
405 
406 	err = btintel_exit_mfg(hdev, false, false);
407 	if (err)
408 		return err;
409 
410 	return ret;
411 }
412 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
413 
414 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
415 {
416 	struct sk_buff *skb;
417 
418 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
419 	if (IS_ERR(skb)) {
420 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
421 			   PTR_ERR(skb));
422 		return PTR_ERR(skb);
423 	}
424 
425 	if (skb->len != sizeof(*ver)) {
426 		bt_dev_err(hdev, "Intel version event size mismatch");
427 		kfree_skb(skb);
428 		return -EILSEQ;
429 	}
430 
431 	memcpy(ver, skb->data, sizeof(*ver));
432 
433 	kfree_skb(skb);
434 
435 	return 0;
436 }
437 EXPORT_SYMBOL_GPL(btintel_read_version);
438 
439 static int btintel_version_info_tlv(struct hci_dev *hdev,
440 				    struct intel_version_tlv *version)
441 {
442 	const char *variant;
443 
444 	/* The hardware platform number has a fixed value of 0x37 and
445 	 * for now only accept this single value.
446 	 */
447 	if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) {
448 		bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
449 			   INTEL_HW_PLATFORM(version->cnvi_bt));
450 		return -EINVAL;
451 	}
452 
453 	/* Check for supported iBT hardware variants of this firmware
454 	 * loading method.
455 	 *
456 	 * This check has been put in place to ensure correct forward
457 	 * compatibility options when newer hardware variants come along.
458 	 */
459 	switch (INTEL_HW_VARIANT(version->cnvi_bt)) {
460 	case 0x17:	/* TyP */
461 	case 0x18:	/* Slr */
462 	case 0x19:	/* Slr-F */
463 	case 0x1b:      /* Mgr */
464 		break;
465 	default:
466 		bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)",
467 			   INTEL_HW_VARIANT(version->cnvi_bt));
468 		return -EINVAL;
469 	}
470 
471 	switch (version->img_type) {
472 	case 0x01:
473 		variant = "Bootloader";
474 		/* It is required that every single firmware fragment is acknowledged
475 		 * with a command complete event. If the boot parameters indicate
476 		 * that this bootloader does not send them, then abort the setup.
477 		 */
478 		if (version->limited_cce != 0x00) {
479 			bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)",
480 				   version->limited_cce);
481 			return -EINVAL;
482 		}
483 
484 		/* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */
485 		if (version->sbe_type > 0x01) {
486 			bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)",
487 				   version->sbe_type);
488 			return -EINVAL;
489 		}
490 
491 		bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id);
492 		bt_dev_info(hdev, "Secure boot is %s",
493 			    version->secure_boot ? "enabled" : "disabled");
494 		bt_dev_info(hdev, "OTP lock is %s",
495 			    version->otp_lock ? "enabled" : "disabled");
496 		bt_dev_info(hdev, "API lock is %s",
497 			    version->api_lock ? "enabled" : "disabled");
498 		bt_dev_info(hdev, "Debug lock is %s",
499 			    version->debug_lock ? "enabled" : "disabled");
500 		bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
501 			    version->min_fw_build_nn, version->min_fw_build_cw,
502 			    2000 + version->min_fw_build_yy);
503 		break;
504 	case 0x03:
505 		variant = "Firmware";
506 		break;
507 	default:
508 		bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type);
509 		return -EINVAL;
510 	}
511 
512 	bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant,
513 		    2000 + (version->timestamp >> 8), version->timestamp & 0xff,
514 		    version->build_type, version->build_num);
515 
516 	return 0;
517 }
518 
519 static int btintel_parse_version_tlv(struct hci_dev *hdev,
520 				     struct intel_version_tlv *version,
521 				     struct sk_buff *skb)
522 {
523 	/* Consume Command Complete Status field */
524 	skb_pull(skb, 1);
525 
526 	/* Event parameters contatin multiple TLVs. Read each of them
527 	 * and only keep the required data. Also, it use existing legacy
528 	 * version field like hw_platform, hw_variant, and fw_variant
529 	 * to keep the existing setup flow
530 	 */
531 	while (skb->len) {
532 		struct intel_tlv *tlv;
533 
534 		/* Make sure skb has a minimum length of the header */
535 		if (skb->len < sizeof(*tlv))
536 			return -EINVAL;
537 
538 		tlv = (struct intel_tlv *)skb->data;
539 
540 		/* Make sure skb has a enough data */
541 		if (skb->len < tlv->len + sizeof(*tlv))
542 			return -EINVAL;
543 
544 		switch (tlv->type) {
545 		case INTEL_TLV_CNVI_TOP:
546 			version->cnvi_top = get_unaligned_le32(tlv->val);
547 			break;
548 		case INTEL_TLV_CNVR_TOP:
549 			version->cnvr_top = get_unaligned_le32(tlv->val);
550 			break;
551 		case INTEL_TLV_CNVI_BT:
552 			version->cnvi_bt = get_unaligned_le32(tlv->val);
553 			break;
554 		case INTEL_TLV_CNVR_BT:
555 			version->cnvr_bt = get_unaligned_le32(tlv->val);
556 			break;
557 		case INTEL_TLV_DEV_REV_ID:
558 			version->dev_rev_id = get_unaligned_le16(tlv->val);
559 			break;
560 		case INTEL_TLV_IMAGE_TYPE:
561 			version->img_type = tlv->val[0];
562 			break;
563 		case INTEL_TLV_TIME_STAMP:
564 			/* If image type is Operational firmware (0x03), then
565 			 * running FW Calendar Week and Year information can
566 			 * be extracted from Timestamp information
567 			 */
568 			version->min_fw_build_cw = tlv->val[0];
569 			version->min_fw_build_yy = tlv->val[1];
570 			version->timestamp = get_unaligned_le16(tlv->val);
571 			break;
572 		case INTEL_TLV_BUILD_TYPE:
573 			version->build_type = tlv->val[0];
574 			break;
575 		case INTEL_TLV_BUILD_NUM:
576 			/* If image type is Operational firmware (0x03), then
577 			 * running FW build number can be extracted from the
578 			 * Build information
579 			 */
580 			version->min_fw_build_nn = tlv->val[0];
581 			version->build_num = get_unaligned_le32(tlv->val);
582 			break;
583 		case INTEL_TLV_SECURE_BOOT:
584 			version->secure_boot = tlv->val[0];
585 			break;
586 		case INTEL_TLV_OTP_LOCK:
587 			version->otp_lock = tlv->val[0];
588 			break;
589 		case INTEL_TLV_API_LOCK:
590 			version->api_lock = tlv->val[0];
591 			break;
592 		case INTEL_TLV_DEBUG_LOCK:
593 			version->debug_lock = tlv->val[0];
594 			break;
595 		case INTEL_TLV_MIN_FW:
596 			version->min_fw_build_nn = tlv->val[0];
597 			version->min_fw_build_cw = tlv->val[1];
598 			version->min_fw_build_yy = tlv->val[2];
599 			break;
600 		case INTEL_TLV_LIMITED_CCE:
601 			version->limited_cce = tlv->val[0];
602 			break;
603 		case INTEL_TLV_SBE_TYPE:
604 			version->sbe_type = tlv->val[0];
605 			break;
606 		case INTEL_TLV_OTP_BDADDR:
607 			memcpy(&version->otp_bd_addr, tlv->val,
608 							sizeof(bdaddr_t));
609 			break;
610 		default:
611 			/* Ignore rest of information */
612 			break;
613 		}
614 		/* consume the current tlv and move to next*/
615 		skb_pull(skb, tlv->len + sizeof(*tlv));
616 	}
617 
618 	return 0;
619 }
620 
621 static int btintel_read_version_tlv(struct hci_dev *hdev,
622 				    struct intel_version_tlv *version)
623 {
624 	struct sk_buff *skb;
625 	const u8 param[1] = { 0xFF };
626 
627 	if (!version)
628 		return -EINVAL;
629 
630 	skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
631 	if (IS_ERR(skb)) {
632 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
633 			   PTR_ERR(skb));
634 		return PTR_ERR(skb);
635 	}
636 
637 	if (skb->data[0]) {
638 		bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
639 			   skb->data[0]);
640 		kfree_skb(skb);
641 		return -EIO;
642 	}
643 
644 	btintel_parse_version_tlv(hdev, version, skb);
645 
646 	kfree_skb(skb);
647 	return 0;
648 }
649 
650 /* ------- REGMAP IBT SUPPORT ------- */
651 
652 #define IBT_REG_MODE_8BIT  0x00
653 #define IBT_REG_MODE_16BIT 0x01
654 #define IBT_REG_MODE_32BIT 0x02
655 
656 struct regmap_ibt_context {
657 	struct hci_dev *hdev;
658 	__u16 op_write;
659 	__u16 op_read;
660 };
661 
662 struct ibt_cp_reg_access {
663 	__le32  addr;
664 	__u8    mode;
665 	__u8    len;
666 	__u8    data[];
667 } __packed;
668 
669 struct ibt_rp_reg_access {
670 	__u8    status;
671 	__le32  addr;
672 	__u8    data[];
673 } __packed;
674 
675 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
676 			   void *val, size_t val_size)
677 {
678 	struct regmap_ibt_context *ctx = context;
679 	struct ibt_cp_reg_access cp;
680 	struct ibt_rp_reg_access *rp;
681 	struct sk_buff *skb;
682 	int err = 0;
683 
684 	if (reg_size != sizeof(__le32))
685 		return -EINVAL;
686 
687 	switch (val_size) {
688 	case 1:
689 		cp.mode = IBT_REG_MODE_8BIT;
690 		break;
691 	case 2:
692 		cp.mode = IBT_REG_MODE_16BIT;
693 		break;
694 	case 4:
695 		cp.mode = IBT_REG_MODE_32BIT;
696 		break;
697 	default:
698 		return -EINVAL;
699 	}
700 
701 	/* regmap provides a little-endian formatted addr */
702 	cp.addr = *(__le32 *)addr;
703 	cp.len = val_size;
704 
705 	bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
706 
707 	skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
708 			   HCI_CMD_TIMEOUT);
709 	if (IS_ERR(skb)) {
710 		err = PTR_ERR(skb);
711 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
712 			   le32_to_cpu(cp.addr), err);
713 		return err;
714 	}
715 
716 	if (skb->len != sizeof(*rp) + val_size) {
717 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
718 			   le32_to_cpu(cp.addr));
719 		err = -EINVAL;
720 		goto done;
721 	}
722 
723 	rp = (struct ibt_rp_reg_access *)skb->data;
724 
725 	if (rp->addr != cp.addr) {
726 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
727 			   le32_to_cpu(rp->addr));
728 		err = -EINVAL;
729 		goto done;
730 	}
731 
732 	memcpy(val, rp->data, val_size);
733 
734 done:
735 	kfree_skb(skb);
736 	return err;
737 }
738 
739 static int regmap_ibt_gather_write(void *context,
740 				   const void *addr, size_t reg_size,
741 				   const void *val, size_t val_size)
742 {
743 	struct regmap_ibt_context *ctx = context;
744 	struct ibt_cp_reg_access *cp;
745 	struct sk_buff *skb;
746 	int plen = sizeof(*cp) + val_size;
747 	u8 mode;
748 	int err = 0;
749 
750 	if (reg_size != sizeof(__le32))
751 		return -EINVAL;
752 
753 	switch (val_size) {
754 	case 1:
755 		mode = IBT_REG_MODE_8BIT;
756 		break;
757 	case 2:
758 		mode = IBT_REG_MODE_16BIT;
759 		break;
760 	case 4:
761 		mode = IBT_REG_MODE_32BIT;
762 		break;
763 	default:
764 		return -EINVAL;
765 	}
766 
767 	cp = kmalloc(plen, GFP_KERNEL);
768 	if (!cp)
769 		return -ENOMEM;
770 
771 	/* regmap provides a little-endian formatted addr/value */
772 	cp->addr = *(__le32 *)addr;
773 	cp->mode = mode;
774 	cp->len = val_size;
775 	memcpy(&cp->data, val, val_size);
776 
777 	bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
778 
779 	skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
780 	if (IS_ERR(skb)) {
781 		err = PTR_ERR(skb);
782 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
783 			   le32_to_cpu(cp->addr), err);
784 		goto done;
785 	}
786 	kfree_skb(skb);
787 
788 done:
789 	kfree(cp);
790 	return err;
791 }
792 
793 static int regmap_ibt_write(void *context, const void *data, size_t count)
794 {
795 	/* data contains register+value, since we only support 32bit addr,
796 	 * minimum data size is 4 bytes.
797 	 */
798 	if (WARN_ONCE(count < 4, "Invalid register access"))
799 		return -EINVAL;
800 
801 	return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
802 }
803 
804 static void regmap_ibt_free_context(void *context)
805 {
806 	kfree(context);
807 }
808 
809 static const struct regmap_bus regmap_ibt = {
810 	.read = regmap_ibt_read,
811 	.write = regmap_ibt_write,
812 	.gather_write = regmap_ibt_gather_write,
813 	.free_context = regmap_ibt_free_context,
814 	.reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
815 	.val_format_endian_default = REGMAP_ENDIAN_LITTLE,
816 };
817 
818 /* Config is the same for all register regions */
819 static const struct regmap_config regmap_ibt_cfg = {
820 	.name      = "btintel_regmap",
821 	.reg_bits  = 32,
822 	.val_bits  = 32,
823 };
824 
825 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
826 				   u16 opcode_write)
827 {
828 	struct regmap_ibt_context *ctx;
829 
830 	bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
831 		    opcode_write);
832 
833 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
834 	if (!ctx)
835 		return ERR_PTR(-ENOMEM);
836 
837 	ctx->op_read = opcode_read;
838 	ctx->op_write = opcode_write;
839 	ctx->hdev = hdev;
840 
841 	return regmap_init(&hdev->dev, &regmap_ibt, ctx, &regmap_ibt_cfg);
842 }
843 EXPORT_SYMBOL_GPL(btintel_regmap_init);
844 
845 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
846 {
847 	struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 };
848 	struct sk_buff *skb;
849 
850 	params.boot_param = cpu_to_le32(boot_param);
851 
852 	skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), &params,
853 			     HCI_INIT_TIMEOUT);
854 	if (IS_ERR(skb)) {
855 		bt_dev_err(hdev, "Failed to send Intel Reset command");
856 		return PTR_ERR(skb);
857 	}
858 
859 	kfree_skb(skb);
860 
861 	return 0;
862 }
863 EXPORT_SYMBOL_GPL(btintel_send_intel_reset);
864 
865 int btintel_read_boot_params(struct hci_dev *hdev,
866 			     struct intel_boot_params *params)
867 {
868 	struct sk_buff *skb;
869 
870 	skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
871 	if (IS_ERR(skb)) {
872 		bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)",
873 			   PTR_ERR(skb));
874 		return PTR_ERR(skb);
875 	}
876 
877 	if (skb->len != sizeof(*params)) {
878 		bt_dev_err(hdev, "Intel boot parameters size mismatch");
879 		kfree_skb(skb);
880 		return -EILSEQ;
881 	}
882 
883 	memcpy(params, skb->data, sizeof(*params));
884 
885 	kfree_skb(skb);
886 
887 	if (params->status) {
888 		bt_dev_err(hdev, "Intel boot parameters command failed (%02x)",
889 			   params->status);
890 		return -bt_to_errno(params->status);
891 	}
892 
893 	bt_dev_info(hdev, "Device revision is %u",
894 		    le16_to_cpu(params->dev_revid));
895 
896 	bt_dev_info(hdev, "Secure boot is %s",
897 		    params->secure_boot ? "enabled" : "disabled");
898 
899 	bt_dev_info(hdev, "OTP lock is %s",
900 		    params->otp_lock ? "enabled" : "disabled");
901 
902 	bt_dev_info(hdev, "API lock is %s",
903 		    params->api_lock ? "enabled" : "disabled");
904 
905 	bt_dev_info(hdev, "Debug lock is %s",
906 		    params->debug_lock ? "enabled" : "disabled");
907 
908 	bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
909 		    params->min_fw_build_nn, params->min_fw_build_cw,
910 		    2000 + params->min_fw_build_yy);
911 
912 	return 0;
913 }
914 EXPORT_SYMBOL_GPL(btintel_read_boot_params);
915 
916 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev,
917 					      const struct firmware *fw)
918 {
919 	int err;
920 
921 	/* Start the firmware download transaction with the Init fragment
922 	 * represented by the 128 bytes of CSS header.
923 	 */
924 	err = btintel_secure_send(hdev, 0x00, 128, fw->data);
925 	if (err < 0) {
926 		bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
927 		goto done;
928 	}
929 
930 	/* Send the 256 bytes of public key information from the firmware
931 	 * as the PKey fragment.
932 	 */
933 	err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
934 	if (err < 0) {
935 		bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
936 		goto done;
937 	}
938 
939 	/* Send the 256 bytes of signature information from the firmware
940 	 * as the Sign fragment.
941 	 */
942 	err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
943 	if (err < 0) {
944 		bt_dev_err(hdev, "Failed to send firmware signature (%d)", err);
945 		goto done;
946 	}
947 
948 done:
949 	return err;
950 }
951 
952 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev,
953 						const struct firmware *fw)
954 {
955 	int err;
956 
957 	/* Start the firmware download transaction with the Init fragment
958 	 * represented by the 128 bytes of CSS header.
959 	 */
960 	err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644);
961 	if (err < 0) {
962 		bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
963 		return err;
964 	}
965 
966 	/* Send the 96 bytes of public key information from the firmware
967 	 * as the PKey fragment.
968 	 */
969 	err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128);
970 	if (err < 0) {
971 		bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
972 		return err;
973 	}
974 
975 	/* Send the 96 bytes of signature information from the firmware
976 	 * as the Sign fragment
977 	 */
978 	err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224);
979 	if (err < 0) {
980 		bt_dev_err(hdev, "Failed to send firmware signature (%d)",
981 			   err);
982 		return err;
983 	}
984 	return 0;
985 }
986 
987 static int btintel_download_firmware_payload(struct hci_dev *hdev,
988 					     const struct firmware *fw,
989 					     size_t offset)
990 {
991 	int err;
992 	const u8 *fw_ptr;
993 	u32 frag_len;
994 
995 	fw_ptr = fw->data + offset;
996 	frag_len = 0;
997 	err = -EINVAL;
998 
999 	while (fw_ptr - fw->data < fw->size) {
1000 		struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
1001 
1002 		frag_len += sizeof(*cmd) + cmd->plen;
1003 
1004 		/* The parameter length of the secure send command requires
1005 		 * a 4 byte alignment. It happens so that the firmware file
1006 		 * contains proper Intel_NOP commands to align the fragments
1007 		 * as needed.
1008 		 *
1009 		 * Send set of commands with 4 byte alignment from the
1010 		 * firmware data buffer as a single Data fragement.
1011 		 */
1012 		if (!(frag_len % 4)) {
1013 			err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
1014 			if (err < 0) {
1015 				bt_dev_err(hdev,
1016 					   "Failed to send firmware data (%d)",
1017 					   err);
1018 				goto done;
1019 			}
1020 
1021 			fw_ptr += frag_len;
1022 			frag_len = 0;
1023 		}
1024 	}
1025 
1026 done:
1027 	return err;
1028 }
1029 
1030 static bool btintel_firmware_version(struct hci_dev *hdev,
1031 				     u8 num, u8 ww, u8 yy,
1032 				     const struct firmware *fw,
1033 				     u32 *boot_addr)
1034 {
1035 	const u8 *fw_ptr;
1036 
1037 	fw_ptr = fw->data;
1038 
1039 	while (fw_ptr - fw->data < fw->size) {
1040 		struct hci_command_hdr *cmd = (void *)(fw_ptr);
1041 
1042 		/* Each SKU has a different reset parameter to use in the
1043 		 * HCI_Intel_Reset command and it is embedded in the firmware
1044 		 * data. So, instead of using static value per SKU, check
1045 		 * the firmware data and save it for later use.
1046 		 */
1047 		if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) {
1048 			struct cmd_write_boot_params *params;
1049 
1050 			params = (void *)(fw_ptr + sizeof(*cmd));
1051 
1052 			*boot_addr = le32_to_cpu(params->boot_addr);
1053 
1054 			bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr);
1055 
1056 			bt_dev_info(hdev, "Firmware Version: %u-%u.%u",
1057 				    params->fw_build_num, params->fw_build_ww,
1058 				    params->fw_build_yy);
1059 
1060 			return (num == params->fw_build_num &&
1061 				ww == params->fw_build_ww &&
1062 				yy == params->fw_build_yy);
1063 		}
1064 
1065 		fw_ptr += sizeof(*cmd) + cmd->plen;
1066 	}
1067 
1068 	return false;
1069 }
1070 
1071 int btintel_download_firmware(struct hci_dev *hdev,
1072 			      struct intel_version *ver,
1073 			      const struct firmware *fw,
1074 			      u32 *boot_param)
1075 {
1076 	int err;
1077 
1078 	/* SfP and WsP don't seem to update the firmware version on file
1079 	 * so version checking is currently not possible.
1080 	 */
1081 	switch (ver->hw_variant) {
1082 	case 0x0b:	/* SfP */
1083 	case 0x0c:	/* WsP */
1084 		/* Skip version checking */
1085 		break;
1086 	default:
1087 
1088 		/* Skip download if firmware has the same version */
1089 		if (btintel_firmware_version(hdev, ver->fw_build_num,
1090 					     ver->fw_build_ww, ver->fw_build_yy,
1091 					     fw, boot_param)) {
1092 			bt_dev_info(hdev, "Firmware already loaded");
1093 			/* Return -EALREADY to indicate that the firmware has
1094 			 * already been loaded.
1095 			 */
1096 			return -EALREADY;
1097 		}
1098 	}
1099 
1100 	/* The firmware variant determines if the device is in bootloader
1101 	 * mode or is running operational firmware. The value 0x06 identifies
1102 	 * the bootloader and the value 0x23 identifies the operational
1103 	 * firmware.
1104 	 *
1105 	 * If the firmware version has changed that means it needs to be reset
1106 	 * to bootloader when operational so the new firmware can be loaded.
1107 	 */
1108 	if (ver->fw_variant == 0x23)
1109 		return -EINVAL;
1110 
1111 	err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1112 	if (err)
1113 		return err;
1114 
1115 	return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1116 }
1117 EXPORT_SYMBOL_GPL(btintel_download_firmware);
1118 
1119 static int btintel_download_fw_tlv(struct hci_dev *hdev,
1120 				   struct intel_version_tlv *ver,
1121 				   const struct firmware *fw, u32 *boot_param,
1122 				   u8 hw_variant, u8 sbe_type)
1123 {
1124 	int err;
1125 	u32 css_header_ver;
1126 
1127 	/* Skip download if firmware has the same version */
1128 	if (btintel_firmware_version(hdev, ver->min_fw_build_nn,
1129 				     ver->min_fw_build_cw,
1130 				     ver->min_fw_build_yy,
1131 				     fw, boot_param)) {
1132 		bt_dev_info(hdev, "Firmware already loaded");
1133 		/* Return -EALREADY to indicate that firmware has
1134 		 * already been loaded.
1135 		 */
1136 		return -EALREADY;
1137 	}
1138 
1139 	/* The firmware variant determines if the device is in bootloader
1140 	 * mode or is running operational firmware. The value 0x01 identifies
1141 	 * the bootloader and the value 0x03 identifies the operational
1142 	 * firmware.
1143 	 *
1144 	 * If the firmware version has changed that means it needs to be reset
1145 	 * to bootloader when operational so the new firmware can be loaded.
1146 	 */
1147 	if (ver->img_type == 0x03)
1148 		return -EINVAL;
1149 
1150 	/* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support
1151 	 * only RSA secure boot engine. Hence, the corresponding sfi file will
1152 	 * have RSA header of 644 bytes followed by Command Buffer.
1153 	 *
1154 	 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA
1155 	 * secure boot engine. As a result, the corresponding sfi file will
1156 	 * have RSA header of 644, ECDSA header of 320 bytes followed by
1157 	 * Command Buffer.
1158 	 *
1159 	 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header
1160 	 * version: RSA(0x00010000) , ECDSA (0x00020000)
1161 	 */
1162 	css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET);
1163 	if (css_header_ver != 0x00010000) {
1164 		bt_dev_err(hdev, "Invalid CSS Header version");
1165 		return -EINVAL;
1166 	}
1167 
1168 	if (hw_variant <= 0x14) {
1169 		if (sbe_type != 0x00) {
1170 			bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)",
1171 				   hw_variant);
1172 			return -EINVAL;
1173 		}
1174 
1175 		err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1176 		if (err)
1177 			return err;
1178 
1179 		err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1180 		if (err)
1181 			return err;
1182 	} else if (hw_variant >= 0x17) {
1183 		/* Check if CSS header for ECDSA follows the RSA header */
1184 		if (fw->data[ECDSA_OFFSET] != 0x06)
1185 			return -EINVAL;
1186 
1187 		/* Check if the CSS Header version is ECDSA(0x00020000) */
1188 		css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET);
1189 		if (css_header_ver != 0x00020000) {
1190 			bt_dev_err(hdev, "Invalid CSS Header version");
1191 			return -EINVAL;
1192 		}
1193 
1194 		if (sbe_type == 0x00) {
1195 			err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1196 			if (err)
1197 				return err;
1198 
1199 			err = btintel_download_firmware_payload(hdev, fw,
1200 								RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1201 			if (err)
1202 				return err;
1203 		} else if (sbe_type == 0x01) {
1204 			err = btintel_sfi_ecdsa_header_secure_send(hdev, fw);
1205 			if (err)
1206 				return err;
1207 
1208 			err = btintel_download_firmware_payload(hdev, fw,
1209 								RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1210 			if (err)
1211 				return err;
1212 		}
1213 	}
1214 	return 0;
1215 }
1216 
1217 static void btintel_reset_to_bootloader(struct hci_dev *hdev)
1218 {
1219 	struct intel_reset params;
1220 	struct sk_buff *skb;
1221 
1222 	/* Send Intel Reset command. This will result in
1223 	 * re-enumeration of BT controller.
1224 	 *
1225 	 * Intel Reset parameter description:
1226 	 * reset_type :   0x00 (Soft reset),
1227 	 *		  0x01 (Hard reset)
1228 	 * patch_enable : 0x00 (Do not enable),
1229 	 *		  0x01 (Enable)
1230 	 * ddc_reload :   0x00 (Do not reload),
1231 	 *		  0x01 (Reload)
1232 	 * boot_option:   0x00 (Current image),
1233 	 *                0x01 (Specified boot address)
1234 	 * boot_param:    Boot address
1235 	 *
1236 	 */
1237 	params.reset_type = 0x01;
1238 	params.patch_enable = 0x01;
1239 	params.ddc_reload = 0x01;
1240 	params.boot_option = 0x00;
1241 	params.boot_param = cpu_to_le32(0x00000000);
1242 
1243 	skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params),
1244 			     &params, HCI_INIT_TIMEOUT);
1245 	if (IS_ERR(skb)) {
1246 		bt_dev_err(hdev, "FW download error recovery failed (%ld)",
1247 			   PTR_ERR(skb));
1248 		return;
1249 	}
1250 	bt_dev_info(hdev, "Intel reset sent to retry FW download");
1251 	kfree_skb(skb);
1252 
1253 	/* Current Intel BT controllers(ThP/JfP) hold the USB reset
1254 	 * lines for 2ms when it receives Intel Reset in bootloader mode.
1255 	 * Whereas, the upcoming Intel BT controllers will hold USB reset
1256 	 * for 150ms. To keep the delay generic, 150ms is chosen here.
1257 	 */
1258 	msleep(150);
1259 }
1260 
1261 static int btintel_read_debug_features(struct hci_dev *hdev,
1262 				       struct intel_debug_features *features)
1263 {
1264 	struct sk_buff *skb;
1265 	u8 page_no = 1;
1266 
1267 	/* Intel controller supports two pages, each page is of 128-bit
1268 	 * feature bit mask. And each bit defines specific feature support
1269 	 */
1270 	skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no,
1271 			     HCI_INIT_TIMEOUT);
1272 	if (IS_ERR(skb)) {
1273 		bt_dev_err(hdev, "Reading supported features failed (%ld)",
1274 			   PTR_ERR(skb));
1275 		return PTR_ERR(skb);
1276 	}
1277 
1278 	if (skb->len != (sizeof(features->page1) + 3)) {
1279 		bt_dev_err(hdev, "Supported features event size mismatch");
1280 		kfree_skb(skb);
1281 		return -EILSEQ;
1282 	}
1283 
1284 	memcpy(features->page1, skb->data + 3, sizeof(features->page1));
1285 
1286 	/* Read the supported features page2 if required in future.
1287 	 */
1288 	kfree_skb(skb);
1289 	return 0;
1290 }
1291 
1292 static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data,
1293 					 void **ret)
1294 {
1295 	acpi_status status;
1296 	size_t len;
1297 	struct btintel_ppag *ppag = data;
1298 	union acpi_object *p, *elements;
1299 	struct acpi_buffer string = {ACPI_ALLOCATE_BUFFER, NULL};
1300 	struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL};
1301 	struct hci_dev *hdev = ppag->hdev;
1302 
1303 	status = acpi_get_name(handle, ACPI_FULL_PATHNAME, &string);
1304 	if (ACPI_FAILURE(status)) {
1305 		bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status));
1306 		return status;
1307 	}
1308 
1309 	len = strlen(string.pointer);
1310 	if (len < strlen(BTINTEL_PPAG_NAME)) {
1311 		kfree(string.pointer);
1312 		return AE_OK;
1313 	}
1314 
1315 	if (strncmp((char *)string.pointer + len - 4, BTINTEL_PPAG_NAME, 4)) {
1316 		kfree(string.pointer);
1317 		return AE_OK;
1318 	}
1319 	kfree(string.pointer);
1320 
1321 	status = acpi_evaluate_object(handle, NULL, NULL, &buffer);
1322 	if (ACPI_FAILURE(status)) {
1323 		ppag->status = status;
1324 		bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status));
1325 		return status;
1326 	}
1327 
1328 	p = buffer.pointer;
1329 	ppag = (struct btintel_ppag *)data;
1330 
1331 	if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
1332 		kfree(buffer.pointer);
1333 		bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d",
1334 			    p->type, p->package.count);
1335 		ppag->status = AE_ERROR;
1336 		return AE_ERROR;
1337 	}
1338 
1339 	elements = p->package.elements;
1340 
1341 	/* PPAG table is located at element[1] */
1342 	p = &elements[1];
1343 
1344 	ppag->domain = (u32)p->package.elements[0].integer.value;
1345 	ppag->mode = (u32)p->package.elements[1].integer.value;
1346 	ppag->status = AE_OK;
1347 	kfree(buffer.pointer);
1348 	return AE_CTRL_TERMINATE;
1349 }
1350 
1351 static int btintel_set_debug_features(struct hci_dev *hdev,
1352 			       const struct intel_debug_features *features)
1353 {
1354 	u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00,
1355 			0x00, 0x00, 0x00 };
1356 	u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 };
1357 	u8 trace_enable = 0x02;
1358 	struct sk_buff *skb;
1359 
1360 	if (!features) {
1361 		bt_dev_warn(hdev, "Debug features not read");
1362 		return -EINVAL;
1363 	}
1364 
1365 	if (!(features->page1[0] & 0x3f)) {
1366 		bt_dev_info(hdev, "Telemetry exception format not supported");
1367 		return 0;
1368 	}
1369 
1370 	skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1371 	if (IS_ERR(skb)) {
1372 		bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1373 			   PTR_ERR(skb));
1374 		return PTR_ERR(skb);
1375 	}
1376 	kfree_skb(skb);
1377 
1378 	skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT);
1379 	if (IS_ERR(skb)) {
1380 		bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)",
1381 			   PTR_ERR(skb));
1382 		return PTR_ERR(skb);
1383 	}
1384 	kfree_skb(skb);
1385 
1386 	skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1387 	if (IS_ERR(skb)) {
1388 		bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)",
1389 			   PTR_ERR(skb));
1390 		return PTR_ERR(skb);
1391 	}
1392 	kfree_skb(skb);
1393 
1394 	bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x",
1395 		    trace_enable, mask[3]);
1396 
1397 	return 0;
1398 }
1399 
1400 static int btintel_reset_debug_features(struct hci_dev *hdev,
1401 				 const struct intel_debug_features *features)
1402 {
1403 	u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
1404 			0x00, 0x00, 0x00 };
1405 	u8 trace_enable = 0x00;
1406 	struct sk_buff *skb;
1407 
1408 	if (!features) {
1409 		bt_dev_warn(hdev, "Debug features not read");
1410 		return -EINVAL;
1411 	}
1412 
1413 	if (!(features->page1[0] & 0x3f)) {
1414 		bt_dev_info(hdev, "Telemetry exception format not supported");
1415 		return 0;
1416 	}
1417 
1418 	/* Should stop the trace before writing ddc event mask. */
1419 	skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1420 	if (IS_ERR(skb)) {
1421 		bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)",
1422 			   PTR_ERR(skb));
1423 		return PTR_ERR(skb);
1424 	}
1425 	kfree_skb(skb);
1426 
1427 	skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1428 	if (IS_ERR(skb)) {
1429 		bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1430 			   PTR_ERR(skb));
1431 		return PTR_ERR(skb);
1432 	}
1433 	kfree_skb(skb);
1434 
1435 	bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x",
1436 		    trace_enable, mask[3]);
1437 
1438 	return 0;
1439 }
1440 
1441 int btintel_set_quality_report(struct hci_dev *hdev, bool enable)
1442 {
1443 	struct intel_debug_features features;
1444 	int err;
1445 
1446 	bt_dev_dbg(hdev, "enable %d", enable);
1447 
1448 	/* Read the Intel supported features and if new exception formats
1449 	 * supported, need to load the additional DDC config to enable.
1450 	 */
1451 	err = btintel_read_debug_features(hdev, &features);
1452 	if (err)
1453 		return err;
1454 
1455 	/* Set or reset the debug features. */
1456 	if (enable)
1457 		err = btintel_set_debug_features(hdev, &features);
1458 	else
1459 		err = btintel_reset_debug_features(hdev, &features);
1460 
1461 	return err;
1462 }
1463 EXPORT_SYMBOL_GPL(btintel_set_quality_report);
1464 
1465 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev,
1466 					       struct intel_version *ver)
1467 {
1468 	const struct firmware *fw;
1469 	char fwname[64];
1470 	int ret;
1471 
1472 	snprintf(fwname, sizeof(fwname),
1473 		 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1474 		 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1475 		 ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
1476 		 ver->fw_build_ww, ver->fw_build_yy);
1477 
1478 	ret = request_firmware(&fw, fwname, &hdev->dev);
1479 	if (ret < 0) {
1480 		if (ret == -EINVAL) {
1481 			bt_dev_err(hdev, "Intel firmware file request failed (%d)",
1482 				   ret);
1483 			return NULL;
1484 		}
1485 
1486 		bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)",
1487 			   fwname, ret);
1488 
1489 		/* If the correct firmware patch file is not found, use the
1490 		 * default firmware patch file instead
1491 		 */
1492 		snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1493 			 ver->hw_platform, ver->hw_variant);
1494 		if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1495 			bt_dev_err(hdev, "failed to open default fw file: %s",
1496 				   fwname);
1497 			return NULL;
1498 		}
1499 	}
1500 
1501 	bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname);
1502 
1503 	return fw;
1504 }
1505 
1506 static int btintel_legacy_rom_patching(struct hci_dev *hdev,
1507 				      const struct firmware *fw,
1508 				      const u8 **fw_ptr, int *disable_patch)
1509 {
1510 	struct sk_buff *skb;
1511 	struct hci_command_hdr *cmd;
1512 	const u8 *cmd_param;
1513 	struct hci_event_hdr *evt = NULL;
1514 	const u8 *evt_param = NULL;
1515 	int remain = fw->size - (*fw_ptr - fw->data);
1516 
1517 	/* The first byte indicates the types of the patch command or event.
1518 	 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1519 	 * in the current firmware buffer doesn't start with 0x01 or
1520 	 * the size of remain buffer is smaller than HCI command header,
1521 	 * the firmware file is corrupted and it should stop the patching
1522 	 * process.
1523 	 */
1524 	if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1525 		bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read");
1526 		return -EINVAL;
1527 	}
1528 	(*fw_ptr)++;
1529 	remain--;
1530 
1531 	cmd = (struct hci_command_hdr *)(*fw_ptr);
1532 	*fw_ptr += sizeof(*cmd);
1533 	remain -= sizeof(*cmd);
1534 
1535 	/* Ensure that the remain firmware data is long enough than the length
1536 	 * of command parameter. If not, the firmware file is corrupted.
1537 	 */
1538 	if (remain < cmd->plen) {
1539 		bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len");
1540 		return -EFAULT;
1541 	}
1542 
1543 	/* If there is a command that loads a patch in the firmware
1544 	 * file, then enable the patch upon success, otherwise just
1545 	 * disable the manufacturer mode, for example patch activation
1546 	 * is not required when the default firmware patch file is used
1547 	 * because there are no patch data to load.
1548 	 */
1549 	if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1550 		*disable_patch = 0;
1551 
1552 	cmd_param = *fw_ptr;
1553 	*fw_ptr += cmd->plen;
1554 	remain -= cmd->plen;
1555 
1556 	/* This reads the expected events when the above command is sent to the
1557 	 * device. Some vendor commands expects more than one events, for
1558 	 * example command status event followed by vendor specific event.
1559 	 * For this case, it only keeps the last expected event. so the command
1560 	 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1561 	 * last expected event.
1562 	 */
1563 	while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1564 		(*fw_ptr)++;
1565 		remain--;
1566 
1567 		evt = (struct hci_event_hdr *)(*fw_ptr);
1568 		*fw_ptr += sizeof(*evt);
1569 		remain -= sizeof(*evt);
1570 
1571 		if (remain < evt->plen) {
1572 			bt_dev_err(hdev, "Intel fw corrupted: invalid evt len");
1573 			return -EFAULT;
1574 		}
1575 
1576 		evt_param = *fw_ptr;
1577 		*fw_ptr += evt->plen;
1578 		remain -= evt->plen;
1579 	}
1580 
1581 	/* Every HCI commands in the firmware file has its correspond event.
1582 	 * If event is not found or remain is smaller than zero, the firmware
1583 	 * file is corrupted.
1584 	 */
1585 	if (!evt || !evt_param || remain < 0) {
1586 		bt_dev_err(hdev, "Intel fw corrupted: invalid evt read");
1587 		return -EFAULT;
1588 	}
1589 
1590 	skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1591 				cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1592 	if (IS_ERR(skb)) {
1593 		bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)",
1594 			   cmd->opcode, PTR_ERR(skb));
1595 		return PTR_ERR(skb);
1596 	}
1597 
1598 	/* It ensures that the returned event matches the event data read from
1599 	 * the firmware file. At fist, it checks the length and then
1600 	 * the contents of the event.
1601 	 */
1602 	if (skb->len != evt->plen) {
1603 		bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)",
1604 			   le16_to_cpu(cmd->opcode));
1605 		kfree_skb(skb);
1606 		return -EFAULT;
1607 	}
1608 
1609 	if (memcmp(skb->data, evt_param, evt->plen)) {
1610 		bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)",
1611 			   le16_to_cpu(cmd->opcode));
1612 		kfree_skb(skb);
1613 		return -EFAULT;
1614 	}
1615 	kfree_skb(skb);
1616 
1617 	return 0;
1618 }
1619 
1620 static int btintel_legacy_rom_setup(struct hci_dev *hdev,
1621 				    struct intel_version *ver)
1622 {
1623 	const struct firmware *fw;
1624 	const u8 *fw_ptr;
1625 	int disable_patch, err;
1626 	struct intel_version new_ver;
1627 
1628 	BT_DBG("%s", hdev->name);
1629 
1630 	/* fw_patch_num indicates the version of patch the device currently
1631 	 * have. If there is no patch data in the device, it is always 0x00.
1632 	 * So, if it is other than 0x00, no need to patch the device again.
1633 	 */
1634 	if (ver->fw_patch_num) {
1635 		bt_dev_info(hdev,
1636 			    "Intel device is already patched. patch num: %02x",
1637 			    ver->fw_patch_num);
1638 		goto complete;
1639 	}
1640 
1641 	/* Opens the firmware patch file based on the firmware version read
1642 	 * from the controller. If it fails to open the matching firmware
1643 	 * patch file, it tries to open the default firmware patch file.
1644 	 * If no patch file is found, allow the device to operate without
1645 	 * a patch.
1646 	 */
1647 	fw = btintel_legacy_rom_get_fw(hdev, ver);
1648 	if (!fw)
1649 		goto complete;
1650 	fw_ptr = fw->data;
1651 
1652 	/* Enable the manufacturer mode of the controller.
1653 	 * Only while this mode is enabled, the driver can download the
1654 	 * firmware patch data and configuration parameters.
1655 	 */
1656 	err = btintel_enter_mfg(hdev);
1657 	if (err) {
1658 		release_firmware(fw);
1659 		return err;
1660 	}
1661 
1662 	disable_patch = 1;
1663 
1664 	/* The firmware data file consists of list of Intel specific HCI
1665 	 * commands and its expected events. The first byte indicates the
1666 	 * type of the message, either HCI command or HCI event.
1667 	 *
1668 	 * It reads the command and its expected event from the firmware file,
1669 	 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1670 	 * the returned event is compared with the event read from the firmware
1671 	 * file and it will continue until all the messages are downloaded to
1672 	 * the controller.
1673 	 *
1674 	 * Once the firmware patching is completed successfully,
1675 	 * the manufacturer mode is disabled with reset and activating the
1676 	 * downloaded patch.
1677 	 *
1678 	 * If the firmware patching fails, the manufacturer mode is
1679 	 * disabled with reset and deactivating the patch.
1680 	 *
1681 	 * If the default patch file is used, no reset is done when disabling
1682 	 * the manufacturer.
1683 	 */
1684 	while (fw->size > fw_ptr - fw->data) {
1685 		int ret;
1686 
1687 		ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr,
1688 						 &disable_patch);
1689 		if (ret < 0)
1690 			goto exit_mfg_deactivate;
1691 	}
1692 
1693 	release_firmware(fw);
1694 
1695 	if (disable_patch)
1696 		goto exit_mfg_disable;
1697 
1698 	/* Patching completed successfully and disable the manufacturer mode
1699 	 * with reset and activate the downloaded firmware patches.
1700 	 */
1701 	err = btintel_exit_mfg(hdev, true, true);
1702 	if (err)
1703 		return err;
1704 
1705 	/* Need build number for downloaded fw patches in
1706 	 * every power-on boot
1707 	 */
1708 	err = btintel_read_version(hdev, &new_ver);
1709 	if (err)
1710 		return err;
1711 
1712 	bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated",
1713 		    new_ver.fw_patch_num);
1714 
1715 	goto complete;
1716 
1717 exit_mfg_disable:
1718 	/* Disable the manufacturer mode without reset */
1719 	err = btintel_exit_mfg(hdev, false, false);
1720 	if (err)
1721 		return err;
1722 
1723 	bt_dev_info(hdev, "Intel firmware patch completed");
1724 
1725 	goto complete;
1726 
1727 exit_mfg_deactivate:
1728 	release_firmware(fw);
1729 
1730 	/* Patching failed. Disable the manufacturer mode with reset and
1731 	 * deactivate the downloaded firmware patches.
1732 	 */
1733 	err = btintel_exit_mfg(hdev, true, false);
1734 	if (err)
1735 		return err;
1736 
1737 	bt_dev_info(hdev, "Intel firmware patch completed and deactivated");
1738 
1739 complete:
1740 	/* Set the event mask for Intel specific vendor events. This enables
1741 	 * a few extra events that are useful during general operation.
1742 	 */
1743 	btintel_set_event_mask_mfg(hdev, false);
1744 
1745 	btintel_check_bdaddr(hdev);
1746 
1747 	return 0;
1748 }
1749 
1750 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1751 {
1752 	ktime_t delta, rettime;
1753 	unsigned long long duration;
1754 	int err;
1755 
1756 	btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1757 
1758 	bt_dev_info(hdev, "Waiting for firmware download to complete");
1759 
1760 	err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING,
1761 					   TASK_INTERRUPTIBLE,
1762 					   msecs_to_jiffies(msec));
1763 	if (err == -EINTR) {
1764 		bt_dev_err(hdev, "Firmware loading interrupted");
1765 		return err;
1766 	}
1767 
1768 	if (err) {
1769 		bt_dev_err(hdev, "Firmware loading timeout");
1770 		return -ETIMEDOUT;
1771 	}
1772 
1773 	if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) {
1774 		bt_dev_err(hdev, "Firmware loading failed");
1775 		return -ENOEXEC;
1776 	}
1777 
1778 	rettime = ktime_get();
1779 	delta = ktime_sub(rettime, calltime);
1780 	duration = (unsigned long long)ktime_to_ns(delta) >> 10;
1781 
1782 	bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration);
1783 
1784 	return 0;
1785 }
1786 
1787 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1788 {
1789 	ktime_t delta, rettime;
1790 	unsigned long long duration;
1791 	int err;
1792 
1793 	bt_dev_info(hdev, "Waiting for device to boot");
1794 
1795 	err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING,
1796 					   TASK_INTERRUPTIBLE,
1797 					   msecs_to_jiffies(msec));
1798 	if (err == -EINTR) {
1799 		bt_dev_err(hdev, "Device boot interrupted");
1800 		return -EINTR;
1801 	}
1802 
1803 	if (err) {
1804 		bt_dev_err(hdev, "Device boot timeout");
1805 		return -ETIMEDOUT;
1806 	}
1807 
1808 	rettime = ktime_get();
1809 	delta = ktime_sub(rettime, calltime);
1810 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
1811 
1812 	bt_dev_info(hdev, "Device booted in %llu usecs", duration);
1813 
1814 	return 0;
1815 }
1816 
1817 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr)
1818 {
1819 	ktime_t calltime;
1820 	int err;
1821 
1822 	calltime = ktime_get();
1823 
1824 	btintel_set_flag(hdev, INTEL_BOOTING);
1825 
1826 	err = btintel_send_intel_reset(hdev, boot_addr);
1827 	if (err) {
1828 		bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err);
1829 		btintel_reset_to_bootloader(hdev);
1830 		return err;
1831 	}
1832 
1833 	/* The bootloader will not indicate when the device is ready. This
1834 	 * is done by the operational firmware sending bootup notification.
1835 	 *
1836 	 * Booting into operational firmware should not take longer than
1837 	 * 1 second. However if that happens, then just fail the setup
1838 	 * since something went wrong.
1839 	 */
1840 	err = btintel_boot_wait(hdev, calltime, 1000);
1841 	if (err == -ETIMEDOUT)
1842 		btintel_reset_to_bootloader(hdev);
1843 
1844 	return err;
1845 }
1846 
1847 static int btintel_get_fw_name(struct intel_version *ver,
1848 					     struct intel_boot_params *params,
1849 					     char *fw_name, size_t len,
1850 					     const char *suffix)
1851 {
1852 	switch (ver->hw_variant) {
1853 	case 0x0b:	/* SfP */
1854 	case 0x0c:	/* WsP */
1855 		snprintf(fw_name, len, "intel/ibt-%u-%u.%s",
1856 			 ver->hw_variant,
1857 			 le16_to_cpu(params->dev_revid),
1858 			 suffix);
1859 		break;
1860 	case 0x11:	/* JfP */
1861 	case 0x12:	/* ThP */
1862 	case 0x13:	/* HrP */
1863 	case 0x14:	/* CcP */
1864 		snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s",
1865 			 ver->hw_variant,
1866 			 ver->hw_revision,
1867 			 ver->fw_revision,
1868 			 suffix);
1869 		break;
1870 	default:
1871 		return -EINVAL;
1872 	}
1873 
1874 	return 0;
1875 }
1876 
1877 static int btintel_download_fw(struct hci_dev *hdev,
1878 					 struct intel_version *ver,
1879 					 struct intel_boot_params *params,
1880 					 u32 *boot_param)
1881 {
1882 	const struct firmware *fw;
1883 	char fwname[64];
1884 	int err;
1885 	ktime_t calltime;
1886 
1887 	if (!ver || !params)
1888 		return -EINVAL;
1889 
1890 	/* The firmware variant determines if the device is in bootloader
1891 	 * mode or is running operational firmware. The value 0x06 identifies
1892 	 * the bootloader and the value 0x23 identifies the operational
1893 	 * firmware.
1894 	 *
1895 	 * When the operational firmware is already present, then only
1896 	 * the check for valid Bluetooth device address is needed. This
1897 	 * determines if the device will be added as configured or
1898 	 * unconfigured controller.
1899 	 *
1900 	 * It is not possible to use the Secure Boot Parameters in this
1901 	 * case since that command is only available in bootloader mode.
1902 	 */
1903 	if (ver->fw_variant == 0x23) {
1904 		btintel_clear_flag(hdev, INTEL_BOOTLOADER);
1905 		btintel_check_bdaddr(hdev);
1906 
1907 		/* SfP and WsP don't seem to update the firmware version on file
1908 		 * so version checking is currently possible.
1909 		 */
1910 		switch (ver->hw_variant) {
1911 		case 0x0b:	/* SfP */
1912 		case 0x0c:	/* WsP */
1913 			return 0;
1914 		}
1915 
1916 		/* Proceed to download to check if the version matches */
1917 		goto download;
1918 	}
1919 
1920 	/* Read the secure boot parameters to identify the operating
1921 	 * details of the bootloader.
1922 	 */
1923 	err = btintel_read_boot_params(hdev, params);
1924 	if (err)
1925 		return err;
1926 
1927 	/* It is required that every single firmware fragment is acknowledged
1928 	 * with a command complete event. If the boot parameters indicate
1929 	 * that this bootloader does not send them, then abort the setup.
1930 	 */
1931 	if (params->limited_cce != 0x00) {
1932 		bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)",
1933 			   params->limited_cce);
1934 		return -EINVAL;
1935 	}
1936 
1937 	/* If the OTP has no valid Bluetooth device address, then there will
1938 	 * also be no valid address for the operational firmware.
1939 	 */
1940 	if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {
1941 		bt_dev_info(hdev, "No device address configured");
1942 		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1943 	}
1944 
1945 download:
1946 	/* With this Intel bootloader only the hardware variant and device
1947 	 * revision information are used to select the right firmware for SfP
1948 	 * and WsP.
1949 	 *
1950 	 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi.
1951 	 *
1952 	 * Currently the supported hardware variants are:
1953 	 *   11 (0x0b) for iBT3.0 (LnP/SfP)
1954 	 *   12 (0x0c) for iBT3.5 (WsP)
1955 	 *
1956 	 * For ThP/JfP and for future SKU's, the FW name varies based on HW
1957 	 * variant, HW revision and FW revision, as these are dependent on CNVi
1958 	 * and RF Combination.
1959 	 *
1960 	 *   17 (0x11) for iBT3.5 (JfP)
1961 	 *   18 (0x12) for iBT3.5 (ThP)
1962 	 *
1963 	 * The firmware file name for these will be
1964 	 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi.
1965 	 *
1966 	 */
1967 	err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi");
1968 	if (err < 0) {
1969 		if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
1970 			/* Firmware has already been loaded */
1971 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1972 			return 0;
1973 		}
1974 
1975 		bt_dev_err(hdev, "Unsupported Intel firmware naming");
1976 		return -EINVAL;
1977 	}
1978 
1979 	err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
1980 	if (err < 0) {
1981 		if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
1982 			/* Firmware has already been loaded */
1983 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1984 			return 0;
1985 		}
1986 
1987 		bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
1988 			   fwname, err);
1989 		return err;
1990 	}
1991 
1992 	bt_dev_info(hdev, "Found device firmware: %s", fwname);
1993 
1994 	if (fw->size < 644) {
1995 		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
1996 			   fw->size);
1997 		err = -EBADF;
1998 		goto done;
1999 	}
2000 
2001 	calltime = ktime_get();
2002 
2003 	btintel_set_flag(hdev, INTEL_DOWNLOADING);
2004 
2005 	/* Start firmware downloading and get boot parameter */
2006 	err = btintel_download_firmware(hdev, ver, fw, boot_param);
2007 	if (err < 0) {
2008 		if (err == -EALREADY) {
2009 			/* Firmware has already been loaded */
2010 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2011 			err = 0;
2012 			goto done;
2013 		}
2014 
2015 		/* When FW download fails, send Intel Reset to retry
2016 		 * FW download.
2017 		 */
2018 		btintel_reset_to_bootloader(hdev);
2019 		goto done;
2020 	}
2021 
2022 	/* Before switching the device into operational mode and with that
2023 	 * booting the loaded firmware, wait for the bootloader notification
2024 	 * that all fragments have been successfully received.
2025 	 *
2026 	 * When the event processing receives the notification, then the
2027 	 * INTEL_DOWNLOADING flag will be cleared.
2028 	 *
2029 	 * The firmware loading should not take longer than 5 seconds
2030 	 * and thus just timeout if that happens and fail the setup
2031 	 * of this device.
2032 	 */
2033 	err = btintel_download_wait(hdev, calltime, 5000);
2034 	if (err == -ETIMEDOUT)
2035 		btintel_reset_to_bootloader(hdev);
2036 
2037 done:
2038 	release_firmware(fw);
2039 	return err;
2040 }
2041 
2042 static int btintel_bootloader_setup(struct hci_dev *hdev,
2043 				    struct intel_version *ver)
2044 {
2045 	struct intel_version new_ver;
2046 	struct intel_boot_params params;
2047 	u32 boot_param;
2048 	char ddcname[64];
2049 	int err;
2050 
2051 	BT_DBG("%s", hdev->name);
2052 
2053 	/* Set the default boot parameter to 0x0 and it is updated to
2054 	 * SKU specific boot parameter after reading Intel_Write_Boot_Params
2055 	 * command while downloading the firmware.
2056 	 */
2057 	boot_param = 0x00000000;
2058 
2059 	btintel_set_flag(hdev, INTEL_BOOTLOADER);
2060 
2061 	err = btintel_download_fw(hdev, ver, &params, &boot_param);
2062 	if (err)
2063 		return err;
2064 
2065 	/* controller is already having an operational firmware */
2066 	if (ver->fw_variant == 0x23)
2067 		goto finish;
2068 
2069 	err = btintel_boot(hdev, boot_param);
2070 	if (err)
2071 		return err;
2072 
2073 	btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2074 
2075 	err = btintel_get_fw_name(ver, &params, ddcname,
2076 						sizeof(ddcname), "ddc");
2077 
2078 	if (err < 0) {
2079 		bt_dev_err(hdev, "Unsupported Intel firmware naming");
2080 	} else {
2081 		/* Once the device is running in operational mode, it needs to
2082 		 * apply the device configuration (DDC) parameters.
2083 		 *
2084 		 * The device can work without DDC parameters, so even if it
2085 		 * fails to load the file, no need to fail the setup.
2086 		 */
2087 		btintel_load_ddc_config(hdev, ddcname);
2088 	}
2089 
2090 	hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
2091 
2092 	/* Read the Intel version information after loading the FW  */
2093 	err = btintel_read_version(hdev, &new_ver);
2094 	if (err)
2095 		return err;
2096 
2097 	btintel_version_info(hdev, &new_ver);
2098 
2099 finish:
2100 	/* Set the event mask for Intel specific vendor events. This enables
2101 	 * a few extra events that are useful during general operation. It
2102 	 * does not enable any debugging related events.
2103 	 *
2104 	 * The device will function correctly without these events enabled
2105 	 * and thus no need to fail the setup.
2106 	 */
2107 	btintel_set_event_mask(hdev, false);
2108 
2109 	return 0;
2110 }
2111 
2112 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver,
2113 				    char *fw_name, size_t len,
2114 				    const char *suffix)
2115 {
2116 	/* The firmware file name for new generation controllers will be
2117 	 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step>
2118 	 */
2119 	snprintf(fw_name, len, "intel/ibt-%04x-%04x.%s",
2120 		 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top),
2121 					  INTEL_CNVX_TOP_STEP(ver->cnvi_top)),
2122 		 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top),
2123 					  INTEL_CNVX_TOP_STEP(ver->cnvr_top)),
2124 		 suffix);
2125 }
2126 
2127 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev,
2128 					   struct intel_version_tlv *ver,
2129 					   u32 *boot_param)
2130 {
2131 	const struct firmware *fw;
2132 	char fwname[64];
2133 	int err;
2134 	ktime_t calltime;
2135 
2136 	if (!ver || !boot_param)
2137 		return -EINVAL;
2138 
2139 	/* The firmware variant determines if the device is in bootloader
2140 	 * mode or is running operational firmware. The value 0x03 identifies
2141 	 * the bootloader and the value 0x23 identifies the operational
2142 	 * firmware.
2143 	 *
2144 	 * When the operational firmware is already present, then only
2145 	 * the check for valid Bluetooth device address is needed. This
2146 	 * determines if the device will be added as configured or
2147 	 * unconfigured controller.
2148 	 *
2149 	 * It is not possible to use the Secure Boot Parameters in this
2150 	 * case since that command is only available in bootloader mode.
2151 	 */
2152 	if (ver->img_type == 0x03) {
2153 		btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2154 		btintel_check_bdaddr(hdev);
2155 	} else {
2156 		/*
2157 		 * Check for valid bd address in boot loader mode. Device
2158 		 * will be marked as unconfigured if empty bd address is
2159 		 * found.
2160 		 */
2161 		if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) {
2162 			bt_dev_info(hdev, "No device address configured");
2163 			set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2164 		}
2165 	}
2166 
2167 	btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi");
2168 	err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
2169 	if (err < 0) {
2170 		if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2171 			/* Firmware has already been loaded */
2172 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2173 			return 0;
2174 		}
2175 
2176 		bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
2177 			   fwname, err);
2178 
2179 		return err;
2180 	}
2181 
2182 	bt_dev_info(hdev, "Found device firmware: %s", fwname);
2183 
2184 	if (fw->size < 644) {
2185 		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
2186 			   fw->size);
2187 		err = -EBADF;
2188 		goto done;
2189 	}
2190 
2191 	calltime = ktime_get();
2192 
2193 	btintel_set_flag(hdev, INTEL_DOWNLOADING);
2194 
2195 	/* Start firmware downloading and get boot parameter */
2196 	err = btintel_download_fw_tlv(hdev, ver, fw, boot_param,
2197 					       INTEL_HW_VARIANT(ver->cnvi_bt),
2198 					       ver->sbe_type);
2199 	if (err < 0) {
2200 		if (err == -EALREADY) {
2201 			/* Firmware has already been loaded */
2202 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2203 			err = 0;
2204 			goto done;
2205 		}
2206 
2207 		/* When FW download fails, send Intel Reset to retry
2208 		 * FW download.
2209 		 */
2210 		btintel_reset_to_bootloader(hdev);
2211 		goto done;
2212 	}
2213 
2214 	/* Before switching the device into operational mode and with that
2215 	 * booting the loaded firmware, wait for the bootloader notification
2216 	 * that all fragments have been successfully received.
2217 	 *
2218 	 * When the event processing receives the notification, then the
2219 	 * BTUSB_DOWNLOADING flag will be cleared.
2220 	 *
2221 	 * The firmware loading should not take longer than 5 seconds
2222 	 * and thus just timeout if that happens and fail the setup
2223 	 * of this device.
2224 	 */
2225 	err = btintel_download_wait(hdev, calltime, 5000);
2226 	if (err == -ETIMEDOUT)
2227 		btintel_reset_to_bootloader(hdev);
2228 
2229 done:
2230 	release_firmware(fw);
2231 	return err;
2232 }
2233 
2234 static int btintel_get_codec_config_data(struct hci_dev *hdev,
2235 					 __u8 link, struct bt_codec *codec,
2236 					 __u8 *ven_len, __u8 **ven_data)
2237 {
2238 	int err = 0;
2239 
2240 	if (!ven_data || !ven_len)
2241 		return -EINVAL;
2242 
2243 	*ven_len = 0;
2244 	*ven_data = NULL;
2245 
2246 	if (link != ESCO_LINK) {
2247 		bt_dev_err(hdev, "Invalid link type(%u)", link);
2248 		return -EINVAL;
2249 	}
2250 
2251 	*ven_data = kmalloc(sizeof(__u8), GFP_KERNEL);
2252 	if (!*ven_data) {
2253 		err = -ENOMEM;
2254 		goto error;
2255 	}
2256 
2257 	/* supports only CVSD and mSBC offload codecs */
2258 	switch (codec->id) {
2259 	case 0x02:
2260 		**ven_data = 0x00;
2261 		break;
2262 	case 0x05:
2263 		**ven_data = 0x01;
2264 		break;
2265 	default:
2266 		err = -EINVAL;
2267 		bt_dev_err(hdev, "Invalid codec id(%u)", codec->id);
2268 		goto error;
2269 	}
2270 	/* codec and its capabilities are pre-defined to ids
2271 	 * preset id = 0x00 represents CVSD codec with sampling rate 8K
2272 	 * preset id = 0x01 represents mSBC codec with sampling rate 16K
2273 	 */
2274 	*ven_len = sizeof(__u8);
2275 	return err;
2276 
2277 error:
2278 	kfree(*ven_data);
2279 	*ven_data = NULL;
2280 	return err;
2281 }
2282 
2283 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id)
2284 {
2285 	/* Intel uses 1 as data path id for all the usecases */
2286 	*data_path_id = 1;
2287 	return 0;
2288 }
2289 
2290 static int btintel_configure_offload(struct hci_dev *hdev)
2291 {
2292 	struct sk_buff *skb;
2293 	int err = 0;
2294 	struct intel_offload_use_cases *use_cases;
2295 
2296 	skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT);
2297 	if (IS_ERR(skb)) {
2298 		bt_dev_err(hdev, "Reading offload use cases failed (%ld)",
2299 			   PTR_ERR(skb));
2300 		return PTR_ERR(skb);
2301 	}
2302 
2303 	if (skb->len < sizeof(*use_cases)) {
2304 		err = -EIO;
2305 		goto error;
2306 	}
2307 
2308 	use_cases = (void *)skb->data;
2309 
2310 	if (use_cases->status) {
2311 		err = -bt_to_errno(skb->data[0]);
2312 		goto error;
2313 	}
2314 
2315 	if (use_cases->preset[0] & 0x03) {
2316 		hdev->get_data_path_id = btintel_get_data_path_id;
2317 		hdev->get_codec_config_data = btintel_get_codec_config_data;
2318 	}
2319 error:
2320 	kfree_skb(skb);
2321 	return err;
2322 }
2323 
2324 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver)
2325 {
2326 	struct btintel_ppag ppag;
2327 	struct sk_buff *skb;
2328 	struct btintel_loc_aware_reg ppag_cmd;
2329 	acpi_handle handle;
2330 
2331 	/* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */
2332 	switch (ver->cnvr_top & 0xFFF) {
2333 	case 0x504:     /* Hrp2 */
2334 	case 0x202:     /* Jfp2 */
2335 	case 0x201:     /* Jfp1 */
2336 		return;
2337 	}
2338 
2339 	handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2340 	if (!handle) {
2341 		bt_dev_info(hdev, "No support for BT device in ACPI firmware");
2342 		return;
2343 	}
2344 
2345 	memset(&ppag, 0, sizeof(ppag));
2346 
2347 	ppag.hdev = hdev;
2348 	ppag.status = AE_NOT_FOUND;
2349 	acpi_walk_namespace(ACPI_TYPE_PACKAGE, handle, 1, NULL,
2350 			    btintel_ppag_callback, &ppag, NULL);
2351 
2352 	if (ACPI_FAILURE(ppag.status)) {
2353 		if (ppag.status == AE_NOT_FOUND) {
2354 			bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found");
2355 			return;
2356 		}
2357 		return;
2358 	}
2359 
2360 	if (ppag.domain != 0x12) {
2361 		bt_dev_warn(hdev, "PPAG-BT: domain is not bluetooth");
2362 		return;
2363 	}
2364 
2365 	/* PPAG mode, BIT0 = 0 Disabled, BIT0 = 1 Enabled */
2366 	if (!(ppag.mode & BIT(0))) {
2367 		bt_dev_dbg(hdev, "PPAG-BT: disabled");
2368 		return;
2369 	}
2370 
2371 	ppag_cmd.mcc = cpu_to_le32(0);
2372 	ppag_cmd.sel = cpu_to_le32(0); /* 0 - Enable , 1 - Disable, 2 - Testing mode */
2373 	ppag_cmd.delta = cpu_to_le32(0);
2374 	skb = __hci_cmd_sync(hdev, 0xfe19, sizeof(ppag_cmd), &ppag_cmd, HCI_CMD_TIMEOUT);
2375 	if (IS_ERR(skb)) {
2376 		bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb));
2377 		return;
2378 	}
2379 	kfree_skb(skb);
2380 }
2381 
2382 static int btintel_bootloader_setup_tlv(struct hci_dev *hdev,
2383 					struct intel_version_tlv *ver)
2384 {
2385 	u32 boot_param;
2386 	char ddcname[64];
2387 	int err;
2388 	struct intel_version_tlv new_ver;
2389 
2390 	bt_dev_dbg(hdev, "");
2391 
2392 	/* Set the default boot parameter to 0x0 and it is updated to
2393 	 * SKU specific boot parameter after reading Intel_Write_Boot_Params
2394 	 * command while downloading the firmware.
2395 	 */
2396 	boot_param = 0x00000000;
2397 
2398 	btintel_set_flag(hdev, INTEL_BOOTLOADER);
2399 
2400 	err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param);
2401 	if (err)
2402 		return err;
2403 
2404 	/* check if controller is already having an operational firmware */
2405 	if (ver->img_type == 0x03)
2406 		goto finish;
2407 
2408 	err = btintel_boot(hdev, boot_param);
2409 	if (err)
2410 		return err;
2411 
2412 	btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2413 
2414 	btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc");
2415 	/* Once the device is running in operational mode, it needs to
2416 	 * apply the device configuration (DDC) parameters.
2417 	 *
2418 	 * The device can work without DDC parameters, so even if it
2419 	 * fails to load the file, no need to fail the setup.
2420 	 */
2421 	btintel_load_ddc_config(hdev, ddcname);
2422 
2423 	/* Read supported use cases and set callbacks to fetch datapath id */
2424 	btintel_configure_offload(hdev);
2425 
2426 	hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
2427 
2428 	/* Set PPAG feature */
2429 	btintel_set_ppag(hdev, ver);
2430 
2431 	/* Read the Intel version information after loading the FW  */
2432 	err = btintel_read_version_tlv(hdev, &new_ver);
2433 	if (err)
2434 		return err;
2435 
2436 	btintel_version_info_tlv(hdev, &new_ver);
2437 
2438 finish:
2439 	/* Set the event mask for Intel specific vendor events. This enables
2440 	 * a few extra events that are useful during general operation. It
2441 	 * does not enable any debugging related events.
2442 	 *
2443 	 * The device will function correctly without these events enabled
2444 	 * and thus no need to fail the setup.
2445 	 */
2446 	btintel_set_event_mask(hdev, false);
2447 
2448 	return 0;
2449 }
2450 
2451 static void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant)
2452 {
2453 	switch (hw_variant) {
2454 	/* Legacy bootloader devices that supports MSFT Extension */
2455 	case 0x11:	/* JfP */
2456 	case 0x12:	/* ThP */
2457 	case 0x13:	/* HrP */
2458 	case 0x14:	/* CcP */
2459 	/* All Intel new genration controllers support the Microsoft vendor
2460 	 * extension are using 0xFC1E for VsMsftOpCode.
2461 	 */
2462 	case 0x17:
2463 	case 0x18:
2464 	case 0x19:
2465 	case 0x1b:
2466 		hci_set_msft_opcode(hdev, 0xFC1E);
2467 		break;
2468 	default:
2469 		/* Not supported */
2470 		break;
2471 	}
2472 }
2473 
2474 static int btintel_setup_combined(struct hci_dev *hdev)
2475 {
2476 	const u8 param[1] = { 0xFF };
2477 	struct intel_version ver;
2478 	struct intel_version_tlv ver_tlv;
2479 	struct sk_buff *skb;
2480 	int err;
2481 
2482 	BT_DBG("%s", hdev->name);
2483 
2484 	/* The some controllers have a bug with the first HCI command sent to it
2485 	 * returning number of completed commands as zero. This would stall the
2486 	 * command processing in the Bluetooth core.
2487 	 *
2488 	 * As a workaround, send HCI Reset command first which will reset the
2489 	 * number of completed commands and allow normal command processing
2490 	 * from now on.
2491 	 *
2492 	 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe
2493 	 * in the SW_RFKILL ON state as a workaround of fixing LED issue during
2494 	 * the shutdown() procedure, and once the device is in SW_RFKILL ON
2495 	 * state, the only way to exit out of it is sending the HCI_Reset
2496 	 * command.
2497 	 */
2498 	if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) ||
2499 	    btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
2500 		skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
2501 				     HCI_INIT_TIMEOUT);
2502 		if (IS_ERR(skb)) {
2503 			bt_dev_err(hdev,
2504 				   "sending initial HCI reset failed (%ld)",
2505 				   PTR_ERR(skb));
2506 			return PTR_ERR(skb);
2507 		}
2508 		kfree_skb(skb);
2509 	}
2510 
2511 	/* Starting from TyP device, the command parameter and response are
2512 	 * changed even though the OCF for HCI_Intel_Read_Version command
2513 	 * remains same. The legacy devices can handle even if the
2514 	 * command has a parameter and returns a correct version information.
2515 	 * So, it uses new format to support both legacy and new format.
2516 	 */
2517 	skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
2518 	if (IS_ERR(skb)) {
2519 		bt_dev_err(hdev, "Reading Intel version command failed (%ld)",
2520 			   PTR_ERR(skb));
2521 		return PTR_ERR(skb);
2522 	}
2523 
2524 	/* Check the status */
2525 	if (skb->data[0]) {
2526 		bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
2527 			   skb->data[0]);
2528 		err = -EIO;
2529 		goto exit_error;
2530 	}
2531 
2532 	/* Apply the common HCI quirks for Intel device */
2533 	set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2534 	set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
2535 	set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
2536 
2537 	/* Set up the quality report callback for Intel devices */
2538 	hdev->set_quality_report = btintel_set_quality_report;
2539 
2540 	/* For Legacy device, check the HW platform value and size */
2541 	if (skb->len == sizeof(ver) && skb->data[1] == 0x37) {
2542 		bt_dev_dbg(hdev, "Read the legacy Intel version information");
2543 
2544 		memcpy(&ver, skb->data, sizeof(ver));
2545 
2546 		/* Display version information */
2547 		btintel_version_info(hdev, &ver);
2548 
2549 		/* Check for supported iBT hardware variants of this firmware
2550 		 * loading method.
2551 		 *
2552 		 * This check has been put in place to ensure correct forward
2553 		 * compatibility options when newer hardware variants come
2554 		 * along.
2555 		 */
2556 		switch (ver.hw_variant) {
2557 		case 0x07:	/* WP */
2558 		case 0x08:	/* StP */
2559 			/* Legacy ROM product */
2560 			btintel_set_flag(hdev, INTEL_ROM_LEGACY);
2561 
2562 			/* Apply the device specific HCI quirks
2563 			 *
2564 			 * WBS for SdP - For the Legacy ROM products, only SdP
2565 			 * supports the WBS. But the version information is not
2566 			 * enough to use here because the StP2 and SdP have same
2567 			 * hw_variant and fw_variant. So, this flag is set by
2568 			 * the transport driver (btusb) based on the HW info
2569 			 * (idProduct)
2570 			 */
2571 			if (!btintel_test_flag(hdev,
2572 					       INTEL_ROM_LEGACY_NO_WBS_SUPPORT))
2573 				set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
2574 					&hdev->quirks);
2575 			if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22)
2576 				set_bit(HCI_QUIRK_VALID_LE_STATES,
2577 					&hdev->quirks);
2578 
2579 			err = btintel_legacy_rom_setup(hdev, &ver);
2580 			break;
2581 		case 0x0b:      /* SfP */
2582 		case 0x11:      /* JfP */
2583 		case 0x12:      /* ThP */
2584 		case 0x13:      /* HrP */
2585 		case 0x14:      /* CcP */
2586 			set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
2587 			fallthrough;
2588 		case 0x0c:	/* WsP */
2589 			/* Apply the device specific HCI quirks
2590 			 *
2591 			 * All Legacy bootloader devices support WBS
2592 			 */
2593 			set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
2594 				&hdev->quirks);
2595 
2596 			/* Setup MSFT Extension support */
2597 			btintel_set_msft_opcode(hdev, ver.hw_variant);
2598 
2599 			err = btintel_bootloader_setup(hdev, &ver);
2600 			break;
2601 		default:
2602 			bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
2603 				   ver.hw_variant);
2604 			err = -EINVAL;
2605 		}
2606 
2607 		goto exit_error;
2608 	}
2609 
2610 	/* memset ver_tlv to start with clean state as few fields are exclusive
2611 	 * to bootloader mode and are not populated in operational mode
2612 	 */
2613 	memset(&ver_tlv, 0, sizeof(ver_tlv));
2614 	/* For TLV type device, parse the tlv data */
2615 	err = btintel_parse_version_tlv(hdev, &ver_tlv, skb);
2616 	if (err) {
2617 		bt_dev_err(hdev, "Failed to parse TLV version information");
2618 		goto exit_error;
2619 	}
2620 
2621 	if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) {
2622 		bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
2623 			   INTEL_HW_PLATFORM(ver_tlv.cnvi_bt));
2624 		err = -EINVAL;
2625 		goto exit_error;
2626 	}
2627 
2628 	/* Check for supported iBT hardware variants of this firmware
2629 	 * loading method.
2630 	 *
2631 	 * This check has been put in place to ensure correct forward
2632 	 * compatibility options when newer hardware variants come
2633 	 * along.
2634 	 */
2635 	switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) {
2636 	case 0x11:      /* JfP */
2637 	case 0x12:      /* ThP */
2638 	case 0x13:      /* HrP */
2639 	case 0x14:      /* CcP */
2640 		/* Some legacy bootloader devices starting from JfP,
2641 		 * the operational firmware supports both old and TLV based
2642 		 * HCI_Intel_Read_Version command based on the command
2643 		 * parameter.
2644 		 *
2645 		 * For upgrading firmware case, the TLV based version cannot
2646 		 * be used because the firmware filename for legacy bootloader
2647 		 * is based on the old format.
2648 		 *
2649 		 * Also, it is not easy to convert TLV based version from the
2650 		 * legacy version format.
2651 		 *
2652 		 * So, as a workaround for those devices, use the legacy
2653 		 * HCI_Intel_Read_Version to get the version information and
2654 		 * run the legacy bootloader setup.
2655 		 */
2656 		err = btintel_read_version(hdev, &ver);
2657 		if (err)
2658 			break;
2659 
2660 		/* Apply the device specific HCI quirks
2661 		 *
2662 		 * All Legacy bootloader devices support WBS
2663 		 */
2664 		set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
2665 
2666 		/* Set Valid LE States quirk */
2667 		set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
2668 
2669 		/* Setup MSFT Extension support */
2670 		btintel_set_msft_opcode(hdev, ver.hw_variant);
2671 
2672 		err = btintel_bootloader_setup(hdev, &ver);
2673 		break;
2674 	case 0x17:
2675 	case 0x18:
2676 	case 0x19:
2677 	case 0x1b:
2678 		/* Display version information of TLV type */
2679 		btintel_version_info_tlv(hdev, &ver_tlv);
2680 
2681 		/* Apply the device specific HCI quirks for TLV based devices
2682 		 *
2683 		 * All TLV based devices support WBS
2684 		 */
2685 		set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
2686 
2687 		/* Valid LE States quirk for GfP */
2688 		if (INTEL_HW_VARIANT(ver_tlv.cnvi_bt) == 0x18)
2689 			set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
2690 
2691 		/* Setup MSFT Extension support */
2692 		btintel_set_msft_opcode(hdev,
2693 					INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
2694 
2695 		err = btintel_bootloader_setup_tlv(hdev, &ver_tlv);
2696 		break;
2697 	default:
2698 		bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
2699 			   INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
2700 		err = -EINVAL;
2701 		break;
2702 	}
2703 
2704 exit_error:
2705 	kfree_skb(skb);
2706 
2707 	return err;
2708 }
2709 
2710 static int btintel_shutdown_combined(struct hci_dev *hdev)
2711 {
2712 	struct sk_buff *skb;
2713 	int ret;
2714 
2715 	/* Send HCI Reset to the controller to stop any BT activity which
2716 	 * were triggered. This will help to save power and maintain the
2717 	 * sync b/w Host and controller
2718 	 */
2719 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
2720 	if (IS_ERR(skb)) {
2721 		bt_dev_err(hdev, "HCI reset during shutdown failed");
2722 		return PTR_ERR(skb);
2723 	}
2724 	kfree_skb(skb);
2725 
2726 
2727 	/* Some platforms have an issue with BT LED when the interface is
2728 	 * down or BT radio is turned off, which takes 5 seconds to BT LED
2729 	 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the
2730 	 * device in the RFKILL ON state which turns off the BT LED immediately.
2731 	 */
2732 	if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
2733 		skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
2734 		if (IS_ERR(skb)) {
2735 			ret = PTR_ERR(skb);
2736 			bt_dev_err(hdev, "turning off Intel device LED failed");
2737 			return ret;
2738 		}
2739 		kfree_skb(skb);
2740 	}
2741 
2742 	return 0;
2743 }
2744 
2745 int btintel_configure_setup(struct hci_dev *hdev)
2746 {
2747 	hdev->manufacturer = 2;
2748 	hdev->setup = btintel_setup_combined;
2749 	hdev->shutdown = btintel_shutdown_combined;
2750 	hdev->hw_error = btintel_hw_error;
2751 	hdev->set_diag = btintel_set_diag_combined;
2752 	hdev->set_bdaddr = btintel_set_bdaddr;
2753 
2754 	return 0;
2755 }
2756 EXPORT_SYMBOL_GPL(btintel_configure_setup);
2757 
2758 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len)
2759 {
2760 	const struct intel_bootup *evt = ptr;
2761 
2762 	if (len != sizeof(*evt))
2763 		return;
2764 
2765 	if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING))
2766 		btintel_wake_up_flag(hdev, INTEL_BOOTING);
2767 }
2768 EXPORT_SYMBOL_GPL(btintel_bootup);
2769 
2770 void btintel_secure_send_result(struct hci_dev *hdev,
2771 				const void *ptr, unsigned int len)
2772 {
2773 	const struct intel_secure_send_result *evt = ptr;
2774 
2775 	if (len != sizeof(*evt))
2776 		return;
2777 
2778 	if (evt->result)
2779 		btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED);
2780 
2781 	if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) &&
2782 	    btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED))
2783 		btintel_wake_up_flag(hdev, INTEL_DOWNLOADING);
2784 }
2785 EXPORT_SYMBOL_GPL(btintel_secure_send_result);
2786 
2787 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2788 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
2789 MODULE_VERSION(VERSION);
2790 MODULE_LICENSE("GPL");
2791 MODULE_FIRMWARE("intel/ibt-11-5.sfi");
2792 MODULE_FIRMWARE("intel/ibt-11-5.ddc");
2793 MODULE_FIRMWARE("intel/ibt-12-16.sfi");
2794 MODULE_FIRMWARE("intel/ibt-12-16.ddc");
2795