1 /* 2 * EFI capsule support. 3 * 4 * Copyright 2013 Intel Corporation; author Matt Fleming 5 * 6 * This file is part of the Linux kernel, and is made available under 7 * the terms of the GNU General Public License version 2. 8 */ 9 10 #define pr_fmt(fmt) "efi: " fmt 11 12 #include <linux/slab.h> 13 #include <linux/mutex.h> 14 #include <linux/highmem.h> 15 #include <linux/efi.h> 16 #include <linux/vmalloc.h> 17 #include <asm/io.h> 18 19 typedef struct { 20 u64 length; 21 u64 data; 22 } efi_capsule_block_desc_t; 23 24 static bool capsule_pending; 25 static int efi_reset_type = -1; 26 27 /* 28 * capsule_mutex serialises access to both capsule_pending and 29 * efi_reset_type. 30 */ 31 static DEFINE_MUTEX(capsule_mutex); 32 33 /** 34 * efi_capsule_pending - has a capsule been passed to the firmware? 35 * @reset_type: store the type of EFI reset if capsule is pending 36 * 37 * To ensure that the registered capsule is processed correctly by the 38 * firmware we need to perform a specific type of reset. If a capsule is 39 * pending return the reset type in @reset_type. 40 * 41 * This function will race with callers of efi_capsule_update(), for 42 * example, calling this function while somebody else is in 43 * efi_capsule_update() but hasn't reached efi_capsue_update_locked() 44 * will miss the updates to capsule_pending and efi_reset_type after 45 * efi_capsule_update_locked() completes. 46 * 47 * A non-racy use is from platform reboot code because we use 48 * system_state to ensure no capsules can be sent to the firmware once 49 * we're at SYSTEM_RESTART. See efi_capsule_update_locked(). 50 */ 51 bool efi_capsule_pending(int *reset_type) 52 { 53 bool rv = false; 54 55 mutex_lock(&capsule_mutex); 56 if (!capsule_pending) 57 goto out; 58 59 if (reset_type) 60 *reset_type = efi_reset_type; 61 rv = true; 62 out: 63 mutex_unlock(&capsule_mutex); 64 return rv; 65 } 66 67 /* 68 * Whitelist of EFI capsule flags that we support. 69 * 70 * We do not handle EFI_CAPSULE_INITIATE_RESET because that would 71 * require us to prepare the kernel for reboot. Refuse to load any 72 * capsules with that flag and any other flags that we do not know how 73 * to handle. 74 */ 75 #define EFI_CAPSULE_SUPPORTED_FLAG_MASK \ 76 (EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE) 77 78 /** 79 * efi_capsule_supported - does the firmware support the capsule? 80 * @guid: vendor guid of capsule 81 * @flags: capsule flags 82 * @size: size of capsule data 83 * @reset: the reset type required for this capsule 84 * 85 * Check whether a capsule with @flags is supported by the firmware 86 * and that @size doesn't exceed the maximum size for a capsule. 87 * 88 * No attempt is made to check @reset against the reset type required 89 * by any pending capsules because of the races involved. 90 */ 91 int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset) 92 { 93 efi_capsule_header_t *capsule; 94 efi_status_t status; 95 u64 max_size; 96 int rv = 0; 97 98 if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK) 99 return -EINVAL; 100 101 capsule = kmalloc(sizeof(*capsule), GFP_KERNEL); 102 if (!capsule) 103 return -ENOMEM; 104 105 capsule->headersize = capsule->imagesize = sizeof(*capsule); 106 memcpy(&capsule->guid, &guid, sizeof(efi_guid_t)); 107 capsule->flags = flags; 108 109 status = efi.query_capsule_caps(&capsule, 1, &max_size, reset); 110 if (status != EFI_SUCCESS) { 111 rv = efi_status_to_err(status); 112 goto out; 113 } 114 115 if (size > max_size) 116 rv = -ENOSPC; 117 out: 118 kfree(capsule); 119 return rv; 120 } 121 EXPORT_SYMBOL_GPL(efi_capsule_supported); 122 123 /* 124 * Every scatter gather list (block descriptor) page must end with a 125 * continuation pointer. The last continuation pointer of the last 126 * page must be zero to mark the end of the chain. 127 */ 128 #define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1) 129 130 /* 131 * How many scatter gather list (block descriptor) pages do we need 132 * to map @count pages? 133 */ 134 static inline unsigned int sg_pages_num(unsigned int count) 135 { 136 return DIV_ROUND_UP(count, SGLIST_PER_PAGE); 137 } 138 139 /** 140 * efi_capsule_update_locked - pass a single capsule to the firmware 141 * @capsule: capsule to send to the firmware 142 * @sg_pages: array of scatter gather (block descriptor) pages 143 * @reset: the reset type required for @capsule 144 * 145 * Since this function must be called under capsule_mutex check 146 * whether efi_reset_type will conflict with @reset, and atomically 147 * set it and capsule_pending if a capsule was successfully sent to 148 * the firmware. 149 * 150 * We also check to see if the system is about to restart, and if so, 151 * abort. This avoids races between efi_capsule_update() and 152 * efi_capsule_pending(). 153 */ 154 static int 155 efi_capsule_update_locked(efi_capsule_header_t *capsule, 156 struct page **sg_pages, int reset) 157 { 158 efi_physical_addr_t sglist_phys; 159 efi_status_t status; 160 161 lockdep_assert_held(&capsule_mutex); 162 163 /* 164 * If someone has already registered a capsule that requires a 165 * different reset type, we're out of luck and must abort. 166 */ 167 if (efi_reset_type >= 0 && efi_reset_type != reset) { 168 pr_err("Conflicting capsule reset type %d (%d).\n", 169 reset, efi_reset_type); 170 return -EINVAL; 171 } 172 173 /* 174 * If the system is getting ready to restart it may have 175 * called efi_capsule_pending() to make decisions (such as 176 * whether to force an EFI reboot), and we're racing against 177 * that call. Abort in that case. 178 */ 179 if (unlikely(system_state == SYSTEM_RESTART)) { 180 pr_warn("Capsule update raced with reboot, aborting.\n"); 181 return -EINVAL; 182 } 183 184 sglist_phys = page_to_phys(sg_pages[0]); 185 186 status = efi.update_capsule(&capsule, 1, sglist_phys); 187 if (status == EFI_SUCCESS) { 188 capsule_pending = true; 189 efi_reset_type = reset; 190 } 191 192 return efi_status_to_err(status); 193 } 194 195 /** 196 * efi_capsule_update - send a capsule to the firmware 197 * @capsule: capsule to send to firmware 198 * @pages: an array of capsule data pages 199 * 200 * Build a scatter gather list with EFI capsule block descriptors to 201 * map the capsule described by @capsule with its data in @pages and 202 * send it to the firmware via the UpdateCapsule() runtime service. 203 * 204 * @capsule must be a virtual mapping of the first page in @pages 205 * (@pages[0]) in the kernel address space. That is, a 206 * capsule_header_t that describes the entire contents of the capsule 207 * must be at the start of the first data page. 208 * 209 * Even though this function will validate that the firmware supports 210 * the capsule guid, users will likely want to check that 211 * efi_capsule_supported() returns true before calling this function 212 * because it makes it easier to print helpful error messages. 213 * 214 * If the capsule is successfully submitted to the firmware, any 215 * subsequent calls to efi_capsule_pending() will return true. @pages 216 * must not be released or modified if this function returns 217 * successfully. 218 * 219 * Callers must be prepared for this function to fail, which can 220 * happen if we raced with system reboot or if there is already a 221 * pending capsule that has a reset type that conflicts with the one 222 * required by @capsule. Do NOT use efi_capsule_pending() to detect 223 * this conflict since that would be racy. Instead, submit the capsule 224 * to efi_capsule_update() and check the return value. 225 * 226 * Return 0 on success, a converted EFI status code on failure. 227 */ 228 int efi_capsule_update(efi_capsule_header_t *capsule, struct page **pages) 229 { 230 u32 imagesize = capsule->imagesize; 231 efi_guid_t guid = capsule->guid; 232 unsigned int count, sg_count; 233 u32 flags = capsule->flags; 234 struct page **sg_pages; 235 int rv, reset_type; 236 int i, j; 237 238 rv = efi_capsule_supported(guid, flags, imagesize, &reset_type); 239 if (rv) 240 return rv; 241 242 count = DIV_ROUND_UP(imagesize, PAGE_SIZE); 243 sg_count = sg_pages_num(count); 244 245 sg_pages = kzalloc(sg_count * sizeof(*sg_pages), GFP_KERNEL); 246 if (!sg_pages) 247 return -ENOMEM; 248 249 for (i = 0; i < sg_count; i++) { 250 sg_pages[i] = alloc_page(GFP_KERNEL); 251 if (!sg_pages[i]) { 252 rv = -ENOMEM; 253 goto out; 254 } 255 } 256 257 for (i = 0; i < sg_count; i++) { 258 efi_capsule_block_desc_t *sglist; 259 260 sglist = kmap(sg_pages[i]); 261 if (!sglist) { 262 rv = -ENOMEM; 263 goto out; 264 } 265 266 for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) { 267 u64 sz = min_t(u64, imagesize, PAGE_SIZE); 268 269 sglist[j].length = sz; 270 sglist[j].data = page_to_phys(*pages++); 271 272 imagesize -= sz; 273 count--; 274 } 275 276 /* Continuation pointer */ 277 sglist[j].length = 0; 278 279 if (i + 1 == sg_count) 280 sglist[j].data = 0; 281 else 282 sglist[j].data = page_to_phys(sg_pages[i + 1]); 283 284 kunmap(sg_pages[i]); 285 } 286 287 mutex_lock(&capsule_mutex); 288 rv = efi_capsule_update_locked(capsule, sg_pages, reset_type); 289 mutex_unlock(&capsule_mutex); 290 291 out: 292 for (i = 0; rv && i < sg_count; i++) { 293 if (sg_pages[i]) 294 __free_page(sg_pages[i]); 295 } 296 297 kfree(sg_pages); 298 return rv; 299 } 300 EXPORT_SYMBOL_GPL(efi_capsule_update); 301