1 /* 2 * 3 * Bluetooth HCI UART driver for Intel devices 4 * 5 * Copyright (C) 2015 Intel Corporation 6 * 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 */ 23 24 #include <linux/kernel.h> 25 #include <linux/errno.h> 26 #include <linux/skbuff.h> 27 #include <linux/firmware.h> 28 #include <linux/wait.h> 29 30 #include <net/bluetooth/bluetooth.h> 31 #include <net/bluetooth/hci_core.h> 32 33 #include "hci_uart.h" 34 #include "btintel.h" 35 36 #define STATE_BOOTLOADER 0 37 #define STATE_DOWNLOADING 1 38 #define STATE_FIRMWARE_LOADED 2 39 #define STATE_FIRMWARE_FAILED 3 40 #define STATE_BOOTING 4 41 42 struct intel_data { 43 struct sk_buff *rx_skb; 44 struct sk_buff_head txq; 45 unsigned long flags; 46 }; 47 48 static int intel_open(struct hci_uart *hu) 49 { 50 struct intel_data *intel; 51 52 BT_DBG("hu %p", hu); 53 54 intel = kzalloc(sizeof(*intel), GFP_KERNEL); 55 if (!intel) 56 return -ENOMEM; 57 58 skb_queue_head_init(&intel->txq); 59 60 hu->priv = intel; 61 return 0; 62 } 63 64 static int intel_close(struct hci_uart *hu) 65 { 66 struct intel_data *intel = hu->priv; 67 68 BT_DBG("hu %p", hu); 69 70 skb_queue_purge(&intel->txq); 71 kfree_skb(intel->rx_skb); 72 kfree(intel); 73 74 hu->priv = NULL; 75 return 0; 76 } 77 78 static int intel_flush(struct hci_uart *hu) 79 { 80 struct intel_data *intel = hu->priv; 81 82 BT_DBG("hu %p", hu); 83 84 skb_queue_purge(&intel->txq); 85 86 return 0; 87 } 88 89 static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode) 90 { 91 struct sk_buff *skb; 92 struct hci_event_hdr *hdr; 93 struct hci_ev_cmd_complete *evt; 94 95 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC); 96 if (!skb) 97 return -ENOMEM; 98 99 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr)); 100 hdr->evt = HCI_EV_CMD_COMPLETE; 101 hdr->plen = sizeof(*evt) + 1; 102 103 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt)); 104 evt->ncmd = 0x01; 105 evt->opcode = cpu_to_le16(opcode); 106 107 *skb_put(skb, 1) = 0x00; 108 109 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 110 111 return hci_recv_frame(hdev, skb); 112 } 113 114 static int intel_setup(struct hci_uart *hu) 115 { 116 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01, 117 0x00, 0x08, 0x04, 0x00 }; 118 struct intel_data *intel = hu->priv; 119 struct hci_dev *hdev = hu->hdev; 120 struct sk_buff *skb; 121 struct intel_version *ver; 122 struct intel_boot_params *params; 123 const struct firmware *fw; 124 const u8 *fw_ptr; 125 char fwname[64]; 126 u32 frag_len; 127 ktime_t calltime, delta, rettime; 128 unsigned long long duration; 129 int err; 130 131 BT_DBG("%s", hdev->name); 132 133 hu->hdev->set_bdaddr = btintel_set_bdaddr; 134 135 calltime = ktime_get(); 136 137 set_bit(STATE_BOOTLOADER, &intel->flags); 138 139 /* Read the Intel version information to determine if the device 140 * is in bootloader mode or if it already has operational firmware 141 * loaded. 142 */ 143 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 144 if (IS_ERR(skb)) { 145 BT_ERR("%s: Reading Intel version information failed (%ld)", 146 hdev->name, PTR_ERR(skb)); 147 return PTR_ERR(skb); 148 } 149 150 if (skb->len != sizeof(*ver)) { 151 BT_ERR("%s: Intel version event size mismatch", hdev->name); 152 kfree_skb(skb); 153 return -EILSEQ; 154 } 155 156 ver = (struct intel_version *)skb->data; 157 if (ver->status) { 158 BT_ERR("%s: Intel version command failure (%02x)", 159 hdev->name, ver->status); 160 err = -bt_to_errno(ver->status); 161 kfree_skb(skb); 162 return err; 163 } 164 165 /* The hardware platform number has a fixed value of 0x37 and 166 * for now only accept this single value. 167 */ 168 if (ver->hw_platform != 0x37) { 169 BT_ERR("%s: Unsupported Intel hardware platform (%u)", 170 hdev->name, ver->hw_platform); 171 kfree_skb(skb); 172 return -EINVAL; 173 } 174 175 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is 176 * supported by this firmware loading method. This check has been 177 * put in place to ensure correct forward compatibility options 178 * when newer hardware variants come along. 179 */ 180 if (ver->hw_variant != 0x0b) { 181 BT_ERR("%s: Unsupported Intel hardware variant (%u)", 182 hdev->name, ver->hw_variant); 183 kfree_skb(skb); 184 return -EINVAL; 185 } 186 187 btintel_version_info(hdev, ver); 188 189 /* The firmware variant determines if the device is in bootloader 190 * mode or is running operational firmware. The value 0x06 identifies 191 * the bootloader and the value 0x23 identifies the operational 192 * firmware. 193 * 194 * When the operational firmware is already present, then only 195 * the check for valid Bluetooth device address is needed. This 196 * determines if the device will be added as configured or 197 * unconfigured controller. 198 * 199 * It is not possible to use the Secure Boot Parameters in this 200 * case since that command is only available in bootloader mode. 201 */ 202 if (ver->fw_variant == 0x23) { 203 kfree_skb(skb); 204 clear_bit(STATE_BOOTLOADER, &intel->flags); 205 btintel_check_bdaddr(hdev); 206 return 0; 207 } 208 209 /* If the device is not in bootloader mode, then the only possible 210 * choice is to return an error and abort the device initialization. 211 */ 212 if (ver->fw_variant != 0x06) { 213 BT_ERR("%s: Unsupported Intel firmware variant (%u)", 214 hdev->name, ver->fw_variant); 215 kfree_skb(skb); 216 return -ENODEV; 217 } 218 219 kfree_skb(skb); 220 221 /* Read the secure boot parameters to identify the operating 222 * details of the bootloader. 223 */ 224 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 225 if (IS_ERR(skb)) { 226 BT_ERR("%s: Reading Intel boot parameters failed (%ld)", 227 hdev->name, PTR_ERR(skb)); 228 return PTR_ERR(skb); 229 } 230 231 if (skb->len != sizeof(*params)) { 232 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name); 233 kfree_skb(skb); 234 return -EILSEQ; 235 } 236 237 params = (struct intel_boot_params *)skb->data; 238 if (params->status) { 239 BT_ERR("%s: Intel boot parameters command failure (%02x)", 240 hdev->name, params->status); 241 err = -bt_to_errno(params->status); 242 kfree_skb(skb); 243 return err; 244 } 245 246 BT_INFO("%s: Device revision is %u", hdev->name, 247 le16_to_cpu(params->dev_revid)); 248 249 BT_INFO("%s: Secure boot is %s", hdev->name, 250 params->secure_boot ? "enabled" : "disabled"); 251 252 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name, 253 params->min_fw_build_nn, params->min_fw_build_cw, 254 2000 + params->min_fw_build_yy); 255 256 /* It is required that every single firmware fragment is acknowledged 257 * with a command complete event. If the boot parameters indicate 258 * that this bootloader does not send them, then abort the setup. 259 */ 260 if (params->limited_cce != 0x00) { 261 BT_ERR("%s: Unsupported Intel firmware loading method (%u)", 262 hdev->name, params->limited_cce); 263 kfree_skb(skb); 264 return -EINVAL; 265 } 266 267 /* If the OTP has no valid Bluetooth device address, then there will 268 * also be no valid address for the operational firmware. 269 */ 270 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 271 BT_INFO("%s: No device address configured", hdev->name); 272 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 273 } 274 275 /* With this Intel bootloader only the hardware variant and device 276 * revision information are used to select the right firmware. 277 * 278 * Currently this bootloader support is limited to hardware variant 279 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b). 280 */ 281 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi", 282 le16_to_cpu(params->dev_revid)); 283 284 err = request_firmware(&fw, fwname, &hdev->dev); 285 if (err < 0) { 286 BT_ERR("%s: Failed to load Intel firmware file (%d)", 287 hdev->name, err); 288 kfree_skb(skb); 289 return err; 290 } 291 292 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname); 293 294 kfree_skb(skb); 295 296 if (fw->size < 644) { 297 BT_ERR("%s: Invalid size of firmware file (%zu)", 298 hdev->name, fw->size); 299 err = -EBADF; 300 goto done; 301 } 302 303 set_bit(STATE_DOWNLOADING, &intel->flags); 304 305 /* Start the firmware download transaction with the Init fragment 306 * represented by the 128 bytes of CSS header. 307 */ 308 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 309 if (err < 0) { 310 BT_ERR("%s: Failed to send firmware header (%d)", 311 hdev->name, err); 312 goto done; 313 } 314 315 /* Send the 256 bytes of public key information from the firmware 316 * as the PKey fragment. 317 */ 318 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 319 if (err < 0) { 320 BT_ERR("%s: Failed to send firmware public key (%d)", 321 hdev->name, err); 322 goto done; 323 } 324 325 /* Send the 256 bytes of signature information from the firmware 326 * as the Sign fragment. 327 */ 328 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 329 if (err < 0) { 330 BT_ERR("%s: Failed to send firmware signature (%d)", 331 hdev->name, err); 332 goto done; 333 } 334 335 fw_ptr = fw->data + 644; 336 frag_len = 0; 337 338 while (fw_ptr - fw->data < fw->size) { 339 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 340 341 frag_len += sizeof(*cmd) + cmd->plen; 342 343 BT_DBG("%s: patching %td/%zu", hdev->name, 344 (fw_ptr - fw->data), fw->size); 345 346 /* The parameter length of the secure send command requires 347 * a 4 byte alignment. It happens so that the firmware file 348 * contains proper Intel_NOP commands to align the fragments 349 * as needed. 350 * 351 * Send set of commands with 4 byte alignment from the 352 * firmware data buffer as a single Data fragement. 353 */ 354 if (frag_len % 4) 355 continue; 356 357 /* Send each command from the firmware data buffer as 358 * a single Data fragment. 359 */ 360 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 361 if (err < 0) { 362 BT_ERR("%s: Failed to send firmware data (%d)", 363 hdev->name, err); 364 goto done; 365 } 366 367 fw_ptr += frag_len; 368 frag_len = 0; 369 } 370 371 set_bit(STATE_FIRMWARE_LOADED, &intel->flags); 372 373 BT_INFO("%s: Waiting for firmware download to complete", hdev->name); 374 375 /* Before switching the device into operational mode and with that 376 * booting the loaded firmware, wait for the bootloader notification 377 * that all fragments have been successfully received. 378 * 379 * When the event processing receives the notification, then the 380 * STATE_DOWNLOADING flag will be cleared. 381 * 382 * The firmware loading should not take longer than 5 seconds 383 * and thus just timeout if that happens and fail the setup 384 * of this device. 385 */ 386 err = wait_on_bit_timeout(&intel->flags, STATE_DOWNLOADING, 387 TASK_INTERRUPTIBLE, 388 msecs_to_jiffies(5000)); 389 if (err == 1) { 390 BT_ERR("%s: Firmware loading interrupted", hdev->name); 391 err = -EINTR; 392 goto done; 393 } 394 395 if (err) { 396 BT_ERR("%s: Firmware loading timeout", hdev->name); 397 err = -ETIMEDOUT; 398 goto done; 399 } 400 401 if (test_bit(STATE_FIRMWARE_FAILED, &intel->flags)) { 402 BT_ERR("%s: Firmware loading failed", hdev->name); 403 err = -ENOEXEC; 404 goto done; 405 } 406 407 rettime = ktime_get(); 408 delta = ktime_sub(rettime, calltime); 409 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 410 411 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration); 412 413 done: 414 release_firmware(fw); 415 416 if (err < 0) 417 return err; 418 419 calltime = ktime_get(); 420 421 set_bit(STATE_BOOTING, &intel->flags); 422 423 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param, 424 HCI_INIT_TIMEOUT); 425 if (IS_ERR(skb)) 426 return PTR_ERR(skb); 427 428 kfree_skb(skb); 429 430 /* The bootloader will not indicate when the device is ready. This 431 * is done by the operational firmware sending bootup notification. 432 * 433 * Booting into operational firmware should not take longer than 434 * 1 second. However if that happens, then just fail the setup 435 * since something went wrong. 436 */ 437 BT_INFO("%s: Waiting for device to boot", hdev->name); 438 439 err = wait_on_bit_timeout(&intel->flags, STATE_BOOTING, 440 TASK_INTERRUPTIBLE, 441 msecs_to_jiffies(1000)); 442 443 if (err == 1) { 444 BT_ERR("%s: Device boot interrupted", hdev->name); 445 return -EINTR; 446 } 447 448 if (err) { 449 BT_ERR("%s: Device boot timeout", hdev->name); 450 return -ETIMEDOUT; 451 } 452 453 rettime = ktime_get(); 454 delta = ktime_sub(rettime, calltime); 455 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 456 457 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration); 458 459 clear_bit(STATE_BOOTLOADER, &intel->flags); 460 461 return 0; 462 } 463 464 static int intel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 465 { 466 struct hci_uart *hu = hci_get_drvdata(hdev); 467 struct intel_data *intel = hu->priv; 468 struct hci_event_hdr *hdr; 469 470 if (!test_bit(STATE_BOOTLOADER, &intel->flags)) 471 goto recv; 472 473 hdr = (void *)skb->data; 474 475 /* When the firmware loading completes the device sends 476 * out a vendor specific event indicating the result of 477 * the firmware loading. 478 */ 479 if (skb->len == 7 && hdr->evt == 0xff && hdr->plen == 0x05 && 480 skb->data[2] == 0x06) { 481 if (skb->data[3] != 0x00) 482 set_bit(STATE_FIRMWARE_FAILED, &intel->flags); 483 484 if (test_and_clear_bit(STATE_DOWNLOADING, &intel->flags) && 485 test_bit(STATE_FIRMWARE_LOADED, &intel->flags)) { 486 smp_mb__after_atomic(); 487 wake_up_bit(&intel->flags, STATE_DOWNLOADING); 488 } 489 490 /* When switching to the operational firmware the device 491 * sends a vendor specific event indicating that the bootup 492 * completed. 493 */ 494 } else if (skb->len == 9 && hdr->evt == 0xff && hdr->plen == 0x07 && 495 skb->data[2] == 0x02) { 496 if (test_and_clear_bit(STATE_BOOTING, &intel->flags)) { 497 smp_mb__after_atomic(); 498 wake_up_bit(&intel->flags, STATE_BOOTING); 499 } 500 } 501 recv: 502 return hci_recv_frame(hdev, skb); 503 } 504 505 static const struct h4_recv_pkt intel_recv_pkts[] = { 506 { H4_RECV_ACL, .recv = hci_recv_frame }, 507 { H4_RECV_SCO, .recv = hci_recv_frame }, 508 { H4_RECV_EVENT, .recv = intel_recv_event }, 509 }; 510 511 static int intel_recv(struct hci_uart *hu, const void *data, int count) 512 { 513 struct intel_data *intel = hu->priv; 514 515 if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) 516 return -EUNATCH; 517 518 intel->rx_skb = h4_recv_buf(hu->hdev, intel->rx_skb, data, count, 519 intel_recv_pkts, 520 ARRAY_SIZE(intel_recv_pkts)); 521 if (IS_ERR(intel->rx_skb)) { 522 int err = PTR_ERR(intel->rx_skb); 523 BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err); 524 intel->rx_skb = NULL; 525 return err; 526 } 527 528 return count; 529 } 530 531 static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb) 532 { 533 struct intel_data *intel = hu->priv; 534 535 BT_DBG("hu %p skb %p", hu, skb); 536 537 skb_queue_tail(&intel->txq, skb); 538 539 return 0; 540 } 541 542 static struct sk_buff *intel_dequeue(struct hci_uart *hu) 543 { 544 struct intel_data *intel = hu->priv; 545 struct sk_buff *skb; 546 547 skb = skb_dequeue(&intel->txq); 548 if (!skb) 549 return skb; 550 551 if (test_bit(STATE_BOOTLOADER, &intel->flags) && 552 (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT)) { 553 struct hci_command_hdr *cmd = (void *)skb->data; 554 __u16 opcode = le16_to_cpu(cmd->opcode); 555 556 /* When the 0xfc01 command is issued to boot into 557 * the operational firmware, it will actually not 558 * send a command complete event. To keep the flow 559 * control working inject that event here. 560 */ 561 if (opcode == 0xfc01) 562 inject_cmd_complete(hu->hdev, opcode); 563 } 564 565 /* Prepend skb with frame type */ 566 memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1); 567 568 return skb; 569 } 570 571 static const struct hci_uart_proto intel_proto = { 572 .id = HCI_UART_INTEL, 573 .name = "Intel", 574 .init_speed = 115200, 575 .open = intel_open, 576 .close = intel_close, 577 .flush = intel_flush, 578 .setup = intel_setup, 579 .recv = intel_recv, 580 .enqueue = intel_enqueue, 581 .dequeue = intel_dequeue, 582 }; 583 584 int __init intel_init(void) 585 { 586 return hci_uart_register_proto(&intel_proto); 587 } 588 589 int __exit intel_deinit(void) 590 { 591 return hci_uart_unregister_proto(&intel_proto); 592 } 593